Re: Spam US$350,000 not tripped
On Tue 19 Oct 2010 23:34:04 CEST, Dennis German wrote:
> http://www.Real-World-Systems.com/mail/spam.un

squirrelmail is old :)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spam US$350,000 not tripped
On Wed, 2010-10-20 at 06:26 +0100, Ned Slider wrote:
> On 19/10/10 22:56, Karsten Bräckelmann wrote:
> > On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> > > It hits a stack of rules here (some are my own scoring) - looks like
> > > * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> > > * [148.208.170.3 listed in bb.barracudacentral.org]
> >
> > Seriously? Or is that a score typo in your cf files?
>
> I did say above some are my own scoring. I've been evaluating BRBL to see if it's a candidate to use at the smtp level and need to identify possible false positives. Giving it a ridiculously high score ensures any hits end up in quarantine where I can examine. No FPs of note yet.

Yes, you did state some scores are adjusted. That one really stuck out, though, and with such a ridiculously high score (your own words, let me just stress the point ;) being a typo was not unlikely.

Your usage as test-phase for possible SMTP rejection makes sense and puts it into perspective.

> I've also tweaked the Bayesian scoring for my own preferences. I still see a fair amount of spam caught by Bayes alone and manually train Bayes with confirmed ham/spam only. I have high confidence in my Bayesian setup and whitelisting invariably catches any potential FP hits.

*nod* With a well-trained Bayes DB, that's entirely possible.

> In general, I wouldn't recommend users tweak the default scoring too much.

Thanks. :)

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Spam US$350,000 not tripped
I am surprised this plain text spam did not trip for US$350,000 sa 3.2.4 http://www.Real-World-Systems.com/mail/spam.un
Re: Spam US$350,000 not tripped
On 19/10/10 22:34, Dennis German wrote:
> I am surprised this plain text spam did not trip for US$350,000 sa 3.2.4
> http://www.Real-World-Systems.com/mail/spam.un

It hits a stack of rules here (some are my own scoring) - looks like it's time to upgrade to SA 3.3.1.

X-Spam-Report:
 * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
 * [score: 0.]
 * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 * [148.208.170.3 listed in bb.barracudacentral.org]
 * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
 * [148.208.170.3 listed in hostkarma.junkemailfilter.com]
 * 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
 * and suggests discarding the rest
 * 1.0 MISSING_HEADERS Missing To: header
 * 0.0 T_LOTS_OF_MONEY Huge... sums of money
 * 1.6 REPLYTO_WITHOUT_TO_CC REPLYTO_WITHOUT_TO_CC
 * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
 * 3.4 FILL_THIS_FORM_LONG Fill in a form with personal information
 * 0.0 T_FILL_THIS_FORM Fill in a form with personal information
 * 1.5 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
 * 3.3 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
 * 0.5 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
 * 0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
 * 0.9 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
 * 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
 * 0.8 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
 * 0.5 MONEY_FRAUD_5 Lots of money and many fraud phrases
 * 0.8 MONEY_FRAUD_8 Lots of money and very many fraud phrases
 * 0.5 MONEY_FRAUD_3 Lots of money and several fraud phrases
 * 0.5 FORM_FRAUD_5 Fill a form and many fraud phrases
 * 0.5 FORM_FRAUD_3 Fill a form and several fraud phrases
Re: Spam US$350,000 not tripped
On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> On 19/10/10 22:34, Dennis German wrote:
> > I am surprised this plain text spam did not trip for US$350,000 sa 3.2.4

Uhm, a generic amount of money on its own is not a sign of spam. You know, some people do deal with and talk about money...

> It hits a stack of rules here (some are my own scoring) - looks like
> it's time to upgrade to SA 3.3.1.
>
> * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.]
> * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> * [148.208.170.3 listed in bb.barracudacentral.org]

Seriously? Or is that a score typo in your cf files?

> * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
> * [148.208.170.3 listed in hostkarma.junkemailfilter.com]

BRBL and JMF are easy enough to add to an existing 3.2.x installation.

> * 1.0 MISSING_HEADERS Missing To: header

Stock 3.2.x, scored even slightly higher.

> * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns

Easy enough to add to 3.2.x via sa-update. Recommended.

Bayes of course also is part of stock 3.2.x. ;)

Plethora of new fraud rules snipped.
Re: Spam US$350,000 not tripped
On Oct 19, 2010, at 5:56 PM, Karsten Bräckelmann wrote:
> On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> > On 19/10/10 22:34, Dennis German wrote:
> > > I am surprised this plain text spam did not trip for US$350,000 sa 3.2.4
>
> Uhm, a generic amount of money on its own is not a sign of spam. You know, some people do deal with and talk about money...
>
> > It hits a stack of rules here (some are my own scoring) - looks like
> > it's time to upgrade to SA 3.3.1.
> >
> > * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > * [score: 0.]
> > * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> > * [148.208.170.3 listed in bb.barracudacentral.org]
>
> Seriously? Or is that a score typo in your cf files?
>
> > * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
> > * [148.208.170.3 listed in hostkarma.junkemailfilter.com]
>
> BRBL and JMF are easy enough to add to an existing 3.2.x installation.
>
> > * 1.0 MISSING_HEADERS Missing To: header
>
> Stock 3.2.x, scored even slightly higher.
>
> > * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
>
> Easy enough to add to 3.2.x via sa-update. Recommended.
>
> Bayes of course also is part of stock 3.2.x. ;)
>
> Plethora of new fraud rules snipped.

Karsten,

Thank you for the suggestion of adding BRBL and JMF. Can you please point me to some detailed information explaining how to do that.

PS I am on a shared server without root access. (or I would have upgraded SA)
Re: Spam US$350,000 not tripped
On Tue, 2010-10-19 at 19:29 -0400, Dennis German wrote:
> Thank you for the suggestion of adding BRBL and JMF. Can you please point me to some detailed information explaining how to do that.
>
> PS I am on a shared server without root access. (or I would have upgraded SA)

The actual rules to be added are documented in SA bugzilla. The Sought channel is documented in the wiki.

However, no root access -- neither of these is a user preference, it is impossible to add them with mere tweaking of user_prefs [1]. You can only do this if you have access to the site-wide config, commonly referred to as local.cf. This might be possible, even on a shared, virtual server. If you ever could add rules yourself, you can do this, too.

[1] Unless allow_user_rules is enabled, which is rather unlikely.
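As an added illustration (this is not from the thread or from the SpamAssassin distribution files), the rules being discussed take this shape in a site-wide local.cf. The check_rbl / check_rbl_sub eval functions, the tflags and score keywords, and the "-lastexternal" set-name suffix that restricts the lookup to the last external relay (the LASTEXT in the rule name) are SpamAssassin's own; the score values and the trusted_networks range are assumptions chosen here for illustration.

```conf
# Added example: goes in the site-wide local.cf, not in user_prefs, which
# cannot define rules unless allow_user_rules is enabled. Needs network tests
# enabled and the DNSEval plugin (loaded by default in 3.2.x and 3.3.x).

# "lastexternal" lookups only make sense if SpamAssassin knows which relays
# are yours; otherwise the "last external" hop may be your own MX.
# Assumed range for illustration; replace with your own relay addresses.
trusted_networks 192.0.2.0/24

# Barracuda Reputation Block List, queried for the last external relay only.
# The "-lastexternal" suffix on the set name is what restricts the lookup.
header   RCVD_IN_BRBL_LASTEXT  eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org.')
describe RCVD_IN_BRBL_LASTEXT  RBL: Barracuda Reputation Block List (last external)
tflags   RCVD_IN_BRBL_LASTEXT  net
# Assumed, conservative production score. The 25 seen in this thread is a
# deliberate evaluation setting: it forces every hit into quarantine so the
# admin can look for false positives before using the list at SMTP time.
score    RCVD_IN_BRBL_LASTEXT  1.5

# JunkEmailFilter hostkarma returns different answers for different verdicts,
# so one DNS lookup feeds a hidden rule and check_rbl_sub matches the code.
header   __RCVD_IN_JMF   eval:check_rbl('jmf-lastexternal', 'hostkarma.junkemailfilter.com.')
tflags   __RCVD_IN_JMF   net

# 127.0.0.2 is hostkarma's "BLACK" (blacklisted) answer.
header   RCVD_IN_JMF_BL  eval:check_rbl_sub('jmf-lastexternal', '^127\.0\.0\.2$')
describe RCVD_IN_JMF_BL  RBL: Relay listed in JunkEmailFilter BLACK (bad)
tflags   RCVD_IN_JMF_BL  net
score    RCVD_IN_JMF_BL  3.0
```

After adding these, run `spamassassin --lint` as the user that owns the config to catch syntax errors before the milter or spamd picks them up.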
Re: Spam US$350,000 not tripped
On 19/10/10 22:56, Karsten Bräckelmann wrote:
> On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> > On 19/10/10 22:34, Dennis German wrote:
> > > I am surprised this plain text spam did not trip for US$350,000 sa 3.2.4
>
> Uhm, a generic amount of money on its own is not a sign of spam. You know, some people do deal with and talk about money...
>
> > It hits a stack of rules here (some are my own scoring) - looks like
> > it's time to upgrade to SA 3.3.1.
> >
> > * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > * [score: 0.]
> > * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> > * [148.208.170.3 listed in bb.barracudacentral.org]
>
> Seriously? Or is that a score typo in your cf files?

I did say above some are my own scoring. I've been evaluating BRBL to see if it's a candidate to use at the smtp level and need to identify possible false positives. Giving it a ridiculously high score ensures any hits end up in quarantine where I can examine. No FPs of note yet.

I've also tweaked the Bayesian scoring for my own preferences. I still see a fair amount of spam caught by Bayes alone and manually train Bayes with confirmed ham/spam only. I have high confidence in my Bayesian setup and whitelisting invariably catches any potential FP hits.

In general, I wouldn't recommend users tweak the default scoring too much.