Joe

Enable the URIRBL rules; these are very effective against HTML spam.

(Make sure you have the latest Net::DNS module installed and the init.pre file in /etc/mail/spamassassin and the plugin turned on.)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Joe Zitnik wrote:
We've been having a group of the same type of e-mails making it through
spamassassin. These are the e-mails that have the "get a capable html
e-mailer" line in them. I have yet to see any legitimate e-mail with
that line, so I made a custom rule to score 11 points for that slogan. I
have also fed hundreds of different e-mails with that line into my
bayes database, and yet I'm still seeing a lot of e-mails with that
line making it through, so I fed one of the e-mails through manually and
the relevant output is below. The MY_CAPABLE rule is the custom rule
for these types of e-mail, it is adding the points, but a great many of
these are still making it through. I know I saw other posts where
people were saying spam was making it past or only every other e-mail
was being checked, and I'm wondering why e-mails like these are slipping
past.



Subject: ***Spam*** i just cheated on my boyfriend
Date: Mon, 10 Jan 2005 23:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="Java.FFPYY.0255880571537262588"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-Virus-Scanned: ClamAV 0.80/578/Mon Nov 8 09:26:49 2004
clamav-milter version 0.80j
on xxx.xxx.xxx
X-Virus-Status: Clean
X-Spam-Prev-Subject: i just cheated on my boyfriend
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on c588
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,
HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CAPABLE,RCVD_BY_IP,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_WEB,
SARE_FREE_WEBM_ZCom03,SPF_HELO_PASS autolearn=disabled
version=3.0.2
X-Spam-Report: * 0.1 RCVD_BY_IP Received by mail server with no name
* 0.7 SARE_FREE_WEBM_ZCom03 Sender used free email account -
may be spammer
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 11 MY_CAPABLE BODY: Body contains spam link
* 0.2 HTML_20_30 BODY: Message is 20% to 30% HTML
* 0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
* [score: 0.6354]
* 1.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html
MIME
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
* 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
bl.spamcop.net
* [Blocked - see
<http://www.spamcop.net/bl.shtml?24.145.177.237>]
* 0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
* [24.145.177.237 listed in combined.njabl.org]
* 0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web
server
* [24.145.177.237 listed in dnsbl.sorbs.net]







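An added example, not part of the original thread and not SpamAssassin code: a small parser for the folded X-Spam-Status header and the X-Spam-Report lines quoted above, showing how much of the 14.8 score depends on the custom rule and whether any URI blocklist rule appears in the tests list. The function names, the excerpted sample input and the `URIBL_` name prefix used to spot URI blocklist hits are assumptions of this example.

```python
import re

# Sample input: excerpt copied from the headers quoted in the message above.
STATUS = (
    "X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,\n"
    " HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CAPABLE,RCVD_BY_IP,\n"
    " RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_WEB,\n"
    " SARE_FREE_WEBM_ZCom03,SPF_HELO_PASS autolearn=disabled\n"
    " version=3.0.2\n"
)
REPORT = (
    "X-Spam-Report: * 0.1 RCVD_BY_IP Received by mail server with no name\n"
    "* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record\n"
    "* 11 MY_CAPABLE BODY: Body contains spam link\n"
    "* 0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%\n"
    "* [score: 0.6354]\n"
)


def parse_status(header):
    """Return (score, required, [rule names]) from an X-Spam-Status header."""
    flat = re.sub(r",\s+", ",", header)  # rejoin the list folded after commas
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    tests = re.search(r"tests=(\S+)", flat).group(1).split(",")
    return score, required, [t for t in tests if t and t != "none"]


def parse_report(report):
    """Map rule name -> points from '* <points> <RULE> ...' report lines."""
    pairs = re.findall(r"\*\s+(-?\d+(?:\.\d+)?)\s+([A-Za-z]\w*)", report)
    return {name: float(points) for points, name in pairs}


def analyse(status, report, custom_rule):
    """Show what the verdict would be without the locally written rule."""
    score, required, tests = parse_status(status)
    without = round(score - parse_report(report).get(custom_rule, 0.0), 1)
    return {
        "score": score,
        "required": required,
        "tests": tests,
        "without_custom": without,
        "flagged_without_custom": without >= required,
        # Assumed naming: URI blocklist rules start with URIBL_.
        "uribl_hits": [t for t in tests if t.startswith("URIBL_")],
    }


if __name__ == "__main__":
    print(analyse(STATUS, REPORT, "MY_CAPABLE"))
```

For the quoted message this reports 3.8 points without MY_CAPABLE, under the 4.0 threshold, and no URIBL_ rule among the twelve tests that fired.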