Any Ideas on these rules

Kearney, Rob RKearney at AZERTY.COM
Fri Sep 5 14:44:56 IST 2003


This might belong on the SA list, so lemme know if I should try there
instead.

We are running MS 4.21-9, SA 2.55

in spam.assassin.prefs.conf we have this set of rules to flag SoBig as spam.


header   __SOBIG_X      X-MailScanner =~ /Found to be clean/
header   __SOBIG_SUBJ1  Subject =~ /(?:Re\: Details|Re\: Re\: My details|Your details)/
header   __SOBIG_SUBJ2  Subject =~ /(?:Re\: Thank you\!|Thank you\!)/
header   __SOBIG_SUBJ3  Subject =~ /(?:Re\: Approved|Re\: That movie|Re\: Wicked screensaver|Re\: Your application)/

body      __SOBIG_BODY  /(?:See the attached file for details|Please see the attached file for details\.)/

meta      SOBIG         __SOBIG_X && (__SOBIG_SUBJ1 || __SOBIG_SUBJ2 || __SOBIG_SUBJ3) && __SOBIG_BODY
describe  SOBIG         Sobig virus
score     SOBIG         20.0

For example.. here are the headers of a current Sobig virus that got
through (our MS/SA gateway forwards to an antivirus server which detects
anyways)

(with the received by headers and some stuff deleted to protect the innocent)
Message-Id: <200309051320.h85DJxHl008772 at host.domain.com>
From: <euripedes.alves at alcan.com>
To: <dan at thecoughlincompany.com>
Subject: Re: Wicked screensaver
Date: Fri, 5 Sep 2003 10:14:01 --0300
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
X-COMPANY-MailScanner-Information: Please contact the Helpdesk for more information
X-COMPANY-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.2, required 5,
        MICROSOFT_EXECUTABLE 0.10, RAZOR2_CHECK 2.06)
X-COMPANY-MailScanner-SpamScore: ss

I double-checked my MySQL database and can ensure that the rule stated above
is being used on some of these mails.

thanks,


-rob
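
A small harness for seeing which conjunct of the SOBIG meta rule fails on a given message, added here as an example and not part of the original post. It re-implements the posted sub-rules in Python rather than running SpamAssassin itself; the two message bodies are constructed (the post shows headers only), and collapsing whitespace in the body before matching is a simplifying assumption.

```python
import re
from email import message_from_string

# Sub-rules copied from the post; Python's re accepts these patterns unchanged.
HEADER_RULES = {
    "__SOBIG_X": ("X-MailScanner", r"Found to be clean"),
    "__SOBIG_SUBJ1": ("Subject", r"(?:Re\: Details|Re\: Re\: My details|Your details)"),
    "__SOBIG_SUBJ2": ("Subject", r"(?:Re\: Thank you\!|Thank you\!)"),
    "__SOBIG_SUBJ3": ("Subject", r"(?:Re\: Approved|Re\: That movie|"
                                 r"Re\: Wicked screensaver|Re\: Your application)"),
}
BODY_RULES = {
    "__SOBIG_BODY": r"(?:See the attached file for details|"
                    r"Please see the attached file for details\.)",
}

def evaluate(raw):
    """Return {rule: bool} for each sub-rule and for the SOBIG meta rule."""
    msg = message_from_string(raw)
    hits = {}
    for name, (header, pattern) in HEADER_RULES.items():
        hits[name] = any(re.search(pattern, v) for v in msg.get_all(header) or [])
    # Assumption: single-part text body, whitespace collapsed before matching
    # so a phrase wrapped across lines still counts.
    payload = msg.get_payload()
    body = " ".join(payload.split()) if isinstance(payload, str) else ""
    for name, pattern in BODY_RULES.items():
        hits[name] = bool(re.search(pattern, body))
    # Same boolean expression as the meta rule in the post.
    hits["SOBIG"] = (hits["__SOBIG_X"]
                     and (hits["__SOBIG_SUBJ1"] or hits["__SOBIG_SUBJ2"]
                          or hits["__SOBIG_SUBJ3"])
                     and hits["__SOBIG_BODY"])
    return hits

# Headers taken from the post; both bodies are constructed for illustration.
HEADERS = ("Subject: Re: Wicked screensaver\n"
           "X-MailScanner: Found to be clean\n"
           "MIME-Version: 1.0\n\n")
WITH_PHRASE = HEADERS + "Please see the attached file\nfor details.\n"
WITHOUT_PHRASE = HEADERS + "Constructed body that lacks the phrase.\n"

if __name__ == "__main__":
    for label, raw in (("with phrase", WITH_PHRASE), ("without", WITHOUT_PHRASE)):
        hits = evaluate(raw)
        print(label, "SOBIG =", hits["SOBIG"],
              "misses:", sorted(n for n, ok in hits.items() if not ok))
```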


