On Tue, 15 Mar 2016, Kris Deugau wrote:
Robert Boyl wrote:
Hi, everyone
Please check http://pastebin.com/GUBqpyZ8
Interesting how some spams that abuse some legit account such as this
one are hard to detect, how Spamassassin scores almost nothing although
there are spammy words, etc. System caught DCC_CHECK 1.10.
Some other systems such as isnotspam.com caught
some SA rule which doesn't exist anymore in latest SA...
AXB_X_FF_SEZ_S=3.10.
[snip..]
I'm not certain, but it also looks like you might not be using Bayes.
This is likely one of the key methods of detecting spam like this;
since it was sent through outlook.com the message structure is perfectly
legitimate so IP DNSBLs will have little value.
It looks like that message was sent from a compromised college account hosted in
Office-365.
Actually this is one case where Bayes may not be a help. Our campus recently
outsourced almost all users to O365. As a consequence our Bayes gets a
-lot- of ham from O365 and therefore has most of its fingerprints tagged as ham.
Thus it takes a very spammy message passed through O365 to get anything but
BAYES_00.
I.e., out of the 130KB of that message, only a few dozen bytes are actually the
spam 'payload' and thus, Bayes-wise, it gets swamped by the O365 noise.
I'm considering tagging most of the O365 headers with bayes_ignore_header.
Anybody else wrestling with this? Any suggestions?
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
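As an added illustration of the bayes_ignore_header idea above (not from the original thread): a small POSIX sh/awk snippet that pulls the distinct Office 365 header names out of a sample of ham headers and emits one bayes_ignore_header line per name, so the list you feed local.cf comes from your own mail rather than from guesswork. The header names in the sample are constructed for the example, and the prefix list (X-MS-, X-Microsoft-, X-Forefront-, X-Exchange-) is an assumption about what O365 stamps; check both against your own corpus.

```shell
#!/bin/sh
# Constructed two-message mbox sample (not real mail); values are placeholders.
SAMPLE_MBOX=$(cat <<'EOF'
From alice@example.edu Tue Mar 15 10:00:00 2016
Received: from NAM02-placeholder.outbound.protection.outlook.com (constructed)
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-CrossTenant-Id: 00000000-0000-0000-0000-000000000000
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(placeholder);
X-Forefront-Antispam-Report: CIP:192.0.2.1;IPV:NLI;SFV:NSPM;
Subject: constructed ham message one

Body text that mentions nothing interesting.

From bob@example.edu Tue Mar 15 10:05:00 2016
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(placeholder);
Subject: constructed ham message two

X-MS-Exchange-Organization-AuthAs: quoted in a body line must not count.
EOF
)

# Read an mbox on stdin; print "bayes_ignore_header <Name>" for every distinct
# O365-style header name seen in message headers (body lines are skipped).
o365_ignore_headers() {
    awk '
        /^From / { inhdr = 1; next }       # mbox separator: a header block starts
        inhdr && /^$/ { inhdr = 0; next }  # first blank line ends the headers
        inhdr && /^(X-MS-|X-Microsoft-|X-Forefront-|X-Exchange-)[A-Za-z0-9-]*:/ {
            split($0, f, ":"); print f[1]  # header name only, original case kept
        }
    ' | LC_ALL=C sort -u | awk '{ print "bayes_ignore_header " $0 }'
}

# Demo run on the constructed sample; feed a real ham mbox instead in practice.
printf '%s\n' "$SAMPLE_MBOX" | o365_ignore_headers
```

bayes_ignore_header only drops header tokens, so the HTML boilerplate O365 puts in message bodies still reaches Bayes untouched. Review the generated list before committing it: X-Forefront-Antispam-Report and X-Microsoft-Antispam carry the upstream filter's own verdict, which you may prefer to keep as a Bayes cue.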