I installed SpamAssassin (SA) and instantly developed a new pastime. Even funnier than reading spam is reading what SA has to say about it. SA is a filter daemon (or standalone program) that reads an e-mail message and analyzes it for spam, adding a couple headers to give its verdict. If it thinks the message is spam, it also puts a "***SPAM***" prefix in the Subject: and adds some structured comments to the body saying what's suspicious about the message. Those comments in the body are where the funny parts are. SA is so amusing that I've given up my two other recent pastimes: collecting Klez worms and Nigeria scams. I just /dev/null the Klez worms now.
SPAM: -------------------- Start SpamAssassin results ---------------------- SPAM: This mail is probably spam. The original message has been altered SPAM: so you can recognise or block similar unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more details. SPAM: SPAM: Content analysis details: (16.2 hits, 5 required) SPAM: Hit! (2.2 points) BODY: As seen on national TV! SPAM: Hit! (1.5 points) BODY: Asks you to click below SPAM: Hit! (0.2 points) BODY: No such thing as a free lunch (1) SPAM: Hit! (-0.1 points) BODY: Claims you can be removed from the list SPAM: Hit! (2.1 points) BODY: Talks about opting in SPAM: Hit! (3.0 points) URI: Uses a dotted-decimal IP address in URL SPAM: Hit! (0.1 points) URI: Uses non-standard port number for HTTP SPAM: Hit! (3.5 points) URI: URL of page called "remove" SPAM: Hit! (-0.8 points) BODY: JavaScript code which can easily be executed SPAM: Hit! (-0.5 points) BODY: HTML mail with non-white background SPAM: Hit! (1.8 points) BODY: Tells you to click on a URL SPAM: Hit! (3.2 points) HTML-only mail, with no text version SPAM: SPAM: -------------------- End of SpamAssassin results ---------------------
SPAM: Hit! (0.6 points) Invalid Date: header (wierd month) SPAM: Hit! (0.5 points) BODY: A WHOLE LINE OF YELLING DETECTED SPAM: Hit! (3.0 points) URI: Uses a dotted-decimal IP address in URL SPAM: Hit! (-0.8 points) BODY: Image tag with an ID code to identify you SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long SPAM: Hit! (1.8 points) BODY: Tells you to click on a URL SPAM: Hit! (3.2 points) HTML-only mail, with no text version SPAM: Hit! (2.0 points) Received via a relay in relays.osirusoft.com SPAM: [RBL check: found 148.167.27.64.relays.osirusoft.com., type: 127.0.0.4] SPAM: Hit! (3.0 points) DNSBL: sender is Confirmed Spam Source
SPAM: Hit! (1.0 point) From: ends in numbers SPAM: Hit! (0.5 points) Subject has an exclamation mark SPAM: Hit! (0.4 points) Subject has lots of exclamation marks SPAM: Hit! (-0.5 points) BODY: Contains 'Dear Somebody' SPAM: Hit! (2.7 points) BODY: Nigerian scam key phrase ($NN,NNN,NNN.NN) SPAM: Hit! (2.4 points) BODY: Nigerian scam key phrase SPAM: Hit! (4.3 points) BODY: Nigerian Bank or Petroleum scam, cf http://www.snopes2.com/inboxer/scams/nigeria.htm SPAM: Hit! (2.2 points) BODY: Risk free. Suuurreeee.... SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long
SPAM: Hit! (4.3 points) Reply-To: is empty SPAM: Hit! (2.4 points) 'Message-Id' was added by a relay (2) SPAM: Hit! (2.2 points) From: has a malformed address SPAM: Hit! (1.5 points) Message-Id is not valid, according to RFC-2822 SPAM: Hit! (1.3 points) Message-Id has no @ sign SPAM: Hit! (0.5 points) Possibly-forged 'Received:' header found SPAM: Hit! (2.1 points) BODY: FONT Size +2 and up or 3 and up SPAM: Hit! (3.2 points) HTML-only mail, with no text version
SPAM: Hit! (1.0 point) From: ends in numbers SPAM: Hit! (0.5 points) Subject has an exclamation mark SPAM: Hit! (0.4 points) Subject has lots of exclamation marks SPAM: Hit! (0.9 points) URI: Filename is just a '\#'; probably a JS trick SPAM: Hit! (-0.8 points) BODY: JavaScript code which can easily be executed SPAM: Hit! (0.0 points) BODY: Includes a URL link to send an email SPAM: Hit! (3.2 points) HTML-only mail, with no text version SPAM: Hit! (1.9 points) Subject is all capitals
SPAM: Content analysis details: (6.2 hits, 5 required) SPAM: Hit! (1.1 points) BODY: Contains a large block of hexadecimal code SPAM: Hit! (-0.6 points) BODY: Frame wanted to load outside URL SPAM: Hit! (1.8 points) No MX records for the From: domain SPAM: Hit! (1.9 points) Subject is all capitals SPAM: Hit! (2.0 points) Subject contains a unique ID number
SPAM: Content analysis details: (10.1 hits, 5 required) SPAM: Hit! (1.2 points) Valid-looking To "undisclosed-recipients" SPAM: Hit! (0.5 points) Subject has an exclamation mark SPAM: Hit! (0.4 points) Subject has lots of exclamation marks SPAM: Hit! (0.2 points) BODY: Contains at least 3 dollar signs in a row SPAM: Hit! (0.2 points) BODY: No such thing as a free lunch (1) SPAM: Hit! (2.3 points) BODY: List removal information SPAM: Hit! (1.9 points) BODY: List removal information SPAM: Hit! (1.0 point) BODY: No such thing as a free lunch (3) SPAM: Hit! (0.5 points) Forged hotmail.com 'Received:' header found SPAM: Hit! (1.9 points) Subject is all capitals
SPAM: Content analysis details: (12.6 hits, 5 required) SPAM: Hit! (2.0 points) From: contains numbers mixed in with letters SPAM: Hit! (1.0 point) From: ends in numbers SPAM: Hit! (0.6 points) From: does not include a real name SPAM: Hit! (2.7 points) BODY: Claims you can be removed from the list SPAM: Hit! (1.9 points) BODY: List removal information SPAM: Hit! (0.1 points) BODY: List removal information SPAM: Hit! (1.3 points) URI: Includes a link to a likely spammer email address SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long SPAM: Hit! (0.5 points) Forged hotmail.com 'Received:' header found SPAM: Hit! (1.0 point) Received via a relay in orbs.dorkslayers.com SPAM: [RBL check: found 17.98.187.210.orbs.dorkslayers.com.] SPAM: Hit! (1.9 points) Subject is all capitals
Well well well well well, I do declare. What's the most interesting piece of spam this month? Tsk, tsk. (For background info about this company, see the News Bytes column in LG #71-76.)
From: "ElcomSoft, Inc"To: Webmaster Date: Thu, 16 May 2002 20:24:52 +0800 Subject: Request Review for Advanced PDF Password Recovery Pro 2.0 Dear Webmaster Our company, ElcomSoft Co. Ltd., would like to announce the release of Advanced PDF Password Recovery Pro 2.0 for Windows 95/98/ME/NT/2000/XP. We hope you will consider reviewing Advanced PDF Password Recovery Pro (APDFPR) for Linux Gazette. Should you need a full version for�review, please contact me at [email protected]. Please find the press release of Advanced PDF Password Recovery Pro below for your information. Warmest Regards, Dmitry Harchenko Marketing Manager ElcomSoft Co. Ltd. -------------------------------------------------------------------------------- FOR IMMEDIATE RELEASE - May 17, 2002 ElcomSoft Releases Advanced PDF Password Recovery Pro 2.0 for Windows 9x/ME/NT/2000/XP Gain Control of PDF Files Moscow, Russia - ElcomSoft Co. Ltd. has released Advanced PDF Password Recovery (Professional) 2.0 for Windows ME/98/95/NT4/2000/XP. This program makes it easy to remove both password encryption and usage restrictions from Adobe Acrobat PDF files. APDFPR now comes with multiprocessor support, guaranteed recovery and state-of-the-art optimization for modern processors. With the increasing popularity of PDF formatted file, comes increasing number of problems which occur when authors forget the passwords to their source documents. ElcomSoft has revised version 2.0 of its Advanced PDF Password Recovery (Professional) software to allow the seemingly impossible recovery of password for these documents. This software package handles both owner and user passwords used to protect PDF documents. The latest addition to ElcomSoft's family of password recovery software allows business managers to recover lost and destroyed passwords. It also helps in dealing with employees who, intentionally or unintentionally, are unable to edit and print password-protected PDF files.� Finally, APDFPR is also a state-of-the-art computer forensics tool that could be used by law enforcement, military and intelligence agencies to open secure documents. PDF documents protected with access restrictions password can be decrypted instantly, allowing full access to the document. For documents with "user" passwords (that could not be opened without that password), the program blazes through brute-force password attempts at a rate of a few hundred thousand passwords per seconds! The code has been effectively optimized for most CPUs such as Celeron, Pentium II, Pentium III, Duron and Athlon. More sophisticated methods are available, such as applying all words from a dictionary. ElcomSoft's website has dictionaries for more than 20 different languages, from English to African. Even if the above methods fail because the password is too long and complex, the program runs a special key search attack which gives a 100% success rate on files with 40-bit encryption (used in all Adobe Acrobat 4 and most Acrobat 5 files). This may take some time to run, but is well worth the time if your document is very important. If you have a dual processor system, APDFPR takes advantage of it to double the performance of this software. On modern systems with Athlon MP CPUs, the document can be recovered in maximum 4 days, regardless of the password length and complexity! System Requirements Win 95/98/Me/NT/2000/XP, 600K free on Hard Disk. Price Standard Edition costs $30, Professional Edition costs $60; free trial version is available.� About the Company Established in 1990, ElcomSoft Co.Ltd. provides state-of-the-art computer forensics tool development, computer forensics training and computer evidence consulting; not only to individuals, but also to law enforcement, military and intelligence agencies worldwide since 1997. ElcomSoft tools are also used by most of Fortune 500 corporations, many branches of the military departments all over the world, foreign governments and all major accounting firms. ElcomSoft Co.Ltd. and its officers are members of the Association of Shareware Professionals (ASP), the Russian Cryptology Association, and the Microsoft Business Connection program. More Information Please visit the program's homepage at http://pdf.elcomsoft.com.
Happy Linuxing!
Mike ("Iron") Orr
Editor, Linux Gazette, [email protected]