On 25.02.2016 at 01:41, Steve wrote:
> On 24/02/2016 22:59, John Hardin wrote:
>> On Wed, 24 Feb 2016, Steve wrote:
>>> I've used spamassassin for many years - on Ubuntu, using amavisd - with great success. In recent months, I've been receiving several spam messages each day that evade the filters.
>> Can you provide samples? (e.g. three or four on Pastebin)
> One of each of the most common forms:

None of those 3 messages should make it into your inbox, and at the least they should never get BAYES_00 - looks like bad training!

I tried to obfuscate the URIBL hits because otherwise even the mailing list would reject my message.

http://pastebin.com/Wk2KD1Q1

/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Junk.52024.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND
/var/www/uploadtemp/ac5a53b19de9a182194b8e94cb6724eb4b3ce574.eml: Sanesecurity.Blurl.6a2ebd.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)

Content analysis details:   (20.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 GENERIC_IXHASH         DIGEST: generic.ixhash.net
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [108.62.157.149 listed in wl.mailspike.net]
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: leslie-bib***b.org]
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 3.0 INVESTMENT_ADVICE      BODY: Message mentions investment advice
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5002]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 1.5 IXHASH_CHECK           Message hits one ore more IXHASH digest-sources
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.5 DIGEST_MULTIPLE_LOCAL  Message hits more than one network digest check
                            (razor, pyzor, ixhash)

http://pastebin.com/QCQ9Ymw7

/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND
/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND
/var/www/uploadtemp/cb2bd7249493a618230fc12473f311ee092a9c6a.eml: Sanesecurity.Blurl.56d5c1.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.007 sec (0 m 0 s)

Content analysis details:   (18.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: pinkhand***print.com]
 3.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: pinkhand***print.com]
-0.1 CUST_DNSWL_2           RBL: score.senderscore.com (Low Trust)
                            [85.195.78.13 listed in score.senderscore.com]
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [85.195.78.13 listed in wl.mailspike.net]
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders

http://pastebin.com/wgkmiJLt

/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND
/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND
/var/www/uploadtemp/2b347c5c822e16759bd054a801a83b5082cd5666.eml: Sanesecurity.Blurl.3a3854.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)

Content analysis details:   (22.0 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: prepaidfune***ralsuk.com]
-0.3 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [146.0.229.86 listed in wl.mailspike.net]
 1.5 CUST_DNSBL_21          RBL: score.senderscore.com (senderscore.com High)
                            [146.0.229.86 listed in score.senderscore.com]
 1.0 CUST_DNSBL_25          RBL: score.senderscore.com (senderscore.com Medium)
 1.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=gw.shic.co.uk;ip=192.168.42.2;r=mail-gw.thelounge.net]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5003]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII but isn't
 2.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 3.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: prepaidfune***ralsuk.com]
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 0.7 LOTS_OF_MONEY          Huge... sums of money