Clay Davis wrote:
> I would appreciate any guidance that you feel would make my SA setup
> stronger. These types of messages (attached) keep squeaking
> through... is my setup weak or have I broken something? To the
> layman's eye, they look pretty spammy.
>
> I am running v3.0.2 and I just went through all the SARE updates about
> 2 weeks ago, but these messages still score under my 4.5 threshold for
> spam. In my setup they score as follows:
>
> viagra.txt
>
>  pts rule name              description
> ---- ---------------------- ------------------------------------------
>  0.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                             [score: 0.0000]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 AWL                    AWL: From: address is in the auto
>                             white-list
>
>
> PillGraphic.txt
>
>  pts rule name              description
> ---- ---------------------- ------------------------------------------
>  0.5 SARE_HTML_URI_LHOST30  URI: Long unbroken string within URI
>  0.1 HTML_80_90             BODY: Message is 80% to 90% HTML
>  0.5 BAYES_40               BODY: Bayesian spam probability is 20 to
>                             40%
>                             [score: 0.2135]
>  0.5 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of
>                             words
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME
>                             parts
>  0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
>  0.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
>  1.7 SARE_GIF_STOX          Inline Gif with little HTML

My first attempt was rejected by the list, so let me try again with the
URIs stripped out...

You should be catching these easily. The first thing I would do is fix
your Bayes database. If it is assigning BAYES_00 to a spam message, then
something is seriously wrong. Once you have fixed it, you should put
back the default scores. BAYES_00 should score negative under normal
conditions.

Razor, DCC, Pyzor, and URIBL are also useful against these types of
spams.

This is what I got on those two messages. Note that Razor2, URIBL, and a
properly functioning Bayes database tore them apart.

Viagra.txt:

X-Spam-Status: Yes, score=41.1 ...
X-Spam-Report:
    *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *      [score: 1.0000]
    *  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    *      above 50%
    *      [cf: 100]
    *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    *      [cf: 100]
    *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    *  1.9 DNS_FROM_RFC_BOGUSMX RBL: Envelope sender in
    *      bogusmx.rfc-ignorant.org
    *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    *  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    *  4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
    *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    *  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *  3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    *  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    *  0.8 DIGEST_MULTIPLE Message hits more than one network digest check

PillGraphic.txt:

X-Spam-Status: Yes, score=28.8 ...
X-Spam-Report:
    *  0.6 J_CHICKENPOX_27 BODY: 2alpha-pock-7alpha
    *  0.9 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
    *  1.8 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
    *      [score: 0.9723]
    *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
    *  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    *      above 50%
    *      [cf: 100]
    *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    *      [cf: 100]
    *  0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
    *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    *  4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
    *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    *  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    *  0.3 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary
    *  1.7 SARE_GIF_STOX Inline Gif with little HTML

--
Bowie
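
The comparison made in this thread can be automated. The following is an added example, not part of either post: it parses SpamAssassin report lines, totals the score per test family, and flags the two problems the reply points at. The grouping of rules by name prefix and the two warning checks are assumptions of this example, meant for reports taken from messages already known to be spam.

```python
import re
from collections import defaultdict

# Rule-name prefix -> test family. The grouping is this example's assumption.
FAMILIES = [("BAYES_", "bayes"), ("RAZOR2_", "razor"), ("DCC_", "dcc"),
            ("PYZOR_", "pyzor"), ("DIGEST_", "digest"), ("URIBL_", "uribl"),
            ("RCVD_IN_", "dnsbl"), ("DNS_FROM_", "dnsbl")]
NETWORK = {"razor", "dcc", "pyzor", "digest", "uribl", "dnsbl"}
# A hit line: optional quote marks and "*", a score, then an upper-case rule name.
HIT = re.compile(r"^[>\s]*\*?\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

def parse_hits(report):
    """Return [(score, rule)]; wrapped description lines do not match and are skipped."""
    return [(float(m.group(1)), m.group(2))
            for m in map(HIT.match, report.splitlines()) if m]

def family(rule):
    return next((fam for prefix, fam in FAMILIES if rule.startswith(prefix)), "local")

def summarize(report):
    """Total score contributed by each test family."""
    totals = defaultdict(float)
    for score, rule in parse_hits(report):
        totals[family(rule)] += score
    return {fam: round(total, 1) for fam, total in totals.items()}

def findings(report):
    """Configuration warnings for a report taken from a message known to be spam."""
    hits, out = parse_hits(report), []
    if any(rule == "BAYES_00" and score >= 0 for score, rule in hits):
        out.append("BAYES_00 is not negative: default score overridden")
    if not any(family(rule) in NETWORK for _, rule in hits):
        out.append("no network test hit: check Razor/DCC/Pyzor/URIBL")
    return out

# Samples constructed from report lines quoted in the thread (CAUGHT is an excerpt).
MISSED = """\
 0.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
     [score: 0.0000]
 0.0 HTML_MESSAGE BODY: HTML included in message
 0.0 AWL AWL: From: address is in the auto white-list
"""
CAUGHT = """\
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* 0.5 RAZOR2_CHECK Listed in Razor2
* 2.2 DCC_CHECK Listed in DCC
* 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
"""
```

Calling `findings(MISSED)` returns both warnings, while `findings(CAUGHT)` returns an empty list.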