On Sunday 09 November 2008 2:33 pm, Micah Anderson wrote:
> I'm getting a number of these types of emails getting through SA with
> either negative scores, or very low scores. This is surprising to me as
> these are pretty classic spams. I suspect that some of the low scores
> are due to being DKIM signed.
>
> Does anyone have any rules to catch these, or suggestions of scores to
> tweak to make these hit better? I am running clamav-milter with the
> sanesecurity add-ons, but these are still making it through.
>
> Here are 5 different ones, all of which got through in the last 24
> hours:
>
> http://micah.riseup.net/1
> http://micah.riseup.net/2
> http://micah.riseup.net/3
> http://micah.riseup.net/4
> http://micah.riseup.net/5
>
> Thanks


1 scored like this:

Content analysis details: (12.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
1.0 FREEMAIL_FROM From-address is freemail domain
0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
0.0 DK_SIGNED Domain Keys: message has a signature
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mx1.ri...k.localdomain]
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
Body
than From
0.0 HTML_MESSAGE BODY: HTML included in message
1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5005]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
[cpollock 1117; Body=1 Fuz1=many]
[Fuz2=many]
0.0 DIGEST_MULTIPLE Message hits more than one network digest check
0.1 RDNS_NONE Delivered to trusted network by a host with no
rDNS
2.9 KAM_LOTTO1 Likely to be a e-Lotto Scam Email
2.5 L_UNVERIFIED_GMAIL L_UNVERIFIED_GMAIL
1.0 SAGREY Adds 1.0 to spam from first-time senders

2 scored:

Content analysis details: (12.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
1.0 FREEMAIL_FROM From-address is freemail domain
2.1 SUBJ_ALL_CAPS Subject is all capitals
0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
0.0 DK_SIGNED Domain Keys: message has a signature
-0.0 DK_VERIFIED Domain Keys: signature passes verification
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mx1.ri...k.localdomain]
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
Body
than From
0.6 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
[cpollock 1117; Body=1 Fuz1=1 Fuz2=many]
1.2 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
1.0 SAGREY Adds 1.0 to spam from first-time senders

3 scored:

Content analysis details: (15.5 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
0.3 TO_TOO_MANY To: too many recipients
0.3 TO_WAY_TOO_MANY To: way too many recipients
1.0 FREEMAIL_FROM From-address is freemail domain
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mx1.ri...k.localdomain]
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
Body
than From
2.7 DEAR_FRIEND BODY: Dear Friend? That's not very dear!
4.1 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
[score: 0.8230]
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
[cpollock 1170; Body=many Fuz1=many]
[Fuz2=many]
1.2 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
1.0 SAGREY Adds 1.0 to spam from first-time senders

4 scored:

Content analysis details: (22.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
0.5 RELAY_JP Relayed through Japan
1.0 FREEMAIL_FROM From-address is freemail domain
0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
2.1 SUBJ_ALL_CAPS Subject is all capitals
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mx1.ri...k.localdomain]
4.1 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
[score: 0.9389]
2.5 CTYME_IXHASH BODY: iXhash found @ ixhash.junkemailfilter.com
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 76]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 76]
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
[cpollock 1170; Body=46 Fuz1=9 Fuz2=many]
0.0 DIGEST_MULTIPLE Message hits more than one network digest check
0.8 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE
2.5 L_UNVERIFIED_GMAIL L_UNVERIFIED_GMAIL
3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.0 SAGREY Adds 1.0 to spam from first-time senders

5 scored:

Content analysis details: (16.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
1.0 FREEMAIL_FROM From-address is freemail domain
0.6 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
2.1 SUBJ_ALL_CAPS Subject is all capitals
0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mx1.ri...k.localdomain]
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
Body
than From
0.0 HTML_MESSAGE BODY: HTML included in message
4.2 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
[score: 0.9820]
1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
[cpollock 1170; Body=468 Fuz1=468]
[Fuz2=many]
0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
0.0 UPPERCASE_50_75 message body is 50-75% uppercase
3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.0 SAGREY Adds 1.0 to spam from first-time senders

Above is how these scored on my stand-alone box. You may want to run the
Freemail plugin and the SA-Grey plugin. Are you running Razor?

--
Chris
KeyID 0xE372A7DA98E6705C
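Added example, not part of the thread: a small parser for the "Content analysis details" reports pasted above that re-adds the per-rule points, checks them against the header total, and flags the rules that subtract from the score (the DNSWL whitelist hit) or carry zero weight (DK_SIGNED). The embedded report is a constructed, trimmed copy of report 1 with the header total adjusted to match the rules kept; wrapped description lines are folded back onto their rule.

```python
import re

# Constructed sample: report 1 above, trimmed to a few rules, header total adjusted.
REPORT = """\
Content analysis details: (6.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[70.103.162.29 listed in list.dnswl.org]
1.0 FREEMAIL_FROM From-address is freemail domain
0.0 DK_SIGNED Domain Keys: message has a signature
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
Body
than From
1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.0 SAGREY Adds 1.0 to spam from first-time senders
"""

HEADER_RE = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")
RULE_RE = re.compile(r"^(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")

def parse_report(text):
    """Return (reported_total, required, [(rule, pts, desc)]); non-score lines are wrapped text of the previous rule."""
    total = required = 0.0
    rules = []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            total, required = float(h.group(1)), float(h.group(2))
        elif (m := RULE_RE.match(line)):
            rules.append((m.group(2), float(m.group(1)), m.group(3)))
        elif rules and line.strip():  # continuation of a wrapped description or [...] detail
            name, pts, desc = rules[-1]
            rules[-1] = (name, pts, desc + " " + line.strip())
    return total, required, rules

def score_breakdown(text):
    """Re-add per-rule points, check them against the header total, flag negative and zero-weight rules."""
    total, required, rules = parse_report(text)
    summed = round(sum(p for _, p, _ in rules), 1)
    return {
        "reported": total, "summed": summed,
        "consistent": abs(summed - total) < 0.05, "is_spam": summed >= required,
        "negative": [n for n, p, _ in rules if p < 0],
        "zero_weight": [n for n, p, _ in rules if p == 0.0],
        "top": [n for n, p, _ in sorted(rules, key=lambda r: -r[1])[:3]],
    }
```

Running `score_breakdown` over the five reports above shows the same pattern each time: the only negative contribution is the DNSWL listing, and the DK/SPF rules add nothing either way.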
