Mailing List Archive: SpamAssassin: users

Slip thu's

Index | Next | Previous | View Threaded

joea at j4computers

Apr 17, 2012, 3:54 AM

Post #1 of 4 (285 views)
Permalink

Slip thu's

Getting "scanned document", "pills" and stuff with a url of "blah.blah.ru"

Some of these contain something like the snippet below, apparently put in by the sender or perhaps the mail provider.
*******************************
MIME-Version: 1.0
X-OriginalArrivalTime: Tue, 17 Apr 2012 05:12:23 -0300
X-SenderScore: 3
X-Envelope-From: LexLuthor [at] EvilDoers
X-SpamScore: 3
X-VirusScore: 0
X-SpamRefID: str=0001.0A010202.4F8D34EA.0094,ss=3,sh,fgs=0
X-ForwardedBy: SJL01WMAIL08B
*******************************

Would it be sane, relatively speaking, to add a rule that looks at the X-SpamScore: and/or X-SenderScore: and flag those?

ned at unixmail

Apr 17, 2012, 4:12 AM

Post #2 of 4 (267 views)
Permalink

Re: Slip thu's [In reply to]

On 17/04/12 11:54, joea wrote:
> Getting "scanned document", "pills" and stuff with a url of "blah.blah.ru"
>

Would emails with Russian URLs be legitimate in your organisation? Any
.ru URL gets 6pts here by default - no complaints yet.

> Some of these contain something like the snippet below, apparently put in by the sender or perhaps the mail provider.
> *******************************
> MIME-Version: 1.0
> X-OriginalArrivalTime: Tue, 17 Apr 2012 05:12:23 -0300
> X-SenderScore: 3
> X-Envelope-From: LexLuthor [at] EvilDoers
> X-SpamScore: 3
> X-VirusScore: 0
> X-SpamRefID: str=0001.0A010202.4F8D34EA.0094,ss=3,sh,fgs=0
> X-ForwardedBy: SJL01WMAIL08B
> *******************************
>
> Would it be sane, relatively speaking, to add a rule that looks at the X-SpamScore: and/or X-SenderScore: and flag those?
>
>
>

Not sure. Personally I don't see much value in it. In the vast majority
of cases I would rather trust the results of my own scanning with SA
than look at the X-Spam headers added by the outgoing mail server.

xtrade at matik

Apr 17, 2012, 4:40 AM

Post #3 of 4 (264 views)
Permalink

Re: Slip thu's [In reply to]

Ned Slider wrote:
> On 17/04/12 11:54, joea wrote:
>> Getting "scanned document", "pills" and stuff with a url of
>> "blah.blah.ru"
>>
>
> Would emails with Russian URLs be legitimate in your organisation? Any
> .ru URL gets 6pts here by default - no complaints yet.

Hi

that certainly is not very nice. Electronic racism ...

even if the spam quote may be high, there are legitimate users which
should not pay for that

specially when you analyze better and see that the origin often is US or
others, the only use .ru services to send it out ...

IMO when the domain and sender exist, not as known spammer or OR, you
should not do that and better hang on to content analysis for
evaluation/scoring

Hans

--
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.2222
http://xtrade.matik.com.br

ned at unixmail

Apr 17, 2012, 5:53 AM

Post #4 of 4 (267 views)
Permalink

Re: Slip thu's [In reply to]

On 17/04/12 12:40, xTrade Assessory wrote:
> Ned Slider wrote:
>> On 17/04/12 11:54, joea wrote:
>>> Getting "scanned document", "pills" and stuff with a url of
>>> "blah.blah.ru"
>>>
>>
>> Would emails with Russian URLs be legitimate in your organisation? Any
>> .ru URL gets 6pts here by default - no complaints yet.
>
>
> Hi
>
> that certainly is not very nice. Electronic racism ...
>

Not at all, it is based purely on statistical analysis of my mail flow.

> even if the spam quote may be high, there are legitimate users which
> should not pay for that
>

I don't see any legitimate users here, I only see spam containing URIs
in the body ending in the tld .ru - YMMV

> specially when you analyze better and see that the origin often is US or
> others, the only use .ru services to send it out ...
>

I'm not suggesting blocking mail *from* .ru, I'm suggesting scoring
mails in SA with URIs in the body ending in .ru *if* you don't expect to
see such URIs in your regular mail flow.

> IMO when the domain and sender exist, not as known spammer or OR, you
> should not do that and better hang on to content analysis for
> evaluation/scoring
>

That's exactly what I am doing - content evaluation/scoring based on
statistical analysis of my own mail flow. A mail containing a URI ending
in .ru is a very good indicator of spam on my server so I score it
appropriately in SA. YMMV

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads