Scanning for Spam

Scott Silva ssilva at sgvwater.com
Fri Feb 9 20:37:07 CET 2007


am.lists spake the following on 2/9/2007 7:57 AM:
> Anthony,
> 
> When I obfuscated my real IP in the htm, I added 1.3 to that score
> (illegal IP 1.2.3.163 and Janet RBL). But otherwise, the kicker was
> the SARE_PROLOSTOCK_SYM3 test... I am not sure I have that rule.
> 
> I looked on RE and don't see which group that's part of. It seems very
> effective.
> 
> UPDATE: I just received another text-only one, and it's on the URL below.
> 
> I didn't obfuscate any IPs this time, so the THIRD message would be an
> interesting test.
> 
> http://mailgw.evokeemail.com/q/20070208.htm

Here is how I hit #3

Content analysis details:   (11.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 TO_EMPTY               To: is empty
 0.1 FROM_NO_LOWER          From address has no lower-case characters
 1.0 L_DRUGS12              L_DRUGS12
 2.5 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.0 BOTNET                 Relay might be a spambot or virusbot
              [botnet0.7,ip=64.44.11.163,hostname=mailgw.evokemail.com,baddns]
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9972]
 1.7 STOCK_NAME_FVGT1       STOCK_NAME_FVGT1
 0.1 TO_CC_NONE             No To: or Cc: header

Excluding the botnet plugin, that is still a "9"

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!


