[EMAIL PROTECTED] wrote:
John Rudd wrote:
[EMAIL PROTECTED] wrote:
John Rudd wrote:
You *will* not be getting a BAYES_90 or
BAYES_99 from that.

My first one got BAYES_80, without having seen that zombie/relay before.
That's enough for 2 points.

Which only tells me it had more than just the PDF attachment, which is
not what we're seeing here. You're also avoiding the point I was making
by saying "hey this spam I got which has all this additional content for
bayes to work with happened to score high". Well of course it did.

There was nothing else in it. It was exactly like the other pdf spams
that have been talked about, and exactly like the ones I've received
since. It has _no_ body data aside from the attachment.

It does matter, because it's not a "late receiver effect" unless
someone, anyone, has received spam from that host before. And there's
no relationship between "previous email from that host at all" and
"being listed in the PBL".

Show me that the "that they have received spam from" part is how they
built their list, and not just "that appear to be end-user IP space".

"Additional IP address ranges are added and maintained by the Spamhaus
PBL Team, particularly for networks which are not participating
themselves (either because the ISP/block owner does not know about, is
proving difficult to contact, or because of language difficulties), and
where spam received from those ranges, rDNS and server patterns are
consistent with end-user IP space which typically contain high
concentrations of "botnet zombies", a major source of spam."

I'll concede that I didn't know that about the source of listing in the PBL.

Yes I failed to exclude BOTNET from that, it's the only score from the
original message that started this that is solid. The reason is because
BOTNET is proactive, all the others are either 100% reactionary or
nearly so (PBL).

My first one was caught by Botnet, Bayes_80 (again, no previous pdf
spam, and no previous activity from that relay), and UNIQUE_WORDS. Even
if Botnet alone hadn't been enough, and only had a score of 3 ...
_either_ of the other two would have been enough to push it up to 5.

So it hit UNIQUE_WORDS, which means it had more than just the
attachment, so yeah BAYES had something more to work with than just the
headers, consider yourself fortunate.

It had nothing in the body. Without seeing that relay before, both
BAYES_80 and UNIQUE_WORDS caught it.

Excluding the attachment encoding itself, here's what it had:

Received: from [83.76.165.174] (HELO lmnht)
  by mail.rudd.cc (CommuniGate Pro SMTP 5.1.4 _community_)
  with SMTP id 1081873 for [EMAIL PROTECTED]; Wed, 27 Jun 2007 05:11:47 -0700
Received-SPF: none
  receiver=mail.rudd.cc; client-ip=83.76.165.174;
  [EMAIL PROTECTED]
Received: from [33.31.118.54] (helo=iyaty)
  by lmnht with smtp (Exim 4.66 (FreeBSD))
  id 1I4j0S-0003Q8-5s; Wed, 27 Jun 2007 14:12:06 +0200
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 27 Jun 2007 14:11:19 +0200
From: Annabel Cleveland <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Re: Cheque.22.pdf
Content-Type: multipart/mixed;
  boundary="------------040808030703010202050005"

--------------040808030703010202050005
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

--------------040808030703010202050005
Content-Type: application/pdf;
  name="Cheque.22.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
  filename="Cheque.22.pdf"

[attachment data omitted]
--------------040808030703010202050005--
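
The disagreement above turns on whether the message carried any body text for content rules to tokenize. The following is an added example, not part of the thread and not SpamAssassin code: it walks the MIME parts of a constructed message shaped like the one quoted and reports how much visible text exists outside the attachment. The names `build_sample` and `body_summary`, the placeholder addresses and the dummy base64 payload are assumptions made for the example.

```python
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the quoted message: placeholder addresses,
# dummy base64 payload (not the original attachment).
BOUNDARY = "-" * 12 + "040808030703010202050005"


def build_sample(text_body=""):
    """Return a raw message shaped like the quoted one, with a chosen text part."""
    return "\n".join([
        "From: Annabel Cleveland <sender@example.invalid>",
        "To: recipient@example.invalid",
        "Subject: Re: Cheque.22.pdf",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/plain; charset=windows-1252; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        text_body,
        f"--{BOUNDARY}",
        'Content-Type: application/pdf; name="Cheque.22.pdf"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: inline; filename="Cheque.22.pdf"',
        "",
        "JVBERi0xLjQK",
        f"--{BOUNDARY}--",
        "",
    ])


def body_summary(raw):
    """Count visible text characters and list attachment parts."""
    msg = message_from_string(raw, policy=default)
    text_chars, attachments = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_maintype() != "text":
            attachments.append((part.get_content_type(), filename))
        else:
            # Whitespace is ignored; HTML markup is not stripped (simplification).
            text_chars += len("".join(part.get_content().split()))
    return {"text_chars": text_chars, "attachments": attachments,
            "attachment_only": text_chars == 0 and bool(attachments)}


if __name__ == "__main__":
    print(body_summary(build_sample()))
```

A result with `attachment_only` set means any content-based hit had only headers and attachment metadata to draw on, which is the case both posters are arguing about.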