Posted to users@spamassassin.apache.org by "Toll, Eric" <et...@vipstructures.com> on 2005/06/14 21:09:23 UTC
Whoa! 258.0 points score
Take a look. I think this is the highest I've seen in a
while. Fraud is a terrible thing.
The message has been quarantined as:
spam-bJacn2m5vocT.gz
SpamAssassin report:
Spam detection software, running on the system
"rodan.vipstructures.com", has identified this incoming
email as possible spam. The original message has been
attached to this so you can view it (if it isn't spam) or
label similar future email. If you have any questions, see
nic@ddn.mil for details.
Content preview: eBay request: Pay your fees to eBay. Dear eBay
customer, Due to our new services you have to pay for your eBay fees.
You can pay with your credit/debit card. We will ask for your
credit/debit card only once. We will charge your account once per
month. However you will receive a confirmation request in about 24
hours after the credit/debit card is authorized.You have 24 hours from
the time you'll receive this e-mail to complete this eBay Request.
[...]
Content analysis details: (258.0 points, 5.0 required)
pts  rule name              description
---- ---------------------- --------------------------------------------------
3.8  MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
4.1  MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
0.7  FORGED_RCVD_HELO       Received: contains a forged HELO
1.2  RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
1.0  MY_PHRS_MED            BODY: medium scoring phrases found
2.1  NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
0.2  IP_LINK_PLUS           URI: Dotted-decimal IP address followed by CGI
0.0  HTML_MESSAGE           BODY: HTML included in message
0.1  HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
0.1  HTML_FONT_BIG          BODY: HTML tag for a big font size
0.1  MPART_ALT_DIFF         BODY: HTML and text parts are different
1.3  RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
3.5  BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
0.2  MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
1.9  RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
2.5  DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.6  DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
1.5  RCVD_IN_SBL_XBL        RBL: Received via a relay in Spamhaus SBL+XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
3.1  RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
0.1  RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
1.5  RCVD_IN_CBL            RBL: Received via a relay in cbl.abuseat.org
                            [Blocked - see <http://cbl.abuseat.org/lookup.cgi?ip=62.193.213.212>]
0.1  DIGEST_MULTIPLE        Message hits more than one network digest check
0.1  FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.3  MK_BAD_HTML_06         Bad HTML form. Has an ending HTML tag and no beginning tag.
104  SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
0.6  FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
2.4  MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
110  FORGED_EBAY            FORGED_EBAY
4.0  MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
1.8  COMBO_IMAGEONLY1       Appears to be an image only message
5.0  FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <su...@ebay.com>
X-Greylist: Passed host: 62.193.213.212 whitelisted
Received: from 62.193.213.212 (vds-355370.amen-pro.com [62.193.213.212])
    by rodan.vipstructures.com (Postfix) with SMTP id 269731EE824
    for <us...@vipstructures.com>; Tue, 14 Jun 2005 13:31:24 -0400 (EDT)
Received: from 196.69.72.84 by ; Tue, 14 Jun 2005 20:25:50 +0200
Message-ID: <OB...@charter.net>
From: "aw-confirm@ebay.com" <fe...@ebay.com>
Reply-To: "aw-confirm@ebay.com" <se...@ebay.com>
To: jcheely@vipstructures.com
Subject: Pay Your eBay Fees
Date: Tue, 14 Jun 2005 16:29:50 -0200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--3197286365277249"
X-Priority: 1
X-MSMail-Priority: High
-------------------------- END HEADERS ------------------------------
Re: Whoa! 258.0 points score
Posted by Matt Kettler <mk...@evi-inc.com>.
Bret Miller wrote:
>>Take a look. I think this is the highest I've seen in a
>>while. Fraud is a terrible thing.
>
>
> Then when you realize that 214 points are due to SARE forged ebay rules,
> it's not quite as impressive.
Agreed. The SARE forged rules intentionally have absurdly high scores to
counteract whitelists. Basically they immediately add 100 points to what they
feel the rule score should be.
The two forged rules account for 214 points of that 258 point score.
Thus, if those rules weren't +100 for whitelist counteracting purposes, the
message would have only scored 58. Which is high, but not that high for a system
with lots of SARE rules.
(Adding SARE spam rules will bias your spam scores to be much higher than a
default install. It will also slightly increase your chance of FP, which is
acceptable to many people.)
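
The arithmetic in the replies above, as an added example that is not part of the original posts: a parser for the "Content analysis details" table that separates the +100 whitelist-counteracting offset from each rule's base score. The sample is a five-rule excerpt of the report on this page, so its totals are smaller than 258; the `offset` heuristic (any rule scoring 100 or more carries exactly one offset) and all function names are assumptions.

```python
import re

# Excerpt (five rules) of the report quoted on this page, laid out as
# "pts rule-name description" with indented continuation lines.
REPORT = """\
pts  rule name              description
---- ---------------------- --------------------------------------------------
3.5  BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
3.1  RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [62.193.213.212 listed in sbl-xbl.spamhaus.org]
104  SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
110  FORGED_EBAY            FORGED_EBAY
5.0  FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
"""

# A rule line starts with a score, then an upper-case rule name.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return [(score, rule, description)]; wrapped descriptions are re-joined."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif rules and line.startswith(" ") and line.strip():
            rules[-1][2] += " " + line.strip()  # indented continuation line
    return [tuple(r) for r in rules]

def split_offset(rules, offset=100.0, required=5.0):
    """Strip the whitelist-counteracting offset (assumed: one per rule >= offset)."""
    total = sum(score for score, _, _ in rules)
    boosted = {name: score for score, name, _ in rules if score >= offset}
    adjusted = total - offset * len(boosted)
    return {
        "total": total,                  # score as reported
        "boosted": boosted,              # rules carrying the offset
        "adjusted": adjusted,            # score with the offsets removed
        "still_spam": adjusted >= required,
    }

if __name__ == "__main__":
    result = split_offset(parse_report(REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run over the full 258.0-point table, the same subtraction removes two offsets of 100 and leaves the 58 points mentioned in the reply above.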
RE: Whoa! 258.0 points score
Posted by Bret Miller <br...@wcg.org>.
> Take a look. I think this is the highest I've seen in a
> while. Fraud is a terrible thing.
Then when you realize that 214 points are due to SARE forged ebay rules,
it's not quite as impressive.
Bret