Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-26 Thread Benny Pedersen

On Fri, April 24, 2009 22:56, John Hardin wrote:
> I do that check using milter-regex. A sample config file is at
> http://www.impsec.org/~jhardin/antispam/ - you'd have to edit it to match
> your needs for domain names and local MTA IP addresses.

# tempfail when the HELO has no dot and the connecting host is an
# unresolved address literal (hostname shown as [a.b.c.d])
tempfail "helo and ip does not resolve"
helo /\./n and \
connect /\[.*\..*\]/ //

home made :)

I'd like to make it a DNS test rule, but so far it works well as is.

> I don't have a rule for SA, as I block that at the MTA.

will send email privately after this, have a rule more for milter-regex

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Henrik K
On Fri, Apr 24, 2009 at 05:14:21PM -0400, Adam Katz wrote:
> Igor Chudov wrote:
> > Stefan and guys!!! You are awesome!!!
> 
> >   12 FUZZY_OCR  BODY: Mail contains an image with common spam 
> > text inside
> > [Words found:]
> > ["cia***" in 3 lines]
> > ["via***" in 3 lines]
> > [(9 word occurrences found)]
> 
> I wouldn't trust FUZZY_OCR with anything.  12 points is *WAY* too high
> for any single thing.  I had to disable this plugin a year or three
> ago because it assigned 20+ points to legit screenshots in ham (and
> that was /after/ I trimmed its flagging words file down in size)!

You do realize that it's configurable? Who is to blame if you just run things
blindly?



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Adam Katz
Igor Chudov wrote:
> Stefan and guys!!! You are awesome!!!

>   12 FUZZY_OCR  BODY: Mail contains an image with common spam 
> text inside
> [Words found:]
> ["cia***" in 3 lines]
> ["via***" in 3 lines]
> [(9 word occurrences found)]

I wouldn't trust FUZZY_OCR with anything.  12 points is *WAY* too high
for any single thing.  I had to disable this plugin a year or three
ago because it assigned 20+ points to legit screenshots in ham (and
that was /after/ I trimmed its flagging words file down in size)!


IMHO, very very few tests should score more than BAYES_99 (3.5 of a
needed 5.0 points).  That's the whole point of using SpamAssassin - a
best-of-breed so that you need multiple angles to kill any message,
thus vastly reducing the false positive chance.


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread James Wilkinson
Charles Gregory wrote:
> I've been scoring the attachment name pattern with a 'full' test.
> But this will only work until they figure ways to randomize the 
> attachment names

The mimeheader plugin can do that and is much cheaper.

The

Abody
Ahead

part of the HTML seems to be a good spam sign, too. I can’t come up with
a test (other than a full test) that will actually match all of that
with 3.2.x: the rawbody rule matches one line at a time. A meta on both
Abody and Ahead in the rawbody seems to do a pretty good job.

To what extent should Windows Mail be counted as a variant of
Outlook/Outlook Express? It’s not caught in __ANY_OUTLOOK_MUA: should it
be?

Hope this helps,

James.

-- 
E-mail: james@ | ... a sign carefully conveying in pictograms the fact
aprilcottage.co.uk | that you should not leave wheelchairs on a certain river
   | bank as they would roll down the hill and the crocs would
   | eat the passenger.-- Skud


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
Stefan and guys!!! You are awesome!!!

All I did was aptitude install fuzzyocr. Nothing else. I re-ran the
test again, and this particular spam scored for fuzzyOCR and got a
score of 16!!!

Here's the new score:

#

 pts rule name                    description
---- ---------------------------- --------------------------------------------
 0.0 HTML_MESSAGE                 BODY: HTML included in message
 0.0 BAYES_50                     BODY: Bayesian spam probability is 40 to 60%
                                  [score: 0.5085]
 3.0 RCVD_IN_XBL                  RBL: Received via a relay in Spamhaus XBL
                                  [88.236.102.45 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL                  RBL: Received via a relay in Spamhaus PBL
 0.8 SHORT_HELO_AND_INLINE_IMAGE  Short HELO string, with inline image
 0.1 RDNS_NONE                    Delivered to trusted network by a host with no rDNS
  12 FUZZY_OCR                    BODY: Mail contains an image with common spam text
                                  inside
                                  [Words found:]
                                  ["cia***" in 3 lines]
                                  ["via***" in 3 lines]
                                  [(9 word occurrences found)]

On Fri, Apr 24, 2009 at 10:52:30PM +0200, Stefan Luetje wrote:
> Am 24. Apr 2009 um 22:12 CEST schrieb Igor Chudov:
> > I get plenty of these also, and cannot get them to score well. 
> > 
> > These advertise knockoffs of bestselling Pfizer products. The text is
> > meaningless garbage text. The sales message is contained in a PNG
> > image, but it could be other image types like jpeg. 
> > 
> >http://igor.chudov.com/tmp/spam008.txt
> > 
> > Any ideas what I can do?
> 
> You can install FuzzyOcr
> 
> 
> ,
> | X-Spam-Status: Yes, score=19.8 required=5.0 
> tests=BADRELAY,BAYES_99,FUZZY_OCR,
> | HK_IMGSPAM,HTML_MESSAGE,SAGREY autolearn=no version=3.2.5
> | X-Spam-Relay-Country: US TR
> | X-Spam-Report: =?ISO-8859-1?Q?
> | *  3.5 BAYES_99 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
> | *  [score: 1.]
> | *  0.3 HTML_MESSAGE BODY: Nachricht enth=e4lt HTML
> | *  2.5 BADRELAY bad Relay
> | *  2.0 HK_IMGSPAM Inline image in message, Bayes think it's spam
> | *   10 FUZZY_OCR BODY:
> | *  1.0 SAGREY Adds 1.0 to spam from first-time senders
> `
> 
> ,[ fuzzyocr.log ]
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "cialis" with fuzz of 
> 0.
> |   line: "ur prce viagra  cialis special offer"
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "cialis" with fuzz of 
> 0.
> |   line: "lgg cialis special offer"
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
> 0.
> |   line: "ur prce viagra  cialis special offer"
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
> 0.1667
> |   line: "l ls lo x vagra loo mg  lo x cals omg"
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
> 0.
> |   line: " viagra hot offer"
> | 2009-04-24 22:30:08 [9756] Scanset "ocrad" generates enough hits (5), 
> skipping further scansets...
> | 2009-04-24 22:30:08 [9756] Message is spam, score = 10.500
> | 2009-04-24 22:30:08 [9756] Adding Hash to 
> "/home/stefan/.fuzzyocr/FuzzyOcr.hashdb"
> | 2009-04-24 22:30:08 [9756] Words found:
> |   "cialis" in 2 lines
> |   "viagra" in 3 lines
> |   (7.5 word occurrences found)
> `
> 
> 
> Greets
> Stefan
>   




Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread SM

At 13:12 24-04-2009, Igor Chudov wrote:

> I get plenty of these also, and cannot get them to score well.
>
> These advertise knockoffs of bestselling Pfizer products. The text is
> meaningless garbage text. The sales message is contained in a PNG
> image, but it could be other image types like jpeg.


The following rule may help.  You'll need the ImageInfo plugin.

body PNG_200_400 eval:image_size_range('png', 200, 400, 250, 450)
describe PNG_200_400 Contains png 200-250 x 400-450
score   PNG_200_400  0.1

Adjust the score to fit your needs.

Regards,
-sm   
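Added example, written for this thread rather than taken from SM's rule or
from the ImageInfo plugin: a small Python model of what that eval does. It
reads width and height straight from the PNG IHDR chunk (so the declared
Content-Type of the part is never trusted), applies the same argument order
as image_size_range (type, min width, min height, max width, max height), and
runs the PNG_200_400 rule over constructed MIME parts. The sample parts, the
header-only PNG builder and the function names are my own, not SA's.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Read (width, height) from the IHDR chunk that every PNG starts with.
    Returns None if the bytes are not a PNG, whatever the MIME type claims."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24:
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    return struct.unpack(">II", data[16:24])


def image_size_range(images, fmt, min_w, min_h, max_w=None, max_h=None):
    """Model of image_size_range(type, min_w, min_h, max_w, max_h):
    true if any image of that type has width in [min_w, max_w] and
    height in [min_h, max_h]."""
    for img_fmt, w, h in images:
        if img_fmt != fmt:
            continue
        if w < min_w or h < min_h:
            continue
        if max_w is not None and w > max_w:
            continue
        if max_h is not None and h > max_h:
            continue
        return True
    return False


def make_png_header(width, height):
    """Constructed header-only PNG (signature + IHDR) for testing; not real mail."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


def inventory(parts):
    """Turn (content_type, payload) MIME parts into (fmt, w, h) triples,
    keeping only payloads that really parse as PNG."""
    found = []
    for _ctype, payload in parts:
        dims = png_dimensions(payload)
        if dims is not None:
            found.append(("png", dims[0], dims[1]))
    return found


def rule_png_200_400(parts):
    """Equivalent of: body PNG_200_400 eval:image_size_range('png', 200, 400, 250, 450)"""
    return image_size_range(inventory(parts), "png", 200, 400, 250, 450)


# Constructed sample messages: one shaped like the image spam, one like a
# screenshot in ham that must not hit.
SAMPLE_PARTS_SPAM = [
    ("text/html", b"<html><body>garbage words</body></html>"),
    ("image/png", make_png_header(230, 420)),   # inside 200-250 x 400-450
]
SAMPLE_PARTS_HAM = [
    ("image/png", make_png_header(1024, 768)),  # outside the range
]

if __name__ == "__main__":
    print("spam sample hits:", rule_png_200_400(SAMPLE_PARTS_SPAM))
    print("ham sample hits: ", rule_png_200_400(SAMPLE_PARTS_HAM))
```

A size-only rule like this is cheap and tight, which is why it belongs at a
low score: any legitimate image that happens to land in the same box will hit
it too, so it is a nudge to combine with other tests, not a blocker on its own.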



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:

> On Fri, Apr 24, 2009 at 01:31:37PM -0700, John Hardin wrote:
>
>> Do you have administrative access to ak74.algebra.com? That looks like
>> it's your MX host.
>
> Yep, it is my MX host. I have root access, it is a 5 year old Fedora 3
> server.

Cool.

>> If so, a MTA rule that rejects any message from the internet having a
>> HELO without a period may block a lot of that.
>>
>> If not, a SA rule that looks for such a HELO in the Received: header
>> that ak74.algebra.com adds might help.
>
> Do you have examples of both kinds of such rules?
>
> I am especially interested in the mailserver side, as I have a lot of
> accounts handled by that server.

I do that check using milter-regex. A sample config file is at
http://www.impsec.org/~jhardin/antispam/ - you'd have to edit it to match
your needs for domain names and local MTA IP addresses.

I don't have a rule for SA, as I block that at the MTA.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Stefan Luetje
Am 24. Apr 2009 um 22:12 CEST schrieb Igor Chudov:
> I get plenty of these also, and cannot get them to score well. 
> 
> These advertise knockoffs of bestselling Pfizer products. The text is
> meaningless garbage text. The sales message is contained in a PNG
> image, but it could be other image types like jpeg. 
> 
>http://igor.chudov.com/tmp/spam008.txt
> 
> Any ideas what I can do?

You can install FuzzyOcr


,
| X-Spam-Status: Yes, score=19.8 required=5.0 tests=BADRELAY,BAYES_99,FUZZY_OCR,
|   HK_IMGSPAM,HTML_MESSAGE,SAGREY autolearn=no version=3.2.5
| X-Spam-Relay-Country: US TR
| X-Spam-Report: =?ISO-8859-1?Q?
|   *  3.5 BAYES_99 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
|   *  [score: 1.]
|   *  0.3 HTML_MESSAGE BODY: Nachricht enth=e4lt HTML
|   *  2.5 BADRELAY bad Relay
|   *  2.0 HK_IMGSPAM Inline image in message, Bayes think it's spam
|   *   10 FUZZY_OCR BODY:
|   *  1.0 SAGREY Adds 1.0 to spam from first-time senders
`

,[ fuzzyocr.log ]
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "cialis" with fuzz of 
0.
|   line: "ur prce viagra  cialis special offer"
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "cialis" with fuzz of 
0.
|   line: "lgg cialis special offer"
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
0.
|   line: "ur prce viagra  cialis special offer"
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
0.1667
|   line: "l ls lo x vagra loo mg  lo x cals omg"
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" found word "viagra" with fuzz of 
0.
|   line: " viagra hot offer"
| 2009-04-24 22:30:08 [9756] Scanset "ocrad" generates enough hits (5), 
skipping further scansets...
| 2009-04-24 22:30:08 [9756] Message is spam, score = 10.500
| 2009-04-24 22:30:08 [9756] Adding Hash to 
"/home/stefan/.fuzzyocr/FuzzyOcr.hashdb"
| 2009-04-24 22:30:08 [9756] Words found:
|   "cialis" in 2 lines
|   "viagra" in 3 lines
|   (7.5 word occurrences found)
`


Greets
Stefan
  
-- 
,-.
| Stefan Lütje|   "Die Zukunft wird morgen besser sein."   |
|  stefan.lue...@t-online.de  |   George W. Bush   |
`Key fingerprint = BCB2 48E4 9211 C975 5A3F  B192 9B6E CCCF 99CC 44FA-'





Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Michael Scheidell



Igor Chudov wrote:
> I get plenty of these also, and cannot get them to score well.
>
> These advertise knockoffs of bestselling Pfizer products. The text is
> meaningless garbage text. The sales message is contained in a PNG
> image, but it could be other image types like jpeg.
>
>    http://igor.chudov.com/tmp/spam008.txt
>
> Any ideas what I can do?

sanesecurity and mrbl image signatures.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
On Fri, Apr 24, 2009 at 01:31:37PM -0700, John Hardin wrote:
> On Fri, 24 Apr 2009, Igor Chudov wrote:
>
>> I get plenty of these also, and cannot get them to score well.
>>
>>   http://igor.chudov.com/tmp/spam008.txt
>>
>> Any ideas what I can do?
>
> Do you have administrative access to ak74.algebra.com? That looks like  
> it's your MX host.

Yep, it is my MX host. I have root access, it is a 5 year old Fedora 3
server. 

> If so, a MTA rule that rejects any message from the internet having a 
> HELO without a period may block a lot of that. I'm seeing an increase in 
> the number of messages with that particular flaw:
>
> 217 Mar 23
> 129 Mar 24
> 208 Mar 25
> 212 Mar 26
> 207 Mar 27
> 149 Mar 28
> 143 Mar 29
> 138 Mar 30
> 135 Mar 31
> 172 Apr 1
> 155 Apr 2
>  83 Apr 3
> 121 Apr 4
> 123 Apr 5
> 126 Apr 6
> 141 Apr 7
> 124 Apr 8
> 151 Apr 9
> 125 Apr 10
> 144 Apr 11
> 139 Apr 12
> 199 Apr 13
> 332 Apr 14
> 197 Apr 15
> 249 Apr 16
> 279 Apr 17
> 385 Apr 18
> 440 Apr 19
> 355 Apr 20
> 419 Apr 21
> 531 Apr 22
> 326 Apr 23
>
> If not, a SA rule that looks for such a HELO in the Received: header that 
> ak74.algebra.com adds might help.
>

Do you have examples of both kinds of such rules? 

I am especially interested in the mailserver side, as I have a lot of
accounts handled by that server. 

i


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:

> The sales message is contained in a PNG image, but it could be other
> image types like jpeg.


Is it time to dust off FuzzyOCR again?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread John Hardin

On Fri, 24 Apr 2009, Igor Chudov wrote:

> I get plenty of these also, and cannot get them to score well.
>
>   http://igor.chudov.com/tmp/spam008.txt
>
> Any ideas what I can do?


Do you have administrative access to ak74.algebra.com? That looks like 
it's your MX host.


If so, a MTA rule that rejects any message from the internet having a HELO 
without a period may block a lot of that. I'm seeing an increase in the 
number of messages with that particular flaw:


217 Mar 23
129 Mar 24
208 Mar 25
212 Mar 26
207 Mar 27
149 Mar 28
143 Mar 29
138 Mar 30
135 Mar 31
172 Apr 1
155 Apr 2
 83 Apr 3
121 Apr 4
123 Apr 5
126 Apr 6
141 Apr 7
124 Apr 8
151 Apr 9
125 Apr 10
144 Apr 11
139 Apr 12
199 Apr 13
332 Apr 14
197 Apr 15
249 Apr 16
279 Apr 17
385 Apr 18
440 Apr 19
355 Apr 20
419 Apr 21
531 Apr 22
326 Apr 23

If not, a SA rule that looks for such a HELO in the Received: header that 
ak74.algebra.com adds might help.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 Today: Max Planck's 151st birthday
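Added example, mine and not John's milter-regex config or anything from his
sample file: a Python model of the Received-header side of the check he
describes here and in his later reply (HELO without a period, limited to the
hop that your own MX added, with local MTA addresses excepted). The Received:
values below are constructed for the example, the MX name is taken from the
thread, and the function names and the local-network exception parameter are
my own.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the "from HELO (rdns [ip]) by host" shape that sendmail and Postfix
# write into Received: headers.  The rDNS name is optional, so both
# "(unknown [ip])" and "([ip])" parse.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample Received: values (not taken from the spam sample in the thread).
SAMPLE_RECEIVED = [
    "from ak74lkjs (unknown [203.0.113.7]) by ak74.algebra.com (8.13.1/8.13.1) "
    "with ESMTP id n3OL2BxX012345; Fri, 24 Apr 2009 14:02:11 -0700",
    "from mail.example.net (mail.example.net [198.51.100.20]) by ak74.algebra.com "
    "(8.13.1/8.13.1) with ESMTP id n3OL5eQZ012346; Fri, 24 Apr 2009 14:05:40 -0700",
    "from webapp (webapp.lan [10.0.0.5]) by ak74.algebra.com (8.13.1/8.13.1) "
    "with ESMTP id n3OL7AbC012347; Fri, 24 Apr 2009 14:07:10 -0700",
    "from zzz ([192.0.2.77]) by mx.other.example (Postfix) with ESMTP id 9F1; "
    "Fri, 24 Apr 2009 14:09:00 -0700",
]


def parse_received(value):
    """Return the helo/rdns/ip/by fields of one Received: value, or None
    if it is not in the sendmail/Postfix shape the regex expects."""
    m = RECEIVED_RE.match(value.strip())
    return m.groupdict() if m else None


def helo_lacks_period(helo):
    """The test from the thread: a HELO argument with no '.' in it is not an
    FQDN.  An address literal such as [192.0.2.9] still contains periods."""
    return "." not in helo


def flag_no_dot_helo(received_values, my_mx, local_nets=()):
    """Return the suspicious HELO strings from hops that my_mx itself
    received, skipping hops from local networks (the 'local MTA IP
    addresses' exception).  Only the hop our own MX wrote is trusted;
    earlier Received: lines are whatever the sender chose to put there."""
    nets = [ip_network(n) for n in local_nets]
    hits = []
    for value in received_values:
        hop = parse_received(value)
        if hop is None or hop["by"].lower() != my_mx.lower():
            continue
        try:
            addr = ip_address(hop["ip"])
        except ValueError:  # e.g. an "IPv6:" prefixed literal; skip rather than guess
            continue
        if any(addr in net for net in nets):
            continue
        if helo_lacks_period(hop["helo"]):
            hits.append(hop["helo"])
    return hits


if __name__ == "__main__":
    print(flag_no_dot_helo(SAMPLE_RECEIVED, "ak74.algebra.com", ["10.0.0.0/8"]))
```

Two things the code makes explicit that the one-line description leaves out:
only the Received: line added by your own MX is worth testing, because every
earlier one was written by the sender, and internal hosts that HELO with a
bare name (the "webapp" hop above) need the local-network exception or the
rule will score your own traffic.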


Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Charles Gregory

On Fri, 24 Apr 2009, Igor Chudov wrote:

> The sales message is contained in a PNG image
>   http://igor.chudov.com/tmp/spam008.txt
> Any ideas what I can do?


I've been scoring the attachment name pattern with a 'full' test.
But this will only work until they figure ways to randomize 
the attachment names


On my system I also have SMTP-callbacks, so if the envelope sender is not 
deliverable *and* has an attachment "DSL.png" (or latest, a gif 
file with no name), I score twice as heavy.


- C


Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Igor Chudov
I get plenty of these also, and cannot get them to score well. 

These advertise knockoffs of bestselling Pfizer products. The text is
meaningless garbage text. The sales message is contained in a PNG
image, but it could be other image types like jpeg. 

   http://igor.chudov.com/tmp/spam008.txt

Any ideas what I can do?

i