You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Jeff Chan <je...@surbl.org> on 2005/05/05 09:10:32 UTC
Re: [SPAM-TAG] Content type allowing spammers to evade URIBL
On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote:
> Today, I've received a number of spams containing a domain that is listed on
> almost all the SURBL lists. I've recieved around 10 of these today, and none
> of them have hit on any of the SURBLs despite the domain being listed. Here
> is the message:
> --- Begin Spam ---
> Return-Path: <ww...@rocketmail.com>
> X-Original-To: blah@example.com
> Delivered-To: blah@example.com
> Received: from localhost (unknown [127.0.0.1])
> by smtp.example.com (Postfix) with ESMTP id 120A626109D1;
> Wed, 4 May 2005 19:56:58 -0600 (MDT)
> Received: from smtp.example.com ([127.0.0.1])
> by localhost (smtp.example.com [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id 10856-05; Wed, 4 May 2005 19:56:57 -0600 (MDT)
> Received: from ?rediffmail.com (c911beed.bhz.virtua.com.br [201.17.190.237])
> by smtp.example.com (Postfix) with ESMTP id 8DBA526107D0;
> Wed, 4 May 2005 17:57:54 -0600 (MDT)
> Reply-To: "Elizabeth" <ww...@rocketmail.com>
> From: "Elizabeth" <ww...@rocketmail.com>
> To: <bl...@example.com>
> Subject: Find HOT girls in your area...
> Date: Wed, 04 May 2005 19:58:01 -0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--09-5[5]-3237-7[3]-087[3]"
> Message-Id: <20...@smtp.exmaple.com>
> X-Virus-Scanned: by amavisd-new at example.com
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sa1.example.com
> X-Spam-Status: No, score=1.7 required=7.0 tests=BAYES_50,MSGID_FROM_MTA_ID
> autolearn=no version=3.0.2
> X-Spam-Level: *
> ----09-5[5]-3237-7[3]-087[3]
> Content-Type: ;text/plain;
> Content-Transfer-Encoding: 7Bit
> No playing games, get laid plain n simple.
> All discreet , All the pleasure.
> See it now below.
> http://www.letmeseethelight.com/d/index.html
> Nah
> http://www.letmeseethelight.com/gone
> ----09-5[5]-3237-7[3]-087[3]--
> --- End Spam ---
> If you'll notice, the content type is shown as ";text/plain;". It seems that
> the semicolons are causing Spamassassin not to parse the mail properly. If I
> run the message through SA as-is, it hits on no SURBLs. However, if I remove
> the semicolons, and run it again, it hits on all the SURBLs. Needless to say,
> it would seem some sneaky spammer has found another loophole...
> Craig
SA devs, should this get a bugzilla?
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: [SPAM-TAG] Re: [SPAM-TAG] Content type allowing spammers to evade URIBL
Posted by Jeff Chan <je...@surbl.org>.
On Thursday, May 5, 2005, 12:10:32 AM, Jeff Chan wrote:
> On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote:
>> Today, I've received a number of spams containing a domain that is listed on
>> almost all the SURBL lists. I've recieved around 10 of these today, and none
>> of them have hit on any of the SURBLs despite the domain being listed. Here
>> is the message:
[...]
>> ----09-5[5]-3237-7[3]-087[3]
>> Content-Type: ;text/plain;
[...]
>> If you'll notice, the content type is shown as ";text/plain;". It seems that
>> the semicolons are causing Spamassassin not to parse the mail properly. If I
>> run the message through SA as-is, it hits on no SURBLs. However, if I remove
>> the semicolons, and run it again, it hits on all the SURBLs. Needless to say,
>> it would seem some sneaky spammer has found another loophole...
>> Craig
> SA devs, should this get a bugzilla?
> Jeff C.
BTW I can duplicate Craig's results.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: [SPAM-TAG] Content type allowing spammers to evade URIBL
Posted by Theo Van Dinter <fe...@kluge.net>.
On Thu, May 05, 2005 at 12:10:32AM -0700, Jeff Chan wrote:
> > If you'll notice, the content type is shown as ";text/plain;". It seems that
> > the semicolons are causing Spamassassin not to parse the mail properly. If I
[...]
> SA devs, should this get a bugzilla?
Already do:
http://bugzilla.spamassassin.org/show_bug.cgi?id=4298
--
Randomly Generated Tagline:
Marge, let's end this feudin' and a-fussin' and get down to some lovin'.
-- Homer Simpson
Colonel Homer