Need rules to catch this kind of spam
This is the content of the spam. I get a lot of these and would like to see a rule specifically targeting it. You probably have seen it. Lots of low-contrast colors and font size changes and one link visible.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<p><FONT face="Arial Narrow, sans-serif" size="+1" color="#f4f2ff">it</FONT>
<FONT face="Impact, Times New Roman" size="+2" color="#f2f0fd">to</FONT>
<FONT face="Century Gothic, Arial" size="2" color="#e8e4fe">Allan</FONT>
<FONT face="Lucida Console, Arial" size="2" color="#e4e0fa">Ramsay.[43:2]</FONT>
<FONT face="Times New Roman, Times, serif" size="2" color="#e8e4ff">I</FONT>
<FONT face="Lucida Console, Monaco, monospace" size="2" color="#e4e0fb">find</FONT>
<FONT face="Comic Sans MS, cursive" size="2" color="#f9f8ff">the</FONT>
<FONT face="Georgia" size="3" color="#f2f0fe">ingenious</FONT>
<FONT face="Courier New, Courier, monospace" size="-2" color="#e4e0fc">author,
<FONT face="Impact, Times New Roman" size="-1" color="#e4e0fd">whoever</FONT>
<FONT face="Microsoft Sans Serif, Times New Roman" size="-1" color="#f2f0ff">he</FONT>
<FONT face="Geneva, Arial, Helvetica, sans-serif" size="-2" color="#e4e0fe">be,</FONT></p>
<p><FONT face="Impact, Times New Roman" size="3" color="#08">Cheers, handsome. I'm in your area. I am romantic.
<a href="http://igtivilo.php0h.com/">Click for more info</a></FONT></p>
<p><FONT face="Garamond, Times New Roman" size="5" color="#e4e0ff">ridicules</FONT>
<FONT face="Tahoma, sans-serif" size="+1" color="#fefeff">the</FONT>
<FONT face="Garamond, Arial" size="4" color="#fdfdfe">new</FONT>
<FONT face="Lucida Sans Unicode, Lucida Grande, sans-serif" size="3" color="#fcfcfd">method</FONT>
<FONT face="Courier New, Courier, monospace" size="-1" color="#fbfbfc">of</FONT>
<FONT face="Courier New, monospace" size="4" color="#fafafb">spelling,</FONT>
<FONT face="Arial" size="2" color="#f9f9fa">as</FONT>
<FONT face="Impact, Times New Roman" size="3" color="#f8f8f9">he</FONT>
<FONT face="Impact, Times New Roman" size="5" color="#fdfdff">calls
<FONT face="Comic Sans MS, Times New Roman" size="4" color="#fcfcfe">it;</FONT></p>
<p><FONT face="Comic Sans MS, Arial" size="+2" color="#10">http://zouqqihu.isthe.name/</FONT></p>
<p><FONT face="Lucida Sans Unicode, Lucida Grande, sans-serif" size="2" color="#fbfbfd">but</FONT>
<FONT face="Charcoal, sans-serif" size="+1" color="#fafafc">that</FONT>
<FONT face="Book Antiqua, Times New Roman" size="-2" color="#f9f9fb">method</FONT>
<FONT face="Palatino, serif" size="+2" color="#f8f8fa">of</FONT>
<FONT face="Lucida Sans Unicode, Lucida Grande, sans-serif" size="2" color="#f6f6f8">spelling</FONT>
<FONT face="Microsoft Sans Serif, Arial" size="5" color="#f4f4f6">_honor_,</FONT>
<FONT face="Georgia, serif" size="5" color="#f2f2f4">instead</FONT>
<FONT face="Bookman Old Style, Arial" size="2" color="#f0f0f2">of</FONT>
<FONT face="Geneva, sans-serif" size="-2" color="#fcfcff">_honour_,</p>
<p><FONT face="Georgia" size="4" color="#fbfbfe">was</FONT>
<FONT face="Trebuchet MS, sans-serif" size="2" color="#fafafd">Lord</FONT>
<FONT face="Book Antiqua, Arial" size="2" color="#f9f9fc">Bolingbroke's,</FONT>
<FONT face="Book Antiqua, Times New Roman" size="3" color="#f8f8fb">Dr.</FONT>
<FONT face="Arial Narrow, Arial" size="4" color="#f6f6f9">Middleton's,</FONT>
<FONT face="Arial" size="3" color="#fbfbff">and</FONT></p>
<p><FONT face="Arial Narrow, sans-serif" size="5" color="#fafafe">Mr.</FONT>
<FONT face="Book Antiqua, Times New Roman" size="+1" color="#f9f9fd">Pope's;</FONT>
<FONT face="Book Antiqua, Arial" size="3" color="#f8f8fc">besides</FONT>
<FONT face="Bookman Old Style, Arial" size="+2" color="#f6f6fa">many</FONT>
<FONT face="Geneva, sans-serif" size="2" color="#f4f4f8">other</FONT></p>
<p><FONT face="Lucida Sans Unicode, Arial" size="-1" color="#f2f2f6"></FONT> </p>
</body>
</html>

-- 
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
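An added example, not part of Marc's message and not a SpamAssassin rule, that scores the three features he describes: many FONT runs, most of them in near-white colours that disappear against the default white background, and a single visible link. The sample HTML below is constructed to mirror the quoted message in shape but with fewer words; the truncated "#08" and "#10" colour values in the quote are replaced by dark values of my own, and the thresholds (MIN_FONT_RUNS, FAINT_LUMINANCE, the half-faint ratio) are assumptions chosen for the example, not values from the thread.

```python
from html.parser import HTMLParser

# Assumed thresholds: this many <font> runs, at least half of them
# near-white, plus at least one link, gets the message flagged.
MIN_FONT_RUNS = 8
FAINT_LUMINANCE = 0.85  # above this, text is unreadable on a white page


def luminance(color):
    """Relative luminance (0 = black, 1 = white) of an #rrggbb colour.
    Gamma is ignored, which is fine for a spam heuristic. Named colours
    and truncated values (e.g. '#08') return None."""
    if not color:
        return None
    h = color.strip().lstrip("#")
    if len(h) != 6 or any(c not in "0123456789abcdefABCDEF" for c in h):
        return None
    r, g, b = (int(h[i:i + 2], 16) / 255 for i in (0, 2, 4))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


class FontSaladParser(HTMLParser):
    """Counts <font> runs, faint runs, links, and words hidden vs visible."""

    def __init__(self):
        super().__init__()
        self.font_runs = self.faint_runs = self.links = 0
        self.hidden_words = self.visible_words = 0
        self._open_fonts = []  # luminance of each open <font>, innermost last

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "font":
            lum = luminance(a.get("color"))
            self.font_runs += 1
            if lum is not None and lum >= FAINT_LUMINANCE:
                self.faint_runs += 1
            self._open_fonts.append(lum)
        elif tag == "a" and a.get("href"):
            self.links += 1

    def handle_endtag(self, tag):
        # This spam leaves <font> tags unclosed; only pop what was opened.
        if tag == "font" and self._open_fonts:
            self._open_fonts.pop()

    def handle_data(self, data):
        words = len(data.split())
        if not words:
            return
        lum = self._open_fonts[-1] if self._open_fonts else None
        if lum is not None and lum >= FAINT_LUMINANCE:
            self.hidden_words += words
        else:
            self.visible_words += words


def analyze(html):
    p = FontSaladParser()
    p.feed(html)
    p.close()
    return {
        "font_runs": p.font_runs,
        "faint_runs": p.faint_runs,
        "hidden_words": p.hidden_words,
        "visible_words": p.visible_words,
        "links": p.links,
        "font_salad": (p.font_runs >= MIN_FONT_RUNS
                       and 2 * p.faint_runs >= p.font_runs
                       and p.links >= 1),
    }


# Constructed sample: same shape as the quoted spam, shorter.
SAMPLE_SPAM = """<html><body>
<p><FONT face="Arial Narrow, sans-serif" size="+1" color="#f4f2ff">it</FONT>
<FONT face="Impact, Times New Roman" size="+2" color="#f2f0fd">to</FONT>
<FONT face="Century Gothic, Arial" size="2" color="#e8e4fe">Allan</FONT>
<FONT face="Lucida Console, Arial" size="2" color="#e4e0fa">Ramsay.</FONT>
<FONT face="Georgia" size="3" color="#f2f0fe">ingenious</FONT>
<FONT face="Courier New, Courier, monospace" size="-2" color="#e4e0fc">author,
<FONT face="Impact, Times New Roman" size="-1" color="#e4e0fd">whoever</FONT></p>
<p><FONT face="Impact, Times New Roman" size="3" color="#080808">Cheers, handsome. I'm in your area. I am romantic.
<a href="http://igtivilo.php0h.com/">Click for more info</a></FONT></p>
<p><FONT face="Garamond, Times New Roman" size="5" color="#e4e0ff">ridicules</FONT>
<FONT face="Tahoma, sans-serif" size="+1" color="#fefeff">the</FONT>
<FONT face="Garamond, Arial" size="4" color="#fdfdfe">new</FONT>
<FONT face="Arial" size="2" color="#f9f9fa">as</FONT></p>
<p><FONT face="Comic Sans MS, Arial" size="+2" color="#101010">http://zouqqihu.isthe.name/</FONT></p>
</body></html>"""

# Constructed ham: two styled runs and one link, nothing hidden.
SAMPLE_HAM = """<html><body>
<p><FONT face="Arial" size="3" color="#333333">Hi Bob, the agenda for Monday is attached.</FONT></p>
<p><FONT face="Arial" size="2" color="#0000cc"><a href="http://intranet.example/agenda">Agenda</a></FONT></p>
</body></html>"""

if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, analyze(sample))
```

On the constructed spam this reports 13 font runs, 11 of them faint, 11 hidden words against 14 visible, and one link; the ham has only two runs and is not flagged. Counting hidden versus visible words separately is what makes the check robust to the spammer padding the visible part: the ratio of faint runs to all runs is the signal, regardless of how much readable text surrounds the link.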
Re: malformed To: header blocks further parsing
On 06/06/13 11:51, Matteo Dessalvi wrote:

Hi Fabio. Have you also tried the 'Language options' of SpamAssassin? Like the one described here: http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#language_options
Matteo

Hi, thanks for your reply. I totally misunderstood SpamAssassin's rule description: it was referring to a NUL byte in the body, not to a body with a length of 0 bytes. SpamAssassin's parsing is working perfectly :)

Thanks again,
Fabio
Re: MariaDB replacing MySQL for Bayes
On 06/06/2013 09:03 PM, Marc Perkel wrote:

So - after a couple of weeks it just works. I recommend getting rid of MySQL in favor of MariaDB. Besides bayes I'm using it on my web server and it just works and it's a lot more solid. My 2 centz

If you like MariaDB Bayes speed, you should try Bayes with Redis. That is FAST!
Re: Need rules to catch this kind of spam
On Fri, 7 Jun 2013, Marc Perkel wrote:

This is the content of the spam. I get a lot of these and like to see a rule specifically targeting it. You probably have seen it. Lots of low contrast colors and font size changes and one link visible.

Marc, could you forward one such to me as an RFC822 attachment so that I have a full sample? There's one obvious thing in there that looks like good rule fodder to me.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                    FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Our government wants to do everything it can for the children, except sparing them crushing tax burdens.
---
372 days since the first successful private support mission to ISS (SpaceX)
Re: MariaDB replacing MySQL for Bayes
As far as I understand only the 3.4 (devel branch) version of SA is supporting Redis as a Bayes storage. Are you using this version in production? Can you tell us, approximately, the volume of the email traffic? Are you running a configuration with multiple SA connected to a single Redis instance?

Thanks.
Matteo

- Original message -
From: Axb axb.li...@gmail.com
To: users@spamassassin.apache.org
Cc:
Sent: Friday, 7 June 2013 15:47
Subject: Re: MariaDB replacing MySQL for Bayes

On 06/06/2013 09:03 PM, Marc Perkel wrote:
So - after a couple of weeks it just works. I recommend getting rid of MySQL in favor of MariaDB. Besides bayes I'm using it on my web server and it just works and it's a lot more solid. My 2 centz

If you like MariaDB Bayes speed, you should try Bayes with Redis. That is FAST!
Re: MariaDB replacing MySQL for Bayes
On 06/07/2013 05:05 PM, Matteo Dessalvi wrote:

As far as I understand only the 3.4 (devel branch) version of SA is supporting Redis as a Bayes storage.

Yes

Are you using this version in production?

Yes - Since January 2013

Can you tell us, approximately, the volume of the email traffic?

A few million /day

Are you running a configuration with multiple SA connected to a single Redis instance?

Yes! - in autolearn mode.

Thanks.
Matteo

- Original message -
From: Axb axb.li...@gmail.com
To: users@spamassassin.apache.org
Cc:
Sent: Friday, 7 June 2013 15:47
Subject: Re: MariaDB replacing MySQL for Bayes

On 06/06/2013 09:03 PM, Marc Perkel wrote:
So - after a couple of weeks it just works. I recommend getting rid of MySQL in favor of MariaDB. Besides bayes I'm using it on my web server and it just works and it's a lot more solid. My 2 centz

If you like MariaDB Bayes speed, you should try Bayes with Redis. That is FAST!
Subscriber spam
Hi, I'm receiving what I think is spam but looks like it's from a subscription-based list, yet the domain isn't blacklisted even after receiving messages similar to these for at least a week: http://pastebin.com/N7Dw03sG The domain is gbresponder.com. The LOCAL_SURBL is a local DNSBL I've created and includes the gbresponder.com domain in it, but not enough other points for it to be marked as spam. It also shows in the headers that DKIM has failed. I'm confused. I can't see how someone would intentionally sign up for this (I realize they may have been subscribed without knowing) or would mind if I just rejected the domain outright. I received another variation this morning with the subject of Doctorate Degrees, so I'm thinking to just reject it. Thanks for any ideas. Alex
Re: Subscriber spam
On Fri, 2013-06-07 at 12:04 -0400, Alex wrote:

Hi, I'm receiving what I think is spam but looks like it's from a subscription-based list, yet the domain isn't blacklisted even after receiving messages similar to these for at least a week: http://pastebin.com/N7Dw03sG The domain is gbresponder.com.

There are two relevant domains:

- the From and Reply-To headers use rocketmail.com, which seems to be wholly owned by Yahoo and so can be assumed to share their attitude to spam.
- gbresponder.com is an e-mail marketing outfit based in Miami Beach, so it seems likely that sending spam is their main business model.

Adding gbresponder.com to your local DNSBL seems quite reasonable to me.

Martin
Single-link spam
Hi all, I'm also receiving a ton of single-link spam that none of my single-link spam rules seem to be triggering on sufficiently to block. They are all routed through yahoo.com and typically have a very small body. I've created one meta with a small body and a single link from a freemail domain, but I can't detect anything further in the headers that may help. I hoped someone could help me investigate: http://pastebin.com/DVEGBE3j http://pastebin.com/Z97tBVE4 After training, they are hitting bayes99. The IP from one example (98.138.120.233) still isn't listed in SBL or XBL. Shouldn't it be by now? I've also created a few local rules based on a specific subject, but that obviously doesn't scale well. Typically by the time I can evaluate the FNs, they have hit zen or other RBLs, but they aren't hitting those RBLs when I'm receiving them, so I really hoped there was something else in the message that could be used since I seem to be at the top of the spammers list and receive these before zen. Thanks for any ideas. Alex
Re: Single-link spam
Alex wrote:

I'm also receiving a ton of single-link spam http://pastebin.com/DVEGBE3j http://pastebin.com/Z97tBVE4 After training, they are hitting bayes99. The IP from one example (98.138.120.233) still isn't listed in SBL or XBL. Shouldn't it be by now?

No, and neither should 72.30.239.77 from the other message. Both are legitimate Yahoo! relays that handed these messages to your MX. Feel free to blacklist Yahoo! if you like...

79.120.163.57 and 223.207.210.39 possibly could be listed on a DNSBL, since those are the IPs the messages entered Yahoo! from. But most DNSBLs aren't intended for the deep header scans that would be needed for them to hit.

-kgd
Re: Single-link spam
On Fri, 2013-06-07 at 13:20 -0400, Alex wrote:

I'm also receiving a ton of single-link spam that none of my single-link spam rules seem to be triggering on sufficiently to block. They are all routed through yahoo.com and typically have a very small body. I've created one meta with a small body and a single link from a freemail domain, but I can't detect anything further in the headers that may help. I hoped someone could help me investigate: http://pastebin.com/DVEGBE3j http://pastebin.com/Z97tBVE4

I'm recognising bodies that contain just a URL with a meta rule, MG_BARE_URL, that ANDs this:

rawbody __MG_BU1 /^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$/

with either this:

body __MG_BU2 /http:\S{1,70}/i

or a domain that's in a private URIBL. Finally, I'm using another meta that fires if the msg-id says that yahoo originated the message. That caught both of your examples.

I'm not convinced MG_BARE_URL is foolproof, but on my message stream, anyway, it isn't generating false positives, while at the same time it's general enough to hit messages where the plain text contains a URL surrounded by whitespace pretty much regardless of anything else.

Martin
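Martin's two sub-rules and the meta that ANDs them, re-implemented in Python as an added example so the behaviour can be checked offline against constructed messages. This is not SpamAssassin's evaluator and only approximates it: the rawbody pattern is applied to each decoded text/plain line (which is what its ^ and $ anchors imply), the body pattern to every line unanchored. The messages and the LOCAL_URIBL set are constructed for the example; the two listed hosts are taken from the spam quoted earlier in this thread. The yahoo Message-ID meta Martin mentions is not shown in the thread and is left out.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Martin's sub-rules, copied from the post. SA uses Perl regexes, but
# these two use nothing that behaves differently under Python's re.
MG_BU1 = re.compile(r"^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$")
MG_BU2 = re.compile(r"http:\S{1,70}", re.IGNORECASE)

# Stand-in for the private URIBL (constructed; hosts are from the spam
# quoted earlier in this thread).
LOCAL_URIBL = {"zouqqihu.isthe.name", "igtivilo.php0h.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def plain_text_lines(raw):
    """Decode every text/plain part of a raw RFC822 message into lines.
    This is the per-line view that __MG_BU1's anchors are applied to."""
    msg = message_from_string(raw)
    lines = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        lines.extend(payload.decode(charset, "replace").splitlines())
    return lines


def uri_hosts(lines):
    """Lower-cased hostnames of every URL in the text, for the URIBL lookup."""
    hosts = set()
    for line in lines:
        for m in URL_RE.finditer(line):
            host = urlsplit(m.group(0).rstrip(".,;:)")).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def evaluate(raw):
    """Return {rule name: hit} for both sub-rules, the URIBL check and the meta."""
    lines = plain_text_lines(raw)
    hits = {
        "__MG_BU1": any(MG_BU1.search(line) for line in lines),
        "__MG_BU2": any(MG_BU2.search(line) for line in lines),
        "__LOCAL_URIBL": bool(uri_hosts(lines) & LOCAL_URIBL),
    }
    # meta MG_BARE_URL  __MG_BU1 && (__MG_BU2 || __LOCAL_URIBL)
    hits["MG_BARE_URL"] = hits["__MG_BU1"] and (hits["__MG_BU2"] or hits["__LOCAL_URIBL"])
    return hits


def _msg(body):
    """Wrap a constructed body in a minimal header block."""
    return ("From: sender@example.invalid\nSubject: hi\n"
            "Content-Type: text/plain; charset=utf-8\n\n" + body)


# Constructed samples.
SPAM_BARE_URL = _msg("http://zouqqihu.isthe.name/\n")
# Listed host but https: __MG_BU2 misses, the URIBL leg still carries the meta.
SPAM_HTTPS_LISTED = _msg("https://igtivilo.php0h.com/\n")
# Ham with the URL inside a sentence: no bare single-token line, so __MG_BU1 misses.
HAM_URL_IN_SENTENCE = _msg(
    "Hi Bob, the report is at http://intranet.example/report - see attached.\n"
    "Thanks for the help yesterday, it saved me hours.\n")
# Ham with a URL and a one-word sign-off: the sign-off line alone satisfies
# __MG_BU1, which is the kind of false positive the rule can produce.
HAM_WITH_SIGNOFF = _msg(
    "Hi Bob, the report is at http://intranet.example/report - see attached.\n"
    "\nThanks,\nAlice\n")

if __name__ == "__main__":
    for name in ("SPAM_BARE_URL", "SPAM_HTTPS_LISTED",
                 "HAM_URL_IN_SENTENCE", "HAM_WITH_SIGNOFF"):
        print(name, evaluate(globals()[name]))
```

The last sample is worth keeping in a local test corpus: __MG_BU1 is satisfied by any line that is a single token, so a short sign-off plus a URL anywhere in the body fires the meta. That is exactly why the meta is ANDed with a URL or URIBL hit and why it belongs in a low-scoring rule stacked with other evidence rather than on its own.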
Re: Single-link spam
Hi,

http://pastebin.com/DVEGBE3j http://pastebin.com/Z97tBVE4

I'm recognising bodies that contain just a URL with a meta rule, MG_BARE_URL, that ANDs this:

rawbody __MG_BU1 /^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$/

with either this:

body __MG_BU2 /http:\S{1,70}/i

or a domain that's in a private URIBL. Finally, I'm using another meta that fires if the msg-id says that yahoo originated the message. That caught both of your examples.

That seems to help, thanks. I've also been using your yahoo msg-id rule for some time, and have had some success with it. Not sure why it didn't trigger here with the samples I posted.

Kris, thanks for your help as well. It looks like body checks are all that's feasible with spam like this.

Thanks,
Alex