[Mimedefang] MIME:Parser having trouble distinguishing header/body

Michael mikehollywood at pacbell.net
Mon Apr 25 19:10:42 EDT 2005


This is my first posting to the MIMEDefang list. I'm
using MIME::Parser 5.417, part of MIME::Tools, as part
of a Postfix/Amavisd/SpamAssassin based spam filter.
Hopefully this is the right list to be sending this
message.

My problem is, once in a while I get mail (spam) that
causes MIME::Parser to generate errors similar to the
following:

Apr 21 09:06:11 example amavis[24743]: (24743-03)
WARN: MIME::Parser error: couldn't parse head; error
near:; If you are looking for a job - that's not us.;
; We want ambitious people who want to break out; of
the ordinary J-O-B (Just Over Broke) category.

It seems like MIME::Parser is having trouble figuring
out where the header ends and the body begins. I've
taken a look at some of the messages exhibiting this
problem and can't find any particular correlation
except that a couple of them are from the same
spammer. Examples follow at the end of this message.

When amavisd inserts its spam-tagging headers, what
actually ends up happening is the spam-tagging is
inserted in the middle of the body. Thus, the spammer
has eluded user rules that handle spam based on header
data, since the spam tag is now located in the body
rather than the header. 

Has anyone else seen this sort of thing before? Is
this an intentional technique being used by spammers
or is their spamming software just really dumb? How do
I fix this?

Thanks for all your help.

Example #1 Header:

Received: from example.answerfinancial.com ([1.1.1.1])
by example.answerfinancial.com with SMTP (Microsoft
Exchange Internet Mail Service Version 5.5.2657.72) id
2QLK4A12; Thu, 21 Apr 2005 09:08:38 -0700
Received: from localhost (localhost [127.0.0.1]) by
example.answerfinancial.com (Postfix) with ESMTP id
98ABA41686D for <example at answerfinancial.com>; Thu, 21
Apr 2005 09:06:12 -0700 (PDT)
Received: from example.answerfinancial.com
([127.0.0.1]) by localhost
(example.answerfinancial.com [127.0.0.1])
(amavisd-new, port 10024) with ESMTP id 24743-03 for
<example at answerfinancial.com>; Thu, 21 Apr 2005
09:06:11 -0700 (PDT)
Received: from 66.63.172.131 (unknown [66.63.172.131])
by example.answerfinancial.com (Postfix) with SMTP for
<example at answerfinancial.com>; Thu, 21 Apr 2005
09:06:11 -0700 (PDT)
Date: Thu, 21 Apr 2005 12:05:02 -0500
From: "Bill" <Bill at incomebuildr.com>
Reply-To: "Bill" <Bill at incomebuildr.com>
Message-ID:
<8243396422029.74764 at Bill@incomebuildr.com>
To: example at answerfinancial.com
Subject: Need an Opportunity? Earn 6 Figures from
Home.
Content-Type: text/plain;charset="iso-8859-1
Content-Transfer-Encoding: quoted-printable

Example #1 Body:

If you are looking for a job - that's not us.

We want ambitious people who want to break out of the
ordinary J-O-B (Just Over Broke) category.
X-Spam-Status: Yes, hits=19.359 tagged_above=-999
required=7.5 tests=BAYES_99, DNS_FROM_RFC_BOGUSMX,
RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SBL,
RCVD_NUMERIC_HELO, URIBL_OB_SURBL, URIBL_SBL
X-Spam-Level: *******************
X-Spam-Flag: YES

... SNIP ...

Example #2 Header:

Received: from example.answerfinancial.com ([1.1.1.1])
by example.answerfinancial.com with SMTP (Microsoft
Exchange Internet Mail Service Version 5.5.2657.72)
        id 2QLK4VR4; Fri, 22 Apr 2005 07:14:31 -0700
Received: from localhost (localhost [127.0.0.1])
        by example.answerfinancial.com (Postfix) with
ESMTP id BF39C260CDE
        for <example at answerfinancial.com>; Fri, 22 Apr
2005 07:12:06 -0700 (PDT)
Received: from example.answerfinancial.com
([127.0.0.1])  by localhost
(example.answerfinancial.com [127.0.0.1])
(amavisd-new, port 10024)  with ESMTP id 02237-09 for
<example at answerfinancial.com>;  Fri, 22 Apr 2005
07:12:03 -0700 (PDT)
Received: from 66.63.172.147 (unknown [66.63.172.147])
        by example.answerfinancial.com (Postfix) with
SMTP
        for <example at answerfinancial.com>; Fri, 22 Apr
2005 07:12:03 -0700 (PDT)
Date: Fri, 22 Apr 2005 13:12:50 -0500
From: "Bradley" <Bradley at svcaffil.com>
Reply-To: Bradley at svcaffil.com
Message-ID: <5103490356.05595 at Bradley@svcaffil.com>
To: example at answerfinancial.com
Subject: Total CH0LESTEROL and TRIGLYCERIDES Slashed
up to 35% in Clinical Trial!
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Example #2 Body:

RESPECTED MD DISCOVERS NATURE'S WAY TO LOWER
CHOLESTEROL!
X-Spam-Status: Yes, hits=17.642 tagged_above=-999
required=7.5 tests=AWL,  BAYES_99,
DATE_IN_FUTURE_03_06, J_CHICKENPOX_28,
RAZOR2_CF_RANGE_51_100,  RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SBL,
RCVD_NUMERIC_HELO,  URIBL_OB_SURBL, URIBL_SBL
X-Spam-Level: *****************
X-Spam-Flag: YES

... SNIP ...
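
A check for the symptom reported in this post, added here as an example (not code from the poster, amavisd-new or MIME-tools): it splits a raw message at the first empty line and reports spam-tag fields that landed after it, plus head lines that are not valid field lines. The function names, the tag list and the sample message are constructed for illustration.

```python
import re

# Tag fields from the examples in this post, compared case-insensitively.
TAG_FIELDS = ("x-spam-status", "x-spam-level", "x-spam-flag")
# RFC 5322 field name: printable ASCII except ":", then the colon.
FIELD_RE = re.compile(r"^([!-9;-~]+)[ \t]*:")

# Constructed sample: tag fields sit after the first empty line.
SAMPLE = (
    b"Received: from mail.example (unknown [192.0.2.1])\r\n"
    b"\tby mx.example (Postfix) with SMTP\r\n"
    b"Subject: constructed test message\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"First paragraph of the body.\r\n"
    b"X-Spam-Status: Yes, hits=19.359\r\n"
    b"X-Spam-Flag: YES\r\n"
    b"\r\n"
    b"Rest of the body.\r\n"
)


def tag_field(line):
    """Return the lower-cased tag field name a line starts with, else None."""
    m = FIELD_RE.match(line)
    return m.group(1).lower() if m and m.group(1).lower() in TAG_FIELDS else None


def audit_tag_placement(raw):
    """Locate spam-tag fields relative to the header/body boundary."""
    # Only CRLF is normalised; any other line ending is left untouched.
    lines = raw.replace(b"\r\n", b"\n").decode("latin-1").split("\n")
    boundary = lines.index("") if "" in lines else len(lines)
    head, body = lines[:boundary], lines[boundary + 1:]
    # Head lines that are neither a field line nor a folded continuation.
    malformed = [(n, l) for n, l in enumerate(head, 1)
                 if not FIELD_RE.match(l) and (n == 1 or l[:1] not in " \t")]
    in_head = [tag_field(l) for l in head if tag_field(l)]
    in_body = [(n, tag_field(l)) for n, l in enumerate(body, boundary + 2)
               if tag_field(l)]
    return {"boundary_line": boundary + 1, "tags_in_head": in_head,
            "tags_in_body": in_body, "malformed_head_lines": malformed,
            "misplaced": bool(in_body) and not in_head}


if __name__ == "__main__":
    print(audit_tag_placement(SAMPLE))
```

Run over quarantined or delivered messages, a result with "misplaced" set to True marks mail whose tags header-based user rules will not see.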





