worm emails marked as possible spam
Scott Silva
ssilva at SGVWATER.COM
Thu Dec 1 18:28:18 GMT 2005
IT Dept spake the following on 12/1/2005 9:15 AM:
> Hi Everyone,
>
> I'm getting tons of complaints from my users that are complaining about
> the amount of "spam" they're getting over the past week or so. These are
> messages with subjects such as "hi, ive a new mail address" and so
> forth. Obviously, it's not really spam, but the result of one of the
> Sober worm variants. But the problem is that although SOME of the
> messages get tagged as high spam, and therefore the users aren't
> notified...many of the messages don't score high enough for that, so get
> tagged as possible spam and the user's inbox gets bigger...some users
> are apparently getting hundreds of these a day.
>
> How do I block these damned things, or at least not have the system
> notify my users about them?
>
> Thanks,
> Chris
>
I looked for one of these and got the following scores:
3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE Message hits more than one network digest check
0.20 DNS_FROM_RFC_ABUSE Envelope sender in abuse.rfc-ignorant.org
1.45 DNS_FROM_RFC_WHOIS Envelope sender in whois.rfc-ignorant.org
0.14 FORGED_RCVD_HELO Received: contains a forged HELO
1.61 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
0.96 NO_REAL_NAME From: does not include a real name
2.70 PRIORITY_NO_NAME Message has priority, but no user agent name
1.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.00 RCVD_IN_JAMM Received via a relay in JAMMConsulting
1.50 RCVD_IN_NJABL_DUL NJABL: dialup sender did non-local SMTP
2.05 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
1.38 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
Spamassassin Score: 22.92
Maybe you need some more tuning?
--
/-----------------------\ |~~\_____/~~\__ |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!| ~~~|/~~ |
\-----------------------/ ()
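Added example, not part of the original post: a short parser for the score report above that groups the hits by test family and recomputes the total with only some families enabled, to show how much of the 22.9 comes from Bayes and the network checks. The thresholds 6 and 10 and the family groupings are assumptions made for the illustration, not values taken from either poster's configuration.

```python
import re

# Report text as posted above, including the wrapped Razor2 line.
REPORT = """\
3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE Message hits more than one network digest check
0.20 DNS_FROM_RFC_ABUSE Envelope sender in abuse.rfc-ignorant.org
1.45 DNS_FROM_RFC_WHOIS Envelope sender in whois.rfc-ignorant.org
0.14 FORGED_RCVD_HELO Received: contains a forged HELO
1.61 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
0.96 NO_REAL_NAME From: does not include a real name
2.70 PRIORITY_NO_NAME Message has priority, but no user agent name
1.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.00 RCVD_IN_JAMM Received via a relay in JAMMConsulting
1.50 RCVD_IN_NJABL_DUL NJABL: dialup sender did non-local SMTP
2.05 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
1.38 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
Spamassassin Score: 22.92
"""

REQUIRED, HIGH = 6.0, 10.0  # assumed "possible spam" / "high spam" thresholds
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")
FAMILIES = [  # assumed grouping by rule-name prefix; anything else is "local"
    ("bayes", ("BAYES_",)),
    ("digest", ("DCC_", "RAZOR2_", "DIGEST_")),
    ("dnsbl", ("RCVD_IN_", "DNS_FROM_")),
    ("spf", ("SPF_",)),
]

def parse_report(text):
    """Return [(rule, score)]; wrapped description and total lines are skipped."""
    return [(m.group(2), float(m.group(1)))
            for m in map(HIT.match, text.splitlines()) if m]

def family(rule):
    return next((name for name, pre in FAMILIES if rule.startswith(pre)), "local")

def verdict(hits, enabled):
    """Score and tag the message using only the enabled test families."""
    score = round(sum(s for r, s in hits if family(r) in enabled), 2)
    tag = "high spam" if score >= HIGH else "possible spam" if score >= REQUIRED else "clean"
    return score, tag

if __name__ == "__main__":
    hits = parse_report(REPORT)
    for enabled in ({"local"}, {"local", "bayes"}, {"local", "bayes", "digest", "dnsbl", "spf"}):
        print(sorted(enabled), verdict(hits, enabled))
```

The displayed per-rule values add up to 22.93 rather than the reported 22.92, presumably because the report rounds each rule score for display.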