Something's not right there - the URL mentioned in the spam
(deolich-MANGLED.com without the -MANGLED bit) should have hit on both the
SURBL.org and URIBL.com blacklists, yet I don't see hits for either in the
tests that were flagged for this spam - you only have
"BAYES_40,FM_NO_STYLE,HTML_80_90,HTML_MESSAGE".

Also I'd expect at least those tests to give you some score other than 0.0.

I'd first suggest enabling the inline spam report which inserts a more
detailed listing into the headers of each test that triggered and the score
each test received. You can do that by adding the following lines to your
local.cf (check to see if they're not there already):

add_header all Report _REPORT_
report_safe 0

Once you can see the full report in the headers you can then see what score
each test is giving, and that helps with troubleshooting.

For the URIBL lookups to work, you also need the following in local.cf:

local_tests_only 0

The surbl.org rules are included in SpamAssassin already (within
25_uribl.cf), but I don't think the uribl.com rules are - so if you want to
also check the uribl.com blacklists as well, you can simply add the two
rules displayed at http://www.uribl.com/usage.shtml into a new .cf file or
alternatively stick them in your local.cf.

The mangled.cf ruleset won't help with this particular spam, as it's using a
fancy HTML trick to really obfuscate the drug names in such a way that
mangled.cf won't hit on them.

I think the key thing is to get the URIBL lookups working on your system and
also figure out why the tests that *did* trigger on this spam
(BAYES_40,FM_NO_STYLE,HTML_80_90,HTML_MESSAGE) gave a total score of 0.0.
I'm not sure what to check for that, but perhaps someone else can suggest
something. Once that's all solved, I think you'll find most of those spams
are getting nicely filtered out by SpamAssassin! :)

You could also create your own custom rule to filter on the subject of these
spams when they contain spammy words like "PhaPOramacy", e.g.:

header    MY_DRUG_SPAM    Subject =~ /PhaPOramacy/i
describe    MY_DRUG_SPAM    Spam with 'PhaPOramacy' in the subject
score    MY_DRUG_SPAM    2.0

...and score it according to your needs. You can add other spammy subject
words to the above by inserting a "pipe" | character after PhaPOramacy and
then the additional word, e.g.:

Subject =~ /PhaPOramacy|word1|word2|word3/i

Lastly, you might find the attached rule of mine useful - it filters against 
the HTML trick used in this particular spam, assuming the HTML code at 
www.yoursummit.com/pharmNews.html is correct. Score accordingly. I can't see 
any reason why a non-spam email would use such HTML code, but I don't have 
any way of testing it against a corpus of spam/ham to check for false 
positives.

Cheers,
Jeremy
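
The checks suggested above, as an added Python example that is not part of the original post or of SpamAssassin: it unfolds X-Spam-Status, lists the tests that fired, and flags the symptoms discussed (network tests off, no URIBL hit, tests with a 0.0 total). The sample headers and local.cf are constructed, the function names are made up here, and it assumes URI blacklist rule names start with URIBL_, as the stock 25_uribl.cf rules do.

```python
import re
from email import message_from_string

# Constructed sample: X-Spam-Status from the quoted message, folded as on the wire.
SAMPLE_HEADERS = (
    "Subject: Re: PhaPOramacy news\n"
    "X-Spam-Status: No, score=-0.0 required=3.5 tests=BAYES_40,FM_NO_STYLE,\n"
    "\tHTML_80_90,HTML_MESSAGE autolearn=no version=3.0.2\n\n"
)
# Constructed local.cf that still has network tests switched off.
SAMPLE_LOCAL_CF = "report_safe 0\nlocal_tests_only 1\n"

def parse_spam_status(raw_headers):
    """Return score, required and fired tests from X-Spam-Status, or None."""
    status = message_from_string(raw_headers).get("X-Spam-Status", "")
    # Unfold the header and close the gap a fold leaves inside the tests list.
    status = re.sub(r",\s+", ",", " ".join(status.split()))
    m = re.search(r"score=(\S+) required=(\S+) tests=(\S*)", status)
    if m is None:
        return None
    tests = [t for t in m.group(3).split(",") if t and t != "none"]
    return {"score": float(m.group(1)), "required": float(m.group(2)), "tests": tests}

def cf_value(cf_text, key):
    """Last value given for a setting in .cf text, ignoring # comments."""
    value = None
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            value = parts[1].strip()
    return value

def triage(raw_headers, cf_text):
    """List the symptoms discussed in the thread that this message shows."""
    findings = []
    if cf_value(cf_text, "local_tests_only") == "1":
        findings.append("local_tests_only is 1: network tests (URIBL lookups) are off")
    status = parse_spam_status(raw_headers)
    if status is None:
        return findings + ["no parsable X-Spam-Status header"]
    # Assumption: URI blacklist rule names start with URIBL_, as in 25_uribl.cf.
    if not any(t.startswith("URIBL_") for t in status["tests"]):
        findings.append("no URIBL_* test fired")
    if status["tests"] and status["score"] == 0.0:
        findings.append("tests fired but the total is 0.0: check per-test scores")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_HEADERS, SAMPLE_LOCAL_CF)))
```
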



"Tracey Gates" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
I have URIBL lookups enabled.  I have also increased my score in
mangled.cf.  I have posted the email that I'm receiving at
www.yoursummit.com/pharmNews.html if you'd like to view the actual email
content.  Below is the header of the latest email that I've gotten.  The
names of the drugs are in blue and the dollar amounts are in red along.
I'm still at a loss as to what I need to do to get these stopped.

Here is the output of doing the "spamassassin --lint -D":

debug: config: read file /etc/mail/spamassassin/25_uribl.cf
....
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa96f558)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa95afa4)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa95c66c)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa96f558) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa95afa4) implements 'parse_config'


Here is the Header info:

Received: by yoursummit.com (CommuniGate Pro PIPE 4.3.8)
    with PIPE id 2829044; Tue, 14 Mar 2006 04:05:46 -0600
Received: from [81.104.204.233] (HELO gcsincorp.com)
    by yoursummit.com (CommuniGate Pro SMTP 4.3.8)
    with SMTP id 2829043
    for [EMAIL PROTECTED]; Tue, 14 Mar 2006 04:05:38 -0600
Subject: Re: PhaPOramacy news
Date: Tue, 14 Mar 2006 04:04:55 -0600
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Thread-Topic: PhaPOramacy news
Priority: Normal
Importance: normal
X-MSMail-Priority: normal
X-Priority: 3
Sensitivity: Normal
From: "Kanta Bramblett" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
X-Real-To: "Tracey Gates" <[EMAIL PROTECTED]>
X-Mailer: CommuniGate Pro MAPI Connector 1.1.22
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
    yoursummit.com
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=3.5 tests=BAYES_40,FM_NO_STYLE,
    HTML_80_90,HTML_MESSAGE autolearn=no version=3.0.2
X-TFF-CGPSA-Version: 1.4
X-TFF-CGPSA-Filter: Scanned
Content-Type: multipart/alternative;
    boundary="----_=_NextPart_11254_00012994.00004466"




Tracey Gates
Lead Developer
[EMAIL PROTECTED]

1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840

This communication is intended only for the recipient(s) named above;
may be confidential and/or legally privileged; and, must be treated as
such in accordance with state and federal laws. If you are not the
intended recipient, you are hereby notified that any use of this
communication, or any of its contents, is prohibited. If you have
received this communication in error, please reply to the sender and
then delete the message from your computer system immediately. 

