Kenneth Porter wrote:
> On Thursday, November 30, 2006 5:01 PM -0600 Richard Frovarp
> <[EMAIL PROTECTED]> wrote:
>> Kenneth Porter wrote:
>>> --On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp
>>> <[EMAIL PROTECTED]> wrote:
>>>> I have a few legit messages that are scoring over 5.0 due to
>>>> SARE_STOCKS and the TVD rules to catch stocks, and this is after
>>>> ALL_TRUSTED has done its work to reduce the score. These messages
>>>> of course have inline images and are being sent via Outlook
>>>> Express. Some of the scores on those rules are over 2.0. I have
>>>> started to reduce the scores, as the stock messages I get usually
>>>> have header problems and hit on Razor as well. I've seen legit
>>>> messages fire the MY_CID set of rules enough to rack up a score of
>>>> over 7.0 from those rules alone.
>>> Can you attach a sample? Perhaps the sender can be convinced to change
>>> the format to make the message look less spammy.
>> I'll find one tomorrow. The big three rules are/were
>> 2.00 PART_CID_STOCK
>> 2.00 PART_CID_STOCK_LESS
>> 2.80 TVD_FW_GRAPHIC_ID1
>> The PART_CID rules have been removed from wherever they were
>> located. I have reduced the score on the TVD rule. I have 40K+ users.
>> Talking to individual users isn't something that I can do effectively.
>> To make a message look less spammy, they would have to not inline the
>> image with OE.
> [Please reply to the list.]
> My point is simply that others may be seeing the same issue but not
> know how to report it so that rule developers can exclude the ham.
> Given some samples, it may be possible to separate the wheat from the
> chaff.
Just followed the reply-to header, was too tired to notice anything
different.
I was wrong; the PART_CID_STOCK and PART_CID_STOCK_LESS rules are there.
Some of my machines were not running sa-update correctly. Attached is
one of my FPs. Pretty brutal for including a simple GIF.
Here is the report for the attached message:
score = 8.98
-1.44 ALL_TRUSTED
0.81 EXTRA_MPART_TYPE
0.00 HTML_MESSAGE
0.81 INFO_TLD
2.00 PART_CID_STOCK
2.00 PART_CID_STOCK_LESS
2.80 TVD_FW_GRAPHIC_ID1
2.00 TVD_FW_MESG1
Return-Path: <g>
Received: from mail2.domain.com (mail2.domain.com [xxx.xxx.xxx.xx])
by vaccine1.domain.com (8.13.1/8.13.1) with ESMTP id kB5GqMKb014211
for <[EMAIL PROTECTED]>; Tue, 5 Dec 2006 10:52:23 -0600
Received: from user ([xx.xxx.xx.xx])
by mail2.domain.com (8.13.1/8.13.1) with SMTP id kB5GqJbK004966
for <[EMAIL PROTECTED]>; Tue, 5 Dec 2006 10:52:21 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "user" <[EMAIL PROTECTED]>
To: "user" <[EMAIL PROTECTED]>
Subject: subject
Date: Tue, 5 Dec 2006 10:52:22 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0008_01C7185B.711AF0B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2
(vaccine1.domain.com [134.129.111.58]); Tue, 05 Dec 2006 10:52:23 -0600 (CST)
This is a multi-part message in MIME format.
------=_NextPart_000_0008_01C7185B.711AF0B0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C7185B.711AF0B0"
------=_NextPart_001_0009_01C7185B.711AF0B0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Citrus Punchthanks
----- Original Message -----=20
From: user=20
To: user=20
Sent: Tuesday, December 05, 2006 9:43 AM
Subject: subject
text =
test
=20
text =
text
text =
text
--=20
This message has been scanned for viruses and=20
dangerous content by EduTech's MailScanner Vaccine2, and is=20
believed to be clean.
------=_NextPart_001_0009_01C7185B.711AF0B0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:v =3D "urn:schemas-microsoft-com:vml" xmlns:o =3D=20
"urn:schemas-microsoft-com:office:office" xmlns:w =3D=20
"urn:schemas-microsoft-com:office:word"><HEAD><TITLE=20
id=3DridTitle>Citrus Punch</TITLE><BASE=20
href=3D"file://C:\Program Files\Common Files\Microsoft =
Shared\Stationery\">
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3DWord.Document name=3DProgId>
<META content=3D"MSHTML 6.00.2900.2995" name=3DGENERATOR>
<META content=3D"Microsoft Word 10" name=3DOriginator><LINK=20
href=3D"Citrus%20Punch_files/filelist.xml" rel=3DFile-List><!--[if gte =
mso 9]><xml>
<o:DocumentProperties>
<o:Author>author</o:Author>
<o:Template>NORMAL</o:Template>
<o:LastAuthor>author</o:LastAuthor>
<o:Revision>4</o:Revision>
<o:TotalTime>1</o:TotalTime>
<o:Created>2006-10-17T15:42:00Z</o:Created>
<o:LastSaved>2006-10-17T15:57:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Lines>1</o:Lines>
<o:Paragraphs>1</o:Paragraphs>
<o:Version>10.2625</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:SpellingState>Clean</w:SpellingState>
<w:GrammarState>Clean</w:GrammarState>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]-->
<STYLE>@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in =
1.25in; mso-header-margin: .5in; mso-footer-margin: .5in; =
mso-paper-source: 0; }
BODY {
=09
}
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; =
mso-style-parent: ""; mso-pagination: widow-orphan; =
mso-fareast-font-family: "Times New Roman"; mso-believe-normal-left: yes
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; =
mso-style-parent: ""; mso-pagination: widow-orphan; =
mso-fareast-font-family: "Times New Roman"; mso-believe-normal-left: yes
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; =
mso-style-parent: ""; mso-pagination: widow-orphan; =
mso-fareast-font-family: "Times New Roman"; mso-believe-normal-left: yes
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: =
"Times New Roman"; mso-pagination: widow-orphan; =
mso-fareast-font-family: "Times New Roman"; mso-margin-top-alt: auto; =
mso-margin-bottom-alt: auto
}
DIV.Section1 {
page: Section1
}
</STYLE>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";}
</style>
<![endif]--><![if mso 9]>
<style>
p.MsoNormal
{margin-left:18.75pt;}
</style>
<![endif]><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"3074"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1"/>
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=3DEN-US id=3DridBody=20
style=3D"MARGIN-TOP: 18.75pt; MARGIN-LEFT: 18.75pt; tab-interval: .5in"=20
bgColor=3Dwhite =
background=3Dcid:000701c7188d$bbae34c0$0b41df0a@secretary>
<DIV><FONT face=3DArial size=3D2>thanks</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
<A [EMAIL PROTECTED]
href=3D"mailto:[EMAIL PROTECTED]">user</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A=20
[EMAIL PROTECTED]
href=3D"mailto:[EMAIL PROTECTED]">user</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Tuesday, December 05, =
2006 9:43=20
AM</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> subject</DIV>
<DIV><BR></DIV>
<DIV class=3DSection1>
<P class=3DMsoNormal><B style=3D"mso-bidi-font-weight: normal"><SPAN=20
style=3D"COLOR: #ff6633; FONT-FAMILY: Arial"><o:p> text=20
text =
text.</o:p></SPAN></B></P>
<P class=3DMsoNormal><B style=3D"mso-bidi-font-weight: normal"><SPAN=20
style=3D"COLOR: #ff6633; FONT-FAMILY: =
Arial"><o:p></o:p></SPAN></B> </P>
<P class=3DMsoNormal><B style=3D"mso-bidi-font-weight: normal"><SPAN=20
style=3D"COLOR: #ff6633; FONT-FAMILY: Arial"><o:p>text =
text=20
text=20
text</o:p></SPAN></B></P>
<P class=3DMsoNormal><B style=3D"mso-bidi-font-weight: normal"><SPAN=20
style=3D"COLOR: #ff6633; FONT-FAMILY: Arial"><o:p> text =
text=20
text=20
text</o:p></SPAN></B></P></DIV><BR>-- <BR>This message has =
been=20
scanned for viruses and <BR>dangerous content by EduTech's <A=20
href=3D"http://www.mailscanner.info/"><B>MailScanner</B></A> Vaccine2, =
and is=20
<BR>believed to be clean. </BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0009_01C7185B.711AF0B0--
------=_NextPart_000_0008_01C7185B.711AF0B0
Content-Type: image/gif;
name="Citrus Punch Bkgrd.gif"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

------=_NextPart_000_0008_01C7185B.711AF0B0--
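
When sending a false-positive sample like the one above to rule developers, it helps to state how each Content-ID image is actually used by the HTML part. The following is an added example, not part of the thread: the sample message is constructed (placeholder Content-ID, boundaries and image bytes) and `cid_image_summary` is a hypothetical helper name.

```python
import re
from email import message_from_string
# Constructed sample with the same MIME shape as the attachment above
# (boundaries, Content-ID and image bytes are placeholders).
SAMPLE = """\
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
Content-Type: multipart/related; type="multipart/alternative"; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="iso-8859-1"

thanks
--inner
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3Dwhite background=3Dcid:bg001@example.invalid>
<DIV>thanks</DIV></BODY></HTML>
--inner--
--outer
Content-Type: image/gif; name="Citrus Punch Bkgrd.gif"
Content-Transfer-Encoding: base64
Content-ID: <bg001@example.invalid>

R0lGODlhAQABAAAAACw=
--outer--
"""

# attribute name followed by a cid: URL, e.g. background=cid:... or src="cid:..."
CID_REF = re.compile(r'([\w-]+)\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)

def cid_image_summary(raw):
    # Map every Content-ID image to the HTML attribute that references it.
    msg = message_from_string(raw)
    images, refs = {}, {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/") and part["Content-ID"]:
            images[part["Content-ID"].strip("<> ")] = ctype
        elif ctype == "text/html":
            charset = part.get_content_charset() or "latin-1"
            html = part.get_payload(decode=True).decode(charset, "replace")
            refs.update((cid, attr.lower()) for attr, cid in CID_REF.findall(html))
    return {
        "mailer": msg["X-Mailer"],
        "structure": [p.get_content_type() for p in msg.walk()],
        "images": [(c, t, refs.get(c, "unreferenced")) for c, t in images.items()],
    }
```

For the constructed sample the summary reports one GIF referenced from the `background` attribute, which is the Outlook Express stationery case described in this thread.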