Hi there

I just got a very large Chinese spam (>4M) - I seem to get several of
these a month. Anyway, while I was fiddling with it I saw the score SA
gave it when it could actually swallow the whole thing (see below).

As you can see, MIME_CHARSET_FARAWAY, CHARSET_FARAWAY_HEADER, and
SARE_SUB_ENC_GB2312 (from openprotect rules) all triggered - total of
8.0 points. Sounds good - but of course that's very bad! Doesn't that
mean an actual legitimate Chinese email would *default to a score of
8.0*!?!?!?!

There's a lot of overlap there - comments?

Jason


X-Spam-Status: Yes, score=12.1 required=5.0 tests=CHARSET_FARAWAY_HEADER,
        HTML_MESSAGE,MIME_BASE64_TEXT,MIME_CHARSET_FARAWAY,MISSING_HEADERS,
        SARE_SUB_ENC_GB2312,SPF_PASS,TVD_SPACE_RATIO,
        URIBL_DOB_SURBL autolearn=disabled version=3.2.5
X-Spam-Relay-Country:
X-Spam-Report:
        *  0.1 URIBL_DOB_SURBL Contains an URL listed in the DOB SURBL blocklist
        *      [URIs: googlemail.com]
        *  1.3 SARE_SUB_ENC_GB2312 Subject specifies display in non-English lang
        * -0.0 SPF_PASS SPF: sender matches SPF record
        *  3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
        *  1.6 MISSING_HEADERS Missing To: header
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
        *  0.5 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
        *  2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign language

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
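As an added example (not part of Jason's mail or of SpamAssassin itself), a small Python audit that parses an X-Spam-Report block in the format quoted above and totals the rules that fire on the message's charset or locale rather than on its content; which rules count as the "charset family" is my assumption, as is the sample report, which is reconstructed from the post.

```python
import re

# Constructed sample: the X-Spam-Report lines from the post, in the shape
# SpamAssassin 3.2.x emits them ("*  <score> <RULE> <description>").
SAMPLE_REPORT = """\
        *  0.1 URIBL_DOB_SURBL Contains an URL listed in the DOB SURBL blocklist
        *      [URIs: googlemail.com]
        *  1.3 SARE_SUB_ENC_GB2312 Subject specifies display in non-English lang
        * -0.0 SPF_PASS SPF: sender matches SPF record
        *  3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
        *  1.6 MISSING_HEADERS Missing To: header
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
        *  0.5 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
        *  2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign language
"""

# A rule line starts with "*", a signed decimal score, then the rule name.
# Continuation lines such as "*      [URIs: ...]" carry no score and are skipped.
RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

# Rules that score the charset/locale of the mail, not spam content. This
# grouping is an assumption for the audit, not SpamAssassin metadata.
CHARSET_RULES = {"MIME_CHARSET_FARAWAY", "CHARSET_FARAWAY_HEADER",
                 "SARE_SUB_ENC_GB2312"}


def parse_report(report: str) -> dict:
    """Return {rule_name: score} for every scored line of an X-Spam-Report."""
    scores = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores


def charset_stack(scores: dict, family=CHARSET_RULES, required: float = 5.0) -> dict:
    """Sum the charset-family rules that fired and compare against the
    site's required score, i.e. what a clean mail in that charset would
    carry before any content rule has looked at it."""
    hits = {rule: s for rule, s in scores.items() if rule in family}
    total = round(sum(hits.values()), 1)
    return {"hits": hits, "total": total, "exceeds_threshold": total >= required}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("all rules:", round(sum(parsed.values()), 1))  # matches score=12.1
    print("charset stack:", charset_stack(parsed))
```

In SpamAssassin the CHARSET_FARAWAY family is governed by the `ok_locales` configuration setting, so a site that legitimately receives Chinese mail tunes that (or lowers the individual scores in local.cf) rather than living with the stacked default.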