February 16, 2003

SpamAssassin vs. Crypto-Gram

The Crypto-Gram newsletter is being marked as spam by SpamAssassin again. It's happened before; see my earlier analysis of SpamAssassin and Crypto-Gram. Here's a guess as to why it's happening now (SpamAssassin version 2.43).

WARNING - I used a mail header from the crypto-gram subscription confirmation in these tests, since I wasn't subscribed to the mailing-list. That may affect the results. It's very important to pay attention to the mail header, as tests on it are significant. Using the raw text of the newsletter - that is, no mail header - is not an accurate test!

Results:

SPAM: Content analysis details: (5.20 hits, 5 required)

So it's over the limit.

SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name

Right. The "from" is just the mailing list (I assume).

SPAM: FORGED_RCVD_FOUND (0.8 points) Possibly-forged 'Received:' header found
SPAM: MSG_ID_ADDED_BY_MTA_2 (0.1 points) 'Message-Id' was added by a relay (2)

It doesn't like something about the way the mailing is done.

SPAM: OPT_IN (1.5 points) BODY: Talks about opting in

" ... use his own resources and take Opt-In requests from Intel employees ..."

SPAM: US_DOLLARS_4 (0.4 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
SPAM: US_DOLLARS_2 (0.1 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)

US_DOLLARS_4 : ... stole $1.5 million in jewels ...
US_DOLLARS_2 : Hot on the heels of our $20M funding, ...

SPAM: BALANCE_FOR_LONG_20K (-0.7 points) BODY: Message text is over 20K in size
SPAM: BALANCE_FOR_LONG_40K (-0.1 points) BODY: Message text is over 40K in size

"Good" points for being long.

SPAM: NORMAL_HTTP_TO_IP (1.3 points) URI: Uses a dotted-decimal IP address in URL

Anyone can get their own .mil domain.
<http://212.100.234.54/content/55/29026.html>

SPAM: SPAM_PHRASE_01_02 (0.5 points) BODY: Spam phrases score is 01 to 02 (low) [score: 1]

And a few misc phrases.

Sigh. Now to go try to see if anything can be fixed. Spam-wars, spam-wars ...
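To show how marginal this classification is, here is an added example (not part of the original post and not SpamAssassin code) that parses the report lines quoted above, re-adds the points, and lists the rules that would each, on their own, put the message back under the threshold. The function names are illustrative, and it assumes a message is tagged when its score is greater than or equal to the required value.

```python
import re
from decimal import Decimal

# Report lines copied from the analysis above (SpamAssassin 2.43 output).
REPORT = """\
SPAM: Content analysis details: (5.20 hits, 5 required)
SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name
SPAM: FORGED_RCVD_FOUND (0.8 points) Possibly-forged 'Received:' header found
SPAM: MSG_ID_ADDED_BY_MTA_2 (0.1 points) 'Message-Id' was added by a relay (2)
SPAM: OPT_IN (1.5 points) BODY: Talks about opting in
SPAM: US_DOLLARS_4 (0.4 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
SPAM: US_DOLLARS_2 (0.1 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
SPAM: BALANCE_FOR_LONG_20K (-0.7 points) BODY: Message text is over 20K in size
SPAM: BALANCE_FOR_LONG_40K (-0.1 points) BODY: Message text is over 40K in size
SPAM: NORMAL_HTTP_TO_IP (1.3 points) URI: Uses a dotted-decimal IP address in URL
SPAM: SPAM_PHRASE_01_02 (0.5 points) BODY: Spam phrases score is 01 to 02 (low) [score: 1]
"""

HEADER_RE = re.compile(r"\((-?\d+(?:\.\d+)?) hits, (-?\d+(?:\.\d+)?) required\)")
RULE_RE = re.compile(r"^SPAM: ([A-Z0-9_]+)\s+\((-?\d+(?:\.\d+)?) points\)")

def parse_report(text):
    """Return (reported_total, required, {rule: score}) from a report."""
    total = required = None
    rules = {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, required = Decimal(m.group(1)), Decimal(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = Decimal(m.group(2))
    if total is None:
        raise ValueError("no 'hits, required' summary line found")
    return total, required, rules

def decisive_rules(rules, required):
    """Rules whose absence alone drops the score below `required` (assumed >= tags)."""
    total = sum(rules.values())
    return sorted((r for r, s in rules.items() if total - s < required),
                  key=lambda r: -rules[r])

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    computed = sum(rules.values())
    print(f"reported {total}, recomputed {computed}, required {required}")
    for name in decisive_rules(rules, required):
        print(f"  without {name} ({rules[name]}): {computed - rules[name]}")
```

Decimal arithmetic is used so that scores such as 0.1 and 0.7 add up exactly to the reported total instead of drifting as binary floats would.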

Update: Looks like the problem may be the "Razor" distributed message tests:

Date: Sun, 16 Feb 2003 12:10:49 -0500
Sender: Spam Prevention Discussion List <SPAM-L[at-sign]PEACH.EASE.LSOFT.COM>
From: Ed Allen Smith
Subject: Re: Media: Spamassassin blocks crypto-gram newsletter
...
By default - and by SA developer recommendation (I've been helping a bit with it and _I_ wouldn't recommend using it for blocking on most accounts, just for sorting mail into different inboxes... and I have some uncertainty on the latest scoresets; I've been working on the SA GA and have been seeing some problems with generalization), yes. From initial reports, at least part of the problem is that _Razor_ is hitting the February 15th CRYPTO-GRAM, so if SA is used with Razor going... I'll check the February 15th CRYPTO-GRAM vs SA 2.50-cvs, with and without Razor2 & DNSBLs. It may wind up that CRYPTO-GRAM has to be specifically whitelisted - SecurityFocus is, due to that SF mailing lists can have, say, malicious JavaScript legitimately being quoted in emails. We'll see.

-Allen

--
Allen Smith http://cesario.rutgers.edu/easmith/
February 1, 2003 Space Shuttle Columbia
Ad Astra Per Aspera To The Stars Through Asperity

By Seth Finkelstein | posted in spam | on February 16, 2003 11:59 PM (Infothought permalink) | Followups