Re: [luau] SpamAssassin and Exchange Webmail
- Original Message -
From: Vince Hoang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 5:51 PM
Subject: Re: [luau] SpamAssassin and Exchange Webmail

> On Mon, Jun 30, 2003 at 04:45:59PM -1000, Matthew John Darnell wrote:
> > We are on 2.55 and even if it is marked SPAM it doesn't add any attachments, just adds ***SPAM** to the beginning of the subject.
>
> I believe recent versions of SA have report_safe enabled by default. One of the advantages is this approach prevents web bugs from loading in HTML-enabled mail. If the image loads, the spammer _knows_ you read the message.
>
> -Vince

spamassassin-2.55 and the soon to be released 2.60 have this new spam handling behavior which can be enabled. Rather than modifying the body of the spam, it moves the original intact spam message into the attachment of a new message, and within the body of the new message are detailed reasons why the message was marked as spam, and some text from the message so they usually don't need to open the attachment. The user can optionally open the attachment to read the original message, which works for HTML mail too since the message is completely intact.

http://togami.com/~warren/archive/2003/example-spamassassin.mbox

Here is one intact-spam-into-attachment message in mbox format directly from my SPAM folder. It works properly when viewing the original attached message when viewed from Outlook Express and Outlook in Windows.

Warren Togami
[EMAIL PROTECTED]
Re: [luau] SpamAssassin and Exchange Webmail
On Tue, Jul 01, 2003 at 04:59:12PM -1000, Warren Togami wrote:
> spamassassin-2.55 and the soon to be released 2.60 have this new spam handling behavior which can be enabled. Rather than modifying the body of the spam, it moves the original intact spam message into the attachment of a new message, and within the body of the new message are detailed reasons why the message was marked as spam, and some text from the message so they usually don't need to open the attachment.

Yes. This is enabled by default, which may annoy some users just because it is different. But leaving this enabled will help prevent the embedded web bugs from alerting the spammers that the message was read.

man Mail::SpamAssassin::Conf

report_safe { 0 | 1 | 2 } (default: 1)
    if this option is set to 1, if an incoming message is tagged as spam, instead of modifying the original message, SpamAssassin will create a new report message and attach the original message as a message/rfc822 MIME part (ensuring the original message is completely preserved, not easily opened, and easier to recover).

-Vince
Re: [luau] SpamAssassin and Exchange Webmail
On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:
> Debian stable uses SpamAssassin 2.2. While not a recent version, it does format the tagged mail so that I can read it at a later time even with an html enabled reader. The spam is not put into an attachment making its sordid contents easy to look over.

FWIW, one of the developers for SA is the maintainer for the Debian SA package. Since SA is such a moving target, I would really recommend moving to testing, if possible, and pinning SA to use the unstable package. The version of SA in stable works, but the version in unstable is vastly improved.

Warren mentioned earlier that the entire message is now an attachment in recent versions of SA rather than just the message portion of the message. I believe this was because the developers realized that the new approach was much less error prone.

-Vince
Re: [luau] SpamAssassin and Exchange Webmail
On Tue, 2003-07-01 at 22:03, Vince Hoang wrote:
> On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:
> > Debian stable uses SpamAssassin 2.2. While not a recent version, it does format the tagged mail so that I can read it at a later time even with an html enabled reader. The spam is not put into an attachment making its sordid contents easy to look over.
>
> FWIW, one of the developers for SA is the maintainer for the Debian SA package. Since SA is such a moving target, I would really recommend moving to testing, if possible, and pinning SA to use the unstable package. The version of SA in stable works, but the version in unstable is vastly improved.
>
> Warren mentioned earlier that the entire message is now an attachment in recent versions of SA rather than just the message portion of the message. I believe this was because the developers realized that the new approach was much less error prone.

Also more informative for the user because of the very clear message body describing why the message was scored to be spam, and it prevents the user from accidentally previewing the message and getting cracked by an Outlook/Internet Explorer security hole due to script execution.

Otherwise it prevents the user from alerting the spammer when Outlook downloads images that your e-mail address is valid and active, meaning spam more!

Warren
Re: [luau] SpamAssassin and Exchange Webmail
On Tuesday, July 1, 2003, at 10:27 PM, Warren Togami wrote:
> On Tue, 2003-07-01 at 22:03, Vince Hoang wrote:
> > On Tue, Jul 01, 2003 at 05:56:46PM -1000, R. Scott Belford wrote:
> > > Debian stable uses SpamAssassin 2.2. While not a recent version, it does format the tagged mail so that I can read it at a later time even with an html enabled reader. The spam is not put into an attachment making its sordid contents easy to look over.
> >
> > FWIW, one of the developers for SA is the maintainer for the Debian SA package. Since SA is such a moving target, I would really recommend moving to testing, if possible, and pinning SA to use the unstable package. The version of SA in stable works, but the version in unstable is vastly improved.
> >
> > Warren mentioned earlier that the entire message is now an attachment in recent versions of SA rather than just the message portion of the message. I believe this was because the developers realized that the new approach was much less error prone.
>
> Also more informative for the user because of the very clear message body describing why the message was scored to be spam, and it prevents the user from accidentally previewing the message and getting cracked by an Outlook/Internet Explorer security hole due to script execution.
>
> Otherwise it prevents the user from alerting the spammer when Outlook downloads images that your e-mail address is valid and active, meaning spam more!
>
> Warren

In defense of debian stable's implementation of SpamAssassin, please find below the beginning of a tagged message that has been rendered safe for viewing by an html compatible mail viewer and as such safe from either opening a hyperlink or executing a script.

It does not handle spam like my redhat boxes, but I for one like the whole thing in the message rather than as an attachment tempting me to click it. The key is that the html email not be executed in any way.

I guess it is not best, but I have been pleased with how debian-stable tags and neuters my spam; I'll have to try pinning to the unstable version. Thanks for the info and feedback.

-scott

From: Elvin Rutherford [EMAIL PROTECTED]
Date: Wed Jul 2, 2003 12:44:06 AM Pacific/Honolulu
To: [EMAIL PROTECTED]
Subject: *SPAM* Re: Important Info Enclosed
Reply-To: Elvin Rutherford [EMAIL PROTECTED]

SPAM: Start SpamAssassin results --
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (14 hits, 5 required)
SPAM: Hit! (-1.4 points) Sent with 'X-Msmail-Priority' set to high
SPAM: Hit! (2.0 points) From: contains numbers mixed in with letters
SPAM: Hit! (1.7 points) Sent with 'X-Priority' set to high
SPAM: Hit! (2.1 points) BODY: Talks about opting in
SPAM: Hit! (-0.3 points) URI: Includes a link to send a mail with a subject
SPAM: Hit! (4.8 points) BODY: Frontpage used to create the message
SPAM: Hit! (2.1 points) BODY: FONT Size +2 and up or 3 and up
SPAM: Hit! (3.0 points) BODY: Includes a form which will send an email
SPAM: Hit! (0.0 points) BODY: Includes a URL link to send an email
SPAM:
SPAM: End of SpamAssassin results -

--43_EB.06_._FE..9FB1E_38
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

html head meta http-equiv=3DContent-Language content=3Den-us meta http-equiv=3DContent-Type content=3Dtext/html; charset=3Dwindows-= 1252 meta name=3DGENERATOR content=3DMicrosoft FrontPage 4.0 meta name=3DProgId content=3DFrontPage.Editor.Document titleEARN/title /head body

more spam below. ...
Re: [luau] SpamAssassin and Exchange Webmail
On Tue, Jul 01, 2003 at 10:42:46PM -1000, R. Scott Belford wrote:
> It does not handle spam like my redhat boxes, but I for one like the whole thing in the message rather than as an attachment tempting me to click it. The key is that the html email not be executed in any way.
>
> I guess it is not best, but I have been pleased with how debian-stable tags and neuters my spam

Actually, your preference is even more safe. On recent versions of SA, what you want is to add 'report_safe 2' to your local configuration. It replaced the defang_mime option.

Again, `man Mail::SpamAssassin::Conf`:

report_safe { 0 | 1 | 2 } (default: 1)
    If this option is set to 2, then original messages will be attached with a content type of text/plain instead of message/rfc822. This setting may be required for safety reasons on certain broken mail clients that automatically load attachments without any action by the user. This setting may also make it somewhat more difficult to extract or view the original message.

-Vince
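The two attachment modes quoted from the man page in this thread, modelled as an added example (not part of any message here and not SpamAssassin's own code). The sample message, the `example.invalid` addresses and the simulated client `html_rendered_by` are constructed assumptions; it shows why a text/plain attachment stays inert even for a client that opens attached messages on its own.

```python
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: an HTML-only message carrying a tracking image ("web bug").
RAW_SPAM = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Important Info Enclosed\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    '<html><body><img src="http://tracker.example.invalid/bug.gif?id=PLACEHOLDER">'
    "</body></html>\n"
)


def wrap_report_safe(raw_spam, report_text, mode):
    """Build a report message with the untouched original attached (modes 1 and 2)."""
    if mode not in (1, 2):
        raise ValueError("only report_safe 1 and 2 are modelled here")
    original = message_from_string(raw_spam)
    outer = MIMEMultipart("mixed")
    for name in ("From", "To", "Subject"):
        outer[name] = original.get(name, "")
    outer.attach(MIMEText(report_text, "plain"))
    if mode == 1:
        outer.attach(MIMEMessage(original))        # message/rfc822 part
    else:
        outer.attach(MIMEText(raw_spam, "plain"))  # raw source as text/plain
    return outer


def html_rendered_by(msg, auto_opens_attachments):
    """HTML bodies a simulated client would render without the user acting."""
    rendered = []
    for part in (msg.get_payload() if msg.is_multipart() else [msg]):
        ctype = part.get_content_type()
        if ctype == "text/html":
            rendered.append(part.get_payload(decode=True).decode("ascii", "replace"))
        elif ctype == "message/rfc822":
            if auto_opens_attachments:             # the "broken client" case
                rendered += html_rendered_by(part.get_payload(0), True)
        elif part.is_multipart():
            rendered += html_rendered_by(part, auto_opens_attachments)
    return rendered


def part_types(msg):
    """Content types of the report message's direct parts."""
    return [p.get_content_type() for p in msg.get_payload()]
```
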
Re: [luau] SpamAssassin and Exchange Webmail
This is how it is tagged with a recent version of SA on Red Hat 7.2. I have to agree that it is much safer and informative the newer way than it is via debian stable. --scott This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. Content preview: LUSTFUL and SEX-STARVED TEENS! http://girlsthatgo.com/click.php?id104748campain_id88type=textsite_id4 The HOTTEST YOUNG MODELS... The BEST PHOTOGRAPHY... The NAUGHTIEST SEX ACTS... http://girlsthatgo.com/click.php?id104748campain_id88type=textsite_id4 [...] Content analysis details: (15.70 points, 5 required) FROM_ENDS_IN_NUMS (0.7 points) From: ends in numbers NASTY_GIRLS(2.8 points) BODY: Possible porn - Nasty Girls PORN_16(2.9 points) BODY: Possible porn - nasty, dirty, little etc. HTML_WEB_BUGS (0.1 points) BODY: Image tag with an ID code to identify you HTML_IMAGE_ONLY_10 (0.5 points) BODY: HTML has images with 800-1000 bytes of words HTML_50_60 (0.5 points) BODY: Message is 50% to 60% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_FONT_COLOR_BLUE (0.1 points) BODY: HTML font color is blue HTML_LINK_CLICK_HERE (0.1 points) BODY: HTML link text says click here MIME_HTML_NO_CHARSET (0.8 points) RAW: Message text in HTML without specified charset HTTP_WITH_EMAIL_IN_URL (0.3 points) URI: 'remove' URL contains an email address MAILTO_TO_REMOVE (0.3 points) URI: Includes a 'remove' email address REMOVE_PAGE(0.3 points) URI: URL of page called remove MSG_ID_ADDED_BY_MTA_3 (0.7 points) 'Message-Id' was added by a relay (3) DATE_IN_PAST_96_XX (1.6 points) Date: is 96 hours or more before Received: date FORGED_MUA_OUTLOOK (3.5 points) Forged mail pretending to be from MS Outlook CLICK_BELOW(0.1 points) Asks you to click below FROM_ALL_NUMS (0.3 points) From an address that is all numbers (non-phone) The original message did not contain plain text, and may be 
unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
Re: [luau] SpamAssassin and Exchange Webmail
On Tue, 2003-07-01 at 22:42, R. Scott Belford wrote:
> > Also more informative for the user because of the very clear message body describing why the message was scored to be spam, and it prevents the user from accidentally previewing the message and getting cracked by an Outlook/Internet Explorer security hole due to script execution.
> >
> > Otherwise it prevents the user from alerting the spammer when Outlook downloads images that your e-mail address is valid and active, meaning spam more!
> >
> > Warren
>
> In defense of debian stable's implementation of SpamAssassin, please find below the beginning of a tagged message that has been rendered safe for viewing by an html compatible mail viewer and as such safe from either opening a hyperlink or executing a script.
>
> It does not handle spam like my redhat boxes, but I for one like the whole thing in the message rather than as an attachment tempting me to click it. The key is that the html email not be executed in any way.
>
> I guess it is not best, but I have been pleased with how debian-stable tags and neuters my spam; I'll have to try pinning to the unstable version. Thanks for the info and feedback.
>
> -scott

The only drawback to this is that it is confusing and difficult to read for the legitimate HTML mail that is marked as spam. The new make into attachment behavior totally does not modify the message, so it is at least possible and easy to read the original message for inexperienced users. For the windows and mac users that I have given a choice, they much preferred the attachment option to the old report_safe behavior, or no body modification at all.

Be aware that spamassassin-2.2 is extremely old and its spam detection ability would be far less precise than recent versions. Even 2.4 has problems in marking legitimate mail scores too high, and spam scores too low. Spammers found that they could easily add several MUA headers to a message and force spamassassin scores wayyy low. This was fixed in 2.55.

2.55 also has the benefit of bayesian filtering, making the filter learn and become more precise over time. (2.55 has a flaw where it poisons your bayes database if you use the -r option though. Let me know if you plan on using -r to report spam, and I'll send you a patch to fix this problem.)

Warren
[luau] SpamAssassin and Exchange Webmail
Anybody here with any ideas why Spam Assassin scores a message lower when sent via Outlook but scores it higher when sending the same exact message via Exchange's webmail?

Randall
Re: [luau] SpamAssassin and Exchange Webmail
If you look at the message header it should tell you exactly what the triggers were. You can adjust the points given to each test if your experience dictates so.

-Matt

- Original Message -
From: Randall Oshita [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 12:10 PM
Subject: [luau] SpamAssassin and Exchange Webmail

> Anybody here with any ideas why Spam Assassin scores a message lower when sent via Outlook but scores it higher when sending the same exact message via Exchange's webmail?
>
> Randall

___
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau
RE: [luau] SpamAssassin and Exchange Webmail
The thing is we took this out because it adds a text file to the message as an attachment. People get confused etc... Any other way of finding this?

Thanks.

Randall

> If you look at the message header it should tell you exactly what the triggers were. You can adjust the points given to each test if your experience dictates so.
>
> -Matt
RE: [luau] SpamAssassin and Exchange Webmail
On Mon, 2003-06-30 at 14:19, Randall Oshita wrote:
> The thing is we took this out because it adds a text file to the message as an attachment. People get confused etc... Any other way of finding this?
>
> Thanks.
>
> Randall

What version of spamassassin is that? 2.55?

Warren
Re: [luau] SpamAssassin and Exchange Webmail
We are on 2.55 and even if it is marked SPAM it doesn't add any attachments, just adds ***SPAM** to the beginning of the subject.

Here is the header of mail not marked as SPAM

Return-Path: [EMAIL PROTECTED]
Received: from mx11.sjc.ebay.com (mxpool06.ebay.com [66.135.197.12])
    by www.comtelweb.com (8.11.6/8.11.6) with ESMTP id h5PLB0L28225
    for [EMAIL PROTECTED]; Wed, 25 Jun 2003 11:11:01 -1000
Received: from sj-cgi3008.sjc.ebay.com (sj-cgi3008.sjc.ebay.com [10.6.17.247])
    by mx11.sjc.ebay.com (8.12.3/8.12.3) with SMTP id h5PLBmjE008293
    for [EMAIL PROTECTED]; Wed, 25 Jun 2003 14:11:49 -0700
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Comment: 0.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Subject: eBay Request Payment Information for Item#3420552097 (Avaya partner-18D euro telephone nice)
Date: Wed, 25 Jun 2003 14:11:56 PDT
X-Spam-Status: No, hits=-0.7 required=5.0
    tests=CLICK_BELOW,GENUINE_EBAY_RCVD,NO_REAL_NAME
    version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-UIDL: U'3!!D2##!!!+#!/_B!

The auto white list is how it gets a negative number.

Aloha,
Matt

- Original Message -
From: Randall Oshita [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 30, 2003 2:37 PM
Subject: RE: [luau] SpamAssassin and Exchange Webmail

> 2.50 Mimedefang 2.3
>
> > What version of spamassassin is that? 2.55?
Re: [luau] SpamAssassin and Exchange Webmail
On Mon, Jun 30, 2003 at 02:19:15PM -1000, Randall Oshita wrote:
> The thing is we took this out because it adds a text file to the message as an attachment. People get confused etc... Any other way of finding this?

I suspect Outlook vs. OWA adds different headers and has different rules to match against. If you want a long term solution to let you easily troubleshoot, shove the scores into the headers.

Upgrading to a recent version of SA might give you a better score distribution so you will not have to worry about the difference between the two MUAs.

-Vince
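One way to act on the header-based troubleshooting suggested in this thread, as an added example that is not part of any message here: parse the `X-Spam-Status` header in the format shown in the header posted earlier in the thread and diff the rules hit by two copies of a message. The two sample messages and their scores are constructed; the rule names are ones that appear elsewhere in this thread.

```python
import email
import re

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)"
    r"(?:\s+version=(?P<version>\S+))?"
)

# Constructed samples: one body sent through two clients (scores are invented).
VIA_OUTLOOK = (
    "Subject: quarterly numbers\n"
    "X-Spam-Status: No, hits=1.2 required=5.0\n"
    "\ttests=HTML_MESSAGE,NO_REAL_NAME version=2.55\n"
    "\nbody\n"
)
VIA_WEBMAIL = (
    "Subject: quarterly numbers\n"
    "X-Spam-Status: No, hits=3.1 required=5.0\n"
    "\ttests=HTML_MESSAGE,MIME_HTML_NO_CHARSET,\n"
    "\tMSG_ID_ADDED_BY_MTA_3,NO_REAL_NAME version=2.55\n"
    "\nbody\n"
)


def parse_spam_status(raw_message):
    """Return verdict, score, threshold and rule set, or None if untagged."""
    value = email.message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    # Unfold continuation lines and rejoin a test list split after a comma.
    value = re.sub(r",\s+", ",", re.sub(r"\s+", " ", value)).strip()
    m = STATUS_RE.fullmatch(value)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    return {
        "spam": m["verdict"] == "Yes",
        "hits": float(m["hits"]),
        "required": float(m["required"]),
        "tests": frozenset(t for t in m["tests"].split(",") if t),
        "version": m["version"],
    }


def diff_tests(a, b):
    """Rules hit by only one copy, rules hit by both, and the score gap."""
    return {
        "only_a": sorted(a["tests"] - b["tests"]),
        "only_b": sorted(b["tests"] - a["tests"]),
        "shared": sorted(a["tests"] & b["tests"]),
        "delta": round(b["hits"] - a["hits"], 2),
    }
```

The rules listed under `only_b` are the ones whose scores account for the gap between the two copies.
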
Re: [luau] SpamAssassin and Exchange Webmail
On Mon, Jun 30, 2003 at 04:45:59PM -1000, Matthew John Darnell wrote:
> We are on 2.55 and even if it is marked SPAM it doesn't add any attachments, just adds ***SPAM** to the beginning of the subject.

I believe recent versions of SA have report_safe enabled by default. One of the advantages is this approach prevents web bugs from loading in HTML-enabled mail. If the image loads, the spammer _knows_ you read the message.

-Vince