I get spam like this too. I'd tell you to train your bayes db better, but no amount of learning these things seems to have any effect for me - the next one is right back at BAYES_50. Mine are also largely from Yahoo, some from Hotmail.
One thing that bothers me is how painfully obvious these are, and yet they barely trigger any rules in stock SA. Maybe a Pyzor here, a DCC there. Rarely a DKIM hit, IIRC. For the most part they sail right through, with virtually no non-network test hitting them, and very rarely a network test. Even with my changes below, I'm still missing more than I would like (mostly because they don't hit enough to pass 5.0).

First I tried the SARE rules. Most of them were ineffective, but a few files hit often. Then I added the Botnet plugin, and it was much, much more useful. I do *not* use the stock Botnet scores, however... too high for my tastes. But I'm getting closer to them every day, as I inch them back up to their stock.

The "Spam" and "Ham" listed here are how SA classifies them... not necessarily what they actually *are*...

Ruleset                          Ham   Spam   %of Ham   %of Spam
--------------------------------------------------------------------
Botnet.cf                         16    857     4.79%     92.05%
70_sare_obfu1.cf                   0    263     0.00%     28.25%
70_sare_genlsubj1.cf               3    113     0.90%     12.14%
99_custom_rules.cf                 5    111     1.50%     11.92%
70_sare_genlsubj0.cf               0     55     0.00%      5.91%
70_sare_adult.cf                   0     46     0.00%      4.94%
70_sare_header0.cf                 0     14     0.00%      1.50%
70_sare_header1.cf                 0     13     0.00%      1.40%
70_sare_oem.cf                     2      2     0.60%      0.21%
70_sare_html0.cf                   1      2     0.30%      0.21%
72_sare_redirect_post3_0_0.cf      0      0     0.00%      0.00%
70_sare_obfu0.cf                   0      0     0.00%      0.00%
70_sare_bayes_poison_nxm.cf        0      0     0.00%      0.00%
70_sare_evilnum0.cf                0      0     0.00%      0.00%
70_sare_html1.cf                   1      0     0.30%      0.00%

My modified stock rule scores: (slowly increasing these over time)

score DRUGS_ERECTILE 1.5
score DRUGS_MUSCLE 1.0
score RDNS_NONE 0.5
score ONLINE_PHARMACY 1.0
score TVD_VISIT_PHARMA 1.0

Then I wrote these add-on rules, almost specifically to target this problem. The scores are arbitrary, and I'm increasing them over time. 1 and 2 are the highest-hitting by far. And yes, they do sometimes overlap with the stock rules above. Not as often as you'd think, though.... plenty of viagra/cialis spam isn't hitting DRUGS_ERECTILE, and plenty of pharma spam doesn't hit those 2 either. The last one I kinda made up, and it hit exactly 1 in ~2000 emails last week :).

header JAKE_SUBJ1 Subject =~ /Viagra/i
describe JAKE_SUBJ1 Subject mentions Viagra
score JAKE_SUBJ1 2.5

header JAKE_SUBJ2 Subject =~ /Cialis/i
describe JAKE_SUBJ2 Subject mentions Cialis
score JAKE_SUBJ2 2.5

header JAKE_SUBJ3 Subject =~ /pharmacy/i
describe JAKE_SUBJ3 Subject mentions 'pharmacy'
score JAKE_SUBJ3 1.5

header JAKE_SUBJ4 Subject =~ /cock/i
describe JAKE_SUBJ4 Subject mentions 'cock'
score JAKE_SUBJ4 1.5

header JAKE_SUBJ5 Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe JAKE_SUBJ5 Subject mentions a hot chick
score JAKE_SUBJ5 1.5

I also started using some 3rd party ClamAV rules... SaneSecurity has 'em, don't remember the link offhand.

If anyone knows when stock SA is gonna start catching this junk a lot better, I'd love to hear it. I hate doing this hacky garbage to a nice clean mail server.

Good luck,
Jake

On Mon, Aug 25, 2008 at 10:10 PM, James Robertson <[EMAIL PROTECTED]> wrote:
> I'm having an increased amount of junk getting through due to it coming from
> Hotmail and Yahoo's servers which makes any type of pre-filter stuff like
> RBL's, Greylisting, Sender Verification useless which leaves me to rely on
> Spamassassin. I cannot block hotmail and Yahoo (although I would like to
> personally) as our users receive valid email from them.
>
> I have emailed their abuse but it seems more like a blackhole.
>
> I was advised by the Postfix mailing lists to see if anyone here can help me
> out.
>
> Important Note: I am planning on upgrading the Spam Gateway we are
> operating to utilise Maia Mailguard and therefore allow easier training of
> the spam filter which will hopefully help in fixing the problem anyway but
> was wondering if anyone has some tips on how to kill this junk.
>
> I have added higher scores such as "score DRUGS_ERECTILE 7.31" but that
> doesn't help with all the spam.
>
> Examples are below.
>
> ##############################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mx.3rdmill.com.au ([xxx.xxx.xxx.xxx]) by
> 3msyd1.nsw.3rdmill.com.au with Microsoft SMTPSVC(6.0.3790.3959);
> Tue, 26 Aug 2008 07:12:23 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mx.3rdmill.com.au (Postfix) with ESMTP id CFD6AFEAF
> for <[EMAIL PROTECTED]>; Tue, 26 Aug 2008 07:12:24 +1000 (EST)
> Received: from mx.3rdmill.com.au ([127.0.0.1]) by localhost
> (3msydmxg.nsw.3rdmill.com.au [127.0.0.1]) (amavisd-maia, port 10024) with
> ESMTP id 06003-05 for <[EMAIL PROTECTED]>; Tue, 26 Aug 2008 07:12:12
> +1000 (EST)
> Received: from n1.bullet.mail.re3.yahoo.com (n1.bullet.mail.re3.yahoo.com
> [68.142.237.108])
> by mx.3rdmill.com.au (Postfix) with SMTP id 152B8FE72
> for <[EMAIL PROTECTED]>; Tue, 26 Aug 2008 07:12:05 +1000 (EST)
> Received: from [68.142.230.28] by n1.bullet.mail.re3.yahoo.com with NNFMP;
> 25 Aug 2008 21:12:02 -0000
> Received: from [216.252.111.166] by t1.bullet.re2.yahoo.com with NNFMP; 25
> Aug 2008 21:12:02 -0000
> Received: from [127.0.0.1] by omp101.mail.re3.yahoo.com with NNFMP; 25 Aug
> 2008 21:12:02 -0000
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: [EMAIL PROTECTED]
> Received: (qmail 14637 invoked by uid 60001); 25 Aug 2008 21:12:02 -0000
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
> s=s1024; d=yahoo.com;
>
> h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;
>
> b=MoHka6GIK4EPE9h69cCWTi6GTwzEKJQsemn1tMAKkC+3aqBJJm6X8nUBiDj8TRgG2AkBZOVfAH7YsujX/hjWyGgrc/KMNjQtygxd/SNmVQQfZKx9FEueCSK4OAk0joY/V8LBOvvrOtSHvfnQpcgClrSsRrFJ5iTjU/30kPeZJnU=;
> X-YMail-OSG:
> mwVfClMVM1kM9GhmjadPth3DGxGMJJTDHLJxFCGCGWcNvZViq6NFYpOzOSRIqsmteUiJfFKq3Q1YM3NITcYFHcFdUzAlf39soSr9xmj2QJkMtcWnsEPpQAYZxojCTXA-
> Received: from [90.54.180.225]
> by web57511.mail.re1.yahoo.com via HTTP; Mon,
> 25 Aug 2008 14:12:02 PDT
> X-Mailer: YahooMailWebService/0.7.218.2
> Date: Mon, 25 Aug 2008 14:12:02 -0700 (PDT)
> From: Jamie Microdissection <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Subject: Firmer and longer erections shut
> To: [EMAIL PROTECTED]
> Cc: <Various other email addresses>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Message-ID: <[EMAIL PROTECTED]>
> X-Virus-Scanned: Maia Mailguard 1.0.2
> X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31
> tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
> X-Spam-Level:
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 25 Aug 2008 21:12:23.0984 (UTC)
> FILETIME=[44ECFB00:01C906F7]
>
>
> -----Original Message-----
> From: Jamie Microdissection [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 August 2008 7:12 AM
> To: [EMAIL PROTECTED]
> Cc: <Various other email addresses>
> Subject: Firmer and longer erections shut
>
> think worm mules fly blaze.
> http://groups.google.com/group/sdeliapadenf7hd/?fadewerzrspillpewtyr2neat
>
>
> ##################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail.icfrith.com.au ([xxx.xxx.xxx.xxx]) by
> icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
> Mon, 25 Aug 2008 11:29:40 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mail.icfrith.com.au (Postfix) with ESMTP id 951DD2B956
> for <[EMAIL PROTECTED]>; Mon, 25 Aug 2008 11:14:07 +1000
> (EST)
> X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
> X-Spam-Score: 2.54
> X-Spam-Level: **
> X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
> DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
> Received: from mail.icfrith.com.au ([127.0.0.1])
> by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
> (amavisd-new, port 10024)
> with ESMTP id QptAnYEjlOsy for <[EMAIL PROTECTED]>;
> Mon, 25 Aug 2008 11:14:05 +1000 (EST)
> Received: from BAY0-OMC3-S10.bay0.hotmail.com
> (bay0-omc3-s10.bay0.hotmail.com [65.54.246.210])
> by mail.icfrith.com.au (Postfix) with ESMTP id E4D912B99C
> for <[EMAIL PROTECTED]>; Mon, 25 Aug 2008 11:14:02 +1000
> (EST)
> Received: from BAY113-W51 ([65.54.168.151]) by
> BAY0-OMC3-S10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
> Sun, 24 Aug 2008 18:29:34 -0700
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: multipart/alternative;
> boundary="_6d082c57-ec4b-42db-aaa6-f421809ee165_"
> X-Originating-IP: [201.83.252.234]
> From: Dorothy Brown <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Date: Mon, 25 Aug 2008 01:29:33 +0000
> Importance: High
> MIME-Version: 1.0
> X-OriginalArrivalTime: 25 Aug 2008 01:29:34.0525 (UTC)
> FILETIME=[07D4EED0:01C90652]
> Return-Path: [EMAIL PROTECTED]
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_--
>
> ________________________________________
> From: Dorothy Brown [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2008 11:30 AM
> To: [EMAIL PROTECTED]
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Importance: High
>
>
> Attractive prices and high quality is our motto.
> www.cid-1a15c26c02719644.spaces.live.com
>
> #########################################
>
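An added example, not code from Jake's post and not SpamAssassin's own engine: a small Python evaluator for rules of the header / describe / score shape Jake posted, run against Subject lines taken from the two sample messages James quoted plus one constructed subject. The rule names, patterns and scores are Jake's; the parser, the Rule and Verdict classes, the sample header dicts and the 5.0 threshold (SpamAssassin's default required_score) are assumptions made for illustration. It shows what Jake's numbers already suggest: keyword rules on the Subject alone leave the first sample at 0.0 and the second at 1.5, far short of the threshold, so they only help as a top-up to other tests.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Jake's add-on rules from the thread, verbatim (rule text only).
JAKE_RULES = """\
header JAKE_SUBJ1 Subject =~ /Viagra/i
describe JAKE_SUBJ1 Subject mentions Viagra
score JAKE_SUBJ1 2.5
header JAKE_SUBJ2 Subject =~ /Cialis/i
describe JAKE_SUBJ2 Subject mentions Cialis
score JAKE_SUBJ2 2.5
header JAKE_SUBJ3 Subject =~ /pharmacy/i
describe JAKE_SUBJ3 Subject mentions 'pharmacy'
score JAKE_SUBJ3 1.5
header JAKE_SUBJ4 Subject =~ /cock/i
describe JAKE_SUBJ4 Subject mentions 'cock'
score JAKE_SUBJ4 1.5
header JAKE_SUBJ5 Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe JAKE_SUBJ5 Subject mentions a hot chick
score JAKE_SUBJ5 1.5
"""

# Line shapes this toy parser understands (a subset of SpamAssassin's syntax).
HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/(\w*)\s*$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?\d+(?:\.\d+)?)\s*$")
DESCRIBE_RE = re.compile(r"^describe\s+(\w+)\s+(.*)$")


@dataclass
class Rule:
    name: str
    header: str = ""                      # header name, lower-cased
    pattern: Optional[re.Pattern] = None  # compiled from the /.../flags part
    score: float = 1.0                    # SpamAssassin's default when no 'score' line is given
    description: str = ""


@dataclass
class Verdict:
    total: float
    hits: list = field(default_factory=list)  # (rule name, score) pairs that fired
    required: float = 5.0

    @property
    def is_spam(self) -> bool:
        return self.total >= self.required


def parse_rules(text: str) -> dict:
    """Parse header/describe/score lines into Rule objects keyed by rule name."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            name, hdr, pat, flags = m.groups()
            rule = rules.setdefault(name, Rule(name))
            rule.header = hdr.lower()
            rule.pattern = re.compile(pat, re.IGNORECASE if "i" in flags else 0)
        elif m := SCORE_RE.match(line):
            rules.setdefault(m.group(1), Rule(m.group(1))).score = float(m.group(2))
        elif m := DESCRIBE_RE.match(line):
            rules.setdefault(m.group(1), Rule(m.group(1))).description = m.group(2)
    return rules


def score_headers(rules: dict, headers: dict, required: float = 5.0) -> Verdict:
    """Apply every header rule to the message headers and sum the scores of the hits."""
    # Header names are case-insensitive; folded continuation lines are joined
    # with single spaces before matching, as a real parser would unfold them.
    folded = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    total, hits = 0.0, []
    for rule in rules.values():
        if rule.pattern is None:
            continue
        if rule.pattern.search(folded.get(rule.header, "")):
            hits.append((rule.name, rule.score))
            total += rule.score
    return Verdict(round(total, 3), hits, required)


# Constructed sample header sets; the first two Subject lines are the ones
# quoted in the thread, the third is made up to show a message that does pass.
SAMPLES = {
    "yahoo": {"Subject": "Firmer and longer erections shut"},
    "hotmail": {"Subject": "Licensed pharmaceutical professionals from our pharmacy are\n available 24/7 for you."},
    "constructed": {"Subject": "Cheap VIAGRA and cialis from our online pharmacy"},
}

if __name__ == "__main__":
    rules = parse_rules(JAKE_RULES)
    for label, hdrs in SAMPLES.items():
        v = score_headers(rules, hdrs)
        print(f"{label:12s} total={v.total:<4} spam={v.is_spam} hits={v.hits}")
```

Note the third sample only crosses 5.0 because three of the rules stack; JAKE_SUBJ3 on its own never can, which is the sense in which these rules are a top-up rather than a catch-all.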
