I can not seem to stop these emails... (antidrug.cf obsolete)

Rob rob at THEHOSTMASTERS.COM
Mon Nov 7 16:52:36 GMT 2005



I am using 3.04; I will remove antidrug right away...

Thanks


Rob Morin
Dido Internet Inc.
Montreal, Canada
514-990-4444
http://www.dido.ca

----- Original Message ----- 
From: "Matt Kettler" <mkettler at EVI-INC.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, November 07, 2005 11:07 AM
Subject: Re: I can not seem to stop these emails... (antidrug.cf obsolete)


> Rob wrote:
>> Right, I have that, although it seems to be over a year old...
>
> That's correct, I've not updated antidrug.cf in a long time. Really, antidrug.cf
> is only for users of SA older than 3.0.0. If you've got 3.0.x or 3.1.x you don't
> need antidrug.cf, as it's now a built-in ruleset.
>
> In fact, if you have 3.0.0 or newer, you REALLY should NOT be using antidrug.cf,
> as if the SA devs make any improvements, you'll be covering them up with old rules.
>
>> These emails are kind of new with respect to how they are made... the word
>> Viagra is not in the email at all so I guess that rule will not work,
>> although Viagra does show in the email when it's viewed...
>>
>> You can see 2 examples of the emails here...
>>
>> http://www.dido.ca/spam/drug.txt
>
> Yes, that's a newer variant that antidrug's techniques don't cover. It's yet
> another "table obfuscation" spam. SARE's "specific" ruleset covers these
> somewhat, but not this particular email.
>
> Razor, dcc, pyzor, etc are good measures against these, as is good bayes training.
>
> As for your example, here are the results I get out of SA 3.1.0 + razor + dcc:
>
> --------------------------------------------------------
> Content analysis details:   (13.5 points, 5.0 required)
>
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                            [score: 1.0000]
> 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>                            above 50%
>                            [cf: 100]
> 0.2 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                            [cf: 100]
> 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                            [70.49.221.195 listed in dnsbl.sorbs.net]
> 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
> 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website! 




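The advice in the quoted reply (no antidrug.cf on SpamAssassin 3.0.0 or newer) written as a check, as an added example that is not part of the original thread. The function names are hypothetical, and the version string and rules directories are passed in by the caller.

```shell
#!/bin/sh
# Added example: flag a leftover antidrug.cf once the drug rules are built in.
# Assumed usage (the directory is an assumption, use your own site rules dir):
#   audit_antidrug "$(spamassassin --version | awk '{print $3; exit}')" /etc/mail/spamassassin

# Returns 0 if version $1 is 3.0.0 or newer, 1 if older, 2 if unparsable.
sa_has_builtin_drug_rules() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -ge 3 ]
}

# Prints every antidrug.cf found in the given directories; returns 0 if any exist.
find_antidrug() {
    found=1
    for dir in "$@"; do
        if [ -f "$dir/antidrug.cf" ]; then
            printf '%s\n' "$dir/antidrug.cf"
            found=0
        fi
    done
    return $found
}

# audit_antidrug VERSION DIR...
# Returns 1 when a stale antidrug.cf would shadow the built-in rules.
audit_antidrug() {
    version=$1; shift
    files=$(find_antidrug "$@") || { echo "ok: no antidrug.cf present"; return 0; }
    if sa_has_builtin_drug_rules "$version"; then
        echo "remove: SA $version has the drug rules built in; stale copy at:"
        echo "$files"
        return 1
    else
        rc=$?
    fi
    [ "$rc" -eq 1 ] || { echo "error: cannot parse version '$version'"; return 2; }
    echo "keep: SA $version predates 3.0.0, antidrug.cf still applies"
}
```

After removing the file, `spamassassin --lint` confirms the remaining rules still parse.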