Posted to users@spamassassin.apache.org by Ed Kasky <ed...@esson.net> on 2008/04/03 21:47:12 UTC
Blank messages
I can't seem to catch these emails with blank bodies. I upped the
BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off the rule.
Is there another rule that I don't know about that is designed for
blank message bodies?
Thanks in advance on this one. These things have been plaguing me
for some time and no matter how many I run through sa-learn, they
never seem to score above a 5...
>Return-Path: <vi...@dkunath.de>
>X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on yoda.wrenkasky.com
>X-Spam-Level: *****
>X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>Received: from zfixtcs.estpak.ee (84-50-66-6-dsl.est.estpak.ee [84.50.66.6])
> by yoda.wrenkasky.com (8.14.2/8.14.2) with SMTP id m33ICCxk003672
> for <ed...@wrenkasky.com>; Thu, 3 Apr 2008 11:12:19 -0700
>Date: Thu, 03 Apr 2008 18:12:21 +0000
>From: "Clemans Ceparano" <vi...@dkunath.de>
>X-Mailer: The Bat! (3.0.0.10) Professional
>Reply-To: Clemans Ceparano <vi...@dkunath.de>
>X-Priority: 3 (Normal)
>Message-ID: <37...@dkunath.de>
>To: <ed...@wrenkasky.com>
>Subject: resipiscence
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----------6622964ADDB6E4"
Ed Kasky
Re: Blank messages
Posted by Michelle Konzack <li...@freenet.de>.
Hmmm, maybe you should decrease the score?
On 2008-04-03 12:47:12, Ed Kasky wrote:
> I can't seem to catch these emails with blank bodies. I upped the
> BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off the
> rule.
>
> Is there another rule that I don't know about that is designed for
> blank message bodies?
>
> Thanks in advance on this one. These things have been plaguing me
> for some time and no matter how many I run through sa-learn, they
> never seem to score above a 5...
>
> >Return-Path: <vi...@dkunath.de>
> >X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
> >yoda.wrenkasky.com
> >X-Spam-Level: *****
> >X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
^^^^^^^^^ ^^^^^^^^^^^^
Here, your E-Mail WAS in the spamfolder I am currently checking...
> > RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
<snip>
Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
Re: Blank messages
Posted by SM <sm...@resistor.net>.
At 16:12 04-04-2008, Matt Kettler wrote:
>Out of curiosity, did you spot where the error in the formatting is?
>I looked at the message and failed to spot it...
My initial reply was incorrect as it's not a MIME related problem. I
viewed the message again after your question.
There's an extra double-quote in the META line. The HTML is
malformed which is why the message appears empty in Eudora's built-in viewer.
At 16:23 04-04-2008, Ed Kasky wrote:
>Not real sure but could it have something to do with the boundary?
The boundary is correct.
Regards,
-sm
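An added example, not part of the original thread: listing what each MIME part of a raw message actually contains, so a message that a mail client shows as blank can be checked the way the scanner sees it. The sample message is constructed, and the odd-quote check is an assumed heuristic for the kind of stray double-quote described above.

```python
import email
import re
from email import policy

# Constructed sample, not the message from the thread: the text/plain part has
# content and the HTML part's META tag carries one stray double-quote.
RAW = '''\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello, this text/plain part is not blank.
--b1
Content-Type: text/html; charset=iso-8859-1

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"">
</head><body><p>Hello</p></body></html>
--b1--
'''

def inspect_parts(raw):
    """List each text part of a raw message with the amount of non-whitespace
    content it holds and, for HTML, any tag with an odd number of double-quotes."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container itself
        text = part.get_content()  # undoes transfer encoding and charset
        entry = {"type": part.get_content_type(),
                 "nonblank_chars": len("".join(text.split())),
                 "odd_quote_tags": []}
        if entry["type"] == "text/html":
            # Heuristic (an assumption of this example): a tag holding an odd
            # number of double-quotes has an unterminated attribute value.
            for tag in re.findall(r"<[A-Za-z][^>]*>", text):
                if tag.count('"') % 2:
                    entry["odd_quote_tags"].append(tag)
        report.append(entry)
    return report

if __name__ == "__main__":
    for entry in inspect_parts(RAW):
        print(entry)
```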
Re: Blank messages
Posted by mouss <mo...@netoyen.net>.
Ed Kasky wrote:
> On Fri, 4 Apr 2008, Matt Kettler wrote:
>
>> SM wrote:
>>> At 04:46 04-04-2008, Matt Kettler wrote:
>>>> However, in this case it looks purely accidental. That appears to
>>>> be a legitimate HTML document, or at least doesn't appear to be
>>>> intentionally malformed.
>>>
>>> In this case, the message wasn't formatted correctly as it's going
>>> to be rendered as a blank message (excluding attachments) by most MUAs.
>>
>> Out of curiosity, did you spot where the error in the formatting is?
>> I looked at the message and failed to spot it...
>
> Not real sure but could it have something to do with the boundary?
>
> Content-Type: multipart/alternative;
> boundary="----------6622964ADDB6E4"
> Received-SPF: none (yoda.wrenkasky.com: domain of
> visualiser@dkunath.de does not designate permitted sender hosts)
> X-Virus-Scanned: ClamAV 0.92.1/6568/Thu Apr 3 09:12:56 2008 on
> yoda.wrenkasky.com
> X-Virus-Status: Clean
> Content-Length: 3009
> Status: RO
> X-Status:
> X-Keywords:
> X-UID: 2
>
> ------------6622964ADDB6E4
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> Ahn nyeong,
> ^^^^^^^^^^ this is where the text started but for me was only visible
> if I viewed full headers in pine or viewed the raw message...
I see no problem with the boundary. Can you configure your mailers to
show text instead of HTML and try again?
For info, Thunderbird shows the message (not blank). Didn't test with
other MUAs.
Re: Blank messages
Posted by Ed Kasky <ed...@esson.net>.
On Fri, 4 Apr 2008, Matt Kettler wrote:
> SM wrote:
>> At 04:46 04-04-2008, Matt Kettler wrote:
>>> However, in this case it looks purely accidental. That appears to be a
>>> legitimate HTML document, or at least doesn't appear to be intentionally
>>> malformed.
>>
>> In this case, the message wasn't formatted correctly as it's going to be
>> rendered as a blank message (excluding attachments) by most MUAs.
>
> Out of curiosity, did you spot where the error in the formatting is? I looked
> at the message and failed to spot it...
Not real sure but could it have something to do with the boundary?
Content-Type: multipart/alternative;
boundary="----------6622964ADDB6E4"
Received-SPF: none (yoda.wrenkasky.com: domain of visualiser@dkunath.de
does not designate permitted sender hosts)
X-Virus-Scanned: ClamAV 0.92.1/6568/Thu Apr 3 09:12:56 2008 on
yoda.wrenkasky.com
X-Virus-Status: Clean
Content-Length: 3009
Status: RO
X-Status:
X-Keywords:
X-UID: 2
------------6622964ADDB6E4
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Ahn nyeong,
^^^^^^^^^^ this is where the text started but for me was only visible if I
viewed full headers in pine or viewed the raw message...
Ed
Re: Blank messages
Posted by Matt Kettler <mk...@verizon.net>.
SM wrote:
> At 04:46 04-04-2008, Matt Kettler wrote:
>> However, in this case it looks purely accidental. That appears to be
>> a legitimate HTML document, or at least doesn't appear to be
>> intentionally malformed.
>
> In this case, the message wasn't formatted correctly as it's going to
> be rendered as a blank message (excluding attachments) by most MUAs.
Out of curiosity, did you spot where the error in the formatting is? I
looked at the message and failed to spot it...
Re: Blank messages
Posted by SM <sm...@resistor.net>.
At 04:46 04-04-2008, Matt Kettler wrote:
>However, in this case it looks purely accidental. That appears to be
>a legitimate HTML document, or at least doesn't appear to be
>intentionally malformed.
In this case, the message wasn't formatted correctly as it's going to
be rendered as a blank message (excluding attachments) by most MUAs.
Regards,
-sm
Re: Blank messages
Posted by Matt Kettler <mk...@verizon.net>.
Ed Kasky wrote:
>
>>
>> Odds are the message isn't blank.. Have you got a copy of the raw
>> message before Eudora gets a hold of it?
>
> I should have looked at the raw message. Even in pine, it shows blank
> until you display the full headers:
> http://www.wrenkasky.com/spam/resipiscence.txt
>
> Quite a difference...
Yep... it's quite common for mail clients to render spam as blank when
it's not. Unless you're using Outlook of course.. spammers are generally
trying to encode their mail in ways that Outlook will display, but some
spam scanners (not SA) can't decipher. As a side effect, many older or
more strict mail clients won't render them either.
However, in this case it looks purely accidental. That appears to be a
legitimate HTML document, or at least doesn't appear to be intentionally
malformed.
Re: Blank messages
Posted by Ed Kasky <ed...@esson.net>.
At 05:21 PM Thursday, 4/3/2008, Matt Kettler wrote -=>
>Ed Kasky wrote:
>>At 01:29 PM Thursday, 4/3/2008, John Hardin wrote -=>
>>>On Thu, 3 Apr 2008, Ed Kasky wrote:
>>>
>>>>>X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>>>>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>>>
>>>How did it hit SARE_OBFU_MILLIONS with a blank body?
>>
>>I wish I had an answer for that one the same as why it didn't hit
>>BLANK_LINES_80_90...
>
>Odds are the message isn't blank.. Have you got a copy of the raw
>message before Eudora gets a hold of it?
I should have looked at the raw message. Even in pine, it shows
blank until you display the full headers:
http://www.wrenkasky.com/spam/resipiscence.txt
Quite a difference...
>"Thanks in advance on this one. These things have been plaguing me
>for some time and no matter how many I run through sa-learn, they
>never seem to score above a 5... "
>
>"X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE, "
>
>Well, clearly that one scored above a 5. And with BAYES_99 already
>in the mix, more sa-learn training won't raise the score. This
>message already matches the highest bayes classification possible.
>
>Perhaps you need to reconsider your threshold. If false negatives
>are a big problem for you, raising it above 5.0 isn't a good idea.
>When you raise the threshold, you're trading off fewer FPs, for more
>FNs. This particular message clearly exemplifies that.
Not a big problem with FN's per se, just of this type that seem to
have a blank body in Eudora and when I check them in pine without the
headers, they still appeared to be blank. I will start checking the
raw message more carefully. Thanks.
Ed
Re: Blank messages
Posted by Matt Kettler <mk...@verizon.net>.
Ed Kasky wrote:
> At 01:29 PM Thursday, 4/3/2008, John Hardin wrote -=>
>> On Thu, 3 Apr 2008, Ed Kasky wrote:
>>
>>>> X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>>>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>>
>> How did it hit SARE_OBFU_MILLIONS with a blank body?
>
> I wish I had an answer for that one the same as why it didn't hit
> BLANK_LINES_80_90...
Odds are the message isn't blank.. Have you got a copy of the raw
message before Eudora gets a hold of it?
Eudora will discard all but one of the text mime sections of a
multipart/alternative message prior to storing it in your mailbox. It
does this for space reasons. The basic reasoning is that if the MUA is
only going to ever render the text/html, there's no point in it keeping
the text/plain, so it gets truncated out.
The only way to get a hold of the complete message is to grab a copy
before Eudora touches it. The copy stored by Eudora has been mangled.
That said, in response to your original post:
"Thanks in advance on this one. These things have been plaguing me for
some time and no matter how many I run through sa-learn, they never seem
to score above a 5... "
"X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE, "
Well, clearly that one scored above a 5. And with BAYES_99 already in
the mix, more sa-learn training won't raise the score. This message
already matches the highest bayes classification possible.
Perhaps you need to reconsider your threshold. If false negatives are a
big problem for you, raising it above 5.0 isn't a good idea. When you
raise the threshold, you're trading off fewer FPs, for more FNs. This
particular message clearly exemplifies that.
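An added example, not part of the original thread: counting false positives and false negatives at two thresholds from the X-Spam-Status headers of hand-classified mail, which is the trade-off described above. The first header is the one quoted in the thread; the other headers and all the spam/ham labels are constructed, and a message is treated as tagged when its score is at or above the threshold.

```python
import re

# (hand label, X-Spam-Status value). The first value is the header quoted in
# the thread, folding included; the others are constructed for illustration.
SAMPLES = [
    ("spam", "No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,\n"
             " RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4"),
    ("spam", "Yes, score=12.1 required=6.9 tests=BAYES_99,RDNS_DYNAMIC autolearn=no version=3.2.4"),
    ("spam", "No, score=6.2 required=6.9 tests=BAYES_99,HTML_MESSAGE autolearn=no version=3.2.4"),
    ("ham", "No, score=0.4 required=6.9 tests=HTML_MESSAGE autolearn=no version=3.2.4"),
    ("ham", "No, score=5.6 required=6.9 tests=HTML_MESSAGE,RDNS_DYNAMIC autolearn=no version=3.2.4"),
    ("ham", "No, score=-1.2 required=6.9 tests=BAYES_00 autolearn=ham version=3.2.4"),
]

NUMBER = r"(-?\d+(?:\.\d+)?)"

def parse_status(value):
    """Unfold an X-Spam-Status value; return (score, required, tests)."""
    flat = " ".join(value.split())
    score = float(re.search("score=" + NUMBER, flat).group(1))
    required = float(re.search("required=" + NUMBER, flat).group(1))
    # tests= runs until the next "key=" token; folding may leave spaces in it.
    tests = re.search(r"tests=(.*?)(?:\s+\w+=|$)", flat).group(1)
    return score, required, [t.strip() for t in tests.split(",") if t.strip()]

def error_counts(samples, threshold):
    """Return (false_positives, false_negatives) for the given threshold."""
    fp = fn = 0
    for label, value in samples:
        flagged = parse_status(value)[0] >= threshold
        if flagged and label == "ham":
            fp += 1
        elif not flagged and label == "spam":
            fn += 1
    return fp, fn

if __name__ == "__main__":
    for threshold in (5.0, 6.9):
        print(threshold, error_counts(SAMPLES, threshold))
```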
Re: Blank messages
Posted by Ed Kasky <ed...@esson.net>.
At 01:29 PM Thursday, 4/3/2008, John Hardin wrote -=>
>On Thu, 3 Apr 2008, Ed Kasky wrote:
>
>>>X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>
>How did it hit SARE_OBFU_MILLIONS with a blank body?
I wish I had an answer for that one the same as why it didn't hit
BLANK_LINES_80_90...
>----------------------------------------------------------
> 10 days until Thomas Jefferson's 265th Birthday
Perfect timing with John Adams on HBO...
Ed Kasky
Re: Blank messages
Posted by John Hardin <jh...@impsec.org>.
On Thu, 3 Apr 2008, Ed Kasky wrote:
>> X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
How did it hit SARE_OBFU_MILLIONS with a blank body?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
10 days until Thomas Jefferson's 265th Birthday
Re: Blank messages
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Ed Kasky wrote:
> I can't seem to catch these emails with blank bodies. I upped the
> BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off
> the rule.
>
> Is there another rule that I don't know about that is designed for
> blank message bodies?
>
> Thanks in advance on this one. These things have been plaguing me for
> some time and no matter how many I run through sa-learn, they never
> seem to score above a 5...
>
>> Return-Path: <vi...@dkunath.de>
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>> yoda.wrenkasky.com
>> X-Spam-Level: *****
>> X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>>
>
> Ed Kasky
> ~~~~~~~~~
> Randomly Generated Quote (758 of 1229):
> Lots of times you have to pretend to join a parade in which you're
> not really interested in order to get where you're going.
> -Christopher Morley, writer (1890-1957)
>
It scored 5, but your cutoff is 6.3.