On Sunday 09 November 2008 2:33 pm, Micah Anderson wrote:
> I'm getting a number of these types of emails getting through SA with
> either negative scores, or very low scores. This is surprising to me as
> these are pretty classic spams. I suspect that some of the low scores
> are due to being DKIM signed.
>
> Does anyone have any rules to catch these, or suggestions of scores to
> tweak to make these hit better? I am running clamav-milter with the
> sanesecurity add-ons, but these are still making it through.
>
> Here are 5 different ones, all that got through in the last 24
> hours:
>
> http://micah.riseup.net/1
> http://micah.riseup.net/2
> http://micah.riseup.net/3
> http://micah.riseup.net/4
> http://micah.riseup.net/5
>
> Thanks
1 scored like this:

Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 0.0 DK_SIGNED              Domain Keys: message has a signature
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5005]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1117; Body=1 Fuz1=many]
                            [Fuz2=many]
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.9 KAM_LOTTO1             Likely to be a e-Lotto Scam Email
 2.5 L_UNVERIFIED_GMAIL     L_UNVERIFIED_GMAIL
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

2 scored:

Content analysis details:   (12.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 1.0 FREEMAIL_FROM          From-address is freemail domain
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has a signature
-0.0 DK_VERIFIED            Domain Keys: signature passes verification
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 0.6 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1117; Body=1 Fuz1=1 Fuz2=many]
 1.2 ADVANCE_FEE_2          Appears to be advance fee fraud (Nigerian 419)
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

3 scored:

Content analysis details:   (15.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 0.3 TO_TOO_MANY            To: too many recipients
 0.3 TO_WAY_TOO_MANY        To: way too many recipients
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 2.7 DEAR_FRIEND            BODY: Dear Friend? That's not very dear!
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8230]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1170; Body=many Fuz1=many]
                            [Fuz2=many]
 1.2 ADVANCE_FEE_2          Appears to be advance fee fraud (Nigerian 419)
 1.7 SARE_FRAUD_X3          Matches 3+ phrases commonly used in fraud spam
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

4 scored:

Content analysis details:   (22.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 0.5 RELAY_JP               Relayed through Japan
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9389]
 2.5 CTYME_IXHASH           BODY: iXhash found @ ixhash.junkemailfilter.com
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 76]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 76]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1170; Body=46 Fuz1=9 Fuz2=many]
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
 2.5 L_UNVERIFIED_GMAIL     L_UNVERIFIED_GMAIL
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

5 scored:

Content analysis details:   (16.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.2 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9820]
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1170; Body=468 Fuz1=468]
                            [Fuz2=many]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 UPPERCASE_50_75        message body is 50-75% uppercase
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Above are how these scored on my stand-alone box. You may want to run the
Freemail plugin, SA-Grey plugin. Are you running Razor?

-- 
Chris
KeyID 0xE372A7DA98E6705C
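The practical question in this thread is which rules and add-ons account for the gap between the two boxes' scores. The following script is an added example, not part of the thread and not SpamAssassin's own code: it parses a "Content analysis details" block (the first report above is embedded as the sample input), totals the hits, groups them by the optional checks the reply mentions, and recomputes the total as it would be with `score RULE value` overrides in local.cf. The prefix table that maps rule names to plugins is an assumption drawn from the rule names visible in the reports, not anything SpamAssassin exposes.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Sample input: the first "Content analysis details" block from the reply above,
# re-wrapped one rule per line the way SpamAssassin prints it.
SAMPLE_REPORT = """\
Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 0.0 DK_SIGNED              Domain Keys: message has a signature
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or
                            Body than From
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5005]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.9 KAM_LOTTO1             Likely to be a e-Lotto Scam Email
 2.5 L_UNVERIFIED_GMAIL     L_UNVERIFIED_GMAIL
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

class Hit(NamedTuple):
    rule: str
    score: float
    description: str

# A rule line: score, rule name, start of description. Indented lines that do
# not match this are continuations of the previous description.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
SUMMARY_LINE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

def parse_report(text: str) -> Tuple[float, List[Hit]]:
    """Return (required_score, hits) parsed from a report block."""
    required = 5.0
    hits: List[Hit] = []
    for line in text.splitlines():
        m = SUMMARY_LINE.search(line)
        if m:
            required = float(m.group(2))
            continue
        m = RULE_LINE.match(line)
        if m:
            hits.append(Hit(m.group(2), float(m.group(1)), m.group(3).strip()))
        elif hits and line[:1].isspace() and line.strip():
            last = hits[-1]
            hits[-1] = last._replace(description=last.description + " " + line.strip())
    return required, hits

def total_score(hits: List[Hit]) -> float:
    return round(sum(h.score for h in hits), 1)

def rescore(hits: List[Hit], overrides: Dict[str, float]) -> float:
    """Total as it would be with 'score RULE value' lines in local.cf.
    Rules that did not fire stay absent: an override cannot add a hit."""
    return round(sum(overrides.get(h.rule, h.score) for h in hits), 1)

def local_cf_lines(overrides: Dict[str, float]) -> List[str]:
    """Render overrides as SpamAssassin local.cf 'score' directives."""
    return [f"score {rule} {value:.1f}" for rule, value in sorted(overrides.items())]

# Prefixes for the add-ons named in the reply (assumed grouping from rule names).
PLUGIN_PREFIXES = {
    "FreeMail plugin": ("FREEMAIL_",),
    "SAGrey plugin": ("SAGREY",),
    "Razor2": ("RAZOR2_",),
    "DCC": ("DCC_",),
}

def plugin_hits(hits: List[Hit]) -> Dict[str, List[str]]:
    """Which optional checks contributed, and through which rules."""
    out: Dict[str, List[str]] = {name: [] for name in PLUGIN_PREFIXES}
    for h in hits:
        for name, prefixes in PLUGIN_PREFIXES.items():
            if h.rule.startswith(prefixes):
                out[name].append(h.rule)
    return out

def plugin_points(hits: List[Hit]) -> float:
    """Points that disappear if none of the optional checks are installed."""
    flagged = {r for rules in plugin_hits(hits).values() for r in rules}
    return round(sum(h.score for h in hits if h.rule in flagged), 1)

if __name__ == "__main__":
    required, hits = parse_report(SAMPLE_REPORT)
    print(f"total {total_score(hits)} (required {required}); from optional checks: {plugin_points(hits)}")
    print("optional checks:", plugin_hits(hits))
    print("without the DNSWL bonus:", rescore(hits, {"RCVD_IN_DNSWL_LOW": 0.0}))
    print("\n".join(local_cf_lines({"RCVD_IN_DNSWL_LOW": 0.0})))
```

Run against the sample, it shows 6.7 of the 12.9 points coming from FreeMail, SAGrey, Razor2 and DCC, which is the kind of gap a box without those add-ons would show; the same parser can be pointed at the other box's reports (e.g. from `spamassassin -t < message`) to compare rule by rule before changing any score.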