How can I catch these messages?

2004-11-20 Thread Rob Blomquist
I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.

I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

All I want to do is push the scores into the spam range. And frankly I think I 
could lower the bar, too. Are there rulesets that might help, or custom rules 
that I could write, and as a single user I don't need perfection, I just want 
something like a 95% catch ratio instead of the 60% I am currently getting.

Foobar replaces a couple of the words in the headers that I am sensitive about 
releasing to the net.

Here are the headers for brevity:

Return-Path: [EMAIL PROTECTED]
Received: from 43.bevivek.com ([192.168.1.3]) by mta010.foobar.net
  (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
  id [EMAIL PROTECTED]
  for [EMAIL PROTECTED]; Fri, 19 Nov 2004 01:59:35 -0600
Received: from 43.bevivek.com (66.63.188.43) by sc009pub.foobar.net (MailPass 
SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
1-995-125-995-132708-13-1100851174 for mta010.foobar.net; Fri, 19 Nov 2004 
01:59:36 -0600
From: Hair Care Specialist[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Medical Hair Restoration - A Permanent Solution
Date: 19 Nov 2004 02:52:49 -0500
Message-Id: [EMAIL PROTECTED]/peno
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=09845039450394qame.kjY-mkxGxhki/penoirmar
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_NATURAL,BAYES_99,
HTML_IMAGE_RATIO_04,HTML_MESSAGE autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--09845039450394qame.kjY-mkxGxhki/penoirmar
Content-Type: text/plain;
charset = ISO-8859-1
Content-Transfer-Encoding: 8bit

Next:

Return-Path: [EMAIL PROTECTED]
Received: from lamx25.havagreayday.com ([192.168.1.2])
  by mta005.foobar.net
  (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
  id 
[EMAIL PROTECTED]
  for [EMAIL PROTECTED]; Fri, 19 Nov 2004 00:27:28 -0600
Received: from lamx25.havagreayday.com (66.63.182.25) by sc011pub.foobar.net 
(MailPass SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
3-32004-215-32004-58673-27-1100845648 for mta005.foobar.net; Fri, 19 Nov 
2004 00:27:29 -0600
From: Natural Beauty[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Welcome Gifts from Yves Rocher 
Date: 19 Nov 2004 01:24:22 -0500
Message-Id: [EMAIL PROTECTED]/peno
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=09845039450394qame.kjY-mkxGxhki/penoirmar
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_99,HTML_50_60,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,HTML_WEB_BUGS,
SARE_HTML_P_JUSTIFY autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--09845039450394qame.kjY-mkxGxhki/penoirmar
Content-Type: text/plain;
charset = ISO-8859-1
Content-Transfer-Encoding: 8bit

next:

Return-Path: [EMAIL PROTECTED]
Received: from xxx.lt ([192.168.1.4]) by mta019.foobar.net
  (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
  id [EMAIL PROTECTED];
  Thu, 18 Nov 2004 17:27:42 -0600
Received: from xxx.lt (211.230.54.86) by sc010pub.foobar.net (MailPass SMTP 
server v1.1.1 - 121803235448JY) with  SMTP id 
2-9271-77-9271-60461-1-1100820446 for mta019.foobar.net; Thu, 18 Nov 2004 
17:27:43 -0600
Received: from 197.126.123.141 by smtp.leira.no;
Thu, 18 Nov 2004 23:29:34 +
Message-ID: [EMAIL PROTECTED]
From: Brooke Corbett [EMAIL PROTECTED]
To: [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED]
Subject: Order Rolex or other Swiss watches online
Date: Thu, 18 Nov 2004 19:29:03 -0400
MIME-Version: 1.0
Content-Type: text/plain;
  charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on Timmy
X-Spam-Level: 
X-Spam-Status: No, score=4.5 required=5.0 tests=BAYES_99,MSGID_DOLLARS 
autolearn=no version=3.0.1
X-UID: 
Status: RO
X-Status: RC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

next:

Return-Path: [EMAIL PROTECTED]
Received: from lamx26.havagreatday.com ([192.168.1.3])
  by mta013.foobar.net
  (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
  id 
[EMAIL PROTECTED]
  for [EMAIL PROTECTED]; Thu, 18 Nov 2004 10:58:11 -0600
Received: from lamx26.havagreatday.com (66.63.182.26) by sc009pub.foobar.net 
(MailPass SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
1-995-202-995-129387-4-1100797090 for mta013.foobar.net; Thu, 18 

Re: How can I catch these messages?

2004-11-20 Thread Jeff Chan
On Friday, November 19, 2004, 6:40:41 PM, Rob Blomquist wrote:
 I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.

 I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
 SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
 SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

 All I want to do is push the scores into the spam range. And frankly I think I
 could lower the bar, too. Are there rulesets that might help, or custom rules
 that I could write, and as a single user I don't need perfection, I just want
 something like a 95% catch ratio instead of the 60% I am currently getting.

 Foobar replaces a couple of the words in the headers that I am sensitive about
 releasing to the net.

Do any of these have URIs (web links) in their message bodies?
Are you using SURBLs?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: How can I catch these messages?

2004-11-20 Thread David B Funk
On Fri, 19 Nov 2004, Rob Blomquist wrote:

 I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.

 I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1
 SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD
 SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

 All I want to do is push the scores into the spam range. And frankly I think I
 could lower the bar, too. Are there rulesets that might help, or custom rules
 that I could write, and as a single user I don't need perfection, I just want
 something like a 95% catch ratio instead of the 60% I am currently getting.

Any reason why you aren't using net-tests? Every one of your examples
hit three or more DNSBL lists.

Here's the output from a little DNSBL checker script I have for the
sender IP from one of your example spams:

 % rss_check 211.230.54.86
 host 211.230.54.86 resolves to 127.1.0.2 from RBL-Plus
 host 211.230.54.86 resolves to 127.0.0.2 from list.dsbl.org
 host 211.230.54.86 resolves to 127.0.0.2 from unconfirmed.dsbl.org
 host 211.230.54.86 resolves to 127.0.0.2 from bl.spamcop.net
 host 211.230.54.86 resolves to 127.0.0.4 from xbl.spamhaus.org
 host 211.230.54.86 resolves to 127.0.0.3 from dynablock.njabl.org
 host 211.230.54.86 resolves to 127.0.0.10 from dnsbl.sorbs.net
 host 211.230.54.86 resolves to 127.0.0.2 from cbl.abuseat.org

I don't use all of those DNSBLs in my live spamassassin filtering,
but I do use several, so those scores alone would have been enough
to have caused that spam to hit my reject threshold.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
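
Added example, not part of the original thread and not David Funk's rss_check script: a sketch of the lookup such a checker performs, pulling the public relay address out of folded Received headers and querying it against DNSBL zones. The sample headers, the stub resolver and all function names are constructed for illustration; the two zones and their answers are taken from the output quoted above.

```python
import ipaddress
import re
import socket

ZONES = ["bl.spamcop.net", "xbl.spamhaus.org"]  # two zones from the output above
BRACKETED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Constructed sample: two folded Received headers modelled on the third spam.
SAMPLE = (
    "Received: from xxx.lt ([192.168.1.4]) by mta019.foobar.net\n"
    "  with ESMTP; Thu, 18 Nov 2004 17:27:42 -0600\n"
    "Received: from xxx.lt\n"
    "  (211.230.54.86) by sc010pub.foobar.net; Thu, 18 Nov 2004 17:27:43 -0600\n"
)
PAGE_ANSWERS = {  # constructed: two answers replayed from the rss_check output
    "86.54.230.211.bl.spamcop.net": "127.0.0.2",
    "86.54.230.211.xbl.spamhaus.org": "127.0.0.4",
}

def stub_resolve(name):
    if name not in PAGE_ANSWERS:
        raise socket.gaierror(name)  # stands in for NXDOMAIN
    return PAGE_ANSWERS[name]

def relay_ips(raw_headers):
    """Public IPv4 relay addresses from Received: headers, in header order."""
    found = []
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded lines
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            for text in BRACKETED_IP.findall(line):
                try:
                    ip = ipaddress.IPv4Address(text)
                except ValueError:
                    continue  # octet out of range, not an address
                if not ip.is_private and text not in found:  # skip RFC 1918 hops
                    found.append(text)
    return found

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone, as a DNSBL query requires."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer} for each zone that lists ip."""
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except OSError:
            continue  # no A record: not listed, or the lookup failed
        # 127.0.0.x means listed; Spamhaus answers 127.255.255.x on query errors.
        if answer.startswith("127.") and not answer.startswith("127.255.255."):
            hits[zone] = answer
    return hits
```

Calling check(ip) without the resolve argument performs live DNS queries; check(ip, resolve=stub_resolve) replays the constructed answers offline.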


Re: How can I catch these messages?

2004-11-20 Thread Chris
On Friday 19 November 2004 10:27 pm, Rob Blomquist wrote:
 On Friday 19 November 2004 7:32 pm, Chris wrote:
  On Friday 19 November 2004 08:40 pm, Rob Blomquist wrote:
   I run Kmail with SA 3.0.1, and I filter by piping incoming mail to
   spamc.
 
  X-Spam-Level: **
  X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,
 
  I have better than a 99.99% catch rate.

 I gotta love it. And I see that you guys are the pros at this. But with
 network testing, I find that it really slows down Kmail, as the filtering
 is done by it, piping the messages through spamc.

 Do you folks have any idea what sort of hit on my machine it would be
 like to filter as you guys do, with SpamCop, pyzor, razor and network
 tests?

Rob, I run the same setup you do, Kmail w/spamc.  My processing times vary 
anywhere from 3.5 up to as high as 15 seconds or a bit more.  I really 
don't mind the lag time if it's going up my catch rate.
And believe me, I'm definitely no pro at this :)

-- 
Chris
Registered Linux User 283774 http://counter.li.org
10:34pm up 16 days, 3:01, 1 user, load average: 0.44, 0.73, 0.70

The first time Microsoft makes something that doesn't suck is when they
start making vacuum cleaners.




Re: How can I catch these messages?

2004-11-20 Thread Tim B
Rob Blomquist wrote:
I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc.
I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 
SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD 
SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

All I want to do is push the scores into the spam range. And frankly I think I 
could lower the bar, too. Are there rulesets that might help, or custom rules 
that I could write, and as a single user I don't need perfection, I just want 
something like a 95% catch ratio instead of the 60% I am currently getting.

Foobar replaces a couple of the words in the headers that I am sensitive about 
releasing to the net.


Re: How can I catch these messages?

2004-11-20 Thread Bob Mortimer
On Saturday 20 Nov 2004 04:27, Rob Blomquist wrote:

  X-Spam-Level: **
  X-Spam-Status: Yes, score=53.2 required=5.0 tests=BAYES_99,DCC_CHECK,
 
  I have better than a 99.99% catch rate.

 I gotta love it. And I see that you guys are the pros at this. But with
 network testing, I find that it really slows down Kmail, as the filtering
 is done by it, piping the messages through spamc.

 Do you folks have any idea what sort of hit on my machine it would be like
 to filter as you guys do, with SpamCop, pyzor, razor and network tests?

 Maybe I have to do my own testing, but back last summer I was catching
 99.9% with basic filtering and no hit to my machine or kmail.

I'm certainly no pro but run spamassassin on my home machine - I collect all 
the mail from the ISP using fetchmail, then spam and virus check it using 
amavisd to call spamassassin (which also calls Pyzor, Razor2 and DCC) and 
clamav/fprot antivirus. Works like a charm - I just run the standard 3.01 
rules and am getting about a 99.99% catch rate.


-- 
Regards,

Bob


Re: How can I catch these messages?

2004-11-20 Thread Robert Menschel
Hello Rob,

Friday, November 19, 2004, 6:40:41 PM, you wrote:

RB I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1
RB SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD
RB SARE_SPOOF SARE_UNSUB SARE_RANDOM SARE_TOP_200 and BOGUSVIRUS as my rulesets.

Are you running SARE_HTML1 and SARE_HTML2 without SARE_HTML0?
SARE_HTML0 is the more powerful rules file in that family, of which
SARE_HTML1 is the less effective smaller brother.

RB All I want to do is push the scores into the spam range. And frankly I think I
RB could lower the bar, too. Are there rulesets that might help, or custom rules
RB that I could write, and as a single user I don't need perfection, I just want
RB something like a 95% catch ratio instead of the 60% I am currently getting.

Check into the SARE_HEADER family also, and SARE_SPECIFIC. But even
without these, 60% seems awfully low.

RB X-Spam-Status: No, score=3.1 required=5.0 tests=ALL_NATURAL,BAYES_99,
RB HTML_IMAGE_RATIO_04,HTML_MESSAGE autolearn=no version=3.0.1

If your Bayes database is well trained, bump up the score for
BAYES_99. I run with Bayes_99 = my required-hits threshold.

I also notice you don't have any of the SURBL or other Network tests
showing. If you can enable network testing I suspect you'll catch a
lot more of your spam.

Bob Menschel




Re: How can I catch these messages?

2004-11-20 Thread Duncan Hill
On Saturday 20 November 2004 04:27, Rob Blomquist wrote:

 I gotta love it. And I see that you guys are the pros at this. But with
 network testing, I find that it really slows down Kmail, as the filtering
 is done by it, piping the messages through spamc.

Fetchmail -> [spamc] -> local /var/spool/mail
Tell kmail to then fetch from /var/spool/mail
This avoids the i/o issue in KMail, and lets you do fun things like check for 
duplicate mails etc, which KMail can't do.

 Maybe I have to do my own testing, but back last summer I was catching
 99.9% with basic filtering and no hit to my machine or kmail.

Times change, pure rule based isn't always good enough these days.