Posted to users@spamassassin.apache.org by Rick Zeman <RZ...@melwood.org> on 2007/08/17 19:09:34 UTC

Sneaky b@stard slipped through

From: "Jiyoon franc" <Ji...@fsspartnerships.org>
To: xxx@melwood.com 
Subject: The poor man' -- Koroviev let some tremor into his voice and
pointed to Behemoth, who immediately concocted a woeful physiognomy - 'the
poor man spends all day reparating primuses.
Date:	Fri, 17 Aug 2007 19:03:13 +0200
Message-ID: <00...@iubvchgc>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Virus-Scanned: Maia Mailguard 1.0.2a/ClamAV
X-Spam-Status: No, hits=3.512 tagged_above=-25 required=4.75
 tests=BAYES_50=0.001, FRT_OPPORTUN1=1, JM_TORA_XM=2.411, RDNS_NONE=0.1
X-Spam-Level: ***

H.E*R*E WE GO AGAI.N! 


T H'E B_I+G O+N'E BEFO*RE T*H*E SE+PTEMBER.RALL.Y! 

T,H-E MARK,ET IS ABOU T TO P,O-P+, A+N,D SO IS E*X_M_T-! 


Fir,m: EXCHA*NG,E M+OBILE T E L_E (Ot+her O_T,C-: EX*MT.PK) 
Ti+ck: E,X.M,T 

A,s-k': 0..-0_8 


5.-day pote,n'tial: 0_._4,0 


T.h-i-s a gr'eat op por*tunity to at le+ast doubl-e up!

N+o,t o'n_l*y d+o*e_s t+h i.s f_i,r m h a-v.e gre*at fundamental_*s,
b,u+t get'ting t,h'i_s opp'ortu*nity at t*h_e rig-ht t_ime, righ't befo're
t*h*e rall+y is w.h.a,t make,s t,h,i_s d e-a,l so sw*eet! 



Wat-ch it s,o a,r+! 



H.i+s calculating,', s_i-deways gl.ances w+e r-e r-e.minder en*ough of
t+hat, if R'a,n,d n+eeded a+n_y+. 
H_e,'-s d ead, a*n.d at t.h,e murdere*r'-s horse*'s ta,il, In beast-ly
sor*t, dr_agg'd th_rough t-h.e s.ham+eful fiel,d. 

If it d*oesn't w.o_r*k it j-u-s't leav-es t+h,e fi_les alo+ne a,n-d
doe,sn't rem*ove any thin g. 

I, w+h,o h+a,d li_ved o,u,t of t*h-e whir*l of t-h-e world., h+a+d ne-ver
dr-eamed t*h,a t i't+s w*o+r+k w a,s carr-ied on in s u.c*h f-ashion. 

La l,*itt6rature europe.enn+e et le mo_yen-,age latin_. 



-- 
Rick Zeman
Manager of Information Technology
Melwood Horticultural Training Center
301.599.4574 - HelpDesk
301.599.4560 - MyDesk
http://www.melwood.org

Re: Sneaky b@stard slipped through

Posted by Bill Landry <bi...@inetmsg.com>.
Rick Zeman wrote:
> From: "Jiyoon franc" <Ji...@fsspartnerships.org>
> To: xxx@melwood.com 
> Subject: The poor man' -- Koroviev let some tremor into his voice and
> pointed to Behemoth, who immediately concocted a woeful physiognomy - 'the
> poor man spends all day reparating primuses.
> Date:	Fri, 17 Aug 2007 19:03:13 +0200
> Message-ID: <00...@iubvchgc>
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="windows-1250"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.6626
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> X-Virus-Scanned: Maia Mailguard 1.0.2a/ClamAV
> X-Spam-Status: No, hits=3.512 tagged_above=-25 required=4.75
>  tests=BAYES_50=0.001, FRT_OPPORTUN1=1, JM_TORA_XM=2.411, RDNS_NONE=0.1
> X-Spam-Level: ***
> 
> H.E*R*E WE GO AGAI.N! 
> 
> 
> T H'E B_I+G O+N'E BEFO*RE T*H*E SE+PTEMBER.RALL.Y! 
> 
> T,H-E MARK,ET IS ABOU T TO P,O-P+, A+N,D SO IS E*X_M_T-! 
> 
> 
> Fir,m: EXCHA*NG,E M+OBILE T E L_E (Ot+her O_T,C-: EX*MT.PK) 
> Ti+ck: E,X.M,T 
> 
> A,s-k': 0..-0_8 
> 
> 
> 5.-day pote,n'tial: 0_._4,0 
> 
> 
> T.h-i-s a gr'eat op por*tunity to at le+ast doubl-e up!
> 
> N+o,t o'n_l*y d+o*e_s t+h i.s f_i,r m h a-v.e gre*at fundamental_*s,
> b,u+t get'ting t,h'i_s opp'ortu*nity at t*h_e rig-ht t_ime, righ't befo're
> t*h*e rall+y is w.h.a,t make,s t,h,i_s d e-a,l so sw*eet! 
> 
> 
> 
> Wat-ch it s,o a,r+! 
> 
> 
> 
> H.i+s calculating,', s_i-deways gl.ances w+e r-e r-e.minder en*ough of
> t+hat, if R'a,n,d n+eeded a+n_y+. 
> H_e,'-s d ead, a*n.d at t.h,e murdere*r'-s horse*'s ta,il, In beast-ly
> sor*t, dr_agg'd th_rough t-h.e s.ham+eful fiel,d. 
> 
> If it d*oesn't w.o_r*k it j-u-s't leav-es t+h,e fi_les alo+ne a,n-d
> doe,sn't rem*ove any thin g. 
> 
> I, w+h,o h+a,d li_ved o,u,t of t*h-e whir*l of t-h-e world., h+a+d ne-ver
> dr-eamed t*h,a t i't+s w*o+r+k w a,s carr-ied on in s u.c*h f-ashion. 
> 
> La l,*itt6rature europe.enn+e et le mo_yen-,age latin_. 

From this message:

X-Spam-Status: No, score=-93.537 required=5 tests=[AWL=-13.845,
	BILLS_TEST=0.01, BILLS_TEST=0.01, BOTNET_SOHO=0.1, FRT_BEFORE=1.279,
	FRT_OPPORTUN1=1, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6,
	J_CHICKENPOX_15=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6,
	J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_31=0.6,
	J_CHICKENPOX_32=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_34=0.6,
	J_CHICKENPOX_36=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_42=0.6,
	J_CHICKENPOX_52=0.6, J_CHICKENPOX_71=0.6, L_P0F_D11=-0.3,
	L_P0F_Unix=-1, MANGLED_DEALS=2.3, MANGLED_FASHN=2.3, MANGLED_HERE=2.3,
	MANGLED_MARKET=2.3, MANGLED_SWEET=2.3, MANGLED_TIME=2.3,
	MANGLED_WORKS=2.3, RCVD_IN_DNSWL_MED=-4, RCVD_IN_JMFILTER_W=-1.5,
	RCVD_IN_MXRATE_WL=-1, RELAY_US=0.01, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100]

Without the SA list whitelisting, these typically score between 40 and 50 here.
For example:

X-Spam-Score: 41.364
X-Spam-Status: Yes, score=41.364 required=5 tests=[BAYES_99=3.5, BOTNET=2.5,
	BOTNET_BADDNS=0.5, BOTNET_CLIENT=0.5, BOTNET_IPINHOSTNAME=0.5,
	FM_NO_STYLE=0.9, FRT_BEFORE=1.279, FRT_CLICK=1.993, FRT_OPPORTUN1=1,
	HELO_EQ_IP_ADDR=1.119, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6,
	J_CHICKENPOX_15=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6,
	J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_32=0.6,
	J_CHICKENPOX_33=0.6, J_CHICKENPOX_36=0.6, J_CHICKENPOX_41=0.6,
	J_CHICKENPOX_42=0.6, J_CHICKENPOX_43=0.6, J_CHICKENPOX_52=0.6,
	J_CHICKENPOX_61=0.6, MANGLED_DEALS=2.3, MANGLED_HERE=2.3,
	MANGLED_MARKET=2.3, MANGLED_TIME=2.3, RCVD_IN_NERDS_MY=2.5,
	RCVD_IN_PBL=0.905, RCVD_IN_TQMC_DHCP=1, RCVD_IN_UCEPROTECT_2=1,
	RCVD_IN_UCEPROTECT_3=0.5, RCVD_NUMERIC_HELO=2.067, RELAY_MY=1,
	SAGREY=1]

As I've posted here before, take a look at the SARE "chickenpox" and "mangled"
rule sets.  As you can see, they score quite nicely on these kinds of spam messages.

Bill
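
The idea behind catching this kind of body, as an added example (not the SARE rule sets themselves and not code from anyone in this thread): count punctuation wedged inside words, and look for keywords that only appear once noise characters are allowed between their letters. The regexes, keyword list and threshold are assumptions made for illustration; the spam lines are copied from the message quoted above.

```python
import re

# Noise characters seen between letters in the sample quoted in the thread.
NOISE = r"[.,*+_'\- ]"

# Punctuation wedged between two letters. Apostrophe and hyphen are left out
# of this class so ordinary words like "doesn't" or "e-mail" do not fire.
POX = re.compile(r"[A-Za-z][.,*+_]{1,2}[A-Za-z]")

# Keywords borrowed from the MANGLED_* rule names in the score lists above
# (assumption: the real rules are not shown on the page).
KEYWORDS = ("deal", "here", "market", "sweet", "time", "work")


def mangled_re(word):
    """Match `word` with up to two noise characters between adjacent letters."""
    gap = NOISE + "{0,2}"
    return re.compile(r"(?<![A-Za-z])" + gap.join(map(re.escape, word)), re.I)


MANGLED = {w: mangled_re(w) for w in KEYWORDS}


def score(text):
    """Return (punctuation-in-word hits, sorted list of mangled keywords)."""
    pox = len(POX.findall(text))
    # A keyword counts only when the matched text differs from the plain word.
    mangled = sorted(
        w for w, rx in MANGLED.items()
        if any(m.group(0).lower() != w for m in rx.finditer(text))
    )
    return pox, mangled


def is_obfuscated(text, min_pox=3):
    """Flag a body with several in-word punctuation hits or any mangled keyword."""
    pox, mangled = score(text)
    return pox >= min_pox or bool(mangled)


# Three lines copied from the spam body quoted in the thread.
SPAM = (
    "H.E*R*E WE GO AGAI.N!\n"
    "T,H-E MARK,ET IS ABOU T TO P,O-P+, A+N,D SO IS E*X_M_T-!\n"
    "t*h*e rall+y is w.h.a,t make,s t,h,i_s d e-a,l so sw*eet!\n"
)
# Constructed clean text using the same keywords unobfuscated.
HAM = "Here is the market update. It doesn't work every time, e.g. on Fridays."

if __name__ == "__main__":
    print(score(SPAM), is_obfuscated(SPAM))
    print(score(HAM), is_obfuscated(HAM))
```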

Re: Sneaky b@stard slipped through

Posted by Kai Schaetzl <ma...@conactive.com>.
Again, chickenpox.cf almost surely would have caught this.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Sneaky b@stard slipped through

Posted by Andy Jezierski <aj...@stepan.com>.
"Rick Zeman" <RZ...@melwood.org> wrote on 08/17/2007 12:09:34 PM:

> X-Spam-Status: No, hits=3.512 tagged_above=-25 required=4.75
>  tests=BAYES_50=0.001, FRT_OPPORTUN1=1, JM_TORA_XM=2.411, RDNS_NONE=0.1
> X-Spam-Level: ***
> 
> H.E*R*E WE GO AGAI.N! 
> 
> 
> T H'E B_I+G O+N'E BEFO*RE T*H*E SE+PTEMBER.RALL.Y! 
> 
> T,H-E MARK,ET IS ABOU T TO P,O-P+, A+N,D SO IS E*X_M_T-! 
> 
> 
> Fir,m: EXCHA*NG,E M+OBILE T E L_E (Ot+her O_T,C-: EX*MT.PK) 
> Ti+ck: E,X.M,T 
> 
> A,s-k': 0..-0_8 
[snip]

Add the Chickenpox ruleset.  That should stop those.

Andy