> Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
> name a domain?
>From the rule name (without looking) I'd say it refers to the from address.
From: [EMAIL PROTECTED] It may be that it refers to the
hostname itself starting with numbers, but that seems a little unlikely.
While this is likely a perfectly valid way to name a user on a system,
statistics indicate that in most cases only spammers use that kind of
username. (If statistics *didn't* show that happened in the real world, the
rule wouldn't exist.)
> Is this related to the "suspicious hostname" flags? Or is that
No.
> related to the use of webmail? If the former, then they're getting
Maybe.
> dinged at least four times for the same issue. If the latter, can I
> improve something with the webmail configuration to avoid this since
> webmail is a very common tool?
>
> Anything else causing this email to appear particular spammy when it
> is a pretty generic and legitimate email?
> >> Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29
> >> -0000
> >> Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul
> >> 2005 21:00:29 -0000
Are you really located in England? So far as I know PacBell doesn't serve
that area.
Loren
>
>
> On Jul 13, 2005, at 5:40 PM, Greg Allen wrote:
>
> > If I am reading this correctly it looks like SA is working
> > perfectly. SA
> > admins generally don't care much for kids sending email to our
> > servers from
> > their mom's computers while she is at work... well u get the idea.
> > But I am
> > guessing your friend already knows that.
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 13, 2005 3:52 PM
> > To: users@spamassassin.apache.org
> > Subject: Rule Advice
> >
> >
> > We're working with someone who has a domain that starts with a
> > number: 360skincare.com. So it gets bit by FROM_STARTS_WITH_NUMS. I
> > also see some for suspicious hostname.
> >
> > A little more background: the sender appears to come from pacbell.net
> > isp and using a webmail client.
> >
> > Are these "suspicious hostname" entries appearing because the
> > hostname starts with a number? Any other advice on these headers to
> > help the user not appear as sending spam? I suspect they are out of
> > luck for the bl rules if pacbell is on a block list.
> >
> > Here are the full headers (since upgraded to 3.0.4):
> >
> >
> >> From: [EMAIL PROTECTED]
> >> Date: July 9, 2005 2:00:29 PM MST
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: here you go
> >> Return-Path: [EMAIL PROTECTED]
> >> Delivered-To: [EMAIL PROTECTED]
> >> Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29
> >> -0000
> >> Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul
> >> 2005 21:00:29 -0000
> >> Received: from adsl-64-165-17-127.dsl.sndg02.pacbell.net
> >> (adsl-64-165-17-127.dsl.sndg02.pacbell.net [64.165.17.127]) by
> >> webmail.360skincare.com (IMP) with HTTP for
> >> <[EMAIL PROTECTED]@localhost>; Sat, 9 Jul 2005 17:00:29 -0400
> >> Message-Id: <[EMAIL PROTECTED]>
> >> References: <[EMAIL PROTECTED]>
> >> In-Reply-To: <[EMAIL PROTECTED]>
> >> Mime-Version: 1.0
> >> Content-Type: text/plain; charset=ISO-8859-1
> >> Content-Transfer-Encoding: 8bit
> >> User-Agent: Internet Messaging Program (IMP) 3.2.3
> >> X-Originating-Ip: 64.165.17.127
> >> X-Spam-Flag: YES
> >> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on hidden2
> >> X-Spam-Level: *******
> >> X-Spam-Status: Yes, score=7.5 required=5.0
> >> tests=FROM_STARTS_WITH_NUMS,
> >> HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR,
> >> RCVD_IN_NJABL_DUL autolearn=no version=3.0.3
> >> X-Spam-Report: * 0.1 HELO_DYNAMIC_DHCP Relay HELO'd using
> >> suspicious hostname (DHCP) * 1.5 HELO_DYNAMIC_HCC Relay HELO'd
> >> using suspicious hostname (HCC) * 2.8 HELO_DYNAMIC_IPADDR Relay
> >> HELO'd using suspicious hostname (IP addr 1) * 1.5
> >> FROM_STARTS_WITH_NUMS From: starts with nums * 1.7
> >> RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
> >> * [64.165.17.127 listed in combined.njabl.org]
