RE: Porn E-Mail
No really as it was marked as spam to begin with. It only scored 9.1 because of AWL...

* -20 AWL AWL: From: address is in the auto white-list

Are you trying to skew my bayes or something :).

Gary

> -----Original Message-----
> From: Matt [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 28, 2005 5:23 AM
> To: [EMAIL PROTECTED]
> Subject: [Suspected SPAM] Porn E-Mail
>
> Has anyone noticed lately a higher than normal amount of porn spam
> getting through? I've seen a lot of it that seems to be hitting the
> customer base as of late.. marked only by the SURBL... but those that
> aren't SURBLed yet.. get through with a score of like 2.3
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 8629 invoked by uid 509); 26 Feb 2005 15:18:08 -
> Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from
> <[EMAIL PROTECTED]>, uid 503) with qmail-scanner-1.23
> (spamassassin: 2.64.
> Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):.
> Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -
> X-Spam-Status: No, hits=2.1 required=4.5
> X-Spam-Level: ++
> Received: from p7146-ipad04yosida.nagano.ocn.ne.jp ([220.104.187.146])
> (envelope-sender <[EMAIL PROTECTED]>)
> by 0 (qmail-ldap-1.03) with SMTP
> for <[EMAIL PROTECTED]>; 26 Feb 2005 15:18:02 -
> Received: from frxsgmnq.area.trieste.it (mail2.area.trieste.it
> [151.11.128.151])
> by p7146-ipad04yosida.nagano.ocn.ne.jp with esmtp
> id 98CA9A8736 for <[EMAIL PROTECTED]>; Sat, 26 Feb 2005 07:17:59
> -0800
> Message-ID: <[EMAIL PROTECTED]>
> From: "Lithest T. Helper" <[EMAIL PROTECTED]>
> To: Adelewilcox <[EMAIL PROTECTED]>
> Subject: Excuse me... :)
> Date: Sat, 26 Feb 2005 07:17:59 -0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_NextPart_000_0011_582242D6.106C5F2A"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> X-RAV-Antivirus: This e-mail has been scanned for viruses on host:
> p7146-ipad04yosida.nagano.ocn.ne.jp
RE: Porn E-Mail
Ditto on this as well. New rules coming out for those. Funny, but the ninjas are excited we get to work on some spam again ;) We get bored without someone to assassinate.

--Chris

-----Original Message-----
From: Arie Kachler [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 3:31 PM
To: Matt
Cc: Chris Santerre; [EMAIL PROTECTED]
Subject: Re: Porn E-Mail

We are getting a ridiculous amount of spam related to cheap stocks lately. Spam has definitely increased recently. Some customers are calling us asking if we have spam filters, even though our Spamassassin is blocking about 90-95% of all emails coming to our servers.

I remember the days when we activated our Spamassassin servers and got 1-2 spams per day, after getting a few hundred.

Arie

Matt wrote:

> As just an aside.. has anyone noticed a more massive amount of spam lately than normal? Seems in gmail as well as my ISP I am logging a whole lot more spam than normal.
>
> On Mon, 28 Feb 2005 14:10:16 -0500, Chris Santerre <[EMAIL PROTECTED]> wrote:
>
> > > Has anyone noticed lately a higher than normal amount of porn spam getting through? I've seen a lot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet.. get through with a score of like 2.3
> >
> > Yup. New SARE rule coming soon. We had been waiting on testing results. Results good. Look for updates soon.
> >
> > --Chris
Re: Porn E-Mail
We are getting a ridiculous amount of spam related to cheap stocks lately. Spam has definitely increased recently. Some customers are calling us asking if we have spam filters, even though our Spamassassin is blocking about 90-95% of all emails coming to our servers.

I remember the days when we activated our Spamassassin servers and got 1-2 spams per day, after getting a few hundred.

Arie

Matt wrote:

> As just an aside.. has anyone noticed a more massive amount of spam lately than normal? Seems in gmail as well as my ISP I am logging a whole lot more spam than normal.
>
> On Mon, 28 Feb 2005 14:10:16 -0500, Chris Santerre <[EMAIL PROTECTED]> wrote:
>
> > > Has anyone noticed lately a higher than normal amount of porn spam getting through? I've seen a lot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet.. get through with a score of like 2.3
> >
> > Yup. New SARE rule coming soon. We had been waiting on testing results. Results good. Look for updates soon.
> >
> > --Chris
Re: Porn E-Mail
As just an aside.. has anyone noticed a more massive amount of spam lately than normal? Seems in gmail as well as my ISP I am logging a whole lot more spam than normal.

On Mon, 28 Feb 2005 14:10:16 -0500, Chris Santerre <[EMAIL PROTECTED]> wrote:
>
> >Has anyone noticed lately a higher than normal amount of porn spam
> >getting through? I've seen a lot of it that seems to be hitting the
> >customer base as of late.. marked only by the SURBL... but those that
> >aren't SURBLed yet.. get through with a score of like 2.3
> >
>
> Yup. New SARE rule coming soon. We had been waiting on testing results.
> Results good. Look for updates soon.
>
> --Chris
RE: Porn E-Mail
>Has anyone noticed lately a higher than normal amount of porn spam
>getting through? I've seen a lot of it that seems to be hitting the
>customer base as of late.. marked only by the SURBL... but those that
>aren't SURBLed yet.. get through with a score of like 2.3
>

Yup. New SARE rule coming soon. We had been waiting on testing results. Results good. Look for updates soon.

--Chris
Re: Porn E-Mail
Hrmm well that could do it:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
 0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message

Hrmm.. yet in my local.cf file I have:

rewrite_subject 1
#report_header 1
#defang_mime 0
required_hits 4.5
use_bayes 1
auto_learn 1

Why would bayes not have kicked in there?
Re: Porn E-Mail
Matt wrote:

> Hrmm well that could do it:
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
>  0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>
> Hrmm.. yet in my local.cf file I have:
>
> rewrite_subject 1
> #report_header 1
> #defang_mime 0
> required_hits 4.5
> use_bayes 1
> auto_learn 1
>
> Why would bayes not have kicked in there?

Well, Bayes won't provide a score if it doesn't find enough tokens in the email that it has seen and scored before. You may want to manually feed a bunch of these through sa-learn. Meanwhile, you may want to take up Shawn's suggestion to make sure they stop getting through.
RE: Porn E-Mail
If you are running the 70_SARE_HTML1.CF file, increase the value of SARE_HTML_A_HIDE in your local.cf... this spammer always hits this rule. I've been doing this for several months now, with no false positives. I've set mine to 3 points (5 required).

HTH,
Shawn

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 8:23 AM
To: [EMAIL PROTECTED]
Subject: Porn E-Mail

Has anyone noticed lately a higher than normal amount of porn spam getting through? I've seen a lot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet.. get through with a score of like 2.3

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 8629 invoked by uid 509); 26 Feb 2005 15:18:08 -
Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from <[EMAIL PROTECTED]>, uid 503) with qmail-scanner-1.23
 (spamassassin: 2.64.
 Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):.
 Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -
X-Spam-Status: No, hits=2.1 required=4.5
X-Spam-Level: ++
Received: from p7146-ipad04yosida.nagano.ocn.ne.jp ([220.104.187.146])
 (envelope-sender <[EMAIL PROTECTED]>)
 by 0 (qmail-ldap-1.03) with SMTP
 for <[EMAIL PROTECTED]>; 26 Feb 2005 15:18:02 -
Received: from frxsgmnq.area.trieste.it (mail2.area.trieste.it [151.11.128.151])
 by p7146-ipad04yosida.nagano.ocn.ne.jp with esmtp
 id 98CA9A8736 for <[EMAIL PROTECTED]>; Sat, 26 Feb 2005 07:17:59 -0800
Message-ID: <[EMAIL PROTECTED]>
From: "Lithest T. Helper" <[EMAIL PROTECTED]>
To: Adelewilcox <[EMAIL PROTECTED]>
Subject: Excuse me... :)
Date: Sat, 26 Feb 2005 07:17:59 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0011_582242D6.106C5F2A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: p7146-ipad04yosida.nagano.ocn.ne.jp

This is a multi-part message in MIME format.

--=_NextPart_000_0011_582242D6.106C5F2A
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Well well well!
http://kytheras.com/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg==.htm
Oversleeping will never make one's dreams come true.
Shalai po
http://kytheras.com/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg==.html

--=_NextPart_000_0011_582242D6.106C5F2A
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

How're you doing?
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg=3d=3d=2ehtm"; target=3d"ensemble">
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/ZVXw/BdqV=2ejpeg"; alt=3d"mundanes" border=3d'0'>
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg=3d=3d=2ejpg"; border=3d'0'>
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/TWRXIoLhNa/HJb5FTKL/ccc6dWo=2egif"; border=3d0>
Khudaa haafizWarayna
I have a feeling this is destiny=2e [On the eve of her third marriage] Man in general, if reduced to himself, is too wicked to be free=2eRemember, every time you open your mouth to talk, your mind walks out and parades up and down the words=2eThe most splendid achievement of all is the constant striving to surpass yourself and to be worthy of your own approval=2eThere are only two ways of getting on in the world: by one's own industry, or by the stupidity of others=2e A lot of good arguments are spoiled by some fool who knows what he is talking about=2eIt is always sound business to take any obtainable net gain, at any cost and at any risk to the rest of the community=2e There is a time to take counsel of your fears, and there is a time to never listen to your fear=2eDon't change horses while crossing a stream=2eI dream of you to wake would that I might Dream of you and not wake but slumber on=2e=2e=2eSome of these people need ten years of therapy --ten sentences of mine do not equal ten years of therapy=2e No great thing is created suddenly=2eShelving hard decisions is the least ethical course=2e Read nothing that you do not care to remember, and remember nothing you do not mean to use=2e Perhaps all artists were, in a sense, housewives: tenders of the earth household=2eThe noblest search is the search for excellence=2eComedy is simply a funny way of being serious=2eThe construction of life is at present in the power of facts far more than convictions=2e
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/oWenQK=2ehtml"; target=3d"heartbeat">
http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/nb0=2egif"; border=3d0>

--=_NextPart_000_0011_582242D6.106C5F2A--
Re: Porn E-Mail
This hits 22 points on my install. If you ignore all of the BLs and Razor, it's still getting over 5 hits. Of course, if you ignore Bayes, then it's down to about 2 points.

Which rules did this hit on your install? The headers don't say.

Content analysis details: (22.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 LOCAL_DUMB_NAME        From: Contains a name with an initial
 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9145]
 0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [220.104.187.146 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [220.104.187.146 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [220.104.187.146 listed in combined.njabl.org]
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: kytheras.com]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: kytheras.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: kytheras.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: kytheras.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: kytheras.com]

Matt wrote:

> Has anyone noticed lately a higher than normal amount of porn spam getting through? I've seen a lot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet..
> get through with a score of like 2.3
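
Added example, not part of the thread and not SpamAssassin code: a short Python script that re-adds the per-rule scores from the 22.2-point report in the last message to check the what-if totals given there (without the blocklist and Razor hits, and then without Bayes as well). The rows are copied from that report with the descriptions dropped; grouping rules by name prefix (RCVD_IN_, URIBL_, RAZOR2_, BAYES_) is an assumption made for this example.

```python
import re

# Report rows copied from the "Content analysis details" posted in the thread
# (descriptions dropped; only the score and rule name are needed here).
REPORT = """\
 0.8 LOCAL_DUMB_NAME
 1.3 SARE_HOUSEWIVES
 3.0 BAYES_80
 0.0 HTML_40_50
 0.0 HTML_MESSAGE
 0.1 RAZOR2_CF_RANGE_51_100
 0.0 MIME_QP_LONG_LINE
 1.5 RAZOR2_CHECK
 2.0 RCVD_IN_SORBS_DUL
 3.1 RCVD_IN_XBL
 0.1 RCVD_IN_NJABL_DUL
 1.0 URIBL_SBL
 0.4 URIBL_AB_SURBL
 1.5 URIBL_WS_SURBL
 3.2 URIBL_OB_SURBL
 4.3 URIBL_SC_SURBL
"""

ROW = re.compile(r"^\s*(-?\d+\.\d)\s+([A-Z0-9_]+)", re.M)
NETWORK = ("RCVD_IN_", "URIBL_", "RAZOR2_")  # assumed grouping by name prefix

def category(rule):
    if rule.startswith(NETWORK):
        return "network"
    return "bayes" if rule.startswith("BAYES_") else "static"

def parse(report):
    """Return [(rule, tenths)]; scores kept as integer tenths to avoid float drift."""
    return [(name, round(float(pts) * 10)) for pts, name in ROW.findall(report)]

def score_without(rows, *ignored):
    """Total in points when every rule in the ignored categories is skipped."""
    return sum(t for name, t in rows if category(name) not in ignored) / 10

def verdicts(report, required):
    rows = parse(report)
    cases = {"all tests": (), "no network tests": ("network",),
             "no network, no Bayes": ("network", "bayes")}
    return {label: (score_without(rows, *ign), score_without(rows, *ign) >= required)
            for label, ign in cases.items()}

if __name__ == "__main__":
    for label, (pts, spam) in verdicts(REPORT, 5.0).items():
        print(f"{label:22} {pts:5.1f}  {'SPAM' if spam else 'ham'}")
```

The rows as displayed add up to 22.3 against the 22.2 in the report header (per-rule scores are shown to one decimal place). With the network tests removed the message sits at 5.1, just over the 5.0 threshold, and without Bayes it drops to 2.1, the same score as the hits=2.1 in the original headers.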