On Mon, 31 Jul 2006, Beast wrote:
I have implemented site wide SA and it works pretty well except for this kind of spam. postmaster account has been receiving many spam and it's not being blocked by SA. I have fed SA to learn hundreds of similar spam manually, but still not able to catch up.

----
*X-Spam-Status:* No, score=3.8 required=5.2 tests=BAYES_99,FORGED_RCVD_HELO, HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4
---
Content-Transfer-Encoding: quoted-printable

CAjRTIER TIjFFANY & CO BVjLGARI OMjEGA ROjLEX PAjTEK BRjEITLING

As your score summary indicates, the message is already receiving a BAYES_99 result from the Bayes test. That means that Bayes is already quite confident that this message is spam. The Bayes training you have done has worked, and no further training would have increased the Bayes score for this particular message.

However, Bayes by itself is not sufficient to mark a message as spam. I have seen quite a number of similar spams lately to the ones you describe, and mine are hitting all kinds of network tests. This includes both dcc and razor2 and also various sender IP blacklists and URI blacklists. Because of the network tests, the last 4 spams of this type that I've gotten have scored in the range of 20 to 27:

score=20.117, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64

score=24.244, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64

score=23.287, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64, URIBL_SC_SURBL 4.50

score=26.796, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64,

So, I'd say one fairly effective way of dealing with these spams is to make sure you have plenty of network tests enabled.

- Logan
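
The split between local and network scoring can be checked against the numbers in the reply above. This is an added example, not part of the original thread or of SpamAssassin: it parses the first two score summaries from the reply and separates each into local and network-test contributions. Classifying rules as network tests by name prefix is an assumption made for this example.

```python
import re

# Copied from the first two score summaries quoted in the reply above.
SUMMARIES = [
    "score=20.117, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, "
    "DIGEST_MULTIPLE 0.77, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, "
    "RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, "
    "RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, "
    "URIBL_SBL 1.64",
    "score=24.244, required 6, autolearn=spam, BAYES_99 3.50, DCC_CHECK 2.17, "
    "DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.00, "
    "RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, "
    "RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_NJABL_DUL 1.95, "
    "RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, "
    "URIBL_SBL 1.64",
]

# Assumption for this example: a rule counts as a network test if its name
# starts with one of these prefixes (digest services, DNS and URI blacklists).
NETWORK_PREFIXES = ("DCC_", "RAZOR2_", "DIGEST_", "RCVD_IN_", "URIBL_")

HEAD_RE = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")

def parse_summary(line):
    """Return (reported_score, required, {rule: score}) for one summary line."""
    head = HEAD_RE.search(line)
    if head is None:
        raise ValueError("no score/required fields found")
    rules = {name: float(val) for name, val in RULE_RE.findall(line)}
    return float(head.group(1)), float(head.group(2)), rules

def split_score(line):
    """Separate a summary into local and network contributions."""
    reported, required, rules = parse_summary(line)
    network = sum(v for k, v in rules.items() if k.startswith(NETWORK_PREFIXES))
    local = sum(v for k, v in rules.items() if not k.startswith(NETWORK_PREFIXES))
    return {
        "reported": reported,
        "required": required,
        "local": round(local, 2),
        "network": round(network, 2),
        "spam_with_network": local + network >= required,
        "spam_local_only": local >= required,
    }

if __name__ == "__main__":
    for summary in SUMMARIES:
        print(split_score(summary))
```

With only the local rules, both messages stay below the required score of 6, which matches the 3.8 result in the original question.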