On Wed, 12 Jul 2006, Loren Wilton wrote:
NO! That string is part of the configuration file for RulesDuJour, or RDJ as it is commonly referenced.

I'm not sure you need the RulesDuJour to catch this image-only
spam.  I'm regularly getting such messages (composed of just a
big block of GIFs), and they're getting caught on a SA 3.1.3
install with just the stock rules plus some network tests.
(The network tests I'm using are razor, dcc, and various RBLs
including spamcop and NJABL.)

I'm getting scores like this:

        score=9.367, required 6,
        BAYES_99 3.50, EXTRA_MPART_TYPE 1.09, FORGED_RCVD_HELO
        0.14, HTML_90_100 0.11, HTML_IMAGE_ONLY_12
        1.87, HTML_MESSAGE 0.00, MIME_HTML_MOSTLY 1.10,
        RCVD_IN_BL_SPAMCOP_NET 1.56

        score=13.352, required 6,
        BAYES_99 3.50, EXTRA_MPART_TYPE 1.09, FROM_LOCAL_NOVOWEL
        2.86, HTML_90_100 0.11, HTML_IMAGE_ONLY_08
        3.13, HTML_MESSAGE 0.00, MIME_HTML_MOSTLY 1.10,
        RCVD_IN_BL_SPAMCOP_NET 1.56

        score=16.168, required 6,
        BAYES_99 3.50, EXTRA_MPART_TYPE 1.09, HELO_DYNAMIC_HCC
        4.10, HELO_DYNAMIC_IPADDR2 3.82, HTML_90_100
        0.11, HTML_IMAGE_ONLY_16 0.50, HTML_MESSAGE 0.00,
        MIME_HTML_MOSTLY 1.10, RCVD_IN_NJABL_DUL 1.95

So, generally speaking, they're getting caught with a fair
safety margin without bothering with RulesDuJour.

I am a little curious how they're getting a BAYES_99 with so
few useful keywords in the message for it to key off of, but
that's another issue, probably...

  - Logan
