Posted to users@spamassassin.apache.org by Robert Nicholson <ro...@elastica.com> on 2006/08/08 05:34:32 UTC
Latest Network Upgrade not spam.
It seems the latest version of these isn't spam?
Are there any rules to mark MS attachments as SPAM?
From: kithkuqpnmodyz@advisor.com
Subject: Latest Network Upgrade
Date: August 5, 2006 9:55:10 PM CDT
To: customer-fzrnnfopg@advisor.com
X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1 Fuz2=1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
grub.camros.com
X-Spam-Level:
X-Spam-Status: No, score=0.2 required=0.6
tests=BAYES_50,HTML_MESSAGE, MIME_BASE64_NO_NAME autolearn=ham
version=3.1.1
Received: (qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
Received: from surfgate.starhub.net.sg (203.116.254.187) by
64.34.193.12 with DES-CBC3-SHA encrypted SMTP; 7 Aug 2006 13:14:38 -0000
Received: from imx2.starhub.net.sg (imx2.starhub.net.sg
[203.116.254.42]) by surfgate.starhub.net.sg (8.13.6+Sun/8.13.6) with
ESMTP id k763FTJC000782 for <ro...@elastica.com>; Sun, 6 Aug 2006
11:29:11 +0800 (SGT)
Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg
[203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP
id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43
+0800
Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with
ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for
robert@elastica.com; Sun, 06 Aug 2006 10:55:40 +0800 (SGT)
Date-Warning: Date header was inserted by kbsmtao2.starhub.net.sg
Message-Id: <0J...@kbsmtao2.starhub.net.sg>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Boundary_
(ID_fld50HgNZSb4ucD84dSJhA)"
X-Accept-Flag: Sender is Unknown
Lines: 2665
Re: Latest Network Upgrade not spam.
Posted by jdow <jd...@earthlink.net>.
From: "Robert Nicholson" <ro...@elastica.com>
> It seems the latest version of these isn't spam?
>
> Are there any rules to mark MS attachments as SPAM?
>
> From: kithkuqpnmodyz@advisor.com
> Subject: Latest Network Upgrade
> Date: August 5, 2006 9:55:10 PM CDT
> To: customer-fzrnnfopg@advisor.com
> X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1 Fuz2=1
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
> grub.camros.com
> X-Spam-Level:
> X-Spam-Status: No, score=0.2 required=0.6
> tests=BAYES_50,HTML_MESSAGE, MIME_BASE64_NO_NAME autolearn=ham
> version=3.1.1
> Received: (qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
> Received: from surfgate.starhub.net.sg (203.116.254.187) by
> 64.34.193.12 with DES-CBC3-SHA encrypted SMTP; 7 Aug 2006 13:14:38 -0000
> Received: from imx2.starhub.net.sg (imx2.starhub.net.sg
> [203.116.254.42]) by surfgate.starhub.net.sg (8.13.6+Sun/8.13.6) with
> ESMTP id k763FTJC000782 for <ro...@elastica.com>; Sun, 6 Aug 2006
> 11:29:11 +0800 (SGT)
> Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg
> [203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP
> id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43
> +0800
> Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg
> (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with
> ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for
> robert@elastica.com; Sun, 06 Aug 2006 10:55:40 +0800 (SGT)
> Date-Warning: Date header was inserted by kbsmtao2.starhub.net.sg
> Message-Id: <0J...@kbsmtao2.starhub.net.sg>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="Boundary_
> (ID_fld50HgNZSb4ucD84dSJhA)"
> X-Accept-Flag: Sender is Unknown
> Lines: 2665
Without some of the body I've no idea what would block these other
than DNS rules. And if you are one of the first to be attacked they
are often ineffective.

The originating address is from another .sg computer.
d121101.ppp121.cyberway.com.sg
So network rules might not even work.

One thing I notice that might be trapped upon is that these two headers
and the "To:" do not agree. But that is not a particularly strong
spam sign.
===8<---
> Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg
> [203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP
> id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43
> +0800
> Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg
> (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with
> ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for
===8<---
> To: customer-fzrnnfopg@advisor.com
===8<---
If you are not a member of advisor.com's mailing lists you could
simply blacklist them. If you are, you might want to generate a
specific rule trio that detects advisor.com for the purported
source and requires that it be ONLY from their address. That'd
be two rules and a meta rule to put them together. (I don't know
what would happen with a "blacklist_from" and a more specific
"whitelist_from_rcvd". Ideally that would do the trick. But I am
not sure it would.)
{^_^}
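
The "two rules and a meta rule" idea from the reply above, modelled in Python as an added example (not code from the thread and not SpamAssassin rule syntax). The relay suffix, the function names and the sample message are assumptions made for illustration, and the newest `Received` header that names a remote peer is assumed to have been written by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PURPORTED_DOMAIN = "advisor.com"
# Assumption: the real sender's relays resolve under this suffix (placeholder).
LEGIT_RELAY_SUFFIXES = (".advisor.com",)

# Matches "from NAME (RDNS [IP])", "from NAME ([IP])" and qmail's "from RDNS (IP)".
RELAY_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?(\[?)([\d.]+)\]?\)", re.I)

def from_is_purported(msg):
    """Sub-rule 1: the From: address claims the watched domain."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr.endswith("@" + PURPORTED_DOMAIN)

def boundary_relay(msg):
    """(host, ip) of the newest Received hop that names a remote peer."""
    for hop in msg.get_all("Received", []):
        m = RELAY_RE.search(" ".join(hop.split()))
        if m:
            name, rdns, bracket, ip = m.groups()
            # In the bracketed form NAME is the client's HELO, which it
            # chooses itself, so only the looked-up rDNS is used there.
            return (rdns or ("" if bracket else name)).lower(), ip
    return "", ""

def relay_is_legit(msg):
    """Sub-rule 2: that peer resolves to one of the sender's own hosts."""
    host, _ = boundary_relay(msg)
    return bool(host) and ("." + host).endswith(LEGIT_RELAY_SUFFIXES)

def forged_purported_sender(msg):
    """Meta rule: claims the domain but did not arrive from its hosts."""
    return from_is_purported(msg) and not relay_is_legit(msg)

# Constructed sample modelled on the headers in the thread (documentation IPs).
SAMPLE = """\
Received: (qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
Received: from relay.isp.example (192.0.2.10) by 198.51.100.5 with SMTP;
 7 Aug 2006 13:14:38 -0000
From: newsletter@advisor.com
To: customer-abc@advisor.com
Subject: Latest Network Upgrade

(body omitted)
"""

if __name__ == "__main__":
    print(forged_purported_sender(message_from_string(SAMPLE)))
```

The suffix comparison is anchored on a leading dot, so a lookalike host such as `mx.evil-advisor.com` does not satisfy sub-rule 2.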