February 16, 2003

SpamAssassin vs. Crypto-Gram

Crypto-Gram newsletter is being marked as spam by SpamAssassin again. It's happened before, see my earlier analysis of SpamAssassin and Crypto-Gram. Here's a guess as to why it's happening now (SpamAssassin version 2.43).

WARNING - I used a mail header from the crypto-gram subscription confirmation in these tests, since I wasn't subscribed to the mailing-list. That may affect the results. It's very important to pay attention to the mail header, as tests on it are significant. Using the raw text of the newsletter - that is, no mail header - is not an accurate test!


SPAM: Content analysis details: (5.20 hits, 5 required)

So it's over the limit.

SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name

Right. The "from" is just the mailing list (I assume)

SPAM: FORGED_RCVD_FOUND (0.8 points) Possibly-forged 'Received:' header found
SPAM: MSG_ID_ADDED_BY_MTA_2 (0.1 points) 'Message-Id' was added by a relay (2)

It doesn't like something about the way the mailing is done.

SPAM: OPT_IN (1.5 points) BODY: Talks about opting in

" ... use his own resources and take Opt-In requests from Intel employees ..."

SPAM: US_DOLLARS_4 (0.4 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
SPAM: US_DOLLARS_2 (0.1 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)

US_DOLLARS_4 : ... stole $1.5 million in jewels ...
US_DOLLARS_2 : Hot on the heels of our $20M funding, ...

SPAM: BALANCE_FOR_LONG_20K (-0.7 points) BODY: Message text is over 20K in size
SPAM: BALANCE_FOR_LONG_40K (-0.1 points) BODY: Message text is over 40K in size

"Good" points for being long.

SPAM: NORMAL_HTTP_TO_IP (1.3 points) URI: Uses a dotted-decimal IP address in URL

Anyone can get their own .mil domain.

SPAM: SPAM_PHRASE_01_02 (0.5 points) BODY: Spam phrases score is 01 to 02 (low) [score: 1]

And a few misc phrases.

Sigh. Now to go try to see if anything can be fixed. Spam-wars, spam-wars ...

Update: Looks like the problem may be the " Razor" distributed message tests:

Date: Sun, 16 Feb 2003 12:10:49 -0500
Sender: Spam Prevention Discussion List <SPAM-L[at-sign]PEACH.EASE.LSOFT.COM>
From: Ed Allen Smith
Subject: Re: Media: Spamassassin blocks crypto-gram newsletter
By default - and by SA developer recommendation (I've been helping a bit with it and _I_ wouldn't recommend using it for blocking on most accounts, just for sorting mail into different inboxes... and I have some uncertainty on the latest scoresets; I've been working on the SA GA and have been seeing some problems with generalization), yes. From initial reports, at least part of the problem is that _Razor_ is hitting the February 15th CRYPTO-GRAM, so if SA is used with Razor going... I'll check the February 15th CRYPTO-GRAM vs SA 2.50-cvs, with and without Razor2 & DNSBLs. It may wind up that CRYPTO-GRAM has to be specifically whitelisted - SecurityFocus is, due to that SF mailing lists can have, say, malicious JavaScript legitimately being quoted in emails. We'll see.


Allen Smith http://cesario.rutgers.edu/easmith/
February 1, 2003 Space Shuttle Columbia
Ad Astra Per Aspera To The Stars Through Asperity

By Seth Finkelstein | posted in spam | on February 16, 2003 11:59 PM (Infothought permalink) | Followups
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics) - Syndicate site (subscribe, RSS)

Subscribe with Bloglines      Subscribe in NewsGator Online  Google Reader or Homepage