Continuation posted at bottom On Friday March 17 2006 10:03 am, Randal, Phil wrote: > Hmm, > > We're blocking loads of these: > > 2.91 DCC_CHECK Listed in DCC > (http://rhyolite.com/anti-spam/dcc/) > 2.00 HC_NEWS News of new spam > 0.10 HTML_70_80 Message is 70% to 80% HTML > 0.10 HTML_FONTCOLOR_RED HTML font color is red > 0.10 HTML_FONTCOLOR_UNSAFE HTML font color not in safe 6x6x6 > palette > 0.10 HTML_MESSAGE HTML included in message > 1.10 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence between 51 and > 100 > 1.05 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) > 2.50 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net > 3.00 RCVD_IN_CBL Received via a host in cbl.abuseat.org. > 2.60 RCVD_IN_DYNABLOCK Sent directly from dynamic IP address > 3.00 RCVD_IN_PSBL Received via a relay in PSBL > 0.10 RCVD_IN_SORBS SORBS: sender is listed in SORBS > 3.00 RCVD_IN_SPAMHAUS_SBL_XBL Listed in SPAMHAUS SBL+XBL > 5.00 URIBL_BLACK Contains an URL listed in the URIBL blacklist > > HC_NEWS just checks for the word "news" in the Subject line. > > Cheers, > > Phil > ---- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: Warren Howard [mailto:[EMAIL PROTECTED] > > Sent: 17 March 2006 14:40 > > To: Dimitri Yioulos; users@spamassassin.apache.org > > Subject: Re: This isn't being tagged > > > > On 03/17/2006 06:59 PM, Dimitri Yioulos wrote: > > > Hello to all. > > > > > > I apologize for earlier posts on this subject; they were > > > > tagged by the list > > > > > because I included the body of the spam which is being > > > > delivered to my users! > > > > > So, there's hope that I can quash this. I searched the > > > > archive, but didn't > > > > > find anything (my search criteria may have been wrong). > > > > > > Over the last few days, mail such as the following has not > > > > been tagged. The > > > > > subject is Re: Pharamacmky news. The subject will change > > > > slightly, as in re: > > > PharamaMzcy news. > > > > > > I have sa 3.0.4-1 (had a bit of trouble w/ 3.1.0, haven't > > > > tried reinstalling > > > > > yet) on a CentOS 3.6 box. I'm using a number of SARE > > > > rulesets, as well as > > > > > pyzor, razor, and dcc. My MTA is semdmail--8.12.11-4.RHEL3.1. > > > > > > Many thanks. > > > > > > Dimitri > > > > Hi, > > > > Same problem for me (using Spamassassin 3.1.0). I keep > > feeding sa-learn > > the "Re: PharamaCFcy news", always the same style of message but each > > time slightly different, the drugs and prices are on the left and > > rubbish like this dacgvishJybzjjt is on the right. The spam > > mail itself > > is in html and the source has lots of this > > > > style > > =3D "float: right"> f </span>a<span=20 > > style > > =3D "float: right"> n </span>I<span=20 > > style > > =3D "float: right"> w </span>i<span=20 > > style > > =3D "float: right"> h </span>u<span=20 > > style > > =3D "float: right"> r </span>m <FONT color=3D#F5421A>$1<span=20 > > style > > =3D "float: right"> v </span>05</FONT> (3<span=20 > > style > > =3D "float: right"> Z9 </span>0 <span=20 > > style > > =3D "float: right"> q </span>p<span=20 > > style > > =3D "float: right"> w </span>i<span=20 > > style > > =3D "float: right"> y </span>l<span=20 > > style > > > > in it and no matter how much I feed to sa-learn I keep getting a Bayes > > score of 00 (BAYES_00=-2.599). > > > > I'm interested to know more about this type of SPAM and what people > > suspect is happening. > > > > > > Thanks, > > > > > > Warren.
Phil, Where does the HC_NEWS rule come from? Might it not adversely affect legitimate mail with "news" in the subject line? Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
