On Sat, Dec 05, 2009 at 09:51:40PM -0700, LuKreme wrote:
> On 5-Dec-2009, at 12:26, Jari Fredriksson wrote:
> > On 5.12.2009 16:03, LuKreme wrote:
> >>
> >>
> >> On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
> >>
> >>> Content analysis details: (14.9 points, 5.0 required)
> >>
> >> 14 of your points come from the IP being listed. It was not listed
> >> initially, and score 0.9 on your tests based on that.
> >>
> >
> > Really?
> >
> > 4.0 BOTNET Relay might be a spambot or virusbot
> > [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
> > 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
> > 0.0 HTML_MESSAGE BODY: HTML included in message
> > -2.5 BAYES_20 BODY: Bayesian spam probability is 5 to 20%
> > 0.6 SARE_HTML_HTML_TBL FULL: Message body has very strange HTML
> > sequence
> > 0.1 RDNS_NONE Delivered to trusted network by a host with
> >
> > 4 + 2,8 + 0 - 2,5 + 0,6 + 0,1 = 5 (catch)
>
> What about:
>
> 1.0 RCVD_IN_BRBL_LASTEXT RBL: Received via a relay in Barracuda BRBL
> 1.7 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
> 0.8 RCVD_IN_SEMBLACK RBL: Received from an IP listed by SEM-BLACK
> 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> 2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL

Why do you guys keep on nitpicking about rules and scores thread after thread? The fact is that SpamAssassin is probably _never_ going to catch 0-day spam (or even much longer, pick your number) on purely "default non-net" rules. The content rules are extremely simple to bypass and sa-update will never be realtime. You only block when someone else has seen the spam or on botnet/rdns rules. Or when Bayes has happened to see similar stuff.
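
An added example, not part of any post in this thread: a short Python parser that splits the rule hits quoted above into a message-content bucket and a relay/blocklist bucket and checks the content bucket against the 5.0 threshold. Which rules count as relay-dependent (RELAY_PREFIXES, RELAY_RULES) is an assumption of this example, and the REPORT sample is constructed from the quoted lines.

```python
import re
from decimal import Decimal

# Constructed sample: the rule hits quoted in the thread, in SpamAssassin's
# "score RULE description" report layout (descriptions shortened).
REPORT = """\
 4.0 BOTNET                 Relay might be a spambot or virusbot
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML
                            sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
"""
REQUIRED = Decimal("5.0")  # threshold from the quoted report header

# Assumption of this example: rules that depend on the relay's IP/rDNS or on
# a blocklist lookup, as opposed to rules that only look at the message.
RELAY_PREFIXES = ("RCVD_IN_", "URIBL_")
RELAY_RULES = {"BOTNET", "RDNS_NONE", "KHOP_DNSBL_BUMP"}

HIT = re.compile(r"^[ \t]*(-?\d+\.\d+)[ \t]+([A-Z][A-Z0-9_]+)\b", re.MULTILINE)

def parse_hits(report):
    """Return (score, rule) pairs; wrapped description lines are skipped."""
    return [(Decimal(s), name) for s, name in HIT.findall(report)]

def split_scores(report):
    """Sum the hits into message-content and relay/blocklist buckets."""
    totals = {"content": Decimal("0"), "relay": Decimal("0")}
    for score, name in parse_hits(report):
        relay = name in RELAY_RULES or name.startswith(RELAY_PREFIXES)
        totals["relay" if relay else "content"] += score
    return totals

def caught_without_relay_data(report, required=REQUIRED):
    """Would the message reach the threshold on content rules alone?"""
    return split_scores(report)["content"] >= required

if __name__ == "__main__":
    print(split_scores(REPORT), caught_without_relay_data(REPORT))
```

On the quoted hits the content bucket comes to 0.9 and the relay bucket to 11.6. The thread reproduces only part of the report, so these do not add up to the 14.9 in its header.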