Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Marc Perkel



arni wrote:

Suhas Ingale schrieb:


Can someone help me write rules to catch the spam content below?

 


*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  5.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.7,ip=87.226.203.3,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*  [botnet_nordns,ip=87.226.203.3]
*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*  [URIs: otcpicks.com]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*  [Blocked - see http://www.spamcop.net/bl.shtml?87.226.203.3]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [87.226.203.3 listed in zen.spamhaus.org]
*  0.5 WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
*  [URIs: otcpicks.com]
*  1.5 UPPERCASE_75_100 message body is 75-100% uppercase


Another SREA spam easily busted with BOTNET and BAYES; I don't really see the 
need for a content rule.

arni
  


That doesn't answer his question though. He didn't ask for your opinion 
about if he needed it. If the rules were working for him he wouldn't be 
asking for help. When someone asks a question telling them they don't 
need it is generally the wrong answer and a waste of time.




Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread arni

Suhas Ingale schrieb:


Can someone help me write rules to catch the spam content below?

 


*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  5.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.7,ip=87.226.203.3,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*  [botnet_nordns,ip=87.226.203.3]
*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*  [URIs: otcpicks.com]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*  [Blocked - see http://www.spamcop.net/bl.shtml?87.226.203.3]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [87.226.203.3 listed in zen.spamhaus.org]
*  0.5 WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
*  [URIs: otcpicks.com]
*  1.5 UPPERCASE_75_100 message body is 75-100% uppercase


Another SREA spam easily busted with BOTNET and BAYES; I don't really see the 
need for a content rule.

arni



Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread arni

Marc Perkel schrieb:


That doesn't answer his question though. He didn't ask for your 
opinion about if he needed it. If the rules were working for him he 
wouldn't be asking for help. When someone asks a question telling them 
they don't need it is generally the wrong answer and a waste of time.


I was more trying to show him that installing the botnet plugin alone, 
together with a decent bayes or 1 or 2 more rules, already does the job, 
and instead of writing a new rule for each stock spam that comes out, 
this will catch almost all of it (all of it in my case).


arni


Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Marc Perkel



arni wrote:

Marc Perkel schrieb:


That doesn't answer his question though. He didn't ask for your 
opinion about if he needed it. If the rules were working for him he 
wouldn't be asking for help. When someone asks a question telling 
them they don't need it is generally the wrong answer and a waste of 
time.


I was more trying to show him that installing the botnet plugin alone, 
together with a decent bayes or 1 or 2 more rules, already does the job, 
and instead of writing a new rule for each stock spam that comes out, 
this will catch almost all of it (all of it in my case).


arni


Actually the fastest way to get rid of stock/botnet spam is with fake MX 
records.


fake 10
real 20
fake 30
fake 40
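As an added illustration (not code from the thread), here is a small Python model of the MX layout Marc describes, contrasting a standards-compliant MTA, which walks the MX list in preference order, with a sender that connects to only one MX; the hostnames and the "reachable" flags are constructed placeholders, and the single-target sender is a simplified model of the behaviour the trick relies on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    host: str
    reachable: bool  # constructed: does an SMTP listener answer on this host?


# Constructed MX layout following the thread: fake 10, real 20, fake 30, fake 40.
# Hostnames are placeholders, not anything from the page.
MX_RECORDS = [
    MX(10, "fake1.example.invalid", False),
    MX(20, "mail.example.invalid", True),
    MX(30, "fake2.example.invalid", False),
    MX(40, "fake3.example.invalid", False),
]


def compliant_delivery(records):
    """RFC 5321 style sender: try MX hosts in ascending preference until one
    accepts the connection. Returns (delivered, connection_attempts)."""
    attempts = 0
    for mx in sorted(records, key=lambda m: m.preference):
        attempts += 1
        if mx.reachable:
            return True, attempts
    return False, attempts


def single_target_delivery(records, pick_highest=False):
    """Model of a non-retrying sender that connects to exactly one MX, either
    the lowest- or the highest-preference one, and never falls back."""
    ordered = sorted(records, key=lambda m: m.preference)
    target = ordered[-1] if pick_highest else ordered[0]
    return target.reachable, 1


def compare(records):
    """Delivery outcome and connection cost per sender type for one MX layout."""
    return {
        "compliant_mta": compliant_delivery(records),
        "bot_lowest_mx": single_target_delivery(records),
        "bot_highest_mx": single_target_delivery(records, pick_highest=True),
    }


if __name__ == "__main__":
    for sender, (delivered, attempts) in compare(MX_RECORDS).items():
        print(f"{sender:15} delivered={delivered} attempts={attempts}")
```

The output makes both sides of the argument visible: the compliant MTA still gets through, but only on its second connection, which is the extra cost for ham that arni objects to in the next reply.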



Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread arni

Marc Perkel schrieb:


Actually the fastest way to get rid of stock/botnet spam is with fake 
MX records.


fake 10
real 20
fake 30
fake 40

I don't like the idea of making life harder for ham (forcing a properly 
working mailserver to make at least 2 connections), accompanied by the 
same delays as greylisting.


Why make life harder for ham if you can detect the spam easily?

arni



Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Matt

together with a decent bayes or 1 or 2 more rules already does the job and


Where do I get the botnet plugin (prefer rpm) and how do I make
Spamassassin use it?

Matt


Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread arni

Matt schrieb:
together with a decent bayes or 1 or 2 more rules already does the 
job and


Where do I get the botnet plugin (prefer rpm) and how do I make
Spamassassin use it?

Matt


http://people.ucsc.edu/~jrudd/spamassassin/

Docs are inside the archive. Botnet is really one of the most effective 
plugins I use these days (make sure you set your internal nets properly, 
otherwise it sometimes doesn't work properly, especially SOHO detection 
for me).


arni


Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Matt

http://people.ucsc.edu/~jrudd/spamassassin/

Docs are inside the archive. Botnet is really one of the most effective
plugins I use these days (make sure you set your internal nets properly,


I have Spamassassin setup to whitelist all my own IP pools.  Do I need
to do anything else?

Matt



otherwise it sometimes doesn't work properly, especially SOHO detection
for me).

arni



Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread arni

Matt schrieb:

I have Spamassassin setup to whitelist all my own IP pools.  Do I need
to do anything else?

Matt

Make sure that anything that is an MX for x@allyourdomains.com is in 
your internal_networks.


arni


Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Daniel J McDonald
On Fri, 2007-06-22 at 17:03 +0200, arni wrote:
 Marc Perkel schrieb: 
  
  That doesn't answer his question though. He didn't ask for your
  opinion about if he needed it. If the rules were working for him he
  wouldn't be asking for help. When someone asks a question telling
  them they don't need it is generally the wrong answer and a waste of
  time.
  
 I was more trying to show him that installing the botnet plugin alone,
 together with a decent bayes or 1 or 2 more rules already does the job
 and instead of writing a new rule for each stock spam that comes out,
 this will catch almost all of it (all of it in my case)

Well, bayes is very hard to implement on a mid-span spamassassin
implementation (no feedback loop for missed spam or false ham).  In my
case, I use spamassassin under amavisd-new as a front-end filter,
discard/quarantine the trash, then deliver to MS Exchange for end users
to read.

And I've been catching actual customers and vendors right-and-left with
the botnet plugin.  Too many false positives, even combining it with
p0f, for me to feel very good about it.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com