You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/04/18 20:44:05 UTC

[Bug 4266] New: nonsense spam with "GIF" attachment

http://bugzilla.spamassassin.org/show_bug.cgi?id=4266

           Summary: nonsense spam with "GIF" attachment
           Product: Spamassassin
           Version: 2.60
          Platform: Other
               URL: unknown
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: spamassassin
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: info@oil4lessllc.com


Indicator of obvious spam: short nonsense message in HTML with GIF attachment
(may have a virus in GIF).
  We get a lot of these and have yet to see a false positive.
  We have not analyzed the attachment to see if it is a true GIF or has a virus
or other hidden malware.

--------------------- copy of headers ------------------
Return-Path: <up...@yahoo.com>
X-Original-To: sales@oil4lessllc.com
Delivered-To: oil4less@ms2.whiz.to
Received: from CC4-24.207.138.111.charter-stl.com
(CC4-24.207.138.111.charter-stl.com [24.207.138.111])
     by ms2.whiz.to (Postfix) with SMTP id 60773BA7BD
     for <sa...@oil4lessllc.com>; Mon, 18 Apr 2005 06:38:01 -0700 (PDT)
FCC: mailbox://uprhw@yahoo.com/Sent
X-Identity-Key: id1
Date: Mon, 18 Apr 2005 09:36:04 -0500
From: Rodrick Duncan <up...@yahoo.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: sales@oil4lessllc.com
Subject: Re [18]:
Content-Type: multipart/related;
     boundary="------------080804060508060704050009"
Message-Id: <20...@ms2.whiz.to>
X-Spam-Checker-Version: SpamAssassin 2.60-rc5 (1.205-2003-09-16-exp) on
     ms2.whiz.to
X-Spam-Level: ********
X-Spam-Status: No, hits=8.0 required=10.0 tests=FORGED_YAHOO_RCVD,HTML_60_70,
     HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
     MIME_BASE64_ILLEGAL,MIME_HTML_ONLY,MSGID_FROM_MTA_SHORT autolearn=no
     version=2.60-rc5

---------------------------- Original Message ----------------------------
Subject: Re [18]:
From:    "Rodrick Duncan" <up...@yahoo.com>
Date:    Mon, April 18, 2005 7:36 am
To:      sales@oil4lessllc.com
--------------------------------------------------------------------------

<html><head><meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"></head><body bgcolor="#FFFFF3" text="#82C2B0"><p><a
href="http://murna.com"><IMG
SRC="cid:part1.07020303.02000803@jslpbjhm@hotmail.com" border="0"
ALT=""></a></p><p><font color="#FFFFFF">Sterling Marlin Mariah Carey city
name Or  it's beautiful</font></p><p><font color="#FFFFF1">have got The
Olympics</font></p></body></html>



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4266] nonsense spam with "GIF" attachment

Posted by bu...@bugzilla.spamassassin.org.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4266





------- Additional Comments From tech2@i-is.com  2005-04-18 14:11 -------
Hello,
This message scored 8.0 according to your X-Spam-Status line.  I recommend
closing this ticket, there are already rules like HTML_IMAGE_ONLY_02 which
identify this spam.  Your system has it's threshold set at 10.0, the default
threshold is 5.0, if you hadn't tweaked that aspect of your setup, this message
would have been marked as spam.
P.S.  Never paste your spam into bugzilla, please use an attachment and only if
you are requested to do so.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4266] nonsense spam with "GIF" attachment

Posted by bu...@bugzilla.spamassassin.org.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4266


henry@stern.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From henry@stern.ca  2005-04-18 14:31 -------
Message is correctly classified with wide variety of rule hits.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4266] nonsense spam with "GIF" attachment

Posted by bu...@bugzilla.spamassassin.org.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4266





------- Additional Comments From jm@jmason.org  2005-04-18 15:44 -------
agreed with Fred and Henry.

PS: I would suggest that if you have increased the threshold and then notice
false negatives (spam getting through), the correct response is to either (a)
lower the threshold again or (b) raise the score on rules you judge to be reliable.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.