Re: OT: The highest score?
On Sunday 01 May 2005 04:49 pm, John Andersen wrote:
> On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
>> Hi all,
>> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)
>
> Since you can control the scores by setting the score for one or several tests, I just don't see how this is in any way meaningful. Most users adjust one or more scores to get rid of spam that creep in under the radar. There is no reason to suspect that exact same spam would get the same score for anyone else.

How about this one, actually there are two like this:

X-Spam-Status: Yes, score=132.2 required=5.0 tests=AWL,BAYES_99,DCC_CHECK,
	DIGEST_MULTIPLE,HTML_80_90,HTML_EVENT_UNSAFE,HTML_MESSAGE,
	HTML_MIME_NO_HTML_TAG,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,
	MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,
	NORMAL_HTTP_TO_IP,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
	RCVD_HELO_IP_MISMATCH,RCVD_IN_XBL,RCVD_NUMERIC_HELO,RM_t_bobbf,
	SARE_FORGED_EBAY,SPF_SOFTFAIL autolearn=disabled version=3.0.3
X-Spam-Pyzor: Reported 1 times.
X-Spam-Report:
	* 0.1 RM_t_bobbf Definate spam destination email address
	* 3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
	* 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
	* 0.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
	*     [SPF failed: Please see http://spf.pobox.com/why.html?sender=aw-confirm%40eBay.com&ip=212.118.20.121&receiver=cpollock.localdomain]
	* 2.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
	* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
	* 0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
	* 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
	* 0.0 HTML_MESSAGE BODY: HTML included in message
	* 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
	* 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
	*     [cf: 100]
	* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
	*     [score: 0.9992]
	* 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	* 0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing code
	* 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
	* 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
	* 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
	* 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
	*     [212.118.20.121 listed in sbl-xbl.spamhaus.org]
	* 0.1 DIGEST_MULTIPLE Message hits more than one network digest check
	* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
	* 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
	* 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
	* 0.4 AWL AWL: From: address is in the auto white-list

I can see though that I'm going to have to make an adjustment to my auto whitelist.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
19:23:23 up 6 days, 13:25, 2 users, load average: 1.37, 1.23, 0.75
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson
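As an added example that is not part of any message in this thread: a small Python parser for the X-Spam-Report format quoted above. It re-totals the per-rule scores, flags any single rule that on its own exceeds the required threshold (the 104-point SARE_FORGED_EBAY hit here), and re-totals after dropping a chosen local rule, the arithmetic behind "technically this should only have been 60.173". The report excerpt is constructed from scores quoted in the thread; the function names and the 5.0 threshold are assumptions.

```python
import re

# Constructed excerpt of an X-Spam-Report header in the shape quoted in this
# thread: "* <score> <RULE> <description>" per hit, with bracketed detail
# lines that carry no score.  Scores are taken from the quoted report.
REPORT = """\
* 3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
* 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*     [212.118.20.121 listed in sbl-xbl.spamhaus.org]
* 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
* 0.4 AWL AWL: From: address is in the auto white-list
"""

# score (possibly negative, possibly without a decimal part), rule name, rest
HIT = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Za-z0-9_]+)\s+(.*)$")


def parse_report(text):
    """Return [(rule, score), ...] from X-Spam-Report lines.

    Leading '>' quote markers and whitespace are stripped so a report pasted
    into a mail reply parses the same way; detail lines ("[cf: 100]") skip.
    """
    hits = []
    for raw in text.splitlines():
        m = HIT.match(raw.lstrip("> \t"))
        if m:
            hits.append((m.group(2), float(m.group(1))))
    return hits


def total(hits):
    """Sum of all hits, rounded the way SpamAssassin prints score=."""
    return round(sum(s for _, s in hits), 1)


def dominant_rules(hits, required=5.0):
    """Rules whose score alone reaches the required threshold.

    One such rule decides the verdict by itself, which is the situation the
    thread describes with SARE_FORGED_* and with the AWL drift that follows.
    """
    return [r for r, s in hits if s >= required]


def score_without(hits, excluded):
    """Re-total after removing local/custom rules (a set of rule names)."""
    return round(sum(s for r, s in hits if r not in excluded), 1)
```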
RE: OT: The highest score?
-----Original Message-----
From: Chris Lear [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 04, 2005 4:47 AM
To: users@spamassassin.apache.org
Subject: Re: OT: The highest score?

* Chris wrote (05/04/05 01:27):
> On Sunday 01 May 2005 04:49 pm, John Andersen wrote:
>> On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
> [...]
> * 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
> [...]

The SARE_FORGED_* rules are a good way to score over 100 points quickly. When I first installed SARE I had some very high-scoring *ham* (hitting SARE_FORGED_CITI. The SARE people don't work in the banking sector, it seems), and, as a result, some crazy AWL scores afterwards. I've removed the SARE forged rules now altogether, and most of the remaining spam scores under 50 (just one 52.9 yesterday).

Nope, no ninja in the bank industry. The black uniforms scare the tellers :)

However if you send the FP to us, we will try to fix it.

--Chris
Re: OT: The highest score?
Chris Lear wrote:
> I've removed the SARE forged rules now altogether, and most of the remaining spam scores under 50 (just one 52.9 yesterday).

Chris

Nope, no citibank here, just making a generic rule like the rest. If you give me some info on what's wrong with it, I'll gladly fix it.

Just after I said these rules haven't been touched in months, look what happens ;)

Thanks,
Re: OT: The highest score?
Roman Serbski wrote:
> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)

Bah. I've seen a few that scored ~55 with stock 2.64 scores. With SpamCopURI, and custom scores, they jumped to ~80. I *think* I found one that scored ~80 on the stock 2.64 scores once, but I'm not certain.

One weekend while I was particularly bored, I started putting together an uberspam that would trip as many stock 2.64 rules as possible. I got about a third of the way through the rules before stopping, and the score was pushing 300. <g>

-kgd
-- 
Get your mouse off of there! You don't know where that email has been!
Re: OT: The highest score?
Roman Serbski wrote:
> Hi all,
> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)

I hate to say it, but I've seen scores over 1000.0. All you need to do is include a GTUBE :)

USER_IN_BLACKLIST will also jack it up quite a bit with a +100 score.

GTUBE and blacklists aside, my highest spam score in recent history (past 4 weeks) was 45.74:

score=45.74, required 5, autolearn=spam, AB_URI_RBL 1.00, BAYES_99 5.40, DCC_CHECK 1.00, DRUGS_ERECTILE 1.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, INFO_GREYLIST_NOTDELAYED -0.01, JP_URI_RBL 1.00, LOCAL_RCVD_HELO_XIP 1.50, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, NO_DNS_FOR_FROM 1.65, OB_URI_RBL 2.10, RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05, RCVD_IN_CHINA_KR 2.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY 2.34, RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92, SARE_RAND_2V 1.50, SPAMCOP_URI_RBL 3.00, SUBJ_VIAGRA 4.10, VIAGRA_ONLINE 4.06, WS_URI_RBL 2.10, X_MESSAGE_INFO 2.00

But I tend to lean towards lowering rule scores from their defaults. I tend to find some SARE rules, etc. are a bit overly aggressive in scoring for my tastes.
Re: OT: The highest score?
Roman Serbski wrote:
> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)

Unfortunately I just purged the spamtraps, but that's what log files are for. Here's the highest one from this week:

Score: 63.173 BAYES_99 BIZ_TLD DOMAIN_RATIO FORGED_IMS_HTML FORGED_IMS_TAGS FORGED_MUA_IMS FORGED_YAHOO_RCVD FROM_ILLEGAL_CHARS HEAD_ILLEGAL_CHARS HTML_90_100 HTML_FORMACTION_MAILTO HTML_IMAGE_ONLY_20 HTML_IMAGE_RATIO_02 HTML_MESSAGE LOCAL_SURBL_MULTI MIME_HTML_ONLY MIME_HTML_ONLY_MULTI MISSING_MIMEOLE MPART_ALT_DIFF MSGID_SPAM_CAPS MSGID_YAHOO_CAPS RAZOR2_CF_RANGE_51_100 RAZOR2_CHECK RCVD_BY_IP RCVD_DOUBLE_IP_SPAM RCVD_HELO_IP_MISMATCH RCVD_IN_DSBL RCVD_IN_NJABL_PROXY RCVD_IN_NJABL_RELAY RCVD_IN_SORBS_HTTP RCVD_NUMERIC_HELO SUBJ_ILLEGAL_CHARS URIBL_OB_SURBL URIBL_SBL URIBL_WS_SURBL

The only custom rule in there is LOCAL_SURBL_MULTI, which adds an extra 3 points if 3 or more SURBLs fire. So technically this should only have been 60.173.

-- 
Kelson Vibber
SpeedGate Communications www.speed.net
Re: OT: The highest score?
I've seen one as high as 94.2, and it was a really short spam too. Funny how scoring works. 8*)

-Doc (SA/SARE/URIBL/SURBL - Stealth Ninja)

Roman Serbski wrote:
> Hi all,
> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)
>
> SA in action: ;-)
>
> Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: REPORT hits = 51.9/3.5
> 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
> 1.2 SUBJ_HAS_SPACES Subject contains lots of white space
> 3.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
> 3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
> 0.1 RCVD_BY_IP Received by mail server with no name
> 0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
> 2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
> 2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
> 0.5 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
> 0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
> 2.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has marquee tag
> 0.0 HTML_TEXT_AFTER_HTML BODY: HTML contains text after HTML close tag
> 0.1 HTML_TEXT_AFTER_BODY BODY: HTML contains text after BODY close tag
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
> 0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
> 0.8 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
> 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
> 0.0 HTML_SHOUTING3 BODY: HTML has very strong shouting markup
> 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
>     [cf: 100]
> 0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are non-standard
> 1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>     [score: 1.]
> 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing code
> 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
> 1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
>     [200.89.154.29 listed in dnsbl.sorbs.net]
> 0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
>     [200.89.154.29 listed in combined.njabl.org]
> 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
>     [200.89.154.29 listed in sbl-xbl.spamhaus.org]
> 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
>     [200.89.154.29 listed in dnsbl.sorbs.net]
> 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
>     [http://dsbl.org/listing?200.89.154.29]
> 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
>     [200.89.154.29 listed in combined.njabl.org]
> 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
>     [URIs: ourk2.com]
> 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
>     [URIs: ourk2.com]
> 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
>     [URIs: ourk2.com]
> 4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
> 0.6 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
> 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
> 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
> 0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
> 3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
> Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: yup, this smells like SPAM - hits=51.9 - rejecting message...
Re: OT: The highest score?
On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
> Hi all,
> What was the highest score you've ever seen? I received a message yesterday that was scored with 51.9(!). =)

Since you can control the scores by setting the score for one or several tests, I just don't see how this is in any way meaningful. Most users adjust one or more scores to get rid of spam that creep in under the radar. There is no reason to suspect that exact same spam would get the same score for anyone else.

-- 
John Andersen