On 10/5/18 4:38 PM, Antony Stone wrote:
> On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:
> 
>>> https://pastebin.com/TRD7FzRQ
>>>
>>> I have a sample here
>>
>> There are at least three reasons to reject that e-mail upfront, with no
>> need to parse its body.
> 
> Hints might be appreciated for the uninitiated.
> 
> 
> Antony.
> 
> 
> PS: Please do NOT set Reply-To to your own address on list postings.
> 

Are you doing any RBLs at the MTA?  This thing looks really bad and 
would never have made it past my Postfix postscreen_dnsbl_sites list.

     http://multirbl.valli.org/lookup/114.46.223.46.html

If it had made it to SpamAssassin, here's what my rules would have scored:

Content analysis details:   (29.8 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
  1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                             (Split IP)
  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                             Generic rPTR
  1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
  3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
  0.1 FROM_EQUALS_TO         From: and To: have the same username
  0.0 KHOP_DYNAMIC           Relay looks like a dynamic address
  3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                             2)
  1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                             dynamic-looking rDNS
  2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on
                             whitelists
  0.1 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                             (FTSDMCXX/boundary variant) + direct-to-MX
  2.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
  2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
  2.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
  0.0 ENA_BAD_SPAM           Spam hitting really bad rules.


-- 
David Jones
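Added example, not part of the thread and not code from SpamAssassin itself: a small Python parser for the "Content analysis details" report shown above, which folds the wrapped continuation lines back into each rule's description so the hits can be checked against the required threshold or fed into a log pipeline. The embedded report is a constructed subset of the one quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the SpamAssassin report quoted in the post,
# keeping its header and a few rules with wrapped continuation lines.
SAMPLE_REPORT = """\
Content analysis details:   (29.8 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                             (Split IP)
  3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                             2)
  2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
"""

HEADER_RE = re.compile(r"\(([-\d.]+) points, ([-\d.]+) required\)")
# A rule line starts with a signed decimal score, then an uppercase rule name.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


@dataclass
class Hit:
    score: float
    rule: str
    description: str


def parse_sa_report(text):
    """Return (reported_total, required, hits). Indented lines without a
    leading score are continuations of the previous rule's description."""
    total = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and total is None:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith(" ") and line.strip():
            hits[-1].description += " " + line.strip()
    return total, required, hits


def score_sum(hits):
    """Sum of the per-rule scores, rounded as SpamAssassin displays them."""
    return round(sum(h.score for h in hits), 1)


def verdict(total, required):
    return "spam" if total >= required else "ham"
```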