On Mon, 26 Apr 2010, Alex wrote:

> Hi,
>
> I'm seeing an increase in zip attachment spam, and hoped someone could
> help me figure out why it isn't being properly tagged. Are others
> seeing this? Is BAYES_99 being triggered or is it lower?
>
> Here's an example:
>
> http://pastebin.com/h9JwTQ9T
>
> The score is very low. Does someone have an idea of other
> characteristics that I can flag on?

FWIW, here's what I'm getting for that message:

Content analysis details:   (15.5 points, 6.0 required, autolearn=no)

 pts rule name              description
---- ---------------------- ------------------------------------------
 1.7 RATWARE_GECKO_BUILD    Bulk email fingerprint (Gecko faked) found
 0.1 RATWR10_MESSID         Message-ID has ratware pattern (HEXHEX.HEXHEX@)
 1.1 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/why.html?sender=debenture%40us.randstad.com&ip=80.12.242.26&receiver=server37.icaen.uiowa.edu]
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 5.0 L_CLAMAV               Clam AntiVirus detected a virus
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?80.14.188.63>]
 2.0 MY_CLAMAV              MY_CLAMAV
 0.0 T__MY_CLAMAV_SANE      T__MY_CLAMAV_SANE

Major hits are BAYES_99 & Sane-Security sigs in ClamAV, minor hits
from spamcop & spf-fail plus some custom rules.
Without the Sane hits it still would have made it over my threshold.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{