Re: Suggestions to block this spam

2008-02-19 Thread --[ UxBoD ]--
please post a URL to a sample message, or via pastebin so that we can run it 
through our installations and see what it hits.

What is your SA installation hitting, and what is it scoring it as?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Kathryn Allan [EMAIL PROTECTED] wrote:

 Hi all,
 
 Getting tons of this sort of email through; have been learning it as 
 spam for the last few days but so far not much luck.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Suggestions to block this spam

2008-02-19 Thread Loren Wilton

The URL to pastebin is http://pastebin.ca/910275
Apologies if this is wrong - it's my first time using pastebin.


That appears to be the message body, but we would ideally like to see the 
entire message with all of the headers.  There is a lot of data in headers 
that makes the spam easier to detect.


If you are using Outlook getting the headers can be a pain, but in most 
other mail programs there is some fairly easy way to view the entire raw 
message as text.


   Loren




Re: Suggestions to block this spam

2008-02-19 Thread Bob Proulx
Kathryn Allan wrote:
 The URL to pastebin is http://pastebin.ca/910275
 Apologies if this is wrong - it's my first time using pastebin.

Your pastebin of the message body was good.  Normally it would be
better to paste the full headers in too so that we can run the message
through the tools directly but in this case we have all been seeing a
lot of those spam messages and are very familiar with them.

Another comment about pastebin is that for temporary stuff like this
it is good to set an expiration on it.  In the long term it is junk
and so expiring it saves disk space there and on the search engines
that thread it and generally allows things to clean up afterward.
Other pastebin sites set an expiration by default but on pastebin.ca
you need to manually set one.  It is the "Expire this post in:"
pulldown setting.

To combat this spam Justin has recently posted about his sought.cf rules.

  Justin Mason recently wrote:
by the way, just to get back to this original topic -- my sought.cf
ruleset has caught these nicely for months.  It's very good for this
kind of spam: http://taint.org/2007/08/15/004348a.html

I am using them to good effect (Thanks Justin!) and your message
scored the following for me:

 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 4.0 JM_SOUGHT_1   JM_SOUGHT_1
 4.0 JM_SOUGHT_3   JM_SOUGHT_3

My Bayes engine has learned these as mostly spam but yours probably
has not.  Plus it wouldn't be enough by itself.  But the sought rules
have been doing good at handling the surge of today's spam messages
as they change rapidly.

Bob


Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hi Bob,

Thanks I will try the suggestions in the other post.
I have updated the pastebin with header - I think : )
http://pastebin.ca/910315

Thanks again
Kate


--

Kate Kleinschafer
Internet Services
GetRheel

/A division of Rheel Electronics Ltd /
Phone +64-3-386 3070 Fax +64-3-386-3071
Mobile +64-21-386-394

email: [EMAIL PROTECTED]
www.getrheel.co.nz

This e-mail together with any attachments is confidential, may be 
subject to legal privilege and may contain proprietary information, 
including information protected by copyright. If you are not the 
intended recipient, please do not copy, use or disclose this e-mail; 
please notify us immediately by return e-mail and then delete this e-mail.


Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hmm, the update changed the link I think
http://pastebin.ca/910320



Re: Suggestions to block this spam

2008-02-19 Thread Karsten Bräckelmann
On Wed, 2008-02-20 at 10:36 +1300, Kathryn Allan wrote:

 Thanks I will try the suggestions in the other post.
 I have updated the pastebin with header - I think : )
 http://pastebin.ca/910315

It is a multipart/alternative message -- in this case HTML. ;)  For
reference, please, always paste the entire, raw message. Don't
copy-n-paste what your MUA displays as body. (I was going to reply to
your previous mail, but you beat me to it.)

Also, there now are three copies. ;)  The other one you pasted just a
minute after this got an expiration time. However, it is much too short for
mailing list conversation. 4 hours is not sufficient.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

I have removed the extras and changed the expiry.
http://pastebin.ca/910360

Thanks for the help
Kate




Re: Suggestions to block this spam

2008-02-19 Thread Bob Proulx
Karsten Bräckelmann wrote:
 It is a multipart/alternative message -- in this case HTML. ;)  For
 reference, please, always paste the entire, raw message. Don't
 copy-n-paste what your MUA displays as body. (I was going to reply to
 your previous mail, but you beat me to it.)

Definitely posting the raw message in its entirety is best.  In this
particular case this spam is very common and we have all seen it many
times so it doesn't really matter.  But for other random spam being
able to pick apart the headers and encoding is an important part of
the forensic study.

Using pastebin on the spamassassin users mailing list is still
relatively new so it will probably take a while before people get used
to it.  But I think it is a really good way to do things and so I
definitely suggest sticking to it through the startup learning.

 Also, there now are three copies. ;)  The other one you pasted just a
 minute after this got an expiration time. However, it is much too short for
 mailing list conversation. 4 hours is not sufficient.

I suggest the 1 month setting for most spam related email related to
mailing list discussion.  After a month it isn't really topical
anymore.  Three months would be fine too but there wouldn't be much
point for longer.  On an IRC channel where things are happening
immediately then four hours to one day is probably sufficient with
even one week being overkill for IRC. (shrug.)  As long as it
_eventually_ expires then ultimately everything will get cleaned up
and the exact time isn't very important.  Too bad there isn't a
default expire there as on other pastebins.

Bob


Re: Suggestions to block this spam

2008-02-19 Thread Bazooka Joe
I too am getting dozens of these emails that are going right through
SA + pyzor + dcc.  sa-learn doesn't seem to make any difference.  I
just installed razor2 today to try to combat real men.

Most get through w/ a score of 2 or less.  Many of them seem to
trigger spamcop so i bumped that up to 3.5.

If you need more examples let me know

-bazooka




Re: Suggestions to block this spam

2008-02-19 Thread Karsten Bräckelmann
On Wed, 2008-02-20 at 09:13 +1300, Kathryn Allan wrote:
 Getting tons of this sort of email through; have been learning it as 
 spam for the last few days but so far not much luck.

Now that we've settled on the technical difficulties of pastebins, and
since we've all seen that one before anyway... ;)

The scores on my side for that particular spam vary greatly, with a
couple blacklists hitting occasionally. They do tend to be rather sneaky
for a default SA install. However, there are a bunch of characteristics
to match on. Just checked again on a few of them, otherwise going from
memory here.


They all got a blogspot URI, claim to be sent by the Bat, and yet are
direct MUA to MX delivered.

uri      KB_URI_BLOGSPOT  m,http://\w+\.blogspot\.com\b,
describe KB_URI_BLOGSPOT  blogspot.com throwaway URI
score    KB_URI_BLOGSPOT  1.0

header   __X_MAILER_THE_BAT  X-Mailer =~ /^The Bat! /
header   __CLIENT_TO_MX      X-Spam-Relays-Untrusted =~ /^\[ [^\[]+$/

meta     THEBAT_MUA_TO_MX  __X_MAILER_THE_BAT && __CLIENT_TO_MX
describe THEBAT_MUA_TO_MX  The Bat! does not do direct MX connections
score    THEBAT_MUA_TO_MX  1.5

Note that I did *not* test the __CLIENT_TO_MX and meta rule. The other
ones pretty much are copied from some general local rules.

Also, it probably should be rather easy to match on the empty anchor
tags with 4 chars relative names in these spams, but I would have to
mass-check that first.
  <a name=3D#tppt></a>

And of course you should keep training your Bayes on these.  HTH

  guenther



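Added example, not code from the thread and not SpamAssassin rule syntax: the header and URI checks Karsten sketches above, re-implemented in Python on top of the standard library's email parser so they can be run against a constructed message offline. The blogspot and X-Mailer regexes and the 1.0 / 1.5 scores are taken from his post. Everything else is an assumption: the "direct to MX" test approximates SA's X-Spam-Relays-Untrusted by inspecting the Received headers directly, the empty-anchor pattern and its 1.0 score are made up from his one-line hint, and mx.example.org and both sample messages are constructed.

```python
import email
import re
from email import policy

# Scores: first two as posted by Karsten; the third is assumed, since only the
# empty-anchor idea (not a rule) is in the thread.
RULE_SCORES = {"KB_URI_BLOGSPOT": 1.0, "THEBAT_MUA_TO_MX": 1.5, "EMPTY_ANCHOR_4CHAR": 1.0}

BLOGSPOT_RE = re.compile(r"http://\w+\.blogspot\.com\b")  # Karsten's uri rule
THE_BAT_RE = re.compile(r"^The Bat! ")                    # Karsten's X-Mailer rule
# Assumed shape of the empty anchor, i.e. <a name=#tppt></a> after QP decoding.
EMPTY_ANCHOR_RE = re.compile(r'<a\s+name="?#?[A-Za-z0-9]{4}"?\s*>\s*</a>', re.IGNORECASE)

# Constructed sample (not a real message): a single Received line stamped by
# our MX, The Bat! X-Mailer, multipart/alternative, a blogspot URI and a
# quoted-printable HTML part carrying an empty 4-character anchor.
SAMPLE_SPAM = """\
Received: from [203.0.113.45] (203-0-113-45.dyn.example.net [203.0.113.45])
  by mx.example.org (Postfix) with ESMTP id 1234ABCD
  for <victim@example.org>; Tue, 19 Feb 2008 10:00:00 +0000
From: "Random Sender" <sender@example.net>
To: victim@example.org
Subject: readiness
Date: Tue, 19 Feb 2008 09:59:00 +0000
X-Mailer: The Bat! (v3.99.3) Professional
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

see http://someblogname.blogspot.com/

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><a name=3D#tppt></a>Visit <a href=3D"http://someblogname.blogspot=
.com/">our site</a> now.</body></html>

--b1--
"""

# Constructed ham: also from The Bat!, but relayed through the sender's
# submission server, so a second Received hop is not stamped by our MX.
SAMPLE_HAM = """\
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
  by mx.example.org (Postfix) with ESMTP id 5678EFGH; Tue, 19 Feb 2008 11:00:00 +0000
Received: from [192.0.2.10] (workstation.example.net [192.0.2.10])
  by smtp.example.net (Postfix) with ESMTPA id 9ABC; Tue, 19 Feb 2008 10:59:00 +0000
From: "A Colleague" <colleague@example.net>
Subject: Meeting notes for Wednesday
X-Mailer: The Bat! (v3.99.3) Professional
Content-Type: text/plain; charset="us-ascii"

Notes below, see you Wednesday.
"""


def decoded_text_parts(msg):
    """Yield every text/* part with its transfer encoding (QP, base64) undone."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def direct_to_mx(msg, trusted_mx):
    """True when every Received header was stamped by our own MX.

    Approximates Karsten's X-Spam-Relays-Untrusted check (exactly one
    untrusted relay): a Received header written 'by' any other host means
    the connecting client was itself a relay, e.g. an ISP submission server.
    """
    received = msg.get_all("Received") or []
    stamped_by_us = re.compile(r"\bby\s+" + re.escape(trusted_mx) + r"\b")
    return bool(received) and all(stamped_by_us.search(r) for r in received)


def score_message(raw, trusted_mx="mx.example.org"):
    """Run the rules over one raw RFC 822 message; return (hit names, score)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = "\n".join(decoded_text_parts(msg))
    hits = []
    if BLOGSPOT_RE.search(body):
        hits.append("KB_URI_BLOGSPOT")
    if THE_BAT_RE.search(msg.get("X-Mailer", "")) and direct_to_mx(msg, trusted_mx):
        hits.append("THEBAT_MUA_TO_MX")
    if EMPTY_ANCHOR_RE.search(body):
        hits.append("EMPTY_ANCHOR_4CHAR")
    return hits, round(sum(RULE_SCORES[h] for h in hits), 1)
```

The point of decoding the parts before matching is the one Karsten makes about pasting raw messages: the anchor only looks like <a name=#tppt></a> once the quoted-printable =3D has been undone, and the blogspot URI in the HTML part is split by a soft line break, so a rule that looked at the raw bytes would miss both. The ham sample shows why the MUA-to-MX test is a meta rule and not a plain X-Mailer match: a genuine The Bat! user who submits through their ISP leaves a second Received hop, and only the combination of the two conditions scores.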


Re: Suggestions to block this spam

2008-02-19 Thread Duane Hill
On Tue, 19 Feb 2008 14:21:53 -0800
Bazooka Joe [EMAIL PROTECTED] wrote:

 I too am getting dozens of these emails that are going right through
 SA + pyzor + dcc.  sa-learn doesn't seem to make any difference.  I
 just installed razor2 today to try to combat real men.
 
 Most get through w/ a score of 2 or less.  Many of them seem to
 trigger spamcop so i bumped that up to 3.5.
 
 If you need more examples let me know

If you can mind the overhead, the ClamAV plugin with Sane Security
definitions are catching this spam. All of mine in the past few days
have been directing into a spambox via a rule in my MTA.

X-Spam-Virus: Yes (Email.Spam.Gen2588.Sanesecurity.08021808)
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01)
X-Spam-Level: xx
X-Spam-Status: Reqd:5.0 Hits:10.5 Learn:no
Tests:BAYES_50=0.001,CLAMAV=10, HTML_MESSAGE=0.5

---
  _|_
 (_| |


Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan
I just implemented Justin's ruleset and it looks as if they will now be 
caught. YAY, thanks for the tip.
Has anyone had trouble with FPs using this ruleset? The ones it's hitting 
seem to score high (4).


Thanks
Kate




RE: Suggestions to block this spam

2008-02-19 Thread Michael Hutchinson
 -Original Message-
 From: Bazooka Joe [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 20 February 2008 11:22 a.m.
 To: users@spamassassin.apache.org
 Subject: Re: Suggestions to block this spam
 
 I too am getting dozens of these emails that are going right through
 SA + pyzor + dcc.  sa-learn doesn't seem to make any difference.  I
 just installed razor2 today to try to combat real men.
 
 Most get through w/ a score of 2 or less.  Many of them seem to
 trigger spamcop so i bumped that up to 3.5.

You'll be lucky to catch them on anything other than phrase matching, as
they're very simple in design, those spam messages. Much like the
downlooadable sooftware ones we used to get. To a program, there's
not much that looks like Spam about these messages.

Whilst phrase matching works, however, it would be interesting to see
how much load it puts on SA when using a few phrases with alternately
spelt words ie : (downloadable|downloaadable|downloadablee)
(software|sooftware)

Hmm, food for thought.
Cheers,
Mike

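Added example, not code from the thread: a Python sketch of the spelling-tolerant phrase match Mike describes, generating the pattern from the plain phrase instead of listing every variant by hand. The two phrases are the ones named earlier in this thread; the sample bodies are constructed, and the max_repeat parameter is an assumption.

```python
import re


def tolerant_phrase(phrase, max_repeat=2):
    """Compile a pattern that matches `phrase` with any letter repeated up to
    max_repeat times and flexible whitespace between words, so the pattern
    built from "downloadable software" also covers "downlooadable sooftware".
    Each letter gets one bounded quantifier and nothing is nested, so the
    regex engine's backtracking is bounded: the cost grows with the size of
    the body scanned, not with the number of spellings tolerated."""
    words = [
        "".join(f"{re.escape(ch)}{{1,{max_repeat}}}" for ch in word)
        for word in phrase.split()
    ]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


def phrase_hits(body, phrases):
    """Return the canonical phrases whose tolerant pattern occurs in body."""
    return [p for p in phrases if tolerant_phrase(p).search(body)]


# Phrases mentioned in this thread; the bodies below are constructed.
PHRASES = ["downloadable software", "real men"]

if __name__ == "__main__":
    for body in ("Cheap DOWNLOOADABLE SOOFTWARE today", "please download software updates"):
        print(repr(body), "->", phrase_hits(body, PHRASES))
```

Compared with a hand-written alternation like (downloadable|downloaadable|downloadablee), the generated pattern does not need to be extended each time the spammer doubles a different letter, and because the alternation is replaced by per-letter counts the match cost stays roughly linear in the body length. The cost to watch is not this regex but the number of such rules: each one is a separate pass over the body, which is the load question Mike raises.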


RE: Suggestions to block this spam

2008-02-19 Thread Karsten Bräckelmann
On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
 You'll be lucky to catch them on anything other than phrase matching, as
 they're very simple in design, those spam messages. Much like the
 downlooadable sooftware one's we used to get. To a program, there's
 not much that looks like Spam about these messages.

This is not true. :)  I posted a meta rule that doesn't even look at the
body earlier.

Also, while URIs arguably could be considered phrase matching, I
personally don't. Cause I don't even care about the content or
advertising phrases at all, but sniper these annoying, abused domains.

The quite characteristic HTML markup and the fact that this stupid
spammer uses all lower-case, single word subjects exclusively makes them
identifiable without matching on phrases. The almost constant length of
both multipart/related MIME parts and its overall structure of 2 blobs
gives another hint. Score if all are true.

Plus, the various blacklists, identifying the sending machines as
zombies and the MX handing over IP as end-user intended.

  guenther


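Added example, not code from the thread: the structural fingerprint Karsten describes in the message above, written as a Python function rather than in SpamAssassin rule syntax so it can be exercised on constructed messages. The three conditions (all lower-case single-word Subject, exactly two MIME parts under a multipart/alternative or multipart/related container, both parts of nearly constant length) and the "score if all are true" combination are his; the byte ranges in PART_SIZE_BANDS are assumptions for the constructed samples and would have to be measured with mass-check on real spam before deployment.

```python
import re
from email.message import EmailMessage

SINGLE_LOWER_WORD = re.compile(r"^[a-z]+$")
# Assumed byte bands for the two parts; measure on real samples before use.
PART_SIZE_BANDS = ((20, 200), (40, 600))
SPAMMY_MULTIPARTS = ("multipart/alternative", "multipart/related")


def build_sample(subject, plain, html):
    """Constructed two-part message for testing (not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg


def part_sizes(msg):
    """Decoded byte sizes of the direct sub-parts (empty for non-multipart)."""
    if not msg.is_multipart():
        return []
    return [len(part.get_payload(decode=True) or b"") for part in msg.iter_parts()]


def structural_fingerprint(msg):
    """Names of the structural sub-tests that hit; no phrase matching involved."""
    hits = []
    if SINGLE_LOWER_WORD.match(str(msg.get("Subject", ""))):
        hits.append("SUBJ_SINGLE_LOWER_WORD")
    sizes = part_sizes(msg)
    if msg.get_content_type() in SPAMMY_MULTIPARTS and len(sizes) == 2:
        hits.append("TWO_PART_MULTIPART")
        if all(lo <= n <= hi for n, (lo, hi) in zip(sizes, PART_SIZE_BANDS)):
            hits.append("PART_SIZES_IN_BAND")
    return hits


def meta_fires(msg):
    """Karsten's 'score if all are true': the meta hits only when every sub-test does."""
    return len(structural_fingerprint(msg)) == 3


if __name__ == "__main__":
    sample = build_sample("readiness", "see http://someblogname.blogspot.com/",
                          "<html><body><a name=#tppt></a>Visit our site now.</body></html>")
    print(structural_fingerprint(sample), meta_fires(sample))
```

Each sub-test on its own is harmless ham behaviour (plenty of people send two-part HTML mail, and a one-word subject is not a crime), which is why the score is only attached to the conjunction. In SpamAssassin terms the three checks would be zero-scoring __ subrules combined by a meta rule, exactly as in the THEBAT_MUA_TO_MX example earlier in the thread.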