Posted to users@spamassassin.apache.org by Andrew Hearn <an...@aaisp.net.uk> on 2008/03/28 18:41:14 UTC
Not scoring high enough on this spam...
http://pastebin.ca/961075
I've only seen one so far but apart from the 0.0 BAYES_50 (I will learn
this message), does anyone have rules that push this kind of message
over 5.0?
thanks!
Andrew
Re: Not scoring high enough on this spam...
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Andrew Hearn wrote:
> http://pastebin.ca/961075
>
> I've only seen one so far but apart from the 0.0 BAYES_50 (I will
> learn this message), does anyone have rules that push this kind of
> message over 5.0?
>
> thanks!
>
> Andrew
>
If you learn the message, which = 3.5, wouldn't that put the score +5?
Re: Not scoring high enough on this spam...
Posted by John Hardin <jh...@impsec.org>.
On Fri, 28 Mar 2008, Andrew Hearn wrote:
> http://pastebin.ca/961075
>
> I've only seen one so far but apart from the 0.0 BAYES_50 (I will learn
> this message), does anyone have rules that push this kind of message
> over 5.0?
<span name=3D"#rwpt"></span><p><br></p><a name=3D"#twtw"></a>
I have some "stupid HTML tricks" rules for empty tag pairs; adding a few
points for empty span and anchor tags might be a good idea.
Not sure if such tests are part of any base rules; they don't appear to be
in any SARE rulesets.
describe HTML_STOOPID_01 stupid HTML: empty FONT tag
rawbody HTML_STOOPID_01 /<font[^>]{0,80}><\/font>/i
score HTML_STOOPID_01 0.5
describe HTML_STOOPID_02 stupid HTML: empty STRONG tag
rawbody HTML_STOOPID_02 /<strong><\/strong>/i
score HTML_STOOPID_02 0.5
describe HTML_STOOPID_03 stupid HTML: empty STYLE tag
rawbody HTML_STOOPID_03 /<style><\/style>/i
score HTML_STOOPID_03 0.5
describe HTML_STOOPID_04 stupid HTML: long single-word ALT
rawbody HTML_STOOPID_04 /^\s{0,80}alt\s{0,80}=\s{0,80}"[a-z0-9]{20,}"/i
describe HTML_STOOPID_05 stupid HTML: FONT churn 1
rawbody HTML_STOOPID_05 /(?:<font(?:\s[^>]{1,40}>)?){3}/i
score HTML_STOOPID_05 0.5
describe HTML_STOOPID_06 stupid HTML: FONT churn 2
rawbody HTML_STOOPID_06 /(?:<\/font>){3}/i
score HTML_STOOPID_06 0.5
describe HTML_STOOPID_07 stupid HTML: empty SPAN tag
rawbody HTML_STOOPID_07 /<span(?: name=[^.]{1,30})?><\/span>/i
score HTML_STOOPID_07 0.5
describe HTML_STOOPID_08 stupid HTML: empty A tag
rawbody HTML_STOOPID_08 /<a(?: name=[^.]{1,30})?><\/a>/i
score HTML_STOOPID_08 0.5
describe HTML_VERY_STOOPID Lots of stupid HTML
meta HTML_VERY_STOOPID (HTML_STOOPID_01 + HTML_STOOPID_02 +
HTML_STOOPID_03 + HTML_STOOPID_04 + HTML_STOOPID_05 + HTML_STOOPID_06 +
HTML_STOOPID_07 + HTML_STOOPID_08) > 1
Mind the linewrap.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Users mistake widespread adoption of Microsoft Office as the
development of a standard document format.
-----------------------------------------------------------------------
4 days until April Fools' day
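An added example, not from any poster in this thread: a small Python harness that runs the rawbody rules and the meta from John Hardin's message against the HTML line he quotes, to see which rules fire and what they add to the score. It assumes Python's re treats these patterns the same way Perl does, that rawbody matching is line by line, and that the two rules posted without a score line get SpamAssassin's default of 1.0; evaluate, RULES, SCORES and SAMPLE_QP are names made up for this example.

```python
import quopri
import re

# Rules copied from the post above; the wrapped meta is rejoined onto one line.
RULES = r'''
rawbody HTML_STOOPID_01 /<font[^>]{0,80}><\/font>/i
rawbody HTML_STOOPID_02 /<strong><\/strong>/i
rawbody HTML_STOOPID_03 /<style><\/style>/i
rawbody HTML_STOOPID_04 /^\s{0,80}alt\s{0,80}=\s{0,80}"[a-z0-9]{20,}"/i
rawbody HTML_STOOPID_05 /(?:<font(?:\s[^>]{1,40}>)?){3}/i
rawbody HTML_STOOPID_06 /(?:<\/font>){3}/i
rawbody HTML_STOOPID_07 /<span(?: name=[^.]{1,30})?><\/span>/i
rawbody HTML_STOOPID_08 /<a(?: name=[^.]{1,30})?><\/a>/i
meta HTML_VERY_STOOPID (HTML_STOOPID_01 + HTML_STOOPID_02 + HTML_STOOPID_03 + HTML_STOOPID_04 + HTML_STOOPID_05 + HTML_STOOPID_06 + HTML_STOOPID_07 + HTML_STOOPID_08) > 1
'''
# Scores as posted. 04 and the meta have no score line in the post, so the
# SpamAssassin default of 1.0 is assumed for them.
SCORES = {f"HTML_STOOPID_0{n}": 0.5 for n in (1, 2, 3, 5, 6, 7, 8)}
DEFAULT_SCORE = 1.0

# The HTML line quoted in the post, still quoted-printable encoded.
SAMPLE_QP = b'<span name=3D"#rwpt"></span><p><br></p><a name=3D"#twtw"></a>'


def evaluate(rules_text, qp_body):
    """Return (sorted rule hits, total score) for a QP-encoded HTML body."""
    # rawbody rules see the body after transfer decoding with the HTML left
    # in place; matching line by line is assumed here.
    lines = quopri.decodestring(qp_body).decode("latin-1").splitlines()
    fired, metas = {}, []
    for rule in filter(None, map(str.strip, rules_text.splitlines())):
        kind, name, expr = rule.split(None, 2)
        if kind == "rawbody":
            pattern, flags = expr[1:].rsplit("/", 1)
            rx = re.compile(pattern, re.I if "i" in flags else 0)
            fired[name] = int(any(rx.search(ln) for ln in lines))
        elif kind == "meta":
            metas.append((name, expr))
    for name, expr in metas:
        # Only the "(A + B + ...) > N" form used in the post is handled:
        # each named rule counts 1 if it hit, 0 otherwise.
        count = sum(fired[n] for n in re.findall(r"[A-Z][A-Z0-9_]+", expr))
        fired[name] = int(count > int(expr.rsplit(">", 1)[1]))
    hits = sorted(n for n, hit in fired.items() if hit)
    return hits, sum(SCORES.get(n, DEFAULT_SCORE) for n in hits)


if __name__ == "__main__":
    print(evaluate(RULES, SAMPLE_QP))
```

On the quoted line, the empty SPAN and empty A rules both hit, which also trips the meta; a lone empty span hits only HTML_STOOPID_07 and leaves the meta off.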
Re: Not scoring high enough on this spam...
Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Andrew Hearn wrote:
> http://pastebin.ca/961075
>
> I've only seen one so far but apart from the 0.0 BAYES_50 (I will
> learn this message), does anyone have rules that push this kind of
> message over 5.0?
>
> thanks!
>
> Andrew
>
>
 pts rule name                 description
---- ------------------------- --------------------------------------------------
 0.0 HTML_MESSAGE              BODY: HTML included in message
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: tldmls.com]
 2.5 URIBL_SC_SURBL            Contains an URL listed in the SC SURBL blocklist
                               [URIs: tldmls.com]
 0.1 RDNS_NONE                 Delivered to trusted network by a host with no rDNS