Posted to users@spamassassin.apache.org by "Daniel A. de Araujo" <da...@itautec-philco.com.br> on 2005/03/08 17:48:37 UTC

****SPAM(14.1)**** ENC: Take that!

SpamAssassin, running on "mail.dailyhills.com", has identified this incoming
email as possible spam.  The original message has been attached to this
email so you can view it (if it isn't spam).
If you have any questions, contact postmaster@dailyhills.com for details.

Content preview:  People : We are receiving a lot of kind of messages 
  like that. Any ideas to block this ? Thanks, Daniel. [...] 

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4316]
 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: dftphildeutschv.net]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: dftphildeutschv.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: dftphildeutschv.net]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: dftphildeutschv.net]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: dftphildeutschv.net]
 0.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
-1.2 AWL                    AWL: From: address is in the auto white-list

---- ---------------------- --------------------------------------------------

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


Re: Attention list admin: Re: mail.dailyhills.com

Posted by Matt Kettler <mk...@evi-inc.com>.
Sorry for the follow-up reply, but upon inspection of my list archive, it 
appears the offending subscriber is:

<da...@dailyhills.com>


At 12:31 PM 3/8/2005, Matt Kettler wrote:
>Will someone track down who this is and boot them off the list? This 
>system has been sending messages like this back to the list for quite some 
>time and has sent 12 messages like this to the list since 1/19/2005.
>
>The offending posts also use From: the original message sender, and use 
>the original message's message ID, so you'll have to track them down by 
>content.
>
>I've attempted contacting the postmaster address below and got no 
>response. Clearly the system admin doesn't understand that they shouldn't 
>be acting as a relay (ie: delivering the spam notice to all the To: header 
>recipients, instead of the envelope recipients) and isn't listening to 
>their postmaster mailbox, despite claims to the contrary.
>
>
>At 11:48 AM 3/8/2005, Daniel A. de Araujo wrote:
> >SpamAssassin, running on "mail.dailyhills.com", has identified this incoming
> >email as possible spam.  The original message has been attached to this
> >email so you can view it (if it isn't spam).
> >If you have any questions, contact postmaster@dailyhills.com for details.


Attention list admin: Re: mail.dailyhills.com

Posted by Matt Kettler <mk...@evi-inc.com>.
Will someone track down who this is and boot them off the list? This system 
has been sending messages like this back to the list for quite some time 
and has sent 12 messages like this to the list since 1/19/2005.

The offending posts also use From: the original message sender, and use the 
original message's message ID, so you'll have to track them down by content.

I've attempted contacting the postmaster address below and got no response. 
Clearly the system admin doesn't understand that they shouldn't be acting 
as a relay (ie: delivering the spam notice to all the To: header 
recipients, instead of the envelope recipients) and isn't listening to 
their postmaster mailbox, despite claims to the contrary.


At 11:48 AM 3/8/2005, Daniel A. de Araujo wrote:
>SpamAssassin, running on "mail.dailyhills.com", has identified this incoming
>email as possible spam.  The original message has been attached to this
>email so you can view it (if it isn't spam).
>If you have any questions, contact postmaster@dailyhills.com for details.
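
The header-versus-envelope mistake described in the message above, shown as an added example that is not part of any poster's message: the first function picks notice recipients from the To:/Cc: headers, the second from the SMTP envelope. The message, the addresses other than the list address, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed list post as it arrives at a subscriber's mail server.
RAW = """\
From: Some Poster <poster@example.org>
To: users@spamassassin.apache.org
Cc: Other Person <other@example.net>
Message-ID: <constructed-1@example.org>
Subject: Take that!

body
"""

# SMTP envelope (RCPT TO) for this delivery: only the local subscriber.
ENVELOPE_RCPTS = ["subscriber@dailyhills.com"]  # constructed address
LOCAL_DOMAINS = {"dailyhills.com"}


def header_recipients(raw):
    """Broken approach: take notice recipients from the To:/Cc: headers."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(addr.lower() for _, addr in pairs if addr)


def notice_recipients(envelope_rcpts, local_domains):
    """Correct approach: only envelope recipients this server is final for."""
    out = []
    for rcpt in envelope_rcpts:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in local_domains:
            out.append(rcpt.lower())
    return sorted(out)


def leaked_to(raw, envelope_rcpts, local_domains):
    """Addresses that get a notice under the broken approach but should not."""
    wanted = set(notice_recipients(envelope_rcpts, local_domains))
    return sorted(set(header_recipients(raw)) - wanted)


if __name__ == "__main__":
    print("header-based :", header_recipients(RAW))
    print("envelope-based:", notice_recipients(ENVELOPE_RCPTS, LOCAL_DOMAINS))
    print("sent in error :", leaked_to(RAW, ENVELOPE_RCPTS, LOCAL_DOMAINS))
```

With the header-based choice the notice goes back to the list address and to the Cc'd party, neither of which this server was asked to deliver to.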


Re: [SPAM-TAG] ENC: Take that!

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, March 8, 2005, 8:48:37 AM, Daniel Araujo wrote:

> People :

> We are receiving a lot of kind of messages like that. Any ideas to block
> this ?

> Thanks,
> Daniel.

Well among other things, the domain of the URI in the spam
is listed on 5 SURBLs:

> Content analysis details:   (14.1 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.4316]
>  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
>                             [cf: 100]
>  2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
>                             [URIs: dftphildeutschv.net]
>  0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
>                             [URIs: dftphildeutschv.net]
>  1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>                             [URIs: dftphildeutschv.net]
>  3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                             [URIs: dftphildeutschv.net]
>  4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>                             [URIs: dftphildeutschv.net]
>  0.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
> -1.2 AWL                    AWL: From: address is in the auto white-list

(It's on jp.surbl.org now too.)

Enable network tests.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
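
The advice above to enable network tests, worked through on the report from this thread as an added example that is not part of any poster's message: it splits the quoted score lines into rules that need network lookups and rules that do not. The prefix list used to classify the rules is an assumption made for this report.

```python
import re

# Rule lines copied from the SpamAssassin report quoted in this thread
# (most bracketed detail lines omitted for brevity).
REPORT = """\
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4316]
 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
 0.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
-1.2 AWL                    AWL: From: address is in the auto white-list
"""
REQUIRED = 5.0  # "5.0 required" in the report

# Assumption for this example: rules with these prefixes need DNS/network.
NET_PREFIXES = ("SPF_", "RAZOR2_", "URIBL_")
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s")


def parse_rules(report):
    """Return [(points, rule_name)], skipping bracketed continuation lines."""
    rules = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2)))
    return rules


def split_scores(rules):
    """Sum points separately for network-dependent and local-only rules."""
    net = sum(p for p, n in rules if n.startswith(NET_PREFIXES))
    local = sum(p for p, n in rules if not n.startswith(NET_PREFIXES))
    return round(net, 1), round(local, 1)


if __name__ == "__main__":
    net, local = split_scores(parse_rules(REPORT))
    print(f"network rules: {net:+.1f}  local rules: {local:+.1f}")
    print("tagged without network rules:", local >= REQUIRED)
```

SpamAssassin applies a different score set when network tests are off, so the local-only total here is an indication of where this message's points came from, not the exact score a non-network scan would report.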


Re: ENC: Take that!

Posted by Matt Kettler <mk...@evi-inc.com>.
At 11:48 AM 3/8/2005, Daniel A. de Araujo wrote:
>
>People :
>
>We are receiving a lot of kind of messages like that. Any ideas to block 
>this ?

SURBL did a great job on it here. You hit the AB, JP, OB, WS and SC URIBL 
lists with that message. It also hit razor. 

Re: ENC: Take that!

Posted by Dan Hollis <go...@anime.net>.
On Tue, 8 Mar 2005, Daniel A. de Araujo wrote:
> We are receiving a lot of kind of messages like that. Any ideas to block
> this ?

href resolves to ip in china -> block

-Dan