Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/09/19 06:42:15 UTC

URIBL_BLACK vs RCVD_IN_JMF_W

Hi,

I have been going through about 15MB of email generated from a
procmail recipe searching for RCVD_IN_JMF_W, and you would not believe
how many also match URIBL_BLACK or URIBL_GREY. Call me naive, but are
there really that many providers that are unaware their clients are
sending spam? (okay, rhetorical question :-)

IOW, I guess this email is more of an informational note to those who
may not be aware, and perhaps for others to comment on whether they
even use it?

The winner for me was a Bank of America scam with the following two relays:

Received: from User (channelf.5460.net [61.137.93.80])
Received: from ortiz.unizar.es (ortiz.unizar.es [155.210.1.52])

No b-of-a relays, of course. This message also hit RAZOR2_CHECK and SPF_FAIL.

There's also a money scam that passed through nasa.gov, hit
RCVD_IN_JMF_W, and a few fraud rules:

Received: from ALTPHYEMBEVSP30.RES.AD.JPL ([128.149.137.84]) by
Received: from mail.jpl.nasa.gov (altvirehtstap02.jpl.nasa.gov [128.149.137.73])
Received: from mail.jpl.nasa.gov (sentrion2.jpl.nasa.gov [128.149.139.106])

X-Spam-Status: No, hits=1.1 tagged_above=-300.0 required=5.0 use_bayes=1
 tests=AE_ADVICE_WITH_MONEY, AE_FRAUD_ADVICE, BAYES_50, LOTS_OF_MONEY,
 MILLION_USD, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W, RELAYCOUNTRY_US

I have RCVD_IN_JMF_W set to 0.5 points. It was also listed in
RCVD_IN_DNSWL_MED? Running it a bit later, it scored as spam with the
RAZOR rules:

X-Spam-Report:
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        * -0.5 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
        *      [128.149.139.106 listed in hostkarma.junkemailfilter.com]
        * -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
        *      medium trust
        *      [128.149.139.106 listed in list.dnswl.org]
        *  0.0 RELAYCOUNTRY_US Relayed through United States
        *  1.0 AE_FRAUD_ADVICE BODY: Someone offering free advice
        *  1.8 MILLION_USD BODY: Talks about millions of dollars
        *  2.1 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
        *      above 50%
        *      [cf:  56]
        *  0.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf:  56]
        *  0.0 LOTS_OF_MONEY Huge... sums of money
        *  2.0 AE_ADVICE_WITH_MONEY Has advice and mentions much money
        *  1.0 MONEY_TO_NO_R Lots of money and bare, missing or undisclosed To
        *  0.2 MONEY_INHERIT Lots of money from a dead guy
X-Spam-Relay-Country: US US US
X-Spam-Status: Yes, score=5.4 required=5.0 tests=AE_ADVICE_WITH_MONEY,
        AE_FRAUD_ADVICE,LOTS_OF_MONEY,MILLION_USD,MONEY_INHERIT,MONEY_TO_NO_R,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
        RCVD_IN_DNSWL_MED,RCVD_IN_JMF_W,RELAYCOUNTRY_US shortcircuit=no
        autolearn=disabled version=3.2.5

Thanks,
Alex
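
Added example, not part of the original post: a short parser for the X-Spam-Report quoted above that shows how much the two whitelist hits moved the verdict. The function names and the heuristic for spotting whitelist rules (negative score with an "RBL:" description) are assumptions made for this illustration; the report lines and required=5.0 are taken from the post.

```python
import re

# X-Spam-Report lines copied from the post above.
REPORT = """\
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        * -0.5 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
        *      [128.149.139.106 listed in hostkarma.junkemailfilter.com]
        * -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
        *      medium trust
        *      [128.149.139.106 listed in list.dnswl.org]
        *  0.0 RELAYCOUNTRY_US Relayed through United States
        *  1.0 AE_FRAUD_ADVICE BODY: Someone offering free advice
        *  1.8 MILLION_USD BODY: Talks about millions of dollars
        *  2.1 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
        *      above 50%
        *      [cf:  56]
        *  0.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf:  56]
        *  0.0 LOTS_OF_MONEY Huge... sums of money
        *  2.0 AE_ADVICE_WITH_MONEY Has advice and mentions much money
        *  1.0 MONEY_TO_NO_R Lots of money and bare, missing or undisclosed To
        *  0.2 MONEY_INHERIT Lots of money from a dead guy
"""

# A scored line is "* <score> <RULE> <description>"; continuation lines have no score.
HIT = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return [(rule, score, description)] for each scored line (hypothetical helper)."""
    hits = []
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3)))
    return hits

def whitelist_impact(text, required=5.0):
    """Compare the verdict with and without negative-scoring RBL (whitelist) hits."""
    hits = parse_report(text)
    total = round(sum(s for _, s, _ in hits), 1)
    credit = {r: s for r, s, d in hits if s < 0 and d.startswith("RBL:")}
    without = round(total - sum(credit.values()), 1)
    return {"total": total, "is_spam": total >= required,
            "whitelist_credit": credit, "without_whitelists": without,
            "margin": round(total - required, 1)}

if __name__ == "__main__":
    print(whitelist_impact(REPORT))
```

For this report the whitelist credit is larger than the margin by which the message crossed the threshold, which is why the same message passed before the Razor rules fired.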