On 6/4/2014 11:04 AM, Daniele Paoni wrote:
On 06/04/2014 04:36 PM, Bowie Bailey wrote:
The problem isn't that BAYES_00 subtracts 1.9 points. The problem is
that you DON'T get the 3.5 points added from BAYES_99, which is what
should have hit. Even if it got to BAYES_60, you still would have
gotten 1.5 points, which would have increased your score by 3.4 points.
I will try to retrain my bayes database.
There are some rules for obfuscated words both in html and plain text.
But the spammers are always finding new methods. Paste the original
message text to www.pastebin.com and give us the link. That way we can
see what the message looks like and give you better suggestions for how
to catch that type of message.
Ok, the original message is here.
http://pastebin.ca/2794087
That message would have been blocked before it even got to my spam
folder. Even taking out the blacklists and Bayes, it still would have
scored 5.2 and I think those are all stock rules. Actually, the KAM
rule indicates that it would have also hit Spamhaus, which I have as a
blacklist in my MTA, so this message would not have even gotten as far
as SA.
X-Spam-Status: Yes, score=20.0 required=4.0 tests=BAYES_99,BAYES_999,
FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTML_OBFUSCATE_10_20,
KAM_VERY_BLACK_DBL,LONGWORDS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
TO_NO_BRKTS_MSFT,T_REMOTE_IMAGE,URIBL_BLACK,URIBL_DBL_SPAM
autolearn=disabled
version=3.4.0
X-Spam-Report:
* 4.1 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser
mail provider
* (munge[at]outlook.com)
* 2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
* [URIs: munge.com]
* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: munge.com]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
* [65.54.190.220 listed in wl.mailspike.net]
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.1 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML
obfuscation
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to
* background
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
* 2.0 LONGWORDS Long string of long words
* 5.0 KAM_VERY_BLACK_DBL Email that hits both URIBL Black and
Spamhaus DBL
* 0.0 T_REMOTE_IMAGE Message contains an external image
* 3.1 TO_NO_BRKTS_MSFT To: misformatted and supposed
Microsoft tool
TO_NO_BRKTS_MSFT is the only major rule I didn't see hit in your
message. I can't tell which version of SA you have, but you should also
make sure you are up to date (3.4.0) and run sa-update to make sure you
have all of the latest rules.
--
Bowie
