Donald

My analysis (SA 3.1.8)


Content analysis details: (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header
                            and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
                            lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2

Putting in a "spam list" in mailscanner.conf will make anything that
hits that RBL be marked as spam....nothing to do with SA!

Also the URI-black and grey are already in SA, so need to add them in.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: donald.dawson@bakerbotts.com [mailto:donald.dawson@bakerbotts.com]
> Sent: 05 July 2007 16:48
> To: users@spamassassin.apache.org
> Subject: FW: isolated W
>
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
> SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor. We run
> sa-update and RulesDuJour for automatic updates.
>
> We turned off Razor since it was causing delays in processing mail.
>
> In MailScanner, we turned off SpamHaus since we process too much email -
> it appears it was just raising the score of high spam: 'Spam List =
> SBL+XBL'
>
> We also use milter-greylist during the hours of 10 PM and 5 AM. We use
> milter-null (snert) to reduce bounce backs.
>
> We receive about 300k emails a day with about 70% identified as spam.
> We deliver about 5% of the suspected spam (score below 5).
>
> We added URIBL checks to our mailscanner.cf file:
>
> urirhssub URIBL_BLACK multi.uribl.com. A 2
> body      URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe  URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags    URIBL_BLACK net
> score     URIBL_BLACK 3.0
>
> urirhssub URIBL_GREY multi.uribl.com. A 4
> body      URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
> describe  URIBL_GREY Contains an URL listed in the URIBL greylist
> tflags    URIBL_GREY net
> score     URIBL_GREY 0.25
>
> I am considering adding the botnet plugin from:
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
> adding fake MX entries.
>
> We use BAYES, but we don't feed spam or ham so it may have little help.
>
> Here are the cf files we use in /etc/mail/spamassassin:
>
> 00_FVGT_File001.cf 70_sare_highrisk.cf 70_sare_stocks.cf
> 72_sare_bml_post25x.cf bogus-virus-warnings.cf random.cf
> 70_sare_adult.cf 70_sare_html0.cf 70_sare_unsub.cf
> 72_sare_redirect_post3.0.0.cf chickenpox.cf sa-update-keys
> 70_sare_bayes_poison_nxm.cf 70_sare_html_eng.cf 70_sare_uri0.cf
> 88_FVGT_body.cf init.pre tripwire.cf
> 70_sare_evilnum0.cf 70_sare_obfu0.cf 70_sare_uri_eng.cf
> 88_FVGT_rawbody.cf local.cf v310.pre
> 70_sare_genlsubj0.cf 70_sare_oem.cf 70_sare_whitelist.cf
> 88_FVGT_subject.cf mailscanner.cf v312.pre
> 70_sare_genlsubj_eng.cf 70_sare_random.cf
> 70_sare_whitelist_rcvd.cf 88_FVGT_uri.cf mangled.cf
> v320.pre
> 70_sare_header0.cf 70_sare_specific.cf
> 70_sare_whitelist_spf.cf 99_sare_fraud_post25x.cf pdfinfo.cf
> weeds.cf
> 70_sare_header_eng.cf 70_sare_spoof.cf 70_zmi_german.cf
> bakerbotts.cf popcorn_new.cf
>
> Any input on our configuration would be appreciated - this is a great
> forum!
>
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>
>

> ------------------------------------------------------------------------
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
> HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
> houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
> [10.20.254.236]) by housweep03.bakerbotts.net
> (Content Technologies SMTPRS 4.3.20) with ESMTP id
> for
> ;
> Thu, 5 Jul 2007 10:09:08 -0500
> Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
> housweep01.bakerbotts.net
> (Content Technologies SMTPRS 4.3.20) with ESMTP id
> for
> ;
> Thu, 5 Jul 2007 10:09:08 -0500
> X-Envelope-From: fxl@ubs.com
> Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
> [84.20.18.243])
> by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
> l65F8mIB022832
> for ; Thu, 5 Jul 2007 10:08:55
> -0500
> Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007 17:08:48
> +0200
> Received: from unknown (HELO tjz) (196.128.111.164)
> by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
> +0200
> Message-ID: <468D0980.8060406@us.army.mil>
> Date: Thu, 5 Jul 2007 17:08:48 +0200
> From: Curry
> User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
> MIME-Version: 1.0
> To: donald.dawson@bakerbotts.com
> Subject: isolated W
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
> X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
> (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
> -0500 (CDT)
> X-BakerBotts-MailScanner-Information: Please contact the ISP for more
> information
> X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=0.3, required 5, SARE_WEOFFER 0.30)
> X-BakerBotts-MailScanner-From: fxl@ubs.com
> X-Spam-Status: No
> Return-Path: fxl@ubs.com
> X-OriginalArrivalTime: 05 Jul 2007 15:09:09.0028 (UTC)
> FILETIME=[6FDCDE40:01C7BF16]
>
>
> -----Original Message-----
> From: Curry [mailto:fxl@ubs.com]
> Sent: Thursday, July 05, 2007 10:09 AM
> To: Dawson, Donald
> Subject: isolated W
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>
> Mostly we invite artists and curators to put together shows for us;
> however we remain open to proposals.
>
> Please feel free to contact Steven Winogradsky directly to discuss your
> production and how The Winogradsky Company can best serve your company
> and the music needs of your clients.
>
> Elen-Florence is interested in aquiring a recording contract.
> It is not objectification, but going out beyond the bounds of reality.
> Access Error Headline functionality has been disabled from your
> intranet.
> Every two or three years this project will hold a central exhibition
> with a few supplementary ones.
>
> His works can be found in private collections in Canada, France,
> England, Australia, and the USA.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
> We currently stock thousands of books, CDs and videos, together with a
> superb range of dancewear from Capezio and Roch Valley.
>
> The director is always happy to talk on current exhibitions and about
> the work of the organisation. As a child, Alderman's talents were
> nurtured by a physician father who encouraged him to become a cosmetic
> surgeon.
>
> After the CD was finished the two guitar players were replaced by Geoff
> Schultz and Aaron Fletcher, they also aquired a second singer, Keith
> Yaskovich, and the name was changed to "Blank Shift".
>
> The Visitors Programme is a joint project with Creative New Zealand.
>
> Mai mica sau mai mare.
>
> com - ApS LesGalleries. It is not objectification, but going out beyond
> the bounds of reality. a luat premii cu caru, in general majoritatea
> criticilor .
>
> Hawes, Lewis Hine, W.
> "You follow their careers and you watch the evolution of two human
> beings over the course of a lifetime.
>
> Mai mica sau mai mare. Gigs in northern Germany included support shows
> for The Damned, Social Distortion, Bad Religion, U.
> An intuitive artist, he felt his talents and abilities surpassed those
> of college professors. It is not objectification, but going out beyond
> the bounds of reality. S-a intamplat o eroare. com - Janet Lehr Inc.
>
> Art works sales and curatorial projects.
>
> We offer our marketing design services.
>
> Here you can narrow your search. Subtle effects of lighting and shadow
> casting can also be explored. Offers logo galleries, FAQs, and on-line
> ordering. What music can I have for my wedding reception? She discovers
> a means of expression and communication that permits her to release her
> emotions trapped within her. His Studio is located in Canon City,
> Colorado, where he chose to live near the source of stone he sculpts as
> well as some of the finest bronze foundries in the nation.






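Added example, not part of the original thread and not SpamAssassin's own code: a sketch of how the bitmask in the quoted urirhssub lines (2 for URIBL_BLACK, 4 for URIBL_GREY) selects a rule from the A record the zone returns, and what the quoted scores would do to the sample's logged score of 0.3 against the required 5. The function names and the DNS answers are constructed for illustration; no lookup is performed.

```python
import ipaddress

# Rule lines copied from the mailscanner.cf quoted in the message above.
RULES_CF = """\
urirhssub URIBL_BLACK multi.uribl.com. A 2
score     URIBL_BLACK 3.0
urirhssub URIBL_GREY  multi.uribl.com. A 4
score     URIBL_GREY  0.25
"""

REQUIRED = 5.0    # "required 5" in the MailScanner header on this page
BASE_SCORE = 0.3  # score the sample received (SARE_WEOFFER only)


def parse_rules(cf_text):
    """Collect zone, bitmask and score per rule from urirhssub/score lines."""
    rules = {}
    for line in cf_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "urirhssub":
            _, name, zone, _rtype, mask = fields
            rules.setdefault(name, {}).update(zone=zone, mask=int(mask))
        elif len(fields) == 3 and fields[0] == "score":
            rules.setdefault(fields[1], {})["score"] = float(fields[2])
    return rules


def rules_hit(rules, a_record):
    """Rules whose mask bit is set in the returned address (127.0.0.x)."""
    value = int(ipaddress.IPv4Address(a_record))
    return sorted(name for name, r in rules.items() if value & r["mask"])


def rescored(rules, base_score, a_record):
    """Rule hits and the total score once their points are added."""
    hits = rules_hit(rules, a_record)
    return hits, round(base_score + sum(rules[n]["score"] for n in hits), 2)


if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    # Constructed answers: bit 2 set, bit 4 set, both set, neither set.
    for answer in ("127.0.0.2", "127.0.0.4", "127.0.0.6", "127.0.0.8"):
        hits, total = rescored(rules, BASE_SCORE, answer)
        verdict = "spam" if total >= REQUIRED else "not spam"
        print(f"{answer:<10} {hits!s:<30} {total:>5}  {verdict}")
```

With these scores, even a URIBL_BLACK hit leaves the sample at 3.3, still under the threshold of 5.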