On Fri, 16 Aug 2013 12:36:13 +0100
Andrew Hearn wrote:

> Hello,
> 
> I have a low scoring pills spam:
>  http://pastebin.com/q6nWqzMR
> 
> I only get the following on it:
> 
> *  1.0 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)
> *      [219.94.129.82 listed in bl.mailspike.net]
> *  0.0 SUBJECT_FUZZY_CHEAP Attempt to obfuscate words in
>   Subject:
> *  0.5 FROM_LOCAL_NOVOWEL From: localpart has series of
>   non-vowel letters
> * -2.8 RP_MATCHES_RCVD Envelope sender domain matches handover
>   relay domain
> *  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
> *      http://www.chaosreigns.com/iprep/
> 
> 
> Am I missing anything (apart from Bayes) that would help catch this?
> 
> Many thanks!
> 

Firstly score down RP_MATCHES_RCVD, which lets through a lot of spam
and makes no more sense than scoring SPF_PASS at that level.

Scoring Asian mail works for me, but isn't generally applicable.

I've not seen much of that form of subject obfuscation for years, but I
have found the following useful in the past:

# Fires when the Subject has three runs of repeated letters, each within 30 characters of the next
header    SUBJ_REPEAT_LETTERS  Subject =~ /(?:(?:aa+|bb+|ccc+|ddd+|eee+|ff+|ggg+|hh+|ii+|jj+|kk+|lll+|mm+|nnn+|ooo+|ppp+|qq+|rrr+|sss+|ttt+|uu+|vv+|ww+|xx+|yy+|zz+).{0,30}){3}/i
describe  SUBJ_REPEAT_LETTERS  Tooo manyy repeateddd lettters
score     SUBJ_REPEAT_LETTERS  2.0
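
Added example, not part of the original message: a small Python harness that runs the posted pattern over constructed Subject lines, listing which letter runs count and showing one obfuscated hit, one legitimate false positive and one miss caused by the 30-character window. The helper names and sample subjects are assumptions made for illustration.

```python
import re

# Alternation copied from the SUBJ_REPEAT_LETTERS rule in the message above.
# Letters that often double in ordinary words (c d e g l n o p r s t) need
# three in a row; every other letter counts at two.
RUNS = ("aa+|bb+|ccc+|ddd+|eee+|ff+|ggg+|hh+|ii+|jj+|kk+|lll+|mm+|nnn+|ooo+|"
        "ppp+|qq+|rrr+|sss+|ttt+|uu+|vv+|ww+|xx+|yy+|zz+")
RUN_RE = re.compile(f"(?:{RUNS})", re.IGNORECASE)
RULE_RE = re.compile(f"(?:(?:{RUNS}).{{0,30}}){{3}}", re.IGNORECASE)


def counted_runs(subject):
    """Return every repeated-letter run the rule would count (hypothetical helper)."""
    return [m.group(0) for m in RUN_RE.finditer(subject)]


def rule_hits(subject):
    """True when three counted runs occur with at most 30 characters between them."""
    return RULE_RE.search(subject) is not None


# Constructed Subject lines, not taken from real mail.
SAMPLES = [
    "Tooo manyy repeateddd lettters",            # the rule's own description
    "Cheeeap waatches onliine",                  # obfuscated, three runs
    "Meeting moved to committee room 3",         # only "mm" counts
    "Hawaii skiing vacuum deals",                # legitimate words, still hits
    "Buyy" + " ." * 20 + " noww todayy",         # three runs, first gap > 30
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{rule_hits(s)!s:5}  {counted_runs(s)}  {s!r}")
```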
