Matt Kettler wrote:
Toll, Eric wrote:
You can call me easily amused, as I haven't seen these rules
kick in before. Ok so 44 points isn't impressive when your
kill is at 7.1?
Let's see some of _your_ high point hall-of-famers then,
after all caring means sharing :)
I'm on a semi-conservative scoring policy here (I often reduce the scores of
SARE rules that I feel are scored too high, but I do use several SARE sets)
So far this week's winner is:
Jun 13 08:54:22 Message from 210.178.87.1 ([EMAIL PROTECTED]) to
evi-inc.com is spam, SpamAssassin (score=53.467, required 5, autolearn=spam,
AB_URI_RBL 1.00, BAYES_99 5.40, BIZ_TLD 0.10, BLACK_URI_RBL 2.00,
DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 1.00, DRUGS_ERECTILE 1.00,
DRUGS_ERECTILE_OBFU 1.50, GAPPY_SUBJECT 2.27, HTML_60_70 0.11, HTML_MESSAGE
0.10, INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, LOCAL_BACKHAIR 1.00,
L_b_MaskedW0rdsc 1.00, MANY_EXCLAMATIONS 0.83, MIME_HTML_ONLY 0.32, OB_URI_RBL
2.10, RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05, RCVD_IN_BL_SPAMCOP_NET
1.50, RCVD_IN_CHINA_KR 2.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY
2.34, RCVD_IN_SORBS_HTTP 1.20, RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92,
SARE_OBFU_CIALIS 3.10, SPAMCOP_URI_RBL 3.00, SUBJ_HAS_SPACES 4.10,
SUBJ_HAS_UNIQ_ID 2.68, WS_URI_RBL 2.10)
SA 2.64, Mail::SpamcopURI, razor, dcc and these rulesets:
SARE and other web published sets:
antidrug.cf spamcop_uri.cf uribl_uri.cf
70_sare_adult.cf 70_sare_specific.cf
70_sare_evilnum0.cf 71_sare_adult_rescore.cf
70_sare_evilnum1.cf 99_FVGT_Tripwire.cf 70_sare_obfu0.cf
99_sare_fraud_post25x.cf 70_sare_random.cf
The following are hacked-up collections of rules from the list and other places:
fvgt.cf blackholes_us.cf german.cf
lotto.cf rolex.cf
These are mostly local rules, but might have some from list rulesets mixed in:
bayes_ignore.cf advert.cf boca_raton.cf evi_misc.cf evi_comprules.cf
obfu.cf local-virus.cf local_spamrules.cf local_comprules.cf
local-brazil.cf local-info.cf local_porn.cf
spamtrap.cf local.cf mkettler_custom.cf
53 is nothing ;) from this morning:
Wed, 15 Jun 2005 05:25:29 CEST:16528: SA: REPORT hits = 92.1/5.0
2.9 UNRESOLVED_TEMPLATE Headers contain an unresolved template
3.5 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
3.4 RATWARE_RCVD_AT Bulk email fingerprint (Received @) found
5.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP
addr 1)
4.2 X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found
0.7 SUBJ_ALL_CAPS Subject is all capitals
3.1 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
[SPF failed: Please see
http://spf.pobox.com/why.html?sender=rr.com&ip=24.90.77.97&receiver=mailscan3.newmedia.no]
2.3 MANGLED_DISCNT BODY: mangled discount
2.5 MANGLED_CIALIS BODY: mangled Cialis
2.3 MANGLED_MEDCTN BODY: mangled medication(s)
0.6 J_CHICKENPOX_23 BODY: 2alpha-pock-3alpha
2.3 MANGLED_SATISF BODY: mangled satisfaction
2.5 MANGLED_XANAX BODY: mangled xanax
0.6 J_CHICKENPOX_101 BODY: 10alpha-pock-1alpha
2.5 MANGLED_VALIUM BODY: mangled valium
0.6 J_CHICKENPOX_43 BODY: 4alpha-pock-3alpha
0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
[cf: 100]
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.2 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[24.90.77.97 listed in sbl-xbl.spamhaus.org]
2.5 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
[24.90.77.97 listed in dnsbl.sorbs.net]
3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?24.90.77.97>]
1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?24.90.77.97>]
0.3 DNS_FROM_AHBL_RHSBL RBL: From: sender listed in dnsbl.ahbl.org
2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[24.90.77.97 listed in combined.njabl.org]
1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: realhealthco.com]
0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
blocklist
[URIs: realhealthco.com redquality.info]
2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
blocklist
[URIs: realhealthco.com redquality.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
blocklist
[URIs: realhealthco.com redquality.info]
3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
blocklist
[URIs: realhealthco.com redquality.info]
4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
blocklist
[URIs: realhealthco.com redquality.info]
0.1 DIGEST_MULTIPLE Message hits more than one network digest check
0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
2.5 SARE_HEAD_MIME_PROD Ratware MIME Version
0.9 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
0.2 DRUGS_ERECTILE Refers to an erectile drug
0.0 DRUGS_SLEEP Refers to a sleep aid drug
0.0 DRUGS_MUSCLE Refers to a muscle relaxant
0.1 DRUGS_PAIN Refers to a pain relief drug
2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
0.0 DRUGS_DIET Refers to a diet drug
3.3 DRUGS_SLEEP_EREC Refers to both an erectile and a sleep aid drug
0.0 DRUGS_MANYKINDS Refers to at least four kinds of drugs
A few non-standard rules, but should still be way up there.
Arvinn