spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: RP_MATCHES_RCVD
Date Mon, 21 Oct 2013 17:24:29 GMT
On Mon, 21 Oct 2013, Mauricio Tavares wrote:

> Trying to figure out why RP_MATCHES_RCVD scored so low. Is it
> because Return-Path:     <semik@c001n01.zahost.ru> and the last
> Received matches that domain? If so, anything I can do to score it as
> the proper spam it is?

RP_MATCHES_RCVD is a check that the message metadata is internally 
consistent. While giving it a negative score may not be justified, don't 
think that it's useful as a spam indicator and should have a positive 
score.

In fact, as spams usually exhibit internal *inconsistencies* due to being 
largely forged, a message *not* hitting RP_MATCHES_RCVD may actually be a 
better spam indicator - that's probably the reason that it has a negative 
score.

Given the surge in WhatsApp spams recently (I've been getting a lot) I 
think I should add some specific rules to my sandbox for testing.

For the time being, you might want to do this in your local rules:

   body  __VOICEMAIL    /\bYou have a new voicemail!/i
   body  __WHATSAPP     /\bWhatsApp\b/
   meta  LCL_WHATSAPP   __WHATSAPP && __VOICEMAIL
   score LCL_WHATSAPP   1.000

That should be enough to push it over the threshold without FPs on 
legitimate (non-WhatsApp) voicemail notifications.

Pointers from anyone who actually uses WhatsApp about how to distinguish 
legitimate voicemail notifications from these spams are solicited.

> -------- Original Message --------
> Return-Path:     <semik@c001n01.zahost.ru>
> Delivered-To:     raub@domain.com
> Received:     from localhost (localhost [127.0.0.1]) by
> mail.domain.com (Postfix) with ESMTP id CAE8980058; Sun, 20
> Oct 2013 22:10:19 -0400 (EDT)
> X-Virus-Scanned:     Debian amavisd-new at mail.domain.com
> X-Spam-Flag:     NO
> X-Spam-Score:     4.1
> X-Spam-Level:     ****
> X-Spam-Status:     No, score=4.1 required=4.7 tests=[BAYES_99=4.2,
> HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37] autolearn=no
> Received:     from mail.domain.com ([127.0.0.1]) by localhost
> (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
> with SMTP id Fzg7udDKz5bJ; Sun, 20 Oct 2013 22:10:17 -0400 (EDT)
> Received:     from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client
> certificate requested) by mail.domain.com (Postfix) with
> ESMTPS id 669DC80051 for <info@domain.com>; Sun, 20 Oct 2013 22:10:15
> -0400 (EDT)
> Received:     from localhost.zahost.ru ([127.0.0.1] helo=c001n01.zahost.ru)
> by c001n01.zahost.ru with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69
> (FreeBSD)) (envelope-from <semik@c001n01.zahost.ru>) id 1VY1ND-0005fT-Kk
> for info@domain.com; Mon, 21 Oct 2013 02:21:23 +0400
> Received:     (from semik@localhost) by c001n01.zahost.ru
> (8.14.4/8.13.8/Submit) id r9KMLM0s021783; Mon, 21 Oct 2013 02:21:22
> +0400 (MSD) (envelope-from semik)
> Date:     Mon, 21 Oct 2013 02:21:22 +0400 (MSD)
> Message-Id:     <201310202221.r9KMLM0s021783@c001n01.zahost.ru>
> To:     info@domain.com
> Subject:     4 New Voicemail(s)
> X-PHP-Script:     35x35.ru/ for 127.0.0.1
> From:     WhatsApp Messaging Service <service@35x35.ru>
> X-Mailer:     Spmailver8.5
> Reply-To:     WhatsApp Messaging Service <service@35x35.ru>
> Mime-Version:     1.0
> Content-Type:
> multipart/alternative;boundary="----------138230768252645762B1112"
>
> WhatsApp
>
>
>
> You have a new voicemail!
> *Details*
> Time of Call: Oct-15 2013 07:55:57
> Lenth of Call: 57 seconds
>
> Play
> <http link has been removed>
>
>
> *If you cannot play, move message to the "Inbox" folder.
>
> 2013 WhatsApp Inc
>

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws aren't enacted to control guns, they are enacted
   to control people: catholics (1500s), japanese peasants (1600s),
   blacks (1860s), italian immigrants (1911), the irish (1920s),
   jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
  508 days since the first successful private support mission to ISS (SpaceX)
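
The following is an added example, not part of the message above and not SpamAssassin's own code. It approximates the RP_MATCHES_RCVD consistency check on a trimmed copy of the quoted headers, then applies the suggested LCL_WHATSAPP meta rule to the reported score of 4.1 against the required 4.7. The helper names, the two-label domain comparison, and matching against the whole body at once are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: trimmed from the message quoted in this thread. Only the
# handover Received header (the one added by the receiving Postfix) is kept.
SAMPLE = """\
Return-Path: <semik@c001n01.zahost.ru>
Received: from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
\tby mail.domain.com (Postfix) with ESMTPS id 669DC80051
Subject: 4 New Voicemail(s)
From: WhatsApp Messaging Service <service@35x35.ru>

WhatsApp

You have a new voicemail!
"""

def base_domain(host):
    # Simplification: last two labels. Production code needs a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def rp_matches_rcvd(msg):
    """Approximation: envelope sender domain equals the handover relay's rDNS domain."""
    sender = re.search(r"@([\w.-]+)", msg.get("Return-Path", ""))
    relay = re.search(r"from\s+\S+\s+\(([\w.-]+)\s+\[", msg.get("Received", ""))
    return bool(sender and relay) and \
        base_domain(sender.group(1)) == base_domain(relay.group(1))

# The two body subrules and the meta rule from the message above.
VOICEMAIL = re.compile(r"\bYou have a new voicemail!", re.I)
WHATSAPP = re.compile(r"\bWhatsApp\b")

def lcl_whatsapp(body):
    return bool(VOICEMAIL.search(body) and WHATSAPP.search(body))

def rescored(body, base_score, required=4.7, rule_score=1.0):
    """Return (new score, is_spam) after adding LCL_WHATSAPP if it hits."""
    score = round(base_score + (rule_score if lcl_whatsapp(body) else 0.0), 2)
    return score, score >= required

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("RP_MATCHES_RCVD-like check hits:", rp_matches_rcvd(msg))
    print("rescored spam:", rescored(msg.get_payload(), 4.1))
    print("other voicemail:", rescored("You have a new voicemail! Ext. 204", 2.0))
```

The consistency check hits because the envelope sender and the relay both sit under zahost.ru, regardless of the 35x35.ru address in From:, which is why it says nothing about whether the content is spam.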
