Re: SARE suggestion

2005-03-29 Thread jdow
From: "Robert Menschel" <[EMAIL PROTECTED]>

> Hello jdow,
> 
> Friday, March 25, 2005, 3:29:04 AM, you wrote:
> 
> j> It seems there are a lot of anti-spam headers which if they are seen
> j> on incoming email is a fairly good indication that the message is
> j> spam. Kaspersky Anti-Spam is one such puppy with its often appearing
> j> X-Spamtest-Munged-Info header. That appears in exactly one folder on
> j> my system with a 3 gigabyte mail corpus, the Spam directory.
> 
> j> Now, it may be that on a given system spam may get filtered twice
> j> So a SARE rule set with all known anti-spam headers in it with a
> j> clearly delineated set of score overrides that can be uncommented
> j> is called for. That way somebody stuck behind a KAS system who runs
> j> his own spamassassin can still use the rule with the X-SpamTest-Info
> j> score set to zero. Most users will simply leave the rule on with a
> j> fairly secure medium to high score and capture a large chunk of spam
> j> very reliably.
> 
> Good suggestion.
> 
> Since we SARE Ninjas are obviously "stuck behind" SA systems, we don't
> often see these additional headers.  If you (and others) can send
> sample headers to me, [EMAIL PROTECTED], or [EMAIL PROTECTED],
> I'll collect them, validate them through mass-checks, and hopefully
> come out with a "antispamspam" (?) rules file. (Or maybe this should
> be a new file inside the 70_sare_header*.cf family?)
> 
> Bob Menschel

The chief trick here is to be able to turn off the individual tests for
a specific anti-spam engine if they are likely to be seen internally
as from trips through two traps in series.

{^_^}



Re: SARE suggestion

2005-03-29 Thread jdow
From: "Andy Jezierski" <[EMAIL PROTECTED]>

> Chris Santerre <[EMAIL PROTECTED]> wrote on 03/28/2005
> 10:44:41 AM:
>
> >
> >
> > >-Original Message-
> > >From: jdow [mailto:[EMAIL PROTECTED]
> > >Sent: Friday, March 25, 2005 6:29 AM
> > >To: users@spamassassin.apache.org
> > >Subject: SARE suggestion
> > >
> > >
> > >It seems there are a lot of anti-spam headers which if they are seen
> > >on incoming email is a fairly good indication that the message is
> > >spam. Kaspersky Anti-Spam is one such puppy with its often appearing
> > >X-Spamtest-Munged-Info header. That appears in exactly one folder on
> > >my system with a 3 gigabyte mail corpus, the Spam directory.
> > >
> [snip]
> > Interesting idea. Can everyone send whatever header examples they have? I'll
> > gather together and run a set to test.
> >
> > --Chris
>
> Hmmm, I checked my spamtraps and out of 2800 messages I only found one
> message that had any spamtest headers in it.  But here you go:
>
> X-SpamTest-Info: Profile: Formal (167/041185)
> X-SpamTest-Info: Profile: Detect Hard No RBL (4/030500)
>
>
> Andy

X-SpamTest-Info is sufficient. There seem to be several different
strings that typically follow it.
{^_^}
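
The rule set proposed in this thread, with a per-engine override and a small mass-check tally, as an added example that is not part of any message here and is not SARE's own code. The header names come from the thread; the rule names, the 2.5 score and the sample messages are constructed assumptions.

```python
from email import message_from_string

# Header names come from the thread; rule names and scores are hypothetical.
RULES = {
    "XHDR_KAS_INFO": ("X-SpamTest-Info", 2.5),
    "XHDR_KAS_MUNGED": ("X-Spamtest-Munged-Info", 2.5),
}

def score_message(raw, overrides=None):
    """Return (total_score, hit_rule_names) for one raw message.

    overrides maps rule name -> score. A score of 0 disables the rule,
    which is what a site sitting behind that engine would configure.
    """
    overrides = overrides or {}
    msg = message_from_string(raw)
    total, hits = 0.0, []
    for name, (header, default) in RULES.items():
        score = overrides.get(name, default)
        if score == 0:
            continue                      # rule switched off locally
        if msg.get(header) is not None:   # header-name match is case-insensitive
            hits.append(name)
            total += score
    return total, hits

def mass_check(corpus, overrides=None):
    """Tally rule hits per label over an iterable of (label, raw_message)."""
    tally = {name: {"spam": 0, "ham": 0} for name in RULES}
    for label, raw in corpus:
        for name in score_message(raw, overrides)[1]:
            tally[name][label] += 1
    return tally

def _msg(*headers):
    """Build a constructed sample message with the given extra headers."""
    base = ("From: sender@example.com", "Subject: test")
    return "\n".join(base + headers) + "\n\nbody\n"

# Constructed corpus. The last entry models ham that passed through a
# local KAS hop, i.e. the "two traps in series" case.
CORPUS = [
    ("spam", _msg("X-SpamTest-Info: Profile: Formal (167/041185)",
                  "X-SpamTest-Info: Profile: Detect Hard No RBL (4/030500)")),
    ("spam", _msg("x-spamtest-munged-info: constructed value")),
    ("ham", _msg()),
    ("ham", _msg("X-SpamTest-Info: Profile: Formal (167/041185)")),
]

if __name__ == "__main__":
    print(mass_check(CORPUS))
    print(mass_check(CORPUS, {"XHDR_KAS_INFO": 0}))
```

With the default scores the ham that crossed a local KAS hop is counted as a hit; with the override for that one engine set to 0 it is not, while the other rule keeps firing.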




RE: SARE suggestion

2005-03-29 Thread Loren Wilton
I've got about a dozen spams that have that exact header pair.  I've never seen 
it anywhere else.  It is a relatively recent thing to be seeing.

  Loren

-Original Message-
From: Andy Jezierski <[EMAIL PROTECTED]>
Sent: Mar 28, 2005 9:25 AM
To: users@spamassassin.apache.org
Subject: RE: SARE suggestion

Chris Santerre <[EMAIL PROTECTED]> wrote on 03/28/2005 
10:44:41 AM:

> 
> 
> >-Original Message-
> >From: jdow [mailto:[EMAIL PROTECTED]
> >Sent: Friday, March 25, 2005 6:29 AM
> >To: users@spamassassin.apache.org
> >Subject: SARE suggestion
> >
> >
> >It seems there are a lot of anti-spam headers which if they are seen
> >on incoming email is a fairly good indication that the message is
> >spam. Kaspersky Anti-Spam is one such puppy with its often appearing
> >X-Spamtest-Munged-Info header. That appears in exactly one folder on
> >my system with a 3 gigabyte mail corpus, the Spam directory.
> >
[snip]
> Interesting idea. Can everyone send whatever header examples they have? I'll
> gather together and run a set to test.
> 
> --Chris 

Hmmm, I checked my spamtraps and out of 2800 messages I only found one 
message that had any spamtest headers in it.  But here you go:

X-SpamTest-Info: Profile: Formal (167/041185)
X-SpamTest-Info: Profile: Detect Hard No RBL (4/030500)


Andy


Re: SARE suggestion

2005-03-29 Thread Robert Menschel
Hello jdow,

Friday, March 25, 2005, 3:29:04 AM, you wrote:

j> It seems there are a lot of anti-spam headers which if they are seen
j> on incoming email is a fairly good indication that the message is
j> spam. Kaspersky Anti-Spam is one such puppy with its often appearing
j> X-Spamtest-Munged-Info header. That appears in exactly one folder on
j> my system with a 3 gigabyte mail corpus, the Spam directory.

j> Now, it may be that on a given system spam may get filtered twice
j> So a SARE rule set with all known anti-spam headers in it with a
j> clearly delineated set of score overrides that can be uncommented
j> is called for. That way somebody stuck behind a KAS system who runs
j> his own spamassassin can still use the rule with the X-SpamTest-Info
j> score set to zero. Most users will simply leave the rule on with a
j> fairly secure medium to high score and capture a large chunk of spam
j> very reliably.

Good suggestion.

Since we SARE Ninjas are obviously "stuck behind" SA systems, we don't
often see these additional headers.  If you (and others) can send
sample headers to me, [EMAIL PROTECTED], or [EMAIL PROTECTED],
I'll collect them, validate them through mass-checks, and hopefully
come out with a "antispamspam" (?) rules file. (Or maybe this should
be a new file inside the 70_sare_header*.cf family?)

Bob Menschel





RE: SARE suggestion

2005-03-28 Thread Andy Jezierski

Chris Santerre <[EMAIL PROTECTED]>
wrote on 03/28/2005 10:44:41 AM:

> 
> 
> >-Original Message-
> >From: jdow [mailto:[EMAIL PROTECTED]
> >Sent: Friday, March 25, 2005 6:29 AM
> >To: users@spamassassin.apache.org
> >Subject: SARE suggestion
> >
> >
> >It seems there are a lot of anti-spam headers which if they are seen
> >on incoming email is a fairly good indication that the message is
> >spam. Kaspersky Anti-Spam is one such puppy with its often appearing
> >X-Spamtest-Munged-Info header. That appears in exactly one folder on
> >my system with a 3 gigabyte mail corpus, the Spam directory.
> >
[snip]
> Interesting idea. Can everyone send whatever header examples they have? I'll
> gather together and run a set to test.
> 
> --Chris 

Hmmm, I checked my spamtraps and out of 2800 messages I only found one
message that had any spamtest headers in it.  But here you go:

X-SpamTest-Info: Profile: Formal (167/041185)
X-SpamTest-Info: Profile: Detect Hard No RBL (4/030500)


Andy

RE: SARE suggestion

2005-03-28 Thread Chris Santerre


>-Original Message-
>From: jdow [mailto:[EMAIL PROTECTED]
>Sent: Friday, March 25, 2005 6:29 AM
>To: users@spamassassin.apache.org
>Subject: SARE suggestion
>
>
>It seems there are a lot of anti-spam headers which if they are seen
>on incoming email is a fairly good indication that the message is
>spam. Kaspersky Anti-Spam is one such puppy with its often appearing
>X-Spamtest-Munged-Info header. That appears in exactly one folder on
>my system with a 3 gigabyte mail corpus, the Spam directory.
>
>Now, it may be that on a given system spam may get filtered twice
>So a SARE rule set with all known anti-spam headers in it with a
>clearly delineated set of score overrides that can be uncommented
>is called for. That way somebody stuck behind a KAS system who runs
>his own spamassassin can still use the rule with the X-SpamTest-Info
>score set to zero. Most users will simply leave the rule on with a
>fairly secure medium to high score and capture a large chunk of spam
>very reliably.

Interesting idea. Can everyone send whatever header examples they have? I'll
gather together and run a set to test.

--Chris