[Spambayes] Cunning use of quoted-printable

Richie Hindle richie@entrian.com
Wed, 02 Oct 2002 17:19:35 +0100 

[Send privately to Tim by accident; now forwarding to the list]

[Tim]
> I *think* you meant it was a false negative, since you said it was in your
> spam collection, and haven't argued that it's actually ham.

Correct, sorry.

[Tim]
> If you can without revealing a confidence, it would be good if you could
> share the fp.  Short of that, are these fp that bother you?  Would you be
> upset if you lost them in real life?

Here they are.  The first is a request to unsubscribe from a mailing
list - this one I certainly *would* be bothered about.  I've censored
the email address slightly in deference to its author - I've replaced
every other character with 'x'.

 'header:Received:5': 0.14;
 'from:email addr:biglobe.ne.jp>': 0.16; 'from:email name:<rxmx7x5x': 0.16;
 'from:skip:= 30': 0.16; 'message-id:@biglobe.ne.jp': 0.16;
 'subject:2022': 0.16; 'subject:IBskQiMxGyhC': 0.16; 'charset:us-ascii': 0.26;
 'content-type:text/plain': 0.35; 'subject:ISO': 0.35;
 'header:Message-Id:1': 0.64; 'x-mailer:none': 0.68; 'subject:=?': 0.70;
 'subject:?=': 0.72; 'unsubscribe': 0.93

It's probably the only legitimate email with 'ISO' headers that I've
ever received, and its author made the mistake of using the word
'unsubscribe'.  8-)

The bit I understand least here is this:

 'header:Message-Id:1': 0.64

Why is the tokenizer reading '1' for the Message-Id?  I'd look further
into this (the message_id_re code looks fine to me at a brief glance)
but I need to get back to my day job.  8-)

------------------------------------------------------------------------

>From RxMx7x5x@biglobe.ne.jp Fri May 02 22:21:22 1997
Received: from punt-2.mail.demon.net by mailstore for
	sr-list@sundog.demon.co.uk
	id 862608130:10:24450:1; Fri, 02 May 97 22:22:10 BST
Received: from mailsv1.pcvan.or.jp ([192.47.117.193]) by punt-2.mail.demon.net
           id aa1024075; 2 May 97 22:21 BST
Received: from mail-gw.biglobe.ne.jp (mailsv5.pcvan.or.jp [192.47.117.85]) by
	mailsv1.pcvan.or.jp (8.7.5+2.6Wbeta6/3.5W9-PCVAN01) with ESMTP id GAA11518 for
	<sr-list@sundog.demon.co.uk>; Sat, 3 May 1997 06:21:40 +0900 (JST)
Received: by mail-gw.biglobe.ne.jp (8.7.5+2.6Wbeta6/6.4J.6-BIGLOBE_GW)
	id GAA02729; Sat, 3 May 1997 06:21:15 +0900 (JST)
Received: by biglobe.ne.jp
	id 1023702; Sat, 03 May 1997 06:21:22 +0900
Message-Id: <970503062118.23085B03.1023702@biglobe.ne.jp>
Date: Sat, 03 May 1997 06:21:22 +0900
From: =?ISO-2022-JP?B?GyRCJV8layUtITwbKEI=?= <RxMx7x5x@biglobe.ne.jp>
To: sr-list@sundog.demon.co.uk
Subject: =?ISO-2022-JP?B?IBskQiMxGyhC?=
Content-Type: Text/Plain; charset=us-ascii
MIME-Version: 1.0

unsubscribe <list> [<RxMx7x5x@biglobe.ne.jp>]
end

------------------------------------------------------------------------

The second is a spam-looking mail from one of my ISPs, telling me that
their web address has changed.  I wouldn't care if I'd missed that.

------------------------------------------------------------------------

>From Orange#18.3250.d5-BLEXlg11G9rR.1@socket.cyberdialogue.com Thu Sep 26 10:04:37 2002
Return-Path: <Orange#18.3250.d5-BLEXlg11G9rR.1.b@socket.cyberdialogue.com>
Received: from punt-2.mail.demon.net by mailstore for
	entrian@sundog.demon.co.uk
	id 1033031768:20:16776:120; Thu, 26 Sep 2002 09:16:08 GMT
Received: from westhost19.westhost.net ([216.71.84.92]) by
	punt-2.mail.demon.net           id aa2017667; 26 Sep 2002 9:15 GMT
Received: from accumx-2.cyberdialogue.com (accumx-2.cyberdialogue.com
	[209.123.95.101])
	by westhost19.westhost.net (8.11.6/8.11.6) with SMTP id g8Q9Dxu31643
	for <richie@entrian.com>; Thu, 26 Sep 2002 04:13:59 -0500
Received: (qmail 31858 invoked from network); 26 Sep 2002 08:26:33 -0000
Received: from socket.fulcrumanalytics.com (HELO socket.cyberdialogue.com)
	(209.123.95.99)  by 0 with SMTP; 26 Sep 2002 08:26:33 -0000
Message-ID: <7160165.1033031077537.JavaMail.root@socket.cyberdialogue.com>
Date: Thu, 26 Sep 2002 05:04:37 -0400 (EDT)
From: "orange@orange.co.uk"
	<Orange#18.3250.d5-BLEXlg11G9rR.1@socket.cyberdialogue.com>
To: richie@entrian.com
Subject: Orange Internet has moved
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailer: Accucast (http://www.accucast.com)
X-Mailer-Version: 2.7.2-1
X-Hammie-Disposition: Yes

<HTML>
<HEAD>
<TITLE>Orange Internet moving to orange.co.uk</TITLE>
<STYLE TYPE="text/css">
.StandardLink {
    COLOR: #ff6600;
    TEXT-DECORATION: underline
}
.StandardLink:hover {
    COLOR: #ff6600;
    TEXT-DECORATION: underline
}
</STYLE>
</HEAD>
<BODY MARGINWIDTH="0" MARGINHEIGHT="0" TOPMARGIN="0" LEFTMARGIN="0" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#FF6600" ALINK="#FF6600" VLINK="#FF6600">
<TABLE WIDTH="612" CELLPADDING="0" CELLSPACING="0">
<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" COLSPAN="3" WIDTH="612" ALIGN="left" VALIGN="top"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/splash_top.jpg" WIDTH="612" HEIGHT="140" BORDER="0" ALT="Orange Internet moving to orange.co.uk"></TD></TR>
<TR BGCOLOR="#FFFFFF">
	<TD BGCOLOR="#FFFFFF" WIDTH="50" ALIGN="left" VALIGN="top"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/clear.gif" WIDTH="50" HEIGHT="1" BORDER="0"></TD>
	<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top">
	<TABLE WIDTH="530" CELLPADDING="0" CELLSPACING="0" BORDER="0">
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="50"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><FONT FACE="Helvetica,Arial" COLOR="#666666" SIZE="-1">
		<B>Hello Richard</B><BR>
		</FONT></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="20"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><FONT FACE="Helvetica,Arial" COLOR="#000000" SIZE="-1">
		Orange Internet has moved from its old home at orange.net to its brand new address at orange.co.uk. You can still organise your life exactly the way you have been, with the same Orange email address and log in, your diary, and free text messages - all available to you on <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="http://socket.cyberdialogue.com/Click?q=ea-fjzyQhVvN0N5jNLts_rATXuR"><FONT COLOR="#FF6600">Orange today</FONT></A>. Orange today is our new look site, you'll find the link at the top right of <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="http://socket.cyberdialogue.com/Click?q=00-4FClI9Qsp2CcPHsrO4r8uPcR"><FONT COLOR="#FF6600">Orange.co.uk</FONT></A>.<BR>
		</FONT></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="35"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/subhead_get_just_the_news_you_want.gif" WIDTH="173" HEIGHT="15" BORDER="0" ALT="get just the news you want"></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="20"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><FONT FACE="Helvetica,Arial" COLOR="#000000" SIZE="-1">
		Your news service can now be personalised, so you can receive updates on the news that matters to you. Go to <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="http://socket.cyberdialogue.com/Click?q=15-mYd_IGcs_2mqKwwtyAMwPZ4R"><FONT COLOR="#FF6600">Orange today</FONT></A> for more details.<BR>
		</FONT></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="30"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/subhead_tell_me_more.gif" WIDTH="80" HEIGHT="15" BORDER="0" ALT="tell me more"></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="20"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top"><FONT FACE="Helvetica,Arial" COLOR="#000000" SIZE="-1">
		Do you want to keep up with all the latest news on Orange products and services? Simply <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="http://socket.cyberdialogue.com/Click?q=2a-CNyWIrIpIgk5OfI1YLQzQQRR"><FONT COLOR="#FF6600">click here</FONT></A> to provide your contact details.<BR>
		</FONT></TD>
	</TR>
	<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="80"></TD></TR>
	<TR BGCOLOR="#FFFFFF">
		<TD BGCOLOR="#FFFFFF" WIDTH="530" ALIGN="left" VALIGN="top">
		<TABLE WIDTH="530" CELLPADDING="0" CELLSPACING="0" BORDER="0">
		<TR BGCOLOR="#FFFFFF">
			<TD BGCOLOR="#FFFFFF" WIDTH="470" ALIGN="left" VALIGN="bottom">
			<TABLE WIDTH="470" CELLPADDING="0" CELLSPACING="0" BORDER="0">
			<TR BGCOLOR="#FFFFFF"><TD BGCOLOR="#FFFFFF" WIDTH="470" HEIGHT="15"></TD></TR>
			<TR BGCOLOR="#FFFFFF">
				<TD BGCOLOR="#FFFFFF" WIDTH="470" ALIGN="left" VALIGN="bottom"><FONT FACE="Helvetica,Arial" SIZE="-2" COLOR="#000000">
				Click here to see the Orange <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="http://socket.cyberdialogue.com/Click?q=3f-4sSEIqMB4OMyB4zsXEMaCNeR"><FONT COLOR="#FF6600">privacy statement</FONT></A><BR>
				</FONT></TD>
			</TR>
			<TR BGCOLOR="#FFFFFF">
				<TD BGCOLOR="#FFFFFF" WIDTH="470" ALIGN="left" VALIGN="bottom"><FONT FACE="Helvetica,Arial" SIZE="-2" COLOR="#000000">
				If you don't want to receive marketing information from us by email, please <A STYLE="color: #ff6600" CLASS="StandardLink" HREF="<A HREF="http://socket.cyberdialogue.com/Click?q=54-l6HvzcK3RoVUapsEsRh5lR01zsRR"><FONT COLOR="#FF6600">click here</FONT></A> to unsubscribe<BR>
				</FONT></TD>
			</TR>
			</TABLE>
			</TD>
			<TD BGCOLOR="#FFFFFF" WIDTH="20" ALIGN="left" VALIGN="bottom"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/clear.gif" WIDTH="20" HEIGHT="1" BORDER="0"></TD>
			<TD BGCOLOR="#FFFFFF" WIDTH="40" ALIGN="right" VALIGN="bottom"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/logo.gif" WIDTH="40" HEIGHT="40" BORDER="0" ALT="orange&#153;"></TD>
		</TR>
		</TABLE>
		</TD>
	</TR>
	<TR><TD BGCOLOR="#FFFFFF" WIDTH="530" HEIGHT="30"></TD></TR>
	</TABLE>
	</TD>
	<TD BGCOLOR="#FFFFFF" WIDTH="32" ALIGN="left" VALIGN="top"><IMG SRC="http://www.orange.co.uk/html_emails/orangenet/images/clear.gif" WIDTH="32" HEIGHT="1" BORDER="0"></TD>
</TR>
</TABLE>
</BODY>
</HTML>






<IMG HEIGHT=1 WIDTH=1 SRC="http://socket.cyberdialogue.com/Click?q=69-CYAinjWDS5is2_PWo-D_gRRR">

------------------------------------------------------------------------

-- 
Richie Hindle
richie@entrian.com