Mailing List Archive

bad spam slips under the radar
(This was posted to another list. I've obscured the domains, IPs, and user-names but have otherwise left it intact.)

The text part is innocuous. The .gif and included url reference are not.
The domain on the url is weird, though.

This scored only 2.9 here (with net checks, Razor2, local "rules emporium"
rules, and a well-trained Bayes).

Bob G. wrote separately:

Based on this, I have stuck in some "tiny font" rules for spamassassin.
Those in coding_html.cf didn't seem to hit, so I created one that hits
the particular font spec pattern used in this message. I also set up a
meta rule that trips on biz + tiny fonts to add to the "scent".

---

I'm passing it along in case someone would like to try the new small
font and other rules against it.

---

update: I just ran a fairly recent SA 3.0.0-r9307 against this message
and got the following:

Content analysis details: (6.7 points, 5.0 required)

pts  rule name             description
---- --------------------- ----------------------------------------------
1.0  RCVD_BY_IP            Received by mail server with no name
1.7  BAYES_80              BODY: Bayesian spam probability is 80 to 90%
                           [score: 0.8586]
3.0  MPART_ALT_DIFF        BODY: HTML and text parts are different
1.0  RCVD_DOUBLE_IP_LOOSE  Received: by and from look like IP addresses

----

The RCVD_BY_IP may be an artifact of the fact that I obscured the IP addresses, and I ran the dev. version of SA on a machine where things like "trusted_networks" aren't defined. I found it odd that on this machine Bayes kicked in with BAYES_80, but on my production machine, running SA 2.63, this message was scored as follows:

Content analysis details: (2.9 points, 5.0 required)

pts  rule name             description
---- --------------------- ----------------------------------------------
0.1  HTML_MESSAGE          BODY: HTML included in message
0.1  BIZ_TLD               URI: Contains a URL in the BIZ top-level domain
1.4  FVGT_u_BIZ_SITE       URI: FVGT - contains a URL in the BIZ top-level
                           domain
1.0  FVGT_u_DOM_START_NUM  URI: FVGT - domain name starts with numbers
0.3  MY_DOT_BIZ            URI: A .biz found in url.

-----

Note that the Bayes database is in my network-mounted home directory.
Why would the 'dev' version of SA trigger at the BAYES_80 level, but
2.63 did not? Uses different scores?
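An added example, not code from the post or from SpamAssassin, of the checks discussed above: a tiny-font body rule, a .biz URI rule, a meta rule that fires when both hit, and a text-vs-HTML comparison in the spirit of MPART_ALT_DIFF, run over a constructed message. The rule names, scores and the tiny-font pattern are assumptions (the post does not show the exact font spec it matched).

```python
import re
from email import message_from_string
from html import unescape

# Constructed scores for illustration only; not SpamAssassin's real scores.
SCORES = {"TINY_FONT": 1.5, "BIZ_URL": 0.3, "BIZ_TINY_META": 1.5, "MPART_ALT_DIFF": 3.0}

# Assumed tiny-font pattern: CSS font-size of 0-3 px/pt, or a <font size=0/1> tag.
TINY_FONT_RE = re.compile(
    r'font-size\s*:\s*[0-3](?:\.\d+)?\s*(?:px|pt)\b|<font\b[^>]*\bsize=["\']?[01]\b', re.I)
# URI rule: any http(s) URL under the .biz top-level domain.
BIZ_URL_RE = re.compile(r'https?://[^\s"\'<>]+\.biz\b', re.I)
TAG_RE = re.compile(r"<[^>]+>")

def parts(raw):
    """Return (text, html) bodies of a raw RFC 822 message; a missing part is ''."""
    text = html = ""
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/plain":
            text += body
        else:
            html += body
    return text, html

def words(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))

def score(raw):
    """Return (sorted rule hits, total score) for one message."""
    text, html = parts(raw)
    hits = set()
    if TINY_FONT_RE.search(html):
        hits.add("TINY_FONT")
    if BIZ_URL_RE.search(html) or BIZ_URL_RE.search(text):
        hits.add("BIZ_URL")
    if {"TINY_FONT", "BIZ_URL"} <= hits:  # meta rule: both sub-rules fired
        hits.add("BIZ_TINY_META")
    if text and html:  # MPART_ALT_DIFF-style: alternative parts should carry the same words
        visible = words(unescape(TAG_RE.sub(" ", html)))
        tw = words(text)
        if len(tw & visible) / max(len(tw | visible), 1) < 0.5:
            hits.add("MPART_ALT_DIFF")
    return sorted(hits), round(sum(SCORES[h] for h in hits), 1)

# Constructed sample: innocuous text part; HTML part with a tiny-font block, a .gif and a .biz URL.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nHi, just checking in about the meeting next week.\n"
    "--b1\nContent-Type: text/html\n\n"
    '<html><body><a href="http://123example.biz/x"><img src="http://123example.biz/a.gif"></a>'
    '<span style="font-size:1px">limited offer cheap meds order now</span></body></html>\n'
    "--b1--\n"
)
```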
Re: bad spam slips under the radar

"Gary Funck" writes:
> 1.0 RCVD_BY_IP Received by mail server with no name
> 1.7 BAYES_80 BODY: Bayesian spam probability is 80 to 90%
> [score: 0.8586]
> 3.0 MPART_ALT_DIFF BODY: HTML and text parts are different
> 1.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses
>
>----
>
>the RCVD_BY_IP may be an artifact of the fact that I obscured the IP
>addresses,
>and I ran the dev. version of SA on a machine where things like
>"trusted_networks"
>isn't defined. I found it odd, that on this machine Bayes kicked in with
>BAYES_80, but on my production machine, running SA 2.63, this message was
>scored as follows:

What happened to BIZ_TLD there? hmm.

Anyway, RCVD_BY_IP, MPART_ALT_DIFF, RCVD_DOUBLE_IP_LOOSE are all new
3.0.0 rules, and will probably get high scores because they seem very
reliable. BAYES_80 could be explained by the new Bayes tokenization
rules...

--j.