On Thu, 21 Apr 2016 14:33:01 +0100, Chip M. <sa_c...@iowahoneypot.com> wrote:
> Starting about two hours ago, about 40% of my real-time
> honeypot spam is a new malware campaign. About a third are
> hitting "BAYES_00", with about 10% of all having negative SA
> scores. :(

I've just checked 4 that score between 10.1 and 14.9 (I don't see any
others.)
One had BAYES_80 and the rest were all BAYES_999 (having learnt the first
one). Just glancing at the messages I'd assume the 80 came from being so
similar to the frequent "invoice attached" type spams that have been
coming through for a while.
They all hit RDNS_NONE and DCC_CHECK too. TxRep seems to be adding a
couple of points each time too (scoring based on the email address).
The remaining points come from a variety of RBLs and some local rules I
use. While you're hitting BAYES_00 you'll be facing an uphill battle
though. I'd suggest feeding that some samples to at least try and negate
that issue. They seem to be fairly distinctive in the eyes of my bayes.