Posted to users@spamassassin.apache.org by Ben <be...@list-subs.com> on 2015/06/01 11:53:49 UTC

IT Recycling emails being missed

I've seen a few examples of IT Recycling emails being missed in the 
Spamassassin net recently.  Spamassassin has been scoring them very low.

I've kept back a couple of the most recent specimens, I am running 
Spamassassin 3.4.0 on Ubuntu 14 LTS.   Ubuntu is fully up to date, and 
sa-update is running twice a day.

In relation to the two samples below, in order to protect the innocent 
please note I have done the following obfuscations in the headers :
(1) my.server.domain has been replaced with example.com
(2) The first three octets of my server IP ranges have been replaced 
with 10.254.254

http://pastebin.com/raw.php?i=T3FK1vcw
http://pastebin.com/raw.php?i=AQmJDc3p

Re: IT Recycling emails being missed

Posted by Ben <be...@list-subs.com>.
> This is dicey ESP bulk which SA will hardly ever detect.
>
> To help tag this you'll need to :
>
> - feed/use Bayes
> - implement Razor/Pyzor/DCC (if not already done)
> - write rules  - header rules to score on certain X Headers, URI rules,
> etc.
>
> or track their IP ranges and reject at MTA level
> (would be my first choice)
>
> h2h
> Axb

Thanks for the tips.  Will look into it.


Re: IT Recycling emails being missed

Posted by Axb <ax...@gmail.com>.
On 01.06.2015 11:53, Ben wrote:
> I've seen a few examples of IT Recycling emails being missed in the
> Spamassassin net recently.  Spamassassin has been scoring them very low.
>
> I've kept back a couple of the most recent specimens, I am running
> Spamassassin 3.4.0 on Ubuntu 14 LTS.   Ubuntu is fully up to date, and
> sa-update is running twice a day.
>
> In relation to the two samples below, in order to protect the innocent
> please note I have done the following obfuscations in the headers :
> (1) my.server.domain has been replaced with example.com
> (2) The first three octets of my server IP ranges have been replaced
> with 10.254.254
>
> http://pastebin.com/raw.php?i=T3FK1vcw
> http://pastebin.com/raw.php?i=AQmJDc3p

This is dicey ESP bulk which SA will hardly ever detect.

To help tag this you'll need to :

- feed/use Bayes
- implement Razor/Pyzor/DCC (if not already done)
- write rules  - header rules to score on certain X Headers, URI rules, etc.

or track their IP ranges and reject at MTA level
(would be my first choice)

h2h
Axb
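
The "write rules" suggestion above, sketched as a SpamAssassin local.cf fragment. This is an added example, not part of either poster's messages. The header name X-Example-Campaign-ID, the domain esp-tracking.example, the body phrase pattern, the rule names and the scores are all hypothetical placeholders to be replaced with values seen in your own missed samples.

```conf
# Added example: local rules for a recurring bulk campaign.
# Every header name, domain and score below is a placeholder (assumption).

# Sub-rules start with "__" so they carry no score of their own.

# Header rule: fires when the sender's platform stamps a campaign header.
header   __LOCAL_ESP_XHDR      exists:X-Example-Campaign-ID

# Header rule: match on the value of a header rather than its presence.
header   __LOCAL_ESP_MAILER    X-Mailer =~ /\bExampleBulkMailer\b/i

# URI rule: click-tracking links pointing at the sender's redirector.
uri      __LOCAL_ESP_URI       m{^https?://[^/]*\.esp-tracking\.example/}i

# Body rule: the subject matter of the campaign.
body     __LOCAL_RECYCLE_BODY  /\bIT\s+(?:equipment\s+)?recycling\b/i

# Weak signal: the platform alone. Legitimate senders may share it,
# so keep the score small.
meta     LOCAL_ESP_PLATFORM    (__LOCAL_ESP_XHDR || __LOCAL_ESP_MAILER)
describe LOCAL_ESP_PLATFORM    Sent through bulk platform seen in missed spam
score    LOCAL_ESP_PLATFORM    0.5

# Stronger signal: platform + tracking URI + campaign wording together.
meta     LOCAL_ESP_RECYCLING   (LOCAL_ESP_PLATFORM && __LOCAL_ESP_URI && __LOCAL_RECYCLE_BODY)
describe LOCAL_ESP_RECYCLING   Bulk platform mail advertising IT recycling
score    LOCAL_ESP_RECYCLING   2.5

# After editing, check syntax with:  spamassassin --lint
# then run the saved samples through SpamAssassin and confirm which rules hit
# before raising any score.
```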