On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
> Dimitri Yioulos wrote:
> > On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> >> Dimitri Yioulos wrote:
> >>> Hello to all.
> >>>
> >>> I'm wondering why the following isn't hitting more rules:
> >>>
> >>> Return-Path: <[EMAIL PROTECTED]>
> >>> Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> >>>     [216.130.126.2] (may be forged))
> >>>     by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
> >>>     SMTP id k6QG52CZ028664
> >>>     for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 12:05:02 -0400
> >>> Message-ID: <[EMAIL PROTECTED]>
> >>> Reply-To: "Janele Kinyon" <[EMAIL PROTECTED]>
> >>> From: "Janele Kinyon" <[EMAIL PROTECTED]>
> >>> To: [EMAIL PROTECTED]
> >>> Subject: {Spam?} Re: qutugVjlAGRA
> >>> Date: Wed, 26 Jul 2006 09:01:21 -0700
> >>> MIME-Version: 1.0
> >>> Content-Type: multipart/alternative;
> >>>     boundary="----=_NextPart_000_0001_01C6B092.10472690"
> >>> X-Priority: 3
> >>> X-MSMail-Priority: Normal
> >>> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> >>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>> X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym)
> >>>     to: [EMAIL PROTECTED]
> >>> X-First1-MailScanner-Information: Please contact First 1
> >>>     Financial Corporation for more information
> >>> X-First1-MailScanner: Found to be clean
> >>> X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached,
> >>>     score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
> >>>     HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> >>> X-First1-MailScanner-SpamScore: sssssss
> >>> X-MailScanner-From: [EMAIL PROTECTED]
> >>> Status: R
> >>> X-Status: NC
> >>> X-KMail-EncryptionState:
> >>> X-KMail-SignatureState:
> >>> X-KMail-MDN-Sent:
> >>>
> >>> CIjALIlS from 3 , 75 $
> >>> VlljAGRA from 3 , 35 $
> >>> AMjBlIEN
> >>> VAjLIlUM from 1 , 25 $
> >>>
> >>> I'm using the following rules in my setup:
> >>>
> >>> TRIPWIRE
> >>> SARE_RANDOM
> >>> BOGUSVIRUS
> >>> SARE_EVILNUMBERS0
> >>> SARE_SPOOF
> >>> SARE_BAYES_POISON_NXM
> >>> SARE_SPECIFIC
> >>> SARE_ADULT
> >>> SARE_UNSUB
> >>> SARE_URI0
> >>> SARE_GENLSUBJ0
> >>> SARE_WHITELIST_RCVD
> >>> SARE_WHITELIST_SPF
> >>> SARE_REDIRECT_POST300
> >>> SARE_FRAUD
> >>> SARE_HEADER0
> >>> SARE_BML
> >>> SARE_OEM
> >>> SARE_OBFU
> >>>
> >>> along with Bayes, DCC, Razor, and Pyzor.
> >>>
> >>> Forgive my ignorance, but I would think that this would trip
> >>> more rules. I seem to be getting an increasing number of
> >>> obvious spam which "only" hit bayes, DCC and/or Razor and/or
> >>> Pyzor, and RBLs (and, of course, I'm grateful for that!). Few,
> >>> if any, other rules are hit. Running "spamassassin -D --lint"
> >>> shows all of my rules being read, and throws no errors.
> >>>
> >>> Oh, yeah, this is a CentOS 3.7 box, running
> >>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
> >>> clamav-0.88.3, and mailscanner-4.54.6-1.
> >>>
> >>> Thanks.
> >>>
> >>> Dimitri
> >>
> >> Dimitri
> >> here's what hit with me on my SA 3.1.3 with lots of extra SARE
> >> etc rules..
> >> Content analysis details: (28.5 points, 5.0 required)
> >>
> >>  pts rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >>  2.5 MISSING_HB_SEP         Missing blank line between message header and body
> >>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >>  3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
> >>  0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
> >>  3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
> >>  2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
> >>  0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
> >>  2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
> >>                             [score: 0.8279]
> >>  1.8 MISSING_SUBJECT        Missing Subject: header
> >>  5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
> >>  0.3 SARE_URI_CONS7         body contains link to probable spammer
> >>  0.1 TO_CC_NONE             No To: or Cc: header
> >>  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
> >>  0.5 FM_NO_TO               FM_NO_TO
> >>  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
> >>  0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
> >
> > Martin,
> >
> > What rules are you using that I'm not? Your results are much more
> > what I have in mind for my setup.
>
> Looks like he is using some "unofficial" SARE rules.
>
> http://rulesemporium.com/rules/99_FVGT_meta.cf
> http://www.rulesemporium.com/rules/88_FVGT_body.cf

I'll try 'em. Are those the only rules that contribute to Martin's score, other than the ones I already have?

This is curious, too - URI_NOVOWEL is tripped in his setup, but not on mine (I know that this is installed on my system). Why would that be?

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.