Yes, I would love to have the full listing. I've just done the ClamAV sigs from SaneSecurity/etc. Very nice!
I'm looking into the following plugins/rulesets for general use. Will probably use a few of them:

Botnet plugin
SARE rulesets
DKIM (included in SA, but never bothered to set up)
iXhash plugin
Freemail plugin
SAGrey plugin
Justin Mason's automated ruleset

If I could just get Pyzor working again now too... :)

Thanks!
Jake

On Sat, Aug 2, 2008 at 8:00 AM, Chris <[EMAIL PROTECTED]> wrote:
> On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
>> Okay, got some samples online to look at:
>>
>> http://66.213.231.82/spam/sample1.txt
>> http://66.213.231.82/spam/sample2.txt
>> http://66.213.231.82/spam/sample3.txt
>> http://66.213.231.82/spam/sample4.txt
>> http://66.213.231.82/spam/sample5.txt
>> http://66.213.231.82/spam/sample6.txt
>> http://66.213.231.82/spam/sample7.txt
>> (that is, every file in http://66.213.231.82/spam/)
>>
>> If y'all could run 1 or 2 of them through your installs, I'd be
>> interested to know how they score and what rules they hit. TYVM, in
>> advance :)
>
>
> Sample 1 scored:
>
> Content analysis details:   (16.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>                             [URIs: perfectcapsulessite.com]
>  1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                             [URIs: perfectcapsulessite.com]
>  1.0 FREEMAIL_FROM          From-address is freemail domain
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5001]
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> Sample 2 scored:
>
> Content analysis details:   (25.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 FREEMAIL_FROM          From-address is freemail domain
>  0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
>  0.0 DK_SIGNED              Domain Keys: message has a signature
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.4915]
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
>   10 CLAMAV                 Clam AntiVirus detected a virus
>  0.3 DRUGS_ERECTILE         Refers to an erectile drug
>  2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> This is what clamav reported - X-Spam-Virus: Yes
> (Email.Spam.Gen835.Sanesecurity.07062011)
>
> Sample 3 scored:
>
> Content analysis details:   (15.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 FREEMAIL_FROM          From-address is freemail domain
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.0 ONLINE_PHARMACY        BODY: Online Pharmacy
>  0.0 TVD_VISIT_PHARMA       BODY: TVD_VISIT_PHARMA
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                             [score: 0.6079]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>                             [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> Sample 4 scored  Content analysis details:   (20.5 points, 5.0 required)
> Sample 5 scored  Content analysis details:   (25.7 points, 5.0 required)
> Sample 6 scored  Content analysis details:   (19.7 points, 5.0 required)
> Sample 7 scored  Content analysis details:   (25.3 points, 5.0 required)
>
> Looking at how they were scored I see that the following plug-ins hit on every
> message: freemail, ixhash and sagrey. The clamav plugin hit on a couple using
> the sanesecurity signatures. I've saved the complete output of spamassassin
> -D -t sample*.txt to a file. If you want I can fwd it to you to look at.
>
>> More comments below...
>>
>> Is there anything I need to know about the SARE rules? I see they're
>> not being updated at the moment... I've been wondering which ones are
>> 'safe' to use, considering they all seem to be at least a year old. Do
>> the comments on the rulesemporium.com site still apply? Anything there
>> broken in SA-3.2.x I should care about?
>
> I've 'never' had any problems with the SARE rules I run; I believe the answer
> as to why they're seldom updated is that they're such rock solid rule sets
> that they pretty much cover any type of spam out there.
>
>> As far as BOTNET goes... sounds interesting... I would definitely want
>> to push its score down lower though. A single rule being enough to
>> flag a message bothers me. Will look into it, thanks :)
>>
>> Thanks all,
>> Jake
>
> One other note: I do not run a mailserver; this is just how these score on my
> home system that I'm the only user on.
>
> --
> Chris
> KeyID 0xE372A7DA98E6705C
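Chris worked out by eye which rules fired on every sample, and Jake's worry is that a single rule can push a message over the threshold on its own. Both checks are easy to do mechanically from the "Content analysis details" block that spamassassin -t prints. The script below is an added example for this thread, not code from SpamAssassin or from either poster: it parses that block, verifies the per-rule scores add up to the reported total, lists the rules common to all reports, and lists any rule whose score alone meets the required threshold. The two sample reports are constructed from the scores Chris quoted for sample 1 and sample 2; any other SA report text with the same layout can be fed to parse_report() instead.

```python
"""Parse SpamAssassin 'Content analysis details' reports and compare the rule
hits across several samples.  Added example for this thread, not SpamAssassin
code and not code from anyone in the thread; the two reports below are
constructed from the scores Chris quoted for sample 1 and sample 2."""
import re
from typing import Dict, List, NamedTuple

HEADER_RE = re.compile(r"Content analysis details:\s*\((?P<total>-?\d+(?:\.\d+)?) points,"
                       r"\s*(?P<required>\d+(?:\.\d+)?) required\)")
# One rule hit: score, rule name, description.  The 'pts rule name' header row
# and the dashed separator do not start with a number, so they are skipped.
RULE_RE = re.compile(r"^\s*(?P<score>-?\d+(?:\.\d+)?)\s+(?P<rule>[A-Z][A-Z0-9_]+)\s+(?P<desc>.*)$")

class Hit(NamedTuple):
    score: float
    rule: str
    description: str

class Report(NamedTuple):
    total: float
    required: float
    hits: List[Hit]

def parse_report(text: str) -> Report:
    """Return total, threshold and the list of rule hits from one report."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' header found")
    hits: List[Hit] = []
    for line in text[m.end():].splitlines():
        rm = RULE_RE.match(line)
        if rm:
            hits.append(Hit(float(rm["score"]), rm["rule"], rm["desc"].strip()))
        elif hits and line.strip().startswith("["):
            # '[URIs: ...]' / '[score: ...]' lines continue the previous description
            hits[-1] = hits[-1]._replace(description=hits[-1].description + " " + line.strip())
    return Report(float(m["total"]), float(m["required"]), hits)

def scores_consistent(report: Report, tolerance: float = 0.05) -> bool:
    """True if the per-rule scores add up to the reported total."""
    return abs(sum(h.score for h in report.hits) - report.total) < tolerance

def rules_in_every_sample(reports: Dict[str, Report]) -> List[str]:
    """Rule names that fired in every report (what Chris eyeballed by hand)."""
    sets = [{h.rule for h in r.hits} for r in reports.values()]
    return sorted(set.intersection(*sets)) if sets else []

def single_rule_flags(report: Report) -> List[str]:
    """Rules whose score alone reaches the threshold (Jake's concern about one
    rule being enough to flag a message)."""
    return [h.rule for h in report.hits if h.score >= report.required]

# Constructed from Chris's quoted output; sample 2 omits the column header row.
SAMPLE_1 = """\
Content analysis details:   (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""
SAMPLE_2 = """\
Content analysis details:   (25.8 points, 5.0 required)

 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has a signature
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4915]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""
REPORTS = {"sample1": parse_report(SAMPLE_1), "sample2": parse_report(SAMPLE_2)}

if __name__ == "__main__":
    for name, rep in REPORTS.items():
        print(name, rep.total, "ok" if scores_consistent(rep) else "MISMATCH",
              "single-rule flags:", single_rule_flags(rep))
    print("hit in every sample:", rules_in_every_sample(REPORTS))
```

On these two reports the single-rule check picks out CLAMAV (10 points against a 5.0 threshold), which is the kind of rule Jake means; for BOTNET the same check would show whether its default score exceeds required_score on your install before you decide how far to lower it with a score line in local.cf.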