Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Warren Togami
- Original Message -
From: Vince Hoang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 5:51 PM
Subject: Re: [luau] SpamAssassin and Exchange Webmail


 On Mon, Jun 30, 2003 at 04:45:59PM -1000, Matthew John Darnell wrote:
  We are on 2.55 and even if it is marked SPAM it doesn't add any attachments,
  just adds ***SPAM** to the beginning of the subject.

 I believe recent versions of SA have report_safe enabled by
 default. One of the advantages is this approach prevents web
 bugs from loading in HTML-enabled mail. If the image loads, the
 spammer _knows_ you read the message.

 -Vince


spamassassin-2.55 and the soon to be released 2.60 have this new spam
handling behavior which can be enabled.  Rather than modifying the body of
the spam, it moves the original intact spam message into the attachment of a
new message, and within the body of the new message are detailed reasons why
the message was marked as spam, and some text from the message so they
usually don't need to open the attachment.

The user can optionally open the attachment to read the original message,
which works for HTML mail too since the message is completely intact.

http://togami.com/~warren/archive/2003/example-spamassassin.mbox
Here is one intact-spam-into-attachment message in mbox format directly from
my SPAM folder.  It works properly when viewing the original attached
message when viewed from Outlook Express and Outlook in Windows.

Warren Togami
[EMAIL PROTECTED]



Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Vince Hoang
On Tue, Jul 01, 2003 at 04:59:12PM -1000, Warren Togami wrote:
 spamassassin-2.55 and the soon to be released 2.60 have this
 new spam handling behavior which can be enabled. Rather than
 modifying the body of the spam, it moves the original intact
 spam message into the attachment of a new message, and within
 the body of the new message are detailed reasons why the
 message was marked as spam, and some text from the message so
 they usually don't need to open the attachment.

Yes. This is enabled by default, which may annoy some users just
because it is different. But leaving this enabled will help
prevent the embedded web bugs from alerting the spammers that the
message was read.

man Mail::SpamAssassin::Conf

   report_safe { 0 | 1 | 2 } (default: 1)

   if this option is set to 1, if an incoming message
   is tagged as spam, instead of modifying the original
   message, SpamAssassin will create a new report message
   and attach the original message as a message/rfc822
   MIME part (ensuring the original message is completely
   preserved, not easily opened, and easier to recover).

-Vince


Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Vince Hoang
On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:
 Debian stable uses SpamAssassin 2.2. While not a recent version,
 it does format the tagged mail so that I can read it at a later
 time even with an html enabled reader. The spam is not put into
 an attachment making its sordid contents easy to look over.

FWIW, one of the developers for SA is the maintainer for the
Debian SA package. Since SA is such a moving target, I would
really recommend moving to testing, if possible, and pinning SA
to use the unstable package. The version of SA in stable works,
but the version in unstable is vastly improved.

Warren mentioned earlier that the entire message is now an
attachment in recent versions of SA rather than just the message
portion of the message. I believe this was because the developers
realized that the new approach was much less error prone.

-Vince


Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Warren Togami
On Tue, 2003-07-01 at 22:03, Vince Hoang wrote:
 On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:
  Debian stable uses SpamAssassin 2.2. While not a recent version,
  it does format the tagged mail so that I can read it at a later
  time even with an html enabled reader. The spam is not put into
  an attachment making its sordid contents easy to look over.
 
 FWIW, one of the developers for SA is the maintainer for the
 Debian SA package. Since SA is such a moving target, I would
 really recommend moving to testing, if possible, and pinning SA
 to use the unstable package. The version of SA in stable works,
 but the version in unstable is vastly improved.
 
 Warren mentioned earlier that the entire message is now an
 attachment in recent versions of SA rather than just the message
 portion of the message. I believe this was because the developers
 realized that the new approach was much less error prone.

Also more informative for the user because of the very clear message
body describing why the message was scored to be spam, and it prevents
the user from accidentally previewing the message and getting cracked by
an Outlook/Internet Explorer security hole due to script execution. 
Otherwise it prevents the user from alerting the spammer when Outlook
downloads images that your e-mail address is valid and active, meaning
spam more!

Warren



Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread R. Scott Belford

On Tuesday, July 1, 2003, at 10:27 PM, Warren Togami wrote:


On Tue, 2003-07-01 at 22:03, Vince Hoang wrote:

On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:

Debian stable uses SpamAssassin 2.2. While not a recent version,
it does format the tagged mail so that I can read it at a later
time even with an html enabled reader. The spam is not put into
an attachment making its sordid contents easy to look over.


FWIW, one of the developers for SA is the maintainer for the
Debian SA package. Since SA is such a moving target, I would
really recommend moving to testing, if possible, and pinning SA
to use the unstable package. The version of SA in stable works,
but the version in unstable is vastly improved.

Warren mentioned earlier that the entire message is now an
attachment in recent versions of SA rather than just the message
portion of the message. I believe this was because the developers
realized that the new approach was much less error prone.


Also more informative for the user because of the very clear message
body describing why the message was scored to be spam, and it prevents
the user from accidentally previewing the message and getting cracked by
an Outlook/Internet Explorer security hole due to script execution.
Otherwise it prevents the user from alerting the spammer when Outlook
downloads images that your e-mail address is valid and active, meaning
spam more!

Warren


In defense of debian stable's implementation of SpamAssassin, please 
find below the beginning of a tagged message that has been rendered 
safe for viewing by an html compatible mail viewer and as such safe 
from either opening a hyperlink or executing a script.  It does not 
handle spam like my redhat boxes, but I for one like the whole thing in 
the message rather than as an attachment tempting me to click it.  The 
key is that the html email not be executed in any way.  I guess it is 
not best, but I have been pleased with how debian-stable tags and 
neuters my spam; I'll have to try pinning to the unstable version.  
Thanks for the info and feedback.


-scott


From: Elvin Rutherford [EMAIL PROTECTED]
Date: Wed Jul 2, 2003  12:44:06 AM Pacific/Honolulu
To: [EMAIL PROTECTED]
Subject: *SPAM* Re: Important Info Enclosed
Reply-To: Elvin Rutherford [EMAIL PROTECTED]

SPAM:  Start SpamAssassin results 
--

SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (14 hits, 5 required)
SPAM: Hit! (-1.4 points) Sent with 'X-Msmail-Priority' set to high
SPAM: Hit! (2.0 points)  From: contains numbers mixed in with letters
SPAM: Hit! (1.7 points)  Sent with 'X-Priority' set to high
SPAM: Hit! (2.1 points)  BODY: Talks about opting in
SPAM: Hit! (-0.3 points) URI: Includes a link to send a mail with a subject
SPAM: Hit! (4.8 points)  BODY: Frontpage used to create the message
SPAM: Hit! (2.1 points)  BODY: FONT Size +2 and up or 3 and up
SPAM: Hit! (3.0 points)  BODY: Includes a form which will send an email
SPAM: Hit! (0.0 points)  BODY: Includes a URL link to send an email
SPAM:
SPAM:  End of SpamAssassin results 
-



--43_EB.06_._FE..9FB1E_38
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

html

head
meta http-equiv=3DContent-Language content=3Den-us
meta http-equiv=3DContent-Type content=3Dtext/html; 
charset=3Dwindows-=

1252
meta name=3DGENERATOR content=3DMicrosoft FrontPage 4.0
meta name=3DProgId content=3DFrontPage.Editor.Document
titleEARN/title
/head

body

 more spam below. ...



Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Vince Hoang
On Tue, Jul 01, 2003 at 10:42:46PM -1000, R. Scott Belford wrote:
 It does  not handle spam  like my redhat  boxes, but I  for one
 like  the  whole  thing  in  the  message  rather  than  as  an
 attachment tempting  me to click it.  The key is that  the html
 email not be executed in any way. I guess it is not best, but
 I have been pleased with  how debian-stable tags and neuters my
 spam

Actually, your preference is even more safe.

On recent versions of SA, what you want is to add 'report_safe 2'
to your local configuration.  It replaced the defang_mime option.
Again, `man Mail::SpamAssassin::Conf`:

   report_safe { 0 | 1 | 2 } (default: 1)

   If this  option is  set to  2, then  original messages
   will  be attached  with a  content type  of text/plain
   instead  of   message/rfc822.  This  setting   may  be
   required  for safety  reasons on  certain broken  mail
   clients  that automatically  load attachments  without
   any action  by the  user. This  setting may  also make
   it  somewhat more  difficult  to extract  or view  the
   original message.

-Vince
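
Added example, not part of the thread and not SpamAssassin's code: the two wrapper layouts from the man page text quoted above, emulated with Python's email package, and what a MIME-aware client can reach in each. The sample message, addresses, tracker URL and function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: an HTML-only spam carrying a web bug (tracking image).
ORIGINAL = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Important Info Enclosed\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>\n"
    '<img src="http://tracker.example.invalid/bug.gif?id=PLACEHOLDER">\n'
    "</body></html>\n"
)


def wrap(original: str, report_safe: int) -> str:
    """Emulate the wrapper layout described for report_safe 1 and 2."""
    if report_safe not in (1, 2):
        raise ValueError("only report_safe 1 and 2 wrap the original")
    report = EmailMessage()
    report["Subject"] = "SPAM: Important Info Enclosed"
    report.set_content("This mail is probably spam. The original is attached.\n")
    if report_safe == 1:
        # Original kept intact as a nested message/rfc822 part.
        inner = message_from_string(original, policy=policy.default)
        report.add_attachment(inner)
    else:
        # Original attached as inert text/plain; its HTML is never a MIME part.
        report.add_attachment(original, subtype="plain",
                              filename="original_message.txt")
    return report.as_string()


def part_types(raw: str) -> list:
    """Content types in the order a MIME parser walks them."""
    msg = message_from_string(raw, policy=policy.default)
    return [part.get_content_type() for part in msg.walk()]


def reachable_web_bugs(raw: str) -> list:
    """Image URLs inside text/html parts that a client could render."""
    msg = message_from_string(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            urls += re.findall(r'<img[^>]+src="([^"]+)"',
                               part.get_content(), re.I)
    return urls
```

With `report_safe 1` the HTML part still exists one level down, so a client that opens attachments automatically will render it; with `report_safe 2` the same bytes are only text.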


Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread R. Scott Belford
This is how it is tagged with a recent version of SA on Red Hat 7.2.  I have
to agree that it is much safer and informative the newer way than it is via
debian stable.

--scott



This mail is probably spam.  The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future.  See http://spamassassin.org/tag/ for more details.

Content preview:  LUSTFUL and SEX-STARVED TEENS!

http://girlsthatgo.com/click.php?id104748campain_id88type=textsite_id4
  The HOTTEST YOUNG MODELS... The BEST PHOTOGRAPHY... The NAUGHTIEST SEX
  ACTS...

http://girlsthatgo.com/click.php?id104748campain_id88type=textsite_id4
  [...]

Content analysis details:   (15.70 points, 5 required)
FROM_ENDS_IN_NUMS      (0.7 points)  From: ends in numbers
NASTY_GIRLS            (2.8 points)  BODY: Possible porn - Nasty Girls
PORN_16                (2.9 points)  BODY: Possible porn - nasty, dirty, little etc.
HTML_WEB_BUGS          (0.1 points)  BODY: Image tag with an ID code to identify you
HTML_IMAGE_ONLY_10     (0.5 points)  BODY: HTML has images with 800-1000 bytes of words
HTML_50_60             (0.5 points)  BODY: Message is 50% to 60% HTML
HTML_MESSAGE           (0.1 points)  BODY: HTML included in message
HTML_FONT_COLOR_BLUE   (0.1 points)  BODY: HTML font color is blue
HTML_LINK_CLICK_HERE   (0.1 points)  BODY: HTML link text says click here
MIME_HTML_NO_CHARSET   (0.8 points)  RAW: Message text in HTML without specified charset
HTTP_WITH_EMAIL_IN_URL (0.3 points)  URI: 'remove' URL contains an email address
MAILTO_TO_REMOVE       (0.3 points)  URI: Includes a 'remove' email address
REMOVE_PAGE            (0.3 points)  URI: URL of page called remove
MSG_ID_ADDED_BY_MTA_3  (0.7 points)  'Message-Id' was added by a relay (3)
DATE_IN_PAST_96_XX     (1.6 points)  Date: is 96 hours or more before Received: date
FORGED_MUA_OUTLOOK     (3.5 points)  Forged mail pretending to be from MS Outlook
CLICK_BELOW            (0.1 points)  Asks you to click below
FROM_ALL_NUMS          (0.3 points)  From an address that is all numbers (non-phone)

The original message did not contain plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Re: [luau] SpamAssassin and Exchange Webmail

2003-07-01 Thread Warren Togami
On Tue, 2003-07-01 at 22:42, R. Scott Belford wrote:
  Also more informative for the user because of the very clear message
  body describing why the message was scored to be spam, and it prevents
  the user from accidentally previewing the message and getting cracked by
  an Outlook/Internet Explorer security hole due to script execution.
  Otherwise it prevents the user from alerting the spammer when Outlook
  downloads images that your e-mail address is valid and active, meaning
  spam more!
 
  Warren
 
 In defense of debian stable's implementation of SpamAssassin, please 
 find below the beginning of a tagged message that has been rendered 
 safe for viewing by an html compatible mail viewer and as such safe 
 from either opening a hyperlink or executing a script.  It does not 
 handle spam like my redhat boxes, but I for one like the whole thing in 
 the message rather than as an attachment tempting me to click it.  The 
 key is that the html email not be executed in any way.  I guess it is 
 not best, but I have been pleased with how debian-stable tags and 
 neuters my spam; I'll have to try pinning to the unstable version.  
 Thanks for the info and feedback.
 
 -scott
 

The only drawback to this is that it is confusing and difficult to read
for the legitimate HTML mail that is marked as spam.  The new make into
attachment behavior totally does not modify the message, so it is at
least possible and easy to read the original message for inexperienced
users.  For the windows and mac users that I have given a choice, they
much preferred the attachment option to the old report_safe behavior, or
no body modification at all.

Be aware that spamassassin-2.2 is extremely old and its spam detection
ability would be far less precise than recent versions.  Even 2.4 has
problems in marking legitimate mail scores too high, and spam scores too
low.  Spammers found that they could easily add several MUA headers to a
message and force spamassassin scores wayyy low.  This was fixed in
2.55.  2.55 also has the benefit of bayesian filtering, making the
filter learn and become more precise over time.

(2.55 has a flaw where it poisons your bayes database if you use the -r
option though.  Let me know if you plan on using -r to report spam, and
I'll send you a patch to fix this problem.)

Warren



[luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Randall Oshita
Anybody here with any ideas why Spam Assassin scores a message lower
when sent via Outlook but scores it higher when sending the same exact
message via Exchange's webmail?

Randall


Re: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Matthew John Darnell
If you look at the message header it should tell you exactly what the
triggers were.

You can adjust the points given to each test if your experience dictates so.

-Matt



- Original Message - 
From: Randall Oshita [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 12:10 PM
Subject: [luau] SpamAssassin and Exchange Webmail


 Anybody here with any ideas why Spam Assassin scores a message lower
 when sent via Outlook but scores it higher when sending the same exact
 message via Exchange's webmail?

 Randall
 ___
 LUAU mailing list
 [EMAIL PROTECTED]
 http://videl.ics.hawaii.edu/mailman/listinfo/luau




RE: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Randall Oshita
The thing is we took this out because it adds a text file to the message
as an attachment. People get confused etc...
Any other way of finding this?
Thanks.
Randall



If you look at the message header it should tell you exactly
what the triggers were.

You can adjust the points given to each test if your
experience dictates so.

-Matt


RE: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Warren Togami
On Mon, 2003-06-30 at 14:19, Randall Oshita wrote:
 The thing is we took this out because it adds a text file to the message
 as an attachment. People get confused etc...
 Any other way of finding this?
 Thanks.
 Randall

What version of spamassassin is that?  2.55?

Warren



Re: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Matthew John Darnell
We are on 2.55 and even if it is marked SPAM it doesn't add any attachments,
just adds ***SPAM** to the beginning of the subject.

Here is the header of mail not marked as SPAM

Return-Path: [EMAIL PROTECTED]
Received: from mx11.sjc.ebay.com (mxpool06.ebay.com [66.135.197.12])
 by www.comtelweb.com (8.11.6/8.11.6) with ESMTP id h5PLB0L28225
 for [EMAIL PROTECTED]; Wed, 25 Jun 2003 11:11:01 -1000
Received: from sj-cgi3008.sjc.ebay.com (sj-cgi3008.sjc.ebay.com
[10.6.17.247])
 by mx11.sjc.ebay.com (8.12.3/8.12.3) with SMTP id h5PLBmjE008293
 for [EMAIL PROTECTED]; Wed, 25 Jun 2003 14:11:49 -0700
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Comment: 0.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Subject: eBay Request Payment Information for Item#3420552097 (Avaya
partner-18D euro telephone nice)
Date: Wed, 25 Jun 2003 14:11:56 PDT
X-Spam-Status: No, hits=-0.7 required=5.0
 tests=CLICK_BELOW,GENUINE_EBAY_RCVD,NO_REAL_NAME
 version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-UIDL: U'3!!D2##!!!+#!/_B!


The auto white list is how it gets a negative number.

Aloha,
Matt








- Original Message - 
From: Randall Oshita [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 2:37 PM
Subject: RE: [luau] SpamAssassin and Exchange Webmail


 2.50
 Mimedefang 2.3

 What version of spamassassin is that?  2.55?
 




Re: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Vince Hoang
On Mon, Jun 30, 2003 at 02:19:15PM -1000, Randall Oshita wrote:
 The thing is we took this out because it adds a text file to
 the message as an attachment. People get confused etc... Any
 other way of finding this?

I suspect Outlook vs. OWA adds different headers and has
different rules to match against.

If you want a long term solution to let you easily troubleshoot,
shove the scores into the headers.

Upgrading to a recent version of SA might give you a better score
distribution so you will not have to worry about the difference
between the two MUAs.

-Vince
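
Added example, not part of the thread: one way to answer the Outlook-versus-webmail question from headers alone, by parsing X-Spam-Status (the layout of the 2.55 header shown elsewhere in this thread) from both copies and diffing the rule names. The two "via" sample headers and the function names are constructed; `score=` is accepted alongside `hits=` because later releases use that key.

```python
import re
from email import message_from_string

STATUS_RE = re.compile(
    r"^(Yes|No),\s*(?:hits|score)=(-?\d+(?:\.\d+)?)"
    r"\s+required=(-?\d+(?:\.\d+)?)")

# Header as posted in this thread.
PAGE_SAMPLE = (
    "X-Spam-Status: No, hits=-0.7 required=5.0\n"
    " tests=CLICK_BELOW,GENUINE_EBAY_RCVD,NO_REAL_NAME\n"
    " version=2.55\n"
)
# Constructed: the same message as it might be tagged via two clients.
VIA_OUTLOOK = (
    "Subject: test\n"
    "X-Spam-Status: No, hits=1.2 required=5.0\n"
    " tests=HTML_MESSAGE,NO_REAL_NAME\n"
    " version=2.55\n\nbody\n"
)
VIA_OWA = (
    "Subject: test\n"
    "X-Spam-Status: No, hits=3.4 required=5.0\n"
    " tests=HTML_MESSAGE,MIME_HTML_NO_CHARSET,\n"
    " NO_REAL_NAME\n"
    " version=2.55\n\nbody\n"
)


def parse_spam_status(raw: str):
    """Return verdict, score, threshold and rule names, or None if untagged."""
    value = message_from_string(raw)["X-Spam-Status"]
    if value is None:
        return None
    # Unfold continuation lines, then rejoin a test list folded after a comma.
    value = re.sub(r",\s+", ",", " ".join(value.split()))
    m = STATUS_RE.match(value)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests = re.search(r"\btests=(\S*)", value)
    names = set(filter(None, tests.group(1).split(","))) if tests else set()
    return {"spam": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": names}


def diff_tests(raw_a: str, raw_b: str):
    """Rule names that fired only on the first and only on the second copy."""
    a, b = parse_spam_status(raw_a), parse_spam_status(raw_b)
    if a is None or b is None:
        raise ValueError("both messages need an X-Spam-Status header")
    return sorted(a["tests"] - b["tests"]), sorted(b["tests"] - a["tests"])
```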


Re: [luau] SpamAssassin and Exchange Webmail

2003-06-30 Thread Vince Hoang
On Mon, Jun 30, 2003 at 04:45:59PM -1000, Matthew John Darnell wrote:
 We are on 2.55 and even if it is marked SPAM it doesn't add any attachments,
 just adds ***SPAM** to the beginning of the subject.

I believe recent versions of SA have report_safe enabled by
default. One of the advantages is this approach prevents web
bugs from loading in HTML-enabled mail. If the image loads, the
spammer _knows_ you read the message.

-Vince