new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hello, Recently, I am getting image spams like the following content. You can also find the spam image attached. spamd gives a negative score for this kind of mail. Return-Path: gastero...@hirogin.co.jp X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.mydomain.com X-Spam-Level:

RE: new spam image with random body message

2009-06-17 Thread Cory Hawkless
I got the exact same results on a similar email last week, the image was subtly different in that the penises were smaller and in the top right corner of the image, suggesting that the sender is creating a number of different images to avoid detection? I'm reasonably new to this game, can any of

Re: new spam image with random body message

2009-06-17 Thread Paweł Tęcza
Ibrahim Harrani wrote: Do you have any solution about this kind of spams? Hello Ibrahim, Could you please show me the Content-* headers of the image attachment? Did you send all headers of that spam in your previous post? I have some success with fighting that spam I called BAD GOOD PENIS, but I

Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi, Here is the full header. Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) by 0 with SMTP; 16 Jun 2009 10:06:24 - Message-ID: 643596679...@hirogin.co.jp MIME-Version: 1.0 Subject: Christian sex - What Are Goood Christian sex Pradctices? Date: Tue, 16 Jun 2009 10:06:16 -0200

Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi, another header from another image spams. All images contain god, bad and a url with numbers. spam header 1 Received: from unknown (HELO zkjg.proxad.net) (88.176.40.137) by 0 with SMTP; 16 Jun 2009 17:06:08 - From: Mrkvicka Coutee noctiluc...@ghide.plus.com Date: Tue, 16 Jun 2009

Re: new spam image with random body message

2009-06-17 Thread Anthony Peacock
Hi, Before someone else says it. It would be much better if you put a complete copy of these samples on a website (pastebin or somesuch) for people here to download. Snatches of headers and standalone images do not provide a proper example for people to run through their own setups. The

Re: new spam image with random body message

2009-06-17 Thread Paweł Tęcza
Ibrahim Harrani wrote: Hi, another header from another image spams. All images contain god, bad and a url with numbers. The spammers are cunning... It seems that they have stopped sending spams with X-Mailer: header containing something like PHP v5.2.0 or PHP/4.4.5. Also they don't use only

Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote: Ibrahim Harrani wrote: Hi, another header from another image spams. All images contain god, bad and a url with numbers. The spammers are cunning... It seems that they have stopped sending spams with X-Mailer: header containing

RE: new spam image with random body message

2009-06-17 Thread Cory Hawkless
The RBL is a good point, I'm only getting these when I turn off zen.spamhaus (for testing) BUT the emails I got did NOT have sex in the subject, How To Give Her strong Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More is what I got -Original Message- From:

RE: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 22:16 +0930, Cory Hawkless wrote: The RBL is a good point, I'm only getting these when I turn off zen.spamhaus (for testing) BUT the emails I got did NOT have sex in the subject, How To Give Her strong Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And

Re: new spam image with random body message

2009-06-17 Thread Jeremy Morton
I'm getting a ton of these lately and they're fscking annoying. If it helps at all, here's an example of one I got: http://pastebin.com/m6670fab1 Got a positive score, but not high enough. My SA only seems to be checking the Spamhaus PBL - how do I add the other blacklists to my scanning,

Re: new spam image with random body message

2009-06-17 Thread Matus UHLAR - fantomas
On 17.06.09 13:48, rich...@buzzhost.co.uk wrote: But there are certain words you would never expect to see in the subjects of legitimate mail none the less unless you often get mail with words like 'Orgasms' in it :-) If you do, please *share* your friends with us all! The often cited point

Re: new spam image with random body message

2009-06-17 Thread Steve Freegard
Paweł Tęcza wrote: Also a lot of spams I received have good reverse IP address. We use greylisting for our mail system, but we still receive that spam. Maybe that IP address above has been noted on popular RBL lists, but the spammers still use new infected machines, so they can leave RBLed

Re: new spam image with random body message

2009-06-17 Thread Martin Gregorie
On Wed, 2009-06-17 at 14:50 +0200, Paweł Tęcza wrote: Sorry, but it's not academic, because we are not talking only about spam messages received by Ibrahim. It's discussion about BAD GOOD PENIS spam at all. I agree that Subject header for that spams often includes sex-related words, but it's

Re: new spam image with random body message

2009-06-17 Thread Steve Freegard
Steve Freegard wrote: Normally I wouldn't post these rules here; but I'm interested to see how long before this rule gets rendered useless by the botmaster that's sending these. /me waves at the botmaster; that *was* fast - but you still suck

Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi, http://pastebin.com/m6a027715 http://pastebin.com/d2c94dba0 http://pastebin.com/m21c9df0 http://pastebin.com/m775253b7 Let me know if these are not enough. Thanks. On Wed, Jun 17, 2009 at 3:15 PM, Steeve McCauley ste...@oneguycoding.com wrote: Copy the full message (headers and body) to

Hostkarma whitelist problem

2009-06-17 Thread Bowie Bailey
I couldn't find any place on junkmailfilter website to report this, so I'll put it here. I received a 419 scam email with this whitelist hit: * -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE * [213.4.129.18 listed in hostkarma.junkemailfilter.com] -- Bowie

Re: new spam image with random body message

2009-06-17 Thread Martin Gregorie
On Wed, 2009-06-17 at 18:02 +0300, Ibrahim Harrani wrote: http://pastebin.com/m6a027715 http://pastebin.com/d2c94dba0 http://pastebin.com/m21c9df0 http://pastebin.com/m775253b7 These all have three things in common: - the MIME type of the image attachment doesn't match the attached image

Re: Hostkarma whitelist problem

2009-06-17 Thread Marc Perkel
No list is perfect. Thanks for reporting it. Although I try to get everything right there will always be mistakes. Sometimes I do get to leaning white because false positives are 100 times worse than a few spams getting through. Probably what happened with that is that the sender does a pretty

Re: Hostkarma whitelist problem

2009-06-17 Thread Bowie Bailey
That one also hit DNSWL_MED and actually ended up with a negative score. I reported to dnswl via their website. It would be useful to have a reporting mechanism on your website so we don't have to send these to the list. Bowie Marc Perkel wrote: No list is perfect. Thanks for reporting it.

Re: Suggested Change For FS_TEEN_BAD

2009-06-17 Thread Kelson
Wouldn't it be more efficient to write all the single-letter matches like (?:s|z)? as [sz]? or does it end up not making a difference when the regex is actually processed? -- Kelson Vibber SpeedGate Communications www.speed.net

Re: Suggested Change For FS_TEEN_BAD

2009-06-17 Thread Theo Van Dinter
Yes, it matters (one path is tried then the other has to be tried, as opposed to having a single path), though the overall amount is probably negligible. Perl's RE compiler could well optimize this away anyway. On Wed, Jun 17, 2009 at 7:45 PM, Kelson kel...@speed.net wrote: Wouldn't it be more

Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread omehegan
I'm running SpamAssassin 3.2.1 on Linux, with spamd integrated with Postfix. I use SPF, greylisting, and bayes. Lately a lot of 419 and investment spams have been getting through with very low SA scores. Can anyone take a look at these and see if there's another ruleset I should use to trap them?

Re: new spam image with random body message

2009-06-17 Thread Andy Dorman
We have been looking at these also. In most cases they are indeed being dropped by the MTA checks and our own internal BLs. Most of what slips through is being forwarded from a couple of legit servers that have no filtering (and we are working on that). So the MTA doesn't drop them since

Re: Hostkarma whitelist problem

2009-06-17 Thread Marc Perkel
err...@junkemailfilter.com will work. If you have suggestions for automation I'm interested. Bowie Bailey wrote: That one also hit DNSWL_MED and actually ended up with a negative score. I reported to dnswl via their website. It would be useful to have a reporting mechanism on your website

Re: Hostkarma whitelist problem

2009-06-17 Thread Bowie Bailey
Can you put that somewhere on the website? The problem is that I'm not going to remember that when I find another one in a month or so. I'll do what I did this time, which is go to the website. Bowie Marc Perkel wrote: err...@junkemailfilter.com will work. If you have suggestions for

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread John Hardin
On Wed, 17 Jun 2009, omehegan wrote: Lately a lot of 419 and investment spams have been getting through with very low SA scores. http://www.nerdnetworks.org/spam/spam1 http://www.nerdnetworks.org/spam/spam2 http://www.nerdnetworks.org/spam/spam3 http://www.nerdnetworks.org/spam/spam4

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread omehegan
John Hardin wrote: On Wed, 17 Jun 2009, omehegan wrote: Lately a lot of 419 and investment spams have been getting through with very low SA scores. http://www.nerdnetworks.org/spam/spam1 http://www.nerdnetworks.org/spam/spam2 http://www.nerdnetworks.org/spam/spam3

Re: Suggested Change For FS_TEEN_BAD

2009-06-17 Thread Justin Mason
I'm pretty sure it still matters. On Wed, Jun 17, 2009 at 19:16, Theo Van Dinter felic...@apache.org wrote: Yes, it matters (one path is tried then the other has to be tried, as opposed to having a single path), though the overall amount is probably negligible. Perl's RE compiler could well

Re: Hostkarma whitelist problem

2009-06-17 Thread mouss
Bowie Bailey wrote: I couldn't find any place on junkmailfilter website to report this, so I'll put it here. I received a 419 scam email with this whitelist hit: so what? I keep getting 419 from google, yahoo, ... but they are still whitelisted. and anyway, fighting 419 is not easy.

Re: Hostkarma whitelist problem

2009-06-17 Thread Randy Ramsdell
Marc Perkel wrote: err...@junkemailfilter.com will work. If you have suggestions for automation I'm interested. Bowie Bailey wrote: That one also hit DNSWL_MED and actually ended up with a negative score. I reported to dnswl via their website. It would be useful to have a reporting

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread omehegan
omehegan wrote: John Hardin wrote: On Wed, 17 Jun 2009, omehegan wrote: Lately a lot of 419 and investment spams have been getting through with very low SA scores. http://www.nerdnetworks.org/spam/spam1 http://www.nerdnetworks.org/spam/spam2

Re: Hostkarma whitelist problem

2009-06-17 Thread Marc Perkel
mouss wrote: Bowie Bailey wrote: I couldn't find any place on junkmailfilter website to report this, so I'll put it here. I received a 419 scam email with this whitelist hit: so what? I keep getting 419 from google, yahoo, ... but they are still whitelisted. Actually

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread John Hardin
On Wed, 17 Jun 2009, omehegan wrote: http://www.nerdnetworks.org/spam/spam1 http://www.nerdnetworks.org/spam/spam2 http://www.nerdnetworks.org/spam/spam3 http://www.nerdnetworks.org/spam/spam4 http://www.nerdnetworks.org/spam/spam5 http://www.nerdnetworks.org/spam/spam6 Here are two more of a

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread omehegan
John Hardin wrote: On Wed, 17 Jun 2009, omehegan wrote: http://www.nerdnetworks.org/spam/spam1 http://www.nerdnetworks.org/spam/spam2 http://www.nerdnetworks.org/spam/spam3 http://www.nerdnetworks.org/spam/spam4 http://www.nerdnetworks.org/spam/spam5

Re: Suggested Change For FS_TEEN_BAD

2009-06-17 Thread Michael Monnerie
On Wednesday 17 June 2009 Theo Van Dinter wrote: Yes, it matters (one path is tried then the other has to be tried, as opposed to having a single path) So which is better performance-wise? I guess [sz]? but I'm not sure now. mfg zmi -- // Michael Monnerie, Ing.BSc-