I am receiving multiple copies of this odd spam message at my domain.
The spam is contained within a base64 mime attached html.  When the
message is originally received, the attachment is not decoded and I get
a report like this:

X-Spam-Status: Yes, hits=6.976 tagged_above=0 required=5 tests=BAYES_60,
 FORGED_YAHOO_RCVD, INVALID_DATE, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
 RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, UPPERCASE_25_50
X-Spam-Level: ++++++
X-Spam-Flag: YES
X-Spam-Report: Spam detection software, running on the system
"gateway.ebby.com", has
 identified this incoming email as possible spam.  The original message
 has been attached to this so you can view it (if it isn't spam) or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  See attachment message.html 0B00000N0000SQ
  Content-Type: text/html; name="message.html" Content-transfer-encoding:
  base64 Content-Disposition: attachment; filename="message.html"

[...]
 Content analysis details:   (7.0 points, 5.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 2.7 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6439]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [221.39.219.20 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [221.39.219.20 listed in combined.njabl.org]
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase


However, if I process it manually through spamassassin or copy-paste the text into a telneted smtp session, I get this:


X-Spam-Status: Yes, hits=19.833 tag=0 tag2=5 kill=8 tests=DCC_CHECK,
DNS_FROM_RFC_ABUSE, FORGED_RCVD_HELO, FORGED_YAHOO_RCVD, HTML_MESSAGE,
HTML_TAG_EXIST_TBODY, INFO_TLD, MIME_MISSING_BOUNDARY,
RCVD_IN_BL_SPAMCOP_NET, URIBL_AB_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL,
URIBL_SBL, URIBL_SC_SURBL, URIBL_WS_SURBL
X-Spam-Level: +++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system "gateway.ebby.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: See attachment message.html scuooqgsgakaeww Opt-in
Email offer for January 2005 unsubscribe me SEARCH Software TOP 10 NEW
TITLES ON SALE NOW! 1 Office Pro Edition 2003 2 Windows XP Pro 3 Adobe
Creative Suite Premium 4 Systemworks Pro 2005 Edition 5 Flash MX 2005 6
Corel Painter 8 7 Adobe Acrobat 6.0 8 Windows 2003 Server 9 Alias Maya
6.0 Wavefront 10 Adobe Premiere See more by this manufacturer Microsoft
Apple Software Customers also bought these other items... [...]
Content analysis details:   (19.8 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.2 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 MIME_MISSING_BOUNDARY  RAW: MIME section missing boundary
 1.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.4 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?68.43.4.122>]
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: iaigakbdjj.info]
 2.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: iaigakbdjj.info]
 4.0 URIBL_JP_SURBL         Has URI in JP at http://www.surbl.org/lists.html
                            [URIs: iaigakbdjj.info]
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: iaigakbdjj.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: iaigakbdjj.info]
 3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: iaigakbdjj.info]



Anyone have ideas here? Why would SA decode the same attachment sometimes, but not always? My server is running SA 3.0.2, Postfix 2.0 and amavisd-new 2.1.2.


Thanks,
Stuart Johnston
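As an added example (not part of the post above), a small Python script that builds a message of the shape described, a base64-encoded text/html attachment named message.html, decodes that part the way the scanner has to before any URI rule can fire, and lists the hostnames a URIBL/SURBL lookup would be keyed on. The sender, the HTML and the spam-example.invalid domain are constructed placeholders, and base_domain's two-label cut is a simplification.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed sample HTML modelled on the "TOP 10 NEW TITLES" spam in the post;
# the domain is a placeholder, not the one the report lists.
HTML_BODY = (
    b'<html><body><table><tbody><tr><td>'
    b'<a href="http://shop.spam-example.invalid/offer">TOP 10 NEW TITLES</a> '
    b'<a href="https://www.spam-example.invalid/unsub?x=1">unsubscribe me</a>'
    b'</td></tr></tbody></table></body></html>'
)

# Hostnames in http(s):// URLs (or bare www. hosts) inside the decoded HTML.
URI_RE = re.compile(r'(?:https?://|www\.)([A-Za-z0-9.-]+\.[A-Za-z]{2,})',
                    re.IGNORECASE)

def build_sample() -> bytes:
    """Build a message whose spam lives only in a base64 text/html attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@yahoo.com"          # constructed sender
    msg["Subject"] = "Opt-in Email offer"
    msg.set_content("See attachment message.html")
    # A bytes payload makes the content manager apply base64 transfer encoding.
    msg.add_attachment(HTML_BODY, maintype="text", subtype="html",
                       filename="message.html")
    return msg.as_bytes()

def decoded_html_parts(raw: bytes):
    """Yield (filename, text) for every text/html part, attached or inline."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "us-ascii"
        yield part.get_filename(), payload.decode(charset, errors="replace")

def extract_hosts(raw: bytes) -> list[str]:
    """All hostnames referenced from the decoded HTML, the input a URIBL lookup needs."""
    hosts = {m.group(1).lower()
             for _, html in decoded_html_parts(raw)
             for m in URI_RE.finditer(html)}
    return sorted(hosts)

def base_domain(host: str) -> str:
    """Reduce to the last two labels; simplification that ignores public suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])
```

If the scanner's own report shows no decoded HTML and no URIBL hits for a message this script does extract hostnames from, the attachment was not being decoded on that path rather than being clean.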
