> There is another discussion on this list about rules that 
> catch these sorts of messages.  Check that out for ideas.
> 
> For what it is worth these are the rules I get:
> 
> Content analysis details:   (10.5 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>  0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>  1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
>                             [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
>  0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list

But only some hours after I received the messages.

I suppose that at that time the score assigned by your SA was lower than
what you just reported above (maybe at that time, the IP 102.176.29.76 was
"not-DNSBListed").

Anyway, I figure that your SA uses different rulesets from mine.

Could you instruct me about a good set of rulesets I should use to lower
the chance that spam passes through my spam-scanner, while maintaining a good
level of performance?

TIA,

rocsca
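
The two reports in this message compared rule by rule, as an added example that is not part of the original post: it parses both tables (tolerating `>` quoting and wrapped description lines) and lists the rules that fired on only one side. The cause attached to each rule is a heuristic based on the rule-name prefix, assumed here for illustration.

```python
import re

# Rule hit: optional '>' quoting, score, RULE_NAME. Prefix-to-cause map is a heuristic.
RULE_RE = re.compile(r"^[>\s]*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s")
CAUSES = (("RCVD_IN_", "DNSBL lookup: listing can change over time"),
          ("BAYES_", "Bayes: depends on each site's training"),
          ("AWL", "auto-whitelist: per-site sender history"))

def parse_report(text):
    """Return {rule: score}; wrapped description lines have no score and are skipped."""
    return {m.group(2): float(m.group(1))
            for m in map(RULE_RE.match, text.splitlines()) if m}

def cause(rule):
    """Likely reason two sites disagree on this rule (assumption, by name prefix)."""
    return next((why for prefix, why in CAUSES if rule.startswith(prefix)),
                "static rule: depends on installed rulesets")

def only_in(a, b):
    """Rules hit in report a but not in b, as {rule: (score, cause)}."""
    return {r: (s, cause(r)) for r, s in a.items() if r not in b}

# Both reports as posted in this thread (descriptions shortened, one wrap kept).
QUOTED = """\
>   2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of
> non-vowel letters
>   0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>   0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain
>   0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
>   3.5 BAYES_99               BODY: Bayesian spam probability
>   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on
>   1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
>   0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
"""
MINE = """\
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list
"""

if __name__ == "__main__":
    a, b = parse_report(QUOTED), parse_report(MINE)
    for label, hits in (("quoted only", only_in(a, b)), ("reply only", only_in(b, a))):
        for rule, (score, why) in hits.items():
            print(f"{label:12}{score:5.1f} {rule:20} {why}")
```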
