On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> <p>God dag,<strong> </strong></p><span> </span>
> <a name="#qppp">
> </a><br><br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured.
> <br>***<br>
>
> The part that's noteworthy is this:
>
> <br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured.
> <br>***<br>
>
> Does someone have a rule for this ready made?
>
> Thanks

Scored pretty well here, do you have network checks active? The "SOUGHT" rule scored well too. The 'virus' that was detected is a Sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?79.86.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details:   (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?190.46.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many]
                            [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores; however, my ISP, Embarq, sometimes has a tendency to block my posts even with IPs in the body such as above. They're using CMAE so I don't know if that's something it does or not. I've Bcc'd myself on the first post and it went through to me but then I have no idea what the CMAE hashes mean.

-- 
Chris
KeyID 0xE372A7DA98E6705C