Re: Lots of spam with the following snip
From: Chris <cpollock(at)embarqmail.com>
Date: Mon Jun 30 2008 - 21:16:38 EDT
> Scored pretty well here, do you have network checks active? The "SOUGHT" rule scored well too. The 'virus' that was detected is a sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details: (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?79.86.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details: (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?190.46.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many]
                            [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores, however, my ISP, Embarq sometimes has a tendency to block my posts even with IP's in the body such as above. They're using CMAE so I don't know if that's something it does or not. I've Bcc'd myself on the first post and it went through to me but then I have no idea what the CMAE hashes mean.

--
Chris
KeyID 0xE372A7DA98E6705C

Received on Mon Jun 30 21:19:23 2008

This archive was generated by hypermail 2.1.8 : Tue Sep 02 2008 - 02:58:34 EDT