Re: New type of monstrosity

2017-02-06 Thread Ruga
The spample would never make it to our SA. It would be rejected upstream for at 
least two reasons:

> To: undisclosed recipients: ;


The To header is not RFC compliant. The Subject header exceeds the maximum line
length, which is another RFC constraint. It is easy to catch spam this way.
On Tue, Feb 7, 2017 at 3:46 AM, Ian Zimmerman <i...@primate.net> wrote:
> On 2017-02-06 20:06, Kevin A. McGrail wrote:
>
> > > Last couple of weeks I saw some messages whose entire contents is in
> > > the Subject.
>
> > never seen such a monster. likely killed by some other piece in the
> > puzzle. Throw it up on pastebin?
>
> http://pastebin.com/PYaMcZa7
>
> (I was wrong, the subject is actually one enormous line, it was my MUA
> that folded it.)
>
> -- 
> Please *no* private Cc: on mailing lists and newsgroups
> Personal signed mail: please _encrypt_ and sign
> Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html

Re: New type of monstrosity

2017-02-06 Thread Jari Fredriksson
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian Zimmerman wrote on 7.2.2017 4:46:
> On 2017-02-06 20:06, Kevin A. McGrail wrote:
> 
>> > Last couple of weeks I saw some messages whose entire contents is in
>> > the Subject.
> 
>> never seen such a monster.  likely killed by some other piece in the
>> puzzle.  Throw it up on pastebin?
> 
> http://pastebin.com/PYaMcZa7
> 
> (I was wrong, the subject is actually one enormous line, it was my MUA
> that folded it.)

Content analysis details:   (11.5 points, 5.0 required)

 pts rule name                 description
---- ------------------------- ------------------------------------------------
 1.0 GENERIC_IXHASH            No description available.
 0.5 RCVD_IN_SORBS_SPAM        RBL: SORBS: sender is a spam source
                               [183.79.56.200 listed in dnsbl.sorbs.net]
 1.5 BOTNET                    Relay might be a spambot or virusbot
                               [botnet0.8,ip=1.2.3.12,rdns=disorder.censored.net,maildomain=outlook.fr,baddns]
 0.0 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?s=helo;id=acedia.censored.net;ip=1.2.3.12;r=gamecock.fredriksson.dy.fi]
 0.7 SPF_SOFTFAIL              SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM             Sender email is commonly abused enduser mail provider
                               (flexdanacheam[at]outlook.fr)
 1.0 HTML_MESSAGE              BODY: HTML included in message
 0.8 BAYES_50                  BODY: Bayes spam probability is 40 to 60%
                               [score: 0.5061]
 0.1 DKIM_SIGNED               Message has a DKIM or DK signature, not necessarily valid
 1.4 PYZOR_CHECK               Listed in Pyzor (http://pyzor.sf.net/)
 1.0 L_FROM_NOT_REPLY          From: and Reply-To: have different domains
 0.0 LOTS_OF_MONEY             Huge... sums of money
 0.0 MONEY_BARRISTER           Lots of money from a UK lawyer
 1.0 FREEMAIL_REPLYTO          Reply-To/From or Reply-To/body contain different freemails
 0.0 FILL_THIS_FORM            Fill in a form with personal information
 0.0 T_FILL_THIS_FORM_LONG     Fill in a form with personal information
 2.5 SPOOFED_FREEM_REPTO       Forged freemail sender with freemail reply-to
 0.0 ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
 0.0 MONEY_FRAUD_5             Lots of money and many fraud phrases


-- 
ja...@iki.fi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAliZcbkACgkQKL4IzOyjSrZxcACdFN8ZdEkcZWwO6n44neBGjHCX
Vi0Anjai2SZRaJ2bi8PsSFJ08yP3JtnP
=LDLO
-----END PGP SIGNATURE-----


Re: New type of monstrosity

2017-02-06 Thread Ian Zimmerman
On 2017-02-06 20:06, Kevin A. McGrail wrote:

> > Last couple of weeks I saw some messages whose entire contents is in
> > the Subject.

> never seen such a monster.  likely killed by some other piece in the
> puzzle.  Throw it up on pastebin?

http://pastebin.com/PYaMcZa7

(I was wrong, the subject is actually one enormous line, it was my MUA
that folded it.)

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html


Re: New type of monstrosity

2017-02-06 Thread Kevin A. McGrail

On 2/6/2017 7:52 PM, Ian Zimmerman wrote:
> Last couple of weeks I saw some messages whose entire contents is in the
> Subject.  They have both a text/plain and text/html part but both are
> empty (in the case of html, there is some markup but no character
> data).  The Subject is maybe 400 or 500 chars long.
>
> Needless to say, this is a 100% spam trait, but some escaped.
>
> Is there already a rule somewhere to deal with this?  (not among the
> ones bundled with SA, I don't think)
>
> If I'm writing my own, is the naive way to match the Subject going to
> work?  I'm asking mostly because the header is properly split and
> continued around 60 character boundaries.  That is, does SA join
> continued lines before matching?

never seen such a monster.  likely killed by some other piece in the 
puzzle.  Throw it up on pastebin?


New type of monstrosity

2017-02-06 Thread Ian Zimmerman
Last couple of weeks I saw some messages whose entire contents is in the
Subject.  They have both a text/plain and text/html part but both are
empty (in the case of html, there is some markup but no character
data).  The Subject is maybe 400 or 500 chars long.

Needless to say, this is a 100% spam trait, but some escaped.

Is there already a rule somewhere to deal with this?  (not among the
ones bundled with SA, I don't think)

If I'm writing my own, is the naive way to match the Subject going to
work?  I'm asking mostly because the header is properly split and
continued around 60 character boundaries.  That is, does SA join
continued lines before matching?

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
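Added example, not from the thread and not SpamAssassin code: a Python script that makes the two questions raised above concrete. For Ian's original post it shows why "the naive way to match the Subject" depends on whether the engine unfolds the header first (the same regex gives a different answer on the folded and the unfolded value) and checks the other trait he describes, text/plain and text/html parts with no character data. For Ruga's reply it measures the longest physical line against the RFC 5322 section 2.1.1 limits (998 characters MUST, 78 SHOULD). The threshold of 300 characters, the sample message (its subject text, addresses, boundary and the `undisclosed recipients: ;` To line quoted in the thread) and all function names (`fold_header`, `unfold`, `naive_match`, `longest_line`, `text_parts_are_empty`, `analyze`, `build_sample_message`) are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

LONG_SUBJECT_CHARS = 300  # assumed threshold; the thread reports 400-500 char Subjects
RFC5322_LINE_MUST, RFC5322_LINE_SHOULD = 998, 78  # RFC 5322 section 2.1.1 limits
# Constructed sample Subject: 455 characters once unfolded.
SUBJECT_TEXT = " ".join(["URGENT BUSINESS PROPOSAL CONCERNING A LARGE SUM OF MONEY"] * 8)

def fold_header(value, width=60):
    """Fold a header value at whitespace as a sending MUA would (sample use only)."""
    lines, current = [], ""
    for word in value.split():
        if current and len(current) + 1 + len(word) > width:
            lines.append(current)
            current = word
        else:
            current = f"{current} {word}" if current else word
    lines.append(current)
    return "\n ".join(lines)  # RFC 5322 folding: line break followed by WSP

def unfold(raw_value):
    """RFC 5322 section 2.2.3 unfolding: drop the line break, keep the WSP."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_value)

def naive_match(header_value, min_chars=LONG_SUBJECT_CHARS):
    """The 'naive' length regex from the thread; '.' does not match a newline,
    so on a still-folded value it only ever sees the first physical line."""
    return re.search(r"^.{%d,}" % min_chars, header_value) is not None

def longest_line(raw_bytes):
    """Longest physical line of the raw message, for comparison with RFC 5322."""
    return max(len(line) for line in raw_bytes.splitlines())

class _TextCollector(HTMLParser):
    """Keeps character data and discards markup."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def text_parts_are_empty(msg):
    """True when the message has text/plain or text/html parts and none of them
    carries character data (HTML markup alone counts as empty)."""
    saw_text = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        saw_text = True
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "us-ascii", "replace")
        if ctype == "text/html":
            collector = _TextCollector()
            collector.feed(body)
            body = "".join(collector.chunks)
        if body.strip():
            return False
    return saw_text

def analyze(raw_bytes):
    """Run every check on one raw message and return the findings."""
    # compat32 hands back the Subject exactly as received, folding included,
    # which is what a rule would see if the engine did not unfold first.
    msg = message_from_bytes(raw_bytes, policy=policy.compat32)
    raw_subject = msg["Subject"] or ""
    unfolded = unfold(raw_subject)
    empty = text_parts_are_empty(msg)
    longest = longest_line(raw_bytes)
    return {
        "naive_raw": naive_match(raw_subject),
        "naive_unfolded": naive_match(unfolded),
        "unfolded_len": len(unfolded),
        "longest_line": longest,
        "exceeds_rfc_should": longest > RFC5322_LINE_SHOULD,
        "exceeds_rfc_must": longest > RFC5322_LINE_MUST,
        "empty_text_parts": empty,
        "subject_only_spam": len(unfolded) >= LONG_SUBJECT_CHARS and empty,
    }

def build_sample_message(plain_body="", fold_subject=True):
    """Constructed message in the shape the thread describes (not a real spam)."""
    subject = fold_header(SUBJECT_TEXT) if fold_subject else SUBJECT_TEXT
    raw = (
        "From: sender@example.invalid\n"
        "To: undisclosed recipients: ;\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n'
        "\n--b1\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        f"\n{plain_body}\n"
        "--b1\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "\n<html><body><p></p></body></html>\n"
        "--b1--\n"
    )
    return raw.encode("ascii")
```

`analyze(build_sample_message())` reproduces the case from the thread: the MUA-folded Subject never matches the naive regex on the raw value, matches it once unfolded, and every text part is empty, so the message is flagged; `build_sample_message(fold_subject=False)` is the "one enormous line" variant, whose 464-character Subject line is over the 78-character SHOULD limit but still under the 998-character MUST limit. In SpamAssassin itself the equivalent Subject check would be written as a `header` rule; whether a given engine hands that rule the unfolded value is exactly what the original post asks and should be confirmed in that engine's documentation before relying on a length regex.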