Checking FROM FIELD for Keywords

2010-10-14 Thread wvpTV

We've seen a recent explosion in spam that SpamAssassin does not flag, it
seems mainly because the FROM (sender) field is being used for subject
content, eg: VIAGRA, PORN etc etc

Can anyone tell me how far off a standard filter update might be to carry
out checks on the FROM field?

Thanks.

-- 
View this message in context: 
http://old.nabble.com/Checking-FROM-FIELD-for-Keywords-tp29962674p29962674.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Constant .info domain spam

2010-10-14 Thread Jason Bertoch

On 2:59 PM, Julian Yap wrote:

NOTE: I changed the domains below to 'dot info' as the mailing list
rejected my initial submission.

I'm pretty sure it's not just me but there is some constant spamming
from  dot info domains.  Perhaps for the past 2 months or so.

Often they send hundreds per day and consistently from the same IP's.



dot info domains hadn't crossed my radar, but I decided to look anyway 
and found that my logs agree with your notion that 99% (100%?) of dot 
info From: addresses are spam.  Roughly 75% of mine are caught at the 
door by RBL's at the MTA level.  Of the ones that get through, another 
75% score above my reject threshold.  A simple rule to bump the points 
of any dot info From: address has now pushed everything to the tag 
level, and even many of the tags to rejects.


For what it's worth, the ones making it past the RBL's in the MTA do not 
match any stock RCVD_IN_* rules.


--
/Jason





Re: Checking FROM FIELD for Keywords

2010-10-14 Thread John Hardin

On Thu, 14 Oct 2010, wvpTV wrote:

We've seen a recent explosion in spam that SpamAssassin does not flag, 
it seems mainly because the FROM (sender) field is being used for 
subject content, eg: VIAGRA, PORN etc etc


Can anyone tell me how far off a standard filter update might be to 
carry out checks on the FROM field?


There is a FROM_IN_TO_AND_SUBJ rule in my sandbox that is performing well 
in masschecks. I believe it's in the current sa-update.


http://ruleqa.spamassassin.org/20101013-r1022028-n/FROM_IN_TO_AND_SUBJ/detail?srcpath=jhardin

You might want to check your scores, though; it hasn't been around long 
enough to go through a net masscheck so some of the scores are still 
unset.


http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/scores/72_scores.cf?view=markup

If this rule isn't appropriate, could you post a spample to pastebin so I 
can get a look at the headers?


Thanks!

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People seem to have this obsession with objects and tools as being
  dangerous in and of themselves, as though a weapon will act of its
  own accord to cause harm. A weapon is just a force multiplier. It's
  *humans* that are (or are not) dangerous.
---
 64 days until TRON Legacy


Re: Checking FROM FIELD for Keywords

2010-10-14 Thread Jared Hall
Use the From:name check.  Example:

header BAD_NAME From:name =~ /(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)/i
score  BAD_NAME 5.0

Use caution, as always.  Mind your regexes.  For instance, in this
example, heaven forbid a user named Joe Viagraola sends an email, blah,
blah, blah.

Regards,

Jared Hall
General Telecom, LLC.


wvpTV wrote:
 We've seen a recent explosion in spam that SpamAssassin does not flag, it
 seems mainly because the FROM (sender) field is being used for subject
 content, eg: VIAGRA, PORN etc etc

 Can anyone tell me how far off a standard filter update might be to carry
 out checks on the FROM field?

 Thanks.

   


Re: What happened to SOUGHT rules' server?

2010-10-14 Thread Jason Bertoch

On 2010/03/16 5:03 PM, Karsten Bräckelmann wrote:

How is this messing you up?  This should not affect any of your other
channels.  The only effect is that the sought rules don't get updated.


I'm not sure how everyone else is doing it, but my script checks for
updates using --channelfile, then runs sa-compile if sa-update returns
0.  If a channel fails, sa-update returns something other than 0.  Sure,
my old rules are intact and the server continues to run normally, but
I'm not getting the benefit of updates in other channels.


This sounds like an improvement to sa-compile would be beneficial,
so as to distinguish 'some updates available' from 'none' and
'all ok, updated'. Please open a feature request.


s/compile/update/  # :)


In order to properly open a feature request, I'd like to get a better
idea where you're going with this.  It seems to me that a new exit code
from sa-update would be more appropriate than running sa-compile every
time just in case.  Maybe I misunderstand?


Yup, seems that is it. There are only all-or-nothing exit codes (0 and 4
respectively) in this scenario.



It looks like the SOUGHT server is having issues again, so Bug 6380 is 
again relevant.  Does anyone know the status of the SOUGHT server or if 
any work has been done on the bug?


https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6380

--
/Jason





Re: Checking FROM FIELD for Keywords

2010-10-14 Thread wvpTV



Jared Hall-2 wrote:
 
 Use the From:name check.  Example:
 
 header BAD_NAME From:name =~ /(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)/i
 score  BAD_NAME 5.0
 
 

Thanks Jared




which LWP::UserAgent for 3.3.1 install?

2010-10-14 Thread Diffenderfer, Randy
Looking at the 3.3.1 install, it wants (well, would like...) module 
LWP::UserAgent.

OK ... off to CPAN, but no simple LWP-UserAgent, only a bunch of 
LWP-UserAgent-whatever.  So, which one do I want?

TIA,
rnd



Solved: which LWP::UserAgent for 3.3.1 install?

2010-10-14 Thread Diffenderfer, Randy
CPAN search is my friend... it's in libwww-perl!

You get too soon old and too late smart... :-)

rnd

From: Diffenderfer, Randy
Sent: Thursday, October 14, 2010 4:24 PM
To: 'users@spamassassin.apache.org'
Subject: which LWP::UserAgent for 3.3.1 install?




Re: What happened to SOUGHT rules' server?

2010-10-14 Thread Karsten Bräckelmann
On Thu, 2010-10-14 at 12:30 -0400, Jason Bertoch wrote:
 On 2010/03/16 5:03 PM, Karsten Bräckelmann wrote:

  In order to properly open a feature request, I'd like to get a better
  idea where you're going with this.  It seems to me that a new exit code
  from sa-update would be more appropriate than running sa-compile every
  time just in case.  Maybe I misunderstand?
 
  Yup, seems that is it. There are only all-or-nothing exit codes (0 and 4
  respectively) in this scenario.
 
 It looks like the SOUGHT server is having issues again, so Bug 6380 is 
 again relevant.  Does anyone know the status of the SOUGHT server or if 

*Had* issues today, for about 10 hours +/- 2 according to my logs.
Granted, you sent this shortly before the issue was resolved. ;)

I can confirm there have been issues with a missing update tarball; the
server appeared to be responsive all the while. I also can confirm
operation is back to normal since a couple of hours ago.


 any work has been done on the bug?
 
 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6380

According to the bug, quite obviously, no one has been working on it.
Until your patch just today. Thanks!





RAZOR2 and SpamAssassin version or configuration

2010-10-14 Thread Bart Schaefer
We have a couple of mail servers running SpamAssassin.  One is stock
CentOS5 and therefore running SA 3.2.4.  The other is a test platform
running SA 3.3.1 (installed from rpmforge in case that matters).  Both
have the latest sa-update configurations for their respective
versions.

On both hosts, when I put the 3.3.1 sample-spam.txt message through
spamassassin, it reports RAZOR2_CHECK as expected.  If I run with -D,
SA3.2.4 reports that it is using razor2 version 2.82, and SA3.3.1
reports razor2 version 2.84.  Again this is as I expect.

However, I have another message received from outside, which when put
through spamassassin 3.2.4 reports a hit on RAZOR2_CHECK, but when put
through 3.3.1 it does not.  Run with -D, it does appear that the razor
server is being contacted in both cases, but I confess I haven't yet
resorted to sniffing traffic to be sure.

Where should I be looking for a configuration difference that would cause this?


Re: Checking FROM FIELD for Keywords

2010-10-14 Thread John Hardin

On Thu, 14 Oct 2010, John Hardin wrote:


On Thu, 14 Oct 2010, wvpTV wrote:


 We've seen a recent explosion in spam that SpamAssassin does not flag,
 it seems mainly because the FROM (sender) field is being used for
 subject content, eg: VIAGRA, PORN etc etc

 Can anyone tell me how far off a standard filter update might be to
 carry out checks on the FROM field?


There is a FROM_IN_TO_AND_SUBJ rule in my sandbox that is performing 
well in masschecks.


Argh. I totally misinterpreted what you're asking. Sorry for the noise!

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Our government wants to do everything it can for the children,
  except sparing them crushing tax burdens.
---
 64 days until TRON Legacy


Re: What happened to SOUGHT rules' server?

2010-10-14 Thread Jason Bertoch

 On 10/14/2010 5:30 PM, Karsten Bräckelmann wrote:

any work has been done on the bug?
  
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6380

According to the bug, quite obviously, no one has been working on it.
Until your patch just today. Thanks!


Yes, I decided this was a logic issue and probably required little 
knowledge of perl, in which I have none.  In the end, the change was 
trivial, to me at least.  We'll see what the real devs think, though.


/Jason


Re: Constant .info domain spam

2010-10-14 Thread Jason Bertoch

 On 10/14/2010 8:26 PM, Julian Yap wrote:

On Thu, Oct 14, 2010 at 4:24 AM, Jason Bertoch <ja...@i6ix.com> wrote:

On 2:59 PM, Julian Yap wrote:

NOTE: I changed the domains below to 'dot info' as the mailing list
rejected my initial submission.

I'm pretty sure it's not just me but there is some constant spamming
from  dot info domains.  Perhaps for the past 2 months or so.

Often they send hundreds per day and consistently from the same IP's.


dot info domains hadn't crossed my radar, but I decided to look anyway and
found that my logs agree with your notion that 99% (100%?) of dot info From:
addresses are spam.  Roughly 75% of mine are caught at the door by RBL's at
the MTA level.  Of the ones that get through, another 75% score above my
reject threshold.  A simple rule to bump the points of any dot info From:
address has now pushed everything to the tag level, and even many of the
tags to rejects.

For what it's worth, the ones making it past the RBL's in the MTA do not
match any stock RCVD_IN_* rules.

I think I'm going to write my own logic and block things at the MTA
level.  Implement my own local RBL based on some algorithms.




For what it's worth, the rule I'm using is:

# .info domains 99% spam (100%?)
header JB_FROM_INFO_TLD From:addr =~ /\...@*\.info$/i
describe JB_FROM_INFO_TLD From: address in .info TLD
score JB_FROM_INFO_TLD .01

Although broad rules such as this are generally discouraged, a score of 
3 has proven effective based on my mail flow.


/Jason
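Added illustration (my own Python, not code from any poster or from SpamAssassin itself): Jared's From:name keyword rule and Jason's From:addr .info rule re-implemented over a few constructed headers, so the "Joe Viagraola" false positive Jared warns about can be seen next to a word-bounded variant that avoids it. The .info regex, the BAD_NAME_WB variant and the sample addresses are my assumptions, not the posters'.

```python
import re
from email.utils import parseaddr

# Rule table in the spirit of "header RULE From:name =~ /.../i" from the
# thread. Values: (From: part to test, regex, score).
RULES = {
    # Jared's pattern as posted: "Viagra" has no trailing \b, so it also
    # matches inside a longer word such as a surname.
    "BAD_NAME": ("name", r"(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)", 5.0),
    # Tightened variant (my change): word boundary on both sides.
    "BAD_NAME_WB": ("name", r"(Penny Auctions|\bFree\b|\bCialis\b|\bViagra\b)", 5.0),
    # From:addr in the .info TLD. The regex is mine (the posted one was
    # mangled by the archive); 3.0 is the score Jason says works for him.
    "FROM_INFO_TLD": ("addr", r"@[^@\s]*\.info$", 3.0),
}

def split_from(header):
    """Split a From: header into (display name, address), the two views
    SpamAssassin exposes as From:name and From:addr."""
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    return parseaddr(value.strip())

def score_from(header, rule_names):
    """Apply the named rules to one From: header.
    Returns (total score, list of rule names that hit)."""
    name, addr = split_from(header)
    total, hits = 0.0, []
    for rule in rule_names:
        part, pattern, score = RULES[rule]
        if re.search(pattern, name if part == "name" else addr, re.I):
            total += score
            hits.append(rule)
    return total, hits

if __name__ == "__main__":
    # Constructed sample headers, not taken from the thread.
    samples = [
        'From: "VIAGRA Online Store" <promo@example.com>',
        'From: "Joe Viagraola" <joe.viagraola@example.org>',
        'From: "Penny Auctions Daily" <news@example.info>',
        'From: Alice Example <alice@example.net>',
    ]
    for ruleset in (["BAD_NAME", "FROM_INFO_TLD"], ["BAD_NAME_WB", "FROM_INFO_TLD"]):
        print("ruleset:", ", ".join(ruleset))
        for hdr in samples:
            total, hits = score_from(hdr, ruleset)
            print(f"  {total:4.1f}  {hits or '-'}  {hdr}")
```

Running it shows the posted pattern scoring the legitimate Viagraola sender at 5.0 while the word-bounded ruleset leaves it at 0.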