Re: getting tons of SPAM

2014-06-27 Thread Matus UHLAR - fantomas

On 06/26/2014 04:23 PM, motty cruz wrote:

as you can see, looks like Amavisd did not scan, spamassassin should have
stopped this email.


yes, it really looked in the original mail that amavis did not scan it. The
question is why it did not scan it. check the logs to see the reason - if
amavis does not scan e-mail, it's impossible to block it

(if you use amavis there's no apparent reason to use spamassassin
separately, since amavis uses spamassassin)

On 26.06.14 08:02, motty cruz wrote:

I apologize, I did not articulate my questions correctly. Spamassassin is
enabled but did not block spam, I know my configuration is wrong. I was
wondering if someone can help me figure it out.



# languages allow
ifplugin Mail::SpamAssassin::Plugin::TextCat

ok_languages en es
ok_locales  en es


you should understand that ok_locales has nothing to do with the TextCat plugin.
It only detects the charset class; now it scores non-Latin alphabets like
Cyrillic, Chinese etc.


whitelist_from mtc-dist.com


it's very unsafe to use whitelist_from, spammers forge sender domains to
work around this! 


finally, don't play with scores, but check out if you use network checks and
have loaded plugins like razor/pyzor/dcc, and also if the razor/pyzor/dcc
are installed on your system.


## Optional Score Increase last 4.0 increase to 4.5
score BAYES_50 1.800
score BAYES_60 2.200
score BAYES_80 3.200
score BAYES_95 3.500
score BAYES_99 4.500
score BODY_ENHANCEMENT 2.513
score BODY_ENHANCEMENT2 1.513
score DRUGS_ERECTILE 3.513
score DRUG_ED_SILD 2.013
score HELO_DYNAMIC_DHCP 2.513
score HS_INDEX_PARAM 1.513
score ONLINE_PHARMACY 3.013
score RDNS_DYNAMIC 1.013
score RDNS_NONE 2.013
score STOX_REPLY_TYPE 2.013
score SUBJ_BUY 2.013
score TVD_VISIT_PHARMA 2.913
score TVD_SPACE_RATIO 1.913


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Funky HARP Spam

2014-06-27 Thread RW
On Thu, 26 Jun 2014 19:02:42 -0600
Philip Prindeville wrote:


 
 Since #x042C is outside the US-ASCII character set, this would be an
 encoding violation.

It's not.

In HTML #x042C is an ASCII representation of a unicode character. It
represents a character within HTML, but as far as mime is concerned
it's 7 characters - that's the whole point of allowing unicode to be
represented this way. Actually the mime section it's in is text/html,
not text/plain, but it's legal either way.


As I mentioned before, the real violation is in the previous mime
section, which claims 7bit, but contains octets with the high-bit set. 
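
The two cases RW distinguishes above, as an added example that is not part of the original thread: a Python check that flags leaf MIME parts declared 7bit (or carrying no Content-Transfer-Encoding header, which defaults to 7bit) whose body contains octets with the high bit set, while an ASCII-only numeric character reference in the HTML part passes. The function name and the sample message are constructed for illustration.

```python
import email

def find_7bit_violations(raw: bytes):
    """Return (part_index, content_type, high_octet_count) for each leaf MIME
    part that claims 7bit but carries octets >= 0x80."""
    msg = email.message_from_bytes(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers have no body octets of their own
        # RFC 2045: a missing Content-Transfer-Encoding means 7bit.
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte != "7bit":
            continue
        # For 7bit, decode=True hands back the original body octets unchanged.
        body = part.get_payload(decode=True) or b""
        high = sum(1 for octet in body if octet >= 0x80)
        if high:
            findings.append((idx, part.get_content_type(), high))
    return findings

# Constructed sample: the text/plain part carries raw UTF-8 octets under a
# 7bit label; the text/html part spells the same character as an ASCII entity.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"raw octets: \xd0\xac\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"<p>entity: &#x042C;</p>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for idx, ctype, count in find_7bit_violations(SAMPLE):
        print(f"part {idx} ({ctype}): {count} high-bit octets under 7bit")
```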


Re: getting tons of SPAM

2014-06-27 Thread motty cruz
Thank you,
I can't figure out why spammy email gets very little score,

X-Quarantine-ID: 4QFxoaNchYOk
X-Virus-Scanned: amavisd-new at fqdn.com
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of
header
X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001,
T_RP_MATCHES_RCVD=-0.01]
---
Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri, 27
Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
From: Pimsleur Approach l...@cuxrrb.com
Date: Fri, 27 Jun 2014 08:58:12 -0400
Subject: Want to speak a foreign language but don't have a lot of time?

Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hinbi...@cuxrrb.com

MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451


--b89161365ddc621bf5b4340f2659783e69.692014062755451
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

You've received the alternative text version of an HTML email.

If you'd like a good view of this email, please open it in your computer.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<TITLE>Language Learning</TITLE>
</head>
<body style=






Re: getting tons of SPAM

2014-06-27 Thread Matus UHLAR - fantomas

On 27.06.14 07:50, motty cruz wrote:

I can't figure out why spammy email gets very little score,



X-Quarantine-ID: 4QFxoaNchYOk
X-Virus-Scanned: amavisd-new at fqdn.com
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of
   header


This might explain much. seems that the mail was broken somehow.
Did you use default configs for spamassassin and amavis?


X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
   tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1,
   DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001,
   T_RP_MATCHES_RCVD=-0.01]
---
Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri, 27
Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
From: Pimsleur Approach l...@cuxrrb.com
Date: Fri, 27 Jun 2014 08:58:12 -0400
Subject: Want to speak a foreign language but don't have a lot of time?

Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hinbi...@cuxrrb.com



MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Funky HARP Spam

2014-06-27 Thread Philip Prindeville

On Jun 27, 2014, at 7:30 AM, RW rwmailli...@googlemail.com wrote:

 
 As I mentioned before, the real violation is in the previous mime
 section, which claims 7bit, but contains octets with the high-bit set. 


Yup.  Just submitted a patch for this:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7063



SOLVED: Re: Bayer Filter Not Working

2014-06-27 Thread Bruce Sackett


 On Jun 25, 2014, at 8:45 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
 
 On Tue, 24 Jun 2014 15:42:22 -0700
 Bruce Sackett wrote:
 I apologize, I’m sure it’s been covered, but I have not been
 successful finding results in searches on the web or through the
 history of the list.  I get no BAYES results in the headers, so I
 don’t see any working.
 
 On Jun 25, 2014, at 5:44 AM, RW rwmailli...@googlemail.com wrote:
 Have you trained it? It requires 200 spam and 200 ham emails before it
 starts to classify.
 
 On 25.06.14 08:22, Bruce Sackett wrote:
 I have older Ubuntu’s that work, so I kinda know the process, but it’s a
 big package.  Any help is appreciated.  The main thing that worries me is
 the Logger.pm error - is that stopping the Bayes processing
 
 are you sure you have trained into the right database?
 it seems you are using amavis and that it's using site-wide BAYES database.
 
 I have trained it:
 0.000          0          3          0  non-token data: bayes db version
 0.000          0       6664          0  non-token data: nspam
 0.000          0        473          0  non-token data: nham
 0.000          0     134908          0  non-token data: ntokens
 0.000          0 1370728914          0  non-token data: oldest atime
 0.000          0 1403706445          0  non-token data: newest atime
 0.000          0 1402120803          0  non-token data: last journal sync atime
 0.000          0 1400652018          0  non-token data: last expiry atime
 0.000          0    1382400          0  non-token data: last expire atime delta
 0.000          0      26988          0  non-token data: last expire reduction c
 
 Jun 25 07:53:29.670 [13397] dbg: bayes: tie-ing to DB file R/W /var/lib/amavis/.spamassassin/bayes_toks
 Jun 25 07:53:29.672 [13397] dbg: bayes: tie-ing to DB file R/W /var/lib/amavis/.spamassassin/bayes_seen
 
 -- 
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 I'm not interested in your website anymore.
 If you need cookies, bake them yourself.


I found the rather unusual solution to this problem, and I believe it may be 
unique to Ubuntu 12.04.

The way I fixed it was one command: 
mv /usr/share/perl5/Mail/SpamAssassin/Logger.pm /usr/local/share/perl/5.14.2/Mail/SpamAssassin/

The Bayes filter immediately started working and the Logger.pm message went 
away.

SA rule to detect prior SA pass?

2014-06-27 Thread David B Funk

Looking at my mail streams I see evidence that spammers sometimes
add faked SpamAssassin headers to their messages (I assume to try
to trick recipients into thinking that the message has already been
given a clean bill-of-health).

I wrote a few test rules to look for these pre-existing X-Spam-
headers to test to see if it could be used as a spam detector.
However I got no hits on these rules even on hand crafted test
messages that contained such stuff.

Checking the SA source I found in PerMsgStatus.pm a line of code:
  $self->{msg}->delete_header('X-Spam-.*');
that ran before any tests. So looking for SA headers inside of SA
is pointless.

So does anybody have any ideas how to test for evidence of a
prior SA pass?



--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: SA rule to detect prior SA pass?

2014-06-27 Thread Jari Fredriksson
28.06.2014 04:43, David B Funk kirjoitti:
 Looking at my mail streams I see evidence that spammers sometimes
 add faked SpamAssassin headers to their messages (I assume to try
 to trick recipients into thinking that the message has already been
 given a clean bill-of-health).

 I wrote a few test rules to look for these pre-existing X-Spam-
 headers to test to see if it could be used as a spam detector.
 However I got no hits on these rules even on hand crafted test
 messages that contained such stuff.

 Checking the SA source I found in PerMsgStatus.pm a line of code:
   $self->{msg}->delete_header('X-Spam-.*');
 that ran before any tests. So looking for SA headers inside of SA
 is pointless.

 So does anybody have any ideas how to test for evidence of a
 prior SA pass?




This is my script /etc/maildroprc

# IF ALREADY SCANNED AND FOUND SPAM, DO NOT RE-SCAN
if (/^X-Spam-Status: Yes/:h)
{
 # strip markup, and re-test
 if (/^X-FredSpamComment\: SpamAssassin called at jarif\.iki\.fi\./)
 {
  # Already scanned by us, this is when spam resends mail to users when they are clean.
  SCAN_SPAM=0
 }
 else
 {
  xfilter "/usr/bin/spamassassin --remove-markup --nocreate-prefs"
 }
}



-- 
jarif.bit






Re: SA rule to detect prior SA pass?

2014-06-27 Thread Jari Fredriksson
28.06.2014 05:47, Jari Fredriksson kirjoitti:
 28.06.2014 04:43, David B Funk kirjoitti:
 Looking at my mail streams I see evidence that spammers sometimes
 add faked SpamAssassin headers to their messages (I assume to try
 to trick recipients into thinking that the message has already been
 given a clean bill-of-health).

 I wrote a few test rules to look for these pre-existing X-Spam-
 headers to test to see if it could be used as a spam detector.
 However I got no hits on these rules even on hand crafted test
 messages that contained such stuff.

 Checking the SA source I found in PerMsgStatus.pm a line of code:
   $self->{msg}->delete_header('X-Spam-.*');
 that ran before any tests. So looking for SA headers inside of SA
 is pointless.

 So does anybody have any ideas how to test for evidence of a
 prior SA pass?



 This is my script /etc/maildroprc

 # IF ALREADY SCANNED AND FOUND SPAM, DO NOT RE-SCAN
 if (/^X-Spam-Status: Yes/:h)
 {
  # strip markup, and re-test
  if (/^X-FredSpamComment\: SpamAssassin called at jarif\.iki\.fi\./)
  {
   # Already scanned by us, this is when spam resends mail to users when they are clean.
   SCAN_SPAM=0
  }
  else
  {
   xfilter "/usr/bin/spamassassin --remove-markup --nocreate-prefs"
  }
 }




And the glue. Later (lots later!) in the same script:

#
# Here we go! (Death to Spam lol)
#
if ( $SCAN_SPAM == 1 )
{
 xfilter "spamc -H -x --max-size=500 -d spamd -u spam"
 xfilter "reformail -A'X-FredSpamComment: SpamAssassin called at tempest.fredriksson.dy.fi'"
}

If you want to write your own glue, you have the Force. If you rely on SA
alone or Amavis it's harder.

-- 
jarif.bit
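
The glue idea from this thread, as an added example that is not code from any of the posters or from SpamAssassin: a Python pre-filter that runs before SA, separates X-Spam-* headers that were already in the message on arrival from those stamped locally, and records the former in a header SA will not strip, so that a local `header` rule can match on it. The header name `X-Prior-SA`, the host `mx.example.org` and the sample message are hypothetical; it assumes your boundary MTA always prepends its own Received line and that the input starts at the first header.

```python
import email
import re

def prior_spam_headers(raw: bytes, our_host: str):
    """Return (ours, foreign): X-Spam-* headers above / below the first
    Received header stamped "by <our_host>". MTAs and filters prepend, so
    anything below that line was already in the message when it arrived."""
    msg = email.message_from_bytes(raw)
    by_us = re.compile(r"\bby\s+" + re.escape(our_host) + r"(?![\w.-])", re.I)
    ours, foreign, crossed = [], [], False
    for name, value in msg.items():
        lname = name.lower()
        if lname == "received" and not crossed and by_us.search(str(value)):
            crossed = True
        elif lname.startswith("x-spam-"):
            (foreign if crossed else ours).append((name, str(value)))
    if not crossed:  # no trusted hop found: trust none of them
        ours, foreign = [], ours
    return ours, foreign

def tag_prior_scan(raw: bytes, our_host: str) -> bytes:
    """Prepend X-Prior-SA (hypothetical name, deliberately outside X-Spam-*)
    listing the foreign headers, so the finding survives SA's header cleanup."""
    _, foreign = prior_spam_headers(raw, our_host)
    if not foreign:
        return raw
    names = ",".join(sorted({n.lower() for n, _ in foreign}))
    return b"X-Prior-SA: " + names.encode("ascii", "replace") + b"\r\n" + raw

# Constructed sample: one X-Spam-Status added locally (above our Received line)
# and two X-Spam-* headers that arrived with the message (below it).
SAMPLE = (
    b"X-Spam-Status: No, score=0.1 required=5.0\r\n"
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.example.org with ESMTP id 4QF0; Fri, 27 Jun 2014 08:58:12 -0400\r\n"
    b"X-Spam-Status: No, score=-2.0 required=5.0\r\n"
    b"X-Spam-Flag: NO\r\n"
    b"Received: from app by mail.sender.example; Fri, 27 Jun 2014 08:58:10 -0400\r\n"
    b"From: sender@sender.example\r\n"
    b"Subject: constructed test message\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    ours, foreign = prior_spam_headers(SAMPLE, "mx.example.org")
    print("ours:", ours)
    print("foreign:", foreign)
```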



