SPAM... How much does it take to trigger...

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

SPAM... How much does it take to trigger...

Post by SorenR » 2014-06-12 15:48

Got this today. Amazing how much output can come from so little. Almost full house :mrgreen:
This message did actually pass two of my tests. Sender HELO matches IP address (sort of) and it does have a valid A or MX record (sort of)...


Return-Path: 
Delivered-To: coyote@acme.inc
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on grotto.acme.inc
X-Spam-Flag: YES
X-Spam-Level: **********************
X-Spam-Status: Yes, score=22.0 required=5.0 tests=MISSING_DATE, MSGID_FROM_MTA_HEADER,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,
 RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
 RCVD_IN_MSPIKE_L5,RCVD_IN_PBL,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
 RDNS_NONE,TVD_RCVD_IP,TVD_RCVD_IP4,T_FSL_HELO_BARE_IP_2,URIBL_BLACK,
 URIBL_DBL_SPAM,URIBL_JP_SURBL autolearn=spam autolearn_force=no version=3.4.0
X-Spam-Report: *  1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist *    [URIs:
 ewb****om] *  0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus
 XBL *      [11***.101 listed in zen.spamhaus.org] *  3.6 RCVD_IN_PBL
 RBL: Received via a relay in Spamhaus PBL *  0.0 TVD_RCVD_IP4 Message was
 received from an IPv4 address *  0.0 TVD_RCVD_IP Message was received from
 an IP address *  0.9 RCVD_NUMERIC_HELO Received: contains an IP address
 used for HELO *  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8
 confidence level *      above 50% *      [cf: 100] *  1.7 RAZOR2_CHECK
 Listed in Razor2 (http://razor.sf.net/) *  0.4 RAZOR2_CF_RANGE_51_100
 Razor2 gives confidence level above 50% *      [cf: 100] *  2.5
 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist *   [URIs: ew***ado.com]
 *  0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) *      [11***7.101
 listed in bl.mailspike.net] *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received
 via a relay in bl.spamcop.net *      [Blocked - see <http://www.spamcop.net/bl.shtml?11***01>]
 *  0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server *   
 [112***.101 listed in dnsbl.sorbs.net] *  1.6 RCVD_IN_BRBL_LASTEXT
 RBL: No description available. *      [11***101 listed in bb.barracudacentral.org]
 *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist *      [URIs:
 ewboynhado.com] *  1.3 RDNS_NONE Delivered to internal network by a host
 with no rDNS *  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted *  0.0
 MSGID_FROM_MTA_HEADER Message-Id was added by a relay *  1.4 MISSING_DATE
 Missing Date: header * 0.0 T_FSL_HELO_BARE_IP_2 No description available.
Received: from 112****101 (Unknown [11***01]) by mx.acme.inc ; Thu, 12 Jun
 2014 14:50:15 +0200
Message-ID: <1835D6CB-AF0B-41A3-A37D-A78C1CA2A768@mx.acme.inc>
Received: from unknown (HELO localhost) (p***arr@ne***se.com@207***116) by 11***101
 with ESMTPA; Thu, 12 Jun 2014 09:43:43 +0800
From: pa**rr@n**nse.com
To: roadrunner@acme.inc
Subject: Shocking revelation about your love life
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: RBL - Rejected by Spamhaus - (Score: 3)
X-hMailServer-Reason-2: Tagged as Spam by SpamAssassin - (Score: 22)
X-hMailServer-Reason-3: RBL - Rejected by cbl.abuseat.org - (Score: 3)
X-hMailServer-Reason-4: RBL - Rejected by SpamCop - (Score: 3)
X-hMailServer-Reason-5: Rejected by SURBL - (Score: 3)
X-hMailServer-Reason-6: RBL - Rejected by Barracuda Reputation Block List - (Score: 3)
X-hMailServer-Reason-Score: 37

Do you wish to amaze your gf tonight? http://su***b.ew****o.com/


Sent from my iPhone
[MOD EDIT: Obfuscated spam url, IP's & domains - Please do not post spam URL's]
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
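
To read a folded X-Spam-Report header like the one in the post above as per-rule scores, the following added example (not part of the original post and not SpamAssassin or hMailServer code) unfolds the header and splits it into hits. The sample header is constructed with a placeholder domain, and the grouping by rule-name prefix is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the folded header in the post above;
# the domain is a placeholder, not a value from the page.
SAMPLE = (
    "X-Spam-Report: *  1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist *    [URIs:\n"
    " spam.example] *  3.6 RCVD_IN_PBL\n"
    " RBL: Received via a relay in Spamhaus PBL *  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8\n"
    " confidence level *      above 50% *      [cf: 100] *  1.4 MISSING_DATE\n"
    " Missing Date: header * 0.0 T_FSL_HELO_BARE_IP_2 No description available.\n"
)

# A hit starts at "* <score> <RULE>"; a "*" followed by anything else is a
# continuation line of the previous hit's description.
HIT = re.compile(
    r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*?)"
    r"(?=\s+\*\s+-?\d+\.\d+\s+[A-Z]|\s*$)", re.S)

# Grouping by rule-name prefix is this example's own heuristic.
SOURCES = (("RCVD_IN_", "relay DNSBL"), ("URIBL_", "URI blocklist"),
           ("RAZOR2_", "Razor2"))


def parse_report(header):
    """Return [(score, rule, description)] from a folded X-Spam-Report header."""
    text = re.sub(r"\r?\n[ \t]+", " ", header)   # undo header folding
    text = text.split(":", 1)[1].strip()         # drop the header name
    hits = []
    for m in HIT.finditer(text):
        desc = re.sub(r"\s*\*\s+", " ", m.group(3)).strip()
        hits.append((float(m.group(1)), m.group(2), desc))
    return hits


def score_by_source(hits):
    """Sum the scores per evidence source so the dominant signal is visible."""
    totals = defaultdict(float)
    for score, rule, _ in hits:
        label = next((name for prefix, name in SOURCES
                      if rule.startswith(prefix)), "header/other")
        totals[label] += score
    return {k: round(v, 1) for k, v in totals.items()}


if __name__ == "__main__":
    for score, rule, desc in sorted(parse_report(SAMPLE), reverse=True):
        print(f"{score:5.1f}  {rule:28} {desc}")
    print(score_by_source(parse_report(SAMPLE)))
```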

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: SPAM... How much does it take to trigger...

Post by percepts » 2014-06-13 14:55

It's bad enough that people send this stuff in the first place but re-posting it so a load more people can see it is even worse. Think we make a hobby out of reading spam? :roll:

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: SPAM... How much does it take to trigger...

Post by Bill48105 » 2014-06-13 17:06

percepts wrote: It's bad enough that people send this stuff in the first place but re-posting it so a load more people can see it is even worse. Think we make a hobby out of reading spam? :roll:
I think the point was it was a 1 line spam & ended up with 100's of lines from the processing. Not cool to post up SPAM URL's or private info (it was likely relayed thru a hacked account/server) though so the post was edited.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: SPAM... How much does it take to trigger...

Post by DeanoX » 2014-07-03 12:40

It's still funny though. :lol:
hMailServer 5.4.2-1964, mysql, ClamAV, SpamAssassin, SquirrelMail, GeoIP.
hMailServer Support Services for US Based Clients.
Low Rates, Quick Service. Send a Private Message for More Information.
