btech

Why didn't SpamAssassin catch this?


Return-Path: <wbphifxgijqgrh[at]hotmail.com>

Delivered-To: x

Received: (qmail 21820 invoked from network); 5 Nov 2004 20:06:39 -0000

Received: from unknown (192.168.1.103)

by blade5.cesmail.net with QMQP; 5 Nov 2004 20:06:39 -0000

Received: from unknown (HELO selekta.com) (216.28.119.65)

by mailgate2.cesmail.net with SMTP; 5 Nov 2004 20:06:39 -0000

Received: from SMTP32-FWD by selekta.com

(SMTP32) id ADFE206A200FC4161; Fri,  5 Nov 2004 15:17:45 -0500

Received: from pool-70-19-150-49.bos.east.verizon.net [70.19.150.49] by selekta.com

(SMTPD32-8.13) id AFE36A200FC; Fri, 05 Nov 2004 15:17:39 -0500

Message-ID: <4s7I_______________XlRr[at]yahoo.com>

To: x

From: "Trey Carlisle" <wbphifxgijqgrh[at]hotmail.com>

Subject: Cheap online tablets here

Date: Fri, 05 Nov 2004 21:06:17 +0100

Content-Type: text/html; charset=iso-8859-1

Mime-Version: 1.0

X-IMAIL-spam-VALFROM: (dfe206a200fc4161)

X-IMAIL-spam-HTML-FEATURES: (dfe206a200fc4161, Hyperlink)

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5

X-spam-Level: **

X-spam-Status: hits=2.8 tests=FORGED_HOTMAIL_RCVD2,HTML_50_60,HTML_MESSAGE,

       INFO_TLD,MIME_HTML_ONLY version=3.0.0

X-SpamCop-Checked: 192.168.1.103 216.28.119.65 70.19.150.49

<html>

       <head>

              <title>acknowledge</title>

       </head>

<body>

       <center>

       <font face="Verdana">

              calvert fork mustn't sinew ruffle jed coleus kraft

       <br>

              <h3>Need pres cription medication without a prior prescri ption?</h3>

              <p>Absolutely No Doctor's Appointments Needed!

       <br>

       <b>

              <a href="http://www.housecoat3misplaced.info/?gvo=VNhn6731&sdfg=0&uu=ta0z">Lowest prices on brand name and generic drvgs!</a>

       </b>

       <br>

              Stop getting promotional material <a href="http://www.housecoat3misplaced.info/v.ddd">here</a><br>

       <br>

              conversation jimenez grind actinometer box

       <br>

       </p>

       </font>

       </center>

</body>

</html>

X-spam-Level: **

X-spam-Status: hits=2.8 tests=FORGED_HOTMAIL_RCVD2,HTML_50_60,HTML_MESSAGE,

       INFO_TLD,MIME_HTML_ONLY version=3.0.0

I thought SpamAssassin looked for key "spam" words? If so, shouldn't it have caught:

Stop getting promotional material

Lowest prices on brand name and generic

Need pres cription medication without a prior prescri ption?Absolutely No Doctor's Appointments Needed!

I've seen 2 such spam messages hit my inbox today (filter level is set at 5), but both had words that I thought would be caught by the program.


Though not able to talk directly to an answer, let me just point out that most of the big-time spammers also have these tools in their "kit" .... much time is spent on working the spam to get it to go through the various filters. Once they get a construct that flies, the spew starts. When the filters start blocking them, a new construct is built. For instance, your sample includes the word "prescription" but it's spelled "pres cription" .... tomorrow, the same spam may have it spelled out as "pre scrip tion" ....


I agree that the filter wouldn't catch that, but these are caught by most filters in Hotmail and Yahoo:

"promotional"

"Lowest prices"

"brand name"

"generic"

"medication"

"Appointments"

I just found it odd that those words wouldn't get picked up by SpamAssassin.


Here is a list of the default tests performed by SA 3.0. Bear in mind that JT could have modified scoring on any of these and additional tests could have been added.

http://spamassassin.apache.org/tests_3_0_x.html

My guess is that if you posed your question to SpamAssassin administrators and programmers in general, they would expect messages such as the one you have posted to get caught by Bayesian scoring that would have tipped the scale up to 4 or 5 total points.

Keep in mind that SpamCop's implementation of SA includes neither blacklists nor Bayesian techniques, therefore this is irrelevant.

Long story short is that SpamCop is harnessing some of the power that SA allows for and it is still quite effective. Since it is unlikely that the Bayesian or blacklist portions of SA will be added on...if SpamCop's filtering is not adequate for you, I recommend taking matters into your own hands and using a Bayesian filter or some other kind of client filter to help with the few emails that are not getting caught. As you will find elsewhere, I am a strong believer in POPFile.

PeterJ

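The two points made so far, additive rule scoring against a threshold and spaced-out keywords slipping past word matching, shown together in an added example that is not from the thread or from SpamCop's configuration. It parses the X-spam-Status header posted above and applies two hypothetical local body rules; the rule names and their scores are assumptions, and they stand in for the extra points the posts attribute to Bayesian scoring.

```python
import re

# Header copied from the message posted at the top of this thread.
STATUS_HEADER = (
    "X-spam-Status: hits=2.8 tests=FORGED_HOTMAIL_RCVD2,HTML_50_60,HTML_MESSAGE,\n"
    "       INFO_TLD,MIME_HTML_ONLY version=3.0.0"
)
# Visible text of that message, tags stripped by hand.
BODY_TEXT = (
    "Need pres cription medication without a prior prescri ption? "
    "Absolutely No Doctor's Appointments Needed! "
    "Lowest prices on brand name and generic drvgs!"
)
THRESHOLD = 5.0  # the original poster's filter level

def parse_status(header):
    """Return (hits, [test names]) from a folded X-spam-Status header."""
    joined = re.sub(r"\r?\n[ \t]+", "", header)  # join continuation lines
    hits = float(re.search(r"\bhits=(-?\d+(?:\.\d+)?)", joined).group(1))
    tests = re.search(r"\btests=(\S*)", joined).group(1)
    return hits, [t for t in tests.split(",") if t]

def gap_tolerant(word, max_gap=2):
    """Regex for `word` allowing up to max_gap non-letters between letters."""
    sep = r"[^a-z]{0,%d}" % max_gap
    core = sep.join(re.escape(ch) for ch in word)
    return re.compile(r"(?<![a-z])" + core + r"(?![a-z])", re.I)

# Hypothetical local rules: names and scores are assumptions, not SA defaults.
LOCAL_RULES = {
    "LOCAL_GAPPY_PRESCRIPTION": (gap_tolerant("prescription"), 1.5),
    "LOCAL_NO_DOCTOR": (re.compile(r"no\s+doctor'?s?\s+appointments?", re.I), 1.0),
}

def rescore(header, body, threshold=THRESHOLD):
    """Add local rule scores to the reported hits; spam if total >= threshold."""
    hits, tests = parse_status(header)
    for name, (pattern, score) in LOCAL_RULES.items():
        if pattern.search(body):
            hits += score
            tests.append(name)
    hits = round(hits, 1)
    return hits, tests, hits >= threshold
```

A plain substring check for "prescription" finds nothing in this body, while the gap-tolerant pattern matches both spellings quoted in the thread; the `max_gap` limit keeps it from matching across unrelated words.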

Hi!

I often receive spam in my inbox because SpamAssassin has only found a score of 1-2. If I compare the tests made by the SpamAssassin of SpamCop with the ones by my provider (you can see it in the header of the email), you see that some tests are not made by SpamCop. Perhaps if these tests had been done by SpamCop also, the value would be higher and the email would have been blocked (I block with a value of 4 and above).

Any feedback??

Here is a reference:

http://www.spamcop.net/sc?id=z689483537z60...9bc16f7f95ea65z

Thanks,

Michael

Edited by m0urs


Great example. That is odd that no URIBL tests tripped from SpamCop's implementation of SA as last I knew we are using them...

It would be great if JT took a look at this and could confirm no issues with SpamCop's setup. I took a look at some of my recent spam and I have seen URIBL tests being tripped at least in a couple spam messages from blades 1, 2, 3, 4, and 6. I have not seen a recent message from blade 5 with URIBL tests being tripped, but this could just be a coincidence. Anyone else see any patterns?

PeterJ


Combined "m0urs" post in the Help Forum into this Topic in E-Mail ... Sent a PM to notify of the move/merge.

Note kicked out to JT reference blade5.

Combined "m0urs" post in the Help Forum into this Topic in E-Mail ... Sent a PM to notify of the move/merge.

Note kicked out to JT reference blade5.


I'm looking into this.

JT
