Posted to users@spamassassin.apache.org by "NW7US, Tomas" <nw...@hfradio.org> on 2006/06/08 08:33:52 UTC

Why is this not seen as spam?

Hi.

The following is a sample of mail that seems to pass through spamassassin,  
but somehow seems to get marked as "ham" as it is tested for spam  
content.  I am not able to figure out why this is happening.

If anyone could lend some insight on this, I'd appreciate it.

The one major issue I keep having with my server is with e-mail.  I  
suspect that my sendmail is an open gate for spammers, though not in high  
volume.  I think that I have curtailed a lot of it, but still see strange  
things, that I am trying to track down.  This one is not an open gate  
issue, but is still driving me nuts...

Thanks, in advance, for any help you might be able to offer.

First, I will show you the header information, then the body (at least a  
reasonable copy of the message).

Headers:

> Return-Path: 	<bb...@gms0.mar.lmco.com>	
> X-Spam-Checker-Version: 	SpamAssassin 3.1.3 (2006-06-01) on  
> my.server.domain.org	
> X-Spam-Level: 		
> X-Spam-Status: 	No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,  
> UPPERCASE_25_50
>                 autolearn=ham version=3.1.3	
> Received: 	from 143000144 (host-213-213-227-17.brutele.be  
> [213.213.227.17]) by                my.server.domain.org  
> (8.12.11/8.12.11) with SMTP id k581jZvD024979                for  
> <to...@some.virtual.domainname.org>; Wed, 7 Jun 2006 18:46:32 -0700
> Received: 	from gms0.mar.lmco.com (142854568 [142884056]) by 
>                 host-213-213-227-17.brutele.be (Qmailv1) with ESMTP id  
> D1E9EE1BD9 for                <to...@some.virtual.domainname.org>; Wed,  
> 07 Jun 2006 20:48:40 -0500	
> Date: 	Wed, 07 Jun 2006 20:48:40 -0500	
> From: 	"Guiana V. Darkness" <bb...@gms0.mar.lmco.com>	
> X-Mailer: 	The Bat! (v2.00.8) Personal	
> X-Priority: 	3	
> Message-ID: 	<33...@gms0.mar.lmco.com>	
> To: 	Tomas <to...@some.virtual.domainname.org>	
> Subject: 	did the please 's ROI inform CLIFFORD 's penny	
> X-AntiVirus: 	skaner antywirusowy poczty Wirtualnej Polski S. A.	
> Status: 	O	
> X-UID: 	656	
> Content-Length: 	1248	
> X-Keywords: 		
> X-Antivirus: 	AVG for E-mail 7.1.394 [268.8.2/357]	
> Mime-Version: 	1.0	
> Content-Transfer-Encoding: 	7bit	
> Content-Type: 	text/plain

(I think that the AVG header is from my local box which is used to pop3  
the message from my server.  AVG is used locally on all incoming mail from  
my pop mailbox).

Now, the body:

> WE TOLD YOU TO WATCH!!!
>  IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!  
> Profits of 200-400% EXPECTED TRADING  SYMB0L: ABSY      Opening Price:  
> 0.98
>   Yes, it is MOVING, Tomorrow could be even BIGGER!!! A $1,000 dollar  
> investment could yield a $5,000 dollar profit injust one trade if you  
> trade out at the top. ABSY should be one of
> the most profitable ST0CKs to trade this year. In this range the
> ST0CK has potential to move in either direction in bigs wings.This means  
> you should be able to buy at the lows and sell at thehighs for months to  
> come. YOU COULD MAKE $$$THOUSANDS OF DOLLARS$$$ TRADING.THIS OVER AND  
> OVER AGAIN. ABSY is also on The REG SHO Threshold list, this means  
> someone is
> short the ST0CK. Any significant volume spike could yield drastic
> results. If the people that are short have to cover, they will bebuying  
> the shares from you at higher prices. This makes this ST0CKa TRIPLE PLAY  
> for profits. For pennies you can participate in a ST0CK that could yield  
> results
> over and over again just based on the trading patterns if thecompany is  
> able to effectuate it's business model. WATCH OUT!!!We could see a GREAT  
> STORY IN THE MAKING. GOOD LUCK AND TRADE OUT AT THE TOP!!!!
>   --No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.8.2/357 - Release Date: 6/6/2006

-- 

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: [SPAM-TAG] Why is this not seen as spam?

Posted by jdow <jd...@earthlink.net>.
"user_conf"? It's a user_prefs for each user and local.cf for the whole
installation, normally, 'ix-ishly speaking.

{o.o}
----- Original Message ----- 
From: "NW7US, Tomas" <nw...@hfradio.org>


> Excellent!
> 
> I am doing this, now.
> 
> One other question: where would I find a reasonably aggressive user_conf  
> example for version 3.1.3?
> 
> Thank you for the help so far.
> 
> On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan <je...@surbl.org> wrote:
> 
>> Try using the SARE stock rules:
>>
>>   http://www.rulesemporium.com/rules.htm
> 
> 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
> 
> : Propagation Editor for CQ, CQ VHF, Popular Communications :
> : Creator; live propagation center http://prop.hfradio.org/ :
> : Associate Member of Propagation Studies Committee of RSGB :
> : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
> : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
> : Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: [SPAM-TAG] Why is this not seen as spam?

Posted by "NW7US, Tomas" <nw...@hfradio.org>.
Excellent!

I am doing this, now.

One other question: where would I find a reasonably aggressive user_conf  
example for version 3.1.3?

Thank you for the help so far.

On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan <je...@surbl.org> wrote:

> Try using the SARE stock rules:
>
>   http://www.rulesemporium.com/rules.htm

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: [SPAM-TAG] Why is this not seen as spam?

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, June 7, 2006, 11:33:52 PM, Tomas NW7US wrote:
> The following is a sample of mail that seems to pass through spamassassin,
> but somehow seems to get marked as "ham" as it is tested for spam  
> content.  I am not able to figure out why this is happening.

Try using the SARE stock rules:

  http://www.rulesemporium.com/rules.htm

> The one major issue I keep having with my server is with e-mail.  I  
> suspect that my sendmail is an open gate for spammers, though not in high  
> volume.  I think that I have curtailed a lot of it, but still see strange  
> things, that I am trying to track down.  This one is not an open gate  
> issue, but is still driving me nuts...

If your sendmail is recent (past few years) it won't be open
relay by default.  If it's not current, upgrade.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Why is this not seen as spam?

Posted by jdow <jd...@earthlink.net>.
Tomas, I presume you have a sterling reason for not using Bayes. At
least I see no hint of a Bayes score in your headers even though it
says it autolearned as ham. Either you are autolearning to a different
database than you are using for scanning or you really hashed up its
initial training. Or so it seems to this person whose messages are
always HAM the same as yours - for the same reason. ('cept I'm a W6)

{^_-}

Re: Why is this not seen as spam?

Posted by Greg McCann <gr...@cambria.com>.
On 6/7/2006 at 11:33 PM NW7US, Tomas <nw...@hfradio.org> wrote:

>The following is a sample of mail that seems to pass through spamassassin,

...

>> WE TOLD YOU TO WATCH!!!
>>  IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!  

...

Bayes training, plus the 70_sare_stocks.cf ruleset has caught almost all of my stock spam.


Greg
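
Added example (not part of any post in the thread): a small Python check that parses the X-Spam-Status header quoted in the original message and flags the condition pointed out in the replies, autolearn=ham with no BAYES_* rule among the tests. The function names and finding labels are invented for this illustration, and the sample header is reconstructed from the values shown in the thread.

```python
import re

# Constructed sample: the X-Spam-Status values quoted in the thread, folded
# the way a mail header is folded (continuation lines start with whitespace).
SAMPLE_HEADERS = (
    "X-Spam-Status: No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,\n"
    "\tUPPERCASE_25_50 autolearn=ham version=3.1.3\n"
    "Date: Wed, 07 Jun 2006 20:48:40 -0500\n"
)


def parse_spam_status(raw_headers):
    """Return the X-Spam-Status fields as a dict, or None if the header is absent."""
    # Unfold: a line break followed by whitespace continues the previous header.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    m = re.search(r"^X-Spam-Status:\s*(Yes|No),\s*(.*)$", unfolded, re.M | re.I)
    if not m:
        return None
    rest = m.group(2)
    status = dict(re.findall(r"(\w+)=(\S+)", rest))
    # tests= is a comma-separated list; after unfolding it may contain spaces,
    # so read up to the next key=value pair instead of the next space.
    tests = re.search(r"tests=(.*?)(?=\s+\w+=|$)", rest)
    names = re.split(r"[,\s]+", tests.group(1)) if tests else []
    status["tests"] = [n for n in names if n and n != "none"]
    status["is_spam"] = m.group(1).lower() == "yes"
    for key in ("score", "required"):
        if key in status:
            status[key] = float(status[key])
    return status


def bayes_findings(status):
    """Flag the mismatch raised in the thread: autolearning without a Bayes hit."""
    findings = []
    if not any(t.startswith("BAYES_") for t in status["tests"]):
        findings.append("no-bayes-rule")  # no BAYES_* rule fired during the scan
        if status.get("autolearn") in ("ham", "spam"):
            # The message was fed to the learner although no Bayes rule scored it.
            findings.append("autolearn-without-bayes")
    return findings


if __name__ == "__main__":
    parsed = parse_spam_status(SAMPLE_HEADERS)
    print(parsed["score"], parsed["required"], parsed["tests"])
    print(bayes_findings(parsed))
```

Run over a mailbox, the same check shows how many messages were autolearned as ham while Bayes contributed nothing to their score.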