On 25.02.2016 at 01:41, Steve wrote:
> On 24/02/2016 22:59, John Hardin wrote:
>> On Wed, 24 Feb 2016, Steve wrote:
>>
>>> I've used spamassassin for many years - on Ubuntu, using amavisd -
>>> with great success.  In recent months, I've been receiving several
>>> spam messages each day that evade the filters.
>>
>> Can you provide samples? (e.g. three or four on Pastebin)
>
> One of each of the most common forms:

none of those 3 messages should make it into your inbox and at least never get BAYES_00 - looks like bad training!

i tried to obfuscate the URIBL hits because otherwise even the mailing-list would reject my message

http://pastebin.com/Wk2KD1Q1

/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Junk.52024.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Content analysis details:   (20.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 GENERIC_IXHASH         DIGEST: generic.ixhash.net
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [108.62.157.149 listed in wl.mailspike.net]
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: leslie-bib***b.org]
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 3.0 INVESTMENT_ADVICE      BODY: Message mentions investment advice
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5002]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 1.5 IXHASH_CHECK           Message hits one ore more IXHASH digest-sources
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.5 DIGEST_MULTIPLE_LOCAL  Message hits more than one network digest check
                             (razor, pyzor, ixhash)

http://pastebin.com/QCQ9Ymw7

/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND
/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND
/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.007 sec (0 m 0 s)
Content analysis details:   (18.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: pinkhand***print.com]
 3.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: pinkhand***print.com]
-0.1 CUST_DNSWL_2           RBL: score.senderscore.com (Low Trust)
                            [85.195.78.13 listed in score.senderscore.com]
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [85.195.78.13 listed in wl.mailspike.net]
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders

http://pastebin.com/wgkmiJLt

/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND
/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND
/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Content analysis details:   (22.0 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: prepaidfune***ralsuk.com]
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [146.0.229.86 listed in wl.mailspike.net]
 1.5 CUST_DNSBL_21          RBL: score.senderscore.com (senderscore.com High)
                            [146.0.229.86 listed in score.senderscore.com]
 1.0 CUST_DNSBL_25          RBL: score.senderscore.com (senderscore.com Medium)
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5003]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but
                            isn't
 2.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 3.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: prepaidfune***ralsuk.com]
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 0.7 LOTS_OF_MONEY          Huge... sums of money
