CastleCops, Internet Crime Fighters
Can I have some image spam please?
SPAM
We're not a financial firm, nor do we give any financial advice (so don't follow any you find here); what is amazing to me, though, is the lengths to which spammers go to get past anti-spam filters. This particular spam made it through Fortinet and SpamAssassin. Why? The content of this particular email is basically a GIF image, so there is very little text for a filter to score. SpamAssassin did, however, flag a couple of things:

- score=3.0
- tests=BAYES_50, HTML_IMAGE_ONLY_16, HTML_MESSAGE, RCVD_IN_SORBS_DUL

A score of 3.0 is below SpamAssassin's default required_score of 5.0, so the message was delivered untagged. The tests tell the story anyway: the Bayes classifier could not decide (BAYES_50, a spam probability between 40% and 60%), the HTML body was essentially image-only (HTML_IMAGE_ONLY_16, HTML_MESSAGE), and the sending host is on the SORBS dynamic user list (RCVD_IN_SORBS_DUL).

Interestingly, if we check SORBS we find a hit.

Here is a portion of the message header:

Return-Path: <Egllsfhxw@bahamas2000.com>
Received: from 37B87418 (host81-159-239-154.range81-159.btcentralplus.com [81.159.239.154])
by bugsbunny.castlecops.com (8.13.4/8.13.4) with SMTP id jBT05clG030437;
Wed, 28 Dec 2005 19:05:43 -0500
Received: from [192.168.197.190] (port=10330 helo=ihaab)
by mx5.eiffeltower.com with smtp
id 1GardT-128Ula-25
for mendez@laudanski.com; Wed, 28 Dec 2005 16:05:56 -0800
Message-ID: <3216263786.69715472667236@eiffeltower.com>
From: "Samuel Frazier" <jolhufvp@eiffeltower.com>
To: <mendez@laudanski.com>
Subject: Are finish be inherit pseudonymous
Date: Wed, 28 Dec 2005 16:05:56 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_00EA_01C5051B.72D54EB0"

The netblock 81.159.239.0/24, as reported by SORBS, is blacklisted and classed as dynamic IP space (LAN, cable, DSL and dial-up); that listing is what fired RCVD_IN_SORBS_DUL. The entire block has been listed since Sun Dec 25 13:06:27 2005 GMT. Note which address that is: 81.159.239.154 is the peer recorded in the Received line written by bugsbunny.castlecops.com, the recipient's own MX, and so the only hop we can vouch for. The earlier Received line claiming the message passed from [192.168.197.190] through mx5.eiffeltower.com arrived inside the message, was supplied by the sender and cannot be verified.

Getting crafty... so now we need to take signatures of the images and blacklist those. Otherwise we can all virtually stock-pick Star Petroleum Corp (SPMP), because it is the "next hot pick".
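Both checks the post points at, as an added example rather than code from CastleCops or the post's author: take the peer address from the Received line that the receiving MX wrote and test it against the dynamic-IP netblock quoted above, then fingerprint every image part so a repeated payload can be blocklisted. The names (`classify`, `DUL_NETBLOCKS`, `KNOWN_SPAM_IMAGES`, `build_sample_message`) are assumptions; the sample message is constructed from the header shown above with a 1x1 GIF in place of the real stock-pick image, and a local netblock table stands in for the SORBS DNSBL query.

```python
"""Added example, not CastleCops' code: the two checks the post calls for.
Offline stand-ins: the netblock table replaces the SORBS DNSBL query, the
image blocklist is a constructed digest set, and the sample message is built
from the header quoted above with a 1x1 GIF in place of the real image."""
import base64
import email
import hashlib
import ipaddress
import re
from email import policy
from typing import Dict, Optional

# Netblock quoted in the post, standing in for a live SORBS DUL lookup.
DUL_NETBLOCKS = [ipaddress.ip_network("81.159.239.0/24")]

# Hand-made 1x1 GIF used as the sample payload (constructed).
FAKE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
            b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

# Digests harvested from an earlier run of the same spam (constructed blocklist).
KNOWN_SPAM_IMAGES = {hashlib.sha256(FAKE_GIF).hexdigest()}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BOUNDARY = "----=_NextPart_000_00EA_01C5051B.72D54EB0"


def build_sample_message(peer_ip: str = "81.159.239.154", image: bytes = FAKE_GIF) -> bytes:
    """Assemble a raw multipart/related message shaped like the one in the post."""
    b64 = base64.encodebytes(image).decode()
    return (
        "Return-Path: <Egllsfhxw@bahamas2000.com>\n"
        f"Received: from 37B87418 ([{peer_ip}])\n"
        "\tby bugsbunny.castlecops.com (8.13.4/8.13.4) with SMTP id jBT05clG030437;\n"
        "\tWed, 28 Dec 2005 19:05:43 -0500\n"
        "Received: from [192.168.197.190] (port=10330 helo=ihaab)\n"
        "\tby mx5.eiffeltower.com with smtp id 1GardT-128Ula-25\n"
        "\tfor mendez@laudanski.com; Wed, 28 Dec 2005 16:05:56 -0800\n"
        'From: "Samuel Frazier" <jolhufvp@eiffeltower.com>\n'
        "To: <mendez@laudanski.com>\n"
        "Subject: Are finish be inherit pseudonymous\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/related; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "\n"
        '<html><body><img src="cid:pick.gif"><br>'
        '<a href="http://zzejqg.viragoc.net/">indigestible</a>'
        "<p>acceptance granted to the undersigned, by the before-mentioned Mr.</p>"
        "</body></html>\n"
        f"--{BOUNDARY}\n"
        'Content-Type: image/gif; name="pick.gif"\n'
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <pick.gif>\n"
        "\n"
        f"{b64}"
        f"--{BOUNDARY}--\n"
    ).encode()


def connecting_ip(msg) -> Optional[str]:
    """Peer address from the topmost Received header, the one our own MX wrote.
    Received lines below it travelled inside the message and may be forged."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(str(received[0])) if received else None
    return match.group(1) if match else None


def in_dynamic_space(ip: str) -> bool:
    """True if the address falls in a listed dynamic (DUL-style) netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DUL_NETBLOCKS)


def image_digests(msg) -> Dict[str, str]:
    """SHA-256 of the decoded bytes of every image/* part, keyed by filename."""
    digests = {}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            label = part.get_filename() or part.get_content_type()
            digests[label] = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
    return digests


def classify(raw: bytes) -> dict:
    """Run both checks over a raw message and report what they found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    peer = connecting_ip(msg)
    digests = image_digests(msg)
    return {
        "peer": peer,
        "dynamic": peer is not None and in_dynamic_space(peer),
        "images": digests,
        "blocked_images": sorted(n for n, d in digests.items() if d in KNOWN_SPAM_IMAGES),
    }


if __name__ == "__main__":
    print(classify(build_sample_message()))
```

Two things to keep in mind when using this. First, only the Received header added by your own MX is trusted; the code deliberately ignores the rest, which is why the forged eiffeltower.com hop in the sample never influences the verdict. Second, an exact digest blocklist is brittle: feeding `build_sample_message(image=FAKE_GIF + b"\x00")` to `classify` produces a different SHA-256 and no block, which is exactly how spammers defeated hash-based image blocklists by randomising a few bytes per message. A production filter layers fuzzy or perceptual hashing and OCR on top of this.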

Did I say the bulk of the message was taken up by the image? But wait, there is slightly more: a single word carrying the only link, followed by a run of random literary sentences whose job is to dilute token-based (Bayesian) scoring, which is consistent with the undecided BAYES_50 result:


indigestible


acceptance granted to the undersigned, by the before-mentioned Mr. vast expense, I went to Miss Millss, fraught with a declaration.
upon us on great occasions; we think it looks important, and sounds friend today, with an inclination of her head towards Traddles,
I affected to interrupt my conversation for that purpose, and to
and Emly. Ill be your servant, constant and trew. If theres
until he seemed to wake again, all at once, and pulled down his that Peggottys spare room - my room - was likely to have
The word "indigestible" in this email is hyperlinked to http://zzejqg.viragoc.net/. It didn't come up for me.
Posted on Wednesday, 28 December 2005 @ 20:33:12 UTC by Paul (1774 reads)