weird SPAM problem

[kjohnson]

Some of my users have been getting 15 - 30 messages a day recently. The problem is that these don't appear as ads like most spam, in fact I am not able to see where these messages are selling or refering to anything.

Can anything be done to cull these out better? If anything the common factor is that most of them appear to be from outside the US.

Here is an example:

"
Subject:
headgear
Date:
Fri, 21 Jul 2006 10:30:36 +0300
From:
Nancy Stephens <hluzrnfuozr@zspruhonice.cz>
To:
<xlicense@ourcompany.com>



restrict maternal: sill of unchanged a park. was decompose, the cold
morgue crossword, as leave carelessness secure hemorrhage, the
resourcefulness, the lesson or dainty, to an respectively sweetie
single-digit?
suppress, and as assumption as Antarctica black magic rear-end but peg
harlot ally, lusty, chivalrous, or quilt!!! absorb of tablespoonful a
conspirator was great-grandfather gobble haphazard greyhound offset
smoking session seduce famine,. the of annex wrong balance of power
intricately as jointly to virtue. that "

The messages don't seem to follow any pattern and have no attachments or graphics like most spam/phish/worms. Any ideas or suggestions?

[KevinH]

What do your Spam Assassin headers look like?

[kjohnson]

Here is a sample with header from another message:
Oh and by the way, I should ammend my prior statement, these apparently are coming in with a single picture attachment.
Our Kill is set at 35 and Tag at 26. This one wasn't rated high enough to add SPAM to the subject line. I found this one in the users Junk folder. But others are not going to Junk.

Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.ourcompany.com (Postfix) with ESMTP id E45E598C176;
Tue, 18 Jul 2006 15:41:58 -0500 (CDT)
Received: from mail.ourcompany.com ([127.0.0.1])
by localhost (mail.ourcompany.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 22544-08; Tue, 18 Jul 2006 15:41:58 -0500 (CDT)
Received: from mk089144252065.a1.net (mk089144212071.a1.net [89.144.212.71])
by mail.ourcompany.com (Postfix) with SMTP id 32C8898C165
for <walicensing@ourcompany.com>; Tue, 18 Jul 2006 15:41:55 -0500 (CDT)
Received: from oyzo.znosjt ([89.144.235.234])
by mk089144252065.a1.net (8.13.2/8.13.2) with SMTP id k6IKkQje039262;
Tue, 18 Jul 2006 22:46:26 +0200
Message-ID: <002201c6aaab$1e60af54$eaeb9059@oyzo.znosjt>
From: "Patty Whitehead" <wljmot@xeda.com>
To: <walicensing@ourcompany.com>
Subject: grieve
Date: Tue, 18 Jul 2006 22:38:57 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001E_01C6AABB.E1E97F04"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-DSPAM-Result: Spam
X-DSPAM-Processed: Tue Jul 18 15:41:58 2006
X-DSPAM-Confidence: 0.5384
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 44bd4796317881813820934
X-DSPAM-Factors: 15,
X-Virus-Scanned: amavisd-new at
X-Spam-Status: No, score=4.966 tagged_above=-10 required=5.2 autolearn=no
tests=[BAYES_95=3, DSPAM_SPAM=0.5, EXTRA_MPART_TYPE=1.091, HTML_30_40=0.374,
HTML_MESSAGE=0.001]
X-Spam-Score: 4.966
X-Spam-Level: ****

This is a multi-part message in MIME format.

------=_NextPart_000_001E_01C6AABB.E1E97F04
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_001F_01C6AABB.E1E97F18"


------=_NextPart_001_001F_01C6AABB.E1E97F18
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable



sunshine, overboard honey etymology regimental omission granddaughter =
shrill was skilled
cross street persuade, self-righteous duo a unexpectedly casualty the =
unused shot put supplement penalty box, chart extensively, overseen =
cranium incubate rosary,. unequally embattled are adornment an electron =
and crumb champagne sternly water hole erode a ticklish modeling deter =
eyewitness as an
hitchhiker finances ongoing the an reconstruct extreme was

[kjohnson]

Here is another one, this had no attachment. But the text was in Bold, Italic, or plain. More spamlike.

X-Zimbra-Tags:
X-Zimbra-Flags: au
X-Zimbra-Received: 1153717859000
X-Zimbra-Modified: 1153717859000
X-Zimbra-Conv: -17945

Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.ourcompany.com (Postfix) with ESMTP id EE19F9904BB;
Mon, 24 Jul 2006 00:10:58 -0500 (CDT)

Received: from mail.ourcompany.com ([127.0.0.1])
by localhost (mail.ourcompany.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 06722-04; Mon, 24 Jul 2006 00:10:58 -0500 (CDT)

Received: from hlpu (unknown [220.118.137.74])
by mail.ourcompany.com (Postfix) with SMTP id 589BD9904B9
for <sclicensing@ourcompany.com>; Mon, 24 Jul 2006 00:10:57
-0500 (CDT)

Received: from [220.118.140.196] (helo=hccj)
by hlpu with smtp (Exim 4.43)
id 1G4sjx-0008JN-Cv; Mon, 24 Jul 2006 14:12:25 +0900

Message-ID: <001701c6aedf$8aad21dc$c48c76dc@hccj>
From: "Tessa Kemp" <arrktbaq@ste-genevieve.com>
To: <sclicensing@ourcompany.com>
Subject: induct
Date: Mon, 24 Jul 2006 14:05:09 +0900
MIME-Version: 1.0

Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0013_01C6AF2A.FA94C9C4"

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-Virus-Scanned: amavisd-new at

[kirme3]

That first spam you showed looks like a Bayesian Poisoning email. Essentially, a person marks that as Spam, and if you have Bayesian Filters in place, it weakens the spam conficence, because those are all valid words. Some Bayesian filters are able to handle them, some aren't and you end up having to retrain your spam service because valid emails start to get marked as spam.

[kjohnson]

So as long as my users just delete the messages then that attempt will fail?

That's fine because that's what's happening. What method for retraining spam filters do we have with Zimbra?

[KevinH]

Two things.. First your spam settings could be more aggressive. If you'd have been using our settings those messages would have been tagged/killed.

Second if user's use the Junk buttons in the webmail client that will automatically train Zimbra.