Re: Fwd: Indispensables pour vos vadrouilles…

2010-07-12 Thread Cedric Knight
On 11/07/10 16:04, Karsten Bräckelmann wrote:
> On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote:
> [nothing but 3 spam samples attached]
>
> Uhm, dude!?  I hope that was an accidental address auto-completion. Do
> NOT send spam samples to the list.

Grovelling apologies.  It was Thunderbird auto-completion choosing a
different address book entry from the expected (SpamCop).

Anyone archiving this list, please do remove the original post if
possible.  Thanks.

CK


Re: Fwd: Indispensables pour vos vadrouilles…

2010-07-12 Thread Karsten Bräckelmann
On Tue, 2010-07-13 at 01:26 +0100, Cedric Knight wrote:
> On 11/07/10 16:04, Karsten Bräckelmann wrote:
>> [nothing but 3 spam samples attached]
>>
>> Uhm, dude!?  I hope that was an accidental address auto-completion. Do
>> NOT send spam samples to the list.
>
> Grovelling apologies.  It was Thunderbird auto-completion choosing a
> different address book entry from the expected (SpamCop).

Good to see it actually was an accident. :)

> Anyone archiving this list, please do remove the original post if
> possible.  Thanks.

I guess that'll be impossible. Sorry. See the non-exhaustive list of
public archives on our pages. Not even mentioning search engines who
already grabbed a copy.
  http://wiki.apache.org/spamassassin/MailingLists

Another preferably unique prefix, other than spam, strikes me as a
good idea. ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Fwd: Indispensables pour vos vadrouilles…

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote:
[nothing but 3 spam samples attached]

Uhm, dude!?  I hope that was an accidental address auto-completion. Do
NOT send spam samples to the list.





Re: Fwd: Indispensables pour vos vadrouilles?

2010-07-11 Thread Benny Pedersen

On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote


> Uhm, dude!?  I hope that was an accidental address auto-completion. Do
> NOT send spam samples to the list.


spam? Here clamav sees it as a virus


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Fwd: Indispensables pour vos vadrouilles?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 17:17 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
>
>> Uhm, dude!?  I hope that was an accidental address auto-completion. Do
>> NOT send spam samples to the list.
>
> spam? Here clamav sees it as a virus

Yes, spam. If the included X-Spam headers are anything to go by. But
you're free to eyeball the attached messages yourself.

No malware payload. Not a virus. One's a phish, though. Let me guess,
clamav third-party signatures triggered on the URIs for you?

Anyway. The distinction between spam and phish was not my point. Neither
was it, whether spammed URI clamav third-party signatures match on
them just like URIBL and SURBL do.





Re: Fwd: Indispensables pour vos vadrouilles?

2010-07-11 Thread Benny Pedersen

On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote


> No malware payload. Not a virus. One's a phish, though. Let me guess,
> clamav third-party signatures triggered on the URIs for you?


using safebrowsing sigs from google


> Anyway. The distinction between spam and phish was not my point. Neither
> was it, whether spammed URI clamav third-party signatures match on
> them just like URIBL and SURBL do.


as received

X-Amavis-Alert: INFECTED, message contains virus:
Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net

ripmime -i msg -d .
clamscan

/tmp/extracted: Sanesecurity.Junk.31113.UNOFFICIAL FOUND

spamassassin -t msg#

1:

 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: sotudil.com]
 1.7 BAD_ENC_HEADER Message has bad MIME encoding in the header
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
[193.95.97.13 listed in hostkarma.junkemailfilter.com]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
[193.95.97.13 listed in bb.barracudacentral.org]
 0.0 FREEMAIL_FROM  Sender email is freemail  
(ziedoos_2013[at]gmail.com)

 0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 1.5 FROM_NOT_EQUAL_RETURN  From: does not match Return-Path:
 2.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (ziedoos_2013[at]gmail.com)
 0.8 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
 0.0 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 chars
 1.8 SAGREY Adds score to spam from first-time senders
 0.8 FROM_EQUAL_REPLYTO unneeded reply to set to same as sender
 2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL
 1.5 URI_NOT_WHITELISTED Meta: URI found but none are WHITE

2:

-0.0 GREY_LISTED_LOCAL  URI's listed in localhost
[URIs: hsbc.co.uk]
 0.5 RELAY_FR   Relayed through France
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
  [91.121.209.115 listed in hostkarma.junkemailfilter.com]
-0.0 URIBL_WHITE Contains an URL listed in the URIBL whitelist
[URIs: hsbc.co.uk]
 0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
 1.5 FROM_NOT_EQUAL_RETURN  From: does not match Return-Path:
 0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
 0.0 HTML_MESSAGE   BODY: HTML included in message
 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.5 RCVD_IN_NIX_SPAM   RBL: Received via a relay in NiX Spam (heise.de)
[91.121.209.115 listed in ix.dnsbl.manitu.net]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
[91.121.209.115 listed in bb.barracudacentral.org]
 1.8 SAGREY Adds score to spam from first-time senders
 0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL

3:

 0.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP address
[77.182.175.192 listed in dnsbl.sorbs.net]
 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: worthmoreestelia.com]
 2.7 RCVD_IN_PSBL   RBL: Received via a relay in PSBL
[77.182.175.192 listed in psbl.surriel.com]
 0.8 RCVD_IN_SEMBLACK   RBL: Received from an IP listed by SEM-BLACK
[77.182.175.192 listed in bl.spameatingmonkey.net]
 0.5 RCVD_IN_NIX_SPAM   RBL: Received via a relay in NiX Spam (heise.de)
[77.182.175.192 listed in ix.dnsbl.manitu.net]
 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
   [77.182.175.192 listed in bl.score.senderscore.com]
 1.8 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
  [77.182.175.192 listed in hostkarma.junkemailfilter.com]
 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[77.182.175.192 listed in zen.spamhaus.org]
 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 2.5 BADRELAY   Relay looks like dynamic/dialup/bot
-0.0 FROM_IN_TO From: does match To:
 0.7 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
[77.182.175.192 listed in bb.barracudacentral.org]
 0.0 HTML_MESSAGE   

Re: Fwd: Indispensables pour vos vadrouilles?

2010-07-11 Thread Karsten Bräckelmann
On Sun, 2010-07-11 at 19:50 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
>
>> Anyway. The distinction between spam and phish was not my point. Neither
>> was it, whether spammed URI clamav third-party signatures match on
>> them just like URIBL and SURBL do.
>
> as received
>
> X-Amavis-Alert: INFECTED, message contains virus:
>   Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net

Benny, your point is?

Anyway, I was wearing my moderator hat when I initially told the OP
about his mistake. There was no invitation to argue about a non-issue.
And I really don't think this sub-thread is worth pursuing further.

  guenther  -- one of the list moderators

