Dimitri Yioulos wrote:
On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
Dimitri Yioulos wrote:
On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
Dimitri Yioulos wrote:
Hello to all.

I'm wondering why the following isn't hitting more rules:

Return-Path: <[EMAIL PROTECTED]>
Received: from braunconsult.com (216-130-126-2.cimcoisp.net [216.130.126.2] (may be forged))
        by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id k6QG52CZ028664
        for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006 12:05:02 -0400
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Janele Kinyon" <[EMAIL PROTECTED]>
From: "Janele Kinyon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: {Spam?} Re: qutugVjlAGRA
Date: Wed, 26 Jul 2006 09:01:21 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0001_01C6B092.10472690"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: [EMAIL PROTECTED]
X-First1-MailScanner-Information: Please contact First 1 Financial Corporation for more information
X-First1-MailScanner: Found to be clean
X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached,
        score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
        HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
X-First1-MailScanner-SpamScore: sssssss
X-MailScanner-From: [EMAIL PROTECTED]
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

CIjALIlS from 3 , 75 $
VlljAGRA from 3 , 35 $
AMjBlIEN
VAjLIlUM from 1 , 25 $

I'm using the following rules in my setup:

TRIPWIRE
SARE_RANDOM
BOGUSVIRUS
SARE_EVILNUMBERS0
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_SPECIFIC
SARE_ADULT
SARE_UNSUB
SARE_URI0
SARE_GENLSUBJ0
SARE_WHITELIST_RCVD
SARE_WHITELIST_SPF
SARE_REDIRECT_POST300
SARE_FRAUD
SARE_HEADER0
SARE_BML
SARE_OEM
SARE_OBFU

along with Bayes, DCC, Razor, and Pyzor.

Forgive my ignorance, but I would think that this would trip
more rules.  I seem to be getting an increasing number of
obvious spam which "only" hit bayes, DCC and/or Razor and/or
Pyzor, and RBLs (and, of course, I'm grateful for that!).  Few,
if any, other rules are hit.  Running "spamassassin -D --lint"
shows all of my rules being read, and throws no errors.

Oh, yeah, this is a CentOS 3.7 box, running
sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
clamav-0.88.3, and mailscanner-4.54.6-1.

Thanks.

Dimitri
Dimitri
here's what hit with me on my SA 3.1.3 with lots of extra SARE
etc rules..

Content analysis details:   (28.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
 0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
 3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
 2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
 0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8279]
 1.8 MISSING_SUBJECT        Missing Subject: header
 5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
 0.3 SARE_URI_CONS7         body contains link to probable spammer
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 0.5 FM_NO_TO               FM_NO_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
 0.7 FM_MULTI_ODD3          FM_MULTI_ODD3

Martin,

What rules are you using that I'm not?  Your results are much more
what I have in mind for my setup.

Looks like he is using some "unofficial" SARE rules.

http://rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf

I'll try 'em. Are those the only rules that contribute to Martin's score, other than the ones I already have?


I believe that all of the FM and FB rules are from those files.  You can easily 
search for the others.

This is curious, too - URI_NOVOWEL is tripped in his setup, but not on mine (I know that this is installed on my system). Why would that be?

Since the sample you attached is not really scannable and does not actually include any URLs, I would guess that he probably used a sample from his own mail system that had a different URL. Differences could also be caused by the fact that you are using a version of SA that is (essentially) nearly 2 years old.
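
Added example, not part of the original thread: one way to answer "which rules is he hitting that I'm not" is to parse the MailScanner SpamCheck header and the SpamAssassin report quoted above and list the rules that fired only in the second. The function and variable names are hypothetical; the two inputs are copied from the thread and re-wrapped.

```python
import re

MS_SPAMCHECK = (  # inputs below are copied from the thread and re-wrapped
    "spam, SBL+XBL, SpamAssassin (not cached, score=7.414, required 6, BAYES_99 3.50, "
    "HTML_50_60 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)"
)
SA_REPORT = """\
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
 0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
 3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
 2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
 0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8279]
 1.8 MISSING_SUBJECT        Missing Subject: header
 5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
 0.3 SARE_URI_CONS7         body contains link to probable spammer
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 0.5 FM_NO_TO               FM_NO_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
 0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
"""

def parse_mailscanner(value):
    """Return {rule: points} from a MailScanner SpamCheck header value."""
    inner = value[value.index("(") + 1 : value.rindex(")")]
    return {n: float(p) for n, p in re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", inner)}

def parse_sa_report(text):
    """Return {rule: points} from 'pts rule-name description' rows; wrapped lines are skipped."""
    rows = re.findall(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b", text, re.M)
    return {name: float(pts) for pts, name in rows}

def bucket(rule):
    # BAYES_80 and BAYES_99 are score buckets of one test, not different rules.
    return "BAYES" if rule.startswith("BAYES_") else rule

def missing_rules(mine, theirs):
    """Rules that fired only in `theirs`, highest score first."""
    have = {bucket(r) for r in mine}
    gap = [(r, p) for r, p in theirs.items() if bucket(r) not in have]
    return sorted(gap, key=lambda rp: -rp[1])

if __name__ == "__main__":
    for rule, pts in missing_rules(parse_mailscanner(MS_SPAMCHECK), parse_sa_report(SA_REPORT)):
        print(f"{pts:4.1f}  {rule}")
```

A rule that shows up in this list is not necessarily absent from the first installation: as the last reply notes, the two reports may come from different copies of the message, so header and URI rules can differ for that reason alone.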
