Posted to users@spamassassin.apache.org by Rob Blomquist <ro...@verizon.net> on 2004/11/20 03:40:41 UTC

How can I catch these messages?

I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.

I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

All I want to do is push the scores into the spam range. And frankly I think I 
could lower the bar, too. Are there rulesets that might help, or custom rules 
that I could write, and as a single user I don't need perfection, I just want 
something like a 95% catch ratio instead of the 60% I am currently getting.

Foobar replaces a couple of the words in the headers that I am sensitive about 
releasing to the net.

Here are the headers for brevity:

Return-Path: <St...@bevivek.com>
Received: from 43.bevivek.com ([192.168.1.3]) by mta010.foobar.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id <20...@43.bevivek.com>
          for <ro...@foobar.net>; Fri, 19 Nov 2004 01:59:35 -0600
Received: from 43.bevivek.com (66.63.188.43) by sc009pub.foobar.net (MailPass 
SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
<1-995-125-995-132708-13-1100851174> for mta010.foobar.net; Fri, 19 Nov 2004 
01:59:36 -0600
From: Hair Care Specialist<St...@bevivek.com>
To: rob.foobar@foobar.net
Subject: Medical Hair Restoration - A Permanent Solution
Date: 19 Nov 2004 02:52:49 -0500
Message-Id: <25235620@qame.kjY-mkxGxhki/peno>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="09845039450394qame.kjY-mkxGxhki/penoirmar"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_NATURAL,BAYES_99,
	HTML_IMAGE_RATIO_04,HTML_MESSAGE autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--09845039450394qame.kjY-mkxGxhki/penoirmar
Content-Type: text/plain;
	charset = "ISO-8859-1"
Content-Transfer-Encoding: 8bit

Next:

Return-Path: <Su...@havagreatday.com>
Received: from lamx25.havagreayday.com ([192.168.1.2])
          by mta005.foobar.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id 
<20...@lamx25.havagreayday.com>
          for <ro...@foobar.net>; Fri, 19 Nov 2004 00:27:28 -0600
Received: from lamx25.havagreayday.com (66.63.182.25) by sc011pub.foobar.net 
(MailPass SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
<3-32004-215-32004-58673-27-1100845648> for mta005.foobar.net; Fri, 19 Nov 
2004 00:27:29 -0600
From: Natural Beauty<Su...@havagreatday.com>
To: rob.foobar@foobar.net
Subject: Welcome Gifts from Yves Rocher 
Date: 19 Nov 2004 01:24:22 -0500
Message-Id: <12134585@qame.kjY-mkxGxhki/peno>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="09845039450394qame.kjY-mkxGxhki/penoirmar"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_99,HTML_50_60,
	HTML_MESSAGE,HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,HTML_WEB_BUGS,
	SARE_HTML_P_JUSTIFY autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--09845039450394qame.kjY-mkxGxhki/penoirmar
Content-Type: text/plain;
	charset = "ISO-8859-1"
Content-Transfer-Encoding: 8bit

next:

Return-Path: <br...@leira.no>
Received: from xxx.lt ([192.168.1.4]) by mta019.foobar.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id <20...@xxx.lt>;
          Thu, 18 Nov 2004 17:27:42 -0600
Received: from xxx.lt (211.230.54.86) by sc010pub.foobar.net (MailPass SMTP 
server v1.1.1 - 121803235448JY) with  SMTP id 
<2-9271-77-9271-60461-1-1100820446> for mta019.foobar.net; Thu, 18 Nov 2004 
17:27:43 -0600
Received: from 197.126.123.141 by smtp.leira.no;
	Thu, 18 Nov 2004 23:29:34 +0000
Message-ID: <d7...@xxx.lt>
From: "Brooke Corbett" <br...@leira.no>
To: rond1@foobar.net,
 rodra@foobar.net,
 rob.foobar@foobar.net
Subject: Order Rolex or other Swiss watches online
Date: Thu, 18 Nov 2004 19:29:03 -0400
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: ****
X-Spam-Status: No, score=4.5 required=5.0 tests=BAYES_99,MSGID_DOLLARS 
	autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

next:

Return-Path: <Ro...@havagreatday.com>
Received: from lamx26.havagreatday.com ([192.168.1.3])
          by mta013.foobar.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id 
<20...@lamx26.havagreatday.com>
          for <ro...@foobar.net>; Thu, 18 Nov 2004 10:58:11 -0600
Received: from lamx26.havagreatday.com (66.63.182.26) by sc009pub.foobar.net 
(MailPass SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
<1-995-202-995-129387-4-1100797090> for mta013.foobar.net; Thu, 18 Nov 2004 
10:58:11 -0600
From: Flourish<Ro...@havagreatday.com>
To: rob.foobar@foobar.net
Subject: Control Blood Sugar Naturally
Date: 18 Nov 2004 11:57:49 -0500
Message-Id: <115114179@qame.kjY-mkxGxhki/peno>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="09845039450394qame.kjY-mkxGxhki/penoirmar"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
	NO_REAL_NAME autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--09845039450394qame.kjY-mkxGxhki/penoirmar
Content-Type: text/plain;
	charset = "ISO-8859-1"
Content-Transfer-Encoding: 8bit

-- 
Mountlake Terrace, WA
USA

Re: How can I catch these messages?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Rob,

Friday, November 19, 2004, 6:40:41 PM, you wrote:

RB> I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1
RB> SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD
RB> SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

Are you running SARE_HTML1 and SARE_HTML2 without SARE_HTML0?
SARE_HTML0 is the more powerful rules file in that family, of which
SARE_HTML1 is the less effective smaller brother.

RB> All I want to do is push the scores into the spam range. And frankly I think I
RB> could lower the bar, too. Are there rulesets that might help, or custom rules
RB> that I could write, and as a single user I don't need perfection, I just want
RB> something like a 95% catch ratio instead of the 60% I am currently getting.

Check into the SARE_HEADER family also, and SARE_SPECIFIC. But even
without these, 60% seems awfully low.

RB> X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_NATURAL,BAYES_99,
RB> 	HTML_IMAGE_RATIO_04,HTML_MESSAGE autolearn=no version=3.0.1

If your Bayes database is well trained, bump up the score for
BAYES_99. I run with Bayes_99 = my required-hits threshold.

I also notice you don't have any of the SURBL or other Network tests
showing. If you can enable network testing I suspect you'll catch a
lot more of your spam.

Bob Menschel
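
Added example (not part of the original thread or of Bob's message): a Python sketch that parses the four X-Spam-Status headers from the original post, reports how far each falls short of `required`, and checks whether any network-test rule fired. The list of network rule-name prefixes is an assumption, taken from the rule names that appear in the high-scoring header elsewhere in this thread.

```python
import re
from email import message_from_string

# X-Spam-Status headers copied from the four samples in the original post,
# with their folded continuation lines preserved.
SAMPLES = [
    "X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_NATURAL,BAYES_99,\n"
    "\tHTML_IMAGE_RATIO_04,HTML_MESSAGE autolearn=no version=3.0.1\n",
    "X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_99,HTML_50_60,\n"
    "\tHTML_MESSAGE,HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,HTML_WEB_BUGS,\n"
    "\tSARE_HTML_P_JUSTIFY autolearn=no version=3.0.1\n",
    "X-Spam-Status: No, score=4.5 required=5.0 tests=BAYES_99,MSGID_DOLLARS \n"
    "\tautolearn=no version=3.0.1\n",
    "X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tNO_REAL_NAME autolearn=no version=3.0.1\n",
]

# Assumption: rule names with these prefixes only fire when network tests
# (DNSBLs, SURBL, Razor, Pyzor, DCC) are enabled.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_")

STATUS_RE = re.compile(
    r"score=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?) tests=(.*?) ?autolearn="
)


def parse_status(raw_header):
    """Parse one (possibly folded) X-Spam-Status header into its fields."""
    value = message_from_string(raw_header)["X-Spam-Status"]
    if value is None:
        raise ValueError("no X-Spam-Status header found")
    value = re.sub(r"\s+", " ", value)          # unfold continuation lines
    match = STATUS_RE.search(value)
    if match is None:
        raise ValueError("unrecognised X-Spam-Status format")
    tests = [t for t in match.group(3).replace(" ", "").split(",") if t]
    return {
        "score": float(match.group(1)),
        "required": float(match.group(2)),
        "tests": tests,
    }


def network_hits(tests):
    """Return the rule names that come from network tests."""
    return [t for t in tests if t.startswith(NETWORK_PREFIXES)]


def analyse(raw_headers):
    """Per message: shortfall below the threshold and any network-rule hits."""
    results = []
    for raw in raw_headers:
        status = parse_status(raw)
        status["shortfall"] = round(status["required"] - status["score"], 1)
        status["network_hits"] = network_hits(status["tests"])
        results.append(status)
    return results


def bayes_bump_needed(raw_headers):
    """Smallest increase to a rule every sample hit that flags all of them."""
    return max(r["shortfall"] for r in analyse(raw_headers))


if __name__ == "__main__":
    for r in analyse(SAMPLES):
        print(r["score"], r["shortfall"], r["network_hits"] or "no network tests")
    print("increase needed on BAYES_99:", bayes_bump_needed(SAMPLES))
```

Every sample hit BAYES_99 and none hit a network rule, so the largest shortfall is the increase to the BAYES_99 score that would have flagged all four.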



Re: How can I catch these messages?

Posted by Chris <cp...@earthlink.net>.
On Friday 19 November 2004 10:27 pm, Rob Blomquist wrote:
> On Friday 19 November 2004 7:32 pm, Chris wrote:
> > On Friday 19 November 2004 08:40 pm, Rob Blomquist wrote:
> > > I run Kmail with SA 3.0.1, and I filter by piping incoming mail to
> > > spamc.
> >
> > X-Spam-Level: **************************************************
> > X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,
> >
> > I have better than a 99.99% catch rate.
>
> I gotta love it. And I see that you guys are the pros at this. But with
> network testing, I find that it really slows down Kmail, as the filtering
> is done by it, piping the messages through spamc.
>
> Do you folks have any idea what sort of hit on my machine it would be
> like to filter as you guys do, with SpamCop, pyzor, razor and network
> tests?
>
Rob, I run the same setup you do, Kmail w/spamc.  My processing times vary 
anywhere from 3.5 up to as high as 15 seconds or a bit more.  I really 
don't mind the lag time if it's going up my catch rate.
And believe me, I'm definitely no pro at this :)

-- 
Chris
Registered Linux User 283774 http://counter.li.org
10:34pm up 16 days, 3:01, 1 user, load average: 0.44, 0.73, 0.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The first time Microsoft makes something that doesn't suck is when they
start making vacuum cleaners.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Re: How can I catch these messages?

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Saturday 20 November 2004 04:27, Rob Blomquist wrote:

> I gotta love it. And I see that you guys are the pros at this. But with
> network testing, I find that it really slows down Kmail, as the filtering
> is done by it, piping the messages through spamc.

Fetchmail -> [spamc] -> local /var/spool/mail
Tell kmail to then fetch from /var/spool/mail
This avoids the i/o issue in KMail, and lets you do fun things like check for 
duplicate mails etc, which KMail can't do.

> Maybe I have to do my own testing, but back last summer I was catching
> 99.9% with basic filtering and no hit to my machine or kmail.

Times change, pure rule based isn't always good enough these days.

Re: How can I catch these messages?

Posted by Bob Mortimer <Bo...@mortimer.nildram.co.uk>.
On Saturday 20 Nov 2004 04:27, Rob Blomquist wrote:

> > X-Spam-Level: **************************************************
> > X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,
> >
> > I have better than a 99.99% catch rate.
>
> I gotta love it. And I see that you guys are the pros at this. But with
> network testing, I find that it really slows down Kmail, as the filtering
> is done by it, piping the messages through spamc.
>
> Do you folks have any idea what sort of hit on my machine it would be like
> to filter as you guys do, with SpamCop, pyzor, razor and network tests?
>
> Maybe I have to do my own testing, but back last summer I was catching
> 99.9% with basic filtering and no hit to my machine or kmail.

I'm certainly no pro but run spamassassin on my home machine - I collect all 
the mail from the ISP using fetchmail, then spam and virus check it using 
amavisd to call spamassassin (which also calls Pyzor, Razor2 and DCC) and 
clamav/fprot antivirus. Works like a charm - I just run the standard 3.01 
rules and am getting about a 99.99% catch rate.


-- 
Regards,

Bob

Re: How can I catch these messages?

Posted by Rob Blomquist <ro...@verizon.net>.
On Friday 19 November 2004 7:32 pm, Chris wrote:
> On Friday 19 November 2004 08:40 pm, Rob Blomquist wrote:
> > I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.
> X-Spam-Level: **************************************************
> X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,

> I have better than a 99.99% catch rate.

I gotta love it. And I see that you guys are the pros at this. But with 
network testing, I find that it really slows down Kmail, as the filtering is 
done by it, piping the messages through spamc.

Do you folks have any idea what sort of hit on my machine it would be like to 
filter as you guys do, with SpamCop, pyzor, razor and network tests? 

Maybe I have to do my own testing, but back last summer I was catching 99.9% 
with basic filtering and no hit to my machine or kmail.

rob
-- 
Mountlake Terrace, WA
USA

Re: How can I catch these messages?

Posted by Chris <cp...@earthlink.net>.
On Friday 19 November 2004 08:40 pm, Rob Blomquist wrote:
> I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.
>
> I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1
> SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD
> SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my
> rulesets.
>
> All I want to do is push the scores into the spam range. And frankly I
> think I could lower the bar, too. Are there rulesets that might help, or
> custom rules that I could write, and as a single user I don't need
> perfection, I just want something like a 95% catch ratio instead of the
> 60% I am currently getting.
>

Rob, I'm using the SURBL's, network tests and razor, pyzor and dcc, below 
are how most all of the Rolex stuff scores:

X-Spam-Prev-Subject: Rolex Replicas
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on cpollock
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,
        DIGEST_MULTIPLE,HELO_DYNAMIC_ATTBI,HELO_DYNAMIC_IPADDR,HTML_FONT_BIG,
        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_BOUND_DD_DIGITS,
        MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,PYZOR_CHECK,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,
        RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_SMTP,RCVD_IN_XBL,SARE_HTML_A_BODY,
        SARE_HTML_COLOR_A,SARE_HTML_COLOR_NWHT,SARE_HTML_NO_HTML1,
        URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,X_MESSAGE_INFO 
        autolearn=disabled version=3.0.1

I have better than a 99.99% catch rate.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
9:25pm up 16 days, 1:52, 1 user, load average: 1.42, 0.75, 0.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can't take damsel here now.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Re: How can I catch these messages?

Posted by Tim B <mo...@optonline.net>.
Rob Blomquist wrote:
> I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.
> 
> I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
> SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
> SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.
> 
> All I want to do is push the scores into the spam range. And frankly I think I 
> could lower the bar, too. Are there rulesets that might help, or custom rules 
> that I could write, and as a single user I don't need perfection, I just want 
> something like a 95% catch ratio instead of the 60% I am currently getting.
> 
> Foobar replaces a couple of the words in the headers that I am sensitive about 
> releasing to the net.
> 
> Here are the headers for brevity:

Rob,

What you might want to do is use fetchmail & MTA's content filter to 
pull down your mail so it processes it before it's delivered to a local 
mbox or maildir which you have your kmail check for inbound mail.

Using kmail to realtime check is IMHO slow, especially since network checks 
these days are becoming more and more important.  You can use SA RBL, 
URIBL, Razor, DCC, Pyzor checks and not wait for the mail to be opened 
by Kmail.

Tim


Re: How can I catch these messages?

Posted by Jeff Chan <je...@surbl.org>.
On Friday, November 19, 2004, 6:40:41 PM, Rob Blomquist wrote:
> I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.

> I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
> SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
> SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

> All I want to do is push the scores into the spam range. And frankly I think I 
> could lower the bar, too. Are there rulesets that might help, or custom rules 
> that I could write, and as a single user I don't need perfection, I just want 
> something like a 95% catch ratio instead of the 60% I am currently getting.

> Foobar replaces a couple of the words in the headers that I am sensitive about 
> releasing to the net.

> Here are the headers for brevity:


Do any of these have URIs (web links) in their message bodies?
Are you using SURBLs?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: How can I catch these messages?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 19 Nov 2004, Rob Blomquist wrote:

> I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.
>
> I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1
> SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD
> SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.
>
> All I want to do is push the scores into the spam range. And frankly I think I
> could lower the bar, too. Are there rulesets that might help, or custom rules
> that I could write, and as a single user I don't need perfection, I just want
> something like a 95% catch ratio instead of the 60% I am currently getting.

Any reason why you aren't using net-tests? Every one of your examples
hit three or more DNSBL lists.

Here's the output from a little DNSBL checker script I have for the
sender IP from one of your example spams:

 % rss_check 211.230.54.86
 host 211.230.54.86 resolves to 127.1.0.2 from RBL-Plus
 host 211.230.54.86 resolves to 127.0.0.2 from list.dsbl.org
 host 211.230.54.86 resolves to 127.0.0.2 from unconfirmed.dsbl.org
 host 211.230.54.86 resolves to 127.0.0.2 from bl.spamcop.net
 host 211.230.54.86 resolves to 127.0.0.4 from xbl.spamhaus.org
 host 211.230.54.86 resolves to 127.0.0.3 from dynablock.njabl.org
 host 211.230.54.86 resolves to 127.0.0.10 from dnsbl.sorbs.net
 host 211.230.54.86 resolves to 127.0.0.2 from cbl.abuseat.org

I don't use all of those DNSBLs in my live spamassassin filtering,
but I do use several, so those scores alone would have been enough
to have caused that spam to hit my reject threshold.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
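
Added example (not Dave Funk's rss_check script, which is not shown in the thread): a Python sketch of the lookup such a checker performs, reversing the IPv4 octets, appending each DNSBL zone and treating an answer inside 127.0.0.0/8 as a listing. The resolver is injectable so the example runs offline; the stub answers are constructed from the output quoted in the message above, and the last two zones are hypothetical names added to show the non-listed cases.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name):
    """Resolve through the system resolver; None means no A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones, resolve=system_resolver):
    """Return {zone: answer} for every zone that lists the address."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue                            # NXDOMAIN: not listed
        # Only answers in 127.0.0.0/8 are listings; any other address (for
        # example from a resolver that rewrites NXDOMAIN) is ignored.
        if ipaddress.IPv4Address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits


# Constructed stub data: zone names and return codes taken from the output
# quoted in the message above, for the sender IP 211.230.54.86.
STUB_ANSWERS = {
    "86.54.230.211.list.dsbl.org": "127.0.0.2",
    "86.54.230.211.bl.spamcop.net": "127.0.0.2",
    "86.54.230.211.xbl.spamhaus.org": "127.0.0.4",
    "86.54.230.211.dynablock.njabl.org": "127.0.0.3",
    "86.54.230.211.dnsbl.sorbs.net": "127.0.0.10",
    "86.54.230.211.cbl.abuseat.org": "127.0.0.2",
    # Hypothetical zone whose lookups are rewritten to a non-127 address.
    "86.54.230.211.rewritten.example": "192.0.2.1",
}

ZONES = [
    "list.dsbl.org", "bl.spamcop.net", "xbl.spamhaus.org",
    "dynablock.njabl.org", "dnsbl.sorbs.net", "cbl.abuseat.org",
    "rewritten.example",      # hypothetical, answers outside 127.0.0.0/8
    "notlisted.example",      # hypothetical, no answer at all
]


def stub_resolver(name):
    """Offline resolver backed by STUB_ANSWERS."""
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for zone, answer in check_dnsbls("211.230.54.86", ZONES, stub_resolver).items():
        print(f"host 211.230.54.86 resolves to {answer} from {zone}")
```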