Jeremy Morton wrote:
OK, so I just got one of those www medsXX com spams, and even though it
hit my rule and got 2.0 added to it, it still didn't even get over 3
points. Looks like it was sent from quite a legit host. What rules do
other people get matching for this e-mail?
http://pastebin.com/m3b9629b6
Content analysis details: (7.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[190.244.172.161 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
0.1 BOTNET_BADDNS Relay doesn't have full circle DNS
[botnet_baddns,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar]
1.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar,baddns,client,ipinhostname]
0.1 BOTNET_IPINHOSTNAME Hostname contains its own IP address
[botnet_ipinhosntame,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar]
0.1 BOTNET_CLIENT Relay has a client-like hostname
[botnet_client,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar,ipinhostname]
0.5 CTYME_IXHASH BODY: BiXhash found @ ctyme.ixhash.ne
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5555]
0.5 GENERIC_IXHASH BODY: iXhash found @ generic.ixhash.net
0.5 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
--
Anthony Peacock
CHIME, UCL Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/
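The report above lists which rules fired, but it takes a moment of mental arithmetic to see how much of the 7.8 came from the relay's reputation (XBL/PBL, the Botnet plugin, missing rDNS) versus the message content itself (iXhash, Razor2, Bayes). The following Python script is an added example, not part of the thread and not SpamAssassin's own code: it parses a "Content analysis details" block, checks that the per-rule scores add up to the header total, and sums the scores by category. The sample input is the report re-typed from the message above (the truncated `ctyme.ixhash.ne` is copied as-is); the two-way split into "network" and "content" rules is an assumption made for this example, not a SpamAssassin classification.

```python
import re
from collections import defaultdict

# Sample input: the SpamAssassin report quoted earlier in this thread,
# re-typed here verbatim so the script runs offline.
SAMPLE_REPORT = """\
Content analysis details: (7.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[190.244.172.161 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
0.1 BOTNET_BADDNS Relay doesn't have full circle DNS
[botnet_baddns,ip=190.244.172.161,rdns=161-172-244-190.fibertel.com.ar]
1.5 BOTNET Relay might be a spambot or virusbot
0.1 BOTNET_IPINHOSTNAME Hostname contains its own IP address
0.1 BOTNET_CLIENT Relay has a client-like hostname
0.5 CTYME_IXHASH BODY: BiXhash found @ ctyme.ixhash.ne
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5555]
0.5 GENERIC_IXHASH BODY: iXhash found @ generic.ixhash.net
0.5 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.1 RDNS_NONE Delivered to trusted network by a host with
no rDNS
"""

# Header line carries the total and the required threshold.
HEADER_RE = re.compile(
    r"Content analysis details:\s*\(\s*(-?\d+\.\d+) points,\s*(-?\d+\.\d+) required\)"
)
# A rule line: score, rule name, free-text description. Continuation lines
# such as "[... listed in zen.spamhaus.org]" or "no rDNS" do not match.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def categorize(rule, description):
    """Assumed two-way split: relay reputation vs. message content."""
    if rule.startswith(("RCVD_IN_", "BOTNET", "RDNS_")) or description.startswith("RBL:"):
        return "network"
    if rule.startswith("RAZOR2") or description.startswith("BODY:"):
        return "content"
    return "other"


def parse_report(text):
    """Return total, threshold and the list of (rule, score, description)."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no 'Content analysis details' header found")
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(2), float(m.group(1)), m.group(3).strip()))
    return {
        "total": float(header.group(1)),
        "required": float(header.group(2)),
        "rules": rules,
    }


def score_breakdown(report):
    """Sum scores per category and sanity-check them against the header."""
    by_cat = defaultdict(float)
    for rule, score, desc in report["rules"]:
        by_cat[categorize(rule, desc)] += score
    listed = sum(score for _, score, _ in report["rules"])
    return {
        "by_category": {k: round(v, 1) for k, v in by_cat.items()},
        "listed_sum": round(listed, 1),
        # SA rounds to one decimal, so allow a small tolerance.
        "matches_header": abs(listed - report["total"]) < 0.05,
        "over_threshold": report["total"] >= report["required"],
        # Would the content rules alone have pushed it over the line?
        "content_only_exceeds": by_cat["content"] >= report["required"],
    }


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    summary = score_breakdown(rep)
    for cat, pts in sorted(summary["by_category"].items()):
        print(f"{cat:8s} {pts:5.1f}")
    print(f"total {rep['total']} (required {rep['required']}), "
          f"rules add up: {summary['matches_header']}, "
          f"content alone over threshold: {summary['content_only_exceeds']}")
```

Run against the report above, the network bucket comes to 5.8 and the content bucket to 2.0, which is exactly what makes the difference between this copy scoring 7.8 and the same body arriving via a relay with a clean reputation.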