Re: "KAUF-TIPP DER WOCHE" spam getting through

by --[ UxBoD ]--

I ran them through our server and scored as follows :-

Content analysis details:   (9.9 points, 5.0 required)
 
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 SARE_WEOFFER           BODY: Offers Something
 3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
 0.8 SARE_RMML_Stock19      BODY: SARE_RMML_Stock19
 0.1 SPOOF_OURI             URI: URI has items in odd places
 0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.1 SARE_URI_4_BIZ         URI: Domain has a "four-you" type domain name
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.7 SARE_FRAUD_X3          Matches 3+ phrases commonly used in fraud spam
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay


Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.0 RELAY_CHECKER_BADDNS   Doesn't have full circle DNS
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4319]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
           [122.111.44.35 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

Content analysis details:   (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://www.openspf.org/why.html?sender=myersonkrgg%40ajk-enterprises.com&ip=82.88.48.142&receiver=ajax.noc.ntua.gr]
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0004]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit
 0.0 RCVD_DOUBLE_IP_LOOSE   Received: by and from look like IP addresses

Content analysis details:   (8.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.6 RATWARE_RCVD_PF        Bulk email fingerprint (Received PF) found
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                            1)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0001]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.1 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
 3.6 RATWARE_RCVD_PF        Bulk email fingerprint (Received PF) found
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0005]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

Content analysis details:   (8.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 2.2 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
                            IP)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.0 RELAY_CHECKER_BADDNS   Doesn't have full circle DNS
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0001]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias" <christias@...> wrote:

> Hello,
>
> the last days we get a lot of spam like this:
>
> ---- spam body begins here ----
> Words disputed interview galli provisions raise, eyebrows dead holders!
>
> KAUF-TIPP DER WOCHE
>
> LESEN SIE DIE NACHRICTEN
> STONEBRIDGE RES EXP   Frankfurt:   S3C.F
>
> Name :    STONEBRIDGE RES EXP
> Kurzel :    S3C.F
> WKN :    A0HHEB
> Borsenplatz :    Frankfurt
> Schluss-Stand 23.03.2007 :    Euro 0.10
> Prognose bis 02.04.2007 :    Euro 0.21
>
> Freedom hampton radical illich ivan, fontana ishiguro kazuo.
> Austerlitz natural history semprun. Scrfrk tue am foudy fans.
> Newsgroup msdn chappell app? Remote locations talk improving, access
> ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
> indicate. Required preserve specify references interested.
> Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
> Example unicode character exact numeric without decimal such numbers.
> Cedega natively lowlevel emulators binary gaming opengl.
> Investors press privacy, statement mypoints mysite, juno, photosite
> registered.
> End, dialogues spiritual renewal thames hudson chorus stones.
> Effective auditing procedures handy records kept propertys examined.
> Money resources time others, worse than no so why? Setupmore botts
> george ou real world wireless lan myths! Red hats expense technology,
> announced last year helping.
> Guzman writings, osip natasha mandelstam susan, griffin.
> ---- spam body ends here ----
>
> We use rbls on our border mail servers, SA 3.1.8, sa-update and
> rules_du_jour to update our rule set from spamassassin and
> rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
> SPF, RelayChecker etc. Still many of those spam messages get low
> scores and slip through. Scores as low as -1.2 (!) like the message
> above which triggered the following rules:
>
> X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
> Ideas and suggestions are welcome.
>
> Regards,
> Panagiotis
>
> ps. I understand that a simple rule matching something /^KAUF-TIPP DER
> WOCHE$/ would wipe out all of them but I am interested in a more
> generic/efficient way.
>
> ps2. both messages marked as spam or ham are available here:
>       http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@...

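Added here as an illustration, not code from the thread or from SpamAssassin: a small Python 3.8+ parser for the "Content analysis details" blocks above. It adds up each block's rule points, counts how often each rule fires across the samples (the raw material for the more generic meta rule Panagiotis asks about), and recomputes each verdict with BAYES_00 set aside to show how far a mistrained Bayes database drags these scores down. The report text embedded in it is constructed and abridged from the blocks above with totals recomputed; the third block reproduces the -1.2 message quoted in the question, and the SPF URL is a placeholder.

```python
import re
from collections import Counter

# Constructed, abridged copies of three report blocks from the thread; totals recomputed.
REPORTS = """\
Content analysis details:   (4.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://www.openspf.org/why.html?sender=EXAMPLE]
 3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0004]
 2.0 RELAY_CHECKER          Any RelayChecker rule hit
Content analysis details:   (6.1 points, 5.0 required)
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
 2.0 RELAY_CHECKER          Any RelayChecker rule hit
Content analysis details:   (-1.2 points, 5.0 required)
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
"""
HEADER = re.compile(r"^Content analysis details:\s+\((-?[\d.]+) points, ([\d.]+) required\)")
RULE = re.compile(r"^\s?(-?\d+\.\d+)\s+(\S+)")  # continuation/decoration lines never match

def parse_reports(text):
    """One (reported_total, required, {rule: points}) tuple per report block."""
    blocks = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            blocks.append((float(m.group(1)), float(m.group(2)), {}))
        elif (m := RULE.match(line)) and blocks:
            blocks[-1][2][m.group(2)] = float(m.group(1))
    return blocks

def total(rules, ignore=None):
    """Score from the rule points, optionally with one rule set aside (e.g. BAYES_00)."""
    return round(sum(v for k, v in rules.items() if k != ignore), 1)

def rule_frequency(blocks):
    """How many blocks each rule fired in: candidates for a generic meta rule."""
    return Counter(name for _, _, rules in blocks for name in rules)

def verdicts(blocks, ignore=None):
    """Spam/ham verdict per block, optionally with one rule's points ignored."""
    return [total(rules, ignore) >= required for _, required, rules in blocks]
```

On these three samples only the -1.2 message stays below the threshold once BAYES_00 is disregarded, which points at the Bayes training data rather than the rule set.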