On Sun, May 3, 2009 03:15, Michael Monnerie wrote:
> Dear maintainers,
>
> I've got a false positive with FRT_VALIUM1, FRT_VALIUM2 and FUZZY_VLIUM
> with a German announcement from Paypal about changing their general
> terms and conditions. Maybe those rules can be optimized?
>
> Message is at http://zmi.at/x/frt_valium_fp.txt because I couldn't send
> it to the list directly:
> host mx1.eu.apache.org[192.87.106.230] said:
>     552 spam score (14.3) exceeded threshold (in reply to end of DATA
> command)
>
> Thanks,
> mfg zmi
>
> Analyse Details:   (5.6 points, 5.0 required)
>
> Pkt  Name der Regel         Beschreibung
> ---- ---------------------- -------------------------------------------------
>  1.1 URI_IN_SORBS_DNS_SPAM  URI in spam.dnsbl.sorbs.net
> [URIs: salesforce.com]
> -0.3 L_P0F_D11              L_P0F_D11
> -0.0 SPF_PASS               SPF: Senderechner entspricht SPF-Datensatz

Use whitelist_from_spf to turn it into a ham msg.

>  0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
> [botnet_serverwords,ip=206.165.243.121,rdns=email-121.paypal.com]
>  0.0 DKIM_SIGNED            Domain Keys Identified Mail: message has a
> signature

Where is the DKIM header?

>  1.6 FRT_VALIUM1            BODY: ReplaceTags: Valium
>  0.0 FUZZY_VLIUM            BODY: Attempt to obfuscate words in spam
>  1.3 FRT_VALIUM2            BODY: ReplaceTags: Valium (2)
>  2.0 TRACKER_ID             BODY: Beinhaltet eine Identitätsnummer zur
> Nutzerbeobachtung
>  1.2 FUZZY_CREDIT           BODY: Attempt to obfuscate words in spam
> -3.6 BAYES_00               BODY: Spamwahrscheinlichkeit nach Bayes-
> Test: 0-1% [score: 0.0000]
>  0.0 HTML_MESSAGE           BODY: Nachricht enthält HTML
>  0.7 MPART_ALT_DIFF         BODY: Nachrichtentext im Text- und HTML-
> Format unterscheiden sich
>  1.4 MIME_QP_LONG_LINE      RAW: "quoted-printable"-kodierte Zeile
> länger als 76 Zeichen
>  0.1 AWL                    AWL: From: address is in the auto white-list

And no DKIM whitelist, so it's spam or forged.

-- 
http://localhost/ 100% uptime and 100% mirrored :)
