Re: Spam PDF

From: John Rudd <jrudd(at)ucsc.edu>
Date: Fri Jun 29 2007 - 18:05:51 EDT


bgodette@idcomm.com wrote:
> John Rudd wrote:

>> bgodette@idcomm.com wrote:
>>> John Rudd wrote:
>>> You *will* not be getting a BAYES_90 or
>>> BAYES_99 from that.
>> My first one got BAYES_80, without having seen that zombie/relay before. 
>>   That's enough for 2 points.

>
> Which only tells me it had more than just the PDF attachment, which is
> not what we're seeing here. You're also avoiding the point I was making
> by saying "hey this spam I got which has all this additional content for
> bayes to work with happened to score high". Well of course it did.

There was nothing else in it. It was exactly like the other PDF spams that have been talked about, and exactly like the ones I've received since. It has _no_ body data aside from the attachment.

>> It does matter, because it's not a "late receiver effect" unless 
>> someone, anyone, has received spam from that host before.  And there's 
>> no relationship between "previous email from that host at all" and 
>> "being listed in the PBL".
>>
>> Show me that the "that they have received spam from" part is how they 
>> built their list, and not just "that appear to be end-user IP space".
>>

>
> "Additional IP address ranges are added and maintained by the Spamhaus
> PBL Team, particularly for networks which are not participating
> themselves (either because the ISP/block owner does not know about, is
> proving difficult to contact, or because of language difficulties), and
> where spam received from those ranges, rDNS and server patterns are
> consistent with end-user IP space which typically contain high
> concentrations of "botnet zombies", a major source of spam."

I'll concede that I didn't know that about the source of listing in the PBL.

>>> Yes I failed to exclude BOTNET from that, it's the only score from the
>>> original message that started this that is solid. The reason is because
>>> BOTNET is proactive, all the others are either 100% reactionary or
>>> nearly so (PBL).
>> My first one was caught by Botnet, Bayes_80 (again, no previous pdf 
>> spam, and no previous activity from that relay), and UNIQUE_WORDS.  Even 
>> if Botnet alone hadn't been enough, and only had a score of 3 ... 
>> _either_ of the other two would have been enough to push it up to 5.

>
> So it hit UNIQUE_WORDS, which means it had more than just the
> attachment, so yeah BAYES had something more to work with than just the
> headers, consider yourself fortunate.

It had nothing in the body. Without seeing that relay before, both BAYES_80 and UNIQUE_WORDS caught it.

Excluding the attachment encoding itself, here's what it had:

  Received: from [83.76.165.174] (HELO lmnht)
    by mail.rudd.cc (CommuniGate Pro SMTP 5.1.4 _community_)
    with SMTP id 1081873 for john@rudd.cc; Wed, 27 Jun 2007 05:11:47 -0700
  Received-SPF: none
   receiver=mail.rudd.cc; client-ip=83.76.165.174; envelope-from=wzou@kennethhemmerick.com
  Received: from [33.31.118.54] (helo=iyaty)
  	by lmnht with smtp (Exim 4.66 (FreeBSD))
  	id 1I4j0S-0003Q8-5s; Wed, 27 Jun 2007 14:12:06 +0200
  Message-ID: <468253E7.2060801@kennethhemmerick.com>
  Date: Wed, 27 Jun 2007 14:11:19 +0200
  From: Annabel Cleveland <wzou@kennethhemmerick.com>
  User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
  MIME-Version: 1.0
  To: john@rudd.cc
  Subject: Re: Cheque.22.pdf
  Content-Type: multipart/mixed;
   boundary="------------040808030703010202050005"

  --------------040808030703010202050005
  Content-Type: text/plain; charset=windows-1252; format=flowed
  Content-Transfer-Encoding: 7bit

  --------------040808030703010202050005
  Content-Type: application/pdf;
   name="Cheque.22.pdf"
  Content-Transfer-Encoding: base64
  Content-Disposition: inline;
   filename="Cheque.22.pdf"

  [attachment data omitted]
  --------------040808030703010202050005--

Received on Fri Jun 29 18:06:30 2007
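The message shape argued over above (a multipart/mixed message whose text part is empty, so Bayes sees nothing but headers, plus a single PDF attachment) can be checked for directly. The following is an added example, not code from the thread or from SpamAssassin; the sample message is constructed from the quoted header layout, with placeholder addresses, hosts and boundary and a stub base64 payload.

```python
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the quoted headers; addresses, hosts and
# boundary are placeholders, and the base64 payload is a stub PDF header.
SAMPLE_PDF_SPAM = """\
Received: from [192.0.2.10] (HELO lmnht) by mx.example.net with SMTP id 1; Wed, 27 Jun 2007 05:11:47 -0700
Received-SPF: none receiver=mx.example.net; client-ip=192.0.2.10; envelope-from=sender@example.org
From: Sender <sender@example.org>
To: recipient@example.net
Subject: Re: Cheque.22.pdf
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

--BOUNDARY
Content-Type: application/pdf; name="Cheque.22.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="Cheque.22.pdf"

JVBERi0xLjQK
--BOUNDARY--
"""

def text_body_is_empty(msg: Message) -> bool:
    """True when every text/* part decodes to whitespace only."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            if payload.strip():
                return False
    return True

def pdf_attachment_names(msg: Message) -> list:
    """Filenames of all application/pdf parts (empty string if unnamed)."""
    return [part.get_filename() or ""
            for part in msg.walk()
            if part.get_content_type() == "application/pdf"]

def looks_like_bodyless_pdf_spam(raw: str) -> bool:
    """Flag a multipart message that carries a PDF and no readable text."""
    msg = message_from_string(raw)
    if not msg.is_multipart():
        return False
    return text_body_is_empty(msg) and bool(pdf_attachment_names(msg))
```

A check like this is a cheap local signal to score alongside Bayes rather than a replacement for it, since a legitimate forwarded PDF with no covering note has the same shape.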


This archive was generated by hypermail 2.1.8 : Fri Jun 29 2007 - 18:10:02 EDT

