TNPI - sample ham -vs- spam

home : internet : mail : toaster : filtering : sample ham -vs- spam

Here's an example of message headers from a message recieved on my mail server. I use qmailscanner as suggested above and qmailscanner processes all messages using ClamAV for virus scanning. My personal mailbox has the Mail::Toaster default spam filtering via maildrop enabled.

Sample Ham

From: hiddenuser@michweb.net
Subject: FW: Winter
Date: February 2, 2004 2:51:01 PM EST
To: matt@cadillac.net and 5 more... Received: (qmail 37806 invoked by uid 1000); 2 Feb 2004 19:49:19 -0000
Received: (qmail 37802 invoked by uid 1068); 2 Feb 2004 19:49:19 -0000
Received: from deadend@michweb.net by cadillac.mi.us by uid 89 with qmail-scanner-1.20rc4 (clamscan: 0.60. Clear:RC:0:. Processed in 1.558058 secs); 02 Feb 2004 19:49:19 -0000
Received: from unknown (HELO out8.mx.nwbl.wi.voyager.net) (169.207.3.117) by matt-serv2.cdlc.mi.voyager.net with SMTP; 2 Feb 2004 19:49:17 -0000
Received: from mail3.mx.voyager.net (mail3.mx.voyager.net [216.93.66.202]) by out8.mx.voyager.net (Postfix) with ESMTP id 2813340FD5; Mon, 2 Feb 2004 13:49:16 -0600 (CST)
Received: from a0a2c6.michweb.net (d140.as0.cdlc.mi.voyager.net [207.89.240.161]) by mail3.mx.voyager.net (8.12.9/8.10.2) with ESMTP id i12Jmg7d009051; Mon, 2 Feb 2004 14:48:50 -0500 (EST)
Delivered-To: matt@www.cadillac.net
Message-Id: <6.0.1.1.0.20040202145053.0282ceb0@pop.michweb.net>
X-Sender: hiddenuser@pop.michweb.net
X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_18957473==_"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cadillac.mi.us
X-Spam-Pyzor: Reported 0 times.
X-Spam-Dcc: Servercave: cadillac.mi.us 1183; Body=1 Fuz1=1 Fuz2=1
X-Spam-Status: No, hits=0.6 required=6.0 tests=AWL,HTML_20_30,HTML_MESSAGE, RCVD_IN_SORBS autolearn=no version=2.63

Sample Spam

From: k.castlewc@ties.itu.ch
Subject: Cheapest Phentermine on the Internet!
Date: February 2, 2004 3:02:30 PM EST
To: matt@cadillac.net
Received: from localhost by cadillac.mi.us with SpamAssassin (2.63 2004-01-11); Mon, 02 Feb 2004 15:04:20 -0500
Message-Id: <58bf01c3e9c7$7be04eda$43729c0d@040brd1>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cadillac.mi.us
X-Spam-Pyzor: Reported 44118 times.
X-Spam-Dcc: Servercave: cadillac.mi.us 1183; Body=1 Fuz1=1 Fuz2=many
X-Spam-Status: Yes, hits=7.4 required=6.0 tests=DCC_CHECK,HTML_60_70, PYZOR_CHECK, autolearn=no version=2.63
X-Spam-Level: *******
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_401EAD44.DCEBCAD7"
Spam detection software, running on the system "cadillac.mi.us", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see matt@cadillac.net for details.
Content preview: URI:http://www.mnbgtefv.com
URI:http://www.toolkyytg.com/v9.gif [...]
Content analysis details: (7.4 points, 6.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
0.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
2.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
1.8 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.3 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[82.64.149.148 listed in dnsbl.sorbs.net]
2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
[82.64.149.148 listed in dnsbl.sorbs.net]
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Last modified on 4/28/05.