> Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to > name a domain?
>From the rule name (without looking) I'd say it refers to the from address. From: [EMAIL PROTECTED] It may be that it refers to the hostname itself starting with numbers, but that seems a little unlikely. While this is likely a perfectly valid way to name a user on a system, statistics indicate that in most cases only spammers use that kind of username. (If statistics *didn't* show that happened in the real world, the rule wouldn't exist.) > Is this related to the "suspicious hostname" flags? Or is that No. > related to the use of webmail? If the former, then they're getting Maybe. > dinged at least four times for the same issue. If the latter, can I > improve something with the webmail configuration to avoid this since > webmail is a very common tool? > > Anything else causing this email to appear particular spammy when it > is a pretty generic and legitimate email? > >> Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29 > >> -0000 > >> Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul > >> 2005 21:00:29 -0000 Are you really located in England? So far as I know PacBell doesn't serve that area. Loren > > > On Jul 13, 2005, at 5:40 PM, Greg Allen wrote: > > > If I am reading this correctly it looks like SA is working > > perfectly. SA > > admins generally don't care much for kids sending email to our > > servers from > > their mom's computers while she is at work... well u get the idea. > > But I am > > guessing your friend already knows that. > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, July 13, 2005 3:52 PM > > To: users@spamassassin.apache.org > > Subject: Rule Advice > > > > > > We're working with someone who has a domain that starts with a > > number: 360skincare.com. So it gets bit by FROM_STARTS_WITH_NUMS. I > > also see some for suspicious hostname. > > > > A little more background: the sender appears to come from pacbell.net > > isp and using a webmail client. > > > > Are these "suspicious hostname" entries appearing because the > > hostname starts with a number? Any other advice on these headers to > > help the user not appear as sending spam? I suspect they are out of > > luck for the bl rules if pacbell is on a block list. > > > > Here are the full headers (since upgraded to 3.0.4): > > > > > >> From: [EMAIL PROTECTED] > >> Date: July 9, 2005 2:00:29 PM MST > >> To: [EMAIL PROTECTED] > >> Subject: Re: here you go > >> Return-Path: [EMAIL PROTECTED] > >> Delivered-To: [EMAIL PROTECTED] > >> Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29 > >> -0000 > >> Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul > >> 2005 21:00:29 -0000 > >> Received: from adsl-64-165-17-127.dsl.sndg02.pacbell.net > >> (adsl-64-165-17-127.dsl.sndg02.pacbell.net [64.165.17.127]) by > >> webmail.360skincare.com (IMP) with HTTP for > >> <[EMAIL PROTECTED]@localhost>; Sat, 9 Jul 2005 17:00:29 -0400 > >> Message-Id: <[EMAIL PROTECTED]> > >> References: <[EMAIL PROTECTED]> > >> In-Reply-To: <[EMAIL PROTECTED]> > >> Mime-Version: 1.0 > >> Content-Type: text/plain; charset=ISO-8859-1 > >> Content-Transfer-Encoding: 8bit > >> User-Agent: Internet Messaging Program (IMP) 3.2.3 > >> X-Originating-Ip: 64.165.17.127 > >> X-Spam-Flag: YES > >> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on hidden2 > >> X-Spam-Level: ******* > >> X-Spam-Status: Yes, score=7.5 required=5.0 > >> tests=FROM_STARTS_WITH_NUMS, > >> HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR, > >> RCVD_IN_NJABL_DUL autolearn=no version=3.0.3 > >> X-Spam-Report: * 0.1 HELO_DYNAMIC_DHCP Relay HELO'd using > >> suspicious hostname (DHCP) * 1.5 HELO_DYNAMIC_HCC Relay HELO'd > >> using suspicious hostname (HCC) * 2.8 HELO_DYNAMIC_IPADDR Relay > >> HELO'd using suspicious hostname (IP addr 1) * 1.5 > >> FROM_STARTS_WITH_NUMS From: starts with nums * 1.7 > >> RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP > >> * [64.165.17.127 listed in combined.njabl.org]