Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: Dan Oachs <doachs () GAC EDU>
Date: Wed, 19 Apr 2006 11:30:00 -0500

We too have seen a large increase in these types of messages.  Our spam
filtering has been good enough lately that when users started to get a
few of these per week, they started complaining to us about them.

A couple of weeks ago we upgraded SpamAssassin to 3.1.1 from the
previous release.  At that time we also ran sa-update to get the latest
rules for it.  Since then I don't think any of those messages have made
it past my SpamAssassin rules to my inbox.

Here is what spamassassin has to say about the most recent one sent my way:

Content analysis details:   (26.1 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
3.1 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                           1)
0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
2.8 TVD_FW_GRAPHIC_ID1     BODY: TVD_FW_GRAPHIC_ID1
0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
1.1 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE           BODY: HTML included in message
3.1 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.0000]
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                           above 50%
                           [cf: 100]
0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                           [cf: 100]
2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                           [84.61.61.132 listed in dnsbl.sorbs.net]
1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                           [84.61.61.132 listed in combined.njabl.org]


   Thanks,
      Dan Oachs
      Gustavus Adolphus College
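As an added example (not part of Dan's post or of SpamAssassin itself): a small parser for the 3.1-era "Content analysis details" report quoted above. It joins the wrapped description lines, pulls out the DNSBL listings, and shows that the per-rule points, which SpamAssassin prints rounded to one decimal, sum to 26.0 while the header reports 26.1.

```python
import re

# Constructed input: the report quoted in the post above, blank line removed.
REPORT = """\
Content analysis details:   (26.1 points, 5.0 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.1 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                           1)
0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
2.8 TVD_FW_GRAPHIC_ID1     BODY: TVD_FW_GRAPHIC_ID1
0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
1.1 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE           BODY: HTML included in message
3.1 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.0000]
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                           above 50%
                           [cf: 100]
0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                           [cf: 100]
2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                           [84.61.61.132 listed in dnsbl.sorbs.net]
1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                           [84.61.61.132 listed in combined.njabl.org]
"""

HEADER = re.compile(r"\(([\d.]+) points, ([\d.]+) required\)")
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s+(.*)$")   # "pts NAME description"

def parse_report(text):
    """Return (reported_total, required, rules); rules maps name -> (pts, desc)."""
    total, required = map(float, HEADER.search(text).groups())
    rules, name = {}, None
    for line in text.splitlines():
        m = RULE.match(line)
        if m:                                   # a new rule line
            name = m.group(2)
            rules[name] = (float(m.group(1)), m.group(3).strip())
        elif name and line.startswith(" "):     # wrapped continuation of the description
            rules[name] = (rules[name][0], rules[name][1] + " " + line.strip())
    return total, required, rules

def dnsbl_listings(rules):
    """(ip, zone) pairs from the '[ip listed in zone]' annotations on RBL rules."""
    descs = " ".join(desc for _, desc in rules.values())
    return sorted(set(re.findall(r"\[(\S+) listed in (\S+)\]", descs)))
```

Because each rule's real score (for example 2.046) is rounded for display, summing the printed column can differ from the header total by a few tenths; treat the header as authoritative.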
