Re: Scoring question
Rick Zeman schrieb:

Does this score:

0.001 BAYES_50 Bayesian spam probability is 40 to 60%

seem to be rather low for something with a 50% probability of being spam? SA 3.2.1 run within Maia with autolearning on. Tnx

BAYES_50 means that Bayes thinks there is a 50% chance it's ham and a 50% chance it's spam, so Bayes should stay neutral because it has no opinion on this message. arni
simple rule idea
I just had the following rule idea to prevent false positives (I have no problem scoring spam high enough, I'd rather find ways to lower the score on ham). I want to reward -2 points for people that know my very distinctive last name and include it in the message or the To field. However, I also use email addresses that already contain my last name; in this case I don't want to reward points because it was an obvious guess. Here is how I'd do it:

# __lastname is a placeholder for the real surname.
# The angle brackets in the two To: patterns were lost in the archived copy
# and are reconstructed here: the HEAD rule looks for the surname in the
# display name, the OBVIOUS rule for the surname inside the address itself.
body   __SENDER_KNOWS_REALNAME_BODY  /\b__lastname\b/i
header __SENDER_KNOWS_REALNAME_HEAD  To =~ /.*__lastname.*<.*>.*/i
header __REALNAME_WAS_OBVIOUS        To =~ /.*<.*__lastname.*>.*/i
meta   SENDER_KNOWS_REALNAME  ((__SENDER_KNOWS_REALNAME_BODY || __SENDER_KNOWS_REALNAME_HEAD) && !__REALNAME_WAS_OBVIOUS)
score  SENDER_KNOWS_REALNAME  -2

comments? arni
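The same three sub-rules and the meta rule, as an added example in Python that is not from the post or from SpamAssassin itself, so the "obvious guess" case can be checked directly against sample headers. The surname "mustermann", the addresses and the bodies below are assumed values, not from the post; the rule names follow the post. It goes slightly beyond the regexes above in that the To: header is split into display name and address with email.utils.getaddresses, so a surname in the local part counts as obvious even when the header is not written in "Name <addr>" form.

```python
import re
from email.utils import getaddresses

# Placeholder surname; the post writes it as __lastname. "mustermann" is an
# assumed example value, not taken from the post.
LASTNAME = "mustermann"
WORD_RE = re.compile(r"\b%s\b" % re.escape(LASTNAME), re.I)   # whole word, as in the body rule
SUBSTR_RE = re.compile(re.escape(LASTNAME), re.I)             # substring, as in the To: rules


def _recipients(to_header):
    """Split a To: header into (display name, address) pairs, RFC 2822 style."""
    return getaddresses([to_header])


def knows_realname_body(body):
    """__SENDER_KNOWS_REALNAME_BODY: surname as a whole word anywhere in the body."""
    return WORD_RE.search(body) is not None


def knows_realname_head(to_header):
    """__SENDER_KNOWS_REALNAME_HEAD: surname in a recipient's display name."""
    return any(SUBSTR_RE.search(name) for name, _addr in _recipients(to_header))


def realname_was_obvious(to_header):
    """__REALNAME_WAS_OBVIOUS: surname already sits in the address itself,
    so the sender could have copied it; it proves nothing."""
    return any(SUBSTR_RE.search(addr) for _name, addr in _recipients(to_header))


def sender_knows_realname(to_header, body):
    """meta SENDER_KNOWS_REALNAME = (BODY || HEAD) && !OBVIOUS"""
    return ((knows_realname_body(body) or knows_realname_head(to_header))
            and not realname_was_obvious(to_header))


def realname_score(to_header, body, bonus=-2.0):
    """Score contribution: the post's -2 when the meta rule fires, else 0."""
    return bonus if sender_knows_realname(to_header, body) else 0.0


if __name__ == "__main__":
    # Constructed sample inputs, not from the post.
    print(sender_knows_realname("Arni Mustermann <arni@example.org>", "hi"))         # True
    print(sender_knows_realname("<arni.mustermann@example.org>", "Mr. Mustermann"))  # False
```

The word boundary in the body rule matters: a body mentioning "Mustermannsche" does not count, while the To: rules use a plain substring match because address parts are rarely delimited by word boundaries.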
Re: Bored girls spams
Anders Norrbring schrieb:

arni skrev:

Igor Chudov schrieb:
I am receiving a lot of spams from bored girls, that ask me to email to some .info email addresses. Just curious what these spams are promoting, what is the scam behind them?

Probably to verify the addresses they tried, because then they gain a lot of value and can be sold for much more.

Even more interesting would be, how can we tag them higher in a safe way so it won't cause false hits? Anders.

This is the lowest scoring mail of this type I could find:

X-Spam-Report:
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  0.0 BOTNET_BADDNS Relay doesn't have full circle DNS
*      [botnet_baddns,ip=190.8.157.162,rdns=helo=]
*  3.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=190.8.157.162,hostname=helo=,baddns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
*  1.5 IXHASH BODY: This mail has been classified as spam @ iX Magazine,
*      Germany
*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
*      Germany
*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogInSolutions
*      AG, Germany

arni
Re: Bored girls spams
Igor Chudov schrieb:
I am receiving a lot of spams from bored girls, that ask me to email to some .info email addresses. Just curious what these spams are promoting, what is the scam behind them?

Probably to verify the addresses they tried, because then they gain a lot of value and can be sold for much more.
Re: Bye for good FuzzyOCR
Loren Wilton schrieb:

I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertising viagra in clear text with no obfuscation, a few advertising stocks. FuzzyOCR still does quite well here. Loren

I'm not saying that it doesn't work well anymore, I'm just saying that I don't need it anymore to bring my spam above 10 points. What happened for me lately was the following: image spam was above 10 pts already and FuzzyOCR didn't run, so FuzzyOCR only ran for ham with images, completely wasting resources, so I uninstalled it.
Re: Bye for good FuzzyOCR
Bill Landry schrieb:
I'm running SA 3.2.1 and FuzzyOCR is running just fine here. Bill

Ran fine on 3.2.0 for me ...
Bye for good FuzzyOCR
Hi, I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-) arni
Re: Bye for good FuzzyOCR
Spamassassin List schrieb:

I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam above 10 points, even without CPU intensive FuzzyOCR. I'm not receiving much of it anymore anyways. arni
Re: Bye for good FuzzyOCR
Spamassassin List schrieb:

Spamassassin List schrieb:

I just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read, and I noticed that I don't even need it to get the remaining image spam above a score of 10. Thanks a lot to the author, the plugin was great when image spam was on a high and no good rules existed to bust them through metadata ;-)

So what are you using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam above 10 points, even without CPU intensive FuzzyOCR. I'm not receiving much of it anymore anyways.

How do you get DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO? Using ImageInfo?

Must be on updates.spamassassin.org or saupdates.openprotect.com, otherwise I wouldn't have them. arni
Rule suggestion - smtp sanity
From large providers I sometimes receive messages through encrypted SMTP; the header looks something like this (qmail):

... with (AES256-SHA encrypted) SMTP; ...

Would it be a good idea to give a minimal negative score on this, -0.1 or -0.2, if this happens on the last hop? It proves that the sending SMTP server is very protocol sane, which spambots usually are not. arni
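An added example of the "last hop" check, not from the post and not SpamAssassin's own code: only the topmost Received line, the one written by the receiving MX, is inspected for qmail's "(CIPHER encrypted) SMTP" marker. Any Received line below it was supplied by the sender and can be forged, so a spambot that pastes a fake TLS hop into its own headers gets nothing. The regex assumes the exact qmail form quoted above; the sample messages, host names and addresses are constructed for the example.

```python
import re
from email import message_from_string

# qmail with a TLS patch records a STARTTLS session as
# "with (CIPHER encrypted) SMTP" in the Received line it writes. The pattern
# assumes that exact form, as in the header quoted in the post.
QMAIL_TLS_RE = re.compile(r"\bwith \(([A-Za-z0-9-]+) encrypted\) SMTP\b")


def received_headers(raw_message):
    """All Received: headers, topmost (most recent hop) first, each unfolded to one line."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in (msg.get_all("Received") or [])]


def last_hop_cipher(raw_message):
    """Cipher name from the topmost Received line, or None.

    Only the line your own MX added is trusted; deeper Received lines are
    sender-supplied and are deliberately ignored.
    """
    hops = received_headers(raw_message)
    if not hops:
        return None
    m = QMAIL_TLS_RE.search(hops[0])
    return m.group(1) if m else None


def tls_last_hop_score(raw_message, bonus=-0.1):
    """Score contribution: the post's small negative score when the last hop used TLS."""
    return bonus if last_hop_cipher(raw_message) else 0.0


# Constructed sample messages (not from the post); IPs are documentation ranges.
GENUINE_TLS = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "  by mx.example.org with (AES256-SHA encrypted) SMTP; 21 Jun 2007 15:17:03 -0000\n"
    "Received: from [198.51.100.7] by mail.example.net with SMTP; 21 Jun 2007 15:16:59 -0000\n"
    "From: someone@example.net\nTo: arni@example.org\nSubject: test\n\nbody\n"
)
# The sender stuffed a TLS-looking hop below the real one; the MX itself saw plain SMTP.
FORGED_BELOW = (
    "Received: from unknown (HELO pc) (203.0.113.9)\n"
    "  by mx.example.org with SMTP; 21 Jun 2007 15:17:03 -0000\n"
    "Received: from bigmail.example.net by relay.example.net\n"
    "  with (AES256-SHA encrypted) SMTP; 21 Jun 2007 15:16:00 -0000\n"
    "From: someone@example.net\nTo: arni@example.org\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(last_hop_cipher(GENUINE_TLS), tls_last_hop_score(GENUINE_TLS))    # AES256-SHA -0.1
    print(last_hop_cipher(FORGED_BELOW), tls_last_hop_score(FORGED_BELOW))  # None 0.0
```

The check only means anything if every MX that can add the topmost line is your own, which is the same internal_networks/trusted_networks requirement the botnet plugin discussion in this thread keeps coming back to.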
PDF Decoder - Show of concept
Hi, what I'm going to show you is purely a show or proof of concept. There is no way you should use this code in a production environment, because it most likely has exploitable bugs as well as inaccuracies that will make it unable to parse all mail properly. I put this together within around an hour to show how it's possible to cope with PDF spam: the script completely decodes the PDF attachment into text and images and reattaches them. Like this the text is fully available to all means of SA processing, as well as the images to FuzzyOCR, if installed. The code is PHP, because that's easiest for me to write. It also has a nice side effect, that you are able to see the text from a PDF without having to open it ;-) If someone could make an SA plugin that can do the same thing in a clean and safe manner, this would be great, arni

<?php
// Proof of concept: split test.eml into MIME parts, run xpdf's pdftotext and
// pdfimages over every PDF part and append the results as extra parts in out.eml.
$mail = str_replace("\r\n", "\n", join('', file("test.eml")));
list($header, $body) = explode("\n\n", $mail, 2);
preg_match("/boundary=\"([^\"]*)\"/m", $mail, $border);
$border = $border[1];
$parts = preg_split("/-*" . preg_quote($border, '/') . "-*/", $body);
array_shift($parts);   // preamble before the first boundary
array_pop($parts);     // epilogue after the closing boundary
$mailout = $header . "\n\n";

foreach ($parts as $part) {
    list($phead, $pbody) = explode("\n\n", $part, 2);
    $mailout .= "--$border";
    $mailout .= $part;
    if (strpos($phead, "pdf") !== false) {
        $binary = base64_decode($pbody);
        // per-run temp name (the posted copy used rand(1, 9), a single digit)
        $tmpname = "pdf" . getmypid();
        $out = fopen("$tmpname.pdf", "w");
        fputs($out, $binary);
        fclose($out);

        // text layer -> attached as an HTML part
        exec("pdftotext -htmlmeta -nopgbrk $tmpname.pdf $tmpname.txt 2>/dev/null");
        $text = join('', file("$tmpname.txt"));
        unlink("$tmpname.txt");
        if (trim(strip_tags($text)) != "") {
            $mailout .= "--$border\n";
            $mailout .= "Content-Type: text/html; charset=\"iso-8859-1\"\nContent-Transfer-Encoding: 8bit\nContent-Disposition: attachment; filename=\"pdftext.htm\"\n\n";
            $mailout .= $text . "\n";
        }

        // embedded images -> pdfimages writes <tmpname>-NNN.ppm or .jpg (-j keeps JPEGs)
        exec("pdfimages -j $tmpname.pdf $tmpname 2>/dev/null");
        $cnt = 0;
        $handle = opendir('.');
        while (($file = readdir($handle)) !== false) {
            if ($file != "." && $file != ".." && is_file($file)) {
                if (substr($file, 0, strlen($tmpname)) == $tmpname) {
                    @list($name, $ext) = explode(".", $file);
                    if ($ext == "ppm") {
                        exec("ppmtogif $file > $file.gif 2>/dev/null");
                        $binary = join('', file("$file.gif"));
                        unlink("$file.gif");
                        $mailout .= "--$border\n";
                        $mailout .= "Content-Type: image/gif;\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment; filename=\"pdfimage$cnt.gif\"\n\n";
                        $cnt++;
                        $mailout .= wordwrap(base64_encode($binary), 76, "\n", true) . "\n";
                    } elseif ($ext == "jpg") {
                        $binary = join('', file($file));
                        $mailout .= "--$border\n";
                        $mailout .= "Content-Type: image/jpeg;\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment; filename=\"pdfimage$cnt.jpg\"\n\n";
                        $cnt++;
                        $mailout .= wordwrap(base64_encode($binary), 76, "\n", true) . "\n";
                    }
                    unlink($file);   // also removes the temporary .pdf itself
                }
            }
        }
        closedir($handle);
    }
}
$mailout .= "--$border--\n";
$out = fopen("out.eml", "w");
fputs($out, $mailout);
fclose($out);
?>
Re: how do I block this stock promotion spam?
Hi, I'd block it like this:

X-Spam-Report:
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 0.9997]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?63.147.147.222]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [63.147.147.222 listed in zen.spamhaus.org]
*  3.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=63.147.147.222,maildomain=southwest.com.au,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*      [botnet_nordns,ip=63.147.147.222]

Generally means: either install botnet and hope for being a late receiver (spamcop) or train your bayes on it (also together with the botnet plugin). arni

Andrew Xiang schrieb:
how do I block this stock promotion spam? thanks Andrew
Re: Several messages a day are not getting scanned (no X-Spam-Status)
esposj schrieb:
I have recently upgraded to SA3.2 (via ISPConfig) and have several users seeing messages come through without any SA processing. On my personal account, I see 2-5 messages a day which don't have a X-Spam-Status and are very obviously spam. SA is called through PROCMAIL and I have confirmed that the messages getting through aren't too big to get blocked by the PROCMAIL script. My thoughts are to write another procmail rule at the end to check for the X-Spam-Status header and if missing feed back into the SA rule. This seems like an unneeded hack, and I hope someone could point me at some other troubleshooting ideas. Thanks, Joe Esposito The Seagroatt Companies Albany, NY

You might be using the To: field to determine who the mail is to and scanning according to that. That's not a safe way because it can be forged; use headers such as Envelope-To or Delivered-To as added by your MTA to find out where a mail is really going. arni
Re: *****SPAM***** Re: DNS list service to detect the registrar barrier
jdow schrieb:
You are if you're the only one dumb enough to run email from this list through SpamAssassin then you might be.

I don't exactly know why you have to flame people on this mailing list, but I'm gonna explain it to you: This list offers a great way to learn Bayes with spam related ham, which is in my opinion one of the best hams around. It is spam related, so it might contain tokens that are also found in spam, and it is a great way to show Bayes that these tokens are not only present in spam, but can also be in ham. arni
Re: *****SPAM***** Re: DNS list service to detect the registrar barrier
Am I the only one getting a pretty solid false positive on the previous post?

X-Spam-Report:
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
*  2.0 SPOOF_COM2OTH URI: URI contains .com in middle
*  2.5 SARE_SPOOF_COM2OTH URI: a.com.b.c
*  2.3 SPOOF_COM2COM URI: URI contains .com in middle and end
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*      [score: 0.]
Re: Spam PDF
Mikael Syska schrieb:
Kind of new to spam ... and especially how people use Bayes. So how many ham mails do you get per day? Wondering if I could do something to my system so Bayes may score higher. I have read somewhere that spam mails in Bayes should be a lot higher than ham mails ... is that true? Cause I'm doing spam scans for multiple domains ..

My mail volume isn't high, I do it only for myself and some friends. Some stats on my Bayes db:

0.000          0       4556          0  non-token data: nspam
0.000          0       1356          0  non-token data: nham
0.000          0     280877          0  non-token data: ntokens

I get about 20 ham and 150 spams per day (on my personal box) - Bayes is only learned by spamtraps and autolearn. arni
Re: Spam PDF
[EMAIL PROTECTED] schrieb:

arni wrote:

[EMAIL PROTECTED] schrieb:
Sounds more like if we didn't rely on other people to have seen this particular abusive host before us and our learning system to have seen past examples of spam that looks a whole lot like this one from headers alone to detect this particular spam, we'd fail to catch it until we've trained our system and the abusive host has been reported to various lists. That's what makes policy (e.g. MTA checks, BOTNET) and behavior based detection work as well as it does, it's proactive instead of reactive.

I have no spam that doesn't score at least BAYES_80 - BAYES_80 is 3.5 points here, BOTNET is 3 points here, makes 6.5 total and a bust. Doesn't have anything to do with being a late receiver as I receive this spam on a whole lot of addresses and not just one - please don't tell me you think I'm a late receiver on all. arni

No, all BAYES is saying is you've received and trained spam in the past that has bits and pieces that look like this new spam. If a spammer reduces the amount of tokens that can match negatively and does nothing else they'll end up with a meaningless Bayes score (right around BAYES_50). Add a bit of likely-to-be-trained-as-ham bits from a common mailing list from the day before, and use that in combination with an image/attachment/short spam and you've got a nice low Bayes score. Works great against large site-wide Bayes databases, not so much against per-user unless the user happens to be subscribed to whatever ham source the spammer is using. <joke>Maybe we should train all our mailing lists as spam!</joke>

I will use one of the best quotes that were ever created on the internet: "You make your mouth full of technical bullshit when only facts talk" - by some random guy ;-) arni
Re: Spam PDF
[EMAIL PROTECTED] schrieb:

arni wrote:
I will use one of the best quotes that were ever created on the internet: "You make your mouth full of technical bullshit when only facts talk" - by some random guy ;-) arni

So you're saying you want my stock spam with mailing list filler? It's real and has been for a year or more and makes site-wide Bayes useless against it.

Yes, actually I do, just for the fun of it. Would be nice if you could send 3 to 5 as an attachment including all headers to the list or only to my address. Of course you'll want to choose spam with a low score to prove me wrong ;-) arni
Re: A different approach to scoring spamassassin hits
Tom Allison schrieb:
Many Thanks for those of you who have read this far for your patience and consideration.

Sorry for only giving you such a short reply to your long and great post, but I have to say this now: The proposal is brilliant and I thought about this before myself but never got around to putting it into words. arni
Re: Spam PDF
[EMAIL PROTECTED] schrieb:
Sounds more like if we didn't rely on other people to have seen this particular abusive host before us and our learning system to have seen past examples of spam that looks a whole lot like this one from headers alone to detect this particular spam, we'd fail to catch it until we've trained our system and the abusive host has been reported to various lists. That's what makes policy (e.g. MTA checks, BOTNET) and behavior based detection work as well as it does, it's proactive instead of reactive.

I have no spam that doesn't score at least BAYES_80 - BAYES_80 is 3.5 points here, BOTNET is 3 points here, makes 6.5 total and a bust. Doesn't have anything to do with being a late receiver as I receive this spam on a whole lot of addresses and not just one - please don't tell me you think I'm a late receiver on all. arni
Re: Spam PDF
Raymond Myren schrieb:
Hello, Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type? \raymond

As I said several times on this mailing list now, I've never had any of these mails get through. Here is how the current ones score:

X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
	BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
	LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
	autolearn=no version=3.2.0
X-Spam-Report:
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?85.138.88.254]
*  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*      [85.138.88.254 listed in zen.spamhaus.org]
*  3.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=85.138.88.254,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*      [botnet_nordns,ip=85.138.88.254]
*  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
*      Germany
*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogInSolutions
*      AG, Germany
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

arni
Re: Spam PDF
Robert Schetterer schrieb:

arni schrieb:
\raymond

As I said several times on this mailing list now, I've never had any of these mails get through. Here is how the current ones score:

You are in luck, you are a late receiver of that spam, so it was detected by others before (look at your headers), but it wasn't detected by i.e. a plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.

I looked for the lowest scoring email of the past 2 days (don't save them longer), this is the one:

X-Spam-Status: Yes, score=10.7 required=5.0 tests=BAYES_99,DCC_CHECK,
	DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,LOGINHASH2,MIME_HTML_MOSTLY
	autolearn=no version=3.2.0
X-Spam-Report:
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
*      Germany
*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogInSolutions
*      AG, Germany
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

Note that already a well trained Bayes can take these mails out on its own on my system. If you find your Bayes to score really accurately then it's a good idea to increase the scores. For me Bayes is fed from 2 spamtrap addresses with around 50 pieces of the finest spam every day. Doing this, Bayes scores BAYES_99 on 99.5% of my remaining spam - I hardly ever see it score below BAYES_80 and that's just great. So maybe training Bayes better or increasing the score will put an end to this for you. arni
Re: Spam PDF
[EMAIL PROTECTED] schrieb:
Actually it did, take away the spamtrap fed blackholes (PBL and SPAMCOP) and the spamtrap fed BAYES as well and it scores a whopping 3.1 thanks to the BOTNET plugin (which is amazing btw). That hit was all from late-receiver effect.

That sounds a bit like if we stopped trying to detect spam, we'd fail to catch it.
pdf spam solution idea
Hi, it's come up several times now that people ask for a way to directly detect PDF spam by the PDF content and not only through headers or other means (hashes, Bayes). I've found a solution that should be pretty easy to realise in a FuzzyOCR-like plugin. Here is what it should do:

Use xpdf (http://www.foolabs.com/xpdf/download.html) to read the PDF document:
- export the images to ppm files using `pdfimages`
- export the text parts to a simple text using `pdftotext`

This plugin should run as one of the first to make the raw text available (for example by attaching it as an extra MIME part or somehow internally) as well as make the images available to FuzzyOCR or similar by the same means as above. Unfortunately I won't be able to write such a plugin myself; it should be rather easy to do but I can't start to learn Perl just for this ;-) Maybe I gave some hints ... arni
Re: Botnet Score
Matt schrieb:
I have added botnet to my Spamassassin install. It seems to have helped quite a bit so far. I am just wondering about the 5 points it gives for a hit. Is that too much? Does it have a lot of false positives or not? Matt

I'm using the default 5 and until now I had one false positive (but Bayes and AWL saved it). Thinking about it I might reduce the score to 3, but not lower because it's really doing a great job over here. arni
Re: Botnet Score
Jari Fredriksson schrieb:

Matthias Haegele wrote:

Jari Fredriksson schrieb:

Matt wrote:
I have added botnet to my Spamassassin install. It seems to have helped quite a bit so far. I am just wondering about the 5 points it gives for a hit. Is that too much? Does it have a lot of false positives or not? Matt

I have yet to see a hit, none so far in production (botnet been on for 5 days now).

Perhaps you use greylisting or similar solutions already, or messages get blocked by blacklists on MTA level?

No, no such measures. But starting spamd -D tells this

Seems that botnet disables itself? No trusted relays?

127.0.0.1 should be automatically trusted and you should add all your MXes' IPs so botnet can work properly. arni
Re: Botnet Score
Jari Fredriksson schrieb:
127.0.0.1 should be automatically trusted and you should add all your MXes' IPs so botnet can work properly.

Add to where? I have internal_networks and trusted_networks set up in local.cf

Then that should be ok.
Re: Botnet Score
Mark Martinec schrieb:
The accuracy of botnet can be greatly enhanced when it is tamed down by p0f results (passive operating system fingerprinting).

I can't fully agree with that because almost all xDSL or cable users use some kind of hardware router which usually runs some kind of embedded Unix or proprietary system which will behave like Unix. So from my experience you often see Unix from the internet's point of view where it's actually Windows. arni
Re: Help in writing rules to catch SREA stock spams
Suhas Ingale schrieb:
Can someone help me writing rules to catch below content spam?

*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  5.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=87.226.203.3,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*      [botnet_nordns,ip=87.226.203.3]
*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*      [URIs: otcpicks.com]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?87.226.203.3]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [87.226.203.3 listed in zen.spamhaus.org]
*  0.5 WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
*      [URIs: otcpicks.com]
*  1.5 UPPERCASE_75_100 message body is 75-100% uppercase

Another SREA spam easily busted with BOTNET and BAYES, I don't really see the need for a content rule. arni
Re: Help in writing rules to catch SREA stock spams
Marc Perkel schrieb:
That doesn't answer his question though. He didn't ask for your opinion about if he needed it. If the rules were working for him he wouldn't be asking for help. When someone asks a question telling them they don't need it is generally the wrong answer and a waste of time.

I was more trying to show him that installing the botnet plugin alone, together with a decent Bayes or 1 or 2 more rules, already does the job, and instead of writing a new rule for each stock spam that comes out, this will catch almost all of it (all of it in my case). arni
Re: Help in writing rules to catch SREA stock spams
Marc Perkel schrieb:
Actually the fastest way to get rid of stock/botnet spam is with fake MX records.

fake 10
real 20
fake 30
fake 40

I don't like the idea of making life harder for ham (forcing a properly working mail server to make at least 2 connections) accompanied by the same delays as greylisting. Why make life harder for ham if you can detect the spam easily? arni
Re: Help in writing rules to catch SREA stock spams
Matt schrieb:
together with a decent bayes or 1 or 2 more rules already does the job and

Where do I get the botnet plugin (prefer rpm) and how do I make Spamassassin use it? Matt

http://people.ucsc.edu/~jrudd/spamassassin/

Docs inside the archive. Botnet is really one of the most effective plugins I use these days (make sure you set your internal nets properly, otherwise it sometimes doesn't work properly, especially SOHO detection for me). arni
Re: Help in writing rules to catch SREA stock spams
Matt schrieb:
I have Spamassassin setup to whitelist all my own IP pools. Do I need to do anything else? Matt

Make sure that anything that is an MX for x@allyourdomains.com is in your internal_networks. arni
Re: Spam slipped
Suhas Ingale schrieb:
What score do others get on this?

Can you please, please forward spam only as an attachment, thanks. If you forward inline you:
* may have the message marked as spam
* mis-learn other people's Bayes
* may get beaten by AWLs next time you send something

arni
Re: Spam slipped
SM schrieb:

At 06:37 21-06-2007, arni wrote:
If you forward inline you:
* may have the message marked as spam
* mis-learn other people's Bayes
* may get beaten by AWLs next time you send something

That won't happen if you whitelist this mailing list. Regards, -sm

Did I mention that spam without headers is useless?
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Marc Perkel schrieb:
I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it.

56th reinvention of the square wheel. You might wanna search this list's archive for further comments ... arni
Re: Spam slipped
Suhas Ingale schrieb:
Any custom rules to catch this?

Without headers I can't tell, but I had the same spam, so here is my report:

*  4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
*      2)
*  0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?86.124.176.33]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [86.124.176.33 listed in zen.spamhaus.org]
*  0.0 BOTNET_BADDNS Relay doesn't have full circle DNS
*      [botnet_baddns,ip=86.124.176.33,rdns=86-124-176-033.iasi.fiberlink.ro]
*  5.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=86.124.176.33,hostname=86-124-176-033.iasi.fiberlink.ro,baddns,client,ipinhostname]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
*      [botnet_ipinhosntame,ip=86.124.176.33,rdns=86-124-176-033.iasi.fiberlink.ro]
*  0.0 BOTNET_CLIENT Relay has a client-like hostname
*      [botnet_client,ip=86.124.176.33,hostname=86-124-176-033.iasi.fiberlink.ro,ipinhostname]
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*      [score: 0.5000]
*  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
*      dynamic-looking rDNS

arni
Re: stock spam with pdf
Robert Schetterer schrieb:
http://www.forbes.com/security/2007/06/20/stock-spam-internet-tech-security-cx_ag_0620spam.html

Got like 7 of them, all look pretty much like this:

X-Spam-Report:
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 0.9998]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  5.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=89.234.73.196,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*      [botnet_nordns,ip=89.234.73.196]
*  0.0 HTML_MESSAGE BODY: HTML included in message
Re: iXhash list @ ix.dnsbl.manitu.net being ddos'ed
[EMAIL PROTECTED] schrieb:
Hi, list, the DNS server of manitu.net, Germany, currently the only server hosting the iXhash blacklist @ ix.dnsbl.manitu.net, is apparently being ddos'ed. Admins using the iXhash plugin should either temporarily disable using that server or request being included in a whitelist the provider has set up. Mails should be directed at [EMAIL PROTECTED] Dirk

Oh that sucks, I love that service. Please add 87.118.96.151 and 87.118.97.151. Thanks, arni
Re: Innovative Host Blacklisting Idea
[EMAIL PROTECTED] schrieb:
BTW: at one time I was quite happy with some pre-filtering on my private mail (which is fetchmail ultimately feeding to SA) until I found that SA would no longer recognize some spam in the bayes section. So, if capacity permits, it might be a good idea to feed (a random sampling of) pre-filtered spam to sa-learn. Wolfgang

What's the problem with SpamAssassin and fetchmail? I'm using it myself and I only get complaints that 127.0.0.1 doesn't have a reverse DNS. arni
Re: iXhash list @ ix.dnsbl.manitu.net being ddos'ed
Marc Perkel schrieb:
Dude - that sucks! Anything I can do to help?

Guess in the long term it might be a good idea if someone provided a second level, i.e. non-rootzone alternate DNS server that provides data from all 3 companies that use the iXhash system. Unfortunately I'm not good with nameservers :-/ arni
Re: Innovative Host Blacklisting Idea
Jerry Durand schrieb:
I have a few spamtrap addresses that feed directly to sa-learn. Seems to work pretty well.

I do almost the same, but I first check email coming into the spamtraps and require a score of 2 before learning it, to avoid poisoning my Bayes in case real ham should come in. arni
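The gate described in the reply above, as an added example that is not from the post or from sa-learn: the spamtrap mail is first passed through spamassassin, then the X-Spam-Status header it wrote is parsed and only messages at or above the threshold of 2 are handed on to sa-learn --spam. Mail with no X-Spam-Status at all (never scanned) is not learned either, since its score is unknown. The header format is SpamAssassin's real one; the sample messages and the threshold default are constructed for the example.

```python
import re
from email import message_from_string

# Matches the front of an X-Spam-Status value, e.g.
# "Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET autolearn=no version=3.2.0"
STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")


def spam_score(raw_message):
    """Return (score, required) from X-Spam-Status, or None if the mail was never scanned."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    m = STATUS_RE.match(" ".join(status.split()))   # unfold continuation lines first
    if m is None:
        return None
    return float(m.group(2)), float(m.group(3))


def should_learn_as_spam(raw_message, threshold=2.0):
    """Spamtrap gate: learn only if SA already scored the message at >= threshold.

    Unscanned mail (no X-Spam-Status) is never learned, so ham that strays into
    the trap and scores low does not poison the Bayes database.
    """
    parsed = spam_score(raw_message)
    if parsed is None:
        return False
    score, _required = parsed
    return score >= threshold


# Constructed sample messages (not from the post).
TRAP_SPAM = ("X-Spam-Status: Yes, score=10.7 required=5.0 tests=BAYES_99,DCC_CHECK\n"
             "\tautolearn=no version=3.2.0\nSubject: x\n\nbody\n")
TRAP_LOW = ("X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=no"
            " version=3.2.0\nSubject: x\n\nbody\n")
UNSCANNED = "Subject: x\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("spam", TRAP_SPAM), ("low", TRAP_LOW), ("unscanned", UNSCANNED)):
        print(name, spam_score(raw), should_learn_as_spam(raw))
```

In a .qmail or procmail recipe this sits between `spamassassin` and `sa-learn --spam`; the function returns a decision rather than calling sa-learn so it can be tested without a Bayes database.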
Re: DUL Lists? - OT
Dan Barker schrieb:
I'm receiving a lot of 421 rejects with: Unexpected connection response from server: 421 mails from 74.254.46.133 refused: local dynamic IP address 74.254.46.133 Does anybody recognize the text of the message? I'd like to confirm that there are no popular DUL lists showing 74.254.46.133 as dynamic, but the 421 message says very little. DNSReport says it's clean. I've tried to contact some postmaster accounts (using Yahoo.com, since I can't use my own mailer) but they appear to be RFC ignorant too. Unfortunately, it's not just one ISP in Germany and I'd like to understand if there's anything I can do on my side. The only thing that comes to mind is that my rDNS is delegated to my own name server. Maybe there's some sort of DNS software out in the wild that doesn't support delegation? I'm really at a loss. Dan

133.46.254.74.in-addr.arpa is an alias for 133.128.46.254.74.in-addr.arpa.
133.128.46.254.74.in-addr.arpa domain name pointer mail.visioncomm.net.

Probably a not so clever blacklist considering your IP dynamic because the alias has its own IP in the alias name. arni
Re: DUL Lists? - OT
Dan Barker schrieb:
Dan Barker follows up: I think you confirmed that my delegated rDNS is proper and that the 421 message is in error. But I'm not certain. Can you please confirm your assessment? My ISP provides me a /26 subnet out of the 74.254.46.0 class C, so the rDNS delegation is done with CNAMEs from the class C subnet to my 74.254.46.128/26 subnet's DNS servers. They serve the appropriate PTR records. Thanks again for the bandwidth;
Dan

I'd advise you to just give the IP you send email from a real, non-aliased reverse DNS entry which is the same as your HELO and also points back to your IP through an A record. Guess that's just the easiest way to solve it. Making the foreign admins aware of their buggy system is gonna be more complicated.
arni
Re: DUL Lists? - OT
Dan Barker schrieb:
Definitions:
right: follow the CNAME to get a PTR
wrong: return the CNAME as an answer.

Yes, that's what I meant, the script on the other side seems to be too stupid to realise that the first lookup isn't the final answer; in this wrong answer it finds its own IP and considers it a sign of a dynamic IP.
arni
Rejecting spam during SMTP session
Hi, for a while I've been watching my spamassassin perform great on almost all spam - I've never had any false positives and also a very low count of false negatives. So I thought about rejecting sure spam during the SMTP session and came up with a few bits of shellscript code that's rejecting spam with a score of 10 and above (I normally mark spam at 5). But I'm not really sure if I'm doing it correctly - it appears to me like I'm not rejecting mail but I'm bouncing it, which is surely not what I want. Here is my code which is called as a qmail-command in my .qmail file.

#!/bin/sh
# run the incoming message (stdin) through spamassassin and keep the tagged copy
message=`/usr/bin/spamassassin 2>/dev/null`
if [ $? -ne 0 ]; then
    # sa returned an error, make sure we dont lose the mail
    # (exit 111 is a temporary failure: qmail queues the mail and retries later)
    exit 111
else
    # ten asterisks in X-Spam-Level means a score of 10 or above
    printf '%s\n' "$message" | grep -qs 'X-Spam-Level: \*\*\*\*\*\*\*\*\*\*'
    if [ $? -eq 0 ]; then
        echo "Message was permanently rejected as spam" >&2
        # exit 100 is a permanent failure: qmail generates a bounce to the sender
        exit 100
    else
        printf '%s\n' "$message" | maildir ./Maildir/
        exit $?
    fi
fi

If you want to test the setup, you can send a mail with for example GTUBE to [EMAIL PROTECTED]
Your advice will be welcome,
arni
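Both of arni's score thresholds above (learn spamtrap mail only from a score of 2, treat 10 and above as sure spam) can be taken from the numeric score in the X-Spam-Status header instead of counting asterisks in X-Spam-Level. The following is an added example, not arni's script or anything from the SpamAssassin project; the header lines it reads are constructed sample input and the two thresholds are assumptions.

```shell
#!/bin/sh
# Added example: decide from the numeric SpamAssassin score rather than from the
# asterisk count in X-Spam-Level. One helper serves both thresholds that the
# thread mentions. Sample messages below are constructed; thresholds are assumed.

LEARN_MIN=2      # spamtrap mail below this is not fed to sa-learn
REJECT_MIN=10    # at or above this the message counts as sure spam

# sa_score: print the numeric score from the X-Spam-Status header read on stdin.
# Prints nothing when the header is absent (e.g. spamassassin failed to run).
sa_score() {
    sed -n 's/^X-Spam-Status: [A-Za-z]*, score=\(-\{0,1\}[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# score_at_least SCORE MIN: exit 0 if SCORE >= MIN (awk does the float comparison,
# plain sh only has integer arithmetic)
score_at_least() {
    awk -v s="$1" -v t="$2" 'BEGIN { exit !(s >= t) }'
}

# decide: read a tagged message on stdin and print one of
#   unknown - no score found; keep the mail and never learn from it
#   ham     - below the learning threshold
#   spam    - learnable as spam, but below the rejection threshold
#   reject  - sure spam
decide() {
    score=$(sa_score)
    if [ -z "$score" ]; then echo unknown; return 0; fi
    if score_at_least "$score" "$REJECT_MIN"; then echo reject
    elif score_at_least "$score" "$LEARN_MIN"; then echo spam
    else echo ham; fi
}

# constructed sample messages
SURE_SPAM='X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99,GTUBE
X-Spam-Level: ************
Subject: constructed sample

body'
TRAP_HAM='X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00
Subject: constructed sample that landed in a spamtrap by mistake

body'
UNTAGGED='Subject: constructed sample that spamassassin never saw

body'

printf '%s\n' "$SURE_SPAM" | decide   # reject
```

Because the negative-score case prints "ham", a spamtrap feeder built on `decide` would skip exactly the stray real mail arni wants kept out of bayes, and "unknown" keeps a message that was never tagged from ever being learned or rejected.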
Re: DNS tests getting aborted
[EMAIL PROTECTED] schrieb:
Server .116
The email attached has been identified by one of our team as legitimate but unfortunately was incorrectly tagged as SPAM. The email address has been whitelisted to ensure this will not happen again and we are currently looking into the reasons why this happened. No mail has been lost as the quarantined mail folder is continuously checked by members of Team Genesis, but please accept our apologies for any inconvenience caused. Your SPAM scanning system, Ullyses, is continually being upgraded and refined so we anticipate a steadily decreasing number of incidents like this as the system learns your personal profile. If you feel that you are receiving an inappropriate amount of SPAM then can we ask you to contact us either by email to: [EMAIL PROTECTED] or call your Genesis representative who will be happy to assist. Please do not reply to this email address as it has been automatically generated, but email any queries to: [EMAIL PROTECTED]
Thank you and take care
Mark

Are you realising that you're spamming a mailing list here?
Re: Rulesemporium down?
Gene Heskett schrieb:
On Saturday 09 June 2007, Dallas Engelken wrote:
Yet Another Ninja wrote:
On 6/9/2007 6:50 PM, Jerry Durand wrote:
At 09:19 AM 6/9/2007, Dallas Engelken wrote:
Rulesemporium.com will be coming back online at approximately 1800 GMT. Special thanks to Prolexic (http://www.prolexic.com) for the DDoS protection.
Great news and good work! I assume we can re-enable sa-update for tonight's run. Thanks for keeping this running.
Guys, there's really no need to automate RDJ. SARE rules aren't being updated too frequently and any rule change will be announced on the list. Each RDJ empty hit adds to traffic, which, atm, is a precious luxury. Pls be considerate and help SARE keep the site alive.
Prolexic will be providing proper caching of the rules shortly, so this shouldn't be much of an issue going forward. As long as people would keep their automation at 1-2 times a day, it's cool.
And I've moved my sa-update script from /etc/cron.daily to /etc/cron.weekly, plus added a valid day-field number to the crontab that runs rdj that is not sunday. I hope this helps. If everyone did this, your load should go down quite a bit. I really appreciate the service and I thank this group very much. Between this and some really aggressive procmail rules, I'm getting only 2 to 4 trash messages a day squeaking through.

http://saupdates.openprotect.com/ is made for automation - sa-update is also more efficient for empty hits
Re: Botnet Plugin
Claude Frantz schrieb:
Hi.

This is the qmail-send program at rds27912.i4e-server.de.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
137.193.10.37 does not like recipient.
Remote host said: 551 5.7.1 Sorry, but we do not accept email from systems whose hostnames cannot be validated. Your hostname with IP address 87.118.96.151 reports as being forged. Please fix your DNS and try again.
Giving up on 137.193.10.37.

--- Below this line is a copy of the message.

Return-Path: [EMAIL PROTECTED]
Received: (qmail 13318 invoked from network); 8 Jun 2007 14:34:02 +0200
Received: from p54a78418.dip0.t-ipconnect.de (HELO ?192.168.1.151?) ([EMAIL PROTECTED]) by ns2.rds27912.i4e-server.de with SMTP; 8 Jun 2007 14:34:02 +0200
Message-ID: [EMAIL PROTECTED]
Date: Fri, 08 Jun 2007 14:34:03 +0200
From: arni [EMAIL PROTECTED]
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)

Can you tell me what you think I'm doing wrong?
Re: Botnet Plugin
Where do I find this botnet plugin?
arni
Re: Botnet Plugin
Daniel J McDonald schrieb:
On Fri, 2007-06-08 at 14:53 +0200, arni wrote:
Can you tell me what you think I'm doing wrong?

[EMAIL PROTECTED] Desktop]$ host 87.118.96.151
151.96.118.87.in-addr.arpa domain name pointer ns.rds27912.i4e-server.de.
[EMAIL PROTECTED] Desktop]$ host ns.rds27912.i4e-server.de.
Host ns.rds27912.i4e-server.de not found: 3(NXDOMAIN)

Compare with a good one:

[EMAIL PROTECTED] Desktop]$ host 24.173.248.67
67.248.173.24.in-addr.arpa domain name pointer ns1.austinnetworkdesign.com.
[EMAIL PROTECTED] Desktop]$ host ns1.austinnetworkdesign.com.
ns1.austinnetworkdesign.com has address 24.173.248.67

Stupid me, should have checked for a real problem beforehand - looks like a temporary problem at my sucky provider ... usually both forward and backward resolve properly.
arni
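The two DNS threads above (the DUL list that stops at the CNAME of a classless in-addr.arpa delegation, and the 551 rejection for a hostname that cannot be validated) come down to the same two checks: follow the CNAME chain before reading a PTR, and confirm the PTR name resolves back to the sending IP. The following is an added example written for this archive, not code from the list or from any blacklist; it serves its records from an in-memory table constructed from the outputs quoted in the threads, so it runs offline, and the "naive" heuristic it shows is a reconstruction of what arni suspects the remote side does, not a known implementation.

```python
# Added example, not code from the thread: a reverse lookup that follows the
# CNAME chain an RFC 2317 classless delegation produces, beside the broken lookup
# arni suspects on the remote side (it takes the first answer, the CNAME target,
# as final and finds the IP's own octets in it), plus the forward-confirmed
# reverse DNS check behind the "hostnames cannot be validated" rejection.
# Zone data is constructed from the thread's host/dig output and served from a
# dictionary so everything runs offline.

def reverse_name(ip):
    """Build the in-addr.arpa name for a dotted IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

# Constructed records: name -> (record type, data).
ZONE = {
    # the /26 delegation from the DUL thread: CNAME in the /24 zone, PTR in the /26 zone
    "133.46.254.74.in-addr.arpa.": ("CNAME", "133.128.46.254.74.in-addr.arpa."),
    "133.128.46.254.74.in-addr.arpa.": ("PTR", "mail.visioncomm.net."),
    "mail.visioncomm.net.": ("A", "74.254.46.133"),
    # a plain PTR with a matching A record (the "good one" above)
    "67.248.173.24.in-addr.arpa.": ("PTR", "ns1.austinnetworkdesign.com."),
    "ns1.austinnetworkdesign.com.": ("A", "24.173.248.67"),
    # PTR exists but the forward name is NXDOMAIN (no A record in this table)
    "151.96.118.87.in-addr.arpa.": ("PTR", "ns.rds27912.i4e-server.de."),
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops

def lookup(name, rtype):
    """Right: follow CNAMEs until a record of the wanted type is found.
    Returns the record data, or None if the chain ends without one."""
    for _ in range(MAX_CNAME_HOPS):
        rec = ZONE.get(name)
        if rec is None:
            return None
        found_type, data = rec
        if found_type == rtype:
            return data
        if found_type == "CNAME":
            name = data
            continue
        return None
    return None

def first_answer(name):
    """Wrong: hand back whatever the first record is, CNAME target included."""
    rec = ZONE.get(name)
    return rec[1] if rec else None

def naive_looks_dynamic(ip):
    """The heuristic arni suspects: call the IP 'dynamic' when all of its own
    octets appear as labels of the (unfollowed) reverse answer."""
    answer = first_answer(reverse_name(ip))
    if answer is None:
        return False
    labels = answer.rstrip(".").split(".")
    return all(octet in labels for octet in ip.split("."))

def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name whose A record is the IP
    again, or None when either lookup fails or the forward answer differs."""
    hostname = lookup(reverse_name(ip), "PTR")
    if hostname is None:
        return None
    return hostname if lookup(hostname, "A") == ip else None

if __name__ == "__main__":
    for ip in ("74.254.46.133", "24.173.248.67", "87.118.96.151"):
        print(ip, "naive_dynamic:", naive_looks_dynamic(ip), "fcrdns:", fcrdns(ip))
```

Run as a script it shows the delegated address passing the forward-confirmed check while the naive heuristic still flags it, and the address from the bounce failing only because its PTR name has no A record.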
Re: These are getting through SA...
Luis Hernán Otegui schrieb:
Hi, could somebody run this mail through SA and give me the scores? They aren't scoring very much here...

Hi, your mailing probably broke half of the email so these scores are only an estimate - if you want me to try again attach the mail as raw text (or .eml as many clients call it)

X-Spam-Report:
* 0.0 MISSING_MID Missing Message-Id: header
* 0.0 MISSING_DATE Missing Date: header
* 2.5 MISSING_HB_SEP Missing blank line between message header and body
* 0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
* 1.3 MISSING_HEADERS Missing To: header
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*     [score: 0.5000]
* 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
*     [cf: 100]
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*     [cf: 100]
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*     [URIs: teethcat.hk]
* 1.8 MISSING_SUBJECT Missing Subject: header
arni
Re: A bit off topic for spamassassin but whats up with rulesemporium.com?
Kevin W. Gagel schrieb:
I'm not able to get to www.rulesemporium.com, what's up there? Any one know?

Do you also read, or just write?
Re: bayes rules
Sujit Acharyya-Choudhury schrieb:
We are using spamassassin at the gateway level with exim. Is it a good idea to use bayes as we don't know which is ham or spam - and the users are unlikely to give us the feedback from different systems. In that case bayes learning ability will be compromised.

I don't feed much information back into bayes either, but still the autolearning does a good job. For example it could happen that a mail with the same spam content first hits lots of DNSBLs and is thus marked and learned as spam. Next time you get the same spam it could be from different spamservers and not hit many rules. That's when it's a great help if bayes already knows the spam and can fire accordingly. So even if you don't manually feed back data into bayes, it can still help to classify something as spam.
arni
Re: Bayes Misidentification
Jari Fredriksson schrieb:
I had a similar problem a week or two ago.

Are you both using autolearn only, or do you manually learn with sa-learn (or similar)? You probably poisoned your bayes db by learning ham as spam.
If you're using autolearning: Adjust your scores and generally make sure you don't have false positives, as these are very bad.
If you're manually learning: You can't trust your users to classify spam for your global database. Users are users and 99% of all mistakes happen in front of the keyboard.
Solution for now: If you can still find out what ham you learned wrong, unlearn it - if you can't, you'll have to revert to a bayes backup. If you don't have one you'll have to start new.
arni
Re: Bayes Misidentification
Ben Lentz schrieb:
My bayes configuration is based on a little IMAP-derived user feedback data, but by vast majority is trained by the auto-learning system.

You can't trust your users, they will put newsletters they ordered but don't know how to stop and other non-spam into the spam folder.
arni
Re: SpamAssassin 3.2 compatiblity
Nix schrieb:
On 1 Jun 2007, Henrik Krohns spake thusly:
On Wed, May 30, 2007 at 09:40:43PM +0100, Nix wrote:
The FuzzyOCR score is a cumulation of the various subtests it hits. There are a handful of configuration options that can set scores, multipliers, and limits for various things.
Yeah, but there isn't an upper bound :/
Why don't you just set:
focr_base_score 5
focr_add_score 0
[...]
I'll try to whip something up that feeds the words back into Bayes.

I think the main problem with that will be that FuzzyOCR always runs as one of the last rules, and even that's conditional in the default config. But generally it sounds like a good idea to feed the text that the OCR plugin recognised back to bayes.
arni