Posted to users@spamassassin.apache.org by David Goldsmith <dg...@sans.org> on 2007/02/22 00:35:29 UTC

Stock Spam Getting Through

We're running SA 3.1.7 with most of the SARE rulesets, including
70_sare_stocks.  We're using DCC, Pyzor and Razor.  The 'X-SA-Exim-*'
headers are from the source, not us.

Any suggestions as to other tests/checks that could be done to bump the
scores up over the 5.0 threshold?

If you run this message through your SA setup, does it score above 5?

Thanks,
David Goldsmith

==========

Return-Path: <ar...@45mph.com>
Delivered-To: dgoldsmith@mustang1.giac.net
X-Spam-DCC: sonic.net: iceman14.giac.net 1117; Body=many Fuz1=many Fuz2=many
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on iceman14.giac.net
X-Spam-Level: ****
X-Spam-Status: No, score=4.3 required=5.0 tests=BAYES_50,DCC_CHECK,
	FORGED_RCVD_HELO,RCVD_ILLEGAL_IP,SARE_OBFU_PRICE2 autolearn=no
	version=3.1.7
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
	*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
	*  0.3 RCVD_ILLEGAL_IP Received: contains illegal IP address
	*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.4787]
	*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
	*  1.7 SARE_OBFU_PRICE2 found apparent obfuscation of word used in spam
Delivered-To: sans-DGOLDSMITH@SANS.ORG
Received: (qmail 24073 invoked from network); 21 Feb 2007 22:35:09 -0000
Received: from unknown (HELO mgr2.xmission.com) (198.60.22.202)
  by iceman12-ext.giac.net with SMTP; 21 Feb 2007 22:35:09 -0000
Received: from mgr1.xmission.com ([198.60.22.201])
	by mgr2.xmission.com with esmtp (Exim 4.50)
	id 1HK03I-0003PV-3Z; Wed, 21 Feb 2007 15:35:08 -0700
Received: from slc487.modem.xmission.com ([166.70.2.233]
helo=INBOUND.451DEGREES.COM.NETSOLMAIL.NET)
	by mgr1.xmission.com with esmtp (Exim 4.50)
	id 1HK03A-0004eO-5l; Wed, 21 Feb 2007 15:35:07 -0700
Received: from snf.45mph.com ([245.249.77.187])
 by pkff.45mph.com (Sun Java System Messaging Server 6.1 HotFix 0.04 (built
 Aug 28 2004)) with ESMTP id <0E...@152.21.51.249.45mph.com> for
 dgoldrick@orixcm.com; Wed, 21 Feb 2007 14:03:31 -0800 (IST)
Date: Wed, 21 Feb 2007 14:24:25 -0800
From: "Cora Nichols" <ar...@45mph.com>
To: <dg...@orixcm.com>
Message-ID: <xA...@45mph.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: none (mgr1.xmission.com: 166.70.2.233 is neither permitted
nor denied by domain of 45mph.com) client-ip=166.70.2.233;
envelope-from=arlinelhugea@45mph.com;
helo=INBOUND.451DEGREES.COM.NETSOLMAIL.NET;
Subject: of straw
X-SA-Exim-Connect-IP: 166.70.2.233
X-SA-Exim-Mail-From: arlinelhugea@45mph.com
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on mgr1.xmission.com)

Major Acquisition kicks off Irwin Resources' move to $2.50!!!

Yes, you heard it here first.  This acquisition news has been
pushing up IWRS and this is Just the Beginning!

Company:  IWRS

Current Prrice:  Around $1.00
Tarrget Prrice:         $2.50

Check your favorite financial news source for details!

More High Impact Announcements to follow!

You know us.  You know that when we catch wind of a winner it
moves!  Get in Early and Ride it to $2.50







Office were charged Tuesday with aggravated manslaughter in the death of
a 14-year-old at a Florida boot camp for juvenile offenders
State Attorney Mark Ober said seven former guards and a nurse are
accused of causing the death of Martin Anderson by culpable negligence
If convicted each could face up to 30 years in prison


==========

RE: Stock Spam Getting Through

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.
Andy

This scores 7.1 for me..


Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 L_DRUGS12              L_DRUGS12
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9552]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?82.84.228.177>]
 0.9 FM_NO_STYLE            FM_NO_STYLE
 0.6 HELO_MISMATCH_COM      HELO_MISMATCH_COM

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
> -----Original Message-----
> From: Andy Figueroa [mailto:figueroa@andyfigueroa.us]
> Sent: 22 February 2007 15:33
> To: SpamAssassin List
> Subject: Re: Stock Spam Getting Through
>
> This might be identical to one I got today.  I put it up clean at:
> http://2chronicles36.org/spam/stock.txt
>
> I'm also on 3.1.7 with latest update, all the network tests, plus
> FuzzyOcr.cf and KAM.cf, otherwise no extras.
>
> Andy Figueroa
>






Re: Stock Spam Getting Through

Posted by Andy Figueroa <fi...@andyfigueroa.us>.
This might be identical to one I got today.  I put it up clean at:
http://2chronicles36.org/spam/stock.txt

I'm also on 3.1.7 with latest update, all the network tests, plus 
FuzzyOcr.cf and KAM.cf, otherwise no extras.

Andy Figueroa

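Added example, not written by any poster in this thread: Python that parses the two SpamAssassin reports quoted above and attributes the score gap rule by rule. The report lines are copied from the posts; the function names are illustrative, and Martin scanned the copy Andy posted, so the two inputs may not be the same message.

```python
import re

# Report lines copied from the two posts in this thread.
REPORT_DAVID = """\
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
*  0.3 RCVD_ILLEGAL_IP Received: contains illegal IP address
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*      [score: 0.4787]
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
*  1.7 SARE_OBFU_PRICE2 found apparent obfuscation of word used in spam
"""
REPORT_MARTIN = """\
 1.0 L_DRUGS12              L_DRUGS12
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9552]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 0.9 FM_NO_STYLE            FM_NO_STYLE
 0.6 HELO_MISMATCH_COM      HELO_MISMATCH_COM
"""

# "<points> <RULE_NAME> ..." with an optional leading "*" (X-Spam-Report form).
HIT = re.compile(r"^\s*\*?\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def parse_hits(report):
    """Return {rule: points}; '[score: ...]' continuation lines are skipped."""
    hits = {}
    for line in report.splitlines():
        m = HIT.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def family(rule):
    # BAYES_50 and BAYES_95 are buckets of one classifier: compare them as one.
    return "BAYES" if rule.startswith("BAYES_") else rule

def compare(a, b, threshold=5.0):
    """Totals for both scans, a's shortfall, and per-rule deltas (b minus a)."""
    fa = {family(r): p for r, p in a.items()}
    fb = {family(r): p for r, p in b.items()}
    delta = {f: round(fb.get(f, 0.0) - fa.get(f, 0.0), 1)
             for f in sorted(set(fa) | set(fb))}
    total_a, total_b = sum(a.values()), sum(b.values())
    return {"total_a": round(total_a, 1), "total_b": round(total_b, 1),
            "shortfall_a": round(max(0.0, threshold - total_a), 1),
            "delta": {f: d for f, d in delta.items() if d != 0.0}}
```

Calling `compare(parse_hits(REPORT_DAVID), parse_hits(REPORT_MARTIN))` shows David's scan 0.7 short of the threshold, with the Bayes bucket (+3.0) and the SpamCop RBL hit (+1.6) as the largest gains on Martin's side. Martin's lines sum to 7.2 rather than his stated 7.1 because the report shows each rule's points rounded to one decimal.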