Hi there

I just got a very large Chinese spam (>4M) - I seem to get several of
these a month. Anyway, while I was fiddling with it I saw the score SA
gave it when it could actually swallow the whole thing (see below).

As you can see, MIME_CHARSET_FARAWAY, CHARSET_FARAWAY_HEADER, and
SARE_SUB_ENC_GB2312 (from openprotect rules) all triggered - total of
8.0 points. Sounds good - but of course that's very bad! Doesn't that
mean an actual legitimate Chinese email would *default to a score of
8.0*!?!?!?!

There's a lot of overlap there - comments?

Jason

X-Spam-Status: Yes, score=12.1 required=5.0 tests=CHARSET_FARAWAY_HEADER,
    HTML_MESSAGE,MIME_BASE64_TEXT,MIME_CHARSET_FARAWAY,MISSING_HEADERS,
    SARE_SUB_ENC_GB2312,SPF_PASS,TVD_SPACE_RATIO,
    URIBL_DOB_SURBL autolearn=disabled version=3.2.5
X-Spam-Relay-Country:
X-Spam-Report:
    *  0.1 URIBL_DOB_SURBL Contains an URL listed in the DOB SURBL
    *      blocklist
    *      [URIs: googlemail.com]
    *  1.3 SARE_SUB_ENC_GB2312 Subject specifies display in
    *      non-English lang
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in
    *      headers
    *  1.6 MISSING_HEADERS Missing To: header
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
    *  0.5 MIME_BASE64_TEXT RAW: Message text disguised using base64
    *      encoding
    *  2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign
    *      language

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
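
An X-Spam-Report like the one quoted in this message can be tallied mechanically to see how many points come from charset and language rules and how many from everything else. The script below is an added example, not part of the original post: `parse_report` and `locale_share` are names made up for the illustration, and the report text and the required score are copied from the message.

```python
import re
from decimal import Decimal

# X-Spam-Report lines copied from the message above; wrapped descriptions
# are kept as indented continuation lines.
REPORT = """\
* 0.1 URIBL_DOB_SURBL Contains an URL listed in the DOB SURBL
    blocklist
    [URIs: googlemail.com]
* 1.3 SARE_SUB_ENC_GB2312 Subject specifies display in
    non-English lang
* -0.0 SPF_PASS SPF: sender matches SPF record
* 3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in
    headers
* 1.6 MISSING_HEADERS Missing To: header
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
* 0.5 MIME_BASE64_TEXT RAW: Message text disguised using base64
    encoding
* 2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign
    language
"""
REQUIRED = Decimal("5.0")  # required= value from the X-Spam-Status header
# The three rules the post names as firing on charset/language alone.
LOCALE_RULES = {"MIME_CHARSET_FARAWAY", "CHARSET_FARAWAY_HEADER", "SARE_SUB_ENC_GB2312"}
# A hit line is "* <score> <RULE_NAME> <description>"; anything else is a continuation.
HIT = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return {rule: (score, description)}, folding wrapped lines into the rule above."""
    hits, last = {}, None
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            last = m.group(2)
            hits[last] = (Decimal(m.group(1)), m.group(3).strip())
        elif last and line.strip():
            score, desc = hits[last]
            hits[last] = (score, desc + " " + line.strip(" *\t"))
    return hits

def locale_share(hits, rules=LOCALE_RULES):
    """Split the total into (points from the named rules, points from everything else)."""
    locale = sum(s for name, (s, _) in hits.items() if name in rules)
    total = sum(s for s, _ in hits.values())
    return locale, total - locale

if __name__ == "__main__":
    locale, rest = locale_share(parse_report(REPORT))
    print(f"charset/language rules: {locale}  other rules: {rest}  required: {REQUIRED}")
```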