worm emails marked as possible spam

Scott Silva ssilva at SGVWATER.COM
Fri Dec 2 22:28:19 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

IT Dept spake the following on 12/1/2005 4:57 PM:
> Scott Silva wrote:
> 
>> I looked for one of these and got the following scores;
>>
>> 3.50    BAYES_99    Bayesian spam probability is 99 to 100%
>> 2.17    DCC_CHECK    Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>> 0.77    DIGEST_MULTIPLE    Message hits more than one network digest
>> check
>> 0.20    DNS_FROM_RFC_ABUSE    Envelope sender in abuse.rfc-ignorant.org
>> 1.45    DNS_FROM_RFC_WHOIS    Envelope sender in whois.rfc-ignorant.org
>> 0.14    FORGED_RCVD_HELO    Received: contains a forged HELO
>> 1.61    MISSING_MIMEOLE    Message has X-MSMail-Priority, but no
>> X-MimeOLE
>> 0.96    NO_REAL_NAME    From: does not include a real name
>> 2.70    PRIORITY_NO_NAME    Message has priority, but no user agent name
>> 1.50    RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
>> 1.50    RAZOR2_CF_RANGE_E4_51_100    Razor2 gives engine 4 confidence
>> level
>> above 50%
>> 0.50    RAZOR2_CHECK    Listed in Razor2 (http://razor.sf.net/)
>> 1.00    RCVD_IN_JAMM    Received via a relay in JAMMConsulting
>> 1.50    RCVD_IN_NJABL_DUL    NJABL: dialup sender did non-local SMTP
>> 2.05    RCVD_IN_SORBS_DUL    SORBS: sent directly from dynamic IP address
>> 1.38    SPF_SOFTFAIL    SPF: sender does not match SPF record (softfail)
>>
>> Spamassassin Score: 22.92
>>
>>
>> Maybe you need some more tuning?
>>  
>>
> Scott,
> 
> Not only do I likely need tuning, my spamassasin likely does as well. :-)
> 
> I'm running Bayes, DCC, Razor. My scores for this worm aren't nearly
> that high. Are you running custom rulesets as well? Other plugins?
> 
> Thanks,
> Chris
> 
I am running the RulesDuJour set from Fortress Systems (www.fsl.com)
I might have bumped some scores up to suit my situation, and the only
custom (written by me) hit I see is the Jamm blocklist, but it is
depreciating, and will someday be useless.
 The biggest score seems to be from the bayes hit, as this box has been
training for over a year. I'm not sure where the 2 razor_2_cf scores
come from. Maybe because this box has been upgraded through the
spamassassin versions since 2.63.



-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list