Posted to users@spamassassin.apache.org by Robert Nicholson <ro...@elastica.com> on 2006/08/08 05:34:32 UTC

Latest Network Upgrade not spam.

It seems the latest version of these isn't spam?

Are there any rules to mark MS attachments as SPAM?

         From: 	  kithkuqpnmodyz@advisor.com
	Subject: 	Latest Network Upgrade
	Date: 	August 5, 2006 9:55:10 PM CDT
	To: 	  customer-fzrnnfopg@advisor.com
	X-Spam-Dcc: 	: grub.camros.com 1113; Body=1 Fuz1=1 Fuz2=1
	X-Spam-Checker-Version: 	SpamAssassin 3.1.1 (2006-03-10) on  
grub.camros.com
	X-Spam-Level: 	
	X-Spam-Status: 	No, score=0.2 required=0.6  
tests=BAYES_50,HTML_MESSAGE, MIME_BASE64_NO_NAME autolearn=ham  
version=3.1.1
	Received: 	(qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
	Received: 	from surfgate.starhub.net.sg (203.116.254.187) by  
64.34.193.12 with DES-CBC3-SHA encrypted SMTP; 7 Aug 2006 13:14:38 -0000
	Received: 	from imx2.starhub.net.sg (imx2.starhub.net.sg  
[203.116.254.42]) by surfgate.starhub.net.sg (8.13.6+Sun/8.13.6) with  
ESMTP id k763FTJC000782 for <ro...@elastica.com>; Sun, 6 Aug 2006  
11:29:11 +0800 (SGT)
	Received: 	from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg  
[203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP  
id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43  
+0800
	Received: 	from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg  
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with  
ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for  
robert@elastica.com; Sun, 06 Aug 2006 10:55:40 +0800 (SGT)
	Date-Warning: 	Date header was inserted by kbsmtao2.starhub.net.sg
	Message-Id: 	<0J...@kbsmtao2.starhub.net.sg>
	Mime-Version: 	1.0
	Content-Type: 	multipart/mixed; boundary="Boundary_ 
(ID_fld50HgNZSb4ucD84dSJhA)"
	X-Accept-Flag: 	Sender is Unknown
	Lines: 	2665

Re: Latest Network Upgrade not spam.

Posted by jdow <jd...@earthlink.net>.
From: "Robert Nicholson" <ro...@elastica.com>

> It seems the latest version of these isn't spam?
> 
> Are there any rules to mark MS attachments as SPAM?
> 
>         From:   kithkuqpnmodyz@advisor.com
> Subject: Latest Network Upgrade
> Date: August 5, 2006 9:55:10 PM CDT
> To:   customer-fzrnnfopg@advisor.com
> X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1 Fuz2=1
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on  
> grub.camros.com
> X-Spam-Level: 
> X-Spam-Status: No, score=0.2 required=0.6  
> tests=BAYES_50,HTML_MESSAGE, MIME_BASE64_NO_NAME autolearn=ham  
> version=3.1.1
> Received: (qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
> Received: from surfgate.starhub.net.sg (203.116.254.187) by  
> 64.34.193.12 with DES-CBC3-SHA encrypted SMTP; 7 Aug 2006 13:14:38 -0000
> Received: from imx2.starhub.net.sg (imx2.starhub.net.sg  
> [203.116.254.42]) by surfgate.starhub.net.sg (8.13.6+Sun/8.13.6) with  
> ESMTP id k763FTJC000782 for <ro...@elastica.com>; Sun, 6 Aug 2006  
> 11:29:11 +0800 (SGT)
> Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg  
> [203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP  
> id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43  
> +0800
> Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg  
> (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with  
> ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for  
> robert@elastica.com; Sun, 06 Aug 2006 10:55:40 +0800 (SGT)
> Date-Warning: Date header was inserted by kbsmtao2.starhub.net.sg
> Message-Id: <0J...@kbsmtao2.starhub.net.sg>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="Boundary_ 
> (ID_fld50HgNZSb4ucD84dSJhA)"
> X-Accept-Flag: Sender is Unknown
> Lines: 2665

Without some of the body I've no idea what would block these other
than DNS rules. And if you are one of the first to be attacked they
are often ineffective.

The originating address is from another .sg computer.
d121101.ppp121.cyberway.com.sg

So network rules might not even work.

One thing I notice that might be trapped upon is that these two headers
and the "To:" do not agree. But that is not a particularly strong
spam sign.
===8<---
> Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg  
> [203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP  
> id k762oex0025517 for <ro...@elastica.com>; Sun, 6 Aug 2006 10:50:43  
> +0800
> Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg  
> (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with  
> ESMTPP id <0J...@kbsmtao2.starhub.net.sg> for  
===8<---
> To:   customer-fzrnnfopg@advisor.com
===8<---

If you are not a member of advisor.com's mailing lists you could
simply blacklist them. If you are, you might want to generate a
specific rule trio that detects advisor.com for the purported
source and requires that it be ONLY from their address. That'd
be two rules and a meta rule to put them together. (I don't know
what would happen with a "blacklist_from" and a more specific
"whitelist_from_rcvd". Ideally that would do the trick. But I am
not sure it would.)

{^_^}
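
The "two rules and a meta rule" suggested in the reply above could look like the following SpamAssassin `local.cf` fragment. This is an added example, not part of the original posts. The rule names, the score, and the assumption that genuine advisor.com mail reaches you from a relay whose reverse DNS is inside advisor.com are all hypothetical.

```conf
# Sub-rule 1 (unscored, "__" prefix): the From: address claims advisor.com.
header   __LOCAL_FROM_ADVISOR  From:addr =~ /\@advisor\.com$/i

# Sub-rule 2 (unscored): the first external relay, i.e. the host that handed
# the message to your own trusted servers, has reverse DNS inside advisor.com.
# X-Spam-Relays-External is a pseudo-header SpamAssassin builds from the
# Received: chain; its first entry starts "[ ip=... rdns=... helo=... ".
# ASSUMPTION: real advisor.com mail arrives directly from such a host.
header   __LOCAL_RCVD_ADVISOR  X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=(?:\S+\.)?advisor\.com /i

# Meta rule: claims to be from advisor.com but was not relayed by them.
meta     LOCAL_ADVISOR_FORGED  (__LOCAL_FROM_ADVISOR && !__LOCAL_RCVD_ADVISOR)
describe LOCAL_ADVISOR_FORGED  From advisor.com but not relayed by an advisor.com host

# Constructed score; pick a value relative to your own required_score.
score    LOCAL_ADVISOR_FORGED  2.0
```

The relay pseudo-header is only meaningful when `trusted_networks` and `internal_networks` describe your own forwarding hosts correctly; run `spamassassin --lint` after adding the rules to catch syntax errors.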