Re: autolearn=ham was wrong, howto retrain ?

2011-04-04 Thread Yet Another Ninja

On 2011-04-04 9:54, Andreas Schulze wrote:

> Hello
>
> I'm using spamassassin inside amavisd-new to filter mails.
>
> Today I noticed a mail with these headers:
> X-Spam-Flag: NO
> X-Spam-Score: -0.007
> X-Spam-Level:
> X-Spam-Status: No, score=-0.007 tagged_above=-999 required=5
>  tests=[HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MTX_NONE=0.001,
>  T_RP_MATCHES_RCVD=-0.01] autolearn=ham
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on andreasschulze.de
>
> How can I tell SA this was spam ?
> I would try sa-learn --spam messagefile
>
> But does this let SA really forget the previous state ham ?




http://spamassassin.apache.org/full/3.3.x/doc/sa-learn.txt

--forget  Forget a message


Re: autolearn=ham was wrong, howto retrain ?

2011-04-04 Thread Andreas Schulze
Hi,


> --forget  Forget a message

I do
 sa-learn --forget message; sa-learn --spam message
right ?


-- 
Viele Grüße

Andreas Schulze



Re: Problems with sorbs and this list Fwd: Re: What blacklists are you using at your MTA?

2011-04-04 Thread Matus UHLAR - fantomas
On 03.04.11 21:56, dar...@chaosreigns.com wrote:
> If you go through the garbage required to register to get to the contents
> of this link, you'll see that this IP hits two listings, Escalated
> entries, and DUHL entries, both of which are colored green, which it says
> means Historical Listings (inactive).  But it's still listed:
>
> $ host 171.225.210.67.dnsbl.sorbs.net
> 171.225.210.67.dnsbl.sorbs.net has address 127.0.0.10
>
> ----- Forwarded message from Jonathan Nichols jnich...@pbp.net -----
> > users@spamassassin.apache.org: host mx1.eu.apache.org[192.87.106.230]
> > said:
> 550 Dynamic IP Addresses See:
> http://www.sorbs.net/lookup.shtml?67.210.225.171 (in reply to RCPT TO
> command)
> ----- End forwarded message -----

oh... with a 300 TTL we had better not trust you that this is NOT a dynamic IP.
It's one of the things mentioned on the SORBS page...

171.225.210.67.in-addr.arpa. 300 IN PTR heap.pbp.net.

;; AUTHORITY SECTION:
225.210.67.in-addr.arpa.     300 IN NS  heap.pbp.net.

;; ADDITIONAL SECTION:
heap.pbp.net.                300 IN A   67.210.225.171

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: autolearn=ham was wrong, howto retrain ?

2011-04-04 Thread Matus UHLAR - fantomas
On 04.04.11 10:34, Andreas Schulze wrote:
> > --forget  Forget a message
>
> I do
>  sa-learn --forget message; sa-learn --spam message
> right ?

you don't need to forget the message. Learning it again will change the
values properly.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Hijacked email accounts

2011-04-04 Thread David

Hello,

I have noticed that recently almost all spam that makes it past my spam
filters comes from hijacked email accounts. Usually on services like
hotmail and yahoo (sometimes from .com, sometimes from country-specific
domains).


I wonder if perhaps a rule in spamassassin should add between 0.5 and 
1.5 to the spam rating when it comes from a free webmail service like 
hotmail and yahoo.


David


RE: Hijacked email accounts

2011-04-04 Thread Jonas
Hi David

I am seeing the same thing with my systems. Most spam that makes it past the
filters is from hacked accounts.

I'm not really sure if punishing all the innocent freemail users is the answer?
It should be relatively easy to do if you want to though.


Med venlig hilsen / Best regards
 
Jonas Akrouh Larsen
 
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
 
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:7020 0978
Web: www.techbiz.dk





Re: Hijacked email accounts

2011-04-04 Thread Benny Pedersen

> I wonder if perhaps a rule in spamassassin should add between 0.5 and
> 1.5 to the spam rating when it comes from a free webmail service like
> hotmail and yahoo.

there is already a freemail plugin

freemail_domain hotmail.com
freemail_whitelist ab...@hotmail.com
freemail_whitelist postmas...@hotmail.com

if you know somebody that really does NOT send spam from a freemail domain,
then add more freemail_whitelist entries

hotmail.com is already listed as freemail, but I just showed how to use it

I have seen this problem before, but I believe that it's not hijacked, more
that hotmail does not consider forged senders in their own network, resulting
in the recipient seeing it as an spf pass. I verified that the sender did not
send this so-called hijacked email



Re: Hijacked email accounts

2011-04-04 Thread David

Hello,

Yahoo doesn't do SPF, and hotmail is still ~all.

The emails to which I refer were sent by email accounts stolen by
viruses on computers running Windows.

The virus steals the password and sends it to the spammer, who then uses
the account to send out spam.

So the emails are coming from Hotmail and Yahoo's servers.

David


Re: Hijacked email accounts

2011-04-04 Thread Daniel McDonald
On 4/4/11 11:03 AM, David wiki.apache@spam.lublink.net wrote:

> Hello,
>
> Yahoo doesn't do SPF, and hotmail is still ~all.
>
> The emails to which I refer were sent by email accounts stolen by
> viruses on computers running Windows.
>
> The virus steals the password, and sends it to the spammer who then uses
> the account to send out spam.
>
> So the emails are coming from Hotmail and Yahoo's servers.

I've noticed most of the compromised accounts are exploited from
elsewhere.  I'm sorry if this rule is US centric, but it appears to work,
somewhat, for me:

header   RELAY_NOT_US     X-Relay-Countries =~ /\b(?!US\b)[A-Z]{2}\b/
# As posted, the pattern was /\b[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}\b/: leaving S
# and U out of the class also skips every code that contains those letters
# (SE, ES, UA, AU, ...). The negative lookahead excludes only US itself.
describe RELAY_NOT_US     Relayed through any country other than the US
score    RELAY_NOT_US     0.01

meta     AE_FOREIGN_FREE  FREEMAIL_FROM && RELAY_NOT_US
describe AE_FOREIGN_FREE  Freemail that originated somewhere other than the US
score    AE_FOREIGN_FREE  0.5


I also find this to be pretty useful in cleaning out the hacked mail...

meta     AE_SHORT_FREE    FREEMAIL_FROM && (URIBL_DBL_SHORT || URIBL_SU_JMF)
describe AE_SHORT_FREE    has shortened URL from a freemail account
score    AE_SHORT_FREE    2.0

Now if I could just find a list of url shorteners that included j.mp ...

 



Re: Hijacked email accounts

2011-04-04 Thread Jason Bertoch

On 2011/04/04 12:12 PM, Daniel McDonald wrote:

> Now if I could just find a list of url shorteners that included j.mp ...


DecodeShortURLs plugin from Steve Freegard

http://www.fsl.com/support/DecodeShortURLs.pm
http://www.fsl.com/support/DecodeShortURLs.cf


--
/Jason


Re: Hijacked email accounts

2011-04-04 Thread darxus
On 04/04, Benny Pedersen wrote:
> freemail_domain hotmail.com
> freemail_whitelist ab...@hotmail.com
> freemail_whitelist postmas...@hotmail.com

SpamAssassin already has 2,133 domains listed via freemail_domain, so you
shouldn't need to add that part for any domain.  If you do, you should file
a bug to get it added.

The rule that goes with this is FREEMAIL_FROM, which has a default score of
0.001 (basically nothing), because it hits 21.6% of non-spam (11.4%
of spam).

But if you want it to actually do anything, you'd need to increase the
score via something like:

score FREEMAIL_FROM 1

But these scores are chosen by some pretty extensive real world data
analysis:

http://ruleqa.spamassassin.org/20110321-r1083702-n/FREEMAIL_FROM/detail


It looks like the way to just penalize a single domain would be:

blacklist_from *@yahoo.com
score USER_IN_BLACKLIST 1

By default it has a score of 100, which would usually block everything.  

I was actually doing something with a similar effect to hotmail for a
while.  I recently noticed yahoo is much worse; I think this graph deserves
its own post: http://www.chaosreigns.com/dnswl/dnswlabusehistory.svg


On 04/04, David wrote:
> The emails to which I refer were sent by email accounts stolen by
> viruses on computers running Windows.

I had always assumed the spammers just registered the accounts directly.
Why do you think they were stolen, by viruses or otherwise?

-- 
Life is but a walking shadow, a poor player that struts and frets his
hour upon the stage--and then is heard no more. It is a tale told by an
idiot, full of sound and fury, signifying nothing. - William Shakespeare
http://www.ChaosReigns.com


DNSWL abuse reports by domain, over time

2011-04-04 Thread darxus
Top 20, linear Y scale:
http://www.chaosreigns.com/dnswl/dnswlabusehistory.svg

Top 10, logarithmic Y scale:
http://www.chaosreigns.com/dnswl/dnswlabusehistory_log.svg

DNSWL.org groups IPs by domain.  So I was able to count up the number of
abuse reports per domain, per month.  I graphed the percentage because I
figure reporter activity could fluctuate too much to make absolute counts
of reports useful.

So from this data, yahoo has by far sent the most spam of all legitimate
mail sources during this period (since January 2001).  They got better over
the last month (or everybody else has gotten worse...).  tp.pl is
currently second worst; aol.com is third.

The domains in the key are listed in descending order of total spam during
the period.

I think it's great that google does as well as they do.  I think it's
interesting that both postini and messagelabs show up in this top 20.  

One of the things I found interesting in this is that I had an impression
that hotmail.com was by far the worst, and apparently it never has been.
At least in this period.

I'm curious if there's a story behind orange.fr's spike in June 2010.

-- 
The most merciful thing in the world, I think, is the inability of the
human mind to correlate all its contents.
http://www.ChaosReigns.com


RE: Hijacked email accounts

2011-04-04 Thread Brent Kennedy
I have also noticed a lot of emails coming from valid domain services.  I
have also noticed many of the stolen accounts are used to authenticate with
my blog posting engine to post spam to my blogs.  It never reaches the blog
because I approve each entry, but it's been happening with increased
frequency.

The truth is, this is not a new trick; it comes and goes.  Your real
protection is in the bayes rules and making sure you do not whitelist a
service like these.

If it helps, to assist with users who have accounts on gmail (or any
domain) who are sending email to internal customers, I apply an outbound
hidden line of text in every email that amounts to a code.  If the code is
seen in a reply, the email is given a -100 score, thus reducing false
positives for replied messages.  It also ensures the conversation will most
likely not be interrupted.  It's not 100% all the time since some users'
clients delete replied sections of the email, but it does help.

body BK_RespondedTo /\bxXYyzb262011qa\b/i
score BK_RespondedTo -100.0

I think adding a rule as you suggest will only end up causing more false
positives.

-Brent
