Re: [SLUG] Filtering KMAIL email to Delete Without Using POP Filters

From: Steven Buehler (swbuehler@yahoo.com)
Date: Sun Aug 10 2003 - 15:39:15 EDT


One of the things that SpamAssassin rates for is a fake "outlook express"
header; it's probably put in so that spam checkers along the way will be
faked into believing the message is being sent by a personal account rather
than just a bulk spam mailer (which would be less likely to include all the
extraneous headers).

A new tactic being used to thwart word checking, though, is to send the messages
in HTML with comments thrown in throughout, so the spam checker never sees a
complete word that it can filter on. For example, here's an actual one I just
received.

The message text you see reads as follows:
---[quote]---
Introducing VP-RX penis enlargement pills
Gain 3+ inches in length
Stop premature ejaculation
Produce stronger erections
100% Safe to use, no side effects
Your partner will be astounded
Get VP-RX now!

---[end quote]---

However, here's the message source. Note that there are no complete words
for a spam filter to catch! Luckily SpamAssassin also adds points if there
are excessive HTML comments in the source.

---[quote]---
<p><font
size="+2"><!--avfisclh1iuel--><b>Intr<!--umnq7w1m0m7zx2-->odu<!--warijg1wh7-->cin<!--0dma5lav8ywo-->g VP-<!--eii2xb1m1ublz-->RX
p<!--tigxmw16t8i-->en<!--sk0yc72rqjsy6-->is
en<!--dphyuo39dpw8g2-->large<!--a4bu399bpakk2-->me<!--lm91b22xxdrlh1-->nt
pi<!--gz731j17amk5n-->lls</b></font></p>
  <p><font size="+1">Ga<!--ygxe4q3xsxkaz-->in 3+
in<!--wb25nm1govrg1-->che<!--t390mn1qoy2g-->s in
l<!--ho4bi11rpi7-->eng<!--9bdfy222k01o-->th<br>
  <br>S<!--ohnjav3jkdlr3k-->to<!--as85ka1f8smh5r-->p
pre<!--jqz7lj41doo-->ma<!--esktf2mwzv4x-->ture
ej<!--gk90791y50r9-->ac<!--aaiowu3dq58hz-->ulati<!--fyh89h3xa7lkd2-->on<br>
  <br>Pr<!--6fse7537kk8-->odu<!--9ktn202105tn-->ce
st<!--3g2so722ctur6-->rong<!--6fz3s53k2vn5-->er
er<!--244doo1i5n-->ecti<!--8mz68037m1n-->ons<br>
  <br>10<!--35oprv833gp-->0<!--todf8y17z3y-->% S<!--z8yuwjxono-->afe
to<!--sk53xm2hsyu--> us<!--srikwh2te3-->e, n<!--d7qw8g1iurny-->o
sid<!--qycxsd18qs-->e effe<!--5ap6fz36rvlvb3-->cts<br>
  <br>Y<!--dm80rm2yt0djz3-->our par<!--eo9kbh3mtvu45-->tner
w<!--m0gkz21bl0c6d1-->ill b<!--hg2ibss3es702-->e
asto<!--2xcmwp11fcb84-->und<!--x59jky2jnj3c9-->ed<br>
  <br><a
href="http://health.cccardz2003.biz/mka/m2c.php?man=kk439"><b>Ge<!--rhbmhy212m-->t V<!--0ytdpq1cjxnm-->P-R<!--nxbr12317j5k7h-->X
no<!--l6h7vz22kxm2-->w!</b></a></font></p>
<br><br><br>
<p><a href="http://health.cccardz2003.biz/bek/"><font
size="-1">Dis<!--pliws47o0b5h2-->co<!--xuqup537q91373-->ntin<!--uvmnp7149ybby1-->ue</font></a><font size="-1">
  rec<!--dygc4033e1te-->ei<!--7wt0cg2cmxjs02-->vin<!--9njsie1bg6dibr-->g
off<!--roubtnhqu8dr-->e<!--gn4vme1i7euv-->rs aedsi33of61u2a7jtql2yzjoh3
toi9522f6z9ldd8e14kjwk71vxzu4r1pcgp ikvir4z1s4 g8zl9m1e2janp0n6ve213ba5xd
8vqr7f1v9nv0fpw6krms06iqz731r1smeb 4r3d0a3ckto33
mdkal63ieh3cm24j27fp307dc91</font></p><!--vfm5rr1k7dk-->

---[end quote]---

----- Original Message -----
From: "jeff" <jdavis70@tampabay.rr.com>
To: <slug@nks.net>
Sent: Sunday, August 10, 2003 2:36 PM
Subject: Re: [SLUG] Filtering KMAIL email to Delete Without Using POP Filters

> Frank Roberts - SOTL wrote:
>
> >Something I have noted is that most commercial spam is html usually with words
> >like investment, Viagra, sex etc. in the heading.
> >
> >
> >
> I used to get that kind of crap too. Until I discovered that Mozilla
> would allow me to write filters based on other parts of the headers,
> like X_Mailer: or the domain. :-)
> Almost every piece of spam that I have ever received had these lines in
> the headers:
> X-Mailer:Microsoft Outlook Express 5.50.4522.1200
> X-Virus-Scanned:Symantec AntiVirus Scan Engine
> So I filter everything with Outhouse Excess in the XMailer line to the
> trash now. I sent MS an email asking if it was some federal requirement
> that spammers *have* to use OE, or if using OE created this
> uncontrollable urge to start sending spam. ;-)
> And a modification of that same filter picks out the *LUG posts that
> are sent from yahoo accounts, and dumps the rest of them. Because other
> than the few LUG users that post from yahoo, all of the email that I
> have gotten from yahoo has been spam. So far it has been working very
> nicely.
>
> Jeff
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
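The comment-splitting trick shown in Steven's message, worked through as an added example that is not part of the original post and is not SpamAssassin code: a small Python checker that (1) strips the comments and matches words on the rendered text, the way the recipient actually reads it, and (2) counts comments wedged inside words as a spam signal in its own right, which is the kind of evidence an "excessive HTML comments" score relies on. The sample input is the opening of the quoted message source with the mail client's line wraps inside comments undone so each `<!-- -->` is intact; the clean control message, the keyword list and the threshold of three split words are constructed for the demonstration.

```python
import re
from html import unescape

# Constructed sample: the opening of the HTML source quoted in the post,
# with the mail client's soft line wraps inside comments undone so that
# every <!-- ... --> is intact as the spammer sent it.
SPAM_HTML = (
    '<p><font size="+2"><!--avfisclh1iuel--><b>Intr<!--umnq7w1m0m7zx2-->odu'
    '<!--warijg1wh7-->cin<!--0dma5lav8ywo-->g VP-<!--eii2xb1m1ublz-->RX\n'
    'p<!--tigxmw16t8i-->en<!--sk0yc72rqjsy6-->is\n'
    'en<!--dphyuo39dpw8g2-->large<!--a4bu399bpakk2-->me<!--lm91b22xxdrlh1-->nt\n'
    'pi<!--gz731j17amk5n-->lls</b></font></p>\n'
    '<p><font size="+1">Ga<!--ygxe4q3xsxkaz-->in 3+\n'
    'in<!--wb25nm1govrg1-->che<!--t390mn1qoy2g-->s in\n'
    'l<!--ho4bi11rpi7-->eng<!--9bdfy222k01o-->th<br>\n'
    '<br>S<!--ohnjav3jkdlr3k-->to<!--as85ka1f8smh5r-->p\n'
    'pre<!--jqz7lj41doo-->ma<!--esktf2mwzv4x-->ture\n'
    'ej<!--gk90791y50r9-->ac<!--aaiowu3dq58hz-->ulati<!--fyh89h3xa7lkd2-->on<br>\n'
)

# Constructed control: ordinary HTML mail with the one comment a real
# composer might emit. It should pass cleanly.
HAM_HTML = (
    '<!-- generated by a mail composer --><p>Hi Jeff,<br>\n'
    'the LUG meeting is at 2:36 on Sunday &amp; pizza is covered.</p>\n'
)

# Hypothetical word list for the demonstration; a real filter scores rules.
KEYWORDS = ("viagra", "penis", "enlargement", "ejaculation")

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)  # DOTALL: a comment may span lines
TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[A-Za-z]+")


def strip_comments(html):
    """Remove every HTML comment; this alone re-joins the split words."""
    return COMMENT_RE.sub("", html)


def visible_text(html):
    """Approximate what the recipient reads: no comments, no tags,
    entities decoded, whitespace collapsed."""
    text = TAG_RE.sub(" ", strip_comments(html))
    return " ".join(unescape(text).split())


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive substring match: the naive check the trick defeats
    when run on the raw bytes, and the one that works on rendered text."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


def word_splitting_comments(html):
    """Count comments wedged between two letters, i.e. inside a word.
    Legitimate markup almost never does this; the sample does it constantly."""
    count = 0
    for m in COMMENT_RE.finditer(html):
        before = html[m.start() - 1:m.start()] if m.start() > 0 else ""
        after = html[m.end():m.end() + 1]
        if before.isalpha() and after.isalpha():
            count += 1
    return count


def analyse(html, keywords=KEYWORDS, split_threshold=3):
    """Return the evidence a filter would act on: keyword hits on the raw
    bytes (what a naive matcher sees), hits on the rendered text (what the
    reader sees), and the comment-obfuscation counts."""
    rendered = visible_text(html)
    n_words = len(WORD_RE.findall(rendered))
    n_comments = len(COMMENT_RE.findall(html))
    splits = word_splitting_comments(html)
    return {
        "raw_hits": keyword_hits(html, keywords),
        "rendered_hits": keyword_hits(rendered, keywords),
        "comments": n_comments,
        "word_splitting_comments": splits,
        "comments_per_word": round(n_comments / n_words, 2) if n_words else 0.0,
        "obfuscated": splits >= split_threshold,
    }


if __name__ == "__main__":
    for label, html in (("spam", SPAM_HTML), ("ham", HAM_HTML)):
        print(label, analyse(html))
```

On the spam sample the raw bytes match none of the keywords while the rendered text matches three, and 21 of the 23 comments sit inside words; the control message has one comment, no split words and no hits. Two design points: entities are decoded only after tags are removed, so `&lt;b&gt;` in mail text is never mistaken for markup, and tags are replaced with a space rather than deleted so `</p><p>` keeps separate words apart. The cost of that choice is that a word split with an empty tag pair instead of a comment would not be re-joined; a fuller renderer would treat inline and block elements differently.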



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:22:38 EDT