Gibberish spams

General discussions and other topics.
27 posts Page 1 of 3
by dukeofur » Fri May 18, 2012 5:07 pm
I don't know if this is the right forum for this, but... Lately I have been receiving a lot of spam emails that are just gibberish, and usually I just delete them, but this time I decided to look at the headers, find what SpamAssassin rule applies, and increase it. Problem is, from looking at the headers, this message isn't getting scanned and I don't know why, so I can't do anything about it.

Why isn't it getting scanned?

Thanks




From - Fri May 18 17:02:45 2012
X-Account-Key: account2
X-UIDL: 1337385751.13108_0.a.lds,S=1802
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <lobahy@strchile.cl>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on e.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.0 tests=none autolearn=disabled
version=3.3.1
Received: from f.mx.sonic.net (f.mx.sonic.net [69.12.208.75])
by a.lds.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4J02Se6013030
for <dukeofur@lds.sonic.net>; Fri, 18 May 2012 17:02:28 -0700
Received: from TCN-05-LON-WH9.tecnoera.com (TCN-05-LON-WH9.tecnoera.com [190.113.0.50] (may be forged))
by f.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4J02Nil018311
for <dukeofurl@sonic.net>; Fri, 18 May 2012 17:02:28 -0700
Received: from localhost (localhost [127.0.0.1])
by TCN-05-LON-WH9.tecnoera.com (Postfix) with ESMTP id 03CD329AC8F;
Fri, 18 May 2012 20:02:22 -0400 (CLT)
X-Virus-Scanned: Debian amavisd-new at TCN-05-LON-WH9.tecnoera.com
Received: from TCN-05-LON-WH9.tecnoera.com ([127.0.0.1])
by localhost (TCN-05-LON-WH9.tecnoera.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id PISJduJTvv5D; Fri, 18 May 2012 20:02:21 -0400 (CLT)
Received: from wdzgju (unknown [186.86.26.147])
(Authenticated sender: daniloescobar@strchile.cl)
by TCN-05-LON-WH9.tecnoera.com (Postfix) with ESMTPA id B59292B0F84;
Fri, 18 May 2012 19:57:57 -0400 (CLT)
Date: Sat, 19 May 2012 02:44:12 +0200
To: [redacted]
Subject: saf
From: "Quptajcaj Qdjojb" <>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-4
Message-Id: <20120519000222.03CD329AC8F@TCN-05-LON-WH9.tecnoera.com>
X-Sonic-SB-IP-RBLs: IP RBLs .

mavo http://yuztjnkch.cz.tl loz xic
lo xitu qazuc kuzex
by thulsa_doom » Mon May 21, 2012 1:22 pm
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on e.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.0 tests=none autolearn=disabled
version=3.3.1
These lines indicate that the message was scanned, and the "required=4.0" portion indicates that your custom preferences were taken into consideration (by default it's 5.0). When SpamAssassin completely skips a message, these header lines are never inserted.
John Fitzgerald
Sonic Technical Support
by dukeofur » Mon May 21, 2012 1:29 pm
Ok, thank you for your reply. The original issue still stands though. Since it scored 0.0, I do not know which rules to adjust so this gibberish spam does not reach me.
by thulsa_doom » Mon May 21, 2012 2:29 pm
dukeofur wrote: Ok, thank you for your reply. The original issue still stands though. Since it scored 0.0, I do not know which rules to adjust so this gibberish spam does not reach me.
Well that's a bit trickier.

It appears this particular sample tripped no rules, so there are no scores to adjust; adjust a score for a rule that isn't tripped and the adjusted score will have no effect.

A look further down in the headers shows that it also did not appear on any of the IP blocklists ("X-Sonic-SB-IP-RBLs: IP RBLs ."), so this sample has accomplished a flawless victory against our spam countermeasures. Several of our generals will be committing seppuku over this shortly.

I really need to stop playing Shogun: Total War.
John Fitzgerald
Sonic Technical Support
by dukeofur » Mon May 21, 2012 2:36 pm
Unfortunately, I have been getting one or two of these per day lately, and they're just kind of annoying at this point. I guess I can't really do anything about it, though I hate admitting defeat.

I also get a telemarketer that calls my cell phone from a different number and location each time, so I can't block it. It's gotten to the point where I only pick up local calls (I've memorized all the local exchanges) and then of course people I know.
by dukeofur » Fri May 25, 2012 12:04 am
From - Fri May 25 00:03:25 2012
X-Account-Key: account2
X-UIDL: 1337922636.1033_0.a.lds,S=1936
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <fi@pop06.odn.ne.jp>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on a.spam.sonic.net
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=DCC_REPUT_00_12,
RCVD_IN_DNSWL_NONE,T_RP_MATCHES_RCVD,URIBL_DBL_SPAM autolearn=disabled
version=3.3.1
Received: from h.mx.sonic.net (h.mx.sonic.net [69.12.208.76])
by a.lds.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4P5Aa9n001031
for <dukeofur@lds.sonic.net>; Thu, 24 May 2012 22:10:36 -0700
Received: from cmta101.odn.ne.jp (mta101.odn.ne.jp [143.90.14.133])
by h.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4P5AVDe008696
for <dukeofurl@sonic.net>; Thu, 24 May 2012 22:10:35 -0700
Received: from smta101.odn.ne.jp by cmta101.odn.ne.jp with ESMTP
id <20120525051031400.WGFY.23382.cmta101.odn.ne.jp@mta101.odn.ne.jp>
for <dukeofurl@sonic.net>; Fri, 25 May 2012 14:10:31 +0900
Received: from amta101.odn.ne.jp by smta101.odn.ne.jp with ESMTP
id <20120525051031349.QYKF.9064.smta101.odn.ne.jp@mta101.odn.ne.jp>;
Fri, 25 May 2012 14:10:31 +0900
Received: from gwsamw ([221.170.62.97] [221.170.62.97])
by amta101.odn.ne.jp with ESMTP
id <20120525051030773.VQW.18353.amta101.odn.ne.jp@mta101.odn.ne.jp>;
Fri, 25 May 2012 14:10:30 +0900
Date: Fri, 25 May 2012 07:56:01 +0200
From: "ucbegf" <>
User-Agent: Thunderbird 2.0.0.14 (Windows/20090603)
MIME-Version: 1.0
To: [redacted]
Subject: ku
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Message-Id: <20120525051030773.VQW.18353.amta101.odn.ne.jp@mta101.odn.ne.jp>
X-Sonic-Received-From-Country: jp, (Not Found)
X-Sonic-SB-IP-RBLs: IP RBLs sorbs-spam.

qo http://jftcix.de.tl m kef
pux bag d xi
by thulsa_doom » Fri May 25, 2012 7:09 pm
dukeofur wrote:X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on a.spam.sonic.net
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.0 tests=DCC_REPUT_00_12,
RCVD_IN_DNSWL_NONE,T_RP_MATCHES_RCVD,URIBL_DBL_SPAM autolearn=disabled
version=3.3.1
dukeofur wrote: X-Sonic-Received-From-Country: jp, (Not Found)
X-Sonic-SB-IP-RBLs: IP RBLs sorbs-spam.
Now we've got something to work with. Not much, but something: three SpamAssassin rules that can be modified in https://members.sonic.net/email/spam/scores/ and an IP RBL hit that can be taken into account in https://members.sonic.net/email/spam/fi ... blacklists

Adding a total of 1.2 split between these three SpamAssassin rules should do the trick. The "sorbs-spam" blocklist is a bit aggressive.
John Fitzgerald
Sonic Technical Support
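Added example, not part of any post in this thread: a short Python parser for the `X-Spam-Status` header discussed above. It reports whether a message was scanned at all, which rules fired, and how far the score sits below the threshold. The `X-Sonic-SB-IP-RBLs` format is inferred only from the two samples posted here, and the function name `spam_status` is hypothetical.

```python
import re
from email import message_from_string

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?) "
    r"required=(?P<required>-?\d+(?:\.\d+)?) tests=(?P<tests>\S+)")

# Headers from the May 18 and May 25 samples in this thread, with the
# continuation-line indentation (lost in the forum paste) restored.
MAY_18 = (
    "X-Spam-Status: No, score=0.0 required=4.0 tests=none autolearn=disabled\n"
    "\tversion=3.3.1\n"
    "X-Sonic-SB-IP-RBLs: IP RBLs .\n")
MAY_25 = (
    "X-Spam-Status: No, score=2.8 required=4.0 tests=DCC_REPUT_00_12,\n"
    "\tRCVD_IN_DNSWL_NONE,T_RP_MATCHES_RCVD,URIBL_DBL_SPAM autolearn=disabled\n"
    "\tversion=3.3.1\n"
    "X-Sonic-SB-IP-RBLs: IP RBLs sorbs-spam.\n")

def spam_status(raw_headers):
    """Return the parsed SpamAssassin result, or None if never scanned."""
    msg = message_from_string(raw_headers)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None  # header absent: SpamAssassin skipped the message
    # Unfold the header: drop whitespace after commas, collapse the rest.
    value = re.sub(r",\s+", ",", value)
    value = re.sub(r"\s+", " ", value).strip()
    m = STATUS_RE.match(value)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    score, required = float(m["score"]), float(m["required"])
    # "tests=none" means scanned, but no rule fired.
    tests = [] if m["tests"] == "none" else m["tests"].split(",")
    # Assumed format (from the two samples): "IP RBLs <names...>."
    rbl_value = msg.get("X-Sonic-SB-IP-RBLs", "")
    rbls = re.sub(r"^IP RBLs\s*", "", rbl_value).rstrip(". ").split()
    return {"flagged": m["verdict"] == "Yes", "score": score,
            "required": required, "tests": tests, "rbls": rbls,
            "gap": round(max(required - score, 0.0), 1)}

if __name__ == "__main__":
    for name, sample in (("May 18", MAY_18), ("May 25", MAY_25)):
        print(name, spam_status(sample))
```

For the May 25 sample the gap between score and threshold is 1.2, the same figure quoted in the reply above; for the May 18 sample no rule fired, so there is no score to raise.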
by Michael » Sun May 27, 2012 3:25 am
Is it really a good idea to include the real E-Mail address of others, who probably appreciated receiving it as much as you did, in an open spam report on a web page, so that their E-Mail addresses can be further harvested?

I would think the right thing to do would be to remove or redact real E-Mail addresses before posting as a courtesy to others. It's trivially easy to harvest E-Mail addresses from Web pages and this isn't a private Sonic Newsgroup.
by dukeofur » Sun May 27, 2012 10:41 pm
>and this isn't a private Sonic Newsgroup.

In fact, this isn't a newsgroup at all, and yes it actually is a private Sonic forum. It's behind Sonic's authentication.






From - Sun May 27 22:37:39 2012
X-Account-Key: account2
X-UIDL: 1338183415.21963_0.a.lds,S=1680
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <mail4ad@mail.ru>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on e.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=0.7 required=4.0 tests=DCC_REPUT_13_19,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE autolearn=disabled
version=3.3.1
Received: from b.mx.sonic.net (b.mx.sonic.net [69.12.208.74])
by a.lds.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4S5argL021949
for <dukeofur@lds.sonic.net>; Sun, 27 May 2012 22:36:53 -0700
Received: from smtp3.mail.ru (smtp3.mail.ru [94.100.176.131])
by b.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q4S5amCd028402
for <dukeofurl@sonic.net>; Sun, 27 May 2012 22:36:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail;
h=Message-Id:Content-Type:Mime-Version:Date:From:Subject:To; bh=KoFk+OZYM8htXr5vWKUpKlOz9sAxixOmHvS9W4U6lF8=;
b=Y68uVZPeQTrLZpHiR6znB8LwVvpmfaGW3ixAeCAmtzUoGlB7LtBoqLl4ftsc+jW9BBufRZu7d3yOUvTkrG3derEB8c9jvFV8abqKWZk0DHYpyg2noTC87RZiaiRVPi5+;
Received: from [61.227.225.204] (port=10548 helo=zjjtztr)
by smtp3.mail.ru with esmtpa (envelope-from <mail4ad@mail.ru>)
id 1SYsdK-0000Nx-SK; Mon, 28 May 2012 09:36:47 +0400
To: [redacted]
Subject: zidum
From: "Dinywk" <>
Date: Mon, 28 May 2012 08:22:06 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-7
Message-Id: <E1SYsdK-0000Nx-SK.mail4ad-mail-ru@smtp3.mail.ru>
X-Spam: Not detected
X-Sonic-SB-IP-RBLs: IP RBLs sorbs-spam.

ru http://rkaetfc.cz.tl sok ke
by virtualmike » Tue May 29, 2012 1:16 am
dukeofur wrote:>and this isn't a private Sonic Newsgroup.

In fact, this isn't a newsgroup at all, and yes it actually is a private Sonic forum. It's behind Sonic's authentication.
Guests can access these forums. They're not "private."