Dimitri Yioulos wrote:
On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
Dimitri Yioulos wrote:
Hello to all.

I'm wondering why the following isn't hitting more rules:

Return-Path: <[EMAIL PROTECTED]>
Received: from braunconsult.com (216-130-126-2.cimcoisp.net [216.130.126.2] (may be forged))
        by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id k6QG52CZ028664
        for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 12:05:02 -0400
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Janele Kinyon" <[EMAIL PROTECTED]>
From: "Janele Kinyon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: {Spam?} Re: qutugVjlAGRA
Date: Wed, 26 Jul 2006 09:01:21 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0001_01C6B092.10472690"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: [EMAIL PROTECTED]
X-First1-MailScanner-Information: Please contact First 1 Financial Corporation for more information
X-First1-MailScanner: Found to be clean
X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached,
        score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
        HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
X-First1-MailScanner-SpamScore: sssssss
X-MailScanner-From: [EMAIL PROTECTED]
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

CIjALIlS from 3 , 75 $
VlljAGRA from 3 , 35 $
AMjBlIEN
VAjLIlUM from 1 , 25 $

I'm using the following rules in my setup:

TRIPWIRE
SARE_RANDOM
BOGUSVIRUS
SARE_EVILNUMBERS0
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_SPECIFIC
SARE_ADULT
SARE_UNSUB
SARE_URI0
SARE_GENLSUBJ0
SARE_WHITELIST_RCVD
SARE_WHITELIST_SPF
SARE_REDIRECT_POST300
SARE_FRAUD
SARE_HEADER0
SARE_BML
SARE_OEM
SARE_OBFU

along with Bayes, DCC, Razor, and Pyzor.

Forgive my ignorance, but I would think that this would trip more
rules.  I seem to be getting an increasing number of obvious spam
which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs
(and, of course, I'm grateful for that!).  Few, if any, other
rules are hit.  Running "spamassassin -D --lint" shows all of my
rules being read, and throws no errors.

Oh, yeah, this is a CentOS 3.7 box, running
sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3,
and mailscanner-4.54.6-1.

Thanks.

Dimitri
Dimitri
here's what hit with me on my SA 3.1.3 with lots of extra SARE etc
rules..

Content analysis details:   (28.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
 0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
 3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
 2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
 0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8279]
 1.8 MISSING_SUBJECT        Missing Subject: header
 5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
 0.3 SARE_URI_CONS7         body contains link to probable spammer
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 0.5 FM_NO_TO               FM_NO_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
 0.7 FM_MULTI_ODD3          FM_MULTI_ODD3



Martin,

What rules are you using that I'm not? Your results are much more what I have in mind for my setup.

Looks like he is using some "unofficial" SARE rules.

http://rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf
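
To see which rule hits separate the two results quoted in this thread, the MailScanner header and the SpamAssassin report can be parsed and diffed. This is an added example, not part of the original messages; the function names are hypothetical, and the sample inputs are constructed from the header and an abridged copy of the report quoted above.

```python
import re

# Constructed samples: the SpamCheck header and an abridged report from this thread.
MAILSCANNER_HEADER = (
    "X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached,\n"
    "        score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,\n"
    "        HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)"
)
SA_REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8279]
 5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
"""

def parse_mailscanner(header):
    """Return {rule: score} from a MailScanner SpamCheck header (folded or not)."""
    inner = re.search(r"SpamAssassin \((.*)\)", header, re.S)
    hits = {}
    for item in inner.group(1).split(",") if inner else []:
        # Rule names are upper case; "not cached", "score=", "required" are skipped.
        m = re.fullmatch(r"\s*([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)\s*", item)
        if m:
            hits[m.group(1)] = float(m.group(2))
    return hits

def parse_sa_report(report):
    """Return {rule: score} from a 'Content analysis details' table."""
    hits = {}
    for line in report.splitlines():
        # Data rows start with a score; header, ruler and wrapped lines do not.
        m = re.match(r"\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s", line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def only_in(a, b):
    """Rules hit in a but not in b, highest score first; BAYES_nn counts as one rule."""
    family = lambda rule: "BAYES" if rule.startswith("BAYES_") else rule
    seen = {family(r) for r in b}
    return sorted(((r, s) for r, s in a.items() if family(r) not in seen),
                  key=lambda hit: -hit[1])

if __name__ == "__main__":
    mine, theirs = parse_mailscanner(MAILSCANNER_HEADER), parse_sa_report(SA_REPORT)
    for rule, score in only_in(theirs, mine):
        print(f"{score:5.1f}  {rule}")
```
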
