I can not seem to stop these emails... (antidrug.cf obsolete)
Matt Kettler
mkettler at EVI-INC.COM
Mon Nov 7 16:07:25 GMT 2005
Rob wrote:
> Right, I have that, although it seems to be over a year old....

That's correct, I've not updated antidrug.cf in a long time. Really, antidrug.cf
is only for users of SA older than 3.0.0. If you've got 3.0.x or 3.1.x you don't
need antidrug.cf, as it's now a built-in ruleset.

In fact, if you have 3.0.0 or newer, you REALLY should NOT be using antidrug.cf,
as if the SA devs make any improvements, you'll be covering them up with old rules.

> These emails are kind of new with respect to how they are made... the word
> Viagra is not in the email at all so I guess that rule will not work,
> although Viagra does show in the email when it's viewed...
>
> you can see 2 examples of the emails here...
>
> http://www.dido.ca/spam/drug.txt

Yes, that's a newer variant that antidrug's techniques don't cover. It's yet
another "table obfuscation" spam. SARE's "specific" ruleset covers these
somewhat, but not this particular email.

Razor, dcc, pyzor, etc. are good measures against these, as is good bayes training.

As for your example, here are the results I get out of SA 3.1.0 + razor + dcc:
--------------------------------------------------------
Content analysis details:   (13.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.2 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [70.49.221.195 listed in dnsbl.sorbs.net]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
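
Added example, not part of Matt Kettler's post: a small parser for the report above that groups the points by evidence source, to show how much of the score comes from Bayes and the network checks rather than from static rules. The grouping of rule-name prefixes into sources and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Report abridged from the post above (some continuation and zero-score lines dropped).
REPORT = """\
Content analysis details:   (13.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- ----------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
 0.2 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
"""

# Assumption of this example: rule-name prefixes grouped by evidence source.
SOURCES = {"digest": ("RAZOR2_", "DCC_", "PYZOR_", "DIGEST_"),
           "bayes": ("BAYES_",), "dnsbl": ("RCVD_IN_",)}
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s")
HEAD = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")

def source_of(rule):
    # Anything not matching a listed prefix counts as a static rule.
    return next((s for s, p in SOURCES.items() if rule.startswith(p)), "static")

def breakdown(report):
    """Return (required_score, {source: points}) for one SA report."""
    head = HEAD.search(report)
    if head is None:
        raise ValueError("no '(N points, M required)' header found")
    totals = defaultdict(Decimal)
    for line in report.splitlines():
        m = HIT.match(line)
        if m:  # continuation lines such as "[score: 1.0000]" do not match
            totals[source_of(m.group(2))] += Decimal(m.group(1))
    return Decimal(head.group(2)), dict(totals)

def still_spam_without(report, *dropped):
    """True if the message reaches the threshold without the named sources."""
    required, totals = breakdown(report)
    return sum(v for k, v in totals.items() if k not in dropped) >= required

if __name__ == "__main__":
    print(breakdown(REPORT))
```

On this report the static rules contribute 2.9 points on their own, so the message crosses the 5.0 threshold only once Bayes or the network checks are counted.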