From: Chris <cpollock@embarqmail.com>
To: users@spamassassin.apache.org
Subject: Re: Lots of spam with the following snip
Date: Mon, 30 Jun 2008 20:16:38 -0500
Message-Id: <200806302016.38591.cpollock@embarqmail.com>
User-Agent: KMail/1.7.1

On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> God dag,
>
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
>
> The part that's noteworthy is this:
>
> ***
> Warning!
> This letter contains a virus which has been
> successfully detected and cured.
> ***
> Does someone have a rule for this ready made?
>
> Thanks

Scored pretty well here, do you have network checks active? The "SOUGHT" rule scored well too. The 'virus' that was detected is a sanesecurity sig:

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details:   (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many]
                            [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores, however, my ISP, Embarq, sometimes has a tendency to block my posts even with IPs in the body such as above. They're using CMAE so I don't know if that's something it does or not. I've Bcc'd myself on the first post and it went through to me but then I have no idea what the CMAE hashes mean.
-- 
Chris
KeyID 0xE372A7DA98E6705C
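The reply above makes its point by reading the "Content analysis details" report: the ClamAV/Sanesecurity hit contributes 10 points, but the network rules (RBLs, DCC) plus JM_SOUGHT_1 already push the message well past the 5.0 threshold on their own. The following script is an added example, not code from the post or from the SpamAssassin project: it parses a report in that format (the first report quoted above, embedded as constructed sample input, with the spamcop URL elided as it is in the archive), sums the per-rule points, reports which network-dependent rules fired, shows the score with a chosen rule removed, and applies the same body-text pattern a local rule for the "virus cured" snippet would use. The NETWORK_RULE_PREFIXES list is an assumption of the example, a heuristic for which rule names require network checks, not a list taken from SpamAssassin.

```python
import re

# Constructed sample input: the first report quoted in the post, reproduced as text.
SAMPLE_REPORT = """\
Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

# "(23.0 points, 5.0 required)" summary line.
HEADER_RE = re.compile(
    r"\((?P<total>-?\d+(?:\.\d+)?) points, (?P<req>-?\d+(?:\.\d+)?) required\)"
)
# A rule line: points, rule name (upper-case identifier), description.
RULE_RE = re.compile(
    r"^\s*(?P<pts>-?\d+(?:\.\d+)?)\s+(?P<rule>[A-Z][A-Z0-9_]*)\s+(?P<desc>.*)$"
)

# Assumption (heuristic, not from SpamAssassin): rule-name prefixes that only
# fire when network tests are enabled.
NETWORK_RULE_PREFIXES = ("RCVD_IN_", "DCC_CHECK", "BOTNET", "SPF_")

# Same pattern the quoted spam snippet would need as a SpamAssassin body rule,
# e.g. body LOCAL_FAKE_AV_CURED /.../i in local.cf (hypothetical rule name).
FAKE_AV_NOTICE_RE = re.compile(
    r"This letter contains a virus which has been\s+successfully detected and cured",
    re.IGNORECASE,
)


def parse_report(text):
    """Return (total, required, hits); hits is a list of {pts, rule, desc}.
    Indented continuation lines (e.g. "[score: 0.5844]") are folded into the
    description of the preceding rule."""
    total = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and total is None:
            total, required = float(m.group("total")), float(m.group("req"))
            continue
        if line.startswith("----") or line.strip().startswith("pts rule name"):
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append({"pts": float(m.group("pts")), "rule": m.group("rule"),
                         "desc": m.group("desc").strip()})
        elif hits and line.strip():
            hits[-1]["desc"] += " " + line.strip()
    return total, required, hits


def network_rules_fired(hits):
    """Rule names in the report that (per the heuristic prefix list) needed network checks."""
    return [h["rule"] for h in hits if h["rule"].startswith(NETWORK_RULE_PREFIXES)]


def score_without(hits, excluded):
    """Total points if the rules in `excluded` had not fired (e.g. no ClamAV plugin)."""
    return sum(h["pts"] for h in hits if h["rule"] not in excluded)


def matches_fake_av_notice(body):
    """True when the body carries the 'virus detected and cured' text from the thread."""
    return bool(FAKE_AV_NOTICE_RE.search(body))


if __name__ == "__main__":
    total, required, hits = parse_report(SAMPLE_REPORT)
    print(f"reported total {total}, required {required}, sum of hits {sum(h['pts'] for h in hits):.1f}")
    print("network rules:", ", ".join(network_rules_fired(hits)))
    print(f"without CLAMAV: {score_without(hits, {'CLAMAV'}):.1f}")
```

Running it against the embedded report shows that the sum of the listed hits agrees with the 23.0 header and that the score without the 10-point CLAMAV hit is still 13.0, well over the 5.0 threshold, which is the substance of the reply: if a site sees this spam getting through, the first thing to confirm is that the RCVD_IN_* and DCC network tests are actually running.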