How do I beat this spam?
Peter Ong
peter.ong at hypermediasystems.com
Fri Jun 25 16:26:50 IST 2010
Thanks everyone. I am not using pyzor or razor. I could, but there's so much I have to do just to get the plumbing open, I'm discouraged. Let me do a little more analysis. Thanks again.
p
----- Original Message -----
> From: "Zaeem Arshad" <zaeem.arshad at gmail.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, June 25, 2010 7:50:30 AM
> Subject: Re: How do I beat this spam?
>
> On Fri, Jun 25, 2010 at 6:05 PM, --[ UxBoD ]-- <uxbod at splatnix.net> wrote:
> > ----- Original Message -----
> >> On 23/06/2010 17:48, Peter Ong wrote:
> >> > Here's the original message with headers:
> >> > http://pastebin.com/NpZnVU2T
> >>
> >> That scores pretty high here (see below). Admittedly most of the points
> >> are from Bayes and network checks, but even if the sender wasn't
> >> blacklisted at the time you received the mail there should have been
> >> enough fodder to score as spam.
> >>
> >> > Content analysis details: (15.2 points, 5.0 required)
> >> >
> >> >  pts rule name              description
> >> > ---- ---------------------- --------------------------------------------------
> >> >  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
> >> >                             [208.92.232.69 listed in bl.score.senderscore.com]
> >> >  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
> >> >                             [208.92.232.69 listed in bb.barracudacentral.org]
> >> >  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
> >> >                             [URIs: netmagasap.com]
> >> >  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
> >> >                             [score: 1.0000]
> >> >  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >> >  0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
> >> >  0.0 HTML_MESSAGE           BODY: HTML included in message
> >> >  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
> >> >  0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >> >  0.0 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
> >> >  1.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> >> >  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> >> >  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> >> >                             [cf: 100]
> >> >  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> >> >                             [cf: 100]
> >> >  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> >> >  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
> >> >  0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
> >> >  0.0 T_REMOTE_IMAGE         Message contains an external image
> >>
> >> John.
> >>
> >
> > Ya, I get a similar result to John:
> >
> > Content analysis details: (27.6 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
> >                             [208.92.232.69 listed in b.barracudacentral.org]
> >  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
> >                             [URIs: netmagasap.com]
> >  4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
> >                             [URIs: netmagasap.com]
> >  1.5 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK
> >                             [208.92.232.69 listed in hostkarma.junkemailfilter.com]
> >  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
> >                             [208.92.232.69 listed in bb.barracudacentral.org]
> >  5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
> >                             [208.92.232.69 listed in sip.invaluement.com]
> >  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> >  0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
> >  0.0 HTML_MESSAGE           BODY: HTML included in message
> >  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
> >                             [score: 0.4997]
> >  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
> >  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >  1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
> >  1.1 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> >  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> >  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> >                             [cf: 100]
> >  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> >                             [cf: 100]
> >  1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
> >  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> >  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
> >  0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
> >  0.0 T_REMOTE_IMAGE         Message contains an external image
> >
> > --
>
> I got a similar result as these guys. In addition to that, you can
> block the specific character set in your MTA before it's even passed
> to MailScanner. I do something like this in postfix header_checks to
> get rid of unwanted character sets.
>
> /^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/ REJECT Not these charactersets
>
>
>
> --
> Zaeem
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
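
An offline check of the header_checks rule quoted above, added here as an example and not part of the original thread: it runs the rule over constructed header blocks to show what it rejects and what it lets through. Python's `re` stands in for Postfix's regexp table matching (an assumption), and the function names and sample headers are made up for illustration.

```python
import re

# Rule quoted in the thread, joined onto one line as header_checks expects.
RULE = (r"/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/ "
        "REJECT Not these charactersets")

def parse_rule(line):
    """Parse '/pattern/flags action' from a Postfix regexp table line.

    Simplification: only the 'i' flag is handled. Regexp tables match
    case-insensitively by default and 'i' toggles that off.
    """
    m = re.match(r"/(.*)/([a-z]*)\s+(.+)$", line.strip())
    if not m:
        raise ValueError(f"not a regexp table rule: {line!r}")
    pattern, flags, action = m.groups()
    return re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action

def logical_headers(raw):
    """Unfold a raw header block: header_checks sees one logical header at a time."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", raw)
    return [h for h in re.split(r"\r?\n", unfolded) if h]

def check(raw, rule=RULE):
    """Return the rule's action if any logical header matches, else None."""
    regex, action = parse_rule(rule)
    return next((action for h in logical_headers(raw) if regex.search(h)), None)

# Constructed header blocks (not taken from the message discussed in the thread).
SAMPLES = {
    "big5 subject": "From: a@example.com\r\nSubject: =?big5?B?pECkVg==?=\r\n",
    "upper-case charset": "Subject: =?GB2312?B?xOO6ww==?=\r\n",
    "folded subject": "Subject: Re: order\r\n =?euc-kr?B?wPy9wg==?=\r\n",
    "utf-8 subject": "Subject: =?UTF-8?B?0L/RgNC40LLQtdGC?=\r\n",
    # Limitation: the body charset lives in Content-Type, which this rule ignores.
    "gb2312 body only": 'Subject: hello\r\nContent-Type: text/html; charset="gb2312"\r\n',
    # Limitation: encoded-words in other headers are not inspected either.
    "big5 in From": "From: =?big5?B?pECkVg==?= <a@example.com>\r\nSubject: hi\r\n",
}

def run():
    return {name: check(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:20} -> {result or 'no match'}")
```

On a host with Postfix installed, `postmap -q` with a header line as the key against the `regexp:` table is the authoritative way to confirm the same results.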