On Sun, 28 Mar 2021, Steve Dondley wrote:
> So what's the giveaway that this is spam and what rule can I add to get SA to
> recognize it as such? And what is the best way for me to learn how to analyze
> the headers so I can recognize spam myself? Any good tutorials for this?
The obfuscated "xfinity" in the From header is what caught my eye:
> 54 From: "[email protected]"
> 55 <[email protected]>
If you keep seeing such, then a FUZZY_XFINITY_FM rule might be worthwhile.
Unfortunately it was sent via Comcast MTAs so SPF/DKIM aren't helpful
here to detect spoofing.
A From header address rule for "comcastvoicemail" might be useful as well,
depending on whether or not you get legitimate voicemail announcements
from Comcast and what they look like.
> 78 - This mail is in HTML. Some elements may be ommited in plain text. -
Spelling and grammar errors potentially give Bayes something to work with.
Feed the message to Bayes as spam.
> 107 Content-Type: application/octet-stream;
> 108 name="Mar-28 Voicemail.eml"
That filename looks suspicious. .eml is an attachment generally used for
mailbox-format email message attachments. Why would a voicemail be
delivered in that format?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...if the government does not trust me to own firearms,
why or how can the people be expected to trust the government?
-- Theodore Haas, Dachau survivor
-----------------------------------------------------------------------
4 days until April Fools' day
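As an added example (not part of John Hardin's reply and not from SpamAssassin's stock rule set), here is how the three indicators discussed in the reply could be written as local SpamAssassin rules. The rule names, the scores, the look-alike substitutions in the fuzzy pattern and the local.cf path are assumptions; the page redacts the actual obfuscated display name, so the pattern simply tolerates punctuation between the letters of "xfinity" rather than matching one specific spelling.

```text
# Added example, not from the thread. Drop into /etc/mail/spamassassin/local.cf
# (path assumed), then run "spamassassin --lint" before reloading spamd.

# 1. Obfuscated "xfinity" in the From display name. [\W_]{0,3} allows up to
#    three punctuation/space characters between letters; [i1l|] also catches
#    common digit/bar substitutions for "i" (substitution list is an assumption).
header   LOCAL_FUZZY_XFINITY_FM  From:name =~ /x[\W_]{0,3}f[\W_]{0,3}[i1l|][\W_]{0,3}n[\W_]{0,3}[i1l|][\W_]{0,3}t[\W_]{0,3}y/i
describe LOCAL_FUZZY_XFINITY_FM  From display name contains an obfuscated "xfinity"
score    LOCAL_FUZZY_XFINITY_FM  2.5

# 2. "comcastvoicemail" in the From address. Lower the score or drop the rule
#    if you receive legitimate Comcast voicemail notices that match it.
header   LOCAL_COMCASTVOICEMAIL_FM  From:addr =~ /comcastvoicemail/i
describe LOCAL_COMCASTVOICEMAIL_FM  From address claims to be Comcast voicemail
score    LOCAL_COMCASTVOICEMAIL_FM  1.5

# 3. A "voicemail" delivered as a .eml attachment. mimeheader rules come from
#    the MIMEHeader plugin, which is loaded by default via v320.pre.
mimeheader LOCAL_EML_VOICEMAIL_ATTACH  Content-Type =~ /name="?[^"]*voicemail[^"]*\.eml"?/i
describe   LOCAL_EML_VOICEMAIL_ATTACH  "Voicemail" attached as a .eml file
score      LOCAL_EML_VOICEMAIL_ATTACH  2.0

# 4. Both the spoofed brand and the odd attachment together: add extra weight
#    only when the two indicators co-occur, so neither one alone tips a message.
meta     LOCAL_FAKE_XFINITY_VOICEMAIL  (LOCAL_FUZZY_XFINITY_FM && LOCAL_EML_VOICEMAIL_ATTACH)
describe LOCAL_FAKE_XFINITY_VOICEMAIL  Obfuscated Xfinity sender with .eml "voicemail" attachment
score    LOCAL_FAKE_XFINITY_VOICEMAIL  3.0
```

To check which of these fire on the sample, run "spamassassin -t < message.eml" and look at the rule list in the report; "spamassassin -D < message.eml" shows the header values the rules were matched against, which is also a useful way to learn what SpamAssassin sees in a message. Training Bayes on it, as the reply suggests, is "sa-learn --spam message.eml".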