agsteele, Posted November 16, 2005

I'm wondering if we can offer a SpamAssassin control to JT for an increasing amount of drug/pharmacy type spam that seems to be capable of slipping through the flat-rate Email account filtering. About 60% of these items get caught by the SpamCop bl but the other third which would appear to originate from, as yet, unlisted IP addresses slips right on through.

An example of such a message which reached my mailbox and was delivered (i.e. not trapped) is at http://www.spamcop.net/sc?id=z827575837z75...a657dda537a0fdz

The body content of the message reads as follows:

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0063_01C5EA0D.5FA43A80
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    Good day,
    Quit ov
    g f
    eddications - vis
    armaEx
    op
    erpayin
    or your M
    it our Ph
    press Sh
    V L A X P V C A e m a r I I L v b n o A A I i i a z G L U t e x a R I M ra n c A S 1.21 3.33 3.75

The second part of the multi-part message is a repeat of this content in HTML code.

I have SpamAssassin set to trigger at a score of 2 - so already pretty aggressive. Seems that a chicken-pox check or similar has been circumvented.

I keep on reporting so those messages from listed IPs do, in time, get caught but it would be good if a content filter could catch these as well.

Andrew

Wazoo, Posted November 16, 2005

> I have SpamAssassin set to trigger at a score of 2 - so already pretty aggressive. Seems that a chicken-pox check or similar has been circumvented.
>
> I keep on reporting so those messages from listed IPs do, in time, get caught but it would be good if a content filter could catch these as well.

Just noting the obvious flip side here .... the construct offered wasn't an e-mail just tossed together in a second or two .... this is an obvious example of a spammer working hard at coming up with a spam that will "slip through the filters" .... and one can be sure that a number of filters was tested against ...

agsteele, Posted November 17, 2005

> Just noting the obvious flip side here .... the construct offered wasn't an e-mail just tossed together in a second or two .... this is an obvious example of a spammer working hard at coming up with a spam that will "slip through the filters" .... and one can be sure that a number of filters was tested against ...

I totally agree.

As an aside, does anybody actually respond to this type of advert? I'm not sure I can even work out what the following extract is supposed to mean:

    Good day,
    Quit ov
    g f
    eddications - vis
    armaEx
    op
    erpayin
    or your M
    it our Ph
    press Sh

Having read "Good day, Quit ov" I'd be totally bemused and hit delete - even if I wasn't tuned in to the spamming ways of these guys?

I do wonder what gain some of these guys get from the stuff they do to the content to get everything through.

Andrew

qjvgpuryy, Posted November 17, 2005

> As an aside, does anybody actually respond to this type of advert? I'm not sure I can even work out what the following extract is supposed to mean:
>
>     Good day,
>     Quit ov
>     g f
>     eddications - vis
>     armaEx
>     op
>     erpayin
>     or your M
>     it our Ph
>     press Sh
>
> Having read "Good day, Quit ov" I'd be totally bemused and hit delete - even if I wasn't tuned in to the spamming ways of these guys?
>
> I do wonder what gain some of these guys get from the stuff they do to the content to get everything through.
>
> Andrew

I wonder if the HTML version is using any positioning - the lines make (a little) more sense if rearranged in the order 1,2,7,3,8,4,9,5,10:

    Good day,
    Quit ov
    erpayin
    g f
    or your M
    eddications - vis
    it our Ph
    armaEx
    press Sh
    op

but anyone smart enough to figure that out is WAY too smart to follow up on it ( I think ...)

Jeff G., Posted November 19, 2005

> I'm not sure I can even work out what the following extract is supposed to mean

I got a similar one:

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0046_01C5E8EB.9A15B680
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    Quit over ng for you tions - vi ineC p payi r Meddica sit our Medic hest Sho V L CI e IA v AG i LR t IA ra S 1,56 2,78 3,00

    ------=_NextPart_000_0046_01C5E8EB.9A15B680
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
    <META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV> </DIV>
    <TABLE style=3D"BORDER-RIGHT: 0px;" cellPadding=3D0 cellSpacing=3D0>
    <TR style=3D"BORDER-TOP: 0px;">
    <TD vAlign=3Dbottom style=3D"BORDER-TOP: 0px;" rowSpan=3D3>Quit =
    over</TD><TD></TD>
    <TD vAlign=3Dbottom style=3D"BORDER-TOP: 0px;" rowSpan=3D3>ng for =
    you</TD><TD></TD>
    <TD vAlign=3Dbottom style=3D"BORDER-TOP: 0px;" rowSpan=3D3>tions - <A =
    href=3D"http://mchaippHeadvert.tripod.com">vi</A></TD><TD></TD>
    <TD vAlign=3Dbottom style=3D"BORDER-TOP: 0px;" rowSpan=3D3><A =
    href=3D"http://mchaippHeadvert.tripod.com">ineC</A></TD><TD></TD>
    <TD vAlign=3Dbottom style=3D"BORDER-TOP: 0px;" rowSpan=3D3><A =
    href=3D"http://mchaippHeadvert.tripod.com">p</A></TD><TD></TD>
    </TR>
    <TR style=3D"BORDER-TOP: 0px;">
    <TD style=3D"BORDER: 0px;" vAlign=3Dbottom>payi</TD>
    <TD style=3D"BORDER: 0px;" vAlign=3Dbottom>r Meddica</TD>
    <TD style=3D"BORDER: 0px;" vAlign=3Dbottom><A href=3D"http://mchaip=
    pHeadvert.tripod.com">sit our Medic</A></TD>
    <TD style=3D"BORDER: 0px;" vAlign=3Dbottom><A href=3D"http://mch=
    aippHeadvert.tripod.com">hest Sho</TD>
    </TR></TABLE>
    <DIV> </DIV>
    <TABLE>
    <TR><TD><FONT face=3D"Courier" size=3D3>V L C</FONT></TD><TD><FONT =
    face=3D"Courier" size=3D3>I e I</FONT></TD><TD><FONT face=3D"Courier" =
    size=3D3>A v A</FONT></TD><TD><FONT face=3D"Courier" size=3D3>G i =
    L</FONT></TD><TD><FONT face=3D"Courier" size=3D3>R t I</FONT></TD><TD><FONT =
    face=3D"Courier" size=3D3>A ra S</FONT></TD><TD><FONT face=3D"Courier" =
    size=3D3> 1,56 2,78 3,00</FONT></TD><TD width=3D100%></TD>=
    </TR></TABLE></BODY></HTML>

    ------=_NextPart_000_0046_01C5E8EB.9A15B680--

which rendered as

    Quit overpaying for your Meddications - visit our MedicineChest Shop
    V I A G R A 1.56
    L e v i t r a 2.78
    C I A L I S 3.00

The URL's page was removed by Tripod:

> The page you are attempting to access has been removed because it violated Tripod's Terms of Service. Please check out Tripod's Help system for more information.

The upshot is that the spammer was playing with tables in its HTML, which translated very poorly into text/plain.

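Added example, not part of any post in this thread: a sketch of how a content filter could lay the table cells out on a grid (honouring rowspan) and read them column by column, so a keyword rule sees roughly what the reader sees rather than the cell text in source order. The names `TableGrid`, `source_text`, `visual_text`, `hidden_hit` and the `RULE` pattern are hypothetical, and the code assumes the HTML part has already been quoted-printable decoded and contains a single, non-nested table.

```python
import re
from html.parser import HTMLParser

def _span(value):  # clamp rowspan/colspan so hostile values cannot blow up the grid
    return min(max(int(value), 1), 50) if value and value.isdigit() else 1

class TableGrid(HTMLParser):  # places each <td> on a (row, col) grid
    def __init__(self):
        super().__init__()
        self.grid, self.row, self.cell = {}, -1, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "tr":
            self.row += 1
        elif tag == "td" and self.row >= 0:
            col = 0
            while (self.row, col) in self.grid:  # slot held by a span from above
                col += 1
            for r in range(_span(a.get("rowspan"))):
                for c in range(_span(a.get("colspan"))):
                    self.grid[(self.row + r, col + c)] = None  # mark occupied
            self.cell = self.grid[(self.row, col)] = []  # text lives in origin slot
    def handle_endtag(self, tag):
        if tag == "td":
            self.cell = None
    def handle_data(self, data):
        if self.cell is not None:
            self.cell.append(data)

def source_text(html):
    """What a tag-stripping filter sees: cell text in source order."""
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())

def visual_text(html):
    """Approximate reading order: column by column, top to bottom."""
    p = TableGrid()
    p.feed(html)
    order = sorted(p.grid, key=lambda rc: (rc[1], rc[0]))
    return "".join("".join(p.grid[k] or []) for k in order)

RULE = re.compile(r"med+ications", re.I)  # hypothetical content rule
def hidden_hit(html):
    """True when the rule matches only after the table is laid out."""
    return bool(RULE.search(visual_text(html))) and not RULE.search(source_text(html))

# Constructed sample: cell layout of the table quoted above, links removed.
TOP = ["Quit over", "ng for you", "tions - vi", "ineC", "p"]
LOW = ["payi", "r Meddica", "sit our Medic", "hest Sho"]
SAMPLE = ("<table><tr>" + "".join(f"<td valign=bottom rowspan=3>{t}</td><td></td>" for t in TOP)
          + "</tr><tr>" + "".join(f"<td>{t}</td>" for t in LOW) + "</tr></table>")
```

A rule that fires only on the laid-out text is itself a useful signal, since ordinary mail rarely reads differently in source order and in rendered order.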