On 12/11/2017 10:59 AM, Reindl Harald wrote:
On 11.12.2017 at 16:44, Mark London wrote:
I'm getting a lot of flakey spam messages, that don't trigger any
significant spamassassin rules, even though it obviously looks really
bogus.
Here's an example. Any suggestions?
https://pastebin.com/bZUt0ThS
These spams are being sent to my gmail account, and then forwarded to
my work address. I tried stripping off all the forwarding headers,
but it doesn't trigger any RBLs
don't mangle samples!
you make it impossible to help others
S25R_4 is pretty sure caused by your touching
Content analysis details: (10.0 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 T_OBFU_ATTACH_MISSP    Obfuscated attachment type and misspaced From
 1.0 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
 0.1 BOGOFILTER_UNSURE      BOGOFILTER: message is Unsure with bogofilter-score 0.5000
Sorry, I tried to strip off the forwarding headers. But for some
reason, that triggers S25R_4. Here's the full email.
https://pastebin.com/mssjURra
I wonder why it doesn't trigger any image rules.
HTML_TAG_BALANCE_HEAD was not an enabled rule for me, so I enabled it. I
also increased the score of DKIM_ADSP_NXDOMAIN.
Still, it seems so bogus an email, because of its manually created html
(href and img includes both upper and lower case characters), that a
more major rule should be catching it, maybe?
- Mark
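
The mixed-case markup observation in the message above can be tested offline before writing a rule for it. The following is an added example, not code from the thread or from SpamAssassin; the function and class names, the watch list and both sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attribute names checked for odd casing (assumed watch list; "href" is the
# one named in the message). Not every attribute is checked, because some
# SVG attributes such as viewBox are legitimately mixed case.
WATCHED_ATTRS = {"href", "src"}

TAG_NAME_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")
# Attribute name plus its value; consuming the value keeps text inside
# quoted URLs (e.g. "?src=1") from being read as an attribute name.
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)""")


def is_mixed_case(name):
    """True for 'hRef' or 'ImG'; False for 'href', 'HREF' or 'A'."""
    return name != name.lower() and name != name.upper()


class MixedCaseScanner(HTMLParser):
    """Collects tag and watched attribute names written in mixed case."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names, so inspect the raw tag text instead.
        raw = self.get_starttag_text()
        m = TAG_NAME_RE.match(raw)
        if m and is_mixed_case(m.group(1)):
            self.hits.append(("tag", m.group(1)))
        for am in ATTR_RE.finditer(raw):
            name = am.group(1)
            if name.lower() in WATCHED_ATTRS and is_mixed_case(name):
                self.hits.append(("attr", name))


def scan(html):
    scanner = MixedCaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed samples: hand-typed-looking markup vs. ordinary markup.
SAMPLE_SPAM = ('<HtMl><bOdY><A hRef="http://example.invalid/?src=1">'
               '<ImG sRc="http://example.invalid/a.png"></A></bOdY>')
SAMPLE_HAM = ('<html><body><A HREF="http://example.org/"><img src="cid:l">'
              '</A><svg viewBox="0 0 1 1"></svg></body></html>')

if __name__ == "__main__":
    print(scan(SAMPLE_SPAM))
    print(scan(SAMPLE_HAM))
```

Running it over a corpus of known ham first shows how often legitimate senders produce the same pattern, which is what decides the score such a rule could carry.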