Re: sa with spamass-milter UNPARSEABLE_RELAY problem - fixed

2009-04-30 Thread Dave Funk

On Fri, 1 May 2009, mark wrote:


Just posting this for others who may encounter this:-

This turned out to be an interaction between milter-greylist and 
spamass-milter.   In sendmail.mc the following grey list config was included 
as part of the greylist setup:-


define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl

however for the spamass-milter to work properly the following needs to be 
set:


define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _')dnl

and I commented out: dnl define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl

[snip..]

Mark,
When configuring multiple milters in a sendmail instance, make that 
"confMILTER_MACROS_ENVRCPT" macro contain the union of all the attributes
that the various milters want. That sets the list of variables that are 
offered to each milter instance. A given milter does not have to look at 
all the variables offered but it cannot 'see' any that are not offered.

So when in doubt give it more than it needs.

EG for your instance, set that confMILTER_MACROS_ENVRCPT to be:

 define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _, {greylist}')dnl


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Bombed by PNG spam and spamassassin say its HAM

2009-04-30 Thread Dave Funk


On Thu, 30 Apr 2009, Bob Proulx wrote:


Michelle Konzack wrote:

I get since some days over 43 (yes four hundred thirty thousand)  PNG
spams of around 14-16 kByte and spamassassin tags them all as ham.


I have been getting pummeled by the image only spam messages too.


Does someone know HOW to reject this crap effectively?


I was about to write the list and ask if there is a rule that could be
triggered when a message has only an image part but no text parts.  I
have no idea how to create it but that would be very useful for me and
this type of spam.  As far as I can tell that would work great here
and for me no false positives.

Bob


There should already be rules for that exact format. We see FPs
on them when users e-mail in a windows screen capture to show us a 
particular error they're getting. They'll put the complaint in the

subject line, paste the image into their Outlook & hit 'send'.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: sa with spamass-milter UNPARSEABLE_RELAY problem - fixed

2009-04-30 Thread mark



I have created case 6103 - but this may be a milter-issue, although
the same version of the milter worked very well on centos-4 i386 and
SA 3.1

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6103

thanks in advance
mark



This is a spamass-milter bug. They generate a malformed fake sendmail
header and it's unparseable.

There's a fix for spamass-milter in the debian bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510665
  

Just posting this for others who may encounter this:-

This turned out to be an interaction between milter-greylist and 
spamass-milter.   In sendmail.mc the following grey list config was 
included as part of the greylist setup:-


define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl

however for the spamass-milter to work properly the following needs to 
be set:


define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _')dnl

and I commented out: dnl define(`confMILTER_MACROS_ENVRCPT', 
`{greylist}')dnl


setting the following for the spamass-milter:

EXTRA_FLAGS="-m -r 5"

rejects mail that scores over 5 without delivery.  This is particularly 
useful when the box forwards mails via virtusertable / /etc/aliases


example: 
May  1 16:06:50 host spamd[15382]: spamd: result: Y 5 - 
DYN_RDNS_AND_INLINE_IMAGE,FH_HELO_EQ_D_D_D_D,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC
May  1 16:06:50 host sendmail[15382]: n4146fZ6015382: 
to=, delay=00:00:08, pri=31489, stat=Blocked by 
SpamAssassin




System: Centos 5.3 + std sendmail, spamass-milter-0.3.1 - with fixes in

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510665

and spamassassin-3.2.5-1.el5
milter-greylist-3.0-2.el5.rf



Re: Bombed by PNG spam and spamassassin say its HAM

2009-04-30 Thread Bob Proulx
Michelle Konzack wrote:
> I get since some days over 43 (yes four hundred thirty thousand)  PNG
> spams of around 14-16 kByte and spamassassin tags them all as ham.

I have been getting pummeled by the image only spam messages too.

> Does someone know HOW to reject this crap effectively?

I was about to write the list and ask if there is a rule that could be
triggered when a message has only an image part but no text parts.  I
have no idea how to create it but that would be very useful for me and
this type of spam.  As far as I can tell that would work great here
and for me no false positives.

Bob


Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 18:47, Adam Katz wrote:

LuKreme wrote:

DSC? Yes. .PNG? None that I've seen...


Not specifically, but I, for example, convert photos I want to use for
Desktops to .png format, and I often don't rename them. If I email them
to someone they would match that pattern. I have 6 desktop images that
match DSC[0-9]{4}\.png and about 5 more that would match a more generic

[:alpha:]{3}[0-9]{4}\.png

I'm just saying, this has a real potential of catching real messages.


A tip:  the PNG takes up considerably more disk space (and thus
loading time) and you're not increasing any quality (since it was
originally lossy).


Actually, the PNGs load considerably faster for me as desktop images,  
which is why I convert them.



--
It was intended that when Newspeak had been adopted once and for
all and Oldspeak forgotten, a heretical thought...should be
literally unthinkable, at least so far as thought is dependent
on words.



Re: Almost no score

2009-04-30 Thread Adam Katz
LuKreme wrote:
>> DSC? Yes. .PNG? None that I've seen...
> 
> Not specifically, but I, for example, convert photos I want to use for
> Desktops to .png format, and I often don't rename them. If I email them
> to someone they would match that pattern. I have 6 desktop images that
> match DSC[0-9]{4}\.png and about 5 more that would match a more generic
> [:alpha:]{3}[0-9]{4}\.png
> 
> I'm just saying, this has a real potential of catching real messages.

A tip:  the PNG takes up considerably more disk space (and thus
loading time) and you're not increasing any quality (since it was
originally lossy).

If you're editing it, keep the original high-res JPG saved in some
more useful lossless format (like PSD or XCF) and export it back to
JPG when done editing.


Re: Almost no score

2009-04-30 Thread Chris
On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
> Hi all,
> 
> I just upgraded to 3.2.5  ran sa-update and I got this message with only one
> rule tripped
> 
> I'm putting a link to the message as well as the headers
> 
> If anyone can shed some light here , I would appreciate it.
> 
> ftp://ftp.fcimail.org/IT/SA/headers.txt
> 
> ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
> %20pain%20and%20dysfunctions.htm
> 
> TIA
> 
> J
I couldn't get the whole message so just ran against the headers:

 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [85.75.94.188 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [85.75.94.188 listed in bb.barracudacentral.org]
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8897]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1117; Body=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
KeyID 0xE372A7DA98E6705C





Re: Bombed by PNG spam and spamassassin say its HAM

2009-04-30 Thread John Hardin

On Fri, 1 May 2009, Michelle Konzack wrote:

I get since some days over 43 (yes four hundred thirty thousand) 
PNG spams of around 14-16 kByte and spamassassin tags them all as ham.


Check the list archives for today, there's been some discussion of 
detecting them via ImageInfo.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 8 days until the 64th anniversary of VE day


Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 12:01, Jean-Paul Natola wrote:
Have the scoring methods changed in SA? I noticed in your rules there
are no scores



This is what I have in local.cf

(single lines)
header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi  # "

header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi  # "

header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="=_NextPart_000__\1\./msi  # "


score KB_RATWARE_BOUNDARY 2.0
score KB_RATWARE_OUTLOOK_16 0.1


--
Exit, pursued by a bear.



Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 11:10, John Hardin wrote:

On Thu, 30 Apr 2009, LuKreme wrote:

Clarke's Law: Sufficiently advanced technology is indistinguishable
 from magic


somebody's corollary to Clarke's law: Any technology distinguishable  
from magic is insufficiently advanced.


O, that's nice!


--
This above all, to thine own self be true And it must follow, as
the night the day, Thou canst not then be false to any man.



Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 10:50, Evan Platt wrote:

At 09:33 AM 4/30/2009, you wrote:

mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


I'd be very careful with that rule (or any related).  This file name
pattern is a quite standard pattern for pictures from digital  
cameras.


DSC? Yes. .PNG? None that I've seen...


Not specifically, but I, for example, convert photos I want to use for
Desktops to .png format, and I often don't rename them. If I email them
to someone they would match that pattern. I have 6 desktop images that
match DSC[0-9]{4}\.png and about 5 more that would match a more generic
[:alpha:]{3}[0-9]{4}\.png


I'm just saying, this has a real potential of catching real messages.

--
and I swear it happened just like this: / a sigh, a cry, a hungry
kiss, the Gates of Love they budged an inch / I can't say much
has happened since / but CLOSING TIME



Re: Bombed by PNG spam and spamassassin say its HAM

2009-04-30 Thread Wolfgang Zeikat

Michelle Konzack wrote:


Does someone know HOW to reject this crap eectively?


SpamAssassin does not reject mail. But with the clamav plugin and the 
3rd party clamav signatures from sanesecurity.com, it detects them 
pretty well here.


Hope this helps,

wolfgang






Re: 'anti' AWL

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 11:50, Charles Gregory wrote:

On Thu, 30 Apr 2009, LuKreme wrote:
First off, I suppose that if you get real mail from someone who has only
ever been seen as a spam sender, then yes, the first mail would be
penalized.  But is this ever the case?


(nod) Any time someone's address has been used as a spoofed sender before
that legitimate sender makes first contact with a new correspondent. But as
I understand your logic, there is no 'rule' to distinguish the 'first' AWL
entry as 'special' from all the rest... just that 'others' exist...


Right.


Let's lay out the logic here:
2 AWL is positive or does not exist
  a Check for other AWL entries using same address but different hosts.
    i   If there is an AWL with a negative score, then multiply by -0.2 and
        add to score


So any AWL with a negative score still helps the new mail be negative?
The sender's legit mail helps new spam?


No, the sender's AWL HURTS new spam.  If the score is -2 from the AWL
then -2 * -0.2 = 0.4


    ii  If there is an AWL with a positive score, under 5.0, then multiply by
        0.1 and add
    iii If there is an AWL with a positive score over 5.0, then multiply it
        by 0.4 and add


So in the unlikely event that spam (from a different server) precedes
legitimate mail, the legit sender gets a positive adjustment before they
have a chance to score negative...


As I understand it the AWL is added after all others, but yes, the  
FIRST legitimate mail will be penalized.


Note that this logic will also be problematic when sender has  
multiple mail servers. Many senders get a few points positive...


This will only be an issue if those multiple servers have positive AWL  
scores.


  c if total amount added is over some threshold, normalize on that threshold
    (3 points? 5? 8?)


Now let's presume that the sender is spoofed by spammers on ten different
IP's, producing ten different AWL entries. How will you distinguish the
legit sender's IP (except by hoping they have scored negative?)... You will
simply add up ALL the IP AWL's and score *any* mail from the sender with a
significant positive adjustment


As far as I can tell, though it's not easy to be sure, legitimate  
senders have negative AWL scores.



3 AWL is negative
{ crickets }


But how often does that really happen? As I said, most people get a  
*few* points on legit mail.


But it's not the points on the mail, it is only the AWL listing that  
we're looking at.


The idea being that an average score of 0.8 will 'average' with a  
fluke spammy mail and keep the score lower But your way is  
adding those small scores to essentially ALL mail unless the lucky  
sender never mentioned viag ooops. There goes *my* score LOL


OK, how do we parse out the AWL numbers then so we can see what sorts of
AWL numbers exist for legit senders.  As I understand it, if an email
comes in from a known sender who was averaging 0.8 and this email scores
3.0, a negative AWL will be applied to normalize the email closer to 0.8,
right? The AWL score is not 0.8, but 3.0 - (AWL value)?


Maybe it makes sense to only do this check if the message has at  
least scored positive?


Again, a significant proportion of ham gets a few points.

So yes, if b...@example.com has never emailed me except for a bunch  
of spam, then yeah, the message is going to get bumped up in its  
score, but how often does that happen?  Does that ever happen?


Happens for me all the time. I get dictionary spam with a random  
client's address as sender, and then I get an inquiry from the  
client about all these 'bounces' they are receiving. Naturally, they  
quote the bounce, which includes some spam sign, and the client is  
off to a good start with a moderately spammy mail to me. (smile)


But bob could also e-mail you three or four times, getting a small
positive score, then you get spammed "from Bob" with high scores from a
botnet (and I usually get several copies of a spam like that), and the
next time bob e-mails, he gets logic 2.a.ii applied above for each and
every AWL for his address. Could be hefty


Er.. ok.  Perhaps I am misunderstanding the AWL.  As I understand it, if
a bunch of spam comes in from a server with average scores of 7.0 and a
new message comes in with a score of 4, it will have a POSITIVE AWL
applied to normalize at 7.0.  If a message comes from a known sender with
an average score of 2, and this email scores 4, it will get a NEGATIVE
AWL score to normalize closer to 2.0, right?  Since this is a negative
AWL 2.a.ii would not apply because the AWL is negative, so section 2 is
skipped entirely and we are at 3. AWL is negative => {crickets}.


Also, let's say b...@example.com sends a message after a bunch of spams
have been sent, and say that message scores -1.0, plus an AWL adjustment
of 5.0 based on the above.


I'm sure there are some people who *would* 'fit your model' and have  
negative scores on t
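An added Python model (not code from the thread or from SpamAssassin) of the arithmetic argued over above: a minimal AWL that pulls a score toward the sender/host pair's historical mean by SpamAssassin's default auto_whitelist_factor of 0.5, plus the 'anti' AWL steps 2.a.i-iii and c exactly as LuKreme laid them out, run through Charles Gregory's ten-spoofed-IPs case. Assumed here: a 5.0 cap for step c, exactly 5.0 counted as step iii, and constructed addresses and IPs.

```python
AUTO_WHITELIST_FACTOR = 0.5   # SpamAssassin's default auto_whitelist_factor


class AutoWhitelist:
    """Minimal model of SpamAssassin's AWL: per (sender address, /16 of the
    sending IP) it keeps a running total and count, and the adjustment
    pulls a new score toward that historical mean."""

    def __init__(self):
        self.db = {}   # (address, network) -> [total_score, count]

    @staticmethod
    def network(ip):
        # AWL keys IPv4 senders on the first two octets of the address.
        return ".".join(ip.split(".")[:2])

    def mean(self, addr, ip):
        entry = self.db.get((addr, self.network(ip)))
        return None if entry is None else entry[0] / entry[1]

    def adjustment(self, addr, ip, score):
        """Standard AWL: (mean - score) * factor, 0 for an unseen pair.
        This is the 'normalize closer to the average' LuKreme describes."""
        mean = self.mean(addr, ip)
        return 0.0 if mean is None else (mean - score) * AUTO_WHITELIST_FACTOR

    def record(self, addr, ip, score):
        entry = self.db.setdefault((addr, self.network(ip)), [0.0, 0])
        entry[0] += score
        entry[1] += 1


def anti_awl(awl, addr, ip, threshold=5.0):
    """The 'anti' AWL adjustment as laid out in the thread.
    Step 3: the sender/host pair's own AWL mean is negative -> nothing.
    Step 2: otherwise, for every OTHER host seen with the same address:
      i   negative mean      -> add mean * -0.2
      ii  positive, under 5  -> add mean * 0.1
      iii positive, over 5   -> add mean * 0.4  (assumption: exactly 5.0 is iii)
    Step c: cap the total at the threshold (assumption: 5.0)."""
    own = awl.mean(addr, ip)
    if own is not None and own < 0:
        return 0.0
    total = 0.0
    for (entry_addr, net), (total_score, count) in awl.db.items():
        if entry_addr != addr or net == awl.network(ip):
            continue
        mean = total_score / count
        if mean < 0:
            total += mean * -0.2
        elif mean < 5.0:
            total += mean * 0.1
        else:
            total += mean * 0.4
    return min(total, threshold)


def run_scenario():
    """Charles Gregory's case: Bob mails three times with small positive
    scores, a botnet then spoofs Bob from ten different networks scoring 9.0,
    and Bob mails again scoring 1.2. Constructed addresses and IPs."""
    awl = AutoWhitelist()
    bob = "bob@example.invalid"
    home = "192.0.2.10"
    for score in (0.5, 1.0, 0.9):          # Bob's own history, mean 0.8
        awl.record(bob, home, score)
    for i in range(10):                    # ten spoofed copies, ten /16s
        awl.record(bob, f"10.{i}.0.1", 9.0)
    legit_score = 1.2
    standard = awl.adjustment(bob, home, legit_score)   # (0.8 - 1.2) * 0.5
    anti = anti_awl(awl, bob, home)        # 10 * (9.0 * 0.4) = 36, capped
    return {
        "bob_standard": standard,                       # about -0.2
        "bob_anti": anti,                               # 5.0
        "bob_total": legit_score + standard + anti,     # about 6.0: Bob is now spam
        "spoof_anti": anti_awl(awl, bob, "10.20.0.1"),  # 5.0: the spam too
    }
```

The numbers show Charles's point: once ten spoofed entries exist, step 2 adds the full cap to Bob's legitimate mail as readily as to the next spoof, and the standard AWL pull of -0.2 does not offset it.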

Bombed by PNG spam and spamassassin say its HAM

2009-04-30 Thread Michelle Konzack
Hello Geeks,

I get since some days over 43 (yes four hundred thirty thousand)  PNG
spams of around 14-16 kByte and spamassassin tags them all as ham.

This becomes now annoying because they are actually over  6 GByte  and  I
can catch them only in a procmail recipe when it is too late to reject.

OK, maybe I should use the "localmailfilter" function  in  courier,  but
currently I have no experience with it.

Does someone know HOW to reject this crap effectively?

Note:   I get the same crap over the Debian BTS (around 1200 messages
a day and unfortunately the BTS-Owner does not respond)

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack                      Apt. 917
                                      50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC #Debian (irc.icq.com)             Tel. DE: +49 177 9351947
ICQ #328449886                        Tel. FR: +33  6  61925193




Re: Almost no score

2009-04-30 Thread Evan Platt

At 11:31 AM 4/30/2009, you wrote:


But digital cameras generally produce jpg, not png. Yes?


Yep. Exactly the point I made. TIF, JPG or ORF or RAW. 



Re: 'anti' AWL

2009-04-30 Thread mouss
RW wrote:
> On Wed, 29 Apr 2009 20:49:29 +0200
> mouss  wrote:
> 
> 
>> on the other hand, a spammer can forge Received headers. and this is a
>> serious problem. Using "untrusted" received headers is broken.
> 
> The point of AWL is to tweak ham scores towards the mean to avoid
> outlying high-scores causing FPs. 

The "W" in AWL is a (historical) misnomer. ARL (automatic reputation
list) is probably a better name. in short, it works in both directions.

> The AWL score arithmetic doesn't
> involve BAYES scores or whitelisting scores, so a spammer that
> spoofs an existing AWL entry isn't going to pickup all that much
> advantage.

if you check the archives, you'll find that sometimes, some entries in
AWL get a very significant score, enough to move the message to the
wrong class.

and since Mark named it, AWL poisoning is not hard if using untrusted
headers.

> Most spam either wouldn't be protected by spoofing an
> entry, or scores low-enough without it. And spammers don't know
> much about your AWL database in the first place.
> 

while it's not trivial, the risk is here. and I personally don't feel
comfortable. maybe someone can do a better assessment and qualify the
real risk. but I don't see the benefit of using an untrusted header.
yes, I understand the issue with large *SPs but this can be fixed, and I
believe it should be anyway: currently the trust path parsing is
(almost) binary. it could be either extended (by adding more layers than
internal and trusted) or made "dynamic" (adding code that handles
different situations).

> [snip]



Re: trying to score based on image name and image size

2009-04-30 Thread aixenv

aha i fixed it with the following:

# rule to block annoying viagra spam with scraped text based off image size, 
# name and having other rule hits
# 4/30/09 8:45AM
body __ZL_PNG_240_400 eval:image_size_exact('png',240,400)
body __ZL_CAM eval:image_name_regex('/^DS[CL]\d{4}\.png$/')
meta ZL_VIAGRAIMG (HTML_MESSAGE && __ZL_CAM && __ZL_PNG_240_400)
describe ZL_VIAGRAIMG Includes 240x400 viagra png image
score ZL_VIAGRAIMG 2.0

i also set in the v310.pre

loadplugin SareImageInfo SareImageInfo.pm

and I also changed the package line for the Sare ImageInfo plugin

(found here: http://www.rulesemporium.com/plugins.htm#imageinfo)

so it wouldn't conflict with the SA version of ImageInfo

:)

tests have it working !

2.0 ZL_VIAGRAIMG   Includes 240x400 viagra png image

based on that exact image size, that reg_ex image name and it being an html
msg 




aixenv wrote:
> 
> thanks for the reply:
> 
> from the spamassassin -D plugin --lint , i got:
> 
> [20759] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
> @INC
> 
> running -D imageinfo against the msg i get:
> 
> mx1:~/spam# cat spam6 |spamassassin -D imageinfo
> [21510] dbg: imageinfo: png image DSC5051.png is 240 x 400 pixels (96000
> pixels sq.)
> [21510] dbg: imageinfo: image name DSC5051.png found
> [21510] dbg: imageinfo: adding 240x400 to dems_all
> [21510] dbg: imageinfo: image ratio=0.0353, min=0.000
> max=0.008
> [21510] dbg: imageinfo: image ratio=0.05692708, min=0.000
> max=0.015
> 
> 
> ahh it reads it as 240x400 and my rule has 400x240, i bet that's the
> issue. let me retry the rule as 240x400
> 
> 
> 
> 
> 
> Theo Van Dinter-2 wrote:
>> 
>> There could be various reasons ranging from "plugin isn't loaded"
>> (though you'd get an error w/ the rules then) to "image isn't exactly
>> that size", to "plugin can't determine width+height from image", to
>> ...
>> 
>> Assuming the plugin is loaded ("spamassassin -D plugin --lint" would
>> tell you), and you've verified that the size is what you think it is
>> using some method ...   For option 3, run the message through
>> "spamassassin -D imageinfo" and see what it spits out.  If you don't
>> see something like:
>> 
>> imageinfo: png image FOO.PNG is 400 x 240 pixels (96000 pixels sq.)
>> 
>> Then it didn't figure out the height + width.  If it does output that,
>> compare the height and width to what you expected.
>> 
>> 
>> On Thu, Apr 30, 2009 at 1:57 PM, aixenv  wrote:
>>>
>>> I notice there's a:
>>>
>>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# ls -lah ImageInfo.pm
>>> -rw-r--r-- 1 root root 11K Aug  8  2007 ImageInfo.pm
>>>
>>> and within that there's two subs 'image_named' and 'image_size_exact'
>>>
>>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
>>> image_named
>>>  $self->register_eval_rule ("image_named");
>>> sub image_named {
>>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
>>> exact
>>>  $self->register_eval_rule ("image_size_exact");
>>> sub image_size_exact {
>>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin#
>>>
>>> I am trying the following rule and it is not scoring, what am i
>>> missing?:
>>>
>>> (this rule is in my local.cf)
>>>
>>> # rule to block annoying viagra spam with scraped text based off image
>>> size,
>>> # name and having other rule hits
>>> # 4/30/09 8:45AM
>>> body __ZL_PNG_400_240 eval:image_size_exact('png',400,240)
>>> body __ZL_CAM eval:image_named('/^DS[CL]\d{4}\.png$/')
>>> meta ZL_VIAGRAIMG HTML_MESSAGE && __ZL_CAM && __ZL_PNG_400_240
>>> describe ZL_VIAGRAIMG Includes 400x240 viagra png image
>>> score ZL_VIAGRAIMG 1.00
>>>
>>> any help is appreciated thanks
>>>
>>> aixenv
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23321365.html
>>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>>>
>>>
>> 
>> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23322593.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
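An added, self-contained Python example (not from the thread and not SpamAssassin's ImageInfo plugin) that does outside SA what the rules above and Bob Proulx's earlier question ask for: it parses a constructed MIME message, reads each PNG's width and height from the IHDR chunk, matches the DS[CL]dddd.png name, mirrors the ZL_VIAGRAIMG meta rule, and flags messages whose only content is an image. The message, image bytes and addresses are constructed here.

```python
import email
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage

# Same pattern as the __ZL_CAM rule in the post, as a Python regex.
IMAGE_NAME_RE = re.compile(r"^DS[CL]\d{4}\.png$")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Return (width, height) from a PNG's IHDR chunk, or None if the bytes
    are not a PNG. Width comes first, which is why the post's 400x240 rule
    never fired on an image ImageInfo reported as 240 x 400."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    return struct.unpack(">II", data[16:24])


def make_png(width, height):
    """Constructed sample: signature + IHDR + IEND only, enough for the
    dimension check above but not a renderable image."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


def build_sample(width=240, height=400, name="DSC5051.png", text=""):
    """Constructed message shaped like the reported spam: an HTML body that
    only references an inline PNG. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    msg.add_alternative('<html><body><img src="cid:img1"></body></html>',
                        subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(make_png(width, height), maintype="image",
                          subtype="png", filename=name, cid="<img1>")
    return msg.as_bytes()


def analyse_message(raw):
    """Walk the MIME tree and collect what the rules need: whether any part
    carries real text, whether there is an HTML part, and each image's
    file name and PNG dimensions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    info = {"has_text": False, "html": False, "images": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            info["has_text"] |= bool(part.get_content().strip())
        elif ctype == "text/html":
            info["html"] = True
            # An HTML body that is nothing but an <img> tag is not text.
            stripped = re.sub(r"<[^>]*>", "", part.get_content())
            info["has_text"] |= bool(stripped.strip())
        elif ctype.startswith("image/"):
            data = part.get_payload(decode=True)
            info["images"].append((part.get_filename() or "", png_dimensions(data)))
    return info


def zl_viagraimg(info):
    """Mirror of the post's meta rule:
    HTML_MESSAGE && __ZL_CAM && __ZL_PNG_240_400."""
    cam = any(IMAGE_NAME_RE.match(name) for name, _ in info["images"])
    size = any(dims == (240, 400) for _, dims in info["images"])
    return info["html"] and cam and size


def image_only(info):
    """Bob Proulx's wish: at least one image part and no text content at all.
    A screenshot pasted into an otherwise empty mail trips this too, which
    is the false positive Dave Funk describes."""
    return bool(info["images"]) and not info["has_text"]
```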



Re: trying to score based on image name and image size

2009-04-30 Thread aixenv

thanks for the reply:

from the spamassassin -D plugin --lint , i got:

[20759] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC

running -D imageinfo against the msg i get:

mx1:~/spam# cat spam6 |spamassassin -D imageinfo
[21510] dbg: imageinfo: png image DSC5051.png is 240 x 400 pixels (96000
pixels sq.)
[21510] dbg: imageinfo: image name DSC5051.png found
[21510] dbg: imageinfo: adding 240x400 to dems_all
[21510] dbg: imageinfo: image ratio=0.0353, min=0.000 max=0.008
[21510] dbg: imageinfo: image ratio=0.05692708, min=0.000 max=0.015


ahh it reads it as 240x400 and my rule has 400x240, i bet that's the issue.
let me retry the rule as 240x400





Theo Van Dinter-2 wrote:
> 
> There could be various reasons ranging from "plugin isn't loaded"
> (though you'd get an error w/ the rules then) to "image isn't exactly
> that size", to "plugin can't determine width+height from image", to
> ...
> 
> Assuming the plugin is loaded ("spamassassin -D plugin --lint" would
> tell you), and you've verified that the size is what you think it is
> using some method ...   For option 3, run the message through
> "spamassassin -D imageinfo" and see what it spits out.  If you don't
> see something like:
> 
> imageinfo: png image FOO.PNG is 400 x 240 pixels (96000 pixels sq.)
> 
> Then it didn't figure out the height + width.  If it does output that,
> compare the height and width to what you expected.
> 
> 
> On Thu, Apr 30, 2009 at 1:57 PM, aixenv  wrote:
>>
>> I notice there's a:
>>
>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# ls -lah ImageInfo.pm
>> -rw-r--r-- 1 root root 11K Aug  8  2007 ImageInfo.pm
>>
>> and within that there's two subs 'image_named' and 'image_size_exact'
>>
>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
>> image_named
>>  $self->register_eval_rule ("image_named");
>> sub image_named {
>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
>> exact
>>  $self->register_eval_rule ("image_size_exact");
>> sub image_size_exact {
>> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin#
>>
>> I am trying the following rule and it is not scoring, what am i missing?:
>>
>> (this rule is in my local.cf)
>>
>> # rule to block annoying viagra spam with scraped text based off image
>> size,
>> # name and having other rule hits
>> # 4/30/09 8:45AM
>> body __ZL_PNG_400_240 eval:image_size_exact('png',400,240)
>> body __ZL_CAM eval:image_named('/^DS[CL]\d{4}\.png$/')
>> meta ZL_VIAGRAIMG HTML_MESSAGE && __ZL_CAM && __ZL_PNG_400_240
>> describe ZL_VIAGRAIMG Includes 400x240 viagra png image
>> score ZL_VIAGRAIMG 1.00
>>
>> any help is appreciated thanks
>>
>> aixenv
>>
>> --
>> View this message in context:
>> http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23321365.html
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: 
http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23322575.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: trying to score based on image name and image size

2009-04-30 Thread Theo Van Dinter
There could be various reasons ranging from "plugin isn't loaded"
(though you'd get an error w/ the rules then) to "image isn't exactly
that size", to "plugin can't determine width+height from image", to
...

Assuming the plugin is loaded ("spamassassin -D plugin --lint" would
tell you), and you've verified that the size is what you think it is
using some method ...   For option 3, run the message through
"spamassassin -D imageinfo" and see what it spits out.  If you don't
see something like:

imageinfo: png image FOO.PNG is 400 x 240 pixels (96000 pixels sq.)

Then it didn't figure out the height + width.  If it does output that,
compare the height and width to what you expected.


On Thu, Apr 30, 2009 at 1:57 PM, aixenv  wrote:
>
> I notice there's a:
>
> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# ls -lah ImageInfo.pm
> -rw-r--r-- 1 root root 11K Aug  8  2007 ImageInfo.pm
>
> and within that there's two subs 'image_named' and 'image_size_exact'
>
> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
> image_named
>  $self->register_eval_rule ("image_named");
> sub image_named {
> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep exact
>  $self->register_eval_rule ("image_size_exact");
> sub image_size_exact {
> mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin#
>
> I am trying the following rule and it is not scoring, what am i missing?:
>
> (this rule is in my local.cf)
>
> # rule to block annoying viagra spam with scraped text based off image size,
> # name and having other rule hits
> # 4/30/09 8:45AM
> body __ZL_PNG_400_240 eval:image_size_exact('png',400,240)
> body __ZL_CAM eval:image_named('/^DS[CL]\d{4}\.png$/')
> meta ZL_VIAGRAIMG HTML_MESSAGE && __ZL_CAM && __ZL_PNG_400_240
> describe ZL_VIAGRAIMG Includes 400x240 viagra png image
> score ZL_VIAGRAIMG 1.00
>
> any help is appreciated thanks
>
> aixenv
>
> --
> View this message in context: 
> http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23321365.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>


Re: Almost no score

2009-04-30 Thread Charles Gregory

On Thu, 30 Apr 2009, LuKreme wrote:

mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
I'd be very careful with that rule (or any related).  This file name 
pattern is a quite standard pattern for pictures from digital cameras.


But digital cameras generally produce jpg, not png. Yes?

- C


Personal SPF

2009-04-30 Thread Charles Gregory

Hello!

Wild idea time: I won't be surprised if this is shot down...

Proposal: "Personal SPF" - A DNS-based lookup system to allow individual 
senders of e-mail to publish a *personal* SPF record within the context 
of their domain's SPF records, that would identify an IP or range of IPs 
which they would be 'stating' are the only possible sources of their mail.


Why 'personal'? Because I run an ISP where users *may* send their mail 
via any number of DSL connections, so I can't publish 'positive' SPF 
records for our whole domain. But if I could have members opt in to a 
'personal' registry, and have spamassassin check for 
'1.1.1.1.address.personalspf.domain.tld' and treat it like an SPF lookup, 
then a lot of people who currently do not enjoy SPF protection could 'sign 
up' and help clear the iway of junk. :)


A sender could 'opt-in' with a range of addresses, or, if the sender does 
not choose one, they get a 'neutral' result. Totally non-existent 
addresses would get a special response to distinguish the result from 
simple 'host not found' responses, and thus this Personal SPF could also 
serve as a more efficient mechanism for sender existence verification.


Such a mechanism would enjoy the benefits of DNS caching, and avoid the 
problematic aspects of sender 'callback' SMTP verification, which, the 
more I read, the less I like. :(


Obviously there would be 'details' to work out, but fundamentally, the 
question is, would the same mechanism that handles SPF be able to handle 
the additional 'load' of personal SPF? Or would this be a bigger burden 
than SMTP callbacks?


- Charles


RE: Almost no score

2009-04-30 Thread Jean-Paul Natola

On 30-Apr-2009, at 09:53, Jean-Paul Natola wrote:
> Where did you get the KB_RATWARE rules from?


Karsten Bräkelmann (guent...@rudersport.de)

>> You can find KB_RATWARE_BOUNDARY in my sandbox, where it's still  
>> badly
>> named KB_RATWARE_OUTLOOK_08. I need to rename it and get rid of the
>> other testing variants with varying fuzziness eventually...
>>
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf?view=markup

Best new rules I've added to my SA install in... ages.

-- 

Have the scoring methods changed in SA? I noticed in your rules there are no
scores.

Previously  in my 
/usr/local/etc/mail/spamassassin  directory  all the rules (.cf files)  had 
Body 
Describe
Score

Now that Im looking at your rules as well as the rules  in 

/var/db/spamassassin/3.002005/updates_spamassassin_org.cf

None seem to have scores in them- 

Are the rules in 
/usr/local/etc/mail/spamassassin still used in 3.2.5




trying to score based on image name and image size

2009-04-30 Thread aixenv

I notice there's a:

mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# ls -lah ImageInfo.pm 
-rw-r--r-- 1 root root 11K Aug  8  2007 ImageInfo.pm

and within that there's two subs 'image_named' and 'image_size_exact'

mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep
image_named
  $self->register_eval_rule ("image_named");
sub image_named {
mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# cat ImageInfo.pm |grep exact
  $self->register_eval_rule ("image_size_exact");
sub image_size_exact {
mx1:/usr/share/perl5/Mail/SpamAssassin/Plugin# 

I am trying the following rule and it is not scoring, what am i missing?:

(this rule is in my local.cf)

# rule to block annoying viagra spam with scraped text based off image size, 
# name and having other rule hits
# 4/30/09 8:45AM
body __ZL_PNG_400_240 eval:image_size_exact('png',400,240)
body __ZL_CAM eval:image_named('/^DS[CL]\d{4}\.png$/')
meta ZL_VIAGRAIMG HTML_MESSAGE && __ZL_CAM && __ZL_PNG_400_240
describe ZL_VIAGRAIMG Includes 400x240 viagra png image
score ZL_VIAGRAIMG 1.00

Any help is appreciated, thanks.

aixenv

-- 
View this message in context: 
http://www.nabble.com/trying-to-score-based-on-image-name-and-image-size-tp23321365p23321365.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
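
Two details of the ImageInfo plugin's interface in 3.2.x (documented in
perldoc Mail::SpamAssassin::Plugin::ImageInfo) explain why the rule above
never fires: image_named() takes a literal file name and looks it up
exactly, so the quoted regex is compared character for character against
the names in the message, and image_size_exact() takes its arguments as
(type, height, width), height first. The rules below are an added example,
not the poster's configuration. They assume the spam image is 400 pixels
wide and 240 high (if it is 240 wide, keep the original argument order) and
take the file-name pattern from the mimeheader rule used elsewhere in this
digest, since 3.2.x has no regex variant of image_named().

```conf
# Added example, not the poster's original rule.  Needs the ImageInfo and
# MIMEHeader plugins loaded (both via loadplugin lines in v320.pre) and a
# lint-clean config: run `spamassassin --lint` after editing.

# image_size_exact(<type>,<height>,<width>): height comes first.
# Assumed: the image is 400 pixels wide by 240 high.
body        __ZL_PNG_400_240  eval:image_size_exact('png',240,400)

# image_named() in 3.2.x is an exact file-name match, not a regex, so the
# camera-style name is matched from the MIME part header instead.
mimeheader  __ZL_CAM          Content-Type =~ /name="DS[CL]\d{4}\.png"/i

# Neither sub-rule scores on its own; only the combination does.
meta        ZL_VIAGRAIMG      HTML_MESSAGE && __ZL_CAM && __ZL_PNG_400_240
describe    ZL_VIAGRAIMG      Camera-named 400x240 PNG in an HTML message
score       ZL_VIAGRAIMG      1.0
```

Test it against a saved sample with `spamassassin -t < sample.eml` and look
for the two sub-rule names in the report to see which half is failing. The
file-name pattern by itself is weak evidence, as several replies in this
digest point out; the size check and the meta rule are what keep false
positives down.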



Re: 'anti' AWL

2009-04-30 Thread Charles Gregory

On Thu, 30 Apr 2009, LuKreme wrote:
First off, I suppose that if you get real mail from someone who has only 
ever been seen as a spam sender, then yes, the first mail would be 
penalized.  But is this ever the case?


(nod) Any time someone's address has been used as a spoofed sender before 
that legitimate sender makes first contact with a new correspondent. But 
as I understand your logic, there is no 'rule' to distinguish the 'first' 
AWL entry as 'special' from all the rest... just that 'others' exist...



Let's lay out the logic here:
2 AWL is positive or does not exist
 a Check for other AWL entries using same address but different hosts.
   i   If there is an AWL with a negative score, then multiply by -0.2 and
   add to score


So any AWL with a negative score still helps the new mail be negative?
The sender's legit mail helps new spam?


   ii  If there is an AWL with a positive score, under 5.0, then multiply by
   0.1 and add
   iii If there is an AWL with a positive score over 5.0, then multiply it
   by 0.4 and add


So in the unlikely event that spam (from a different server) precedes 
legitimate mail, the legit sender gets a positive adjustment before 
they have a chance to score negative...


Note that this logic will also be problematic when sender has multiple 
mail servers. Many senders get a few points positive...



 c if total amount added is over some threshold, normalize on that threshold
 (3 points? 5? 8?)


Now let's presume that the sender is spoofed by spammers on ten different
IP's, producing ten different AWL entries. How will you distinguish the 
legit sender's IP (except by hoping they have scored negative?)... You 
will simply add up ALL the IP AWL's and score *any* mail from the sender

with a significant positive adjustment


3 AWL is negative
 { crickets }


But how often does that really happen? As I said, most people get a *few* 
points on legit mail. The idea being that an average score of 0.8 will 
'average' with a fluke spammy mail and keep the score lower But your 
way is adding those small scores to essentially ALL mail unless the lucky 
sender never mentioned viag ooops. There goes *my* score LOL


Maybe it makes sense to only do this check if the message has at least 
scored positive?


Again, a significant proportion of ham gets a few points.

So yes, if b...@example.com has never emailed me except for a bunch of 
spam, then yeah, the message is going to get bumped up in its score, but 
how often does that happen?  Does that ever happen?


Happens for me all the time. I get dictionary spam with a random client's 
address as sender, and then I get an inquiry from the client about all 
these 'bounces' they are receiving. Naturally, they quote the bounce, 
which includes some spam sign, and the client is off to a good start with a 
moderately spammy mail to me. (smile)


But bob could also e-mail you three or four times, getting a small 
positive score, then you get spammed "from Bob" with high scores from a 
botnet (and I usually get several copies of a spam like that), and the 
next time Bob e-mails, he gets logic 2.a.ii applied above for each and 
every AWL for his address. Could be hefty


Also, lets say b...@example.com sends a message after a bunch of spams 
have been sent, and say that message scores -1.0, plus an AWL adjustment 
of 5.0 based on the above.


I'm sure there are some people who *would* 'fit your model' and have 
negative scores on their legit mail and not be hurt by the proposed rule.

But there would be too many with positive scores that would be hurt

The point is (as it seems to me) that people who send mail from 
'accou...@bankofamerica.com' from their botnets will very quickly scale up 
the AWL modification to the maximal threshold.


And the people who get legit mail from bank of america will also very 
quickly scale up - I doubt BoA mail scores negative. :)


This all assumes that the server that is checked is the last non-local 
server (that is, the first one listed in the headers in typical order)


Which, for any yahoo mailing list will be a different server many times.
And so if your yahoo list scores slightly positive, all those different 
yahoo servers will all add to the score. Ditto hotmail, gmail, etc.


I can see what you *want* to do. I just don't see a practical way to do 
it.


Though I'm toying with a few ideas... I'll start a separate thread.

Thanks.

- Charles


Re: my emailBL is live!

2009-04-30 Thread Adam Katz
Jeff Moss wrote:
> The chance of a collision really is much smaller than I thought, even
> including the birthday paradox.  But rather than just say it's small and
> ask you to take my word for it I'm providing a link.  The Wikipedia page
> for Birthday Attack has a chart that shows the probability of collision
> for hashes of various lengths.
> 
> http://en.wikipedia.org/wiki/Birthday_attack

Well nuts.  Unless my estimation is wrong, my half-length MD5sum would
be 64-bit and thus the 10^-18 probability of collisions would require
a db of 190 entries rather than full-length MD5sum's 820 billion.

Unless corrected, I'll revise my algorithm this evening.


Re: [SA] 419 emailBL?

2009-04-30 Thread Adam Katz
>> And if bandwidth at the server is a problem, would publishing the ruleset
>> updates via the Coral Cache network work?
> 
> Unfortunately, no.  In fact, they kind of suck as a CDN.  We
> originally were putting updates through there and would regularly have
> issues w/ 404s, corrupt or incomplete downloads, etc.
> 
> It may have improved since the 2005 or so timeframe when we started w/
> updates, but ...  Haven't checked in a while.

Still has the same issues.  I'll be removing them from my sa-update
channels mirror files very soon.


Re: Almost no score

2009-04-30 Thread John Hardin

On Thu, 30 Apr 2009, LuKreme wrote:


Clarke's Law: Sufficiently advanced technology is indistinguishable
 from magic


somebody's corollary to Clarke's law: Any technology distinguishable 
from magic is insufficiently advanced.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say "I don't want the government to do X", do not
  automatically assume that means I don't want X to happen.
---
 8 days until the 64th anniversary of VE day


Re: Almost no score

2009-04-30 Thread John Hardin

On Thu, 30 Apr 2009, LuKreme wrote:


On 30-Apr-2009, at 09:03, John Wilcock wrote:


mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


I'd be very careful with that rule (or any related).  This file name 
pattern is a quite standard pattern for pictures from digital cameras.


I was going to say the same thing, but I'm not aware of any digital camera 
that saves to .PNG by default. It's not well suited to continuous-tone 
images. If the rule was for DSC\d+\.jpg then there would be big red flags 
waving around...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say "I don't want the government to do X", do not
  automatically assume that means I don't want X to happen.
---
 8 days until the 64th anniversary of VE day


RE: Almost no score

2009-04-30 Thread Evan Platt

At 10:02 AM 4/30/2009, Jean-Paul Natola wrote:

>I'd be very careful with that rule (or any related).  This file name
>pattern is a quite standard pattern for pictures from digital cameras.

>DSC? Yes. .PNG? None that I've seen...

Actually, png is Portable Network Graphics,
and DSC is the default file name on Sony digital cameras.


I understand that. My point was no camera I've seen uses PNG. 



RE: Almost no score

2009-04-30 Thread Jean-Paul Natola


-Original Message-
From: Evan Platt [mailto:e...@espphotography.com] 
Sent: Thursday, April 30, 2009 12:50 PM
To: users@spamassassin.apache.org
Subject: Re: Almost no score

At 09:33 AM 4/30/2009, you wrote:

>>mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
>I'd be very careful with that rule (or any related).  This file name
>pattern is a quite standard pattern for pictures from digital cameras.

>DSC? Yes. .PNG? None that I've seen... 

Actually, png is Portable Network Graphics,
and DSC is the default file name on Sony digital cameras.




Re: Almost no score

2009-04-30 Thread Evan Platt

At 09:33 AM 4/30/2009, you wrote:


mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


I'd be very careful with that rule (or any related).  This file name
pattern is a quite standard pattern for pictures from digital cameras.


DSC? Yes. .PNG? None that I've seen... 



Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 09:03, John Wilcock wrote:

Le 30/04/2009 15:23, Jean-Paul Natola a écrit :

If anyone can shed some light here , I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt



Content-Type: image/png;
name="DSC0080.png"


Over the last week or so I'd been having some success looking for  
this pattern, suggested on this list:


mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


I'd be very careful with that rule (or any related).  This file name  
pattern is a quite standard pattern for pictures from digital cameras.



--
Clarke's Law: Sufficiently advanced technology is indistinguishable
from magic



Re: Almost no score

2009-04-30 Thread Charles Gregory

On Thu, 30 Apr 2009, John Wilcock wrote:

mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

Looks like they've changed from DSL to DSC! I have a few with DSC in 
today's quarantine, but they were caught by BOTNET rules. Methinks it's 
time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe 
even [A-Z]{3}[0-9]{4}\.png


Overly general regexes run the risk of more false positives.
However, if you toss in a 'full' test for an image being
at the top of the body, that might help prevent FPs...

LOC_IMG_AT_TOP full /\n*(<[^>]>)?

Re: Almost no score

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 09:53, Jean-Paul Natola wrote:

Where did you get the KB_RATWARE rules from?



Karsten Bräkelmann (guent...@rudersport.de)

You can find KB_RATWARE_BOUNDARY in my sandbox, where it's still  
badly

named KB_RATWARE_OUTLOOK_08. I need to rename it and get rid of the
other testing variants with varying fuzziness eventually...
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf?view=markup


Best new rules I've added to my SA install in... ages.

--
No matter how fast light travels it finds the darkness has always
got there first, and is waiting for it.



Re: 'anti' AWL

2009-04-30 Thread LuKreme

On 30-Apr-2009, at 09:40, Charles Gregory wrote:

On Wed, 29 Apr 2009, LuKreme wrote:

On 29-Apr-2009, at 15:31, Charles Gregory wrote:
Apologies for original brevity, but my comment was a criticism of  
the proposal to start weighing *all* mail from a specific sender  
according to whether the IP was the 'most common' used for that  
address Essentially changing it from what you state above.
But the only way it would really penalize a legitimate sender is if  
their mail is quite spammy to begin with.


This statement is untrue in the context of the OP's suggestion to  
START weighting one server IP based upon the scores from OTHER server  
IPs. Please read the original post if this is unclear. I quoted the  
relevant portion in my critique.


I am the OP.

First off, I suppose that if you get real mail from someone who has  
only ever been seen as a spam sender, then yes, the first mail would  
be penalized.  But is this ever the case?


Let's lay out the logic here:

1 Check AWL

2 AWL is positive or does not exist
  a Check for other AWL entries using same address but different hosts.
i   If there is an AWL with a negative score, then multiply by  
-0.2 and add to score
ii  If there is an AWL with a positive score, under 5.0, then  
multiply by 0.1 and add
iii If there is an AWL with a positive score over 5.0, then  
multiply it by 0.4 and add

  b go to a
  c if total amount added is over some threshold, normalize on that  
threshold (3 points? 5? 8?)

3 AWL is negative
  { crickets }

Maybe it makes sense to only do this check if the message has at least  
scored positive?


So yes, if b...@example.com has never emailed me except for a bunch of  
spam, then yeah, the message is going to get bumped up in its score,  
but how often does that happen?  Does that ever happen?


Also, lets say b...@example.com sends a message after a bunch of spams  
have been sent, and say that message scores -1.0, plus an AWL  
adjustment of 5.0 based on the above.


Well, now b...@example.com has his own AWL entry, and it's at -1.0  
since AWL scores are not counted toward the AWL, right?


(of course -0.2 and 0.1 and 0.4 are just numbers I made up, and I'm  
not suggesting these are the appropriate numbers).


The point is (as it seems to me) that people who send mail from 'accou...@bankofamerica.com 
' from their botnets will very quickly scale up the AWL modification  
to the maximal threshold.


This all assumes that the server that is checked is the last non-local  
server (that is, the first one listed in the headers in typical order)


Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by mail.covisp.net (Postfix) with SMTP id 27D5A118B989
for ; Tue, 28 Apr 2009 11:14:30 -0600 (MDT)

140.211.11.3 should be the server checked because it is the only non- 
local server whose address I am sure of.


--
Imagine all the people
Sharing all the world
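
The numbered logic above, and the objections in Charles Gregory's reply
earlier on this page, can be run on constructed data. The block below is an
added example: it is not SpamAssassin's AWL and not the proposer's code. It
uses the proposal's own factors (-0.2, 0.1, 0.4) and an assumed 5.0 cap on
top of a minimal AWL store shaped like SpamAssassin's (per sender+IP, a
running total of scores and a message count, mean = total / count), and it
applies step 2.a.i literally, so a negative history contributes a positive
amount (-2.0 * -0.2 = +0.4 per entry). Senders, IPs and scores are all
constructed.

```python
"""Simulation of the proposed cross-IP AWL adjustment.

Added example for the 'anti' AWL thread; not SpamAssassin code and not the
proposer's.  Implements the numbered logic as posted with its made-up
factors and an assumed 5.0 cap.  All histories below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AwlEntry:
    total: float = 0.0   # sum of scores seen for this sender+IP
    count: int = 0       # number of messages seen

    @property
    def mean(self) -> float:
        return self.total / self.count if self.count else 0.0


class Awl:
    """Per-(sender, originating IP) score history, keyed like SA's AWL."""

    def __init__(self) -> None:
        self.entries = defaultdict(AwlEntry)

    def record(self, sender: str, ip: str, score: float) -> None:
        e = self.entries[(sender.lower(), ip)]
        e.total += score
        e.count += 1

    def entry(self, sender: str, ip: str) -> Optional[AwlEntry]:
        return self.entries.get((sender.lower(), ip))

    def others(self, sender: str, ip: str) -> List[AwlEntry]:
        return [e for (s, i), e in self.entries.items()
                if s == sender.lower() and i != ip]


def standard_awl_delta(awl: Awl, sender: str, ip: str, score: float,
                       factor: float = 0.5) -> float:
    """What the stock AWL does: pull this message's score toward the
    sender+IP's historical mean (auto_whitelist_factor defaults to 0.5)."""
    e = awl.entry(sender, ip)
    if e is None or e.count == 0:
        return 0.0
    return (e.mean - score) * factor


def proposed_adjustment(awl: Awl, sender: str, ip: str, cap: float = 5.0,
                        neg_factor: float = -0.2, low_factor: float = 0.1,
                        high_factor: float = 0.4) -> float:
    """Steps 2-3 of the proposal: if this sender+IP is already negative do
    nothing; otherwise add a scaled contribution from every OTHER IP seen
    for the same address and cap the total."""
    own = awl.entry(sender, ip)
    if own is not None and own.mean < 0:        # step 3: { crickets }
        return 0.0
    total = 0.0
    for e in awl.others(sender, ip):            # steps 2.a / 2.b
        m = e.mean
        if m < 0:
            total += m * neg_factor             # 2.a.i (negative * -0.2 > 0)
        elif m < 5.0:
            total += m * low_factor             # 2.a.ii
        else:
            total += m * high_factor            # 2.a.iii
    return min(total, cap)                      # step 2.c


def scenarios() -> Dict[str, float]:
    """Three constructed histories taken from the thread's own arguments."""
    awl = Awl()
    # 1. bob@example.com spoofed from ten botnet hosts, then his first real
    #    mail from 192.0.2.10: no own entry, ten spammy entries elsewhere.
    for n in range(10):
        awl.record("bob@example.com", f"198.51.100.{n}", 12.0)
    spoofed = proposed_adjustment(awl, "bob@example.com", "192.0.2.10")
    # 2. a list delivered through six outbound servers, each averaging a
    #    mildly positive 0.8 over four messages, now arriving via a seventh.
    for n in range(6):
        for _ in range(4):
            awl.record("list@example.org", f"203.0.113.{n}", 0.8)
    multi = proposed_adjustment(awl, "list@example.org", "203.0.113.99")
    # 3. a sender with a negative history on three servers, writing from a
    #    fourth: step 2.a.i as written adds a positive amount.
    for n in range(3):
        awl.record("alice@example.net", f"192.0.2.{100 + n}", -2.0)
    negative = proposed_adjustment(awl, "alice@example.net", "192.0.2.200")
    # Contrast: the stock AWL on a 6.0-point fluke from a known sender+IP
    # averaging 0.8 gives (0.8 - 6.0) * 0.5.
    stock = standard_awl_delta(awl, "list@example.org", "203.0.113.0", 6.0)
    return {"spoofed_first_contact": spoofed, "multi_server_list": multi,
            "negative_history": negative, "stock_awl_on_fluke": stock}


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:24s} {value:+.2f}")
```

Running it, the spoofed sender's first legitimate contact gets the full +5.0
cap, the six-server list gets +0.48 from the seventh server, and the
negative-history sender gets +1.2; the stock AWL's pull toward the mean is
shown for contrast. Whatever the factors, any scheme that sums over every IP
ever seen for an address hands control of that sum to whoever spoofs the
address most.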



RE: Almost no score

2009-04-30 Thread Jean-Paul Natola


-Original Message-
From: LuKreme [mailto:krem...@kreme.com] 
Sent: Thursday, April 30, 2009 10:40 AM
To: users@spamassassin.apache.org
Subject: Re: Almost no score


On 30-Apr-2009, at 07:23, Jean-Paul Natola wrote:

> Hi all,
>
> I just upgraded to 3.2.5  ran sa-update and I got this message with  
> only one
> rule tripped
>
> I'm putting a link to the message as well as the headers
>
> If anyone can shed some light here , I would appreciate it.
>
> ftp://ftp.fcimail.org/IT/SA/headers.txt

Content analysis details:   (6.6 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
  1.0 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
  2.0 KB_RATWARE_BOUNDARY    KB_RATWARE_BOUNDARY
  2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [85.75.94.188 listed in zen.spamhaus.org]
  0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
  0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS

---

Where did you get the KB_RATWARE rules from?


Re: [-4.0] Re: 'anti' AWL

2009-04-30 Thread Charles Gregory

On Wed, 29 Apr 2009, LuKreme wrote:

On 29-Apr-2009, at 15:31, Charles Gregory wrote:
Apologies for original brevity, but my comment was a criticism of the 
proposal to start weighing *all* mail from a specific sender according to 
whether the IP was the 'most common' used for that address Essentially 
changing it from what you state above.
But the only way it would really penalize a legitimate sender is if 
their mail is quite spammy to begin with.


This statement is untrue in the context of the OP's suggestion to START
weighting one server IP based upon the scores from OTHER server 
IPs. Please read the original post if this is unclear. I quoted the 
relevant portion in my critique.


- Charles


Re: Almost no score

2009-04-30 Thread John Wilcock

Le 30/04/2009 15:23, Jean-Paul Natola a écrit :

If anyone can shed some light here , I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt



Content-Type: image/png;
name="DSC0080.png"


Over the last week or so I'd been having some success looking for this 
pattern, suggested on this list:


mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

Looks like they've changed from DSL to DSC! I have a few with DSC in 
today's quarantine, but they were caught by BOTNET rules. Methinks it's 
time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe 
even [A-Z]{3}[0-9]{4}\.png


John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: sa-update and trusted_networks

2009-04-30 Thread John Hardin

On Thu, 30 Apr 2009, Matt Kettler wrote:

An errant trusted_networks isn't going to hurt sa-update, and is 
probably a cosmetic bug.


That's what I thought, I just wanted to confirm.

Thanks!

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control enables genocide while doing little to reduce crime.
---
 8 days until the 64th anniversary of VE day


Re: Almost no score

2009-04-30 Thread LuKreme


On 30-Apr-2009, at 07:23, Jean-Paul Natola wrote:


Hi all,

I just upgraded to 3.2.5, ran sa-update, and I got this message with  
only one rule tripped

I'm putting a link to the message as well as the headers

If anyone can shed some light here , I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt


Content analysis details:   (6.6 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
  1.0 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
  2.0 KB_RATWARE_BOUNDARY    KB_RATWARE_BOUNDARY
  2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [85.75.94.188 listed in zen.spamhaus.org]
  0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
  0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS


Of course, KB_RATWARE are non-standard, and it may not have been in the  
XBL/PBL yet.


--
Nothing like grilling a kosher dog over human hair to bring out the
subtle flavors.



Re: Almost no score

2009-04-30 Thread Ned Slider

Jean-Paul Natola wrote:

Hi all,

I just upgraded to 3.2.5, ran sa-update, and I got this message with only one
rule tripped

I'm putting a link to the message as well as the headers

If anyone can shed some light here , I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt

ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no%20pain%20and%20dysfunctions.htm

TIA

J



Same here other than a few hits against DNSBLs.


X-Spam-Report:
*  3.0 RCVD_IN_SBLXBL RBL: Received via a relay in Spamhaus SBL-XBL
*  [85.75.94.188 listed in sbl-xbl.spamhaus.org]
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.5014]
*  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
*  dnsbl-2.uceprotect.net
*  [85.75.94.188 listed in dnsbl-2.uceprotect.net]
*  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
*  dnsbl-3.uceprotect.net
*  [85.75.94.188 listed in dnsbl-3.uceprotect.net]
*  0.0 RCVD_IN_UCE_COMBINED Received via a relay in UCEProtect
*  1.0 RDNS_NONE Delivered to trusted network by a host with no 
rDNS



Obviously my scoring is a little higher than yours and I catch it but 
there's not a lot to go on.


Spamhaus catches it in 2 of its lists (PBL and XBL). I would really 
recommend implementing zen.spamhaus.org at the MTA (smtp) level as this 
will block much of this junk before it ever gets near SA.




Almost no score

2009-04-30 Thread Jean-Paul Natola
Hi all,

I just upgraded to 3.2.5, ran sa-update, and I got this message with only one
rule tripped

I'm putting a link to the message as well as the headers

If anyone can shed some light here , I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt

ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no%20pain%20and%20dysfunctions.htm

TIA

J

 



RE: my emailBL is live!

2009-04-30 Thread Jeff Moss
Rob McEwen wrote:

>>> A word of caution.  Be very careful how you use the list.
>>
>> OK. I was wrong. Due to this discussion, I'm convinced that MD5 of the
>> whole (lower case!) e-mail address is best, with the entire e-mail
>> address still showing up in plain text in the DNS txt record.
>>
>> But I have some questions:
>>
>> (1) is MD5 of the entire address reasonably safe from collisions.
>> (consider the 'birthday paradox' before being too quick to answer)
>
>Yes. The chance of a collision is ridiculously small. Not worth worrying
>about.

The chance of a collision really is much smaller than I thought, even including 
the birthday paradox.  But rather than just say it's small and ask you to take 
my word for it I'm providing a link.  The Wikipedia page for Birthday Attack 
has a chart that shows the probability of collision for hashes of various 
lengths.

http://en.wikipedia.org/wiki/Birthday_attack

  Jeff Moss
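
The question Jeff raises here, and the 64-bit versus 128-bit figures Adam
Katz gives in his reply earlier on this page, come down to one formula: the
probability that two of k uniformly random n-bit keys coincide is
1 - exp(-k(k-1)/2^(n+1)), which for small probabilities inverts to
k = sqrt(2 * 2^n * p). The block below is an added example, not code from
the emailBL project or from anyone in the thread. It derives the key the
way the thread describes (lower-cased address, MD5, optionally truncated to
the leading 64 bits) and computes how many entries a list can hold before
the accidental-collision probability reaches a chosen p. Running it gives
about 6 entries for a 64-bit key and 2.6e10 for 128 bits at p = 1e-18, and
about 190 and 8.2e11 at p = 1e-15.

```python
"""Birthday-bound check for a hash-keyed e-mail blocklist.

Added example for the emailBL discussion; not code from the emailBL project
or from anyone in the thread.  Key derivation follows the thread (MD5 of the
lower-cased address); the truncation to 64 bits is the 'half-length' variant
under discussion.
"""
import hashlib
import math


def emailbl_key(address: str, hash_bits: int = 128) -> str:
    """Lower-case the whole address, MD5 it, keep the leading hash_bits
    bits as hex digits.  hash_bits=64 is the half-length MD5 variant."""
    if hash_bits % 4 or not 0 < hash_bits <= 128:
        raise ValueError("hash_bits must be a multiple of 4 between 4 and 128")
    digest = hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()
    return digest[: hash_bits // 4]


def collision_probability(n_entries: int, hash_bits: int) -> float:
    """Probability that at least two of n_entries uniformly distributed
    hash_bits-bit keys coincide: 1 - exp(-k(k-1) / 2N) with N = 2**hash_bits.
    math.expm1 keeps the result accurate when it is around 1e-18."""
    if n_entries < 2:
        return 0.0
    space = 2.0 ** hash_bits
    return -math.expm1(-n_entries * (n_entries - 1) / (2.0 * space))


def entries_for_probability(p: float, hash_bits: int) -> int:
    """Largest list size whose accidental-collision probability stays <= p.
    Start from the inverse of the small-p approximation p ~ k^2 / 2N, then
    step by whole entries against the exact expression."""
    k = int(math.sqrt(2.0 * 2.0 ** hash_bits * p))
    while collision_probability(k + 1, hash_bits) <= p:
        k += 1
    while k > 1 and collision_probability(k, hash_bits) > p:
        k -= 1
    return k


if __name__ == "__main__":
    for bits in (64, 128):
        for p in (1e-18, 1e-15):
            print(f"{bits:3d}-bit key, p={p:.0e}: "
                  f"{entries_for_probability(p, bits):.3g} entries")
    # Constructed sample: case and surrounding whitespace map to one key.
    print(emailbl_key(" Bob@Example.COM ", 64), emailbl_key("bob@example.com", 64))
```

The birthday figure only covers accidental collisions among the list's own
entries. It says nothing about an adversary who deliberately looks for an
address that hashes to a victim's key; for a 64-bit truncation that is a
search of about 2^64 MD5 evaluations, for 32 bits a trivial one, which is
the other half of the "be careful how you use the list" caution quoted above.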





Re: Code Rot?

2009-04-30 Thread Justin Mason
cool.  good to hear it guys ;)  I'll get this rigged up soon... right now I'm on
jury service :(

--j.

On Tue, Apr 28, 2009 at 16:29, John Hardin  wrote:
> On Tue, 28 Apr 2009, Matt wrote:
>
>> Steve Freegard wrote:
>>>
>>>  Is it possible to get SVN access just to the sandboxes though? I'd be
>>>  happy to submit rules for testing.
>>
>> Ditto
>>
>
> +1
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows Genuine Advantage (WGA) means that now you use your
>  computer at the sufferance of Microsoft Corporation. They can
>  kill it remotely without your consent at any time for any reason;
>  it also shuts down in sympathy when the servers at Microsoft crash.
> ---
>  10 days until the 64th anniversary of VE day
>
>