[Spambayes] Spamvolution

Charles Cazabon python-spambayes@discworld.dyndns.org
Fri, 20 Sep 2002 14:15:26 -0600


Tim Peters <tim.one@comcast.net> wrote:
> Charles, while we've got your supernatural insight on the line here

Boggle.  I'm a pretty good mail administrator, but I'm not sure I qualify for
that adjective :).

> can you shed any light on this putative spam?

> Return-Path: <paige69@cranfield.ac.uk>
> Delivered-To: bfsmedia-sales@bfsmedia.com

The envelope.  Suspicious enough; the envelope sender's local-part is a common
name with a couple decimal digits tacked on, and some random domain.  The
envelope recipient was <sales@bfsmedia.com>, which was almost certainly
harvested off a web page.

> Received: (qmail 1012 invoked from network); 10 Mar 2002 18:06:08 -0000
> Received: from unknown (HELO goforhost.com) (208.178.66.38)
>   by agamemnon.bfsmedia.com with SMTP; 10 Mar 2002 18:06:08 -0000

Received from an MTA on an IP address without a valid PTR record, if Bruce had
DNS lookups enabled at the time.  I don't know if he did or not.  The machine
in question announced itself with the name goforhost.com, which appears to be
forged.

> Date: Sun, 10 Mar 2002 13:10:19 -0500
> Message-Id: <200203101810.g2AI9sE21236@goforhost.com>
> X-Mailer: Gnus/5.090001 (Oort Gnus v0.01) XEmacs/21.2 (Terspichore)

Older spam usually had the name of the spamming software in an X-Mailer or
similar header (programs like BlastAway and SuperMailer and crap like that).
Lately they've taken to using the names of real MUAs, but usually it's Outlook
they fake.  I've personally never seen a spam written with Gnus or claiming to
be written with Gnus, so that makes me think this is a ham.

> Reply-To: <paige69@cranfield.ac.uk>
> From: <paige69@cranfield.ac.uk>

The From: header and Reply-To: header match the envelope sender address, which
is just about never the case with spam.  Another clue it's a ham.

> To: <sales@bg-ep.com>
> Subject: Hello Tim
> Content-Length: 106
> Lines: 9
> 
> Tim,
> 
> 
>  It was great to talk to you today I should have the propsal done by
> tommorrow
> 
> 
> Take Care,
> 
> Susan

> There's little about this that looks spammish to me (or to my classifier),
> and it's another of my persistent false negatives.

I have to agree it's a ham, but the only suspicious bits about it are:

-the envelope
-the host it came from
-the presence of "Hello" in the subject line.  This is a definitive clue in my
corpus, but I don't know how you're tokenizing the subject.  I haven't built
Python2.3 out of cvs yet on my little P90 mail server at home.

And, of course, the fact that there's not enough context in the body for it to
mean anything to me.

Out of curiosity, how does "propsal" score in your corpus?  Misspellings of
simple English words are far more common in my spam than my ham.

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                 <python-spambayes@discworld.dyndns.org>
GPL'ed software available at:     http://www.qcc.ca/~charlesc/software/
-----------------------------------------------------------------------
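The header clues walked through in the message above, collected by a short script. This is an added example, not part of the original post and not Spambayes code; the function name `header_clues` and the clue names are hypothetical, and the sample headers are copied from the quoted message with the body omitted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the message above (body omitted).
SAMPLE = """\
Return-Path: <paige69@cranfield.ac.uk>
Delivered-To: bfsmedia-sales@bfsmedia.com
Received: (qmail 1012 invoked from network); 10 Mar 2002 18:06:08 -0000
Received: from unknown (HELO goforhost.com) (208.178.66.38)
  by agamemnon.bfsmedia.com with SMTP; 10 Mar 2002 18:06:08 -0000
Date: Sun, 10 Mar 2002 13:10:19 -0500
Message-Id: <200203101810.g2AI9sE21236@goforhost.com>
X-Mailer: Gnus/5.090001 (Oort Gnus v0.01) XEmacs/21.2 (Terspichore)
Reply-To: <paige69@cranfield.ac.uk>
From: <paige69@cranfield.ac.uk>
To: <sales@bg-ep.com>
Subject: Hello Tim

"""

# qmail-smtpd Received form: "from <ptr-name|unknown> (HELO <name>) (<ip>)"
QMAIL_RECEIVED = re.compile(r"from\s+(\S+)\s+\(HELO\s+(\S+)\)\s+\(([\d.]+)\)")

def header_clues(raw):
    """Return the per-header clues discussed in the message as a dict."""
    msg = message_from_string(raw)
    addr = lambda name: parseaddr(msg.get(name, ""))[1].lower()
    envelope = addr("Return-Path")
    local_part = envelope.split("@")[0]
    clues = {
        # Common name with a couple of decimal digits tacked on.
        "name_plus_digits_sender": bool(re.fullmatch(r"[a-z]+\d{2,}", local_part)),
        # From:/Reply-To: agreeing with the envelope sender (ham-leaning).
        "from_matches_envelope": addr("From") == envelope,
        "reply_to_matches_envelope": addr("Reply-To") == envelope,
        # The MUA name the message says is usually faked.
        "claims_outlook": "outlook" in msg.get("X-Mailer", "").lower(),
        "subject_has_hello": "hello" in msg.get("Subject", "").lower().split(),
    }
    for received in msg.get_all("Received", []):
        m = QMAIL_RECEIVED.search(received)
        if m:  # first hop that names the connecting client
            ptr, clues["helo_name"], clues["client_ip"] = m.groups()
            # "unknown" also appears when the MTA had DNS lookups disabled.
            clues["no_ptr_recorded"] = ptr == "unknown"
            break
    return clues
```

None of these clues decides anything on its own; they are the kind of per-header evidence a classifier would weigh alongside the body tokens.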