stefan novak wrote:
> I've updated the file with the headers:
> 
> http://pastebin.com/m6e31520c

Scored high here:

Content analysis details:   (32.9 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.2 TO_MALFORMED           To: has a malformed address
 1.0 RELAY_AR               Relayed through Argentina
 0.5 BOTNET_BADDNS          Relay doesn't have full circle DNS
                            [botnet_baddns,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 RCVD_IN_UCEPROTECT_3   RBL: Sender listed in UCEPROTECT_3
                            [190.51.32.122 listed in dnsbl-3.uceprotect.net]
 1.0 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK
                            [190.51.32.122 listed in hostkarma.junkemailfilter.com]
 1.0 RCVD_IN_UCEPROTECT_2   RBL: Sender listed in UCEPROTECT_2
                            [190.51.32.122 listed in dnsbl-2.uceprotect.net]
 2.0 RCVD_IN_UCEPROTECT_1   RBL: Sender listed in UCEPROTECT_1
                            [190.51.32.122 listed in dnsbl-1.uceprotect.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.51.32.122 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.5 RCVD_IN_BARRACUDA      RBL: Sender listed in Barracuda Relay Black List
                            [190.51.32.122 listed in b.barracudacentral.org]
 2.5 RCVD_IN_NERDS_AR       RBL: Received from Argentina
                            [190.51.32.122 listed in zz.countries.nerd.dk]
 0.5 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,maildomain=alfa.com,baddns,client,ipinhostname]
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,ipinhostname]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.0 LONGWORDS_15           BODY: string of 15+ random letters
 1.0 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
 1.0 NIXSPAM_IXHASH         BODY: iXhash found @ ix.dnsbl.manitu.net
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.5 KAM_UNIV               Diploma Mill Rule
 2.0 BOTNET_WU              BOTNET_WU
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Might consider adding some of the available plugins and using sa-update
to grab Justin's "sought" rules, if not already doing so.

Bill
