Okay, got some samples online to look at:

  http://66.213.231.82/spam/sample1.txt
  http://66.213.231.82/spam/sample2.txt
  http://66.213.231.82/spam/sample3.txt
  http://66.213.231.82/spam/sample4.txt
  http://66.213.231.82/spam/sample5.txt
  http://66.213.231.82/spam/sample6.txt
  http://66.213.231.82/spam/sample7.txt

(that is, every file in http://66.213.231.82/spam/)
If y'all could run 1 or 2 of them through your installs, I'd be interested to know how they score and what rules they hit. TYVM, in advance :)

More comments below...

> Is the below a sample subject line you're seeing? If so my setup using network
> tests, SARE Rules, Botnet plugin and others always score these between 50 and
> 70. But this may not be what you're getting so a sample will be great.

Is there anything I need to know about the SARE rules? I see they're not being updated at the moment... I've been wondering which ones are 'safe' to use, considering they all seem to be at least a year old. Do the comments on the rulesemporium.com site still apply? Anything there broken in SA-3.2.x I should care about?

As far as BOTNET goes... sounds interesting... I would definitely want to push its score down lower though. A single rule being enough to flag a message bothers me. Will look into it, thanks :)

> Subject: Buy Cialis, Viagra online at lowest prices!
>
> Content analysis details: (67.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
>  1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
>  2.9 DATE_SPAMWARE_Y2K      Date header uses unusual Y2K formatting
>  3.2 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
>  1.9 TVD_RCVD_IP            TVD_RCVD_IP
>  3.2 TVD_RCVD_IP4           TVD_RCVD_IP4
>  3.1 MSGID_YAHOO_CAPS       Message-ID has [EMAIL PROTECTED]
>  4.2 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
>  0.0 SUBJECT_DRUG_GAP_C     Subject contains a gappy version of 'cialis'
>  0.0 SUBJ_BUY               Subject line starts with Buy or Buying
>  1.0 FREEMAIL_FROM          From-address is freemail domain
>  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see <http://www.spamcop.net/bl.shtml?124.146.54.38>]
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  1.4 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
>  1.4 FB_CIALIS_LEO3         BODY: Uses a mis-spelled version of cialis.
>  1.7 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                             above 50%
>                             [cf: 60]
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 60]
>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>                             [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
>  0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
>  2.6 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this
>  0.3 DRUGS_ERECTILE         Refers to an erectile drug
>  0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Thanks all,
Jake
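The concern raised above, that a single rule such as BOTNET at 5.0 points is enough on its own to push a message over the 5.0 threshold, is easy to check mechanically when comparing rule hits across installs. The script below is an added example and is not code from the thread or from the SpamAssassin project: it parses the "Content analysis details" report that SpamAssassin appends to a message, sums the per-rule scores, verifies that the sum matches the total stated in the header, and lists the rules whose score alone meets the required threshold. The embedded sample is a constructed excerpt of the report quoted above, with the header total recomputed for the excerpt; the regular expressions assume the standard report layout (score, rule name, description, with wrapped detail lines indented under the rule).

```python
"""Parse a SpamAssassin 'Content analysis details' report and summarise it."""
import re
from dataclasses import dataclass

# Constructed excerpt of the report quoted in the thread; the header total is
# the sum of the rules kept here (the original report listed 67.9 points).
SAMPLE_REPORT = """\
Content analysis details: (33.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 3.2 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 4.2 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 0.0 SUBJ_BUY               Subject line starts with Buy or Buying
 1.0 FREEMAIL_FROM          From-address is freemail domain
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
 1.4 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
 2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 60]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

HEADER_RE = re.compile(
    r"Content analysis details:\s*\((?P<total>-?\d+\.\d+) points,"
    r"\s*(?P<required>\d+\.\d+) required\)"
)
# A rule line carries a score, an upper-case rule name and a description.
# Detail lines such as "[score: 1.0000]" are indented and carry no score.
RULE_RE = re.compile(r"^\s*(?P<score>-?\d+\.\d+)\s+(?P<name>[A-Z0-9_]+)\s+(?P<desc>.*)$")


@dataclass
class RuleHit:
    score: float
    name: str
    description: str


def parse_report(text):
    """Return (stated_total, required, hits) from a SpamAssassin report."""
    stated_total = required = None
    hits = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            stated_total = float(header.group("total"))
            required = float(header.group("required"))
            continue
        match = RULE_RE.match(line)
        if match:
            hits.append(RuleHit(float(match.group("score")), match.group("name"),
                                match.group("desc").strip()))
        elif hits and line.startswith(" ") and line.strip():
            # Wrapped description or bracketed detail belongs to the previous hit.
            hits[-1].description += " " + line.strip()
    if required is None:
        raise ValueError("no 'Content analysis details' header found")
    return stated_total, required, hits


def summarise(text):
    """Summarise which rules drove the verdict and whether the header adds up."""
    stated_total, required, hits = parse_report(text)
    total = round(sum(h.score for h in hits), 1)
    return {
        "required": required,
        "stated_total": stated_total,
        "computed_total": total,
        "header_matches": abs(total - stated_total) < 0.05,
        "rules_hit": len(hits),
        # Rules whose score alone meets the threshold: one false positive on
        # any of these tags an otherwise clean message as spam.
        "sole_triggers": [h.name for h in hits if h.score >= required],
        # Informational (0.0) rules contribute nothing to the verdict.
        "informational": [h.name for h in hits if h.score == 0.0],
        "top_rules": [h.name for h in sorted(hits, key=lambda h: h.score, reverse=True)[:5]],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Feed it the report from each install (the block between "Content analysis details" and the end of the rule list) and compare the "sole_triggers" entries: any rule listed there can flag a message by itself, which is exactly the case to consider when deciding whether to lower a plugin's score.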