[Mimedefang] Seeing a lot of these lately

Charles cg-list at sterlingideas.com
Mon Apr 10 15:54:27 EDT 2006


Cormack, Ken wrote:
> Have others been noticing a lot of spams recently, that tend to be
> html-based (big surprise there, eh?), contain obvious (and visible) random
> text intended to pollute a bayes store, both above and below the "real"
> content of the message... a spam in the form of a bitmap image?  The
> subject, too, is typically one or two random words meant to sneak past a
> bayes engine.
> 
> Have been seeing a number of these lately here, and I'm wondering if anyone
> has ideas how best to go about blocking some of these things.
> 
> Ken

Yes, they seem to have been showing up steadily for the last two weeks or so. The first few came through, but they've been being flagged since. Unfortunately, I haven't seen enough for Bayes to get a clue, it appears, but here's the analysis of the last one I just noticed:

 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                            1)
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
-2.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [24.91.213.212 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see <http://www.spamcop.net/bl.shtml?24.91.213.212>]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [24.91.213.212 listed in combined.njabl.org]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [24.91.213.212 listed in sbl-xbl.spamhaus.org]

Charles


