On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> Dimitri Yioulos wrote:
> > Hello to all.
> >
> > I'm wondering why the following isn't hitting more rules:
> >
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> >     [216.130.126.2] (may be forged))
> >     by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
> >     SMTP id k6QG52CZ028664
> >     for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 12:05:02 -0400
> > Message-ID: <[EMAIL PROTECTED]>
> > Reply-To: "Janele Kinyon" <[EMAIL PROTECTED]>
> > From: "Janele Kinyon" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: {Spam?} Re: qutugVjlAGRA
> > Date: Wed, 26 Jul 2006 09:01:21 -0700
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> >     boundary="----=_NextPart_000_0001_01C6B092.10472690"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to:
> >     [EMAIL PROTECTED]
> > X-First1-MailScanner-Information: Please contact First 1
> >     Financial Corporation for more information
> > X-First1-MailScanner: Found to be clean
> > X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not
> >     cached,
> >     score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
> >     HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> > X-First1-MailScanner-SpamScore: sssssss
> > X-MailScanner-From: [EMAIL PROTECTED]
> > Status: R
> > X-Status: NC
> > X-KMail-EncryptionState:
> > X-KMail-SignatureState:
> > X-KMail-MDN-Sent:
> >
> > CIjALIlS from 3 , 75 $
> > VlljAGRA from 3 , 35 $
> > AMjBlIEN
> > VAjLIlUM from 1 , 25 $
> >
> > I'm using the following rules in my setup:
> >
> > TRIPWIRE
> > SARE_RANDOM
> > BOGUSVIRUS
> > SARE_EVILNUMBERS0
> > SARE_SPOOF
> > SARE_BAYES_POISON_NXM
> > SARE_SPECIFIC
> > SARE_ADULT
> > SARE_UNSUB
> > SARE_URI0
> > SARE_GENLSUBJ0
> > SARE_WHITELIST_RCVD
> > SARE_WHITELIST_SPF
> > SARE_REDIRECT_POST300
> > SARE_FRAUD
> > SARE_HEADER0
> > SARE_BML
> > SARE_OEM
> > SARE_OBFU
> >
> > along with Bayes, DCC, Razor, and Pyzor.
> >
> > Forgive my ignorance, but I would think that this would trip more
> > rules. I seem to be getting an increasing number of obvious spam
> > which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs
> > (and, of course, I'm grateful for that!). Few, if any, other
> > rules are hit. Running "spamassassin -D --lint" shows all of my
> > rules being read, and throws no errors.
> >
> > Oh, yeah, this is a CentOS 3.7 box, running
> > sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3,
> > and mailscanner-4.54.6-1.
> >
> > Thanks.
> >
> > Dimitri
>
> Dimitri
> here's what hit with me on my SA 3.1.3 with lots of extra SARE etc
> rules..
>
> Content analysis details: (28.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.5 MISSING_HB_SEP         Missing blank line between message header and body
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
>  0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
>  3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
>  2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
>  0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
>  2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8279]
>  1.8 MISSING_SUBJECT        Missing Subject: header
>  5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
>  0.3 SARE_URI_CONS7         body contains link to probable spammer
>  0.1 TO_CC_NONE             No To: or Cc: header
>  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
>  0.5 FM_NO_TO               FM_NO_TO
>  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
>  0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
>
Martin,

What rules are you using that I'm not? Your results are much more what I have in mind for my setup.

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.