Title: RE: SA frequently skipping rules

The problem with writing rules for this is generating FPs. I mean, I get emails like that from my wife all the time. ;)

I'm sure I'm not the only one who gets them. Well I hope other people don't get them from my wife.

Anyway, the presence of bad words like that doesn't really mean it is spam. So it's kind of tough to nail it down. Heck, my ice hockey team emails have a lot more profanity than that :) Although none of my team members have asked me to "tit screws" them.

Thanks to URIBL and SURBL we don't really worry about these much.

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com



> -----Original Message-----
> From: Jim Smith [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 10, 2006 12:01 PM
> To: users@spamassassin.apache.org
> Subject: RE: SA frequently skipping rules
>
>
> Forgive me for not understanding the porn filtering capability of SA. I ran
> a new email (www.blarneystone.com/spam/spam2.txt) through the SA filter (I
> didn't munge the headers this time). Do I understand it that if an email
> like that was sent from a URL not yet blacklisted, it would be scored very
> low regardless of the high level of porn in it (I kicked it up a few notches
> to make it more obvious)? Or are my SA scores for tagging porn messages just
> not functioning correctly?
>
> Thanks,
>
> Jim Smith
>
> > -----Original Message-----
> > From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 09, 2006 6:47 PM
> > To: Jim Smith
> > Cc: users@spamassassin.apache.org
> > Subject: Re: SA frequently skipping rules
> >
> > Jim Smith wrote:
> > > I'm getting lots of spam that are skipping rules. One that came in recently
> > > with lots of porn only got tagged for SORBS, NUMERIC HELO, and UNPARSEABLE
> > > RELAY (I don't know what unparseable relay means but seems like many emails
> > > have that lately).
> >
> > UNPARSEABLE_RELAY means that, wait for it, one of the relays in the
> > message headers (Received: headers) wasn't parseable.
> >
> >
> > > The full headers & message (uncensored) of that example
> > > is at www.blarneystone.com/spam/spam.txt if that helps.
> >
> > Full headers?  There's nothing left of those headers.  That sample is
> > useless header wise.
> >
> >
> > > If you look at it you can tell that it should have kicked off lots of porn
> > > tags but none were there and it sailed through with a 3.2 score. This has
> > > only happened since I upgraded to SA 3.1.0.
> >
> > I don't see a single thing in the body that should have hit any rules.
> > Except for some URIDNSBL rules [1] that you may or may not be running,
> > but nothing content wise.
> >
> >
> > > I've run SA --lint -D without errors. I thought it might be some
> > > configuration left over from my older SA when I upgraded so I did a clean
> > > install on a new machine and still have the same issue with skipping of
> > > rules. BTW, I know the rules aren't missing from the installation because
> > > they show up in other emails. A sporadic problem... my favorite <sigh>. Any
> > > suggestions?
> >
> > Sporadic, as in, if you scan it again it hits different rules?
> >
> >
> > Daryl
> >
> >
> > [1] My hits on the sample...
> >
> >
> > Content analysis details:   (11.2 points, 5.0 required)
> >
> >   pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >   2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
> >   1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
> >                              [URIs: otrfgrt.com]
> >   3.4 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
> >                              [URIs: otrfgrt.com]
> >   1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
> >                              [URIs: otrfgrt.com]
> >   2.6 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
> >                              [URIs: otrfgrt.com]
> >
>
