You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2007/06/05 00:38:27 UTC
Re: what scores do you get on this
On Tuesday 29 May 2007 9:52 am, ram wrote:
> This is a very intelligently written scam mail
>
> http://ecm.netcore.co.in/tmp/missed.txt
>
> I set my servers to pretty aggressive custom rules , but I am not able
> to catch this spam
>
> Bayes has messed up agreed but even not counting bayes almost no other
> rules hit. Notwithstanding using custom spamscanner from commtouch to
> complement spamassassin
>
My setup scores like this:
X-Spam-Virus: Yes (Email.Scam4.Gen899.Sanesecurity.07052906)
X-Spam-Seen: Tokens 236
X-Spam-New: Tokens 350
X-Spam-Remote: Host localhost
X-Spam-ASN: AS33480 202.162.240.0/24
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on
cpollock.localdomain
X-Spam-Hammy: Tokens 25
X-Spam-Status: Yes, score=16.5 required=5.0 tests=BAYES_50=1,CLAMAV=10,
DKIM_POLICY_SIGNSOME=0.001,MIME_QP_LONG_LINE=1.396,RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CHECK=0.5,RCVD_IN_SORBS_WEB=0.619,
ROUND_THE_WORLD=0,SAGREY=1,UNPARSEABLE_RELAY=0.001 autolearn=disabled
version=3.2.0
Content analysis details: (16.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[206.51.237.119 listed in dnsbl.sorbs.net]
0.0 ROUND_THE_WORLD Received: says mail sent around the world (DNS)
0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
signs some mails
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5405]
1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 73]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 73]
10 CLAMAV Clam AntiVirus detected a virus
1.0 SAGREY Adds 1.0 to spam from first-time senders
--
Chris
KeyID 0xE372A7DA98E6705C
Re: what scores do you get on this
Posted by maillist <ma...@emailacs.com>.
Chris wrote:
> On Tuesday 29 May 2007 9:52 am, ram wrote:
>
>> This is a very intelligently written scam mail
>>
>> http://ecm.netcore.co.in/tmp/missed.txt
>>
>> I set my servers to pretty aggressive custom rules , but I am not able
>> to catch this spam
>>
>> Bayes has messed up agreed but even not counting bayes almost no other
>> rules hit. Notwithstanding using custom spamscanner from commtouch to
>> complement spamassassin
I get
Content analysis details: (19.0 points, 7.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
0.8 UNDISC_RECIPS Valid-looking To "undisclosed-recipients"
1.2 TVD_RCVD_SPACE_BRACKET Received header has a spammy looking section
1.5 ROUND_THE_WORLD Received: says mail sent around the world (DNS)
3.0 FORGED_RCVD_HELO Received: contains a forged HELO
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
8.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 73]
1.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 73]
1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[206.51.237.119 listed in dnsbl.sorbs.net]
Re: ClamAV plugin (was: Re: what scores do you get on this)
Posted by Chris <cp...@embarqmail.com>.
On Monday 04 June 2007 5:50 pm, John Rudd wrote:
> > [cf: 73]
> > 10 CLAMAV Clam AntiVirus detected a virus
> > 1.0 SAGREY Adds 1.0 to spam from first-time senders
>
> How come the ClamAV plugin doesn't report the virus found, in the same
> way that the bayes rule specifies the specific bayes score, and the
> SORBS rule specifies what IP address was listed where. It seems like
> this would be an appropriate feature to add.
It would make sense wouldn't it. At the moment you have to look at this tag:
X-Spam-Virus: Yes (Email.Scam4.Gen899.Sanesecurity.07052906)
And maybe it is available through the plugin I, I don't know.
--
Chris
KeyID 0xE372A7DA98E6705C
ClamAV plugin (was: Re: what scores do you get on this)
Posted by John Rudd <jr...@ucsc.edu>.
> Content analysis details: (16.5 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
> [206.51.237.119 listed in dnsbl.sorbs.net]
> 0.0 ROUND_THE_WORLD Received: says mail sent around the world (DNS)
> 0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
> signs some mails
> 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
> 1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5405]
> 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
> 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
> above 50%
> [cf: 73]
> 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> [cf: 73]
> 10 CLAMAV Clam AntiVirus detected a virus
> 1.0 SAGREY Adds 1.0 to spam from first-time senders
>
>
How come the ClamAV plugin doesn't report the virus found, in the same
way that the bayes rule specifies the specific bayes score, and the
SORBS rule specifies what IP address was listed where. It seems like
this would be an appropriate feature to add.