Re: Adding SpamBouncer phishing data to ph.surbl.org
Any domain names in a phishing email's code are most likely going to be legit domain names such as ebay.com, bankofamerica.com, southtrustbank.com etc. These are the domains visible to the target/sucker.

On the other hand, I just got a phish insisting I had to update my wellsfargo account (which of course I've never had). There are only two urls in the message body:

<p><img src=http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif></p>
<p>Dear Wells Fargo customer,</p>
<p> As you may already know, we at Wells Fargo guarantee your <a href=http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONSERROR_CODE/index.htm>

The akamai site is really common in phish these days, since it seems to have all of the logos for the various financial institutions readily available to phishers. The other site, you will note, is NOT using a dotquad.

Loren
Re: Adding SpamBouncer phishing data to ph.surbl.org
On Sunday, July 31, 2005, 11:37:44 PM, Loren Wilton wrote:

> <p><img src=http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif></p>
> <p>Dear Wells Fargo customer,</p>
> <p> As you may already know, we at Wells Fargo guarantee your <a href=http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONSERROR_CODE/index.htm>
>
> The akamai site is really common in phish these days, since it seems to have all of the logos for the various financial institutions readily available to phishers. The other site, you will note, is NOT using a dotquad.

Sure. Phishes probably have three categories of target URIs:

1. IPs: http://1.2.3.4/
2. self-registered domains: http://fake-paypal.foo/
3. hacked sites: http://victim-domain.foo/hacked/subdirectory/

Your example appears to be #3.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
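As an added example (not code from the thread, SURBL or SpamAssassin), the script below pulls every src/href URL out of a phish body and sorts the link targets into Jeff's three buckets, then derives the key a SURBL-style lookup would use. The sample body is constructed: it is the Wells Fargo phish quoted above with its HTML tags restored, plus one IP-literal link and one self-registered-domain link added to exercise the other two categories. The classification heuristic (IP literal; otherwise a path containing a home directory, cgi-bin or three or more segments counts as a compromised host) and the two-label "registrable domain" shortcut are my simplifications, not SURBL's actual logic.

```python
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the phish quoted in the thread with <p>/<img>/<a> tags
# put back, plus two extra links (an IP literal and a throwaway domain) so all
# three of Jeff's categories appear.  None of this is a real message.
SAMPLE_BODY = """<p><img src="http://a248.e.akamai.net/7/248/1856/6fbc90232ac38d/www.wellsfargo.com/img/eal_logo_gen.gif"></p>
<p>Dear Wells Fargo customer,</p>
<p>As you may already know, we at Wells Fargo guarantee your
<a href="http://aurum.vup.hr/%7Ewolf/cgi-bin/wellsfargo/signon/CONSERROR_CODE/index.htm">account</a></p>
<p><a href="http://1.2.3.4/signon/">alternate link</a>
<a href="http://fake-paypal.foo/">more</a></p>
"""

# Matches src=... / href=... attributes that carry an http(s) URL, quoted or not.
URL_ATTR_RE = re.compile(r'\b(src|href)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def extract_urls(html):
    """Return (attribute, url) pairs in document order."""
    return [(m.group(1).lower(), m.group(2)) for m in URL_ATTR_RE.finditer(html)]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Naive lookup key: the last two labels.  A real SURBL client consults a
    list of two-level TLDs (co.uk, com.au, ...); that table is omitted here."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def classify(url):
    """Bucket a link target into Jeff's three categories (heuristic, assumed)."""
    parsed = urlparse(url)
    host = parsed.hostname or ''
    if is_ip_literal(host):
        return 'ip'
    segments = [s for s in unquote(parsed.path).split('/') if s]
    looks_hacked = (any(s.startswith('~') for s in segments)
                    or 'cgi-bin' in segments
                    or len(segments) >= 3)
    return 'hacked-site' if looks_hacked else 'self-registered'


def phish_report(html):
    """For each URL: where it came from, which bucket it lands in, and the key
    you would look up.  Image sources are reported as 'resource' rather than
    classified, because a logo pulled from a CDN is not the landing page."""
    report = []
    for attr, url in extract_urls(html):
        host = urlparse(url).hostname or ''
        report.append({
            'attr': attr,
            'url': url,
            'category': 'resource' if attr == 'src' else classify(url),
            # SURBL keys: the bare IP for dotquads, the registrable domain otherwise.
            'surbl_key': host if is_ip_literal(host) else registrable_domain(host),
        })
    return report


if __name__ == '__main__':
    for row in phish_report(SAMPLE_BODY):
        print(f"{row['attr']:4} {row['category']:15} {row['surbl_key']:12} {row['url']}")
```

The point of separating `src` from `href` is the one Loren makes: the akamai URL is a legitimate host serving the bank's logo and is useless as a blocklist key, while the `href` on aurum.vup.hr is the actual target and, keyed as vup.hr, is what a ph.surbl.org entry would have to list.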
RE: PHD comic strip
-Original Message-
From: Mathieu Bouchard [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 30, 2005 2:02 AM
To: SpamAssassin Users
Subject: PHD comic strip

Spam Filtering gets a (neat) mention in the PHD comic strip:
http://www.phdcomics.com/comics/archive.php?comicid=608

LOL! Thanks that was great!

--Chris
(If it's not about hockey, food, or video games, it's unsolicited!)
RE: Personal Bayes Score
Dankos,

Put this into your /etc/mail/spamassassin/local.cf:

user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '@GLOBAL' OR username = _DOMAIN_ ORDER BY username ASC

That will give per-user preferences priority, and then fall back to the GLOBAL if the user doesn't have a preference specified.

Matt
--
Matthew Yette
Senior Engineer - NOC/Operations
MA Polce Consulting, Inc.
[EMAIL PROTECTED]
315-838-1644 (w)
315-356-0597 (f)
AIM/Yahoo: MAPolceNOC
MSN: [EMAIL PROTECTED]

-Original Message-
From: Dhanny Kosasih [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 31, 2005 3:09 AM
To: users@spamassassin.apache.org
Subject: Personal Bayes Score

Hi,

I installed qmail (only for smtp proxy) + spamassassin (userpref, bayes, awl store in mySQL). I use spamd and spamc to scan every email, but how can spamc scan email with personal configuration after scan with global configuration? I want my user to be able to configure bayesian, userpref, or awl for himself via web base, how can I do this?

This is the architecture:
email -- qmail (proxy) -- qmail -- inbox

OS: Redhat Fedora Core 3
SpamAssassin 3.0.4
MySQL

Regards,
Dankos.
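As an added example (not from the thread and not SpamAssassin's own code), the script below runs Matt's custom query against an in-memory SQLite copy of a userpref table and applies the returned rows in order, so you can see which row ends up winning for a given user. Two things are assumptions about SpamAssassin's behaviour that you should check against Mail::SpamAssassin::Conf::SQL for your version: that `_TABLE_`, `_USERNAME_` and `_DOMAIN_` are substituted as SQL-quoted literals (with `_DOMAIN_` being the part after the `@`), and that when the same preference appears in several rows the later row overrides the earlier one, as a repeated setting in a config file would. The sample rows are constructed. Because the query sorts by `username`, the precedence depends entirely on how the strings collate: a user row only beats a domain row when the username sorts after the domain string, which the example demonstrates for two users. The SpamAssassin documentation's example stores domain rows as `@domain` via `CONCAT('@', _DOMAIN_)` (recalled, not quoted from the page), which keeps `@`-prefixed rows ahead of any user row.

```python
import sqlite3

# Matt's query as posted.  SA replaces the _TABLE_/_USERNAME_/_DOMAIN_ macros
# before executing it; build_query() below mimics that (assumption about SA
# internals, see Mail::SpamAssassin::Conf::SQL for the real substitution).
CUSTOM_QUERY = ("SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ "
                "OR username = '@GLOBAL' OR username = _DOMAIN_ ORDER BY username ASC")

# Constructed userpref rows: a site default, a domain default and two users.
ROWS = [
    ('@GLOBAL',           'required_score', '5.0'),
    ('@GLOBAL',           'use_bayes',      '1'),
    ('example.com',       'required_score', '7.0'),
    ('alice@example.com', 'required_score', '3.0'),
    ('zed@example.com',   'required_score', '2.5'),
]


def quote(s):
    """Stand-in for DBI's $dbh->quote(): single-quoted SQL string literal."""
    return "'" + s.replace("'", "''") + "'"


def build_query(template, username, table='userpref'):
    """Substitute the macros the way SA does for user_scores_sql_custom_query."""
    domain = username.split('@', 1)[1] if '@' in username else ''
    return (template.replace('_TABLE_', table)
                    .replace('_USERNAME_', quote(username))
                    .replace('_DOMAIN_', quote(domain)))


def make_db(rows=ROWS):
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE userpref (username TEXT, preference TEXT, value TEXT)')
    conn.executemany('INSERT INTO userpref VALUES (?, ?, ?)', rows)
    return conn


def effective_prefs(conn, username, template=CUSTOM_QUERY):
    """Apply rows in the order the query returns them; a later row for the same
    preference overrides an earlier one (assumed to match SA's parser, which
    treats the rows as successive config lines)."""
    prefs = {}
    for pref, value in conn.execute(build_query(template, username)):
        prefs[pref] = value
    return prefs


if __name__ == '__main__':
    db = make_db()
    for user in ('alice@example.com', 'zed@example.com', 'bob@other.org'):
        # 'alice@...' sorts before 'example.com', so the domain row is applied
        # last and wins; 'zed@...' sorts after it, so zed's own row wins.
        print(user, effective_prefs(db, user))
```

SQLite's default collation is byte-wise; MySQL's default collations are case-insensitive, but for the two cases above ('a' vs 'e', 'z' vs 'e') both orderings agree. If you rely on this query, test it with your own usernames and collation rather than assuming "per-user wins".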
Re: Forcing autolearn
Magnus Holmgren wrote:
>> DISCLAIMER: I *really* think it's a bad idea to adjust this. But if you insist, it is possible. I want there to still be some difficulty to intimidate you from changing this without some consideration. (it shouldn't be hard to find the setting knowing what file it's in, so this isn't much of a hurdle)
>
> You can always hack the source, and yes, it was easy to find. :-)
>
> Now for the consideration part: First, we don't want to learn anything as spam that isn't. With a default lower limit of 12 points that's very unlikely and as already mentioned I haven't yet noticed a single false positive in my case. Second, we don't want bayes poisoning, i.e. hammy words recorded as spammy. I guess the reasoning is that if the header scores lots of points while the body scores low or even zero, then the body isn't spammy enough and shouldn't be learnt from. Conversely, if the header is clean then any (at least 9!) body points are probably just coincidence. Right?
>
> Now, whether bayes poisoning really is an issue is debated. Someone pointed out that the random words hidden by spammers in the message in various ways aren't likely to resemble typical legit correspondence; indeed they are just random noise that doesn't contribute in any direction. In my case most real messages are in Swedish, meaning less problem with those (but slightly more with English ones). Also, many body points don't mean there is no bayes poison. Finally, when spam slips through, the user would want to feed it to sa-learn regardless of any bayes poison.

Yes, bayes poison should be trained without worry. However, bayes poison is not the topic of discussion here. We are talking about mis-learning, something COMPLETELY different.

Mis-learning a ham message as spam is always bad, and can have a minor or severe impact depending on the circumstances. There is no question that mis-learning should be avoided whenever possible.

Learning bayes poison as spam isn't a matter of "oh, it doesn't matter because it's in the random noise"; it's a matter of accurate training. You WANT SA to learn about common tokens that are used by both categories. This is important to SA's accuracy, as it's a fact of reality.

Mis-learning is not random noise, it doesn't reflect reality, and it is not the same thing as bayes poison. Not at ALL the same. It's just bad.

> In conclusion, I feel confident in letting SA learn from every message that I am certain that it can be certain is spam.

Are you sure your conclusions are based on accurate perceptions of the consequences?
Re: unwanted breakthrough
Loren Wilton wrote:
>> what is the \b for?
>
> Word break. There has to be a space or some other non-word character following the things in parens. Which is why peinss manages to not be hit.
>
> Word breaks are usually used to keep from hitting on unexpected things, like the middle of a word that is benign. Offhand I'm not positive that it is needed in the given rule. But I suspect that it was probably put in because something there would hit where it shouldn't if the \b wasn't there.

It may hit "The penist", "Lepeniste" and probably other words, but is this really important? How many ham would contain those? I'd be interested in seeing the results of different mass checks, with and without \b. Otherwise, it may be interesting to add the same rule without breaks but with a lower score?
Install Issue
[EMAIL PROTECTED] Mail-SpamAssassin-3.0.0]# perl Makefile.PL
Perl v5.6.1 required--this is only v5.6.0, stopped at Makefile.PL line 2.

Now what can I do? RH 7.2

Dan Straka
Casper College
(307)268-2399
** Visit Casper College Online at www.caspercollege.edu **
Re: unwanted breakthrough
mouss wrote:
> Loren Wilton wrote:
>>> what is the \b for?
>>
>> Word break. There has to be a space or some other non-word character following the things in parens. Which is why peinss manages to not be hit.
>>
>> Word breaks are usually used to keep from hitting on unexpected things, like the middle of a word that is benign. Offhand I'm not positive that it is needed in the given rule. But I suspect that it was probably put in because something there would hit where it shouldn't if the \b wasn't there.
>
> It may hit "The penist", "Lepeniste" and probably other words, but is this really important? How many ham would contain those? I'd be interested in seeing the results of different mass checks, with and without \b. Otherwise, it may be interesting to add the same rule without breaks but with a lower score?

header SARE_ADLTSUB2 Subject =~ /\b(?:blow|climax|enlarg(e|ment)|fuck|inter+acial|lick|porn|penis|pervert|pussy|tits|tight|vagina|virgins?)\b/i

Without the trailing \b this rule would also match:

tighten, tightened, tighter, tightening: "I broke the bolt tightening it down."
blower, blown, blowing, blows: "Winds blowing over 50mph"
Virginia: "Virginia state legislature passes new spam bill"
Enlarger, enlarges.

Leaving off the starting \b adds things like: slick

And that's just off the top of my head...

Leaving off the \b's is generally bad, as the number of words you can hit explodes rapidly. Especially with a multi-possibility regex like this one. Fix the rule, don't ditch the \b's for such a broad rule.

Besides, the whole rule is subject to all kinds of obfuscation tricks. P.e.n.i.s still won't match, nor any other character-insertion obfuscation. Removing the \b's fixes only a few obfuscation cases, but adds many extra undesirable FP cases.

I'd suggest creating obfu rules to detect obfuscations, and don't try to expand the scope of this already over-broad rule. (which will match a few FP cases as-is such as "your photo enlargement is ready")
Re: Install Issue
Daniel Straka wrote:
> [EMAIL PROTECTED] Mail-SpamAssassin-3.0.0]# perl Makefile.PL
> Perl v5.6.1 required--this is only v5.6.0, stopped at Makefile.PL line 2.
>
> Now what can I do? RH 7.2

Perl 5.6.0 is no good. Upgrade to 5.6.1. You can get packages from fedoralegacy.org and you might want to upgrade to RH 7.3 while you are at it.

Also, make sure you get SpamAssassin 3.0.4!!
Re: Install Issue
Daniel Straka wrote:
> [EMAIL PROTECTED] Mail-SpamAssassin-3.0.0]# perl Makefile.PL
> Perl v5.6.1 required--this is only v5.6.0, stopped at Makefile.PL line 2.
>
> Now what can I do? RH 7.2

Upgrade your perl, upgrade your OS to a more recent RedHat, or use SA 2.64 (requires perl 5.005 or higher).

Besides, you wouldn't want to install 3.0.0 anyway.. if you're going to install a 3.0 series, install 3.0.4. (which also requires perl 5.6.1 or higher, but is less buggy)

3.0.0 was a little rough around the edges and had some significant bugs that consumed a lot of memory, and 3.0.1-3.0.3 are subject to DoS vulnerabilities.

Really the only two SA releases that are worth considering are 2.64 (for old perl) and 3.0.4 (for recent perl versions). Anything outside those two is very old, subject to a DoS, or buggy.
RE: Install Issue
Daniel Straka wrote:
> [EMAIL PROTECTED] Mail-SpamAssassin-3.0.0]# perl Makefile.PL
> Perl v5.6.1 required--this is only v5.6.0, stopped at Makefile.PL line 2.
>
> Now what can I do? RH 7.2
>
> Dan Straka
> Casper College
> (307)268-2399
> ** Visit Casper College Online at www.caspercollege.edu **

"v5.6.1 required--this is only v5.6.0" seems pretty obvious. Upgrade RH to a newer version, 7.3 includes 5.6.1. You can also upgrade Perl to a newer version (current is 5.8.7), but this may have some side-effects (not familiar with RH).

I'm pretty sure Google can answer your question much faster and better than this mailing list btw ;-)

Kind regards,
Sander Holthaus

PS: Sorry for the short answer, but answering it completely would be somewhat off-topic and long. More important, you will learn much more by finding the answer yourself (including learning how to find answers :-) ).
RE: Load balancing spamd
Do you happen to have any firewall rules in place on the LVS instance? Have you specified which IP's are allowed to access the instance?

Both of the above are what I ran into on the default RH build (even though I don't run LVS).

spamd -s local5 -d -c -m10 -H -A 10.0.8.0/21

I believe without the -A and IP range the machine will only answer to localhost. This is more than likely your problem since I don't see you mentioning even playing with that.

-Original Message-
From: email builder [mailto:[EMAIL PROTECTED]
Sent: Monday, August 01, 2005 2:43 PM
To: users@spamassassin.apache.org
Subject: Load balancing spamd

Hi,

I am looking for advice on how to load balance spamd servers. I (think I) understand that the -d option used with -H for spamc will randomize multiple addresses from a DNS lookup of the given hostname (and still include failover support???). However, I am wanting to do weighted load balancing ala something more substantial like LVS' ldirector.

I am very much a newb to LVS in general, but have it installed (ultramonkey.org) and working for HTTP from the outside world to two different Apache boxes. But there seems to be a difference between balancing requests that come from external interfaces and requests that are completely internal. That is, I point my MTA to connect to a spamd port on the ldirector box, make the appropriate settings in ldirector, but the connection doesn't even seem to happen at all. Do I need to run another instance of ldirector on an internal interface somehow?

How are other people doing this?

TIA!

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
RE: Load balancing spamd
> Do you happen to have any firewall rules in place on the LVS instance? Have you specified which IP's are allowed to access the instance?

As best I can tell, we have no firewall restrictions blocking intranet packets at all.

> Both of the above are what I ran into on the default RH build (even though I don't run LVS).
>
> spamd -s local5 -d -c -m10 -H -A 10.0.8.0/21
>
> I believe without the -A and IP range the machine will only answer to localhost. This is more than likely your problem since I don't see you mentioning even playing with that.

Oh, no, I didn't mean to give that impression. I am fully ready to take such connections as far as I know:

/usr/bin/spamd -d -q -x --max-children=5 -H /etc/razor -u maildrop -r /var/run/spamd/spamd.pid -i 10.10.10.170 -p 2054 -A 10.10.

Even if I had forgotten the -A, I think I would have been seeing connection refused notices, but right now, it just seems to time out.

I'm pretty sure this is a LVS question more than a spamc/d question, since I've no problems with the latter -- I am only asking here to see if anyone else does SA weighted load balancing.

Thanks!

> From: email builder [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 01, 2005 2:43 PM
> To: users@spamassassin.apache.org
> Subject: Load balancing spamd
>
> Hi,
>
> I am looking for advice on how to load balance spamd servers. I (think I) understand that the -d option used with -H for spamc will randomize multiple addresses from a DNS lookup of the given hostname (and still include failover support???). However, I am wanting to do weighted load balancing ala something more substantial like LVS' ldirector.
>
> I am very much a newb to LVS in general, but have it installed (ultramonkey.org) and working for HTTP from the outside world to two different Apache boxes. But there seems to be a difference between balancing requests that come from external interfaces and requests that are completely internal. That is, I point my MTA to connect to a spamd port on the ldirector box, make the appropriate settings in ldirector, but the connection doesn't even seem to happen at all. Do I need to run another instance of ldirector on an internal interface somehow?
>
> How are other people doing this?
>
> TIA!
Re: Personal Bayes Score
Hello Dhanny,

Sunday, July 31, 2005, 12:08:51 AM, you wrote:

DK> Hi,
DK> I installed qmail (only for smtp proxy) + spamassassin (userpref,
DK> bayes, awl store in mySQL). I use spamd and spamc to scan every email,
DK> but how can spamc scan email with personal configuration after scan
DK> with global configuration ?

Do you need two scans, global then personal? Or will one scan, global with personal overrides, do? SA is designed to do the latter.

You need to have qmail (or the equivalent) identify which user the email is being delivered to, and call spamd/spamc specifying that user's id. Then spamc will automatically grab the system configs, the user's user_prefs, bayes, and awl, and apply that combination to the scan.

I don't know to what extent that's possible with qmail, but that's the point at which the userid needs to be identified and passed to spamd.

Bob Menschel
Re: unwanted breakthrough
Hello hamann,

Sunday, July 31, 2005, 1:01:45 AM, you wrote:

H> for some reason the spam sample at
H> http://wolfgang.remsnet.de/medspam.txt is only classified by html
H> rules, and by various dns tests, but the common drugs and human
H> body part rules missed it. Anyone would have an idea why this is
H> so?

The rules missed it because the rules weren't written to catch these examples. More likely, as Loren said, the spammer spent some serious time finding some way to get his words past the filters.

I've captured your sample, and will include it in my analysis the next time I work on the obfuscation rule set.

Bob Menschel
Re[2]: unwanted breakthrough
Hello Herb,

Sunday, July 31, 2005, 4:00:58 PM, you wrote:

HM> 60_whitelist.cf
HM> 70_sare_adult.cf
HM> 70_sare_bayes_poison_nxm.cf
HM> 70_sare_evilnum0.cf
HM> 70_sare_evilnum1.cf
HM> 70_sare_genlsubj.cf
HM> 70_sare_genlsubj0.cf
HM> 70_sare_genlsubj1.cf
HM> 70_sare_genlsubj2.cf
HM> 70_sare_genlsubj3.cf

The 70_sare_genlsubj.cf includes all of the next four, so you can get rid of them.

HM> 70_sare_genlsubj_arc.cf
HM> 70_sare_genlsubj_eng.cf
HM> 70_sare_header.cf
HM> 70_sare_header0.cf
HM> 70_sare_header1.cf
HM> 70_sare_header2.cf
HM> 70_sare_header3.cf

Ditto -- those last four above are duplicated within 70_sare_header.cf.

HM> 70_sare_header_eng.cf
HM> 70_sare_highrisk.cf
HM> 70_sare_html.cf
HM> 70_sare_html0.cf
HM> 70_sare_html1.cf
HM> 70_sare_html2.cf
HM> 70_sare_html4.cf

You don't have 70_sare_html3.cf? html3.cf is more effective than 70_sare_html4.cf.

HM> 70_sare_html_eng.cf
HM> 70_sare_obfu.cf
HM> 70_sare_obfu2.cf
HM> 70_sare_oem.cf
HM> 70_sare_random.cf
HM> 70_sare_ratware.cf

70_sare_ratware.cf is empty. You can delete that.

HM> 70_sare_specific.cf
HM> 70_sare_spoof.cf
HM> 70_sare_unsub.cf
HM> 70_sare_uri0.cf
HM> 70_sare_uri1.cf
HM> 70_sare_uri3.cf
HM> 70_sare_uri_eng.cf
HM> 70_sare_whitelist.cf
HM> 70_sare_whitelist_pre30.cf

Drop 70_sare_whitelist_pre30.cf -- if 70_sare_whitelist.cf does not error out for you, then the pre30.cf version is not needed.

HM> 70_sc_top200.cf
HM> 72_sare_bml_post25x.cf
HM> 72_sare_redirect_post3.0.0.cf
HM> 88_FVGT_body.cf
HM> 88_FVGT_headers.cf
HM> 88_FVGT_rawbody.cf
HM> 88_FVGT_subject.cf
HM> 88_FVGT_uri.cf
HM> 999_antidrug.cf

antidrug.cf is included within 3.0.x, so there's no need for you to have your own copy.

HM> 999_backhair.cf
HM> 999_chickenpox.cf
HM> 999_mangled.cf
HM> 999_weeds_2.cf
HM> 99_FVGT_Tripwire.cf
HM> 99_FVGT_meta.cf
HM> 99_sare_fraud_post25x.cf
HM> bogus-virus-warnings.cf
HM> random.cf
HM> tripwire.cf

99_FVGT_Tripwire.cf and tripwire.cf are the same rules, different names. Use whichever one is more recently updated, and not the other.

Bob Menschel
Qmail + spamassassin + squirellmail
Hi,

Anybody know how to install qmail + spamassassin + squirrelmail (can tell spam to spamassassin)? And how to make spamassassin autolearn for spam?

Regards,
dankos.

___
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
Re: unwanted breakthrough
...
> Hello hamann,
>
> Sunday, July 31, 2005, 1:01:45 AM, you wrote:
>
> H> for some reason the spam sample at
> H> http://wolfgang.remsnet.de/medspam.txt is only classified by html
> H> rules, and by various dns tests, but the common drugs and human
> H> body part rules missed it. Anyone would have an idea why this is
> H> so?
>
> The rules missed it because the rules weren't written to catch these examples. More likely, as Loren said, the spammer spent some serious time finding some way to get his words past the filters.
>
> I've captured your sample, and will include it in my analysis the next time I work on the obfuscation rule set.
>
> Bob Menschel

Leo Kuvayev - Leo claims to have an IQ of 145 (but it wasn't a normally accepted test and a Stanford-Binet isn't very accurate above about 125-130). JJPLANULARCH.INFO - currently active Westbury stooges registered to a Mailboxes Etc. address in London with a Brooklyn telephone number. The same guy who operated all the multitrade domains and the Mather Platt domains also. Currently #3 with a bullet on Spamhaus' list.

Paul Shupak
[EMAIL PROTECTED]

Leo, you out there?