On 11 Dec 2017, at 10:44 (-0500), Mark London wrote:

I'm getting a lot of flakey spam messages, that don't trigger any significant spamassassin rules, even though it obviously looks really bogus.

Here's an example.   Any suggestions?

https://pastebin.com/bZUt0ThS

These spams are being sent to my gmail account, and then forwarded to my work address. I tried stripping off all the forwarding headers, but it doesn't trigger any RBLs.

As Dave said, this is deeply suboptimal for filtering. Unless you've got some way to make SA look past the Google relays, you'll never see DNSBL hits for the SMTP source, because you'll only see Google. For URIDNSBLs, on body URIs you might get better luck but if you're early in the spam run you might not.

FWIW, Dave's scoring is highly customized and uses KAM's additional rules, but even a closer-to-default rig thinks that is spam:


Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- ---------------------------

-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0047]
 0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
 1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num

Note that bad Bayes score, which is because my system never sees this sort of spam. Also: I noticed something interesting in that spam that I'm working on rules for...


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
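
The point above about only seeing the forwarder's relays, as an added example that is not part of the original message and not SpamAssassin's own code: a simplified model of choosing the "last external" relay from Received headers, which is what SpamAssassin's `trusted_networks` / `internal_networks` settings control. The headers, hostnames, documentation-range IPs and the `dnsbl.example` zone are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: documentation-range IPs stand in for real hosts.
# 198.51.100.0/24 plays the forwarding provider, 192.0.2.0/24 the local site.
RAW = """\
Received: from fwd2.provider.example (fwd2.provider.example [198.51.100.20])
\tby mx.work.example with ESMTP; Mon, 11 Dec 2017 10:00:03 -0500
Received: from fwd1.provider.example (fwd1.provider.example [198.51.100.10])
\tby fwd2.provider.example with ESMTP; Mon, 11 Dec 2017 10:00:02 -0500
Received: from host-7-22.dyn.example (host-7-22.dyn.example [203.0.113.77])
\tby fwd1.provider.example with ESMTP; Mon, 11 Dec 2017 10:00:01 -0500
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw):
    """Connecting IPs from Received headers, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def last_external(raw, trusted):
    """First relay, walking outward from our MX, that is not in a trusted net."""
    # Stop at the first untrusted hop: headers below it were written by
    # hosts we do not trust, so they could be forged.
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in relay_ips(raw):
        if not any(ip in net for net in nets):
            return ip
    return None

def dnsbl_query(ip, zone="dnsbl.example"):
    """Name a DNSBL lookup would query (hypothetical zone): reversed octets."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

if __name__ == "__main__":
    for trusted in (["192.0.2.0/24"], ["192.0.2.0/24", "198.51.100.0/24"]):
        ip = last_external(RAW, trusted)
        print(trusted, "->", ip, dnsbl_query(ip))
```

With only the local network trusted, the address checked is the forwarder's own relay; once the forwarder's range is also trusted, the check reaches the host that actually handed the message to the forwarder.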
