On Thursday 31 July 2008 11:58 pm, Jake Maul wrote:
> Greetings,
>
> I've recently been getting more simple drug-related spam that has no
> real obfuscation and often doesn't get flagged with anything other
> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
>
> A few sample Subject lines:
>
> Subject: Use Generik Viagra and forget about your sexual nightmares.
> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
> Subject: Viagra Pro will save your from sexual hardships.
> Subject: Any medication without prescription. Visa and MasterCard accepted
> Subject: EZ order and fast delivery of your drugs
> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
>
> (Last one tagged due to "2.9 SUSPICIOUS_RECIPS" and BAYES_99)
>
> Most of these don't hit any DNSBLs, and are generally not in Pyzor or
> Razor (incidentally... my Pyzor stopped working this morning... anyone
> else? pyzor ping is failing). Some also hit the DRUGS_ERECTILE test,
> but not reliably.
>
> A large majority seem to be coming from yahoo.com webmail servers, but
> this isn't a high-volume server so that might be just an anomaly.
Is the below a sample subject line you're seeing? If so, my setup using
network tests, SARE rules, the Botnet plugin and others always scores these
between 50 and 70. But this may not be what you're getting, so a sample
would be great.

Subject: Buy Cialis, Viagra online at lowest prices!

Content analysis details:   (67.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 2.9 DATE_SPAMWARE_Y2K      Date header uses unusual Y2K formatting
 3.2 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 1.9 TVD_RCVD_IP            TVD_RCVD_IP
 3.2 TVD_RCVD_IP4           TVD_RCVD_IP4
 3.1 MSGID_YAHOO_CAPS       Message-ID has [EMAIL PROTECTED]
 4.2 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 0.0 SUBJECT_DRUG_GAP_C     Subject contains a gappy version of 'cialis'
 0.0 SUBJ_BUY               Subject line starts with Buy or Buying
 1.0 FREEMAIL_FROM          From-address is freemail domain
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?124.146.54.38>]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 1.4 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 1.4 FB_CIALIS_LEO3         BODY: Uses a mis-spelled version of cialis.
 1.7 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.5 LOGINHASH2             BODY: iXhash says its spam
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 60]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 60]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 2.6 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
Chris
KeyID 0xE372A7DA98E6705C
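The difference between the two setups in this thread is which rule families are firing: Jake's box sees little beyond HTML_MESSAGE and BAYES_XX, while Chris's report is carried largely by network tests (SpamCop, Botnet, Razor2, Pyzor, DCC, iXhash). The script below is an added example, not code from the thread or from SpamAssassin: it parses a "Content analysis details" report, checks that the per-rule scores add up to the header total, and splits the total into Bayes, network and local contributions so you can see what the same message would score with network tests turned off. The sample report is a constructed subset of the rules Chris quoted (header total recomputed for that subset), and the grouping of rule names into families is my own approximation, since a text report does not carry SpamAssassin's `net` tflag.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample: a shortened SpamAssassin "Content analysis details"
# report in the same layout as the one quoted in the thread. The header
# total (23.5) is the sum of just these rules, not the original 67.9.
SAMPLE_REPORT = """\
Content analysis details:   (23.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?124.146.54.38>]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

HEADER_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
# A rule line: score, rule name, description. Continuation lines (the
# bracketed details) carry no leading score and are folded in below.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

# ASSUMPTION: rule families guessed from the rule name. Real SpamAssassin
# marks network rules with the 'net' tflag, which the report does not show.
NETWORK_PREFIXES = ("RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_", "IXHASH",
                    "LOGINHASH", "BOTNET", "DIGEST_MULTIPLE")


def classify(rule):
    """Bucket a rule name into 'bayes', 'network' or 'local' (assumed mapping)."""
    if rule.startswith("BAYES_"):
        return "bayes"
    if rule.startswith(NETWORK_PREFIXES):
        return "network"
    return "local"


def parse_report(text):
    """Return (total, threshold, hits); hits is a list of (score, rule, description).

    Scores are kept as Decimal so that tenths add up exactly. Indented lines
    without a score are continuation text for the preceding rule.
    """
    total = threshold = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and total is None:
            total, threshold = Decimal(m.group(1)), Decimal(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append((Decimal(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith(" ") and line.strip():
            score, rule, desc = hits[-1]
            hits[-1] = (score, rule, desc + " " + line.strip())
    if total is None:
        raise ValueError("no 'Content analysis details' header found")
    return total, threshold, hits


def score_breakdown(text):
    """Split the report's total by rule family and verify it against the header."""
    total, threshold, hits = parse_report(text)
    by_family = defaultdict(Decimal)
    for score, rule, _ in hits:
        by_family[classify(rule)] += score
    computed = sum(by_family.values(), Decimal(0))
    if computed != total:
        raise ValueError(f"rule scores sum to {computed}, header says {total}")
    return {
        "total": total,
        "threshold": threshold,
        "by_family": dict(by_family),
        # What the message would score on a box that runs no network tests.
        "without_network": total - by_family.get("network", Decimal(0)),
    }


if __name__ == "__main__":
    result = score_breakdown(SAMPLE_REPORT)
    for family, pts in sorted(result["by_family"].items()):
        print(f"{family:8s} {pts:>5}")
    print(f"total {result['total']} (required {result['threshold']}); "
          f"without network tests: {result['without_network']}")
```

On the constructed sample the network family alone contributes 13.4 of the 23.5 points; dropping it leaves 10.1, and without BAYES_99 as well the message would sit at 5.1, barely over the 5.0 threshold. The same decomposition applied to the full report above is a quick way to judge how much of a "this scores 50-70 for me" result depends on Razor, Pyzor, DCC and the DNS-based plugins being reachable, which matters when, as Jake notes, Pyzor stops answering.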