spamassassin-users mailing list archives

From Jari Fredriksson <ja...@iki.fi>
Subject Re: Smart Smoker spam sailing past SA scores
Date Fri, 04 Dec 2009 20:42:05 GMT


On 4.12.2009 18:00, Thomas Harold wrote:
> SA had a lot of trouble identifying this as spam.  The IP
> (174.139.37.196) is not yet listed in a lot of the DNSBLs.  So it only
> scored around a 1.0 on the spam meter.
> 
> http://pastebin.com/m1d0a75b7
> 
> It uses a block of foreign language spam at the end to get past some SA
> checks, such as HTML_IMAGE_RATIO.  The text/plain section is completely
> empty (and doesn't match the text/html section).
> 

Content analysis details:   (14.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [174.139.37.196 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [174.139.37.196 listed in hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [174.139.37.196 listed in bl.spameatingmonkey.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL



-- 
http://www.iki.fi/jarif/

Many pages make a thick book.
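
The mismatch described in the quoted message (an empty text/plain part beside a populated text/html part) can be checked directly on the MIME structure. The following is an added example, not code from this thread or from SpamAssassin; the function names, the 0.5 overlap threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

class _VisibleText(HTMLParser):
    """Collect the text nodes of an HTML part (simplification: no script/style filtering)."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def _words(text):
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))

def alternative_mismatch(raw, min_overlap=0.5):
    """Return (suspicious, reason) for a raw message given as a string."""
    plain, html = None, ""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and any attachments
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "plain":
            plain = (plain or "") + body
        elif part.get_content_subtype() == "html":
            html += body
    parser = _VisibleText()
    parser.feed(html)
    html_words = _words(" ".join(parser.chunks))
    if plain is None or not html_words:
        return (False, "no text/plain and text/html pair to compare")
    if not plain.strip():
        return (True, "text/plain is empty but text/html has content")
    plain_words = _words(plain)
    # Share of the plain-text vocabulary that also appears in the HTML part.
    overlap = len(plain_words & html_words) / max(1, len(plain_words))
    if overlap < min_overlap:
        return (True, f"only {overlap:.0%} of text/plain words appear in text/html")
    return (False, "alternatives agree")

def constructed_sample(plain, html):
    """Constructed multipart/alternative message for testing (not the spam from the thread)."""
    return ("From: a@example.test\nSubject: constructed sample\nMIME-Version: 1.0\n"
            'Content-Type: multipart/alternative; boundary="b1"\n\n'
            f"--b1\nContent-Type: text/plain; charset=us-ascii\n\n{plain}\n"
            f"--b1\nContent-Type: text/html; charset=us-ascii\n\n{html}\n--b1--\n")
```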

