If you have spamples for SharePoint phishes that evade the KAM ruleset, shoot me an email off-list to discuss getting me the spamples.

On Sun, Apr 11, 2021, 16:43 Steve Dondley <[email protected]> wrote:

> On 2021-04-11 04:19 PM, Benny Pedersen wrote:
> > On 2021-04-11 22:09, Steve Dondley wrote:
> >
> >> Content analysis details:   (4.4 points, 5.0 required)
> >>
> >>  pts rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
> >>                             [score: 1.0000]
> >>  0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
> >>                             [score: 1.0000]
> >> -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
> >>                             [52.100.189.222 listed in wl.mailspike.net]
> >> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
> >>                             [52.100.189.222 listed in list.dnswl.org]
> >> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
> >> -0.0 SPF_PASS               SPF: sender matches SPF record
> >>  0.5 SUBJ_ALL_CAPS          Subject is all capitals
> >>  0.0 HTML_MESSAGE           BODY: HTML included in message
> >>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
> >>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
> >> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
> >> -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from envelope-from domain
> >>  0.0 UPPERCASE_50_75        message body is 50-75% uppercase
> >
> > i see its as a local problem
> >
> > http://multirbl.valli.org/lookup/52.100.189.222.html
> >
> > do you use KAM.cf channel ?
>
> OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:
>
> Content analysis details:   (5.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
>                             [52.100.189.222 listed in list.dnswl.org]
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.0000]
>  0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.0000]
> -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
>                             [52.100.189.222 listed in wl.mailspike.net]
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
>  0.5 SUBJ_ALL_CAPS          Subject is all capitals
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
> -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from envelope-from domain
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>  0.0 UPPERCASE_50_75        message body is 50-75% uppercase
>  0.2 KAM_MANYTO             Email has more than one To Header or more than 25 recipients
>  0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
>  0.0 KAM_SHORT              Use of a URL Shortener for very short URL
