Posted to users@spamassassin.apache.org by Ben <be...@list-subs.com> on 2015/06/01 11:53:49 UTC
IT Recycling emails being missed
I've seen a few examples of IT Recycling emails being missed in the
Spamassassin net recently. Spamassassin has been scoring them very low.
I've kept back a couple of the most recent specimens, I am running
Spamassassin 3.4.0 on Ubuntu 14 LTS. Ubuntu is fully up to date, and
sa-update is running twice a day.
In relation to the two samples below, in order to protect the innocent
please note I have done the following obfuscations in the headers :
(1) my.server.domain has been replaced with example.com
(2) The first three octets of my server IP ranges have been replaced
with 10.254.254
http://pastebin.com/raw.php?i=T3FK1vcw
http://pastebin.com/raw.php?i=AQmJDc3p
Re: IT Recycling emails being missed
Posted by Ben <be...@list-subs.com>.
> This is dicey ESP bulk which SA will hardly ever detect.
>
> To help tag this you'll need to :
>
> - feed/use Bayes
> - implement Razor/Pyzor/DCC (if not already done)
> - write rules - header rules to score on certain X Headers, URI rules,
> etc.
>
> or track their IP ranges and reject at MTA level
> (would be my first choice)
>
> h2h
> Axb
Thanks for the tips. Will look into it.
Re: IT Recycling emails being missed
Posted by Axb <ax...@gmail.com>.
On 01.06.2015 11:53, Ben wrote:
> I've seen a few examples of IT Recycling emails being missed in the
> Spamassassin net recently. Spamassassin has been scoring them very low.
>
> I've kept back a couple of the most recent specimens, I am running
> Spamassassin 3.4.0 on Ubuntu 14 LTS. Ubuntu is fully up to date, and
> sa-update is running twice a day.
>
> In relation to the two samples below, in order to protect the innocent
> please note I have done the following obfuscations in the headers :
> (1) my.server.domain has been replaced with example.com
> (2) The first three octets of my server IP ranges have been replaced
> with 10.254.254
>
> http://pastebin.com/raw.php?i=T3FK1vcw
> http://pastebin.com/raw.php?i=AQmJDc3p
This is dicey ESP bulk which SA will hardly ever detect.
To help tag this you'll need to :
- feed/use Bayes
- implement Razor/Pyzor/DCC (if not already done)
- write rules - header rules to score on certain X Headers, URI rules, etc.
or track their IP ranges and reject at MTA level
(would be my first choice)
h2h
Axb