Re: Penalty for no/bad SPF

2018-01-27 Thread Joseph Brennan


I've noticed anecdotally that many times when a legitimate source has no 
PTR on the mail host, or has a PTR with no matching A record, the domain 
does have a SPF record authorizing the host. This carelessness is probably 
born from ignorance or overwork. The PTR pass could be used to balance out 
the PTR fail. I have not had a chance yet to test this out in real mail 
flow to see how close it comes to being something good enough to reject 
mail.


Joseph Brennan






Re: New idea for stopping spam

2018-01-27 Thread Joseph Brennan


Ted Mittelstaedt wrote:

> I have noticed that spam tracks current events.

We've had a run of spam recently with a teaser subject that Megyn Kelly 
might quit Fox news. That's a little less than current!


Joseph Brennan






Re: Scoring Issues

2018-01-27 Thread Benny Pedersen

Daniele Duca wrote on 2018-01-27 11:35:

> You are spot on, spammers are much more competent in setting up
> spf/dkim than most of legit mail administrators.

sadly true

> I personally score spf/dkim that passes at 0 and only penalize the 
> fails

score 0 is disable tag if it literally 0

i just whitelist spammers that does not spam


Re: Scoring Issues

2018-01-27 Thread Ralph Seichter
On 27.01.18 16:32, Daniele Duca wrote:

> > score SPF_PASS -0.001
> > score SPF_HELO_PASS -0.001
>
> I know, I meant to write that I score them at 0.001 (no minus sign in
> my case) but I'm lazy :)

I trust you are aware that you actually penalise senders which pass the
SPF check if you use a greater-than-zero score? Minus signs matter. ;-)

-Ralph


Re: Scoring Issues

2018-01-27 Thread Daniele Duca

On 27/01/2018 14:01, David Jones wrote:

> If you set those to 0, then you could be disabling many other helpful 
> meta rules that use them.  It is recommended to set them to a very 
> small non-zero number as others have said:
>
> score SPF_PASS -0.001
> score SPF_HELO_PASS -0.001

I know, I meant to write that I score them at 0.001 (no minus sign in my 
case) but I'm lazy :)


Re: New idea for stopping spam

2018-01-27 Thread Axb

Where I sit this is done by feeding spamtraps to Bayes.
No need to name it something fancy.
It's been working for over a decade and will keep on feeding my 30GB 
Bayes/Redis DB.


On 01/26/2018 08:49 PM, Ted Mittelstaedt wrote:

Hi All,

OK I've been doing some sociological analysis of the spam I've been 
getting on my honeypot, Bayes feeder email boxes (dangerous, I know)
and I've come up with what I think MIGHT be a way to fight spam
that I wanted to run up the flagpole.

We all know ONE basic thing about spam:

Spammers send it BECAUSE IT WORKS.  That is, it gets OPENED and read.

Now obviously anyone reading this list probably has the smarts to
not be reading spam.  But we all know that SOMEONE must be reading it,
otherwise the spammers would give up and find some other criminal
activity to engage in because it wouldn't work.

So, my idea on killing spam is this:

1) Build a "spam victim archetype" filter.
2) Feed titles of current news articles into it
3) Modify the output of high scoring current news articles
into common spam titles.
4) Feed that into Bayes as spam.

I think that when spammers create titles for spam, they MUST be already 
using a "spam victim archetype" program.


For example, have you EVER gotten a piece of spam that said
something like:

"Doctors find that eating lots of green vegetables is healthy"
or
"Trump says if you work hard and save money you can be financially secure"

By contrast how many times have we all gotten spam that says
stuff like

"Doctors find a food you can eat that makes you a stud in the bedroom"
or
"Learn Trumps secrets of making lots of money"

Clearly, the spam victim archetype must LIKE titles that imply they
can eat 200 pounds of sugar a day, have enormous junk that makes
women jump all over them, and get a fat bank account by lying around
and being a lazy-ass.

They must DISLIKE titles that imply they can be thin and healthy with
a moderate diet, and have to work hard to be financially secure.

There's a PATTERN in there folks!  There is definitely a pattern in
spam titles.  I think we can all see it and it must work because it's
snaring people.

I have noticed that spam tracks current events.  When there are 
elections we get a ton of spam about elections.  When Megyn Kelly
leaves a job we get a ton of spams about that.  Clearly the
spammers must have realized they need to keep generating new
grist for the mill they cannot re-use old spam titles and get a
response.

So, I think they are feeding titles of current events news stories
into an AI program that has a victim archetype in it and what gets
scored highly, is fed into a title bank then sent out the door.

All we have to do is get there first - that is, develop the same
victim archetype, feed it the same input from current events,
and feed the output into the bayes learner in an effort to guess
the titles the spammers are going to use BEFORE THEY USE THEM.
We don't have to wait any longer to get the spams, we can stop them
before the first one is received.

Do you think this approach might work?

Ted





Re: Scoring Issues

2018-01-27 Thread David Jones

On 01/27/2018 04:35 AM, Daniele Duca wrote:

> On 26/01/2018 23:54, David B Funk wrote:
>
> > Regardless, giving -1 score for SPF_PASS and another -1 for 
> > SPF_HELO_PASS is nontrivial DainBRamage.
> >
> > It's trivial for a spammer to set up SPF on a throw-away domain and 
> > thus waltz thru that kind of filtering.
>
> You are spot on, spammers are much more competent in setting up spf/dkim 
> than most of legit mail administrators.
>
> I personally score spf/dkim that passes at 0 and only penalize the fails
>
> Daniele

If you set those to 0, then you could be disabling many other helpful 
meta rules that use them.  It is recommended to set them to a very small 
non-zero number as others have said:

score SPF_PASS -0.001
score SPF_HELO_PASS -0.001

--
David Jones


Re: Scoring Issues

2018-01-27 Thread Matus UHLAR - fantomas

On 26/01/2018 23:54, David B Funk wrote:
> > Regardless, giving -1 score for SPF_PASS and another -1 for 
> > SPF_HELO_PASS is nontrivial DainBRamage.
> >
> > It's trivial for a spammer to set up SPF on a throw-away domain and 
> > thus waltz thru that kind of filtering.

On 27.01.18 11:35, Daniele Duca wrote:
> You are spot on, spammers are much more competent in setting up 
> spf/dkim than most of legit mail administrators.
>
> I personally score spf/dkim that passes at 0 and only penalize the fails

note that score of "0" disables a rule, so this disables rules that depend
on SPF_PASS or SPF_HELO_PASS.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 


Re: Scoring Issues

2018-01-27 Thread Daniele Duca

On 26/01/2018 23:54, David B Funk wrote:

> Regardless, giving -1 score for SPF_PASS and another -1 for 
> SPF_HELO_PASS is nontrivial DainBRamage.
>
> It's trivial for a spammer to set up SPF on a throw-away domain and 
> thus waltz thru that kind of filtering.

You are spot on, spammers are much more competent in setting up spf/dkim 
than most of legit mail administrators.

I personally score spf/dkim that passes at 0 and only penalize the fails

Daniele


Re: Scoring Issues

2018-01-27 Thread Matus UHLAR - fantomas

On 26.01.18 14:39, b...@inter-control.com wrote:
> I have an issue with my setup somehow and it may be in amavis-new, 
> most spam gets detected and dealt with, some gets through and the 
> scoring seems odd.
>
> The headers that get through are usually along the lines of:
>
> X-Spam-Flag: NO
> X-Spam-Score: -1.999
> X-Spam-Level:
> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
> tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,


score SPF_PASS -0.001
score SPF_HELO_PASS -0.001

...who the hell configured SPF_PASS and SPF_HELO_PASS to score -1?
Neither of them is a sign of non-spam. in fact, spammers exploit this.

SPF only talks about FORGERY (often spam sign), not about spamminess.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.
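
The three scoring pitfalls raised in this thread (a score of 0 disabling the rule and the meta rules that use it, a positive score penalising senders that pass, and a large negative score handing credit to anyone who publishes SPF) can be checked mechanically. The following is an added example, not code from any poster or from the SpamAssassin project; `audit_scores`, `MAX_CREDIT` and the meta rule `LOCAL_SPF_HTML` are hypothetical names, and the 0.1 threshold is an assumption.

```python
import re

PASS_RULES = ("SPF_PASS", "SPF_HELO_PASS")  # rule names quoted in the thread
MAX_CREDIT = 0.1  # assumption: negative scores beyond this count as real credit

def audit_scores(conf_text, pass_rules=PASS_RULES):
    """Return sorted (rule, problem) pairs for risky scores on SPF pass rules."""
    scores, metas = {}, {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if len(parts) < 3:
            continue
        if parts[0] == "score":
            # A score line carries one value or four (one per score set).
            scores[parts[1]] = [float(v) for v in parts[2:]
                                if re.fullmatch(r"-?\d+(?:\.\d+)?", v)]
        elif parts[0] == "meta":
            # Remember every rule name the meta expression refers to.
            metas[parts[1]] = set(re.findall(r"[A-Za-z_]\w*", " ".join(parts[2:])))
    findings = set()
    for rule in pass_rules:
        for value in scores.get(rule, []):
            if value == 0:
                users = sorted(m for m, deps in metas.items() if rule in deps)
                findings.add((rule, "score 0 disables the rule; dependent meta rules: "
                              + (", ".join(users) or "none in this file")))
            elif value > 0:
                findings.add((rule, f"score {value} penalises senders that pass"))
            elif value < -MAX_CREDIT:
                findings.add((rule, f"score {value} is credit any throw-away domain can earn"))
    return sorted(findings)

# Constructed sample configuration (not taken from any poster's system).
SAMPLE = """\
score SPF_PASS 0
score SPF_HELO_PASS -1
meta LOCAL_SPF_HTML (SPF_PASS && HTML_MESSAGE)   # hypothetical local meta rule
"""

if __name__ == "__main__":
    for rule, problem in audit_scores(SAMPLE):
        print(f"{rule}: {problem}")
```

The `-0.001` values recommended in the thread produce no findings, because they keep the rules active without giving meaningful credit.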