Re: spamassassin.cf Vim syntax file

2009-04-24 Thread Stefan Luetje
On 24 Apr 2009 at 00:39 CEST, Adam Katz wrote:
 I wrote:
  Here's a syntax file I created for Vim to highlight SpamAssassin
  config files ...
 
 I've since done some major editing, including spell-check on the bits
 that should have it and better support for languages and other things,
 plus some bug-fixing of various elements imported from the perl
 highlighting that I started with as a base.

Thanks

 Stefan Luetje wrote:
au BufRead,BufNewFile *.cf,user_prefs setfiletype spamassassin
 
 Thanks, Stefan.  I'm glad you find the script useful enough to tweak.
 That line should now look like this:
 
 au BufRead,BufNewFile user_prefs,*.cf,*.pre setfiletype spamassassin

Nice when I can help, spamassassin.vim is very useful for me. 

I added 'uricountry' for URICountry.cf:

,[ spamassassin.vim ]
|  syn keyword saType header describe score meta body rawbody full lang contained
| ---
|  syn keyword saType header describe score meta body rawbody full lang uricountry contained
`

 The updated syntax file is now published at
 http://www.vim.org/scripts/script.php?script_id=2617
 

Greets
Stefan

-- 
Stefan Lütje  stefan.lue...@t-online.de  ske...@jabber.ccc.de
Key fingerprint = BCB2 48E4 9211 C975 5A3F  B192 9B6E CCCF 99CC 44FA




spam, one line, word attachment, no space ratio?

2009-04-24 Thread Michael Scheidell

this spam, http://pastebin.com/m504b4262

one line in email, word document.  I didn't see it trigger any of the 
space ratio rules.


(sanesecurity guys, also see word doc attachment, 'sig at 11'? :-)?

usually when I see an empty (or near empty) spam I see one if not 
several of the space ratio rules triggered.


I also don't see the 'ALL CAPS' rule anymore?

I still see it in rules:
20_head_tests.cf:header SUBJ_ALL_CAPS   eval:subject_is_all_caps()
50_scores.cf:score SUBJ_ALL_CAPS 2.299 1.806 1.926 2.077

(that extra 2 points would have pushed it over the threshold?)

debug shows textcat thinks it's short:
[42304] dbg: textcat: message too short for language analysis

(I don't see this in debug? subject_is_all_caps)

did I disable some plugin somehow?
#loadplugin Mail::SpamAssassin::Plugin::Hashcash
#loadplugin Mail::SpamAssassin::Plugin::Pyzor
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
#loadplugin Mail::SpamAssassin::Plugin::AccessDB
#loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
#loadplugin Mail::SpamAssassin::Plugin::DomainKeys
#loadplugin Mail::SpamAssassin::Plugin::ASN
(side note, I upgraded, in place, this system from freebsd 6.4 32bit, to 
64bit.. yes, lots of work, so, what perl script or so did I forget to 
re-compile?)

I didn't see any errors


loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::PDFInfo /usr/local/etc/mail/spamassassin/PDFInfo.pm

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::DKIM
loadplugin Mail::SpamAssassin::Plugin::Check
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
loadplugin Mail::SpamAssassin::Plugin::URIDetail
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::VBounce
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
loadplugin Mail::SpamAssassin::Plugin::ImageInfo


[42304] dbg: message:  MIME PARSER START 
[42304] dbg: message: parsing multipart, got boundary: 001636417e2558d1a0046847ba9f
[42304] dbg: message: found part of type multipart/alternative, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: multipart/alternative
[42304] dbg: message: found part of type application/msword, boundary: 001636417e2558d1a0046847ba9f
[42304] dbg: message: added part, type: application/msword
[42304] dbg: message: parsing multipart, got boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: found part of type text/plain, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: text/plain
[42304] dbg: message: found part of type text/html, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: text/html
[42304] dbg: message: parsing normal part
[42304] dbg: message: parsing normal part
[42304] dbg: message: parsing normal part
[42304] dbg: message:  MIME PARSER END 
[42304] dbg: message: decoding other encoding type (7bit), ignoring
[42304] dbg: message: decoding other encoding type (7bit), ignoring
[42304] dbg: textcat: message too short for language analysis
[42304] dbg: textcat: X-Languages: , X-Languages-Length: 49


no errors that I see.

spamassassin -L < /tmp/email.eml > /dev/null
[42575] warn: netset: cannot include 10.1.1.1/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.129/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.130/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.136/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.241/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.242/32 as it has already been included
[42575] warn: netset: cannot include 216.134.223.38/32 as it has already been included


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide

Re: spam, one line, word attachment, no space ratio?

2009-04-24 Thread John Wilcock

On 24/04/2009 12:55, Michael Scheidell wrote:

this spam, http://pastebin.com/m504b4262

one line in email, word document.  I didn't see it trigger any of the
space ratio rules.


Nor me.


I also don't see the 'ALL CAPS' rule anymore?


I suspect, without having checked the eval code, that subjects must have 
a certain minimum length to trigger that rule. SUBJ_ALL_CAPS certainly 
hits plenty of other messages here.


Other rules that do hit for me include FREEMAIL_REPLYTO and 
FREEMAIL_FROM_D2, as well as a couple of homebrew meta rules that 
trigger on Content-Transfer-Encoding: 7bit with an inherently 8 bit 
charset (not a good enough spam sign by itself, but worthwhile in 
conjunction with other rules).



full      __local_BAD7BIT  /Content-Type: text\/plain;.{1,40}charset=[']?(?:iso-8859-[1-9]|windows-125[0-9]|utf-8)[']?.{1,40}Content-Transfer-Encoding: 7bit/is
header    __local_MULTIPART  Content-Type =~ m'multipart/(?:mixed|related)'i

meta      local_BAD7BIT_RDNS_NONE  (__local_BAD7BIT && __local_MULTIPART && RDNS_NONE)
describe  local_BAD7BIT_RDNS_NONE  8 bit charset with 7 bit encoding, no RDNS
score     local_BAD7BIT_RDNS_NONE  2.0

ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta      local_BAD7BIT_FREEMAIL  (__local_BAD7BIT && __local_MULTIPART && FREEMAIL_REPLYTO)
describe  local_BAD7BIT_FREEMAIL  Too few bits for charset, plain, freemail
score     local_BAD7BIT_FREEMAIL  0.5
endif



John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: URIDNSBL

2009-04-24 Thread Helmut Schneider
I am using the 3.0 line of SpamAssassin and it's being invoked through
amavisd-maia (Maia Mailguard.) I have a certain domain name that's blocked
in several of the URIDNSBL lists as fm.interia.pl however my DNSBL checks
are only doing interia.pl


Just because I'm curious, what does SA score that mail?

X-Spam-Status: Yes, score=35.341 tag=- tag2=6.3 kill=6.3
tests=[BAYES_99=6.5, DOS_OE_TO_MX=2.75, FH_HELO_EQ_D_D_D_D=0.001,
FM_SEX_HELO=1.851, HELO_DYNAMIC_HCC=4.295,
HELO_DYNAMIC_IPADDR2=4.395, LOGINHASH=4.5, LOGINHASH2=2.5,
RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905,
RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1,
STOX_REPLY_TYPE=0.001, TVD_RCVD_IP=1.931] autolearn=spam

Using amavisd-new 2.6.2 and SA 3.2.5. 





Re: Pyzor ?

2009-04-24 Thread Matus UHLAR - fantomas
 On Wed, April 22, 2009 08:50, Matus UHLAR - fantomas wrote:
  OTOH, FP's were reported by
  pyzor (i can confirm for e.g. monthli list membership notices, apparently
  some people are feeding pyzor with autodected spam),

On 22.04.09 13:39, Benny Pedersen wrote:
 is bad ?, why ?

afaik (not sure, though), pyzor should only be manually fed with confirmed
spam. However feeding any ham to PYZOR should be imho classified as service
misuse. What is antispam service good for if it allows feeding of
misclassified mail?

  so some people here already decided to switch PYZOR off.
 
 still running here as server and client

client only here. searching for PYZOR string in SA logs didn't find anything
for last two days (gotta re-check). 
seems I will turn pyzor off too...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 


Re: Pyzor ?

2009-04-24 Thread Matus UHLAR - fantomas
 On 22.04.09 13:39, Benny Pedersen wrote:
  still running here as server and client

On 24.04.09 15:19, Matus UHLAR - fantomas wrote:
 client only here. searching for PYZOR string in SA logs didn't find anything
 for last two days (gotta re-check). 
 seems I will turn pyzor off too...

no hit for a week, at least on my employer's machines. Got some on this one.
Does anyone get HITS from PYZOR?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


3.2.5 upgrade - getting clobbered

2009-04-24 Thread Jean-Paul Natola
Hi all, I just upgraded to 3.2.5 and I went from receiving about 2 spams a
day to about 15

Did I overlook something?










Jean-Paul 



Re: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Matus UHLAR - fantomas
On 24.04.09 09:56, Jean-Paul Natola wrote:
 Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams a
 day to about 15
 
 Did I overlook something?

Did you configure your modules and configs the same way as before?
Did you sa-update (and reload spamd) after installation?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


Re: bayes options

2009-04-24 Thread Matus UHLAR - fantomas
 Helmut Schneider wrote:
  where can I find a complete set of (bayes) options for local.cf?
  Either it's well hidden or even http://spamassassin.apache.org/ does
  not provide such a list.

On 23.04.09 08:03, Matt Kettler wrote:
 http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#learning_options
 
 Or, on your machine, man Mail::SpamAssassin::Conf, and page to the
 Learning Options section.

manual page is not installed on all systems, e.g. gentoo
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 


Re: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Karsten Bräckelmann
On Fri, 2009-04-24 at 09:56 -0400, Jean-Paul Natola wrote:
 Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams a
 day to about 15

Assuming these are FNs...

 Did I overlook something?

What was your previous version? Did you inherit your configuration, say,
from 3.1.x? Did you read the upgrade notes?

Sounds like a broken configuration to me. Network tests enabled, etc?

As usual, we can not point out issues if you don't provide any evidence.
A link to a sample or two, uploaded somewhere, would be useful to
identify which rules are missing.


-- 



RE: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Jean-Paul Natola

On 24.04.09 09:56, Jean-Paul Natola wrote:
 Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams a
 day to about 15
 
 Did I overlook something?

Did you configure your modules and configs the same way as before?
Did you sa-update (and reload spamd) after installation?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.


HM  never seen this before
sa-update
Can't locate URI.pm in @INC (@INC contains:
/usr/local/lib/perl5/site_perl/5.8.9 /usr/local/lib/perl5/5.8.9/BSDPAN
/usr/local/lib/perl5/site_perl/5.8.9/mach /usr/local/lib/perl5/5.8.9/mach
/usr/local/lib/perl5/5.8.9) at (eval 13) line 3.
Compilation failed in require at
/usr/local/lib/perl5/site_perl/5.8.9/HTTP/Request.pm line 3.
Compilation failed in require at
/usr/local/lib/perl5/site_perl/5.8.9/LWP/UserAgent.pm line 10.
BEGIN failed--compilation aborted at
/usr/local/lib/perl5/site_perl/5.8.9/LWP/UserAgent.pm line 10.
Compilation failed in require at /usr/local/bin/sa-update line 76.
BEGIN failed--compilation aborted at /usr/local/bin/sa-update line 76.
 


Re: Pyzor ?

2009-04-24 Thread Yet Another Ninja

On 4/24/2009 3:51 PM, Matus UHLAR - fantomas wrote:

On 22.04.09 13:39, Benny Pedersen wrote:

still running here as server and client


On 24.04.09 15:19, Matus UHLAR - fantomas wrote:

client only here. searching for PYZOR string in SA logs didn't find anything
for last two days (gotta re-check). 
seems I will turn pyzor off too...


no hit for a week, at least on my employer's machines. Got some on this one.
Does anyone get HITS from PYZOR?



Yesterday:

grep PYZOR /var/log/maillog.1 | wc -l
8507


Re: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Matus UHLAR - fantomas
 On 24.04.09 09:56, Jean-Paul Natola wrote:
  Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams a
  day to about 15
  
  Did I overlook something?
 
 Did you configure your modules and configs the same way as before?
 Did you sa-update (and reload spamd) after installation?

On 24.04.09 10:25, Jean-Paul Natola wrote:
 HM  never seen this before
 sa-update
 Can't locate URI.pm in @INC (@INC contains:

you are apparently missing perl modules which may cause many rules not to
be run. What OS/distribution do you have? How did you install SA?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


RE: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Jean-Paul Natola
I have freebsd running exim clam and sa  sitewide config-
I upgraded from 3.1.8 if memory serves-

Everything installed from ports via cli

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Friday, April 24, 2009 10:49 AM
To: users@spamassassin.apache.org
Subject: Re: 3.2.5 upgrade - getting clobbered

 On 24.04.09 09:56, Jean-Paul Natola wrote:
  Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams
a
  day to about 15
  
  Did I overlook something?
 
 Did you configure your modules and configs the same way as before?
 Did you sa-update (and reload spamd) after installation?

On 24.04.09 10:25, Jean-Paul Natola wrote:
 HM  never seen this before
 sa-update
 Can't locate URI.pm in @INC (@INC contains:

you are apparently missing perl modules which may cause many rules not to
be run. What OS/distribution do you have? How did you install SA?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Bot spam increasing?

2009-04-24 Thread Marc Perkel
Has anyone else noticed an increase in bot spam? My black list has grown 
by about 1/3 in the last month.




Re: Bot spam increasing?

2009-04-24 Thread Andy Dorman

Marc Perkel wrote:
Has anyone else noticed an increase in bot spam? My black list has grown 
by about 1/3 in the last month.




We have seen an increase of over 50% in spam volume this month.  A lot of it 
does seem to be coming from bots.


--
Andy Dorman
Ironic Design, Inc.
AnteSpam.com, HomeFreeMail.com, ComeHome.net


RE: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Jean-Paul Natola
So I installed the URI perl module, tried to run sa-update and it tells me that
I'm missing the IO/Zlib module, but when I go to install it, it tells me the
io/zlib is already installed

I'm a bit confused- any help would be greatly appreciated

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Friday, April 24, 2009 10:49 AM
To: users@spamassassin.apache.org
Subject: Re: 3.2.5 upgrade - getting clobbered

 On 24.04.09 09:56, Jean-Paul Natola wrote:
  Hi all I just upgraded to 3.2.5  and I went from receiving about 2 spams
a
  day to about 15
  
  Did I overlook something?
 
 Did you configure your modules and configs the same way as before?
 Did you sa-update (and reload spamd) after installation?

On 24.04.09 10:25, Jean-Paul Natola wrote:
 HM  never seen this before
 sa-update
 Can't locate URI.pm in @INC (@INC contains:

you are apparently missing perl modules which may cause many rules not to
be run. What OS/distribution do you have? How did you install SA?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Mark Martinec
Jean-Paul,

 I have freebsd running exim clam and sa  sitewide config-
 I upgraded from 3.1.8 if memory serves-

 So I installed the URI perl module, tried to run sa-update and it tells me
 that I'm missing the IO/Zlib module, but when I go to install it, it tells
 me the io/zlib is already installed

 I'm a bit confused- any help would be greatly appreciated

Possibly caused by a recent upgrade of Perl on FreeBSD ports
(to 5.8.9, and also 5.10.0 was made available - I'd recommend
5.10.0 (lang/perl5.10), the 5.8.9 brought in some ugly problems).

If perl was indeed upgraded recently on your system, I'd suggest
removing all p5-* ports and reinstalling SpamAssassin from ports,
which will bring in all required dependencies and install them
in the correct perl lib subdirectory. Something like:

update your ports (e.g. csup /etc/cvsup/ports; make fetchindex)
pkg_delete -f 'p5-*'
portinstall -R mail/p5-Mail-SpamAssassin

  Mark


Why is the advertising for certain berry not caught

2009-04-24 Thread Igor Chudov
I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt

These advertise certain berries, but also other equally worthless
gimmicks. These spammers started snowshoeing but as time went on,
predictably they became more brazen. 

I have the latest ubuntu 9.04 and I was hoping for better results. Am
I missing some rulesets or what?

i


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Igor Chudov
On Fri, Apr 24, 2009 at 11:41:31AM -0500, Igor Chudov wrote:
 I get a shipload of spams like this one:
 
 http://igor.chudov.com/tmp/spam007.txt

By the way, look at these spams. The affiliate URL is mentioned once or
twice, and then the remove URL. The remove URL is like affiliate
URL, different by one character only.

i

 These advertise certain berries, but also other equally worthless
 gimmicks. These spammers started snowshoeing but as time went on,
 predictably they became more brazen. 
 
 I have the latest ubuntu 9.04 and I was hoping for better results. Am
 I missing some rulesets or what?
 
 i


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Rick Macdougall

Igor Chudov wrote:

I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt

These advertise certain berries, but also other equally worthless
gimmicks. These spammers started snowshoeing but as time went on,
predictably they became more brazen. 


I have the latest ubuntu 9.04 and I was hoping for better results. Am
I missing some rulesets or what?

i


Would be caught here.

X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Regards,

Rick



Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Adam Katz
Igor Chudov wrote:
 http://igor.chudov.com/tmp/spam007.txt
 [...] Am I missing some rulesets or what?

Check Razor2 with this command:

spamassassin --lint -D 2>&1 | grep -C2 Razor

it should say module installed: Razor2::Client::Agent
and loading Mail::SpamAssassin::Plugin::Razor2
(and since --lint only runs local tests, it should skip it).

If you don't have it loaded, un-comment its loadplugin line in your
v310.pre file.  You may also need the following Ubuntu/Debian command:

sudo aptitude install razor

Rick Macdougall wrote:
 Would be caught here.
 X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
 RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Either Igor doesn't have Razor2 configured, or the message hadn't yet
found its way into Vipul's index.  Also, it's unfair to assume
anything about somebody else's Bayes db, so assuming you (Rick) are on
the default scores, that means you got 6.4 including 2.8 from Razor2.


It only hit one more check for me, and that was a custom one (see my
khop-lists channel at http://khopesh.com/Anti-Spam ), designed to
lightly penalize any bulk or automated message.  (In case you're
wondering, 0.1 points for KHOP_SENDER_BOT, which triggered on the
nore...@* address.)  I don't recommend khop-lists for general use; my
other channels are far more safe and useful.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


DATE_IN_FUTURE

2009-04-24 Thread Rik
I was stumped on a question today about DATE_IN_FUTURE. My googling
offered me nothing more than the obvious 'The message has a date in the
future.'

Thing is, I could not see it. The time stamp was 24 Apr 2009 14:20:32
+0800 and matched the firewall connection log OK. Can anyone point me to
a sensible explanation of what this rule looks at so I can troubleshoot
it?




Re: DATE_IN_FUTURE

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Rik wrote:


I was stumped on a question today about DATE_IN_FUTURE. My googling
offered me nothing more than the obvious 'The message has a date in the
future.'

Thing is, I could not see it. The time stamp was 24 Apr 2009 14:20:32
+0800 and matched the firewall connection log OK. Can anyone point me to
a sensible explanation of what this rule looks at so I can troubleshoot
it?


Did you remember to adjust for timezones?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday


Re: 3.2.5 upgrade - getting clobbered

2009-04-24 Thread Joe Kletch


On Apr 24, 2009, at 11:34 AM, Mark Martinec wrote:


Jean-Paul,


I have freebsd running exim clam and sa  sitewide config-
I upgraded from 3.1.8 if memory serves-


So I installed the URI perl module, tried to run sa-update and it tells me
that I'm missing the IO/Zlib module, but when I go to install it, it tells
me the io/zlib is already installed

I'm a bit confused- any help would be greatly appreciated


Possibly caused by a recent upgrade of Perl on FreeBSD ports
(to 5.8.9, and also 5.10.0 was made available - I'd recommend
5.10.0 (lang/perl5.10), the 5.8.9 brought in some ugly problems).

If perl was indeed upgraded recently on your system, I'd suggest
removing all p5-* ports and reinstalling SpamAssassin from ports,
which will bring in all required dependencies and install them
in the correct perl lib subdirectory. Something like:

update your ports (e.g. csup /etc/cvsup/ports; make fetchindex)
pkg_delete -f 'p5-*'
portinstall -R mail/p5-Mail-SpamAssassin

 Mark


If perl was upgraded on freebsd, run 'perl-after-upgrade' to fix things
up. I have notes from three recent upgrades if someone needs them.


Joe


Re: DATE_IN_FUTURE

2009-04-24 Thread Theo Van Dinter
You'd really want to post the message headers in pastebot or something
so people can look at them.  It's not just the Date header, the rule
also looks at the Received headers, etc.


On Fri, Apr 24, 2009 at 1:44 PM, Rik hlug090...@buzzhost.co.uk wrote:
 I was stumped on a question today about DATE_IN_FUTURE. My googling
 offered me nothing more than the obvious 'The message has a date in the
 future.'

 Thing is, I could not see it. The time stamp was 24 Apr 2009 14:20:32
 +0800 and matched the firewall connection log OK. Can anyone point me to
 a sensible explanation of what this rule looks at so I can troubleshoot
 it?
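To make the timezone point concrete, here is an added Python illustration (not SpamAssassin's own code, and not from anyone on the list) that converts the Date: header and the timestamp of the topmost Received: header to one zone before comparing them, using Rik's 14:20:32 wall-clock time with two different zone offsets. Assumptions: the mx.example.com header is constructed, the range names and hour thresholds are mine (modelled on the stock DATE_IN_FUTURE_* sub-rules), and only the last hop is used, whereas Theo notes the real rule looks at the other Received: headers as well.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Illustrative ranges (my assumption, not SpamAssassin's source): how many hours
# the Date: header runs ahead of delivery, mirroring the split the stock ruleset
# makes into DATE_IN_FUTURE_03_06 ... DATE_IN_FUTURE_96_XX sub-rules.
FUTURE_RANGES = [(3, 6), (6, 12), (12, 24), (24, 48), (96, None)]


def _parse_rfc2822(value):
    """Parse an RFC 2822 date to an aware datetime; a zone-less or -0000 date is
    taken as UTC; returns None when the value is missing or unparseable."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(" ".join(value.split()))
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def delivery_time(msg):
    """Timestamp of the topmost Received: header, i.e. the last hop (delivery to us).
    Simplification: the real rule also considers the other Received: headers."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    _, _, stamp = received[0].rpartition(";")   # the date follows the last ';'
    return _parse_rfc2822(stamp)


def date_skew_hours(raw_message):
    """Hours the Date: header is ahead (positive) or behind (negative) the delivery
    timestamp, with both converted to the same zone before subtracting."""
    msg = message_from_string(raw_message)
    sent = _parse_rfc2822(msg["Date"])
    delivered = delivery_time(msg)
    if sent is None or delivered is None:
        return None
    return (sent - delivered).total_seconds() / 3600.0


def future_range(hours):
    """Name of the range a future skew falls in, or None if the date is not in the future."""
    if hours is None:
        return None
    for low, high in FUTURE_RANGES:
        if hours >= low and (high is None or hours < high):
            return "DATE_IN_FUTURE_%02d_%s" % (low, "XX" if high is None else "%02d" % high)
    return None


# Constructed sample: Rik's wall-clock time 14:20:32, but the sender stamped it
# -0800 while the receiving MX (in +0800) logged the very same wall-clock time.
# Both clocks look right in their own zone; in UTC the Date: is 16 hours ahead.
FUTURE_MSG = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "    by mx.example.com (Postfix) with ESMTP id 7A1B2C;\n"
    "    Fri, 24 Apr 2009 14:20:32 +0800\n"
    "Date: Fri, 24 Apr 2009 14:20:32 -0800\n"
    "From: sender@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Same message with consistent zones: delivered 8 seconds after it was sent.
OK_MSG = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "    by mx.example.com (Postfix) with ESMTP id 7A1B2C;\n"
    "    Fri, 24 Apr 2009 14:20:40 +0800\n"
    "Date: Fri, 24 Apr 2009 14:20:32 +0800\n"
    "From: sender@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("zone mismatch", FUTURE_MSG), ("consistent", OK_MSG)):
        skew = date_skew_hours(raw)
        print("%-13s skew=%+.3f h  rule=%s" % (name, skew, future_range(skew)))
```

A firewall log in the MX's local zone will show the same 14:20 for both samples, which is why the skew is invisible until both stamps are normalised to one zone.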


Re: Pyzor ?

2009-04-24 Thread Bill Landry
Matus UHLAR - fantomas wrote:
 On 22.04.09 13:39, Benny Pedersen wrote:
 still running here as server and client
 
 On 24.04.09 15:19, Matus UHLAR - fantomas wrote:
 client only here. searching for PYZOR string in SA logs didn't find anything
 for last two days (gotta re-check). 
 seems I will turn pyzor off too...
 
 no hit for a week, at least on my employer's machines. Got some on this one.
 Does anyone get HITS from PYZOR?

Yep, got 5 hits from pyzor in the past 10 minutes.

Bill


Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
I get plenty of these also, and cannot get them to score well. 

These advertise knockoffs of bestselling Pfizer products. The text is
meaningless garbage text. The sales message is contained in a PNG
image, but it could be other image types like jpeg. 

   http://igor.chudov.com/tmp/spam008.txt

Any ideas what I can do?

i


Re: Bot spam increasing?

2009-04-24 Thread Rob Foehl

On Fri, 24 Apr 2009, Marc Perkel wrote:

Has anyone else noticed an increase in bot spam? My black list has grown by 
about 1/3 in the last month.


Yes, I just checked the numbers for the last few weeks.  Volume was in 
line with the weekly average for March through two weeks ago, last week 
shows a 55% increase over the March levels, and this week is above 96% 
already with two days to go before a log rotation.  Nearly all of it is 
coming from the typical set of compromised machines.


Does this actually amount to anything more than a curiosity?  From my 
perspective, it's just more of the same.  For what it's worth, the SA 
numbers haven't changed significantly -- it's not even getting a crack at 
this latest spate, the SMTP checks are doing the job.


-Rob


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Charles Gregory

On Fri, 24 Apr 2009, Igor Chudov wrote:

 The sales message is contained in a PNG image
  http://igor.chudov.com/tmp/spam008.txt
Any ideas what I can do?


I've been scoring the attachment name pattern with a 'full' test.
But this will only work until they figure ways to randomize 
the attachment names.


On my system I also have SMTP-callbacks, so if the envelope sender is not 
deliverable *and* has an attachment DSL.png (or latest, a gif 
file with no name), I score twice as heavy.


- C


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:


I get plenty of these also, and cannot get them to score well.

  http://igor.chudov.com/tmp/spam008.txt

Any ideas what I can do?


Do you have administrative access to ak74.algebra.com? That looks like 
it's your MX host.


If so, a MTA rule that rejects any message from the internet having a HELO 
without a period may block a lot of that. I'm seeing an increase in the 
number of messages with that particular flaw:


217 Mar 23
129 Mar 24
208 Mar 25
212 Mar 26
207 Mar 27
149 Mar 28
143 Mar 29
138 Mar 30
135 Mar 31
172 Apr 1
155 Apr 2
 83 Apr 3
121 Apr 4
123 Apr 5
126 Apr 6
141 Apr 7
124 Apr 8
151 Apr 9
125 Apr 10
144 Apr 11
139 Apr 12
199 Apr 13
332 Apr 14
197 Apr 15
249 Apr 16
279 Apr 17
385 Apr 18
440 Apr 19
355 Apr 20
419 Apr 21
531 Apr 22
326 Apr 23

If not, a SA rule that looks for such a HELO in the Received: header that 
ak74.algebra.com adds might help.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:

The sales message is contained in a PNG image, but it could be other 
image types like jpeg.


Is it time to dust off FuzzyOCR again?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
On Fri, Apr 24, 2009 at 01:31:37PM -0700, John Hardin wrote:
 On Fri, 24 Apr 2009, Igor Chudov wrote:

 I get plenty of these also, and cannot get them to score well.

   http://igor.chudov.com/tmp/spam008.txt

 Any ideas what I can do?

 Do you have administrative access to ak74.algebra.com? That looks like  
 it's your MX host.

Yep, it is my MX host. I have root access, it is a 5 year old Fedora 3
server. 

 If so, a MTA rule that rejects any message from the internet having a 
 HELO without a period may block a lot of that. I'm seeing an increase in 
 the number of messages with that particular flaw:

 217 Mar 23
 129 Mar 24
 208 Mar 25
 212 Mar 26
 207 Mar 27
 149 Mar 28
 143 Mar 29
 138 Mar 30
 135 Mar 31
 172 Apr 1
 155 Apr 2
  83 Apr 3
 121 Apr 4
 123 Apr 5
 126 Apr 6
 141 Apr 7
 124 Apr 8
 151 Apr 9
 125 Apr 10
 144 Apr 11
 139 Apr 12
 199 Apr 13
 332 Apr 14
 197 Apr 15
 249 Apr 16
 279 Apr 17
 385 Apr 18
 440 Apr 19
 355 Apr 20
 419 Apr 21
 531 Apr 22
 326 Apr 23

 If not, a SA rule that looks for such a HELO in the Received: header that 
 ak74.algebra.com adds might help.


Do you have examples of both kinds of such rules? 

I am especially interested in the mailserver side, as I have a lot of
accounts handled by that server. 

i


SMTP-callbacks (aka Sender Verify, Sender callouts, SAV)

2009-04-24 Thread Adam Katz
Charles Gregory wrote:
 On my system I also have SMTP-callbacks, so if the envelope sender is
 not deliverable ...

I read recently that that's a Bad Thing (and I'm leaning on agreeing):
http://www.backscatterer.org/?target=sendercallouts

Sure, you can justify it with CAN-SPAM mentality (you're required to
facilitate one transaction for the opt-out, etc), but it's an
interesting point nonetheless.

I had (once upon a time) thought about implementing a system where it
uses a series of fail-overs, so e.g. try DKIM, then SPF, then SAV
(Sender Address Verify, a.k.a. Sender callouts, a.k.a.
SMTP-callbacks).  This means that SAV would not be used for any domain
that already has DKIM or SPF.  Since I also have greylisting in front
of all of that, that would make the invasive SAV calls far more rare
and targeted mostly at legit senders rather than forged ones.

Thoughts?


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Michael Scheidell



Igor Chudov wrote:
I get plenty of these also, and cannot get them to score well. 


These advertise knockoffs of bestselling Pfizer products. The text is
meaningless garbage text. The sales message is contained in a PNG
image, but it could be other image types like jpeg. 


   http://igor.chudov.com/tmp/spam008.txt

Any ideas what I can do?
  

sanesecurity and mrbl image signatures.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:


On Fri, Apr 24, 2009 at 01:31:37PM -0700, John Hardin wrote:


Do you have administrative access to ak74.algebra.com? That looks like
it's your MX host.


Yep, it is my MX host. I have root access, it is a 5 year old Fedora 3
server.


Cool.

If so, a MTA rule that rejects any message from the internet having a 
HELO without a period may block a lot of that.


If not, a SA rule that looks for such a HELO in the Received: header 
that ak74.algebra.com adds might help.


Do you have examples of both kinds of such rules?

I am especially interested in the mailserver side, as I have a lot of
accounts handled by that server.


I do that check using milter-regex. A sample config file is at 
http://www.impsec.org/~jhardin/antispam/ - you'd have to edit it to match 
your needs for domain names and local MTA IP addresses.


I don't have a rule for SA, as I block that at the MTA.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
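To make John's MTA-side check concrete, here is an added example in Python (it is not John's milter-regex config and not code from the thread) that looks only at the Received: line our own MX wrote and reports an external HELO with no period. The ak74.algebra.com name is the one Igor mentions; the Received: regex, the internal-address prefixes and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Shape of a Received: header as sendmail and Postfix write it:
#   from HELO (RDNS [IP]) by HOST ...
# This regex is an assumption of the example; SpamAssassin's own Received
# parser copes with many more MTA dialects (Exim's "helo=" form, for one).
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".*?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: header, or None."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold the header first
    return m.groupdict() if m else None


def helo_lacks_period(helo):
    """True for a bare-label HELO such as 'uhtnm'. A bracketed address literal
    ([203.0.113.45] or [IPv6:...]) is syntactically legal and is left alone."""
    if helo.startswith("[") and helo.endswith("]"):
        return False
    return "." not in helo


def is_internal(ip, internal_prefixes):
    return any(ip.startswith(prefix) for prefix in internal_prefixes)


def bad_helo_hop(raw_message, mx_host,
                 internal_prefixes=("127.", "10.", "192.168.")):
    """Return the offending HELO if the hop INTO mx_host came from an external
    host that said HELO without a period; otherwise None.

    Only Received: lines naming our own MX in 'by' are consulted, so headers
    the sender wrote upstream cannot influence the verdict. Hops from internal
    addresses are skipped, which is the local-MTA editing John refers to."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() != mx_host.lower():
            continue
        if is_internal(hop["ip"], internal_prefixes):
            continue  # loopback / LAN hop: keep looking for the border hop
        return hop["helo"] if helo_lacks_period(hop["helo"]) else None
    return None


# Constructed sample messages (not from the thread); IPs are documentation ranges.
SPAM_SAMPLE = """Received: from ak74.algebra.com (localhost [127.0.0.1])
\tby ak74.algebra.com (8.13.1/8.13.1) with ESMTP id n3OKVb0001
\tfor <igor@example.org>; Fri, 24 Apr 2009 15:31:37 -0500
Received: from uhtnm (unknown [203.0.113.45])
\tby ak74.algebra.com (8.13.1/8.13.1) with SMTP id n3OKVZ0002
\tfor <igor@example.org>; Fri, 24 Apr 2009 15:31:35 -0500
From: <someone@example.com>
Subject: constructed sample

body text
"""

HAM_SAMPLE = """Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby ak74.algebra.com (8.13.1/8.13.1) with ESMTP id n3OKVc0003
\tfor <igor@example.org>; Fri, 24 Apr 2009 15:40:02 -0500
From: <friend@example.net>
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    print("spam sample:", bad_helo_hop(SPAM_SAMPLE, "ak74.algebra.com"))  # uhtnm
    print("ham sample:", bad_helo_hop(HAM_SAMPLE, "ak74.algebra.com"))    # None
```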


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread SM

At 13:12 24-04-2009, Igor Chudov wrote:

I get plenty of these also, and cannot get them to score well.

These advertise knockoffs of bestselling Pfizer products. The text is
meaningless garbage text. The sales message is contained in a PNG
image, but it could be other image types like jpeg.


The following rule may help.  You'll need the ImageInfo plugin.

body PNG_200_400 eval:image_size_range('png', 200, 400, 250, 450)
describe PNG_200_400 Contains png 200-250 x 400-450
score   PNG_200_400  0.1

Adjust the score to fit your needs.

Regards,
-sm   
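As an added illustration of what SM's image_size_range rule decides (this is example code, not the ImageInfo plugin's implementation), the following Python reads the PNG IHDR chunk and applies the same 200-250 x 400-450 window to every image/png part of a message. The PNG parser, the minimal PNG builder and the multipart sample are constructed here.

```python
import struct
import zlib
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """(width, height) from the IHDR chunk, or None if not a well-formed PNG.
    IHDR must be the first chunk; its CRC is verified so a truncated or
    tampered header is rejected instead of yielding garbage dimensions."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def image_size_range(msg, img_type, min_w, min_h, max_w, max_h):
    """Same decision as the rule: does any image part of the given type have
    width in [min_w, max_w] and height in [min_h, max_h]? Only PNG is decoded
    here (the plugin itself understands several formats)."""
    for part in msg.walk():
        if part.get_content_type() != "image/" + img_type:
            continue
        dims = png_dimensions(part.get_payload(decode=True) or b"")
        if dims and min_w <= dims[0] <= max_w and min_h <= dims[1] <= max_h:
            return True
    return False


def make_png(width, height):
    """Constructed minimal PNG (signature + IHDR only, no image data): enough
    for the size check, which is all the rule looks at."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + struct.pack(">I", 13) + ihdr
            + struct.pack(">I", zlib.crc32(ihdr) & 0xFFFFFFFF))


def build_sample(width, height):
    """Constructed multipart message: gibberish text plus one inline PNG,
    the shape Igor describes."""
    msg = MIMEMultipart("related")
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("qwe rty uio asd fgh", "plain"))
    img = MIMEBase("image", "png")
    img.set_payload(make_png(width, height))
    encoders.encode_base64(img)
    img.add_header("Content-Disposition", "inline", filename="offer.png")
    msg.attach(img)
    return message_from_bytes(msg.as_bytes())


if __name__ == "__main__":
    hit = image_size_range(build_sample(230, 420), "png", 200, 400, 250, 450)
    print("PNG_200_400 hits:", hit)  # True
```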



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
Stefan and guys!!! You are awesome!!!

All I did was aptitude install fuzzyocr. Nothing else. I re-ran the
test again, and this particular spam scored for fuzzyOCR and got a
score of 16!!!

Here's the new score:

#

 pts rule name                   description
 ---- -------------------------- --------------------------------------------------
 0.0 HTML_MESSAGE                BODY: HTML included in message
 0.0 BAYES_50                    BODY: Bayesian spam probability is 40 to 60%
                                 [score: 0.5085]
 3.0 RCVD_IN_XBL                 RBL: Received via a relay in Spamhaus XBL
                                 [88.236.102.45 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL                 RBL: Received via a relay in Spamhaus PBL
 0.8 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 0.1 RDNS_NONE                   Delivered to trusted network by a host with no rDNS
  12 FUZZY_OCR                   BODY: Mail contains an image with common spam text inside
                                 [Words found:]
                                 [cia*** in 3 lines]
                                 [via*** in 3 lines]
                                 [(9 word occurrences found)]

On Fri, Apr 24, 2009 at 10:52:30PM +0200, Stefan Luetje wrote:
 On 24 Apr 2009 at 22:12 CEST, Igor Chudov wrote:
  I get plenty of these also, and cannot get them to score well. 
  
  These advertise knockoffs of bestselling Pfizer products. The text is
  meaningless garbage text. The sales message is contained in a PNG
  image, but it could be other image types like jpeg. 
  
 http://igor.chudov.com/tmp/spam008.txt
  
  Any ideas what I can do?
 
 You can install FuzzyOcr
 http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
 
 ,
 | X-Spam-Status: Yes, score=19.8 required=5.0 
 tests=BADRELAY,BAYES_99,FUZZY_OCR,
 | HK_IMGSPAM,HTML_MESSAGE,SAGREY autolearn=no version=3.2.5
 | X-Spam-Relay-Country: US TR
 | X-Spam-Report: =?ISO-8859-1?Q?
 | *  3.5 BAYES_99 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
 | *  [score: 1.]
 | *  0.3 HTML_MESSAGE BODY: Nachricht enth=e4lt HTML
 | *  2.5 BADRELAY bad Relay
 | *  2.0 HK_IMGSPAM Inline image in message, Bayes think it's spam
 | *   10 FUZZY_OCR BODY:
 | *  1.0 SAGREY Adds 1.0 to spam from first-time senders
 `
 
 ,[ fuzzyocr.log ]
 | 2009-04-24 22:30:08 [9756] Scanset ocrad found word cialis with fuzz of 
 0.
 |   line: ur prce viagra  cialis special offer
 | 2009-04-24 22:30:08 [9756] Scanset ocrad found word cialis with fuzz of 
 0.
 |   line: lgg cialis special offer
 | 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
 0.
 |   line: ur prce viagra  cialis special offer
 | 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
 0.1667
 |   line: l ls lo x vagra loo mg  lo x cals omg
 | 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
 0.
 |   line:  viagra hot offer
 | 2009-04-24 22:30:08 [9756] Scanset ocrad generates enough hits (5), 
 skipping further scansets...
 | 2009-04-24 22:30:08 [9756] Message is spam, score = 10.500
 | 2009-04-24 22:30:08 [9756] Adding Hash to 
 /home/stefan/.fuzzyocr/FuzzyOcr.hashdb
 | 2009-04-24 22:30:08 [9756] Words found:
 |   cialis in 2 lines
 |   viagra in 3 lines
 |   (7.5 word occurrences found)
 `
 
 
 Greets
 Stefan
   




Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread James Wilkinson
Charles Gregory wrote:
 I've been scoring the attachment name pattern with a 'full' test.
 But this will only work until they figure ways to randomize the 
 attachment names

The mimeheader plugin can do that and is much cheaper.

The
<STYLE>
Abody
Ahead
</STYLE>
part of the HTML seems to be a good spam sign, too. I can’t come up with
a test (other than a full test) that will actually match all of that
with 3.2.x: the rawbody rule matches one line at a time. A meta on both
Abody and Ahead in the rawbody seems to do a pretty good job.

To what extent should Windows Mail be counted as a variant of
Outlook/Outlook Express? It’s not caught in __ANY_OUTLOOK_MUA: should it
be?

Hope this helps,

James.

-- 
E-mail: james@ | ... a sign carefully conveying in pictograms the fact
aprilcottage.co.uk | that you should not leave wheelchairs on a certain river
   | bank as they would roll down the hill and the crocs would
   | eat the passenger.-- Skud


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Adam Katz
Igor Chudov wrote:
 Stefan and guys!!! You are awesome!!!

   12 FUZZY_OCR  BODY: Mail contains an image with common spam 
 text inside
 [Words found:]
 [cia*** in 3 lines]
 [via*** in 3 lines]
 [(9 word occurrences found)]

I wouldn't trust FUZZY_OCR with anything.  12 points is *WAY* too high
for any single thing.  I had to disable this plugin a year or three
ago because it assigned 20+ points to legit screenshots in ham (and
that was /after/ I trimmed its flagging words file down in size)!


IMHO, very very few tests should score more than BAYES_99 (3.5 of a
needed 5.0 points).  That's the whole point of using SpamAssassin - a
best-of-breed so that you need multiple angles to kill any message,
thus vastly reducing the false positive chance.


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Stefan Luetje
On 24 Apr 2009 at 22:12 CEST, Igor Chudov wrote:
 I get plenty of these also, and cannot get them to score well. 
 
 These advertise knockoffs of bestselling Pfizer products. The text is
 meaningless garbage text. The sales message is contained in a PNG
 image, but it could be other image types like jpeg. 
 
http://igor.chudov.com/tmp/spam008.txt
 
 Any ideas what I can do?

You can install FuzzyOcr
http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

,
| X-Spam-Status: Yes, score=19.8 required=5.0 tests=BADRELAY,BAYES_99,FUZZY_OCR,
|   HK_IMGSPAM,HTML_MESSAGE,SAGREY autolearn=no version=3.2.5
| X-Spam-Relay-Country: US TR
| X-Spam-Report: =?ISO-8859-1?Q?
|   *  3.5 BAYES_99 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
|   *  [score: 1.]
|   *  0.3 HTML_MESSAGE BODY: Nachricht enth=e4lt HTML
|   *  2.5 BADRELAY bad Relay
|   *  2.0 HK_IMGSPAM Inline image in message, Bayes think it's spam
|   *   10 FUZZY_OCR BODY:
|   *  1.0 SAGREY Adds 1.0 to spam from first-time senders
`

,[ fuzzyocr.log ]
| 2009-04-24 22:30:08 [9756] Scanset ocrad found word cialis with fuzz of 
0.
|   line: ur prce viagra  cialis special offer
| 2009-04-24 22:30:08 [9756] Scanset ocrad found word cialis with fuzz of 
0.
|   line: lgg cialis special offer
| 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
0.
|   line: ur prce viagra  cialis special offer
| 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
0.1667
|   line: l ls lo x vagra loo mg  lo x cals omg
| 2009-04-24 22:30:08 [9756] Scanset ocrad found word viagra with fuzz of 
0.
|   line:  viagra hot offer
| 2009-04-24 22:30:08 [9756] Scanset ocrad generates enough hits (5), 
skipping further scansets...
| 2009-04-24 22:30:08 [9756] Message is spam, score = 10.500
| 2009-04-24 22:30:08 [9756] Adding Hash to 
/home/stefan/.fuzzyocr/FuzzyOcr.hashdb
| 2009-04-24 22:30:08 [9756] Words found:
|   cialis in 2 lines
|   viagra in 3 lines
|   (7.5 word occurrences found)
`


Greets
Stefan
  
-- 
Stefan Lütje | "The future will be better tomorrow." -- George W. Bush
stefan.lue...@t-online.de
Key fingerprint = BCB2 48E4 9211 C975 5A3F  B192 9B6E CCCF 99CC 44FA





Re: Pyzor ?

2009-04-24 Thread Matus UHLAR - fantomas
  On 22.04.09 13:39, Benny Pedersen wrote:
   still running here as server and client
 
 On 24.04.09 15:19, Matus UHLAR - fantomas wrote:
  client only here. searching for PYZOR string in SA logs didn't find anything
  for last two days (gotta re-check). 
  seems I will turn pyzor off too...

On 24.04.09 15:51, Matus UHLAR - fantomas wrote:
 no hit for a week, at least on my employer's machines. Got some on this one.
 Does anyone get HITS from PYZOR?

OK, thank you. I see the problem is apparently on our side, I'll look for
it.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: DATE_IN_FUTURE

2009-04-24 Thread Matus UHLAR - fantomas
On 24.04.09 18:44, Rik wrote:
 Date: Fri, 24 Apr 2009 18:44:07 +0100
 
 I was stumped on a question today about DATE_IN_FUTURE. My googling
 offered me nothing more than the obvious 'The message has a date in the
 future.'
 
 Thing is, I could not see it. The time stamp was 24 Apr 2009 14:20:32
 +0800 and matched the firewall connection log OK. Can anyone point me to
 a sensible explanation of what this rule looks at so I can troubleshoot
 it?

If you got the mentioned mail BEFORE you sent this one, it was in the
future:

the time you sent the mail was 24 Apr 2009 19:44:07 GMT
the time reported was 25 Apr 2009 00:20:32 GMT.

Apparently the sender does not have correct timezone set (quite common
problem).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
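An added worked check, not part of Matus's reply, that converts both timestamps to UTC (the comparison DATE_IN_FUTURE rests on) and buckets the shift into the stock DATE_IN_FUTURE_* rule names, so the sender's wrong-timezone case can be reproduced from the two headers. The bucket boundaries and the Received: timestamps are assumptions of this example; the +0800 and +0100 stamps are Rik's and Matus's from the thread.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# DATE_IN_FUTURE_* rules from the stock SpamAssassin rule set, keyed by the
# hour window each covers. The windows are an assumption of this example;
# check 20_head_tests.cf of your release for the exact ones.
FUTURE_BUCKETS = (
    (3, 6, "DATE_IN_FUTURE_03_06"),
    (6, 12, "DATE_IN_FUTURE_06_12"),
    (12, 24, "DATE_IN_FUTURE_12_24"),
    (24, 48, "DATE_IN_FUTURE_24_48"),
    (48, 96, "DATE_IN_FUTURE_48_96"),
    (96, float("inf"), "DATE_IN_FUTURE_96_XX"),
)


def to_utc(rfc2822_stamp):
    """Parse an RFC 2822 date, honouring its zone offset, and return it in UTC.
    This is the step the rule depends on: '14:20:32 +0800' is 06:20:32 UTC."""
    return parsedate_to_datetime(rfc2822_stamp).astimezone(timezone.utc)


def utc_fields(rfc2822_stamp):
    """(year, month, day, hour, minute, second) of the stamp in UTC."""
    return to_utc(rfc2822_stamp).timetuple()[:6]


def shift_hours(date_header, received_stamp):
    """Hours by which Date: is ahead of the receipt time (negative: in the past)."""
    delta = to_utc(date_header) - to_utc(received_stamp)
    return delta.total_seconds() / 3600


def future_rule(date_header, received_stamp):
    """Name of the DATE_IN_FUTURE_* bucket the shift falls into, or None."""
    hours = shift_hours(date_header, received_stamp)
    for low, high, name in FUTURE_BUCKETS:
        if low <= hours < high:
            return name
    return None


if __name__ == "__main__":
    # Rik's stamp, zone offset correct: no shift worth scoring.
    rik_date = "Fri, 24 Apr 2009 14:20:32 +0800"
    received = "Fri, 24 Apr 2009 06:21:00 +0000"     # constructed receipt time
    print(future_rule(rik_date, received))            # None
    # Same wall clock, but the sender's MUA thinks it is in UTC (the
    # "wrong timezone" case Matus describes): Date: lands ~8 h in the future.
    wrong_zone = "Fri, 24 Apr 2009 14:20:32 +0000"
    print(future_rule(wrong_zone, received))          # DATE_IN_FUTURE_06_12
```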


Phishing

2009-04-24 Thread Casartello, Thomas
One major issue we've been having lately is with phishing emails being
targeted at us. They're being sent to us from hacked accounts at other
educational institutes. The message usually is about Your EDU webmail
account is expiring. Please send us your username and password to fix it.
We've had some users fall for it, then their Exchange account gets turned
into a spam machine (sending out usual junk spam as well as the original
phishing message.) Because they are coming from legitimate sites, it's been
very difficult to block these messages. I've been trying to write phrase
rules with common words used in the message, but whoever's responsible for
this is continually changing the message to prevent you from being able to
catch them with phrase rules. Any thoughts?

 

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
(413) 572-8245

Red Hat Certified Technician (RHCT)





Re: Phishing

2009-04-24 Thread Jeff Chan
On Friday, April 24, 2009, 5:05:38 PM, Thomas Casartello wrote:
 One major issue we've been having lately is with phishing emails being
 targeted at us. They're being sent to us from hacked accounts at other
 educational institutes. The message usually is about Your EDU webmail
 account is expiring. Please send us your username and password to fix it.
 We've had some users fall for it, then their Exchange account gets turned
 into a spam machine (sending out usual junk spam as well as the original
 phishing message.) Because they are coming from legitimate sites, it's been
 very difficult to block these messages. I've been trying to write phrase
 rules with common words used in the message, but whoever's responsible for
 this is continually changing the message to prevent you from being able to
 catch them with phrase rules. Any thoughts?

If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail.  Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/



Re: Pyzor ?

2009-04-24 Thread Chris
On Fri, 2009-04-24 at 15:51 +0200, Matus UHLAR - fantomas wrote:
  On 22.04.09 13:39, Benny Pedersen wrote:
   still running here as server and client
 
 On 24.04.09 15:19, Matus UHLAR - fantomas wrote:
  client only here. searching for PYZOR string in SA logs didn't find anything
  for last two days (gotta re-check). 
  seems I will turn pyzor off too...
 
 no hit for a week, at least on my employer's machines. Got some on this one.
 Does anyone get HITS from PYZOR?
 
I have just in the past few days:
X-spam-pyzor: Reported 42 times.
X-spam-pyzor: Reported 3 times.

3.7 PYZOR_CHECKListed in Pyzor (http://pyzor.sf.net/)

-- 
KeyID 0xE372A7DA98E6705C





RE: Phishing

2009-04-24 Thread Casartello, Thomas
The phish are coming from real hacked accounts (Basically people that have
gotten the phish email and fallen for it) at other Educational institutes
(We already use SPF). 

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)

-Original Message-
From: Jeff Chan [mailto:je...@surbl.org] 
Sent: Friday, April 24, 2009 9:43 PM
To: Casartello, Thomas
Cc: users@spamassassin.apache.org
Subject: Re: Phishing

On Friday, April 24, 2009, 5:05:38 PM, Thomas Casartello wrote:
 One major issue we've been having lately is with phishing emails being
 targeted at us. They're being sent to us from hacked accounts at other
 educational institutes. The message usually is about Your EDU webmail
 account is expiring. Please send us your username and password to fix it.
 We've had some users fall for it, then their Exchange account gets turned
 into a spam machine (sending out usual junk spam as well as the original
 phishing message.) Because they are coming from legitimate sites, it's
been
 very difficult to block these messages. I've been trying to write phrase
 rules with common words used in the message, but whoever's responsible for
 this is continually changing the message to prevent you from being able to
 catch them with phrase rules. Any thoughts?

If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail.  Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/





Re: SMTP-callbacks (aka Sender Verify, Sender callouts, SAV)

2009-04-24 Thread Charles Gregory

On Fri, 24 Apr 2009, Adam Katz wrote:

I read recently that that's a Bad Thing (and I'm leaning on agreeing):
http://www.backscatterer.org/?target=sendercallouts


The most compelling argument on that site is one that almost slips by 
un-noticed. A spammer could very well forge a honeypot as a sender 
address, causing my system to 'send mail' (a verify) to a honeypot, and 
possibly get blacklisted. And this would also open up a way for spammers 
to 'poison' honey pots by having them blacklist so many legitimate 
servers that the blacklists have to be thrown out... Ouch.


Mind you, I receive mail on a different IP address than my outgoing mail.
So even if the incoming server was blacklisted for verifies, this wouldn't 
impede my legitimate outgoing mail. Or would it? H..


- Charles


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread LuKreme


On 24-Apr-2009, at 10:41, Igor Chudov wrote:


I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt


Scores very high here.

Content analysis details:   (9.6 points, 5.0 required)

 pts rule name                 description
 ---- ------------------------- --------------------------------------------------
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: tgifriday.info]
 4.5 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                               [score: 1.]
 0.1 DIET_1                    BODY: Lose Weight Spam
 0.6 SPF_SOFTFAIL              SPF: sender does not match SPF record (softfail)
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]

--
I hear hurricanes a-blowing, I know the end is coming
soon. I fear rivers over-flowing. I hear the voice
of rage and ruin.



Re: Phishing

2009-04-24 Thread Igor Chudov
Maybe I can clarify how these phishes work. A phisher would send
emails to a large number of people saying, literally, I am your
email administrator, your account is to be suspended, please send me
your username and password. 

Any cursory examination of these letters would make it obvious that
they are fake. 

Most people do not fall for it, but the dumbest ones do fall for it. 

Once they send these emails, the spammers gain control of those email
accounts and can abuse them however they want, including propagating
of phishing, spamming, etc. 

DKIM will not work, as this is purely a social engineering attack. 

i


Bayes and MySQL ? performance ...

2009-04-24 Thread Phibee Network Operation Center

Hi

Currently I have a small number of SpamAssassin 3.2.5 servers
(a new install, in beta). Each server has a Bayes database ...

Do you think the best solution is a shared Bayes database
on one MySQL server?

For best performance and HA, what is the best configuration?
   One central MySQL server with a local replica on each
spamassassin server?


Thanks for your help
jerome



Sa-update == List of best channel ?

2009-04-24 Thread Phibee Network Operation Center

Hi

Currently I use sa-update with:
  
SARE, via:

http://daryl.dostech.ca/sa-update/sare

and the classic SpamAssassin channel ..

Are there other channels with good detection results?

Thanks
jerome



Re: Phishing

2009-04-24 Thread SM

At 17:05 24-04-2009, Casartello, Thomas wrote:
One major issue we've been having lately is with phishing emails 
being targeted at us. They're being sent to us from hacked accounts 
at other educational institutes. The message usually is about Your 
EDU webmail account is expiring. Please send us your username and 
password to fix it. We've had some users fall for it, then their 
Exchange account gets turned into a spam machine (sending out usual 
junk spam as well as the original phishing message.) Because they 
are coming from legitimate sites, it's been very difficult to block 
these messages. I've been trying to write phrase rules with common 
words used in the message, but whoever's responsible for this is 
continually changing the message to prevent you from being able to 
catch them with phrase rules. Any thoughts?


There was a project from an educational institution to target 
phishing emails.  I don't recall the name of the project or whether 
the source code was released.


It is going to be a lot of work to keep the rules updated to catch 
these emails.  Analyze the emails instead of trying to apply the 
usual techniques to catch them.  Instead of considering the emails as 
coming from legitimate sites, you should treat that as a data point 
as part of the patterns to identify.  The words in the emails might 
change but the sender relies on some information for the phish to 
work.  You should be able to parse the mail traffic for that 
information.  BTW, there is a larger problem if there are hacked 
accounts available on the sending network and on your network.


Regards,
-sm 



Re: Sa-update == List of best channel ?

2009-04-24 Thread Matt Kettler
Phibee Network Operation Center wrote:
 Hi

 Currently I use sa-update with:
   SARE, via:
 http://daryl.dostech.ca/sa-update/sare

 and the classic SpamAssassin channel ..

 Are there other channels with good detection results?

Justin Mason's sought rules seemed to work well last I played with them:

http://taint.org/2007/08/15/004348a.html


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Henrik K
On Fri, Apr 24, 2009 at 05:14:21PM -0400, Adam Katz wrote:
 Igor Chudov wrote:
  Stefan and guys!!! You are awesome!!!
 
12 FUZZY_OCR  BODY: Mail contains an image with common spam 
  text inside
  [Words found:]
  [cia*** in 3 lines]
  [via*** in 3 lines]
  [(9 word occurrences found)]
 
 I wouldn't trust FUZZY_OCR with anything.  12 points is *WAY* too high
 for any single thing.  I had to disable this plugin a year or three
 ago because it assigned 20+ points to legit screenshots in ham (and
 that was /after/ I trimmed its flagging words file down in size)!

You do realize that it's configurable? Who to blame if you just run things
blindly.



spamassassin -D don't start ?

2009-04-24 Thread Phibee Network Operation Center

Hi

When I start spamassassin -D, it stops at Net::DNS ...  after 1 hour, 
no change .. CTRL-C to stop it


[r...@spam spamassassin]# spamassassin -D
[6451] dbg: logger: adding facilities: all
[6451] dbg: logger: logging level is DBG
[6451] dbg: generic: SpamAssassin version 3.2.5
[6451] dbg: config: score set 0 chosen.
[6451] dbg: util: running in taint mode? yes
[6451] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[6451] dbg: util: PATH included '/sbin', keeping
[6451] dbg: util: PATH included '/usr/sbin', keeping
[6451] dbg: util: PATH included '/bin', keeping
[6451] dbg: util: PATH included '/usr/bin', keeping
[6451] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, 
dropping

[6451] dbg: util: PATH included '/usr/local/bin', keeping
[6451] dbg: util: PATH included '/usr/local/sbin', keeping
[6451] dbg: util: final PATH set to: 
/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

[6451] dbg: dns: is Net::DNS::Resolver available? yes
[6451] dbg: dns: Net::DNS version: 0.63


Do I have an error?

Thanks
jerome


Re: spamassassin -D don't start ?

2009-04-24 Thread Matt Kettler
Phibee Network Operation Center wrote:
 Hi

 When I start spamassassin -D, it stops at Net::DNS ...  after 1
 hour, no change .. CTRL-C to stop it

 [r...@spam spamassassin]# spamassassin -D
 [6451] dbg: logger: adding facilities: all
 [6451] dbg: logger: logging level is DBG
 [6451] dbg: generic: SpamAssassin version 3.2.5
 [6451] dbg: config: score set 0 chosen.
 [6451] dbg: util: running in taint mode? yes
 [6451] dbg: util: taint mode: deleting unsafe environment variables,
 resetting PATH
 [6451] dbg: util: PATH included '/sbin', keeping
 [6451] dbg: util: PATH included '/usr/sbin', keeping
 [6451] dbg: util: PATH included '/bin', keeping
 [6451] dbg: util: PATH included '/usr/bin', keeping
 [6451] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist,
 dropping
 [6451] dbg: util: PATH included '/usr/local/bin', keeping
 [6451] dbg: util: PATH included '/usr/local/sbin', keeping
 [6451] dbg: util: final PATH set to:
 /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [6451] dbg: dns: is Net::DNS::Resolver available? yes
 [6451] dbg: dns: Net::DNS version: 0.63


 Do I have an error?
Well, what did you expect it to do?

The spamassassin command line isn't a daemon, so it's waiting for you
to enter a message into it to be processed. Since you've not redirected
the input, it's expecting one to be typed in :)

Normal usage on a command line would be something like this:

spamassassin < message.in > message.out

But that's not really practical for real mail volumes. Really, the
spamassassin command is only intended for configuration test use on
one or two messages. It's not a reasonable way to scan real volumes of
mail.

Nearly everyone integrates SA into their mail chain so this happens
automatically, usually using the spamd/spamc pairing in some fashion,
but there are a few integration options that invoke the perl API (i.e.
MailScanner, MimeDefang):

See:

http://wiki.apache.org/spamassassin/IntegratedInMta

http://wiki.apache.org/spamassassin/IntegratedInMua






Re: spamassassin -D don't start ?

2009-04-24 Thread Phibee Network Operation Center

Phibee Network Operation Center wrote:

Hi

When I start spamassassin -D, it stops at Net::DNS ...  after 1 
hour, no change .. CTRL-C to stop it


[r...@spam spamassassin]# spamassassin -D
[6451] dbg: logger: adding facilities: all
[6451] dbg: logger: logging level is DBG
[6451] dbg: generic: SpamAssassin version 3.2.5
[6451] dbg: config: score set 0 chosen.
[6451] dbg: util: running in taint mode? yes
[6451] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[6451] dbg: util: PATH included '/sbin', keeping
[6451] dbg: util: PATH included '/usr/sbin', keeping
[6451] dbg: util: PATH included '/bin', keeping
[6451] dbg: util: PATH included '/usr/bin', keeping
[6451] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, 
dropping

[6451] dbg: util: PATH included '/usr/local/bin', keeping
[6451] dbg: util: PATH included '/usr/local/sbin', keeping
[6451] dbg: util: final PATH set to: 
/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

[6451] dbg: dns: is Net::DNS::Resolver available? yes
[6451] dbg: dns: Net::DNS version: 0.63


Do I have an error?

Thanks
jerome





Oops, I forgot to add --lint





what is netset: cannot include 127.0.0.1/32 as it has already been included

2009-04-24 Thread Phibee Network Operation Center

Hi

My spamassassin logs show:

netset: cannot include 127.0.0.1/32 as it has already been included

Does anyone know what this is?

thanks
jerome



Re: what is netset: cannot include 127.0.0.1/32 as it has already been included

2009-04-24 Thread Matt Kettler
Phibee Network Operation Center wrote:
 Hi

 My spamassassin logs show:

 netset: cannot include 127.0.0.1/32 as it has already been included

 Does anyone know what this is?

I'd guess you tried to declare 127.0.0.1 in either your
trusted_networks, or internal_networks. However, this is a hard-coded
assumption, and doesn't need adding.

(If you can't trust yourself, who can you trust? :-)