Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.org> on 2010/07/11 17:17:53 UTC
Re: Fwd: Indispensables pour vos vadrouilles?
On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
> Uhm, dude!? I hope that was an accidental address auto-completion. Do
> NOT send spam samples to the list.
spam? here clamav sees it as a virus
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Fwd: Indispensables pour vos vadrouilles?
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2010-07-11 at 19:50 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
> > Anyway. The distinction between spam and phish was not my point. Neither
> > was it, whether "spammed URI" clamav third-party signatures match on
> > them just like URIBL and SURBL do.
>
> as received
>
> X-Amavis-Alert: INFECTED, message contains virus:
> Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
Benny, your point is?
Anyway, I was wearing my moderator hat when I initially told the OP
about his mistake. There was no invitation to argue about a non-issue.
And I really don't think this sub-thread is worth pursuing further.
guenther -- one of the list moderators
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Fwd: Indispensables pour vos vadrouilles?
Posted by Benny Pedersen <me...@junc.org>.
On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
> No malware payload. Not a virus. One's a phish, though. Let me guess,
> clamav third-party signatures triggered on the URIs for you?
using safebrowsing sigs from google
> Anyway. The distinction between spam and phish was not my point. Neither
> was it, whether "spammed URI" clamav third-party signatures match on
> them just like URIBL and SURBL do.
as received
X-Amavis-Alert: INFECTED, message contains virus:
Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
ripmime -i msg -d .
clamscan
/tmp/extracted: Sanesecurity.Junk.31113.UNOFFICIAL FOUND
spamassassin -t msg#
1:
1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: sotudil.com]
1.7 BAD_ENC_HEADER Message has bad MIME encoding in the header
1.8 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
[193.95.97.13 listed in hostkarma.junkemailfilter.com]
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[193.95.97.13 listed in bb.barracudacentral.org]
0.0 FREEMAIL_FROM Sender email is freemail
(ziedoos_2013[at]gmail.com)
0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
1.5 FROM_NOT_EQUAL_RETURN From: does not match Return-Path:
2.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (ziedoos_2013[at]gmail.com)
0.8 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
1.8 SAGREY Adds score to spam from first-time senders
0.8 FROM_EQUAL_REPLYTO unneeded reply to set to same as sender
2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL
1.5 URI_NOT_WHITELISTED Meta: URI found but none are WHITE
2:
-0.0 GREY_LISTED_LOCAL URI's listed in localhost
[URIs: hsbc.co.uk]
0.5 RELAY_FR Relayed through France
1.8 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
[91.121.209.115 listed in hostkarma.junkemailfilter.com]
-0.0 URIBL_WHITE Contains an URL listed in the URIBL whitelist
[URIs: hsbc.co.uk]
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
1.5 FROM_NOT_EQUAL_RETURN From: does not match Return-Path:
0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.5 RCVD_IN_NIX_SPAM RBL: Received via a relay in NiX Spam (heise.de)
[91.121.209.115 listed in ix.dnsbl.manitu.net]
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[91.121.209.115 listed in bb.barracudacentral.org]
1.8 SAGREY Adds score to spam from first-time senders
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL
3:
0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[77.182.175.192 listed in dnsbl.sorbs.net]
1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: worthmoreestelia.com]
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
[77.182.175.192 listed in psbl.surriel.com]
0.8 RCVD_IN_SEMBLACK RBL: Received from an IP listed by SEM-BLACK
[77.182.175.192 listed in bl.spameatingmonkey.net]
0.5 RCVD_IN_NIX_SPAM RBL: Received via a relay in NiX Spam (heise.de)
[77.182.175.192 listed in ix.dnsbl.manitu.net]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
https://senderscore.org/blacklistlookup/
[77.182.175.192 listed in bl.score.senderscore.com]
1.8 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
[77.182.175.192 listed in hostkarma.junkemailfilter.com]
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[77.182.175.192 listed in zen.spamhaus.org]
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
2.5 BADRELAY Relay looks like dynamic/dialup/bot
-0.0 FROM_IN_TO From: does match To:
0.7 LOCALPART_IN_SUBJECT Local part of To: address appears in Subject
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[77.182.175.192 listed in bb.barracudacentral.org]
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.8 SAGREY Adds score to spam from first-time senders
4.0 JM_SOUGHT_1 Body contains frequently-spammed text patterns
0.1 TO_EQ_FM_HTML_ONLY To == From and HTML only
-3.3 KHOP_DNSBL_ADJ Undo autokill from DNSBL overlap
0.3 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
1.5 URI_NOT_WHITELISTED Meta: URI found but none are WHITE
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Fwd: Indispensables pour vos vadrouilles?
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2010-07-11 at 17:17 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
>
> > Uhm, dude!? I hope that was an accidental address auto-completion. Do
> > NOT send spam samples to the list.
>
> spam? here clamav sees it as a virus
Yes, spam. If the included X-Spam headers are anything to go by. But
you're free to eyeball the attached messages yourself.
No malware payload. Not a virus. One's a phish, though. Let me guess,
clamav third-party signatures triggered on the URIs for you?
Anyway. The distinction between spam and phish was not my point. Neither
was it, whether "spammed URI" clamav third-party signatures match on
them just like URIBL and SURBL do.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
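
Added example (not part of the original thread or of any poster's message): a small triage helper that reads the detection names from an X-Amavis-Alert header and from clamscan output, then separates Safe Browsing URI hits and third-party content signatures from hits that may be an actual payload. The CONTENT_KINDS list, the sample text and the last detection name in it are assumptions made for illustration.

```python
import re

# Second name component treated as "message content" rather than payload
# (assumed list; extend it for the third-party databases you load).
CONTENT_KINDS = {"Junk", "Spam", "Phishing"}

# Constructed sample: the header and clamscan line follow the ones quoted in
# the thread; the last line is a made-up detection name for contrast.
SAMPLE = (
    "X-Amavis-Alert: INFECTED, message contains virus:\n"
    " Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net\n"
    "/tmp/extracted: Sanesecurity.Junk.31113.UNOFFICIAL FOUND\n"
    "/tmp/invoice.exe: Win.Trojan.Example-1 FOUND\n"
)

ALERT = re.compile(r"^X-Amavis-Alert:\s*INFECTED, message contains virus:\s*(.*)$", re.I)
FOUND = re.compile(r"^.+: (\S+) FOUND$")


def extract_names(text):
    """Collect detection names from amavis alert headers and clamscan output."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)  # undo header folding
    names = []
    for line in unfolded.splitlines():
        m = ALERT.match(line)
        if m:
            names += [n for n in re.split(r"[,\s]+", m.group(1)) if n]
            continue
        m = FOUND.match(line)
        if m:
            names.append(m.group(1))
    return names


def classify(name):
    """Map a detection name to (origin, kind); a triage hint, not a verdict."""
    if name.startswith("Heuristics.Safebrowsing."):
        return ("safebrowsing", "uri")
    if name.endswith(".UNOFFICIAL"):  # suffix ClamAV adds to non-official databases
        parts = name.split(".")
        kind = "content" if len(parts) > 2 and parts[1] in CONTENT_KINDS else "unknown"
        return ("third-party", kind)
    return ("official", "unknown")


def needs_malware_handling(names):
    """True when any hit is not explained by a URI or content signature."""
    return any(classify(n)[1] == "unknown" for n in names)
```

For the two detection names quoted in the thread this returns False, so an "INFECTED" alert of this kind can be routed to spam/phish handling instead of malware quarantine.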