Spamassassin negative score? {Scanned}

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Jan 14 16:22:22 GMT 2004


Matt Kettler wrote:
> At 09:57 AM 1/14/2004, SW wrote:
>
>> Hi folks,
>>
>> I'm just trying to figure out how lately lots of spam gets a 'negative'
>> score resulting in not being seen as spam? Do I need to make some changes in
>> Mailscanner.conf to fix this problem or is this a known loophole spammers
>> use?
>
> <snip>
>
>> X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7,
>> required
>> 4,
>>  BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)
>> X-UIDL: joV"!$mT"!"!E!!%!3!!
>
>
> It looks like your bayes database is poison. It's giving the message a 0%
> chance of spam based on your training database.
>
> If you're not doing manual training, disable bayes.. autolearning is NOT
> sufficient to have a working bayes database.
>
> Unfortunately the SA default is to have bayes and autolearning enabled, so
> many people don't realize they need to manually train in the default
> config, resulting in badly trained bayes databases.

I'm using the following rules to trap 10+ random words and odd font
definitions...and about to try a fake Habeas rule as well (last rule)

rawbody LOCAL_ZERO_FONTSIZE /\bfont-size\: 0pt|font.*size="0"|font.*size=0/i
describe LOCAL_ZERO_FONTSIZE Font has a size of Zero. What is being hidden?
score LOCAL_ZERO_FONTSIZE 4.5

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0

## Chris Petersen Rules
## 01-09-04
## v1.1

## I've noticed that a lot of spams recently have been following the random-words technique,
## with very little "spam" content - often just an image or some obfuscated text.  Has anyone
## given any thought to writing up a rule that detects a LACK of punctuation, or a lack of
## short words like a/and/the?  It'd be easy for spammers to get around, but at least it would
## keep them out of inboxes for awhile.


rawbody  CP_RANDOMWORD_10       /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
describe CP_RANDOMWORD_10       string of 10+ random words
score    CP_RANDOMWORD_10       0.5

rawbody  CP_RANDOMWORD_15       /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe CP_RANDOMWORD_15       string of 15+ random words
score    CP_RANDOMWORD_15       2.5




# Jan 2004 : Fake Habeas
header __HABEAS_SWE                eval:message_is_habeas_swe( )

header __HAB_FORGE_BOUND            Content-Type =~ /boundary="--[0-9]{15,20}"/
header __HAB_FORGE_MID              Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/

meta HABEAS_FORGERY                 (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE)
meta HABEAS_SWE                     (__HABEAS_SWE && ! HABEAS_FORGERY)
# -8.0 for default Habeas score.
describe HABEAS_FORGERY             Common Habeas Forgery
lang fr describe  HABEAS_FORGERY    Spammeur utilisant Habeas sans autorisation
score HABEAS_FORGERY                3.5




as ever watch those line breaks...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
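
Added example, not part of the original post and not SpamAssassin's own code: a small Python harness that runs the three rawbody regexes from the message above over constructed sample bodies and adds their scores to the stock-rule hits from the quoted SpamCheck header. Assumptions: each regex is applied to the whole body string (a simplification of how SpamAssassin feeds rawbody rules), the uri and Habeas rules are left out, and the sample bodies and function names are made up for illustration.

```python
import re

# Local rawbody rules from the post, as (name, regex, score).
RULES = [
    ("LOCAL_ZERO_FONTSIZE",
     re.compile(r'\bfont-size\: 0pt|font.*size="0"|font.*size=0', re.I), 4.5),
    ("CP_RANDOMWORD_10", re.compile(
        r'(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}'), 0.5),
    ("CP_RANDOMWORD_15", re.compile(
        r'(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}'), 2.5),
]

# Stock-rule hits and threshold from the SpamCheck header quoted in the post.
BASE_HITS = {"BAYES_00": -4.90, "HTML_MESSAGE": 0.10, "NORMAL_HTTP_TO_IP": 0.10}
REQUIRED = 4.0

def local_hits(body):
    """Names of the local rules whose regex matches the body (assumed: whole string)."""
    return [name for name, rx, _ in RULES if rx.search(body)]

def total_score(body, base=BASE_HITS):
    """Base score plus the score of every local rule that fires, rounded to 2 places."""
    fired = set(local_hits(body))
    local = sum(score for name, _, score in RULES if name in fired)
    return round(sum(base.values()) + local, 2)

# Constructed sample bodies (not taken from real mail).
SPAM = ('<font style="font-size: 0pt">marble tundra quiver lantern pebble orchard '
        'velvet canyon thimble garnet sparrow bramble cobalt mistral walnut harbor</font>')
HAM = "Hi Bob, the Q3 report is on the shared drive. Let me know if you need it by Friday."
# Legitimate text with a long run of 4-12 letter lowercase words: trips the 10-word rule.
WORDY_HAM = ("Team, please find attached quarterly revenue figures covering northern "
             "southern eastern western regional offices today.")

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("ham", HAM), ("wordy ham", WORDY_HAM)):
        score = total_score(body)
        print(label, local_hits(body), score, "spam" if score >= REQUIRED else "not spam")
```

With BAYES_00 still contributing -4.90, the constructed spam body fires all three local rules and totals 2.8, which is below the required 4.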




