easyweb.co.uk

Photography and fine web writing since the last century

Sneaky Spammers

Here are the headers that the spam had when it got to me. I've replaced the real address they tried to deliver to with my honeypot address (yumyum@easyweb.co.uk), so any spammers harvesting this page will email the mailbox that trains DSPAM. I've also removed the irrelevant headers my mailserver added.

Received: from wbar1.sjo1-4-4-016-167.sjo1.dsl-verizon.net (4.4.16.167)
  by mail.easyweb.co.uk with SMTP; 12 Aug 2004 01:49:06 +0100
Received: from 167.129.16.120 by web691.mail.yahoo.com; Thu, 12 Aug 2004 03:42:10 +0200
X-eGroups-Return: sentto-3042026-588540-0738984713-yumyum@easyweb.co.uk@returns.groups.yahoo.com
Received: from [112.233.104.158] by n52.grp.scd.yahoo.com with NNFMP; Wed, 11 Aug 2004 22:45:10 -0300
X-Sender: MAILER-DAEMON@msn.com
X-Apparently-To: whitehead@yahoogroups.com
Received: (qmail 14413 invoked from network); %CURRENT_DATE_TIME
Message-ID: 
In-Reply-To: <64986638.178B3965@msn.com>
X-Yahoo-Profile: buffet
Mailing-List: list dulcet@yahoogroups.com; contact withheld-owner@yahoogroups.com
Delivered-To: mailing list corrode@yahoogroups.com
Precedence: bulk
List-Unsubscribe: 
Date: %CURRENT_DATE_TIME
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
From: "Mail Administrator" 
To: yumyum@easyweb.co.uk
Subject: Message subject
X-Spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on 
	msn.com
X-Spam-Level: 
X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no 
	version=2.60-spambr_20030926a
X-DSPAM-Result: Spam
X-DSPAM-Confidence: 0.5059
X-DSPAM-Probability: 1.0000

Analysis

Let's step through the salient lines and point out what they've done (and the mistakes they've made on the way).

Received: from wbar1.sjo1-4-4-016-167.sjo1.dsl-verizon.net (4.4.16.167)
  by mail.easyweb.co.uk with SMTP; 12 Aug 2004 01:49:06 +0100

This line is genuine. It's added by my mailserver (mail.easyweb.co.uk), and reports the machine that passed it on to me. However, 4.4.16.167 is an open proxy - a misconfigured mailserver used by spammers to try to send mail without getting caught. It's likely, therefore, that this is just about the only genuine header here.

Received: from 167.129.16.120 by web691.mail.yahoo.com; Thu, 12 Aug 2004 03:42:10 +0200

Now this line should tie up in a chain with the one above - it should be something like Received: from 167.129.16.120 by wbar1.sjo1-4-4-016-167.sjo1.dsl-verizon.net. So I call shenanigans, particularly as it's trying to get past filters by pretending to be from a yahoo eGroup - more on that coming next.

X-eGroups-Return: sentto-3042026-588540-0738984713-yumyum@easyweb.co.uk@returns.groups.yahoo.com
Received: from [112.233.104.158] by n52.grp.scd.yahoo.com with NNFMP; Wed, 11 Aug 2004 22:45:10 -0300

The spammer's tool is trying to make the email appear to be a genuine eGroups post, to reduce spammish heuristics. However, I don't subscribe to any eGroups, so my purely statistical filter won't treat this as a ham indicator. The tool has also put it in the wrong place, as we have another Received: header after it (X-headers don't come in the Received: chain), and that one still doesn't tie up in the chain.

X-Sender: MAILER-DAEMON@msn.com

Another X-header in the wrong place, trying to get whitelisted as the controlling system of a mailing list at a supposedly trustworthy host (msn.com). As I don't get much ham from msn and none at all from MAILER-DAEMON@msn.com, it doesn't fool DSPAM.

X-Apparently-To: whitehead@yahoogroups.com

More effort to be whitelisted as being from a yahoo eGroup.

Received: (qmail 14413 invoked from network); %CURRENT_DATE_TIME

Back to the Received: non-chain, trying to be the originating element. However, the spam tool is misconfigured - it was supposed to insert a date here, but didn't. Oops.

Mailing-List: list dulcet@yahoogroups.com; contact withheld-owner@yahoogroups.com
Delivered-To: mailing list corrode@yahoogroups.com
Precedence: bulk
List-Unsubscribe: 

And back to the Yahoo forgery...

Message-ID: 
In-Reply-To: <64986638.178B3965@msn.com>
From: "Mail Administrator" 

...or is it trying to be a genuine msn email? The spammer tool doesn't know which is more likely to be whitelisted, so tries both.

Date: %CURRENT_DATE_TIME
Subject: Message subject

There's that misconfigured date variable again, and it looks like they forgot to put in the subject too.

X-Spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on 
	msn.com
X-Spam-Level: 
X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no 
	version=2.60-spambr_20030926a

Now this one is sneaky. This is the spam tool adding fake SpamAssassin headers, to appear as if it's already gone through SA (at msn, note), and been marked as non-spam. SpamAssassin works by scoring email (the 'hits' value) - the higher the score, the more likely it is to be spam - and it's then up to you to filter appropriately. When I moved off SA, I had my trigger level set to about +3. Only the most innocent emails from people I normally email would get a -5.9 score.

If I were running SA still, even if my installation scored the email correctly, the filter I was running might still get confused by this fake score.

Result

X-DSPAM-Result: Spam
X-DSPAM-Confidence: 0.5059
X-DSPAM-Probability: 1.0000

None of the above fooled DSPAM, though. It's marked as having a spam probability of 1 - 100% likely to be spam - with a high enough confidence level. Next time a spammer tries these tricks, it'll have a higher confidence level, as the filter learns from every message it classifies, with manual corrections where necessary.
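To show the header checks walked through above (the broken Received: chain, X-headers inserted inside the chain, the unexpanded %CURRENT_DATE_TIME variable, and the pre-existing SpamAssassin verdict) as code, here is an added example that is not part of the original post. The sample header block is constructed from the forged headers quoted above, trimmed to the lines the checks look at; the trust anchor our_host is assumed to be the receiving server, mail.easyweb.co.uk.

```python
import re
# Constructed sample: the forged headers quoted above, trimmed to those the checks use.
SAMPLE = """\
Received: from wbar1.sjo1-4-4-016-167.sjo1.dsl-verizon.net (4.4.16.167)
  by mail.easyweb.co.uk with SMTP; 12 Aug 2004 01:49:06 +0100
Received: from 167.129.16.120 by web691.mail.yahoo.com; Thu, 12 Aug 2004 03:42:10 +0200
X-eGroups-Return: sentto-3042026-588540-0738984713-yumyum@easyweb.co.uk@returns.groups.yahoo.com
Received: from [112.233.104.158] by n52.grp.scd.yahoo.com with NNFMP; Wed, 11 Aug 2004 22:45:10 -0300
X-Sender: MAILER-DAEMON@msn.com
Received: (qmail 14413 invoked from network); %CURRENT_DATE_TIME
Date: %CURRENT_DATE_TIME
X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no
"""

HOP = re.compile(r"^from\s+(.*?)\s+by\s+([^\s;]+)", re.I)

def unfold(raw):
    """Join folded continuation lines into a list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def audit(raw, our_host):
    """Walk the headers newest-first and return a list of findings."""
    findings, hop, last_idx = [], 0, None
    prev_from = {our_host.lower()}  # the only "by" we trust is our own server
    for i, (name, value) in enumerate(unfold(raw)):
        if re.search(r"%[A-Z_]+", value):
            findings.append(f"{name}: unexpanded template variable")
        if name.lower().startswith("x-spam-"):
            findings.append(f"{name}: pre-existing spam verdict we did not produce")
        if name.lower() != "received":
            continue
        hop += 1
        if last_idx is not None and i - last_idx > 1:
            findings.append(f"Received #{hop}: non-Received headers inserted into the chain above it")
        last_idx = i
        m = HOP.match(value)
        if not m:  # qmail's "(qmail N invoked from network)" form has no from/by pair
            continue
        if m.group(2).lower() not in prev_from:
            findings.append(f"Received #{hop}: by {m.group(2)} but previous hop got it from "
                            + "/".join(sorted(prev_from)))
        prev_from = {t.strip("()[]").lower() for t in m.group(1).split()}
    return findings
```

Calling audit(SAMPLE, "mail.easyweb.co.uk") returns seven findings for the forged block; a genuine chain, where each hop's "by" matches the host the previous hop received from, returns an empty list.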

Trackback URL for this post:

http://www.easyweb.co.uk/trackback/58
martin's blog