OK, I'm using sa-update AND Rules Du Jour. However, I'm not sure about which
rulesets are the most convenient to download. Could somebody pass a config
file for RDJ?

Thanks again,


Luis

2006/12/26, Chris <[EMAIL PROTECTED]>:

On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> Hi, list. I have been under heavy stocks alerts spamming. Currently, my
> setup goes like this:
>
> -Debian Sarge
> -Postfix 2.1.5-9 with VDA patch
> -Amavisd-new 2.4.2
> -SA 3.1.5
> -ClamAV 0.84-2.sarge.1
> -Mysql 4.0.24-10sarge
>
> System was installed and is maintained via apt. I've recently added the
> sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
>
> But since a month or so, I've noticed that in some sender's addresses
> (spammers, of course) there are apostrophes.

Addresses such as this "Gena Mercer" <that'[EMAIL PROTECTED]> are caught
here quite easily on my home system:

Content analysis details: (43.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.0 BOTNET_NORDNS IP address has no PTR record
1.7 SARE_MLB_Stock1 BODY: SARE_MLB_Stock1
1.7 SARE_MLB_Stock5 BODY: Mentions stock symbol, tickers, or OTC.
0.4 SARE_LWOILCO BODY: SARE_LWOILCO
1.7 SARE_MLB_Stock2 BODY: SARE_MLB_Stock2
0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  [score: 1.0000]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
  above 50%
  [cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
  [cf: 100]
3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
10 CLAMAV Clam AntiVirus detected a virus
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
  [88.243.90.7 listed in sbl-xbl.spamhaus.org]
0.8 DIGEST_MULTIPLE Message hits more than one network digest check
5.0 BOTNET The submitting mail server looks like part of a Botnet
1.0 SAGREY Adds 1.0 to spam from first-time senders

Looks like any of the sare rules, or network tests would kick it over the
limit. Are you running any of the add-on clamav db's? These are tagged here
with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even
running botnet would have put it over your threshold.

--
Chris
http://learn.to/quote

--
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
-------------------------------------------------
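Chris's point above is that several independent rule families in that report would each have crossed the 5.0 threshold on their own. The following Python script is an added example, not code from the thread or from the SpamAssassin project: it parses a "Content analysis details" report (the quoted one is re-typed below as constructed sample input), tallies scores per rule family, and lists which families and which single rules would have been sufficient alone. The grouping of rule names into families (SARE_*, BAYES_*, BOTNET*, CLAMAV, and the Razor2/Pyzor/DCC/RBL/digest rules as "network") is my own assumption for the illustration, not a SpamAssassin classification.

```python
"""Parse a SpamAssassin "Content analysis details" report and show which
rule families would have pushed the message over the threshold on their own."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the report quoted in the thread, re-typed here so
# the script runs offline. It is not fetched from a live SpamAssassin install.
SAMPLE_REPORT = """\
Content analysis details: (43.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.0 BOTNET_NORDNS IP address has no PTR record
1.7 SARE_MLB_Stock1 BODY: SARE_MLB_Stock1
1.7 SARE_MLB_Stock5 BODY: Mentions stock symbol, tickers, or OTC.
0.4 SARE_LWOILCO BODY: SARE_LWOILCO
1.7 SARE_MLB_Stock2 BODY: SARE_MLB_Stock2
0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  [score: 1.0000]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
  above 50%
  [cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
  [cf: 100]
3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
10 CLAMAV Clam AntiVirus detected a virus
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
  [88.243.90.7 listed in sbl-xbl.spamhaus.org]
0.8 DIGEST_MULTIPLE Message hits more than one network digest check
5.0 BOTNET The submitting mail server looks like part of a
Botnet
1.0 SAGREY Adds 1.0 to spam from first-time senders
"""

HEADER_RE = re.compile(
    r"Content analysis details:\s*\((-?[\d.]+) points, (-?[\d.]+) required\)")
# A hit line is: score, rule name, free-text description. SARE rule names mix
# case (SARE_MLB_Stock1), so the name pattern allows lowercase after the first
# letter. Wrapped continuation lines (no leading score) do not match.
HIT_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Za-z0-9_]*)\s*(.*)$")

# Assumed grouping for this example only; SpamAssassin itself has no such map.
NETWORK_PREFIXES = ("RAZOR2_", "PYZOR_", "DCC_", "RCVD_IN_", "DIGEST_")


@dataclass
class Hit:
    score: float
    rule: str
    description: str


@dataclass
class Report:
    reported_total: float
    threshold: float
    hits: list = field(default_factory=list)

    def recomputed_total(self) -> float:
        # Displayed scores are rounded to one decimal, so the recomputed sum
        # can differ from reported_total by a few tenths.
        return sum(h.score for h in self.hits)


def family_of(rule: str) -> str:
    """Bucket a rule into the families discussed in the thread (assumed map)."""
    if rule.startswith("SARE_"):
        return "sare"
    if rule.startswith("BAYES_"):
        return "bayes"
    if rule.startswith("BOTNET"):
        return "botnet"
    if rule == "CLAMAV":
        return "clamav"
    if rule.startswith(NETWORK_PREFIXES):
        return "network"
    return "other"


def parse_report(text: str) -> Report:
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    report = Report(float(m.group(1)), float(m.group(2)))
    for line in text.splitlines():
        hit = HIT_RE.match(line)
        if hit:
            report.hits.append(Hit(float(hit.group(1)), hit.group(2), hit.group(3)))
    return report


def score_by_family(report: Report) -> dict:
    totals = {}
    for h in report.hits:
        fam = family_of(h.rule)
        totals[fam] = round(totals.get(fam, 0.0) + h.score, 1)
    return totals


def families_over_threshold(report: Report) -> list:
    """Families whose subtotal alone meets the required score."""
    return sorted(f for f, s in score_by_family(report).items()
                  if s >= report.threshold)


def single_hits_over_threshold(report: Report) -> list:
    """Individual rules whose own score meets the required score."""
    return [h.rule for h in report.hits if h.score >= report.threshold]


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{len(r.hits)} hits, reported {r.reported_total}, "
          f"recomputed {r.recomputed_total():.1f}, required {r.threshold}")
    for fam, s in sorted(score_by_family(r).items()):
        print(f"  {fam:8s} {s:5.1f}")
    print("families sufficient alone:", families_over_threshold(r))
    print("single rules sufficient alone:", single_hits_over_threshold(r))
```

Run against the quoted report, the SARE rules alone sum to 6.3 and the network tests alone to 13.1, both above the 5.0 required, which is the quantitative form of Chris's remark; the same parser works on the report SpamAssassin puts in the X-Spam-Report header or in the body of a tagged message.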