RE: Spam from compromised web mails
> > When running site wide, how do you get ham to train bayes? I
> > can manage spam by spam reporting and such, but getting ham
> > without breaching the privacy of our users is my problem.
> >
> > raj
>

Raj, one potential option is to set up bayes autolearn thresholds with proper scores for your specific installs/setups.

perldoc Mail::SpamAssassin::Conf
http://wiki.apache.org/spamassassin/BasicConfiguration

- rh
Re: Spam from compromised web mails
On 12/16/2009 9:42 AM, Rajkumar S wrote:
> On Wed, Dec 16, 2009 at 1:07 PM, Yet Another Ninja wrote:
>> I don't do any "manual" training, ever. SA's butler, "autolearn", does it
>> for me.
>>
>> bayes_auto_learn 1
>
> In this case if a new spam comes and it does not score on any other rules,
> wouldn't this be classified as a ham? Also I need bayes to help me with
> borderline cases, like those scoring say 3 - 5 if my required_score is 6.5.
> Most of the new spam that get past score in the range of 3 - 5 in my
> system. auto learn does not help here either. I am also testing auto learn,
> just wondering how others are handling these issues.

The primary defense against zero-day spam... is, I think, to greylist. Hopefully, by the time it comes around again to retry, the honeypot projects will have blacklisted the IP address or URL in various blacklists. (Or it will be listed in Pyzor, Razor, DCC...)

In general, I don't rely on auto-learn for the marginal stuff, too big a chance that it will learn incorrectly. So I don't train if the message falls inside the -2 to +10 score range. What does fall inside that range gets manually sorted into "train as spam/ham" folders.
Re: Spam from compromised web mails
On Wed, Dec 16, 2009 at 1:07 PM, Yet Another Ninja wrote:
> I don't do any "manual" training, ever. SA's butler, "autolearn", does it
> for me.
>
> bayes_auto_learn 1

In this case if a new spam comes and it does not score on any other rules, wouldn't this be classified as a ham? Also I need bayes to help me with borderline cases, like those scoring say 3 - 5 if my required_score is 6.5. Most of the new spam that get past score in the range of 3 - 5 in my system. auto learn does not help here either. I am also testing auto learn, just wondering how others are handling these issues.

raj
Re: Spam from compromised web mails
On 12/15/2009 12:49 PM, LuKreme wrote:
> On 15-Dec-2009, at 09:12, RW wrote:
>> On Tue, 15 Dec 2009 09:44:50 -0500
>>
>> I'm exactly the opposite, hardly any of the lists I subscribe to do
>> that, and I find it annoying when it's done. Every list mail comes with
>> a List-Id header so you can filter, tag or whatever.
>>
>> I'd find it annoying to look at a list where every single message
>> starts with "[sa-user]".
>
> I actually strip that kruft out of subject headers and I HATE lists that
> waste space in the Subject line for static text.
>
> :0 hf
> * ^Subject:.*\[
> * $ ^Subject:$WS*((Re|Fwd):$WS*)*\[[^]]*\]
> | sed 's/\[[^]]*\] //'

I don't mind the tags, as long as they're short (under 8 chars). It helps me identify stuff that might've gotten misfiled. Sometimes I screw up the server-side Sieve rules, so everything ends up in my inbox for a day or two until I fix them.

I can't say off-hand what the longest and most obnoxious pre-tag that I've seen yet is. If the SA list used something like "[spamassassin-users]" as the pre-tag, I'd be annoyed. (Also, some mail clients only let you sort by subject or sender, and not arbitrary mail headers.)
Re: Spam from compromised web mails
On 12/16/2009 8:24 AM, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 9:07 PM, Yet Another Ninja wrote:
>> even using site wide, autolearning will help your detection a LOT.
>> Don't underestimate it...
>
> When running site wide, how do you get ham to train bayes? I can manage
> spam by spam reporting and such, but getting ham without breaching the
> privacy of our users is my problem.
>
> raj

I don't do any "manual" training, ever. SA's butler, "autolearn", does it for me.

bayes_auto_learn 1

h2h
Axb
Re: Spam from compromised web mails
On Tue, Dec 15, 2009 at 9:07 PM, Yet Another Ninja wrote:
> even using site wide, autolearning will help your detection a LOT.
> Don't underestimate it...

When running site wide, how do you get ham to train bayes? I can manage spam by spam reporting and such, but getting ham without breaching the privacy of our users is my problem.

raj
Re: Spam from compromised web mails
On Tue, 15 Dec 2009, LuKreme wrote:
>> As you may have noticed, I've got my procmail set to insert one (as seen
>> above). But this has the unfortunate side-effect of messing with
>> threading in some threaded mail clients and archives :(
>
> I just see "Subject: Re: Re: Spam from…" Changing the subject is not
> polite, btw.

(nod) So I make a point (up-up-up-up-up-del-del-del-del-del-del-down-down-down-down-down) :) of removing my inserted tag, so that subject remains the same as the original sent from the list. Though I often forget :(

- C
Re: Spam from compromised web mails
On 15-Dec-2009, at 09:44, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Jeff Koch wrote:
>> I have to say that it is extremely annoying that this mailing list does not
>> put a tag identifying itself in the subject line. Every other mailing list
>> of a similar technical nature that I participate in has a tag. A tag of two
>> characters would allow users to quickly identify the email as coming from
>> the SA mailing list and decide whether the email is worth opening.
>
> +1
>
> As you may have noticed, I've got my procmail set to insert one (as seen
> above). But this has the unfortunate side-effect of messing with threading in
> some threaded mail clients and archives :(

I just see "Subject: Re: Re: Spam from…" Changing the subject is not polite, btw.

--
Help me, Obi-wan Kenobi. You're my only hope.
Re: Spam from compromised web mails
On 15-Dec-2009, at 09:12, RW wrote:
> On Tue, 15 Dec 2009 09:44:50 -0500
> Jeff Koch wrote:
>
>> I have to say that it is extremely annoying that this mailing list
>> does not put a tag identifying itself in the subject line. Every
>> other mailing list of a similar technical nature that I participate
>> in has a tag.
>
> I'm exactly the opposite, hardly any of the lists I subscribe to do
> that, and I find it annoying when it's done. Every list mail comes with
> a List-Id header so you can filter, tag or whatever.
>
> I'd find it annoying to look at a list where every single message
> starts with "[sa-user]".

I actually strip that kruft out of subject headers and I HATE lists that waste space in the Subject line for static text.

# Filter the header (h) through sed (f); $WS is assumed to be a whitespace
# character class defined earlier in the .procmailrc
:0 hf
* ^Subject:.*\[
* $ ^Subject:$WS*((Re|Fwd):$WS*)*\[[^]]*\]
| sed 's/\[[^]]*\] //'

--
'I'm not a thief, madam. But if I were, I would be the kind that steals fire from the gods.'
'We've already got fire.'
'There must be an upgrade by now.' --Hogfather
Re: [sa] Re: Spam from compromised web mails
On Tue, 15 Dec 2009, Toni Mueller wrote:
>> As you may have noticed, I've got my procmail set to insert one (as seen
>> above). But this has the unfortunate side-effect of messing with
>> threading in some threaded mail clients and archives :(
>
> I don't know the abilities of Alpine, but if you use procmail anyway, why
> can't you simply sort on the List-Id header?

I don't sort. I use just one inbox. Half the time I just read mail straight through in order. But when I'm a bit short on time, that tag allows me to quickly skip over list mail and get to the important work-related mail. I imagine this same thinking applies to any number of people using a 'basic' mail client and not bothering to 'sort' mail into alternate delivery folders which they must then 'remember' to read.

- Charles
Re: Spam from compromised web mails
Hi,

On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Jeff Koch wrote:
>> I have to say that it is extremely annoying that this mailing list does
>> not put a tag identifying itself in the subject line. Every other
>> mailing list of a similar technical nature that I participate in has a
>> tag. A tag of two characters would allow users to quickly identify the
>> email as coming from the SA mailing list and decide whether the email
>> is worth opening.
>
> +1

-100

> As you may have noticed, I've got my procmail set to insert one (as seen
> above). But this has the unfortunate side-effect of messing with
> threading in some threaded mail clients and archives :(

I don't know the abilities of Alpine, but if you use procmail anyway, why can't you simply sort on the List-Id header?

:0
* ^List-Id: .users.spamassassin.apache.org
$MAILDIR/spamassassin/

Kind regards,
--Toni++
Re: [sa] Re: Spam from compromised web mails
On Tue, 15 Dec 2009, Jeff Koch wrote:
> I have to say that it is extremely annoying that this mailing list does not
> put a tag identifying itself in the subject line. Every other mailing list
> of a similar technical nature that I participate in has a tag. A tag of two
> characters would allow users to quickly identify the email as coming from
> the SA mailing list and decide whether the email is worth opening.

+1

As you may have noticed, I've got my procmail set to insert one (as seen above). But this has the unfortunate side-effect of messing with threading in some threaded mail clients and archives :(

But I would much rather the list added the tag itself. :)

- C
Re: Spam from compromised web mails
On Tue, 15 Dec 2009 09:44:50 -0500
Jeff Koch wrote:

> I have to say that it is extremely annoying that this mailing list
> does not put a tag identifying itself in the subject line. Every
> other mailing list of a similar technical nature that I participate
> in has a tag.

I'm exactly the opposite, hardly any of the lists I subscribe to do that, and I find it annoying when it's done. Every list mail comes with a List-Id header so you can filter, tag or whatever.

I'd find it annoying to look at a list where every single message starts with "[sa-user]".
Re: Spam from compromised web mails
Yet Another Ninja wrote on Tue, 15 Dec 2009 16:37:35 +0100:
> even using site wide, autolearning will help your detection a LOT.

Definitely. Been using site-wide for all my servers for years. No problems.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Spam from compromised web mails
On 12/15/2009 10:37 AM, Yet Another Ninja wrote:
> even using site wide, autolearning will help your detection a LOT.
> Don't underestimate it...

Heartily agreed. Site-wide bayes here (single database for 2000+ users) catches 40% of the spam here. It could certainly catch more, but the first 55% is caught by clamav/sanesecurity first. (This leaves only the last 5% to get scooped up by SA.)
Re: Spam from compromised web mails
On 12/15/2009 4:07 PM, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 8:29 PM, Matt Garretson wrote:
>> Do you use Bayes? Bogofilter (another bayesian filter) catches
>> those here. The one you posted scored 0.94 here and would have
>> been dropped.
>
> I am not using bayes as of now, SA is site wide and so proper training
> is a problem.

even using site wide, autolearning will help your detection a LOT.
Don't underestimate it...
Re: Spam from compromised web mails
On 15-Dec-2009, at 04:39, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 3:51 PM, Mike Cardwell wrote:
>> That particular email was sent from a host in Nigeria connecting to a host
>> in Brazil. The Nigerian host is listed on Barracuda, the SBL and the XBL.
>
> Is there a way to write a rule to tag mails which are hitting web
> mails via proxy?
>
> Received: from 189.85.80.211 (proxying for 41.220.75.17)
>   (SquirrelMail authenticated user kyho...@bigrivertel.net)
>   by webmail.bigrivertel.net with HTTP; Mon,

Sure, just check the Received headers for "proxying".

--
Lister: What d'ya think of Betty?
Cat: Betty Rubble? Well, I would go with Betty... but I'd be thinking of Wilma.
Lister: This is crazy. Why are we talking about going to bed with Wilma Flintstone?
Cat: You're right. We're nuts. This is an insane conversation.
Lister: She'll never leave Fred, and we know it.
Re: Spam from compromised web mails
On Tue, Dec 15, 2009 at 8:29 PM, Matt Garretson wrote:
> Do you use Bayes? Bogofilter (another bayesian filter) catches
> those here. The one you posted scored 0.94 here and would have
> been dropped.

I am not using bayes as of now, SA is site wide and so proper training is a problem.

raj
Re: Spam from compromised web mails
On 12/15/2009 9:31 AM, The Doctor wrote:
> On Tue, Dec 15, 2009 at 12:55:00PM +0530, Rajkumar S wrote:
>> Occasionally I receive mail from compromised web mails asking user
>> name and password from my users. The source IPs are usually clean (as
>> they are legitimate mail servers) and do not catch any ip based rules.

Do you use Bayes? Bogofilter (another bayesian filter) catches those here. The one you posted scored 0.94 here and would have been dropped.
Re: Spam from compromised web mails
On tir 15 dec 2009 15:44:50 CET, Jeff Koch wrote
> in has a tag. A tag of two characters would allow users to quickly
> identify the email as coming from the SA mailing list and decide
> whether the email is worth opening.

in the header:

List-Id:

in sieve filter:

# spamassassin
if anyof (
    header :comparator "i;ascii-casemap" :contains "List-Id" "users.spamassassin.apache.org",
    header :comparator "i;ascii-casemap" :contains "List-Id" "dev.spamassassin.apache.org"
) {
    fileinto "maillists.spamassassin";
    stop;
}

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spam from compromised web mails
I have to say that it is extremely annoying that this mailing list does not put a tag identifying itself in the subject line. Every other mailing list of a similar technical nature that I participate in has a tag. A tag of two characters would allow users to quickly identify the email as coming from the SA mailing list and decide whether the email is worth opening.

At 08:25 AM 12/15/2009, you wrote:
> On tir 15 dec 2009 08:25:00 CET, Rajkumar S wrote
>> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
>
> http://sa.hege.li/
>
> to me it looks like a gmail user trying to get more users sending their
> login and passwords than whatever it really is ?
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html

Best Regards,

Jeff Koch, Intersessions
Re: Spam from compromised web mails
On Tue, Dec 15, 2009 at 12:55:00PM +0530, Rajkumar S wrote:
> Hi,
>
> Occasionally I receive mail from compromised web mails asking user
> name and password from my users. The source IPs are usually clean (as
> they are legitimate mail servers) and do not catch any ip based rules.
> Usually one or two mail accounts are used to pump mails via web mail
> after authentication.
>
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
>
> It is interesting to note that the victim was using Barracuda anti
> spam appliance which also failed to catch this spam. Any ideas to
> tackle such spam is very much welcome.
>
> with regards,
>
> raj

Seeing the same thing here. We are trying to remove the script source but it is disguised. Just a matter of time to pin the source.

--
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.myspace.com/502748630
Merry Christmas 2009 and Happy New Year 2010
Re: Spam from compromised web mails
On tir 15 dec 2009 08:25:00 CET, Rajkumar S wrote
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399

http://sa.hege.li/

to me it looks like a gmail user trying to get more users sending their login and passwords than whatever it really is ?

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spam from compromised web mails
On Tue, Dec 15, 2009 at 3:51 PM, Mike Cardwell wrote:
> That particular email was sent from a host in Nigeria connecting to a host
> in Brazil. The Nigerian host is listed on Barracuda, the SBL and the XBL.

Is there a way to write a rule to tag mails which are hitting web mails via proxy?

Received: from 189.85.80.211 (proxying for 41.220.75.17)
  (SquirrelMail authenticated user kyho...@bigrivertel.net)
  by webmail.bigrivertel.net with HTTP; Mon,

While not conclusive, hitting web mails via a proxy and having user name and password string along with destination domain name in body of the mail is a good indication of a password phishing mail.

raj
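The two indicators discussed in this exchange (a "proxying for" hop in a webmail Received header, plus a body that asks for user name and password while naming the recipient's own domain) combined into one stand-alone check. This is an added example written for this archive page, not code posted by anyone in the thread and not a SpamAssassin rule; the sample message is constructed, with RFC 5737 documentation IPs and example.* domains in place of the real values quoted above.

```python
"""Flag webmail mail whose Received chain shows a proxied login and whose body asks for credentials."""
import email
import re
from email import policy
from email.message import EmailMessage

# Matches the SquirrelMail-style Received line quoted in the thread:
#   from A.B.C.D (proxying for W.X.Y.Z) (SquirrelMail authenticated user NAME) by HOST with HTTP
PROXY_RE = re.compile(
    r"from\s+(?P<front>\d{1,3}(?:\.\d{1,3}){3})\s+\(proxying for\s+(?P<origin>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"(?:\s+\((?:SquirrelMail )?authenticated user\s+(?P<user>[^)\s]+)\))?",
    re.IGNORECASE,
)
# Body phrases a credential-harvesting mail tends to carry.
CRED_RE = re.compile(r"\b(user\s*name|username|password)\b", re.IGNORECASE)

def proxied_webmail_hops(msg: EmailMessage) -> list:
    """One dict per Received header that shows a webmail login proxied from another IP."""
    hops = []
    for received in msg.get_all("Received", []):
        m = PROXY_RE.search(" ".join(str(received).split()))  # unfold, normalise whitespace
        if m:
            hops.append({"front": m["front"], "origin": m["origin"], "user": m["user"]})
    return hops

def asks_for_credentials(msg: EmailMessage, recipient_domain: str) -> bool:
    """True when the plain-text body mentions user name/password and names the recipient's domain."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return bool(CRED_RE.search(text)) and recipient_domain.lower() in text.lower()

def classify(raw: bytes, recipient_domain: str) -> dict:
    """Combine both indicators; as the thread says, neither alone is conclusive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = proxied_webmail_hops(msg)
    creds = asks_for_credentials(msg, recipient_domain)
    return {"proxied_hops": hops, "credential_request": creds, "suspicious": bool(hops) and creds}

# Constructed sample modelled on the header quoted in the thread; the IPs are RFC 5737
# documentation addresses and the domains are example.*, not the ones from the original mail.
SAMPLE = b"""Received: from 192.0.2.10 (proxying for 198.51.100.7)
\t(SquirrelMail authenticated user victim@webmail.example.net)
\tby webmail.example.net with HTTP; Mon, 14 Dec 2009 10:00:00 +0000
From: "IT Support" <support@example.org>
Subject: Account verification
Content-Type: text/plain; charset=us-ascii

Dear example.org user, confirm your user name and password within 24 hours
or your mailbox will be closed.
"""

if __name__ == "__main__":
    print(classify(SAMPLE, "example.org"))
```

Run against a mailbox, the returned dict can feed a local score or a quarantine decision; the "proxying for" match by itself only records a hop, which is why `suspicious` also requires the body indicator.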
Re: Spam from compromised web mails
On 15/12/2009 07:25, Rajkumar S wrote:
> Occasionally I receive mail from compromised web mails asking user
> name and password from my users. The source IPs are usually clean (as
> they are legitimate mail servers) and do not catch any ip based rules.
> Usually one or two mail accounts are used to pump mails via web mail
> after authentication.
>
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
>
> It is interesting to note that the victim was using Barracuda anti
> spam appliance which also failed to catch this spam. Any ideas to
> tackle such spam is very much welcome.

That particular email was sent from a host in Nigeria connecting to a host in Brazil. The Nigerian host is listed on Barracuda, the SBL and the XBL. The From header uses a domain name that isn't registered (swinepro.net) and a freemail Reply-To. It's also currently hitting Pyzor.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/