On Mon, 21 Oct 2013, Mauricio Tavares wrote:
> Trying to figure out why RP_MATCHES_RCVD scored so low. Is it
> because Return-Path: <se...@c001n01.zahost.ru> and the last
> Received matches that domain? If so, anything I can do to score it as
> the proper spam it is?

RP_MATCHES_RCVD is a check that the message metadata is internally
consistent. While giving it a negative score may not be justified, don't
think that it's useful as a spam indicator and should have a positive
score.

In fact, as spams usually exhibit internal *inconsistencies* due to being
largely forged, a message *not* hitting RP_MATCHES_RCVD may actually be a
better spam indicator - that's probably the reason that it has a negative
score.

Given the surge in WhatsApp spams recently (I've been getting a lot) I
think I should add some specific rules to my sandbox for testing.

For the time being, you might want to do this in your local rules:

    body   __VOICEMAIL   /\bYou have a new voicemail!/i
    body   __WHATSAPP    /\bWhatsApp\b/
    meta   LCL_WHATSAPP  __WHATSAPP && __VOICEMAIL
    score  LCL_WHATSAPP  1.000

That should be enough to push it over the threshold without FPs on
legitimate (non-WhatsApp) voicemail notifications.

Pointers from anyone who actually uses WhatsApp about how to distinguish
legitimate voicemail notifications from these spams are solicited.

-------- Original Message --------
Return-Path: <se...@c001n01.zahost.ru>
Delivered-To: r...@domain.com
Received: from localhost (localhost [127.0.0.1]) by
mail.domain.com (Postfix) with ESMTP id CAE8980058; Sun, 20
Oct 2013 22:10:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.domain.com
X-Spam-Flag: NO
X-Spam-Score: 4.1
X-Spam-Level: ****
X-Spam-Status: No, score=4.1 required=4.7 tests=[BAYES_99=4.2,
HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37] autolearn=no
Received: from mail.domain.com ([127.0.0.1]) by localhost
(mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with SMTP id Fzg7udDKz5bJ; Sun, 20 Oct 2013 22:10:17 -0400 (EDT)
Received: from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client
certificate requested) by mail.domain.com (Postfix) with
ESMTPS id 669DC80051 for <i...@domain.com>; Sun, 20 Oct 2013 22:10:15
-0400 (EDT)
Received: from localhost.zahost.ru ([127.0.0.1] helo=c001n01.zahost.ru)
by c001n01.zahost.ru with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69
(FreeBSD)) (envelope-from <se...@c001n01.zahost.ru>) id 1VY1ND-0005fT-Kk
for i...@domain.com; Mon, 21 Oct 2013 02:21:23 +0400
Received: (from semik@localhost) by c001n01.zahost.ru
(8.14.4/8.13.8/Submit) id r9KMLM0s021783; Mon, 21 Oct 2013 02:21:22
+0400 (MSD) (envelope-from semik)
Date: Mon, 21 Oct 2013 02:21:22 +0400 (MSD)
Message-Id: <201310202221.r9kmlm0s021...@c001n01.zahost.ru>
To: i...@domain.com
Subject: 4 New Voicemail(s)
X-PHP-Script: 35x35.ru/ for 127.0.0.1
From: WhatsApp Messaging Service <serv...@35x35.ru>
X-Mailer: Spmailver8.5
Reply-To: WhatsApp Messaging Service <serv...@35x35.ru>
Mime-Version: 1.0
Content-Type:
multipart/alternative;boundary="----------138230768252645762B1112"
WhatsApp
You have a new voicemail!
*Details*
Time of Call: Oct-15 2013 07:55:57
Lenth of Call: 57 seconds
Play
<http link has been removed>
*If you cannot play, move message to the "Inbox" folder.
2013 WhatsApp Inc
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws aren't enacted to control guns, they are enacted
to control people: catholics (1500s), japanese peasants (1600s),
blacks (1860s), italian immigrants (1911), the irish (1920s),
jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
508 days since the first successful private support mission to ISS (SpaceX)
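
An added illustration, not part of the original message and not SpamAssassin's own code: a simplified version of the consistency check behind RP_MATCHES_RCVD, plus the effect of the LCL_WHATSAPP meta rule on the 4.1 score against the 4.7 threshold. The headers are constructed with placeholder domains, and `local_hosts`, `base_domain` and the two-label domain comparison are assumptions made for the sketch.

```python
import email
import re

# Constructed sample modelled on the quoted message; domains are placeholders.
RAW = """\
Return-Path: <bounce@host1.example.net>
Received: from localhost (localhost [127.0.0.1]) by mail.example.org (Postfix);
 Sun, 20 Oct 2013 22:10:19 -0400
Received: from host1.example.net (host1.example.net [192.0.2.48])
 by mail.example.org (Postfix) with ESMTPS; Sun, 20 Oct 2013 22:10:15 -0400
Subject: 4 New Voicemail(s)

WhatsApp
You have a new voicemail!
"""
# Scores and threshold as shown in the X-Spam-Status header and the local rule.
SCORES = {"BAYES_99": 4.2, "HTML_MESSAGE": 1.27,
          "RP_MATCHES_RCVD": -1.37, "LCL_WHATSAPP": 1.0}
REQUIRED = 4.7

def base_domain(host):
    # Assumption: naive "last two labels"; a real filter needs a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def rp_matches_rcvd(msg, local_hosts=("localhost",)):
    """Envelope sender domain equals the domain of the first non-local relay."""
    sender = re.search(r"@([^>\s]+)", msg.get("Return-Path", ""))
    for rcvd in msg.get_all("Received", []):          # newest hop first
        relay = re.match(r"\s*from\s+(\S+)", rcvd)
        if sender and relay and relay.group(1) not in local_hosts:
            return base_domain(relay.group(1)) == base_domain(sender.group(1))
    return False

def lcl_whatsapp(body):
    # Same two patterns and the same AND as the meta rule in the message.
    voicemail = re.search(r"\bYou have a new voicemail!", body, re.I)
    whatsapp = re.search(r"\bWhatsApp\b", body)
    return bool(voicemail and whatsapp)

def evaluate(raw, with_local_rule):
    msg = email.message_from_string(raw)
    hits = ["BAYES_99", "HTML_MESSAGE"]   # taken as given, not recomputed here
    if rp_matches_rcvd(msg):
        hits.append("RP_MATCHES_RCVD")
    if with_local_rule and lcl_whatsapp(msg.get_payload()):
        hits.append("LCL_WHATSAPP")
    score = round(sum(SCORES[h] for h in hits), 2)
    return hits, score, score >= REQUIRED
```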