Posted to users@spamassassin.apache.org by Chris Purves <ch...@northfolk.ca> on 2006/03/08 11:37:47 UTC
CheapTickets newsletter triggering SARE_BAYES plus others
The attached newsletter is triggering the following rules:
X-Spam-Report:
* 0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
* 0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
* 0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
* 1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
* 0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
* 1.7 SARE_HTML_USL_FONT RAW: Another spam attempt
I looked through the source and didn't see any obvious attempts at
obfuscation or trying to fool the Bayes filter. Are these rules
triggering properly?
I don't know what SARE_HTML_USL_FONT means either.
--
Good day, eh.
Chris
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Chris,
Wednesday, March 8, 2006, 2:37:47 AM, you wrote:
CP> The attached newsletter is triggering the following rules:
CP> X-Spam-Report:
CP> * 0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
CP> * 0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
CP> * 0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
CP> * 1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
CP> * 0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
CP> * 1.7 SARE_HTML_USL_FONT RAW: Another spam attempt
CP> I looked through the source and didn't see any obvious attempts at
CP> obfuscation or trying to fool the Bayes filter. Are these rules
CP> triggering properly?
CP> I don't know what SARE_HTML_USL_FONT means either.
Not necessarily obvious attempts at obfuscation -- really horrible
HTML often looks that way.
SARE_HTML_USL_xxx are USLess HTML tags. In this case there's a FONT
tag with nothing in it, something like (using parens to make sure no
mail reader tries to interpret this as HTML):
> (FONT size=4)(/FONT)
The Bayes poison rules are looking for rather stiff patterns of word
length which are normally seen only in spam. SARE_BAYES_7x7 hit on
> 2006Mar 2006Apr 2006May 2006Jun 2006Jul 2006Aug 2006Sep
Here, the message hit:
X-Spam-Status: Yes, score=8.6 required=5.0 tests=FB_SINGLE_0WORD,
FU_DOM_END_NUM,FU_LONG_QUERY,HTML_BACKHAIR_8,HTML_MESSAGE,
HTML_OBFUSCATE_05_10,HTML_TAG_EXIST_TBODY,SARE_BAYES_5x7,
SARE_BAYES_6x7,SARE_BAYES_7x7,SARE_HTML_URI_SPACER,SARE_HTML_USL_FONT,
SARE_MSGID_RATWARE1,SARE_OEM_S_PRICE,SARE_UNSUB18,UNPARSEABLE_RELAY
autolearn=no version=3.1.0
Bob Menschel
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by David Landgren <da...@landgren.net>.
Chris Purves wrote:
> Loren Wilton wrote:
>
>> The other rule is looking for a really standard spammer trick:
>> <FONT></FONT>.
>
> Interesting. How is this helpful to spammers?
Indeed. This used to crop up regularly in MS-Frontpage circa 1998 when
people added and then removed markup. Dunno if that is still the case. I
suspect many HTML editing tools will leave cruft like this lying around.
So some legitimate HTML e-mail (I know, contradiction in terms) is
likely to suffer.
David
--
"It's overkill of course, but you can never have too much overkill."
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by Chris Purves <ch...@northfolk.ca>.
Loren Wilton wrote:
> The other rule is looking for a really standard spammer trick:
> <FONT></FONT>.
Interesting. How is this helpful to spammers?
--
Good day, eh.
Chris
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by Loren Wilton <lw...@earthlink.net>.
You're lucky it scored that low. Most of these airline things come in at
around 40 points on my system, they have such bad HTML formatting.
The BAYES_x_y rules are looking for a pattern of y-letter words repeated at
least x times. This is virtually impossible in any human language that
isn't encrypted.
The other rule is looking for a really standard spammer trick:
<FONT></FONT>.
Loren
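
[Added example, not part of the original thread and not the SARE rules' own code: a Python approximation of the two checks described above, run on the date list Bob Menschel quotes and on an empty FONT element like the one he describes. It shows why a harmless date selector satisfies 5x7, 6x7 and 7x7 at once. The tokenisation, the regex and all function names are assumptions made for illustration.]

```python
import re

# Constructed samples: the date list quoted earlier in this thread, wrapped in
# two ordinary words, and an empty FONT element inside a table cell.
SAMPLE_BODY = "Depart 2006Mar 2006Apr 2006May 2006Jun 2006Jul 2006Aug 2006Sep Return"
SAMPLE_HTML = "<td><FONT size=4></FONT>Depart</td>"


def longest_run(text, word_len):
    """Longest run of consecutive whitespace-separated tokens that are
    exactly word_len characters long."""
    best = run = 0
    for token in text.split():
        run = run + 1 if len(token) == word_len else 0
        best = max(best, run)
    return best


def fixed_length_hits(text, word_len=7, thresholds=(5, 6, 7)):
    """Return every x for which 'at least x words of word_len letters in
    a row' holds, following the 5x7 / 6x7 / 7x7 naming in the report."""
    run = longest_run(text, word_len)
    return [x for x in thresholds if run >= x]


# Assumed approximation of an "empty FONT element" check: an opening FONT tag
# with any attributes, closed again with nothing but whitespace inside.
EMPTY_FONT = re.compile(r"<font\b[^>]*>\s*</font\s*>", re.IGNORECASE)


def empty_font_tags(html):
    """Return every FONT element in html that wraps no content."""
    return EMPTY_FONT.findall(html)


if __name__ == "__main__":
    # The seven 7-character date tokens satisfy all three thresholds.
    print(fixed_length_hits(SAMPLE_BODY))
    # Ordinary prose has mixed word lengths and satisfies none.
    print(fixed_length_hits("Fares from Boston to Denver start at $99"))
    # Editor cruft and deliberate padding look identical to the pattern.
    print(empty_font_tags(SAMPLE_HTML))
```
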
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by Matt Kettler <mk...@comcast.net>.
jdow wrote:
>
> Don't know about those scores. But it mentions doubleclick, which
> SHOULD score a solid 10 in any SA rule set.
Unless the administrator involved actually has any users who want
commercial mail of any sort.
As much as I despise doubleclick, they are unfortunately commonly used
on *many* websites and commercial emails of both the spam and nonspam
variety.
Some of us can't afford to be so flagrantly indiscriminate about our
email handling, regardless of a common provider's undesirable behaviors.
Re: CheapTickets newsletter triggering SARE_BAYES plus others
Posted by jdow <jd...@earthlink.net>.
From: "Chris Purves" <ch...@northfolk.ca>
> The attached newsletter is triggering the following rules:
>
> X-Spam-Report:
> * 0.6 SARE_BAYES_5x7 BODY: Bayes poison 5x7
> * 0.8 SARE_BAYES_7x7 BODY: Bayes poison 7x7
> * 0.6 SARE_BAYES_6x7 BODY: Bayes poison 6x7
> * 1.4 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
> * 0.3 HTML_BACKHAIR_8 BODY: HTML tags used to obfuscate words
> * 1.7 SARE_HTML_USL_FONT RAW: Another spam attempt
>
> I looked through the source and didn't see any obvious attempts at
> obfuscation or trying to fool the Bayes filter. Are these rules
> triggering properly?
>
> I don't know what SARE_HTML_USL_FONT means either.
Don't know about those scores. But it mentions doubleclick, which
SHOULD score a solid 10 in any SA rule set.
{o.o}