Neil Turner's Blog

Blogging about technology and randomness since 2002

Another monster SpamAssassin score

Couldn’t think of anything interesting to post today (it’s been such a slow news day that I got into the BlogDex top 50 for no real reason), other than this monster of a spam message. Here’s what SpamAssassin had to say about it:

Content analysis details:   (42.2 points, 5.7 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
0.5 X_PRIORITY_HIGH        Sent with 'X-Priority' set to high
0.9 FROM_ENDS_IN_NUMS      From: ends in numbers
4.3 RATWARE_RCVD_LC_ESMTP  Bulk email fingerprint ('esmtp' Received) found
0.3 RCVD_NUMERIC_HELO      Received: contains a numeric HELO
0.3 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
4.3 RCVD_AM_PM             Received headers forged (AM/PM)
0.2 HTML_50_60             BODY: Message is 50% to 60% HTML
0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE           BODY: HTML included in message
0.1 HTML_FONT_BIG          BODY: HTML has a big font
0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
0.8 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
3.0 FORGED_RCVD_NET_HELO   Host HELO'd using the wrong IP network
4.3 FORGED_AOL_RCVD        Received forged, contains fake AOL relays
1.1 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
[ listed in]
0.1 RCVD_IN_NJABL          RBL: Received via a relay in
[ listed in]
1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
[ listed in]
0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
[ listed in]
1.1 RCVD_IN_DSBL           RBL: Received via a relay in
0.1 RCVD_IN_RFCI           RBL: Sent via a relay in
[Inaccurate or missing WHOIS data]
1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
[ listed in]
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
[Blocked - see ]
3.2 FORGED_MUA_THEBAT      Mail pretending to be from The Bat! (mid)
4.3 FORGED_THEBAT_HTML     The Bat! can't send HTML message only
0.0 CLICK_BELOW            Asks you to click below
4.3 CONFIRMED_FORGED       Received headers are forged
1.7 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
2.5 FORGED_MUA_THEBAT_CS   Mail pretending to be from The Bat! (charset)


  1. Hmm, weird that it’s not using Bayes detection. With that turned on, scores of 40 aren’t too unusual.
    It’s the blacklisting that really adds up some of the scores I see though. The average blacklisted email will see scores of 101.7.

  2. Autolearn is turned on, but I’m guessing it hasn’t had enough spam passed through it to pick anything up. Unfortunately there’s a viagra spammer whose emails consistently pass through SpamAssassin, despite me lowering the necessary score to 5.7 which is as low as I can get it before it starts blocking legitimate email.
    SpamAssassin does handle blacklists quite well, by not relying on a single one and not letting the fact that it is simply in one list as firm evidence that an email is spam. Ask any email publisher what they think of SpamCop and most will take the opportunity to vent at you.

  3. In reply to the Viagra spammer problem, I found that the headers generally contain the HABEAS SWE mark. Anything that has this mark adds -8.0 to the total score. Yes, that is a negative! To effectively remove this test from SpamAssassin add ‘score HABEAS_SWE 0.0’ to your config.
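The threshold and the override discussed in the comments are easy to check against a report like the one above. The Python below is an added example, not code from this post or from SpamAssassin itself: it parses a report in the "Content analysis details" format, re-sums the per-rule points, and applies local.cf-style "required_score" and "score RULE value" lines. The quoted report is embedded in the block; the local.cf fragment and the second, Habeas-marked hit list are constructed for illustration, and the config parser handles only the single-value form of "score".

```python
"""Parse a SpamAssassin 'Content analysis details' report, re-sum the hits,
and apply local.cf-style overrides. Added example, not from the post or SA."""
import re
from decimal import Decimal

# The report quoted in the post (bracketed RBL continuation lines omitted).
REPORT = """\
Content analysis details:   (42.2 points, 5.7 required)
0.5 X_PRIORITY_HIGH        Sent with 'X-Priority' set to high
0.9 FROM_ENDS_IN_NUMS      From: ends in numbers
4.3 RATWARE_RCVD_LC_ESMTP  Bulk email fingerprint ('esmtp' Received) found
0.3 RCVD_NUMERIC_HELO      Received: contains a numeric HELO
0.3 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
4.3 RCVD_AM_PM             Received headers forged (AM/PM)
0.2 HTML_50_60             BODY: Message is 50% to 60% HTML
0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE           BODY: HTML included in message
0.1 HTML_FONT_BIG          BODY: HTML has a big font
0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
0.8 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
3.0 FORGED_RCVD_NET_HELO   Host HELO'd using the wrong IP network
4.3 FORGED_AOL_RCVD        Received forged, contains fake AOL relays
1.1 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
0.1 RCVD_IN_NJABL          RBL: Received via a relay in
1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
1.1 RCVD_IN_DSBL           RBL: Received via a relay in
0.1 RCVD_IN_RFCI           RBL: Sent via a relay in
1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
3.2 FORGED_MUA_THEBAT      Mail pretending to be from The Bat! (mid)
4.3 FORGED_THEBAT_HTML     The Bat! can't send HTML message only
0.0 CLICK_BELOW            Asks you to click below
4.3 CONFIRMED_FORGED       Received headers are forged
1.7 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
2.5 FORGED_MUA_THEBAT_CS   Mail pretending to be from The Bat! (charset)
"""

# Constructed local.cf fragment: the post's 5.7 threshold plus comment 3's
# override that neutralises the -8.0 Habeas SWE bonus.
LOCAL_CF = """\
required_score 5.7
score HABEAS_SWE 0.0    # comment 3's override
"""

# Constructed hit list for a message carrying the Habeas mark: three of the
# rules from the post plus HABEAS_SWE at its -8.0 default.
HABEAS_REPORT = """\
Content analysis details:   (-0.9 points, 5.7 required)
-8.0 HABEAS_SWE            Has Habeas warrant mark
3.2 FORGED_MUA_THEBAT      Mail pretending to be from The Bat! (mid)
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
1.7 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
"""

HEADER_RE = re.compile(r"\((?P<total>-?\d+\.\d+) points, (?P<required>-?\d+\.\d+) required\)")
RULE_RE = re.compile(r"^(?P<pts>-?\d+\.\d+)\s+(?P<rule>[A-Z][A-Z0-9_]*)\s+(?P<desc>.*)$")

def parse_report(text):
    """Return (reported_total, required, {rule: points}); lines that do not
    start with a score (headers, bracketed continuations) are skipped."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'Content analysis details' header found")
    hits = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            hits[m["rule"]] = Decimal(m["pts"])
    return Decimal(header["total"]), Decimal(header["required"]), hits

def parse_config(text):
    """Read 'required_score N' and single-value 'score RULE N' lines
    (SpamAssassin also accepts four per-mode values; not handled here)."""
    required, overrides = None, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) == 2 and parts[0] == "required_score":
            required = Decimal(parts[1])
        elif len(parts) == 3 and parts[0] == "score":
            overrides[parts[1]] = Decimal(parts[2])
    return required, overrides

def total_score(hits, overrides=None):
    """Sum per-rule points, substituting any overridden scores."""
    overrides = overrides or {}
    return sum((overrides.get(r, p) for r, p in hits.items()), Decimal("0"))

def is_spam(hits, required, overrides=None):
    return total_score(hits, overrides) >= required

if __name__ == "__main__":
    reported, required, hits = parse_report(REPORT)
    print(f"{len(hits)} rules: reported {reported}, recomputed {total_score(hits)}")
    cf_required, overrides = parse_config(LOCAL_CF)
    _, _, habeas = parse_report(HABEAS_REPORT)
    print("Habeas message, default scores:", total_score(habeas), "spam?", is_spam(habeas, cf_required))
    print("with HABEAS_SWE zeroed:", total_score(habeas, overrides), "spam?", is_spam(habeas, cf_required, overrides))
```

Re-summing the quoted report gives 42.1 against the 42.2 in the header: the per-rule points are printed rounded to one decimal place, so a recomputed total within a few tenths of the reported one is the expected result rather than a parsing bug. The constructed Habeas case shows why comment 3's override matters: the same three hits from the post score -0.9 with HABEAS_SWE at its -8.0 default and 7.1 once it is zeroed, which at a 5.7 threshold is the difference between a message passing and being tagged.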