Re: [Full-Disclosure] weird worm ?

From: Kare Presttun (
Date: 12/30/03

  • Next message: "[Full-Disclosure] Disabling Cached Logon Credentials"
    To: Joris De Donder <>
    Date: Tue, 30 Dec 2003 16:22:34 +0100

    At 30.12.2003 15:25 +0100, Joris De Donder wrote:
    >> highest bailiff nomad father advise heir
    >> oxygen honorarium allegro reveal wronskian indentation coachmen
    >> deficient tribute arcturus mitigate bypath
    >> Anyone got a clue what this is? There are no attachments to these
    mails, but
    >> they keep coming in at a rate of about 1-2 per day, from different sources,
    >> nobody I know really.
    >Could be an attempt to 'poison' Bayesian filters. If people identify
    >these messages as spam and use them to train their Bayesian filters,
    >more and more 'good'/'normal' words will get a high spamvalue
    >resulting in a higer rate of false positives.
    >Or maybe it was an attempt to bypass Bayesian filters and the spammer
    >just forgot to include an url.

    I have looked at a few of them and they include an image (at least
    the ones I have got) with the actual spam message and a URL
    behind the image itself to take you to a web site. I have got some
    for cable TV bypass. I seems obvious that they attempt to poison
    Bayesian filters. Some of them also used my e-mail as sender
    address clearly to get around spam filters. I'm running SpamPal
    and use it for outbound mail to train the whitelist to accept people
    I'm sending mail to. I have also imported some of these messages
    as spam into the Bayesian filter to train it. I also put my address
    into the Exclusions for automatic whitelisting to avoid the mails
    with my address in the sender field to slip through. Now all the shit
    get junked.

    Med vennlig hilsen | Best regards,
    Kåre Presttun
    Tel.: +47 4100 4908

    Full-Disclosure - We believe in it.

  • Next message: "[Full-Disclosure] Disabling Cached Logon Credentials"