Date: 2005-11-10 08:56:00
Tags: email, spam
interesting email surprise

I received the following message yesterday, and it almost had me fooled:

From: "Jamie" <>
To: <>
Subject: Photo Approval
Date: Thu, 10 Nov 2005 03:31:07 -0600

Your photograph was forwarded to us as part of an article we are publishing for
our December edition of Total Business Monthly.
Can you check over the format and get back to us with your approval or any
If the picture is not to your liking then please send a preferred one.
We have attached the photo with the article here.
Kind regards,
Jamie Andrews
The Professional Development Institute

I had received a legitimate message a few days ago from somebody in Germany asking to use one of my pictures in an architectural publication of some kind (I gave them permission). Initially I thought this might be related. Then I noticed the attachment:

[-- Attachment #2: Photo+Article.exe --]
[-- Type: application/octet-stream, Encoding: base64, Size: 13K --]

It's an email virus! Luckily I handle my mail using mutt on FreeBSD, so it would have been several more steps for me to "open" the attachment, so I didn't run it. It's amazing the lengths to which these virus authors are going to try to trap people.

In related news, I'm still getting fake-rolex spam which spamassassin is still marking as BAYES_50 (which means spamassassin thinks it's middle of the road, no sign of spam). Every one of those damn things I run through sa-learn to teach it, but the people who write those have found that the English language is extremely flexible and there are a million ways to package their sales pitch.

Spam is starting to become overwhelming again. Whatever happened to SPF, anyway?

You've got a missing </pre> in there, I think.
Whoops, thanks.
Spam is starting to become overwhelming again.

For me, what's getting through more than fake rolex spam is penny stock spam. I've also found it is nearly impossible to train a mail program to block them.

I think the only answer is public executions of spammers and floggings for those that respond to spam.

I'm getting tons of false positives recently. All of my email that's not whitelisted gets marked as Spam. Is Bayesian classification dead?
It may or may not be dead, but I think it's definitely caused the spammers to modify their tactics. A lot. Paul Graham was dead on when he predicted some of this in his "A Plan for Spam" article that introduced Bayesian content filtering.

What's next on the antispam front, I wonder?

Are there really that many people out there who want fake rolexes?
cetan: you're on the cutting edge of trojans!

ghewgill: Re: you're on the cutting edge of trojans!
I'm going to try DSPAM, as soon as I can get past the configuration...
2005-11-10T20:00:02Z
TXT "v=spf1 exists:CL.%{i}.FR.%{s}.HE.%{h} mx -all"

Ew? What's the big exists: thing and why is it backwards?
What that does is cause SPF checkers to query my DNS server for a name related to the email it received. I get in my logs something like this:

That gives me the sender's IP address (, the claimed sender address (, and the HELO name used ( My DNS server responds with "not exists" for anything like that, so the SPF query just uses the "mx" rule.

I set that up a long time ago and then hardly ever look at it now. :)
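The macro expansion described above, as an added example (not code from the post or from any SPF library): it builds the DNS name a checker would query for the exists: mechanism in that record and parses such a name back into the three fields a DNS log would show. The IP, sender and HELO values are constructed.

```python
import re

# The record quoted in the comment above.
SPF_RECORD = "v=spf1 exists:CL.%{i}.FR.%{s}.HE.%{h} mx -all"

# Subset of the SPF macro syntax (RFC 7208 section 7): letter, optional
# digit count, optional 'r' (reverse), optional delimiter set.
MACRO_RE = re.compile(r"%\{([slodiphcrtv])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macros(spec, ip, sender, helo):
    """Expand the macros used in the record above (i, s, h, plus l/o/d)."""
    local, _, domain = sender.partition("@")
    values = {"i": ip, "s": sender, "l": local, "o": domain, "d": domain, "h": helo}

    def repl(m):
        letter, count, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if count:  # keep only the right-most N labels
            parts = parts[-int(count):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, spec)


def exists_query_name(record, ip, sender, helo):
    """Return the name an SPF checker would look up for the exists: term."""
    for term in record.split():
        if term.startswith("exists:"):
            return expand_macros(term[len("exists:"):], ip, sender, helo)
    return None


def parse_logged_query(name):
    """Recover client IP, claimed sender and HELO from a logged query name."""
    m = re.fullmatch(r"CL\.(.+?)\.FR\.(.+)\.HE\.(.+)", name, flags=re.IGNORECASE)
    if not m:
        return None
    return {"client_ip": m.group(1), "sender": m.group(2), "helo": m.group(3)}


if __name__ == "__main__":
    # Constructed sample values, not taken from the author's logs.
    q = exists_query_name(SPF_RECORD, "192.0.2.10", "someone@example.net", "mail.example.net")
    print(q)
    print(parse_logged_query(q))
```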
Oh, cute. That explains the backwards bit.
SPF is not antispam per se, but prevents domain spoofing. You can still create a domain and flood someone with mail from many addresses from it. Or create and destroy many domains. It just makes spoofing someone from say,, much harder.

The mailserver my company produces uses an interesting anti-spam trick called Spam Repellant. The theory is that spammers need to send as many spam as possible to be profitable. Therefore, they will not wait as long for a response from the recipient mailserver before giving up. Legitimate mailservers will wait for a reasonable length of time.

So we introduce an artificial delay between the opening of the connection and the SMTP server's greeting - up to 30 seconds. Anything that tries to send before the greeting, we drop. Spam mail senders usually won't wait more than 10-15 seconds, and drop themselves. So they're filtered, and legitimate mail allowed.

This works very nicely.
That's an interesting tactic. Someone with postfix mojo should come up with a similar solution :-)
You know, yahoo mail catches 99.9 percent of the spam I get. Maybe three a week get through to my inbox, and maybe one legit goes to the spam folder every couple of weeks. It's hard for me to justify using anything else.
Greg Hewgill <>