Chris wrote:
> On Saturday 18 October 2008 7:20 am, cfgerty wrote:
>> One sample of these mails:
>>
>> http://pastebin.com/m1e3d6b5d
>>
>> German Language Rulesets are applied.
>>
>> Chris
>>
> Scored like this on my standalone machine:
>
> Content analysis details:   (11.2 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8473]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 104; Body=1 Fuz1=1]
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no
>                             rDNS
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
>
hmmm...

* RDNS_NONE is bogus here. The host does have rdns, it's just that the
  (ISP?) MTA didn't look it up. Fortunately, 0.1 is small enough.

* For the same reason, RELAYED_BY_DIALUP looks bogus to me as well. Does
  this plugin perform rDNS lookup? Or does the botnet plugin correct the
  X-Relay-* meta headers?

* 5.0 for dynamic rDNS may be too high depending on site policy regarding
  dynamic rdns.
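
An added example, not part of the thread: a small parser for the report quoted above that flags the inconsistency discussed in the reply (RDNS_NONE hit while the BOTNET detail carries an rDNS name) and recomputes the total with chosen rules dropped or rescored. The function names are hypothetical, and any replacement score passed in `override` is a site-policy assumption, not a recommended value.

```python
import re

# Report rows copied from the message quoted above.
REPORT = """\
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8473]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 104; Body=1 Fuz1=1]
 0.1 RDNS_NONE              Delivered to trusted network by a host with no
                            rDNS
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

# A rule row starts with a score, then the rule name, then the description.
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return {rule: {"pts": float, "detail": str}}; wrapped lines are appended."""
    rules, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = m.group(2)
            rules[last] = {"pts": float(m.group(1)), "detail": m.group(3).strip()}
        elif last and line.strip():
            rules[last]["detail"] += " " + line.strip()
    return rules

def botnet_fields(rules):
    """Extract the key=value pairs from the bracketed BOTNET detail."""
    m = re.search(r"\[(botnet[^\]]*)\]", rules.get("BOTNET", {}).get("detail", ""))
    if not m:
        return {}
    return dict(p.split("=", 1) for p in m.group(1).split(",") if "=" in p)

def rdns_conflict(rules):
    """True when RDNS_NONE hit although the BOTNET detail names an rDNS host."""
    return "RDNS_NONE" in rules and bool(botnet_fields(rules).get("rdns"))

def rescored(rules, drop=(), override=None):
    """Total with some rules dropped and others given a site-chosen score."""
    override = override or {}
    return round(sum(override.get(n, r["pts"])
                     for n, r in rules.items() if n not in drop), 1)
```

With the two disputed rules dropped, `rescored(parse_report(REPORT), drop=("RDNS_NONE", "RELAYED_BY_DIALUP"))` still leaves this message above the 5.0 threshold shown in the report.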