Hello Chris,
Wednesday, March 8, 2006, 2:37:47 AM, you wrote:
CP> The attached newsletter is triggering the following rules:
CP> X-Spam-Report:
CP> * 0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
CP> * 0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
CP> * 0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
CP> * 1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
CP> * 0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
CP> * 1.7 SARE_HTML_USL_FONT RAW: Another spam attempt
CP> I looked through the source and didn't see any obvious attempts at
CP> obfuscation or trying to fool the Bayes filter. Are these rules
CP> triggering properly?
CP> I don't know what SARE_HTML_USL_FONT means either.
Not necessarily obvious attempts at obfuscation -- really horrible
HTML often looks that way.
SARE_HTML_USL_xxx are USLess HTML tags. In this case there's a FONT
tag with nothing in it, something like (using parens to make sure no
mail reader tries to interpret this as HTML):
> (FONT size=4)(/FONT)
The Bayes poison rules are looking for rather stiff patterns of word
length which are normally seen only in spam. SARE_BAYES_7x7 hit on
> 2006Mar 2006Apr 2006May 2006Jun 2006Jul 2006Aug 2006Sep
Here, the message hit:
X-Spam-Status: Yes, score=8.6 required=5.0 tests=FB_SINGLE_0WORD,
FU_DOM_END_NUM,FU_LONG_QUERY,HTML_BACKHAIR_8,HTML_MESSAGE,
HTML_OBFUSCATE_05_10,HTML_TAG_EXIST_TBODY,SARE_BAYES_5x7,
SARE_BAYES_6x7,SARE_BAYES_7x7,SARE_HTML_URI_SPACER,SARE_HTML_USL_FONT,
SARE_MSGID_RATWARE1,SARE_OEM_S_PRICE,SARE_UNSUB18,UNPARSEABLE_RELAY
autolearn=no version=3.1.0
Bob Menschel
