spamassassin-users October 2010 archive

Re: Babes in blue spam

From: mdunlap <mdunlap_at_nospam>
Date: Wed Oct 13 2010 - 18:10:18 GMT
To: Karsten Bräckelmann <guenther@rudersport.de>

Thanks Karsten, I am a bit new to this so I do apologize. Here is a link
to one of the offending emails, http://drop.io/xf2ict5/asset/spam
When I try to have the Bayesian filter learn from spam in the terminal and
run "sa-learn --spam RANDOM_SPAM_MESSAGE", it outputs:

"Learned tokens from 1 message(s) (1 message(s) examined)"

However, with the spam from (¯`·._..babes_in_blue^(TM).._.·´¯) it outputs:

"Learned tokens from 0 message(s) (0 message(s) examined)"

Which leads me to believe it is not even recognizing the input as a mail
message, so something is causing it to quit prematurely. My first hunch was
that the characters in the Subject line might have something to do with it,
because the characters "(¯`·._." and "^(TM).._.·´¯)" show up garbled in
emacs or a similar reader.

On Tue, 12 Oct 2010 23:01:07 +0200, Karsten Bräckelmann
<guenther@rudersport.de> wrote:
> On Tue, 2010-10-12 at 15:09 -0500, mdunlap wrote:
>> I've had problems sa-learning some particular emails that have some
>> ASCII escape characters. I've been getting this email that passes right
>> through the filter. Subject: (¯`·._..babes_in_blue^(TM).._.·´¯)
>> sa-learn won't recognize it as an actual email message. I'm pretty sure
>> these characters "(¯`·._.." are escaping it somehow. Any ideas? These
>> spammers have found a way to bypass spam detection because spam assassin
>> won't even recognize it.
>> Can you guys make any sense of it?
>
> Err, those are not "escape characters". They are characters.
>
> What do you mean exactly, "sa-learn won't recognize it as an actual
> message"? Please elaborate. And no, I believe "spammers have found a way
> to bypass spam detection" to not be true. Anyway, more details and
> evidence, please.
>
> Plus, please put a sample somewhere we can download it, and post the
> link. A *raw* message, including all headers [1]. Yes, also the SA
> headers.
>
>
>> HERE is the header and part of the message
>> Sorry for the long message
>
> Please do NOT send spam to the list.
>
>
> [1] If need be, you can mask domain names by using example.com instead.
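
The following Python script is an added example, not part of the thread and not SpamAssassin code. It checks whether a raw file starts with a mail header block and separates control characters (such as ESC) from printable non-ASCII characters in its Subject line; the function names and sample messages are constructed for illustration.

```python
import re
import unicodedata

FIELD = re.compile(rb"^[!-9;-~]+:")  # RFC 5322 field name followed by ':'

def split_headers(raw: bytes) -> list:
    """Return unfolded header lines, or [] if the input has no header block."""
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0].rstrip(b"\n")
    lines = head.split(b"\n")
    if lines and lines[0].startswith(b"From "):    # mbox separator line
        lines = lines[1:]
    unfolded = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += line                   # folded continuation line
        elif FIELD.match(line):
            unfolded.append(line)
        else:
            return []                              # not a header: not a mail message
    return unfolded

def classify_subject(raw: bytes) -> dict:
    """Report control characters vs. printable non-ASCII characters in Subject."""
    headers = split_headers(raw)
    report = {"is_message": bool(headers), "control": [], "non_ascii": []}
    for line in headers:
        name, _, value = line.partition(b":")
        if name.lower() != b"subject":
            continue
        for ch in value.decode("utf-8", errors="replace"):
            if unicodedata.category(ch) == "Cc" and ch != "\t":
                report["control"].append(f"U+{ord(ch):04X}")
            elif ord(ch) > 127:
                report["non_ascii"].append(unicodedata.name(ch, f"U+{ord(ch):04X}"))
    return report

# Constructed samples (assumptions; not the message linked in the thread).
SAMPLE = ("From: sender@example.com\n"
          "Subject: (¯`·._..babes_in_blue^(TM).._.·´¯)\n\nbody\n").encode("utf-8")
SAMPLE_ESC = b"From: sender@example.com\nSubject: \x1b[31mhello\n\nbody\n"

if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_ESC, b"no headers here\n"):
        print(classify_subject(raw))
```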