Hi there

I just got a very large Chinese spam (>4M) - I seem to get several of these a month. Anyway, while I was fiddling with it I saw the score SA gave it when it could actually swallow the whole thing (see below).

As you can see, MIME_CHARSET_FARAWAY, CHARSET_FARAWAY_HEADER, and SARE_SUB_ENC_GB2312 (from openprotect rules) all triggered - total of 8.0 points. Sounds good - but of course that's very bad! Doesn't that mean an actual legitimate Chinese email would *default to a score of 8.0*!?!?!?!

There's a lot of overlap there - comments?

Jason

X-Spam-Status: Yes, score=12.1 required=5.0 tests=CHARSET_FARAWAY_HEADER,
	HTML_MESSAGE,MIME_BASE64_TEXT,MIME_CHARSET_FARAWAY,MISSING_HEADERS,
	SARE_SUB_ENC_GB2312,SPF_PASS,TVD_SPACE_RATIO,
	URIBL_DOB_SURBL autolearn=disabled version=3.2.5
X-Spam-Relay-Country:
X-Spam-Report:
	*  0.1 URIBL_DOB_SURBL Contains an URL listed in the DOB SURBL blocklist
	*      [URIs: googlemail.com]
	*  1.3 SARE_SUB_ENC_GB2312 Subject specifies display in non-English lang
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
	*  1.6 MISSING_HEADERS Missing To: header
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
	*  0.5 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
	*  2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign language

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1