On 4.12.2009 18:00, Thomas Harold wrote:
> SA had a lot of trouble identifying this as spam. The IP
> (174.139.37.196) is not yet listed in a lot of the DNSBLs. So it only
> scored around a 1.0 on the spam meter.
>
> http://pastebin.com/m1d0a75b7
>
> It uses a block of foreign language spam at the end to get past some SA
> checks. Such as HTML_IMAGE_RATIO. The text/plain section is completely
> empty (and doesn't match the text/html section).
>

Content analysis details:   (14.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [174.139.37.196 listed in
                            bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [174.139.37.196 listed in
                            hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [174.139.37.196 listed in
                            bl.spameatingmonkey.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML
                            sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with
                            no rDNS
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

--
http://www.iki.fi/jarif/
Many pages make a thick book.
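
Added example, not part of either poster's message and not SpamAssassin code: a Python check for the trait mentioned in the quoted text, a text/plain part that is empty while the text/html part carries the content. The function name `alt_parts_report` and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser


class _Text(HTMLParser):
    """Collects the character data found between HTML tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def alt_parts_report(raw: bytes) -> dict:
    """Compare the text/plain and text/html bodies of one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain, html = "", ""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() == "text/plain":
            plain += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    extractor = _Text()
    extractor.feed(html)
    plain_words = plain.split()
    html_words = " ".join(extractor.chunks).split()
    return {
        "plain_words": len(plain_words),
        "html_words": len(html_words),
        # Heuristic: HTML carries text while the plain alternative has none.
        "empty_plain_with_html": not plain_words and bool(html_words),
    }


# Constructed sample (not the pastebin message): empty text/plain, filled text/html.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.org\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n\r\n"
    b"--XX\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body><img src='cid:1'><p>Save big today</p></body></html>\r\n"
    b"--XX--\r\n"
)
```

The flag is a heuristic to feed into scoring alongside other signals, since some legitimate senders also ship an empty text/plain alternative.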
