Please help - Not catching these spam - LOTS of them

Scott Silva ssilva at sgvwater.com
Tue Apr 28 22:26:13 IST 2009


on 4-22-2009 3:43 PM Andrews Carl 448 spake the following:
> All of them have an attachment named DSL####.png where the #### is a
> four digit number. I have tried to write a spamassassin rule but I do
> not know what I am doing because when I run the attached file through
> 'spamassassin -t'  I get a report of 1.0 requires 5.0 and it states the
> message is spam, which is confusing since I am getting an overall score
> of 1.0 and need a 5.0 to be spam.
>  
>  
> Thanks,
> Carl
> 
Content analysis details:   (20.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 RCVD_IN_UCE_PFSM_1     RBL: Received via a relay in UCE_PFSM_1
                            [202.129.232.141 listed in dnsbl-1.uceprotect.net]
 0.5 RCVD_IN_BRBL           RBL: Received via a relay in BRBL
                            [202.129.232.141 listed in b.barracudacentral.org]
 2.0 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [202.129.232.141 listed in psbl.surriel.com]
 2.0 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [202.129.232.141 listed in dnsbl-2.uceprotect.net]
 0.5 RCVD_IN_LASHBACK       RBL: Received via a relay in LashBack
                            [202.129.232.141 listed in ubl.unsubscore.com]
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.1 BOTNET_BADDNS          Relay doesn't have full circle DNS
            [botnet_baddns,ip=170.58.38.140,rdns=gatekeeper.crackerbarrel.com]
 4.0 BOTNET                 Relay might be a spambot or virusbot
         [botnet0.8,ip=170.58.38.140,rdns=gatekeeper.crackerbarrel.com,baddns]
 0.0 T_TVD_FW_GRAPHIC_ID1   BODY: T_TVD_FW_GRAPHIC_ID1
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 INLINE_IMAGE           RAW: Inline Images
 1.6 PART_CID_STOCK         Has a spammy image attachment (by Content-ID)




Look for the botnet plugin and install it.


Here are the rules that hit:

header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
tflags   RCVD_IN_UCE_PFSM_1          net
score    RCVD_IN_UCE_PFSM_1          0 2.50 0 2.50

header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
tflags   RCVD_IN_UCE_PFSM_2          net
score    RCVD_IN_UCE_PFSM_2          0 2 0 2

header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
tflags   RCVD_IN_UCE_PFSM_3          net
score    RCVD_IN_UCE_PFSM_3          0 2.50 0 2.50


header   RCVD_IN_PSBL          eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL          Received via a relay in PSBL
tflags   RCVD_IN_PSBL          net
score    RCVD_IN_PSBL          0 2 0 2


header   RCVD_IN_BRBL          eval:check_rbl('brbl', 'b.barracudacentral.org.')
describe RCVD_IN_BRBL          Received via a relay in BRBL
tflags   RCVD_IN_BRBL          net
score    RCVD_IN_BRBL          0 0.50 0 0.50


header   RCVD_IN_LASHBACK          eval:check_rbl('ubl', 'ubl.unsubscore.com.')
describe RCVD_IN_LASHBACK          Received via a relay in LashBack
tflags   RCVD_IN_LASHBACK          net
score    RCVD_IN_LASHBACK          0 0.50 0 0.50
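
Added example, not part of the original post and not SpamAssassin code: the attachment-name check described in the quoted question (DSL followed by four digits, then .png), written with Python's standard email package standing in for the mail filter. The function name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Pattern from the thread: "DSL", exactly four digits, ".png" (case-insensitive).
DSL_PNG = re.compile(r"DSL[0-9]{4}\.png", re.IGNORECASE)

def dsl_png_attachments(raw_message: str) -> list[str]:
    """Return the file names of all MIME parts named like DSL####.png."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and DSL_PNG.fullmatch(name.strip()):
            hits.append(name.strip())
    return hits

# Constructed sample message (not one of the spam messages from the thread).
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:img1"></body></html>
--b1
Content-Type: image/png; name="DSL4821.png"
Content-Transfer-Encoding: base64
Content-ID: <img1>
Content-Disposition: inline; filename="DSL4821.png"

iVBORw0KGgo=
--b1
Content-Type: image/png; name="DSL48210.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DSL48210.png"

iVBORw0KGgo=
--b1--
"""

if __name__ == "__main__":
    print(dsl_png_attachments(SAMPLE))
```

The five-digit name in the second image part is there to show that the match is anchored to exactly four digits.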


