spamassassin-users mailing list archives

From Chris <cpoll...@embarqmail.com>
Subject Re: Lots of spam with the following snip
Date Tue, 01 Jul 2008 01:16:38 GMT
On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> <p>God dag,<strong>   </strong></p><span> </span>
> <a name="#qppp">
> </a><br><br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured.
> <br>***<br>
>
> The part that's noteworthy is this:
>
>
> <br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured.
> <br>***<br>
>
> Does someone have a rule for this ready made?
>
> Thanks
Scored pretty well here. Do you have network checks active? The "SOUGHT" rule 
scored well too. The 'virus' that was detected is a Sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see <http://www.spamcop.net/bl.shtml?79.86.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details:   (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?190.46.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many]
                            [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no
                            rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores; however, my 
ISP, Embarq, sometimes has a tendency to block my posts even with IPs in the 
body such as above. They're using CMAE so I don't know if that's something it 
does or not. I've Bcc'd myself on the first post and it went through to me, 
but then I have no idea what the CMAE hashes mean.

-- 
Chris
KeyID 0xE372A7DA98E6705C
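
Added example, not part of the original post: a Python parser for the "Content analysis details" report format shown above, splitting a score into network-test and local contributions (the point behind the reply's question about network checks). The function names and the classification heuristic (`RBL:`/`SPF:` description prefixes, `DCC_` rule names) are assumptions; the sample is the first report's lines with the SpamCop URL line left out.

```python
import re

# Constructed sample: rule lines taken from the first report in the post above.
REPORT = """\
Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

HEADER = re.compile(r"\(([-\d.]+) points, ([-\d.]+) required\)")
# A rule line is: score, RULE_NAME, description. Continuation lines do not match.
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

def is_network(name, desc):
    # Assumption: DNSBL and SPF hits carry an "RBL:" / "SPF:" description
    # prefix, and DCC rule names start with "DCC_".
    return desc.startswith(("RBL:", "SPF:")) or name.startswith("DCC_")

def analyse(report):
    total, required = map(float, HEADER.search(report).groups())
    rules = [(float(m[1]), m[2], m[3])
             for m in map(RULE.match, report.splitlines()) if m]
    listed = sum(p for p, _, _ in rules)
    net = sum(p for p, n, d in rules if is_network(n, d))
    return {
        "total": total,
        "required": required,
        "listed_sum": round(listed, 1),         # per-rule scores are rounded,
        "network": round(net, 1),               # so this can differ from total by 0.1
        "without_network": round(listed - net, 1),
        "still_spam_offline": listed - net >= required,
    }

if __name__ == "__main__":
    print(analyse(REPORT))
```
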
