Re: Low scoring pill spam

Fri, 16 Aug 2013 08:10:53 -0700 

RW skrev den 2013-08-16 15:11:


I have a low scoring pills spam:
 http://pastebin.com/q6nWqzMR



Content analysis details:   (13.3 points, 5.0 required)

 pts rule name              description

---- ---------------------- 
--------------------------------------------------

 0.1 RELAY_STAR             Relayed through RFC1918
 0.5 RELAY_JP               Relayed through JP
 1.8 SUBJECT_FUZZY_CHEAP    Attempt to obfuscate words in Subject:
 1.5 MSG_ID_NE_JP           origin msg id spamming

 0.5 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel 
letters

 0.0 RCVD_IN_MSPIKE_L3      RBL: Low reputation (-3)
                            [219.94.129.82 listed in bl.mailspike.net]

 3.3 URIBL_BLACK            Contains an URL listed in the URIBL 
blacklist

                            [URIs: eatbok.com]

 0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover 
relay domain
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level 
mail

                            domains are different
 0.1 URI_ADMIN_PARTLY       URI: contains admin
 0.1 URI_IMAGES_PARTLY      URI: contains images
 0.1 STARS_ON_FORTY_SIX     URI: contains 6 chars url at end
 0.5 L_THREE_LINES          BODY: has exactly three lines
 1.5 L_LT6_LINE             BODY: has less than six body lines
 0.5 L_TWO_NE_LINES         BODY: has exactly two NON EMPTY lines

 1.5 L_LT6_NE_LINE          BODY: has less than six NON EMPTY body 
lines

 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
 1.3 SAGREY                 Adds score to spam from first-time senders


header MSG_ID_NE_JP Message-id =~ /ne\.jp/
describe MSG_ID_NE_JP origin msg id spamming
score MSG_ID_NE_JP 1.5 1.5 1.5 1.5

uri URI_ADMIN_PARTLY /.*\/admin\/.*/i
describe URI_ADMIN_PARTLY contains admin
score URI_ADMIN_PARTLY 0.1 0.1 0.1 0.1

uri URI_IMAGES_PARTLY /.*\/images\/.*/i
describe URI_IMAGES_PARTLY contains images
score URI_IMAGES_PARTLY 0.1 0.1 0.1 0.1

uri STARS_ON_FORTY_FIVE /\/[A-Za-z0-9]{5}\.[a-z]{3,4}/
describe STARS_ON_FORTY_FIVE contains 5 chars url at end
score STARS_ON_FORTY_FIVE 0.5 0.5 0.5 0.5

uri STARS_ON_FORTY_FOOR /\/[A-Za-z0-9]{4}\.[a-z]{3,4}/
describe STARS_ON_FORTY_FOOR contains 4 chars url at end
score STARS_ON_FORTY_FOOR 0.1 0.1 0.1 0.1

uri STARS_ON_FORTY_SIX /\/[A-Za-z0-9]{6}\.[a-z]{3,4}/
describe STARS_ON_FORTY_SIX contains 6 chars url at end
score STARS_ON_FORTY_SIX 0.1 0.1 0.1 0.1

and finaly nr_of_lines plugin






















					Reply via email to