Re: check old config against current versions

2011-10-17 Thread Harry Putnam
dar...@chaosreigns.com writes:

Thanks for the helpful input... well appreciated here.

> You should be able to just load it up in a current version of SA and see if
> it throws any errors.
>
> There's nothing that pops out at me as more problematic for the current
> version than an old version, but
>
> On 10/15, Harry Putnam wrote:
>> trusted_networks 192.168.0.

> I don't think that was ever necessary, I think 192.168.0.* is included in
> SA's default guesses if you don't specify a trusted_networks.  But I guess
> that's not documented, and I don't feel like checking the code for it at
> the moment.  Not a problem anyway.

Will declaring it like that limit the guessing and just set that one
as trusted?

>> skip_rbl_checks 1
>> dns_available no 

> Disabling network checks causes spamassassin to be wrong 5 times as often.

Point taken... that may have been done under circumstances where
bandwidth was a problem... I do recall having some trouble like that
some time ago.

I'm going to enable both now, after hearing your reasoning, and see how
it goes.

Thanks.



Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Karsten Bräckelmann
On Sun, 2011-10-16 at 21:53 -0300, Christian Grunfeld wrote:
> easier than that !
> you dont need to check any ratio at all ... as legitimate mails dont
> have non-word characters between characters !
   
> Non spamer people don´t write subjects like that !
^
> Spamers had to do that in order to avoid sex, porn, xxx, viagra
> directly in subject (which is more or less easily detected)...but when
^^^
> they put things in between you can be 99.999% confident it is spam !
^^^

Yup, there never ever are non-word chars between word chars in human
generated legit mail...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Mynabbler


John Hardin wrote:
> 
>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>  have to be quick to see the actual results... :)
> 
I wrote a couple of days ago about these subjects, did not get a response
however. I came up with something rather straightforward:

header  __MN_PUNC01 Subject =~ /~/
header  __MN_PUNC02 Subject =~ /`/
header  __MN_PUNC03 Subject =~ /\#/
header  __MN_PUNC04 Subject =~ /\$/
header  __MN_PUNC05 Subject =~ /%/
header  __MN_PUNC06 Subject =~ /\^/
header  __MN_PUNC07 Subject =~ /&/
header  __MN_PUNC08 Subject =~ /\*/
header  __MN_PUNC09 Subject =~ /\(|\)/
header  __MN_PUNC10 Subject =~ /\?/
header  __MN_PUNC11 Subject =~ /\+/
header  __MN_PUNC12 Subject =~ /=/
header  __MN_PUNC13 Subject =~ /\{|\}/
# header  __MN_PUNC14 Subject =~ /\[|\]/
header  __MN_PUNC15 Subject =~ /\|/
header  __MN_PUNC16 Subject =~ /\"/
header  __MN_PUNC17 Subject =~ /\;/
header  __MN_PUNC18 Subject =~ /\:/
header  __MN_PUNC19 Subject =~ /\//
header  __MN_PUNC20 Subject =~ /_/
meta  MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 +
__MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 +
__MN_PUNC09 +  __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 +
__MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 +
__MN_PUNC20 >= 3)
score MN_PUNCTUATION 0.1

PUNC14 gave too many false positives with forums and such where [ForumName]
is sent in the subject. The actual score for this kind of punctuation is
low; I use the rule in a meta with URL shortening, free websites, free
blogs, stuff like that, and it is hovering above the kill switch. Also note
that it does not choke on subjects like ===, where a multiple would.


-- 
View this message in context: 
http://old.nabble.com/Why-doesn%27t-anything-at-all-get-these-botnet-spammers--tp32659169p32668643.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Christian Grunfeld
Yeah, you catch my point !

I think it's easier to find a non-alphanum character than trying to
decode/deobfuscate/guess the subject hidden word !

Why do we have to waste resources in trying to guess "Sex Movie" out
of  "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
can directly trigger a rule !



2011/10/17 Mynabbler :
>
>
> John Hardin wrote:
>>
>>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>>  have to be quick to see the actual results... :)
>>
> I wrote a couple of days ago about these subjects, did not get a response
> however. I came up with something rather straightforward:
>
> header  __MN_PUNC01 Subject =~ /~/
> header  __MN_PUNC02 Subject =~ /`/
> header  __MN_PUNC03 Subject =~ /\#/
> header  __MN_PUNC04 Subject =~ /\$/
> header  __MN_PUNC05 Subject =~ /%/
> header  __MN_PUNC06 Subject =~ /\^/
> header  __MN_PUNC07 Subject =~ /&/
> header  __MN_PUNC08 Subject =~ /\*/
> header  __MN_PUNC09 Subject =~ /\(|\)/
> header  __MN_PUNC10 Subject =~ /\?/
> header  __MN_PUNC11 Subject =~ /\+/
> header  __MN_PUNC12 Subject =~ /=/
> header  __MN_PUNC13 Subject =~ /\{|\}/
> # header  __MN_PUNC14 Subject =~ /\[|\]/
> header  __MN_PUNC15 Subject =~ /\|/
> header  __MN_PUNC16 Subject =~ /\"/
> header  __MN_PUNC17 Subject =~ /\;/
> header  __MN_PUNC18 Subject =~ /\:/
> header  __MN_PUNC19 Subject =~ /\//
> header  __MN_PUNC20 Subject =~ /_/
> meta      MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 +
> __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 +
> __MN_PUNC09 +  __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 +
> __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 +
> __MN_PUNC20 >= 3)
> score     MN_PUNCTUATION 0.1
>
> PUNC14 gave too many false positives with forums and such where [ForumName]
> is sent in the subject. The actual score for this kind of punctuation is
> low; I use the rule in a meta with URL shortening, free websites, free
> blogs, stuff like that, and it is hovering above the kill switch. Also note
> that it does not choke on subjects like ===, where a multiple would.
>
>


RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Jenny Lee

Every 2nd of my emails to this list from hotmail is returning as a 
nondeliverable. Hotmail does not give any info as to what failed but I am 
assuming it is the SPAM filters of the mailing list. Well done! 
 
Also how ironic is it to write: users -at- spamassassin.apache.org on the 
website!!! What a confidence in a spam-fighting tool! Write it as users@sa, 
show you mean business.
 
Back to the subject:
 
We are under the false assumption that he is mangling the subjects with 
gibberish or with porn words. His target is to get the URL across. As I 
mentioned, I get as many emails without any punctuation or porn words (see 
below). In fact, since I started this discussion, I got about 2 mangled headers 
versus 100+ like the one below (before at least the ratio was 50/50)!
 
What baffles me is why it takes so long for RBLs to catch up on the URL. He was 
spamming me (I have different domains) for a good one month before his URL got 
dropped into an RBL, another one was never in an RBL. Perhaps I am 
misunderstanding the RBL concept. Or perhaps he is already working with one of the 
RBLs and has access to the honeypot emails. 
 
Jenny
 

Date: Sun, 16 Oct 2011 16:01:48 +0200
From: Ckoe 
To: michael_ott...@ymail.com
Subject: pznvm
 
baniouq ljqtzfghf.
tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv 
kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
 
 
 
  
  

Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Ned Slider

On 17/10/11 19:07, Jenny Lee wrote:
> Every 2nd of my emails to this list from hotmail is returning as a
> nondeliverable. Hotmail does not give any info as to what failed but I am
> assuming it is the SPAM filters of the mailing list. Well done!

Then stop posting spam to the list. You can see what rules you're 
hitting in the headers of your posts:


X-ASF-Spam-Status: No, hits=9.8 required=10.0
tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL

If you want to post examples, please make them available on a pastebin 
and provide the link - that is the etiquette here on this list.




RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Kelson Vibber
From: Jenny Lee
> Also how ironic is it to write: users -at- spamassassin.apache.org on the 
> website!!! What a confidence in a
> spam-fighting tool! Write it as users@sa, show you mean business.

Ever hear of defense in depth?


Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread David B Funk
On Mon, 17 Oct 2011, Christian Grunfeld wrote:

> Yeah, you catch my point !
>
> I think it's easier to find a non-alphanum character than trying to
> decode/deobfuscate/guess the subject hidden word !
>
> Why do we have to waste resources in trying to guess "Sex Movie" out
> of  "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
> can directly trigger a rule !
>

However you need to be careful how you craft/use this kind of rule.
I regularly get legit messages with subjects like:

  New ProTrav - Req Trav, Fac/Stf
  Re: [Imap-protocol] FETCH (rfc822) response
  SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers Infected 
With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes Bill Requiring 
Warrant for Searching Mobile Phones
  Cron  /exlibris/backup/scripts/exec_backup_main s2
  FINAL DAYS: *Free to Choose* - Save 50% - All
  [InCommon] IAM Online Weds., Oct. 12 - IAM Governance

Those kinds of rules may be good for making meta rules to
combine with other indications but be careful using them
by themselves.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Jenny Lee


> Date: Mon, 17 Oct 2011 19:26:21 +0100
> From: n...@unixmail.co.uk
> To: users@spamassassin.apache.org
> Subject: Re: Why doesn't anything at all get these botnet spammers?
> 
> On 17/10/11 19:07, Jenny Lee wrote:
> >
> > Every 2nd of my emails to this list from hotmail is returning as a 
> > nondeliverable. Hotmail does not give any info as to what failed but I am 
> > assuming it is the SPAM filters of the mailing list. Well done!
> >
> 
> Then stop posting spam to the list. You can see what rules you're 
> hitting in the headers of your posts:
> 
> X-ASF-Spam-Status: No, hits=9.8 required=10.0
> tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL

 
Just because I posted a single blacklisted URL does not mean my message should 
be tagged as SPAM on a mailing list. 
 
Perhaps you need to tune these filters for accuracy:
 
FREEMAIL_ENVFROM_END_DIGIT: With a freaking 1.2 billion freemail users, I would 
like to see a freemail account that does not end in a digit. I surely do not 
have anybody on my contact list that does not end with one.
FREEMAIL_FROM: As above... 1.2 billion.
HTML_MESSAGE: That is default on freemail accounts.
URIBL_BLACK: 1.7 on my system
URIBL_SBL: 1.6 on my system
 
So I still would like to see how I get over 10 sending legit convo and having a 
blacklisted URL.
 
Deliverable happened to me when I was posting the pastebin URL during a 
conversation. I, in fact, asked another user on this list if he could post my 
pastebin!
 
Jenny
 
  

Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread John Hardin

On Mon, 17 Oct 2011, Mynabbler wrote:

> John Hardin wrote:
>
>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>> have to be quick to see the actual results... :)
>
> I wrote a couple of days ago about these subjects, did not get a response
> however.

You just did. Work and personal matters sometimes intrude on providing 
somewhat-tested rulesets quickly.

:)

On Mon, 17 Oct 2011, Christian Grunfeld wrote:

> I think it's easier to find a non-alphanum character than trying to
> decode/deobfuscate/guess the subject hidden word !
>
> Why do we have to waste resources in trying to guess "Sex Movie" out
> of "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
> can directly trigger a rule !

Agreed. I don't try to do that, and I don't think anybody has suggested 
that as an approach to catching these.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance is no excuse for a law.
---
 312 days since the first successful private orbital launch (SpaceX)


Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread John Hardin

On Mon, 17 Oct 2011, David B Funk wrote:

> However you need to be careful how you craft/use this kind of rule.
> I regularly get legit messages with subjects like:
>
>   New ProTrav - Req Trav, Fac/Stf
>   Re: [Imap-protocol] FETCH (rfc822) response
>   SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers Infected
>   With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes Bill Requiring
>   Warrant for Searching Mobile Phones
>   Cron  /exlibris/backup/scripts/exec_backup_main s2
>   FINAL DAYS: *Free to Choose* - Save 50% - All
>   [InCommon] IAM Online Weds., Oct. 12 - IAM Governance
>
> Those kinds of rules may be good for making meta rules to
> combine with other indications but be careful using them
> by themselves.

Indeed:

SPAM%    HAM%     S/O    RANK  SCORE  NAME
6.5107   18.6870  0.258  0.45  (n/a)  __SUBJ_OBFU_PUNCT
1.0281   3.5456   0.225  0.41  0.01   T_SUBJ_OBFU_PUNCT_FEW
0.0031   0.9589   0.003  0.22  0.01   T_SUBJ_OBFU_PUNCT_MANY

Time to work on the FPs... :)

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance is no excuse for a law.
---
 312 days since the first successful private orbital launch (SpaceX)


Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Bowie Bailey
On 10/17/2011 3:15 PM, Jenny Lee wrote:
> > Date: Mon, 17 Oct 2011 19:26:21 +0100
> > From: n...@unixmail.co.uk
> >
> > X-ASF-Spam-Status: No, hits=9.8 required=10.0
> >
> tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL
>  
> Just because I posted a single blacklisted URL does not mean my
> message should be tagged as SPAM on a mailing list. 
>  
> Perhaps you need to tune these filters for accuracy:
>  
> FREEMAIL_ENVFROM_END_DIGIT: With a freaking 1.2 billion freemail
> users, I would like to see a freemail account that does not end in a
> digit. I surely do not have anybody on my contact list that does not
> end with one.
> FREEMAIL_FROM: As above... 1.2 billion.
> HTML_MESSAGE: That is default on freemail accounts.
> URIBL_BLACK: 1.7 on my system
> URIBL_SBL: 1.6 on my system

Apache must have adjusted their scoring.  On my system, a message
hitting those rules would have scored about 3.5 -- same as your system
apparently.  Everything except the two URIBL hits has a minimal score. 
(The freemail and html rules are mostly informational and useful for
META rules)

-- 
Bowie


Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Marc Perkel
One way you can get rid of about 1/4 of your botnet spam is to set your 
highest numbered MX record as follows:


tarbaby.junkemailfilter.com

It always returns a 4xx error but it does two things. Botnets often try 
the highest MX first - and they don't retry. So 1/4 or so of your botnet 
spam never comes to you. AND - I get to harvest some of the spambot data 
to improve the HOSTKARMA blacklist.


On 10/15/2011 12:55 PM, Jenny Lee wrote:
> Hello Everyone,
>
> Is there any way to get these people?
>
> Instead of doing greylisting, I started doing SA+Greylisting 3 months ago.
> Since then, this guy always gets through until I modify our custom ruleset to
> block his URLs.
>
> Currently I have:
> uri OUR_CUSTOM_URI /\.(tumblr\.com|de\.tl|fileave\.com|ripway\.com)\//
>
> Bayes is on, and it gets trained with his emails. Bayes is 100% accurate for us
> with no false-positives.
>
> This is requiring constant maintenance. There surely must be a solution.
>
> Thank you.
>
> Jenny
>
>
> Return-Path:
> X-Spam-Flag: YES
> X-Spam-Level: **
> X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_50,
>  MSGID_FROM_MTA_HEADER,OUR_CUSTOM_URI autolearn=no version=3.3.1
> X-Spam-Report:
>  *  5.0 OUR_CUSTOM_URI URI: Botnet spammers
>  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>  *  [score: 0.5769]
>  *  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
>  *  0.2 AWL AWL: From: address is in the auto white-list
> X-Spam-Checker-Version: SPAMASSASSIN 3.3.1 (20/09/2011)
> Received: from netup.it (netup.consultingweb.it [195.128.235.186])
>  by our_domain.comt (version_here) with ESMTP id p8QGoDc9030358
>  for; Mon, 26 Sep 2011 20:50:15 +0400
> Message-Id:<201109261650.p8qgodc9030...@ourdomain.com>
> Received: from uvecfhputwix ([93.176.234.155]) by netup.it with MailEnable
> ESMTP; Sun, 25 Sep 2011 21:07:46 +0200
> Date: Sun, 25 Sep 2011 22:02:06 +0200
> From: sabr...@lbstudio.eu
> User-Agent: Thunderbird 2.0.0.27 (Windows/20090808)
> MIME-Version: 1.0
> To: blessedpinkan...@aol.com
> Subject: [SPAM] T !r (a -n*n =l&e ` S !e .x|
> Content-Type: text/plain; charset=UTF-8; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Greylist: Delayed for 00:00:00 by milter-greylist-4.3.9 (ourdomain.com
> [1.1.1.1]); Mon, 26 Sep 2011 20:50:16 +0400 (MUT)
> X-CENSOR-Robot: SPAM BUSTER v4.0 (08/08/2011) Active Mode
> X-Spam-Prev-Subject: T !r (a -n*n =l&e ` S !e .x|
> X-CENSOR-Class: SPAM
>
> fwoicka odrp jbguybf etvwmbwm
> i aluawj ggn. http://darrentanch1.tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd
> wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.
>
>
> or a more recent one:
>
> Subject: Se^x M-o ^v ~l e -
>
> zp, qtw iqgcjlmkyk bnwbspnoix
> dzgujz f v tdovsp. http://hnungarid.fileave.com/index.html czqrrgdmud ymlfkdv
> wh jhuaemf dus iv wztppda nqq vwoq nppfb.




--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread David B Funk
On Mon, 17 Oct 2011, Jenny Lee wrote:

[snip..]
> What baffles me is why it takes so long for RBLs to catch up on the URL. He 
> was spamming me (I have different domains) for a good one month before his 
> URL got dropped into an RBL, another one was never in an RBL. Perhaps I am 
> misunderstanding the RBL concept. Or perhaps he is already working with one of 
> the RBLs and has access to the honeypot emails.
>
> Jenny
>
>
> Date: Sun, 16 Oct 2011 16:01:48 +0200
> From: Ckoe 
> To: michael_ott...@ymail.com
> Subject: pznvm
>
> baniouq ljqtzfghf.
> tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv 
> kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
>
> 

Jenny,
Most URI-RBLs work on just the hostname part of the URL, i.e. with a
spamvertized URL of http://ha.blah.com/snort_ya/index.html, they only
look at the 'blah.com' part.

For your example, http://h1.ripway.com/..., the hostname part is
'ripway.com', which is a generic web-hosting provider and thus not a good
candidate for blacklisting (i.e. it would FP all over the place).
Most reputable URI-RBLs want to avoid FPs at almost any cost, so they will not
list such names, even if they're frequently used in spam.

Another example of the same phenomenon is URL shorteners (e.g. bit.ly):
regularly abused in spam, but you'll almost never see them listed in
URI-RBLs.

Most good web-hosting providers and URL shorteners will take down the
offending spam site/link if you report it to them.  (sigh, I know,
a whack-a-mole task, but that's the game).


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
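To make the hostname reduction Dave describes concrete, here is an added example (not code from this list or from any URI-RBL) that reduces the URLs quoted in this thread to the registrable domain a hostname-based URI-RBL would be asked about. The tiny suffix table and the `uribl.example` zone name are constructed placeholders; a real client uses the full Public Suffix List and its provider's zone.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: just enough entries for the
# URLs quoted in this thread, plus one multi-label suffix ("co.uk") to show
# why the longest matching suffix has to win.
PUBLIC_SUFFIXES = {"com", "net", "org", "eu", "it", "uk", "co.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label, the part a URI-RBL keys on.

    Example: "h1.ripway.com" -> "ripway.com"; "www.example.co.uk" -> "example.co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" beats "uk".
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    # No known suffix: fall back to the whole host (e.g. "de.tl" in the
    # OUR_CUSTOM_URI rule quoted earlier in the thread).
    return ".".join(labels)


def uribl_key(url):
    """What a hostname-based URI-RBL would be asked about for this URL.

    Everything after the host (path, query, the spam page itself) is dropped,
    which is exactly why one page on a shared host cannot be listed on its own.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return registrable_domain(host)


def uribl_query_name(url, zone="uribl.example"):
    """DNS name a client would resolve; the zone is a placeholder, not a real RBL."""
    return uribl_key(url) + "." + zone


if __name__ == "__main__":
    # The two spam URLs quoted by Jenny plus Dave's ha.blah.com illustration.
    for url in ("http://h1.ripway.com/punkizta_nc143hf/index.html",
                "http://darrentanch1.tumblr.com/",
                "http://ha.blah.com/snort_ya/index.html"):
        print("%-50s -> %s" % (url, uribl_query_name(url)))
```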


Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/15/2011 03:37 PM, John Hardin wrote:
> On Thu, 13 Oct 2011, Mynabbler wrote:
> 
>> Typically the chickenpox rules do not get a lot of love abroad,
>> since they tend to trip over other languages than English. However,
>> does someone have an idea how to use the logic in chickenpox for
>> subjects like these:
>> 
>> ... or does someone have a decent rule to tag this kind of crap?
> 
> I've got something in local masscheck right now, should commit later 
> today. Check my sandbox tomorrow.

header  __SUBJ_OBFU_PUNCT  Subject =~
/(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z])/i

How does this differ from a negation, like:

/[^\[\]'\w\s][a-z][^\[\]'\w]|[a-z][^\[\]'\w\s-][a-z]/i

and how does this not FP all over the place with subjects like:

Time for F-U-N
I like D&D and rock&roll
/var/spool/mail is full


I think this would satisfy the original request:

header   __SUBJ_LACKS_WORDS
  Subject !~ /(?!^.{0,15}$)(?:^|\s)[a-z]{3,15}(?:\s|$)/

(I have not checked that in, feel free if you like it.)





Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/17/2011 02:29 PM, Adam Katz wrote:
> I think this would satisfy the original request:
> 
> header   __SUBJ_LACKS_WORDS
>   Subject !~ /(?!^.{0,15}$)(?:^|\s)[a-z]{3,15}(?:\s|$)/
> 
> (I have not checked that in, feel free if you like it.)

Okay, that needed a little work (boo to double-negatives).  Also, I
hadn't noticed the new thread (sorry).

Just checked this in:

header __SUBJ_NOT_SHORTSubject =~ /^.{16}/
header __SUBJ_HAS_WORDSSubject =~ /(?:^|\s)[^\W0-9_]{3,15}(?:\s|$)/
meta SUBJ_LACKS_WORDS  __SUBJ_NOT_SHORT && !__SUBJ_HAS_WORDS &&
!__SUBJECT_ENCODED_B64
describe SUBJ_LACKS_WORDS  Non-short subject lacks words

Even this will hit a fair amount of ham, especially with foreign
languages (I tried to work around this with [^\W0-9_] instead of [a-z]
in the event a locale is in use).





DNSWL.org enforcement of free usage limits

2011-10-17 Thread darxus
http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html

This came up in the "Spam email many have RCVD_IN_DNSWL_MED" thread.
DNSWL.org made an announcement about it with more details.  

Basically, free use only allows 100,000 queries per organization per day.
Go over that enough, and you may get "RCVD_IN_DNSWL_HI" hitting all your
email.

If you're handling more than 100,000 emails a day, and don't want to pay
for dnswl.org data, add to your spamassassin config:

score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

Disclaimer:  I'm a dnswl.org admin.


More discussion of network test free usage limits here:
http://www.spamtips.org/2011/01/usage-limits-of-spamassassin-network.html

Yes, it would still be nice if spamassassin had an option to just disable
all of these.  Maybe just commented out options in a config file?
Something like this, based on that last link:

# spamhaus.org
score DKIMDOMAIN_IN_DWL 0
score DKIMDOMAIN_IN_DWL_UNKNOWN 0
score RCVD_IN_CSS 0
score RCVD_IN_PBL 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score URIBL_DBL_ERROR 0
score URIBL_DBL_SPAM 0
score URIBL_SBL 0

# Others
score RCVD_IN_PSBL 0
score RCVD_IN_BL_SPAMCOP_NET 0
score RCVD_IN_BRBL_LASTEXT 0
score DNS_FROM_AHBL_RHSBL 0

# Sorbs.net
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_MISC 0
score RCVD_IN_SORBS_SMTP 0
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_ZOMBIE 0
score RCVD_IN_SORBS_DUL 0

# NJABL.org
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_PROXY 0

# rfc-ignorant.org
score DNS_FROM_RFC_DSN 0
score DNS_FROM_RFC_BOGUSMX 0

# DNSWL.org
score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

# ReturnPath.net
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_RNBL 0
score RCVD_IN_RP_SAFE 0

# SuretyMail / isipp.com
score RCVD_IN_IADB_VOUCHED 0
score RCVD_IN_IADB_DK 0
score RCVD_IN_IADB_DOPTIN 0
score RCVD_IN_IADB_DOPTIN_GT50 0
score RCVD_IN_IADB_DOPTIN_LT50 0
score RCVD_IN_IADB_EDDB 0
score RCVD_IN_IADB_EPIA 0
score RCVD_IN_IADB_GOODMAIL 0
score RCVD_IN_IADB_LISTED 0
score RCVD_IN_IADB_LOOSE 0
score RCVD_IN_IADB_MI_CPEAR 0
score RCVD_IN_IADB_MI_CPR_30 0
score RCVD_IN_IADB_MI_CPR_MAT 0
score RCVD_IN_IADB_ML_DOPTIN 0
score RCVD_IN_IADB_NOCONTROL 0
score RCVD_IN_IADB_OOO 0
score RCVD_IN_IADB_OPTIN 0
score RCVD_IN_IADB_OPTIN_GT50 0
score RCVD_IN_IADB_OPTIN_LT50 0
score RCVD_IN_IADB_OPTOUTONLY 0
score RCVD_IN_IADB_RDNS 0
score RCVD_IN_IADB_SENDERID 0
score RCVD_IN_IADB_SPF 0
score RCVD_IN_IADB_UNVERIFIED_1 0
score RCVD_IN_IADB_UNVERIFIED_2 0
score RCVD_IN_IADB_UT_CPEAR 0
score RCVD_IN_IADB_UT_CPR_30 0
score RCVD_IN_IADB_UT_CPR_MAT 0

# SURBL.org
score URIBL_SC_SURBL 0
score URIBL_WS_SURBL 0
score URIBL_PH_SURBL 0
score URIBL_OB_SURBL 0
score URIBL_AB_SURBL 0
score URIBL_JP_SURBL 0

# DCC
score DCC_CHECK 0
score DCC_REPUT_00_12 0
score DCC_REPUT_70_89 0
score DCC_REPUT_90_94 0
score DCC_REPUT_95_98 0
score DCC_REPUT_99_100 0

-- 
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore all progress
depends on the unreasonable man." - George Bernard Shaw
http://www.ChaosReigns.com


RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Jenny Lee


> One way you can get rid of about 1/4 of your botnet spam is to set your 
> highest numbered MX record as follows:
> 
> tarbaby.junkemailfilter.com
 
Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all* of 
it with greylisting for 3-4 years. No need for bothering with MXes.
 
The problem started after I implemented spamassassin a couple of months ago. Even 
though I have near ~100% accuracy with bayes (over 1 million SPAM, zero FP), 
this guy always gets through.
 
We get about 10-20 legit emails (everyone uses internal IM) with 4-5 
SPAM a day. Most of which is same-sender/same-recipient rejected at 
transaction stage. Spamd processes about 10K a day.
 
When we were implementing only greylisting, no spam except ebolamonkey 419 spam 
passed through. That was easy to discard with simple procmail filters. However, 
our client's RHEL5 sendmail did not play well with greylisting, so we decided 
to do sa+grey. 
 
Working very well, but needing constant attention because of this one pos.
 
Jenny
 
  

Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread darxus
On 10/15, Jenny Lee wrote:
> fwoicka odrp jbguybf etvwmbwm
> i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl ipcvlhboht
> ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.

Is anybody else having a problem with this kind of spam?  I definitely find
it interesting.  It doesn't sound likely to be very profitable.


On 10/17, Jenny Lee wrote:
>What baffles me is why it takes so long for RBLs to catch up on the
>URL.

Are you reporting them?


On 10/17, Jenny Lee wrote:
>Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all*
>of it with greylisting since 3-4 years. No need for bothering with MXes.

So why don't you go back to greylisting without spamassassin?  Nobody
profits from you using SA, use whatever works for you.

>The problem started after I implemented spamassassin couple of months ago.
>Even though I have near ~100% accuracy with bayes (over 1 million SPAM,
>zero FP), this guy always gets through.

Or if your bayes is so accurate, just increase the scores for those rules?

score BAYES_00  -5
score BAYES_05  -4
score BAYES_20  -3
score BAYES_40  -2
score BAYES_50  5
score BAYES_60  6
score BAYES_80  7
score BAYES_95  8
score BAYES_99  9

(To be clear, I don't recommend this for most people, only if you have
bayes results as accurate as Jenny.)

With such accurate bayes results, that should override most other results.
And if you're just using bayes, might as well not use spamassassin and go
with a dedicated bayesian filter like spamprobe.

Bayesian filters generally ignore words they haven't seen before, like the
garbage non-words you're seeing.  They could be modified to penalize
non-words.  You would need a thoroughly trained filter keeping around
records of almost all real words though.

>We get about 10-20 legit emails (everyone uses internal IM) with
>4-5 SPAM a day. Most of which is same-sender/same-recipient
>rejected at transaction stage. Spamd processes about 10K a day.

Blocking more than 99% of spam, without blocking a problematic amount of
non-spam, is hard.

>When we were implementing only greylisting, no spam except ebolamonkey 419
>spam passed through. That was easy to discard with simple procmail
>filters. However, our client's RHEL5 sendmail did not play well with
>greylisting, so we decided to do sa+grey.

Postfix + postgrey worked great for me, when I last felt a need to use
greylisting.  

-- 
"Democracy is the theory that the common people know what they want,
and deserve to get it good and hard." - H. L. Mencken
http://www.ChaosReigns.com


Re: Chickenpoxed subjects

2011-10-17 Thread John Hardin

On Mon, 17 Oct 2011, Adam Katz wrote:

> header  __SUBJ_OBFU_PUNCT  Subject =~
> /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z])/i
>
> How does this differ from a negation, like:
>
> /[^\[\]'\w\s][a-z][^\[\]'\w]|[a-z][^\[\]'\w\s-][a-z]/i

I suppose which you'd choose would be based on how conservative you want 
to be. Matching on specific types of obfuscation (as mine does), or being 
less selective (as yours does).

> and how does this not FP all over the place with subjects like:
>
> Time for F-U-N
> I like D&D and rock&roll
> /var/spool/mail is full

It must hit more than a specified number of times. __SUBJ_OBFU_PUNCT isn't 
scored, SUBJ_OBFU_PUNCT_FEW and SUBJ_OBFU_PUNCT_MANY are.

> I think this would satisfy the original request:
>
> header   __SUBJ_LACKS_WORDS
>   Subject !~ /(?!^.{0,15}$)(?:^|\s)[a-z]{3,15}(?:\s|$)/
>
> (I have not checked that in, feel free if you like it.)

When I get home tonight.
When I get home tonight.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them. -- Jeffrey Snyder
---
 312 days since the first successful private orbital launch (SpaceX)


Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/17/2011 04:36 PM, John Hardin wrote:
> On Mon, 17 Oct 2011, Adam Katz wrote:
>> Time for F-U-N
>> I like D&D and rock&roll
>> /var/spool/mail is full
> 
> It must hit more than a specified number of times. __SUBJ_OBFU_PUNCT
> isn't scored, SUBJ_OBFU_PUNCT_FEW and SUBJ_OBFU_PUNCT_MANY are.

Each of my examples hits SUBJ_OBFU_PUNCT_FEW, and it wouldn't be hard
for them to hit SUBJ_OBFU_PUNCT_MANY either.

>> I think this would satisfy the original request:
>>
>> header   __SUBJ_LACKS_WORDS
>>   Subject !~ /(?!^.{0,15}$)(?:^|\s)[a-z]{3,15}(?:\s|$)/
>>
>> (I have not checked that in, feel free if you like it.)
> 
> When I get home tonight.

See my other email, already checked in :-)





RE: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Benny Pedersen

On Mon, 17 Oct 2011 18:07:15 +, Jenny Lee wrote:

> Every 2nd of my emails to this list from hotmail is returning as a
> nondeliverable. Hotmail does not give any info as to what failed but I
> am assuming it is the SPAM filters of the mailing list. Well done!
>
> X-Spam-Status No, score=-4.445 tagged_above=-999 required=5
> tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
> KHOP_THREADED=-0.1, NO_USER_AGENT=0.1, NO_X_MAILER=0.1,
> RCVD_IN_DNSWL_HI=-5, RCVD_IN_RP_SAFE=-2, RELAY_US=0.01,
> RP_MATCHES_RCVD=-0.504, SPF_PASS=-0.001, URIBL_BLACK=1.725,
> URIBL_DBL_REDIRECTOR=1.5, URIBL_SBL=1.623] autolearn=no

your msg tags here :-)

dont post spam urls to maillists, but use pastebin and post link to it

> Also how ironic is it to write: users -at- spamassassin.apache.org on
> the website!!! What a confidence in a spam-fighting tool! Write it as
> , show you mean business.

nabble users get used to it :-)

> Back to the subject:
>
> We are under the false assumption that he is mangling the subjects
> with gibberish or with porn words. His target is to get the URL
> across. As I mentioned, I get as many emails without any punctuation
> or porn words (see below). In fact, since I started this discussion, I
> got about 2 mangled headers versus 100+ like the one below (before at
> least the ratio was 50/50)!
>
> What baffles me is why it takes so long for RBLs to catch up on the
> URL. He was spamming me (I have different domains) for a good one
> month before his URL got dropped into an RBL, another one was never in
> an RBL. Perhaps I am misunderstanding the RBL concept. Or perhaps he is
> already working with one of the RBLs and has access to the honeypot
> emails.

he might use a url redirector ?

> Jenny
>
> Date: Sun, 16 Oct 2011 16:01:48 +0200
> From: Ckoe
> To:
> Subject: pznvm
>
> baniouq ljqtzfghf.
> tgbc, czatiaibw csa  lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a
> tfpeyvq fkhaohcddt rdl bvfoju.




One-line URI body spam

2011-10-17 Thread Alex
Hi,

I'm having difficulty with figuring out how to tag spam where the body
is only one line with a URL in it. Here is an example:

http://pastebin.com/Y9mX1DRV

I'd appreciate any ideas of what I may be missing to catch these.

Thanks,
Alex


Rule to count freemail recipients?

2011-10-17 Thread Tom
I'm using a couple of rules I found here that hit when there are 5-9 or
10+ recipients:


header __COUNT_RCPTS ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
tflags __COUNT_RCPTS multiple

meta RCPTS_5_10 (__COUNT_RCPTS >= 5)
score RCPTS_5_10 1.0
describe RCPTS_5_10 Message has 5 or more recipients

meta RCPTS_10_PLUS (__COUNT_RCPTS >= 10)
score RCPTS_10_PLUS 1.0
describe RCPTS_10_PLUS Message has 10 or more recipients


I'm seeing a bunch of spams that are being sent to some of my users
where there are multiple other recipients, and most, if not all of the
other recipients are various freemail accounts.

Anyone have any ideas on how to identify when the other recipients are
freemail users, so that this can be scored even higher?


Re: One-line URI body spam

2011-10-17 Thread darxus
On 10/17, Alex wrote:
> I'm having difficulty with figuring out how to tag spam where the body
> is only one line with a URL in it. Here is an example:
> 
> http://pastebin.com/Y9mX1DRV

It would be more helpful if you provided several examples.  It would be
easy enough to write a rule that matched just this example.


Not helpful, but just interesting:
In 2002, Paul Graham wrote A Plan for Spam, which included:

  Assuming they could solve the problem of the headers, the spam of the
  future will probably look something like this:
  
Hey there.  Thought you should check out the following:
http://www.27meg.com/foo
  
  because that is about as much sales pitch as content-based filtering
  will leave the spammer room to make. (Indeed, it will be hard even
  to get this past filters, because if everything else in the email is
  neutral, the spam probability will hinge on the url, and it will take
  some effort to make that look neutral.)

- http://www.paulgraham.com/spam.html

I guess he thought spammers wouldn't think that would be worth sending.

-- 
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com


Re: Rule to count freemail recipients?

2011-10-17 Thread darxus
On 10/17, Tom wrote:
> Anyone have any ideas on how to identify when the other recipients are
> freemail users, so that this can be scored even higher?

My guess is you'd need to write a plugin based on the FreeMail plugin:
http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/FreeMail.pm?view=markup

20_freemail.cf and 20_freemail_domains.cf include some relevant rules.  It
defines a huge list of known freemail domains.

-- 
"We will be dead soon. Is this how we want to live?"
http://www.ChaosReigns.com
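Added example, not code from the thread or from SpamAssassin: Tom's __COUNT_RCPTS regex emulated in Python over a constructed To/Cc pair, extended with the freemail-recipient count he asked about. The domain set is a small constructed stand-in for the list darxus points at in 20_freemail_domains.cf, and the freemail threshold is this example's own choice.

```python
import re

# Tom's __COUNT_RCPTS regex from the thread. SpamAssassin applies it to the
# pseudo-header "ToCc" (To: and Cc: joined) and 'tflags multiple' counts every
# match. It matches address-like tokens, so "Bob <bob@x.org>" yields
# "<bob@x.org>" with the angle brackets attached and the display name ignored.
COUNT_RCPTS = re.compile(r"(?:[^@,\s]+@[^@,\s]+)")

# Constructed stand-in for the domain list shipped in 20_freemail_domains.cf;
# the real list is far larger than this.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "aol.com"}

def domain_of(token):
    """Lower-cased domain part of a matched token, angle brackets stripped."""
    return token.rsplit("@", 1)[1].strip("<>;").lower()

def recipients(to_header, cc_header=""):
    """Every token __COUNT_RCPTS would count in ToCc."""
    return COUNT_RCPTS.findall(to_header + " " + cc_header)

def rcpt_rules(to_header, cc_header="", freemail_min=3):
    """Emulate Tom's RCPTS_5_10 / RCPTS_10_PLUS metas and add the rule he asked
    for: a hit when at least freemail_min recipients use a freemail domain
    (freemail_min=3 is this example's choice, not a value from the thread)."""
    rcpts = recipients(to_header, cc_header)
    freemail = [r for r in rcpts if domain_of(r) in FREEMAIL_DOMAINS]
    return {
        "rcpt_count": len(rcpts),
        "freemail_count": len(freemail),
        "RCPTS_5_10": len(rcpts) >= 5,
        "RCPTS_10_PLUS": len(rcpts) >= 10,
        "RCPTS_FREEMAIL_MANY": len(freemail) >= freemail_min,
    }

if __name__ == "__main__":
    # Constructed headers in the shape Tom describes: one local user plus a
    # batch of freemail addresses.
    to_hdr = "Tom <tom@example.org>, alice99@hotmail.com, bob.smith@gmail.com"
    cc_hdr = "carol_x@yahoo.com, dave@aol.com, erin@example.net"
    for name, value in rcpt_rules(to_hdr, cc_hdr).items():
        print(f"{name:20} {value}")
```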


Re: One-line URI body spam

2011-10-17 Thread Alex
Hi,

>> I'm having difficulty with figuring out how to tag spam where the body
>> is only one line with a URL in it. Here is an example:
>>
>> http://pastebin.com/Y9mX1DRV
>
> It would be more helpful if you provided several examples.  It would be
> easy enough to write a rule that matched just this example.

Yes, I thought that might happen. I've included some others here:

http://pastebin.com/P0cJdf2V

Great example from Paul Graham. The URI filters apparently can't
respond quickly enough.

Thanks again,
Alex