Rubin Bennett wrote:
[...] And is it just me, or have the spammers figured out a few new tricks that are giving SA a really hard time? I used to get 1-2 spams per week that made it through SA, and now (last 2 weeks or so) I'm getting 10-15/day (out of a total of about 125-150 spams) that are getting through. Is there a magic combination of rulesets that folks are using to stop these messages? I'm using antidrug, backhair, bigevil, evilnumbers, chickenpox, mr_wiggly, header_abuse, and tripwire. I have a well trained Bayes database (all of the messages sneaking through seem to be utterly baffling Bayes), and I'm using DCC and Razor2.
Here's how it scored here:
Content analysis details: (19.0 points, 5.0 required)
pts rule name description
0.1 HTML_MESSAGE BODY: HTML included in message
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100% <-- Note: It didn't trick bayes here!
[score: 1.0000]
0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 L_TINYFONT_1 BODY: Body contains very small font
0.7 MK_BAD_HTML_02 BODY: Bad HTML form. Breaking lines with paragraphs.
1.7 RM_rbt_Font0Pt BODY: HTML includes 0- or 1-point font size; invisible text
2.2 AFF_ID URI: URL contains AFF_ID=
1.2 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy server
[220.78.47.207 listed in dnsbl.sorbs.net]
0.7 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?ip=220.78.47.207>]
1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?220.78.47.207>]
0.5 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[220.78.47.207 listed in dnsbl.njabl.org]
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[220.78.47.207 listed in dnsbl.njabl.org]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[220.78.47.207 listed in dnsbl.sorbs.net]
3.0 L_RCVD_IN_MANY Message received in more than 2 RBLs
Note that the L_ scores are locals I've added. There's some duplication between sets.
$ ls /etc/spamassassin/*.cf
/etc/spamassassin/99_sare_fraud_post25x.cf  /etc/spamassassin/local.cf
/etc/spamassassin/antidrug.cf               /etc/spamassassin/logospam.cf
/etc/spamassassin/backhair.cf               /etc/spamassassin/mr_wiggly.cf
/etc/spamassassin/bagle.cf                  /etc/spamassassin/random.cf
/etc/spamassassin/bigevil.cf                /etc/spamassassin/test-rules.cf
/etc/spamassassin/chickenpox.cf             /etc/spamassassin/tripwire.cf
/etc/spamassassin/coding_html.cf            /etc/spamassassin/vbounce.cf
/etc/spamassassin/evilnumbers.cf            /etc/spamassassin/weeds.cf
Thoughts?
Yes, I noticed this in the headers:
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on tux.thatitguy.com
X-Spam-Status: No, hits=3.9 required=5.0 tests=FORGED_RCVD_NET_HELO, HTML_30_40,HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=2.60
Perhaps update to 2.63?
Rubin (feeling like I'm getting drowned in spam still... I guess I got spoiled when I was only seeing 1-2 spams per week that made it through)
The RBL checks alone would've nearly stopped this here. The "RCVD_IN_MANY" rule put it over the top.
My bayes (incl. bogofilter, spamprobe and ifile) hit it with no problem. How are you training?
- Bob
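As an added illustration (not Bob's actual rule file, which the thread does not show), here is how the L_RCVD_IN_MANY local rule he describes could be written as a SpamAssassin meta rule over the stock RBL tests that appear in the report above, with the NJABL pair and the SORBS pair each counted once so the duplication he mentions is not double-counted. It assumes the arithmetic/boolean meta expression syntax of SpamAssassin's rule parser; the 3.0 score is taken from the report.

```conf
# Added example, not from the thread: a local meta rule that fires when the
# message was received via hosts listed in more than two distinct RBLs.
# RCVD_IN_NJABL / RCVD_IN_NJABL_PROXY both consult dnsbl.njabl.org and
# RCVD_IN_SORBS / RCVD_IN_SORBS_SOCKS both consult dnsbl.sorbs.net, so each
# pair is collapsed with || and contributes at most 1 to the count.
meta     L_RCVD_IN_MANY  ((RCVD_IN_NJABL || RCVD_IN_NJABL_PROXY) + (RCVD_IN_SORBS || RCVD_IN_SORBS_SOCKS) + RCVD_IN_DSBL + RCVD_IN_BL_SPAMCOP_NET) > 2
describe L_RCVD_IN_MANY  Message received in more than 2 RBLs
score    L_RCVD_IN_MANY  3.0
```

For the message in the report this counts NJABL, SORBS, DSBL and SpamCop as four distinct listings, so the rule fires on top of the individual RBL scores rather than replacing them.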
