Re: FW: Suggestions to block this spam
Bazooka Joe wrote:
> Do you think anyone has notified blogspot.com that their site is being
> abused by spammers?

I have submitted urls 4 or 5 times to them. I've never heard back but the
sites did vanish pretty quickly. You can do it here:
http://help.blogger.com/?page=troubleshooter.cs&problem=&ItemType=spam&contact_type=Spam&Submit=Continue

Regards,
Rick
Re: FW: Suggestions to block this spam
Do you think anyone has notified blogspot.com that their site is being
abused by spammers?

On Feb 19, 2008 7:27 PM, Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
> On Wed, 2008-02-20 at 16:08 +1300, Michael Hutchinson wrote:
> > From: Karsten Bräckelmann [mailto:[EMAIL PROTECTED]
> > > On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> > > > You'll be lucky to catch them on anything other than phrase matching, as
> > > > they're very simple in design, those spam messages. Much like the
> > > > "downlooadable sooftware" ones we used to get. To a program, there's
> > > > not much that looks like Spam about these messages.
> > >
> > > This is not true. :) I posted a meta rule that doesn't even look at the
> > > body earlier.
> [...]
> > Ah yes, I saw that one earlier on. I hadn't employed it as my phrases
> > are working well, but I do intend to tweak a meta based on the one you
> > posted, once I've had time to fully test the CLIENT_TO_MX part :)
>
> That much should be easy. ;) The internal meta header holds all relays,
> in this case the untrusted ones. Each relay's data inside square
> brackets. The simple rule just enforces there be exactly one opening
> square bracket, and thus exactly one external relay. (Note that you
> definitely need to have your trusted network set up correctly.)
>
> And the disclaimer, in the wise words of Donald E. Knuth: Beware of
> bugs in the above program. I proved it correct, I did not try it.
>
> guenther
>
> --
> char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: FW: Suggestions to block this spam
On Wed, 2008-02-20 at 16:08 +1300, Michael Hutchinson wrote:
> From: Karsten Bräckelmann [mailto:[EMAIL PROTECTED]
> > On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> > > You'll be lucky to catch them on anything other than phrase matching, as
> > > they're very simple in design, those spam messages. Much like the
> > > "downlooadable sooftware" ones we used to get. To a program, there's
> > > not much that looks like Spam about these messages.
> >
> > This is not true. :) I posted a meta rule that doesn't even look at the
> > body earlier.
[...]
> Ah yes, I saw that one earlier on. I hadn't employed it as my phrases
> are working well, but I do intend to tweak a meta based on the one you
> posted, once I've had time to fully test the CLIENT_TO_MX part :)

That much should be easy. ;) The internal meta header holds all relays,
in this case the untrusted ones. Each relay's data inside square
brackets. The simple rule just enforces there be exactly one opening
square bracket, and thus exactly one external relay. (Note that you
definitely need to have your trusted network set up correctly.)

And the disclaimer, in the wise words of Donald E. Knuth: Beware of
bugs in the above program. I proved it correct, I did not try it.

guenther
FW: Suggestions to block this spam
> -----Original Message-----
> From: Karsten Bräckelmann [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 20 February 2008 3:33 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: Suggestions to block this spam
>
> On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> > You'll be lucky to catch them on anything other than phrase matching, as
> > they're very simple in design, those spam messages. Much like the
> > "downlooadable sooftware" ones we used to get. To a program, there's
> > not much that looks like Spam about these messages.
>
> This is not true. :) I posted a meta rule that doesn't even look at the
> body earlier.
>
> Also, while URIs arguably could be considered "phrase matching", I
> personally don't. Cause I don't even care about the content or
> advertising phrases at all, but sniper these annoying, abused domains.
>
> The quite characteristic HTML markup and the fact that this stupid
> spammer uses all lower-case, single word subjects exclusively makes them
> identifiable without matching on phrases. The almost constant length of
> both multipart/related MIME parts and its overall structure of 2 blobs
> gives another hint. Score if all are true.
>
> Plus, the various blacklists, identifying the sending machines as
> zombies and the MX handing over IP as end-user intended.

Ah yes, I saw that one earlier on. I hadn't employed it as my phrases
are working well, but I do intend to tweak a meta based on the one you
posted, once I've had time to fully test the CLIENT_TO_MX part :)

Cheers,
Michael Hutchinson
RE: Suggestions to block this spam
On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> You'll be lucky to catch them on anything other than phrase matching, as
> they're very simple in design, those spam messages. Much like the
> "downlooadable sooftware" ones we used to get. To a program, there's
> not much that looks like Spam about these messages.

This is not true. :) I posted a meta rule that doesn't even look at the
body earlier.

Also, while URIs arguably could be considered "phrase matching", I
personally don't. Cause I don't even care about the content or
advertising phrases at all, but sniper these annoying, abused domains.

The quite characteristic HTML markup and the fact that this stupid
spammer uses all lower-case, single word subjects exclusively makes them
identifiable without matching on phrases. The almost constant length of
both multipart/related MIME parts and its overall structure of 2 blobs
gives another hint. Score if all are true.

Plus, the various blacklists, identifying the sending machines as
zombies and the MX handing over IP as end-user intended.

guenther
RE: Suggestions to block this spam
> -----Original Message-----
> From: Bazooka Joe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 20 February 2008 11:22 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Suggestions to block this spam
>
> I too am getting dozens of these emails that are going right through
> SA + pyzor + dcc. sa-learn doesn't seem to make any difference. I
> just installed razor2 today to try to combat real men.
>
> Most get through w/ a score of 2 or less. Many of them seem to
> trigger spamcop so i bumped that up to 3.5.

You'll be lucky to catch them on anything other than phrase matching, as
they're very simple in design, those spam messages. Much like the
"downlooadable sooftware" ones we used to get. To a program, there's
not much that looks like Spam about these messages.

Whilst phrase matching works, however, it would be interesting to see
how much load it puts on SA when using a few phrases with alternately
spelt words, i.e.:

  (downloadable|downloaadable|downloadablee) (software|sooftware)

Hmm, food for thought.

Cheers,
Mike
Re: Suggestions to block this spam
I just implemented Justin's ruleset and it looks as if they will now be
caught. YAY, thanks for the tip. Has anyone had trouble with fp's using
this ruleset? The ones it's hitting seem to score high (4).

Thanks
Kate

Bob Proulx wrote:
> Kathryn Allan wrote:
> > The url to pastebin is http://pastebin.ca/910275
> > apologies if this is wrong - it's my first time using pastebin.
>
> Your pastebin of the message body was good. Normally it would be better
> to paste the full headers in too so that we can run the message through
> the tools directly but in this case we have all been seeing a lot of
> those spam messages and are very familiar with them.
>
> Another comment about pastebin is that for temporary stuff like this it
> is good to set an expiration on it. In the long term it is junk and so
> expiring it saves disk space there and on the search engines that
> thread it and generally allows things to clean up afterward. Other
> pastebin sites set an expiration by default but on pastebin.ca you need
> to manually set one. It is the "Expire this post in:" pulldown setting.
>
> To combat this spam Justin has recently posted about his sought.cf
> rules.
>
> Justin Mason recently wrote:
> > by the way, just to get back to this original topic -- my "sought.cf"
> > ruleset has caught these nicely for months. It's very good for this
> > kind of spam:
> > http://taint.org/2007/08/15/004348a.html
>
> I am using them to good effect (Thanks Justin!) and your message scored
> the following for me:
>
>  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.]
>  4.0 JM_SOUGHT_1 JM_SOUGHT_1
>  4.0 JM_SOUGHT_3 JM_SOUGHT_3
>
> My Bayes engine has learned these as mostly spam but yours probably has
> not. Plus it wouldn't be enough by itself. But the sought rules have
> been doing good at handling the surge of "today's spam" messages as they
> change rapidly.
>
> Bob
Re: Suggestions to block this spam
On Tue, 19 Feb 2008 14:21:53 -0800 "Bazooka Joe" <[EMAIL PROTECTED]> wrote:
> I too am getting dozens of these emails that are going right through
> SA + pyzor + dcc. sa-learn doesn't seem to make any difference. I
> just installed razor2 today to try to combat real men.
>
> Most get through w/ a score of 2 or less. Many of them seem to
> trigger spamcop so i bumped that up to 3.5.
>
> If you need more examples let me know

If you can mind the overhead, the ClamAV plugin with Sane Security
definitions is catching this spam. All of mine in the past few days have
been directed into a spambox via a rule in my MTA.

X-Spam-Virus: Yes (Email.Spam.Gen2588.Sanesecurity.08021808)
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01)
X-Spam-Level: xx
X-Spam-Status: Reqd:5.0 Hits:10.5 Learn:no Tests:BAYES_50=0.001,CLAMAV=10,
	HTML_MESSAGE=0.5

--- _|_ (_| |
Re: Suggestions to block this spam
On Wed, 2008-02-20 at 09:13 +1300, Kathryn Allan wrote:
> Getting tons of this sort of email through, have been learning it as
> spam for the last few days but so far not much luck.

Now that we've settled on the technical difficulties of pastebins, and
since we've all seen that one before anyway... ;)

The scores on my side for that particular spam vary greatly, with a
couple blacklists hitting occasionally. They do tend to be rather sneaky
for a default SA install.

However, there are a bunch of characteristics to match on. Just checked
again on a few of them, otherwise going from memory here. They all got a
blogspot URI, claim to be sent by the Bat, and yet are direct MUA to MX
delivered.

  uri      KB_URI_BLOGSPOT  m,http://\w+\.blogspot\.com\b,
  describe KB_URI_BLOGSPOT  blogspot.com throwaway URI
  score    KB_URI_BLOGSPOT  1.0

  header   __X_MAILER_THE_BAT  X-Mailer =~ /^The Bat! /
  header   __CLIENT_TO_MX      X-Spam-Relays-Untrusted =~ /^\[ [^\[]+$/
  meta     THEBAT_MUA_TO_MX    __X_MAILER_THE_BAT && __CLIENT_TO_MX
  describe THEBAT_MUA_TO_MX    The Bat! does not do direct MX connections
  score    THEBAT_MUA_TO_MX    1.5

Note that I did *not* test the __CLIENT_TO_MX and meta rule. The other
ones pretty much are copied from some general local rules.

Also, it probably should be rather easy to match on the empty anchor
tags with 4 chars relative names in these spams, but I would have to
mass-check that first.

And of course you should keep training your Bayes on these.

HTH

guenther
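As an added example (not code from the thread or from SpamAssassin), the rules above and guenther's later explanation of X-Spam-Relays-Untrusted, re-implemented in Python over two constructed messages: one delivered by the MUA straight to the MX, one relayed through an ISP smarthost first. The header values, the two message samples and the scoring harness are assumptions; the uri rule is approximated by scanning the text parts instead of using SA's extracted URI list.

```python
import email
import re
from email import policy

# Scores taken from the rules posted above ("__" sub-rules carry none).
SCORES = {"KB_URI_BLOGSPOT": 1.0, "THEBAT_MUA_TO_MX": 1.5}

# Constructed sample (not a real message from the thread). The relay header
# mimics SpamAssassin's layout: one "[ ... ]" group per untrusted relay.
# Exactly one group means the client handed the mail to our MX directly.
DIRECT_TO_MX = """\
X-Spam-Relays-Untrusted: [ ip=192.0.2.10 rdns= helo=pc by=mx.example.net intl=0 id=1 auth= msa=0 ]
X-Mailer: The Bat! (v4.0) Professional
Subject: aloha
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<html><body>Real men! <a href="http://abcd1234.blogspot.com/">THIS</a></body></html>
--B
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=
--B--
"""

# Same MUA, but the mail went through the sender's ISP smarthost first, so
# two bracketed relays appear (assuming trusted_networks is set correctly,
# as guenther notes; otherwise our own hops would show up here too).
VIA_SMARTHOST = """\
X-Spam-Relays-Untrusted: [ ip=198.51.100.5 rdns=smtp.isp.example helo=smtp.isp.example by=mx.example.net intl=0 id=2 auth= msa=0 ] [ ip=192.0.2.10 rdns= helo=pc by=smtp.isp.example intl=0 id=3 auth= msa=0 ]
X-Mailer: The Bat! (v4.0) Professional
Subject: Meeting notes
Content-Type: text/plain

See you Thursday at the usual place.
"""


def _header(msg, name):
    return str(msg.get(name, ""))


def x_mailer_the_bat(msg):
    # header __X_MAILER_THE_BAT  X-Mailer =~ /^The Bat! /
    return _header(msg, "X-Mailer").startswith("The Bat! ")


def client_to_mx(msg):
    # header __CLIENT_TO_MX  X-Spam-Relays-Untrusted =~ /^\[ [^\[]+$/
    # One opening bracket from start to end of the value: one relay only.
    relays = _header(msg, "X-Spam-Relays-Untrusted")
    return re.search(r"^\[ [^\[]+$", relays) is not None


def uri_blogspot(msg):
    # uri KB_URI_BLOGSPOT  m,http://\w+\.blogspot\.com\b,
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if re.search(r"http://\w+\.blogspot\.com\b", part.get_content()):
                return True
    return False


def score(raw):
    """Return (total score, list of rule names that hit) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if uri_blogspot(msg):
        hits.append("KB_URI_BLOGSPOT")
    # meta THEBAT_MUA_TO_MX  __X_MAILER_THE_BAT && __CLIENT_TO_MX
    if x_mailer_the_bat(msg) and client_to_mx(msg):
        hits.append("THEBAT_MUA_TO_MX")
    return sum(SCORES[h] for h in hits), hits


if __name__ == "__main__":
    print("direct-to-MX :", score(DIRECT_TO_MX))
    print("via smarthost:", score(VIA_SMARTHOST))
```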
Re: Suggestions to block this spam
Karsten Bräckelmann wrote:
> It is a multipart/alternative message -- in this case HTML. ;) For
> reference, please, always paste the entire, raw message. Don't
> copy-n-paste what your MUA displays as body. (I was going to reply to
> your previous mail, but you beat me to it.)

Definitely posting the raw message in its entirety is best. In this
particular case this spam is very common and we have all seen it many
times so it doesn't really matter. But for other random spam being able
to pick apart the headers and encoding is an important part of the
forensic study.

Using pastebin on the spamassassin users mailing list is still
relatively new so it will probably take a while before people get used
to it. But I think it is a really good way to do things and so I
definitely suggest sticking to it through the startup learning.

> Also, there now are three copies. ;) The other one you pasted just a
> minute after this got an expiration time. However, it's much too short for
> mailing list conversation. 4 hours is not sufficient.

I suggest the "1 month" setting for most spam related email related to
mailing list discussion. After a month it isn't really topical anymore.
Three months would be fine too but there wouldn't be much point for
longer. On an IRC channel where things are happening immediately then
four hours to one day is probably sufficient with even one week being
overkill for IRC. (shrug.) As long as it _eventually_ expires then
ultimately everything will get cleaned up and the exact time isn't very
important. Too bad there isn't a default expire there as on other
pastebins.

Bob
Re: Suggestions to block this spam
I too am getting dozens of these emails that are going right through
SA + pyzor + dcc. sa-learn doesn't seem to make any difference. I
just installed razor2 today to try to combat real men.

Most get through w/ a score of 2 or less. Many of them seem to
trigger spamcop so i bumped that up to 3.5.

If you need more examples let me know

-bazooka

On Feb 19, 2008 2:04 PM, Kathryn Allan <[EMAIL PROTECTED]> wrote:
> I have removed the extras and changed the expiry.
> http://pastebin.ca/910360
>
> Thanks for the help
> Kate
>
> Karsten Bräckelmann wrote:
> > On Wed, 2008-02-20 at 10:36 +1300, Kathryn Allan wrote:
> > > Thanks I will try the suggestions in the other post.
> > > I have updated the pastebin with header - i think : )
> > > http://pastebin.ca/910315
> >
> > It is a multipart/alternative message -- in this case HTML. ;) For
> > reference, please, always paste the entire, raw message. Don't
> > copy-n-paste what your MUA displays as body. (I was going to reply to
> > your previous mail, but you beat me to it.)
> >
> > Also, there now are three copies. ;) The other one you pasted just a
> > minute after this got an expiration time. However, it's much too short for
> > mailing list conversation. 4 hours is not sufficient.
> >
> > guenther
>
> --
> Kate Kleinschafer
> Internet Services
> GetRheel
> /A division of Rheel Electronics Ltd /
> Phone +64-3-386 3070 Fax +64-3-386-3071
> Mobile +64-21-386-394
> email: [EMAIL PROTECTED]
> www.getrheel.co.nz
>
> This e-mail together with any attachments is confidential, may be
> subject to legal privilege and may contain proprietary information,
> including information protected by copyright. If you are not the
> intended recipient, please do not copy, use or disclose this e-mail;
> please notify us immediately by return e-mail and then delete this e-mail.
Re: Suggestions to block this spam
I have removed the extras and changed the expiry.
http://pastebin.ca/910360

Thanks for the help
Kate

Karsten Bräckelmann wrote:
> On Wed, 2008-02-20 at 10:36 +1300, Kathryn Allan wrote:
> > Thanks I will try the suggestions in the other post.
> > I have updated the pastebin with header - i think : )
> > http://pastebin.ca/910315
>
> It is a multipart/alternative message -- in this case HTML. ;) For
> reference, please, always paste the entire, raw message. Don't
> copy-n-paste what your MUA displays as body. (I was going to reply to
> your previous mail, but you beat me to it.)
>
> Also, there now are three copies. ;) The other one you pasted just a
> minute after this got an expiration time. However, it's much too short for
> mailing list conversation. 4 hours is not sufficient.
>
> guenther
Re: Suggestions to block this spam
On Wed, 2008-02-20 at 10:36 +1300, Kathryn Allan wrote:
> Thanks I will try the suggestions in the other post.
> I have updated the pastebin with header - i think : )
> http://pastebin.ca/910315

It is a multipart/alternative message -- in this case HTML. ;) For
reference, please, always paste the entire, raw message. Don't
copy-n-paste what your MUA displays as body. (I was going to reply to
your previous mail, but you beat me to it.)

Also, there now are three copies. ;) The other one you pasted just a
minute after this got an expiration time. However, it's much too short for
mailing list conversation. 4 hours is not sufficient.

guenther
Re: Suggestions to block this spam
Hmm the update changed the link i think
http://pastebin.ca/910320

Bob Proulx wrote:
> Kathryn Allan wrote:
> > The url to pastebin is http://pastebin.ca/910275
> > apologies if this is wrong - it's my first time using pastebin.
>
> Your pastebin of the message body was good. Normally it would be better
> to paste the full headers in too so that we can run the message through
> the tools directly but in this case we have all been seeing a lot of
> those spam messages and are very familiar with them.
>
> [...]
>
> Bob
Re: Suggestions to block this spam
Hi Bob,

Thanks I will try the suggestions in the other post.
I have updated the pastebin with header - i think : )
http://pastebin.ca/910315

Thanks again
Kate

Bob Proulx wrote:
> Kathryn Allan wrote:
> > The url to pastebin is http://pastebin.ca/910275
> > apologies if this is wrong - it's my first time using pastebin.
>
> Your pastebin of the message body was good. Normally it would be better
> to paste the full headers in too so that we can run the message through
> the tools directly but in this case we have all been seeing a lot of
> those spam messages and are very familiar with them.
>
> [...]
>
> Bob
Re: Suggestions to block this spam
Kathryn Allan wrote:
> The url to pastebin is http://pastebin.ca/910275
> apologies if this is wrong - it's my first time using pastebin.

Your pastebin of the message body was good. Normally it would be better
to paste the full headers in too so that we can run the message through
the tools directly but in this case we have all been seeing a lot of
those spam messages and are very familiar with them.

Another comment about pastebin is that for temporary stuff like this it
is good to set an expiration on it. In the long term it is junk and so
expiring it saves disk space there and on the search engines that thread
it and generally allows things to clean up afterward. Other pastebin
sites set an expiration by default but on pastebin.ca you need to
manually set one. It is the "Expire this post in:" pulldown setting.

To combat this spam Justin has recently posted about his sought.cf
rules.

Justin Mason recently wrote:
> by the way, just to get back to this original topic -- my "sought.cf"
> ruleset has caught these nicely for months. It's very good for this
> kind of spam:
> http://taint.org/2007/08/15/004348a.html

I am using them to good effect (Thanks Justin!) and your message scored
the following for me:

 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.]
 4.0 JM_SOUGHT_1 JM_SOUGHT_1
 4.0 JM_SOUGHT_3 JM_SOUGHT_3

My Bayes engine has learned these as mostly spam but yours probably has
not. Plus it wouldn't be enough by itself. But the sought rules have
been doing good at handling the surge of "today's spam" messages as they
change rapidly.

Bob
Re: Suggestions to block this spam
> The url to pastebin is http://pastebin.ca/910275
> apologies if this is wrong - it's my first time using pastebin.

That appears to be the message body, but we would ideally like to see
the entire message with all of the headers. There is a lot of data in
headers that makes the spam easier to detect.

If you are using Outlook getting the headers can be a pain, but in most
other mail programs there is some fairly easy way to view the entire raw
message as text.

Loren
Re: Suggestions to block this spam
Hi,

The url to pastebin is http://pastebin.ca/910275
apologies if this is wrong - it's my first time using pastebin.

Thanks
Kate

--[ UxBoD ]-- wrote:
> please post a URL to a sample message, or via pastebin so that we can
> run it through our installations and see what it hits. what is your SA
> installation hitting and scoring it as ?
>
> Regards,
Re: Suggestions to block this spam
please post a URL to a sample message, or via pastebin so that we can
run it through our installations and see what it hits. what is your SA
installation hitting and scoring it as ?

Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- "Kathryn Allan" <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Getting tons of this sort of email through, have been learning it as
> spam for the last few days but so far not much luck.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Suggestions to block this spam
Hi all,

Getting tons of this sort of email through, have been learning it as
spam for the last few days but so far not much luck.

-->start of message 2 examples

Aloha,
*** Real men!*
Milliions of people acrosss the world have already tested THIS

Goedendag,
*** Real men!*
* *MMillions of people acrross the world have already tested THIS

thanks
kate