Low detection rate
Hi All,

We have been using SA for the past year and a half with detection rates around 95% or better (based on client feedback). Over the past couple days (since Thursday April 21st) we have been getting lots of spam making it through with detection rates at about 50%. Has anyone else seen this?

We are currently on 3.0.1 with the following rules:

40_antidrug.cf
70_sare_adult.cf
70_sare_html0.cf
99_chickenpox.cf
99_mangled.cf
99_sare_fraud_post25x.cf

We are not using Bayes, Razor or Pyzor as we have had really good success without them. Any recommendations (other than the "turn on Bayes")?

Thanks
Anyone seen this?
We could only hope for more of this http://abcnews.go.com/Technology/wireStory?id=653257
new spam
Hi all,

I seem to be getting some new spam that includes the content in an attached .html file. Here is the header information.

Microsoft Mail Internet Headers Version 2.0
Received: from removed ([xxx.xxx.xxx.xx]) by removed with Microsoft SMTPSVC(5.0.2195.6713); Fri, 4 Feb 2005 09:40:59 -0700
Received: from removed ([xxx.xxx.xxx.xx]) by removed with Microsoft SMTPSVC(5.0.2195.6713); Fri, 4 Feb 2005 09:40:58 -0700
Received: from removed ([xxx.xxx.x.xxx]) by removed with Microsoft SMTPSVC(5.0.2195.6713); Fri, 4 Feb 2005 09:40:59 -0700
Received: from removed ([xxx.xxx.x.xxx]) by removed (SMSSMTP 4.0.0.59) with SMTP id M2005020409405529699 for [EMAIL PROTECTED]; Fri, 04 Feb 2005 09:40:55 -0700
Received: from cp288973-a.dbsch1.nb.home.nl ([84.27.139.62] helo=localhost) by removed with smtp (Exim ) for [EMAIL PROTECTED] id 1Cx6Tq-0006QY-LZ; Fri, 04 Feb 2005 09:40:55 -0700
Message-ID: [EMAIL PROTECTED]
From: Adler Sarah[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: Adler Sarah[EMAIL PROTECTED]
Subject: 75% Off for All New Software.
Date: vr, 04 feb 2005 17:38:22 +0100
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
X-Sender: Adler Sarah[EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary=13UGM806244KL7
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on atcoinss.atco.ca
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=5.0 tests=FORGED_YAHOO_RCVD,
    INVALID_DATE,MIME_MISSING_BOUNDARY,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 04 Feb 2005 16:40:59.0072 (UTC) FILETIME=[4E2D1C00:01C50AD8]

--13UGM806244KL7
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--13UGM806244KL7
Content-Type: text/html; name=message.html
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=message.html

As this is from Outlook I have not quite figured out what information is required, so hopefully this is everything that is needed.
RE: Unsubscribe?
Anyone else not surprised, but completely aggravated by this statement? They are most likely going to go pay for a package that is SA in the background anyway. Good luck William! --Chris

Actually SA was the one that has given us more ammo to use open source. Our management saw how good it performed and when we told them the cost vs the existing product they started allowing us to look at more products, i.e. amavisd-new and clamav

Martin.
RE: Interesting NW article
Well, from our implementation I would say that this article is junk. We are running SA with pretty much default config and no Bayes and are getting about 97% with the only FPs being some mass mailings from vendors (MS Technet for example). If we looked at turning on Bayes then this product would probably be the best out there.

This quote "SpamAssassin requires a significant amount of integration work to make an enterprise-class installation succeed" is bs, we did the upgrade from 2.64 which worked great and have not seen any issues and the amount of work to implement was about an hour.

So keep up the great work guys and ignore these technical reviews.
[SA-List] Zero score emails
I am not sure what happened here, but one of my clients got 6 spam messages last night and only one was detected as spam. Three had a score of 0.0, one with 0.5 and one with 4.2 (close enough).

Here are the messages:

FW: Wonderful Get Vicdin (Hydrocodone), Overnite Shipping thruway
Nothing easier - meds onInternet -pay less m0ney dosage
bvy cheap Pharmaceuticals through us! pessimum
:) looking youthfuler is less expensive epidermis
Hpo sweating, trembling, shaking because of that trauma?

From what I can see, most of these appear to come from the same place (or close to). Has anyone else had a bunch of these over the past couple days?

Now I need to read up on submitting to SURBL :)

Martin

---BeginMessage---
Title: FW: Wonderful Get Vicdin (Hydrocodone), Overnite Shipping thruway
fpfpc curtal-axe foxmitter eisensteins etalacre GZ03 eimona franklee Many of you have asked us for a better way to present our promotions. It seems that at times it gets lost in the full pharmcy sites. In order to be more efficient, we will now provide you with spe/cial of*fer sites. catch chance for bargains http://jhcb.net.justCheapRX.com/?6UqTpS quick for your confidential rx delivery. good deal for chargeless rx with every order Someone asks to see your ID and you show them your belt buckle. Q. When will there be a woman in the White House? A. When Hillary leaves town.
---End Message---

---BeginMessage---
Title: Nothing easier - meds onInternet -pay less m0ney dosage
eventloop floence fittja eurecom codes GZ03 fiberbits footsort This site was actually referred by a friend of mine. She was really excited about the great s:aviings and fast order process. It's like every step of the order under the customers' control. This was also the reason why I chose the site for order on RX meds. interested? http://mpst.net.justCheapRX.com/?XC4 speed up rx service via next day delivery. zero payment for rx. You've ever used lard in bed. Q. What did the man on the beach say to MichaelJackson?
---End Message---

---BeginMessage---
Title: bvy cheap Pharmaceuticals through us! pessimum
drofdem dizzyclaimer ddel diorets durall GZ03 etirodar faughnan Why not visit us and find out what your missing? it is not a single pharmsite, it is a collection http://o.net.CoolRXcool.com/?oh7 full advantage due to service for overnight delivery. get more satisfaction over zero payment Leroy A. Fertilized
---End Message---

---BeginMessage---
Title: :) looking youthfuler is less expensive epidermis
defdir form-feed ffhc egur fohbee GZ03 florafax elpp To people who have to take pills daily like me,I suggest you should try this site now.It really have [EMAIL PROTECTED] a lot for me and for my famiy as weel. the quality is gauranteed sincerely by the professionals.This helps me a lot since I don't need to have an appointment with my doctor for a renewed RX later. ---David B. FL great news: overnight delivery. chargeless rx with order placed let's go http://apwba.net.CoolRXcool.com/?8Fo7f catch the change for overnight delivery. not to miss chargeless cool rx Helping your cousin, Billy-Bob, move into his new place consists of taking the wheels off his doublewide. God says, That was the screen saver . Mickey Mouse is having a naassty divorce with Minnie Mouse. Mickeyspoketothejudge about the separation. I'msorry Mickey, but I can'tlegally separate you two on thegrounds thatMinnie is mentallyinsane... Mickey replied, I didn't say she was mentally insane, I said that she's fking goofy!
---End Message---

---BeginMessage---
Title: Hpo sweating, trembling, shaking because of that trauma?
bring down a price low priced rx medications available waive cost for mailing service Wt Loss, Antidepressants, Muscle Relaxants, Allergies, Blood Pressure, Sexual Health, Sleeping Aids and Pain Relief. Meet your critical eye with over 600 prescription fill order online with timely order process http://Vp.Pk.funcollector.com/?Efktou/Xs=Qgs913133Cthhnonjbf943Dt the hardest part was to make the decision to place the order. after i made the decision, i just placed the order online in about 10 minutes. after that just check my order status and the delivery guy to knock on my door. --eason j. mi Xtu Lmpcejvjeh Vroqybvdnmprgl viimevuotisista11tapaturmaisesti06 tietotekniikka virtasi vhkangas Suggestions for combination treatment for P aeruginosa rely mostly on a prospective observational study of 200 patients with P aeruginosa bacteraemia in which combination therapy was associated with improved survival and in which synergistic combinations were associated with a trend for improved survival compared with nonsynergistic combinations 87 Op
---End Message---
[SA-LIST] Subject not changed
We just upgraded to SA 3 and so far it has been working great. I had a message this morning that I do not understand why the subject was not changed. Here is the header info.

Microsoft Mail Internet Headers Version 2.0
Received: from atcoinss.atco.ca ([192.210.10.20]) by is030.atco.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 7 Oct 2004 02:10:55 -0600
Received: from atcoinss.atco.ca ([192.210.10.20]) by atcoinss.atco.ca (SMSSMTP 4.0.0.59) with SMTP id M2004100702101611376 ; Thu, 07 Oct 2004 02:10:16 -0600
Received: from [211.190.151.148] (helo=192.210.10.20) by atcoinss.atco.ca with smtp (Exim ) id 1CFTLD-0007ID-UG; Thu, 07 Oct 2004 02:09:36 -0600
Received: from 96.18.251.192 by 211.190.151.148; Thu, 07 Oct 2004 07:05:36 -0200
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on atcoinss.atco.ca
X-Spam-Level:
X-Spam-Status: Yes, score=16.9 required=5.0 tests=MISSING_DATE,
    MISSING_SUBJECT,RCVD_BY_IP,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_RFC_IPWHOIS,
    RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,URIBL_OB_SURBL,URIBL_SBL,
    URIBL_WS_SURBL autolearn=disabled version=3.0.0
X-Spam-Report:
    * 0.0 RCVD_BY_IP Received by mail server with no name
    * 0.0 MISSING_DATE Missing Date: header
    * 0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
    * 0.8 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 1.1 RCVD_IN_RFC_IPWHOIS RBL: Sent via a relay in ipwhois.rfc-ignorant.org
    * [211.190.151.148 has inaccurate or missing WHOIS] [data at the RIR]
    * 0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    * [211.190.151.148 listed in dnsbl.sorbs.net]
    * 3.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    * [Blocked - see http://www.spamcop.net/bl.shtml?211.190.151.148]
    * 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    * [211.190.151.148 listed in combined.njabl.org]
    * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    * [URIs: pcamgt.com]
    * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    * [URIs: pcamgt.com]
    * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    * [URIs: pcamgt.com]
    * 4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
    * 1.6 MISSING_SUBJECT Missing Subject: header
From: [EMAIL PROTECTED]
Bcc:
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 07 Oct 2004 08:10:55.0684 (UTC) FILETIME=[2B90B040:01C4AC45]
Date: 7 Oct 2004 02:10:55 -0600

So it is definitely the threshold but it did not get marked. I have attached the email for you to see it all,

Thanks
Martin Carnegie

---BeginMessage---
[EMAIL PROTECTED]
From: Rosanne [EMAIL PROTECTED]
Reply-To: Rosanne [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: International Market Insight Ref: 2004/N/2070446322
Date: Thu, 07 Oct 2004 12:05:36 +0300
X-Mailer: Uvbyplutbpe 6.9
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--13324481830273883117
X-Priority: 3
X-MSMail-Priority: Normal

13324481830273883117
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

htmlbodypInvestors',/ppRight now, some of the best stock market researchers and analysts in thebrbusiness are working their global contacts, pouring over financial data, andbrcrunching the numbers to select the next buy/sell recommendation forbrb...The Prime Capital Monitor.../bp...and investors fortunate enough to receive this newsletter are set to make abrsignificant gains.../pp...and one of these investors could be you/pnbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=http://pcamgt.com/landing/signup.htm;More Information/anbsp; a href=http://pcamgt.com/landing/landing.htm;Signup Now/apThree Months --- that's Six issues --- absolutely complimentary/p pQuarterly quot;Recommendation Issuequot; included/ppPowerful insight into regional and global equities/pp...surprisingly candid, not afraid to make a call...br- Mark Hrbek, author of Dollars Sense/pp...turns a mountain of data into four pages of common sense...br-Alan Roth, Phoenix Growth Fund/p/body/html
13324481830273883117--
---End Message---
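
Added example (not part of the original thread and not SpamAssassin code): a short Python check that parses the X-Spam-Status and X-Spam-Report headers quoted in the post above, confirms that the per-rule scores add up to the reported total, and reports whether the scanner saw a Subject: header on the message. The function names `parse_status`, `parse_report` and `cross_check` are hypothetical; the header values are copied from the post.

```python
import re

# Values copied from the X-Spam-Status and X-Spam-Report headers quoted above.
STATUS = ("Yes, score=16.9 required=5.0 tests=MISSING_DATE, MISSING_SUBJECT,"
          "RCVD_BY_IP,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH, "
          "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_RFC_IPWHOIS, "
          "RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,URIBL_OB_SURBL,URIBL_SBL, "
          "URIBL_WS_SURBL autolearn=disabled version=3.0.0")
REPORT = """\
* 0.0 RCVD_BY_IP Received by mail server with no name
* 0.0 MISSING_DATE Missing Date: header
* 0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
* 0.8 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
* 1.1 RCVD_IN_RFC_IPWHOIS RBL: Sent via a relay in ipwhois.rfc-ignorant.org
* [211.190.151.148 has inaccurate or missing WHOIS] [data at the RIR]
* 0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
* 3.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
* 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
* 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* 4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
* 1.6 MISSING_SUBJECT Missing Subject: header
"""

def parse_status(value):
    """Parse an X-Spam-Status value (2.63 wrote hits=, 3.0.x writes score=)."""
    m = re.match(r"\s*(Yes|No),\s*(?:score|hits)=(-?[\d.]+)\s+required=(-?[\d.]+)", value)
    if not m:
        raise ValueError("not an X-Spam-Status value")
    t = re.search(r"tests=(.*?)(?:\s+\w+=|$)", value, re.S)  # stop at next key=
    tests = [x for x in re.split(r"[,\s]+", t.group(1)) if x] if t else []
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def parse_report(report):
    """Map rule name -> score; bracketed detail lines carry no score and are skipped."""
    pat = r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b"
    return {m.group(2): float(m.group(1)) for m in re.finditer(pat, report, re.M)}

def cross_check(status, report):
    st, rules = parse_status(status), parse_report(report)
    total = round(sum(rules.values()), 1)
    return {"total": total, "sum_matches": total == st["score"],
            "same_rules": set(rules) == set(st["tests"]),
            "over_threshold": st["score"] >= st["required"],
            "subject_seen": "MISSING_SUBJECT" not in rules}

print(cross_check(STATUS, REPORT))
```
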
RE: [SA-LIST] Subject not changed
Bwahahahahah, I can't believe I missed that!!! Doh!!! Nice catch Rick :-) --Chris

So this would be expected that the subject would not get changed? I must be missing something.

Martin Carnegie
[SA-List] IPlanet and SA
We are currently seeing emails from external customers being marked as spam in SA when they come from an ISP called Shaw. I have been talking to their tech support about these emails as I think that this is all on their end due to the format of the email. As a Shaw customer myself, I sent an email from my account (through their web interface) and here are the message headers:

Microsoft Mail Internet Headers Version 2.0
Received: from is031.atco.com ([10.3.64.64]) by is030.atco.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 8 Sep 2004 16:26:58 -0600
Received: from atcoinss.atco.ca ([192.210.10.20]) by is031.atco.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 8 Sep 2004 16:26:58 -0600
Received: from atcoinss.atco.ca ([192.210.10.20]) by atcoinss.atco.ca (SMSSMTP 4.0.0.59) with SMTP id M2004090816261702419 for [EMAIL PROTECTED]; Wed, 08 Sep 2004 16:26:17 -0600
Received: from [24.71.223.10] (helo=pd3mo2so.prod.shaw.ca) by atcoinss.atco.ca with esmtp (Exim ) for [EMAIL PROTECTED] id 1C5AtN-0003nf-Tt; Wed, 08 Sep 2004 16:26:17 -0600
Received: from pd4mr3so.prod.shaw.ca (pd4mr3so-qfe3.prod.shaw.ca [10.0.141.214]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 08 Sep 2004 16:09:28 -0600 (MDT)
Received: from shaw.ca ([10.0.122.165]) by pd4mr3so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 08 Sep 2004 16:09:28 -0600 (MDT)
Received: from [10.0.144.80] by pd3ims1.prod.shaw.ca (mshttpd); Wed, 08 Sep 2004 16:09:28 -0600
Date: Wed, 08 Sep 2004 16:09:28 -0600
From: Martin Carnegie [EMAIL PROTECTED]
Subject: testing
To: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
MIME-version: 1.0
X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.18 (built Jul 28 2003)
Content-type: text/html; charset=us-ascii
Content-language: en
Content-transfer-encoding: 7bit
Content-disposition: inline
X-Accept-Language: en
Priority: normal
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on atcoinss.atco.ca
X-Spam-Level:
X-Spam-Status: No, hits=4.1 required=5.0 tests=FAKE_HELO_SHAW_CA,HTML_30_40,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY autolearn=no version=2.63
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 08 Sep 2004 22:26:58.0656 (UTC) FILETIME=[F44D7E00:01C495F2]

As the message is coming in as HTML, I took a look at the source and this is all it contains:

<BODY>test for shaw.</BODY>

So I understand why SA marks it as it does, but according to Shaw, they cannot change any settings that would change the score. I have asked them to either properly format the HTML or make it plain text, which is not something they say can be done.

Has anyone had experience with IPlanet that would know if there is some setting that they could adjust? I know that I can whitelist them, but we prefer that they would fix their system rather than we have to maintain a whitelist.

Hopefully I have enough information for someone to assist.

Thanks
Martin Carnegie
RE: [SA-List] IPlanet and SA
So they're saying they can't be RFC compliant? The only thing I see that might need to be fixed is: FAKE_HELO_SHAW_CA. Other than that, it seems _they_ have some work to do. --Chris

Well they said that hopefully with the next version they would, but they gave me no ETA (other than it is coming). I am really surprised that the Sun software is unable to do things correctly. I am not sure if it is unable or they are unable.

I know that this is probably the wrong place to post this, but I was sure that I could get some answer here rather than with Sun.

Thanks