Scanning for Spam

Anthony Peacock a.peacock at chime.ucl.ac.uk
Fri Feb 9 17:11:18 CET 2007 

Anthony Peacock wrote:
> Hi,
> 
> am.lists wrote:
>> Anthony,
>>
>> When I obfuscated my real IP in the htm, I added 1.3 to that score
>> (illegal IP 1.2.3.163 and Janet RBL). But otherwise, the kicker was
>> the SARE_PROLOSTOCK_SYM3 test... I am not sure I have that rule.
> 
> Actually the kicker is Bayes, my Bayes is scoring 99% which gives it a 
> whole 3.5 points, added to the SARE stocks rules that is enough, 
> ignoring any network tests (see below)

I also meant to point out that your Bayes was only hitting 50% which add 
nothing to the score.  Start feeding these emails into the Bayes 
learning system, and it will start to match these emails.

> 
>> I looked on RE and don't see which group that's part of. It seems very
>> effective.
> 
> 
> That is in 70_SARE_STOCKS
> 
>>
>> UPDATE: I just received another text-only one, and it's on the URL below.
>>
>> I didn't obfuscate any IPs this time, so the THIRD message would be an
>> interesting test.
>>
>> http://mailgw.evokeemail.com/q/20070208.htm
> 
> Still get that one,
> 
> 
> Content analysis details:   (8.1 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- 
> --------------------------------------------------
>  0.3 TO_EMPTY               To: is empty
>  0.1 FROM_NO_LOWER          From address has no lower-case characters
>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>  0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  0.1 TO_CC_NONE             No To: or Cc: header
>  1.7 STOCK_NAME_FVGT1       STOCK_NAME_FVGT1
> 
> 
> 


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

More information about the MailScanner mailing list