Hi

I noticed a message in my spam folder containing the following ratware
and bad html coding.

Yet it only triggered the following rules:
Content analysis details:   (24.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 RM_tl_ToNone           To header not found
 0.2 NO_REAL_NAME           From: does not include a real name
 3.8 ONLINE_PHARMACY        BODY: Online Pharmacy
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 T_RATWARE_OOPS_13      BODY: Has a possible RANDOM spammer goof in it.
 2.2 MY_DEFAULTASP          BODY: Contains a likely spammer default.asp link.
 0.9 MY_MANY_BR             BODY: Tooo many <br>'s!
 3.0 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=65.96.238.16>]
 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                [Blocked - see <http://www.spamcop.net/bl.shtml?65.96.238.16>]
 0.7 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.5 SARE_RAND_2            SARE_RAND_2

In the body of the message: (The message looks like a bounced or forwarded 
message)
%MESSAGERECEIVED
%MESSAGE_ID_TAGS
Subject: %HI %PUNCTUATION_5_3 %PHARM5_7_2 %PUNCTUATION_5_3 gadfly susie
%PHARM_SUB_4_22_1%CAP_PUNC
223Phar%_9TAGmacy 24 x 7!224
Pha%_9TAGrmacy
pharm%_9TAGacy
FindPha%_9TAGrmacies
medica%_9TAGtions
prescript%_9TAGion
prescr%_9TAGiption
<a HreF="http://%RNDDOMAINWORDchmepharmes.com/gp/default.asp?ID=JC2";>%HI %PUNCTU
ATION_5_3 %PHARM_SUB_5_3 %PUNCTUATION_5_3 smokescreen eject</a></font><br>
%RNDDOMAINWORD

Other than that the html section starts and ends with:
<htMl>
</hTml>

I don't believe any mail client will use such tags...

HTH

Bram

-- 
# Mertens Bram "M8ram"   <[EMAIL PROTECTED]>   Linux User #349737 #
# SuSE Linux 8.2 (i586)     kernel 2.4.20-4GB      i686     256MB RAM #
# 12:59pm  up 48 days 16:37,  5 users,  load average: 0.09, 0.11, 0.05 #
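
The leftovers described in the message above (unexpanded `%NAME` template variables, `%_9TAG` markers stranded inside words, and mixed-case tag names such as `<htMl>`) can be checked for mechanically. The following is an added example, not part of the original post and not SpamAssassin code; the function names, regular expressions and thresholds are assumptions chosen for illustration, and the benign sample line is constructed.

```python
import re

# '%' + upper-case name such as %RNDDOMAINWORD or %PUNCTUATION_5_3.
# The lookahead skips URL percent-encoding (%E2, %2F) so encoded links do not count.
TEMPLATE_VAR = re.compile(r"%(?![0-9A-F]{2}(?![A-Z0-9_]))[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*")
# Marker stranded in the middle of a word, e.g. Phar%_9TAGmacy.
SPLIT_TAG = re.compile(r"[A-Za-z]%_[0-9A-Z]+[A-Za-z]")
# Tag names, used to find mixed-case ones such as <htMl> or </hTml>.
TAG_NAME = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")

# Lines copied from the message body quoted in the post above.
SAMPLE = """\
%MESSAGERECEIVED
%MESSAGE_ID_TAGS
Subject: %HI %PUNCTUATION_5_3 %PHARM5_7_2 %PUNCTUATION_5_3 gadfly susie
223Phar%_9TAGmacy 24 x 7!224
Pha%_9TAGrmacy
%RNDDOMAINWORD
<htMl>
</hTml>
"""

# Constructed benign text: percent signs, URL encoding, ordinary tags.
BENIGN = "Save 50%25 today: https://example.com/a%2Fb?q=%E2%9C%93 <BR> <html>"


def scan(body):
    """Return the three kinds of template leftovers found in a message body."""
    tags = TAG_NAME.findall(body)
    return {
        "template_vars": sorted(set(TEMPLATE_VAR.findall(body))),
        "split_words": len(SPLIT_TAG.findall(body)),
        "mixed_case_tags": sorted({t for t in tags if t != t.lower() and t != t.upper()}),
    }


def looks_like_template_leak(body, min_vars=3, min_splits=2):
    """Flag a body with several distinct unexpanded variables or split words.

    The thresholds are assumed values; a single '%OFF' in a real mail stays below them.
    """
    found = scan(body)
    return len(found["template_vars"]) >= min_vars or found["split_words"] >= min_splits


if __name__ == "__main__":
    print(scan(SAMPLE))
    print(looks_like_template_leak(SAMPLE), looks_like_template_leak(BENIGN))
```
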
