Spamassassin negative score? {Scanned}

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Jan 14 16:22:22 GMT 2004

Matt Kettler wrote:
> At 09:57 AM 1/14/2004, SW wrote:
>> Hi folks,
>> I'm just trying to figure out how lately lots of spam gets a 'negative'
>> score resulting in not being seen as spam? Do I need to make some
>> changes in
>> Mailscanner.conf to fix this problem or is this a known loophole spammers
>> use?
> <snip>
>> X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7,
>> required
>> 4,
>>  BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)
>> X-UIDL: joV"!$mT"!"!E!!%!3!!
> It looks like your bayes database is poison. It's giving the message a 0%
> chance of spam based on your training database.
> If you're not doing manual training, disable bayes.. autolearning is NOT
> sufficient to have a working bayes database.
> Unfortunately the SA default is to have bayes and autolearning enabled, so
> many people don't realize they need to manually train in the default
> config, resulting in badly trained bayes databases.

I'm using the following rules to trap 10+ random work and odd font
definitions...and about to try an fake habaes rule as well (last rule)

rawbody LOCAL_ZERO_FONTSIZE /\bfont-size\: 0pt|font.*size="0"|font.*size=0/i
describe LOCAL_ZERO_FONTSIZE Font has a size of Zero. What is being hidden?

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0

## Chris Petersen Rules
## 01-09-04
## v1.1

## I've noticed that a lot of spams recently have been following the
random-words technique,
## with very little "spam" content - often just an image or some
obfuscated text.  Has anyone
## given any thought to writing up a rule that detects a LACK of
punctuation, or a lack of
## short words like a/and/the?  It'd be easy for spammers to get around,
but at
least it would
## keep them out of inboxes for awhile.

rawbody  CP_RANDOMWORD_10
describe CP_RANDOMWORD_10       string of 10+ random words
score    CP_RANDOMWORD_10       0.5

rawbody  CP_RANDOMWORD_15
describe CP_RANDOMWORD_15       string of 15+ random words
score    CP_RANDOMWORD_15       2.5

# Jan 2004 : Fake Habeas
header __HABEAS_SWE                eval:message_is_habeas_swe( )

header __HAB_FORGE_BOUND            Content-Type =~
header __HAB_FORGE_MID              Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/

meta HABEAS_FORGERY                 (__HAB_FORGE_BOUND &&
meta HABEAS_SWE                     (__HABEAS_SWE && ! HABEAS_FORGERY)
# -8.0 for default Habeas score.
describe HABEAS_FORGERY             Common Habeas Forgery
lang fr describe  HABEAS_FORGERY    Spammeur utilisant Habeas sans
score HABEAS_FORGERY                3.5

as ever watch those line breaks...

Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.


More information about the MailScanner mailing list