Increase in Image Spam
I've been seeing a pretty big increase in image spam over the last month or so. I remember using FuzzyOCR years ago when image spam was a much bigger problem. Since FuzzyOCR hasn't been maintained in several years, is there an alternative that would work? Or is there another way to try and catch them?

They don't really hit on any rules

X-Spam-Status: No, score=3.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
    SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.0-rc5

Thanks
Andy
Re: Increase in Image Spam
On Feb 11, 2014, at 10:25 AM, Andy Jezierski ajezier...@stepan.com wrote:
> They don't really hit on any rules

A number of image spams have certain template formats and I've written custom rules to catch many... however, I've been hesitant to release those rules publicly since spammers could just change their templates easily to circumvent this.

(Most image spams for me hit moderate or very low Bayes scores, sometimes Bayes_00, presumably due to the low amount of spammy tokens and large amount of innocuous/hammy tokens...)

I could release the rules publicly but that may end up backfiring, per above. John, Kevin, what do you guys think?

--- Amir
Re: Increase in Image Spam
On Tue, 11 Feb 2014, Amir Caspi wrote:
> I could release the rules publicly but that may end up backfiring, per above. John, Kevin, what do you guys think?

Spammers can install SpamAssassin as easily as anyone else, that's a known risk. Any rules we provide they can potentially test against their spams to minimize score. How much they actually *do* this I can't say.

We could try it with one of your rules, and if it suddenly stops hitting then the spammers are reacting.

I think it has value, even if they do react.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
---
Tomorrow: Abraham Lincoln's and Charles Darwin's 205th Birthdays
Re: Increase in Image Spam
On 2014-02-11 18:25, Andy Jezierski wrote:
> They don't really hit on any rules
> X-Spam-Status: No, score=3.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
>     SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.0-rc5

bayes is seeing it as spam, so it might be in vain :)

well if bayes is well trained you can add more meta score to that hit, but also maybe meta it with not user in spf whitelist or something ?

eg if spf pass domain is spamming remove it from local.cf as whitelisted for that envelope sender, not From: header

    meta UNTRUSTED_SPF_PASS (SPF_PASS && !USER_IN_SPF_WHITELIST)

score based on that meta

to distinguish that this is useful add

    whitelist_from_spf *@foo.example.com

to local.cf for sender domains that is not spamming

same meta can be made with dkim
Re: Increase in Image Spam
On Tue, 11 Feb 2014 20:22:00 +0100 Benny Pedersen wrote:
> On 2014-02-11 18:25, Andy Jezierski wrote:
>> They don't really hit on any rules
>> X-Spam-Status: No, score=3.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
>>     SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.0-rc5
> bayes is seeing it as spam, so it might be in vain :)
> well if bayes is well trained you can add more meta score to that hit, but also maybe meta it with not user in spf whitelist or something ?

Actually I find BAYES_99 to be so reliable that I'd be happy to score it above 5.0. Others have made similar comments too.
Re: Increase in Image Spam
On 2014-02-11 20:59, RW wrote:
> Actually I find BAYES_99 to be so reliable that I'd be happy to score it above 5.0. Others have made similar comments too.

there is a number of ways to punish spf pass domains for spamming :)

    blacklist_from *@foo.example.org

and for the bayes one could make another meta like:

    meta NOT_BAYES_HAM_SPF_PASS (!BAYES_00 && SPF_PASS)

or simply reject sender domain in mta
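
An added example, not written by any poster in this thread: a small Python what-if check that parses the X-Spam-Status header quoted above and evaluates the two proposed meta rules against it, to see whether they would move the message over the threshold before anything goes into local.cf. The scores 2.0 and 0.5 and all function names are assumptions; the expressions are written with explicit `&&`, and only the boolean subset of meta syntax is handled.

```python
import re

# Constructed sample: the X-Spam-Status header quoted in the thread, folded.
SAMPLE = ("X-Spam-Status: No, score=3.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
          "\tSPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.0-rc5")

# Meta rules proposed in the thread; the scores are assumptions, not defaults.
METAS = {
    "UNTRUSTED_SPF_PASS": ("SPF_PASS && !USER_IN_SPF_WHITELIST", 2.0),
    "NOT_BAYES_HAM_SPF_PASS": ("!BAYES_00 && SPF_PASS", 0.5),
}
TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_]\w*)")

def parse_status(header):
    """Return (score, required, hits) from a possibly folded X-Spam-Status."""
    value = re.sub(r",\s+", ",", header.split(":", 1)[1])
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests = re.search(r"tests=(\S*)", value).group(1)
    return score, required, set(tests.split(",")) - {"", "none"}

def eval_meta(expr, hits):
    """Evaluate the boolean subset of a meta expression: && || ! ( )."""
    out, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text in meta: {expr[pos:]!r}")
        tok = m.group(1)
        if tok[0].isalpha() or tok[0] == "_":
            out.append(str(tok in hits))   # rule name -> did it hit?
        else:
            out.append({"&&": "and", "||": "or", "!": "not"}.get(tok, tok))
        pos = m.end()
    try:
        # Only True/False/and/or/not/parentheses reach eval at this point.
        return bool(eval(" ".join(out), {"__builtins__": {}}))
    except SyntaxError as exc:
        # e.g. two rule names with no operator between them
        raise ValueError(f"malformed meta expression: {expr!r}") from exc

def what_if(header, metas=METAS):
    """Return (new_score, is_spam, fired) if the metas were added to local.cf."""
    score, required, hits = parse_status(header)
    fired = sorted(n for n, (expr, _) in metas.items() if eval_meta(expr, hits))
    total = round(score + sum(metas[n][1] for n in fired), 3)
    return total, total >= required, fired

if __name__ == "__main__":
    print(what_if(SAMPLE))
```

Running the same check over headers from known-good mail that passes SPF shows how much ham the added score would push toward the threshold.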
ANNOUNCE: Apache SpamAssassin 3.4.0 available
On behalf of the project, I am pleased to announce the availability of Apache SpamAssassin version 3.4.0.

The Press Release is available on the ASF Blog at http://s.apache.org/G6b

Release Notes follow. Downloads are available at http://spamassassin.apache.org/downloads.cgi with some mirror issues possible as mirrors continue to update for the new release.

Sincerely,
Kevin A. McGrail aka KAM
VP Chair, ASF SpamAssassin Project

Release Notes -- Apache SpamAssassin -- Version 3.4.0

Introduction

This is a major release. It introduces over two years of bug fixes and features since the release of SpamAssassin 3.3.2 on June 16, 2011.

3.4.0 includes the Bayes Redis (http://redis.io/) back-end (bug 6879), EDNS0 changes (bug 6910), native IPv6 support, numerous URIBL.pm changes or features and a small API change in libspamc (bug 6562) with many other subtle changes.

SpamAssassin was tested on perl 5.18.2, and (out of curiosity) also on a Raspberry Pi (ARM6, Raspbian / Debian 7.2 Wheezy, perl 5.14.2) ... yes, it is 20 times slower compared to i7-960 CPU, but all tests pass!

Overall, this release has been tested on many production-level environments for nearly a year, including testing on an IPv6-only host. It is highly recommended and stable.

NOTE: Complete changes are available at http://svn.apache.org/repos/asf/spamassassin/branches/3.4/Changes

Notable Sendmail Bug

Sendmail 8.14.5 and below contain a canonicalization misfeature / bug that can cause DKIM failures. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6462.

Compatibility with version 3.3.2

* DNS queries generated by SpamAssassin now enable option EDNS0 in query packets and specify a buffer size of 4096 bytes by default. This allows DNS replies larger than 512 bytes to be returned in one UDP datagram, avoiding a need for re-issuing a failed query over a TCP protocol. This default setting is well suited if a DNS resolver (i.e. a recursive DNS server) is located on the same LAN as a host running SpamAssassin, which is the usual setup for all but perhaps some home uses of SpamAssassin. The option should be disabled (by 'dns_options noedns0') when a recursive DNS server is only reachable through some old-fashioned firewall or through some picky router with deep packet inspection which bans DNS UDP messages larger than 512 bytes, or blocks fragmented UDP datagrams. The 'dns_options' setting is documented in Mail::SpamAssassin::Conf POD or man page, more details in bug 6910 and bug 6862.

* A default setting for option 'dns_available' was changed from 'test' to 'yes' (bug 6770, bug 6769), so SpamAssassin now assumes by default that it is running on a host with an internet connection and a working DNS resolver. If this is not the case, please configure this option explicitly. The change avoids surprises on an otherwise well connected host which may experience a temporary DNS unavailability at the system startup time or a temporary network outage when spamd was starting, and the initial failed test would disable DNS queries permanently. The option is documented in the Mail::SpamAssassin::Conf POD or man page.

* When Bayes classification is in use and messages are 'learned' as spam or ham and stored in a database, the Bayes plugin generates internal message IDs of learned messages and stores them in a 'seen' database to avoid re-learning duplicates and accidental un-learning messages that were not previously learned. With changes in bug 5185, the calculation of message IDs in a bayes 'seen' database has changed, so new code can no longer associate new messages with those learned before the change. Note that this change does not affect recognition of old tokens and the classification algorithm, only duplicate detection and unlearning of old messages is affected.

Because of this change, if you use Bayes and you are upgrading from a version prior to 3.4.0, you may consider wiping your Bayes database and starting fresh. However, this is not mandatory. If you choose to keep your current database tokens, these are the ramifications:

1 - If you re-process emails that have already been learned before, it will create duplicate entries because of the new msg_id format. The duplicates will expire, eventually, and should cause minimal impact unless it occurs frequently.

2 - If you try and unlearn or reclassify an email processed prior to the upgrade, the system will be unable to do so because of the new msg_id format.

If unlearning a message (that was learned before the change) is important, consider just clearing your Bayes store and starting from scratch.

Dependency changes since version 3.3.2

Dependency on the following Perl modules were dropped: Net::Ident, IP::Country::Fast and IP::Country.

Dependency on a perl module LWP::UserAgent as used by sa-update is now made optional if any of programs
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 11.02.14 20:21, Kevin A. McGrail kmcgr...@apache.org wrote:
> On behalf of the project, I am pleased to announce the availability of Apache SpamAssassin version 3.4.0.
> The Press Release is available on the ASF Blog at http://s.apache.org/G6b
> Release Notes follow. Downloads are available at http://spamassassin.apache.org/downloads.cgi with some mirror issues possible as mirrors continue to update for the new release.
> Sincerely,
> Kevin A. McGrail aka KAM
> VP Chair, ASF SpamAssassin Project

Hello,

I've upgraded to version 3.4.0 and now I'm getting these errors from cron

--snip
test -e /usr/sbin/amavisd-new-cronjob /usr/sbin/amavisd-new-cronjob sa-clean

plugin: failed to parse plugin (from @INC): decode_dns_question_entry is not exported by the Mail::SpamAssassin::Util module
Can't continue after import errors at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192
BEGIN failed--compilation aborted at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192.
Compilation failed in require at (eval 90) line 1
--snap

Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.

--
With kind regards,
Jim Knuth
Lord, what fools these mortals be! (William Shakespeare)
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 2014-02-12 02:33, Jim Knuth wrote:
> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007

as i read it you have found a bug, which i created a ticket for now
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 12.02.14 02:39, Benny Pedersen m...@junc.eu wrote:
> On 2014-02-12 02:33, Jim Knuth wrote:
>> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007
> as i read it you have found a bug, which i created a ticket for now

really? Thank you. :) For now I have deactivated the entry in v340.pre.

--
With kind regards,
Jim Knuth
The empires of the future are empires of the mind. [Churchill]
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 2014-02-12 02:48, Jim Knuth wrote:
> really? Thank you. :) For now I have deactivated the entry in v340.pre.

if you have found workaround as well post it to the ticket :)

i might be wrong
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 12.02.14 02:50, Benny Pedersen m...@junc.eu wrote:
> On 2014-02-12 02:48, Jim Knuth wrote:
>> really? Thank you. :) For now I have deactivated the entry in v340.pre.
> if you have found workaround as well post it to the ticket :)
> i might be wrong

yes, I'll do that.

--
With kind regards,
Jim Knuth
There is nothing we like to pass on to others so much as the seal of secrecy, together with what lies beneath it. [Nietzsche]
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 12.02.14 02:50, Benny Pedersen m...@junc.eu wrote:
> On 2014-02-12 02:48, Jim Knuth wrote:
>> really? Thank you. :) For now I have deactivated the entry in v340.pre.
> if you have found workaround as well post it to the ticket :)
> i might be wrong

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007#c1

--
With kind regards,
Jim Knuth
Everything that is pondered a great deal becomes questionable! (Friedrich Nietzsche)
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
Benny Pedersen wrote:
> On 2014-02-12 02:33, Jim Knuth wrote:
>> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007
> as i read it you have found a bug, which i created a ticket for now

The Bug 7007 does not have a problem description.

Jim Knuth wrote:
> I've upgraded to version 3.4.0 and now I'm getting these errors from cron
> test -e /usr/sbin/amavisd-new-cronjob /usr/sbin/amavisd-new-cronjob sa-clean

What is amavisd-new-cronjob and what does it do? It is not something that comes with amavisd-new.

> plugin: failed to parse plugin (from @INC): decode_dns_question_entry is not exported by the Mail::SpamAssassin::Util module
> Can't continue after import errors at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192
> BEGIN failed--compilation aborted at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192.
> Compilation failed in require at (eval 90) line 1

The decode_dns_question_entry *is* exported by the Mail::SpamAssassin::Util module. Perhaps you are running a new plugin while an old Util.pm is installed on the system (which doesn't have that sub exported).

> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.

Try fully installing the 3.4.0 before running a test.

Mark
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 12.02.14 03:20, Mark Martinec mark.martinec...@ijs.si wrote:
> Benny Pedersen wrote:
>> On 2014-02-12 02:33, Jim Knuth wrote:
>>> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007
>> as i read it you have found a bug, which i created a ticket for now
> The Bug 7007 does not have a problem description.

now it is complete. I overlooked that, sorry.

> Jim Knuth wrote:
>> I've upgraded to version 3.4.0 and now I'm getting these errors from cron
>> test -e /usr/sbin/amavisd-new-cronjob /usr/sbin/amavisd-new-cronjob sa-clean
> What is amavisd-new-cronjob and what does it do? It is not something that comes with amavisd-new.

it comes with Debian. Make sa-clean. See above.

>> plugin: failed to parse plugin (from @INC): decode_dns_question_entry is not exported by the Mail::SpamAssassin::Util module
>> Can't continue after import errors at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192
>> BEGIN failed--compilation aborted at /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/AskDNS.pm line 192.
>> Compilation failed in require at (eval 90) line 1
> The decode_dns_question_entry *is* exported by the Mail::SpamAssassin::Util module. Perhaps you are running a new plugin while an old Util.pm is installed on the system (which doesn't have that sub exported).
>> Util.pm and AskDNS.pm both are available. What must I do? Any ideas or solution greatly appreciated. Thanks.
> Try fully installing the 3.4.0 before running a test.

I have installed that via CPAN.

> Mark

--
With kind regards,
Jim Knuth
I have nothing against God. It's just his fan clubs that get on my nerves!
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
Jim, what did you comment out more specifically?

Jim Knuth j...@jkart.de wrote:
> On 12.02.14 02:50, Benny Pedersen m...@junc.eu wrote:
>> On 2014-02-12 02:48, Jim Knuth wrote:
>>> really? Thank you. :) For now I have deactivated the entry in v340.pre.
>> if you have found workaround as well post it to the ticket :)
>> i might be wrong
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007#c1
> --
> With kind regards,
> Jim Knuth
> Everything that is pondered a great deal becomes questionable! (Friedrich Nietzsche)

Regards,
KAM
Re: ANNOUNCE: Apache SpamAssassin 3.4.0 available
On 12.02.14 03:50, Kevin A. McGrail kmcgr...@pccc.com wrote:
> Jim, what did you comment out more specifically?
> Jim Knuth j...@jkart.de wrote:
>> On 12.02.14 02:50, Benny Pedersen m...@junc.eu wrote:
>>> On 2014-02-12 02:48, Jim Knuth wrote:
>>>> really? Thank you. :) For now I have deactivated the entry in v340.pre.
>>> if you have found workaround as well post it to the ticket :)
>>> i might be wrong
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7007#c1
> Regards,
> KAM

1. My workaround. I overlooked that Benny made no description. Sorry.
2. The complete description of the bug. And I have looked at the Perl modules. They are all of the new version of SA.

--
With kind regards,
Jim Knuth
One must carve one's life from the wood one has available. (Theodor Storm)