Hello Jason,
Friday, May 27, 2005, 2:52:40 PM, you wrote:
JB> Sorry all, let me try this again. Attached is the message
JB> Iwas referring to in my previous posting.
Here in SA 3.0.3 your example hits:
Content analysis details: (9.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
2)
0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[80.219.248.164 listed in dnsbl.sorbs.net]
2.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?80.219.248.164>]
1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[80.219.248.164 listed in combined.njabl.org]
3.6 AWL AWL: From: address is in the auto white-list
Ignoring the AWL which is site specific, the major points come from
network tests. Do you have network tests enabled and active on your
system?
Other than that, I see one intended URL, which is obfuscated such that
SA doesn't yet recognize it as a URL. If it had, I suspect we'd also
see a SURBL report in there.
One thing you could key on is a long "word", something like
body MY_LONGWORD /\w{100}/
describe MY_LONGWORD Excessively long string of characters
score MY_LONGWORD 1 #rescore as needed on your system
Bob Menschel
