At 14:45 2005-09-02 -0400, Louis Proyect wrote:
> I have just received 2 emails that snuck through the recipe that Gary
> supplied. The header and body for one of them can be found at:
> http://www.columbia.edu/~lnp3/base64spam.htm
> Any suggestions on how to drive a stake through its heart?
Received headers like this one are suspect:
Received: from midcoast.com (unknown [218.49.49.226])
by mail1.panix.com (Postfix) with ESMTP id B19EE58B29;
Fri, 2 Sep 2005 14:09:34 -0400 (EDT)
* ^Received:.*\(unknown
There are also only two received headers, both created by Panix servers
(presumably the first receives it from the outside world, filters it, then
passes it along to an internal server for user delivery). If it isn't FROM
a panix user (or domain hosted by panix), then deduct every header showing
panix as the received BY server. If you're left with 0, then there's
something wrong - even a legit web-generated message from some website
should be relaying the message through their OWN smtp server before passing
it along to yours.
On the body:
Content-Type: text/html;
charset="big5"
Content-Transfer-Encoding: base64
'big5' is an Asian encoding. Unless you read some Asian language, chances
are, this is a BS message for you. See the "furrin.rc" script I have
published at my website (and for this particular type of spam, note the
comment about using the HB flags).
I also score text/html (ONLY), and multipart/alternative with a "spammishness".
There's also a disparity between the date on the message and the actual
date it was received: sent 7pm last night GMT, but received
All of these factors have been discussed on this list in the
past. Ultimately, the worst thing you can do for spam filtering is try to
customize ONE recipe to catch a spam, or use just one set of conditions to
identify something as spam. Accumulating a running score of iffy factors
(which is what a SpamAssassin score is - the total value assigned to the
various attributes) has proven effective for many, myself included. Heck,
one of those attributes is merely that too many attributes were matched -
thus a number of otherwise piddly issues will still classify a message as
spam, even if the total score for those piddly issues wouldn't have.
I don't classify something as spam based on just one attribute (okay, there
are some attributes which score high enough on their own to classify
something as spam, but I also have offsets - some mailing lists such as
this one for instance which often discuss spam, receive a credit).
Consider SAVING your spam. Also, SA has a "learning" capability - contact
your ISP and see where you should be forwarding stuff which has gotten by
it, but which is definitely spam (DO NOT AUTOMATE SUBMISSIONS!).
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
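Sean's advice above, accumulating a score from several weak signals rather than writing one recipe per spam, as an added example that is not part of the original post and not procmail's or SpamAssassin's own code: a small Python scorer over the header features he names (a Received hop stamped "(unknown", zero hops outside our own servers for mail from outside, an Asian charset, an HTML-only or multipart/alternative body, base64 encoding, a large gap between the Date: header and the receiving stamp), plus the "too many attributes matched" bonus and a credit for a trusted mailing list. The weights, threshold, domain names and both sample messages are constructed assumptions.

```python
"""Additive spam scoring over message headers: no single test decides,
each "iffy" attribute adds to a running score and a threshold decides.
Weights, domains and sample messages below are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

OWN_DOMAINS = ("example.net",)                        # assumption: our own MX domains
TRUSTED_LISTS = ("procmail-list.lists.example.org",)  # assumption: lists that earn a credit
ASIAN_CHARSETS = {"big5", "gb2312", "gbk", "euc-kr", "iso-2022-jp", "shift_jis"}
THRESHOLD = 5.0   # assumed spam threshold
MANY_HITS = 4     # "too many attributes matched" bonus starts here

# Constructed sample modelled on the headers quoted in the post; hosts and
# addresses are documentation placeholders, not real ones.
SPAM_SAMPLE = """Received: from mail1.example.net (mail1.example.net [192.0.2.10])
    by mail2.example.net (Postfix) with ESMTP id 0000000001
    for <user@example.net>; Fri, 2 Sep 2005 14:09:35 -0400 (EDT)
Received: from midcoast.example (unknown [192.0.2.99])
    by mail1.example.net (Postfix) with ESMTP id 0000000000;
    Fri, 2 Sep 2005 14:09:34 -0400 (EDT)
From: someone@midcoast.example
To: user@example.net
Date: Thu, 1 Sep 2005 19:00:00 +0000
Subject: hello
Content-Type: text/html; charset="big5"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
"""

# Constructed legitimate list post: relayed by the list's own server first.
HAM_SAMPLE = """Received: from lists.example.org (lists.example.org [198.51.100.5])
    by mail1.example.net (Postfix) with ESMTP id 0000000002;
    Fri, 2 Sep 2005 14:20:00 -0400 (EDT)
Received: from workstation.example.org (workstation.example.org [198.51.100.7])
    by lists.example.org (Postfix) with ESMTP id 0000000003;
    Fri, 2 Sep 2005 14:19:50 -0400 (EDT)
From: poster@example.org
To: procmail-list@lists.example.org
List-Id: <procmail-list.lists.example.org>
Date: Fri, 2 Sep 2005 14:19:40 -0400
Subject: Re: scoring
Content-Type: text/plain; charset="us-ascii"

plain text body
"""


def received_hops(msg):
    """Received headers, most recent first, folding whitespace collapsed."""
    return [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]


def by_host(hop):
    m = re.search(r"\bby\s+([\w.-]+)", hop)
    return m.group(1).lower() if m else ""


def is_own_host(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def sender_is_local(msg):
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return is_own_host(domain)


def external_hops(msg):
    """Hops whose receiving ("by") server is not ours.  Outside mail that
    leaves zero such hops never passed through the sender's own relay."""
    return [h for h in received_hops(msg) if not is_own_host(by_host(h))]


def hop_date(hop):
    """Timestamp of a Received hop: the text after the last ';'."""
    stamp = hop.rsplit(";", 1)[-1]
    stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp).strip()  # drop trailing "(EDT)"
    return parsedate_to_datetime(stamp)


def date_skew_hours(msg):
    """Hours between the sender's Date: and the stamp our MX put on it."""
    hops = received_hops(msg)
    if not hops or not msg.get("Date"):
        return 0.0
    try:
        delta = hop_date(hops[0]) - parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return 0.0
    return abs(delta.total_seconds()) / 3600.0


RULES = [  # (name, weight, predicate); weights are constructed assumptions
    ("received_unknown", 2.0, lambda m: any(re.search(r"\(unknown\b", h) for h in received_hops(m))),
    ("no_external_hop", 3.0, lambda m: not sender_is_local(m) and not external_hops(m)),
    ("asian_charset", 2.5, lambda m: (m.get_content_charset() or "") in ASIAN_CHARSETS),
    ("html_or_alternative", 1.0, lambda m: m.get_content_type() in ("text/html", "multipart/alternative")),
    ("base64_body", 0.5, lambda m: m.get("Content-Transfer-Encoding", "").strip().lower() == "base64"),
    ("date_skew", 1.5, lambda m: date_skew_hours(m) > 12),
]
CREDITS = [  # offsets for mail that legitimately discusses spam
    ("trusted_list", -3.0, lambda m: re.sub(r"[<>\s]", "", m.get("List-Id", "")).lower() in TRUSTED_LISTS),
]


def score_message(raw):
    """Return the running score, the attributes that fired, and the verdict."""
    msg = message_from_string(raw)
    hits = [name for name, _, pred in RULES if pred(msg)]
    score = sum(w for name, w, _ in RULES if name in hits)
    if len(hits) >= MANY_HITS:          # many piddly issues together still count
        hits.append("many_hits")
        score += 1.0
    for name, w, pred in CREDITS:
        if pred(msg):
            hits.append(name)
            score += w
    return {"score": score, "hits": hits, "is_spam": score >= THRESHOLD}


if __name__ == "__main__":
    for label, raw in (("spam sample", SPAM_SAMPLE), ("ham sample", HAM_SAMPLE)):
        print(label, score_message(raw))
```

The constructed spam sample trips all six rules and the many-hits bonus, while the list post earns a credit and fires nothing; lowering any single weight would not change either verdict, which is the point of scoring over one-recipe-per-spam.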