Posted to users@spamassassin.apache.org by Craig Baird <cr...@xpressweb.com> on 2005/05/05 06:21:11 UTC

Content type allowing spammers to evade URIBL

Today, I've received a number of spams containing a domain that is listed on 
almost all the SURBL lists.  I've received around 10 of these today, and none 
of them have hit on any of the SURBLs despite the domain being listed.  Here 
is the message:

---  Begin Spam  ---

Return-Path: <ww...@rocketmail.com>
X-Original-To: blah@example.com
Delivered-To: blah@example.com
Received: from localhost (unknown [127.0.0.1])
	by smtp.example.com (Postfix) with ESMTP id 120A626109D1;
	Wed,  4 May 2005 19:56:58 -0600 (MDT)
Received: from smtp.example.com ([127.0.0.1])
 by localhost (smtp.example.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 10856-05; Wed,  4 May 2005 19:56:57 -0600 (MDT)
Received: from ?rediffmail.com (c911beed.bhz.virtua.com.br [201.17.190.237])
	by smtp.example.com (Postfix) with ESMTP id 8DBA526107D0;
	Wed,  4 May 2005 17:57:54 -0600 (MDT)
Reply-To: "Elizabeth" <ww...@rocketmail.com>
From: "Elizabeth" <ww...@rocketmail.com>
To: <bl...@example.com>
Subject: Find HOT girls in your area...
Date: Wed, 04 May 2005 19:58:01 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--09-5[5]-3237-7[3]-087[3]"
Message-Id: <20...@smtp.exmaple.com>
X-Virus-Scanned: by amavisd-new at example.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sa1.example.com
X-Spam-Status: No, score=1.7 required=7.0 tests=BAYES_50,MSGID_FROM_MTA_ID 
	autolearn=no version=3.0.2
X-Spam-Level: *


----09-5[5]-3237-7[3]-087[3]
Content-Type: ;text/plain;
Content-Transfer-Encoding: 7Bit

No playing games, get laid plain n simple.
All discreet , All the pleasure.
See it now below.

http://www.letmeseethelight.com/d/index.html





Nah
http://www.letmeseethelight.com/gone

----09-5[5]-3237-7[3]-087[3]--

--- End Spam ---

If you'll notice, the content type is shown as ";text/plain;".  It seems that 
the semicolons are causing Spamassassin not to parse the mail properly.  If I 
run the message through SA as-is, it hits on no SURBLs.  However, if I remove 
the semicolons, and run it again, it hits on all the SURBLs.  Needless to say, 
it would seem some sneaky spammer has found another loophole...

Craig

Re: Content type allowing spammers to evade URIBL

Posted by Loren Wilton <lw...@earthlink.net>.
I believe someone noticed this yesterday and submitted a bug against it.

That still leaves the problem of existing systems that are open to this
attack.  Probably a quick rule to check for that header and add 10 points or
so would be a good idea.

        Loren

----- Original Message ----- 
From: "Craig Baird" <cr...@xpressweb.com>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, May 04, 2005 9:21 PM
Subject: Content type allowing spammers to evade URIBL


> Today, I've received a number of spams containing a domain that is listed on
> almost all the SURBL lists.  I've received around 10 of these today, and none
> of them have hit on any of the SURBLs despite the domain being listed.  Here
> is the message:
>
[...]
> ----09-5[5]-3237-7[3]-087[3]
> Content-Type: ;text/plain;
> Content-Transfer-Encoding: 7Bit
[...]
>
> If you'll notice, the content type is shown as ";text/plain;".  It seems that
> the semicolons are causing Spamassassin not to parse the mail properly.  If I
> run the message through SA as-is, it hits on no SURBLs.  However, if I remove
> the semicolons, and run it again, it hits on all the SURBLs.  Needless to say,
> it would seem some sneaky spammer has found another loophole...
>
> Craig
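Craig's observation (a part header of ";text/plain;" makes the URI check miss a listed domain) and Loren's suggested header rule, as an added Python example. This is not code from the thread, from SpamAssassin, or from the bug fix; it only illustrates the failure mode. The message it parses is a constructed reduction of the posted spam (same malformed part header, same two URIs, envelope headers dropped); the "literal" and "tolerant" Content-Type parsers are my own, the `multi.surbl.org` zone name and the "last two labels are the registrable domain" shortcut in `surbl_queries` are assumptions, and `malformed_content_type_parts` is one way to implement the check Loren describes.

```python
"""Added example (not from the thread or SpamAssassin).

A parser that takes the token before the first ';' literally sees an empty
media type in 'Content-Type: ;text/plain;', treats the part as non-text,
and never extracts its URIs, so no domain reaches the SURBL lookup.  A
tolerant parse finds the media type anyway (or falls back to the RFC 2045
default of text/plain) and recovers them.  The last function is the kind
of check Loren suggests: flag any part whose Content-Type does not start
with a type/subtype token.
"""
import email
import re
from urllib.parse import urlsplit

# Constructed reduction of the spam posted in the thread.
SAMPLE = """\
Subject: Find HOT girls in your area...
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--09-5[5]-3237-7[3]-087[3]"

----09-5[5]-3237-7[3]-087[3]
Content-Type: ;text/plain;
Content-Transfer-Encoding: 7Bit

See it now below.

http://www.letmeseethelight.com/d/index.html

Nah
http://www.letmeseethelight.com/gone

----09-5[5]-3237-7[3]-087[3]--
"""

MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def content_type_literal(raw):
    """Trust the header: the media type is whatever precedes the first ';'.
    For ';text/plain;' that is the empty string."""
    return raw.partition(";")[0].strip().lower()


def content_type_tolerant(raw):
    """Skip empty and parameter tokens, take the first type/subtype token
    found anywhere in the value, and default to text/plain if there is none."""
    for token in raw.split(";"):
        token = token.strip().lower()
        if MEDIA_TYPE.fullmatch(token):
            return token
    return "text/plain"


def extract_uris(raw_message, content_type):
    """Collect URIs from every text/* part, deciding what counts as text with
    the given Content-Type parser.  Non-text parts are skipped, the way a
    URI scanner skips a binary attachment."""
    msg = email.message_from_string(raw_message)
    uris = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if not content_type(part.get("Content-Type", "")).startswith("text/"):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        uris.extend(URI_RE.findall(body))
    return uris


def surbl_queries(uris, zone="multi.surbl.org"):
    """Form the DNS names a SURBL lookup would query for the extracted URIs.
    Assumptions: the 'multi' zone, and that the registrable domain is the
    last two labels (a real lookup consults SURBL's multi-level TLD lists)."""
    names = set()
    for uri in uris:
        labels = (urlsplit(uri).hostname or "").lower().split(".")
        if len(labels) >= 2:
            names.add(".".join(labels[-2:]) + "." + zone)
    return sorted(names)


def malformed_content_type_parts(raw_message):
    """Loren's suggested check: return the raw Content-Type of every MIME part
    (top level included) whose value does not begin with a type/subtype."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        raw = part.get("Content-Type")
        if raw is not None and not MEDIA_TYPE.fullmatch(content_type_literal(raw)):
            hits.append(raw.strip())
    return hits


if __name__ == "__main__":
    for name, parser in (("literal", content_type_literal),
                         ("tolerant", content_type_tolerant)):
        found = extract_uris(SAMPLE, parser)
        print(f"{name:8} parse: {found} -> queries {surbl_queries(found)}")
    print("malformed Content-Type parts:", malformed_content_type_parts(SAMPLE))
```

Two things to take from it when writing a scoring rule for this: the malformed header sits on the MIME part, not on the top-level message, so the check has to walk the parts rather than look only at the message's own Content-Type; and the tolerant fallback here is a local workaround for illustration, not a description of how SpamAssassin itself resolved the bug referenced elsewhere in this thread.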


Re: [SPAM-TAG] Re: [SPAM-TAG] Content type allowing spammers to evade URIBL

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, May 5, 2005, 12:10:32 AM, Jeff Chan wrote:
> On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote:
>> Today, I've received a number of spams containing a domain that is listed on 
>> almost all the SURBL lists.  I've received around 10 of these today, and none 
>> of them have hit on any of the SURBLs despite the domain being listed.  Here 
>> is the message:

[...]
>> ----09-5[5]-3237-7[3]-087[3]
>> Content-Type: ;text/plain;

[...]

>> If you'll notice, the content type is shown as ";text/plain;".  It seems that 
>> the semicolons are causing Spamassassin not to parse the mail properly.  If I 
>> run the message through SA as-is, it hits on no SURBLs.  However, if I remove 
>> the semicolons, and run it again, it hits on all the SURBLs.  Needless to say, 
>> it would seem some sneaky spammer has found another loophole...

>> Craig

> SA devs, should this get a bugzilla?

> Jeff C.

BTW I can duplicate Craig's results.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [SPAM-TAG] Content type allowing spammers to evade URIBL

Posted by Theo Van Dinter <fe...@kluge.net>.
On Thu, May 05, 2005 at 12:10:32AM -0700, Jeff Chan wrote:
> > If you'll notice, the content type is shown as ";text/plain;".  It seems that 
> > the semicolons are causing Spamassassin not to parse the mail properly.  If I 
[...]
> SA devs, should this get a bugzilla?

Already do:

http://bugzilla.spamassassin.org/show_bug.cgi?id=4298

-- 
Randomly Generated Tagline:
Marge, let's end this feudin' and a-fussin' and get down to some lovin'.
 
 		-- Homer Simpson
 		   Colonel Homer

Re: [SPAM-TAG] Content type allowing spammers to evade URIBL

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote:
> Today, I've received a number of spams containing a domain that is listed on 
> almost all the SURBL lists.  I've received around 10 of these today, and none 
> of them have hit on any of the SURBLs despite the domain being listed.  Here 
> is the message:

[...]
> ----09-5[5]-3237-7[3]-087[3]
> Content-Type: ;text/plain;
> Content-Transfer-Encoding: 7Bit
[...]

> If you'll notice, the content type is shown as ";text/plain;".  It seems that 
> the semicolons are causing Spamassassin not to parse the mail properly.  If I 
> run the message through SA as-is, it hits on no SURBLs.  However, if I remove 
> the semicolons, and run it again, it hits on all the SURBLs.  Needless to say, 
> it would seem some sneaky spammer has found another loophole...

> Craig

SA devs, should this get a bugzilla?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/