On Wednesday July 26 2006 2:36 pm, Stuart Johnston wrote:
> Dimitri Yioulos wrote:
> > On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
> >> Dimitri Yioulos wrote:
> >>> On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> >>>> Dimitri Yioulos wrote:
> >>>>> Hello to all.
> >>>>>
> >>>>> I'm wondering why the following isn't hitting more rules:
> >>>>>
> >>>>> Return-Path: <[EMAIL PROTECTED]>
> >>>>> Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> >>>>> [216.130.126.2] (may be forged))
> >>>>> by mail1.firstbhph.com (8.12.11.20060308/8.12.11)
> >>>>> with SMTP id k6QG52CZ028664
> >>>>> for <[EMAIL PROTECTED]>; Wed, 26 Jul 2006
> >>>>> 12:05:02 -0400 Message-ID:
> >>>>> <[EMAIL PROTECTED]> Reply-To: "Janele
> >>>>> Kinyon" <[EMAIL PROTECTED]>
> >>>>> From: "Janele Kinyon" <[EMAIL PROTECTED]>
> >>>>> To: [EMAIL PROTECTED]
> >>>>> Subject: {Spam?} Re: qutugVjlAGRA
> >>>>> Date: Wed, 26 Jul 2006 09:01:21 -0700
> >>>>> MIME-Version: 1.0
> >>>>> Content-Type: multipart/alternative;
> >>>>> boundary="----=_NextPart_000_0001_01C6B092.10472690"
> >>>>> X-Priority: 3
> >>>>> X-MSMail-Priority: Normal
> >>>>> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> >>>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>>>> X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym)
> >>>>> to: [EMAIL PROTECTED]
> >>>>> X-First1-MailScanner-Information: Please contact First 1
> >>>>> Financial Corporation for more information
> >>>>> X-First1-MailScanner: Found to be clean
> >>>>> X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin
> >>>>> (not cached,
> >>>>> score=7.414, required 6, BAYES_99 3.50, HTML_50_60
> >>>>> 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> >>>>> X-First1-MailScanner-SpamScore: sssssss
> >>>>> X-MailScanner-From: [EMAIL PROTECTED]
> >>>>> Status: R
> >>>>> X-Status: NC
> >>>>> X-KMail-EncryptionState:
> >>>>> X-KMail-SignatureState:
> >>>>> X-KMail-MDN-Sent:
> >>>>>
> >>>>> CIjALIlS from 3 , 75 $
> >>>>> VlljAGRA from 3 , 35 $
> >>>>> AMjBlIEN
> >>>>> VAjLIlUM from 1 , 25 $
> >>>>>
> >>>>> I'm using the following rules in my setup:
> >>>>>
> >>>>> TRIPWIRE
> >>>>> SARE_RANDOM
> >>>>> BOGUSVIRUS
> >>>>> SARE_EVILNUMBERS0
> >>>>> SARE_SPOOF
> >>>>> SARE_BAYES_POISON_NXM
> >>>>> SARE_SPECIFIC
> >>>>> SARE_ADULT
> >>>>> SARE_UNSUB
> >>>>> SARE_URI0
> >>>>> SARE_GENLSUBJ0
> >>>>> SARE_WHITELIST_RCVD
> >>>>> SARE_WHITELIST_SPF
> >>>>> SARE_REDIRECT_POST300
> >>>>> SARE_FRAUD
> >>>>> SARE_HEADER0
> >>>>> SARE_BML
> >>>>> SARE_OEM
> >>>>> SARE_OBFU
> >>>>>
> >>>>> along with Bayes, DCC, Razor, and Pyzor.
> >>>>>
> >>>>> Forgive my ignorance, but I would think that this would trip
> >>>>> more rules. I seem to be getting an increasing number of
> >>>>> obvious spam which "only" hit bayes, DCC and/or Razor and/or
> >>>>> Pyzor, and RBLs (and, of course, I'm grateful for that!).
> >>>>> Few, if any, other rules are hit. Running "spamassassin -D
> >>>>> --lint" shows all of my rules being read, and throws no
> >>>>> errors.
> >>>>>
> >>>>> Oh, yeah, this is a CentOS 3.7 box, running
> >>>>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
> >>>>> clamav-0.88.3, and mailscanner-4.54.6-1.
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> Dimitri
> >>>>
> >>>> Dimitri
> >>>> here's what hit with me on my SA 3.1.3 with lots of extra SARE
> >>>> etc rules..
> >>>>
> >>>> Content analysis details:   (28.5 points, 5.0 required)
> >>>>
> >>>>  pts rule name              description
> >>>> ---- ---------------------- --------------------------------------------------
> >>>>  2.5 MISSING_HB_SEP         Missing blank line between message header and body
> >>>>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >>>>  3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
> >>>>  0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
> >>>>  3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
> >>>>  2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
> >>>>  0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
> >>>>  2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
> >>>>                             [score: 0.8279]
> >>>>  1.8 MISSING_SUBJECT        Missing Subject: header
> >>>>  5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
> >>>>  0.3 SARE_URI_CONS7         body contains link to probable spammer
> >>>>  0.1 TO_CC_NONE             No To: or Cc: header
> >>>>  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
> >>>>  0.5 FM_NO_TO               FM_NO_TO
> >>>>  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
> >>>>  0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
> >>>
> >>> Martin,
> >>>
> >>> What rules are you using that I'm not? Your results are much
> >>> more what I have in mind for my setup.
> >>
> >> Looks like he is using some "unofficial" SARE rules.
> >>
> >> http://rulesemporium.com/rules/99_FVGT_meta.cf
> >> http://www.rulesemporium.com/rules/88_FVGT_body.cf
> >
> > I'll try 'em. Are those the only rules that contribute to
> > Martin's score, other than the ones I already have?
>
> I believe that all of the FM and FB rules are from those files.
> You can easily search for the others.
>
> > This is curious, too - URI_NOVOWEL is tripped in his setup, but
> > not on mine (I know that this is installed on my system). Why
> > would that be?
>
> Since the sample you attached is not really scannable and does not
> actually include any urls, I would guess that he probably used a
> sample from his own mail system that had a different url.
>
> Differences could also be caused by the fact that you are using a
> version of SA that is (essentially) nearly 2 years old.
So true on the age of SA. I tried updating to latest not long ago, and kinda munged things up, so like a true wimp, I rolled back to the rpm-based version for my distro (and RHEL AS 3). Maybe I'll grab the latest and greatest from Dag and give it another try.

Dimitri