Posted to users@spamassassin.apache.org by Thomas Booms <Th...@booms-edv.de> on 2005/07/10 15:06:26 UTC
Shouldn't I get header(s) with Razor in this Spam?
Hi all,
I've reconfigured a bit and will show the local.cf after the spam source. My question is whether I should normally get Razor headers in this spam or not. If yes, what do I need to change again?
>>From - Sun Jul 10 14:56:41 2005
X-UIDL: 1120998728.M762407P13835051595651352484.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <hi...@hotmail.com>
Delivered-To: thomas.booms@booms-edv.de
Received: from localhost by host1.booms-edv.de
with SpamAssassin (version 3.0.4);
Sun, 10 Jul 2005 14:31:58 +0200
From: Allie Sands <hi...@hotmail.com>
To: thomas.booms@booms-edv.de
Subject: re[11]
Date: Mon, 11 Jul 2005 19:04:20 +0400
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_50,
DATE_IN_FUTURE_24_48,DOMAIN_RATIO,FORGED_HOTMAIL_RCVD,
HELO_DYNAMIC_IPADDR,HTML_80_90,HTML_FONT_LOW_CONTRAST,
HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_ONLY autolearn=spam
version=3.0.4
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on host1.booms-edv.de
X-Spam-Flag: YES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_42D1153E.FA86186F"
This is a multi-part message in MIME format.
------------=_42D1153E.FA86186F
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "host1.booms-edv.de", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
info@booms-edv.de for details.
Content preview: I'm terribly sorry, hometown weather on Midi Fans in
1998 we get on well [...]
Content analysis details: (16.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
2.3 DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date
2.5 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.8 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5150]
3.0 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
3.2 DOMAIN_RATIO BODY: Message body mentions many internet domains
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_42D1153E.FA86186F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Received: (qmail 1945 invoked by uid 567); 10 Jul 2005 12:31:58 -0000
Received: from 82.66.249.213 by host1 (envelope-from <hi...@hotmail.com>, uid 502) with qmail-scanner-1.25
(clamdscan: 0.86.1/974. spamassassin: 3.0.4.
Clear:RC:0(82.66.249.213):SA:1(11.3/5.0):.
Processed in 0.937429 secs); 10 Jul 2005 12:31:58 -0000
X-Spam-Status: Yes, hits=11.3 required=5.0
X-Spam-Level: +++++++++++
Received: from unknown (HELO alf94-3-82-66-249-213.fbx.proxad.net) (82.66.249.213)
by 0 with SMTP; 10 Jul 2005 12:31:57 -0000
FCC: mailbox://hiczcgdh@hotmail.com/Sent
X-Identity-Key: id1
Date: Mon, 11 Jul 2005 19:04:20 +0400
From: Allie Sands <hi...@hotmail.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: thomas.booms@booms-edv.de
Subject: re[11]
Content-Type: multipart/related;
boundary="------------070105080406020308090007"
X-Qmail-Scanner-Message-ID: <11...@host1>
This is a multi-part message in MIME format.
--------------070105080406020308090007
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#FFFFF3" text="#AD2733"><p><a href="http://retailedition.com"><IMG SRC="cid:part1.08090605.05050403@nkmviwnwohc@hotmail.com" border="0" ALT=""></a></p><p><font color="#FFFFF2">I'm terribly sorry, hometown weather on Midi Fans</font></p><p><font color="#FFFFF4">in 1998 we get on well</font></p></body></html>
--------------070105080406020308090007
Content-Type: image/gif;
name="embezzle.GIF"
Content-Transfer-Encoding: base64
Content-ID: <pa...@hotmail.com>
Content-Disposition: inline;
filename="embezzle.GIF"
-> Rest was cut by me
Here is my local.cf:
dns_available test: *****
rewrite_header subject ***SPAM***
report_safe 2
trusted_networks ****.
user_scores_dsn DBI:mysql:****
user_scores_sql_username ****
user_scores_sql_password ****
user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 1.0
I've removed most of my personal settings in the database to test running it this way, and expected to get a rewritten subject in the spam above, without success.
The only entries in my personal settings are 2 whitelist_from entries. Furthermore, I've removed all $GLOBAL settings from my database in the hope that the settings in local.cf will work correctly.
Thomas
--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm
www.booms-edv.de
info@booms-edv.de
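
Added example, not part of the original post: a small Python check that unfolds the X-Spam-Status header of a scanned message and reports which rules fired, so it is easy to see whether any Razor rule is among them. It assumes Razor hits show up as rule names beginning with RAZOR2_ (as with SpamAssassin's stock RAZOR2_CHECK rule); the function name and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: headers shaped like the SpamAssassin 3.0.4 output quoted
# in the post, with the folded X-Spam-Status continuation lines indented.
SAMPLE = (
    "Subject: re[11]\n"
    "X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_50,\n"
    "\tDATE_IN_FUTURE_24_48,DOMAIN_RATIO,FORGED_HOTMAIL_RCVD,\n"
    "\tHELO_DYNAMIC_IPADDR,HTML_80_90,HTML_FONT_LOW_CONTRAST,\n"
    "\tHTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_ONLY autolearn=spam\n"
    "\tversion=3.0.4\n"
    "X-Spam-Flag: YES\n"
    "\n"
    "body\n"
)

def parse_spam_status(raw_message, prefix="RAZOR2_"):
    """Return the parsed top-level X-Spam-Status, or None if it is absent."""
    # compat32 keeps the header value as written, including the fold points.
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None
    # Unfold: collapse newline+whitespace runs, then rejoin a test list that
    # was folded right after a comma ("BAYES_50,\n\tDATE_..." -> one token).
    flat = re.sub(r"\s+", " ", value).strip()
    flat = re.sub(r",\s+", ",", flat)
    fields = dict(re.findall(r"(\w+)=(\S+)", flat))
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    # Older wrappers write "hits=" instead of "score=".
    score = fields.get("score", fields.get("hits"))
    return {
        "flagged": flat.lower().startswith("yes"),
        "score": float(score) if score is not None else None,
        "required": float(fields["required"]) if "required" in fields else None,
        "tests": tests,
        "matching_tests": [t for t in tests if t.startswith(prefix)],
    }

if __name__ == "__main__":
    status = parse_spam_status(SAMPLE)
    print("score:", status["score"], "of", status["required"])
    print("tests fired:", ", ".join(status["tests"]))
    print("Razor tests:", status["matching_tests"] or "none")
```
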