Re: SPAM and procmail

2004-01-15 Thread Jeff Macdonald
On Thu, 2004-01-15 at 10:46, Jeff Macdonald wrote:
> On Wed, 2004-01-14 at 15:37, Chris wrote:
> > >
> > > You're likely to see more of this.  It's an attempt to bypass bayesian
> > > style mail filters.  I'm not using one yet, so I don't know how
> > > successful this tactic is.  Irregardless, I'm still of the opinion that
> > > spammers are lower life forms than even SCO executives.
> > >
> > 
> > Unfortunately, the Bayesian filters don't filter these out too successfully
> 
> I thought that too. It turned out that I didn't have the perl module
> Net::DNS installed on my machine which allows RBL checks to happen. Once
> I installed Net::DNS, SA started feeding those types of messages to the
> Bayesian filter and those messages are now being scored high by the
> Bayesian filter in addition to the RBL checks. I'll send a sample
> message once I have some more spam (I just cleaned out my spam folder).
> 

Attached is such a message. This will probably set off some filters, but
note the bayes_99 rule matching and the mostly random words.


From [EMAIL PROTECTED] Thu Jan 15 12:36:06 2004
Received: from localhost [127.0.0.1] by server1.virtualbuilder.com with
SpamAssassin (2.61 1.212.2.1-2003-12-09-exp); Thu, 15 Jan 2004 12:36:06
-0600
From: "Kathie Keys" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: EY, important of those
Date: Thu, 15 Jan 2004 01:30:46 +0100
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on 
server1.virtualbuilder.com
X-Spam-Status: Yes, hits=9.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,
RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP autolearn=no version=2.61
X-Spam-Level: *
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_4006DD96.E31F6D71"
X-Evolution-Source: imap://[EMAIL PROTECTED]/

This is a multi-part message in MIME format.

----=_4006DD96.E31F6D71
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "server1.virtualbuilder.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  robe orthodontic dialectic buzzard deaconess glottis
  thetis censor annuli dungeon stressful haven plume countryman casino
  widen turpentine diadem Free CableTV!No more pay!%
  URI:http://www.3002hosting.com/cable/
  URI:http://www.3002hosting.com/fiter1.jpg arcturus contradistinct
  iconoclast rundown burnout marino biddy discriminant bodybuilder
  hydrangea rothschild landfill scoundrel rangeland atlantica vivo sub
  sure bayport inordinate calcite churchmen roughish timeout drainage
  resent inhale halocarbon chaise schlieren shop peek connect sumner
  celanese signature coquette arcadia area substitutionary cellar billie
  cotillion merle caveat afterward campus provocation orifice threshold
  antipathy convulse checkerberry analeptic persecution cabinetmake usaf
  babble antigen beecham poetic bystander permutation gerry kennan lenore
  forlorn chalmers polarogram reub acrylate sympathy reflect ac cyclopean
  dyadic irreversible appointe abetting view magneto vorticity grope
  audiotape amen cognition waltham moravia zion distraught scottsdale
  conflagration abandon chrysolite elastic bran poncho dropout actuarial
  columbine cleft ace appalachia prologue allowance aptitude floorboard
  courtier bell astronaut polygon drainage pivotal appearance photolytic
  screech conundrum licensor cryptogram collimate geochemistry butternut
  indicter mete burke w inertial burglar kremlin iroquois rough ia
  doleful rhythmic scrimmage baghdad desist gallantry reprieve orville
  adirondack macrostructure grandpa kennel semblance tammany palermo
  attache archipelago pabst committeewomen bimetallic greatcoat
  protophyta corpora beaten articulate biennium deniable caribou
  basepoint dryad bimodal incommunicable schoolwork silicate durkee
  anyplace historian external capsule shrunken microscopy macroscopic
  custer embedder locomotor cannon aloha his balkan teleprocessing
  declamatory scrawny lev cumulate quotation brownian lisp pravda
  bespectacled scour sugar bet decimal preservation monte detest pewter
  eliot hurst breed ciliate feast treadle bergland wilfred adjourn
  bibliophile jay rhesus chalcedony egypt dachshund pledge wardrobe
  arcane shriek absence cavil concordant taurus embroil mongoose bellmen
  zimmerman ame [...] 

Content analysis details:   (9.5 points, 5.0 required)

 pts rule name  description
 -- 

Re: SPAM and procmail

2004-01-15 Thread Jeff Macdonald
On Wed, 2004-01-14 at 15:37, Chris wrote:
> >
> > You're likely to see more of this.  It's an attempt to bypass bayesian
> > style mail filters.  I'm not using one yet, so I don't know how
> > successful this tactic is.  Irregardless, I'm still of the opinion that
> > spammers are lower life forms than even SCO executives.
> >
> 
> Unfortunately, the Bayesian filters don't filter these out too successfully
> 

I thought that too. It turned out that I didn't have the perl module
Net::DNS installed on my machine which allows RBL checks to happen. Once
I installed Net::DNS, SA started feeding those types of messages to the
Bayesian filter and those messages are now being scored high by the
Bayesian filter in addition to the RBL checks. I'll send a sample
message once I have some more spam (I just cleaned out my spam folder).



___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss


Re: SPAM and procmail

2004-01-14 Thread Chris


Cole Tuininga wrote:

> On Wed, 2004-01-14 at 12:37, Chris wrote:
> > Lately I have noticed that the spammers are using random word generators in
> > both the subject and sometimes in the From:
> >
> > Here are a couple of examples
> >
> > Subject   perfidious behemoth doused o pk okbct rhy lc n
> > bevel emancipate aerobacter
> > etc..
>
> You're likely to see more of this.  It's an attempt to bypass bayesian
> style mail filters.  I'm not using one yet, so I don't know how
> successful this tactic is.  Irregardless, I'm still of the opinion that
> spammers are lower life forms than even SCO executives.
>

Unfortunately, the Bayesian filters don't filter these out too successfully

--
IBA #15631




Re: SPAM and procmail

2004-01-14 Thread Cole Tuininga
On Wed, 2004-01-14 at 12:37, Chris wrote:
> Lately I have noticed that the spammers are using random word generators in
> both the subject and sometimes in the From:
> 
> Here are a couple of examples
> 
> Subject   perfidious behemoth doused o pk okbct rhy lc n
> bevel emancipate aerobacter
> etc..

You're likely to see more of this.  It's an attempt to bypass bayesian
style mail filters.  I'm not using one yet, so I don't know how
successful this tactic is.  Irregardless, I'm still of the opinion that
spammers are lower life forms than even SCO executives.

-- 
Those who live by the sword get shot by those who don't.

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D




Re: SPAM and procmail

2004-01-14 Thread Chris


Brian Chabot wrote:

> Brian wrote:
> > For anyone interested... It seems that a lot of spam is starting to slip
> > through Spam Assassin again.
>
> I've had some pretty good luck using a combination of server and client
> spam filters.
>
> On the server side I've been using Spam Bouncer www.spambouncer.org and
> since it came out I've used Mozilla's built-in junkmail filter.  95% of
> the time between the two, I don't see much spam.
>
> ___
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss

Lately I have noticed that the spammers are using random word generators in
both the subject and sometimes in the From:

Here are a couple of examples

Subject   perfidious behemoth doused o pk okbct rhy lc n
bevel emancipate aerobacter
etc..

--
IBA #15631




Re: SPAM and procmail

2004-01-14 Thread brian
On Wed, 2004-01-14 at 11:30, Brian Chabot wrote:
> Brian wrote:
> > For anyone interested... It seems that a lot of spam is starting to slip
> > through Spam Assassin again.
> 
> I've had some pretty good luck using a combination of server and client 
> spam filters.

I like to do all my filtering/processing directly on the mail server.  I
read email (using IMAP) via Evolution both at home and at work.  It's
too much of a pain to keep the local filters updated in 2 locations,
plus with the large volume of email I get, it's much faster to not make
Evolution process the messages.

However, I do know a number of other people who use your approach quite
well.

> On the server side I've been using Spam Bouncer www.spambouncer.org and 
> since it came out I've used Mozilla's built-in junkmail filter.  95% of 
> the time between the two, I don't see much spam.

Will have to check that one out, thanks for the link


> "But I don't want *ANY* spam!"
> 

I hear ya!
-- 
brian <[EMAIL PROTECTED]>



Re: SPAM and procmail

2004-01-14 Thread Brian Chabot


Brian wrote:
For anyone interested... It seems that a lot of spam is starting to slip
through Spam Assassin again.
I've had some pretty good luck using a combination of server and client 
spam filters.

On the server side I've been using Spam Bouncer www.spambouncer.org and 
since it came out I've used Mozilla's built-in junkmail filter.  95% of 
the time between the two, I don't see much spam.

Also on the server, I have a cron job that updates Spambouncer from its 
FTP site and extracts the new files.  A couple links and a decent 
procmailrc and voila - constantly up to date spam filters... well, at 
least as up to date as spambouncer gets.

In Mozilla, it takes about 2 weeks to teach the filters what is spam and 
the spammers have to be really creative to get past this... and when 
they do, I just mark it as junk and it's gone along with anything like it.

Next time I have a new mail server to play with, I'll probably play with 
Spamassassin, possibly in addition to what I'm using now.

"But I don't want *ANY* spam!"

(The other) Brian



RE: SPAM and procmail

2004-01-14 Thread brian
On Wed, 2004-01-14 at 08:11, Travis Roy wrote:
> > I see no chance of Habeas actually
> > suing someone over copyright infringement and/or having any net effect.
> 
> 
> Except according to their website, they have, and they won.

One case (at least from what I saw), and it's still a HUGE delay loop:

 1) I get SPAM
 2) I report it
 3) They investigate/sue
 4) Trial process
 5) I get  in return?

I still don't like the first 2 steps (requires too much action/trouble
on my end).  Maybe in time this would become a deterrent to spammers,
but I really don't see it making an impact, due to too many forged
headers, off-shore operations, etc.

Could be that I'm just bitter and pessimistic though.  :)
-- 
brian <[EMAIL PROTECTED]>



RE: SPAM and procmail

2004-01-14 Thread Travis Roy
> I see no chance of Habeas actually
> suing someone over copyright infringement and/or having any net effect.


Except according to their website, they have, and they won.



RE: SPAM and procmail

2004-01-14 Thread Travis Roy
I noticed that too, then I looked at the headers:

X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam.  Please report use of this
X-Habeas-SWE-9: mark in spam to 

I went to their site and it seems they partner with a lot of people that do
spam blocking (including spam assassin) and if these headers are in the
email then the email gets through.

If you look around the habeas site you'll see that the first three lines of
those headers are a copyrighted poem and a registered trademark. So, if a
spammer, like the one sending that viagra spam, uses the headers to get
around spam filters they get sued for copyright and trademark infringement.

Since I saw no use for anything Habeas would send me, I just made a rule to
block stuff with those headers in it as well :)





> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Brian
> Sent: Wednesday, January 14, 2004 6:42 AM
> To: Greater NH Linux User Group
> Subject: SPAM and procmail
>
>
> For anyone interested... It seems that a lot of spam is starting to slip
> through Spam Assassin again.  The majority of the messages seem to
> either have "obvious" subject lines, or have ALT-- in the message
> body to try to hide dummy words to throw off the weighting.  I came up
> with these two procmail recipes the other day that have done a good job
> of catching what SA doesn't.  The first looks for various forms of drug
> keywords in the subject line, and the second just dumps any message with
> the ALT stuff in the body to an altinmessage mailbox (I have yet to see
> a valid use of the ALT stuff in the message body (for that matter I've
> yet to see a valid use of HTML in an email message, but that is another
> story)).
>
> Anyway, I thought I would share in case anyone else found these useful,
> or wanted to build off of them.
>
> :0:
> *
> ^Subject:.*([EMAIL PROTECTED]@])|([Ss5].?[oO0].
> [EMAIL PROTECTED])|([EMAIL PROTECTED]@].?[xX])
> meds
>
> :0B:
> * ^ALT--*
> altinmessage
>
>
> Another common technique that is foiling SA is hiding bogus tags in
> words (ie "viagra").  They always seem to be closing tags in the
> messages I've looked at.  If I get the time, I want to pre-parse all
> email before it gets sent to SA and remove all non-real HTML tags, which
> should allow SA to better read and score the message.  This is more of a
> job for piping the message to an external script/program (much like
> filtering it through SA).
>
> And for those that are wondering, yes this *can* get a little processor
> intensive on a busy mailserver with a lot of users, but for the price of
> hardware these days, it's been affordable to provide effective spam
> scanning.
> --
> Brian <[EMAIL PROTECTED]>
>
> ___
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
>
>


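Brian's quoted post describes wanting to pre-parse mail before SpamAssassin sees it and strip the bogus tags that spammers hide inside words such as "viagra". The Python below is an added example of that pre-filter; it is not Brian's script and not part of SpamAssassin or procmail. It drops any tag whose name is not on a small allowlist of real HTML elements, so the rejoined token reaches the Bayesian tokenizer and keyword rules, and it also reports how many such tags were found, which is itself a usable spam signal. The allowlist, the keyword list and the sample body are constructed for the example.

```python
import re

# Constructed allowlist of element names that legitimately appear in HTML mail.
# Anything else between angle brackets is treated as filler inserted to split
# a word (e.g. "via<xq>gra").
REAL_TAGS = {
    "html", "head", "title", "meta", "style", "body", "div", "span", "p", "br",
    "hr", "a", "b", "i", "u", "strong", "em", "font", "img", "table", "tr",
    "td", "th", "center", "ul", "ol", "li", "h1", "h2", "h3", "blockquote",
}

# Matches an opening or closing tag and captures its name; comments ("<!-- -->")
# and bare "<" characters do not match and are left alone.
TAG_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def bogus_tags(body):
    """Return the names of tags in body that are not real HTML elements."""
    return [m.group(1) for m in TAG_RE.finditer(body)
            if m.group(1).lower() not in REAL_TAGS]


def strip_bogus_tags(body):
    """Remove the bogus tags so that split words are rejoined; real markup is
    kept for the downstream HTML rules."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in REAL_TAGS else "", body)


def keyword_hits(body, keywords):
    """Case-insensitive keyword check run on the cleaned body, i.e. the check
    the hidden tags were meant to defeat."""
    cleaned = strip_bogus_tags(body).lower()
    return [k for k in keywords if k in cleaned]


# Constructed sample body using the word-splitting trick the thread describes.
SAMPLE_BODY = (
    "<html><body><p>Cheap vi<xq>ag</zz>ra and m<fake>eds online!</p>\n"
    "<p>Click <a href=\"http://example.invalid/\">here</a></p></body></html>"
)

if __name__ == "__main__":
    print("bogus tags:", bogus_tags(SAMPLE_BODY))
    print("cleaned:", strip_bogus_tags(SAMPLE_BODY))
    print("keyword hits:", keyword_hits(SAMPLE_BODY, ["viagra", "meds"]))
```

In a procmail setup this would run as a filter stage (`:0fw` piping the message through the script) ahead of the SpamAssassin recipe, so SA scores the cleaned body; the bogus-tag count can also be fed back as an extra header for a local rule.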


RE: SPAM and procmail

2004-01-14 Thread brian
On Wed, 2004-01-14 at 08:04, Travis Roy wrote:
> I noticed that too, then I looked at the headers:
> 
> X-Habeas-SWE-1: winter into spring
> Since I saw no use for anything Habeas would send me, I just made a rule to
> block stuff with those headers in it as well :)


I have only (so far) gotten a couple of Habeas headers.  And like you, I
just block all the Habeas stuff, I see no chance of Habeas actually
suing someone over copyright infringement and/or having any net effect.



Re: SPAM and procmail

2004-01-14 Thread Matt Brodeur
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jan 14, 2004 at 06:41:49AM -0500, Brian wrote:

> For anyone interested... It seems that a lot of spam is starting to slip
> through Spam Assassin again.  The majority of the messages seem to
> either have "obvious" subject lines, or have ALT-- in the message
> body to try to hide dummy words to throw off the weighting.

   I have seen probably 10-20 messages in the past week that have a
Habeas Warrant Mark (www.habeas.com), but are obviously spam.  The
default SA configuration will assign -8.0 points for this, usually
outweighing other indicators and letting the message through.  This
line in your user_prefs or local.cf could help:

score HABEAS_SWE 0.00

   I chose to completely disable the Habeas check, since it just seems
too easy to forge.  You might want to instead assign it a more
reasonable score (like -2.0 or so), so that a really spammy message
will still count as a hit.
   As an interesting note, all of the messages that have slipped
through due to the Habeas issue have also scored 90+ on the Bayes
test.  Since my BAYES_99 score is 7.5, the HABEAS_SWE of -8.0 was
completely nullifying that result.  By lowering the effect of the
Warrant Mark these messages will be properly tagged.


- -- 
Matt Brodeur                        RHCE
[EMAIL PROTECTED]                   http://www.NextTime.com

Anytime things appear to be going better, you have overlooked something.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFABT2yc8/WFSz+GKMRAh2NAJ9OwdGUm43UGOdHOycMk2v3Q4bCWACfWLnN
Pv9I2CHPoef8EfTMIW7GoJk=
=vTzk
-----END PGP SIGNATURE-----
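To see the arithmetic Matt describes, here is an added Python example, not code from the thread and not part of SpamAssassin, that parses an X-Spam-Status header like the one in Jeff's attached sample and re-totals the matched rules under local score overrides, the way a `score HABEAS_SWE 0.00` line in local.cf or user_prefs would. The score table is constructed: BAYES_99 = 7.5 and HABEAS_SWE = -8.0 are the values Matt quotes, the remaining entries are placeholders rather than SpamAssassin 2.61 defaults, and the second sample header is constructed to show a Habeas-marked message that Bayes alone would have caught.

```python
import re

# Constructed score table: BAYES_99 and HABEAS_SWE are the values quoted in
# the thread; the rest are placeholders, not SpamAssassin 2.61 defaults.
DEFAULT_SCORES = {
    "BAYES_99": 7.5,
    "HABEAS_SWE": -8.0,
    "HTML_MESSAGE": 0.1,
    "RCVD_IN_BL_SPAMCOP_NET": 2.0,
    "RCVD_IN_DSBL": 1.0,
}

# Header value from Jeff's attached sample, folded the way a real header is.
SAMPLE_RBL_HIT = (
    "Yes, hits=9.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,\n"
    "\tRCVD_IN_SORBS,RCVD_IN_SORBS_HTTP autolearn=no version=2.61"
)

# Constructed header for the case Matt describes: Bayes is sure it is spam,
# but a forged Habeas mark drags the total below the threshold.
SAMPLE_HABEAS = (
    "No, hits=-0.4 required=5.0 tests=BAYES_99,HABEAS_SWE,HTML_MESSAGE\n"
    "\tautolearn=no version=2.61"
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_spam_status(value):
    """Parse an X-Spam-Status value into
    {'flag': bool, 'hits': float, 'required': float, 'tests': [rule names]}.
    Folded continuation lines are unfolded first, and a test list that was
    folded after a comma is rejoined."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value.strip())
    unfolded = re.sub(r",\s+", ",", unfolded)
    flag, _, rest = unfolded.partition(",")
    fields = dict(FIELD_RE.findall(rest))
    for key in ("hits", "required", "tests"):
        if key not in fields:
            raise ValueError("missing %s= in X-Spam-Status" % key)
    return {
        "flag": flag.strip() == "Yes",
        "hits": float(fields["hits"]),
        "required": float(fields["required"]),
        "tests": [t for t in fields["tests"].split(",") if t],
    }


def rescore(tests, required, overrides=None):
    """Re-total the matched rules with local `score NAME value` overrides
    applied. Returns (total, would_be_tagged)."""
    scores = dict(DEFAULT_SCORES)
    scores.update(overrides or {})
    total = round(sum(scores.get(t, 0.0) for t in tests), 2)
    return total, total >= required


def habeas_effect(header_value, habeas_score):
    """Parse a header and re-score it with HABEAS_SWE set to habeas_score,
    as a `score HABEAS_SWE <value>` line in local.cf would."""
    parsed = parse_spam_status(header_value)
    return rescore(parsed["tests"], parsed["required"],
                   {"HABEAS_SWE": habeas_score})


if __name__ == "__main__":
    for name, hdr in (("RBL hit", SAMPLE_RBL_HIT), ("forged Habeas", SAMPLE_HABEAS)):
        p = parse_spam_status(hdr)
        print(name, "flagged by SA:", p["flag"], "tests:", p["tests"])
        for s in (-8.0, -2.0, 0.0):
            total, tagged = habeas_effect(hdr, s)
            print("  with HABEAS_SWE=%s -> total %s, tagged %s" % (s, total, tagged))
```

Run over the constructed Habeas sample, the default -8.0 leaves the total at -0.4 (not tagged), Matt's suggested -2.0 gives 5.6 and disabling the rule gives 7.6, both above the 5.0 threshold; the same loop over a directory of saved spam headers is a quick way to check what a proposed score change would have done before editing local.cf.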