Re: False Negatives

Thu, 17 Apr 2008 13:04:46 -0700 

Koopmann, Jan-Peter wrote:

http://pastebin.com/m16055c85


Content analysis details:   (9.6 points, 6.0 required)

 pts rule name              description
---- ----------------------
--------------------------------------------------
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL
blocklist
                            [URIs: diroma.us]
 0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receive
r=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired
language
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.7 SARE_BANK_URI_IP       SARE_BANK_URI_IP
 0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score
-2.0200


  



It was not on uribl/surbl when OP sent it, and "unwanted language" isn't 
appropriate for everybody. I ran a test on the first (when OP sent it) 
and it scored a little less than 5 (I don't remember if DCC was hit, but 
razor was).



  

http://pastebin.com/m52635526

    


Content analysis details:   (13.0 points, 6.0 required)

 pts rule name              description
---- ----------------------
--------------------------------------------------
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL
blacklist
                            [URIs: trip-reps6.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL
blocklist
                            [URIs: trip-reps6.com]
-0.3 BOTNET_SERVERWORDS     Hostname contains server-like substrings

 
[botnet_serverwords,ip=64.187.116.22,rdns=mail.trip-reps6.com]

 0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receive
r=proxy.intern.seceidos.de]
 0.1 TW_MF                  BODY: Odd Letter Triples with MF
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5003]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf:  80]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf:  80]
 2.2 DCC_CHECK              Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
 3.0 DIGEST_MULTIPLE        Message hits more than one network digest
check
 0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score
-1.7700

I did not check the other two. Not sure if DCC/Razor would have seen
them a few hours ago. If they were to cross my server now they would at
least be flagged as spam.

Are you using DCC/RAZOR?

  


I guess so, otherwise, he wouldn't get into the 3-4 range as he said.























					Reply via email to