Posted to users@spamassassin.apache.org by Dimitri Yioulos <dy...@firstbhph.com> on 2006/07/26 18:51:18 UTC

Should this hit more rules?

Hello to all.

I'm wondering why the following isn't hitting more rules:

Return-Path: <ki...@braunconsult.com>
 Received: from braunconsult.com (216-130-126-2.cimcoisp.net 
[216.130.126.2] (may be forged))
        by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id 
k6QG52CZ028664
        for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02 -0400
 Message-ID: <00...@ejp63>
 Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
 From: "Janele Kinyon" <ki...@braunconsult.com>
 To: dyioulos@firstbhph.com
 Subject: {Spam?} Re: qutugVjlAGRA
 Date: Wed, 26 Jul 2006 09:01:21 -0700
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0001_01C6B092.10472690"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2800.1106
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
 X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: 
archive@firstbhph.com
 X-First1-MailScanner-Information: Please contact First 1 Financial 
Corporation for more information
 X-First1-MailScanner: Found to be clean
 X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not 
cached,
        score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
        HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
 X-First1-MailScanner-SpamScore: sssssss
 X-MailScanner-From: kinyi@braunconsult.com
 Status: R
 X-Status: NC
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 
CIjALIlS from 3 , 75 $
VlljAGRA from 3 , 35 $
AMjBlIEN
VAjLIlUM from 1 , 25 $

I'm using the following rules in my setup:

TRIPWIRE
SARE_RANDOM
BOGUSVIRUS
SARE_EVILNUMBERS0
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_SPECIFIC
SARE_ADULT
SARE_UNSUB
SARE_URI0
SARE_GENLSUBJ0
SARE_WHITELIST_RCVD
SARE_WHITELIST_SPF
SARE_REDIRECT_POST300
SARE_FRAUD
SARE_HEADER0
SARE_BML
SARE_OEM
SARE_OBFU

along with Bayes, DCC, Razor, and Pyzor.

Forgive my ignorance, but I would think that this would trip more 
rules.  I seem to be getting an increasing number of obvious spam 
which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs (and, 
of course, I'm grateful for that!).  Few, if any, other rules are 
hit.  Running "spamassassin -D --lint" shows all of my rules being 
read, and throws no errors.

Oh, yeah, this is a CentOS 3.7 box, running 
sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3, and 
mailscanner-4.54.6-1.

Thanks.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: Should this hit more rules?

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Wednesday July 26 2006 2:36 pm, Stuart Johnston wrote:
> Dimitri Yioulos wrote:
> > On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
> >> Dimitri Yioulos wrote:
> >>> On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> >>>> Dimitri Yioulos wrote:
> >>>>> Hello to all.
> >>>>>
> >>>>> I'm wondering why the following isn't hitting more rules:
> >>>>>
> >>>>> Return-Path: <ki...@braunconsult.com>
> >>>>>  Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> >>>>> [216.130.126.2] (may be forged))
> >>>>>         by mail1.firstbhph.com (8.12.11.20060308/8.12.11)
> >>>>> with SMTP id k6QG52CZ028664
> >>>>>         for <dy...@firstbhph.com>; Wed, 26 Jul 2006
> >>>>> 12:05:02 -0400 Message-ID:
> >>>>> <00...@ejp63> Reply-To: "Janele
> >>>>> Kinyon" <ki...@braunconsult.com>
> >>>>>  From: "Janele Kinyon" <ki...@braunconsult.com>
> >>>>>  To: dyioulos@firstbhph.com
> >>>>>  Subject: {Spam?} Re: qutugVjlAGRA
> >>>>>  Date: Wed, 26 Jul 2006 09:01:21 -0700
> >>>>>  MIME-Version: 1.0
> >>>>>  Content-Type: multipart/alternative;
> >>>>>   boundary="----=_NextPart_000_0001_01C6B092.10472690"
> >>>>>  X-Priority: 3
> >>>>>  X-MSMail-Priority: Normal
> >>>>>  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> >>>>>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>>>>  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym)
> >>>>> to: archive@firstbhph.com
> >>>>>  X-First1-MailScanner-Information: Please contact First 1
> >>>>> Financial Corporation for more information
> >>>>>  X-First1-MailScanner: Found to be clean
> >>>>>  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin
> >>>>> (not cached,
> >>>>>         score=7.414, required 6, BAYES_99 3.50, HTML_50_60
> >>>>> 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> >>>>> X-First1-MailScanner-SpamScore: sssssss
> >>>>>  X-MailScanner-From: kinyi@braunconsult.com
> >>>>>  Status: R
> >>>>>  X-Status: NC
> >>>>>  X-KMail-EncryptionState:
> >>>>>  X-KMail-SignatureState:
> >>>>>  X-KMail-MDN-Sent:
> >>>>>
> >>>>> CIjALIlS from 3 , 75 $
> >>>>> VlljAGRA from 3 , 35 $
> >>>>> AMjBlIEN
> >>>>> VAjLIlUM from 1 , 25 $
> >>>>>
> >>>>> I'm using the following rules in my setup:
> >>>>>
> >>>>> TRIPWIRE
> >>>>> SARE_RANDOM
> >>>>> BOGUSVIRUS
> >>>>> SARE_EVILNUMBERS0
> >>>>> SARE_SPOOF
> >>>>> SARE_BAYES_POISON_NXM
> >>>>> SARE_SPECIFIC
> >>>>> SARE_ADULT
> >>>>> SARE_UNSUB
> >>>>> SARE_URI0
> >>>>> SARE_GENLSUBJ0
> >>>>> SARE_WHITELIST_RCVD
> >>>>> SARE_WHITELIST_SPF
> >>>>> SARE_REDIRECT_POST300
> >>>>> SARE_FRAUD
> >>>>> SARE_HEADER0
> >>>>> SARE_BML
> >>>>> SARE_OEM
> >>>>> SARE_OBFU
> >>>>>
> >>>>> along with Bayes, DCC, Razor, and Pyzor.
> >>>>>
> >>>>> Forgive my ignorance, but I would think that this would trip
> >>>>> more rules.  I seem to be getting an increasing number of
> >>>>> obvious spam which "only" hit bayes, DCC and/or Razor and/or
> >>>>> Pyzor, and RBLs (and, of course, I'm grateful for that!). 
> >>>>> Few, if any, other rules are hit.  Running "spamassassin -D
> >>>>> --lint" shows all of my rules being read, and throws no
> >>>>> errors.
> >>>>>
> >>>>> Oh, yeah, this is a CentOS 3.7 box, running
> >>>>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
> >>>>> clamav-0.88.3, and mailscanner-4.54.6-1.
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> Dimitri
> >>>>
> >>>> Dimitri
> >>>> here's what hit with me on my SA 3.1.3 with lots of extra SARE
> >>>> etc rules..
> >>>> Content analysis details:   (28.5 points, 5.0 required)
> >>>>
> >>>>   pts rule name              description
> >>>> ---- ---------------------- --------------------------------------------------
> >>>>   2.5 MISSING_HB_SEP         Missing blank line between message header and body
> >>>>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >>>>   3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
> >>>>   0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
> >>>>   3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
> >>>>   2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
> >>>>   0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
> >>>>   2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
> >>>>   1.8 MISSING_SUBJECT        Missing Subject: header
> >>>>   5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
> >>>>   0.3 SARE_URI_CONS7         body contains link to probable spammer
> >>>>   0.1 TO_CC_NONE             No To: or Cc: header
> >>>>   2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
> >>>>   0.5 FM_NO_TO               FM_NO_TO
> >>>>   1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
> >>>>   0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
> >>>
> >>> Martin,
> >>>
> >>> What rules are you using that I'm not?  Your results are much
> >>> more what I have in mind for my setup.
> >>
> >> Looks like he is using some "unofficial" SARE rules.
> >>
> >> http://rulesemporium.com/rules/99_FVGT_meta.cf
> >> http://www.rulesemporium.com/rules/88_FVGT_body.cf
> >
> > I'll try 'em.  Are those the only rules that contribute to
> > Martin's score, other than the ones I already have?
>
> I believe that all of the FM and FB rules are from those files. 
> You can easily search for the others.
>
> > This is curious, too - URI_NOVOWEL is tripped in his setup, but
> > not on mine (I know that this is installed on my system).  Why
> > would that be?
>
> Since the sample you attached is not really scannable and does not
> actually include any URLs, I would guess that he probably used a
> sample from his own mail system that had a different URL.
> Differences could also be caused by the fact that you are using a
> version of SA that is (essentially) nearly 2 years old.

So true on the age of SA.  I tried updating to latest not long ago, 
and kinda munged things up, so like a true wimp, I rolled back to the 
rpm-based version for my distro (and RHEL AS 3).  Maybe I'll grab the 
latest and greatest from Dag and give it another try.

Dimitri



Re: Should this hit more rules?

Posted by Stuart Johnston <st...@ebby.com>.
Dimitri Yioulos wrote:
> On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
>> Dimitri Yioulos wrote:
>>> On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
>>>> Dimitri Yioulos wrote:
>>>>> Hello to all.
>>>>>
>>>>> I'm wondering why the following isn't hitting more rules:
>>>>>
>>>>> Return-Path: <ki...@braunconsult.com>
>>>>>  Received: from braunconsult.com (216-130-126-2.cimcoisp.net
>>>>> [216.130.126.2] (may be forged))
>>>>>         by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
>>>>> SMTP id k6QG52CZ028664
>>>>>         for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02
>>>>> -0400 Message-ID: <00...@ejp63>
>>>>>  Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
>>>>>  From: "Janele Kinyon" <ki...@braunconsult.com>
>>>>>  To: dyioulos@firstbhph.com
>>>>>  Subject: {Spam?} Re: qutugVjlAGRA
>>>>>  Date: Wed, 26 Jul 2006 09:01:21 -0700
>>>>>  MIME-Version: 1.0
>>>>>  Content-Type: multipart/alternative;
>>>>>   boundary="----=_NextPart_000_0001_01C6B092.10472690"
>>>>>  X-Priority: 3
>>>>>  X-MSMail-Priority: Normal
>>>>>  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
>>>>>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>>>>>  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym)
>>>>> to: archive@firstbhph.com
>>>>>  X-First1-MailScanner-Information: Please contact First 1
>>>>> Financial Corporation for more information
>>>>>  X-First1-MailScanner: Found to be clean
>>>>>  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin
>>>>> (not cached,
>>>>>         score=7.414, required 6, BAYES_99 3.50, HTML_50_60
>>>>> 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
>>>>> X-First1-MailScanner-SpamScore: sssssss
>>>>>  X-MailScanner-From: kinyi@braunconsult.com
>>>>>  Status: R
>>>>>  X-Status: NC
>>>>>  X-KMail-EncryptionState:
>>>>>  X-KMail-SignatureState:
>>>>>  X-KMail-MDN-Sent:
>>>>>
>>>>> CIjALIlS from 3 , 75 $
>>>>> VlljAGRA from 3 , 35 $
>>>>> AMjBlIEN
>>>>> VAjLIlUM from 1 , 25 $
>>>>>
>>>>> I'm using the following rules in my setup:
>>>>>
>>>>> TRIPWIRE
>>>>> SARE_RANDOM
>>>>> BOGUSVIRUS
>>>>> SARE_EVILNUMBERS0
>>>>> SARE_SPOOF
>>>>> SARE_BAYES_POISON_NXM
>>>>> SARE_SPECIFIC
>>>>> SARE_ADULT
>>>>> SARE_UNSUB
>>>>> SARE_URI0
>>>>> SARE_GENLSUBJ0
>>>>> SARE_WHITELIST_RCVD
>>>>> SARE_WHITELIST_SPF
>>>>> SARE_REDIRECT_POST300
>>>>> SARE_FRAUD
>>>>> SARE_HEADER0
>>>>> SARE_BML
>>>>> SARE_OEM
>>>>> SARE_OBFU
>>>>>
>>>>> along with Bayes, DCC, Razor, and Pyzor.
>>>>>
>>>>> Forgive my ignorance, but I would think that this would trip
>>>>> more rules.  I seem to be getting an increasing number of
>>>>> obvious spam which "only" hit bayes, DCC and/or Razor and/or
>>>>> Pyzor, and RBLs (and, of course, I'm grateful for that!).  Few,
>>>>> if any, other rules are hit.  Running "spamassassin -D --lint"
>>>>> shows all of my rules being read, and throws no errors.
>>>>>
>>>>> Oh, yeah, this is a CentOS 3.7 box, running
>>>>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
>>>>> clamav-0.88.3, and mailscanner-4.54.6-1.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Dimitri
>>>> Dimitri
>>>> here's what hit with me on my SA 3.1.3 with lots of extra SARE
>>>> etc rules..
>>>> Content analysis details:   (28.5 points, 5.0 required)
>>>>
>>>>   pts rule name              description
>>>> ---- ---------------------- --------------------------------------------------
>>>>   2.5 MISSING_HB_SEP         Missing blank line between message header and body
>>>>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>>>>   3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
>>>>   0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
>>>>   3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
>>>>   2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
>>>>   0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
>>>>   2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
>>>>   1.8 MISSING_SUBJECT        Missing Subject: header
>>>>   5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
>>>>   0.3 SARE_URI_CONS7         body contains link to probable spammer
>>>>   0.1 TO_CC_NONE             No To: or Cc: header
>>>>   2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
>>>>   0.5 FM_NO_TO               FM_NO_TO
>>>>   1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
>>>>   0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
>>> Martin,
>>>
>>> What rules are you using that I'm not?  Your results are much more
>>> what I have in mind for my setup.
>> Looks like he is using some "unofficial" SARE rules.
>>
>> http://rulesemporium.com/rules/99_FVGT_meta.cf
>> http://www.rulesemporium.com/rules/88_FVGT_body.cf
> 
> I'll try 'em.  Are those the only rules that contribute to Martin's 
> score, other than the ones I already have?
> 

I believe that all of the FM and FB rules are from those files.  You can easily search for the others.

> This is curious, too - URI_NOVOWEL is tripped in his setup, but not on 
> mine (I know that this is installed on my system).  Why would that 
> be?

Since the sample you attached is not really scannable and does not actually include any URLs, I would 
guess that he probably used a sample from his own mail system that had a different URL.  Differences 
could also be caused by the fact that you are using a version of SA that is (essentially) nearly 2 
years old.
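
Stuart's point that the sample as posted is not really scannable can be checked directly. The following is an added example, not part of the original thread: it parses an excerpt of the sample as it appears in the first post, plus both score lists from this thread, and shows which of Martin's hits follow from the indented header lines. Function names are hypothetical, and Python's email parser stands in for SpamAssassin's own.

```python
import email
import re

# Excerpt of the sample as it appears in the first post: every header line
# after the first starts with one space, and the separator line is " ".
POSTED_SAMPLE = [
    "Return-Path: <ki...@braunconsult.com>",
    " To: dyioulos@firstbhph.com",
    " Subject: {Spam?} Re: qutugVjlAGRA",
    " Date: Wed, 26 Jul 2006 09:01:21 -0700",
    " MIME-Version: 1.0",
    " ",
    "CIjALIlS from 3 , 75 $",
    "VlljAGRA from 3 , 35 $",
]

# Dimitri's result, from the X-First1-MailScanner-SpamCheck header (unfolded).
MAILSCANNER_CHECK = (
    "spam, SBL+XBL, SpamAssassin (not cached, score=7.414, required 6, "
    "BAYES_99 3.50, HTML_50_60 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, "
    "URIBL_WS_SURBL 2.14)"
)

# Martin's report, with the mail line wrapping seen in the quoted replies.
SA_REPORT = """\
  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.5 MISSING_HB_SEP         Missing blank line between message
header and body
  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable
relay lines
  3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
  0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation -
{3}Letter 3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
  2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
  0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel
sequence 2.0 BAYES_80               BODY: Bayesian spam probability
is 80 to 95% [score: 0.8279]
  1.8 MISSING_SUBJECT        Missing Subject: header
  5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
  0.3 SARE_URI_CONS7         body contains link to probable spammer
  0.1 TO_CC_NONE             No To: or Cc: header
  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
  0.5 FM_NO_TO               FM_NO_TO
  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
  0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
"""

# A row is "<score> <RULE> <description>"; it ends where the next row starts.
ROW = re.compile(r"(-?\d+\.\d+) ([A-Z][A-Z0-9_]+) (.*?)"
                 r"(?= -?\d+\.\d+ [A-Z][A-Z0-9_]+ |$)")


def parse_sa_report(text):
    """Return {rule: (score, description)}, tolerating mail-wrapped rows."""
    flat = " ".join(text.split())
    return {m[2]: (float(m[1]), m[3]) for m in ROW.finditer(flat)}


def parse_mailscanner(value):
    """Return {rule: score} from the parenthesised SpamAssassin part."""
    inside = re.search(r"SpamAssassin \((.*)\)", value).group(1)
    return {rule: float(score) for rule, score in
            re.findall(r"([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", inside)}


def visible_headers(lines):
    """Header names and parser defects for the message exactly as given."""
    msg = email.message_from_string("\n".join(lines) + "\n")
    return ([k.lower() for k in msg.keys()],
            [type(d).__name__ for d in msg.defects])


def repair(lines):
    """Drop the one-space indent (the excerpt has no real folded headers)."""
    return [ln[1:] if ln.startswith(" ") else ln for ln in lines]


def contradicted_rules(report, lines):
    """Rules claiming a header is missing that the repaired message has."""
    posted, _ = visible_headers(lines)
    fixed, _ = visible_headers(repair(lines))
    out = []
    for rule, (_, desc) in report.items():
        if not re.match(r"(Missing|No) .*header$", desc):
            continue
        names = {n.lower() for n in re.findall(r"([A-Za-z-]+):", desc)}
        if names and not names & set(posted) and names & set(fixed):
            out.append(rule)
    return sorted(out)


if __name__ == "__main__":
    martin = parse_sa_report(SA_REPORT)
    dimitri = parse_mailscanner(MAILSCANNER_CHECK)
    print("shared rules:", sorted(set(martin) & set(dimitri)))
    print("as posted:   ", visible_headers(POSTED_SAMPLE))
    print("paste hits:  ", contradicted_rules(martin, POSTED_SAMPLE))
```

As posted, only Return-Path parses as a header and the parser flags a missing header/body separator, which lines up with the MISSING_HB_SEP, MISSING_SUBJECT and TO_CC_NONE hits in Martin's report. The two result sets share no rule at all.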

Re: Should this hit more rules?

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote:
> Dimitri Yioulos wrote:
> > On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> >> Dimitri Yioulos wrote:
> >>> Hello to all.
> >>>
> >>> I'm wondering why the following isn't hitting more rules:
> >>>
> >>> Return-Path: <ki...@braunconsult.com>
> >>>  Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> >>> [216.130.126.2] (may be forged))
> >>>         by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
> >>> SMTP id k6QG52CZ028664
> >>>         for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02
> >>> -0400 Message-ID: <00...@ejp63>
> >>>  Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
> >>>  From: "Janele Kinyon" <ki...@braunconsult.com>
> >>>  To: dyioulos@firstbhph.com
> >>>  Subject: {Spam?} Re: qutugVjlAGRA
> >>>  Date: Wed, 26 Jul 2006 09:01:21 -0700
> >>>  MIME-Version: 1.0
> >>>  Content-Type: multipart/alternative;
> >>>   boundary="----=_NextPart_000_0001_01C6B092.10472690"
> >>>  X-Priority: 3
> >>>  X-MSMail-Priority: Normal
> >>>  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> >>>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>>  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym)
> >>> to: archive@firstbhph.com
> >>>  X-First1-MailScanner-Information: Please contact First 1
> >>> Financial Corporation for more information
> >>>  X-First1-MailScanner: Found to be clean
> >>>  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin
> >>> (not cached,
> >>>         score=7.414, required 6, BAYES_99 3.50, HTML_50_60
> >>> 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> >>> X-First1-MailScanner-SpamScore: sssssss
> >>>  X-MailScanner-From: kinyi@braunconsult.com
> >>>  Status: R
> >>>  X-Status: NC
> >>>  X-KMail-EncryptionState:
> >>>  X-KMail-SignatureState:
> >>>  X-KMail-MDN-Sent:
> >>>
> >>> CIjALIlS from 3 , 75 $
> >>> VlljAGRA from 3 , 35 $
> >>> AMjBlIEN
> >>> VAjLIlUM from 1 , 25 $
> >>>
> >>> I'm using the following rules in my setup:
> >>>
> >>> TRIPWIRE
> >>> SARE_RANDOM
> >>> BOGUSVIRUS
> >>> SARE_EVILNUMBERS0
> >>> SARE_SPOOF
> >>> SARE_BAYES_POISON_NXM
> >>> SARE_SPECIFIC
> >>> SARE_ADULT
> >>> SARE_UNSUB
> >>> SARE_URI0
> >>> SARE_GENLSUBJ0
> >>> SARE_WHITELIST_RCVD
> >>> SARE_WHITELIST_SPF
> >>> SARE_REDIRECT_POST300
> >>> SARE_FRAUD
> >>> SARE_HEADER0
> >>> SARE_BML
> >>> SARE_OEM
> >>> SARE_OBFU
> >>>
> >>> along with Bayes, DCC, Razor, and Pyzor.
> >>>
> >>> Forgive my ignorance, but I would think that this would trip
> >>> more rules.  I seem to be getting an increasing number of
> >>> obvious spam which "only" hit bayes, DCC and/or Razor and/or
> >>> Pyzor, and RBLs (and, of course, I'm grateful for that!).  Few,
> >>> if any, other rules are hit.  Running "spamassassin -D --lint"
> >>> shows all of my rules being read, and throws no errors.
> >>>
> >>> Oh, yeah, this is a CentOS 3.7 box, running
> >>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1,
> >>> clamav-0.88.3, and mailscanner-4.54.6-1.
> >>>
> >>> Thanks.
> >>>
> >>> Dimitri
> >>
> >> Dimitri
> >> here's what hit with me on my SA 3.1.3 with lots of extra SARE
> >> etc rules..
> >> Content analysis details:   (28.5 points, 5.0 required)
> >>
> >>   pts rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >>   2.5 MISSING_HB_SEP         Missing blank line between message header and body
> >>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >>   3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
> >>   0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
> >>   3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
> >>   2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
> >>   0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
> >>   2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
> >>   1.8 MISSING_SUBJECT        Missing Subject: header
> >>   5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
> >>   0.3 SARE_URI_CONS7         body contains link to probable spammer
> >>   0.1 TO_CC_NONE             No To: or Cc: header
> >>   2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
> >>   0.5 FM_NO_TO               FM_NO_TO
> >>   1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
> >>   0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
> >
> > Martin,
> >
> > What rules are you using that I'm not?  Your results are much more
> > what I have in mind for my setup.
>
> Looks like he is using some "unofficial" SARE rules.
>
> http://rulesemporium.com/rules/99_FVGT_meta.cf
> http://www.rulesemporium.com/rules/88_FVGT_body.cf

I'll try 'em.  Are those the only rules that contribute to Martin's 
score, other than the ones I already have?

This is curious, too - URI_NOVOWEL is tripped in his setup, but not on 
mine (I know that this is installed on my system).  Why would that 
be?

Dimitri



Re: Should this hit more rules?

Posted by Dave Pooser <da...@pooserville.com>.
>>> http://rulesemporium.com/rules/99_FVGT_meta.cf
>>> http://www.rulesemporium.com/rules/88_FVGT_body.cf
>> 
>> Fred writes good rules.  ;-)
>> 
>>         Loren
> 
> Indeed!  Score on the stoopid spam example in my earlier post jumped
> up nicely.  Thanks, Fred.

This post inspired me to try Fred's rules (as found on rulesemporium.com)
out; after about 30 hours of testing I just removed them because of the
large number of FPs. I hate to throw the baby out with the bathwater,
though-- is there anyplace these rules are documented so I can get an idea
of which (if any) might be keepers for me? My Perl-fu is weak enough that
just reading the rules text isn't necessarily helpful.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"Someone once asked me if I had learned anything from going to war
so many times. My reply: Yes, I learned how to cry."
    -- War correspondent Joe Galloway



Re: Should this hit more rules?

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Thursday July 27 2006 5:48 am, Loren Wilton wrote:
> > Looks like he is using some "unofficial" SARE rules.
> >
> > http://rulesemporium.com/rules/99_FVGT_meta.cf
> > http://www.rulesemporium.com/rules/88_FVGT_body.cf
>
> Fred writes good rules.  ;-)
>
>         Loren

Indeed!  Score on the stoopid spam example in my earlier post jumped 
up nicely.  Thanks, Fred.

Dimitri



Re: Should this hit more rules?

Posted by jdow <jd...@earthlink.net>.
From: "Loren Wilton" <lw...@earthlink.net>
>> Looks like he is using some "unofficial" SARE rules.
>> 
>> http://rulesemporium.com/rules/99_FVGT_meta.cf
>> http://www.rulesemporium.com/rules/88_FVGT_body.cf
> 
> 
> Fred writes good rules.  ;-)

I think at least some of Fred's rules are now formal SARE rule
sets, though.
{^_-}

Re: Should this hit more rules?

Posted by Loren Wilton <lw...@earthlink.net>.
> Looks like he is using some "unofficial" SARE rules.
> 
> http://rulesemporium.com/rules/99_FVGT_meta.cf
> http://www.rulesemporium.com/rules/88_FVGT_body.cf


Fred writes good rules.  ;-)

        Loren


Re: Should this hit more rules?

Posted by Stuart Johnston <st...@ebby.com>.
Dimitri Yioulos wrote:
> On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
>> Dimitri Yioulos wrote:
>>> Hello to all.
>>>
>>> I'm wondering why the following isn't hitting more rules:
>>>
>>> Return-Path: <ki...@braunconsult.com>
>>>  Received: from braunconsult.com (216-130-126-2.cimcoisp.net
>>> [216.130.126.2] (may be forged))
>>>         by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
>>> SMTP id k6QG52CZ028664
>>>         for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02
>>> -0400 Message-ID: <00...@ejp63>
>>>  Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
>>>  From: "Janele Kinyon" <ki...@braunconsult.com>
>>>  To: dyioulos@firstbhph.com
>>>  Subject: {Spam?} Re: qutugVjlAGRA
>>>  Date: Wed, 26 Jul 2006 09:01:21 -0700
>>>  MIME-Version: 1.0
>>>  Content-Type: multipart/alternative;
>>>   boundary="----=_NextPart_000_0001_01C6B092.10472690"
>>>  X-Priority: 3
>>>  X-MSMail-Priority: Normal
>>>  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
>>>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>>>  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to:
>>> archive@firstbhph.com
>>>  X-First1-MailScanner-Information: Please contact First 1
>>> Financial Corporation for more information
>>>  X-First1-MailScanner: Found to be clean
>>>  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not
>>> cached,
>>>         score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
>>>         HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
>>>  X-First1-MailScanner-SpamScore: sssssss
>>>  X-MailScanner-From: kinyi@braunconsult.com
>>>  Status: R
>>>  X-Status: NC
>>>  X-KMail-EncryptionState:
>>>  X-KMail-SignatureState:
>>>  X-KMail-MDN-Sent:
>>>
>>> CIjALIlS from 3 , 75 $
>>> VlljAGRA from 3 , 35 $
>>> AMjBlIEN
>>> VAjLIlUM from 1 , 25 $
>>>
>>> I'm using the following rules in my setup:
>>>
>>> TRIPWIRE
>>> SARE_RANDOM
>>> BOGUSVIRUS
>>> SARE_EVILNUMBERS0
>>> SARE_SPOOF
>>> SARE_BAYES_POISON_NXM
>>> SARE_SPECIFIC
>>> SARE_ADULT
>>> SARE_UNSUB
>>> SARE_URI0
>>> SARE_GENLSUBJ0
>>> SARE_WHITELIST_RCVD
>>> SARE_WHITELIST_SPF
>>> SARE_REDIRECT_POST300
>>> SARE_FRAUD
>>> SARE_HEADER0
>>> SARE_BML
>>> SARE_OEM
>>> SARE_OBFU
>>>
>>> along with Bayes, DCC, Razor, and Pyzor.
>>>
>>> Forgive my ignorance, but I would think that this would trip more
>>> rules.  I seem to be getting an increasing number of obvious spam
>>> which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs
>>> (and, of course, I'm grateful for that!).  Few, if any, other
>>> rules are hit.  Running "spamassassin -D --lint" shows all of my
>>> rules being read, and throws no errors.
>>>
>>> Oh, yeah, this is a CentOS 3.7 box, running
>>> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3,
>>> and mailscanner-4.54.6-1.
>>>
>>> Thanks.
>>>
>>> Dimitri
>> Dimitri
>> here's what hit with me on my SA 3.1.3 with lots of extra SARE etc
>> rules..
>> Content analysis details:   (28.5 points, 5.0 required)
>>
>>   pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>   2.5 MISSING_HB_SEP         Missing blank line between message header and body
>>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>>   3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
>>   0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
>>   3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
>>   2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
>>   0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
>>   2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
>>   1.8 MISSING_SUBJECT        Missing Subject: header
>>   5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
>>   0.3 SARE_URI_CONS7         body contains link to probable spammer
>>   0.1 TO_CC_NONE             No To: or Cc: header
>>   2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
>>   0.5 FM_NO_TO               FM_NO_TO
>>   1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
>>   0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
>>
>>
> 
> Martin,
> 
> What rules are you using that I'm not?  Your results are much more what 
> I have in mind for my setup.

Looks like he is using some "unofficial" SARE rules.

http://rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf

Re: Should this hit more rules?

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote:
> Dimitri Yioulos wrote:
> > Hello to all.
> >
> > I'm wondering why the following isn't hitting more rules:
> >
> > Return-Path: <ki...@braunconsult.com>
> >  Received: from braunconsult.com (216-130-126-2.cimcoisp.net
> > [216.130.126.2] (may be forged))
> >         by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with
> > SMTP id k6QG52CZ028664
> >         for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02
> > -0400 Message-ID: <00...@ejp63>
> >  Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
> >  From: "Janele Kinyon" <ki...@braunconsult.com>
> >  To: dyioulos@firstbhph.com
> >  Subject: {Spam?} Re: qutugVjlAGRA
> >  Date: Wed, 26 Jul 2006 09:01:21 -0700
> >  MIME-Version: 1.0
> >  Content-Type: multipart/alternative;
> >   boundary="----=_NextPart_000_0001_01C6B092.10472690"
> >  X-Priority: 3
> >  X-MSMail-Priority: Normal
> >  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> >  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to:
> > archive@firstbhph.com
> >  X-First1-MailScanner-Information: Please contact First 1
> > Financial Corporation for more information
> >  X-First1-MailScanner: Found to be clean
> >  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not
> > cached,
> >         score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
> >         HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
> >  X-First1-MailScanner-SpamScore: sssssss
> >  X-MailScanner-From: kinyi@braunconsult.com
> >  Status: R
> >  X-Status: NC
> >  X-KMail-EncryptionState:
> >  X-KMail-SignatureState:
> >  X-KMail-MDN-Sent:
> >
> > CIjALIlS from 3 , 75 $
> > VlljAGRA from 3 , 35 $
> > AMjBlIEN
> > VAjLIlUM from 1 , 25 $
> >
> > I'm using the following rules in my setup:
> >
> > TRIPWIRE
> > SARE_RANDOM
> > BOGUSVIRUS
> > SARE_EVILNUMBERS0
> > SARE_SPOOF
> > SARE_BAYES_POISON_NXM
> > SARE_SPECIFIC
> > SARE_ADULT
> > SARE_UNSUB
> > SARE_URI0
> > SARE_GENLSUBJ0
> > SARE_WHITELIST_RCVD
> > SARE_WHITELIST_SPF
> > SARE_REDIRECT_POST300
> > SARE_FRAUD
> > SARE_HEADER0
> > SARE_BML
> > SARE_OEM
> > SARE_OBFU
> >
> > along with Bayes, DCC, Razor, and Pyzor.
> >
> > Forgive my ignorance, but I would think that this would trip more
> > rules.  I seem to be getting an increasing number of obvious spam
> > which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs
> > (and, of course, I'm grateful for that!).  Few, if any, other
> > rules are hit.  Running "spamassassin -D --lint" shows all of my
> > rules being read, and throws no errors.
> >
> > Oh, yeah, this is a CentOS 3.7 box, running
> > sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3,
> > and mailscanner-4.54.6-1.
> >
> > Thanks.
> >
> > Dimitri
>
> Dimitri
> here's what hit with me on my SA 3.1.3 with lots of extra SARE etc
> rules..
> Content analysis details:   (28.5 points, 5.0 required)
>
>   pts rule name              description
> ---- ---------------------- --------------------------------------------------
>   2.5 MISSING_HB_SEP         Missing blank line between message header and body
>   0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>   3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
>   0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
>   3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
>   2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
>   0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
>   2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
>   1.8 MISSING_SUBJECT        Missing Subject: header
>   5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
>   0.3 SARE_URI_CONS7         body contains link to probable spammer
>   0.1 TO_CC_NONE             No To: or Cc: header
>   2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
>   0.5 FM_NO_TO               FM_NO_TO
>   1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
>   0.7 FM_MULTI_ODD3          FM_MULTI_ODD3
>
>

Martin,

What rules are you using that I'm not?  Your results are much more what 
I have in mind for my setup.

Dimitri



Re: Should this hit more rules?

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Dimitri Yioulos wrote:
> Hello to all.
> 
> I'm wondering why the following isn't hitting more rules:
> 
> Return-Path: <ki...@braunconsult.com>
>  Received: from braunconsult.com (216-130-126-2.cimcoisp.net 
> [216.130.126.2] (may be forged))
>         by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id 
> k6QG52CZ028664
>         for <dy...@firstbhph.com>; Wed, 26 Jul 2006 12:05:02 -0400
>  Message-ID: <00...@ejp63>
>  Reply-To: "Janele Kinyon" <ki...@braunconsult.com>
>  From: "Janele Kinyon" <ki...@braunconsult.com>
>  To: dyioulos@firstbhph.com
>  Subject: {Spam?} Re: qutugVjlAGRA
>  Date: Wed, 26 Jul 2006 09:01:21 -0700
>  MIME-Version: 1.0
>  Content-Type: multipart/alternative;
>   boundary="----=_NextPart_000_0001_01C6B092.10472690"
>  X-Priority: 3
>  X-MSMail-Priority: Normal
>  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>  X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: 
> archive@firstbhph.com
>  X-First1-MailScanner-Information: Please contact First 1 Financial 
> Corporation for more information
>  X-First1-MailScanner: Found to be clean
>  X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not 
> cached,
>         score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13,
>         HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
>  X-First1-MailScanner-SpamScore: sssssss
>  X-MailScanner-From: kinyi@braunconsult.com
>  Status: R
>  X-Status: NC
>  X-KMail-EncryptionState: 
>  X-KMail-SignatureState: 
>  X-KMail-MDN-Sent: 
>  
> CIjALIlS from 3 , 75 $
> VlljAGRA from 3 , 35 $
> AMjBlIEN
> VAjLIlUM from 1 , 25 $
> 
> I'm using the following rules in my setup:
> 
> TRIPWIRE
> SARE_RANDOM
> BOGUSVIRUS
> SARE_EVILNUMBERS0
> SARE_SPOOF
> SARE_BAYES_POISON_NXM
> SARE_SPECIFIC
> SARE_ADULT
> SARE_UNSUB
> SARE_URI0
> SARE_GENLSUBJ0
> SARE_WHITELIST_RCVD
> SARE_WHITELIST_SPF
> SARE_REDIRECT_POST300
> SARE_FRAUD
> SARE_HEADER0
> SARE_BML
> SARE_OEM
> SARE_OBFU
> 
> along with Bayes, DCC, Razor, and Pyzor.
> 
> Forgive my ignorance, but I would think that this would trip more 
> rules.  I seem to be getting an increasing number of obvious spam 
> which "only" hit bayes, DCC and/or Razor and/or Pyzor, and RBLs (and, 
> of course, I'm grateful for that!).  Few, if any, other rules are 
> hit.  Running "spamassassin -D --lint" shows all of my rules being 
> read, and throws no errors.
> 
> Oh, yeah, this is a CentOS 3.7 box, running 
> sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3, and 
> mailscanner-4.54.6-1.
> 
> Thanks.
> 
> Dimitri
> 
Dimitri,
here's what hit with me on my SA 3.1.3 with lots of extra SARE etc. rules:
Content analysis details:   (28.5 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.5 MISSING_HB_SEP         Missing blank line between message header and body
  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
  3.7 FB_VIAGRA_LEO3         BODY: FB_VIAGRA_LEO3
  0.6 J_CHICKENPOX_33        BODY: {3}Letter - punctuation - {3}Letter
  3.3 FB_CIALIS_LEO3         BODY: FB_CIALIS_LEO3
  2.7 FB_VALIUM_LEO3         BODY: FB_VALIUM_LEO3
  0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
  2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                             [score: 0.8279]
  1.8 MISSING_SUBJECT        Missing Subject: header
  5.9 HELO_LEO_PILLS         HELO_LEO_PILLS
  0.3 SARE_URI_CONS7         body contains link to probable spammer
  0.1 TO_CC_NONE             No To: or Cc: header
  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
  0.5 FM_NO_TO               FM_NO_TO
  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
  0.7 FM_MULTI_ODD3          FM_MULTI_ODD3


-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300



Re: Should this hit more rules?

Posted by jdow <jd...@earthlink.net>.
From: "Dimitri Yioulos" <dy...@firstbhph.com>
 
CIjALIlS from 3 , 75 $
VlljAGRA from 3 , 35 $
AMjBlIEN
VAjLIlUM from 1 , 25 $

I'm using the following rules in my setup:

TRIPWIRE
SARE_RANDOM
BOGUSVIRUS
SARE_EVILNUMBERS0
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_SPECIFIC
SARE_ADULT
SARE_UNSUB
SARE_URI0
SARE_GENLSUBJ0
SARE_WHITELIST_RCVD
SARE_WHITELIST_SPF
SARE_REDIRECT_POST300
SARE_FRAUD
SARE_HEADER0
SARE_BML
SARE_OEM
SARE_OBFU

There are rule sets at SARE that catch these drug ads. Look for
"drug" in the rule title. Read the descriptions for the various
related files, and pick what seems appropriate for your needs.

{^_^}
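
An added illustration, not part of any post in this thread and not taken from the SARE rule sets: a sketch of how an obfuscation-tolerant body rule can match the disguised drug names in the quoted spam while ignoring the plain spellings. The rule names `LOCAL_OBFU_*`, the score of 2.0 and the treatment of `j` as filler are assumptions made for this example.

```python
import re

# Spam body lines copied from the message quoted in this thread.
SAMPLE_BODY = "CIjALIlS from 3 , 75 $\nVlljAGRA from 3 , 35 $\nAMjBlIEN\nVAjLIlUM from 1 , 25 $"
# Constructed legitimate text: it must produce no hits.
HAM_BODY = "The specialist prescribed Valium and Ambien; see the Cialis leaflet."

DRUGS = ("viagra", "cialis", "valium", "ambien")
# Look-alike classes: the sample puts lowercase 'l' in place of or next to capital 'I'.
LOOKALIKE = {"i": "[il1|!]", "l": "[li1|]"}
# Filler allowed between letters: punctuation, underscore, and the stray 'j'
# this campaign inserts. Treating 'j' as filler is an assumption from this one sample.
FILLER = r"(?:[^\w\s]|[_j])*"


def obfu_regex(word):
    """Regex source matching disguised spellings of word, but not the plain word."""
    letters = [LOOKALIKE.get(ch, re.escape(ch)) + "+" for ch in word]
    return rf"(?<!\w)(?!{word}(?!\w)){FILLER.join(letters)}(?!\w)"


RULES = {f"LOCAL_OBFU_{w.upper()}": re.compile(obfu_regex(w), re.I) for w in DRUGS}


def scan(body):
    """Return {rule name: first matched token} for every rule that fires."""
    hits = {}
    for name, rx in RULES.items():
        m = rx.search(body)
        if m:
            hits[name] = m.group(0)
    return hits


def as_local_cf(word, score=2.0):
    """Render one rule in SpamAssassin body-rule syntax (hypothetical name and score)."""
    name = f"LOCAL_OBFU_{word.upper()}"
    return (f"body     {name} /{obfu_regex(word)}/i\n"
            f"describe {name} Disguised spelling of {word}\n"
            f"score    {name} {score}")


if __name__ == "__main__":
    for name, token in scan(SAMPLE_BODY).items():
        print(f"{name:20} matched {token!r}")
    print("ham hits:", scan(HAM_BODY))
    print(as_local_cf("viagra"))
```

Patterns this loose can also fire on rare legitimate words (for example "vallum" matches the valium pattern), so test any such rule against a ham corpus before giving it a high score.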

Re: Should this hit more rules?

Posted by Bazooka Joe <fa...@gmail.com>.
I am getting a lot of the same spam making it through SA.  But my SA score
is much lower.  Have you adjusted any of your scoring higher?  I have been
getting this email for about a week - how long does it take to get picked up
in spamcop, pyzor, sbl-xbl ........?

rules:
SARE_STOCKS
TRIPWIRE
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HTML
SARE_SPECIFIC
SARE_OBFU
SARE_REDIRECT
SARE_GENLSUBJ
SARE_UNSUB
SARE_WHITELIST

Return-Path: <la...@fmtinv.com>
Received: from slackfish.com ([10.10.0.2])
    by agwebinc.com (8.13.7/8.13.6) with ESMTP id k6QFqRjQ019792
    for <ch...@agweb.net>; Wed, 26 Jul 2006 08:52:28 -0700
Received: from fmtinv.com (200-233-247-084.xd-dynamic.ctbcnetsuper.com.br [200.233.247.84])
    by slackfish.com (8.13.1/8.12.10) with SMTP id k6QFv1NC022143
    for <ad...@almondexchange.com>; Wed, 26 Jul 2006 08:57:03 -0700
Message-ID: <00...@gli95>
Reply-To: "Lareyna Krizan" <la...@fmtinv.com>
From: "Lareyna Krizan" <la...@fmtinv.com>
To: administrator@almondexchange.com
Subject: Re: eodugVjlAGRA
Date: Wed, 26 Jul 2006 08:48:02 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_01C6B090.347E27E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Virus-Scanned: ClamAV 0.86.2/1538/Tue Jun 13 13:17:56 2006, clamav-milter version 0.70j
X-Spam-Status: No, score=2.6 required=3.0 tests=BAYES_50,HTML_50_60,
    HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,URIBL_AB_SURBL
    autolearn=no version=3.0.6
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on agwebinc.com

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C6B090.347E27E0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

=20
VAjLIlUM from 1 , 25 $
AMjBlIEN
CIjALIlS from 3 , 75 $
VlljAGRA from 3 , 35 $
=20
http://www.sklodamisaron.com
=20

,

,

,

,

There was the quick thud-thud of marching feet and Sergeant Ljotur
came in with an armed squad of soldiers. Armed with wicked-looking
spears with gleaming points and barbed shafts.




