On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> Hi, list. I have been under heavy stocks alerts spamming. Currently, my
> setup goes like this:
>
> -Debian Sarge
> -Postfix 2.1.5-9 with VDA patch
> -Amavisd-new 2.4.2
> -SA 3.1.5
> -ClamAV 0.84-2.sarge.1
> -Mysql 4.0.24-10sarge
>
> System was installed and is maintained via apt. I've recently added the
> sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
>
> But since a month or so, I've noticed that in some sender's addresses
> (spammers, of course) there are apostrophes. 

Addresses such as this "Gena Mercer" <that'[EMAIL PROTECTED]> are caught 
here quite easily on my home system:

Content analysis details:   (43.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 BOTNET_NORDNS          IP address has no PTR record
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.4 SARE_LWOILCO           BODY: SARE_LWOILCO
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.243.90.7 listed in sbl-xbl.spamhaus.org]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 5.0 BOTNET                 The submitting mail server looks like part of a
                            Botnet
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Looks like any of the SARE rules, or network tests would kick it over the 
limit. Are you running any of the add-on ClamAV DBs? These are tagged here 
with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even 
running botnet would have put it over your threshold.

-- 
Chris
http://learn.to/quote
