Posted to users@spamassassin.apache.org by Frank Tore Johansen <fr...@osc.no> on 2005/02/21 13:19:20 UTC

Problems with new spam getting through in SA 2.64 the last few days

These are the rules I have:

   31854 jun  1  2004 70_sare_adult.cf
    3927 apr 24  2004 70_sare_bayes_poison_nxm.cf
   85658 jan 28 07:23 70_sare_genlsubj0.cf
   70561 jan 28 07:23 70_sare_genlsubj1.cf
  107315 feb 12 23:35 70_sare_header0.cf
   75276 feb 12 23:35 70_sare_header1.cf
   32960 sep 13 02:23 70_sare_html0.cf
   38006 sep 13 02:23 70_sare_html1.cf
   11559 sep 14 20:43 70_sare_oem.cf
   17845 feb  8 18:15 70_sare_random.cf
     385 sep 20 03:35 70_sare_ratware.cf
   18709 feb  3 06:48 70_sare_specific.cf
    7006 nov 17 19:48 70_sare_spoof.cf
   18192 nov 17 00:05 71_sare_redirect_pre3.0.0.cf
   13211 mai 12  2004 72_sare_bml_post25x.cf
   56134 feb 13  2004 99_FVGT_Tripwire.cf
   10147 mai  2  2004 99_sare_fraud_post25x.cf
   22546 jan 30 03:50 backhair.cf
   23422 jan 30 03:50 chickenpox.cf
   18052 okt 30 18:30 evilnumbers.cf
    3526 okt 24 23:21 rolex.cf
    1923 okt 26 17:36 spamcop_uri.cf

What exactly is RCVD_IN_SORBS_DUL, and why doesn't it give any score?

I've been hit by quite a lot of these spams the last few days, they don't
look any alike except that they all seem to have the random words in the
last paragraph, as well as also having a RCVD_IN_SORBS_DUL match.  Does 
anyone have a rule to catch them?  This is very annoying, spamassassin
used to stop 99.99% of all my spam before these came along.

-Frank.


---------- Forwarded message ----------
Received: from doond.com ([220.188.181.115])
     by my-mail-host (8.11.6/8.11.1) with SMTP id j1J1mfO27438;
     Sat, 19 Feb 2005 02:48:42 +0100
Message-ID: <8b...@gersham>
Reply-To: "sterling kingery" <ge...@doond.com>
From: "sterling kingery" <ge...@doond.com>
To: "Arron Fanoele" <fa...@my-domain>
Subject: The prices you wanted on functional program disc.
Date: Sat, 19 Feb 2005 11:11:51 +1200
MIME-Version: 1.0
Content-Type: text/plain;
     charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on my-mail-host
X-Spam-Level: 
X-Spam-Status: No, hits=0.1 required=3.0 tests=BAYES_50,RCVD_IN_SORBS_DUL
     autolearn=ham version=2.64
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.2 with clamscan / ClamAV 0.82/710/Fri
     Feb 18 23:05:27 2005

Find top selling program for office operation, operation system,
programming, server maintenance, PC diagnostics, finance and graphic design&
processing on our site at low prices.
All of our program or installation discs products are the highest quality
available.


Install or upgrade the program on office operation, programming, server
maintenance, PC diagnostics, finance and graphic design& processing easily
from now on.


http://2Og.gooddealstime.com/wob/

Why not have a try and get quality PC program discs at low prices from now
on. The discount store offers customers more convenience and saving on
program installation and upgrade.


while addressing Israeli and international demands that he help resolve the
fouryearold IsraeliPalestinian
NBCSports.com contributorUpdated:7:03 p.m. ET Jan. 16, 2005PHILADELPHIA  It
was more a party than a playoff game, with the Eagles

Re: ****SPAM(8.1)**** Problems with new spam getting through in SA 2.64 the last few days

Posted by Kenneth Porter <sh...@sewingwitch.com>.
Score from 3.0.0 without any custom rules:

Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------------
 2.2 TO_MALFORMED           To: has a malformed address
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4438]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [220.188.181.115 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [220.188.181.115 listed in sbl-xbl.spamhaus.org]
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: gooddealstime.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: gooddealstime.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: gooddealstime.com]
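
An added example, not written by either poster: a Python comparison of the two verdicts quoted in this thread, listing the rules that scored in the 3.0.0 report but are absent from the 2.64 `X-Spam-Status` header and the points they carry. The sample strings are constructed from the header and report above, and the function names are hypothetical.

```python
import re
from decimal import Decimal

# Constructed from the two verdicts quoted in this thread. One description
# line is wrapped the way a mail client would, to exercise the parser.
STATUS_264 = ("X-Spam-Status: No, hits=0.1 required=3.0 "
              "tests=BAYES_50,RCVD_IN_SORBS_DUL\n"
              "     autolearn=ham version=2.64")
REPORT_300 = """\
 pts rule name              description
---- ---------------------- ------------------------------------
 2.2 TO_MALFORMED           To: has a malformed address
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4438]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
address
                            [220.188.181.115 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
"""
# A rule row is "<points> <RULE_NAME> <description>"; bracketed detail lines
# and wrapped description text do not match and are skipped.
RULE_ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+\S")

def parse_status(header):
    """Return (hits, required, tests) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    hits = Decimal(re.search(r"hits=(-?\d+(?:\.\d+)?)", flat).group(1))
    required = Decimal(re.search(r"required=(\d+(?:\.\d+)?)", flat).group(1))
    tests = re.search(r"tests=([A-Z0-9_,\s]*)", flat).group(1)
    return hits, required, [t for t in re.split(r"[,\s]+", tests) if t]

def parse_report(text):
    """Return {rule_name: points} from a 'Content analysis details' table."""
    rows = (RULE_ROW.match(line) for line in text.splitlines())
    return {m.group(2): Decimal(m.group(1)) for m in rows if m}

def verdict_gap(status_header, report):
    """Rules scored in the report but missing from the header's tests."""
    fired = set(parse_status(status_header)[2])
    extra = {r: p for r, p in parse_report(report).items() if r not in fired}
    return extra, sum(extra.values(), Decimal("0"))

if __name__ == "__main__":
    extra, points = verdict_gap(STATUS_264, REPORT_300)
    for rule, pts in sorted(extra.items(), key=lambda kv: -kv[1]):
        print(f"{pts:>4} {rule}")
    print(f"{points} points came from rules the 2.64 run did not hit")
```

In this sample every rule missing from the 2.64 run except TO_MALFORMED is a DNSBL or URI blocklist lookup.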