Re: Whoa! 258.0 points score

2005-06-15 Thread Niek

On 6/15/2005 3:41 PM +0200, Chris Santerre wrote:
> What? You not running black.uribl.com? Shame on you ;) 


You mean multi.uribl.com

Niek Baakman



RE: Whoa! 258.0 points score

2005-06-15 Thread Chris Santerre

>blocklist
> [URIs: realhealthco.com]
>  0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
> [URIs: realhealthco.com redquality.info]
>  2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
> [URIs: realhealthco.com redquality.info]
>  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> [URIs: realhealthco.com redquality.info]
>  3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> [URIs: realhealthco.com redquality.info]
>  4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
> [URIs: realhealthco.com redquality.info]

>
>A few non-standard rules, but should still be way up there.
>
>Arvinn

What? You not running black.uribl.com? Shame on you ;) 

--Chris (Battlefield 2 demo is out!!! Wooot! No sleep for the monkey ninja!)


Re: Whoa! 258.0 points score

2005-06-15 Thread Arvinn Løkkebakken

Matt Kettler wrote:
> Toll, Eric wrote:
> > You can call me easily amused, as I haven't seen these rules
> > kick in before. Ok so 44 points isn't impressive when your
> > kill is at 7.1 ?
> >
> > Let's see some of _your_ high point hall-of-famers then,
> > after all caring means sharing   :)
>
> I'm on a semi-conservative scoring policy here (I often reduce the scores of
> SARE rules that I feel are scored too high, but I do use several SARE sets)
>
> So far this week's winner is:
>
> Jun 13 08:54:22 Message from 210.178.87.1 ([EMAIL PROTECTED]) to
> evi-inc.com is spam, SpamAssassin (score=53.467, required 5, autolearn=spam,
> AB_URI_RBL 1.00, BAYES_99 5.40, BIZ_TLD 0.10, BLACK_URI_RBL 2.00,
> DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 1.00, DRUGS_ERECTILE 1.00,
> DRUGS_ERECTILE_OBFU 1.50, GAPPY_SUBJECT 2.27, HTML_60_70 0.11, HTML_MESSAGE
> 0.10, INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, LOCAL_BACKHAIR 1.00,
> L_b_MaskedW0rdsc 1.00, MANY_EXCLAMATIONS 0.83, MIME_HTML_ONLY 0.32, OB_URI_RBL
> 2.10, RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05, RCVD_IN_BL_SPAMCOP_NET
> 1.50, RCVD_IN_CHINA_KR 2.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY
> 2.34, RCVD_IN_SORBS_HTTP 1.20, RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92,
> SARE_OBFU_CIALIS 3.10, SPAMCOP_URI_RBL 3.00, SUBJ_HAS_SPACES 4.10,
> SUBJ_HAS_UNIQ_ID 2.68, WS_URI_RBL 2.10)
>
> SA 2.64, Mail::SpamcopURI, razor, dcc and these rulesets:
>
> SARE and other web published sets:
>  antidrug.cf spamcop_uri.cf  uribl_uri.cf
>  70_sare_adult.cf 70_sare_specific.cf
>  70_sare_evilnum0.cf  71_sare_adult_rescore.cf
>  70_sare_evilnum1.cf  99_FVGT_Tripwire.cf   70_sare_obfu0.cf
>  99_sare_fraud_post25x.cf  70_sare_random.cf
>
> The following are hacked-up collections of rules from the list and other places:
>  fvgt.cf  blackholes_us.cf  german.cf
>  lotto.cf rolex.cf
>
> These are mostly local rules, but might have some from list rulesets mixed in:
>
>  bayes_ignore.cf  advert.cf  boca_raton.cf  evi_misc.cf  evi_comprules.cf
>  obfu.cf  local-virus.cf  local_spamrules.cf  local_comprules.cf
>  local-brazil.cf  local-info.cf local_porn.cf
>  spamtrap.cf  local.cf mkettler_custom.cf



53 is nothing ;) from this morning:

Wed, 15 Jun 2005 05:25:29 CEST:16528: SA: REPORT hits = 92.1/5.0
 2.9 UNRESOLVED_TEMPLATE    Headers contain an unresolved template
 3.5 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
 4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 3.4 RATWARE_RCVD_AT        Bulk email fingerprint (Received @) found
 5.0 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 4.2 X_MESSAGE_INFO         Bulk email fingerprint (X-Message-Info) found
 0.7 SUBJ_ALL_CAPS          Subject is all capitals
 3.1 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: Please see http://spf.pobox.com/why.html?sender=rr.com&ip=24.90.77.97&receiver=mailscan3.newmedia.no]
 2.3 MANGLED_DISCNT         BODY: mangled discount
 2.5 MANGLED_CIALIS         BODY: mangled Cialis
 2.3 MANGLED_MEDCTN         BODY: mangled medication(s)
 0.6 J_CHICKENPOX_23        BODY: 2alpha-pock-3alpha
 2.3 MANGLED_SATISF         BODY: mangled satisfaction
 2.5 MANGLED_XANAX          BODY: mangled xanax
 0.6 J_CHICKENPOX_101       BODY: 10alpha-pock-1alpha
 2.5 MANGLED_VALIUM         BODY: mangled valium
 0.6 J_CHICKENPOX_43        BODY: 4alpha-pock-3alpha
 0.0 HTML_SHOUTING3         BODY: HTML has very strong "shouting" markup
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [24.90.77.97 listed in sbl-xbl.spamhaus.org]
 2.5 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [24.90.77.97 listed in dnsbl.sorbs.net]
 3.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            []
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 0.3 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 2.5 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [24.90.77.97 listed in combined.njabl.org]
 1.0 URIBL_SBL  

RE: Whoa! 258.0 points score

2005-06-14 Thread Bret Miller
> > Then when you realize that 214 points are due to SARE
> forged
> > ebay rules, it's not quite as impressive.
> >
> > Bret
> >
>
> You can call me easily amused, as I haven't seen these rules
> kick in before. Ok so 44 points isn't impressive when your
> kill is at 7.1 ?
>
>
> Let's see some of _your_ high point hall-of-famers then,
> after all caring means sharing   :)


OK, not my usual thing to really care about how high something scores.
Yesterday's apparent top scorer had a score of 62.5 and hit these rules:

X-Spam-Tests: tests=BAYES_99=3,DRUGS_DIET=0.001,DRUGS_ERECTILE=0.216,
    DRUGS_ERECTILE_OBFU=0.877,DRUGS_MANYKINDS=0,DRUGS_MUSCLE=0.001,
    DRUGS_PAIN=0.126,DRUGS_SLEEP=0.001,DRUGS_SLEEP_EREC=3.34,
    FORGED_YAHOO_RCVD=2.7,FUZZY_CPILL=1,FUZZY_MEDICATION=1,FUZZY_VALIUM=1,
    FUZZY_VPILL=1,FUZZY_XPILL=1,HEADER_SPAM=1,HTML_40_50=0.035,
    HTML_FONT_BIG=0.142,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.137,
    HTML_SHOUTING3=0.019,J_CHICKENPOX_101=0.6,J_CHICKENPOX_23=0.6,
    J_CHICKENPOX_43=0.6,MIME_BAD_ISO_CHARSET=1,MIME_BOUND_DD_DIGITS=4.139,
    MIME_HTML_ONLY=0.177,MIME_HTML_ONLY_MULTI=2.443,MPART_ALT_DIFF=0.066,
    NO_PRESCRIPTION=1,RCVD_IN_DSBL=3.805,RCVD_IN_MXRATE_BL=2,
    RCVD_IN_NJABL_DUL=0.088,RCVD_IN_NJABL_PROXY=0.438,
    RCVD_IN_SORBS_HTTP=0.043,RCVD_IN_SORBS_SOCKS=0.338,REPTO_QUOTE_YAHOO=1,
    SARE_OBFU_CIALIS=3.1,SARE_OBFU_MEDS=2.444,SARE_OBFU_VIAGRA=1.666,
    SARE_OBFU_XANAX=2.222,SARE_RECV_SPEEDY_AR=1.072,SUBJECT_FUZZY_TION=1,
    SUBJ_ALL_CAPS=0.665,URIBL_AB_SURBL=0.417,URIBL_BLACK=3,URIBL_JP_SURBL=3,
    URIBL_OB_SURBL=3.213,URIBL_SC_SURBL=4.263,
    URIBL_WS_SURBL=1.462;autolearn=spam
X-Spam-Score: 62.5
X-Spam-Checker-Version: SpamAssassin 3.1.0-r179985 (2005-06-04) on
    mail.dmz.wcg.org

Lots of blacklists contributed to the high score, but there were plenty
of other interesting rules too...





Re: Whoa! 258.0 points score

2005-06-14 Thread Matt Kettler
Bret Miller wrote:
>>Take a look.  I think this is the highest I've seen in a
>>while. Fraud is a terrible thing.
> 
> 
> Then when you realize that 214 points are due to SARE forged ebay rules,
> it's not quite as impressive.

Agreed. The SARE forged rules intentionally have absurdly high scores to
counteract whitelists. Basically they immediately add 100 points to what they
feel the rule score should be.

The two forged rules account for 214 points of that 258 point score.

Thus, if those rules weren't +100 for whitelist counteracting purposes, the
message would have only scored 58, which is high, but not that high for a system
with lots of SARE rules.

(Adding SARE spam rules will bias your spam scores to be much higher than a
default install. It will also slightly increase your chance of FP, which is
acceptable to many people.)
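As an added illustration of the arithmetic Matt describes (this is example code written for this page, not code from the thread or from SpamAssassin), the following Python parses the two score listings that appear in this thread, the "Content analysis details" report table and the SpamAssassin 3.1 X-Spam-Tests header, totals the hits, and recomputes the score with the +100 whitelist-counteracting bump stripped from every rule that carries it. The sample inputs are constructed from rule names and scores quoted in the thread. Two assumptions are built in: a rule is treated as "bumped" when its score is 100 or more, and the bump is taken to be exactly 100 points (the size needed to override SpamAssassin's default USER_IN_WHITELIST score of -100). Neither is a SpamAssassin setting; they model the SARE convention as Matt states it.

```python
import re
from decimal import Decimal

# Constructed sample in the "Content analysis details" table that SpamAssassin
# puts in its report. Rule names and scores are a subset of the 258-point
# report quoted in this thread, wrapped the way a mail client wraps them; the
# indented continuation and "[...]" detail lines carry no points of their own.
SAMPLE_REPORT = """\
Content analysis details:   (258.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps
                            variant)
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 RCVD_IN_SBL_XBL        RBL: Received via a relay in Spamhaus SBL+XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
 104 SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
 110 FORGED_EBAY            FORGED_EBAY
 5.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
"""

# Constructed sample of the X-Spam-Tests header value that SpamAssassin 3.1
# emits (the form Bret Miller pasted), with a few rule=score pairs from it.
SAMPLE_TESTS_HEADER = (
    "tests=BAYES_99=3,DRUGS_SLEEP_EREC=3.34,FORGED_YAHOO_RCVD=2.7,"
    "URIBL_BLACK=3,URIBL_SC_SURBL=4.263;autolearn=spam"
)

# A scoring line starts with the points (possibly negative) followed by the
# rule name. Wrapped descriptions and "[...]" detail lines start with spaces
# and no number, so the pattern does not match them.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Za-z0-9_]*)\b")

# Assumption: a rule scoring at or above this carries the +100 bump that SARE
# adds to override whitelists. This is a heuristic for the convention the
# thread describes, not a SpamAssassin setting.
WHITELIST_COUNTER = Decimal(100)


def parse_report(text):
    """Return [(rule, score), ...] in report order from a report table."""
    hits = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append((m.group(2), Decimal(m.group(1))))
    return hits


def parse_tests_header(value):
    """Parse the 'tests=RULE=score,...;autolearn=...' X-Spam-Tests value."""
    body = value.split(";", 1)[0]          # drop ";autolearn=spam" and friends
    if body.startswith("tests="):
        body = body[len("tests="):]
    hits = []
    for item in body.split(","):
        rule, _, score = item.strip().partition("=")
        if rule and score:
            hits.append((rule, Decimal(score)))
    return hits


def score_breakdown(hits):
    """Total the hits, then recompute the score with the +100 whitelist bump
    removed from each rule that carries it, reproducing the thread's
    '258 - 2 x 100 = 58' reasoning."""
    total = sum((score for _, score in hits), Decimal(0))
    bumped = [rule for rule, score in hits if score >= WHITELIST_COUNTER]
    return {
        "total": total,
        "bumped_rules": bumped,
        "adjusted": total - WHITELIST_COUNTER * len(bumped),
    }


if __name__ == "__main__":
    for label, hits in (("report table", parse_report(SAMPLE_REPORT)),
                        ("X-Spam-Tests", parse_tests_header(SAMPLE_TESTS_HEADER))):
        b = score_breakdown(hits)
        print(f"{label}: {len(hits)} hits, total {b['total']}, "
              f"+100 rules {b['bumped_rules']}, adjusted {b['adjusted']}")
```

On the constructed report sample this reports a total of 227.8 with SARE_FORGED_EBAY and FORGED_EBAY flagged, and an adjusted 27.8 once the two bumps are removed; the same pass over the real 258-point report gives the 58 Matt arrives at. Decimal arithmetic is used so the totals match what SpamAssassin prints rather than drifting by floating-point noise.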




Re: Whoa! 258.0 points score

2005-06-14 Thread Matt Kettler
Toll, Eric wrote:

> 
> You can call me easily amused, as I haven't seen these rules
> kick in before. Ok so 44 points isn't impressive when your
> kill is at 7.1 ?
> 
> 
> Let's see some of _your_ high point hall-of-famers then,
> after all caring means sharing   :)

I'm on a semi-conservative scoring policy here (I often reduce the scores of
SARE rules that I feel are scored too high, but I do use several SARE sets)

So far this week's winner is:

Jun 13 08:54:22 Message from 210.178.87.1 ([EMAIL PROTECTED]) to
evi-inc.com is spam, SpamAssassin (score=53.467, required 5, autolearn=spam,
AB_URI_RBL 1.00, BAYES_99 5.40, BIZ_TLD 0.10, BLACK_URI_RBL 2.00,
DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 1.00, DRUGS_ERECTILE 1.00,
DRUGS_ERECTILE_OBFU 1.50, GAPPY_SUBJECT 2.27, HTML_60_70 0.11, HTML_MESSAGE
0.10, INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, LOCAL_BACKHAIR 1.00,
L_b_MaskedW0rdsc 1.00, MANY_EXCLAMATIONS 0.83, MIME_HTML_ONLY 0.32, OB_URI_RBL
2.10, RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05, RCVD_IN_BL_SPAMCOP_NET
1.50, RCVD_IN_CHINA_KR 2.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY
 2.34, RCVD_IN_SORBS_HTTP 1.20, RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92,
SARE_OBFU_CIALIS 3.10, SPAMCOP_URI_RBL 3.00, SUBJ_HAS_SPACES 4.10
, SUBJ_HAS_UNIQ_ID 2.68, WS_URI_RBL 2.10)

SA 2.64, Mail::SpamcopURI, razor, dcc and these rulesets:

SARE and other web published sets:
 antidrug.cf spamcop_uri.cf  uribl_uri.cf
 70_sare_adult.cf 70_sare_specific.cf
 70_sare_evilnum0.cf  71_sare_adult_rescore.cf
 70_sare_evilnum1.cf  99_FVGT_Tripwire.cf   70_sare_obfu0.cf
 99_sare_fraud_post25x.cf  70_sare_random.cf

The following are hacked-up collections of rules from the list and other places:
 fvgt.cf  blackholes_us.cf  german.cf
 lotto.cf rolex.cf

These are mostly local rules, but might have some from list rulesets mixed in:

 bayes_ignore.cf  advert.cf  boca_raton.cf  evi_misc.cf  evi_comprules.cf
 obfu.cf  local-virus.cf  local_spamrules.cf  local_comprules.cf
 local-brazil.cf  local-info.cf local_porn.cf
 spamtrap.cf  local.cf mkettler_custom.cf



RE: Whoa! 258.0 points score

2005-06-14 Thread Toll, Eric
> Subject: RE: Whoa! 258.0 points score
> 
> > Take a look.  I think this is the highest I've seen in a
> > while. Fraud is a terrible thing.
> 
> Then when you realize that 214 points are due to SARE forged
> ebay rules, it's not quite as impressive.
> 
> Bret
> 

You can call me easily amused, as I haven't seen these rules
kick in before. Ok so 44 points isn't impressive when your
kill is at 7.1 ?


Let's see some of _your_ high point hall-of-famers then,
after all caring means sharing   :)


Eric





RE: Whoa! 258.0 points score

2005-06-14 Thread Bret Miller
> Take a look.  I think this is the highest I've seen in a
> while. Fraud is a terrible thing.

Then when you realize that 214 points are due to SARE forged ebay rules,
it's not quite as impressive.

Bret


>
>
> The message has been quarantined as:
>   spam-bJacn2m5vocT.gz
>
> SpamAssassin report:
> Spam detection software, running on the system
> "rodan.vipstructures.com", has identified this incoming
> email as possible spam.  The original message has been
> attached to this so you can view it (if it isn't spam) or
> label similar future email.  If you have any questions, see
> [EMAIL PROTECTED] for details.
>
> Content preview:  eBay request: Pay your fees to eBay. Dear
> eBay
>   customer, Due to our new services you have to pay for your
> eBay fees.
>   You can pay with your credit/debit card. We will ask for
> your
>   credit/debit card only once. We will charge your account
> once per
>   month. However you will receive a confirmation request in
> about 24
>   hours after the credit/debit card is authorized.You have
> 24 hours from
>   the time you'll receive this e-mail to complete this eBay
> Request.
>   [...]
>
> Content analysis details:   (258.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.8 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
>  4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
>  0.7 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
>  1.0 MY_PHRS_MED            BODY: medium scoring phrases found
>  2.1 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>  0.2 IP_LINK_PLUS           URI: Dotted-decimal IP address followed by CGI
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
>  0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
>  0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  1.3 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
>                             [cf: 100]
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  2.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  0.6 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>  1.5 RCVD_IN_SBL_XBL        RBL: Received via a relay in Spamhaus SBL+XBL
>                             [62.193.213.212 listed in sbl-xbl.spamhaus.org]
>  3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [62.193.213.212 listed in sbl-xbl.spamhaus.org]
>  0.1 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
>                             [62.193.213.212 listed in sbl-xbl.spamhaus.org]
>  1.5 RCVD_IN_CBL            RBL: Received via a relay in cbl.abuseat.org
>                             [Blocked - see ]
>  0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
>  0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
>  0.3 MK_BAD_HTML_06         Bad HTML form.  Has an ending HTML tag and no beginning tag.
>  104 SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
>  0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
>  2.4 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
>  110 FORGED_EBAY            FORGED_EBAY
>  4.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
>  1.8 COMBO_IMAGEONLY1       Appears to be an image only message
>  5.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>
> - BEGIN HEADERS -
> Return-Path: <[EMAIL PROTECTED]>
> X-Greylist: Passed host: 62.193.213.212 whitelisted
> Received: from 62.193.213.212 (vds-355370.amen-pro.com
> [62.193.213.212])
>   by rodan.vipstructures.com (Postfix) with SMTP id
> 269731EE824
>   for <[EMAIL PROTECTED]>; Tue, 14 Jun 2005
> 13:31:24 -0400 (EDT)
> Received: from 196.69.72.84 by ; Tue, 14 Jun 2005 20:25:50
> +0200
> Message-ID: <[EMAIL PROTECTED]>
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Reply-To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Pay Your eBay Fees
> Date: Tue, 14 Jun 2005 16:29:50 -0200
> X-Mailer: Microsoft Outlook Express 5.00.2615.200
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="--3197286365277249"
> X-Priority: 1
> X-MSMail-Priority: High
> -- END HEADERS --
>
>