Here you go. Out of the 85 messages received in less than 3 days with this ISO encoded subject, 11 had the encoding in the middle of the line (see attachment).
I think they were all caught due to the weights of other tests.

Andrew 8)

-----Original Message-----
From: Dan Patnode [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject

Looking at my "spamples" I don't see any prefix letter:

Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=
Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=
Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=
Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=
Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=
Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=

Who are these guys putting the code in the middle? Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan

On Thursday, September 11, 2003 13:16, Colbeck, Andrew <[EMAIL PROTECTED]> wrote:
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>
>I'm seeing quite a few of these coming in, but they are getting
>held.
>
>I'm including a sample from my log, which is set to HIGH so that others can
>see what tests have been useful for me.
>
>An interesting point that came out of my following this thread is that I
>found that when the ISO string appears anywhere in the subject EXCEPT for
>the beginning, it's a SURE indicator that the message is spam. A really long
>(and imperfect) way to test for that is to add:
>
>SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
>SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
>SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
> 999 CONTAINS 3=?ISO-8859-1?b?
>
>Anyone have a more concise way to test for that?
>
>Andrew 8)
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on CA [weight->0; CA BR ].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on br [weight->10; BR ].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on @snip [weight->-9; @snip>; Mon, 8 Sep].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on [EMAIL PROTECTED] [weight->30; [EMAIL PROTECTED]>; Mon,].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on 100% guaranteed [weight->3; 100% Guaranteed to Work!</em>
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Weight Loss Patch [weight->3; Weight Loss Patch
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Norton [weight->1; Norton" <[EMAIL PROTECTED]
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on /bek/ [weight->30; /bek/>Remove me</a>
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on .biz/ [weight->1; .biz/mdp/m2c.php?man=and">Clic].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on getit4less.biz [weight->30; getit4less.biz/mdp/m2c.php?man].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on >No More< [weight->5; >no more<br>starvation diets</].
09/08/2003 00:04:54 Q2a100762009c03a5 DSBL:4 DSBLALL:3 MONKEYPROXIES:7 SPAMCOP:10 IPNOTINMX:2 COUNTRY:10 SNIFFER:7 NJABLDUL:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BR-BR:7 SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 SPAMBAG:3 BENTALLSPAMHINT:28 BENTALLSPAMURL:61 BENTALLSPAMUNSUB:5 . Total weight = 194
09/08/2003 00:04:54 Q2a100762009c03a5 Using [outgoing] CFG file global.cfg.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBL (http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBLALL (http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed MONKEYPROXIES (BLOCKED: See http://www.monkeys.com/upl/listed-ip-0.cgi?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed WEIGHT20 (Weight of 194 reaches or exceeds the limit of 20.). Action=HOLD.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed IPNOTINMX (). Action=LOG.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed COUNTRY (Message failed COUNTRY test (34)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed NJABLDUL (This E-mail came from 200.168.125.76, a potential spam source listed in NJABLDUL.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed EASYNET-DNSBL (Blacklisted by easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed EASYNET-DYNA (76.125.168.200.dynablock.easynet.nl.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed EASYNET-PROXIES (Open Proxy - http://proxies.blackholes.easynet.nl/errors.html). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed BR-BR (Brazil blocked by brazil.blackholes.us). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SORBS-HTTP (HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SORBS-SOCKS (SOCKS Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed PSBL (Your mailserver spammed me, see http://psbl.surriel.com/cgi-bin/listing.cgi?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed CBL (Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SPAMBAG (76.125.168.200.blacklist.spambag.org.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed BENTALLSPAMHINT (Message failed BENTALLSPAMHINT test (1488)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed BENTALLSPAMURL (Message failed BENTALLSPAMURL test (1643)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed BENTALLSPAMUNSUB (Message failed BENTALLSPAMUNSUB test (145)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Subject: Pleas=?ISO-8859-1?B?ZSBkb26SdCB0ZWxs?= anyone
09/08/2003 00:04:54 Q2a100762009c03a5 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 200.168.125.76 ID: h8870UwD018772
09/08/2003 00:04:54 Q2a100762009c03a5 Last action = HOLD.

Out of the 85 messages received in less than 3 days with this ISO encoded subject, 11 had the encoding in the middle of the line:

Do you think i=?ISO-8859-1?B?dCdsbCB3b3JrPw==?=
First Ti=?ISO-8859-1?B?bWU=?=
How much m=?ISO-8859-1?B?b3JlIGRvIHk=?=ou need?
I can’t =?ISO-8859-1?B?YmVsaWV2ZSB5b3U=?= forgot
Pleas=?ISO-8859-1?B?ZSBkb26SdCB0ZWxs?= anyone
Re: o=?ISO-8859-1?B?dXIgY29udmVyc2F0?=ion yesterday
Re: You=?ISO-8859-1?B?ciBhc3NpZ25tZW50?=
Remember that =?ISO-8859-1?B?bGFkeT8=?=
Techn=?ISO-8859-1?B?b2xvZ2k=?=cal a=?ISO-8859-1?B?ZHZhbmNlcw==?=
Wrapped in=?ISO-8859-1?B?IHBsYXN0?=ic
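
Added example (not part of the original thread and not Declude configuration): one concise way to express the "encoded string anywhere except the beginning" test from the quoted message, as a single regular expression in Python. It goes slightly beyond the thread by separating encoded-words that are glued to adjacent text, which RFC 2047 does not allow, from ones that appear later in the subject after whitespace; the function names are hypothetical and the sample subjects are copied from the thread.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def classify(subject):
    """Return 'none', 'leading', 'mid-separated' or 'glued' for a Subject value."""
    subject = subject.strip()
    matches = list(ENCODED_WORD.finditer(subject))
    if not matches:
        return "none"
    for m in matches:
        before = subject[m.start() - 1] if m.start() > 0 else " "
        after = subject[m.end()] if m.end() < len(subject) else " "
        # RFC 2047 requires whitespace between an encoded-word and adjacent text.
        if not (before.isspace() and after.isspace()):
            return "glued"
    return "leading" if matches[0].start() == 0 else "mid-separated"

def decode_for_review(subject):
    """Decode each encoded-word in place so an analyst can read the subject."""
    def _decode(m):
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        try:
            if enc == "B":
                raw = base64.b64decode(text)
            else:
                raw = quopri.decodestring(text.encode("ascii"), header=True)
            return raw.decode(charset, errors="replace")
        except (ValueError, LookupError):
            return m.group(0)  # leave undecodable words untouched
    return ENCODED_WORD.sub(_decode, subject)

# Subjects copied from the thread above.
SAMPLES = [
    "=?iso-8859-1?B?U2F2ZSBtb25leSE=?=",
    "=?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?",
    "I can’t =?ISO-8859-1?B?YmVsaWV2ZSB5b3U=?= forgot",
    "First Ti=?ISO-8859-1?B?bWU=?=",
    "Wrapped in=?ISO-8859-1?B?IHBsYXN0?=ic",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):14} {decode_for_review(s)!r}")
```

The "glued" class also catches the samples in Dan's list that begin with the encoding but run straight into plain text, which a begins-with test alone would pass.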