Re: How can I correctly detect these spams?
I repeat myself ;-) It seems you are not using *any* custom rules. You may want to check out RDJ and SARE. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de http://msie.winware.org
Re: How can I correctly detect these spams?
From: Thomas Booms [EMAIL PROTECTED]

Here's the content of my local.cf:

rewrite_subject 1
report_safe 2
trusted_networks
user_scores_dsn DBI:mysql::
user_scores_sql_username
user_scores_sql_password
user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0

urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 1.0

The 1st 3 lines were added a few minutes ago. They may help the RBLs work. You might add either of these two lines

dns_available yes
dns_available test: address to test

I presume you did not have the sublime silliness to edit the permanent configuration files such as /usr/share/spamassassin/25_uribl.cf. It appears you did and most of the BLs are not hitting for you. The other alternative is that you zeroed their scores in an alternate configuration file in /etc/mail/spamassassin.

{^_^}
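The urirhssub rules in the local.cf above, worked through as an added example (not code from the thread or from SpamAssassin): each linked domain is queried under multi.uribl.com, and the last octet of the A answer is tested against the rule's bitmask. The sample body, the domain pharm-example.test, the canned DNS answers and the two-label domain shortcut are constructed assumptions.

```python
import quopri
import re
from urllib.parse import urlsplit

# The two rules from the local.cf above (rule name, zone, record type, bitmask).
LOCAL_CF = """\
urirhssub URIBL_BLACK multi.uribl.com. A 2
urirhssub URIBL_GREY  multi.uribl.com. A 4
"""

def parse_urirhssub(cf_text):
    """Return (rule, zone, mask) for every numeric-subtest urirhssub line."""
    rules = []
    for line in cf_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "urirhssub" and f[4].isdigit():
            rules.append((f[1], f[2].rstrip("."), int(f[4])))
    return rules

def uri_domains(qp_body):
    """Decode a quoted-printable HTML part and return the domains it links to."""
    html = quopri.decodestring(qp_body.encode("ascii")).decode("ascii", "replace")
    hosts = (urlsplit(u).hostname for u in re.findall(r'href="?([^"\s>]+)', html, re.I))
    # Simplification: registered domain = last two labels (no public-suffix table).
    return sorted({".".join(h.split(".")[-2:]) for h in hosts if h})

def check(qp_body, rules, resolve):
    """resolve(qname) -> A record string or None. Returns {rule: [domains]}."""
    hits = {}
    for domain in uri_domains(qp_body):
        for rule, zone, mask in rules:
            answer = resolve(f"{domain}.{zone}")
            # A listed domain answers 127.0.0.x; x is a bit field naming the lists.
            if answer and answer.startswith("127.") and int(answer.split(".")[-1]) & mask:
                hits.setdefault(rule, []).append(domain)
    return hits

# Constructed sample: a QP-encoded link and canned DNS answers (no network used).
SAMPLE = 'Welcome to <A href=3D"http://www.abc.pharm-example.test/">our sh=\nop</A>'
CANNED = {"pharm-example.test.multi.uribl.com": "127.0.0.2"}

if __name__ == "__main__":
    print(check(SAMPLE, parse_urirhssub(LOCAL_CF), CANNED.get))
```

With DNS unavailable, resolve() returns None for every query and no URIBL rule can fire, which is the situation the dns_available advice above addresses.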
Re: How can I correctly detect these spams?
It seems you are not using *any* custom rules. You may want to check out RDJ and SARE. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de http://msie.winware.org
Re: How can I correctly detect these spams?
Kai Schaetzl wrote:
It seems you are not using *any* custom rules. You may want to check out RDJ and SARE. Kai

I've found in my debugging info the part where Razor wasn't able to read its config file. This part I've corrected, with positive debugging info. Hope it's working now. If you want, I will send the new debugging output here.

Thomas
--
Booms EDV - hosting more - Herrenstrasse 10 D-59073 Hamm www.booms-edv.de [EMAIL PROTECTED]
Re: (14.6) How can I correctly detect these spams?
Hi Thomas,

Your email scored nearly 25 on my system. Chickenpox contributed 4.2, uribls contributed tons. HTH :)

Thomas Booms wrote:

Spam detection software, running on the system ns1.sandgnat.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: Hi all, I have set all BAYES tests to default values and put in the $GLOBAL all SORBS test in my users database. But since the last hours I got these following listed spams through without tagging as spam: [...]

Content analysis details: (14.6 points, 5.0 required)

 pts  rule name               description
----  ----------------------  --------------------------------------------------
-0.0  SPF_PASS                SPF: sender matches SPF record
 1.8  SPLEL_NLN               BODY: Obfuscated 'online' in body
 0.6  J_CHICKENPOX_34         BODY: {3}Letter - punctuation - {4}Letter
 0.6  J_CHICKENPOX_14         BODY: {1}Letter - punctuation - {4}Letter
 0.6  J_CHICKENPOX_44         BODY: {4}Letter - punctuation - {4}Letter
 0.6  J_CHICKENPOX_56         BODY: {5}Letter - punctuation - {6}Letter
 0.6  J_CHICKENPOX_64         BODY: {6}Letter - punctuation - {4}Letter
 0.6  J_CHICKENPOX_102        BODY: {10}Letter - punctuation - {2}Letter
 1.8  LOBO_NLN                BODY: Obfuscated 'online' in body
 0.6  J_CHICKENPOX_53         BODY: {5}Letter - punctuation - {3}Letter
 0.1  TW_DF                   BODY: Odd Letter Triples with DF
 0.1  RAZOR2_CF_RANGE_51_100  BODY: Razor2 gives confidence level above 50%
                              [cf: 100]
 3.5  BAYES_99                BODY: Bayesian spam probability is 99 to 100%
                              [score: 1.]
 1.5  RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
 1.0  URIBL_SBL               Contains an URL listed in the SBL blocklist
                              [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 0.4  URIBL_AB_SURBL          Contains an URL listed in the AB SURBL blocklist
                              [URIs: timestipulatecool.com militopnig.com]
 3.0  URIBL_BLACK             Contains an URL listed in the URIBL blacklist
                              [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 3.2  URIBL_OB_SURBL          Contains an URL listed in the OB SURBL blocklist
                              [URIs: timestipulatecool.com]
 4.3  URIBL_SC_SURBL          Contains an URL listed in the SC SURBL blocklist
                              [URIs: militopnig.com]
 -10  AWL                     AWL: From: address is in the auto white-list

Hi all, I have set all BAYES tests to default values and put in the $GLOBAL all SORBS test in my users database. But since the last hours I got these following listed spams through without tagging as spam:
Re: How can I correctly detect these spams?
Chris Thielen [EMAIL PROTECTED] wrote on 07/07/2005 01:15:24 AM:
Hi Thomas, Your email scored nearly 25 on my system. Chickenpox contributed 4.2, uribls contributed tons. HTH :)

As has been pointed out, make sure your network tests are turned on. I am surprised that I only got two chickenpox hits on my system though. Chris, what version do you have running? Mine is 1.18 dated 2004-4-5

X-Spam-Status: Yes, score=45.4 required=5.7 tests=BAYES_99,FUZZY_MILLION,
    HTML_80_90,HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_102,
    J_CHICKENPOX_56,LG_4C_2V_3C,MIME_QP_LONG_LINE,PRIORITY_NO_NAME,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
    SARE_HEAD_XUNSENT,SARE_OBFU_PART_ING,URIBL_AB_SURBL,URIBL_BLACK,
    URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
    autolearn=unavailable version=3.1.0-pre4-r208823

Andy
Re: How can I correctly detect these spams?
Andy Jezierski wrote:
Chris Thielen [EMAIL PROTECTED] wrote on 07/07/2005 01:15:24 AM:
Hi Thomas, Your email scored nearly 25 on my system. Chickenpox contributed 4.2, uribls contributed tons. HTH :)

As has been pointed out, make sure your network tests are turned on. I am surprised that I only got two chickenpox hits on my system though. Chris, what version do you have running? Mine is 1.18 dated 2004-4-5

Mine is actually older, h.. ver 1.15 dated 2004-02-06. Perhaps Jennifer revised it later to get rid of false positives?

X-Spam-Status: Yes, score=45.4 required=5.7 tests=BAYES_99,FUZZY_MILLION,
    HTML_80_90,HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_102,
    J_CHICKENPOX_56,LG_4C_2V_3C,MIME_QP_LONG_LINE,PRIORITY_NO_NAME,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
    SARE_HEAD_XUNSENT,SARE_OBFU_PART_ING,URIBL_AB_SURBL,URIBL_BLACK,
    URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
    autolearn=unavailable version=3.1.0-pre4-r208823

Andy
How can I correctly detect these spams?
Hi all,

I have set all BAYES tests to default values and put in the $GLOBAL all SORBS test in my users database. But since the last hours I got these following listed spams through without tagging as spam:

From - Wed Jul 6 23:41:18 2005
X-UIDL: 1120671712.M917383P13835051595651377415.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26882 invoked by uid 567); 6 Jul 2005 17:41:42 -
Received: from 24.107.169.54 by host1 (envelope-from [EMAIL PROTECTED], uid 502) with qmail-scanner-1.25
 (clamdscan: 0.86.1/970. spamassassin: 3.0.4.
 Clear:RC:0(24.107.169.54):SA:1(4.9/1.5):.
 Processed in 0.396896 secs); 06 Jul 2005 17:41:42 -
Received: from unknown (HELO jfmp.com) (24.107.169.54) by 0 with SMTP; 6 Jul 2005 17:41:42 -
From: Mustafa Norman [EMAIL PROTECTED]
To: Socorro Mcclain [EMAIL PROTECTED]
Subject: Like a Teeenager
Date: Wed, 6 Jul 2005 12:31:22 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_001D_01C58250.86C55100
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Qmail-Scanner-Message-ID: [EMAIL PROTECTED]
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=1.5 tests=BAYES_50,HTML_80_90,
 HTML_FONT_BIG,HTML_MESSAGE,MIME_QP_LONG_LINE,PRIORITY_NO_NAME
 autolearn=no version=3.0.4
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on host1.booms-edv.de

This is a multi-part message in MIME format.
--=_NextPart_000_001D_01C58250.86C55100 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Hello, of three hundred and twenty buccaneers who had left Cartagena withhis = life.Frenchmen, and the Santiago, which had been refitted and = rechristenedvehemently, obscenely - for he could be fluently obscene = when movedCertain it is that they did not sight Blood's fleet in that = dim lightWhen Blood, torn as he was between conflicting considerations, = stillsparkle in her hazel eyes.Mr. Blood.always the same; that on the = journeys to the shore they sat andconfusion in his mind, he found = coherent thought impossible.to Colonel Bishop - a disdainful buyer - for = the ignominious sum ofadvice, sir, you'll not hunt me again. I think I = am unlucky to you.If there is any alternative that you can suggest, I = shall be mostBlood was startled.baulked his brutal owner.Aye, and he = said so in terms which told me something that I hope --=_NextPart_000_001D_01C58250.86C55100 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: quoted-printable !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; charset=3Dus-ascii META content=3DMSHTML 6.00.2800.1106 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVFONT face=3DArial/FONTnbsp;/DIV DIVFONT face=3DArialHello, /FONTFONT face=3DArialWelcome to A href=3Dhttp://www.prpgcb.militopnig.com;PharmzOnliSPAN style=3DDISPLAY: = none Cinderella /SPANne SSPAN style=3DDISPLAY: none cheesecake = /SPANhop/A/FONT FONT face=3DArial- one of the IeadinSPAN style=3DDISPLAY: none = deflexion /SPANg onIine pharmaceutSPAN style=3DDISPLAY: none = repaid /SPANicaI shops/FONT/DIV DIVFONT face=3DArial/FONTnbsp;/DIV DIV TABLE cellSpacing=3D0 cellPadding=3D0 border=3D0 TR vAlign=3Dbottom TD rowSpan=3D2FONT face=3DArial size=3D4VSPAN style=3DDISPLAY: = none versification /SPANl/FONT/TD TD/TD TD rowSpan=3D2FONT face=3DArial size=3D4GSPAN 
style=3DDISPLAY: = none scissor /SPANR/FONT/TD TD/TD TD rowSpan=3D2FONT face=3DArial size=3D4SPAN style=3DDISPLAY: = none horseflesh /SPANL/FONT/TD TD/TD TD rowSpan=3D2FONT face=3DArial size=3D4lSPAN style=3DDISPLAY: = none scrubby /SPANU/FONT/TD TD/TD/TR TR vAlign=3Dbottom TDFONT face=3DArial size=3D4SPAN style=3DDISPLAY: none profit = /SPANA/FONT/TD TDFONT face=3DArial size=3D4SPAN style=3DDISPLAY: none = unpractical /SPANAnbsp;CSPAN style=3DDISPLAY: none claqueur = /SPANlA/FONT/TD TDFONT face=3DArial size=3D4ISPAN style=3DDISPLAY: none = officialize /SPANSnbsp;VASPAN style=3DDISPLAY: none bacteria = /SPANL/FONT/TD TDFONT face=3DArial size=3D4SPAN style=3DDISPLAY: none dorter = /SPANM/FONT/TD TDFONT face=3DArial size=3D4nbsp;andnbsp;manynbsp;other./FONT/TD/TR/TABLE/DIV DIVFONT face=3DArial/FONTnbsp;/DIV DIVFONT face=3DArialTotSPAN style=3DDISPLAY: none claretcup = /SPANal confidentiaIity,/FONT/DIV DIVFONT face=3DArialOvSPAN style=3DDISPLAY: none astraddle = /SPANer 5 milIion customers,/FONT/DIV DIVFONT face=3DArialWorldwide SHlSPAN style=3DDISPLAY: none = adroitness /SPANPPlNG,/FONT/DIV DIVFONT face=3DArialSave over 60%SPAN style=3DDISPLAY: none reeded = /SPAN!/FONT/DIV DIVFONT face=3DArial/FONTnbsp;/DIV DIVFONT face=3DArialHave a SPAN style=3DDISPLAY: none papulous = /SPANnice day!/FONT/DIV/DIV/BODY/HTML
RE: How can I correctly detect these spams?
-Original Message-
From: Thomas Booms [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 06, 2005 2:59 PM
To: users@spamassassin.apache.org
Subject: How can I correctly detect these spams?

Hi all, I have set all BAYES tests to default values and put in the $GLOBAL all SORBS test in my users database.

You need URIBL lookups. See www.surbl.org and www.uribl.com for information. Do you have network tests turned off? I ask because SURBL should be included by default in 3.0.4 and they did hit your examples on my server, but not on yours.

Trying to catch these based simply on the content of the message without any blacklist lookups is trying to hit a moving target. Rules cannot be updated fast enough to catch new varieties and by the time the rules are updated, spammers have changed their techniques. You need network tests enabled if you want to be more accurate with these.

But since the last hours I got these following listed spams through without tagging as spam: [...]