Re: New stock spam (2/14/07)
* Jonathan Nichols wrote (15/02/07 05:19):
> Maciej Friedel wrote:
>> On 02/14/07 Jonathan wrote:
>>> http://www.pbp.net/~jnichols/spam2.txt
>>>
>>>  0.0 BOTNET_NORDNS          IP address has no PTR record
>>>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>>                             [score: 0.5002]
>>>  5.0 BOTNET                 The submitting mail server looks like part of a Botnet
>>
>> I think botnet is a good idea
>>
>> maciek
>
> I thought botnet was unstable.. is it working ok now?

It's not (in my experience) unstable. It's excellent. But the default score of 5 is way too high. It gets a lot of false positives, especially (again, in my experience) from small mail-order operations who don't understand DNS (Exchange users, I rather uncharitably assume). I score botnet at 2 and I'm very happy with it.

I reckon better network tests are the future of spam filtering, now that spammers are sending blocks of text from Harry Potter books along with undetectable URLs containing spaces etc.

Chris
Re: New stock spam (2/14/07)
On 14-Feb-2007, at 16:43, Jonathan Nichols wrote:
> http://www.pbp.net/~jnichols/spam2.txt

X-Spam-Status: Yes, score=12.2 required=5.0 tests=BOTNET,BOTNET_NORDNS,
        HTML_FONT_BIG,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
        SARE_LWSHORTT,SARE_PROLOSTOCK_SYM3 autolearn=spam version=3.1.7

 0.0 BOTNET_NORDNS          IP address has no PTR record
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_FONT_BIG          BODY: HTML tag for a big font size
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [211.48.218.5 listed in zen.spamhaus.org]
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet

BOTNET and Zen for the win!

-- 
You too will get old. And when you do you'll fantasize that when you were young prices were reasonable, politicians were noble, and children respected their elders.
Re: New stock spam (2/14/07)
Jonathan Nichols wrote:
> Any rulesets to deal with them? They're scoring lower and lower all the time. The one I linked to scored -2 :-(

It looks like it tripped BAYES_00. Have you been running these through sa-learn as spam? That should help, to start.

-- 
Kelson Vibber
SpeedGate Communications
www.speed.net
Re: New stock spam (2/14/07)
On 02/14/07 Jonathan wrote:
> http://www.pbp.net/~jnichols/spam2.txt
>
>  0.0 BOTNET_NORDNS          IP address has no PTR record
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5002]
>  5.0 BOTNET                 The submitting mail server looks like part of a Botnet

I think botnet is a good idea

maciek

-- 
|_|0|_| Maciej Friedel [EMAIL PROTECTED]
|_|_|0| http://wwv.pl - hosting services
|0|0|0| http://eprogram.pl - web design
RE: New stock spam (2/14/07)
> From: Maciej Friedel [mailto:[EMAIL PROTECTED]
>
> On 02/14/07 Jonathan wrote:
>> http://www.pbp.net/~jnichols/spam2.txt
>>
>>  0.0 BOTNET_NORDNS          IP address has no PTR record
>>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>                             [score: 0.5002]
>>  5.0 BOTNET                 The submitting mail server looks like part of a Botnet
>
> I think botnet is a good idea

 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8750]
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [211.48.218.5 listed in zen.spamhaus.org]

I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)

Giampaolo

> maciek
>
> -- 
> |_|0|_| Maciej Friedel [EMAIL PROTECTED]
> |_|_|0| http://wwv.pl - hosting services
> |0|0|0| http://eprogram.pl - web design
RE: New stock spam (2/14/07)
On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
> I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)

I agree, mine scored it in a similar way:

Content analysis details:   (11.5 points, 4.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [211.48.218.5 listed in zen.spamhaus.org]

Quinn - Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410
RE: New stock spam (2/14/07)
> From: Quinn Comendant [mailto:[EMAIL PROTECTED]
>
> On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
>> I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)
>
> I agree, mine scored it in a similar way:
>
> Content analysis details:   (11.5 points, 4.9 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]

Nah! You cheat! Bayes had already learned this message, right? :)

Giampaolo

>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [211.48.218.5 listed in zen.spamhaus.org]
>
> Quinn - Strangecode :: Internet Consultancy
> http://www.strangecode.com/
> +1 530 624 4410
Re: New stock spam (2/14/07)
On Feb 14, 2007, at 8:48 PM, Giampaolo Tomassoni wrote:
>> From: Quinn Comendant [mailto:[EMAIL PROTECTED]
>>
>> On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
>>> I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)
>>
>> I agree, mine scored it in a similar way:
>>
>> Content analysis details:   (11.5 points, 4.9 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>                             [score: 1.]
>
> Nah! You cheat! Bayes had already learned this message, right? :)
>
> Giampaolo

Then we both cheated: (no previous learns on this one that I'm aware of)

score=13.8 required=4.5
*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
*  2.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
*  0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
*  1.7 SARE_PROLOSTOCK_SYM3 BODY: Last week's hot stock scam
*  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  4.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [211.48.218.5 listed in zen.spamhaus.org]
RE: New stock spam (2/14/07)
On Thu, 15 Feb 2007 02:48:44 +0100, Giampaolo Tomassoni wrote:
> Nah! You cheat! Bayes had already learned this message, right? :)

;DDD Not intentionally... but we use bayes_auto_learn, so maybe it found it already.

Here's an idea for fun: run a "who scores the highest" competition. Put online 50-100 recent, common, and not-so-common spam emails, then use a shell script to loop through all the messages scoring them and add up the total score. Give the script to the list and let the games begin. Winner receives ... a can of spam. No cheating! ;P

Quinn - Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410
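Both Chris's point about rescoring BOTNET and Quinn's scoring contest come down to reading a SpamAssassin report and totalling the rules that hit. The following is an added example, not from this thread or from SpamAssassin itself: it parses a "Content analysis details" report, applies local.cf-style `score` overrides, and returns the total and the spam verdict. The report and the local.cf fragment are constructed (the rule names and scores are the ones posted in the thread), and the parser assumes a Bayes-plus-network install when a score line carries four values.

```python
import re
from decimal import Decimal

# Constructed sample in the "Content analysis details" layout seen in this
# thread; rule names and scores are the ones Jonathan posted.
SAMPLE_REPORT = """\
Content analysis details:   (6.1 points, 5.0 required)
 pts rule name              description
 0.0 BOTNET_NORDNS          IP address has no PTR record
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5002]
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet
"""
# Hypothetical local.cf fragment ("score RULE value" syntax); BOTNET 2.0 is
# the value Chris says he runs with instead of the default 5.0.
LOCAL_CF = "# tame BOTNET false positives\nscore BOTNET 2.0\n"

HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")
REQ_RE = re.compile(r"\(([-\d.]+) points, ([\d.]+) required\)")
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+)$")

def parse_report(text):
    """Return (required, {rule: score}); continuation lines such as
    "[score: 0.5002]" have no score column and are skipped."""
    required = Decimal(REQ_RE.search(text).group(2))
    hits = {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits[m.group(2)] = Decimal(m.group(1))
    return required, hits

def parse_local_cf(text):
    """Return {rule: score} overrides. A score line carries one value or four
    (no-net/no-bayes, net, bayes, bayes+net); assume bayes+net: the last."""
    overrides = {}
    for line in text.splitlines():
        m = SCORE_RE.match(line.split("#", 1)[0])
        if m:
            overrides[m.group(1)] = Decimal(m.group(2).split()[-1])
    return overrides

def verdict(report, local_cf=""):
    """Total after local overrides, and whether it reaches the threshold."""
    required, hits = parse_report(report)
    overrides = parse_local_cf(local_cf)
    total = sum((overrides.get(r, s) for r, s in hits.items()), Decimal(0))
    return total, total >= required
```

With the defaults the sample is spam on the strength of BOTNET alone (6.1 of 5.0); with BOTNET at 2.0 it drops to 3.1, which is the false-positive trade-off Chris describes. Looping `verdict` over a directory of saved reports gives the corpus total Quinn's contest would compare.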
Re: New stock spam (2/14/07)
Here is one I've been getting.. I use an older version of spambot, SARE, and Network tests.. to no avail..

http://www.pastebin.ca/356543

----- Original Message -----
From: Brian Wilson [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, February 14, 2007 9:37 PM
Subject: [SPAM] Re: New stock spam (2/14/07)

> On Feb 14, 2007, at 8:48 PM, Giampaolo Tomassoni wrote:
>>> From: Quinn Comendant [mailto:[EMAIL PROTECTED]
>>>
>>> On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
>>>> I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)
>>>
>>> I agree, mine scored it in a similar way:
>>>
>>> Content analysis details:   (11.5 points, 4.9 required)
>>>
>>>  pts rule name              description
>>> ---- ---------------------- --------------------------------------------------
>>>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>>>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>>>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>>>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>>                             [score: 1.]
>>
>> Nah! You cheat! Bayes had already learned this message, right? :)
>>
>> Giampaolo
>
> Then we both cheated: (no previous learns on this one that I'm aware of)
>
> score=13.8 required=4.5
> *  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
> *  2.0 BOTNET Relay might be a spambot or virusbot
> *      [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
> *  0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
> *  1.7 SARE_PROLOSTOCK_SYM3 BODY: Last week's hot stock scam
> *  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
> *  0.0 HTML_MESSAGE BODY: HTML included in message
> *  4.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> *      [score: 1.]
> *  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> *      [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
> *  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> *      [211.48.218.5 listed in zen.spamhaus.org]
Re: New stock spam (2/14/07)
Scored very highly for me

Content analysis details:   (19.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9990]
 4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?211.48.218.5]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [211.48.218.5 listed in zen.spamhaus.org]
Re: New stock spam (2/14/07)
Maciej Friedel wrote:
> On 02/14/07 Jonathan wrote:
>> http://www.pbp.net/~jnichols/spam2.txt
>>
>>  0.0 BOTNET_NORDNS          IP address has no PTR record
>>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>                             [score: 0.5002]
>>  5.0 BOTNET                 The submitting mail server looks like part of a Botnet
>
> I think botnet is a good idea
>
> maciek

I thought botnet was unstable.. is it working ok now?

And I see others got hits on the Spamcop list. I score that with 5 points - but sadly, that spam didn't hit spamcop for me.

Yes, I'm feeding all of them through Bayes. But we're still just getting hammered with these. :-(
Re: New stock spam (2/14/07)
At 03:43 PM 2/14/2007, Jonathan Nichols wrote:
> Ugh!
>
> http://www.pbp.net/~jnichols/spam2.txt
>
> I've been getting absolutely hammered with these spams. I had over 50 in my inbox this morning. Any rulesets to deal with them? They're scoring lower and lower all the time. The one I linked to scored -2 :-(

I too am getting hammered with them. I'm adding some of the common phrases to my /etc/postfix/body_checks, but most fall through scoring low.

X-Spam-Status: No, score=3.3 required=5.0 tests=BAYES_50,HTML_50_60,
        HTML_MESSAGE,RAZOR2_CHECK,STRONG_BUY autolearn=no version=3.1.7

X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_50,HTML_50_60,
        HTML_MESSAGE,TVD_FUZZY_SYMBOL autolearn=no version=3.1.7

Please tell me I'm missing something obvious. Yes, I am learning all of them.
Re: New stock spam (2/14/07)
On Wed, 14 Feb 2007 22:41:45 -0500, Billy Huddleston wrote:
> Here is one I've been getting.. I use an older version of spambot, SARE, and Network tests.. to no avail..
>
> http://www.pastebin.ca/356543

I get...

Content analysis details:   (13.4 points, 4.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 2.7 STRONG_BUY             BODY: Tells you about a strong buy
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 96]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 96]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check

Quinn - Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410