Test and Keep spam
I got a flurry of these this morning, and they keep coming back. Has anyone come up with some good rules for these? Obviously both test and keep in the subject line. What else? The overall HTML structure looks pretty consistent, so perhaps something that matches on that pattern? I'm seeing a table that starts with a bunch of images and then a final paragraph. All the internal links have tracking numbers, but the numbers have some variation within a message. This might be a good candidate for a plugin.
Re: Test and Keep spam
Flurry of which? No attachment, at least here.

Loren
Re: Test and Keep spam
--On Monday, December 13, 2004 5:08 AM -0800 Loren Wilton [EMAIL PROTECTED] wrote:

> Flurry of which? No attachment, at least here.

Sorry, I see so many of these (5 a day or more) that I assume everyone's been flooded by them. Example attached.

---BeginMessage---
We're giving you this celebrated electronic declaration by requesting it to be sent or in a preceding period of time you were a customer of one of our numerous websites. If you don't want to be on this especially chosen electronic newsletter any more. Please Go here and make that happen.
---End Message---
Re: Test and Keep spam
On Monday 13 December 2004 16:58, Kenneth Porter might have typed:

> --On Monday, December 13, 2004 5:08 AM -0800 Loren Wilton [EMAIL PROTECTED] wrote:
>> Flurry of which? No attachment, at least here.
> Sorry, I see so many of these (5 a day or more) that I assume everyone's been flooded by them. Example attached.

Content analysis details: (22.3 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
 0.1 HTML_70_80              BODY: Message is 70% to 80% HTML
 5.4 BAYES_99                BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
 1.0 HTML_LINK_PUSH_HERE     BODY: HTML link text says push here or similar
 1.1 RAZOR2_CF_RANGE_51_100  BODY: Razor2 gives confidence between 51 and 100
                             [cf: 100]
 0.3 MIME_HTML_ONLY          BODY: Message only has text/html MIME parts
 0.1 HTML_MESSAGE            BODY: HTML included in message
 1.0 HTML_IMAGE_ONLY_04      BODY: HTML: images with 200-400 bytes of words
 0.6 MIME_HTML_NO_CHARSET    RAW: Message text in HTML without charset
 3.5 WS_URI_RBL              URI's domain appears in ws database at ws.surbl.org
                             [clottedkick.com is blacklisted in URI RBL at]
                             [multi.surbl.org]
 5.0 JP_URI_RBL              URI's domain appears in jp.surbl.org
                             [clottedkick.com is blacklisted in URI RBL at]
                             [multi.surbl.org]
 1.0 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
 0.8 MSGID_FROM_MTA_BACKUP   Message-Id was added by a relay
 1.5 RCVD_IN_BL_SPAMCOP_NET  RBL: Received via a relay in bl.spamcop.net
                             [Blocked - see http://www.spamcop.net/bl.shtml?66.63.165.50]
 0.9 RCVD_IN_SBL             RBL: Received via a relay in Spamhaus SBL
                             [66.63.165.50 listed in sbl-xbl.spamhaus.org]

Enable URIBLs and you should probably start catching it. The source IP is also listed in Spamcop and Spamhaus in this case.
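Added example, not part of the thread and not SpamAssassin code: a short Python parser for the rule lines of the report above that splits the 22.3 points into network-dependent and local hits, showing what remains when URIBL, RBL and Razor lookups do not run. The `NETWORK` name patterns are an assumption that fits the rules in this one report.

```python
import re
from decimal import Decimal

# Rule lines copied from the report in the message above (most detail lines omitted).
REPORT = """\
0.1 HTML_70_80 BODY: Message is 70% to 80% HTML
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
1.0 HTML_LINK_PUSH_HERE BODY: HTML link text says push here or similar
1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.1 HTML_MESSAGE BODY: HTML included in message
1.0 HTML_IMAGE_ONLY_04 BODY: HTML: images with 200-400 bytes of words
0.6 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
3.5 WS_URI_RBL URI's domain appears in ws database at ws.surbl.org
    [clottedkick.com is blacklisted in URI RBL at]
5.0 JP_URI_RBL URI's domain appears in jp.surbl.org
1.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.8 MSGID_FROM_MTA_BACKUP Message-Id was added by a relay
1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
0.9 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
"""
REQUIRED = Decimal("5.0")
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")
# Assumption: these name patterns mark the rules here that need a network lookup.
NETWORK = re.compile(r"^(RAZOR2_|RCVD_IN_)|_URI_RBL$")

def parse_report(text):
    """Return {rule: score}; bracketed detail lines do not match and are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(2)] = Decimal(m.group(1))
    return rules

def breakdown(rules):
    """Split the total into network-dependent and local points."""
    net = sum((s for r, s in rules.items() if NETWORK.search(r)), Decimal(0))
    total = sum(rules.values(), Decimal(0))
    return {"total": total, "network": net, "local": total - net}

def would_tag(rules, skip=()):
    """Return (tagged?, score) with every rule matching a pattern in `skip` left out."""
    kept = sum((s for r, s in rules.items() if not any(re.search(p, r) for p in skip)), Decimal(0))
    return kept >= REQUIRED, kept

if __name__ == "__main__":
    rules = parse_report(REPORT)
    print(breakdown(rules), would_tag(rules, [NETWORK.pattern, r"^BAYES_"]))
```

With the network rules left out, this message stays above 5.0 only because of the 5.4 points for BAYES_99; without both it scores 3.9.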
Re: Test and Keep spam
--On Monday, December 13, 2004 5:10 PM + Duncan Hill [EMAIL PROTECTED] wrote:

> Enable URIBLs and you should probably start catching it.

URIBLs were enabled. I checked my SA folder and found one on the 7th, so I'm wondering if something broke in looking them up. That was the day I rebooted after over 90 days of uptime, which always turns up things I forgot to enable for restarting on boot. This one's a bit weird, though.
RE: Test and Keep spam
-Original Message-
From: Duncan Hill [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 12:11 PM
To: users@spamassassin.apache.org
Subject: Re: Test and Keep spam

> On Monday 13 December 2004 16:58, Kenneth Porter might have typed:
>> --On Monday, December 13, 2004 5:08 AM -0800 Loren Wilton [EMAIL PROTECTED] wrote:
>>> Flurry of which? No attachment, at least here.
>> Sorry, I see so many of these (5 a day or more) that I assume everyone's been flooded by them. Example attached.
>
> Content analysis details: (22.3 points, 5.0 required)
> *snip*
> 3.5 WS_URI_RBL URI's domain appears in ws database at ws.surbl.org

Duncan also increased the default score for WS_URI_RBL like a good boy! Duncan gets a cookie! :-)

--Chris
Test and Keep spam
Been getting a bunch of these lately, and they're falling on either side of the 5.0 margin. Two that came in under 5.0 today have unusual characteristics: The Bayes score on one is 60% and scores higher than one with an 80% Bayes score. You can see my current uncaught corpus here: http://home.sewingwitch.com:8000/Stuff/UncaughtSpam.mbox
Re: Test and Keep spam
Kenneth Porter wrote:

> Been getting a bunch of these lately, and they're falling on either side of the 5.0 margin. Two that came in under 5.0 today have unusual characteristics: The Bayes score on one is 60% and scores higher than one with an 80% Bayes score. You can see my current uncaught corpus here: http://home.sewingwitch.com:8000/Stuff/UncaughtSpam.mbox

Kenneth,

I've noticed with my corpus that BAYES_95 and BAYES_99 score less than, say, BAYES_80 ... which has been a little discouraging for me, since most of the mail I'm filtering is Japanese and other tests don't hit often, so I have to rely heavily on my (manually trained) Bayes database ... having items that hit BAYES_99 only scoring 1.8 and change, compared to the 2 and change that BAYES_80 scores, has been a little frustrating. I'm tempted to change the scores for BAYES_95 and BAYES_99, but I'm concerned about what other effects that might have ... not sure if this information will be helpful or not, but thought I'd share anyways.

alan

p.s. I'm using SA 3.01 with MIMEDefang 2.49 on this machine. No 3rd party rulesets installed.