We've been having a group of the same type of e-mails making it through SpamAssassin. These are the e-mails that have the "get a capable html e-mailer" line in them. I have yet to see any legitimate e-mail with that line, so I made a custom rule to score 11 points for that slogan. I have also fed hundreds of different e-mails with that line into my Bayes database, and yet I'm still seeing a lot of e-mails with that line making it through, so I fed one of the e-mails through manually and the relevant output is below. The MY_CAPABLE rule is the custom rule for these types of e-mail; it is adding the points, but a great many of these are still making it through. I know I saw other posts where people were saying spam was making it past or only every other e-mail was being checked, and I'm wondering why e-mails like these are slipping past.

Subject: ***Spam*** i just cheated on my boyfriend
Date: Mon, 10 Jan 2005 23:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="Java.FFPYY.0255880571537262588"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-Virus-Scanned: ClamAV 0.80/578/Mon Nov 8 09:26:49 2004
    clamav-milter version 0.80j on xxx.xxx.xxx
X-Virus-Status: Clean
X-Spam-Prev-Subject: i just cheated on my boyfriend
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on c588
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,
    HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CAPABLE,RCVD_BY_IP,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_WEB,
    SARE_FREE_WEBM_ZCom03,SPF_HELO_PASS autolearn=disabled version=3.0.2
X-Spam-Report:
    *  0.1 RCVD_BY_IP Received by mail server with no name
    *  0.7 SARE_FREE_WEBM_ZCom03 Sender used free email account - may be spammer
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    *   11 MY_CAPABLE BODY: Body contains spam link
    *  0.2 HTML_20_30 BODY: Message is 20% to 30% HTML
    *  0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
    *      [score: 0.6354]
    *  1.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
    *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?24.145.177.237>]
    *  0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
    *      [24.145.177.237 listed in combined.njabl.org]
    *  0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
    *      [24.145.177.237 listed in dnsbl.sorbs.net]