insider information slipping through

2006-12-23 Thread Debbie D
Can someone try and help me understand why this keeps slipping through.. in 
2+ days I have 40 or more of these to various addresses of my own on the 
server

http://sial.org/pbot/21945


(Thanks Theo for the link) 





Re: insider information slipping through

2006-12-23 Thread Ed Kasky

At 05:47 AM Saturday, 12/23/2006, you wrote -=

Can someone try and help me understand why this keeps slipping through.. in
2+ days I have 40 or more of these to various addresses of my own on the
server

http://sial.org/pbot/21945


(Thanks Theo for the link)


Scored 7.4 on my setup.  Notice where it got most of the score:

Content analysis details:   (7.4 points, 6.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 2.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.2 DIGEST_MULTIPLE        Message hits more than one network digest check

Are you using Pyzor and DCC checks?

Ed




Re: insider information slipping through

2006-12-23 Thread Chris
On Saturday 23 December 2006 7:47 am, Debbie D wrote:
 Can someone try and help me understand why this keeps slipping through.. in
 2+ days I have 40 or more of these to various addresses of my own on the
 server

 http://sial.org/pbot/21945

Hi Debbie, this scored fairly high here:

 Content analysis details:   (35.1 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
  0.0 BOTNET_BADDNS          IP address doesn't have full circle DNS
  0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
  0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
  5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                             above 50%
                             [cf: 100]
  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
  2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
   10 CLAMAV                 Clam AntiVirus detected a virus
  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                             [82.201.215.234 listed in combined.njabl.org]
  0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
  0.0 BOTNET_CLIENT          Hostname looks like a client hostname
  5.0 BOTNET                 The submitting mail server looks like part of a Botnet
  1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Of course 15 of those points came from the clamav and botnet plugins. I didn't 
see any bayes score on your sample. You can always go and save these then run 
sa-learn --spam against them. I also don't see any network test, do you have 
them enabled? Any of the above would have been enough to kick it over the 
threshold to spam.

-- 
Chris
http://learn.to/quote


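The replies above compare their "Content analysis details" reports by eye to see which rules fired and which network tests never showed up. The script below is an added example, not from the original thread or from the SpamAssassin project: it parses a report block in the format shown above, totals the points, lists the top contributors, and names the network/Bayes rule families that did not fire at all. The report text is a constructed sample modelled on Ed's; the prefix table mapping rule families to the plugins discussed in the thread is an assumption drawn from the rule names on the page.

```python
import re

# Constructed sample: a "Content analysis details" block as SpamAssassin
# writes it into X-Spam-Report. Each hit line is points, rule name, and a
# description; continuation lines are indented and carry no points.
SAMPLE_REPORT = """\
Content analysis details:   (7.4 points, 6.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 2.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.2 DIGEST_MULTIPLE        Message hits more than one network digest check
"""

HEADER_RE = re.compile(r"\(\s*(-?[\d.]+) points,\s*(-?[\d.]+) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

# Assumption: rule-name prefixes that only appear when the corresponding
# plugin / network test is enabled. If none of a family's rules ever fire
# across many samples, that test is probably not running on this host.
NETWORK_FAMILIES = {
    "Pyzor": ("PYZOR_",),
    "DCC": ("DCC_",),
    "Razor2": ("RAZOR2_",),
    "Bayes": ("BAYES_",),
    "DNSBL": ("RCVD_IN_",),
}


def parse_report(text):
    """Return (total, required, [(points, rule, description), ...])."""
    total = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and total is None:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith(" ") and line.strip():
            # Indented continuation of the previous description ("[cf: 100]" etc.)
            pts, rule, desc = hits[-1]
            hits[-1] = (pts, rule, desc + " " + line.strip())
    return total, required, hits


def missing_families(hits):
    """Names of plugin families from NETWORK_FAMILIES with no rule hit."""
    fired = {rule for _, rule, _ in hits}
    return [name for name, prefixes in NETWORK_FAMILIES.items()
            if not any(r.startswith(prefixes) for r in fired)]


def summarize(text):
    """Totals, verdict, top three contributors and silent plugin families."""
    total, required, hits = parse_report(text)
    computed = round(sum(p for p, _, _ in hits), 1)
    return {
        "total": total,
        "required": required,
        "computed": computed,          # should agree with the header total
        "verdict": "spam" if total >= required else "ham",
        "top": sorted(hits, key=lambda h: -h[0])[:3],
        "missing_network_tests": missing_families(hits),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['total']} of {s['required']} required -> {s['verdict']}")
    for pts, rule, _ in s["top"]:
        print(f"  {pts:>5} {rule}")
    print("never fired:", ", ".join(s["missing_network_tests"]))
```

Run against Debbie's own report (from a saved message's X-Spam-Report header) it would list which families are silent; run against the sample above it reports Razor2, Bayes and DNSBL as never firing, which is the same observation Chris makes by hand.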


Re: insider information slipping through

2006-12-23 Thread Ray Anderson



Debbie D wrote:
Can someone try and help me understand why this keeps slipping through.. in 
2+ days I have 40 or more of these to various addresses of my own on the 
server


http://sial.org/pbot/21945


(Thanks Theo for the link) 

  


Scores for me:

Content analysis details:   (19.5 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
  10 GMD_FAKETZ             GMD_FAKETZ
 2.0 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [124.106.8.240 listed in dnsbl.sorbs.net]
 2.6 DNS_FROM_RFC_DSN       RBL: Envelope sender in dsn.rfc-ignorant.org


Re: insider information slipping through

2006-12-23 Thread Debbie D
Thanks everyone.. I see that I really need to tweak my SA, I am not using
many of its features evidently..  I never saw any rule that would mark a
mail because ClamAV found a virus attached.. I can't find anywhere this
RCVD_FORGED_WROTE rule either.. that alone would have made a huge difference
and gotten rid of it, almost every one I get is scored at 4.0 or higher

My personal SA is set to 4.9 and I have Eudora filter any score over 4.0 to
its own mailbox so I can see what's going on.. almost every one of these ends
up in there..







Re: insider information slipping through

2006-12-23 Thread Vernon Webb
I've been following this thread as I am also receiving this SPAM and it is not
labeled as such. Looking through old SPAM I have I noticed that I have most of
the things mentioned in my headers for SPAM that I do have, however I know I
have PYZOR installed but am seeing nothing labeled with the correct heading for
PYZOR. Is there something that needs to be turned on in SA that will enable it?
If so where?

Thanks


RE: insider information slipping through

2006-12-23 Thread Michael Scheidell


 -Original Message-
 From: Vernon Webb [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, December 23, 2006 6:23 PM
 To: users@spamassassin.apache.org
 Subject: Re: insider information slipping through
 
 
 I've been following this thread as I am also receiving this 
 SPAM and it is not labeled 
 as such. Looking through old SPAM I have I noticed that I 
 have most of the things 
 mentioned in my headers for SPAM that I do have, however I 
 know I have PYZOR installed 
 but am seeing nothing labeled with the correct heading for 
 PYZOR. Is there something 
 that needs to be turned on in SA that will enable it? If so where?
 
Look in v310.pre.  Make sure you have this in the file:

loadplugin Mail::SpamAssassin::Plugin::Pyzor

http://wiki.apache.org/spamassassin/UsingPyzor


 Thanks
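As an added example of the check described in the reply above (not part of the original reply and not SpamAssassin's own code): it reads a v310.pre and an optional local.cf fragment and reports whether Pyzor is actually enabled, distinguishing a missing or commented-out loadplugin line from a plugin that is loaded but switched off with use_pyzor 0. The file contents are constructed samples; the loadplugin/tryplugin and use_pyzor syntax is real SpamAssassin configuration syntax, and the /etc/mail/spamassassin path in the comment is an assumption that varies by package.

```python
import re

# Constructed sample of a v310.pre in which the Pyzor line has been commented
# out, the situation the reply above describes. Assumption: on many installs
# the .pre files live under /etc/mail/spamassassin/; check your package.
SAMPLE_V310_PRE = """\
# This is the right place to customize your installation of SpamAssassin.
loadplugin Mail::SpamAssassin::Plugin::DCC
# loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
"""

# Constructed local.cf fragment: the plugin can be loaded and still be turned
# off per site with "use_pyzor 0".
SAMPLE_LOCAL_CF = """\
required_score 4.9
use_pyzor 0
"""

PYZOR_PLUGIN = "Mail::SpamAssassin::Plugin::Pyzor"
PLUGIN_RE = re.compile(r"^\s*(loadplugin|tryplugin)\s+(\S+)", re.IGNORECASE)


def loadplugin_state(pre_text):
    """Map plugin module name -> 'active' or 'commented' from a .pre file."""
    state = {}
    for line in pre_text.splitlines():
        stripped = line.strip()
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip() if commented else stripped
        m = PLUGIN_RE.match(body)
        if m:
            name = m.group(2)
            # An active line wins over a commented copy of the same plugin.
            if state.get(name) != "active":
                state[name] = "commented" if commented else "active"
    return state


def option_value(cf_text, key):
    """Last value assigned to a 'key value' option in a .cf fragment, or None."""
    value = None
    for line in cf_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key:
            value = parts[1].strip()
    return value


def pyzor_status(pre_text, cf_text=""):
    """Explain why Pyzor rules might never fire, or report 'enabled'."""
    if loadplugin_state(pre_text).get(PYZOR_PLUGIN) != "active":
        return "plugin not loaded (loadplugin line missing or commented out in v310.pre)"
    if option_value(cf_text, "use_pyzor") == "0":
        return "plugin loaded but disabled by use_pyzor 0"
    return "enabled"


if __name__ == "__main__":
    print("as shipped:", pyzor_status(SAMPLE_V310_PRE))
    fixed = SAMPLE_V310_PRE.replace("# loadplugin " + PYZOR_PLUGIN,
                                    "loadplugin " + PYZOR_PLUGIN)
    print("after uncommenting:", pyzor_status(fixed, SAMPLE_LOCAL_CF))
    print("with use_pyzor left at default:", pyzor_status(fixed))
```

To check a live install, read the real v310.pre and local.cf into the two functions; after editing, `spamassassin --lint` will surface a plugin that fails to load, which this static check cannot see.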