Robert Fitzpatrick wrote:
> Still getting these attachments with SA-3.1.7 + SARE + sa-update +
> amavisd + clamav with sanesecurity sigs. Should I be blocking these
> with those rule sets? Can someone test this to see how you may be
> blocking?
>
> http://esmtp.webtent.net/mail1.txt
>
> Thanks :)

Content analysis details:   (12.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
                            [botnet_clientwords,ip=66.18.53.26,rdns=static-host-66-18-53-26.epbinternet.com]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=66.18.53.26,hostname=static-host-66-18-53-26.epbinternet.com,maildomain=benmenasha.net,client,ipinhostname,clientwords]
 0.0 DKIM_POLICY_SIGNSOME   Domain Keys Identified Mail: policy says domain
                            signs some mails
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=66.18.53.26,rdns=static-host-66-18-53-26.epbinternet.com]
 0.0 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=66.18.53.26,hostname=static-host-66-18-53-26.epbinternet.com,ipinhostname,clientwords]
 1.9 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9899]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 0.1 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

Received on Tue Jul 31 21:32:56 2007