On Thu, 2008-11-27 at 09:51 +1300, Lists wrote:
> Bill Randle wrote:
> > On Thu, 2008-11-27 at 09:37 +1300, Kate Kleinschafer wrote:
> >
> >> John Hardin wrote:
> >>
> >>> On Thu, 27 Nov 2008, Lists wrote:
> >>>
> >>>
> >>>> Here is an example of one that only scored low.
> >>>> http://www.pastebin.ca/1267866
> >>>>
> >>> There was some discussion on the list of spaces.live.com URI spam a
> >>> few weeks back, and some rules posted. Those might help.
> >>>
> >>>
> >> Thanks I will check that out.
> >>
> >
> > We got some this morning too, but they appear to be getting caught by
> > XBL and Botnet now. Here's how your message scored:
> >
> > X-Spam-Report:
> > * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> > * [200.219.72.83 listed in zen.spamhaus.org]
> > * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> > * 5.5 BOTNET Relay might be a spambot or virusbot
> > * [botnet0.8,ip=200.219.72.83,nordns]
> > * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable
> > relay lines
> > * 0.4 URI_HEX URI: URI hostname has long hexadecimal sequence
> > * -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
> > * [score: 0.3341]
> > * 0.0 HTML_MESSAGE BODY: HTML included in message
> > * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> > * 0.1 RDNS_NONE Delivered to trusted network by a host with no
> > rDNS
> > * 0.6 HELO_MISMATCH_COM HELO_MISMATCH_COM
> >
> > -Bill
> >
> >
> >
> I will look into the BOTNET as I don't believe we are using this at the
> moment. Do you get many fp's with this?
Not that I'm aware of. If you're concerned, you can lower the score. I
keep it fairly high as sometimes it's the only thing of any significance
that hits.
You can also search the list archives BOTNET and pick up some of the
discussion about effectiveness and potential for false positives.
-Bill
