Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2005/04/14 15:11:24 UTC

The stock spammer with the ||'s

After reading the long thread, I just happened to look in the spam bucket,
and lo! there was one from him.

And looking at it, I see why I hadn't noticed them before - I don't normally
look at spam scoring this high.

Chickenpox is your friend.  :-)

        Loren

Content analysis details:   (29.0 points, 4.6 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 LW_BOUNDARY2           Possible ratware MIME boundary --digits
 6.2 FH_FAKE_RCVD_LINE_B
 1.0 LW_MULT_RECIP5         Five or more recipients in same domain
 1.7 SARE_HEAD_HDR_XCSIP    Message headers used which identify spam
 1.0 LW_MULT_RECIP3         Three or more recipients in same domain
 1.0 LW_MULT_RECIP8         Eight or more recipients in same domain
 1.0 SARE_RECV_IP_FROMIP3   Received line is IP address from IP address
 0.6 J_CHICKENPOX_37        BODY: 3alpha-pock-7alpha
 1.0 LW_FUTURISTIC          BODY: We can see the future!
 1.0 LW_NONPERFORM          BODY: We can't see the future!
 0.6 J_CHICKENPOX_41        BODY: 4alpha-pock-1alpha
 0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
 0.6 J_CHICKENPOX_21        BODY: 2alpha-pock-1alpha
 0.6 J_CHICKENPOX_36        BODY: 3alpha-pock-6alpha
 1.0 LW_RANGE52             BODY: Reference to stock trading range
 1.0 LW_1933                BODY: Reference to Securities Act
 0.6 J_CHICKENPOX_13        BODY: 1alpha-pock-3alpha
 0.6 J_CHICKENPOX_24        BODY: 2alpha-pock-4alpha
 0.6 J_CHICKENPOX_26        BODY: 2alpha-pock-6alpha
 0.6 J_CHICKENPOX_31        BODY: 3alpha-pock-1alpha
 0.0 BAYES_50               BODY: Bayesian spam probability is 50 to 56%
                            [score: 0.5008]
 2.7 SORTED_RECIPS          Recipient list is sorted by address
 2.5 INVALID_MSGID          Message-Id is not valid, according to RFC 2822


Re: The stock spammer with the ||'s

Posted by wolfgang <me...@gmx.net>.
i have been trying to catch those for a while, partly successfully.
thanks for the chickenpox hint, that looks like a good add-on.

while fiddling with my rules, i noticed something strange:
rawbody SOMERULE /\bmai\|\b/
will not work
rawbody SOMERULE /\bmai\|/
will. same with rules that start with \b\|
with \b before or after \| they won't work and even stop other rules from 
matching apparently. can someone confirm and/or even explain that?

regards,
wolfgang
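
An added example, not part of either post above: the two rules from the message run against constructed sample lines, showing that a `\b` placed after `\|` only succeeds when a word character directly follows the pipe. Python's `re` stands in here for the Perl regexes SpamAssassin uses (an assumption; for ASCII text `\b` behaves the same in both), and the names SOMERULE_A / SOMERULE_B and all sample lines are made up for the illustration.

```python
import re

# Rule lines as written in the post above (renamed A/B to tell them apart).
RULES = r"""
rawbody SOMERULE_A /\bmai\|\b/
rawbody SOMERULE_B /\bmai\|/
"""

# Constructed sample body lines, not taken from any real message.
SAMPLES = ["mai|", "mai||ing list", "mai| list", "mai|ing list", "email| now"]

RULE_RE = re.compile(r"^(?:raw)?body\s+(\S+)\s+/(.*)/([a-z]*)\s*$")

def parse_rules(text):
    """Return {name: compiled regex} for body/rawbody rule lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, pattern, flags = m.groups()
            rules[name] = re.compile(pattern, re.I if "i" in flags else 0)
    return rules

def boundary_after(text, pos):
    """True if \\b would succeed at index pos: exactly one side is a word char."""
    def is_word(i):
        return 0 <= i < len(text) and re.match(r"\w", text[i]) is not None
    return is_word(pos - 1) != is_word(pos)

def run(rules=None, samples=SAMPLES):
    """Return {rule name: [samples that match]}."""
    rules = rules or parse_rules(RULES)
    return {n: [s for s in samples if rx.search(s)] for n, rx in rules.items()}

if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
    # '|' is not a word character, so \b right after it needs a word char next.
    for s in SAMPLES:
        i = s.find("|") + 1
        print(repr(s), "boundary after first '|':", boundary_after(s, i))
```
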