Posted to users@spamassassin.apache.org by Chris Purves <ch...@northfolk.ca> on 2006/03/08 11:37:47 UTC

CheapTickets newsletter triggering SARE_BAYES plus others

The attached newsletter is triggering the following rules:

X-Spam-Report:
	*  0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
	*  0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
	*  0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
	*  1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
	*  0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
	*  1.7 SARE_HTML_USL_FONT RAW: Another spam attempt

I looked through the source and didn't see any obvious attempts at 
obfuscation or trying to fool the Bayes filter.  Are these rules 
triggering properly?

I don't know what SARE_HTML_USL_FONT means either.

-- 
Good day, eh.
Chris

Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Chris,

Wednesday, March 8, 2006, 2:37:47 AM, you wrote:

CP> The attached newsletter is triggering the following rules:

CP> X-Spam-Report:
CP> 	*  0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
CP> 	*  0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
CP> 	*  0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
CP> 	*  1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
CP> 	*  0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
CP> 	*  1.7 SARE_HTML_USL_FONT RAW: Another spam attempt

CP> I looked through the source and didn't see any obvious attempts at
CP> obfuscation or trying to fool the Bayes filter.  Are these rules 
CP> triggering properly?

CP> I don't know what SARE_HTML_USL_FONT means either.

Not necessarily obvious attempts at obfuscation -- really horrible
HTML often looks that way.

SARE_HTML_USL_xxx are USLess HTML tags. In this case there's a FONT
tag with nothing in it, something like (using parens to make sure no
mail reader tries to interpret this as HTML):
>     (FONT size=4)(/FONT)

The Bayes poison rules are looking for rather stiff patterns of word
length which are normally seen only in spam. SARE_BAYES_7x7 hit on
> 2006Mar 2006Apr 2006May 2006Jun 2006Jul 2006Aug 2006Sep

Here, the message hit:
X-Spam-Status: Yes, score=8.6 required=5.0 tests=FB_SINGLE_0WORD,
        FU_DOM_END_NUM,FU_LONG_QUERY,HTML_BACKHAIR_8,HTML_MESSAGE,
        HTML_OBFUSCATE_05_10,HTML_TAG_EXIST_TBODY,SARE_BAYES_5x7,
        SARE_BAYES_6x7,SARE_BAYES_7x7,SARE_HTML_URI_SPACER,SARE_HTML_USL_FONT,
        SARE_MSGID_RATWARE1,SARE_OEM_S_PRICE,SARE_UNSUB18,UNPARSEABLE_RELAY
        autolearn=no version=3.1.0

Bob Menschel




Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by David Landgren <da...@landgren.net>.
Chris Purves wrote:
> Loren Wilton wrote:
> 
>> The other rule is looking for a really standard spammer trick:
>> <FONT></FONT>.
> 
> Interesting.  How is this helpful to spammers?

Indeed. This used to crop up regularly in MS-Frontpage circa 1998 when 
people added and then removed markup. Dunno if that is still the case. I 
suspect many HTML editing tools will leave cruft like this lying around.

So some legitimate HTML e-mail (I know, contradiction in terms) is 
likely to suffer.

David
-- 
"It's overkill of course, but you can never have too much overkill."


Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by Chris Purves <ch...@northfolk.ca>.
Loren Wilton wrote:

> The other rule is looking for a really standard spammer trick:
> <FONT></FONT>.

Interesting.  How is this helpful to spammers?

-- 
Good day, eh.
Chris


Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by Loren Wilton <lw...@earthlink.net>.
You're lucky it scored that low.  Most of these airline things come in at
around 40 points on my system, they have such bad HTML formatting.

The BAYES_x_y rules are looking for a pattern of y-letter words repeated at
least x times.  This is virtually impossible in any human language that
isn't encrypted.

The other rule is looking for a really standard spammer trick:
<FONT></FONT>.

        Loren
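
The word-length check and the empty FONT check described in this message and in Bob Menschel's reply, as an added example that is not part of any post in the thread and is not the SARE rule source. The regex, the function names and the tokenisation on whitespace are assumptions made for illustration; only the date string is taken from the thread.

```python
import re

# Approximations of the behaviour described in the thread; these are NOT the
# actual SARE rule regexes, which are not shown on this page.
EMPTY_FONT = re.compile(r"<font\b[^>]*>\s*</font\s*>", re.IGNORECASE)


def longest_run(text, word_len):
    """Longest run of consecutive whitespace-separated tokens that are
    exactly word_len alphanumeric characters long."""
    best = current = 0
    for token in text.split():
        if len(token) == word_len and token.isalnum():
            current += 1
            best = max(best, current)
        else:
            current = 0
    return best


def bayes_poison_hits(text, word_len=7, counts=(5, 6, 7)):
    """Names of the x-by-y rules whose threshold the text reaches."""
    run = longest_run(text, word_len)
    return [f"SARE_BAYES_{x}x{word_len}" for x in counts if run >= x]


def has_empty_font(raw_html):
    """True if the raw HTML contains a FONT element with no content."""
    return bool(EMPTY_FONT.search(raw_html))


# The date string is the one quoted in the thread; the prose sentence and the
# HTML fragment below are constructed for illustration.
NEWSLETTER_DATES = "2006Mar 2006Apr 2006May 2006Jun 2006Jul 2006Aug 2006Sep"
ORDINARY_PROSE = "Booking flights between several airports usually takes minutes"

if __name__ == "__main__":
    print(bayes_poison_hits(NEWSLETTER_DATES))   # all three x7 rules
    print(bayes_poison_hits(ORDINARY_PROSE))     # run of four, below threshold
    print(has_empty_font("<td><FONT size=4></FONT>Fares</td>"))
```

The newsletter's column of month labels is seven 7-character tokens in a row, which is why the 5x7, 6x7 and 7x7 rules all fire on the same span.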


Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by Matt Kettler <mk...@comcast.net>.
jdow wrote:
>
> Don't know about those scores. But it mentions doubleclick, which
> SHOULD score a solid 10 in any SA rule set.
Unless the administrator involved actually has any users who want
commercial mail of any sort.

As much as I despise doubleclick, they are unfortunately commonly used
on *many* websites and commercial emails of both the spam and nonspam
variety.

Some of us can't afford to be so flagrantly indiscriminate about our
email handling, regardless of a common provider's undesirable behaviors.

Re: CheapTickets newsletter triggering SARE_BAYES plus others

Posted by jdow <jd...@earthlink.net>.
From: "Chris Purves" <ch...@northfolk.ca>


> The attached newsletter is triggering the following rules:
> 
> X-Spam-Report:
> *  0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
> *  0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
> *  0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
> *  1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
> *  0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
> *  1.7 SARE_HTML_USL_FONT RAW: Another spam attempt
> 
> I looked through the source and didn't see any obvious attempts at 
> obfuscation or trying to fool the Bayes filter.  Are these rules 
> triggering properly?
> 
> I don't know what SARE_HTML_USL_FONT means either.

Don't know about those scores. But it mentions doubleclick, which
SHOULD score a solid 10 in any SA rule set.

{o.o}