Re: 20_sought.cf problems?

2009-04-12 Thread Justin Mason
oops.  I need to classify more spam/ham :(

--j.

On Sat, Apr 11, 2009 at 18:07, John Hardin  wrote:
> Justin:
>
> In digging around to see what's up with the SARE sa-update failing at my
> site I took a peek in the yerp.org subdirectory, and was somewhat surprised
> to see:
>
> r...@ga /var/lib/spamassassin/3.002005/sought_rules_yerp_org # ll
> total 388
> -rw-r--r--  1 root root    114 Apr 11 04:08 20_sought.cf
> -rw-r--r--  1 root root 382812 Apr 11 04:08 20_sought_fraud.cf
> -rw-r--r--  1 root root     29 Apr 11 04:08 MIRRORED.BY
>
> All that's in 20_sought.cf is:
>
> meta JM_SOUGHT_1   (0)
> score JM_SOUGHT_1  0
> describe JM_SOUGHT_1  Body contains frequently-spammed text patterns
>
> Is the 20_sought bot busted?
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  An entitlement beneficiary is a person or special interest group
>  who didn't earn your money, but demands the right to take your
>  money because they *want* it.    -- John McKay, _The Welfare State:
>                                       No Mercy for the Middle Class_
> ---
>  2 days until Thomas Jefferson's 266th Birthday
>
>


Re: I love you

2009-04-12 Thread Karsten Bräckelmann
On Fri, 2009-04-10 at 23:20 -0400, BChasm wrote:
> I guess the spammer figures it only takes one click...and there are
> neurotic people out there desperate to believe that a computerized
> stranger loves them (as long as they click).

Sure. Did I miss an emoticon or two? ;)  That was meant to be a
rhetorical question.

Hope the link was amusing. Well, for those who remember the days...


> On 4/10/09, Karsten Bräckelmann wrote:
> > Why does any spammer believe a subject like "I love you" would be a
> > good idea?
> >   http://ars.userfriendly.org/cartoons/?id=2512
> >
> > Oh, and don't forget to read the classy one the day before. :)  *sigh*

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Further information on tweaking tips...

2009-04-12 Thread Karsten Bräckelmann
On Fri, 2009-04-10 at 23:29 -0400, martes wrote:
> I have to admit that I am still fresh-newbie to SA administration,
> however, the "integration" method is simply to pipe mail from citadel
> to spamd, which happens to be on the same server, and then if the
> filtration passes, then the mail gets passed back to the email server.

Given that SA appears to be working, you are however not seeing any SA
headers...

There are different possible ways to integrate SA. The preferred one is
to use it as a *filter*, so SA can add its own headers. It appears
Citadel is using SA merely to classify, not as a filter -- no different
spamminess levels but a black and white decision only.


> however, I think that the integration of SA with citadel is simply to
> pipe unknown email to the filter, and then let the filter manage it.
> There seems to be a notification within the citadel logs which
> indicates a -1 status and the requisite "rejected by filter" message,
> however, I don't see where the mail is held.   Hence my interest in
> getting further involved in the administrative tasks, since time is
> permitting, now.

I guess you want to follow up with Citadel folks...


> However, I do want to know about the "tagging" facilities that I am
> supposed to be seeing.  Any further information on that topic is much
> appreciated, because spamd is obviously doing its job because in the
> time that it took to take spamd down, remove it, recompile, and
> install it, I received about fifteen spam mail messages. So there must
> have been something which was out of date on the system, because I can
> see about five to ten messages every 15 to 30 minutes being deflected
> in the logs.

Deflected?  I seriously hope Citadel -- whatever that is -- rejects the
messages at SMTP level, based on SA result. And does not bounce after
accepting the message...


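The "classify only" versus "filter" distinction Karsten draws above is visible on the wire. The following is an added example, not code from this thread, from Citadel or from spamc/spamd: it builds the two kinds of spamd request and parses the replies. The wire format (command line, Content-length, blank line, body; reply status line plus a "Spam:" line) follows the SPAMC/SPAMD protocol as the spamc client speaks it and is stated here as an assumption; the message and both replies are constructed by hand, so nothing touches a socket.

```python
"""CHECK asks spamd only for a verdict, which is all a classify-style
integration gets back; PROCESS asks spamd to act as a filter and return the
message with X-Spam-* headers added.  Both sides of each exchange are below."""
import re
from collections import namedtuple

SpamdReply = namedtuple("SpamdReply",
                        "version code status is_spam score threshold body")


def build_request(command, message, user=None):
    """Client side: the request spamc sends for CHECK, SYMBOLS, REPORT or PROCESS."""
    if isinstance(message, str):
        message = message.encode("utf-8")
    head = ["%s SPAMC/1.5" % command, "Content-length: %d" % len(message)]
    if user is not None:
        head.append("User: %s" % user)
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + message


def build_reply(is_spam, score, threshold, body=b""):
    """Server side: what spamd answers.  A CHECK reply carries no body; a
    PROCESS reply carries the rewritten message and a Content-length for it."""
    head = ["SPAMD/1.1 0 EX_OK",
            "Spam: %s ; %.1f / %.1f" % ("True" if is_spam else "False",
                                        score, threshold)]
    if body:
        head.append("Content-length: %d" % len(body))
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


STATUS_RE = re.compile(r"^SPAMD/(\S+) (\d+) (\S+)\s*$")
SPAM_RE = re.compile(r"^Spam:\s*(True|False|Yes|No)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)",
                     re.I)


def parse_response(raw):
    """Split a spamd reply into status, verdict and whatever body came back."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not a spamd reply: %r" % lines[0])
    is_spam = score = threshold = None
    for line in lines[1:]:
        s = SPAM_RE.match(line)
        if s:
            is_spam = s.group(1).lower() in ("true", "yes")
            score, threshold = float(s.group(2)), float(s.group(3))
    return SpamdReply(m.group(1), int(m.group(2)), m.group(3),
                      is_spam, score, threshold, body)


def has_spam_headers(body):
    """True when the returned message carries SA's own headers, i.e. the
    downstream MTA/MDA has something to route on besides a yes/no."""
    return b"\nX-Spam-Status:" in b"\n" + body


# Constructed message, and the headers a PROCESS reply would prepend to it.
MESSAGE = b"From: someone@example.invalid\r\nSubject: hello\r\n\r\nhi there\r\n"
FILTERED = (b"X-Spam-Flag: YES\r\n"
            b"X-Spam-Status: Yes, score=15.3 required=5.0 tests=BAYES_99,RCVD_IN_XBL\r\n"
            + MESSAGE)


def classify_only():
    """The Citadel-style exchange: a verdict and nothing to act on."""
    return parse_response(build_reply(True, 15.3, 5.0))


def filter_mode():
    """The filter exchange: the same verdict plus the message with headers."""
    return parse_response(build_reply(True, 15.3, 5.0, FILTERED))


if __name__ == "__main__":
    print(build_request("CHECK", MESSAGE).decode())
    for name, reply in (("CHECK", classify_only()), ("PROCESS", filter_mode())):
        print(name, reply.is_spam, reply.score, reply.threshold,
              has_spam_headers(reply.body))
```

With only the CHECK reply in hand, the calling MTA can do nothing but accept or reject; with the PROCESS reply it can deliver the message and let the user's MUA or a sieve script sort on X-Spam-Status, which is what a *filter* integration buys you.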



Re: Further information on tweaking tips...

2009-04-12 Thread Karsten Bräckelmann
On Sat, 2009-04-11 at 09:14 -0400, martes wrote:
> Greetings Karsten.
> 
> How can you tell that the header was mangled?
> 
> I have not gotten that deep into email analysis yet, however, I don't
> see what you mean.

Your pastebin sample expired -- so here goes from memory.

The Received headers, injected by the MTAs, are below the sender
generated headers. That's obviously been rewritten. Also, in addition to
personal information, the Organization header read something like "my
organization", just like my-address and stuff. Appears to have been
altered by you.


> I also have to "train" my bayesian filter, so that could be why some
> mail is slipping through.  
> 
> In response to some other inquiries, citadel simply shoots the mail to
> spamd on the requisite host, and then relies on spamd to evaluate the
> message.  There are no SA headers because of the process that was just
> described.  This must be specific to citadel.

See my previous post. While you're right that it probably is Citadel
specific, SA can be used as a filter just fine. Maybe Citadel knows how
to do that, too.


> Can anyone let me know where spamassassin stores spam on a default
> install?  

It doesn't -- default or not. SA does not reject mail, store or deliver
mail, or whatever else. SA classifies and scores mail. Any action
whatsoever is the duty of other tools in your mail processing chain.
Citadel in your case.

Yup, you want to follow up with Citadel folks... ;)





spam not classified

2009-04-12 Thread stefan novak
Hello!

For a month, I always get the same spam again and again.
Does somebody else have this problem with such mails: http://pastebin.com/m63db288f

thx Bru


Re: spam not classified

2009-04-12 Thread John Hardin

On Sun, 12 Apr 2009, stefan novak wrote:

> For a month, I always get the same spam again and again. Does somebody 
> else have this problem with such mails: http://pastebin.com/m63db288f

Thanks for posting a spample, but in the future please remember to include 
_all_ of the message headers. Not having the message headers limits the 
analysis we can perform and the advice we can provide.


If you're getting the same spam again and again, bayes should easily 
catch it. Is your bayes working? Are you training it with misses?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
---
 Tomorrow: Thomas Jefferson's 266th Birthday


Re: spam not classified

2009-04-12 Thread stefan novak
I've updated the file with the headers:

http://pastebin.com/m6e31520c


Re: spam not classified

2009-04-12 Thread Karsten Bräckelmann
On Sun, 2009-04-12 at 09:49 -0700, John Hardin wrote:
> On Sun, 12 Apr 2009, stefan novak wrote:
> 
> > Since a month, I always get the same spam again and again. Has somebody 
> > else this problem whith such mails: http://pastebin.com/m63db288f
> 
> Thanks for posting a spample, but in the future please remember to include 
> _all_ of the message headers. Not having the message headers limits the 
> analysis we can perform and the advice we can provide.

Very true... However, I believe I got a couple of these myself.

> If you're getting the same spam again and again, bayes should easily 
> catch it. Is your bayes working? Are you training it with misses?

Again, true. :)  Always scores BAYES_99 here.

Also quite a few RCVD_IN_* network tests. You do have network tests
enabled, right? And always hits iXhash [1] and a simple and cheap local
rule adding 0.5 for direct MUA to MX submissions.

By a quick glimpse, all of them do score at least these. Typically high
hitter, no one sample less than a total score of 15...


[1] http://ixhash.net/ third-party plugin




Re: spam not classified

2009-04-12 Thread Bill Landry
stefan novak wrote:
> I've updatet the file with the headers:
> 
> http://pastebin.com/m6e31520c

Scored high here:

Content analysis details:   (32.9 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.2 TO_MALFORMED           To: has a malformed address
 1.0 RELAY_AR               Relayed through Argentina
 0.5 BOTNET_BADDNS          Relay doesn't have full circle DNS
                            [botnet_baddns,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 RCVD_IN_UCEPROTECT_3   RBL: Sender listed in UCEPROTECT_3
                            [190.51.32.122 listed in dnsbl-3.uceprotect.net]
 1.0 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK
                            [190.51.32.122 listed in hostkarma.junkemailfilter.com]
 1.0 RCVD_IN_UCEPROTECT_2   RBL: Sender listed in UCEPROTECT_2
                            [190.51.32.122 listed in dnsbl-2.uceprotect.net]
 2.0 RCVD_IN_UCEPROTECT_1   RBL: Sender listed in UCEPROTECT_1
                            [190.51.32.122 listed in dnsbl-1.uceprotect.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.51.32.122 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.5 RCVD_IN_BARRACUDA      RBL: Sender listed in Barracuda Relay Black List
                            [190.51.32.122 listed in b.barracudacentral.org]
 2.5 RCVD_IN_NERDS_AR       RBL: Received from Argentina
                            [190.51.32.122 listed in zz.countries.nerd.dk]
 0.5 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,maildomain=alfa.com,baddns,client,ipinhostname]
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,ipinhostname]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.0 LONGWORDS_15           BODY: string of 15+ random letters
 1.0 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
 1.0 NIXSPAM_IXHASH         BODY: iXhash found @ ix.dnsbl.manitu.net
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
 4.5 KAM_UNIV               Diploma Mill Rule
 2.0 BOTNET_WU              BOTNET_WU
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Might consider adding some of the available plugins and using sa-update
to grab Justin's "sought" rules, if not already doing so.

Bill


Re: spam not classified

2009-04-12 Thread stefan novak
I checked my configuration and had a misconfiguration in my mimedefang setup.
# By default, SpamAssassin will run RBL checks.  If your ISP already
# does this, set this to 1.

skip_rbl_checks 0

skip_rbl_checks was set to 1 :(

thx for your help
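Karsten's question ("you do have network tests enabled, right?"), Bill's report and the skip_rbl_checks finding above are the same check from three angles: how much of a message's score comes from network rules, and whether any DNSBL rule fired at all. The following is an added example, not from this thread and not SpamAssassin code: it parses the "Content analysis details" block SpamAssassin prints and answers both questions mechanically. The two reports are constructed, with rule names and scores borrowed from Bill's listing and trimmed to a few lines; the network-rule name prefixes are an assumption based on the stock rule names.

```python
"""Parse a SpamAssassin report and separate network-dependent points from
the rest, so a report with no RBL: lines (what skip_rbl_checks 1 looks like
from the outside) is caught before the spam is."""
import re

# Constructed: a handful of lines in the shape of the listing above.
WITH_NETWORK = """\
Content analysis details:   (15.1 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.51.32.122 listed in zen.spamhaus.org]
 2.2 DCC_CHECK              Listed in DCC
                            (http://rhyolite.com/anti-spam/dcc/)
 4.5 KAM_UNIV               Diploma Mill Rule
 1.0 LONGWORDS_15           BODY: string of 15+ random letters
"""

# Constructed: the same message with the DNSBL lookups skipped.  DCC is a
# separate network check and is not affected by skip_rbl_checks, so it stays.
WITHOUT_DNSBL = """\
Content analysis details:   (11.2 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.2 DCC_CHECK              Listed in DCC
 4.5 KAM_UNIV               Diploma Mill Rule
 1.0 LONGWORDS_15           BODY: string of 15+ random letters
"""

HEADER_RE = re.compile(r"\((-?\d+(?:\.\d+)?) points,\s*(-?\d+(?:\.\d+)?) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
# Assumed prefixes of the stock network rules (DNSBL, DCC, Razor, Pyzor, URIBL).
NETWORK_PREFIXES = ("RCVD_IN_", "DCC_", "RAZOR2_", "PYZOR_", "URIBL_")


def parse_report(text):
    """Return (reported_total, threshold, rules); rules are (score, name, desc)
    with the indented continuation lines folded into desc."""
    total = threshold = None
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and total is None:
            total, threshold = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif rules and line.startswith(" ") and line.strip():
            rules[-1][2] += " " + line.strip()
    return total, threshold, [tuple(r) for r in rules]


def is_dnsbl(name, desc):
    """SA prefixes DNSBL descriptions with 'RBL:'; the name prefix covers
    rules whose describe line was trimmed or customised."""
    return desc.startswith("RBL:") or name.startswith("RCVD_IN_")


def is_network(name, desc):
    return (is_dnsbl(name, desc) or name.startswith(NETWORK_PREFIXES)
            or name.endswith("_IXHASH"))


def diagnose(text):
    """Totals, the DNSBL rules that fired, and whether the message would still
    be over the threshold with every network rule taken away."""
    total, threshold, rules = parse_report(text)
    summed = round(sum(s for s, _, _ in rules), 1)
    net_points = round(sum(s for s, n, d in rules if is_network(n, d)), 1)
    return {
        "reported_total": total,
        "summed_total": summed,
        "consistent": total is not None and abs(summed - total) < 0.05,
        "dnsbl_rules": [n for s, n, d in rules if is_dnsbl(n, d)],
        "network_points": net_points,
        "score_without_network": round(summed - net_points, 1),
        "caught_without_network": (threshold is not None
                                   and summed - net_points >= threshold),
    }


if __name__ == "__main__":
    for label, report in (("network on", WITH_NETWORK), ("no DNSBL", WITHOUT_DNSBL)):
        print(label, diagnose(report))
```

An empty "dnsbl_rules" on a box that is supposed to do network tests is the misconfiguration from this thread; a low "score_without_network" on a box that does is the reminder that bayes and local rules alone (what Ned and Karsten add) are what keep the spam caught if the lookups ever fail.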


Re: Further information on tweaking tips...

2009-04-12 Thread Karsten Bräckelmann
On Fri, 2009-04-10 at 13:29 -0500, McDonald, Dan wrote:
> X-Spam-Report: 

>   *  2.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by
>   *  Barracuda
>   *  [121.58.201.246 listed in b.barracudacentral.org]

>   *  3.0 BARE_GEOCITIES URI: Body contains spammed domain
>   *  3.0 KB_RATWARE_MSGID Ratware Message-Id

Ah, nice... :)  Thanks.

> The only custom rule that it hit was:
> uri  BARE_GEOCITIES   m'^http://geocities\.com\b'i

> if you don't count the baracuda rule:

Actually, my RATWARE_MSGID rule is custom, too. ;)  After all, it lives
in my sandbox and isn't part of 3.2.x stock rule-set.

  guenther





SUBJ_ALL_CAPS anti-Asian

2009-04-12 Thread jidanni
How unfair: this triggered SUBJ_ALL_CAPS:
Subject: RE: 請教無線電掃瞄
A little capital E and it gets slammed with SUBJ_ALL_CAPS, no matter how
much Chinese follows.
(source: Subject: =?utf-8?B?UkU6IOiri+aVmeeEoee3mumbu+aOg+eehA==?=)
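The complaint above is a character-class problem: once the Subject is RFC 2047 decoded, the only characters with a case in it are the "RE", so a check that looks for "no lowercase letters" sees nothing to contradict "all caps". The following is an added example, not from this thread and not SpamAssassin's rule: the naive function is a reconstruction of the behaviour described (an assumption about what the stock rule amounted to, not its source), and the second form counts only letters that actually have a case and requires enough of them before deciding. RAW_SUBJECT is the encoded header from the post; the other subjects are constructed.

```python
"""Decode the Subject first, then judge 'all caps' on cased letters only."""
import re
from email.header import decode_header, make_header

RAW_SUBJECT = "=?utf-8?B?UkU6IOiri+aVmeeEoee3mumbu+aOg+eehA==?="   # from the post


def decode_subject(raw):
    """RFC 2047 decode; a rule must see the text, not the encoded words."""
    return str(make_header(decode_header(raw)))


def naive_all_caps(subject):
    """Fires when there is an ASCII capital and no ASCII lowercase letter.
    CJK characters are neither, so 'RE: ' followed by Chinese is 'all caps'."""
    return bool(re.search(r"[A-Z]", subject)) and not re.search(r"[a-z]", subject)


def all_caps(subject, min_cased=5):
    """Drop one leading reply/forward tag, keep only characters that have a
    case at all (str.isupper/islower are both False for CJK, digits and
    punctuation), and require enough of them that 'RE' alone cannot decide."""
    s = re.sub(r"^\s*(?:re|fwd?|aw)\s*:\s*", "", subject, flags=re.I)
    cased = [c for c in s if c.isupper() or c.islower()]
    return len(cased) >= min_cased and all(c.isupper() for c in cased)


def compare(raw):
    """Decoded subject and both verdicts for one raw Subject header."""
    subject = decode_subject(raw)
    return subject, naive_all_caps(subject), all_caps(subject)


if __name__ == "__main__":
    print(compare(RAW_SUBJECT))
    print(compare("GET YOUR DIPLOMA TODAY"))
```

The same reasoning applies to any "mostly caps" ratio rule: the denominator has to be cased letters, not characters, or every non-Latin subject with a "RE:" in front of it scores as shouting.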


Re: spam not classified

2009-04-12 Thread Ned Slider

stefan novak wrote:

> Hello!
> 
> For a month, I always get the same spam again and again.
> Does somebody else have this problem with such mails: http://pastebin.com/m63db288f
> 
> thx Bru


I've been hitting these with a rule that matches the phone no's they use.

Here's the phone no rule I have at the moment:

body      LOCAL_SCAM_PHONE_NO  /(267.?697.?5.?89[0-9]|302.?565.?4.?88[0-9]|302.?442.?4.?07[0-9]|305.?390.?0.?26[0-9]|309.?409.?4.?50[0-9]|312.?260.?7.?94[0-9]|603.?509.?2.?00[0-9]|646.?537.?1.?73[0-9]|718.?989.?2.?17[0-9]|718.?989.?5.?74[0-9]|832.?550.?3.?16[0-9]|845.?709.?8.?04[0-9])/
score     LOCAL_SCAM_PHONE_NO  4
describe  LOCAL_SCAM_PHONE_NO  Contains Scam Phone Number


Score it as you see fit, and add new phone no's as they arise.

Detecting obfuscated words (with "1" replacing "l", for example) can be 
quite effective against these too - your example contains a couple of 
such instances.
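The two techniques in the post above, a phone-number body rule that tolerates an inserted separator and the detection of words obfuscated with digits, can be tried on a message body offline. The following is an added example, not Ned's rule and not SpamAssassin code: the number prefixes are taken from LOCAL_SCAM_PHONE_NO above and the regex is generated in the same shape; the look-alike table, wordlist, sample bodies and the 1.0-per-word score are constructed for the example.

```python
"""Scam phone numbers with one optional separator per group, plus words that
only become real words once digit/symbol look-alikes are undone."""
import re

# (area, exchange, first three of the last four) from LOCAL_SCAM_PHONE_NO above.
SCAM_PHONE_PREFIXES = [
    ("267", "697", "589"), ("302", "565", "488"), ("302", "442", "407"),
    ("305", "390", "026"), ("309", "409", "450"), ("312", "260", "794"),
    ("603", "509", "200"), ("646", "537", "173"), ("718", "989", "217"),
    ("718", "989", "574"), ("832", "550", "316"), ("845", "709", "804"),
]


def phone_rule_regex(prefixes):
    """Same shape as the rule: area.?exch.?d.?dd[0-9].  Each '.?' tolerates one
    inserted separator (space, dash, dot) and the trailing [0-9] covers the
    whole block of ten numbers the scammers rotate through."""
    alts = ["%s.?%s.?%s.?%s[0-9]" % (a, x, d[0], d[1:]) for a, x, d in prefixes]
    return re.compile("(" + "|".join(alts) + ")")


PHONE_RE = phone_rule_regex(SCAM_PHONE_PREFIXES)

# Constructed look-alike table: what to turn back into letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Constructed wordlist; in practice, the words the spam run keeps mangling.
SAMPLE_WORDS = {"call", "diploma", "degree", "university", "bachelor", "master"}


def deobfuscated_words(body, wordlist=SAMPLE_WORDS):
    """Tokens that are not plain words as written but become wordlist entries
    once the substitutions are undone, e.g. 'Dip1oma' -> 'diploma'.  Digit
    runs such as phone numbers do not survive the translation as a word."""
    hits = []
    for tok in re.findall(r"[A-Za-z0-9@$]{3,}", body):
        if tok.isalpha():              # nothing to undo
            continue
        plain = tok.translate(LEET).lower()
        if plain.isalpha() and plain in wordlist:
            hits.append(tok)
    return hits


def check_body(body, wordlist=SAMPLE_WORDS):
    """Score a body as the two local rules would: 4.0 for a scam number (the
    score above), plus a constructed 1.0 per obfuscated word, capped at 3."""
    phones = PHONE_RE.findall(body)
    words = deobfuscated_words(body, wordlist)
    score = (4.0 if phones else 0.0) + min(len(words), 3) * 1.0
    return {"phones": phones, "obfuscated": words, "score": score}


# Constructed sample bodies.
SPAM_BODY = ("Ca11 us today at 267 697 5 890 and get your Dip1oma or Degr33 "
             "from a prestigious non-accredited univ3r$ity")
HAM_BODY = "Call me at 555-0100 about the diploma ceremony on Friday"

if __name__ == "__main__":
    for body in (SPAM_BODY, HAM_BODY):
        print(check_body(body))
```

The wordlist is the part to keep small and targeted: undoing "1" to "l" over a general dictionary turns every product code and licence key into a false positive, whereas a dozen words the current run keeps mangling is cheap and precise, which is also why Ned scores the phone list by hand rather than matching any ten digits.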




Re: 20_sought.cf problems?

2009-04-12 Thread Ned Slider

Justin Mason wrote:

> oops.  I need to classify more spam/ham :(
> 
> --j.


Thanks Jason - looks like these are back in business now :)

This rule made me chuckle though, not sure how many hits I'll get on it:

body __SEEK_JRZRF8  /Dear jmas...@users\.sourceforge\.net,/

:-D



Re: 20_sought.cf problems?

2009-04-12 Thread Karsten Bräckelmann
On Mon, 2009-04-13 at 01:43 +0100, Ned Slider wrote:
> Thanks Jason - looks like these are back in business now :)

They are indeed... :)

> This rule made me chuckle though, not sure how many hits I'll get on it:
> 
> body __SEEK_JRZRF8  /Dear jmas...@users\.sourceforge\.net,/

Nice catch, Nider. ;)  Something missed by the sanitizer?

