Mailing List Archive

Logo spams
Hello,

I get tons of these "We will create your Logo" spams. They all get through
with a very low, if not zero, rating. The from addresses are always
different. The Subject and Body are mixed up and spaced out, but they all
follow the same trend, a sales pitch to design a company logo. Below is an
example of the body of one of these emails.

Does anyone have a rule that can stop this crap business from sending these?
I can't be the only one getting these.

Thanks IA


--snip--

Low cost logo templates

Do you need a guality yet inexpensive logo? Ready-Made Logos offer high
quality logo tempIates for onIy $49.95. You can choose from plenty of qreat
desiqns, and have your logo ready for use the same moment .Your new Iogo can
be immediately downIoaded in editable source files that are suitable for
your business cards ,website and print ads. The only thing you will need to
do is type in your company name. If you experience difficulties using these
programs or need to slightly modify the design, we will be happy to
personalize your new logo.

Ready-Made Logos is the smart choice for SOHO companies, non-profit
websites, corporate events, and business plans. It is also an unique
opportunity to get some extra cash for business formation consultants,
marketing agencies, web hosters & designers, domain registrars, commercial
printers, and anyone with a business-related website, which may need
professional yet affordable logos for their customers.

Get your business logo right now!

Lahoma Acevedo
Get your business logo right now!


--snip--
RE: Logo spams [ In reply to ]
MIKE YRABEDRA Sent: Sunday, February 08, 2004 5:42 AM

> I get tons of these "We will create your Logo" spams. They all get through
> with a very low, if not zero, rating.

I was getting a ton of these too. Haven't seen any for a few days. I had been
making rules for the domains referenced in the emails... sort of a local
addition to BigEvil. Two that I know I found were snapshut.info and
conta.info.

Anyone else come up with better rules for blocking these? They seem to
change URLs a lot.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: Logo spams [ In reply to ]
We're still seeing a lot of these even with BigEvil, RBLs etc.

Has anybody found a "cure" before our CTO deep sixes the rest of Asia?

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: Colin A. Bartlett [mailto:spamassassin@colinabartlett.com]
> Sent: 09 February 2004 12:01
> To: MIKE YRABEDRA; SATalk
> Subject: RE: Logo spams
>
>
> MIKE YRABEDRA Sent: Sunday, February 08, 2004 5:42 AM
>
> > I get tons of these "We will create your Logo" spams. They all get through
> > with a very low, if not zero, rating.
>
> I was getting a ton of these too. Haven't seen any for a few days. I had been
> making rules for the domains referenced in the emails... sort of a local
> addition to BigEvil. Two that I know I found were snapshut.info and
> conta.info.
>
> Anyone else come up with better rules for blocking these? They seem to
> change URLs a lot.
>
> cheers,
> Colin
>
> Colin A. Bartlett
> Kinetic Web Solutions
> www.kineticweb.biz
>
RE: Logo spams [ In reply to ]
I'm starting to think that only spammers use the following sorts of
headers:

X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - onsitemail.com
X-AntiAbuse: Original Domain - onsitemail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -

I haven't got a corpus to throw a test for the "X-AntiAbuse" header at.
Anyone like to check it?

Otherwise a simple header rule to get the subject will kill it.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Michele Neylon :: Blacknight Solutions
> [mailto:michele@blacknightsolutions.com]
> Sent: 23 February 2004 17:48
> To: Colin A. Bartlett; MIKE YRABEDRA; SATalk
> Subject: RE: Logo spams
>
>
> We're still seeing a lot of these even with BigEvil, RBLs etc.
>
> Has anybody found a "cure" before our CTO deep sixes the rest of Asia?
>
> Mr. Michele Neylon
> Blacknight Internet Solutions Ltd
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> Tel. + 353 (0)59 9137101
> Lowest price domains in Ireland
>
Re: Logo spams [ In reply to ]
Randal, Phil <prandal@herefordshire.gov.uk> wrote:
> I'm starting to think that only spammers use the following
> sorts of headers:
>
> X-AntiAbuse: This header was added to track abuse, please
> include it with any abuse report
> X-AntiAbuse: Primary Hostname - onsitemail.com
> X-AntiAbuse: Original Domain - onsitemail.com
> X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> X-AntiAbuse: Sender Address Domain -

Won't (and if not, why?) bayes pick these up?

- Bob
RE: Logo spams [ In reply to ]
We got a score of 5.92:

5.40 BAYES_99 Bayesian spam probability is 99 to 100%
0.29 DNS_FROM_RFCI_DSN From: sender listed in dsn.rfc-ignorant.org
0.10 HTML_MESSAGE HTML included in message
0.05 LG_4C_2V_3C Gibberish found?
0.00 RM_rb_ANCHOR Testing for HTML end of anchor in emails
0.00 RM_rb_BODY Testing for HTML BODY in emails
0.00 RM_rb_BREAK Testing for HTML Break in emails
0.00 RM_rb_HTML Testing for HTML tag in emails
0.08 TW_OQ Odd Letter Triples with OQ

Loads of ham use the X-AntiAbuse headers, but there might be one subset
which is spam-only.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Bob George [mailto:mailings02@ttlexceeded.com]
> Sent: 23 February 2004 18:09
> To: spamassassin-users@incubator.apache.org
> Subject: Re: Logo spams
>
>
> Randal, Phil <prandal@herefordshire.gov.uk> wrote:
> > I'm starting to think that only spammers use the following
> > sorts of headers:
> >
> > X-AntiAbuse: This header was added to track abuse, please
> > include it with any abuse report
> > X-AntiAbuse: Primary Hostname - onsitemail.com
> > X-AntiAbuse: Original Domain - onsitemail.com
> > X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> > X-AntiAbuse: Sender Address Domain -
>
> Won't (and if not, why?) bayes pick these up?
>
> - Bob
>
RE: Logo spams [ In reply to ]
>
> Randal, Phil <prandal@herefordshire.gov.uk> wrote:
> > I'm starting to think that only spammers use the following sorts of
> > headers:
> >
> > X-AntiAbuse: This header was added to track abuse, please include it
> > with any abuse report
> > X-AntiAbuse: Primary Hostname - onsitemail.com
> > X-AntiAbuse: Original Domain - onsitemail.com
> > X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> > X-AntiAbuse: Sender Address Domain -
>
> Won't (and if not, why?) bayes pick these up?
>
> - Bob
>
>

I have the same problem with these logo spams constantly
getting through as well. I've fed about 300 of them into
Bayes and yet they still continue to get through.
Re: Logo spams [ In reply to ]
> I have the same problem with these logo spams constantly
> getting through as well. I've fed about 300 of them into
> Bayes and yet they still continue to get through.

Then it's time to write a custom anti-logo rule. I've never seen one myself
(perhaps they are regional or some such), but someone posted one a while
back. That one contained the word 'logo' at least 9 times, which would have
been just a little unusual in a normal mail. Especially since it had a site
name that included /logo/ in the name. It should be pretty trivial to write
a rule to catch something like that.

Loren
RE: Logo spams [ In reply to ]
>
> > I have the same problem with these logo spams constantly getting
> > through as well. I've fed about 300 of them into Bayes and yet they
> > still continue to get through.
>
> Then it's time to write a custom anti-logo rule. I've never
> seen one myself (perhaps they are regional or some such), but
> someone posted one a while back. That one contained the word
> 'logo' at least 9 times, which would have been just a little
> unusual in a normal mail. Especially since it had a site
> name that included /logo/ in the name. It should be pretty
> trivial to write a rule to catch something like that.
>
> Loren
>
>

For anyone that is interested, here are two samples:

http://download.synthys.com/cheap1.htm
http://download.synthys.com/cheap2.htm

Scott
RE: Logo spams [ In reply to ]
On Mon, 2004-02-23 at 14:44, Scott Harris wrote:
> >
> > > I have the same problem with these logo spams constantly getting
> > > through as well. I've fed about 300 of them into Bayes and yet they
> > > still continue to get through.
> >
> > Then it's time to write a custom anti-logo rule. I've never
> > seen one myself (perhaps they are regional or some such), but
> > someone posted one a while back. That one contained the word
> > 'logo' at least 9 times, which would have been just a little
> > unusual in a normal mail. Especially since it had a site
> > name that included /logo/ in the name. It should be pretty
> > trivial to write a rule to catch something like that.
> >
> > Loren
> For anyone that is interested, here are two samples:
>
> http://download.synthys.com/cheap1.htm
> http://download.synthys.com/cheap2.htm
>

Based on these two samples, I wrote:

body STEWART_LOGO_1 /cheap (ready|pre)-made logos/i
describe STEWART_LOGO_1 Logo advert from Stewart
score STEWART_LOGO_1 0.5

body STEWART_LOGO_2 /our (logo store|gallery) is the smart choice/i
describe STEWART_LOGO_2 Logo advert from Stewart
score STEWART_LOGO_2 0.5

meta STEWART_LOGO (STEWART_LOGO_1 && STEWART_LOGO_2)
describe STEWART_LOGO Logo advert from Stewart
score STEWART_LOGO 5.0

It's very specific, so it won't continue to work if he changes the
wording, but at the same time it will temporarily stop the logo spam and
shouldn't hit any FP's.

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: Logo spams [ In reply to ]
Taking a quick look at the first one (and I wish you would post as text
rather than html next time!) I see some interesting things that will
probably hold for some time:

1. www.snapshut.info should be added to the BigEvil list

2. The word "logo" or "Logo" appears 8 times in the body of the message.
Suspicious.

3. The word "Iogo" (capital I, not L) appears twice, intended to be
obfuscation.

4. The word "Ioqo" (capital I, q instead of g) appears once as
obfuscation.

5. The word 'quality' is spelled "guaIity", again intended as
obfuscation.

Taken together, these can make some fairly nice rules specific to this spam.

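# \b cannot hold between two back-to-back copies of "logo", so the repeat
# has to allow other text between the mentions (six mentions fire the rule).
body __LOGOS /(?:\blogo[s]?\b.{0,200}?){6}/is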
body __BAD_LOGOS /\bIo[gq]o[s]?\b/
body __POOR_QUALITY /gua[lI]ity/

meta NASTY_LOGOS (__LOGOS && (__BAD_LOGOS || __POOR_QUALITY))
score NASTY_LOGOS 5.0

uri SNAPSHUT /www\.snapshut\.info/
score SNAPSHUT 2.0

Loren
RE: Logo spams [ In reply to ]
> -----Original Message-----
> From: Loren Wilton [mailto:lwilton@earthlink.net]
> Sent: Monday, February 23, 2004 4:23 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: Logo spams
>
> Taking a quick look at the first one (and I wish you would
> post as text rather than html next time!) I see some
> interesting things that will probably hold for some time:
>

It's funny, you are the 2nd person to say this. I thought
it was better to post a link to the message so that one
could see the HTML as well as the text?

Also, is there a way to get ALL the header info from a
message once Outlook has consumed it? All I am able to
get is the From, sent, to and subject as below.


Scott


From: Davis Kelley [mailto:gnangleb@jojomail.com]
Sent: Wednesday, February 18, 2004 2:10 AM
To: sales@wehounds.net
Subject: Cheap ready-made logos


Cheap ready-made logos

Do you need a guality yet low cost logo? Our Ioqo qallery offers hiqh
guaIity ready made logo desiqns for only $49.95 .You can choose from plenty
of qreat desiqns ,and have your loqo ready for use the same moment. Your new
Iogo can be immediately downIoaded in editable CDR and AI files that are
suitable for your advertisements, corporate literature, and website. The
only thing you will need to do is replace the sample text with your company
name. If you are not fluent in Adobe Illustrator or Corel Draw or want to
make tweak the design, we will be happy to personalize your new logo.

Our gallery is the smart choice for SOHO companies, non-profit websites,
corporate events, and business plans. It is also a great solution to
generate more revenue for commercial printers, web designers, domain
registrars, web hosters, business formation consultants, and other
businesses, which may need exceptional yet low cost logos for their clients.


Order your logo now!

Davis Kelley
Order your logo now!


___________________________________________________
Please click here to remove your address from this list
RE: Logo spams [ In reply to ]
> -----Original Message-----
> From: Scott Harris [mailto:sa-talk@pikecreek.com]
> Sent: Monday, February 23, 2004 4:37 PM
[..]
>
> Also, is there a way to get ALL the header info from a
> message once Outlook has consumed it? All I am able to
> get is the From, sent, to and subject as below.
>

A few, possible, yet clunky, approaches:

1. Open the message, click "View:Options" and copy the headers from
that window into a text editor window (not Word(tm), but something
like Notepad, NoteTab Lite). Close that window, click on the body
of the message and right click and select "View Source". Select all,
copy and paste this into your text editor, leaving a blank line after
the header. Save as a .txt file.

2. Compose a "New:Message". Then click "Insert Item (As Attachment)", and
select the message of interest from the browser view. Mail this either
to this list, or to a friend who has a more compliant mail client.
(Note: Insert Item will keep the headers, but dragging and dropping will
lose them. Go figure).

3. Switch to a better mail client. Maybe TheBat!, or one of the Netscape
variants will do a better job.

4. Save as .msg file, and use a third party conversion program that will
convert it back to text.
RE: Logo spams [ In reply to ]
>
>
> > -----Original Message-----
> > From: Scott Harris [mailto:sa-talk@pikecreek.com]
> > Sent: Monday, February 23, 2004 4:37 PM
> [..]
> >
> > Also, is there a way to get ALL the header info from a message once
> > Outlook has consumed it? All I am able to get is the From, sent, to
> > and subject as below.
> >

Thanks for the tips.
Below is the message and I also attached it.

Scott



Microsoft Mail Internet Headers Version 2.0
Received: from synthys.com ([192.168.32.4]) by sbs.synthys.com with
Microsoft SMTPSVC(6.0.3790.0);
Tue, 17 Feb 2004 05:35:48 -0800
Received: from alphanumeric-mail.com
(lns-p19-11-82-65-195-76.adsl.proxad.net [82.65.195.76])
by synthys.com (8.12.11/8.12.11) with SMTP id i1HDbVPu015923
for <sales@sicorp.com>; Tue, 17 Feb 2004 05:37:36 -0800
Received: (from www@localhost)
by alphanumeric-mail.com (8.11.6/8.10.1) with ESMTP id J87Gz034438785
for <sales@sicorp.com>; Tue, 17 Feb 2004 13:33:34 +0000 (GMT)
(envelope-from www)
Message-ID: <507884972755.2X6p816X14A76h@localhost>
From: "Stewart Alford" <zkidnocz@myfunnymail.com>
To: sales@sicorp.com
Subject: Cheap Pre-made Logos
Date: Tue, 17 Feb 2004 13:33:34 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - alphanumeric-mail.com
X-AntiAbuse: Original Domain - alphanumeric-mail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

------=_NextPart_000_0222_01C3C64F.FBD71A00
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0222_01C3C64F.FBD71A00
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


------=_NextPart_000_0222_01C3C64F.FBD71A00--


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional">
<html>
<head>
<style>
td { font-family: Helvetica; font-size: 10pt}
A { COLOR: #0000FF; FONT-SIZE: 10pt; TEXT-DECORATION: none }
A:visited { COLOR: #0000FF; FONT-SIZE: 10pt; TEXT-DECORATION: none }
A:hover { COLOR: #FF2222; FONT-SIZE: 10pt; TEXT-DECORATION: none }
a.stylea { COLOR: #7D0B00; FONT-SIZE: 10pt; TEXT-DECORATION:
underline }
a.stylea:visited { COLOR: #7D0B00; FONT-SIZE: 10pt; TEXT-DECORATION:
underline }
a.stylea:hover { COLOR: #FF0000; FONT-SIZE: 10pt; TEXT-DECORATION:
underline }
a.styleb { COLOR: #7D0B00; FONT-SIZE: 10pt; TEXT-DECORATION: none
}
a.styleb:visited { COLOR: #7D0B00; FONT-SIZE: 10pt; TEXT-DECORATION: none
}
a.styleb:hover { COLOR: #FF0000; FONT-SIZE: 10pt; TEXT-DECORATION: none
}
</style>
</head>
<body>
<table width=400>
<tr>
<td>
<p align=justify>
<a href="http://www.snapshut.info/844820296567.asp">Cheap Pre-made Logos</a>
</p>
<p align=justify>
Do you need <a href="http://www.snapshut.info/844820296567.asp">a
professional yet affordable logo</a>? Our loqo gallery offers <a
href="http://www.snapshut.info/844820296567.asp">high guaIity ready made
Iogos</a> for onIy $49.95. You can choose from pIenty of qreat desiqns ,and
have your Ioqo ready for use the same moment. Your new Iogo can be
immediately downloaded in editable CDR and Al files that are suitabIe for
your advertisements, corporate literature, and website. All you need to do
is replace the sample text with your company name. If you don?t know how to
use graphic design programs or want to make tweak the design, it will be a
pleasure for us to update the logo the way you need.
</p>
<p align=justify>
<a href="http://www.snapshut.info/844820296567.asp">Our logo store</a> is
the smart choice for small and startup businesses, new websites, business
plans, and events. It is also a great solution to get some extra cash for
web designers, commercial printers, marketing & business formation
consultants, domain registrars, and other companies and individuals, which
may need exceptional yet inexpensive logos for their website visitors.
</p>
<p align=justify>
<a href="http://www.snapshut.info/844820296567.asp">Order your logo now!</a>
</p>
<p align=justify>
Stewart Alford<br>
Order your logo now!<br>
</p>
_____________________________________________________<br>
Please click <a
href="http://www.snapshut.info/out.php?email=sales@sicorp.com">here</a> to
remove your address from this list<br>
_____________________________________________________<br>
</td>
</tr>
</table>
</body>
</html>
Re: Logo spams [ In reply to ]
> It's funny, you are the 2nd person to say this. I thought
> it was better to post a link to the message so that one
> could see the HTML as well as the text?

I think what we want is the full html body, but not marked as html. If it
is marked as html and contains web bugs we get marked if we touch it. If it
is marked as text the Microsloth spam engines can't "help" us by going and
fetching the web bugs for us.

Loren
Re: Logo spams [ In reply to ]
> Also, is there a way to get ALL the header info from a
> message once Outlook has consumed it? All I am able to
> get is the From, sent, to and subject as below.

Right-click on the message and select "options". You can copy/paste the
headers out of the tiny window into something that you can actually read,
like notepad.

(I have yet to understand why MS made it so bloody hard to get the headers
and body of a message in Outlook, when it is trivial in OE.)

Loren
RE: Logo spams [ In reply to ]
> From: Scott Harris
> Sent: Monday, February 23, 2004 6:46 PM
[...]
>
> Thanks for the tips.
> Below is the message and I also attached it.

Okay, here's what I get. Needed some help from Bayes, custom rules,
and Razor to push it over the top:


Content analysis details:   (5.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 MY_XINCOME             BODY: Money is never extra!
 0.1 EXTRA_CASH             BODY: Offers Extra Cash
 1.2 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.1 HTML_MESSAGE           BODY: HTML included in message
 1.7 BAYES_80               BODY: Bayesian spam probability is 80 to 90%
                            [score: 0.8236]
 1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 1.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
Re: Logo spams [ In reply to ]
Loren Wilton wrote:
> Taking a quick look at the first one (and I wish you would post as
> text rather than html next time!) I see some interesting things that
> will probably hold for some time:

It's worth noting that all (that I've seen) are To:
sales@<mydomain>.

Some (but not all) have the I<->l substitution (usually mid-word,
resulting in uppercase amongst lower) -- possible rule fodder.

I've got a handful here (all of which score > 5 with BAYES_99,
save one) that have some other characteristics. The one that slips
by scores:

1.7 BAYES_80 BODY: Bayesian spam probability is 80 to 90% [score: 0.8904]

As an aside, bogofilter and spamprobe (trained more recently with
same spam, and subset of ham used to train SA bayes) both tag it
as definite spam.

They don't seem to be going to any great length to hide, which
could be why they're so successful. It's a topic that isn't
altogether out of place on many of my list subscriptions. Could it
be the fact that they're NOT particularly stealthy (my examples
anyhow) that's working in their favor?

The latest is slightly different, with a "drive thousands to your
website" subject.

My samples have been run through anomy sanitizer (old procmail
rule set), but are otherwise intact. I'll gladly send them to
anyone interested. I'll also gladly send along dumps from
bogofilter and spamprobe listing bayes term scoring. From recent
postings, I'm not sure if simply attaching/posting samples on-list
is acceptable.

I'm still puzzled why these seem fairly common, yet bayes training
doesn't seem to be stopping them. I'm equally puzzled as to why
they're somewhat SA bayes-resistant, yet fall so easily to other
bayes tools.

I don't want to sound as if I'm advocating just using bayes. SA
has been WONDERFUL on bringing my bayes tools up to speed quickly.

- Bob
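
The lookalike substitutions pointed out in Loren's and Bob's posts above (capital I for l, q for g) can be tested outside SpamAssassin. The Python sketch below is an added example, not code from any poster in this thread; it goes beyond the posted rules by counting mentions across the whole message. The sample messages are constructed from the spam text quoted earlier, and the function names and the six-mention threshold are assumptions for illustration.

```python
import re

# Constructed sample: shortened plain-text rendering of the spam quoted in the
# thread. Capital "I" replaces "l" and "q" replaces "g" in several words.
SAMPLE_SPAM = (
    "Cheap Pre-made Logos\n"
    "Do you need a professional yet affordable logo? Our loqo gallery offers "
    "high guaIity ready made Iogos for onIy $49.95. You can choose from pIenty "
    "of qreat desiqns, and have your Ioqo ready for use the same moment. "
    "Your new Iogo can be immediately downloaded.\n"
    "Our logo store is the smart choice for small and startup businesses.\n"
    "Order your logo now!\n"
)

# Constructed ham: a legitimate message that also talks about a logo.
SAMPLE_HAM = (
    "Attached is the new company logo. Is the logo file in CDR or AI format? "
    "I can resize the logo if needed.\n"
)

# The __LOGOS pattern as first posted. \b can never hold between two
# back-to-back copies of "logo", so the repetition cannot match any input.
POSTED_LOGOS = re.compile(r"(?:\blogo[s]?\b){6,99}", re.I)

TARGET_WORDS = {"logo", "logos"}
# Lookalike substitutions named in the thread: capital I for l, q for g.
LOOKALIKES = str.maketrans({"I": "l", "q": "g"})
# A capital I with lowercase letters on both sides, e.g. "guaIity", "onIy".
MIDWORD_CAPITAL_I = re.compile(r"\b[A-Za-z]*[a-z]I[a-z][A-Za-z]*\b")


def classify_logo_words(text):
    """Return (plain, obfuscated) lists of words that read as logo/logos."""
    plain, obfuscated = [], []
    for word in re.findall(r"[A-Za-z]+", text):
        if word.lower() in TARGET_WORDS:
            plain.append(word)
        elif word.translate(LOOKALIKES).lower() in TARGET_WORDS:
            # Only becomes "logo"/"logos" after undoing the substitutions.
            obfuscated.append(word)
    return plain, obfuscated


def midword_capital_i(text):
    """Words carrying a capital I between lowercase letters."""
    return MIDWORD_CAPITAL_I.findall(text)


def looks_like_logo_spam(text, min_mentions=6):
    """Same shape as the NASTY_LOGOS meta rule: many mentions AND disguise.

    min_mentions is an assumed threshold taken from the {6,99} in the thread.
    """
    plain, obfuscated = classify_logo_words(text)
    mentions = len(plain) + len(obfuscated)
    disguised = bool(obfuscated) or bool(midword_capital_i(text))
    return mentions >= min_mentions and disguised


if __name__ == "__main__":
    for label, msg in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        plain, obfuscated = classify_logo_words(msg)
        print(label, "plain:", plain, "obfuscated:", obfuscated,
              "mid-word I:", midword_capital_i(msg),
              "verdict:", looks_like_logo_spam(msg))
```

Requiring both a high mention count and at least one disguised word keeps ordinary mail that merely discusses a logo from tripping the check.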
Re: Logo spams [ In reply to ]
Michele Neylon :: Blacknight Solutions wrote:
> We're still seeing a lot of these even with BigEvil, RBLs etc.
>
> Has anybody found a "cure" before our CTO deep sixes the rest of Asia?

Well, after bragging on my SA bayes, it just failed me badly on
exactly one of these. This last one DID hit on BAYES_90, so I
suppose over time it'll improve. Here again, bogofilter and
spamprobe (bayes) tagged it as spam.

- Bob
Re: [spa] Re: Logo spams [ In reply to ]
<whine>
I feel so *ignored*.....
I posted the 'snapshut' rule and the logo obfuscation rule already.
No one listens to me.
</whine>

:-)

- Charles


On Mon, 23 Feb 2004, Loren Wilton wrote:

> Date: Mon, 23 Feb 2004 16:23:29 -0800
> From: Loren Wilton <lwilton@earthlink.net>
> To: spamassassin-users@incubator.apache.org
> Subject: [spa] Re: Logo spams
>
> Taking a quick look at the first one (and I wish you would post as text
> rather than html next time!) I see some interesting things that will
> probably hold for some time:
>
> 1. www.snapshut.info should be added to the BigEvil list
>
> 2. The word "logo" or "Logo" appears 8 times in the body of the message.
> Suspicious.
>
> 3. The word "Iogo" (capital I, not L) appears twice, intended to be
> obfuscation.
>
> 4. The word "Ioqo" (capital I, q instead of g) appears once as
> obfuscation.
>
> 5. The word 'quality' is spelled "guaIity", again intended as
> obfuscation.
>
> Taken together, these can make some fairly nice rules specific to this spam.
>
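> # \b cannot hold between two back-to-back copies of "logo", so the repeat
> # has to allow other text between the mentions (six mentions fire the rule).
> body __LOGOS /(?:\blogo[s]?\b.{0,200}?){6}/is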
> body __BAD_LOGOS /\bIo[gq]o[s]?\b/
> body __POOR_QUALITY /gua[lI]ity/
>
> meta NASTY_LOGOS (__LOGOS && (__BAD_LOGOS || __POOR_QUALITY))
> score NASTY_LOGOS 5.0
>
> uri SNAPSHUT /www\.snapshut\.info/
> score SNAPSHUT 2.0
>
> Loren
>
Re: [spa] RE: Logo spams [ In reply to ]
On Mon, 23 Feb 2004, Scott Harris wrote:
> Also, is there a way to get ALL the header info from a
> message once Outlook has consumed it? All I am able to
> get is the From, sent, to and subject as below.

Right Click on the message in the INDEX. Select 'Properties' from the
pop-up menu, then select the 'details' tab in the window that opens.

- C
Re: Logo spams [ In reply to ]
Charles Gregory <cgregory@hwcn.org> wrote:
> <whine>
> I feel so *ignored*.....
> I posted the 'snapshut' rule and the logo obfuscation rule
> already. No one listens to me.
> </whine>

Yeah, but he did THIS (hand-gesture).

(thinking of that commercial from last year).

I'm playing around with variations now, thanks. I'd like to have a few "bayes
accelerators" on hand.

- Bob
Re: Logo spams [ In reply to ]
On Mon, Feb 23, 2004 at 05:54:53PM -0000, Randal, Phil wrote:
> I'm starting to think that only spammers use the following sorts of
> headers:
>
> X-AntiAbuse: This header was added to track abuse, please include it with
> any abuse report

My Bayes decided to begin with that it was a strong ham
signal. Unfortunately spammers then started using it, so I set
"bayes_ignore_header X-AntiAbuse" in local.cf.

I did the same for X-Auto-Submitted. It normally only occurs on bounces,
but bounces can be very hammy if they don't have the spam text in, so
it had a lot of counts (some tens of thousands) and a very low score.

In fact bounces often seem to score very hammy even if they do have
spamtext, because they lack the normal clues in the headers. They would
therefore get a whopping BAYES_00 -4.9 on account of the strong header
signs, a piddly +2.4 or so from the content, and whiz straight through.

I'd like to suggest both these changes be incorporated in stock SA
(2.64 or 3.0) - I've found them very worthwhile in preventing either
deliberate misuse (X-Antiabuse) or accidental (X-Auto-Submitted).

Nick
RE: Logo spams [ In reply to ]
Scott Harris Sent: Monday, February 23, 2004 7:37 PM

> Also, is there a way to get ALL the header info from a
> message once Outlook has consumed it? All I am able to
> get is the From, sent, to and subject as below.

I use an Outlook plugin called SpamSource to fetch the source of the email
for an occasional Bayes brunch.

http://www.daesoft.com/SpamSource/index.htm

It puts a nice little button on my menu bar in Outlook. Although I've never
quite determined if it got both the HTML and text portions of multipart
emails, it still works nicely.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz