> How can I get the HMM-Check to get more than 6 results so that it blocks
> the email?

The HMM will not work on short mails - the Bayesian check is used instead. 
Report the mail and use the analyzer.

Try to use additional checks.

Add 'royalthames.com' to BlackListedDomains or block the IP or use SPF 
fallback / override...

Here, for example, the helo is wrong. It contains an IP.   
helo=wsip-70-164-26-66.ri.ri.cox.net
and
the IP 70.164.26.66 has no pointer record


Thomas



From:    James Brown <[email protected]>
To:      ASSP development mailing list <[email protected]>, 
Date:    05.05.2014 04:06
Subject: [Assp-test] HMM-Check not stopping spam



We received lots of these emails to multiple valid email accounts:

May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Originating 
IP/HELO:  70.164.26.66 / wsip-70-164-26-66.ri.ri.cox.net
May-03-14 19:18:00 id-08680-05722 [Worker_4] [MissingMX] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] [scoring] MX 
missing (cache): royalthames.com
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] 
Message-Score: added 10 (mxValencePB) for MX missing (cache): 
royalthames.com, total score for this message is now 10
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM-Check 
has given less than 6 results - using monitoring mode only
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM Check 
[monitoring] - Prob: 0.92506 => spam
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Bayesian 
Check  - Prob: 0.00871 => ham
May-03-14 19:18:00 id-08680-05722 [Worker_4] [MessageOK] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] message ok 
[invoice 052019417E AI5KSP] -> /Applications/assp/okmail/--172831.eml
May-03-14 19:18:00 [Worker_5] Connected: session:7FA119A169C0 
192.168.1.2:36416 > 192.168.1.9:25 > 127.0.0.1:10026
May-03-14 19:18:00 [Worker_4] Finished message - received DATA size: 1.52 
kByte - sent DATA size: 2.24 kByte
May-03-14 19:18:00 [Worker_4] Disconnected: session:7FA0F6A0F900 
192.168.1.2 - processing time 0 seconds
May-03-14 19:18:01 [Worker_5] Info: VRFY - found [email protected] in 
VRFY-cache (ldaplistdb)
May-03-14 19:18:01 id-08680-10136 [Worker_5] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Originating 
IP/HELO:  70.164.26.66 / wsip-70-164-26-66.ri.ri.cox.net
May-03-14 19:18:01 id-08680-10136 [Worker_5] [MissingMX] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] [scoring] MX 
missing (cache): royalthames.com
May-03-14 19:18:01 id-08680-10136 [Worker_5] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] 
Message-Score: added 10 (mxValencePB) for MX missing (cache): 
royalthames.com, total score for this message is now 10
May-03-14 19:18:01 id-08680-10136 [Worker_5] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM-Check 
has given less than 6 results - using monitoring mode only
May-03-14 19:18:01 id-08680-10136 [Worker_5] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM Check 
[monitoring] - Prob: 0.92506 => spam
May-03-14 19:18:01 id-08680-10136 [Worker_5] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Bayesian 
Check  - Prob: 0.00871 => ham
May-03-14 19:18:01 id-08680-10136 [Worker_5] [MessageOK] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] message ok 
[invoice 052019417E AI5KSP] -> /Applications/assp/okmail/--172832.eml
May-03-14 19:18:01 [Worker_4] Connected: session:7FA119848298 
192.168.1.2:36417 > 192.168.1.9:25 > 127.0.0.1:10026
May-03-14 19:18:01 [Worker_5] Finished message - received DATA size: 1.52 
kByte - sent DATA size: 2.24 kByte
May-03-14 19:18:01 [Worker_5] Disconnected: session:7FA119A169C0 
192.168.1.2 - processing time 1 seconds
May-03-14 19:18:01 [Worker_4] Info: VRFY - found [email protected] in 
VRFY-cache (ldaplistdb)
May-03-14 19:18:02 id-08681-10707 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Originating 
IP/HELO:  70.164.26.66 / wsip-70-164-26-66.ri.ri.cox.net
May-03-14 19:18:02 id-08681-10707 [Worker_4] [MissingMX] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] [scoring] MX 
missing (cache): royalthames.com
May-03-14 19:18:02 id-08681-10707 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] 
Message-Score: added 10 (mxValencePB) for MX missing (cache): 
royalthames.com, total score for this message is now 10
May-03-14 19:18:02 id-08681-10707 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM-Check 
has given less than 6 results - using monitoring mode only
May-03-14 19:18:02 id-08681-10707 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] HMM Check 
[monitoring] - Prob: 0.92506 => spam
May-03-14 19:18:02 id-08681-10707 [Worker_4] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] Bayesian 
Check  - Prob: 0.00871 => ham
May-03-14 19:18:02 id-08681-10707 [Worker_4] [MessageOK] 192.168.1.2 [OIP: 
70.164.26.66] <[email protected]> to: [email protected] message ok 
[invoice 052019417E AI5KSP] -> /Applications/assp/okmail/--172833.eml

etc

How can I get the HMM-Check to get more than 6 results so that it blocks 
the email?

Email header is:

From: [email protected], [email protected]
Subject: invoice 052019417E / AI5KSP
Date: 3 May 2014 8:19:35 PM AEST
To: [email protected]
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from astaro1.bordo.com.au (localhost [127.0.0.1]) by 
mail.bordo.com.au (Postfix) with ESMTP id 05A383AF8FC6 for 
<[email protected]>; Sat, 3 May 2014 19:18:01 +1000 (EST)
Received: from astaro1.bordo.com.au ([192.168.1.2] 
helo=astaro1.bordo.com.au) by mail.bordo.com.au with SMTP (2.4.2); 3 May 
2014 19:18:01 +1000
Received: from wsip-70-164-26-66.ri.ri.cox.net ([70.164.26.66]:9803) by 
astaro1.bordo.com.au with esmtp (Exim 4.76) (envelope-from 
<[email protected]>) id 1WgW4M-0007lF-0u; Sat, 03 May 2014 
19:17:20 +1000
Message-Id: <[email protected]>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 
Thunderbird/24.2.0
Mime-Version: 1.0
Content-Type: multipart/mixed; 
boundary="------------050301030700030305050509"
X-Assp-Id: mail.bordo.com.au id-08681-10707
X-Assp-Session: 7FA119848298 (mail 1)
X-Assp-Oip: 70.164.26.66
X-Assp-Envelope-From: [email protected]
X-Assp-Intended-For: [email protected]
X-Assp-Version: 2.4.2(14121) on mail.bordo.com.au
X-Assp-Received-Spf: none (cache) ip=70.164.26.66 
[email protected] helo=wsip-70-164-26-66.ri.ri.cox.net
X-Original-Authentication-Results: mail.bordo.com.au; spf=none
X-Assp-Message-Score: 10 (MX missing (cache): royalthames.com)
X-Assp-Ip-Score: 10 (MX missing (cache): royalthames.com)
X-Assp-Detected-Uri: googleusercontent.com(1), wizzair.com(2), 
royalthames.com(1)
X-Assp-Spam-Prob: 0.00871
X-Assp-Hmm-Spam-Prob: 0.92506
X-Assp-Spam-Level: ***

Email body is just a link to an image.

ASSP version 2.4.2(14123)

Thanks,

James.
------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find 
out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
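
An added example, not part of the thread and not ASSP code: a small log triage script for the two signals discussed above, a HELO name that embeds the connecting IP and an HMM "spam" verdict that was only logged in monitoring mode while the Bayesian check passed the mail. The function names are hypothetical, and the sample lines are constructed from the log in this thread (re-joined onto single lines, redacted addresses replaced with placeholders, plus one made-up clean message).

```python
import re

# Constructed sample: log lines from the thread re-joined onto single lines,
# redacted addresses replaced by placeholders; the last line is made up.
SAMPLE_LOG = """\
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 70.164.26.66] <sender@example.invalid> to: rcpt@example.invalid Originating IP/HELO:  70.164.26.66 / wsip-70-164-26-66.ri.ri.cox.net
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 70.164.26.66] <sender@example.invalid> to: rcpt@example.invalid HMM Check [monitoring] - Prob: 0.92506 => spam
May-03-14 19:18:00 id-08680-05722 [Worker_4] 192.168.1.2 [OIP: 70.164.26.66] <sender@example.invalid> to: rcpt@example.invalid Bayesian Check  - Prob: 0.00871 => ham
May-03-14 19:18:05 id-00000-00001 [Worker_4] 192.168.1.2 [OIP: 192.0.2.10] <sender@example.invalid> to: rcpt@example.invalid Originating IP/HELO:  192.0.2.10 / mx1.example.invalid
"""

MSG_ID = re.compile(r"\b(id-\d+-\d+)\b")
HELO = re.compile(r"Originating IP/HELO:\s+(\S+)\s+/\s+(\S+)")
VERDICT = re.compile(r"(HMM|Bayesian) Check\s+(\[monitoring\]\s+)?- Prob: ([\d.]+) => (\w+)")

def helo_embeds_ip(helo, ip):
    """True if the HELO name contains the IPv4 octets in forward or reverse order."""
    octets = ip.split(".")
    if len(octets) != 4:
        return False
    for seq in (octets, octets[::-1]):
        # Octets joined by '-' or '.', not glued to neighbouring digits.
        pattern = r"(?<!\d)" + r"[-.]".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pattern, helo):
            return True
    return False

def review(log_text):
    """Group log lines by ASSP message id and return the findings per message."""
    msgs = {}
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m.group(1), {"helo_embeds_ip": False, "verdicts": {}})
        h = HELO.search(line)
        if h:
            rec["helo_embeds_ip"] = helo_embeds_ip(h.group(2), h.group(1))
        v = VERDICT.search(line)
        if v:
            rec["verdicts"][v.group(1)] = {"prob": float(v.group(3)),
                "verdict": v.group(4), "monitoring": bool(v.group(2))}
    for rec in msgs.values():
        hmm, bayes = rec["verdicts"].get("HMM", {}), rec["verdicts"].get("Bayesian", {})
        # HMM said spam, but only in monitoring mode, and Bayesian passed the mail.
        rec["missed_by_monitoring"] = (hmm.get("monitoring") is True
            and hmm.get("verdict") == "spam" and bayes.get("verdict") == "ham")
    return msgs
```

The PTR lookup for the connecting IP is left out so the script runs offline on saved logs.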



