RE: Whoa! 258.0 points score

2005-06-15 Thread Chris Santerre

blocklist
 [URIs: realhealthco.com]
  0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL 
blocklist
 [URIs: realhealthco.com redquality.info]
  2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
blocklist
 [URIs: realhealthco.com redquality.info]
  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL 
blocklist
 [URIs: realhealthco.com redquality.info]
  3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL 
blocklist
 [URIs: realhealthco.com redquality.info]
  4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL 
blocklist
 [URIs: realhealthco.com redquality.info]


A few non-standard rules, but should still be way up there.

Arvinn

What? You not running black.uribl.com? Shame on you ;) 

--Chris (Battlefield 2 demo is out!!! Wooot! No sleep for the monkey ninja!)


Re: Whoa! 258.0 points score

2005-06-15 Thread Niek

On 6/15/2005 3:41 PM +0200, Chris Santerre wrote:
What? You not running black.uribl.com? Shame on you ;) 


You mean multi.uribl.com

Niek Baakman



Whoa! 258.0 points score

2005-06-14 Thread Toll, Eric
Take a look.  I think this is the highest I've seen in a
while. Fraud is a terrible thing.


The message has been quarantined as:
  spam-bJacn2m5vocT.gz

SpamAssassin report:
Spam detection software, running on the system
rodan.vipstructures.com, has identified this incoming
email as possible spam.  The original message has been
attached to this so you can view it (if it isn't spam) or
label similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  eBay request: Pay your fees to eBay. Dear eBay
  customer, Due to our new services you have to pay for your eBay fees.
  You can pay with your credit/debit card. We will ask for your
  credit/debit card only once. We will charge your account once per
  month. However you will receive a confirmation request in about 24
  hours after the credit/debit card is authorized. You have 24 hours from
  the time you'll receive this e-mail to complete this eBay Request.
  [...]

Content analysis details:   (258.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 0.7 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 1.0 MY_PHRS_MED            BODY: medium scoring phrases found
 2.1 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.2 IP_LINK_PLUS           URI: Dotted-decimal IP address followed by CGI
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.3 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.6 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.5 RCVD_IN_SBL_XBL        RBL: Received via a relay in Spamhaus SBL+XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
 1.5 RCVD_IN_CBL            RBL: Received via a relay in cbl.abuseat.org
                            [Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=62.193.213.212]
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 0.3 MK_BAD_HTML_06         Bad HTML form.  Has an ending HTML tag and no beginning tag.
 104 SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
 0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 2.4 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
 110 FORGED_EBAY            FORGED_EBAY
 4.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.8 COMBO_IMAGEONLY1       Appears to be an image only message
 5.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

---------------------- BEGIN HEADERS ----------------------
Return-Path: [EMAIL PROTECTED]
X-Greylist: Passed host: 62.193.213.212 whitelisted
Received: from 62.193.213.212 (vds-355370.amen-pro.com [62.193.213.212])
    by rodan.vipstructures.com (Postfix) with SMTP id 269731EE824
    for [EMAIL PROTECTED]; Tue, 14 Jun 2005 13:31:24 -0400 (EDT)
Received: from 196.69.72.84 by ; Tue, 14 Jun 2005 20:25:50 +0200
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Pay Your eBay Fees
Date: Tue, 14 Jun 2005 16:29:50 -0200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=--3197286365277249
X-Priority: 1
X-MSMail-Priority: High
----------------------- END HEADERS -----------------------



RE: Whoa! 258.0 points score

2005-06-14 Thread Bret Miller
 Take a look.  I think this is the highest I've seen in a
 while. Fraud is a terrible thing.

Then when you realize that 214 points are due to SARE forged ebay rules,
it's not quite as impressive.

Bret





RE: Whoa! 258.0 points score

2005-06-14 Thread Toll, Eric
 Subject: RE: Whoa! 258.0 points score
 
  Take a look.  I think this is the highest I've seen in a
  while. Fraud is a terrible thing.
 
 Then when you realize that 214 points are due to SARE
 forged ebay rules, it's not quite as impressive.
 
 Bret
 

You can call me easily amused, as I haven't seen these rules
kick in before. Ok so 44 points isn't impressive when your
kill is at 7.1 ?


Let's see some of _your_ high point hall-of-famers then,
after all caring means sharing   :)


Eric





Re: Whoa! 258.0 points score

2005-06-14 Thread Matt Kettler
Toll, Eric wrote:

 
 You can call me easily amused, as I haven't seen these rules
 kick in before. Ok so 44 points isn't impressive when your
 kill is at 7.1 ?
 
 
 Let's see some of _your_ high point hall-of-famers then,
 after all caring means sharing   :)

I'm on a semi-conservative scoring policy here (I often reduce the scores of
SARE rules that I feel are scored too high, but I do use several SARE sets)

So far this week's winner is:

Jun 13 08:54:22 Message from 210.178.87.1 ([EMAIL PROTECTED]) to
evi-inc.com is spam, SpamAssassin (score=53.467, required 5, autolearn=spam,
AB_URI_RBL 1.00, BAYES_99 5.40, BIZ_TLD 0.10, BLACK_URI_RBL 2.00,
DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 1.00, DRUGS_ERECTILE 1.00,
DRUGS_ERECTILE_OBFU 1.50, GAPPY_SUBJECT 2.27, HTML_60_70 0.11,
HTML_MESSAGE 0.10, INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00,
LOCAL_BACKHAIR 1.00, L_b_MaskedW0rdsc 1.00, MANY_EXCLAMATIONS 0.83,
MIME_HTML_ONLY 0.32, OB_URI_RBL 2.10, RAZOR2_CF_RANGE_51_100 0.20,
RAZOR2_CHECK 1.05, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_CHINA_KR 2.50,
RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY 2.34, RCVD_IN_SORBS_HTTP 1.20,
RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92, SARE_OBFU_CIALIS 3.10,
SPAMCOP_URI_RBL 3.00, SUBJ_HAS_SPACES 4.10, SUBJ_HAS_UNIQ_ID 2.68,
WS_URI_RBL 2.10)

SA 2.64, Mail::SpamcopURI, razor, dcc and these rulesets:

SARE and other web published sets:
 antidrug.cf spamcop_uri.cf  uribl_uri.cf
 70_sare_adult.cf 70_sare_specific.cf
 70_sare_evilnum0.cf  71_sare_adult_rescore.cf
 70_sare_evilnum1.cf  99_FVGT_Tripwire.cf   70_sare_obfu0.cf
 99_sare_fraud_post25x.cf  70_sare_random.cf

The following are hacked-up collections of rules from the list and other places:
 fvgt.cf  blackholes_us.cf  german.cf
 lotto.cf rolex.cf

These are mostly local rules, but might have some from list rulesets mixed in:

 bayes_ignore.cf  advert.cf  boca_raton.cf  evi_misc.cf  evi_comprules.cf
 obfu.cf  local-virus.cf  local_spamrules.cf  local_comprules.cf
 local-brazil.cf  local-info.cf local_porn.cf
 spamtrap.cf  local.cf mkettler_custom.cf



Re: Whoa! 258.0 points score

2005-06-14 Thread Matt Kettler
Bret Miller wrote:
Take a look.  I think this is the highest I've seen in a
while. Fraud is a terrible thing.
 
 
 Then when you realize that 214 points are due to SARE forged ebay rules,
 it's not quite as impressive.

Agreed. The SARE forged rules intentionally have absurdly high scores to
counteract whitelists. Basically they immediately add 100 points to what they
feel the rule score should be.

The two forged rules account for 214 points of that 258 point score.

Thus, if those rules weren't +100 for whitelist counteracting purposes, the
message would have only scored 58, which is high, but not that high for a system
with lots of SARE rules.

(Adding SARE spam rules will bias your spam scores to be much higher than a
default install. It will also slightly increase your chance of FP, which is
acceptable to many people.)
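The arithmetic Matt describes above (two forged-eBay rules carrying a +100 offset to beat whitelist entries, 214 of the 258 points, 58 points "real" score) is easy to get wrong by eye on a long report, so here is an added worked example that is not part of the thread and not SpamAssassin's own code. It parses the rule-hit table from Eric's report as quoted earlier in this thread, flags every rule scored at or above the offset, recomputes the total without those offsets, and emits the `score` directives a site would put in local.cf to drop the offset (the kind of rescoring Matt says he does). The 100-point threshold is an assumption taken from Matt's explanation; stock SpamAssassin gives `USER_IN_WHITELIST` -100, which is why SARE picked +100. Note that the displayed per-rule scores are rounded to one decimal, so their sum comes to 257.9 rather than the 258.0 SpamAssassin reported from the unrounded values.

```python
import re
from typing import List, NamedTuple

# Rule-hit table copied from the SpamAssassin report quoted earlier in this
# thread (the 258.0-point eBay phish). The header and a few of the bracketed
# detail lines are kept so the parser has to cope with them.
REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 0.7 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 1.0 MY_PHRS_MED            BODY: medium scoring phrases found
 2.1 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.2 IP_LINK_PLUS           URI: Dotted-decimal IP address followed by CGI
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.3 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.6 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.5 RCVD_IN_SBL_XBL        RBL: Received via a relay in Spamhaus SBL+XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.1 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
 1.5 RCVD_IN_CBL            RBL: Received via a relay in cbl.abuseat.org
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 0.3 MK_BAD_HTML_06         Bad HTML form.  Has an ending HTML tag and no beginning tag.
 104 SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
 0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 2.4 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
 110 FORGED_EBAY            FORGED_EBAY
 4.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.8 COMBO_IMAGEONLY1       Appears to be an image only message
 5.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
"""


class Hit(NamedTuple):
    score: float
    rule: str
    desc: str


# "<score> <RULE_NAME> <description>"; negative scores are legal in SA.
HIT_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

# Assumed offset, per Matt's explanation: SARE adds +100 to the forged-sender
# rules so that they outweigh a whitelist_from entry (USER_IN_WHITELIST = -100).
WHITELIST_BOOST = 100.0


def parse_report(text: str) -> List[Hit]:
    """Parse the rule-hit table of a SpamAssassin 'Content analysis details' report."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.strip().startswith("["):
            # Bracketed detail ("[cf: 100]", "[... listed in ...]") continues
            # the previous hit's description.
            prev = hits[-1]
            hits[-1] = prev._replace(desc=prev.desc + " " + line.strip())
    return hits


def total_score(hits: List[Hit]) -> float:
    return round(sum(h.score for h in hits), 1)


def boosted_rules(hits: List[Hit], boost: float = WHITELIST_BOOST) -> List[Hit]:
    """Rules scored at or above the whitelist-counteracting offset."""
    return [h for h in hits if h.score >= boost]


def adjusted_score(hits: List[Hit], boost: float = WHITELIST_BOOST) -> float:
    """Total with the offset stripped from each boosted rule: what the message
    would have scored if those rules carried only their intended weight."""
    return round(sum(h.score - boost if h.score >= boost else h.score for h in hits), 1)


def rescore_lines(hits: List[Hit], boost: float = WHITELIST_BOOST) -> List[str]:
    """local.cf 'score' directives that drop the offset, for a site that does
    not need the forged rules to override its whitelist."""
    return [f"score {h.rule} {h.score - boost:.1f}" for h in boosted_rules(hits, boost)]


if __name__ == "__main__":
    hits = parse_report(REPORT)
    print(f"{len(hits)} rules hit, total {total_score(hits)}")
    for h in boosted_rules(hits):
        print(f"  boosted: {h.rule} {h.score}")
    print(f"adjusted total without the +100 offsets: {adjusted_score(hits)}")
    print("\n".join(rescore_lines(hits)))
```

Run against the report above it prints 257.9 as the total, names SARE_FORGED_EBAY and FORGED_EBAY as the two boosted rules (214 points between them), gives 57.9 as the adjusted total, and produces `score SARE_FORGED_EBAY 4.0` and `score FORGED_EBAY 10.0`. Whether you actually want those lines in local.cf depends on whether anyone at your site whitelists addresses at eBay-lookalike domains; the offset exists precisely so a forged From: cannot ride a whitelist past the threshold.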