Posted to users@spamassassin.apache.org by su...@icconsulting.com.au on 2005/04/30 09:17:42 UTC

Bayes header results

Hi,

As you can see, the spam below only got 2.6/5, and got to my inbox.

I have a few SURBL-type rules, SpamAssassin 2.63, and a few SARE rules.

My spam catching rates are generally excellent.

Rerunning SpamAssassin later gives 4.9/5, with the Bayes popping its head
up. Bayes gives 0, which corresponds with the 2.6/5 score, with the
X-ICConsulting-MailScanner in the headers; once removed, Bayes jumps to
2.3.

Received: from ns.superreply.com (ns.superreply.com [216.10.1.200])
                 by mail2.icconsulting.com.au (8.11.6/8.11.6) with ESMTP 
id j3TNYff26456
                 for <we...@icconsulting.com.au>; Sat, 30 Apr 2005 
09:34:42 +1000
Received: from jkpog by ns.superreply.com with local (Exim 4.50)
                 id 1DRf03-0004dg-4W
                 for webmaster@icconsulting.com.au; Fri, 29 Apr 2005 
19:34:23 -0400
To: webmaster@icconsulting.com.au
Subject: Hi Friend - are you in the office this week?
From: Sophia Vu <vu...@superreply.net>
Reply-To: vush7@yahoo.com
X-Sender: Acct No 57
X-Sendera: 1530566
Message-Id: <E1...@ns.superreply.com>
Date: Fri, 29 Apr 2005 19:34:23 -0400
X-AntiAbuse: Sender Address Domain - ns.superreply.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-ICConsulting-MailScanner-Information: Please contact the ISP for more 
information
X-ICConsulting-MailScanner: Found to be clean
X-ICConsulting-MailScanner-SpamCheck: not spam, Spam Detector (score=2.6,
                 required 5, AOL_USERS_LINK 2.30, BAYES_50 0.00, 
CLICK_BELOW 0.10,
                 HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10)
X-ICConsulting-MailScanner-SpamScore: ss
X-MailScanner-From: jkpog@ns.superreply.com
X-MIMETrack: Itemize by SMTP Server on ICConsulting1/ICConsulting(Release 
6.5.4|March 27, 2005) at
 04/30/2005 09:34:49 AM,
                 Serialize by Notes Client on Scott 
Farrell/ICConsulting(Release 6.5.3|September
 14, 2004) at 30/04/2005 05:01:39 PM,
                 Serialize complete at 30/04/2005 05:01:39 PM
Content-Type: text/plain; charset=us-ascii


Hi Friend,
 
Are you in the office this week?

I need to speak with you right away about Xango.

Or if we miss one another, get on over to my request page 
http://www.superbusinessmodel.com


I'll catch up with you later, 

Sophia Vu
Success Coach
http://www.superbusinessmodel.com


PS.  Listen to the Magic Wand online!
http://www.superbusinessmodel.com




Please use this link to remove yourself.

http://www.superreply.net/ar/r.php?un=1530566

<a href="http://www.superreply.net/ar/r.php?un=1530566">AOL Users Click 
Here</a>







spamassassin -D -t < message




debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/bin/X11', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/opt/IBMJava2-13/bin', keeping.
debug: PATH included '/opt/IBM/director/bin', keeping.
debug: PATH included '/usr/local/ino/bin', keeping.
debug: PATH included '/usr/local/ino/scripts', keeping.
debug: PATH included '/usr/local/ino/ino/bin', keeping.
debug: PATH included '/usr/local/ino/ino/config', keeping.
debug: PATH included '/usr/local/ino/ino/scripts', keeping.
debug: PATH included '/root/bin', which doesn't exist, dropping.
debug: Final PATH set to: 
/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/opt/IBMJava2-13/bin:/opt/IBM/director/bin:/usr/local/ino/bin:/usr/local/ino/scripts:/usr/local/ino/ino/bin:/usr/local/ino/ino/config:/usr/local/ino/ino/scripts
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 30985 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 30985 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=216.10.1.200 rdns=ns.superreply.com 
helo=ns.superreply.com by=mail2.icconsulting.com.au ident= ]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) nytimes.com...
debug: looking up MX for 'nytimes.com'
debug: MX for 'nytimes.com' exists? 1
debug: MX lookup of nytimes.com succeeded => Dns available (set 
dns_available to hardcode)
debug: is DNS available? 1
debug: received-header: relay 216.10.1.200 trusted? no
debug: all '*From' addrs: vus5@superreply.net
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: bayes corpus size: nspam = 307300, nham = 231411
debug: uri tests: Done uriRE
debug: tokenize: header tokens for To = "U*webmaster D*icconsulting.com.au 
D*com.au D*au"
debug: tokenize: header tokens for *F = "U*vus5 D*superreply.net D*net"
debug: tokenize: header tokens for *R = "U*vush7 D*yahoo.com D*com"
debug: tokenize: header tokens for X-Sendera = "1530566"
debug: tokenize: header tokens for *m = " E1DRf03 0004dg 4W ns superreply 
com "
debug: tokenize: header tokens for X-AntiAbuse = "Sender Address Domain - 
ns.superreply.com"
debug: tokenize: header tokens for X-Source = ""
debug: tokenize: header tokens for X-Source-Args = ""
debug: tokenize: header tokens for X-Source-Dir = ""
debug: tokenize: header tokens for X-MailScanner-From = 
"jkpog@ns.superreply.com"
debug: tokenize: header tokens for *c = "/plain; charset=us-ascii"
debug: tokenize: header tokens for *r = "  jkpog by ns.superreply.com 
local (Exim 4.50) id 1DRf03-0004dg-4W   webmaster@icconsulting.com.au; "
debug: tokenize: header tokens for *r = "  jkpog by ns.superreply.com 
local (Exim 4.50) id 1DRf03-0004dg-4W   webmaster@icconsulting.com.au; 
ns.superreply.com (ns.superreply.com [216.10.1]) by 
mail2.icconsulting.com.au (8.11.6/8.11.6) <we...@icconsulting.com.au>; 
"
debug: bayes token 'r.php' => 0.999872057601772
debug: bayes token 'HTo:U*webmaster' => 0.99969014084507
debug: bayes token 'H*r:sk:webmast' => 0.999560418648906
debug: bayes token 'sk:www.sup' => 0.996181818181818
debug: bayes token 'online!' => 0.995425742574258
debug: bayes token 'H*R:D*yahoo.com' => 0.994812010968083
debug: bayes token 'UD:php' => 0.973832073758008
debug: bayes token 'H*r:local' => 0.0390171304573158
debug: bayes token 'sophia' => 0.0489090909090909
debug: bayes token 'H*r:4.50' => 0.0659816197223845
debug: bayes token 'H*F:D*net' => 0.913563104005293
debug: bayes token 'i'll' => 0.101479625074519
debug: bayes token 'catch' => 0.108480913335388
debug: bayes token 'Success' => 0.887028321856668
debug: bayes token 'H*r:Exim' => 0.130337332157571
debug: bayes token 'Users' => 0.131379236178144
debug: bayes token 'Friend' => 0.867198303159004
debug: bayes token 'URI' => 0.85513619642376
debug: bayes token 'H*R:D*com' => 0.851672011547918
debug: bayes: score = 0.76862968060716
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 30985 untie-ing
debug: bayes: 30985 untie-ing db_toks
debug: bayes: 30985 untie-ing db_seen
debug: Razor2 is available
debug: entering helper-app run mode
 Razor-Log: Computed razorhome from env: /root/.razor
 Razor-Log: Found razorhome: /root/.razor
 Razor-Log: read_file: 15 items read from /root/.razor/razor-agent.conf
Apr 30 17:10:19.488029 check[30985]: [ 1] [bootup] Logging initiated 
LogDebugLevel=9 to stdout
Apr 30 17:10:19.488357 check[30985]: [ 5] computed razorhome=/root/.razor, 
conf=/root/.razor/razor-agent.conf, ident=/root/.razor/identity
Apr 30 17:10:19.488510 check[30985]: [ 8] Client supported_engines: 1 2 3 
4
Apr 30 17:10:19.488948 check[30985]: [ 8]  prep_mail done: mail 1 
headers=837, mime0=611
Apr 30 17:10:19.489624 check[30985]: [ 5] read_file: 1 items read from 
/root/.razor/servers.discovery.lst
Apr 30 17:10:19.489852 check[30985]: [ 5] read_file: 2 items read from 
/root/.razor/servers.nomination.lst
Apr 30 17:10:19.490024 check[30985]: [ 5] read_file: 1 items read from 
/root/.razor/servers.catalogue.lst
Apr 30 17:10:19.490278 check[30985]: [ 9] Assigning defaults to 
folly.cloudmark.com
Apr 30 17:10:19.490395 check[30985]: [ 9] Assigning defaults to 
joy.cloudmark.com
Apr 30 17:10:19.490515 check[30985]: [ 9] Assigning defaults to 
shock.cloudmark.com
Apr 30 17:10:19.491085 check[30985]: [ 5] read_file: 13 items read from 
/root/.razor/server.joy.cloudmark.com.conf
Apr 30 17:10:19.491573 check[30985]: [ 5] read_file: 16 items read from 
/root/.razor/server.tension.cloudmark.com.conf
Apr 30 17:10:19.492060 check[30985]: [ 5] read_file: 17 items read from 
/root/.razor/server.pride.cloudmark.com.conf
Apr 30 17:10:19.492526 check[30985]: [ 5] read_file: 16 items read from 
/root/.razor/server.stress.cloudmark.com.conf
Apr 30 17:10:19.492991 check[30985]: [ 5] read_file: 16 items read from 
/root/.razor/server.shock.cloudmark.com.conf
Apr 30 17:10:19.493458 check[30985]: [ 5] read_file: 16 items read from 
/root/.razor/server.truth.cloudmark.com.conf
Apr 30 17:10:19.493954 check[30985]: [ 5] read_file: 17 items read from 
/root/.razor/server.thrill.cloudmark.com.conf
Apr 30 17:10:19.494445 check[30985]: [ 5] read_file: 17 items read from 
/root/.razor/server.wonder.cloudmark.com.conf
Apr 30 17:10:19.494817 check[30985]: [ 5] read_file: 11 items read from 
/root/.razor/server.panic.cloudmark.com.conf
Apr 30 17:10:19.495033 check[30985]: [ 5] 53710 seconds before closest 
server discovery
Apr 30 17:10:19.495197 check[30985]: [ 6] shock.cloudmark.com is a 
Catalogue Server srl 5078; computed min_cf=6, Server se: C8
Apr 30 17:10:19.495342 check[30985]: [ 8] Computed supported_engines: 4
Apr 30 17:10:19.495443 check[30985]: [ 8] Using next closest server 
shock.cloudmark.com:2703, cached info srl 5078
Apr 30 17:10:19.495532 check[30985]: [ 8] mail 1 Subject: Hi Friend - are 
you in the office this week?
Apr 30 17:10:19.496511 check[30985]: [ 6] preproc: mail 1.0 went from 611 
bytes to 469 
Apr 30 17:10:19.496614 check[30985]: [ 6] computing sigs for mail 1.0, len 
469
Apr 30 17:10:19.497943 check[30985]: [ 6] skipping whitelist file 
(empty?): /root/.razor/razor-whitelist
Apr 30 17:10:19.498056 check[30985]: [ 5] Connecting to 
shock.cloudmark.com ...
Apr 30 17:10:19.820237 check[30985]: [ 8] Connection established
Apr 30 17:10:19.820371 check[30985]: [ 4] shock.cloudmark.com >> 36 server 
greeting: sn=C&srl=5078&a=l&a=cg&ep4=7542-10
Apr 30 17:10:19.820675 check[30985]: [ 6] shock.cloudmark.com is a 
Catalogue Server srl 5078; computed min_cf=6, Server se: C8
Apr 30 17:10:19.820823 check[30985]: [ 8] Computed supported_engines: 4
Apr 30 17:10:19.820929 check[30985]: [ 8] mail 1.0 e4 sig: 
obFMHLPqHWLOiY2KijpQrI9fHWgA
Apr 30 17:10:19.821045 check[30985]: [ 8] preparing 1 queries
Apr 30 17:10:19.821189 check[30985]: [ 8] sending 1 batches
Apr 30 17:10:19.821342 check[30985]: [ 4] shock.cloudmark.com << 52
Apr 30 17:10:19.821396 check[30985]: [ 6] 
a=c&e=4&ep4=7542-10&s=obFMHLPqHWLOiY2KijpQrI9fHWgA
Apr 30 17:10:20.126050 check[30985]: [ 4] shock.cloudmark.com >> 5
Apr 30 17:10:20.126120 check[30985]: [ 6] response to sent.1
p=0
Apr 30 17:10:20.126400 check[30985]: [ 6] mail 1.0 e=4 
sig=obFMHLPqHWLOiY2KijpQrI9fHWgA: sig not found.
Apr 30 17:10:20.126496 check[30985]: [ 7] method 4: mdebug: Using results 
from Razor v2.22
debug: Found Razor2 part: part=0 engine=4 ct=0 cf=0
debug: leaving helper-app run mode
ail 1.0: no-contention part, spam=0
Apr 30 17:10:20.126578 check[30985]: [ 7] method 4: mail 1: all 
non-contention parts not spam, mail not spam
Apr 30 17:10:20.126625 check[30985]: [ 3] mail 1 is not known spam.
Apr 30 17:10:20.126689 check[30985]: [ 5] disconnecting from server 
shock.cloudmark.com
Apr 30 17:10:20.126805 check[30985]: [ 4] shock.cloudmark.com << 5
Apr 30 17:10:20.126848 check[30985]: [ 6] a=q
debug: Razor2 results: spam? 0  highest cf score: 0
debug: running raw-body-text per-line regexp tests; score so far=2.499
debug: running uri tests; score so far=2.499
debug: uri tests: Done uriRE
debug: checking url: http://www.superreply.net/ar/r.php?un=1530566
debug: querying for superreply.net.sc.surbl.org

debug: Query failed for superreply.net.sc.surbl.org
debug: checking url: http://www.superbusinessmodel.com
debug: querying for superbusinessmodel.com.sc.surbl.org

debug: Query failed for superbusinessmodel.com.sc.surbl.org
debug: checking url: http://www.superreply.net/ar/r.php?un=1530566
debug: querying for superreply.net.ws.surbl.org

debug: Query failed for superreply.net.ws.surbl.org
debug: checking url: http://www.superbusinessmodel.com
debug: querying for superbusinessmodel.com.ws.surbl.org

debug: Query failed for superbusinessmodel.com.ws.surbl.org
debug: checking url: http://www.superreply.net/ar/r.php?un=1530566
debug: querying for superreply.net.ab.surbl.org

debug: Query failed for superreply.net.ab.surbl.org
debug: checking url: http://www.superbusinessmodel.com
debug: querying for superbusinessmodel.com.ab.surbl.org

debug: Query failed for superbusinessmodel.com.ab.surbl.org
debug: checking url: http://www.superreply.net/ar/r.php?un=1530566
debug: querying for superreply.net.ob.surbl.org

debug: Query failed for superreply.net.ob.surbl.org
debug: checking url: http://www.superbusinessmodel.com
debug: querying for superbusinessmodel.com.ob.surbl.org

debug: Query failed for superbusinessmodel.com.ob.surbl.org
debug: running full-text regexp tests; score so far=2.499
debug: Razor2 is available
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: 
/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/opt/IBMJava2-13/bin:/opt/IBM/director/bin:/usr/local/ino/bin:/usr/local/ino/scripts:/usr/local/ino/ino/bin:/usr/local/ino/ino/config:/usr/local/ino/ino/scripts
debug: executable for dccproc was found at /usr/local/bin/dccproc
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-MessageCare-Metrics: 
mail2.icconsulting.com.au 1108; Body=5 Fuz1=7 Fuz2=7
debug: leaving helper-app run mode
debug: Pyzor is not available: pyzor not found
debug: all '*To' addrs: webmaster@icconsulting.com.au
debug: forged-HELO: from=superreply.com helo=superreply.com 
by=icconsulting.com.au
debug: DNS MX records found: 4
debug: RBL: success for 38 of 38 queries
debug: running meta tests; score so far=2.499
debug: auto-learn? ham=0.1, spam=12, body-hits=2.499, head-hits=0
debug: auto-learn: currently using scoreset 3.  recomputing score based on 
scoreset 1.
debug: Score set 1 chosen.
debug: auto-learn: original score: 2.599, recomputed score: 1.598
debug: Score set 3 chosen.
debug: auto-learn? no: inside auto-learn thresholds
debug: is spam? score=4.854 required=5 
tests=AOL_USERS_LINK,BAYES_70,CLICK_BELOW,HTML_LINK_CLICK_HERE,HTML_MESSAGE
Received: from ns.superreply.com (ns.superreply.com [216.10.1.200])
                                  by mail2.icconsulting.com.au 
(8.11.6/8.11.6) with ESMTP id j3TNYff26456
                                  for <we...@icconsulting.com.au>; 
Sat, 30 Apr 2005 09:34:42 +1000
Received: from jkpog by ns.superreply.com with local (Exim 4.50)
                                  id 1DRf03-0004dg-4W
                                  for webmaster@icconsulting.com.au; Fri, 
29 Apr 2005 19:34:23 -0400
To: webmaster@icconsulting.com.au
Subject: Hi Friend - are you in the office this week?
From: Sophia Vu <vu...@superreply.net>
Reply-To: vush7@yahoo.com
X-Sender: Acct No 57
X-Sendera: 1530566
Message-Id: <E1...@ns.superreply.com>
Date: Fri, 29 Apr 2005 19:34:23 -0400
X-AntiAbuse: Sender Address Domain - ns.superreply.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-MailScanner-From: jkpog@ns.superreply.com
Content-Type: text/plain; charset=us-ascii
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
                 mail2.icconsulting.com.au
X-Spam-Status: No, hits=4.9 required=5.0 tests=AOL_USERS_LINK,BAYES_70,
                 CLICK_BELOW,HTML_LINK_CLICK_HERE,HTML_MESSAGE 
autolearn=no 
                 version=2.63
X-Spam-Level: ****


Hi Friend,
 
Are you in the office this week?

I need to speak with you right away about Xango.

Or if we miss one another, get on over to my request page 
http://www.superbusinessmodel.com


I'll catch up with you later, 

Sophia Vu
Success Coach
http://www.superbusinessmodel.com


PS.  Listen to the Magic Wand online!
http://www.superbusinessmodel.com




Please use this link to remove yourself.

http://www.superreply.net/ar/r.php?un=1530566

<a href="http://www.superreply.net/ar/r.php?un=1530566">AOL Users Click 
Here</a>


Spam detection software, running on the system 
"mail2.icconsulting.com.au", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
servercare@icconsulting.com.au for details.

Content preview:  Hi Friend, Are you in the office this week? I need to
  speak with you right away about Xango. [...] 

Content analysis details:   (4.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- 
--------------------------------------------------
 2.3 AOL_USERS_LINK         BODY: Includes a link for AOL users to click
 0.1 HTML_MESSAGE           BODY: HTML included in message
 2.3 BAYES_70               BODY: Bayesian spam probability is 70 to 80%
                            [score: 0.7686]
 0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
 0.1 CLICK_BELOW            Asks you to click below
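
Added example (not part of the original post, and not SpamAssassin's own code): the Python below parses the "debug: bayes token" lines from the output above, recombines them with Fisher/Robinson chi-square combining, and repeats the calculation without the header-derived tokens to show how far they move the score. That SpamAssassin 2.63 combines tokens this way is an assumption, as is the is_header_token heuristic; the token values are copied from the post.

```python
import math
import re
# Token lines copied verbatim from the debug output in the post above.
DEBUG_LOG = """\
debug: bayes token 'r.php' => 0.999872057601772
debug: bayes token 'HTo:U*webmaster' => 0.99969014084507
debug: bayes token 'H*r:sk:webmast' => 0.999560418648906
debug: bayes token 'sk:www.sup' => 0.996181818181818
debug: bayes token 'online!' => 0.995425742574258
debug: bayes token 'H*R:D*yahoo.com' => 0.994812010968083
debug: bayes token 'UD:php' => 0.973832073758008
debug: bayes token 'H*r:local' => 0.0390171304573158
debug: bayes token 'sophia' => 0.0489090909090909
debug: bayes token 'H*r:4.50' => 0.0659816197223845
debug: bayes token 'H*F:D*net' => 0.913563104005293
debug: bayes token 'i'll' => 0.101479625074519
debug: bayes token 'catch' => 0.108480913335388
debug: bayes token 'Success' => 0.887028321856668
debug: bayes token 'H*r:Exim' => 0.130337332157571
debug: bayes token 'Users' => 0.131379236178144
debug: bayes token 'Friend' => 0.867198303159004
debug: bayes token 'URI' => 0.85513619642376
debug: bayes token 'H*R:D*com' => 0.851672011547918
debug: bayes: score = 0.76862968060716
"""

TOKEN_RE = re.compile(r"^debug: bayes token '(.+)' => ([0-9.]+)$", re.M)

def chi2q(x, dof):
    # Upper-tail chi-square probability; closed form valid for even dof.
    m = x / 2.0
    term = total = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)

def combine(probs):
    # Fisher/Robinson combining (assumed): spam and ham evidence tested separately.
    s = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in probs), 2 * len(probs))
    h = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in probs), 2 * len(probs))
    return (s - h + 1.0) / 2.0

def is_header_token(tok):
    # Heuristic (assumption): header tokens in this log look like "H*r:" or "HTo:".
    return re.match(r"H(\*\w+|[A-Z][A-Za-z-]*):", tok) is not None

def report(log):
    toks = [(t, float(p)) for t, p in TOKEN_RE.findall(log)]
    return {"logged": float(re.search(r"bayes: score = ([0-9.]+)", log).group(1)),
            "all": combine([p for _, p in toks]),
            "body_only": combine([p for t, p in toks if not is_header_token(t)]),
            "header_tokens": [t for t, _ in toks if is_header_token(t)]}

print(report(DEBUG_LOG))
```

Feeding report() the debug output of both the delivery-time scan and a later rerun gives two header-token lists that can be compared directly.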


Re: Bayes header results

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, April 30, 2005, 12:17:42 AM, sub sub wrote:
> Hi,

> As you can see the below spam only got 2.6/5, and got to my inbox.

> I have a few SURBL-type rules, SpamAssassin 2.63, and a few SARE rules.

1.  Please upgrade to SpamAssassin 2.64 at least.  2.63 has some
vulnerabilities.

2.  Please upgrade to the latest SpamCopURI (or use SA 3).  The
current SpamCopURI uses multi.surbl.org, which combines all the
lists into a single lookup.  It also adds a default rule for the
jp.surbl.org list, which is quite good.

Neither URI domain advertised in the spam is in SURBLs, but we're
looking into that.

  http://www.superbusinessmodel .com

  http://www.superreply .net/ar/r.php?un=1530566

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/