On Sunday 15 June 2008 7:55 pm, John Hardin wrote:
> > (RE:YOUR ATM-211 CARD UPDATE!!)
> > PAYMENT-CODE -(ATM-411)
>
> Similar, yes. "We'll send you a $1500/day-capable ATM card..."
>
> > Content analysis details:   (20.8 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  1.7 SARE_FRAUD_X3          Matches 3+ phrases commonly used in fraud spam
> >  1.7 SARE_FRAUD_X4          Matches 4+ phrases commonly used in fraud spam
> >
> > Notice SARE rules were in fact hit.
>
> They *did not* hit for me. I've published one of the messages here:
> http://www.impsec.org/~jhardin/atm_spam_01.txt

John, here is how the one you posted hit:

Content analysis details:   (27.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9994]
 1.7 FH_HOST_EQ_PACBELL_D   Host is pacbell.net dsl
 1.0 FREEMAIL_FROM          From-address is freemail domain
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 0.6 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=16 Fuz1=16]
                            [Fuz2=31]
  10 CLAMAV                 Clam AntiVirus detected a virus
 1.5 UPPERCASE_75_100       message body is 75-100% uppercase
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 2.5 L_UNVERIFIED_GMAIL     L_UNVERIFIED_GMAIL
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Here is the ClamAV hit:

X-Spam-Virus: Yes (Email.Scam4.Gen954.Sanesecurity.07062802)

Yes, no SARE rules were hit on this one; however, plenty of other rules were hit, sufficient to make it past my 5.0 default.

-- 
Chris
KeyID 0xE372A7DA98E6705C