On Wed, 2 May 2018, Joe Acquisto-j4 wrote:

> On 5/2/2018 at 2:57 PM, in message
> <0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones <djo...@ena.com>
> wrote:
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten
>>> someone's day . . . )
>>>
>>> "Note: Failure to Verify will lead to final termination of your email
>>> account.
>>>
>>> Technical Team
>>> Email Administrator
>>> All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to
>> pastebin.com and send us a link.
>>
>> --
>> David Jones
>
> It's been a while, but I think I did it properly:
>
> https://pastebin.com/Sw8R0QPe

Do you have the DecodeShortURLs plugin installed in your SA?

The target of that tinyurl.com is listed in URIBLs and SA will fire on it if you have DecodeShortURLs functional.

For that message I get:

hecker-Version SpamAssassin 3.4.1 (2015-04-28) on s-l107.engr.uiowa.edu
Content analysis details:   (8.1 points, 6.0 required, autolearn=no)

 pts rule name              description
---- ---------------------- ------------------------------------------
 0.0 HAS_SHORT_URL          Message contains one or more shortened URLs
 2.5 SEM_FRESH              Contains a domain registered less than 5 days ago
                            [URIs: erumsadet.info]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [40.92.2.16 listed in list.dnswl.org]
 0.1 L_BANK_PHISH3          BODY: Possible bank phish
 0.3 L_UI_PHISHb3           BODY: possible email acct phish
 0.0 T__BOTNET_NOTRUST      Message has no trusted relays
 0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
[botnet_ipinhosntame,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                          [40.92.2.16 listed in hostkarma.junkemailfilter.com]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: erumsadet.info]
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
[botnet_serverwords,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (jln4deafkids[at]hotmail.com)
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.6 SARE_HTML_COLOR_B      RAW: BAD STYLE: color: too light (rgb(n))
 0.0 T__KAM_SHORT           KAM URL shortner fired
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains in
                            spam/malware
 0.0 T__FROM_OUTLOOK        From microsoft outlook/hotmail servers
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T__RECEIVED_2          More than one untrusted relay
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.2 L_FROM_OUTLOOK         From microsoft outlook/hotmail servers




--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
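
Added example (not part of the original thread, and not SpamAssassin's own code): a short Python parser for the report format quoted above, showing how much of the 8.1 total depends on the decoded tinyurl target. It assumes erumsadet.info is visible to SA only once the short URL is decoded; the report lines are copied from the message above with 0.0-point rules (other than URIBL_RED) and wrapped description tails dropped.

```python
import re

# Non-zero rules and URI hits copied from the report above (0.0-point rules
# other than URIBL_RED omitted, long descriptions shortened).
REPORT = """\
 2.5 SEM_FRESH              Contains a domain registered less than 5 days ago
                            [URIs: erumsadet.info]
 0.1 L_BANK_PHISH3          BODY: Possible bank phish
 0.3 L_UI_PHISHb3           BODY: possible email acct phish
 0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: erumsadet.info]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature
 0.6 SARE_HTML_COLOR_B      RAW: BAD STYLE: color: too light (rgb(n))
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.2 L_FROM_OUTLOOK         From microsoft outlook/hotmail servers
"""
REQUIRED = 6.0  # "6.0 required" in the report header
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s+(.*)$")
URIS = re.compile(r"\[URIs:\s*([^\]]+)\]")

def parse_report(text):
    """Return [(score, rule, uri_domains)]; continuation lines attach to the rule above."""
    hits = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            hits.append([float(m.group(1)), m.group(2), set()])
        elif hits:
            for found in URIS.findall(line):
                hits[-1][2].update(found.split())
    return [tuple(h) for h in hits]

def score(hits, skip_domain=None):
    """Total score, optionally ignoring rules that fired on skip_domain."""
    return round(sum(s for s, _, d in hits if skip_domain not in d), 1)

HITS = parse_report(REPORT)
print("as scored:", score(HITS), "spam" if score(HITS) >= REQUIRED else "ham")
blind = score(HITS, "erumsadet.info")  # assumption: domain seen only via the decoded short URL
print("without the decoded target:", blind, "spam" if blind >= REQUIRED else "ham")
```

Under that assumption, the rules that fired on the decoded target account for 2.5 of the points, which is the difference between 8.1 and a total below the 6.0 threshold.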
