On Tue, Jan 06, 2009 at 02:07:38PM -0600, Craig wrote:
> Hello All-
>  
> I have recently been getting MANY spam slipping through Spamassassin and I am 
> looking for help on how to stop.  I have used Spamassassin with Bayes 
> successfully for many years now and once I train the system on new spam, the 
> system does an excellent job of stopping. These messages are very short and 
> include a link.  The subject is usually regarding watches, or are thinly 
> disguised viagra ads. Many are sent from aim.com. Below is header info and 
> below that is the Spamassassin output of an email that has slipped through.  
>  
> Specs:
> SA 3.17
> With Bayes integration, DNS testing.
>  
> Thanks
> Craig
>  
> To: gillian.gr...@btinternet.com 
> Subject: Private Message.
> Date: Tue, 06 Jan 2009 14:36:43 -0500
> X-AOL-IP: 81.37.21.218
> X-MB-Message-Source: WebUI
> MIME-Version: 1.0
> From: omqdwc63...@aim.com 
> X-MB-Message-Type: User
> Content-Type: multipart/alternative; 
>  boundary="--------MB_8CB3E4D3D238A60_FE4_95E_Webmail-mg02.sim.aol.com"
> X-Mailer: AIM WebMail 40627-STANDARD
> Received: from 81.37.21.218 by Webmail-mg02.sim.aol.com (64.12.142.150) with 
> HTTP (WebMailUI); Tue, 06 Jan 2009 14:36:43 -0500
> Message-Id: <8cb3e4d3d212802-fe4-...@webmail-mg02.sim.aol.com>
> X-Spam-Flag:YES
>  
> 
> ----------MB_8CB3E4D3D238A60_FE4_95E_Webmail-mg02.sim.aol.com
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="us-ascii"
>  
> Don't fail in the bed games. Try THIS.
>  
> 50 percent add present
>  
> >>>?http://www.ecbdollar.com/sp.php?<<<
>  
>  
> _______________________________________________________________________________________
>  
>  
> Spam detection software, running on the system "spam_server.unitedwayqc.lcl", 
> has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> ccanfi...@unitedwayqc.org for details.
>  
> Content preview:  Breakthrough formula for men 50 percent add present
>   >>>?http://www.canada-cz.com/sp.php?<<< [...] 
>  
> Content analysis details:   (3.3 points, 5.0 required)
>  
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 NO_REAL_NAME           From: does not include a real name
>  2.2 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]

Directly from our local.cf:
========= 8< snip -----------------
# We've (or at least the webmaster has) had a problem with spam
# from aim.com users, coming from AOL servers.  After much training,
# they hit BAYES_99, but not enough other rules to go over the edge.
# These are designed to handle that.
header __RLM_RCVD_FROM_AOL Received =~ /from .*\.aol\.com/
header __RLM_FROM_AIM_USER From =~ /\...@aim\.com/
meta RLM_AIM_SPAM (__RLM_RCVD_FROM_AOL && __RLM_FROM_AIM_USER)
# Most of this already scores 3.5.
score RLM_AIM_SPAM 1.6
========= 8< snip -----------------

Set your score to push them over the threshold.  Much more than that
and you risk FPs.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
b...@bobcatos.com             http://www.bobcatos.com
My son, do not despise the LORD's discipline and do not resent his
rebuke, because the LORD disciplines those he loves, as a father the
son he delights in.  Proverbs 3:11-12 (NIV)
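
Added example, not part of the original thread or of either poster's configuration: a Python sketch that applies the two header tests and the meta rule from the local.cf snippet to the headers of the quoted message, then works out how the 1.6 score interacts with the 3.3 of 5.0 points shown in the report. The `@aim\.com` pattern is an assumption standing in for the From regex that the list archive redacted, the function names are hypothetical, and the threshold comparison assumes a message is flagged when its score is at or above the required value.

```python
import re
from decimal import Decimal
from email import message_from_string

# Constructed sample: headers copied from the quoted message above
# (the addresses are already redacted by the list archive).
SAMPLE = """\
From: omqdwc63...@aim.com
Subject: Private Message.
Received: from 81.37.21.218 by Webmail-mg02.sim.aol.com (64.12.142.150) with
 HTTP (WebMailUI); Tue, 06 Jan 2009 14:36:43 -0500

body
"""

RCVD_FROM_AOL = re.compile(r"from .*\.aol\.com")  # regex from the local.cf above
FROM_AIM_USER = re.compile(r"@aim\.com")          # assumption: stand-in for the redacted regex

def unfold(value):
    """Join folded header lines so a pattern sees the header as one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def aim_meta_hits(raw):
    """True when both sub-rules match, mirroring the && in the meta rule."""
    msg = message_from_string(raw)
    rcvd = any(RCVD_FROM_AOL.search(unfold(h)) for h in msg.get_all("Received", []))
    frm = any(FROM_AIM_USER.search(unfold(h)) for h in msg.get_all("From", []))
    return rcvd and frm

def final_score(raw, base, meta_score):
    """Total after adding the meta rule's points to the other rules' total."""
    return Decimal(base) + (Decimal(meta_score) if aim_meta_hits(raw) else 0)

def min_meta_score(base, required, step="0.1"):
    """Smallest meta score, in 0.1 steps, that reaches the required total."""
    gap = Decimal(required) - Decimal(base)
    steps = (gap / Decimal(step)).to_integral_value(rounding="ROUND_CEILING")
    return max(Decimal(0), steps * Decimal(step))

if __name__ == "__main__":
    print("meta rule hits:", aim_meta_hits(SAMPLE))
    print("3.3 + 1.6 =", final_score(SAMPLE, "3.3", "1.6"), "against 5.0 required")
    print("minimum from 3.3:", min_meta_score("3.3", "5.0"))
    print("minimum from 3.5:", min_meta_score("3.5", "5.0"))
```

With the report's numbers the quoted message lands at 4.9, just under 5.0, so the gap to close depends on what the other rules (Bayes included) contribute at each site.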
