SA Bugzilla – Bug 1788
USER_AGENT_GNUS_XM counterproductive
Last modified: 2003-05-09 11:51:38 UTC
I have recently come across spam in my inbox sent by <listmanager@tour10.eservicestelecom.com> and <listmanager@tour8.fastserverbest.com>, both identical in content, and sent to different addresses. The interesting thing is that they have obviously lifted my address from newsgroups, as these are both addresses I've used on newsgroups, and more to the point due to the X-Mailer: strings

X-Mailer: Gnus/5.090003 (Oort Gnus v0.03) XEmacs/21.4 (Academic Rigor)
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "Capitol Reef"

The first X-Mailer was ignored by SpamAssassin, but the second triggered USER_AGENT_GNUS_XM.

Given that these are both HTML-only emails, I find it unlikely that they have been sent by Gnus; while it's possible to do, it's very difficult to program Gnus to do it, to the point where you'd need to be a good LISP hacker to even think of attempting it. Given the messages were also identical in content, I think it's a fake X-Mailer string. Also, the Message-Ids do not correspond to Gnus Message-Ids, which tend to have the string ".fsf@" in them. The fact that I also know that I have posted to Usenet with these newsreaders corresponding to the addresses they used supports this.

I don't know if this has been fixed at all in later versions of spamassassin. I don't control the installation of spamassassin for the mailserver, and apparently we won't be upgrading for a while. I am also not in a position right now to be able to run tests locally on my machine with the latest version, but I will do so as soon as I can.

I suggest that when running the Gnus checks you also check to see if the message is HTML-only, and adjust the weighting accordingly, as it's very likely to be a fake header. Ditto for other command-line unix mailers like mutt and pine.

Full headers for both emails follow; if you want the full emails, please let me know.
From listmanager@tour8.fastserverbest.com Wed Apr 16 11:18:29 2003
Return-path: <listmanager@tour8.fastserverbest.com>
Envelope-to: spam@moof.org.uk
Delivery-date: Wed, 16 Apr 2003 11:18:29 +0100
Received: from [64.89.19.242] (helo=tour8.fastserverbest.com)
    by pinky.notnet.co.uk with smtp id 195jzo-0006Nt-00
    for spam@moof.org.uk; Wed, 16 Apr 2003 11:18:28 +0100
To: spam@moof.org.uk
Date: Wed, 16 Apr 2003 04:15:25 -0800
Message-ID: <1050491725.8519@tour8.fastserverbest.com>
X-Mailer: Gnus/5.090003 (Oort Gnus v0.03) XEmacs/21.4 (Academic Rigor)
Subject: The South Beach Cruise Scene
Content-Type: text/html
From: "Steve D Twink" <listmanager@tour8.fastserverbest.com>
Mime-Version: 1.0
X-Notnet-Virus-Scan: 0: No viruses found, Definitions updated Wed Apr 16 11:00:06 BST 2003
X-Notnet-Spam-Flag: NO
X-Notnet-Spam-Status: No, hits=1.5 required=5.0 tests=BIG_FONT,CTYPE_JUST_HTML,SPAM_PHRASE_00_01
X-Notnet-Spam-Checker: Spamassassin v.2.20
X-TMDA-Extension:

----

From listmanager@tour10.eservicestelecom.com Wed Apr 16 11:32:42 2003
Return-path: <listmanager@tour10.eservicestelecom.com>
Envelope-to: me@moof.org.uk
Delivery-date: Wed, 16 Apr 2003 11:32:42 +0100
Received: from [64.89.23.92] (helo=tour10.eservicestelecom.com)
    by pinky.notnet.co.uk with smtp id 195kDZ-0006xs-00
    for me@moof.org.uk; Wed, 16 Apr 2003 11:32:41 +0100
To: me@moof.org.uk
Date: Wed, 16 Apr 2003 04:29:38 -0800
Message-ID: <1050492578.7390@tour10.eservicestelecom.com>
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "Capitol Reef"
Subject: The South Beach Cruise Scene
Content-Type: text/html
From: "Steve D Twink" <listmanager@tour10.eservicestelecom.com>
Mime-Version: 1.0
X-Notnet-Virus-Scan: 0: No viruses found, Definitions updated Wed Apr 16 11:30:09 BST 2003
X-Notnet-Spam-Flag: NO
X-Notnet-Spam-Status: No, hits=0.5 required=5.0 tests=BIG_FONT,CTYPE_JUST_HTML,SPAM_PHRASE_00_01,USER_AGENT_GNUS_XM
X-Notnet-Spam-Checker: Spamassassin v.2.20
X-TMDA-Extension:
Also, at least with newer versions and definitely with Oort, Gnus does not use the X-Mailer header - it uses User-Agent. So a mail using X-Mailer and a recent Gnus is a forgery.
This is gone in 2.60.
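The consistency checks proposed in the report and the first comment (HTML-only body, Message-ID without ".fsf@", Oort version announced in X-Mailer rather than User-Agent) can be combined into one header heuristic. The sketch below is an added example, not SpamAssassin code or part of the original thread; the function names, signal names and the threshold of two are assumptions, and the "genuine" sample is constructed.

```python
from email import message_from_string

# Headers of the two spam messages quoted in the report, trimmed to the
# fields the check reads, plus one constructed sample for contrast.
SAMPLES = {
    "tour8": """\
Message-ID: <1050491725.8519@tour8.fastserverbest.com>
X-Mailer: Gnus/5.090003 (Oort Gnus v0.03) XEmacs/21.4 (Academic Rigor)
Content-Type: text/html

""",
    "tour10": """\
Message-ID: <1050492578.7390@tour10.eservicestelecom.com>
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "Capitol Reef"
Content-Type: text/html

""",
    # Constructed (not from the report): plain text, User-Agent, ".fsf@" id.
    "genuine": """\
Message-ID: <87k7dxyz12.fsf@example.org>
User-Agent: Gnus/5.090003 (Oort Gnus v0.03) XEmacs/21.4 (Academic Rigor)
Content-Type: text/plain; charset=us-ascii

""",
}

def forged_gnus_signals(raw_headers):
    """List the inconsistencies in a message that claims to come from Gnus."""
    msg = message_from_string(raw_headers)
    xm = msg.get("X-Mailer", "")
    ua = msg.get("User-Agent", "")
    if "Gnus" not in xm and "Gnus" not in ua:
        return []  # no Gnus claim, nothing to cross-check
    signals = []
    if msg.get_content_type() == "text/html":       # HTML-only body
        signals.append("html_only")
    if ".fsf@" not in msg.get("Message-ID", ""):    # id shape noted in the report
        signals.append("msgid_not_gnus")
    if "Oort" in xm:                                # Oort uses User-Agent instead
        signals.append("oort_in_x_mailer")
    return signals

def looks_forged(raw_headers, threshold=2):
    # threshold is a hypothetical cut-off chosen for this example
    return len(forged_gnus_signals(raw_headers)) >= threshold
```
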