Hi,
I have been tracking a spammer that sends from hotmail. It seems that ASSP
will not detect the spam URL and ASSP will not detect the URL string via
bombDataRe. On the flip side, the Mail Analyzer did match bombDataRe.
Mail Analyzer output
=========================
removed all local X-ASSP- header lines
Connecting HELO: bay0-omc3-s13.bay0.hotmail.com) by mx01-scanner.mathbox.net
with ESMTP
Feature Matching:
. Strict SPF RE: '@hotmail.com'
. matching strictSPFRe(file:files/strictspf.txt[line 4]): '@hotmail.com'
. BombData RE: 'highest match: "'pennystockpicks11.com (1000)'" with
valence: 1000 - PB value = 250'
. matching bombDataRe(file:files/bombdatare.txt[line 36]):
'pennystockpicks\d\d?\.com'
. Not a Valid Format of HELO: 'bay0-omc3-s13.bay0.hotmail.com) by
mx01-scanner.mathbox.net with ESMTP'
=========================
Assp Headers
=========================
Received: from bay0-omc3-s13.bay0.hotmail.com ([65.54.190.151]
helo=bay0-omc3-s13.bay0.hotmail.com) by mx01-scanner.mathbox.net
with ESMTP
(2.0.2); 21 Jan 2011 08:58:53 -0500
Received: from BAY151-W11 ([65.54.190.189]) by
bay0-omc3-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 21 Jan 2011 05:58:53 -0800
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative;
boundary="_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_"
X-Originating-IP: [200.251.193.130]
From: Marcella Garherr <[email protected]>
To: <[email protected]>
Subject: Fwd:
Date: Fri, 21 Jan 2011 14:58:53 +0100
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 21 Jan 2011 13:58:53.0900 (UTC)
FILETIME=[56CF60C0:01CBB973]
X-Assp-Version: 2.0.2(2.0.19) on mx01-scanner.mathbox.net
X-Assp-Re-SPFstrict: @hotmail.com
X-Assp-Message/IP-Score: 15 (DKIM domain missmatch - hotmail.com found in
DKIMCache, but no DKIM-Signature found in mail header)
X-Assp-Detected-URI: hotmail.com(3)
X-Assp-Envelope-From: [email protected]
X-Assp-Intended-For: [email protected]
=========================
Message Body
=========================
--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I just pulled $47 in a few days doing a little investing! Check it out at -=
PennyStockPicks!!! You owe me one!
=20
=
--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Tahoma
}
--></style>
</head>
<body class=3D'hmmessage'>
I just pulled $47 in a few days doing a little investing! Check it out at -=
<A href=3D"http://pennystockpicks11.com">PennyStockPicks!!!</A> You owe m=
e one!<BR>
 =3B<BR>
<style><BR>
----- Forwarded Message ----<BR>
From: Madison<BR>
To: You<BR>
Sent: Thursday=2C January 13=2C 2011 2:12:51 PM<BR>
Subject: Fwd: treasurer took a fancy to be jealous of his wife=2C from the =
malice<BR>
 =3B<BR>
Relax your mind and humble your heart to focus on Christ. Allow God to be t=
he only person on your mind while you read this prayer. If we can take the =
time to read long jokes=2C stories=2C etc.=2C we should give the same respe=
ct to this prayer. Friends=2C who pray together=2C stay together. <BR>
If you pray this prayer=2C change the number.<BR>
 =3B<BR>
<BR>
fear at seeing Jonathan in such danger=2C but that the ardor<BR>
 =3B<BR>
within? the wretched thing that has done the mischief. It is a foul<BR>
<style><BR> </body>
</html>=
--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_--
=========================
Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)
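As an added check, not part of this post or of ASSP's own code: the bombDataRe entry from line 36 run over each MIME part of a trimmed, constructed copy of the message above, both before and after quoted-printable decoding. It goes one step beyond the message as sent by also showing the case where a quoted-printable soft line break lands inside the domain; the case-insensitive flag is an assumption.

```python
import email
import re
from email import policy

# The bombDataRe entry the Mail Analyzer matched (bombdatare.txt line 36).
# Case-insensitive matching is an assumption, not taken from the post.
BOMB_DATA_RE = re.compile(r'pennystockpicks\d\d?\.com', re.IGNORECASE)

# Constructed sample: the spam from the post trimmed to its two MIME parts,
# keeping the original quoted-printable encoding and boundary.
SAMPLE_RAW = b"""MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_"

--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I just pulled $47 in a few days doing a little investing! Check it out at -=
PennyStockPicks!!! You owe me one!

--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<body class=3D'hmmessage'>
Check it out at -=
<A href=3D"http://pennystockpicks11.com">PennyStockPicks!!!</A> You owe m=
e one!<BR>
</body>
--_5bfe01c1-0d86-41fb-a9d5-82ecd5f91b2e_--
"""

# Constructed variant: a quoted-printable soft line break ("=" + newline)
# inside the domain, as a mailer may produce when wrapping a long line.
SAMPLE_SPLIT_RAW = SAMPLE_RAW.replace(b"pennystockpicks11.com",
                                      b"pennystock=\npicks11.com")

def scan_parts(raw, pattern=BOMB_DATA_RE):
    """Match the pattern against each leaf MIME part before and after transfer
    decoding; returns {index: (content_type, raw_hit, decoded_hit)}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for i, part in enumerate(p for p in msg.walk() if not p.is_multipart()):
        encoded = part.get_payload()   # undecoded quoted-printable text
        decoded = part.get_content()   # soft breaks removed, =XX expanded
        results[i] = (part.get_content_type(),
                      pattern.search(encoded) is not None,
                      pattern.search(decoded) is not None)
    return results
```

For the message as sent, only the text/html part matches and it does so both raw and decoded; for the split variant, scan_parts(SAMPLE_SPLIT_RAW)[1] returns ('text/html', False, True), i.e. the regex only finds the domain once the part has been transfer-decoded.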
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test