New SPAM e-mails recently?

Glenn Steen glenn.steen at gmail.com
Fri Nov 10 08:23:14 GMT 2006


On 09/11/06, Scott Silva <ssilva at sgvwater.com> wrote:
> Jason Williams spake the following on 11/9/2006 12:23 PM:
> > Anyone been getting some new SPAM recently, where it comes in with
> > subjects like:
> >
> > It's Lorenzo :)
> > It's Flavia :)
> >
> > Bunch of names in the subject line.
> >
> > In the body of the message, it is a wide range of things like to buy
> > viagra and cialis.
> > Or a couple today are for buying stock (buy this symbol) etc.
> >
> > Anyone been getting these? I'm still getting my SA rules back in order.
> > Wasn't sure if any of these were sneaking through to anyone else.
> >
> > For those that are blocking, what is catching it so I can quickly put it
> > in?
> >
> > Thanks,
> >
> > -Jason
> Mine usually hit these;
> 3.50    BAYES_99        Bayesian spam probability is 99 to 100%
> 2.17    DCC_CHECK       Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 2.50    DIGEST_MULTIPLE Message hits more than one network digest check
> 1.00    FORGED_RCVD_HELO        Received: contains a forged HELO
> 1.50    RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%
> 1.50    RAZOR2_CF_RANGE_E4_51_100       Razor2 gives engine 4 confidence level above 50%
> 1.50    RAZOR2_CHECK    Listed in Razor2 (http://razor.sf.net/)
> 1.56    RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
> 2.05    RCVD_IN_SORBS_DUL       SORBS: sent directly from dynamic IP address
> 1.66    SARE_CSBIG      Only Mexican food gives me an Explosive Gain.
> 1.66    SARE_MLB_Stock1
> 1.66    SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.
> 1.07    SPF_NEUTRAL     SPF: sender does not match SPF record (neutral)
>
> Some variation, but mostly in the SARE rules and the digests.
>
I've now checked mine too. Yesterday I got 340, where all but one was
marked as spam (7 were low-scoring, the rest high). The rules that did
it for me were Bayes, Razor, TVD_STOCK1, DIGEST_MULTIPLE, DCC, a slew
of BLs (SORBS_DUL etc etc), HELO_DYNAMIC_* and SPF_NEUTRAL ... and
then some.

So, for me these haven't really been a problem (Postfix and all:-).

Note that I don't run the SARE stocks rules, else those would likely
have made an impact too.

And finally, my gut reaction ("they're probably images") was plain
wrong. Aren't statistics wonderful:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

