LINUX GAZETTE

"Linux Gazette...making Linux just a little more fun!"


The Back Page


Wacko Topic of the Month


SpamAssassin

I installed SpamAssassin (SA) and instantly developed a new pastime. Even funnier than reading spam is reading what SA has to say about it. SA is a filter daemon (or standalone program) that reads an e-mail message, analyzes it for spam, and adds a couple of headers giving its verdict. If it thinks the message is spam, it also puts a "***SPAM***" prefix in the Subject: and adds some structured comments to the body saying what's suspicious about the message. Those comments in the body are where the funny parts are. SA is so amusing that I've given up my two other recent pastimes: collecting Klez worms and Nigeria scams. I just /dev/null the Klez worms now.

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: 
SPAM: Content analysis details:   (16.2 hits, 5 required)
SPAM: Hit! (2.2 points)  BODY: As seen on national TV!
SPAM: Hit! (1.5 points)  BODY: Asks you to click below
SPAM: Hit! (0.2 points)  BODY: No such thing as a free lunch (1)
SPAM: Hit! (-0.1 points) BODY: Claims you can be removed from the list
SPAM: Hit! (2.1 points)  BODY: Talks about opting in
SPAM: Hit! (3.0 points)  URI: Uses a dotted-decimal IP address in URL
SPAM: Hit! (0.1 points)  URI: Uses non-standard port number for HTTP
SPAM: Hit! (3.5 points)  URI: URL of page called "remove"
SPAM: Hit! (-0.8 points) BODY: JavaScript code which can easily be executed
SPAM: Hit! (-0.5 points) BODY: HTML mail with non-white background
SPAM: Hit! (1.8 points)  BODY: Tells you to click on a URL
SPAM: Hit! (3.2 points)  HTML-only mail, with no text version
SPAM: 
SPAM: -------------------- End of SpamAssassin results ---------------------

SPAM: Hit! (0.6 points)  Invalid Date: header (wierd month)
SPAM: Hit! (0.5 points)  BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: Hit! (3.0 points)  URI: Uses a dotted-decimal IP address in URL
SPAM: Hit! (-0.8 points) BODY: Image tag with an ID code to identify you
SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long
SPAM: Hit! (1.8 points)  BODY: Tells you to click on a URL
SPAM: Hit! (3.2 points)  HTML-only mail, with no text version
SPAM: Hit! (2.0 points)  Received via a relay in relays.osirusoft.com
SPAM:                    [RBL check: found 148.167.27.64.relays.osirusoft.com., type: 127.0.0.4]
SPAM: Hit! (3.0 points)  DNSBL: sender is Confirmed Spam Source

SPAM: Hit! (1.0 point)   From: ends in numbers
SPAM: Hit! (0.5 points)  Subject has an exclamation mark
SPAM: Hit! (0.4 points)  Subject has lots of exclamation marks
SPAM: Hit! (-0.5 points) BODY: Contains 'Dear Somebody'
SPAM: Hit! (2.7 points)  BODY: Nigerian scam key phrase ($NN,NNN,NNN.NN)
SPAM: Hit! (2.4 points)  BODY: Nigerian scam key phrase
SPAM: Hit! (4.3 points)  BODY: Nigerian Bank or Petroleum scam, cf http://www.snopes2.com/inboxer/scams/nigeria.htm
SPAM: Hit! (2.2 points)  BODY: Risk free.  Suuurreeee....
SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long

SPAM: Hit! (4.3 points)  Reply-To: is empty
SPAM: Hit! (2.4 points)  'Message-Id' was added by a relay (2)
SPAM: Hit! (2.2 points)  From: has a malformed address
SPAM: Hit! (1.5 points)  Message-Id is not valid, according to RFC-2822
SPAM: Hit! (1.3 points)  Message-Id has no @ sign
SPAM: Hit! (0.5 points)  Possibly-forged 'Received:' header found
SPAM: Hit! (2.1 points)  BODY: FONT Size +2 and up or 3 and up
SPAM: Hit! (3.2 points)  HTML-only mail, with no text version

SPAM: Hit! (1.0 point)   From: ends in numbers
SPAM: Hit! (0.5 points)  Subject has an exclamation mark
SPAM: Hit! (0.4 points)  Subject has lots of exclamation marks
SPAM: Hit! (0.9 points)  URI: Filename is just a '\#'; probably a JS trick
SPAM: Hit! (-0.8 points) BODY: JavaScript code which can easily be executed
SPAM: Hit! (0.0 points)  BODY: Includes a URL link to send an email
SPAM: Hit! (3.2 points)  HTML-only mail, with no text version
SPAM: Hit! (1.9 points)  Subject is all capitals

SPAM: Content analysis details:   (6.2 hits, 5 required)
SPAM: Hit! (1.1 points)  BODY: Contains a large block of hexadecimal code
SPAM: Hit! (-0.6 points) BODY: Frame wanted to load outside URL
SPAM: Hit! (1.8 points)  No MX records for the From: domain
SPAM: Hit! (1.9 points)  Subject is all capitals
SPAM: Hit! (2.0 points)  Subject contains a unique ID number

SPAM: Content analysis details:   (10.1 hits, 5 required)
SPAM: Hit! (1.2 points)  Valid-looking To "undisclosed-recipients"
SPAM: Hit! (0.5 points)  Subject has an exclamation mark
SPAM: Hit! (0.4 points)  Subject has lots of exclamation marks
SPAM: Hit! (0.2 points)  BODY: Contains at least 3 dollar signs in a row
SPAM: Hit! (0.2 points)  BODY: No such thing as a free lunch (1)
SPAM: Hit! (2.3 points)  BODY: List removal information
SPAM: Hit! (1.9 points)  BODY: List removal information
SPAM: Hit! (1.0 point)   BODY: No such thing as a free lunch (3)
SPAM: Hit! (0.5 points)  Forged hotmail.com 'Received:' header found
SPAM: Hit! (1.9 points)  Subject is all capitals

SPAM: Content analysis details:   (12.6 hits, 5 required)
SPAM: Hit! (2.0 points)  From: contains numbers mixed in with letters
SPAM: Hit! (1.0 point)   From: ends in numbers
SPAM: Hit! (0.6 points)  From: does not include a real name
SPAM: Hit! (2.7 points)  BODY: Claims you can be removed from the list
SPAM: Hit! (1.9 points)  BODY: List removal information
SPAM: Hit! (0.1 points)  BODY: List removal information
SPAM: Hit! (1.3 points)  URI: Includes a link to a likely spammer email address
SPAM: Hit! (-0.4 points) BODY: Contains a line >=199 characters long
SPAM: Hit! (0.5 points)  Forged hotmail.com 'Received:' header found
SPAM: Hit! (1.0 point)   Received via a relay in orbs.dorkslayers.com
SPAM:                    [RBL check: found 17.98.187.210.orbs.dorkslayers.com.]
SPAM: Hit! (1.9 points)  Subject is all capitals
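
The reports above show SA's scoring from the outside. Here is a small Python re-creation of the mechanism, added as an example for this page; it is not SpamAssassin's own code (the real thing is Perl, with hundreds of rules and corpus-tuned weights). It keeps a handful of the rules quoted above with the scores SA 2.x printed for them, sums the hits, compares the total against the 5-point threshold, and marks the message up the way SA did: an X-Spam-Status header always, and for spam an X-Spam-Flag plus the ***SPAM*** Subject prefix. The DNSBL check builds the reversed-octet query that produced the "148.167.27.64.relays.osirusoft.com" line above, but answers it from a hypothetical in-memory table instead of live DNS. Both sample messages are constructed for the example, and the rule checks are simplified approximations rather than SA's actual patterns.

```python
import re
from email import message_from_string
from email.message import Message

REQUIRED = 5.0                 # the "5 required" threshold in the reports above
ZONE = "relays.osirusoft.com"
# Hypothetical DNSBL contents, constructed for this example in place of a live DNS
# query.  A DNSBL is asked for the relay's octets reversed plus the zone; an A record
# of 127.0.0.x means "listed" (x encodes why).  This entry is the lookup quoted above.
FAKE_DNSBL = {"148.167.27.64." + ZONE: "127.0.0.4"}
URL_RE = re.compile(r"""https?://([^/\s:"'>]+)(?::(\d+))?(/[^\s"'>]*)?""", re.I)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse a dotted-decimal IPv4 address into a DNSBL query name."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def body_text(msg: Message) -> str:
    """Decode every text/* part (HTML included) into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def rules(msg: Message):
    """Yield (score, description) per firing rule.  Scores are the ones SA 2.x
    printed in the reports above; the checks are simplified re-creations."""
    subj, frm, body = msg.get("Subject", ""), msg.get("From", ""), body_text(msg)
    urls = URL_RE.findall(body)                  # (host, port, path) tuples
    types = {part.get_content_type() for part in msg.walk()}
    if subj.isupper():
        yield 1.9, "Subject is all capitals"
    if re.search(r"\d@", frm):
        yield 1.0, "From: ends in numbers"
    if msg.get("Reply-To") == "":                # present but empty; None = absent
        yield 4.3, "Reply-To: is empty"
    if msg.get("Message-Id") and "@" not in msg["Message-Id"]:
        yield 1.3, "Message-Id has no @ sign"
    if any(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) for host, _, _ in urls):
        yield 3.0, "URI: Uses a dotted-decimal IP address in URL"
    if any(re.search(r"/remove(\.\w+)?$", path, re.I) for _, _, path in urls):
        yield 3.5, 'URI: URL of page called "remove"'
    if "text/html" in types and "text/plain" not in types:
        yield 3.2, "HTML-only mail, with no text version"
    bg = re.search(r"""bgcolor\s*=\s*["']?([#\w]+)""", body, re.I)
    if bg and bg.group(1).lower() not in ("#ffffff", "white"):
        yield -0.5, "BODY: HTML mail with non-white background"   # SA really scored it negative
    stripped = (re.sub(r"<[^>]*>", "", line).strip() for line in body.splitlines())
    if any(len(t) >= 10 and t.isupper() for t in stripped):
        yield 0.5, "BODY: A WHOLE LINE OF YELLING DETECTED"
    for hdr in msg.get_all("Received", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr):
            name = dnsbl_query_name(ip, ZONE)
            if name in FAKE_DNSBL:
                yield 2.0, f"Received via a relay in {ZONE} [RBL check: found {name}., type: {FAKE_DNSBL[name]}]"


def tag(raw: str):
    """Score a raw message and mark it up the way SA did: X-Spam-Status always, plus
    X-Spam-Flag and a ***SPAM*** Subject prefix once the total reaches REQUIRED."""
    msg = message_from_string(raw)
    hits = list(rules(msg))
    total = round(sum((score for score, _ in hits), 0.0), 1)
    spam = total >= REQUIRED
    msg["X-Spam-Status"] = f"{'Yes' if spam else 'No'}, hits={total} required={REQUIRED}"
    if spam:
        msg["X-Spam-Flag"] = "YES"
        subj = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "***SPAM*** " + subj
    return msg, hits, total


# Constructed sample messages, not real mail: one written to trip the rules above,
# one ordinary note that should score nothing.
SAMPLE_SPAM = """\
Received: from [64.27.167.148] by mail.example.org; Mon, 3 Jun 2002 10:01:00 -0000
From: winner12345@example.com
To: you@example.org
Reply-To:
Subject: MAKE MONEY FAST!!!
Message-Id: <1054101000.9876>
Content-Type: text/html

<html><body bgcolor="#ffff00">
<a href="http://64.27.167.148:8080/remove">CLICK HERE TO BE REMOVED</a>
</body></html>
"""
SAMPLE_HAM = """\
From: Alice Example <alice@example.org>
Subject: Meeting notes
Content-Type: text/plain

Hi Bob, the notes from today's meeting are below. Thanks!
"""
```

tag(SAMPLE_SPAM) totals 20.2 and hands the message back with its Subject rewritten to "***SPAM*** MAKE MONEY FAST!!!"; tag(SAMPLE_HAM) totals 0.0 and leaves the Subject alone. Two things worth noticing in the real reports above that this toy keeps: the verdict is purely additive, so no single rule decides anything and a message is tagged only when enough weak signals pile up; and some weights are negative (the non-white background, the JavaScript, the long line), because SA's scores were tuned against corpora of known spam and known good mail, and a feature that turned up more often in legitimate mail than in spam came out subtracting points, however spammy it looks to a human.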


World of Spam


Well well well well well, I do declare. What's the most interesting piece of spam this month? Tsk, tsk. (For background info about this company, see the News Bytes column in LG #71-76.)

From: "ElcomSoft, Inc" 
To: Webmaster 
Date: Thu, 16 May 2002 20:24:52 +0800
Subject: Request Review for Advanced PDF Password Recovery Pro 2.0

Dear Webmaster

Our company, ElcomSoft Co. Ltd., would like to announce the release of Advanced 
PDF Password Recovery Pro 2.0 for Windows 95/98/ME/NT/2000/XP. We hope you will 
consider reviewing Advanced PDF Password Recovery Pro (APDFPR) for Linux Gazette. 
Should you need a full version for review, please contact me at [email protected]. 
Please find the press release of Advanced PDF Password Recovery Pro below for 
your information.

Warmest Regards,

Dmitry Harchenko 
Marketing Manager 
ElcomSoft Co. Ltd. 

--------------------------------------------------------------------------------
 
FOR IMMEDIATE RELEASE - May 17, 2002 
   
ElcomSoft Releases Advanced PDF Password Recovery Pro 2.0 for Windows 9x/ME/NT/2000/XP 
Gain Control of PDF Files 

Moscow, Russia - ElcomSoft Co. Ltd. has released Advanced PDF Password Recovery 
(Professional) 2.0 for Windows ME/98/95/NT4/2000/XP. This program makes it easy 
to remove both password encryption and usage restrictions from Adobe Acrobat 
PDF files. APDFPR now comes with multiprocessor support, guaranteed recovery 
and state-of-the-art optimization for modern processors.

With the increasing popularity of the PDF file format comes an increasing number 
of problems, which occur when authors forget the passwords to their source documents. 
ElcomSoft has revised version 2.0 of its Advanced PDF Password Recovery (Professional) 
software to allow the seemingly impossible recovery of passwords for these documents. 
This software package handles both owner and user passwords used to protect PDF 
documents. The latest addition to ElcomSoft's family of password recovery software 
allows business managers to recover lost and destroyed passwords. It also helps 
in dealing with employees who, intentionally or unintentionally, are unable to 
edit and print password-protected PDF files.

Finally, APDFPR is also a state-of-the-art computer forensics tool that could 
be used by law enforcement, military and intelligence agencies to open secure 
documents. PDF documents protected with an access-restrictions password can be decrypted 
instantly, allowing full access to the document. For documents with "user" passwords 
(that could not be opened without that password), the program blazes through 
brute-force password attempts at a rate of a few hundred thousand passwords per 
second! The code has been effectively optimized for most CPUs such as Celeron, 
Pentium II, Pentium III, Duron and Athlon. More sophisticated methods are available, 
such as applying all words from a dictionary. ElcomSoft's website has dictionaries 
for more than 20 different languages, from English to African.

Even if the above methods fail because the password is too long and complex, 
the program runs a special key search attack which gives a 100% success rate 
on files with 40-bit encryption (used in all Adobe Acrobat 4 and most Acrobat 
5 files). This may take some time to run, but is well worth the time if your 
document is very important. If you have a dual processor system, APDFPR takes 
advantage of it to double the performance of this software. On modern systems 
with Athlon MP CPUs, the document can be recovered in a maximum of 4 days, regardless 
of the password length and complexity!


System Requirements 
Win 95/98/Me/NT/2000/XP, 600K free on Hard Disk. 

Price 
Standard Edition costs $30, Professional Edition costs $60; free trial version 
is available.

About the Company 
Established in 1990, ElcomSoft Co.Ltd. provides state-of-the-art computer forensics 
tool development, computer forensics training and computer evidence consulting; 
not only to individuals, but also to law enforcement, military and intelligence 
agencies worldwide since 1997. ElcomSoft tools are also used by most of the Fortune 
500 corporations, many branches of the military departments all over the world, 
foreign governments and all major accounting firms.

ElcomSoft Co.Ltd. and its officers are members of the Association of Shareware 
Professionals (ASP), the Russian Cryptology Association, and the Microsoft Business 
Connection program.


More Information 
Please visit the program's homepage at 
http://pdf.elcomsoft.com.

Happy Linuxing!

Mike ("Iron") Orr
Editor, Linux Gazette, [email protected]


Copyright © 2002, the Editors of Linux Gazette.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 80 of Linux Gazette, July 2002