Re: SPAM from legit a Yahoo/Gmail account
One likely scenario may be that the spammer managed to hack into an existing account, then use it to send out their garbage. One way to fix that is to ensure all humans with computer access always employ best practices for choosing and protecting secure passwords. Another possible scenario is the spammer created their own account just so their spam would look more legitimate. This is another human behavior issue for which (like the one above) there is unlikely ever to be an acceptable technological solution. You're never going to stop ALL the spam, and for situations that represent, as you said, only a few the effort to catch them is often more trouble than it's worth - or the problem may just go away (the freemail host notices and closes the account) by the time you start trying to think of a solution.

Kaleb Hosie kho...@spectraaluminum.com 03/31/10 12:18 PM
I'm wondering if anyone else has an issue with SPAM that comes from a real yahoo or gmail account? I've noticed a few emails get let into our organization every day that are sent from a free email account such as yahoo and gmail. When I do a rDNS lookup of the IP, it points back to a real server (not a spam server). Here's an example of one that just got let in:
Mar 31 12:05:34 mailgate2 spamd[14709]: spamd: processing message 39701.814...@web36505.mail.mud.yahoo.com for apache:48
Mar 31 12:05:38 mailgate2 spamd[14709]: spamd: clean message (-0.1/4.4) for apache:48 in 3.8 seconds, 22865 bytes.
Mar 31 12:05:38 mailgate2 spamd[14709]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,T_RP_MATCHES_RCVD
The subject of this email was: Launch of www.girlsandwomen.com G(irls) 20 Summit Website
Does anyone have any recommendations on how to fix that? Thanks! Kaleb
Re: bayes, numbers of tokens and performance
It doesn't really work that way. Bayes is just one part of the picture and in order to get good results you have to turn the full toolkit loose on the problem; I'm not sure Bayes by itself should be expected to achieve 95% recognition anyway. The main flaw in your current plan is that once you re-activate the BLs then your Bayes content will begin to get stale - and effectiveness is likely then to decline over time. Bayes tends to work better when trained continuously on current traffic. Rather than stop using other tools, just to get some spam to train with, perhaps you should focus more on training Bayes more actively with the spam that gets through otherwise. You're not likely ever to detect ALL the spam traffic, no matter what combination of tools you deploy - there will always be clever spammers working on ways to bypass them.

tonjg t...@freeuk.com 03/18/10 11:04 AM
Matus UHLAR - fantomas wrote:
DNS available? no
well, why? DNS helps very much for catching spam. all blacklists use DNS (afaik)
sorry, when you said dns I didn't know you were referring to the dnsbl's. I know the black lists are excellent for filtering spam but I've got those switched off so I can actually accumulate some spam for the sa-learn. I figured if I get spamassassin working really well first (ie: a 95% success rate) I would then switch the bl's back on and use both.
Re: Checking Rules
It applies all the rules, in the sense of testing each message for each condition. If a message matches the conditions of a rule then that is considered a hit on that rule. Rules that hit on a message are listed in the report. Messages that appear, to the human observer, to be very similar, are not necessarily actually similar when judged by the precision of rule evaluation criteria. A human might think these two messages both contain references to medications but for the same rules to hit the particular elements in messages that the rules test for must be alike, not merely similar. For example, a rule designed to catch references to penicillin can't catch ALL the many variant spellings and use of numerals that resemble letters that spammers employ specifically to get around such filtering techniques.

Personal Técnico tecni...@caos.uab.es 02/22/10 7:02 AM
Hi, I would like to know how SA determines what rules are applied while scanning a mail and what rules not, because I have received two mails with similar body but applied rules were different. Another question: is there any way for configuring SA for getting a detailed score of rules in a mail when X-Spam-Status: No. By default, SA does a detailed score when mail is marked as SPAM, but not in HAM cases. Thanks.
Re: bayes learning '0 messages found'
If what you presented in your message is actually the command you used, then it might be looking for some input from the keyboard - you don't illustrate having specified the particular file you want it to use following the '--mbox' option, you have --ham in that position on the line. I have not done any testing, so I can't say exactly how it would behave in that situation.

tonjg t...@freeuk.com 01/28/10 2:02 PM
Mark Martinec wrote:
If the argument is a single mbox file, precede it with a --mbox option, not with --dir .
thanks for your response but I've got a further problem now (I think). I'm trying to do the same thing with the ham command
# sa-learn --showdots --mbox --ham
but nothing's happening. When I did the spam command it showed a progression of dots and ended with a confirmation message of tokens found and 216 emails scanned. But with the ham command there's nothing happening - the cursor just dropped to the next line and it's been there for half an hour now. Is this normal?
Re: Mail not scanned
In this situation I believe Spock would say Insufficient Data . . . What o/s are you running? What is your mail handling software? How does that mail handling software interface to SpamAssassin? Are you sure the items were not scanned, or are you simply bothered that they were not marked as spam by the scan? Have you placed a complete sample with all headers on pastebin and given us the link to that so we can evaluate the message?

Lars Ebeling lars.ebel...@leopg9.no-ip.org 10/21/09 11:40 AM
Why isn't mail from United Parcel Service scanned? In the last 24 hours I have got about 20 of them and none were scanned.
-- Regards Lars Ebeling http://leopg9.no-ip.org Hobbithobbyist
I am not young enough to know everything. -- Oscar Wilde
Re: Problem with SA
That doesn't look much like a SpamAssassin option there, to me. Perhaps you may get more useful responses if you give us more detail about your system configuration. What mailserver are you running? How does it invoke SpamAssassin? Do you have a virus scanner installed? What operating system do you use?

Luis campo lcr_2...@hotmail.com 09/29/09 2:44 PM
Dear Sirs, I have a problem with SA. I have added the option Spam-x; since that time SA returns no emails, no subject or message body. What could be the problem? Greetings
Re: Converting spam to email message
SpamAssassin does not handle mail. SpamAssassin analyzes a message and returns a score/report to whatever asked for the analysis. That is all. Other products do things with mail - store/reject/accept/deliver, etc. - and some of those products use a SpamAssassin score as part of the basis for choosing what action they take. You are more likely to get better assistance by asking your question in a forum that is devoted to the product which actually does the function you want assistance with.

MySQL Student mysqlstud...@gmail.com 08/27/09 2:54 PM
Hi, I thought I understood, but I'm still having trouble converting a message in the quarantine back into a normal email message that I can forward on to a recipient. Does anyone know how to do this?
Maybe I missed something, but SpamAssassin doesn't have a quarantine. http://wiki.apache.org/spamassassin/SpamQuarantine
Yes, my apologies. I guess it would then be amavisd-new that's managing the quarantine. I didn't realize that amavisd manipulated the mail in that way. Hopefully someone can still help. Thanks, Alex
Re: Any one interested in using a proper forum?
Let me see if I follow you correctly there . . . you are administrator of an email server, but you do not like to read and write email? Also, I am not a lawyer, but I think I read something somewhere a while ago that there is some intellectual property rights ownership associated with 'spamassassin' in some context somewhere, did you inquire about that before choosing your new domain name? I could be wrong, and I have no idea who the owner of such rights might be.

snowweb pe...@snowweb.co.uk 07/28/09 10:31 AM
OK! Thanks guys for all your inputs, regardless of which side of the discussion you're leaning towards. I read and considered all your pros and cons carefully. I'm not trying to pry anyone away from your list (and I'm sure I won't). I'm just trying to reach out to those who don't want to be a part of an email list. My personal calculation mixed with intuition indicates to me that this is a huge number of SpamAssassin users. I think my biggest problem will be to provide the hardware resources to maintain the performance of a dedicated forum for a piece of software as popular as SpamAssassin. I have now registered http://www.spamassassin-forum.com and I will make sure that the first sticky thread on the forum contains a link to your list, so that our users are free to choose. I'm not doing this to compete but to complement. I hope you understand. Thank you all for your input. You're all class guys here :) Peter Snow
Re: [NEW SPAM FLOOD] www.shopXX.net
(apologies for top posting, but the email software here does not really do quoting in a way that works out well otherwise)
If your mail contains SpamAssassin headers then it was (obviously) processed through SpamAssassin. Just because you have BL checks in your MTA does not necessarily mean that all spam items will be blocked at that level. Lots of spam can pass some BL checks and then be scored high as the result of other things. My comments were not meant to say that BL checks stop spam. I was responding specifically to your inquiry about a rule being 'overlooked' if there happened to be a message it would hit that also had something in it that would hit a blacklist too. I think you're reading too much complexity into things. Or maybe not enough. The basic idea is something like this:
a) You have some stuff specified for Postfix to do, it starts doing those things, and if it gets through them (without deciding to reject the message) to the point where you specify a call to SA, then it passes the item to SA for scoring.
b) SA applies the rules (which usually include querying various blacklists based on things found within the message) and tallies up the score, then it gives the results to whatever asked it to analyze the message.
c) Then whatever that was (in your case, Postfix) looks at the results and decides what to do next, based on what you specified for it.
SpamAssassin does not block mail. SpamAssassin analyzes a message and assigns a score. Mail handlers reject/quarantine/discard/deliver mail. SpamAssassin is not a mail handler. If you don't understand the effects of entries in your Postfix configuration, you probably will get better assistance in a Postfix-specific forum.

Dan Schaefer d...@performanceadmin.com 07/23/09 10:22 AM
It means that if you were using BL at MTA level your SA might never have seen the message at all.
No your rule would not be overlooked 'because the site is in a blacklist' *unless* you were using the BL in your MTA and rejected the transaction from a blacklisted IP address and, thus, never submitted it to SA at all.
If this is the case, then why does my email have the X-* headers in it? I have nothing in my postfix header_checks to discard the BL rules. Does anyone have a detailed flow chart of SA/postfix setup that describes blacklisting? Or even a webpage describing the process?
Re: [NEW SPAM FLOOD] www.shopXX.net
It means that if you were using BL at MTA level your SA might never have seen the message at all. No your rule would not be overlooked 'because the site is in a blacklist' *unless* you were using the BL in your MTA and rejected the transaction from a blacklisted IP address and, thus, never submitted it to SA at all. And those rules did not hit on the message because there isn't anything in there that they are designed to find. It does not represent another variation on the theme. But since there is a lot of other stuff that other rules did hit on, why are you worrying so much about just these few?

Dan Schaefer d...@performanceadmin.com 07/22/09 3:56 PM
Benny Pedersen wrote:
On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
For those of you that manage these rules, URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as spam http://pastebin.com/m40f7cff4
reject it with rbl testing in mta, and its found in blacklist, reason it not found in obfu is that its not obfu :)
Does this mean that if I have a custom rule to search for exactly the via site, my rule will be overlooked because the site is in a blacklist?
-- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: custom rule no work (as expected) and log score
The most obvious problem is that you are re-using the rule name. While the configuration is parsed the 2nd line replaces the first then the 3rd line replaces the 2nd line. If you want three rules give them three different names, for example:
whitelist_from_luser1
whitelist_from_luser2
whitelist_from_luser3
Alternatively, consider writing a single expression to detect the 3 domains with OR logical conditions. This is left as an exercise for the reader.

Bazooka Joe fastf...@gmail.com 07/14/09 3:54 PM
any idea why this rule never works for domain1 or domain2 but only domain3
header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i
score whitelist_from_luser -2.5
How do I log the score for each rule that is triggered? -bazooka
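An added example, not code from either poster or from SpamAssassin itself: a toy Python evaluator for `header`/`score` lines that mimics the "later definition replaces the earlier one" behaviour the reply describes, run against the three colliding rules, the three distinctly named rules, and the single OR expression left as an exercise. The sample configs and From headers are constructed, and the evaluator only searches the raw header string (a simplification of SpamAssassin's real `From` handling).

```python
import re

# Constructed config fragments. The first one reproduces the poster's problem.
COLLIDING_CF = r"""
header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i
score  whitelist_from_luser -2.5
"""

DISTINCT_CF = r"""
header whitelist_from_luser1 From =~ /domain1\.com/i
header whitelist_from_luser2 From =~ /domain2\.com/i
header whitelist_from_luser3 From =~ /domain3\.com/i
score  whitelist_from_luser1 -2.5
score  whitelist_from_luser2 -2.5
score  whitelist_from_luser3 -2.5
"""

# The "single expression with OR logic" alternative from the reply.
COMBINED_CF = r"""
header whitelist_from_luser From =~ /(?:domain1|domain2|domain3)\.com/i
score  whitelist_from_luser -2.5
"""

HEADER_LINE = re.compile(r"^header\s+(\S+)\s+(\S+)\s*=~\s*/(.*)/([a-z]*)\s*$")
SCORE_LINE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")


def parse_rules(cf_text):
    """Parse 'header' and 'score' lines into two dicts keyed by rule name.
    A later line with the same rule name overwrites the earlier one, which is
    why the colliding config ends up with only the domain3 test."""
    rules, scores = {}, {}
    for line in cf_text.splitlines():
        line = line.strip()
        m = HEADER_LINE.match(line)
        if m:
            name, hdr, pattern, flags = m.groups()
            reflags = re.IGNORECASE if "i" in flags else 0
            rules[name] = (hdr, re.compile(pattern, reflags))
            continue
        m = SCORE_LINE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return rules, scores


def evaluate(cf_text, headers):
    """Return {rule_name: score} for every rule that hits the given headers."""
    rules, scores = parse_rules(cf_text)
    hits = {}
    for name, (hdr, rx) in rules.items():
        if rx.search(headers.get(hdr, "")):
            hits[name] = scores.get(name, 1.0)  # rules without a score line count 1.0
    return hits


def total_score(cf_text, headers):
    """Sum of the scores of all rules that hit, i.e. the whitelist adjustment."""
    return sum(evaluate(cf_text, headers).values())


if __name__ == "__main__":
    for label, cf in (("colliding", COLLIDING_CF), ("distinct", DISTINCT_CF),
                      ("combined", COMBINED_CF)):
        for dom in ("domain1.com", "domain2.com", "domain3.com"):
            hdrs = {"From": "Alice <alice@%s>" % dom}
            print(label, dom, evaluate(cf, hdrs))
```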
RE: [NEW SPAM FLOOD] www.shopXX.net
Benny Pedersen m...@junc.org 06/28/09 12:42 AM
On Sun, June 28, 2009 05:38, Cory Hawkless wrote:
I agree, wouldn't it be easier to uniformly feed all of these type of URL's through the already existing SA filters. As Jason suggested maybe by collapsing whitespaces?
lets redefine how a url is in the first place ? www localhost localdomain www.localhost.localdomain one of them does not work :) spammers more or less just use the first one, so what ?
Sounds like the obvious solution to me? Any problems with this? If not how can it be done?
just show a working ReplaceTags for spaces, and then all can be solved to make rules with how spaces can rebuild into no spaces, eg in my above example will be . and then sa see the last url and first url imho this is what replacetags does but as long webbrowsers does not work on both, is it a big problem so ?

It is folly to underestimate the stupidity and/or gullibility of humans. Just because the link won't work as-is in the message does NOT mean people out there won't retype it, corrected, into their browser address box. It is my opinion that if the spammers weren't getting traffic to the websites from the email, they would stop sending the email. Since the emails continue, we must presume that they are having some success in attracting victims to the sites. Therefore, the URL obfuscation by omitting the dots seems to be a viable spam indicator. The tricky part is in figuring out how to detect this trait reliably without tripping over other similar traits that are not good spam indicators.
Re: BOTNET timeouts?
Well I suppose you could always take the product that you dislike so badly back to the store and ask for a refund of your purchase price. Sometimes it really amazes me how much, and how severely, some people will gripe about free products that exist only because other people volunteer their time to a project.

Henrik K h...@hege.li 06/11/09 2:53 PM
On Thu, Jun 11, 2009 at 10:21:18AM -0700, John Rudd wrote:
As said elsewhere, the primary issue is how DNS is being set up, both by the sender and the recipient. But that's outside of the scope of Botnet. Within Botnet, the actual thing to be solved is moving toward SA's internal DNS routines, not expending effort on improving its interaction with Net::DNS. The latter is addressing a surface issue, not an actual problem.
Gee, I wonder why SA has a rbl_timeout setting then. To address a surface issue in Net::DNS (which SA also happens to use)? Maybe it should just leave such trivial things to setup of sender and recipient. :) We are only trying to point out a simple flaw that I'm not sure you even understand. Lookups should have a sane timeout, in this case the default is bad for the type of work SA does. It's fixable with a simple option. But it's your right to make the few people look for silly patches when they have a problem.
Re: Whitelist_From Woes
Well maybe you should figure out what is going on with these two: RE_PASSWORD 100.00, RE_PASSWORDV 100.00 since your choice of -100 (it is not a magic pass value, just another factor in the arithmetic) for your manual whitelist only counteracts one of them ... or run your manual whitelist score to an even larger value. In other words, you are apparently NOT having a problem getting the domain whitelisted - you are having a problem fully balancing the effects of spammy-ness elements in their mail.

Michael Lyon mjl...@gmail.com 05/13/09 12:16 PM
We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I'm having problems getting a domain whitelisted. Previously, adding domains to be whitelisted simply meant adding a whitelist_from *...@domain.com to my /opt/MailScanner/etc/spam.assassin.prefs.conf file. Now, however, my maillog shows the messages as being marked as spam. Yesterday, I added a spam.whitelist.rules, which takes -100 down from the score, but the message is still marked as spam and not delivered. /var/log/maillog output:
May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43)
SO...I see the USER_IN_WHITELIST -100 score, but it never is delivered... Thoughts? Thanks, Mike
Re: sa-learn process overwhelming the server
Yes, the learn client does not try to keep up with what it has done, or not done, before - that is handled by the server (the Bayes engine). I believe there is no reasonable way for the client to achieve this, anyway - it cannot reliably modify your maildir in such a way that it can be assured of finding things again, since your email software might discard whatever the learn client put there for the memory of what it processed. And a maildir is not the only kind of input it recognizes, so it could be quite unmanageable to try to implement as many ways of 'remembering' as there are ways of giving it things to process. So I would say the better solution is to adjust the way you run your learning, so that it will discard, or move elsewhere, the items it has processed. Perhaps put things you want learned into a place that no other process touches, run the learn on that, then move that stuff to another place if you want to keep it around for a while.

LuKreme krem...@kreme.com 05/06/09 4:23 PM
On 6-May-2009, at 07:13, RW wrote:
On Wed, 6 May 2009 01:43:08 -0600 lbut...@covisp.net wrote:
The trouble appears to me to be that sa-learn has no concept of whether or not it has learned a message or not.
It does, they are stored in the bayes_seen file if you are using db storage.
It does in that it doesn't relearn them, but it doesn't in terms of processing them. Lemme explain. If I have a maildir with 109 messages, 9 of which are new, running sa-learn might take X minutes. If I have a maildir with 9 messages, all of which are new, sa-learn takes much less than X minutes. If I have a maildir with 2893 messages, 9 of which are new, it will take much much more than X minutes.
Re: URI with spaces are not recognized
Artificial intelligence will never overcome natural stupidity (or the clever ingenuity of criminals) ... if people actually DO that (copy the url and remove the spaces) there is some temptation to say they get what they deserve ... but on the other hand most of the spam/scam stuff out there is based on the premise that plenty of people are greedy, gullible, uninformed, overly trusting, stupid, or some combination of the above.

Franz Schwartau fr...@electromail.org 02/13/09 2:18 PM
C'mon... Patient: Doctor, if I press down here it really hurts... Doctor: Don't press there then.
You won't solve a problem by defining there is no problem. In these spams people are requested to remove the spaces when entering the given string (url) in their browser.
Benny Pedersen wrote:
On Thu, February 12, 2009 18:26, Franz Schwartau wrote:
www . abcdef . net
After reading the source for a while I found that $schemelessRE in line 1720 of Mail::SpamAssassin::PerMsgStatus.pm seems to be responsible for that. Unfortunately this regexp doesn't care about whitespaces.
give me a url to a browser that can show above url is simple :) even my firefox in my nokia phone wont show this, did i miss another one ?
Has anyone a solution?
none so far have a problem ?
Would be fine if I could use the uri directive or even some uribl on this kind of urls.
it will if there was a problem
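An added Python example, not from either this thread or the earlier shopXX thread and not SpamAssassin's own URI code, of the detection both discussions circle around: find hosts written with blanks inside them (the "www . abcdef . net" form, and the dot-less "www abcdef net" form), normalize them so a URI rule or URIBL lookup could be applied, and rate the blank-only form lower because it also occurs in ordinary prose. The TLD list and the sample text are constructed stand-ins.

```python
import re

# Constructed, deliberately short TLD allowlist; a deployment would use a full one.
TLDS = ("com", "net", "org", "info", "biz", "ru", "cn", "de", "uk")

_LABEL = r"[a-z0-9-]{1,63}"
# Separator between labels: a dot with optional blanks around it, or blanks only.
# Newlines are excluded on purpose so two lines of prose are never joined.
_SEP = r"(?:[ \t]*\.[ \t]*|[ \t]+)"
HOST_RE = re.compile(
    r"\b(www" + _SEP + r"(?:" + _LABEL + _SEP + r"){0,2}"
    + _LABEL + _SEP + r"(?:" + "|".join(TLDS) + r"))\b",
    re.IGNORECASE,
)


def find_space_obfuscated_hosts(text):
    """Return [(normalized_host, confidence)] for hosts written with blanks inside.

    Ordinary dotted hosts are skipped; the normal URI rules already see them.
    'high'  : dots are present but padded with blanks ("www . shopxx . net").
    'low'   : blanks only ("www shopxx net"); accepted only in the short
              www/label/tld shape, because "www is a net ..." is plain English.
    """
    hits = []
    for m in HOST_RE.finditer(text):
        raw = m.group(1)
        if not re.search(r"[ \t]", raw):
            continue  # plain www.host.tld, nothing obfuscated
        host = re.sub(_SEP, ".", raw).lower()
        if "." in raw:
            confidence = "high"
        else:
            if host.count(".") != 2:
                continue  # too many words for the dot-less form; likely prose
            confidence = "low"
        hits.append((host, confidence))
    return hits


# Constructed sample message body covering the two obfuscated forms, a normal
# host that must be ignored, and a dot-less phrase with no real TLD.
SAMPLE = """Buy now at www . shopxx . net for cheap meds.
Remove the spaces: www shopxx net
Our site is www.example.com and www localhost localdomain is not a url."""

if __name__ == "__main__":
    for host, confidence in find_space_obfuscated_hosts(SAMPLE):
        print(confidence, host)
```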
Re: Question regarding recipient notification of blocked email
Spamassassin did not put the message in the spam folder. SA does not know if the item is going to be put in a folder (spam or otherwise) or tossed into the bit bucket. SA doesn't even, necessarily, actually know who the item is to - or which of possible multiple recipients might want to be notified - thus there is no way it could undertake such notification. In some situations there may be a dozen different instances of SA running in high-volume load-balancing service configurations, and each one of them might process one or more items for each potential recipient every day - would your end-user want to see a dozen different notices about how many spam items were sent to them, based on how they flowed through the various paths? The application that actually made the choice to store the item in the folder has responsibility for notifying about what it has done. All Spamassassin does is analyze items and assign a score. It does not block email. It does not deposit email in folders. Other software does things with the messages and has opportunity to generate notifications about the actions taken.

TWR tra...@lhtc.net 02/03/09 9:02 AM
I am running qmail with spamassassin so that any message flagged as 'spam' is deposited into a user's 'spam' folder. The user has to manually login to their webmail.domain.com spam folder in order to view these messages. Is there a way for spamassassin to notify the end user once a day that (x) number of spam messages has been quarantined. Perhaps the message could include the subject line and contain a hyperlink to their webmail based spam folder.
Re: Question regarding recipient notification of blocked email
I suppose theoretically a Spamassassin plugin could be developed to handle this task, but I seriously doubt that is the most effective approach. I believe you should evaluate this situation within the context of your mail delivery system, not the spam scanning context. The question you really are asking is not about what did SA think of the messages but more: what did the mail-handler do with the messages. So explore what your mail handler options are, and if they don't suit you then explore what you can do to/with/inside the mail system itself. If you can't get the count-keeping and notice-writing to work on the fly while mail is being processed, maybe an after-the-fact application can count items-per-folder and write the users a note saying you have N spam items that are Y days old perhaps.

TWR tra...@lhtc.net 02/03/09 10:50 AM
Point well taken. Spamassassin is scanning the email, qmail-scanner does the labeling as spam and mailfilter is then shooting the email to the spam folder. I was hoping there was a way that spamassassin could log that a user received x number of spam and then notify the recipient that the email had been blocked as such. From my understanding there is no option available short of writing a program. Would this be correct?
Kevin Parris-2 wrote:
Spamassassin did not put the message in the spam folder. SA does not know if the item is going to be put in a folder (spam or otherwise) or tossed into the bit bucket. SA doesn't even, necessarily, actually know who the item is to - or which of possible multiple recipients might want to be notified - thus there is no way it could undertake such notification. In some situations there may be a dozen different instances of SA running in high-volume load-balancing service configurations, and each one of them might process one or more items for each potential recipient every day - would your end-user want to see a dozen different notices about how many spam items were sent to them, based on how they flowed through the various paths? The application that actually made the choice to store the item in the folder has responsibility for notifying about what it has done. All Spamassassin does is analyze items and assign a score. It does not block email. It does not deposit email in folders. Other software does things with the messages and has opportunity to generate notifications about the actions taken.
TWR tra...@lhtc.net 02/03/09 9:02 AM
I am running qmail with spamassassin so that any message flagged as 'spam' is deposited into a user's 'spam' folder. The user has to manually login to their webmail.domain.com spam folder in order to view these messages. Is there a way for spamassassin to notify the end user once a day that (x) number of spam messages has been quarantined. Perhaps the message could include the subject line and contain a hyperlink to their webmail based spam folder.
Re: Problem with faked return-path or something like that...!
support [EMAIL PROTECTED] 12/11/08 2:52 AM
Pre-empting some responses: What about external remote workers? What about those who email stuff to themselves? I hear this kind of thing all the time when people moan about spoofing.
On Wed, 2008-12-10 at 12:19 -0500, Kevin Parris wrote:
You do not have a SpamAssassin problem, you have a Communigate problem. Present this issue to your support resources for that product. The basics of what you want to do are something like this: When a message is arriving from the internet, and has your own domain in the Return-path, it should be REJECTED immediately. The detection of this condition, and the Rejecting of the message, should occur entirely within Communigate so that the item does not survive long enough to be presented to SA for analysis.

I believe the common wisdom is something like: your own remote users will be configured for some sort of VPN or other authentication mechanism, therefore the mail they send will not be arriving from the internet thus the mailserver can distinguish their items from those that need to be rejected. People who email stuff to themselves will either be local in the office, or remote and authenticated as above, therefore the items they generate will not be arriving from the internet thus the mailserver can distinguish them from those that need to be rejected. If you have a mailserver that is not able to make this distinction, or you have remote users who do not have a VPN or other authentication mechanism, you should consider replacing or reconfiguring some components in your facilities.
Re: Problem with faked return-path or something like that...!
You do not have a SpamAssassin problem, you have a Communigate problem. Present this issue to your support resources for that product. The basics of what you want to do are something like this: When a message is arriving from the internet, and has your own domain in the Return-path, it should be REJECTED immediately. The detection of this condition, and the Rejecting of the message, should occur entirely within Communigate so that the item does not survive long enough to be presented to SA for analysis.

On Tue, December 9, 2008 23:37, hofmae wrote:
We are using Communigate Pro with SpamAssassin, now we have a problem with specific spam mail and don't know how to solve it. The spammer sends us spam e-mails which include as return-path one of our mail addresses.
Re: Honeypot Email Addresses
Maybe this is a completely crazy notion, but if the mail for these accounts is in fact actually flowing into/through your system, and being sent through SA already, you might create a rule so that any item with one of those addresses in it gets a high score so in turn your auto-learn threshold would trigger and process the item. And if that works, then you don't have to do anything else.

[EMAIL PROTECTED] 08/18/08 2:08 PM
On Mon, Aug 18, 2008 at 1:59 PM, John Hardin [EMAIL PROTECTED] wrote:
On Mon, 18 Aug 2008, [EMAIL PROTECTED] wrote:
Long time SA user here. I have googled much for an answer for this. I have a few email addresses that are clearly now spam only. I would like to blacklist them and use them as a honeypot to help train my Bayes through autolearn, does anyone have any suggestions on how to do this?
Training from those users' mailboxes is pretty straightforward using sa-learn in a script run from cron. I wouldn't worry about trying to get autolearn involved.
-- I guess I should have been more clear. Most of these email addresses have been forwarding into a junkemail gmail account and have no 'local' mailboxes of their own, and I would like to keep it that way. I am also using MailScanner if that's of any use. Basically I want (yes I don't care if a spambot gets this addy) [EMAIL PROTECTED] to always only be recognized as spam content and have it learned. Since there isn't a mailbox how would this best be accomplished? Thanks! Richard Ahlquist
Re: Pharma spam getting through
You could write yourself a rawbody rule to match on the string: tdNEVOB/td with a high score, and that will take care of this particular set (and seems to me, personally, to be at very low risk of FP - but then I'm American and have no idea what that word might mean in other languages), but you will have to write a new rule for the next mutation (this is the third or fourth variant I've seen already). And the next mutation. And the next... Some BAYES training might help with detection, also, but even that won't necessarily push their score over the threshold, by itself.

Dietmar Maurer [EMAIL PROTECTED] 08/14/08 1:53 AM
Recently there are tons of simple mails like:
ftp://pve.proxmox.com/tmp/sample-spam1.txt
ftp://pve.proxmox.com/tmp/sample-spam2.txt
Seems that they trigger some network tests, but many get through with low score. Does anybody know a way to block them effectively without using network tests? - Dietmar
mysterious spam - what is this trying to do?
Sample posted here: http://pastebin.com/m7d993dc7 Have seen several similar to this, the message contains only random words, no images, no web links. What's the point? It's not advertising, or trying to lure victims to a site, or carrying any payload. Commentary anyone?
Re: [OT] Odd spammer tactic?
Spammers operate on the premise that lots of stupid people read email. For example, only stupid people would actually respond to an offer to sell medications, from a service that does not spell the product name correctly (they are either too stupid to recognize the deviant spelling even though the correct version is all over TV and magazines, or too stupid to realize it means the offeror is ethics-challenged). But these offers are getting responses, or the spammers would not keep sending them. The spammers are spending other people's money, since much of their work is done by hijacked machines, thus they do not care how 'expensive' their project might be, and any responses they do get are practically pure profit. So to probe a million targets and find even one vulnerable is worth the trouble since it is not their own trouble. The flaw in your logic is that you are thinking logically, working from the premise that any intelligent administrator (such as yourself) would never create a machine that is susceptible to this particular attack. Maybe YOUR server is not a viable avenue for the spammer, but there are SO many servers out there - finding a few that ARE viable is almost a certainty, since some people who connect systems to the internet are not so well-informed as we here. I believe that until a technique is discovered to eliminate ignorance and gullibility from the human population, there will be no solution to the spam problem.

Christopher Bort [EMAIL PROTECTED] 07/21/08 3:30 PM
This is really not a SpamAssassin issue, but since this list is populated by people who are interested in spammer behavior, I'm throwing it out for comment. If it's too far off topic, my apologies and I'll let it go at that. At $DAYJOB I run a mail server and a name server for several domains, both our own and for clients. At home, I run a mail server and a name server for a couple of personal domains. The home name server is a slave for most of the domains hosted at $DAYJOB. The home mail server is _not_ configured to handle mail for any of the $DAYJOB domains and it is _not_ an MX for any of those domains. The only connection is that it is an NS for the $DAYJOB domains. These domains _do_ have the $DAYJOB mail server as their MX. For a while now, I've been seeing attempts to send mail to the home server for addresses in $DAYJOB domains. This is not a problem since the volume is low and they are being properly rejected as third-party relay attempts (authentication required - relay not permitted). However, the fact that someone is apparently trying to send mail to an NS instead of an existing MX has piqued my curiosity. It looks like it's all spam (the sender addresses tend to support that). So, has anyone else seen this sort of behavior and what could be the rationale for trying to deliver mail to an NS like this?
-- Christopher Bort [EMAIL PROTECTED] http://www.thehundredacre.net/
Re: Experimental - use my server for your high fake MX record
Well now, if a spambot actually does start recognizing and avoiding his system, doesn't that mean he wins and the spammer loses?

John Hardin [EMAIL PROTECTED] 05/08/08 12:11 PM

On Thu, 8 May 2008, Marc Perkel wrote:

To participate all you have to do is set your highest numbered MX to point to: tarbaby.junkemailfilter.com

Several people have asked me how I'm doing this and can they have my code to do it themselves. My situation is unique enough that it just won't work very easily any place else and it's definitely not clean enough for just anyone to install.

You should make an effort to clean it up so that others *can* install it as a standalone daemon, as I suggested. Why? How long will it be before the spambots explicitly refuse to contact your honeypot if it is listed as an MX for the domain they're attacking?
Re: Spam content checker
Maybe this is overstating the excruciatingly obvious, but why don't you just compose the email you anticipate sending, and SEND IT to yourself so that it comes into your email box by way of your SpamAssassin with score report headers added, and take a peek at that result? Or if you're working with some mass-mail service, subscribe yourself to a test list and distribute your anticipated message via that and see how it looks when it arrives?

Sg [EMAIL PROTECTED] 01/09/08 12:05 AM

Hi, thanks for your reply. How do I find the spam value of the email body content (no header) using any API (php, perl, python)?

Thanks,
Sg
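Once the test message has come back through SpamAssassin, the score, threshold and hit tests sit in its X-Spam-Status header. The parser below is an added example (not code from either poster); the message it reads is a constructed sample with hypothetical score and test names, folded the way SpamAssassin folds long header values.

```python
import re
from email import message_from_string

# Constructed sample: what a self-sent test message looks like after SpamAssassin
# has added its report headers. Score, host names and test names are made up.
SAMPLE_MESSAGE = """\
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mailgate.example.net
X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_99,FREEMAIL_FROM,
\tHTML_MESSAGE,URIBL_BLACK autolearn=no version=3.3.1
X-Spam-Flag: YES
X-Spam-Level: *******
From: someone@example.net
Subject: test send to myself
Content-Type: text/html

<p>Body of the anticipated mailing.</p>
"""

_STATUS_RE = re.compile(r"^(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+)")
_TESTS_RE = re.compile(r"tests=(.*?)(?: (?:autolearn|version)=|$)")
_AUTOLEARN_RE = re.compile(r"autolearn=(\S+)")


def parse_spam_status(raw_message: str) -> dict:
    """Return the SpamAssassin verdict recorded in a message's X-Spam-Status header."""
    msg = message_from_string(raw_message)
    raw = msg.get("X-Spam-Status")
    if raw is None:
        raise ValueError("no X-Spam-Status header: did the mail pass through SpamAssassin?")
    value = " ".join(raw.split())  # unfold continuation lines into one line
    m = _STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status format: " + value)
    score, required = float(m.group(2)), float(m.group(3))
    t = _TESTS_RE.search(value)
    # Folding leaves "FREEMAIL_FROM, HTML_MESSAGE", so strip each name after splitting.
    tests = [x.strip() for x in t.group(1).split(",") if x.strip()] if t else []
    a = _AUTOLEARN_RE.search(value)
    return {
        "is_spam": m.group(1) == "Yes",
        "score": score,
        "required": required,
        "margin": round(score - required, 1),  # positive means over the threshold
        "tests": tests,
        "autolearn": a.group(1) if a else None,
    }


if __name__ == "__main__":
    print(parse_spam_status(SAMPLE_MESSAGE))
```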
Re: Mondo bayes_toks - millions of entries
If I have followed the discussion correctly so far, the explanation for manual-learn not being distinguished from auto-learn is this: no matter what mode of learning caused a token to appear in the database, if there is ongoing mail traffic that hits on the token then said token will not expire out anyway. In other words, tokens don't expire because of where or how they came to be listed, they expire because no more incoming mail traffic references them. If you manually train a message that is the ONLY instance of that particular spam to slip through your other filter, and your Bayes never sees another message that matches the tokens it generated, then those tokens are irrelevant regardless of learn mode.

Wes [EMAIL PROTECTED] 11/30/07 11:56 AM

The whole reason bayes works is the fact that there's a *LOT* of tokens that are repeated over and over and over again for any given kind of mail. So the set of tokens acted on by one message is 95% the same as the ones in another, provided the general type of email is the same (and by general type, I'm thinking all email fits into maybe 20 types, I'm talking really broad categories like conversation, newsletter, spam, nonspam ad, etc.)

Guess I need to read up on Bayes some more. I was thinking more along the lines of separate databases for auto and manual learning that are combined for a result, giving more weight to manual learning. Maybe that just isn't reasonable, though.

I can't see (at least here) that manual learning would get any kind of significant volume. Someone's only going to send in a message for manual learning if it is a leaked spam or a false positive, and then only if they bother to do it. I'd be surprised if the manual learning volume was 1 in 10,000 of the messages going through the auto-learning.

Wes
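To make the expiry argument concrete, here is an added toy model (not SpamAssassin's own bayes store) in which each token records a last-seen time and, purely for illustration, the mode that first learned it; expiry consults only the time. Token names, the day-based clock and the fixed max_age are constructed simplifications of SpamAssassin's atime-based expiry.

```python
from dataclasses import dataclass


@dataclass
class TokenRecord:
    spam_count: int
    ham_count: int
    atime: int          # last time any learned or scanned message contained the token
    first_source: str   # "manual" or "auto"; kept only to show it plays no part in expiry


class BayesTokenStore:
    def __init__(self) -> None:
        self.tokens: dict[str, TokenRecord] = {}

    def learn(self, tokens, is_spam: bool, source: str, now: int) -> None:
        for tok in tokens:
            rec = self.tokens.get(tok)
            if rec is None:
                rec = self.tokens[tok] = TokenRecord(0, 0, now, source)
            if is_spam:
                rec.spam_count += 1
            else:
                rec.ham_count += 1
            rec.atime = now  # ongoing traffic refreshes the token, whatever learned it

    def expire(self, now: int, max_age: int) -> list[str]:
        """Drop tokens not referenced for more than max_age; returns what was dropped."""
        stale = sorted(t for t, r in self.tokens.items() if now - r.atime > max_age)
        for t in stale:
            del self.tokens[t]
        return stale


def demo() -> tuple[BayesTokenStore, list[str]]:
    store = BayesTokenStore()
    # Day 0: an operator manually trains one leaked spam (constructed tokens).
    store.learn(["viagra", "cheap", "summit2010"], True, "manual", now=0)
    # Days 1..29: auto-learning keeps seeing two of those tokens plus a one-off id each day.
    for day in range(1, 30):
        store.learn(["viagra", "cheap", f"id{day}"], True, "auto", now=day)
    # "summit2010" never recurs, so it goes; "viagra" survives although learned manually.
    expired = store.expire(now=30, max_age=7)
    return store, expired


if __name__ == "__main__":
    store, expired = demo()
    print("expired:", expired)
    print("kept:", sorted(store.tokens))
```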
Re: Scanning mailer-daemon bounces generated by localhost
I think it might be easier if you would simply have a conversation with the techy folks at your customers: invite them to configure THEIR system so that either everything from YOUR system is OK no matter what spam status it has (they can route it to the bit-bucket or whatever), or turn off the reject-notice function on such messages, and then you won't have to worry about the problem.

Alternatively, just as a point of goofy curiosity, if they don't want your system doing spam filtering for them, why do they even bother having your system in the path for the traffic anyway? Why not just point their MX record straight to their machine?

sacoo sacoo [EMAIL PROTECTED] 8/22/2007 8:10:58 AM

Well, maybe I didn't explain it properly: we are not providing relay for the outgoing mail, we are only filtering the incoming mails for viruses/spam, and the part of them that are junk are the ones bouncing to us and giving problems.