[Mimedefang] Need Tip on Filter

Peter A. Cole peteracole at bigpond.com
Sat Mar 20 19:24:16 EST 2004


Hi all,

I'm running MIMEDefang 2.39 on Debian Sarge with SA and ClamAV, and while it works well at getting rid of viruses and most of my spam, there are still a few coming through, mainly relating to prescription drugs.

I had been looking for a way to do this on and off for a few weeks, but hadn't come up with a definite solution until I checked the headers of these emails and discovered that my ISP has already classed them as spam.

They offer an antispam service for a small charge, but in doing this they also leave their antispam headers in mail to users that do not subscribe to this service, so any spam that they mark is still marked in my mailbox.

What I need to do is put this into my mimedefang-filter to get it moved to my spamdrop.

I'm not terribly good at creating working rules in my filter, so I'm wondering if someone can give me a tip on how to go about this.

Here are three examples of the header my ISP inserts:

X-Telstra-AV-Scanner: 1.0.1-LBW
X-Telstra-AS-Scanner: 1.0.1-LBW, 96% OBFU_CLASS_HEALTH 4, RCVD_IN_CBL 3,
 OBFU_CLASS_OTHER 2, DIET 1.144, MISSING_MIMEOLE 1.103, __HAS_MSGID 0,
 __SANE_MSGID 0, __MIME_VERSION 0, NOSPAM_INC 0, __TO_MALFORMED_2 0,
 __OUTLOOK_MUA 0, __HAS_X_MAILER 0, __HAS
X-Spam-Status: Yes

X-Telstra-AV-Scanner: 1.0.1-LBW
X-Telstra-AS-Scanner: 1.0.1-LBW, 99% URI_CLASS_HEALTH_DOMAIN 5,
 OBFU_CLASS_HEALTH 4, RCVD_IN_CBL 3, BIZ_TLD 1.251, HTML_70_90 0.572,
 URI_HEAVY 0.206, UNSUB_PAGE 0.163, BIG_FONT 0.146, HTML_FONT_COLOR_CYAN 0.005,
 SUPERLONG_LINE 0.003, __SANE_MSGID 0, _
X-Spam-Status: Yes

X-Telstra-AV-Scanner: 1.0.1-LBW
X-Telstra-AS-Scanner: 1.0.1-LBW, 100% URI_CLASS_UNCLASSIFIED_DOMAIN 5,
 MIME_HTML_ONLY_MULTI 4.500, THE_BEST_RATE 4.139, RCVD_IN_CBL 3,
 CONFIRMED_FORGED 2.168, OFFERS_ETC 1.177, SEE_FOR_YOURSELF 0.706,
 FORGED_YAHOO_RCVD 0.659, EXCUSE_14 0.022, NO_OBLIG
X-Spam-Status: Yes

I'm assuming that if I put something in to move these to my spamdrop if the line "X-Telstra-AS-Scanner: 1.0.1-LBW, xx%" is greater than, say, 90% (to be safe from false positives), then this will be successful.

I'm not sure if I can rely on the "X-Spam-Status: Yes" line not giving false positives; I would rather rely on the scoring system like SA provides.

Any ideas?

Thanks,

Pete
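
One way to do what the post asks, as an added example that is not part of the original message or of MIMEDefang's own code: a Perl fragment for mimedefang-filter that unfolds the headers, reads the percentage from X-Telstra-AS-Scanner and redirects mail scoring above 90% to a spamdrop. The spamdrop address and the helper name telstra_spam_percent are hypothetical; the fragment assumes MIMEDefang's ./HEADERS file, its @Recipients list and its delete_recipient/add_recipient functions.

```perl
use strict;
use warnings;

my $THRESHOLD = 90;                       # percent, the cut-off suggested in the post
my $SPAMDROP  = 'spamdrop@example.com';   # hypothetical spamdrop address

# Return the highest percentage found in any X-Telstra-AS-Scanner header,
# or undef if the header is absent or carries no "NN%" field.
sub telstra_spam_percent {
    my ($raw) = @_;
    $raw =~ s/\r?\n\r?\n.*\z//s;          # keep the header block only
    $raw =~ s/\r?\n[ \t]+/ /g;            # unfold continuation lines
    my $max;
    for my $line (split /\r?\n/, $raw) {
        next unless $line =~ /^X-Telstra-AS-Scanner:\s*[^,]*,\s*(\d{1,3})%/i;
        $max = $1 if !defined $max || $1 > $max;   # highest value wins if repeated
    }
    return $max;
}

# Hook for mimedefang-filter: merge into the existing filter_end.
# MIMEDefang calls this; the stand-alone demo below does not.
sub filter_end {
    my ($entity) = @_;
    open(my $fh, '<', './HEADERS') or return;
    my $raw = do { local $/; <$fh> };
    close($fh);
    my $pct = telstra_spam_percent($raw);
    return unless defined $pct && $pct > $THRESHOLD;
    our @Recipients;                      # populated by MIMEDefang
    delete_recipient($_) for @Recipients; # drop the original recipients
    add_recipient($SPAMDROP);             # deliver to the spamdrop instead
}

# Stand-alone demo on constructed headers (folded, as in the post).
unless (caller) {
    my $sample = join "\n",
        'X-Telstra-AV-Scanner: 1.0.1-LBW',
        'X-Telstra-AS-Scanner: 1.0.1-LBW, 96% OBFU_CLASS_HEALTH 4, RCVD_IN_CBL 3,',
        ' OBFU_CLASS_OTHER 2, DIET 1.144',
        'X-Spam-Status: Yes',
        '', 'body text, 100% constructed';
    my $pct = telstra_spam_percent($sample);
    print "score=$pct action=", ($pct > $THRESHOLD ? 'spamdrop' : 'deliver'), "\n";
}
```

The percentage sits on the first physical line of the header, so the truncation visible at the end of the ISP's header does not affect the match.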