In a recent thread, Sam very kindly shared his keywords with us. As a
matter of interest, I went to some recent emails to see if I could find any
of those keywords in there. I don't *think* any of the words are there. I
have put 5 examples of recent Spam that got through and wondered if there is
anything in the headers which seasoned users might be able to identify,
leading to something that I need to add to some of my additional files.

From another bit of advice, I suspect that Example 5 (which came through our
secondary mail servers) could have happened because the Spammer specifically
chose to send it via our lower priority MX record. We have not yet put an
even lower order MX record which points back to our own server (in case they
simply looked for the lowest priority record).

If there is anything glaring, could you possibly let me know?

Kind regards, and many thanks in advance.

Christoph

EXAMPLE 1
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourserver.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=4.0 tests=BAYES_99 autolearn=no
version=3.2.5
Received: (qmail 29751 invoked from network); 30 Aug 2009 05:46:34 +0100
Received: from greenip.ntnu.edu.tw (HELO mg2.ntnu.edu.tw) (140.122.65.195)
by plesk2.ourserver.co.uk with SMTP; 30 Aug 2009 05:46:33 +0100
Received-SPF: pass (plesk2.ourserver.co.uk: local policy designates
140.122.65.195 as permitted sender)
Received: from mg2.ntnu.edu.tw (localhost [127.0.0.1])
by mg2.ntnu.edu.tw (Postfix) with ESMTP id C22A7414E36;
Sun, 30 Aug 2009 10:43:27 +0800 (CST)
Received: from (localhost [127.0.0.1])
by mg2.ntnu.edu.tw (NOPAM 20080507(G2)) with ESMTP id
5AB6AC10
Sun Aug 30 10:41:45 2009
(envelope-from MAIL FROM:<[email protected]>)
Received: from ntnu.edu.tw (ms2.ntnu.edu.tw [140.122.65.158])
by mg2.ntnu.edu.tw (Postfix) with ESMTP id 371C9416021;
Sun, 30 Aug 2009 10:26:10 +0800 (CST)
From: "Patrick K.W Chan" <[email protected]>
Reply-To: [email protected]
Subject: Business Suggestion
Date: Sun, 30 Aug 2009 10:26:10 +0800
Message-Id: <[email protected]>
X-Mailer: Open WebMail 2.51 20050228
X-OriginatingIP: 78.138.3.235 ([email protected])
MIME-Version: 1.0
Content-Type: text/plain;
charset=big5
To: undisclosed-recipients:;
X-NOPAM-Status: type=0; (GSD async, s=100)
X-NOPAM-DIAG:

EXAMPLE 2
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourserver.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.9 required=4.0 tests=BAYES_50,DATE_IN_PAST_96_XX,
HTML_MESSAGE,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER
autolearn=no version=3.2.5
Received: (qmail 8305 invoked from network); 31 Aug 2009 15:09:50 +0100
Received: from bestresults1.net (76.73.21.162)
by plesk2.ourserver.co.uk with SMTP; 31 Aug 2009 15:09:49 +0100
Received-SPF: pass (plesk2.ourserver.co.uk: local policy designates
76.73.21.162 as permitted sender)
Message-Id: <[email protected]>
From: [email protected]
To: [email protected]
Content-Type: text/html;
charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sun, 31 Aug 2008 10:08:32 -0600
Subject: Free Website Analysis Report! Get ranked high in the search
engines.
Received: from bestresults1.net [76.73.21.162] by 1vu.bestresults1.net with
SMTP; Sun, 31 Aug 2008 10:08:32 -0600

EXAMPLE 3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourserver.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.9 required=4.0 tests=BAYES_00,HTML_MESSAGE,
MISSING_HEADERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no version=3.2.5
Received: (qmail 28640 invoked from network); 27 Aug 2009 13:54:06 +0100
Received: from agsmtp02.state.ky.us (HELO agsmtp02.eas.ds.ky.gov)
(162.114.80.56)
by plesk2.ourserver.co.uk with SMTP; 27 Aug 2009 13:54:06 +0100
Received-SPF: pass (plesk2.ourserver.co.uk: SPF record at ky.gov designates
162.114.80.56 as permitted sender)
Received: from AGMBX06.eas.ds.ky.gov ([162.114.80.49]) by
agsmtp02.eas.ds.ky.gov with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 27 Aug 2009 08:53:53 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CA2715.6D36AD3D"
Subject: APPLY FOR A LOAN HERE
Date: Thu, 27 Aug 2009 08:53:51 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: APPLY FOR A LOAN HERE
Thread-Index: AconFWt262/x4xfJT6mvmLrIC66u9w==
From: "Poe, Chris (KYTC-D05)" <[email protected]>
Bcc:
Return-Path: [email protected]
X-OriginalArrivalTime: 27 Aug 2009 12:53:53.0894 (UTC)
FILETIME=[6EB9B060:01CA2715]

EXAMPLE 4
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourserver.co.uk
X-Spam-Level: *
X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,HTML_MESSAGE,
RCVD_IN_NJABL_PROXY autolearn=no version=3.2.5
Received: (qmail 23483 invoked from network); 26 Aug 2009 12:39:46 +0100
Received: from b-fa2-1186.noc.ntt-west.nsk.ne.jp (61.198.80.186)
by plesk2.ourserver.co.uk with SMTP; 26 Aug 2009 12:39:45 +0100
Received-SPF: neutral (plesk2.ourserver.co.uk: 61.198.80.186 is neither
permitted nor denied by SPF record at orgshrink.com)
Received: from 61.198.80.186 by orgshrink.com.s5b1.psmtp.com; Wed, 26 Aug
2009 20:39:24 +0900
Message-ID: <000d01ca2641$dc2d81a0$6400a...@pluralisti>
From: "Winifred Bartley" <[email protected]>
To: <[email protected]>
Subject: We can help you have your health back.
Date: Wed, 26 Aug 2009 20:39:24 +0900
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA2641.DC2D81A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

EXAMPLE 5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
plesk2.ourserver.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=4.0 tests=BAYES_60,DIET_1,
FB_EXTRA_INCHES,HTML_MESSAGE autolearn=no version=3.2.5
Received: (qmail 32552 invoked from network); 25 Aug 2009 17:24:10 +0100
Received: from lon-mail-relay-2.gradwell.net (193.111.201.135)
by plesk2.ourserver.co.uk with SMTP; 25 Aug 2009 17:24:10 +0100
Received-SPF: neutral (plesk2.ourserver.co.uk: 193.111.201.135 is neither
permitted nor denied by SPF record at quad-bikes.com)
Received: from [190.144.97.84] (helo=CYFLKOXZ)
by lon-mail-relay-2.gradwell.net with esmtp (Exim 4.52
(FreeBSD))
id 1MfyoR-000F1d-FH; Tue, 25 Aug 2009 17:23:59 +0100
Received: from 190.144.97.84 by mx1.123-reg.co.uk; Tue, 25 Aug 2009 11:23:57
-0500
Message-ID: <000d01ca25a0$7210d020$6400a...@estela563>
From: "Anastasia King" <[email protected]>
To: <[email protected]>
Subject: Even the most beautiful women would want to be by your side.
Date: Tue, 25 Aug 2009 11:23:57 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA25A0.7210D020"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
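
Added example, not part of the original post and not spamdyke code: a Python triage of delivered-spam headers like those above. It reports how far under the SpamAssassin threshold a message scored and, when the connecting host is one of your own backup MX relays (the Example 5 case), reads the real client IP from the next Received hop, since connection-time checks on the primary only saw the relay's address. `BACKUP_RELAYS`, the function names and the re-folded sample are assumptions.

```python
import re
from email import message_from_string
# Assumption: the hosts your secondary MX records point at.
BACKUP_RELAYS = {"lon-mail-relay-2.gradwell.net"}

# Constructed sample: part of Example 5 with header folding restored.
SAMPLE = """\
X-Spam-Status: No, score=3.5 required=4.0 tests=BAYES_60,DIET_1,
\tFB_EXTRA_INCHES,HTML_MESSAGE autolearn=no version=3.2.5
Received: (qmail 32552 invoked from network); 25 Aug 2009 17:24:10 +0100
Received: from lon-mail-relay-2.gradwell.net (193.111.201.135)
\tby plesk2.ourserver.co.uk with SMTP; 25 Aug 2009 17:24:10 +0100
Received: from [190.144.97.84] (helo=CYFLKOXZ)
\tby lon-mail-relay-2.gradwell.net with esmtp (Exim 4.52 (FreeBSD))
\tid 1MfyoR-000F1d-FH; Tue, 25 Aug 2009 17:23:59 +0100
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def spam_status(msg):
    """Return (score, required, [test names]) from X-Spam-Status."""
    v = " ".join(msg["X-Spam-Status"].split())  # undo header folding
    score, required = (float(re.search(k + r"=(-?[\d.]+)", v).group(1))
                       for k in ("score", "required"))
    tests = re.search(r"tests=(.*?)\s+autolearn=", v).group(1)
    return score, required, [t.strip() for t in tests.split(",") if t.strip()]

def hops(msg):
    """Received hops, newest first, as (claimed host, IP) pairs."""
    out = []
    for r in msg.get_all("Received", []):
        r = " ".join(r.split())
        m = re.match(r"from (\S+)", r)
        if m:  # skips qmail's "(qmail ... invoked from network)" line
            ip = IPV4.search(r.split(" by ")[0])
            out.append((m.group(1).strip("[]"), ip.group(0) if ip else None))
    return out

def triage(raw):
    msg = message_from_string(raw)
    score, required, tests = spam_status(msg)
    chain = hops(msg)
    via_backup = bool(chain) and chain[0][0] in BACKUP_RELAYS
    # Behind a backup MX the real client is one hop further down the chain.
    origin = chain[1] if via_backup and len(chain) > 1 else (chain or [(None, None)])[0]
    return {"margin": round(required - score, 2), "tests": tests,
            "via_backup_mx": via_backup, "origin_ip": origin[1]}

print(triage(SAMPLE))
```

Only the top hop is trusted here, because it was written by your own server; lower Received lines are believable only as far as you trust the relay that added them.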