spamassassin-users October 2010 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: Spam US$350,000 not tripped

Re: Spam US$350,000 not tripped

From: Karsten Bräckelmann <guenther_at_nospam>
Date: Tue Oct 19 2010 - 21:56:09 GMT
To: users@spamassassin.apache.org

On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> On 19/10/10 22:34, Dennis German wrote:
> > I am surprised this plain text spam did not trip for US$350,000
> > sa 3.2.4

Uhm, a generic amount of money on it's own is not a sign of spam. You
know, some people do deal with and talk about money...

> It hits a stack of rules here (some are my own scoring) - looks like
> it's time to upgrade to SA 3.3.1.

> * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9999]
> * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> * [148.208.170.3 listed in bb.barracudacentral.org]

Seriously? Or is that a score typo in your cf files?

> * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
> * [148.208.170.3 listed in hostkarma.junkemailfilter.com]

BRBL and JMF are easy enough to add to an existing 3.2.x installation.

> * 1.0 MISSING_HEADERS Missing To: header

Stock 3.2.x, scored even slightly higher.

> * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns

Easy enough to add to 3.2.x via sa-update. Recommended.

Bayes of course also is part of stock 3.2.x. ;) Plethora of new fraud
rules snipped.

-- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}