On Sun 11 Jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote:

> No malware payload. Not a virus. One's a phish, though. Let me guess,
> clamav third-party signatures triggered on the URIs for you?

using safebrowsing sigs from google

> Anyway. The distinction between spam and phish was not my point. Neither
> was it, whether "spammed URI" clamav third-party signatures match on
> them just like URIBL and SURBL do.

as received

X-Amavis-Alert: INFECTED, message contains virus:
        Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net

ripmime -i msg -d .
clamscan

/tmp/extracted: Sanesecurity.Junk.31113.UNOFFICIAL FOUND

spamassassin -t msg#

1:

 1.7 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: sotudil.com]
 1.7 BAD_ENC_HEADER         Message has bad MIME encoding in the header
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                        [193.95.97.13 listed in hostkarma.junkemailfilter.com]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [193.95.97.13 listed in bb.barracudacentral.org]
 0.0 FREEMAIL_FROM          Sender email is freemail (ziedoos_2013[at]gmail.com)
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 1.5 FROM_NOT_EQUAL_RETURN  From: does not match Return-Path:
 2.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                            digit (ziedoos_2013[at]gmail.com)
 0.8 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.8 SAGREY                 Adds score to spam from first-time senders
 0.8 FROM_EQUAL_REPLYTO     unneeded reply to set to same as sender
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
 1.5 URI_NOT_WHITELISTED    Meta: URI found but none are WHITE

2:

-0.0 GREY_LISTED_LOCAL      URI's listed in localhost
                            [URIs: hsbc.co.uk]
 0.5 RELAY_FR               Relayed through France
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                      [91.121.209.115 listed in hostkarma.junkemailfilter.com]
-0.0 URIBL_WHITE            Contains an URL listed in the URIBL whitelist
                            [URIs: hsbc.co.uk]
 0.8 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
 1.5 FROM_NOT_EQUAL_RETURN  From: does not match Return-Path:
 0.7 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.5 RCVD_IN_NIX_SPAM       RBL: Received via a relay in NiX Spam (heise.de)
                            [91.121.209.115 listed in ix.dnsbl.manitu.net]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [91.121.209.115 listed in bb.barracudacentral.org]
 1.8 SAGREY                 Adds score to spam from first-time senders
 0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

3:

 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [77.182.175.192 listed in dnsbl.sorbs.net]
 1.7 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: worthmoreestelia.com]
 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [77.182.175.192 listed in psbl.surriel.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [77.182.175.192 listed in bl.spameatingmonkey.net]
 0.5 RCVD_IN_NIX_SPAM       RBL: Received via a relay in NiX Spam (heise.de)
                            [77.182.175.192 listed in ix.dnsbl.manitu.net]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                           [77.182.175.192 listed in bl.score.senderscore.com]
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                      [77.182.175.192 listed in hostkarma.junkemailfilter.com]
 0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [77.182.175.192 listed in zen.spamhaus.org]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 2.5 BADRELAY               Relay looks like dynamic/dialup/bot
-0.0 FROM_IN_TO             From: does match To:
 0.7 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [77.182.175.192 listed in bb.barracudacentral.org]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.8 SAGREY                 Adds score to spam from first-time senders
 4.0 JM_SOUGHT_1            Body contains frequently-spammed text patterns
 0.1 TO_EQ_FM_HTML_ONLY     To == From and HTML only
-3.3 KHOP_DNSBL_ADJ         Undo autokill from DNSBL overlap
 0.3 TO_EQ_FM_HTML_DIRECT   To == From and HTML only, direct-to-MX
 1.5 URI_NOT_WHITELISTED    Meta: URI found but none are WHITE



--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
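
A parser for the `spamassassin -t` report layout quoted in the message above, added here as an example and not part of the original post. The function names `parse_report` and `summarize` are hypothetical, and the sample lines are copied from the second report; the code joins wrapped continuation lines to their rule, totals the score, and groups DNSBL zones by relay IP.

```python
import re
from collections import defaultdict

# Sample input: a few lines taken from report 2 above, embedded so this runs offline.
SAMPLE = """\
 0.5 RELAY_FR               Relayed through France
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                      [91.121.209.115 listed in hostkarma.junkemailfilter.com]
-0.0 URIBL_WHITE            Contains an URL listed in the URIBL whitelist
                            [URIs: hsbc.co.uk]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [91.121.209.115 listed in bb.barracudacentral.org]
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
"""

HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")   # score, rule, text
LISTED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}) listed in ([^\]\s]+)\]")
URIS = re.compile(r"\[URIs: ([^\]]+)\]")

def parse_report(text):
    """Return one dict per rule hit; wrapped detail lines are appended to the hit above."""
    hits = []
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append({"score": float(m.group(1)), "rule": m.group(2),
                         "desc": m.group(3).strip()})
        elif line.strip() and hits:          # continuation line, e.g. "[... listed in ...]"
            hits[-1]["desc"] += " " + line.strip()
    return hits

def summarize(hits):
    """Return (total score, {relay IP: DNSBL zones}, {rule: URI domains})."""
    zones = defaultdict(set)
    uris = defaultdict(set)
    for h in hits:
        for ip, zone in LISTED.findall(h["desc"]):
            zones[ip].add(zone)
        for group in URIS.findall(h["desc"]):
            uris[h["rule"]].update(group.split())
    total = round(sum(h["score"] for h in hits), 1)
    return total, dict(zones), dict(uris)

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)))
```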
