Posted to users@spamassassin.apache.org by Matt <mh...@gmail.com> on 2005/02/28 14:23:03 UTC

****SPAM(5.5)**** Porn E-Mail

SpamAssassin, running on "mail.dailyhills.com", has identified this incoming
email as possible spam.  The original message has been attached to this
email so you can view it (if it isn't spam).
If you have any questions, contact postmaster@dailyhills.com for details.

Content preview:  Has anyone noticed lately a higher then normal amount 
  of porn spam getting through? I've seen alot of it that seems to be 
  hitting the customer base as of late.. marked only by the SURBL... but 
  those that aren't SURBLed yet.. get through with a score of like 2.3 
  [...] 

Content analysis details:   (5.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RCVD_BY_IP             Received by mail server with no name
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
-2.0 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0650]
 2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: kytheras.com]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: kytheras.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: kytheras.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: kytheras.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: kytheras.com]
-8.0 AWL                    AWL: From: address is in the auto white-list

---- ---------------------- --------------------------------------------------



Re: Porn E-Mail

Posted by Kevin Peuhkurinen <ke...@hepcoe.com>.
Matt wrote:

>Hrmm well that could do it:
>
> pts rule name              description
>---- ---------------------- --------------------------------------------------
> 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
> 0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
> 0.0 HTML_MESSAGE           BODY: HTML included in message
>
>Hrmm.. yet in my local.cf file I have:
>
>rewrite_subject 1
>#report_header 1
>#defang_mime 0
>required_hits         4.5
>use_bayes       1
>auto_learn      1
>
>Why would bayes not have kicked in there?
>
>  
>
Well, Bayes won't provide a score if it doesn't find enough tokens in 
the email that it has seen and scored before.   You may want to manually 
feed a bunch of these through sa-learn.   Meanwhile, you may want to 
take up Shawn's suggestion to make sure they stop getting through.



Re: Porn E-Mail

Posted by Matt <mh...@gmail.com>.
Hrmm well that could do it:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
 0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message

Hrmm.. yet in my local.cf file I have:

rewrite_subject 1
#report_header 1
#defang_mime 0
required_hits         4.5
use_bayes       1
auto_learn      1

Why would bayes not have kicked in there?

Re: Porn E-Mail

Posted by Kevin Peuhkurinen <ke...@hepcoe.com>.
This hits 22 points on my install.   If you ignore all of the BLs and 
Razor, it's still getting over 5 hits.   Of course, if you ignore Bayes, 
then it's down to about 2 points.    Which rules did this hit on your 
install?  The headers don't say.

Content analysis details:   (22.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 LOCAL_DUMB_NAME        From: Contains a name with an initial
 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives, as in porn or in-home biz
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9145]
 0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [220.104.187.146 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [220.104.187.146 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [220.104.187.146 listed in combined.njabl.org]
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: kytheras.com]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: kytheras.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: kytheras.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: kytheras.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: kytheras.com]


Matt wrote:

>Has anyone noticed lately a higher than normal amount of porn spam
>getting through?    I've seen a lot of it that seems to be hitting the
>customer base as of late.. marked only by the SURBL... but those that
>aren't SURBLed yet.. get through with a score of like 2.3
>
>Return-Path: <tu...@frxsgmnq.area.trieste.it>
>Delivered-To: xxxxxxxxxx@chilitech.net
>Received: (qmail 8629 invoked by uid 509); 26 Feb 2005 15:18:08 -0000
>Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from
><tu...@frxsgmnq.area.trieste.it>, uid 503) with qmail-scanner-1.23
> (spamassassin: 2.64.
> Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):.
> Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -0000
>X-Spam-Status: No, hits=2.1 required=4.5
>X-Spam-Level: ++
>Received: from p7146-ipad04yosida.nagano.ocn.ne.jp ([220.104.187.146])
>          (envelope-sender <tu...@frxsgmnq.area.trieste.it>)
>          by 0 (qmail-ldap-1.03) with SMTP
>          for <ad...@chilitech.net>; 26 Feb 2005 15:18:02 -0000
>Received: from frxsgmnq.area.trieste.it (mail2.area.trieste.it
>[151.11.128.151])
> by p7146-ipad04yosida.nagano.ocn.ne.jp with esmtp
> id 98CA9A8736 for <ad...@chilitech.net>; Sat, 26 Feb 2005 07:17:59
>-0800
>Message-ID: <11...@frxsgmnq.area.trieste.it>
>From: "Lithest T. Helper" <tu...@frxsgmnq.area.trieste.it>
>To: Adelewilcox <xx...@chilitech.net>
>Subject: Excuse me...  :) 
>Date: Sat, 26 Feb 2005 07:17:59 -0800
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0011_582242D6.106C5F2A"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2800.1437
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>X-RAV-Antivirus: This e-mail has been scanned for viruses on host:
>p7146-ipad04yosida.nagano.ocn.ne.jp
>
>This is a multi-part message in MIME format.
>
>------=_NextPart_000_0011_582242D6.106C5F2A
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>
>Well well well!
>
>http://kytheras.com/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg==.htm
>
>Oversleeping will never make one's dreams come true.
>
>Shalai po
>
>http://kytheras.com/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg==.html
>
>------=_NextPart_000_0011_582242D6.106C5F2A
>Content-Type: text/html
>Content-Transfer-Encoding: quoted-printable
>
><META HTTP-EQUIV=3d"Content-Type"
>CONTENT=3d"text/html;charset=3diso-8859-1"> <!DOCTYPE HTML PUBLIC
>"-//W3C//DTD HTML 4=2e0 Transitional//EN">
><HTML><HEAD>
><META HTTP-EQUIV=3d"Content-Type" CONTENT=3d"text/html;
>charset=3dus-ascii"> <META content=3d"MSHTML 6=2e00=2e2800=2e1437"
>name=3dGENERATOR>
><STYLE></STYLE>
></HEAD>
><BODY bgColor=3d#ffffff>
><DIV>
>How're you doing?<BR><BR><A=20
>
>
>
>href=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg=3d=3d=2ehtm"
>target=3d"ensemble">
>
>
>
><br><br><IMG
>src=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/ZVXw/BdqV=2ejpeg"
>alt=3d"mundanes" border=3d'0'><BR><IMG
>src=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/BwYLPwsQDg4FDRYTDQ8ODg8WCzAGSQkHEg=3d=3d=2ejpg"
>border=3d'0'><BR><IMG
>src=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/TWRXIoLhNa/HJb5FTKL/ccc6dWo=2egif"
> border=3d0><BR></A>Khudaa haafizWarayna
>
>
>
>
>
>I have a feeling this is destiny=2e [On the eve of her third marriage]
>
>
>
>Man in general, if reduced to himself, is too wicked to be
>free=2e<BR><BR>Remember, every time you open your mouth to talk, your mind
>walks out and parades up and down the words=2eThe most splendid
>achievement of all is the constant striving to surpass yourself and to be
>worthy of your own approval=2eThere are only two ways of getting on in the
>world: by one's own industry, or by the stupidity of others=2e
>
><br>A lot of good arguments are spoiled by some fool who knows what he is
>talking about=2e<br>It is always sound business to take any obtainable net
>gain, at any cost and at any risk to the rest of the community=2e
>
>
>There is a time to take counsel of your fears, and there is a time to
>never listen to your fear=2e<BR>Don't change horses while crossing a
>stream=2e<BR><BR>I dream of you to wake would that I might Dream of you
>and not wake but slumber on=2e=2e=2e<br><br>Some of these people need ten
>years of therapy --ten sentences of mine do not equal ten years of
>therapy=2e
>
>
>
><br>No great thing is created suddenly=2e<BR>Shelving hard decisions is
>the least ethical course=2e
>
>
>
><BR><BR>Read nothing that you do not care to remember, and remember
>nothing you do not mean to use=2e <br><br>Perhaps all artists were, in a
>sense, housewives: tenders of the earth household=2eThe noblest search is
>the search for excellence=2e<br><br>Comedy is simply a funny way of being
>serious=2eThe construction of life is at present in the power of facts far
>more than convictions=2e
>
>
><br><A
>href=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/oWenQK=2ehtml"
>target=3d"heartbeat"><IMG
>src=3d"http://kytheras=2ecom/b245de2dbd2efe9e06d1a822a/nb0=2egif"  
>border=3d0> </A></DIV></BODY></HTML>
>
>------=_NextPart_000_0011_582242D6.106C5F2A--
>
>  
>
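
Added example (not part of the original thread): a small Python parser for the "Content analysis details" table, used to reproduce the breakdown in the post above, i.e. the score with blocklists and Razor ignored, and with Bayes ignored as well. The group names and the grouping by rule-name prefix are assumptions of this example, not SpamAssassin features.

```python
import re

# Rule lines copied from the 22.2-point report in the post above
# (mail-client line wraps rejoined, descriptions shortened, two detail lines kept).
REPORT = """\
 0.8 LOCAL_DUMB_NAME        From: Contains a name with an initial
 1.3 SARE_HOUSEWIVES        BODY: Mentions housewives
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9145]
 0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
"""

# A rule line is "<score> <RULE_NAME> <description>"; detail lines start with "[".
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

# Assumed grouping by rule-name prefix (illustrative, not defined by SpamAssassin).
GROUPS = [("URIBL_", "uri_bl"), ("RCVD_IN_", "dns_bl"),
          ("RAZOR2_", "razor"), ("BAYES_", "bayes")]

def parse_report(text):
    """Return [(rule, score)]; bracketed detail lines do not match and are skipped."""
    matches = (RULE_LINE.match(line) for line in text.splitlines())
    return [(m.group(2), float(m.group(1))) for m in matches if m]

def group_of(rule):
    return next((name for prefix, name in GROUPS if rule.startswith(prefix)), "local")

def score_without(hits, *excluded):
    """Sum the scores of all rules whose group is not in `excluded`."""
    return round(sum(s for r, s in hits if group_of(r) not in excluded), 1)

if __name__ == "__main__":
    hits = parse_report(REPORT)
    print("all rules:          ", score_without(hits))
    print("no BLs/Razor:       ", score_without(hits, "uri_bl", "dns_bl", "razor"))
    print("no BLs/Razor/Bayes: ", score_without(hits, "uri_bl", "dns_bl", "razor", "bayes"))
```

The printed per-rule values are rounded to one decimal, so their sum (22.3) is a tenth off the 22.2 in the report header.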

Re: [SPAM-TAG] Porn E-Mail

Posted by Jeff Chan <je...@surbl.org>.
On Monday, February 28, 2005, 5:23:03 AM, Matt Matt wrote:
> Has anyone noticed lately a higher than normal amount of porn spam
> getting through?    I've seen a lot of it that seems to be hitting the
> customer base as of late.. marked only by the SURBL... but those that
> aren't SURBLed yet.. get through with a score of like 2.3

FWIW This domain is now on all 5 SURBLs, and it got added to
sc.surbl.org about 35 minutes after you got that spam:

top-sites-domains.new.log:2005-02-26 15:52 kytheras.com

> Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from
> <tu...@frxsgmnq.area.trieste.it>, uid 503) with qmail-scanner-1.23
>  (spamassassin: 2.64.
>  Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):.
>  Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -0000
> X-Spam-Status: No, hits=2.1 required=4.5

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/