Cyrillic spam

2008-03-19 Thread Mike Pepe

For some strange reason, I'm seeing Cyrillic spams very frequently lately.

None of my users read any Eastern European languages- is there a quick 
way to catch these?


thanks

-Mike
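A script-based check for the question above, added here as an example; it is not code from the list post or from SpamAssassin. It decodes each message with Python's email package, then counts how many letters in the Subject and text/plain parts fall in the Unicode Cyrillic blocks. Decoding per the declared charset first is the important part, since in raw koi8-r bytes the Cyrillic is invisible to a code-point check. The three sample messages are constructed for the demo; the 50% threshold is an assumption.

```python
"""Flag mail whose readable text is mostly Cyrillic script.

Added example, not code from the list post or from SpamAssassin.
Sample messages are constructed below.
"""
import email
from email import policy
from email.message import EmailMessage

# Unicode blocks treated as Cyrillic: Cyrillic and Cyrillic Supplement.
CYRILLIC_RANGES = ((0x0400, 0x04FF), (0x0500, 0x052F))


def is_cyrillic(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in CYRILLIC_RANGES)


def cyrillic_ratio(text: str) -> float:
    """Share of alphabetic characters that are Cyrillic (0.0 if no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if is_cyrillic(c)) / len(letters)


def readable_text(raw: bytes) -> str:
    """Subject plus every text/plain part, decoded per its declared charset."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def looks_cyrillic(raw: bytes, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the letters are Cyrillic (assumed cutoff)."""
    return cyrillic_ratio(readable_text(raw)) >= threshold


def build_sample(subject: str, body: str, charset: str) -> bytes:
    """Constructed test message; mail of this kind commonly arrived as koi8-r."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body, charset=charset)
    return msg.as_bytes()


RUSSIAN_SAMPLE = build_sample("Привет", "Здравствуйте! Это рекламное письмо.", "koi8-r")
ENGLISH_SAMPLE = build_sample("Meeting", "See you at 10am tomorrow.", "us-ascii")
MIXED_SAMPLE = build_sample("Re: invoice", "Invoice attached, спасибо.", "utf-8")

if __name__ == "__main__":
    for name, raw in (("russian", RUSSIAN_SAMPLE), ("english", ENGLISH_SAMPLE), ("mixed", MIXED_SAMPLE)):
        ratio = cyrillic_ratio(readable_text(raw))
        print(f"{name}: ratio={ratio:.2f} flag={looks_cyrillic(raw)}")
```

A ratio rather than a plain "any Cyrillic" test keeps a mostly English message with one foreign word (the mixed sample) out of the spam folder. SpamAssassin's own knob for the same idea is `ok_locales` in local.cf, which makes its CHARSET_FARAWAY rules fire on charsets outside the listed locales.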


Re: Trying to catch spoofed ToCc

2006-12-07 Thread Mike Pepe

Loren Wilton wrote:

Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't 
work correctly without testing and some minor tweak somewhere.  But you 
can try it and/or fool with it if you like.
 
# /s lets .{0,300} span the header lines between Delivered-To: and To:/Cc:
header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s

meta NOT_SENT_TO_ME !__SENT_TO_ME
 
You can give that a try, but I warn you you may have to fiddle with it 
for half an hour to get it to work right.  Or maybe it will work now.
 
Loren


That looks pretty good, but I think that sort of user-specific action 
might be best done in the user's procmail file-


(Well, assuming of course that the user is using procmail!)

but something like

# if it's not to or cc me at this point, it's probably spam

:0
* !^(To|Cc).*{my email address}
possibly-spam

Towards the very end of the procmail script does the trick.

-Mike
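The same check as Loren's __SENT_TO_ME rule and the procmail recipe above, re-implemented in Python as an added example (not code from the post, SpamAssassin or procmail). Instead of a regex over the raw header block it parses the To:/Cc: addresses, so display names, folding and case do not matter, and it fails safe when there is no Delivered-To: header to compare against. The sample messages are constructed.

```python
"""Is the address the mail was delivered to named in To: or Cc:?

Added example, not code from the list post. Sample messages are constructed.
"""
import email
from email.utils import getaddresses


def delivered_to(msg) -> set[str]:
    """Addresses from every Delivered-To: header, lowercased."""
    return {v.strip().lower() for v in msg.get_all("Delivered-To", [])}


def visible_recipients(msg) -> set[str]:
    """Addresses named in To: and Cc:, display names stripped, lowercased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def sent_to_me(raw: bytes) -> bool:
    """True when some Delivered-To: address is listed in To:/Cc:.

    With no Delivered-To: header the check cannot run, so the message is
    not flagged; a filter like this should fail toward the inbox.
    """
    msg = email.message_from_bytes(raw)
    targets = delivered_to(msg)
    if not targets:
        return True
    return bool(targets & visible_recipients(msg))


def procmail_verdict(raw: bytes) -> str:
    """Mirror the recipe: file to 'possibly-spam' only when not To:/Cc: me."""
    return "inbox" if sent_to_me(raw) else "possibly-spam"


# Constructed samples; example.invalid is a reserved, non-routable domain.
DIRECT = (
    b"Delivered-To: mike@example.invalid\r\n"
    b"From: alice@example.invalid\r\n"
    b"To: Mike Pepe <Mike@Example.invalid>\r\n"
    b"Subject: lunch\r\n\r\nnoon?\r\n"
)
CC_ONLY = (
    b"Delivered-To: mike@example.invalid\r\n"
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Cc: carol@example.invalid, mike@example.invalid\r\n"
    b"Subject: minutes\r\n\r\nattached\r\n"
)
NOT_LISTED = (
    b"Delivered-To: mike@example.invalid\r\n"
    b"From: promo@example.invalid\r\n"
    b"To: Newsletter <list@example.invalid>\r\n"
    b"Subject: offer\r\n\r\nclick\r\n"
)
NO_DELIVERED_TO = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: hi\r\n\r\nhello\r\n"
)

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("cc-only", CC_ONLY),
                      ("not-listed", NOT_LISTED), ("no-delivered-to", NO_DELIVERED_TO)):
        print(f"{name}: {procmail_verdict(raw)}")
```

Legitimate Bcc mail and most mailing-list traffic also fail this check, which is why filing to a possibly-spam folder, as the recipe does, is the right action rather than discarding.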


Secure Quotes spam

2006-12-03 Thread Mike Pepe

Hi all,

just a curiosity question: I seem to be getting an average of about 30 
spams a week that all contain URLs that point to sites that look just 
like this (sample image, with several tabs with different URLs that 
point to identical copies of the same thing)


http://www.doki-doki.net/~lamune/temp/spam1.png

Does this look familiar to anyone? It seems pretty phishy to me, 
especially given that there's apparently no contact information on any 
of these pages.


-Mike


OT: HELO setting in Sendmail

2006-09-18 Thread Mike Pepe
Hi folks, this is a bit off topic, but I figured someone here may have 
an inkling as to what I could do.


Some mail servers are now rejecting my email:

(reason: 550 Don't like your HELO/EHLO. Hostname must contain a dot.)

I checked and sure enough, the HELO just spits out the hostname, not the 
fqdn.


Is there a setting in Sendmail to override what it spits out? I've been 
googling and can't seem to find anything that indicates that it can be done.


It's sendmail 8.13.1-3 on a FC4 box.

thanks

-Mike


Re: OCR plugin doesn't seem to work

2006-08-22 Thread Mike Pepe

decoder wrote:


Which OCR plugin are you using there? If it is the original OcrPlugin,
then you might try FuzzyOcr instead. The original OcrPlugin was more
proof-of-concept, and will cause you lots of headaches with the
current image spam...


I did upgrade to FuzzyOCR after I read your message. But, I don't think 
it's working- however other rules seem to be catching these stock gifs. 
Here's the headers from one of them:


Content analysis details:   (10.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.1 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of words
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7765]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [71.197.31.248 listed in dnsbl.sorbs.net]

I don't see OCR mentioned in there at all. I still don't think it's working.

Spamassassin --lint doesn't indicate anything is wrong. How can I test it?

-Mike



OCR plugin doesn't seem to work

2006-08-21 Thread Mike Pepe

Hey guys,

Running SA 3.1.1, on Fedora Core 3, with Perl 5.8.5

I installed gocr and imagemagick packages, copied the Ocr.pm and cf 
files into /etc/mail/spamassassin


The tests don't seem to run, the pump 'n dump GIFs are still arriving 
and I don't see that the test is being run in the headers. Other SARE 
and custom rules in that directory are running though. The permissions 
are the same, etc. Anyone have any ideas?


# ls
70_sare_adult.cf     70_sare_uri1.cf           spamassassin-default.rc
70_sare_obfu0.cf     99_sare_fraud_post25x.cf  spamassassin-helper.sh
70_sare_obfu1.cf     99_sare_fraud_pre25x.cf   spamassassin-spamc.rc
70_sare_oem.cf       cathy_caparula.cf         tripwire.cf
70_sare_random.cf    init.pre                  v310.pre
70_sare_specific.cf  local.cf                  WebRedirect.cf
70_sare_spoof.cf     Ocr.cf                    WebRedirect.pm
70_sare_stocks.cf    Ocr.pm
70_sare_uri0.cf      RulesDuJour

-Mike


Re: Bouncing spam vs. Blackholing spam

2006-08-10 Thread Mike Pepe

My personal opinion is that the spammers don't care either way.

My guess would be that they probably don't even bother checking the logs 
of what worked and what didn't on the zombie PCs they hijack to send the 
crap in the first place.


Probably far easier to just fire and forget.

-Mike


Marc Perkel wrote:
I've been blocking a lot of spam at connect time that I am 100% sure is 
spam. However I'm wondering if that is the best idea because it gives 
spammers feedback as to what works and what doesn't. If I silently 
absorb the spam and let the spammers think it's delivered then they have 
no way to know if the spam is getting through or not.


Thoughts?




same message, different scores

2006-04-22 Thread Mike Pepe

Hi folks, I got two spams through today and I'm a little confused as to why.

Spam 1:

From [EMAIL PROTECTED]  Sat Apr 22 01:28:34 2006
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on quadzilla
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=5.0 tests=BAYES_80 autolearn=no
    version=3.1.1
Received: from fen.com ([221.155.184.221])
    by quadzilla.doki-doki.net (8.13.1/8.13.1) with SMTP id k3M5SUHj028409
    for [EMAIL PROTECTED]; Sat, 22 Apr 2006 01:28:32 -0400
Message-ID: [EMAIL PROTECTED]
Date: Fri, 21 Apr 2006 23:11:16 -0700
From: Lyle Grisham [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4)
    Gecko/20030624 Sylera/1.2.4
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: FWD: Cathy Caparula, Ref # QG3836-I34V
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV version 0.88, clamav-milter version 0.87 on localhost
X-Virus-Status: Clean
Status: R
Content-Length: 215
X-Keywords: 



ATTN: Cathy Caparula,

After a lookover of all your infomation, I'm delighted to inform you of
your acceptance.

http://5ag420.iscool.net

Just fill-out your details on our web site above.


God Bless,
Lyle Grisham

Now, I run it through sa manually, and the report looks like:

Content analysis details:   (10.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.0 CATHY_CAPARULA         BODY: Email addressed to Cathy Caparula
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?221.155.184.221]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [221.155.184.221 listed in sbl-xbl.spamhaus.org]
-2.9 AWL                    AWL: From: address is in the auto white-list

The second spam is almost identical to the first.

I guess the question is: why such radically different scores? is the 
auto-scanning not using my custom CATHY_CAPARULA rule?


Re: same message, different scores

2006-04-22 Thread Mike Pepe



We need some background on your setup:

How do you call SA to get your mail scanned at delivery time?
Do you use spamd to scan your mail?
If so, did you restart spamd after adding your rule?
Where is your CATHY_CAPARULA rule declared (ie: what file)?


Hi Matt,

The system is FC3, running SA 3.1.1

I use procmail piping the messages through spamd.

I'm not sure if I restarted spamd after I made that custom rule, but 
that rule lives in /etc/mail/spamassassin


If I don't restart spamd, and I modify rules, would that cause what I am 
seeing? Would running spamassassin directly evaluate the message 
differently than going through spamd?


-Mike


SA 3.1.1 post-install error

2006-04-08 Thread Mike Pepe

Hi all,

I built SA 3.1.1 on my FC3 system as an RPM

Two errors I noted. First, the spamassassin rc startup script is not 
executable, so it fails to start. Not a big deal to fix, but it makes 
the post-install script error out since it can't start the service.


Also, when I do this:

# spamd --version

I get this:

SpamAssassin Server version 3.1.1
  running on Perl 5.8.5
[3086] error: Can't locate IO/Socket/SSL.pm in @INC (@INC contains: 
../lib /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.5 
/usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 
/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 
/usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 
/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 
/usr/lib/perl5/vendor_perl) at /usr/bin/spamd line 103.


How do I find out what's missing?

Thanks

-Mike


Re: Training SA with Thunderbird Junk folder

2006-03-24 Thread Mike Pepe

mouss wrote:

Edward Diener wrote:

Does anybody know the instructions for training SA with the contents of
the Thunderbird Junk folder ?

My web host, where SA is running, suggests I do this in order to reduce
the amount of spam I get, and I can login to my web host, transfer files
from my local machine to my web host, and run SA commands.



so the messages are accessible on your SA system? if so, then run
spamassassin or spamc with the right option.

what I would like to see is a plugin to J a message...


If your mail server and users are using IMAP, the Junk E-mail folder 
is on the server already.


I've got a script that runs from cron that will learn from that folder 
and then delete its contents several times a day.


looks like this:

#!/bin/bash

# the folder name contains a space, so it has to be quoted
sa-learn --spam --mbox "./mail/Junk E-mail"
rm "./mail/Junk E-mail"
touch "./mail/Junk E-mail"

you could probably adapt the concept to work system-wide, though I'm not 
sure how your hosting people would take to it.


-Mike


Re: Updated Pump and Dump rules. 2006-02-18

2006-02-21 Thread Mike Pepe

Doc Schneider wrote:

I just committed version 01.00.06 of this ruleset to:

http://rulesemporium.com/rules/70_sare_stocks.cf

It should appear within the hour.

Enjoy.

-Doc (SA/SARE/URIBL/SURBL -- Ninja)


Why can't I add this to rules_du_jour?

I added SARE_STOCKS to the rulesets thusly:

TRUSTED_RULESETS="TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 \
SARE_URI1 SARE_FRAUD SARE_FRAUD_PRE25X SARE_SPOOF SARE_OEM \
SARE_RANDOM SARE_SPECIFIC SARE_STOCKS"

...but when I run it I get this:

No index found for ruleset named SARE_STOCKS.  Check that this ruleset 
is still valid.


am I doing something wrong? 


is teaching SA ham it already marked as ham bad?

2005-11-28 Thread Mike Pepe
I've been feeding messages from my inbox into a folder that SA reads as 
ham for quite some time now.


Suddenly it occurs to me that this may be a bad idea, and I should only 
have SA learn messages as ham that it believes is spam.


This strikes me as being as bad as forcing SA to re-learn spam as spam 
again.


Am I correct in this assumption, or is re-learning good email as ham safe?

I'm hoping that I can finally put an end to these new and especially 
annoying timepiece emails that sneak through.


thanks

-Mike


sa-stats.pl generates a zero report

2005-08-03 Thread Mike Pepe

Hi all,

Any pointers on how to make sa-stats.pl work?

I ran it in debug mode and it's scanning the right log, but at the end I 
get a report with all zeros.


Maybe I'm missing a perl module?

sample report:

Report Title     : SpamAssassin - Spam Statistics
Report Date      : 2005-08-03
Period Beginning : Wed 03 Aug 2005 01:46:29 PM EDT
Period Ending    : Thu 04 Aug 2005 01:46:29 PM EDT

Reporting Period : 24.00 hrs
--------------------------------------------------

Note: 'ham' = 'nonspam'

Total spam detected    : 0 (   0.00%)
Total ham accepted     : 0 (   0.00%)
---------------------------------------
Total emails processed : 0 (0/hr)

Average spam threshold : 0.00
Average spam score     : 0.00
Average ham score      : 0.00

Spam kbytes processed  : 0   (0 kb/hr)
Ham kbytes processed   : 0   (0 kb/hr)
Total kbytes processed : 0   (0 kb/hr)

Spam analysis time     : 0 s (0 s/hr)
Ham analysis time      : 0 s (0 s/hr)
Total analysis time    : 0 s (0 s/hr)


Statistics by Hour

Hour             Spam          Ham
-------------  ----------  ----------
2005-08-03 13   0 (  0%)    0 (  0%)
2005-08-03 14   0 (  0%)    0 (  0%)
2005-08-03 15   0 (  0%)    0 (  0%)
2005-08-03 16   0 (  0%)    0 (  0%)
2005-08-03 17   0 (  0%)    0 (  0%)
2005-08-03 18   0 (  0%)    0 (  0%)
2005-08-03 19   0 (  0%)    0 (  0%)
2005-08-03 20   0 (  0%)    0 (  0%)
2005-08-03 21   0 (  0%)    0 (  0%)
2005-08-03 22   0 (  0%)    0 (  0%)
2005-08-03 23   0 (  0%)    0 (  0%)
2005-08-04 00   0 (  0%)    0 (  0%)
2005-08-04 01   0 (  0%)    0 (  0%)
2005-08-04 02   0 (  0%)    0 (  0%)
2005-08-04 03   0 (  0%)    0 (  0%)
2005-08-04 04   0 (  0%)    0 (  0%)
2005-08-04 05   0 (  0%)    0 (  0%)
2005-08-04 06   0 (  0%)    0 (  0%)
2005-08-04 07   0 (  0%)    0 (  0%)
2005-08-04 08   0 (  0%)    0 (  0%)
2005-08-04 09   0 (  0%)    0 (  0%)
2005-08-04 10   0 (  0%)    0 (  0%)
2005-08-04 11   0 (  0%)    0 (  0%)
2005-08-04 12   0 (  0%)    0 (  0%)
2005-08-04 13   0 (  0%)    0 (  0%)


Done. Report generated in 3 sec by sa-stats.pl, version 6256.


Re: not whitelist, but why are spams getting through?

2005-06-24 Thread Mike Pepe




There are two fairly obvious possibilities here:

1. Your server isn't normally running with net tests enabled, but they
were for the manual test.


Why would that be?


2. You ran the manual test > 1/2hr after the automatic scan, and by then
the domain had made it into all of the blacklists.


There was a delay between the manual test and the email's arrival, so 
that may be possible.



Since awl kicked in on the manual test and didn't on the automatic test, you
may have configuration differences.  I'd look for some configuration
difference that may be keeping net tests from running normally.

Also feed this to bayes.  Assuming it really is spam, it should be getting a
lot higher than a 60.

Loren


I did feed it in.

Oddly enough, this morning when I went to check email there were no 
spurious spams in the inbox. Seems like it decided it wants to work now.


Mysterious.
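A quick way to see what Loren is describing is to diff the test lists of the two X-Spam-Status headers for the same message. The script below is an added example, not code from the posts or from SpamAssassin; its input is the pair of headers quoted in the "not whitelist" post (spamd at delivery time versus a manual run), and the same comparison answers the "same message, different scores" thread, where the automatic scan lists only BAYES_80 while the manual run also fires the custom rule, the RBL tests and AWL. Treating rule names that start with RCVD_IN_, URIBL_ or DNS_ as network tests is an assumption based on SpamAssassin's naming habits, not an authoritative list.

```python
"""Diff the tests behind two X-Spam-Status headers for one message.

Added example, not code from the list posts or from SpamAssassin.
The headers are the two quoted in the "not whitelist" post.
"""
import re

# Assumption: rule names with these prefixes need DNS lookups (RBL/URIBL).
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_")

AUTOMATIC = (
    "X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_60,\n"
    "\tRCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4"
)
MANUAL = (
    "X-Spam-Status: Yes, score=13.0 required=5.0 tests=AWL,BAYES_60,\n"
    "\tRCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,\n"
    "\tRCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,\n"
    "\tURIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam\n"
    "\tversion=3.0.4"
)


def parse_status(header: str) -> dict:
    """Unfold the header and pull out score, threshold and the test names."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    score = re.search(r"score=(-?[\d.]+)", unfolded)
    required = re.search(r"required=(-?[\d.]+)", unfolded)
    tests = re.search(r"tests=([\w,\s]*?)\s*autolearn=", unfolded)
    names = set()
    if tests:
        names = {t.strip() for t in tests.group(1).split(",") if t.strip()}
    return {
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": names,
    }


def is_network_test(name: str) -> bool:
    return name.startswith(NETWORK_PREFIXES)


def compare(auto_header: str, manual_header: str) -> dict:
    """Explain a score gap by the tests each run did or did not fire."""
    a, m = parse_status(auto_header), parse_status(manual_header)
    only_manual = m["tests"] - a["tests"]
    only_auto = a["tests"] - m["tests"]
    net_only_manual = {t for t in only_manual if is_network_test(t)}
    if net_only_manual and not any(is_network_test(t) for t in a["tests"]):
        verdict = "automatic scan ran no network tests"
    elif only_manual or only_auto:
        verdict = "rule sets differ"
    else:
        verdict = "same tests"
    return {
        "score_gap": round(m["score"] - a["score"], 1),
        "only_manual": sorted(only_manual),
        "only_auto": sorted(only_auto),
        "network_only_manual": sorted(net_only_manual),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in compare(AUTOMATIC, MANUAL).items():
        print(f"{key}: {value}")
```

For the quoted headers every test missing from the automatic scan except AWL is a DNS-based one, which points at Loren's first possibility (spamd running without net tests, or its rules not reloaded) rather than at the message itself. AWL shows up only on the manual run because that run's own score was added to the auto-whitelist.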



not whitelist, but why are spams getting through?

2005-06-23 Thread Mike Pepe
OK, so it's not the autowhitelist doing it, but over the last couple of 
weeks an extraordinary amount of spam is getting through and I don't 
know why.


A particular message just came into my inbox, with the following headers:

X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on quadzilla
X-Spam-Level: 
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_60,
    RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4


yet, when I run spamassassin < message, I get this result:

X-Spam-Prev-Subject: Hi funstuff..,,.beryllium
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on quadzilla
X-Spam-Level: 
X-Spam-Status: Yes, score=13.0 required=5.0 tests=AWL,BAYES_60,
    RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
    RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam
    version=3.0.4


Looks like the automatic scanning via spamd is running different tests 
than when I run the message through manually.


Why would this be?

System is fairly stock fedora core 3.



auto-whitelist is making spams sneak through

2005-06-22 Thread Mike Pepe

I'm getting more and more spams sneaking through lately.

I'm running SA 3.0.4 on Fedora Core 3.

In analyzing the ones that make it through, I see that other users in my 
domain are CC, which causes the auto-whitelist to score the spam lower 
than if I run it through manually without that test.


I've just set auto-whitelist to 0 in my .spamassassin/user_prefs.cf 
which I hope will stop that from happening, but in the meantime is there 
some way to manipulate or even reset my whitelist database?


thanks

-Mike