Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2007/08/01 03:05:02 UTC

Attachments still?

Still getting these attachments with SA-3.1.7 + SARE + sa-update +
amavisd + clamav with sanesecurity sigs. Should I be blocking these with
those rule sets? Can someone test this to see how you may be blocking?

http://esmtp.webtent.net/mail1.txt

Thanks :)
-- 
Robert


Re: Attachments still?

Posted by Jari Fredriksson <ja...@iki.fi>.
Robert Fitzpatrick wrote:
> Still getting these attachments with SA-3.1.7 + SARE + sa-update +
> amavisd + clamav with sanesecurity sigs. Should I be blocking these
> with those rule sets? Can someone test this to see how you may be
> blocking? 
> 
> http://esmtp.webtent.net/mail1.txt
> 
> Thanks :)


Content analysis details:   (12.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
[botnet_clientwords,ip=66.18.53.26,rdns=static-host-66-18-53-26.epbinternet.com]
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.7,ip=66.18.53.26,hostname=static-host-66-18-53-26.epbinternet.com,maildomain=benmenasha.net,client,ipinhostname,clientwords]
 0.0 DKIM_POLICY_SIGNSOME   Domain Keys Identified Mail: policy says domain
                            signs some mails
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
[botnet_ipinhosntame,ip=66.18.53.26,rdns=static-host-66-18-53-26.epbinternet.com]
 0.0 BOTNET_CLIENT          Relay has a client-like hostname
[botnet_client,ip=66.18.53.26,hostname=static-host-66-18-53-26.epbinternet.com,ipinhostname,clientwords]
 1.9 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9899]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 0.1 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message



Re: Attachments still?

Posted by Matt Kettler <mk...@verizon.net>.
Robert Fitzpatrick wrote:
> Still getting these attachments with SA-3.1.7 + SARE + sa-update +
> amavisd + clamav with sanesecurity sigs. Should I be blocking these with
> those rule sets? Can someone test this to see how you may be blocking?
>
> http://esmtp.webtent.net/mail1.txt
>
> Thanks :)
>   
3.2.0 seems to do a nice job here.

All of these tests are in a vanilla 3.2.0 with sa-update on my test system.

X-Spam-Status: Yes, score=6.6 required=5.0 tests=DKIM_POLICY_SIGNSOME,
        FH_HELO_EQ_D_D_D_D,RCVD_ILLEGAL_IP,TVD_SPACE_RATIO autolearn=no
        version=3.2.0


 0.5 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 0.0 DKIM_POLICY_SIGNSOME   Domain Keys Identified Mail: policy says domain
                            signs some mails
 3.2 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 2.9 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO