Re: Lots of spam getting thru

2014-06-30 Thread Philip Prindeville

On Jun 30, 2014, at 1:49 PM, Robert Fitzpatrick  wrote:

> John Hardin wrote:
>> On Mon, 30 Jun 2014, Robert Fitzpatrick wrote:
>> 
>>> I have been experiencing a huge amount of spam getting through to some big 
>>> target addresses, mainly from .eu and .info addresses, and would like to 
>>> see if someone can find something wrong with my setup. I recently upgraded 
>>> to 3.4, but still the same issue. I am using Postfix with Maia Mailguard (a 
>>> forked version of amavisd-new). Here is one example, could someone test 
>>> this on their own config and see how the scores compare?
>> 
>> Are you doing URIBL lookups? 
> Thanks, the only one I am using in our postfix setup is spamhaus, we 
> discontinued spamcop after an issue with false positives. Can I ask which 
> most of you are using with good results? I have skip_rbl_checks in SA set to 
> zero, is there more to add?
> 
> -- 
> Robert
> 

I have:

  score URIBL_BLACK 4.95

in my /etc/mail/spamassassin/sa-scores.cf file (this rule is defined in:

/var/lib/spamassassin/3.004000/updates_spamassassin_org/25_uribl.cf

if that’s on your system), and:

loadplugin Mail::SpamAssassin::URIDNSBL

in my /etc/mail/spamassassin/init.pre file (this is on Fedora 20).

If you were doing it from scratch, you might try:

  loadplugin Mail::SpamAssassin::URIDNSBL

  skip_rbl_checks 0

  urirhssub L_URIBL_BLACK multi.uribl.com. A 2
  body L_URIBL_BLACK eval:check_uridnsbl('L_URIBL_BLACK')
  describe L_URIBL_BLACK Contains a URL listed in the URIBL blacklist
  tflags L_URIBL_BLACK   net
  score L_URIBL_BLACK 4.95

But like I said, the canned rules should already include URIBL_BLACK.

-Philip
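
What the `urirhssub ... multi.uribl.com. A 2` line in the message above asks for, as an added example that is not part of the original post or of SpamAssassin: build the DNS name for a URL's domain and apply the bitmask subtest `2` to the A records that come back. The function names, the "last two labels" domain rule and the sample answers are assumptions made for the illustration; nothing here touches the network.

```python
import ipaddress
from urllib.parse import urlsplit

ZONE = "multi.uribl.com."   # zone taken from the urirhssub line in the post
BLACK_MASK = 2              # subtest "2" from the same line


def query_name(url, zone=ZONE):
    """Return the DNS name a URI-blocklist lookup would query for this URL.

    Assumption: the registrable domain is the last two labels of the host.
    That is right for .eu, .info and .com; real software consults a table
    of multi-level suffixes (co.uk and similar) instead.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, carry on with the domain logic
    else:
        raise ValueError("IP-literal host, not a domain lookup")
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"no registrable domain in {url!r}")
    return ".".join(labels[-2:]) + "." + zone


def subtest_hits(answers, mask=BLACK_MASK):
    """Apply a numeric (bitmask) subtest to the A records a zone returned.

    `answers` is a list of dotted-quad strings; an empty list stands for
    NXDOMAIN, i.e. the domain is not listed at all.
    """
    return any(int(ipaddress.IPv4Address(a)) & mask for a in answers)


if __name__ == "__main__":
    # URL from the spam sample quoted later on this page.
    url = "http://www.gracierichard.eu/l/lc1A5883G152D/773F2725UJ3621YH40FK3135429MV3518899638"
    print(query_name(url))
    # Constructed answers: bit 2 set, bit 2 clear, not listed.
    for answers in (["127.0.0.2"], ["127.0.0.4"], []):
        print(answers, "->", subtest_hits(answers))
```
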



Re: Lots of spam getting thru

2014-06-30 Thread Robert Fitzpatrick

John Hardin wrote:
> On Mon, 30 Jun 2014, Robert Fitzpatrick wrote:
>
>> I have been experiencing a huge amount of spam getting through to 
>> some big target addresses, mainly from .eu and .info addresses, and 
>> would like to see if someone can find something wrong with my setup. 
>> I recently upgraded to 3.4, but still the same issue. I am using 
>> Postfix with Maia Mailguard (a forked version of amavisd-new). Here 
>> is one example, could someone test this on their own config and see 
>> how the scores compare?
>
> Are you doing URIBL lookups? 

Thanks, the only one I am using in our postfix setup is spamhaus, we 
discontinued spamcop after an issue with false positives. Can I ask 
which most of you are using with good results? I have skip_rbl_checks in 
SA set to zero, is there more to add?


--
Robert



Re: Lots of spam getting thru

2014-06-30 Thread John Hardin

On Mon, 30 Jun 2014, Robert Fitzpatrick wrote:

> I have been experiencing a huge amount of spam getting through to some big 
> target addresses, mainly from .eu and .info addresses, and would like to see 
> if someone can find something wrong with my setup. I recently upgraded to 
> 3.4, but still the same issue. I am using Postfix with Maia Mailguard (a 
> forked version of amavisd-new). Here is one example, could someone test this 
> on their own config and see how the scores compare?

Are you doing URIBL lookups?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim VI: If violence wasn’t your last resort, you failed to resort
  to enough of it.
---
 4 days until the 238th anniversary of the Declaration of Independence

Lots of spam getting thru

2014-06-30 Thread Robert Fitzpatrick
I have been experiencing a huge amount of spam getting through to some 
big target addresses, mainly from .eu and .info addresses, and would 
like to see if someone can find something wrong with my setup. I 
recently upgraded to 3.4, but still the same issue. I am using Postfix 
with Maia Mailguard (a forked version of amavisd-new). Here is one 
example, could someone test this on their own config and see how the 
scores compare?


Interestingly enough, I get some different rules triggered when I copy 
the source to a file and run on the command line:


Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [209.190.37.182 listed in bb.barracudacentral.org]
 3.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
                            [score: 0.8208]
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)

Looking the original message up in the database, it scored only 2.589. 
DCC_CHECK (1.1) hit, but not Pyzor, and BAYES_60 (1.5). Probably the 
bayes increase is from learning. That's it on the original message, only 
other two rules that hit were small negative scores of SPF_PASS and 
T_RP_MATCHES_RCVD. Anyway, looks like it should get blocked if this same 
message went through again, but I am getting a lot of this, just wanted 
to see if someone else was triggering more rules? Thanks!



Received: from 002feec0.gracierichard.eu (cfot701g.gracierichard.eu 
[209.190.37.182])
by mx5.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with 
ESMTP id 5AD77D78E1

for ; Mon, 30 Jun 2014 06:38:24 -0400 (EDT)
Received: by 002feec0.cfot701g.gracierichard.eu
(amavisd-new, port 9883) with ESMTP id 00BALB2FEECIRHC0;
for ; Mon, 30 Jun 2014 03:38:15 -0700
Date: Mon, 30 Jun 2014 03:38:15 -0700
Message-ID: <58831523135429588377315227253...@cfot701g.gracierichard.eu>
To: 
From: "GracieRichard" 
Subject: Neat Trick permanently_ Removes Herpes.
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"


Hey There,


Close to two in five people in the US currently have general herpes. 
Unfortunately the likelihood of transferring this STD to a partner is 
during an outbreak.


We have a scientifically backed holistic approach to cure and end herpes 
effectively.


Stop being embarassed about this disease and learn more with our 
information.


Watch our incredible video here:
http://www.gracierichard.eu/l/lc1A5883G152D/773F2725UJ3621YH40FK3135429MV3518899638 





If you preffer to remove from us visit link below :
http://www.gracierichard.eu/l/lc4Y5883A152V/773S2725ST3621XG40XD3135429DR3518899638

























Should you no longer wish to receive emails from us, visit this link
or mail comments to 340 S LEMON AVE # 9514 WALNUT, CA 91789 UNITED STATES
http://www.gracierichard.eu/l/lc4C5883F152V/773C2725VX3621SH40EC3135429AS3518899638








The ERK pWKAhway is a way for proVMIIins to comm546284unicaUUXK a signal 
fr8628456om the surface of a cell to the nucleus which contains 
th879268465e cell’s genetic maWVJWrial Furth568429846er research will 
focus on understanding how this important pGKShway is regulaNRWJd during 
limb regenerHQTion, and which other molecule648426s are involved in the 
process





--
Robert


Re: I am getting lots of SPAM

2014-05-30 Thread motty cruz
Thank you, I am running all.spamrats.com, also it made a huge difference when
I took the recipient off the whitelist.

Thanks for all your support.


On Fri, May 30, 2014 at 11:13 AM, Matus UHLAR - fantomas wrote:

>>> reject_rbl_client all.spamrats.com
>
> On 29.05.14 13:17, Alex wrote:
>> What's that? That doesn't really have a reputation here, and it's not going
>> to be more effective than zen or barracuda. Set up your RBLs so they're
>> weighted. Implement postscreen with postfix.
>
> 5 years ago I posted a question about this blacklist:
> http://marc.info/?l=spamassassin-users&m=123920398923786&w=2
>
>>> X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
>>>  tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>>>  MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
>>>  URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no
>>
>> Why is this user whitelisted if you consider it to be spam?
>
> it's the recipient that is whitelisted. In such case it is really silly to
> blame SA for not marking _any_ mail as spam...
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Microsoft dick is soft to do no harm
>


Re: I am getting lots of SPAM

2014-05-30 Thread Matus UHLAR - fantomas

>> reject_rbl_client all.spamrats.com

On 29.05.14 13:17, Alex wrote:
> What's that? That doesn't really have a reputation here, and it's not going
> to be more effective than zen or barracuda. Set up your RBLs so they're
> weighted. Implement postscreen with postfix.

5 years ago I posted a question about this blacklist:
http://marc.info/?l=spamassassin-users&m=123920398923786&w=2

>> X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
>>  tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>>  MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
>>  URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no

> Why is this user whitelisted if you consider it to be spam?

it's the recipient that is whitelisted. In such case it is really silly to
blame SA for not marking _any_ mail as spam...


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: I am getting lots of SPAM

2014-05-29 Thread Benny Pedersen
Ironic that the whitelist to score can be changed so users do not make the 
mistake of shooting themselves in the foot ;)
-- 
Sent from my Android phone with K-9 Mail. Sorry if I am a bit brief.


Re: I am getting lots of SPAM

2014-05-29 Thread Alex
>   reject_rbl_client all.spamrats.com 

What's that? That doesn't really have a reputation here, and it's not going
to be more effective than zen or barracuda. Set up your RBLs so they're
weighted. Implement postscreen with postfix.

> X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
>  tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>  MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
>  URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no

Why is this user whitelisted if you consider it to be spam?

> ## Optional Score Increase last 4.0 increase to 4.5
>
> score BAYES_50 1.800
...

Don't modify the default scores. Something else is wrong if you have to do
that.

If you're still having difficulties, post a sample with full headers to
pastebin.com with a link to it here so we can analyze it further.

Regards,
Alex


On Thu, May 29, 2014 at 10:11 AM, motty cruz  wrote:

> Hello, recently I am getting loads of spam, more than usual. I have the
> following RBLs.
>  reject_rbl_client b.barracudacentral.org,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client bl.spamcop.net,
>  reject_rbl_client all.spamrats.com
>
> any recommendation?
>
> Bayes Headers:
>
> X-Spam-Flag: NO
> X-Spam-Score: 3.147
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
>  tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>  MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
>  URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no
>
> local.cf
>
> ## Optional Score Increase last 4.0 increase to 4.5
> score BAYES_50 1.800
> score BAYES_60 2.200
> score BAYES_80 3.200
> score BAYES_95 3.500
> score BAYES_99 4.500
> score BODY_ENHANCEMENT 2.513
> score BODY_ENHANCEMENT2 1.513
> score DRUGS_ERECTILE 3.513
> score DRUG_ED_SILD 2.013
> score HELO_DYNAMIC_DHCP 2.513
> score HS_INDEX_PARAM 1.513
> score ONLINE_PHARMACY 3.013
> score RDNS_DYNAMIC 1.013
> score RDNS_NONE 2.013
> score STOX_REPLY_TYPE 2.013
> score SUBJ_BUY 2.013
> score TVD_VISIT_PHARMA 2.913
> score TVD_SPACE_RATIO 1.913
>
> help please!
>
>


Re: I am getting lots of SPAM

2014-05-29 Thread John Hardin

On Thu, 29 May 2014, motty cruz wrote:

> Hello, recently I am getting loads of spam, more than usual.
>
> X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
>    tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>    MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
>    URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no
>
> help please!

If you whitelist the recipient you should expect them to get spam.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You know things are bad when Pravda says we [the USA] have gone
  too far to the left. -- Joe Huffman
---
 8 days until the 70th anniversary of D-Day
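
The arithmetic behind the replies in this thread, as an added example that is not part of any poster's message: parse the `X-Spam-Status` header that was posted, sum the per-rule points, and report any negative-scoring rule that on its own pulled the message under the `required` threshold. The function names and the second, already-spam header are constructed for the illustration.

```python
import re

# Header value copied from the post in this thread (folded lines joined).
HEADER = (
    "No, score=3.147 tagged_above=-999 required=5.3 "
    "tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001, "
    "MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01, "
    "URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no"
)


def _field(name, value):
    """Pull a numeric key=value field out of the header, or fail loudly."""
    m = re.search(r"\b%s=(-?\d+(?:\.\d+)?)" % re.escape(name), value)
    if m is None:
        raise ValueError("header has no %s= field" % name)
    return float(m.group(1))


def parse_status(value):
    """Return (score, required, {rule: points}) from an X-Spam-Status value
    that lists points per rule, as the header in this thread does."""
    value = " ".join(value.split())          # unfold continuation lines
    m = re.search(r"\btests=\[([^\]]*)\]", value)
    if m is None:
        raise ValueError("header has no tests=[...] list")
    tests = {}
    for item in m.group(1).split(","):
        name, sep, pts = item.strip().partition("=")
        if sep:                              # skip empty or score-less items
            tests[name] = float(pts)
    return _field("score", value), _field("required", value), tests


def masking_rules(value):
    """Find negative rules without which the message would have been spam.

    A rule masks the verdict when the message is below `required` with it
    and at or above `required` once its points are taken back out.
    """
    score, required, tests = parse_status(value)
    total = round(sum(tests.values()), 3)
    report = {"score": score, "sum_of_tests": total,
              "required": required, "masking": {}}
    if score >= required:
        return report                        # already tagged, nothing masked
    for name, pts in tests.items():
        without = round(total - pts, 3)
        if pts < 0 and without >= required:
            report["masking"][name] = without
    return report


if __name__ == "__main__":
    r = masking_rules(HEADER)
    print("reported score :", r["score"])
    print("sum of tests   :", r["sum_of_tests"])
    for rule, without in r["masking"].items():
        print("%s hides a score of %.3f (required %.1f)"
              % (rule, without, r["required"]))
```
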


I am getting lots of SPAM

2014-05-29 Thread motty cruz
Hello, recently I am getting loads of spam, more than usual. I have the
following RBLs.
 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client all.spamrats.com

any recommendation?

Bayes Headers:

X-Spam-Flag: NO
X-Spam-Score: 3.147
X-Spam-Level: ***
X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
 tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
 MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
 URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no

local.cf

## Optional Score Increase last 4.0 increase to 4.5
score BAYES_50 1.800
score BAYES_60 2.200
score BAYES_80 3.200
score BAYES_95 3.500
score BAYES_99 4.500
score BODY_ENHANCEMENT 2.513
score BODY_ENHANCEMENT2 1.513
score DRUGS_ERECTILE 3.513
score DRUG_ED_SILD 2.013
score HELO_DYNAMIC_DHCP 2.513
score HS_INDEX_PARAM 1.513
score ONLINE_PHARMACY 3.013
score RDNS_DYNAMIC 1.013
score RDNS_NONE 2.013
score STOX_REPLY_TYPE 2.013
score SUBJ_BUY 2.013
score TVD_VISIT_PHARMA 2.913
score TVD_SPACE_RATIO 1.913

help please!


Re: Lots of spam with the following snip

2008-07-08 Thread Michelle Konzack
Hi Steven,

Is it really worth filtering this with spamassassin?
I get over 4 of them per day... and filter them easily from procmail
since the messages are always generated by the same software.

:0B
* contains a virus which has
.ATTENTION.Anti_Virus_Spam/

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: Lots of spam with the following snip

2008-07-02 Thread PlantItWeb Administrator
- Original Message - 
From: "mouss" <[EMAIL PROTECTED]>

Cc: 
Sent: Tuesday, July 01, 2008 12:27 PM
Subject: Re: Lots of spam with the following snip



Justin Mason wrote:

[snip]

On 01.07.08 10:50, Justin Mason wrote:


no -- this is real spam, not a bounce in any way.



same here. not a bounce in any way.


Are you sure it's not just virus message sent by someone and cured by
intermediate relay?



Yes, seeing lots of this exact wording, in high volume, throughout our
traps.



the few ones I checked only contain the cited text followed by noise 
(random text to poison bayes or whatever).



I am receiving this type of spam also.
What I noticed was that the website in the body was entered with a pound 
sign instead of a period at the domain part.

The ones I am getting have http://www.tldmls#com/string_of_characters
In my version of firefox (2.0.0.14), this will resolve correctly to the 
domain name as long as it is a .com.
Is this form of url picked up by the URI black lists or does this require a 
body rule?


Thanks,
Gene Lindsey




Re: Lots of spam with the following snip

2008-07-01 Thread mouss

Justin Mason wrote:

[snip]

On 01.07.08 10:50, Justin Mason wrote:


no -- this is real spam, not a bounce in any way.
  


same here. not a bounce in any way.


Are you sure it's not just virus message sent by someone and cured by
intermediate relay?



Yes, seeing lots of this exact wording, in high volume, throughout our
traps.
  


the few ones I checked only contain the cited text followed by noise 
(random text to poison bayes or whatever).


The following catches them, but JM_SOUGHT, RAZOR and Bayes should catch 
them already.


body   __FAKE_VIR_1  /This letter contains a virus/
body   __FAKE_VIR_2  /successfully detected and cured/
header __FAKE_VIR_SUBJ Subject =~ /^\S{1,20}\s+\S{1,20}$/
header __FAKE_VIR_MUA X-Mailer =~ /^The Bat/
header __FAKE_VIR_REPLYTO Reply-To =~ /\S/

score __FAKE_VIR_1 0.01
score __FAKE_VIR_2 0.01
score __FAKE_VIR_SUBJ 0.01
score __FAKE_VIR_MUA 0.01
score __FAKE_VIR_REPLYTO 0.01

meta FAKE_VIR_LETTER  (__FAKE_VIR_1 && __FAKE_VIR_2 && __FAKE_VIR_SUBJ && __FAKE_VIR_MUA && __FAKE_VIR_REPLYTO)

score FAKE_VIR_LETTER  5.0
describe FAKE_VIR_LETTER  Fake detected and cured virus letter



Re: Lots of spam with the following snip

2008-07-01 Thread Justin Mason

Matus UHLAR - fantomas writes:
> > > On 30.06.08 19:04, Steven W. Orr wrote:
> > > > God dag,
> > > > 
> > > > ***
> > > > Warning!
> > > > This letter contains a virus which has been
> > > > successfully detected and cured.
> > > > ***
> > > > 
> > > > The part that's noteworthy is this:
> > > > 
> > > > 
> > > > ***
> > > > Warning!
> > > > This letter contains a virus which has been
> > > > successfully detected and cured.
> > > > ***
> > > > 
> > > > Does someone have rule for this ready made?
> 
> > Matus UHLAR - fantomas writes:
> > > I think VBounce should catch those. But I advise to find the idiot who did
> > > not refuse e-mail message containing virus and passed the cleaned stuff to
> > > you...
> 
> On 01.07.08 10:50, Justin Mason wrote:
> > no -- this is real spam, not a bounce in any way.
> 
> Are you sure it's not just virus message sent by someone and cured by
> intermediate relay?

Yes, seeing lots of this exact wording, in high volume, throughout our
traps.

--j.


Re: Lots of spam with the following snip

2008-07-01 Thread Matus UHLAR - fantomas
> > On 30.06.08 19:04, Steven W. Orr wrote:
> > > God dag,
> > > 
> > > ***
> > > Warning!
> > > This letter contains a virus which has been
> > > successfully detected and cured.
> > > ***
> > > 
> > > The part that's noteworthy is this:
> > > 
> > > 
> > > ***
> > > Warning!
> > > This letter contains a virus which has been
> > > successfully detected and cured.
> > > ***
> > > 
> > > Does someone have rule for this ready made?

> Matus UHLAR - fantomas writes:
> > I think VBounce should catch those. But I advise to find the idiot who did
> > not refuse e-mail message containing virus and passed the cleaned stuff to
> > you...

On 01.07.08 10:50, Justin Mason wrote:
> no -- this is real spam, not a bounce in any way.

Are you sure it's not just virus message sent by someone and cured by
intermediate relay?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: Lots of spam with the following snip

2008-07-01 Thread Justin Mason

Matus UHLAR - fantomas writes:
> On 30.06.08 19:04, Steven W. Orr wrote:
> > 
> > God dag,
> > 
> > ***
> > Warning!
> > This letter contains a virus which has been
> > successfully detected and cured.
> > ***
> > 
> > The part that's noteworthy is this:
> > 
> > 
> > ***
> > Warning!
> > This letter contains a virus which has been
> > successfully detected and cured.
> > ***
> > 
> > Does someone have rule for this ready made?
> 
> I think VBounce should catch those. But I advise to find the idiot who did
> not refuse e-mail message containing virus and passed the cleaned stuff to
> you...

no -- this is real spam, not a bounce in any way.

--j.


Re: Lots of spam with the following snip

2008-07-01 Thread Matus UHLAR - fantomas
On 30.06.08 19:04, Steven W. Orr wrote:
> 
> God dag,
> 
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
> 
> The part that's noteworthy is this:
> 
> 
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
> 
> Does someone have rule for this ready made?

I think VBounce should catch those. But I advise to find the idiot who did
not refuse e-mail message containing virus and passed the cleaned stuff to
you...
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: Lots of spam with the following snip

2008-06-30 Thread Chris
On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> God dag,
> 
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
>
> The part that's noteworthy is this:
>
>
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
>
> Does someone have rule for this ready made?
>
> Thanks
Scored pretty well here, do you have network checks active? The "SOUGHT" rule 
scored well too. The 'virus' that was detected is a sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details:   (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many]
                            [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores, however, my 
ISP, Embarq sometimes has a tendency to block my posts even with IP's in the 
body such as above. They're using CMAE so I don't know if that's something it 
does or not. I've Bcc'd myself on the first post and it went through to me 
but then I have no idea what the CMAE hashes mean.

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: Lots of spam with the following snip

2008-06-30 Thread Chris
On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> God dag,
> 
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
>
> The part that's noteworthy is this:
>
>
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
>
> Does someone have rule for this ready made?
>
> Thanks
Scored pretty well here, do you have network check active? The "SOUGHT" rules 
scored well too. The 'virus' that was detected is a sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

-- 
Chris
KeyID 0xE372A7DA98E6705C




Lots of spam with the following snip

2008-06-30 Thread Steven W. Orr

God dag,

***
Warning!
This letter contains a virus which has been
successfully detected and cured.
***

The part that's noteworthy is this:


***
Warning!
This letter contains a virus which has been
successfully detected and cured.
***

Does someone have rule for this ready made?

Thanks

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: Lots Of SPAM

2008-02-26 Thread Chris
On Tuesday 26 February 2008 6:15 am, Tarak Ranjan wrote:
> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this king of mesages.
> SA also skipping this kind of mails
>
> /
> TArak

Here's how my box scored it:

Content analysis details:   (36.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=121.23.229.225,maildomain=adesso.de,nordns]
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 2.5 LOGINHASH2             BODY: iXhash says its spam
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1117; Body=3 Fuz1=3 Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

-- 
Chris
KeyID 0xE372A7DA98E6705C




RE: Lots Of SPAM

2008-02-26 Thread Randal, Phil
I use these rules.  Score as you see fit.  Mind the linebreaks...

body     HC_GIRL    /\bnice girl that would like to chat.{1,16}Email me at \
.{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL    Girl with pics scam
score    HC_GIRL    5

body     HC_GIRL2   /I am (?:using|writing from) my friend's email/
describe HC_GIRL2   Girl with pics scam
score    HC_GIRL2   5

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Tarak Ranjan [mailto:[EMAIL PROTECTED] 
> Sent: 26 February 2008 12:15
> To: Spamassassin
> Subject: Lots Of SPAM
> 
> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this king of mesages.
> SA also skipping this kind of mails
> 
> /
> TArak
> 
> 
> 


Re: Lots Of SPAM

2008-02-26 Thread Loren Wilton

Hi List,
i have posted my RAW email in http://pastebin.ca/918849 ,
i'm receiving 1000 to 4000 per day this king of mesages.
SA also skipping this kind of mails


"Nice girl" spam.  Look in the archives over the last week, those were 
discussed a lot and several rules posted for them.


   Loren



Re: Lots Of SPAM

2008-02-26 Thread --[ UxBoD ]--
Hi,

I score it as follows :-

Content analysis details:   (23.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=121.23.229.225,nordns]
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 2.5 KAM_PIC                Share Pictures and Chat SPAM
 4.0 JM_SOUGHT_3            JM_SOUGHT_3
 4.0 JM_SOUGHT_2            JM_SOUGHT_2

so take a look at http://wiki.apache.org/spamassassin/SoughtRules

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- "Tarak Ranjan" <[EMAIL PROTECTED]> wrote:

> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this king of mesages.
> SA also skipping this kind of mails
> 
> /
> TArak

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Lots Of SPAM

2008-02-26 Thread Andrew Hearn
Tarak Ranjan wrote:
> > Hi List,
> > i have posted my RAW email in http://pastebin.ca/918849 ,
> > i'm receiving 1000 to 4000 per day this king of mesages.
> > SA also skipping this kind of mails
> >
> > /
> > TArak
> >
> >

I get 8.2 without Bayes...

 1.5 IXHASH2                BODY: mail has been classified as spam @
                            LogIn&Solutions AG, Germany
 0.0 CLAMAV                 Clam AntiVirus detected something...
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 0.2 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.5 CLAMAV_SANE            SPAM found by ClamAV SaneSecurity signatures

(JM_SOUGHT was talked about earlier in the list)

Andrew.



Re: Lots Of SPAM

2008-02-26 Thread Tarak Ranjan

On Tue, 2008-02-26 at 10:28 -0200, Luis Hernán Otegui wrote:
> Hi, tarak
> 
> 2008/2/26, Tarak Ranjan <[EMAIL PROTECTED]>:
> > Hi List,
> >  i have posted my RAW email in http://pastebin.ca/918849 ,
> >  i'm receiving 1000 to 4000 per day this king of mesages.
> >  SA also skipping this kind of mails
> >
> >  /
> 
> Well, I get a beautiful BAYES_99 on the mail you've shown. You should
> tell us more about your setup. Which SA version, how is it running, do
> you use sa-update? Also, you should report the message to
> razor/pyzor/spamcop. That'll help too.

QMAIL+SA[SpamAssassin version 3.1.4]+CLAMD





Re: Lots Of SPAM

2008-02-26 Thread Luis Hernán Otegui
Hi, tarak

2008/2/26, Tarak Ranjan <[EMAIL PROTECTED]>:
> Hi List,
>  i have posted my RAW email in http://pastebin.ca/918849 ,
>  i'm receiving 1000 to 4000 per day this king of mesages.
>  SA also skipping this kind of mails
>
>  /

Well, I get a beautiful BAYES_99 on the mail you've shown. You should
tell us more about your setup. Which SA version, how is it running, do
you use sa-update? Also, you should report the message to
razor/pyzor/spamcop. That'll help too.
>
> TArak
>
>
>
Regards,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Lots Of SPAM

2008-02-26 Thread Tarak Ranjan
Hi List,
i have posted my RAW email in http://pastebin.ca/918849 ,
i'm receiving 1000 to 4000 per day this kind of messages.
SA also skipping this kind of mails

/
TArak




Re: AWL scoring on lots of spam

2007-02-15 Thread LuKreme

On 15-Feb-2007, at 19:53, Matt Kettler wrote:

> LuKreme wrote:
>> I have a LOT of spam that is hitting with score in the teens despite
>> getting very low AWL scores.
>
> http://wiki.apache.org/spamassassin/AwlWrongWay

Ah... OK, that makes some sort of sense; thanks.

--
But just because you've seen me on your TV
Doesn't mean I'm any more enlightened than you




Re: AWL scoring on lots of spam

2007-02-15 Thread Matt Kettler
LuKreme wrote:
> I have a LOT of spam that is hitting with score in the teens despite
> getting very low AWL scores.
>
> In fact, of the 400 messages in my current SPAM folder, 77 have
> negative AWL, some as high as -7.9 (38 have positive AWL scores) 

http://wiki.apache.org/spamassassin/AwlWrongWay


Re: AWL scoring on lots of spam

2007-02-15 Thread Bill Landry

LuKreme wrote the following on 2/15/2007 4:18 PM -0800:
> I have a LOT of spam that is hitting with score in the teens despite
> getting very low AWL scores.
>
> In fact, of the 400 messages in my current SPAM folder, 77 have
> negative AWL, some as high as -7.9 (38 have positive AWL scores)
>
> for example, here are some headers of a message that scored -6.0 for
> AWL but 8.8 overall (so would have scored 14.8 and been dev/null-ed
> but for the AWL score:
>
> =_45D2B46D.7995227F
> Content-Type: message/rfc822; x-spam-type=original
> Content-Description: original message before SpamAssassin
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from troycall.com (126.troycall.com [64.129.66.126])
>    by mail.covisp.net (Postfix) with ESMTP id 5D9D5118B5E1
>    for <[EMAIL PROTECTED]>; Wed, 14 Feb 2007 00:04:08 -0700 (MST)
> Date: Tue, 13 Feb 2007 23:10:21 -0700
> From: "Club Health" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Does Sams Club Offer Health Coverage In Your Area?
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Message-Id: <[EMAIL PROTECTED]>
>
> wtf is [EMAIL PROTECTED] doing in the AWL?


Please read: http://wiki.apache.org/spamassassin/AutoWhitelist

Bill


AWL scoring on lots of spam

2007-02-15 Thread LuKreme
I have a LOT of spam that is hitting with score in the teens despite  
getting very low AWL scores.


In fact, of the 400 messages in my current SPAM folder, 77 have  
negative AWL, some as high as -7.9 (38 have positive AWL scores)



for example, here are some headers of a message that scored -6.0 for  
AWL but 8.8 overall (so would have scored 14.8 and been dev/null-ed  
but for the AWL score:


=_45D2B46D.7995227F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from troycall.com (126.troycall.com [64.129.66.126])
   by mail.covisp.net (Postfix) with ESMTP id 5D9D5118B5E1
   for <[EMAIL PROTECTED]>; Wed, 14 Feb 2007 00:04:08 -0700 (MST)
Date: Tue, 13 Feb 2007 23:10:21 -0700
From: "Club Health" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Does Sams Club Offer Health Coverage In Your Area?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <[EMAIL PROTECTED]>

wtf is [EMAIL PROTECTED] doing in the AWL?

--
sometimes ascii is the best use of bandwidth... Tonya Engst





Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-14 Thread Loren Wilton
> I have searched around rulesemporium without much success trying to find
> these LOCAL_OBFU_* rules.  I don't suppose you could tell me the
> filename that they occur in could you? (I assume they will be in
> /etc/mail/Spamassassin or wherever your local.cf file is for your
> install).

Sorry for the latish reply; I've been occupied.

It turns out they are in 99_OBFU_drugs.cf.  The file is dated May of last
year, but that is probably when we downloaded it.  The file may have been
far older somewhere on the web.

Doing a little googling, I find at least one version still out on the net,
dated as last updated in March of last year.  It was indeed created with
Chris's obfu rule generator.  At one point it was on the SARE rules page,
but is no longer.  I'm not quite sure why it disappeared, but would guess
the assumption was it was subsumed into antidrug.  Or perhaps it hit too
much ham.

I didn't determine who was the original author of this; but probably someone
remembers, or some more googling would turn it up.

Loren



RE: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-13 Thread Darren Coleman
This server is only processing a small amount of email comparatively,
perhaps a few thousand a day.  I haven't got around to setting up MRTG
on it.

I have however passed the URL across to another sysadmin at the company
who is running our main SA+Qmail server, which easily does 100k+ of
email a day.

Thanks again,

Darren


> -Original Message-
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2005 09:53
> To: SpamAssassin Users
> Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
> 
> On Thursday, January 13, 2005, 1:19:58 AM, Darren Coleman wrote:
> >> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> 
> >> % dig 2.0.0.127.sbl.spamhaus.org a
> >>
> >> ; <<>> DiG 8.3 <<>> 2.0.0.127.sbl.spamhaus.org a
> >> ;; res options: init recurs defnam dnsrch
> >> ;; got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65527
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 15, ADDITIONAL: 13
> >> ;; QUERY SECTION:
> >> ;;  2.0.0.127.sbl.spamhaus.org, type = A, class = IN
> >>
> >> ;; ANSWER SECTION:
> >> 2.0.0.127.sbl.spamhaus.org.  2H IN A  127.0.0.2
> 
> > Yes, I get that result :)
> 
> [..]
> 
> > I presume this is intended behaviour when the dig statement above works.
> > As it happens I am also seeing URIBL_SBL hits in my spam now so
> > obviously it is querying the RBL correctly.
> 
> You should be all set then.
> 
> The only remaining question is how much mail volume your server
> is doing.  If you're processing more than a hundred thousand
> messages per day you should probably request rsync access for
> the RBLs you use.  For example:
> 
>   http://www.surbl.org/rsync-signup.html
> 
> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/



Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-13 Thread Jeff Chan
On Thursday, January 13, 2005, 1:19:58 AM, Darren Coleman wrote:
>> From: Jeff Chan [mailto:[EMAIL PROTECTED]

>> % dig 2.0.0.127.sbl.spamhaus.org a
>> 
>> ; <<>> DiG 8.3 <<>> 2.0.0.127.sbl.spamhaus.org a
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65527
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 15, ADDITIONAL: 13
>> ;; QUERY SECTION:
>> ;;  2.0.0.127.sbl.spamhaus.org, type = A, class = IN
>> 
>> ;; ANSWER SECTION:
>> 2.0.0.127.sbl.spamhaus.org.  2H IN A  127.0.0.2

> Yes, I get that result :)

[..]

> I presume this is intended behaviour when the dig statement above works.
> As it happens I am also seeing URIBL_SBL hits in my spam now so
> obviously it is querying the RBL correctly.

You should be all set then.

The only remaining question is how much mail volume your server
is doing.  If you're processing more than a hundred thousand
messages per day you should probably request rsync access for
the RBLs you use.  For example:

  http://www.surbl.org/rsync-signup.html

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-13 Thread Darren Coleman
> -Original Message-
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: 13 January 2005 01:07
> To: Jeff Chan
> Cc: Darren Coleman; Jack L. Stone; Loren Wilton;
> users@spamassassin.apache.org
> Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
> 
> On Wednesday, January 12, 2005, 4:57:57 PM, Jeff Chan wrote:
> > On Wednesday, January 12, 2005, 8:15:12 AM, Darren Coleman wrote:
> >> Figured out why URIBL_SBL wasn't firing for me for that email - I can't
> >> even resolve that domain!  Have tried resolving it on several machines I
> >> have shell access to (including external machines who peer with
> >> different providers), and none of them can do it.
> 
> > Which domain?  sbl.spamhaus.org should resolve from anywhere
> 
> > Jeff C.
> 
> Or far more precisely, you should be able to duplicate this
> result:
> 
> % dig 2.0.0.127.sbl.spamhaus.org a
> 
> ; <<>> DiG 8.3 <<>> 2.0.0.127.sbl.spamhaus.org a
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65527
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 15, ADDITIONAL: 13
> ;; QUERY SECTION:
> ;;  2.0.0.127.sbl.spamhaus.org, type = A, class = IN
> 
> ;; ANSWER SECTION:
> 2.0.0.127.sbl.spamhaus.org.  2H IN A  127.0.0.2
> 
> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/

Hi Jeff,

Yes, I get that result :)

However when I do an nslookup on "sbl.spamhaus.org" I get:

Server:         212.113.196.3
Address:        212.113.196.3#53

Non-authoritative answer:
*** Can't find sbl.spamhaus.org: No answer

I presume this is intended behaviour when the dig statement above works.
As it happens I am also seeing URIBL_SBL hits in my spam now so
obviously it is querying the RBL correctly.

Thanks all for your help.

Daz
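
The check discussed in this exchange (the 127.0.0.2 test point answers, the bare zone name does not), written out as an added example that is not part of the original posts. The function names and the stub resolver are hypothetical; the 127.0.0.1 "must not be listed" test point comes from RFC 5782, and the 127.255.255.x error answers are Spamhaus's published convention, neither of which the thread mentions.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Answers Spamhaus documents as errors rather than listings (assumption: the
# zone being checked follows the same convention).
ERROR_CODES = {
    "127.255.255.252": "zone name mistyped",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_qname(ip, zone):
    """127.0.0.2 + sbl.spamhaus.org -> 2.0.0.127.sbl.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(qname):
    """A records for qname; [] if the name has none; None if resolution failed.

    The libc resolver cannot always tell NXDOMAIN from a server failure, so a
    None here means "investigate DNS", not "not listed".
    """
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror as exc:
        no_record = {socket.EAI_NONAME,
                     getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        return [] if exc.errno in no_record else None
    except OSError:
        return None


def sample_resolver(table):
    """Hypothetical offline resolver: answers from a dict, [] for anything else."""
    return lambda qname: table.get(qname, [])


def classify(answers):
    """Turn a resolver result into a DNSBL verdict."""
    if answers is None:
        return "lookup-failed"
    if not answers:
        return "not-listed"
    for addr in answers:
        if addr in ERROR_CODES:
            return "blocked: " + ERROR_CODES[addr]
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"
    # A non-127/8 answer usually means a wildcarding or hijacking resolver.
    return "unexpected answer " + ",".join(answers)


def check_zone(zone, resolver=system_resolver):
    """Health-check a DNSBL zone: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    listed = classify(resolver(dnsbl_qname("127.0.0.2", zone)))
    clean = classify(resolver(dnsbl_qname("127.0.0.1", zone)))
    if listed == "listed" and clean == "not-listed":
        return "ok"
    if listed != "listed":
        return "test point 127.0.0.2: " + listed
    return "test point 127.0.0.1: " + clean


if __name__ == "__main__":
    # Constructed data mirroring the dig and nslookup output quoted above.
    healthy = sample_resolver({"2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"]})
    print(check_zone("sbl.spamhaus.org", healthy))   # zone is usable
    print(classify(healthy("sbl.spamhaus.org")))     # bare zone: no A record
```

Pass `system_resolver` (the default) to run the same check against the resolver the mail server actually uses, since that is the path SpamAssassin's network tests depend on.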


Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-13 Thread Jeff Chan
On Wednesday, January 12, 2005, 4:57:57 PM, Jeff Chan wrote:
> On Wednesday, January 12, 2005, 8:15:12 AM, Darren Coleman wrote:
>> Figured out why URIBL_SBL wasn't firing for me for that email - I can't
>> even resolve that domain!  Have tried resolving it on several machines I
>> have shell access to (including external machines who peer with
>> different providers), and none of them can do it.

> Which domain?  sbl.spamhaus.org should resolve from anywhere

> Jeff C.

Or far more precisely, you should be able to duplicate this
result:

% dig 2.0.0.127.sbl.spamhaus.org a

; <<>> DiG 8.3 <<>> 2.0.0.127.sbl.spamhaus.org a
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 15, ADDITIONAL: 13
;; QUERY SECTION:
;;  2.0.0.127.sbl.spamhaus.org, type = A, class = IN

;; ANSWER SECTION:
2.0.0.127.sbl.spamhaus.org.  2H IN A  127.0.0.2

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-13 Thread Jeff Chan
On Wednesday, January 12, 2005, 8:15:12 AM, Darren Coleman wrote:
> Figured out why URIBL_SBL wasn't firing for me for that email - I can't
> even resolve that domain!  Have tried resolving it on several machines I
> have shell access to (including external machines who peer with
> different providers), and none of them can do it.

Which domain?  sbl.spamhaus.org should resolve from anywhere

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Chris Thielen
Darren Coleman wrote:
> Hi Loren,
>
> Firstly, thanks for your help.
>
> I have searched around rulesemporium without much success trying to find
> these LOCAL_OBFU_* rules.  I don't suppose you could tell me the
> filename that they occur in could you? (I assume they will be in
> /etc/mail/Spamassassin or wherever your local.cf file is for your
> install).
 

These rules were generated by my obfu rule generator:
http://sandgnat.com/cmos/cmos.jsp
I'm not sure where Loren's "badword" list came from, however.  I have 
two badword lists you may use, however I haven't been maintaining them 
(they're about a year old).

Here are two links to invocations of cmoscript using my badwordlists as 
input (copy each "Generated Rules file" section to a new .cf file):
http://tinyurl.com/3rrrl ("obfuscated only" wordlist for words like mortgage)
http://tinyurl.com/4wmzt (badwords wordlist)

Chris




Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Jon Drukman
Christopher John Shaker wrote:
> In my usage, SpamAssassin 3.0.2 works *way* better than the 2.XX versions of
> SpamAssassin. I've been training my Bayesian filters, and they work really
> well now.
>
> SA 3.0.2 works so well that I've deleted most of my apx 400 local rules,
> which plugged leaks through SA 2.XX.

agreed.  since i upgraded to 3.0.2 i have thrown out all the custom 
rules that i gathered from various spots around the net.  just using the 
stock SA3 config works extremely well.  as i mentioned before, just 
using Bayes + URIBL catches at least 99%.

-jsd-


Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Christopher John Shaker
In my usage, SpamAssassin 3.0.2 works *way* better than the 2.XX versions of
SpamAssassin. I've been training my Bayesian filters, and they work really
well now.

SA 3.0.2 works so well that I've deleted most of my apx 400 local rules,
which plugged leaks through SA 2.XX.

Chris Shaker
[EMAIL PROTECTED]
- Original Message - 
From: "Jack L. Stone" <[EMAIL PROTECTED]>
To: "Loren Wilton" <[EMAIL PROTECTED]>; 
Sent: Wednesday, January 12, 2005 6:54 AM
Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp 
rules


At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
Well, just for grins I ran it here:
Content analysis details:   (11.3 points, 4.6 required)
pts rule name  description
 -- 
--
2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
0.3 SARE_WEOFFER   BODY: Offers Something
1.8 LOCAL_OBFU_VIAGRA  BODY: Obfuscated 'VIAGRA' in body
1.8 LOCAL_OBFU_TADALAFIL   BODY: Obfuscated 'TADALAFIL' in body
1.8 LOCAL_OBFU_CIALIS  BODY: Obfuscated 'CIALIS' in body
0.0 BAYES_50   BODY: Bayesian spam probability is 50 to 56%
   [score: 0.5418]
1.0 DRUGS_ERECTILE Refers to an erectile drug
2.0 NOT_TO_ME  Mail is not addressed to me
You wouldn't have the last one, so should have only gotten 9.3.  This is 
on
2.64.

and, for laughs, here on sa-3.0.2 and got a very high score:
--
Content analysis details:   (31.0 points, 4.5 required)
pts rule name  description
 -- --
0.1 MISSING_HEADERSMissing To: header
0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
   [score: 0.5000]
0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
   [cf: 100]
1.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
2.5 URIBL_CNKR Contains a URL listed in China/Korea
   [URIs: aujobs.net]
0.5 URIBL_SBL_XBL  Contains a URL listed in the SBL-XBL DNSBL
   [URIs: aujobs.net]
5.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
   [URIs: aujobs.net]
5.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL 
blocklist
   [URIs: aujobs.net]
5.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL 
blocklist
   [URIs: aujobs.net]
0.5 URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL
   [URIs: aujobs.net]
5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL 
blocklist
   [URIs: aujobs.net]
0.5 URIBL_SS_RHSBL Contains a URL listed in the SS RHSBL
   [URIs: aujobs.net]
1.2 MISSING_SUBJECTMissing Subject: header
0.2 DRUGS_ERECTILE Refers to an erectile drug
1.0 MURTY_BADWORDS2Words ending with numbers
1.2 MURTY_BADWORDS3Words with numbers in the middle
0.5 MURTY_BADWORDS4Words with special symbols
1.2 MURTY_BADCHARS Single Characters

Happy trails,
Jack L. Stone
System Admin
Sage-american



RE: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Darren Coleman
> -Original Message-
> From: Darren Coleman [mailto:[EMAIL PROTECTED]
> Sent: 12 January 2005 15:29
> To: Jack L. Stone; Loren Wilton; users@spamassassin.apache.org
> Subject: RE: Lots of spam being missed with SA 3.0.2 + lots of
RulesEmp
> rules
> 
> Hmm..
> 
> I got the following on that message (having reconfigured SURBL):
> 
> Content analysis details:   (8.0 points, 5.0 required)
>  0.3 RM_hm_EmtyMsgidMessage ID is empty, or just spaces -
> probable spamsign
>  0.3 SARE_WEOFFER   BODY: Offers Something
>  2.5 MANGLED_CIALIS BODY: mangled Cialis
>  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to
60%
> [score: 0.5170]
>  0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
> 50%
> [cf: 100]
>  1.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
>  0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
> blocklist
> [URIs: aujobs.net]
>  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
> blocklist
> [URIs: aujobs.net]
>  4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
> blocklist
> [URIs: aujobs.net]
>  1.0 DRUGS_ERECTILE Refers to an erectile drug
> -3.8 AWLAWL: From: address is in the auto
white-list
> 
> (ignore AWL, mail was sent from another email account I own to test)
> 
> ..meaning I'm missing the URIBL_SBL_XBL, URIBL_SBL, URIBL_MP_RHSBL and
> URIBL_SS_RHSBL checks.
> 
> I notice from 25_uribl.cf that the "uridnsbl_timeout" is set to 2
> seconds, which seems pretty low - could this possibly be the cause of
> not all the tests being returned?
> 
> Also, I can't find any reference at all to URIBL_MP_RHSBL or
> URIBL_SS_RHSBL tests in any of the files I have in
> /usr/local/share/Spamassassin.  Where have these tests come from and
why
> would I be missing them? :(
> 
> Thanks,
> 
> Darren
> 
> 
> > -Original Message-
> > From: Jack L. Stone [mailto:[EMAIL PROTECTED]
> > Sent: 12 January 2005 14:55
> > To: Loren Wilton; users@spamassassin.apache.org
> > Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of
> RulesEmp
> > rules
> >
> > At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
> > >Well, just for grins I ran it here:
> > >
> > >Content analysis details:   (11.3 points, 4.6 required)
> > >
> > > pts rule name  description
> > > --
> -
> > ---
> > >--
> > > 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
> > > 0.3 SARE_WEOFFER   BODY: Offers Something
> > > 1.8 LOCAL_OBFU_VIAGRA  BODY: Obfuscated 'VIAGRA' in body
> > > 1.8 LOCAL_OBFU_TADALAFIL   BODY: Obfuscated 'TADALAFIL' in body
> > > 1.8 LOCAL_OBFU_CIALIS  BODY: Obfuscated 'CIALIS' in body
> > > 0.0 BAYES_50   BODY: Bayesian spam probability is 50
to
> 56%
> > >[score: 0.5418]
> > > 1.0 DRUGS_ERECTILE Refers to an erectile drug
> > > 2.0 NOT_TO_ME  Mail is not addressed to me
> > >
> > >You wouldn't have the last one, so should have only gotten 9.3.
This
> is
> > on
> > >2.64.
> > >
> >
> > and, for laughs, here on sa-3.0.2 and got a very high score:
> >
> >
>

> --
> > 
> > Content analysis details:   (31.0 points, 4.5 required)
> >
> >  pts rule name  description
> >  --
> --
> > 
> >  0.1 MISSING_HEADERSMissing To: header
> >  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to
> 60%
> > [score: 0.5000]
> >  0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level
above
> 50%
> > [cf: 100]
> >  1.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
> >  2.5 URIBL_CNKR Contains a URL listed in China/Korea
> > [URIs: aujobs.net]
> >  0.5 URIBL_SBL_XBL  Contains a URL listed in the SBL-XBL
DNSBL
> > [URIs: aujobs.net]
> >  5.0 URIBL_SBL  Contains an URL listed in the SBL
> blocklist
> >

RE: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Darren Coleman
Hmm..

I got the following on that message (having reconfigured SURBL):

Content analysis details:   (8.0 points, 5.0 required)
 0.3 RM_hm_EmtyMsgid        Message ID is empty, or just spaces - probable spamsign
 0.3 SARE_WEOFFER           BODY: Offers Something
 2.5 MANGLED_CIALIS         BODY: mangled Cialis
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5170]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: aujobs.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: aujobs.net]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: aujobs.net]
 1.0 DRUGS_ERECTILE         Refers to an erectile drug
-3.8 AWL                    AWL: From: address is in the auto white-list

(ignore AWL, mail was sent from another email account I own to test)

..meaning I'm missing the URIBL_SBL_XBL, URIBL_SBL, URIBL_MP_RHSBL and
URIBL_SS_RHSBL checks.  

I notice from 25_uribl.cf that the "uridnsbl_timeout" is set to 2
seconds, which seems pretty low - could this possibly be the cause of
not all the tests being returned?

Also, I can't find any reference at all to URIBL_MP_RHSBL or
URIBL_SS_RHSBL tests in any of the files I have in
/usr/local/share/Spamassassin.  Where have these tests come from and why
would I be missing them? :(

Thanks,

Darren


> -Original Message-
> From: Jack L. Stone [mailto:[EMAIL PROTECTED]
> Sent: 12 January 2005 14:55
> To: Loren Wilton; users@spamassassin.apache.org
> Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of
RulesEmp
> rules
> 
> At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
> >Well, just for grins I ran it here:
> >
> >Content analysis details:   (11.3 points, 4.6 required)
> >
> > pts rule name  description
> > --
-
> ---
> >--
> > 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
> > 0.3 SARE_WEOFFER   BODY: Offers Something
> > 1.8 LOCAL_OBFU_VIAGRA  BODY: Obfuscated 'VIAGRA' in body
> > 1.8 LOCAL_OBFU_TADALAFIL   BODY: Obfuscated 'TADALAFIL' in body
> > 1.8 LOCAL_OBFU_CIALIS  BODY: Obfuscated 'CIALIS' in body
> > 0.0 BAYES_50   BODY: Bayesian spam probability is 50 to
56%
> >[score: 0.5418]
> > 1.0 DRUGS_ERECTILE Refers to an erectile drug
> > 2.0 NOT_TO_ME  Mail is not addressed to me
> >
> >You wouldn't have the last one, so should have only gotten 9.3.  This
is
> on
> >2.64.
> >
> 
> and, for laughs, here on sa-3.0.2 and got a very high score:
> 
>

--
> 
> Content analysis details:   (31.0 points, 4.5 required)
> 
>  pts rule name  description
>  --
--
> 
>  0.1 MISSING_HEADERSMissing To: header
>  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to
60%
> [score: 0.5000]
>  0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
50%
> [cf: 100]
>  1.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
>  2.5 URIBL_CNKR Contains a URL listed in China/Korea
> [URIs: aujobs.net]
>  0.5 URIBL_SBL_XBL  Contains a URL listed in the SBL-XBL DNSBL
> [URIs: aujobs.net]
>  5.0 URIBL_SBL  Contains an URL listed in the SBL
blocklist
> [URIs: aujobs.net]
>  5.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
> blocklist
> [URIs: aujobs.net]
>  5.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
> blocklist
> [URIs: aujobs.net]
>  0.5 URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL
> [URIs: aujobs.net]
>  5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
> blocklist
> [URIs: aujobs.net]
>  0.5 URIBL_SS_RHSBL Contains a URL listed in the SS RHSBL
> [URIs: aujobs.net]
>  1.2 MISSING_SUBJECTMissing Subject: header
>  0.2 DRUGS_ERECTILE Refers to an erectile drug
>  1.0 MURTY_BADWORDS2Words ending with numbers
>  1.2 MURTY_BADWORDS3Words with numbers in the middle
>  0.5 MURTY_BADWORDS4Words with special symbols
>  1.2 MURTY_BADCHARS Single Characters
> 
> 
> Happy trails,
> Jack L. Stone
> 
> System Admin
> Sage-american
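
The comparison made by hand in the message above (which rules fired on another system but not locally) can be scripted. This is an added example, not code from the thread: the two reports are constructed, abridged versions of the ones quoted, with a placeholder domain, and treating the `URIBL_`/`RCVD_IN_` prefixes as "network rule" is a heuristic assumed here.

```python
import re

# One rule hit per line: score, rule name, then the description column.
RULE_LINE = re.compile(
    r"^[ \t]*(-?\d+(?:\.\d+)?)[ \t]+([A-Za-z0-9_]+)[ \t]+\S", re.M)
TOTALS = re.compile(
    r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")

# Constructed, abridged sample: the local system with partial network tests.
LOCAL_REPORT = """\
Content analysis details:   (8.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5170]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: example.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
 1.0 DRUGS_ERECTILE         Refers to an erectile drug
-3.8 AWL                    AWL: From: address is in the auto white-list
"""

# Constructed, abridged sample: a peer's report on the same message.
PEER_REPORT = """\
Content analysis details:   (31.0 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.5 URIBL_CNKR             Contains a URL listed in China/Korea
 0.5 URIBL_SBL_XBL          Contains a URL listed in the SBL-XBL DNSBL
 5.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
 5.0 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
 5.0 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 0.5 URIBL_MP_RHSBL         Contains a URL listed in the MP RHSBL
 5.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
 0.5 URIBL_SS_RHSBL         Contains a URL listed in the SS RHSBL
 0.2 DRUGS_ERECTILE         Refers to an erectile drug
 1.2 MURTY_BADCHARS         Single Characters
"""


def parse_report(text):
    """Extract total, threshold and {rule: score} from a 'Content analysis' report."""
    totals = TOTALS.search(text)
    if totals is None:
        raise ValueError("no '(N points, M required)' line found")
    rules = {name: float(score) for score, name in RULE_LINE.findall(text)}
    return {"total": float(totals.group(1)),
            "required": float(totals.group(2)),
            "rules": rules}


def compare(local, peer):
    """Rules only one side hit, plus shared rules scored differently."""
    mine, theirs = local["rules"], peer["rules"]
    shared = sorted(set(mine) & set(theirs))
    return {
        "missing_locally": sorted(set(theirs) - set(mine)),
        "local_only": sorted(set(mine) - set(theirs)),
        "score_drift": {r: (mine[r], theirs[r])
                        for r in shared if mine[r] != theirs[r]},
    }


def missing_network_rules(diff, prefixes=("URIBL_", "RCVD_IN_")):
    """Missing rules that depend on DNS lookups (prefix heuristic, assumed)."""
    return [r for r in diff["missing_locally"] if r.startswith(prefixes)]


def lost_points(diff, peer):
    """Points the missing network rules contributed on the peer system."""
    return sum(peer["rules"][r] for r in missing_network_rules(diff))


if __name__ == "__main__":
    local, peer = parse_report(LOCAL_REPORT), parse_report(PEER_REPORT)
    diff = compare(local, peer)
    print("network rules not firing locally:", missing_network_rules(diff))
    print("points they were worth to the peer:", lost_points(diff, peer))
    print("same rule, different score:", diff["score_drift"])
```

Missing network rules point at DNS or plugin configuration, while entries under `score_drift` only reflect different score sets or local overrides.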


Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Jack L. Stone
At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
>Well, just for grins I ran it here:
>
>Content analysis details:   (11.3 points, 4.6 required)
>
> pts rule name  description
> -- 
>--
> 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
> 0.3 SARE_WEOFFER   BODY: Offers Something
> 1.8 LOCAL_OBFU_VIAGRA  BODY: Obfuscated 'VIAGRA' in body
> 1.8 LOCAL_OBFU_TADALAFIL   BODY: Obfuscated 'TADALAFIL' in body
> 1.8 LOCAL_OBFU_CIALIS  BODY: Obfuscated 'CIALIS' in body
> 0.0 BAYES_50   BODY: Bayesian spam probability is 50 to 56%
>[score: 0.5418]
> 1.0 DRUGS_ERECTILE Refers to an erectile drug
> 2.0 NOT_TO_ME  Mail is not addressed to me
>
>You wouldn't have the last one, so should have only gotten 9.3.  This is on
>2.64.
>

and, for laughs, here on sa-3.0.2 and got a very high score:

--
Content analysis details:   (31.0 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MISSING_HEADERS        Missing To: header
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.5 URIBL_CNKR             Contains a URL listed in China/Korea
                            [URIs: aujobs.net]
 0.5 URIBL_SBL_XBL          Contains a URL listed in the SBL-XBL DNSBL
                            [URIs: aujobs.net]
 5.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: aujobs.net]
 5.0 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: aujobs.net]
 5.0 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: aujobs.net]
 0.5 URIBL_MP_RHSBL         Contains a URL listed in the MP RHSBL
                            [URIs: aujobs.net]
 5.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: aujobs.net]
 0.5 URIBL_SS_RHSBL         Contains a URL listed in the SS RHSBL
                            [URIs: aujobs.net]
 1.2 MISSING_SUBJECT        Missing Subject: header
 0.2 DRUGS_ERECTILE         Refers to an erectile drug
 1.0 MURTY_BADWORDS2        Words ending with numbers
 1.2 MURTY_BADWORDS3        Words with numbers in the middle
 0.5 MURTY_BADWORDS4        Words with special symbols
 1.2 MURTY_BADCHARS         Single Characters


Happy trails,
Jack L. Stone

System Admin
Sage-american


RE: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Darren Coleman
Hi Loren,

Firstly, thanks for your help.

I have searched around rulesemporium without much success trying to find
these LOCAL_OBFU_* rules.  I don't suppose you could tell me the
filename that they occur in could you? (I assume they will be in
/etc/mail/Spamassassin or wherever your local.cf file is for your
install).

Thanks,

Darren


> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: 12 January 2005 12:37
> To: users@spamassassin.apache.org
> Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of
RulesEmp
> rules
> 
> Well, just for grins I ran it here:
> 
> Content analysis details:   (11.3 points, 4.6 required)
> 
>  pts rule name  description
>  --
--
> --
> --
>  2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
>  0.3 SARE_WEOFFER   BODY: Offers Something
>  1.8 LOCAL_OBFU_VIAGRA  BODY: Obfuscated 'VIAGRA' in body
>  1.8 LOCAL_OBFU_TADALAFIL   BODY: Obfuscated 'TADALAFIL' in body
>  1.8 LOCAL_OBFU_CIALIS  BODY: Obfuscated 'CIALIS' in body
>  0.0 BAYES_50   BODY: Bayesian spam probability is 50 to
56%
> [score: 0.5418]
>  1.0 DRUGS_ERECTILE Refers to an erectile drug
>  2.0 NOT_TO_ME  Mail is not addressed to me
> 
> You wouldn't have the last one, so should have only gotten 9.3.  This
is
> on
> 2.64.
> 
> I'm not sure where the 'local' rules came from, but I expect that they
are
> some of the 'other rules' on the rulesemporium site.
> 
> Loren



RE: [SPAM-TAG] Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Darren Coleman
Thanks all.  I did think SURBL was enabled but obviously it isn't.

Loren: I will also have a look at additional rules that I may have
missed.

Thanks again.

Daz


> -Original Message-
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: 12 January 2005 12:08
> To: Spamassassin
> Subject: Re: [SPAM-TAG] Lots of spam being missed with SA 3.0.2 + lots
of
> RulesEmp rules
> 
> On Wednesday, January 12, 2005, 3:20:17 AM, Darren Coleman wrote:
> > Hi,
> 
> > I'm running the latest version of SpamAssassin (3.0.2), with a
healthy
> > Bayes database (I believe) and pretty much all of the available
rules
> > from rulesemporium.com and I have noticed recently, particularly
from
> > comments from my users, that SA is missing a lot of clear spam.
> 
> > I have attached one for reference which scored only 4.0 on my system
> > despite having clear, unobfuscated references to two notable
erectile
> > dysfunction drugs.
> 
> > Can anyone tell me where I'm going wrong with this?
> 
> > Thanks,
> 
> > Darren
> 
> Try installing a current Net::DNS and enabling network tests.
> SURBL and other URIBL rules triggered on the URIs in
> your spam:
> 
>   URIBL_AB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
> 
> Those should be plenty to get them marked as spam.
> 
> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/



Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Martin Hepworth
Loren Wilton wrote:
> Well, just for grins I ran it here:
>
> Content analysis details:   (11.3 points, 4.6 required)
>
>  pts rule name                 description
> ---- ------------------------- --------------------------------------------------
>  2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
>  0.3 SARE_WEOFFER              BODY: Offers Something
>  1.8 LOCAL_OBFU_VIAGRA         BODY: Obfuscated 'VIAGRA' in body
>  1.8 LOCAL_OBFU_TADALAFIL      BODY: Obfuscated 'TADALAFIL' in body
>  1.8 LOCAL_OBFU_CIALIS         BODY: Obfuscated 'CIALIS' in body
>  0.0 BAYES_50                  BODY: Bayesian spam probability is 50 to 56%
>                                [score: 0.5418]
>  1.0 DRUGS_ERECTILE            Refers to an erectile drug
>  2.0 NOT_TO_ME                 Mail is not addressed to me
>
> You wouldn't have the last one, so should have only gotten 9.3.  This is on
> 2.64.
>
> I'm not sure where the 'local' rules came from, but I expect that they are
> some of the 'other rules' on the rulesemporium site.
>
> Loren

Loren

having gone through the pain* of upgrading from a very nice working 2.64
to 3.02 I suggest Jeff's idea of getting the URI checking installed is
the best way to proceed,

(*pain: lots of reading of this list, 2 days of testing, getting
ALL_TRUSTED turned off, bemoaning lower bayes scores etc etc. But in the
end I'm happy after 1st 26 hours of live running).

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300


Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Loren Wilton
Well, just for grins I ran it here:

Content analysis details:   (11.3 points, 4.6 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
 0.3 SARE_WEOFFER              BODY: Offers Something
 1.8 LOCAL_OBFU_VIAGRA         BODY: Obfuscated 'VIAGRA' in body
 1.8 LOCAL_OBFU_TADALAFIL      BODY: Obfuscated 'TADALAFIL' in body
 1.8 LOCAL_OBFU_CIALIS         BODY: Obfuscated 'CIALIS' in body
 0.0 BAYES_50                  BODY: Bayesian spam probability is 50 to 56%
                               [score: 0.5418]
 1.0 DRUGS_ERECTILE            Refers to an erectile drug
 2.0 NOT_TO_ME                 Mail is not addressed to me

You wouldn't have the last one, so should have only gotten 9.3.  This is on
2.64.

I'm not sure where the 'local' rules came from, but I expect that they are
some of the 'other rules' on the rulesemporium site.

Loren



Re: [SPAM-TAG] Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Jeff Chan
On Wednesday, January 12, 2005, 3:20:17 AM, Darren Coleman wrote:
> Hi,

> I'm running the latest version of SpamAssassin (3.0.2), with a healthy
> Bayes database (I believe) and pretty much all of the available rules
> from rulesemporium.com and I have noticed recently, particularly from
> comments from my users, that SA is missing a lot of clear spam.

> I have attached one for reference which scored only 4.0 on my system
> despite having clear, unobfuscated references to two notable erectile
> dysfunction drugs.

> Can anyone tell me where I'm going wrong with this?

> Thanks,

> Darren

Try installing a current Net::DNS and enabling network tests.
SURBL and other URIBL rules triggered on the URIs in
your spam:

  URIBL_AB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL

Those should be plenty to get them marked as spam.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
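
An added example, not part of the original post or of SpamAssassin's code: a sketch of the URI blocklist lookup behind the SURBL rule names listed above, run over the two links in the reported spam. The zone name `multi.surbl.org`, the bit values, and the stubbed DNS answer are assumptions made for illustration; `URIBL_SBL` uses a different lookup and is not modelled.

```python
import re
from urllib.parse import urlsplit

# Assumed zone and bit assignments for the combined SURBL list (not stated on this page).
SURBL_ZONE = "multi.surbl.org"
SURBL_BITS = {2: "URIBL_SC_SURBL", 4: "URIBL_WS_SURBL", 32: "URIBL_AB_SURBL"}

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def uri_domains(body):
    """Return the unique domains found in http(s) URIs, in order seen."""
    seen = []
    for uri in URI_RE.findall(body):
        host = (urlsplit(uri).hostname or "").rstrip(".").lower()
        # Simplification: keep the last two labels; a production filter uses
        # a list of two-level TLDs so that example.co.uk is handled correctly.
        domain = ".".join(host.split(".")[-2:])
        if domain and domain not in seen:
            seen.append(domain)
    return seen

def check_uribl(body, resolve, zone=SURBL_ZONE, bits=SURBL_BITS):
    """Map each URI domain to the rule names whose bit is set in the answer.

    resolve(name) returns an IPv4 string such as "127.0.0.38", or None
    when the name does not exist (domain not listed).
    """
    hits = {}
    for domain in uri_domains(body):
        answer = resolve(f"{domain}.{zone}")
        if answer is None or not answer.startswith("127.0.0."):
            continue  # not listed, or an answer that is not a list code
        mask = int(answer.rsplit(".", 1)[1])
        rules = sorted(name for bit, name in bits.items() if mask & bit)
        if rules:
            hits[domain] = rules
    return hits

# Constructed input: the two link lines from the reported spam, plus a stub
# resolver standing in for DNS with a made-up answer (2 + 4 + 32 = 38).
SAMPLE_BODY = ("You can get it at: http://aujobs.net/soft/\n"
               "No thanks: http://aujobs.net/rr.php\n")
STUB_DNS = {"aujobs.net.multi.surbl.org": "127.0.0.38"}

def stub_resolve(name):
    return STUB_DNS.get(name)

if __name__ == "__main__":
    print(check_uribl(SAMPLE_BODY, stub_resolve))
```

Both links collapse to one domain and therefore one DNS query. The lookup depends only on the URI, not on the message wording, so it still applies when the body text gives the content rules and Bayes little to score.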



Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Darren Coleman
Hi,

I'm running the latest version of SpamAssassin (3.0.2), with a healthy
Bayes database (I believe) and pretty much all of the available rules
from rulesemporium.com and I have noticed recently, particularly from
comments from my users, that SA is missing a lot of clear spam.

I have attached one for reference which scored only 4.0 on my system
despite having clear, unobfuscated references to two notable erectile
dysfunction drugs.

Can anyone tell me where I'm going wrong with this?

Thanks,

Darren

--- Begin Message ---
Hi!

We have a new product that we offer to you, C_I_A_L_I_S soft tabs,

Cialis Soft Tabs is the new impotence treatment drug that everyone is talking 
about.Soft Tabs acts up to 36 hours, compare this to only two or three hours
of Viagra action! The active ingredient is Tadalafil, same as in brand Cialis.

Simply disolve half a pill under your tongue, 10 min before sex, for the best 
erections you've ever had!

Soft Tabs also have less sidebacks (you can drive or mix alcohol drinks with 
them).

You can get it at: http://aujobs.net/soft/





No thanks: http://aujobs.net/rr.php

--- End Message ---