C-Command Software Forum

SpamSieve automatically whitelists same kind of crazy spam 30 times a day

Hi all,

I am getting the same kind of spam between 20 and 30 times a day, stuff that is so obviously spam that one deletes it without thinking. However, SpamSieve does not catch this, and looking into the log I now see that the elements of those emails get whitelisted automatically. This does not change, although I always marked those emails as spam.

  1. SpamSieve works well in all instances, except these emails go past its filters like crazy.

  2. The emails change sender and other information, but they’re always “Your document #767236”, “Your invoice #2347676” (numbers changing, of course), a one-liner urging to open the document, and then some executable file attached. It stuns me that emails that similar are not caught. A bug? A sneaky trick by spammers?

  3. Mac OS X 10.10.5, MailMate 1.9.4.

  4. Please see the log entries of four consecutive spam emails attached.

Thanks, Hans

=====================================================================
Predicted: Good (44)
Subject: Payment #39726
From: Bobbie06@7895.com
Identifier: /o0vR48uNl+/962Gu4QpWg==
Reason: P(spam)=0.885[0.871], bias=0.000, F:Price(0.999), F:Bobbie(0.172), support(0.229), ^fe-zip(0.749), ^fzmg-UEsDBA==(0.738), content-disposition:zip(0.736), dear(0.328), R:^hostik31^hostik^net(0.660), open(0.340), R:^hostik^net(0.659), ^fes-zip-14(0.633)
Date: 2016-09-15 09:10:11 -0400 (EDT)
=====================================================================
Trained: Good (Auto)
Subject: Payment #39726
From: Bobbie06@7895.com
Identifier: /o0vR48uNl+/962Gu4QpWg==
Actions: added rule <From (address) Is Equal to "Bobbie06@7895.com"> to SpamSieve whitelist, added rule <From (name) Is Equal to "Bobbie Price"> to SpamSieve whitelist, added to Good corpus (3369)
Date: 2016-09-15 09:10:11 -0400 (EDT)
=====================================================================
Predicted: Good (37)
Subject: Payment #39619
From: Terra72@6813.com
Identifier: YZ5eo64wixgWu01rcLLKNQ==
Reason: P(spam)=0.656[0.722], bias=0.000, support(0.229), R:^101(0.756), ^fe-zip(0.740), ^fzmg-UEsDBA==(0.730), content-disposition:zip(0.728), F:Murphy(0.712), dear(0.328), open(0.340), R:^hostik31^hostik^net(0.659), R:^hostik^net(0.659), ^fes-zip-14(0.608)
Date: 2016-09-15 09:10:11 -0400 (EDT)
=====================================================================
Trained: Good (Auto)
Subject: Payment #39619
From: Terra72@6813.com
Identifier: YZ5eo64wixgWu01rcLLKNQ==
Actions: added rule <From (address) Is Equal to "Terra72@6813.com"> to SpamSieve whitelist, added rule <From (name) Is Equal to "Terra Murphy"> to SpamSieve whitelist, added to Good corpus (3370)
Date: 2016-09-15 09:10:11 -0400 (EDT)
=====================================================================
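
A triage check over the log format shown in the excerpt above, added here as an example that is not part of the original post and not SpamSieve's own code: it pairs each "Predicted" entry with its "Trained: Good (Auto)" entry by Identifier and lists the whitelist rules that were auto-added for messages whose Reason tokens mention zip. Treating tokens that contain "zip" as attachment evidence is an assumption, as are the function names and the constructed control record.

```python
import re

# Constructed sample in the log format shown in the post: the first message is
# abbreviated from the excerpt, the second ("CONSTRUCTED-1") is an invented control.
SAMPLE_LOG = '''\
Predicted: Good (44)
Subject: Payment #39726
Identifier: /o0vR48uNl+/962Gu4QpWg==
Reason: P(spam)=0.885[0.871], bias=0.000, ^fe-zip(0.749), content-disposition:zip(0.736), dear(0.328)
==========
Trained: Good (Auto)
Identifier: /o0vR48uNl+/962Gu4QpWg==
Actions: added rule <From (address) Is Equal to "Bobbie06@7895.com"> to SpamSieve whitelist, added to Good corpus (3369)
==========
Predicted: Good (12)
Subject: Lunch on Friday
Identifier: CONSTRUCTED-1
Reason: P(spam)=0.120[0.100], bias=0.000, lunch(0.050)
==========
Trained: Good (Auto)
Identifier: CONSTRUCTED-1
Actions: added rule <From (address) Is Equal to "friend@example.org"> to SpamSieve whitelist
'''

def parse_records(text):
    """Split on separator lines; each record is 'Key: value' lines, first key = record kind."""
    records = []
    for block in re.split(r"^={5,}\s*$", text, flags=re.M):
        pairs = [l.split(": ", 1) for l in block.strip().splitlines() if ": " in l]
        if pairs:
            records.append({"kind": pairs[0][0], **dict(pairs)})
    return records

def zip_auto_whitelists(text):
    """Whitelist rules auto-added for messages whose Reason line carries zip tokens."""
    predicted, findings = {}, []
    for rec in parse_records(text):
        if rec["kind"] == "Predicted":
            p = float(re.search(r"P\(spam\)=([\d.]+)", rec["Reason"]).group(1))
            # Assumption: a token name containing "zip" reflects a zip attachment.
            zips = [t.rsplit("(", 1)[0] for t in rec["Reason"].split(", ") if "zip" in t]
            predicted[rec["Identifier"]] = (rec["Subject"], p, zips)
        elif rec.get("Trained") == "Good (Auto)":
            subject, p, zips = predicted.get(rec["Identifier"], ("", 0.0, []))
            rules = re.findall(r"added rule <(.+?)> to SpamSieve whitelist", rec.get("Actions", ""))
            if rules and zips:
                findings.append({"subject": subject, "p_spam": p, "zip_tokens": zips, "rules": rules})
    return findings
```

Each finding names a whitelist rule worth reviewing and removing if the sender is not genuine; the control message is not reported because its Reason line has no zip tokens.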

It’s normal for messages to be whitelisted automatically. Please see Spammy Whitelist Rules.

Please see this page for how you can send in SpamSieve’s log and the false negative files via e-mail so that I can look into this.

ooops, no more messages

Hi Michael,

thanks for responding - for whatever reason these emails completely stopped from one day to the next. None of these in my spam folder, so it’s not that they all of a sudden get caught. Since I deleted the junk mail, I don’t have any false negatives to send. ;-(

I’ll see if something similar will come up, however, this thread can be considered “solved” as of now.