Mailing List Archive

these are getting thru
This is the first time SpamAssassin has let anything thru for me.

It is since I changed from procmail to sendmail/spamass-milter, but I
don't know if that's the cause or if it's a new stealth spam.

please see

http://dev.genestate.com/debug/fn1.txt
http://dev.genestate.com/debug/fn2.txt
http://dev.genestate.com/debug/fn3.txt
http://dev.genestate.com/debug/fn4.txt
http://dev.genestate.com/debug/fn5.txt

Some of them seem to include a SpamAssassin report (bottom) from my machine
but with different scores to the report in the headers. I have no clue what
is going on now :)

thanks in advance.

--
A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official. It is a Canon Holey Wholly Holy Holy-Water Cannon.

Yes, of course it's the right cabl [le0: NO CARRIER]
these are getting thru
Hi, I didn't get a response last time this was posted so here
we go again :)

I seem to be getting spam thru which has an older-style report in the header
(as well as my newer one) and some sort of spamassassin report tacked onto the
end.

I have recently changed my mail setup so this could be related. I do not think
this is the case tho as not all mail is getting changed like this and the report
attached has different scores/hits than my report in the header.

It seems to be making the mails just slip through.

Samples are found here:

http://dev.genestate.com/debug/spam/

RE: these are getting thru
> From: Mat Harris
> Sent: Sunday, February 08, 2004 7:21 AM
>
> Hi, I didn't get a response last time this was posted so here
> we go again :)
[...]
>
> It seems to be making the mails just slip through.
>
> Samples are found here:
>
> http://dev.genestate.com/debug/spam/
>

Although not a compelling spam score, it was enough to cross the
threshold, using some custom rules:

Content preview: Hey, man...havent had you take a drive by lately. Why
don't ya try sometime?:
http://sb3.chainedmicrophone.com/51074251/10488/1133/bigtime.html I
think if you'd just relent and see here, you'd be thrilled:
http://sb3.chainedmicrophone.com/51074251/10488/1133/bigtime.html [...]

Content analysis details: (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 HTML_IMAGE_ONLY_06     BODY: HTML: images with 400-600 bytes of words
 2.1 BAYES_90               BODY: Bayesian spam probability is 90 to 99%
                            [score: 0.9693]
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.2 MY_TITLE               BODY: Testing for HTML title in emails
 0.9 MY_SHRT_IMG            BODY: 1-3 letter gif or jpeg in url.
 0.7 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

The particular custom rules being hit are from here:

http://www.merchantsoverseas.com/wwwroot/gorilla/oct03_rules.cf

It'd be nice if this sort of spam could be scored over 5.0 without Bayes,
but it'd probably require some additional custom rules unique to this type
of spam.
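
An added example, not part of the original thread: a small Python parser for the "Content analysis details" report quoted in the reply above. It checks that the listed rule points add up to the stated total (a quick test when a message carries a report whose scores differ from your own headers) and shows how far below the threshold this message lands once the BAYES_* hit is excluded. The function names are illustrative, and the report text is copied from the reply with its columns re-aligned.

```python
import re

# Report lines copied from the reply above (columns re-aligned).
REPORT = """\
Content analysis details:   (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 HTML_IMAGE_ONLY_06     BODY: HTML: images with 400-600 bytes of words
 2.1 BAYES_90               BODY: Bayesian spam probability is 90 to 99%
                            [score: 0.9693]
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.2 MY_TITLE               BODY: Testing for HTML title in emails
 0.9 MY_SHRT_IMG            BODY: 1-3 letter gif or jpeg in url.
 0.7 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
"""

NUM = r"-?\d+(?:\.\d+)?"
SUMMARY_RE = re.compile(rf"\(({NUM}) points, ({NUM}) required\)")
# A rule line is: points, RULE_NAME, description. Header, separator and
# wrapped continuation lines (e.g. "[score: ...]") do not match.
RULE_RE = re.compile(rf"^\s*({NUM})\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return (total, required, {rule_name: points}) from a report body."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no '(N points, M required)' summary line found")
    hits = {}
    for line in text.splitlines():
        r = RULE_RE.match(line)
        if r:
            hits[r.group(2)] = float(r.group(1))
    return float(m.group(1)), float(m.group(2)), hits

def analyse(text, exclude_prefix="BAYES_"):
    """Check the report's arithmetic and re-score it without one rule family."""
    total, required, hits = parse_report(text)
    listed = round(sum(hits.values()), 1)
    rest = round(sum(p for n, p in hits.items()
                     if not n.startswith(exclude_prefix)), 1)
    return {
        "consistent": listed == total,       # rule points add up to the total
        "flagged": total >= required,
        "score_without": rest,
        "flagged_without": rest >= required,
        "shortfall_without": round(required - rest, 1),
    }

if __name__ == "__main__":
    print(analyse(REPORT))
```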