Re: EuroPharmacie

2008-06-22 Thread Sahil Tandon


On Jun 22, 2008, at 9:18, Arvid Ephraim Picciani <[EMAIL PROTECTED]> wrote:

> On Sunday 22 June 2008 15:10:09 mouss wrote:
>
>> Did anybody see ham coming out of *.retail.telecomitalia.it?
>
> we're blocking the entire network at smtp time since they ignore abuse reports
> and 20% of our spam comes from that network.
> No, I've never seen ham, but we don't have any contact to actual Italian
> companies or individuals. So as usual it depends on your environment.

We too block the entire network at SMTP -- not a modicum of ham during
the last two years.


Re: EuroPharmacie

2008-06-22 Thread Arvid Ephraim Picciani
On Sunday 22 June 2008 15:10:09 mouss wrote:

> Did anybody see ham coming out of *.retail.telecomitalia.it?

we're blocking the entire network at smtp time since they ignore abuse reports
and 20% of our spam comes from that network.
No, I've never seen ham, but we don't have any contact to actual Italian
companies or individuals. So as usual it depends on your environment.


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: EuroPharmacie

2008-06-22 Thread mouss

phil89 wrote:
> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9
>
> Regards
> Philippe
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: by mail.x.fr (Postfix, from userid 513)
>  id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
> X-Spam-Level: *
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
>  MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
>  URIBL_SBL autolearn=no version=3.x.x
> Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
> (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
>  by mail.infodev.fr (Postfix) with ESMTP
>  id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)


In addition to what has already been said, the sending host was listed 
on CBL at 13:00 that day.

http://cbl.abuseat.org/lookup.cgi?ip=79.21.166.121&.submit=Lookup

Even if it was not, you may want to block
/^host.*dynamic\..*\.retail\.telecomitalia\.it$/
in your postfix with a check_client_access and/or with a check_helo_access.

Did anybody see ham coming out of *.retail.telecomitalia.it?

[snip]
  




Re: EuroPharmacie

2008-06-20 Thread Karsten Bräckelmann
On Fri, 2008-06-20 at 23:15 +0200, Benny Pedersen wrote:
> On Fri, June 20, 2008 22:34, Evan Platt wrote:
> 
> > I guess you missed my point.. If the default of 5 was used, the message
> > would have been marked as spam. :)
> 
> and this have nothing to do with bayes was or is bad trained

Yeah, just like your recommendation to arbitrarily lower the
required_score threshold, from an arbitrary value. Or maybe I just don't
see how this is related to Bayes...

There have been more than sufficient tweaks and hints given in this
thread, to bomb that easy to catch spam into oblivion.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fri, June 20, 2008 22:34, Evan Platt wrote:

> I guess you missed my point.. If the default of 5 was used, the message
> would have been marked as spam. :)

and this have nothing to do with bayes was or is bad trained


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread Evan Platt

Benny Pedersen wrote:
> On Fredag, 20/6 2008, 20:49, Evan Platt wrote:
>
>> What's wrong with the default of 5?
>
> nothing :)
>
> if bayes was better trained

I guess you missed my point.. If the default of 5 was used, the message
would have been marked as spam. :)


Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 20:49, Evan Platt wrote:

> What's wrong with the default of 5?

nothing :)

if bayes was better trained


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread Evan Platt

Benny Pedersen wrote:
> i would set scores required to 5.8
> and begin train bayes

What's wrong with the default of 5?


Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 15:51, phil89 wrote:

> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
> URIBL_SBL autolearn=no version=3.x.x

i would set scores required to 5.8

and begin train bayes


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread John Hardin

On Fri, 20 Jun 2008, phil89 wrote:

> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9
>
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50

Train them as spam. That should get a BAYES_99 if it's very common.

Why have you changed your required from 5.0 to 6.2? All of the stock rules 
are tuned for 5.0, increasing the required score will increase your FN 
rate.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 14 days until the 232nd anniversary of the Declaration of Independence


RATWARE_MSGID (was: Re: EuroPharmacie)

2008-06-20 Thread Karsten Bräckelmann

> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr

Why is your SA version a state secret? Taking a guess -- based on the
build date, it is 3.1.8 (released exactly that day) or earlier. *shrug*

> X-Spam-Level: *
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
>  MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
>  URIBL_SBL autolearn=no version=3.x.x

As Duane and Evan already pointed out, a required_score 5.0 threshold is
the default, and would have classified this message as spam. (Dudes,
hint, he included the full headers. ;)

There's nothing wrong with being paranoid and raising this slightly if
you prefer. However, more spam sneaking through is to be expected, and
you either will have to write your own rules to counter it, or live with
more FNs. You raised that value deliberately.


> From: Les pilules ici <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
> Date: Fri, 20 Jun 2008 13:37:14 +0100
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="=_NextPart_000_0006_01C8D2DA.BFA4A100"
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Message-ID: <[EMAIL PROTECTED]>
   
This is a spam alright. :)  This line alone tells me. See bug 5830. [1]

Here's an easy rule that triggers on about 10% spam with no FPs in
nightly mass-checks [2].  (The 2 ham hits are already verified to be a
dirty corpus and being removed from the ham corpus.)

Enjoy

  guenther


# Ratware generated 8$8$8 style Message-Ids, broken Microsoft Outlook forgery.
# The first hex is some time token, but the leading 4 chars are missing.  See
# HeaderEval.pm::check_outlook_message_id().

header __KB_MSGID_OUTLOOK_888  Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
header __KB_OUTLOOK_MUA        X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/

meta KB_RATWARE_MSGID  __KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA

describe KB_RATWARE_MSGID  Ratware Message-Id
score    KB_RATWARE_MSGID  3.0


[1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5830
[2] http://ruleqa.spamassassin.org/20080620-r669824-n/KB_RATWARE_MSGID/detail

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
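
Added example, not part of the post above and not SpamAssassin code: the two header patterns of KB_RATWARE_MSGID evaluated in Python against constructed messages, to show which inputs the meta rule does and does not hit. The Message-Id values and the example.invalid domain are made up; the "twelve_8_8" sample assumes, following the rule's comment, that a non-forged id carries four more leading hex characters.

```python
import re
from email import message_from_string

# The two header sub-rules from the post; the Perl patterns are valid for Python's re as written.
MSGID_888 = re.compile(r"^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}@")
OUTLOOK_MUA = re.compile(r"^Microsoft (?:Office )?Outlook\b")

def header(msg, name):
    """Return a header value with folding whitespace collapsed ('' if absent)."""
    return " ".join(str(msg.get(name, "")).split())

def kb_ratware_msgid(raw):
    """Meta rule: both sub-rules must hit (claims Outlook AND has an 8$8$8 Message-Id)."""
    msg = message_from_string(raw)
    return bool(MSGID_888.search(header(msg, "Message-Id"))
                and OUTLOOK_MUA.search(header(msg, "X-Mailer")))

def sample(msgid, mailer):
    """Build a minimal constructed message; the Message-Id is folded onto its own line."""
    return f"Message-ID:\n {msgid}\nX-Mailer: {mailer}\nSubject: test\n\nbody\n"

OUTLOOK = "Microsoft Office Outlook, Build 11.0.6353"  # X-Mailer value quoted in the thread
# All Message-Ids below are constructed for illustration; example.invalid is a placeholder.
SAMPLES = {
    "forged_8_8_8": sample("<c8d2dabf$bfa4a100$0a01a8c0@example.invalid>", OUTLOOK),
    "twelve_8_8": sample("<000601c8d2da$bfa4a100$0a01a8c0@example.invalid>", OUTLOOK),
    "other_mua": sample("<c8d2dabf$bfa4a100$0a01a8c0@example.invalid>", "Mutt/1.5.18"),
    "uppercase_hex": sample("<C8D2DABF$BFA4A100$0A01A8C0@example.invalid>", OUTLOOK),
}

def evaluate():
    """Run the meta rule over every constructed sample."""
    return {name: kb_ratware_msgid(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14} {'HIT' if hit else 'miss'}")
```

Only the first sample hits. The uppercase case misses because the pattern as posted has no /i modifier, which is worth knowing before relying on the rule for a given ratware family.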



Re: EuroPharmacie

2008-06-20 Thread Duane Hill

On Fri, 20 Jun 2008, phil89 wrote:

> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9

Only 5.9? 5.0 is the SA default score. You must have changed that.


Re: EuroPharmacie

2008-06-20 Thread Matus UHLAR - fantomas
On 20.06.08 06:51, phil89 wrote:
> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9

upgrade your spamassassin and/or rules (sa-update). turn on network rules
you can (razor, pyzor, DCC, uribl's)

> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: by mail.x.fr (Postfix, from userid 513)
>  id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
> X-Spam-Level: *
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
>  MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
>  URIBL_SBL autolearn=no version=3.x.x

RCVD_IN_DYNABLOCK has not existed for some time. Your rules are old and
possibly not as effective as newer ones are.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: +++Spam+++: EuroPharmacie

2008-06-20 Thread McDonald, Dan
On Fri, 2008-06-20 at 06:51 -0700, phil89 wrote:
> Hi
> 
> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9

The botnet plugin probably would have given this a little boost.  I use
a botnet/p0f combination under amavisd-new that is reasonably accurate
at assigning scores.

grey-listing would have delayed it enough to have hit uribl-black


> 

> Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
> (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
>  by mail.infodev.fr (Postfix) with ESMTP
>  id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: EuroPharmacie

2008-06-20 Thread Jeff Chan
On Friday, June 20, 2008, 6:51:44 AM, phil89 phil89 wrote:

> Hi

> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9

> Regards
> Philippe

> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: by mail.x.fr (Postfix, from userid 513)
>  id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
> X-Spam-Level: *
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
> 
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
>  URIBL_SBL autolearn=no version=3.x.x
> Received: from
> host121-166-dynamic.21-79-r.retail.telecomitalia.it
> (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
>  by mail.infodev.fr (Postfix) with ESMTP
>  id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
[...]

> http://wroteprove.com


Use SURBLs.  Enable network tests:

  http://www.surbl.org/faq.html#nettest

jp.surbl.org blacklisted that domain at 14:33 CEST

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: EuroPharmacie

2008-06-20 Thread Evan Platt
5.0 is generally considered a level you can consider something Spam at. 
This scored a 5.9.


What's your Spam level set at?

phil89 wrote:
> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these
> SCORE is only 5.9
>
> Regards
> Philippe




EuroPharmacie

2008-06-20 Thread phil89

Hi

We receive some mails with EuroPharmacie
How could I avoid these
SCORE is only 5.9

Regards
Philippe

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: by mail.x.fr (Postfix, from userid 513)
 id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
X-Spam-Level: *
X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
 MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
 URIBL_SBL autolearn=no version=3.x.x
Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
(host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
 by mail.infodev.fr (Postfix) with ESMTP
 id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
Received: from [79.21.166.121] by gateway10.tnb.com; Fri, 20 Jun 2008
13:37:14 +0100
From: Les pilules ici <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
Date: Fri, 20 Jun 2008 13:37:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0006_01C8D2DA.BFA4A100"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <[EMAIL PROTECTED]>
Status:   
 
This is a multi-part message in MIME format.
 
--=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
 
Le EuroPharmacie boutique en ligne vous propose de passer a une veritable
securite, tout en achetant des medicaments. Nous obtenons nos pilules
directement chez le fabricant de l'usine afin qu'ils ne passent pas par les
mains de toute intermediaires.
 
Rendez-vous sur notre pharmacie et acheter un
 
http://wroteprove.com
 
 
 

--=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
 
http://www.w3.org/TR/REC-html=
40">
 







Le EuroPharmacie boutique en ligne vous=
 propose de passer a une veritable securite, tout en achetant des medicam=
ents. Nous obtenons nos pilules directement chez le fabricant de l'usine =
afin qu'ils ne passent pas par les mains de toute intermediaires.<=
br>
3D"http://wrote= Rendez-vous sur notre pharmacie et acheter un
http://wroteprove.com 




 
--=_NextPart_000_0006_01C8D2DA.BFA4A100--

-- 
View this message in context: 
http://www.nabble.com/EuroPharmacie-tp18030043p18030043.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.