Re: A new (?) type of Spam

24 Mar 2004 14:54:17 -0000 

Would you mind emailing me that L_RCVD_IN_MANY rule you have?
Thanks,
Kevin

Bob George wrote:

Rubin Bennett wrote:

[...]
And is it just me, or have the spammers figured out a few new tricks
that are giving SA a really hard time?  I used to get 1-2 spams per week
that made it through SA, and now (last 2 weeks or so) I'm getting
10-15/day (out of a total of about 125-150 spams) that are getting
through.  Is there a magic combination of rulesets that folks are using
to stop these messages?
I'm using antidrug, backhair, bigevil, evilnumbers, chickenpox,
mr_wiggly, header_abuse, and tripwire.  I have a well trained Bayes
database (all of the messages sneaking through seem to be utterly
baffling Bayes), and I'm using DCC and Razor2.



Here's how it scored here:
Content analysis details:   (19.0 points, 5.0 required)

 pts rule name              description

0.1 HTML_MESSAGE BODY: HTML included in message
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100% < -- Note: It didn't trick bayes here!
[score: 1.0000]
0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 L_TINYFONT_1 BODY: Body contains very small font
0.7 MK_BAD_HTML_02 BODY: Bad HTML form. Breaking lines with paragraphs
.
1.7 RM_rbt_Font0Pt BODY: HTML includes 0- or 1-point font size; invisib
le text
2.2 AFF_ID URI: URL contains AFF_ID=
1.2 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy server
[220.78.47.207 listed in dnsbl.sorbs.net]
0.7 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?ip=220.78.47.207>]
1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?220.78.47.207>]
0.5 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[220.78.47.207 listed in dnsbl.njabl.org]
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[220.78.47.207 listed in dnsbl.njabl.org]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[220.78.47.207 listed in dnsbl.sorbs.net]
3.0 L_RCVD_IN_MANY Message received in more than 2 RBLs

Note that the L_ scores are locals I've added. There's some duplication between sets.

Reply via email to