My Spam Filter

I finally turned on SAProxy, the spam filter in the Bloomba email program. It’s working well so far, although a few legit messages have gotten marked as spam. A very cool feature of the filtering engine (SpamAssassin) is that it tells you why it flagged certain messages. As you’ll see, failing one of the filters assigns a certain number of points to the message. Once the point threshold is hit, the message is marked as spam. Here are some of the rules/filters (from the Bayesian filter) that it uses:

FROM_ENDS_IN_NUMS (0.7 points) From: ends in numbers ** in one case this was actually from a legit address
SEARCH_ENGINE_PROMO (1.5 points) BODY: Discusses search engine listings ** this was actually from a legit address
HTML_10_20 (1.4 points) BODY: Message is 10% to 20% HTML
FORGED_YAHOO_RCVD (2.3 points) ‘From’ yahoo.com does not match ‘Received’ headers ** this was actually from a legit address
NO_REAL_NAME (0.8 points) From: does not include a real name
HTML_80_90 (0.5 points) BODY: Message is 80% to 90% HTML
HTML_IMAGE_RATIO_02 (0.5 points) BODY: HTML has a low ratio of text to image area
HTML_IMAGE_ONLY_02 (1.9 points) BODY: HTML has images with 0-200 bytes of words
VERY_SUSP_RECIPS (2.2 points) Very similar addresses in recipient list **we’ve all seen this done
ADDR_NUMS_AT_BIGSITE (0.6 points) Uses an address with lots of numbers, at a big ISP
FROM_WEBMAIL_ENDS_IN_NUMS6 (1.5 points) From address is webmail, and ends in lots of numbers **deadly combo!
EARN_MONEY (1.0 points) BODY: Message talks about earning money ** always a warning sign
EXCUSE_19 (0.6 points) BODY: Claims you opted-in or registered **I want to see the whole list of excuses 🙂
OPT_IN (0.5 points) BODY: Talks about opting in (lowercase version)
SAVE_BUCKS (0.0 points) BODY: Save $$$ **Nuff said!
EXCUSE_1 (0.0 points) BODY: Gives a lame excuse about why you were sent this spam
EXCUSE_3 (0.1 points) BODY: Claims you can be removed from the list
REMOVE_FROM_LIST (0.0 points) BODY: To be removed from list
TARGETED (2.8 points) BODY: Targeted Traffic / Email Addresses
FOR_FREE (0.6 points) BODY: No such thing as a free lunch(1)
EMAIL_MARKETING (0.0 points) BODY: Talks about email marketing
OPT_IN_CAPS (0.2 points) BODY: Talks about opting in (capitalized version)
LINES_OF_YELLING (0.0 points) BODY: A WHOLE LINE OF YELLING DETECTED
LINES_OF_YELLING_2 (0.0 points) BODY: 2 WHOLE LINES OF YELLING DETECTED
LINES_OF_YELLING_3 (0.0 points) BODY: 3 WHOLE LINES OF YELLING DETECTED

REMOVE_PAGE (0.3 points) URI: URL of page called “remove”
SUBJ_ALL_CAPS (1.1 points) Subject is all capitals
AS_SEEN_ON (1.9 points) BODY: As seen on national TV!
ONLY_COST (0.0 points) BODY: Only $$$
MLM (0.8 points) BODY: Multi Level Marketing mentioned
EARN_MONEY (1.0 points) BODY: Message talks about earning money
ONE_TIME (0.0 points) BODY: One Time Rip Off
JODY (2.9 points) BODY: Contains “My wife, Jody” testimonial ** Is Jody that popular???
BANG_MONEY (0.7 points) BODY: Talks about money with an exclamation!
BULK_EMAIL (1.6 points) BODY: Talks about bulk email **talk about a dead give-away
ORDER_REPORT (2.9 points) BODY: Order a report from someone
SENT_IN_COMPLIANCE (4.3 points) BODY: Claims compliance with spam regulations
FINANCIAL (4.3 points) BODY: Financial Freedom
SECTION_301 (1.7 points) BODY: Claims compliance with spam regulations
INVALUABLE_MARKETING (2.9 points) BODY: Invaluable marketing information
DONT_DELETE (0.0 points) BODY: Don’t delete me! Nooooo!!!!
RISK_FREE (0.9 points) BODY: Risk free. Suuurreeee….
COPY_ACCURATELY (2.9 points) BODY: Common pyramid scheme phrase (1)
INITIAL_INVEST (2.7 points) BODY: Requires Initial Investment
HTML_FONT_COLOR_RED (0.1 points) BODY: HTML font color is red
HTML_FONT_BIG (0.3 points) BODY: FONT Size +2 and up or 3 and up
HTML_SHOUTING5 (0.0 points) BODY: HTML has very strong “shouting” markup
CASHCASHCASH (0.0 points) Contains at least 3 dollar signs in a row
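
The point-adding scheme described above, as an added example (not code from the original post or from SpamAssassin): it parses hit lines in the layout quoted in the list, totals them, and names the rules without which the message would have passed, which is where to look when legit mail gets flagged. The 5.0 threshold, the function names and the sample report are assumptions constructed for illustration.

```python
import re

# One hit per line, in the layout quoted in the post:
#   RULE_NAME (1.5 points) description ** optional reader note
HIT_RE = re.compile(r"^([A-Z][A-Z0-9_]*) \((\d+(?:\.\d+)?) points\) (.*)$")

# Assumption: 5.0 is used as the spam threshold; SAProxy may be set differently.
THRESHOLD = 5.0

# Constructed sample: five rule lines from the list above, combined into one
# hypothetical report for a single message.
SAMPLE = """\
FROM_ENDS_IN_NUMS (0.7 points) From: ends in numbers
SEARCH_ENGINE_PROMO (1.5 points) BODY: Discusses search engine listings
FORGED_YAHOO_RCVD (2.3 points) 'From' yahoo.com does not match 'Received' headers ** legit sender

NO_REAL_NAME (0.8 points) From: does not include a real name
HTML_10_20 (1.4 points) BODY: Message is 10% to 20% HTML
"""


def parse_hits(report):
    """Return [(rule, points, description)] for every well-formed hit line."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a rule hit
        # Drop the reader's own "**" annotation, keep the rule description.
        desc = m.group(3).split("**", 1)[0].strip()
        hits.append((m.group(1), float(m.group(2)), desc))
    return hits


def verdict(hits, threshold=THRESHOLD):
    """Sum the points; list rules whose removal alone would un-flag the message."""
    total = round(sum(points for _, points, _ in hits), 1)
    is_spam = total >= threshold
    decisive = [name for name, points, _ in hits
                if is_spam and round(total - points, 1) < threshold]
    return total, is_spam, decisive


if __name__ == "__main__":
    total, is_spam, decisive = verdict(parse_hits(SAMPLE))
    print(f"score={total} spam={is_spam} decisive={decisive}")
```

A decisive rule that keeps firing on legit senders is the first candidate for a lower score or a whitelist entry.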

Somebody should make a filter for all those messages (hoaxes & other nonsense) that people forward to all of their friends. Rule #1 for that filter would be: if the message says ‘forward this to everyone you know’, flag it.
