RE: GIF stock spams
I'm getting hammered by these as well, usually scoring below 2 points. I'm running most of the standard SARE rules (including SARE_STOCKS). Any advice? Bayes training has (so far) been ineffective.

-Shawn

-----Original Message-----
From: Chris Conn [mailto:[EMAIL PROTECTED]
Sent: Friday, February 24, 2006 11:35 AM
To: users@spamassassin.apache.org
Subject: GIF stock spams

Hello,

Has anyone written any rules to catch the following types of spam?

http://nisk.creenet.com/~cconn/sa/

They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.

Thanks in advance,
Chris
RE: User getting spammed to death
I had this problem a couple years back with our education email address. While the account got moderate levels of spam, it was absolutely inundated with virus backscatter. After a few months of trying to block the majority of it, we deemed the effort futile and abandoned the address. It was a nuisance as our website and brochures all had to be updated, but it's 2 years later and I still reject about 2000/day at our MTA...

-Shawn

--
Shawn Beairsto
Network Administrator
Data Kinetics Ltd. / Smart Telecom
http://www.dkl.com
http://www.smarttelecom.ca

-----Original Message-----
From: Peter Marshall [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 1:16 PM
To: SpamAssassin list
Subject: User getting spammed to death

I am not sure if there is anything that I can do ... But our marketing email address is getting spammed to death. We are getting about 2000 messages an hour. It is getting to be a problem. Do any of you have a suggestion other than simply turfing the email address?

Thanks
Peter
MISSING_SUBJECT always firing
Hi everyone,

I've been running SA 3.02 for a few weeks now together with amavisd-new-20030616 and it seems that MISSING_SUBJECT is firing on every mail even if there is a Subject: header and it's not empty. Has anyone experienced this problem or have an idea what's going on? I've googled around some, but not found much.

--
Shawn Beairsto
Network Administrator
Data Kinetics Ltd.
http://www.dkl.com
RE: Porn E-Mail
If you are running the 70_SARE_HTML1.CF file, increase the value of SARE_HTML_A_HIDE in your local.cf... this spammer always hits this rule. I've been doing this for several months now, with no false positives. I've set mine to 3 points (5 required).

HTH,
Shawn

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 8:23 AM
To: [EMAIL PROTECTED]
Subject: Porn E-Mail

Has anyone noticed lately a higher than normal amount of porn spam getting through? I've seen a lot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet.. get through with a score of like 2.3

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 8629 invoked by uid 509); 26 Feb 2005 15:18:08 -
Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from <[EMAIL PROTECTED]>, uid 503) with qmail-scanner-1.23 (spamassassin: 2.64. Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):. Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -
X-Spam-Status: No, hits=2.1 required=4.5
X-Spam-Level: ++
Received: from p7146-ipad04yosida.nagano.ocn.ne.jp ([220.104.187.146]) (envelope-sender <[EMAIL PROTECTED]>) by 0 (qmail-ldap-1.03) with SMTP for <[EMAIL PROTECTED]>; 26 Feb 2005 15:18:02 -
Received: from frxsgmnq.area.trieste.it (mail2.area.trieste.it [151.11.128.151]) by p7146-ipad04yosida.nagano.ocn.ne.jp with esmtp id 98CA9A8736 for <[EMAIL PROTECTED]>; Sat, 26 Feb 2005 07:17:59 -0800
Message-ID: <[EMAIL PROTECTED]>
From: "Lithest T. Helper" <[EMAIL PROTECTED]>
To: Adelewilcox <[EMAIL PROTECTED]>
Subject: Excuse me... :)
Date: Sat, 26 Feb 2005 07:17:59 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_0011_582242D6.106C5F2A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
F.P. with SARE rule
Good morning everyone,

I just got an F.P. using one of the SARE rulesets, looks like the SARE_SUB_PENIS_OB rule might need some tweaking. Seems like it fired from the word pennies:

Content preview: Pennies From Heaven The Daily Reckoning [...]

Content analysis details: (7.9 points, 5.0 required)

 pts rule name          description
---- ------------------ ------------------------------------------
 3.3 SARE_SUB_PENIS_OB  subject has obfuscated spammer topic
 1.9 LOW_INTEREST       BODY: Lower Interest Rates
 1.5 MORTGAGE_BEST      BODY: Information on mortgages
 1.2 BANG_MORE          BODY: Talks about more with an exclamation!
 0.0 HTML_MESSAGE       BODY: HTML included in message

--
Shawn Beairsto
Network Administrator
Data Kinetics Ltd.
http://www.dkl.com
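Added example, not part of the original post and not SARE or SpamAssassin code: a Python triage helper that parses the report quoted above and finds which single rule hits were decisive, i.e. the message would fall below the required score without them. The function names are hypothetical, and it assumes a message is tagged as spam when its total is at or above the required score.

```python
import re
from decimal import Decimal

# Constructed input: the report from the post, laid out one rule per line.
REPORT = """\
Content analysis details: (7.9 points, 5.0 required)
 pts rule name description
 3.3 SARE_SUB_PENIS_OB subject has obfuscated spammer topic
 1.9 LOW_INTEREST BODY: Lower Interest Rates
 1.5 MORTGAGE_BEST BODY: Information on mortgages
 1.2 BANG_MORE BODY: Talks about more with an exclamation!
 0.0 HTML_MESSAGE BODY: HTML included in message
"""

NUM = r"-?\d+(?:\.\d+)?"
SUMMARY = re.compile(rf"\(({NUM}) points, ({NUM}) required\)")
# A hit line is "<score> <RULE_NAME> <description>"; the column header is skipped
# because it does not start with a number.
HIT = re.compile(rf"^[ \t]*({NUM})[ \t]+([A-Z0-9_]+)[ \t]", re.MULTILINE)

def parse_report(text):
    """Return (required_score, {rule_name: score}) using exact decimals."""
    m = SUMMARY.search(text)
    if m is None:
        raise ValueError("no '(N points, M required)' summary line found")
    hits = {name: Decimal(score) for score, name in HIT.findall(text)}
    return Decimal(m.group(2)), hits

def decisive_rules(required, hits):
    """Rules whose removal alone would drop a tagged message below the threshold."""
    total = sum(hits.values(), Decimal(0))
    if total < required:
        return []  # message was not tagged, so no rule was decisive
    return [r for r, s in hits.items() if s > 0 and total - s < required]

def headroom(required, hits, rule):
    """Score that `rule` must stay below for this message to pass."""
    others = sum((s for r, s in hits.items() if r != rule), Decimal(0))
    return required - others

if __name__ == "__main__":
    required, hits = parse_report(REPORT)
    for rule in decisive_rules(required, hits):
        print(f"{rule}: decisive, must score below {headroom(required, hits, rule)}")
```

On this report only the SARE subject rule is decisive: the other four hits total 4.6 against a required 5.0.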
RE: Problems with SURBL and catching stuff..
Hi Matt,

I've mentioned this before as well. This spammer is really good at not hitting most of the stock rules. We get hit with about a dozen of them before the SURBL's catch on. To catch them all the time, make sure you are using 70_sare_html1.cf from rulesemporium.com. Add to your local.cf

score SARE_HTML_A_HIDE 5.0

(or whatever you are using for the spam score)

He always hits this rule. I've had no false positives by making this change.

Hope this helps!
Shawn

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 4:35 PM
To: users@spamassassin.apache.org
Subject: Problems with SURBL and catching stuff..

Hi,

Perhaps someone can help here. I have recently added the SURBL functionality to my SpamAssassin installation, and things seem to work wonderfully. However, we do on a fairly regular basis seem to be the "first" to get hit with the spam. What I mean is that spamassassin will catch it only scoring around 2.3 or so.. based on mostly images and HTML, but won't get the URL or score it past 5 points. A few hours later if I run the URL through an e-mail it will come up [SPAM].

Any suggestions how to get these mails marked as spam? I don't want to set my score criterion too low to avoid FPs.
RE: spam slippin through
If it's the spam I think it is, I stopped it by using the SARE_70_HTML1.CF file and adding this to my local.cf

score SARE_HTML_A_HIDE 5.0

They always hit this rule ;)

Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 12:26 PM
To: users@spamassassin.apache.org
Subject: spam slippin through

Running a site wide SA 2.6 setup, some XXX html only mails are impossible to stop, getting scores as low as 2.0. The email just calls images, and that's about it.

Should I paste the subject here? They are quite distinct, and I'm sure others are getting them.
RE: Those sneaky porno spammers
I've been being hit by this type of spam quite hard lately, but finally found a way to stop it. Make sure you are running the SARE html and adult rulesets. Then add to your local CF:

score SARE_HTML_URI_NODOT2 2.0
score SARE_HTML_A_HIDEtst2 4.0

This spammer's emails ALWAYS hit these 2 rules, so I bumped up the scores quite a bit. I haven't had any false positives as a result. My users were getting quite annoyed because these spam messages were quite offensive and always sneaking through until they hit the SURBL's. After making this change, I'm catching 100% of them.

Shawn

-----Original Message-----
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Friday, September 03, 2004 2:56 PM
To: 'Gordon Thagard'
Cc: Spamassassin-Talk (E-mail)
Subject: RE: Those sneaky porno spammers

>-----Original Message-----
>From: Gordon Thagard [mailto:[EMAIL PROTECTED]
>Sent: Friday, September 03, 2004 2:29 PM
>To: users@spamassassin.apache.org
>Subject: Those sneaky porno spammers
>
>
>Solaris 9
>Postfix 2.1.x
>Spamassassin 2.64
>Amavisd-new-20030616-p10
>Clamav-0.74
>Bayes
>Razor
>DCC
>
>Hello All,
>
>I have setup what I consider to be a very good MTA for our College which
>is fending off a 49/51% SPAM/HAM ratio and dealing with many thousands
>of emails a day. While the system does a very good job of detecting
>SPAM, there is one brand of porno SPAM that is constantly evading our
>defenses. It usually has a white, grey, blue or purple background,
>gibberish words and hardcore, explicit porno pics from a third-party web
>server. I've turned off viewing non-local images. Plus I have lowered
>the SPAM threshold to 4.0 and setup Bayes learning with access limited
>to our domain only. After setting up Bayes, I didn't get this particular
>porno SPAM for a few days but then it started up again and nothing I do
>can stop it. One of two things happens:
>
>1. There are zero spam headers added to the email in my INBOX or,
>2. It gets a 3.8 spam rating and is delivered.
>
>I have included both examples from today's barrage as attachments. Any
>help would be greatly appreciated.
>
>--

One of those is already in SURBL.

erimomisaki.com is 201.12.78.140 [ rbl lookup ]
domain registered: 08-27-2004 [ full whois ]
* URIBL: ws.surbl.org: not listed [ report ]
* URIBL: sc.surbl.org: listed [Message body contains SpamCop spamvertised domain.]
* URIBL: ob.surbl.org: listed [Blocked, See: http://www.surbl.org/lists.html#ob]
* URIBL: multi.surbl.org: listed [Blocked, erimomisaki.com on lists [sc][ob], See: http://www.surbl.org/lists.html]
* URIBL: ab.surbl.org: not listed

The other would be soon, but we have some technical difficulties in the submission department today :) So I say use SURBL.

--Chris