On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> Hi, list. I have been under heavy stocks alerts spamming. Currently, my
> setup goes like this:
>
> -Debian Sarge
> -Postfix 2.1.5-9 with VDA patch
> -Amavisd-new 2.4.2
> -SA 3.1.5
> -ClamAV 0.84-2.sarge.1
> -Mysql 4.0.24-10sarge
>
> System was installed and is maintained via apt. I've recently added the
> sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
>
> But since a month or so, I've noticed that in some sender's addresses
> (spammers, of course) there are apostrophes.
Addresses such as this "Gena Mercer" <that'[EMAIL PROTECTED]> are caught here
quite easily on my home system:

Content analysis details:   (43.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 BOTNET_NORDNS          IP address has no PTR record
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.4 SARE_LWOILCO           BODY: SARE_LWOILCO
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.243.90.7 listed in sbl-xbl.spamhaus.org]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Looks like any of the sare rules, or network tests would kick it over the
limit. Are you running any of the add-on clamav db's? These are tagged here
with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even
running botnet would have put it over your threshold.

-- 
Chris
http://learn.to/quote
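To make the arithmetic behind the reply concrete, here is an added Python example (not code from this thread or from SpamAssassin) that parses a "Content analysis details" report of the form quoted above and totals the hits per family of rules, so you can see which family on its own clears the required score. The sample report is the one from the reply, reproduced inline as constructed input; the family names and the rule-name prefixes that define them are my own grouping, not a SpamAssassin concept.

```python
import re

# Constructed sample input: the "Content analysis details" block quoted in the
# reply above, laid out the way SpamAssassin prints it (score, rule name,
# description; wrapped descriptions continue on indented lines).
REPORT = """\
Content analysis details:   (43.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 BOTNET_NORDNS          IP address has no PTR record
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.4 SARE_LWOILCO           BODY: SARE_LWOILCO
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.243.90.7 listed in sbl-xbl.spamhaus.org]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

HEADER_RE = re.compile(r"\(\s*(-?\d+(?:\.\d+)?) points,\s*(-?\d+(?:\.\d+)?) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+(\S+)\s+(.*)$")

# Rule families used for the per-family totals. This prefix mapping is an
# assumption made for the example, derived from the rule names in the report.
FAMILIES = (
    ("sare", lambda r: r.startswith("SARE_")),
    ("bayes", lambda r: r.startswith("BAYES_")),
    ("clamav", lambda r: r == "CLAMAV"),
    ("botnet", lambda r: r == "BOTNET" or r.startswith("BOTNET_")),
    ("network", lambda r: r.startswith(("RAZOR2_", "PYZOR_", "DCC_", "RCVD_IN_"))
                          or r == "DIGEST_MULTIPLE"),
)


def parse_header(report):
    """Return (reported_total, required_score) from the report header line."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    return float(m.group(1)), float(m.group(2))


def parse_hits(report):
    """Return a list of (score, rule, description) for every rule that fired."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line[:1].isspace() and line.strip():
            # Indented line: continuation of the previous rule's description.
            score, rule, desc = hits[-1]
            hits[-1] = (score, rule, desc + " " + line.strip())
    return hits


def family_of(rule):
    for name, matches in FAMILIES:
        if matches(rule):
            return name
    return "other"


def family_totals(hits):
    """Sum the scores of the hits per family, keyed by family name."""
    totals = {}
    for score, rule, _ in hits:
        fam = family_of(rule)
        totals[fam] = totals.get(fam, 0.0) + score
    return totals


def is_spam(score, required):
    """SpamAssassin's verdict: spam when the score reaches the required score."""
    return score >= required


def families_over_threshold(totals, required):
    """Families whose hits alone would have tagged the message as spam."""
    return sorted(f for f, s in totals.items() if is_spam(s, required))


def summarize(report):
    reported_total, required = parse_header(report)
    hits = parse_hits(report)
    totals = family_totals(hits)
    return {
        "reported_total": reported_total,
        "required": required,
        # Listed scores are printed rounded to one decimal, so their sum can
        # differ slightly from the total in the header.
        "summed_total": round(sum(s for s, _, _ in hits), 1),
        "families": {f: round(s, 1) for f, s in totals.items()},
        "sufficient_alone": families_over_threshold(totals, required),
    }


if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"reported {s['reported_total']}, summed {s['summed_total']}, required {s['required']}")
    for fam, score in sorted(s["families"].items(), key=lambda kv: -kv[1]):
        print(f"  {fam:8} {score:5.1f}", "spam on its own" if is_spam(score, s["required"]) else "")
```

Run as-is it reports that the SARE body rules (6.3), the network tests (13.1), Bayes (5.0), the ClamAV signature (10) and the BOTNET rule (5.0) each clear the 5.0 threshold independently, which is the point of the reply; only the remaining header and greylist rules (3.9) fall short. Note that the summed score differs from the reported 43.1 by 0.2, purely because the listed per-rule scores are rounded.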