How do I beat this spam?

Peter Ong peter.ong at hypermediasystems.com
Fri Jun 25 16:26:50 IST 2010


Thanks everyone. I am not using pyzor or razor. I could, but there's so much I have to do just to get the plumbing open, I'm discouraged. Let me do a little more analysis. Thanks again.

p

----- Original Message -----

> From: "Zaeem Arshad" <zaeem.arshad at gmail.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, June 25, 2010 7:50:30 AM
> Subject: Re: How do I beat this spam?
> 
> On Fri, Jun 25, 2010 at 6:05 PM, --[ UxBoD ]-- <uxbod at splatnix.net> wrote:
> > ----- Original Message -----
> >> Le 23/06/2010 17:48, Peter Ong a écrit :
> >> > Here's the original message with headers:
> >> > http://pastebin.com/NpZnVU2T
> >>
> >> That scores pretty high here (see below). Admittedly most of the points
> >> are from Bayes and network checks, but even if the sender wasn't
> >> blacklisted at the time you received the mail there should have been
> >> enough fodder to score as spam.
> >>
> >> > Content analysis details: (15.2 points, 5.0 required)
> >> >
> >> >  pts rule name description
> >> > ---- ---------------------- --------------------------------------------------
> >> >  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
> >> >                             [208.92.232.69 listed in bl.score.senderscore.com]
> >> >  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> >> >                             [208.92.232.69 listed in bb.barracudacentral.org]
> >> >  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> >> >                             [URIs: netmagasap.com]
> >> >  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >> >                             [score: 1.0000]
> >> >  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
> >> >  0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
> >> >  0.0 HTML_MESSAGE BODY: HTML included in message
> >> >  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
> >> >  0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> >> >  0.0 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
> >> >  1.5 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> >> >  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> >> >  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> >> >                             [cf: 100]
> >> >  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> >> >                             [cf: 100]
> >> >  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
> >> >  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
> >> >  0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
> >> >  0.0 T_REMOTE_IMAGE Message contains an external image
> >>
> >> John.
> >>
> >
> > Ya, I get a similar result to John:
> >
> > Content analysis details:   (27.6 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
> >                            [208.92.232.69 listed in b.barracudacentral.org]
> >  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
> >                            [URIs: netmagasap.com]
> >  4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
> >                            [URIs: netmagasap.com]
> >  1.5 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK
> >                            [208.92.232.69 listed in hostkarma.junkemailfilter.com]
> >  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
> >                            [208.92.232.69 listed in bb.barracudacentral.org]
> >  5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
> >                            [208.92.232.69 listed in sip.invaluement.com]
> >  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >  0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
> >  0.0 HTML_MESSAGE           BODY: HTML included in message
> >  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
> >                            [score: 0.4997]
> >  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
> >  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >  1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
> >  1.1 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> >  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> >  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> >                            [cf: 100]
> >  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> >                            [cf: 100]
> >  1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
> >  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> >  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
> >  0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
> >  0.0 T_REMOTE_IMAGE         Message contains an external image
> >
> > --
> 
> I got a similar result as these guys. In addition to that, you can
> block the specific character set in your MTA before it's even passed
> to MailScanner. I do something like this in postfix header_checks to
> get rid of unwanted character sets.
> 
> /^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/   REJECT Not these charactersets
> 
> 
> 
> --
> Zaeem


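The header_checks rule quoted above, exercised against a few constructed Subject headers. This is an added example, not part of the original thread; the Python matcher only approximates how Postfix applies a regexp table (case-insensitive by default, one logical header at a time), and all sample headers are made up.

```python
import re

# Pattern and action copied from the header_checks rule quoted above. Postfix
# regexp tables match case-insensitively by default, hence re.IGNORECASE.
RULE = re.compile(r"^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?",
                  re.IGNORECASE | re.DOTALL)
ACTION = "REJECT Not these charactersets"

def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers

def check(raw):
    """Return the rule's action if any logical header matches, else None."""
    for header in logical_headers(raw):
        if RULE.search(header):
            return ACTION
    return None

# Constructed header blocks (not taken from the pastebin message).
SAMPLES = {
    "gb2312 upper-case": "From: a@example.com\nSubject: =?GB2312?B?suLK1A==?=",
    "euc-kr folded": "Subject: Re: order\n =?euc-kr?B?xde9usau?=\nTo: b@example.com",
    "utf-8 encoded-word": "Subject: =?utf-8?B?5rWL6K+V?=",
    "charset named in plain text": "Subject: converting gb2312 files",
    "plain ascii": "Subject: meeting at 10",
}

def run():
    """Map each sample name to the action the rule would take (None = accepted)."""
    return {name: check(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:30} {verdict or 'pass to MailScanner'}")
```

The rule keys on the charset label of the RFC 2047 encoded-word in the Subject, so any legitimate correspondent whose mail client uses one of the four listed charsets is rejected too; check the mail logs for those charsets before enabling it.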