RE: [Mimedefang] Seeing a lot of these lately
> What version of SpamAssassin are you running? If it's 3.1.1, you might try running sa-update. I was pleasantly surprised to see a bunch of new rules in 80_additional.cf (most of them seem to start with TVD_) which detect these messages quite handily, kicking the score above our reject threshold of 10.

Yes, I'm running 3.1.1. Yours is an excellent idea, Nels. (I didn't know about the sa-update command). Thanks. :)

Ken

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Seeing a lot of these lately
On 10 Apr 2006 at 15:26, Cormack, Ken wrote:

SNIP description of stock image spam

> Have been seeing a number of these lately here, and I'm wondering if anyone has ideas how best to go about blocking some of these things.

What version of SpamAssassin are you running? If it's 3.1.1, you might try running sa-update. I was pleasantly surprised to see a bunch of new rules in 80_additional.cf (most of them seem to start with TVD_) which detect these messages quite handily, kicking the score above our reject threshold of 10.

Nels Lindquist
Information Systems Manager
Morningstar Air Express Inc.
Re: SARE and RJD (was RE: [Mimedefang] Seeing a lot of these lately)
On Mon, 2006-04-10 at 15:45 -0500, -ray wrote:
> On Mon, 10 Apr 2006, Cormack, Ken wrote:
>
> > I run other SARE rulesets, updated w/ RDJ, but hadn't looked at that ruleset.
>
> I would like to ask the list members who all uses SARE rulesets with RDJ. And which rule sets do you enable? I'd like to start using them, so just a quick survey on which rule sets are 'no brainers, definitely you should use these' and which ones might be a little more iffy or questionable. Thanks for any info.
>
> ray

TRUSTED_RULESETS="TRIPWIRE BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HTML SARE_SPECIFIC SARE_OBFU SARE_GENLSUBJ SARE_UNSUB SARE_URI SARE_WHITELIST_RCVD SARE_WHITELIST_SPF";
Re: [Mimedefang] Seeing a lot of these lately
Cormack, Ken wrote:
> content of the message... a spam in the form of a bitmap image? The subject, too, is typically one or two random words meant to sneak past a bayes engine.
>
> Have been seeing a number of these lately here, and I'm wondering if anyone has ideas how best to go about blocking some of these things.

I've had some luck with this SARE ruleset for SpamAssassin:

http://www.rulesemporium.com/rules/70_sare_stocks.cf

-David
Re: [Mimedefang] Seeing a lot of these lately
Cormack, Ken wrote:
> Have others been noticing a lot of spams recently, that tend to be html-based (big surprise there, eh?), contain obvious (and visible) random text intended to pollute a bayes store, both above and below the real content of the message... a spam in the form of a bitmap image? The subject, too, is typically one or two random words meant to sneak past a bayes engine.
>
> Have been seeing a number of these lately here, and I'm wondering if anyone has ideas how best to go about blocking some of these things.
>
> Ken

Yes, they seem to have been showing up steadily for the last two weeks or so. The first few came through, but they've been being flagged since. Unfortunately I haven't seen enough for Bayes to get a clue it appears, but here's the analysis of the last one I just noticed:

 4.2 HELO_DYNAMIC_IPADDR     Relay HELO'd using suspicious hostname (IP addr 1)
 2.9 FROM_LOCAL_NOVOWEL      From: localpart has series of non-vowel letters
 0.0 HTML_MESSAGE            BODY: HTML included in message
 0.5 HTML_40_50              BODY: Message is 40% to 50% HTML
-2.0 BAYES_00                BODY: Bayesian spam probability is 0 to 1% [score: 0.]
 2.0 RCVD_IN_SORBS_DUL       RBL: SORBS: sent directly from dynamic IP address [24.91.213.212 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BL_SPAMCOP_NET  RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?24.91.213.212]
 1.9 RCVD_IN_NJABL_DUL       RBL: NJABL: dialup sender did non-local SMTP [24.91.213.212 listed in combined.njabl.org]
 3.9 RCVD_IN_XBL             RBL: Received via a relay in Spamhaus XBL [24.91.213.212 listed in sbl-xbl.spamhaus.org]

Charles
RE: [Mimedefang] Seeing a lot of these lately
I run other SARE rulesets, updated w/ RDJ, but hadn't looked at that ruleset.

Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Eisner
Sent: Monday, April 10, 2006 3:41 PM
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Seeing a lot of these lately

Cormack, Ken wrote:
> content of the message... a spam in the form of a bitmap image? The subject, too, is typically one or two random words meant to sneak past a bayes engine.
>
> Have been seeing a number of these lately here, and I'm wondering if anyone has ideas how best to go about blocking some of these things.

I've had some luck with this SARE ruleset for SpamAssassin:

http://www.rulesemporium.com/rules/70_sare_stocks.cf

-David
SARE and RJD (was RE: [Mimedefang] Seeing a lot of these lately)
On Mon, 10 Apr 2006, Cormack, Ken wrote:
> I run other SARE rulesets, updated w/ RDJ, but hadn't looked at that ruleset.

I would like to ask the list members who all uses SARE rulesets with RDJ. And which rule sets do you enable? I'd like to start using them, so just a quick survey on which rule sets are 'no brainers, definitely you should use these' and which ones might be a little more iffy or questionable. Thanks for any info.

ray

--
Ray DeJean http://www.r-a-y.org
Systems Engineer, Southeastern Louisiana University
IBM Certified Specialist AIX Administration, AIX Support
Re: SARE and RJD (was RE: [Mimedefang] Seeing a lot of these lately)
----- Original Message -----
From: -ray [EMAIL PROTECTED]

> I would like to ask the list members who all uses SARE rulesets with RDJ. And which rule sets do you enable? I'd like to start using them, so just a quick survey on which rule sets are 'no brainers, definitely you should use these' and which ones might be a little more iffy or questionable. Thanks for any info.

My Current list is:

TRUSTED_RULESETS="BOGUSVIRUS TRIPWIRE ANTIDRUG EVILNUMBERS SARE_RANDOM SARE_SPECIFIC SARE_HEADER0 SARE_HTML0 SARE_BAYES_POISON_NXM SARE_ADULT SARE_OEM SARE_SPOOF SARE_FRAUD SARE_STOCKS"

I fell into the trap initially when using RDJ, of putting some of the LARGE rulesets in the list and SpamAssassin's Memory consumption went sky-high, bringing my gateway to its knees. So be warned! :)

Cheers,
Roland
Re: [Mimedefang] Seeing a lot of these lately
Cormack, Ken wrote:
> Have others been noticing a lot of spams recently, that tend to be html-based (big surprise there, eh?), contain obvious (and visible) random text intended to pollute a bayes store, both above and below the real content of the message... a spam in the form of a bitmap image? The subject, too, is typically one or two random words meant to sneak past a bayes engine.

We see a lot of these. Almost all of them are stopped by a combination of Bayes and the SARE Stock Scam rules. (Our Bayes database is rather large, containing some 390,000 e-mails and around 4 million words and word pairs...)

Additionally, I use a feature of our filtering software that holds any e-mails containing images in the trap, unless the sender is whitelisted.

Regards,
David.
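
The policy described in the last message above (hold any mail that carries an image unless the sender is whitelisted), written out as an added example with Python's standard email package. It is not MIMEDefang code or the poster's filtering software; WHITELIST, IMAGE_EXTS, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical whitelist and extension list, constructed for this example.
WHITELIST = {"newsletter@example.org"}
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")

def image_parts(msg):
    """Content types of every part that is, or is named like, an image."""
    hits = []
    for part in msg.walk():  # walk() descends into nested multiparts
        name = (part.get_filename() or "").lower()
        # Catch image/* parts and images mislabelled as e.g. octet-stream.
        if part.get_content_maintype() == "image" or name.endswith(IMAGE_EXTS):
            hits.append(part.get_content_type())
    return hits

def disposition(raw, whitelist=WHITELIST):
    """Return 'hold' for image-bearing mail from non-whitelisted senders."""
    msg = message_from_string(raw)
    # The From: header is sender-controlled, so a whitelist keyed on it only
    # reduces false positives; it is not proof of who sent the message.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if image_parts(msg) and sender not in whitelist:
        return "hold"
    return "deliver"

def sample(sender, image_type=None, filename=None):
    """Build a constructed HTML message, optionally with one image part."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "lantern orbit"
    m.set_content("filler words above and below")
    m.add_alternative("<html><body>filler <img src='cid:x'></body></html>", subtype="html")
    if image_type:
        maintype, subtype = image_type.split("/")
        m.add_attachment(b"GIF89a", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for args in [("stranger@example.net", "image/gif", "a.gif"),
                 ("Newsletter <newsletter@example.org>", "image/gif", "a.gif"),
                 ("stranger@example.net", "application/octet-stream", "chart.GIF"),
                 ("stranger@example.net",)]:
        print(args, "->", disposition(sample(*args)))
```
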