Hi,

Before someone else says it. It would be much better if you put a complete copy of these samples on a website (pastebin or somesuch) for people here to download. Snatches of headers and standalone images do not provide a proper example for people to run through their own setups. The full, unedited original email is the only usable example.

Ibrahim Harrani wrote:
Hi,

another header from another image spams.
All images contain god, bad and a url with numbers.

spam header 1

Received: from unknown (HELO zkjg.proxad.net) (88.176.40.137) by 0
with SMTP; 16 Jun 2009 17:06:08 -0000
From: Mrkvicka Coutee <noctiluc...@ghide.plus.com>
Date: Tue, 16 Jun 2009 17:06:00 -0200 (G)
To: u...@mydomain.com
MIME-Version: 1.0
Subject: How too Give Her a Mind Blowwing Foreplay and Make Her
Achieve Multiple Orgasms Several Times
Message-ID: <23665e9707392e5f7bea0...@ghide.plus.com>
Content-Type: 
multipart/mixed;boundary="------------2F42CCE68412108733DC041115017579B"
X-Antivirus: avast! (VPS 090615-0, 15/06/2009), Outbound message
X-Antivirus-Status: Clean


--------------2F42CCE68412108733DC041115017579B
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Cloud Arrrt
--------------2F42CCE68412108733DC041115017579B
Content-Type: image/jpg; name=fermenting.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=fermenting.jpg


spam header 2


Received: from unknown (HELO vhnwrl.telecomitalia.it) (82.105.116.141)
by 0 with SMTP; 17 Jun 2009 03:25:14 -0000
Subject: Fellatio Poositions - 3 Fellatio Positions to Make Ylour Guy Goes Crazy
Date: Wed, 17 Jun 2009 03:23:45 -0200 (WDT)
To: us...@mydomain.com
Content-Type: multipart/mixed;boundary="QDmrufsRgxcrA4K13576430733h3xErY6Onu"
MIME-Version: 1.0
Message-ID: <z16506176606a0apingr1...@tusclan.de>
From: Kotrba<unvocali...@tusclan.de>


--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

China busticng out off bras
--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: image/jpg; name=lieve.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=lieve.jpg

spam header 3:

Received: from unknown (HELO xbasrka.user.ono.com) (84.123.118.68) by
0 with SMTP; 16 Jun 2009 10:58:34 -0000
Subject: AA Gpood Relationship Starts With You
From: "Bruess Lindler" <kal...@soboba.net>
Content-Type: 
multipart/mixed;boundary="--------------5954_AvQXOLyDSVSPGNgxyhgz3xm"
To: i...@mydomain.com
Date: Tue, 16 Jun 2009 10:58:36 -0200 (HNP)
MIME-Version: 1.0
Message-ID: <3e1ffc6e6851394f_eide...@soboba.net>

----------------5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Ben Franklin, Betsy Ross actors wced inn Philly
----------------5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: image/jpg; name=detonators.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=detonators.jpg


It seems that ocrad can't decode the strings in the images.
FuzzyOcr version is 3.6.0


58] info: FuzzyOcr: Scanset Order: ocrad(0) ocrad-invert(0)
ocrad-decolorize-invert(0) ocrad-decolorize(0) gocr(0) gocr-180(0)
[69976] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69958] dbg: FuzzyOcr: Saved pid: 69976
[69976] dbg: FuzzyOcr: Stdout:
/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.out
[69976] dbg: FuzzyOcr: Stderr:
/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.err
[69958] dbg: FuzzyOcr: Elapsed [69976]: 0.242362 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>><<=end
[69958] dbg: FuzzyOcr: Not enough OCR Hits without space stripping,
doing second matching pass...
[69958] dbg: FuzzyOcr: Saved pid: 69977
[69977] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5 -i
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69977] dbg: FuzzyOcr: Stdout:
/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.out
[69977] dbg: FuzzyOcr: Stderr:
/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.err
[69958] dbg: FuzzyOcr: Elapsed [69977]: 0.333053 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>>_ . /
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: .. _,. . . . -- i _ . .
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _ ._..._`. ._. // ÷j- .-._\ !i. - _. _
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _ ,, ' _l\..__'
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: r__-__`_ .. -_' ..,-_-. /
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: . \ . _,-_ ._/
[69958] dbg: FuzzyOcr: __ \ __
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _t_ - _T
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: .___ _ _ _ _'_ ._
[69958] dbg: FuzzyOcr: ||]\. _
[69958] dbg: FuzzyOcr: _ \ _ _ _ _,
[69958] dbg: FuzzyOcr: ' -| ._ m LL
[69958] dbg: FuzzyOcr: __:\_
[69958] dbg: FuzzyOcr: _ _.. / ._/
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _._/_ _
[69958] dbg: FuzzyOcr: | ? _
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: . |.' _, .
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _W, L __ " /
[69958] dbg: FuzzyOcr: W._
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: |___-G__ _ _
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: /\ ._
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _ ___ _
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _ ./. __ ./
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: _. __' T. ._...
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: / _ _
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: -(_
[69958] dbg: FuzzyOcr: \
[69958] dbg: FuzzyOcr: \
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: __ l.
[69958] dbg: FuzzyOcr:
[69958] dbg: FuzzyOcr: <<=end
[69958] dbg: FuzzyOcr: Not enough OCR Hits without space stripping,
doing second matching pass...
[69958] dbg: FuzzyOcr: Saved pid: 69978
[69978] dbg: FuzzyOcr: Exec : /usr/local/bin/ppmtopgm


2009/6/17 Paweł Tęcza <pte...@uw.edu.pl>:
Ibrahim Harrani wrote:
Do you have any solution about this kind of spams?

Hello Ibrahim,

Could you please show me the Content-* headers of image attachment?
Did you send all headers of that spam in your previous post?

I have some success with fighting that spam I called "BAD GOOD PENIS",
but I can see that it evolves, so my rules should be improved too.

My best regards,

Pawel





--
Anthony Peacock
CHIME, UCL Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/
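
Added example, not part of the original thread or of SpamAssassin/FuzzyOcr: given a full raw message, as asked for above, this lists the Content-* headers of each MIME part and reports the traits visible in the three quoted samples. The sample message, the function names and the 80-byte cut-off are assumptions made for illustration.

```python
import email
import re

# Constructed sample shaped like the three spams quoted above: a short
# text/plain part plus one base64 "image/jpg" attachment. Addresses, boundary
# and the base64 body are placeholders, not data from the original mails.
SAMPLE = b"""\
Subject: constructed sample
From: Sender <sender@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="CONSTRUCTEDBOUNDARY0001"

--CONSTRUCTEDBOUNDARY0001
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

short filler line
--CONSTRUCTEDBOUNDARY0001
Content-Type: image/jpg; name=lieve.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=lieve.jpg

AAAA
--CONSTRUCTEDBOUNDARY0001--
"""

def leaf_parts(raw):
    return [p for p in email.message_from_bytes(raw).walk() if not p.is_multipart()]

def content_headers(raw):
    """Content-* headers of every leaf MIME part, keyed by lower-case name."""
    return [{k.lower(): v for k, v in p.items() if k.lower().startswith("content-")}
            for p in leaf_parts(raw)]

def sample_traits(raw, max_text_len=80):  # max_text_len is an assumed cut-off
    """Traits read off the quoted samples; a triage aid, not a tested rule."""
    parts = leaf_parts(raw)
    images = [p for p in parts if p.get_content_maintype() == "image"]
    texts = [p for p in parts if p.get_content_type() == "text/plain"]
    body_len = lambda p: len((p.get_payload(decode=True) or b"").strip())
    return {
        # The registered JPEG type is image/jpeg; all three samples say image/jpg.
        "nonstandard_image_type": any(p.get_content_type() == "image/jpg" for p in images),
        "single_word_jpg_name": any(re.fullmatch(r"[a-z]+\.jpg", p.get_filename() or "") for p in images),
        "short_text_part": any(body_len(p) < max_text_len for p in texts),
        "image_count": len(images),
    }

if __name__ == "__main__":
    print(content_headers(SAMPLE))
    print(sample_traits(SAMPLE))
```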
