Re: low scoring spam
On Friday 14 July 2017 at 15:29:38, Charles Amstutz wrote:

> Hello,
>
> I keep having spam come through that hits on almost zero rules (or very
> few). I get this is definitely possible, but it's annoying as it's
> obviously spam. I guess my question is, if what we have in place isn't
> hitting on much, then aside from learning it to Bayes, what do we do?

I don't think we can really answer that until we know "what you have in place".

We either need to see some examples of spam (DON'T paste here - put on pastebin or similar and then provide a link) with all the headers so we can see what scores you're getting, or we at least need to know what configuration you have so we might be able to suggest anything that seems missing.

You help us and we might be able to help you :)

The more information you give us, the better we understand what the question is.

Antony.

--
Most people are aware that the Universe is big.
 - Paul Davies, Professor of Theoretical Physics

Please reply to the list; please *don't* CC me.
low scoring spam
Hello,

I keep having spam come through that hits on almost zero rules (or very few). I get this is definitely possible, but it's annoying as it's obviously spam. I guess my question is, if what we have in place isn't hitting on much, then aside from learning it to Bayes, what do we do?

Even that isn't enough it seems as it learns it to Bayes_50 and not Bayes_99. Even Bayes_99 is not enough to catch it as spam typically if it doesn't trip anything else (as it is only 3.5 for Bayes_99 and many users are set to default to 4 or 5).
Re: Interesting Low Scoring SPAM with odd script
On 12.01.10 06:48, Christian Brel wrote:
> http://pastebin.com/m66a5a2ae
>
> Anyone seen script like that?

It's the kind of content that should be captured by clamav imho.
clamav does have some kind of javascript decoding engine.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
Re: Interesting Low Scoring SPAM with odd script
Matus UHLAR - fantomas wrote:
> On 12.01.10 06:48, Christian Brel wrote:
>> http://pastebin.com/m66a5a2ae
>>
>> Anyone seen script like that?
>
> It's the kind of content that should be captured by clamav imho.

It's plain spam - personally I don't want clamav to deal with spam.

> clamav does have some kind of javascript decoding engine.

It's gobbledegook, not really a script.

/Per Jessen, Zürich
Re: Interesting Low Scoring SPAM with odd script
On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> On 12.01.10 06:48, Christian Brel wrote:
>> http://pastebin.com/m66a5a2ae
>>
>> Anyone seen script like that?
>
> It's the kind of content that should be captured by clamav imho.
> clamav does have some kind of javascript decoding engine.

If I'm fair to Clam, Matus, it did catch it :-)

X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
Re: Interesting Low Scoring SPAM with odd script
Christian Brel wrote:
> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>> On 12.01.10 06:48, Christian Brel wrote:
>>> http://pastebin.com/m66a5a2ae
>>>
>>> Anyone seen script like that?
>>
>> It's the kind of content that should be captured by clamav imho.
>> clamav does have some kind of javascript decoding engine.
>
> If I'm fair to Clam, Matus, it did catch it :-)
>
> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
>
> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.

Nothing was munged, it's just random text.

/Per Jessen, Zürich
Re: [SPAM:9.6] Re: Interesting Low Scoring SPAM with odd script
On Tue, 12 Jan 2010 12:15:41 +0100 Per Jessen p...@computer.org wrote:
> Christian Brel wrote:
>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>>> On 12.01.10 06:48, Christian Brel wrote:
>>>> http://pastebin.com/m66a5a2ae
>>>>
>>>> Anyone seen script like that?
>>>
>>> It's the kind of content that should be captured by clamav imho.
>>> clamav does have some kind of javascript decoding engine.
>>
>> If I'm fair to Clam, Matus, it did catch it :-)
>>
>> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
>>
>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>
> Nothing was munged, it's just random text.
>
> /Per Jessen, Zürich

Call me suspicious ;-)
Re: Interesting Low Scoring SPAM with odd script
On Tue, 12 Jan 2010, Per Jessen wrote:
> Christian Brel wrote:
>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>>> On 12.01.10 06:48, Christian Brel wrote:
>>>> http://pastebin.com/m66a5a2ae
>>>>
>>>> Anyone seen script like that?
>>
>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>
> Nothing was munged, it's just random text.

If so, what's the point to it?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The third basic rule of firearms safety: Keep your booger hook off the bang switch!
---
5 days until Benjamin Franklin's 304th Birthday
Re: Interesting Low Scoring SPAM with odd script
On Tue, 12 Jan 2010 10:56:09 -0800 (PST) John Hardin jhar...@impsec.org wrote:
> On Tue, 12 Jan 2010, Per Jessen wrote:
>> Christian Brel wrote:
>>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>>>> On 12.01.10 06:48, Christian Brel wrote:
>>>>> http://pastebin.com/m66a5a2ae
>>>>>
>>>>> Anyone seen script like that?
>>>
>>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>>
>> Nothing was munged, it's just random text.
>
> If so, what's the point to it?

That was also my thought. Spammers never do something without a reason, but they do screw up. My initial thoughts were 'is this some kind of obfuscated Java-script?' But the more I look at it, the less I think it is anything useful. I guess it could poison a bayes at best if marked as spam?
Re: Interesting Low Scoring SPAM with odd script
John Hardin wrote:
> On Tue, 12 Jan 2010, Per Jessen wrote:
>> Christian Brel wrote:
>>> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
>>>> On 12.01.10 06:48, Christian Brel wrote:
>>>>> http://pastebin.com/m66a5a2ae
>>>>>
>>>>> Anyone seen script like that?
>>>
>>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>>
>> Nothing was munged, it's just random text.
>
> If so, what's the point to it?

Bayes poisoning? Dunno, but it isn't executable javascript.

/Per Jessen, Zürich
Re: Interesting Low Scoring SPAM with odd script
>>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>>
>> Nothing was munged, it's just random text.
>
> If so, what's the point to it?

By no means a JS coder, and haven't dug deeper to find out, but couldn't it be pre-compiled JS and not just random text?
Re: Interesting Low Scoring SPAM with odd script
On Tue 12 Jan 2010 07:48:23 AM CET, Christian Brel wrote
> http://pastebin.com/m66a5a2ae

X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Interesting Low Scoring SPAM with odd script
Jason Bertoch wrote:
> By no means a JS coder, and haven't dug deeper to find out, but couldn't it be pre-compiled JS and not just random text?

Doubtful. I don't believe JavaScript has a bytecode or any other (except in some JavaScript engines internal representation) compiled format.

Francis
Re: Interesting Low Scoring SPAM with odd script
On Tue, 12 Jan 2010, Jason Bertoch wrote:
>>>> I'm just interested in the kind of java-script(?) munging that has gone on there and what it is in 'English' for want of a better phrase.
>>>
>>> Nothing was munged, it's just random text.
>>
>> If so, what's the point to it?
>
> By no means a JS coder, and haven't dug deeper to find out, but couldn't it be pre-compiled JS and not just random text?

Me neither; I'd expect some sort of flag on the script tag to indicate precompiled code, if that were an option.

Obfuscated code at the very least has _some_ recognizable javascript that implements the deobfuscator. I think it's just garbage. The question is: is it accidental garbage, or intentional garbage?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control laws cannot reduce violent crime, because gun control laws focus obsessively on a tool a criminal might use to commit a crime rather than the criminal himself and his act of violence.
---
5 days until Benjamin Franklin's 304th Birthday
Re: Interesting Low Scoring SPAM with odd script
On Wed, 13 Jan 2010 00:41:00 +0100 Benny Pedersen m...@junc.org wrote:
> On Tue 12 Jan 2010 07:48:23 AM CET, Christian Brel wrote
>> http://pastebin.com/m66a5a2ae
>
> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

Err, yes - I had already *highlighted* that, it was posted because the content was interesting ;-)
Re: Interesting Low Scoring SPAM with odd script
Christian Brel wrote:
> http://pastebin.com/m66a5a2ae
>
> Anyone seen script like that?

Yeah, I saw a couple of those last week.

/Per Jessen, Zürich
Re: Dealing with low scoring spam - tighter MTA integration
--On Thursday, March 05, 2009 7:43 AM +0100 Andrzej Adam Filip a...@onet.eu wrote:

> What I would like to see is an option to make spam assassin to produce weighted scores based on subset of all tests capable to work on subset of the final data available *before* message headers&body are transferred in SMTP session.

Before you get the DATA part, you only have the EHLO and envelope. Not a real need for a full-blown SA scan at that point. What rules would you apply that couldn't be done with a simple Perl function?

(For lurkers, MIMEDefang allows one to write a Sendmail milter in Perl, by providing a C-to-Perl translation layer.)
Re: Dealing with low scoring spam - tighter MTA integration
Kenneth Porter sh...@sewingwitch.com wrote:

> --On Thursday, March 05, 2009 7:43 AM +0100 Andrzej Adam Filip a...@onet.eu wrote:
>
>> What I would like to see is an option to make spam assassin to produce weighted scores based on subset of all tests capable to work on subset of the final data available *before* message headers&body are transferred in SMTP session.
>
> Before you get the DATA part, you only have the EHLO and envelope.

At RCPT TO: stage there are available:
* connecting client IP address (last mail hop)
  so big part of DNSBL and DNSWL tests *CAN* be used
* envelope sender for SPF based tests
* envelope sender and envelope recipient for auto white/black listing
  (producing some kind of grey-listing based for first attempt from unknown reputation source)

> Not a real need for a full-blown SA scan at that point.

I try hard to preach that SA methodology of creating spam score based on weighted tests *CAN* be applied at this point too. I would like to apply such test in milter (MIMEDefang) that uses SA anyway in my installation.

> What rules would you apply that couldn't be done with a simple Perl function?

SA is not a simple set of perl functions? ;-)

Delivering such functionality via SA would assure keeping sync of weights with changing spamming patterns. Some spammers are smart, many spammers are smart enough to follow so quality of maintenance team and maintenance methodology does make difference.

> (For lurkers, MIMEDefang allows one to write a Sendmail milter in Perl, by providing a C-to-Perl translation layer.)

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
You can't have everything. Where would you put it?
  -- Steven Wright
Re: Dealing with low scoring spam - tighter MTA integration
Andrzej Adam Filip wrote:
> At RCPT TO: stage there are available:
> * connecting client IP address (last mail hop)
>   so big part of DNSBL and DNSWL tests *CAN* be used
> * envelope sender for SPF based tests
> * envelope sender and envelope recipient for auto white/black listing
>   (producing some kind of grey-listing based for first attempt from unknown reputation source)

Are you thinking that it might be good to tie this in to the SpamAssassin AWL score? So a sender with an existing low AWL might be allowed through even if the sending host gets on one or two DNSBLs?

And you’re missing the possibility of doing reverse DNS lookups, too.

James.

--
E-mail: james@     | A: Because people don’t normally read bottom to top.
aprilcottage.co.uk | Q: Why is top-posting such a bad thing?
                   | A: Top-posting.
                   | Q: What is the most annoying thing in e-mail and usenet?
Re: Dealing with low scoring spam - tighter MTA integration
James Wilkinson sa-u...@aprilcottage.co.uk wrote:

> Andrzej Adam Filip wrote:
>> At RCPT TO: stage there are available:
>> * connecting client IP address (last mail hop)
>>   so big part of DNSBL and DNSWL tests *CAN* be used
>> * envelope sender for SPF based tests
>> * envelope sender and envelope recipient for auto white/black listing
>>   (producing some kind of grey-listing based for first attempt from unknown reputation source)
>
> Are you thinking that it might be good to tie this in to the SpamAssassin AWL score? So a sender with an existing low AWL might be allowed through even if the sending host gets on one or two DNSBLs?

I want a platform allowing many people to contribute small improvements e.g. white-listing based on combination of sender address and ASN (or routing prefix).

> And you’re missing the possibility of doing reverse DNS lookups, too.

I have considered it to be obvious derivate of connecting client IP address

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
Seek simplicity -- and distrust it.
  -- Alfred North Whitehead
Re: Dealing with low scoring spam - tighter MTA integration
--On Thursday, March 05, 2009 10:31 PM +0100 Andrzej Adam Filip a...@onet.eu wrote:

> I try hard to preach that SA methodology of creating spam score based on weighted tests *CAN* be applied at this point too. I would like to apply such test in milter (MIMEDefang) that uses SA anyway in my installation.

A cheap way of doing it would be to construct an artificial message from the information available. One would probably want to use a custom set of rules (ie. strip out most of the normal rules that assume a full set of headers and a regular body).

> At RCPT TO: stage there are available:
> * connecting client IP address (last mail hop)
>   so big part of DNSBL and DNSWL tests *CAN* be used
> * envelope sender for SPF based tests
> * envelope sender and envelope recipient for auto white/black listing
>   (producing some kind of grey-listing based for first attempt from unknown reputation source)

Instead of running all of SA, perhaps you could just invoke the individual plugins from their Perl entry points. I'm not familiar enough with SA's architecture to know how practical that is, though.
Dealing with low scoring spam - tighter MTA integration [was: 2 + 2 != 4 - Spamassassin needs a new paradigm]
Karsten Bräckelmann guent...@rudersport.de wrote:

> On Tue, 2009-03-03 at 08:32 -0800, Marc Perkel wrote:
>> Spamassassin works by adding up points. Rule A is 2 points, Rule B is 2 points therefore the score is 4 points. But is this the best way to score? I don't think so.
>>
>> [...]
>>
>> Anyhow - just throwing this out there for people to chew on and think about.
>
> Oh, and another problem with this:
>
> About 98-99% of my spam in-stream scores as high, that any such proposal results in a useless increase of the score. The problem lies with the LOW scoring spam. Alas, these do not tend to trigger on a solid subset or meta as you proposed. In particular, RBL hits are quite rare, even more so for multiple hits. The few rules hit by low scorers are quite diverse, which complicates this.

May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?
[ test based on: sending IP address, envelope sender, envelope recipient, and name in helo/ehlo ]

Possible recommended actions: accept, temporary reject, permanent reject - with choice based on spam score *AND* mail source reputation.

Temporary reject in SMTP session should increase chances of DNSBL hits by reducing blind spot period of newly created spam sources.

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
The difference between science and the fuzzy subjects is that science requires reasoning while those other subjects merely require scholarship.
  -- Robert Heinlein
Re: Dealing with low scoring spam - tighter MTA integration [was: 2 + 2 != 4 - Spamassassin needs a new paradigm]
On Wed, 2009-03-04 at 16:02 +0100, Andrzej Adam Filip wrote:
> Karsten Bräckelmann guent...@rudersport.de wrote:
>> About 98-99% of my spam in-stream scores as high, that any such proposal results in a useless increase of the score. The problem lies with the LOW scoring spam. Alas, these do not tend to trigger on a solid subset or meta as you proposed. In particular, RBL hits are quite rare, even more so for multiple hits. The few rules hit by low scorers are quite diverse, which complicates this.
>
> May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?
> [ test based on: sending IP address, envelope sender, envelope recipient, and name in helo/ehlo ]

This would be an entirely different application, not SA, wouldn't it?

Well, this probably could be done in SA using a multi-level protocol capable of returning values at different stages. However, this seems perfectly suited for a lightweight tool, rather than a hog that is designed to scan and process entire messages. :)

> Possible recommended actions: accept, temporary reject, permanent reject - with choice based on spam score *AND* mail source reputation.
>
> Temporary reject in SMTP session should increase chances of DNSBL hits by reducing blind spot period of newly created spam sources.

Experience with grey-listing, tempfail or whatever varies wildly given the posts to this list. Some do report, that the zombies won't retry anyway after being tempfailed once. So a later DNSBL hit after the list catching up and DNS propagation may be even irrelevant.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Dealing with low scoring spam - tighter MTA integration
Karsten Bräckelmann guent...@rudersport.de wrote:

> On Wed, 2009-03-04 at 16:02 +0100, Andrzej Adam Filip wrote:
>> Karsten Bräckelmann guent...@rudersport.de wrote:
>>> About 98-99% of my spam in-stream scores as high, that any such proposal results in a useless increase of the score. The problem lies with the LOW scoring spam. Alas, these do not tend to trigger on a solid subset or meta as you proposed. In particular, RBL hits are quite rare, even more so for multiple hits. The few rules hit by low scorers are quite diverse, which complicates this.
>>
>> May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?
>> [ test based on: sending IP address, envelope sender, envelope recipient, and name in helo/ehlo ]
>
> This would be an entirely different application, not SA, wouldn't it?

It can be developed using the same spam score logic, based subset of all tests requiring only the subset of final data available during classic run.

I do think that promoting tools that encourage postmaster to care very much about mail server (IP address) reputation can make real difference e.g. caring to be above reputation none in DNSWL to avoid grey-listing.

> Well, this probably could be done in SA using a multi-level protocol capable of returning values at different stages. However, this seems perfectly suited for a lightweight tool, rather than a hog that is designed to scan and process entire messages. :)

During initial tests/deployment *much* simpler implementation can be used with recommended action based on spam score:

It would require redesign of 50_scores.cf structure.
e.g. instead of
  score RCVD_IN_DNSWL_HI 0 -8 0 -8
something like that
  # N - Network, B - Bayes, nX - no X, R - RCPT TO:
  score RCVD_IN_DNSWL_HI nNnB=0 NnB=-8 nNB=0 NB=-8 R=-8
or shorter
  score RCVD_IN_DNSWL_HI N=-8 R=-8

>> Possible recommended actions: accept, temporary reject, permanent reject - with choice based on spam score *AND* mail source reputation.
>>
>> Temporary reject in SMTP session should increase chances of DNSBL hits by reducing blind spot period of newly created spam sources.
>
> Experience with grey-listing, tempfail or whatever varies wildly given the posts to this list. Some do report, that the zombies won't retry anyway after being tempfailed once. So a later DNSBL hit after the list catching up and DNS propagation may be even irrelevant.

There are DUL zombies that effectively do frequent IP address hopping and static NAT zombies. The former are bigger in number, the latter produce higher spam volume (IMHO).

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
All the taxes paid over a lifetime by the average American are spent by the government in less than a second.
  -- Jim Fiebig
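
Added example, not part of the original thread and not SpamAssassin code: a sketch of the RCPT TO-stage scoring proposed in the message above, parsing both the classic four-column `score` line and the proposed keyed form, then mapping the `R` total to accept, temporary reject or permanent reject. The keyed syntax exists only in that message; the `EXAMPLE_*` rule names, the `.example` zones, the lookup results and both thresholds are assumptions constructed for illustration.

```python
"""RCPT TO-stage weighted scoring, following the proposal in the message above.

Assumptions: the keyed score syntax (nNnB=, N=, R=) exists only in that
message, not in SpamAssassin; EXAMPLE_* rule names, the .example zones and
both thresholds are constructed for illustration.
"""
import ipaddress

# Order of the four columns in a classic "score" line.
CLASSIC_SETS = ("nNnB", "NnB", "nNB", "NB")

# Constructed score file mixing classic and proposed syntax.
SAMPLE_SCORES = """\
score RCVD_IN_DNSWL_HI nNnB=0 NnB=-8 nNB=0 NB=-8 R=-8
score EXAMPLE_DNSBL_A  N=4.5 R=4.5
score EXAMPLE_DNSBL_B  N=4.0 R=4.0
score EXAMPLE_BODY_RULE 2.5   # needs the message body: no R column
"""


def parse_score_line(line):
    """Return (rule_name, {score_set: value}) for one 'score' line."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] != "score":
        raise ValueError(f"not a score line: {line!r}")
    name, values = fields[1], fields[2:]
    scores = dict.fromkeys(CLASSIC_SETS + ("R",), 0.0)
    if all("=" in v for v in values):            # proposed keyed form
        for item in values:
            key, number = item.split("=", 1)
            if key == "N":                       # short form: both network sets
                scores["NnB"] = scores["NB"] = float(number)
            elif key in scores:
                scores[key] = float(number)
            else:
                raise ValueError(f"unknown score set {key!r} in {line!r}")
    elif len(values) == 4:                       # classic four-column form
        scores.update(zip(CLASSIC_SETS, map(float, values)))
    elif len(values) == 1:                       # classic single score
        scores.update(dict.fromkeys(CLASSIC_SETS, float(values[0])))
    else:
        raise ValueError(f"expected 1 or 4 scores in {line!r}")
    return name, scores


def load_scores(text):
    """Parse every non-blank, non-comment line of a score file."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, scores = parse_score_line(line)
            table[name] = scores
    return table


def dnsbl_query_name(client_ip, zone):
    """Reversed-octet DNS name used to look an IPv4 address up in a list."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def envelope_hits(client_ip, zones, is_listed):
    """Rules whose list contains client_ip; is_listed(name) does the lookup."""
    return [rule for rule, zone in zones.items()
            if is_listed(dnsbl_query_name(client_ip, zone))]


def rcpt_verdict(hits, table, tempfail_at=3.0, reject_at=8.0):
    """Sum the R column of the rules hit and map it to an SMTP action."""
    total = sum(table[rule]["R"] for rule in hits if rule in table)
    if total >= reject_at:
        return total, "REJECT"
    if total >= tempfail_at:
        return total, "TEMPFAIL"
    return total, "ACCEPT"


if __name__ == "__main__":
    table = load_scores(SAMPLE_SCORES)
    zones = {"EXAMPLE_DNSBL_A": "dnsbl-a.example",
             "EXAMPLE_DNSBL_B": "dnsbl-b.example",
             "RCVD_IN_DNSWL_HI": "dnswl.example"}
    # Constructed lookup results standing in for real DNS answers.
    listed = {"10.2.0.192.dnsbl-a.example", "10.2.0.192.dnsbl-b.example",
              "20.2.0.192.dnsbl-a.example", "20.2.0.192.dnswl.example"}
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        hits = envelope_hits(ip, zones, listed.__contains__)
        print(ip, hits, rcpt_verdict(hits, table))
```

A rule with no `R` value contributes nothing at this stage, which is how the sketch models "subset of all tests"; a whitelist hit offsets a blocklist hit in the same sum.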
Re: Dealing with low scoring spam - tighter MTA integration
On Wed, 4 Mar 2009, Andrzej Adam Filip wrote:

>> This would be an entirely different application, not SA, wouldn't it?
>
> It can be developed using the same spam score logic, based subset of all tests requiring only the subset of final data available during classic run.

So in other words something like SMTP-time DNSBL tests that score points towards rejection rather than being pass/fail? That sounds like a good idea.

> I do think that promoting tools that encourage postmaster to care very much about mail server (IP address) reputation can make real difference e.g. caring to be above reputation none in DNSWL to avoid grey-listing.

Agreed. But, performing major redesign of SA to achieve this pre-RCPT is going to be a tough sell.

>> Well, this probably could be done in SA using a multi-level protocol capable of returning values at different stages. However, this seems perfectly suited for a lightweight tool, rather than a hog that is designed to scan and process entire messages. :)
>
> During initial tests/deployment *much* simpler implementation can be used with recommended action based on spam score:
>
> It would require redesign of 50_scores.cf structure.
> e.g. instead of
>   score RCVD_IN_DNSWL_HI 0 -8 0 -8
> something like that
>   # N - Network, B - Bayes, nX - no X, R - RCPT TO:
>   score RCVD_IN_DNSWL_HI nNnB=0 NnB=-8 nNB=0 NB=-8 R=-8
> or shorter
>   score RCVD_IN_DNSWL_HI N=-8 R=-8

Why would SA be served by _major_ modifications like this, rather than writing a new milter that focuses on determining the reputation of an IP? Are you really willing to break _all_ existing SA installations for this?

Please don't try to make SA a do everything tool, you'll likely weaken what it does an outstanding job of today.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Failure to plan ahead on someone else's part does not constitute an emergency on my part.
  -- David W. Barts in a.s.r
---
4 days until Daylight Saving Time begins in U.S. - Spring Forward
Re: Dealing with low scoring spam - tighter MTA integration
John Hardin jhar...@impsec.org wrote:

> On Wed, 4 Mar 2009, Andrzej Adam Filip wrote:
>
>>> This would be an entirely different application, not SA, wouldn't it?
>>
>> It can be developed using the same spam score logic, based subset of all tests requiring only the subset of final data available during classic run.
>
> So in other words something like SMTP-time DNSBL tests that score points towards rejection rather than being pass/fail? That sounds like a good idea.
>
>> I do think that promoting tools that encourage postmaster to care very much about mail server (IP address) reputation can make real difference e.g. caring to be above reputation none in DNSWL to avoid grey-listing.
>
> Agreed. But, performing major redesign of SA to achieve this pre-RCPT is going to be a tough sell.
>
>>> Well, this probably could be done in SA using a multi-level protocol capable of returning values at different stages. However, this seems perfectly suited for a lightweight tool, rather than a hog that is designed to scan and process entire messages. :)
>>
>> During initial tests/deployment *much* simpler implementation can be used with recommended action based on spam score:
>>
>> It would require redesign of 50_scores.cf structure.
>> e.g. instead of
>>   score RCVD_IN_DNSWL_HI 0 -8 0 -8
>> something like that
>>   # N - Network, B - Bayes, nX - no X, R - RCPT TO:
>>   score RCVD_IN_DNSWL_HI nNnB=0 NnB=-8 nNB=0 NB=-8 R=-8
>> or shorter
>>   score RCVD_IN_DNSWL_HI N=-8 R=-8
>
> Why would SA be served by _major_ modifications like this, rather than writing a new milter that focuses on determining the reputation of an IP? Are you really willing to break _all_ existing SA installations for this?
>
> Please don't try to make SA a do everything tool, you'll likely weaken what it does an outstanding job of today.

0) Such _major_ modification means introducing it in next _major_ spamassassin release unless it can be made downward compatible e.g. by using *separate* score file for at RCPT TO: tests.
   Where there's a Will, there's a way
1) I want milter(s) (MIMEDefang's filtering script in perl) to use spamassassin in such role. I personally prefer such tools from teams with well established maintenance reputation. I also believe that SA score tuning methodology would fit very well too.
2) Anyway limiting scores to *only* four cases *SHOULD NOT* stay forever.

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin
  -- They Might Be Giants
Re: Dealing with low scoring spam - tighter MTA integration [was: 2 + 2 != 4 - Spamassassin needs a new paradigm]
At 07:02 04-03-2009, Andrzej Adam Filip wrote:
> May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?
> [ test based on: sending IP address, envelope sender, envelope recipient, and name in helo/ehlo ]

SpamAssassin processes the message and returns the result. The way it is designed, it can be integrated in different environments as it is MTA agnostic. The change you propose could be done by introducing a new command in the protocol to evaluate the envelope information only. It would be easier to do all that through a milter as there is less overhead. The downside is that you will get more false positives.

Regards,
-sm
Re: Dealing with low scoring spam - tighter MTA integration [was: 2 + 2 != 4 - Spamassassin needs a new paradigm]
--On Wednesday, March 04, 2009 4:02 PM +0100 Andrzej Adam Filip a...@onet.eu wrote:

> May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?

Check out http://mimedefang.org/

MIMEDefang includes SA integration.
Re: Dealing with low scoring spam - tighter MTA integration
Kenneth Porter sh...@sewingwitch.com wrote:

> --On Wednesday, March 04, 2009 4:02 PM +0100 Andrzej Adam Filip a...@onet.eu wrote:
>
>> May be spamassassin should create set of tests intended for use before replying RCPT TO: in SMTP session?
>
> Check out http://mimedefang.org/
>
> MIMEDefang includes SA integration.

I know MIMEDefang and I use it on one installation.

What I would like to see is an option to make spam assassin to produce weighted scores based on subset of all tests capable to work on subset of the final data available *before* message headers&body are transferred in SMTP session.

--
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
Treaties are like roses and young girls -- they last while they last.
  -- Charles DeGaulle
Re: OT Alert: Forward low scoring SPAM to sa-learn.
On 17.07.07 10:40, Anthony Kamau wrote:
> I'm faced with a dilemma on how to use sa-learn with mail forwarded from a user's inbox on Exchange to the sendmail server. Since we just recently started using sendmail as a front end server, our bayes system is still in its infancy and spam is getting through to user inboxes with scores lower than our threshold of 10 and thus not being clearly identified as spam on the subject line. My intention is to have a user forward spam back to sendmail server and use sa-learn to help the scoring system get better fast.

My experience tells that Exchange rewrites mails very often in such a horrible way that mail from Exchange should never be used for SA training.

Try to send all copies of received e-mail to special mailbox on your front-end server and whenever your user reports false positive/negative, run sa-learn (or spamassassin -r/-k) over the copy.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
RE: OT Alert: Forward low scoring SPAM to sa-learn.
-----Original Message-----
From: Michael Scheidell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 17 July 2007 2:51 PM
To: Anthony Kamau; users@spamassassin.apache.org
Subject: RE: OT Alert: Forward low scoring SPAM to sa-learn.

> Only hope is to create shared, public folders for them to move the email to and have a separate program use imap to that folder to read the email (again, google is your friend, there are several programs like this for SA out there)

Thanks Michael.

I've always known that Google is my friend, but creativity with search terms eludes me -:). After reading your response, I quickly Googled imap exchange sa-learn and up came 794 links. The link at the top [1] provides all the details I need!

[1] - http://www.ctdx.net/2006/10/27/spamassassin-linux-exchange-imap/

Cheers,
AK.
RE: OT Alert: Forward low scoring SPAM to sa-learn.
-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 17 July 2007 11:35 AM
To: Anthony Kamau
Cc: users@spamassassin.apache.org
Subject: Re: OT Alert: Forward low scoring SPAM to sa-learn.

> That said, if you're just doing a forward as attachment type operation, you should be able to get any standard mime attachment extractor tool..

Thanks Matt,

I was planning on having the users forward the spam/ham as an attachment, but that was before I read Michael's post. All should be well unless I have other issues with the script...

Cheers,
AK.
OT Alert: Forward low scoring SPAM to sa-learn.
Hello all.

I'm faced with a dilemma on how to use sa-learn with mail forwarded from a user's inbox on Exchange to the sendmail server. Since we just recently started using sendmail as a front end server, our bayes system is still in its infancy and spam is getting through to user inboxes with scores lower than our threshold of 10 and thus not being clearly identified as spam on the subject line. My intention is to have a user forward spam back to sendmail server and use sa-learn to help the scoring system get better fast.

Here's what I've done so far:

I have created two email addresses for this purpose; [EMAIL PROTECTED] for spam and [EMAIL PROTECTED] for false positives. I have created a connector that forwards all email destined for mail.domain.com back to the sendmail server and messages are getting into the appropriate mailboxes.

The next step is what has me stunned - is there a standard marker to look out for that segregates the attachment from the mail sending the attachment?

Any help would be mightily appreciated.

Cheers,
AK.
Re: OT Alert: Forward low scoring SPAM to sa-learn.
Anthony Kamau wrote:

> Hello all.
>
> I'm faced with a dilemma on how to use sa-learn with mail forwarded from a user's inbox on Exchange to the sendmail server. Since we just recently started using sendmail as a front end server, our bayes system is still in its infancy and spam is getting through to user inboxes with scores lower than our threshold of 10 and thus not being clearly identified as spam on the subject line. My intention is to have a user forward spam back to sendmail server and use sa-learn to help the scoring system get better fast.
>
> Here's what I've done so far: I have created two email addresses for this purpose; [EMAIL PROTECTED] for spam and [EMAIL PROTECTED] for false positives. I have created a connector that forwards all email destined for mail.domain.com back to the sendmail server and messages are getting into the appropriate mailboxes.
>
> The next step is what has me stunned - is there a standard marker to look out for that segregates the attachment from the mail sending the attachment?

Standard? There's nothing that's standard about forwarding email.

That said, if you're just doing a forward as attachment type operation, you should be able to get any standard mime attachment extractor tool.. ie: http://search.cpan.org/dist/ppt/bin/mimedecode

If you're using an ordinary forward, don't bother. The message has been completely rebuilt and only has a visible-text resemblance to the original.

Generally a normal forward does the following, any of which is more-or-less a different message as far as SA is concerned, but the header ones are pretty catastrophic unless you can do major reconstruction.

1) discard ALL of the original message headers, and build new ones, copying a minimal amount of text:
 - The message is now From: the forwardee, not the spammer.
 - All of the Received: headers are new.
 - Any out-of-the-ordinary headers are generally gone (ie: X-Id, X-Originating-IP, etc)
 - Even the subject is generally changed to include Fwd: or something similar.
 - Obviously the X-Mailer and/or User-Agent is replaced with the one for your MUA, not the original.

2) Significant changes to the body text:
 - For multipart/alternative messages, many mail clients will discard the original text/plain, and build a new one based on the contents of the text/html
 - Most add some kind of Forwarded message follows text
 - Most will re-do any character encodings. ie: a message that was base64 encoded will probably not be.
 - Most will re-do line-wraps to suit their own tastes.
 - All will generate completely new mime boundaries which will generally not be remotely similar to the originals.
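The distinction drawn in the reply above, as an added example that is not part of the original post: a forward-as-attachment carries the original as a message/rfc822 part that can be pulled out with its headers, while an ordinary forward has nothing to recover. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage


def _attached_messages(part):
    """Yield each message/rfc822 attachment without descending into it,
    so attachments nested inside the original are not extracted twice."""
    if part.get_content_type() == "message/rfc822":
        inner = part.get_payload()
        if isinstance(inner, list) and inner:
            yield inner[0]
        return
    if part.is_multipart():
        for sub in part.get_payload():
            yield from _attached_messages(sub)


def extract_originals(raw):
    """Return the serialized original message(s) found in a forwarded mail.

    An empty list means the user sent an ordinary (inline) forward: the
    original headers are gone and the message should not be learned.
    """
    wrapper = email.message_from_bytes(raw, policy=policy.default)
    originals = []
    for inner in _attached_messages(wrapper):
        # Only keep attachments that still carry Received: headers, since
        # those are what an ordinary forward discards.
        if inner.get_all("Received"):
            originals.append(inner.as_bytes())
    return originals


def build_sample_forward(as_attachment):
    """Constructed sample: the same spam forwarded both ways."""
    spam = EmailMessage()
    spam["Received"] = ("from mail.example.net (mail.example.net [192.0.2.10]) "
                        "by mx.example.org with ESMTP; "
                        "Mon, 16 Jul 2007 10:00:00 +0000")
    spam["From"] = "sender@example.net"
    spam["To"] = "user@example.org"
    spam["Subject"] = "Constructed sample"
    spam["X-Originating-IP"] = "[192.0.2.10]"
    spam.set_content("Constructed spam body.\n")

    fwd = EmailMessage()
    fwd["From"] = "user@example.org"
    fwd["To"] = "spam-report@mail.example.org"
    fwd["Subject"] = "FW: Constructed sample"
    if as_attachment:
        fwd.set_content("Forwarding this spam as an attachment.\n")
        fwd.add_attachment(spam)  # becomes a message/rfc822 part
    else:
        fwd.set_content("-------- Forwarded message --------\n"
                        "From: sender@example.net\n"
                        "Subject: Constructed sample\n\n"
                        "Constructed spam body.\n")
    return fwd.as_bytes()


if __name__ == "__main__":
    for mode in (True, False):
        found = extract_originals(build_sample_forward(mode))
        print("as attachment" if mode else "inline forward", "->", len(found))
```

Each returned byte string can be written to its own file and passed to sa-learn; serialization may re-fold long header lines, but the header fields themselves are the original ones.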
RE: OT Alert: Forward low scoring SPAM to sa-learn.
-----Original Message-----
From: Anthony Kamau [mailto:[EMAIL PROTECTED]
Sent: Monday, July 16, 2007 8:40 PM
To: users@spamassassin.apache.org
Subject: OT Alert: Forward low scoring SPAM to sa-learn.

> Hello all. The next step is what has me stunned - is there a standard marker to look out for that segregates the attachment from the mail sending the attachment?

No, and even if you could talk your users through forwarding the email as an attachment (google is your friend) it would still be messed up. Only hope is to create shared, public folders for them to move the email to and have a separate program use imap to that folder to read the email (again, google is your friend, there are several programs like this for SA out there)

Or, you could create a vbscript that sends it to a waiting spamd daemon, that could work also.

This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com
RE: Low scoring spam
Ok I'm sorry I misunderstood. I ran it the way you suggested and it did come with headers this time. I attached the results. I still feel like something else is wrong.

Thanks
Robert

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 10:38 AM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: RE: Low scoring spam

At 11:59 AM 2/24/2005, [EMAIL PROTECTED] wrote:
> spamd is aliased to spamassassin.

Ok... May I ask why?

(I excluded the rest of the headers for privacy reasons, but it's just the top part of a regular email header)

X-Mailer: Apple Mail (2.619.2)
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on milkyway.digitalphx.com
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=5.0 tests=EXCUSE_3,NO_DNS_FOR_FROM, RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1

debug: SpamAssassin version 3.0.1
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/kerberos/sbin', keeping.
debug: PATH included '/usr/kerberos/bin', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/root/bin', which doesn't exist, dropping.
RE: Low scoring spam
Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?

Thanks
Robert

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 10:38 AM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: RE: Low scoring spam

At 11:59 AM 2/24/2005, [EMAIL PROTECTED] wrote:
> spamd is aliased to spamassassin.

Ok... May I ask why?
RE: Low scoring spam
> Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?
>
> Thanks
> Robert

From your logs.

debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen
debug: Score set 1 chosen.
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen

It is my understanding that bayes does not work until there are 200 spams and 200 hams learned. Either by auto learning or feeding with sa-learn. There are some starter bayes databases out there as well search the list and/or google.

Hope this helps.

Ken Goods
Network Administrator
AIA Insurance, Inc.
RE: Low scoring spam
Thanks for the input. I found this site: http://www.fsl.com/support/index.html

My question is the zipped files give you:

bayes/bayes.mutex
bayes/bayes_toks
bayes/bayes_seen

Does that mean I have to replace what I already have or is there a way to import it?

Thanks
Robert

-----Original Message-----
From: Ken Goods [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 5:43 PM
To: users@spamassassin.apache.org
Subject: RE: Low scoring spam

> Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?
>
> Thanks
> Robert

From your logs.

debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen
debug: Score set 1 chosen.
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen

It is my understanding that bayes does not work until there are 200 spams and 200 hams learned. Either by auto learning or feeding with sa-learn. There are some starter bayes databases out there as well search the list and/or google.

Hope this helps.

Ken Goods
Network Administrator
AIA Insurance, Inc.
RE: Low scoring spam
Another question, since auto white list was on while the ALL_TRUSTED issue was going on, should I delete the auto white list file in the root spamassassin folder?

Robert

-----Original Message-----
From: Ken Goods [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 5:43 PM
To: users@spamassassin.apache.org
Subject: RE: Low scoring spam

> Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?
>
> Thanks
> Robert

From your logs.

debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen
debug: Score set 1 chosen.
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen

It is my understanding that bayes does not work until there are 200 spams and 200 hams learned. Either by auto learning or feeding with sa-learn. There are some starter bayes databases out there as well search the list and/or google.

Hope this helps.

Ken Goods
Network Administrator
AIA Insurance, Inc.
RE: Low scoring spam
I went ahead and instead fed it some ham around the office :) Now it is using the bayes db, so that old spam log showed 2.99, with bayes now working it scored it a 7

Thanks again!
Robert

-----Original Message-----
From: Ken Goods [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 24, 2005 5:43 PM
To: users@spamassassin.apache.org
Subject: RE: Low scoring spam

> Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?
>
> Thanks
> Robert

From your logs.

debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen
debug: Score set 1 chosen.
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: untie-ing db_toks
debug: bayes: untie-ing db_seen

It is my understanding that bayes does not work until there are 200 spams and 200 hams learned. Either by auto learning or feeding with sa-learn. There are some starter bayes databases out there as well search the list and/or google.

Hope this helps.

Ken Goods
Network Administrator
AIA Insurance, Inc.
Re: Low scoring spam
Without seeing the actual spam it is hard to say how high it could score. However, getting enough ham into Bayes such that it will run will up the score considerably. Loren
Re: Low scoring spam
> Hmm.. I wonder if it is even using the bayes db at all. I keep seeing it

It isn't.

> find it but I don't see it actually being used. If that is the case how do I make sure Bayes will be used for each message?

> debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200

Make sure that you have at least 200 hams and 200 spams loaded into bayes.

Loren
Re: Low scoring spam
Robert Bartlett wrote:
> Ok I'm sorry I misunderstood. I ran it the way you suggested and it did come with headers this time. I attached the results. I still feel like something else is wrong.

Install Razor.
Re: Low scoring spam
Now that I got bayes working my next question is should I reactivate autowhitelist and autolearn? Thanks Robert
RE: Low scoring spam
Well all I did was run spamd -D /path/to/message

Here is my local.cf. Am I missing something out of here?

user_scores_dsn DBI:mysql:spamassassin:localhost:3306
user_scores_sql_password *
user_scores_sql_username *
user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC
score ALL_TRUSTED 0
report_safe 1
use_bayes 1
bayes_auto_learn 0
use_dcc 1
ok_languages en
ok_locales en
use_auto_whitelist 0

If I am missing something that would make it check the headers please let me know. The command line that runs in the init.d file is:

-q -x -d -m10 -H -v -u spamuser

Thanks
Robert

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 23, 2005 8:44 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Low scoring spam

At 10:31 AM 2/23/2005, Robert Bartlett wrote:
> Do you suggest until resolved disable this? If to disable it what exactly do I need to disable?

Upon closer inspection are you sure you fed SA the actual message with complete headers? Are you sure that's not the output of spamassassin --lint??

It looks like the test message is missing a LOT of headers.. No Subject, no Date, no From:, no Received headers.

Note it doesn't look like it failed to parse the Received: headers.. it looks like they are absent entirely.. There's no complaint about an unparsable Received header in the debug.. There's no mention of even trying to parse one...

This part looks very much like --lint:

debug: all '*From' addrs: [EMAIL PROTECTED]

Also suspicious: MISSING_DATE,MISSING_SUBJECT
Re: Low scoring spam
Hello Robert, Not directly related to your problem, I don't think, but from your debug listing I see you're using the following rules files: debug: config: read file ... debug: config: read file /etc/mail/spamassassin/70_sare_random.cf ... debug: config: read file /etc/mail/spamassassin/random.current.cf If I remember correctly, random.current.cf is an ancient name for 70_sare_random.cf -- you may be overlaying current rules with ancient ones. Worth looking into. Bob Menschel
RE: Low scoring spam
At 08:06 PM 2/23/2005, Robert Bartlett wrote: Well all I did was run spamd -D /path/to/message Is that a typo of spamc, or did you really try to feed a message to spamd?
RE: Low scoring spam
At 08:06 PM 2/23/2005, Robert Bartlett wrote:
> Well all I did was run spamd -D /path/to/message

Wait.. even if it is a typo, it still won't work. You need to redirect things when calling spamc.. You can't pass it a filename.

And spamc doesn't take a -D parameter, only spamd does... but spamd does not accept message input like that.

Try this instead:

spamassassin -D /path/to/message

*or* add -D to your spamd startup script, restart spamd and use

spamc < /path/to/message
RE: Low scoring spam
spamd is aliased to spamassassin. I forgot to insert the part in my email but that is what I did.

Robert

At 08:06 PM 2/23/2005, Robert Bartlett wrote:
> Well all I did was run spamd -D /path/to/message

Wait.. even if it is a typo, it still won't work. You need to redirect things when calling spamc.. You can't pass it a filename.

And spamc doesn't take a -D parameter, only spamd does... but spamd does not accept message input like that.

Try this instead:

spamassassin -D /path/to/message

*or* add -D to your spamd startup script, restart spamd and use

spamc < /path/to/message
RE: Low scoring spam
At 11:59 AM 2/24/2005, [EMAIL PROTECTED] wrote:
> spamd is aliased to spamassassin.

Ok... May I ask why?
Low scoring spam
I have one client who gets 15-20 spam emails a day. Currently I'm using SA 3.0.1. I had auto whitelist and auto learn on and since turned this off. I ran spamd -D on one of the emails that got through that should have been marked spam. I noticed it scored a 2.6 with the regex test at the beginning but hit the meta test and went to negative number? Anyway please let me know if additional info is needed. I'm using bayes but I manually feed it each day.

Thanks
Robert
Re: Low scoring spam
At 10:09 AM 2/23/2005, Robert Bartlett wrote:
> I have one client who gets 15-20 spam emails a day. Currently I'm using SA 3.0.1. I had auto whitelist and auto learn on and since turned this off. I ran spamd -D on one of the emails that got through that should have been marked spam.

From your log:

debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Looks like SA can't parse your received headers and thus assumes all trusted because there's no untrusted...

Yet another reason why 3949 needs fixing.

http://bugzilla.spamassassin.org/show_bug.cgi?id=3949
RE: Low scoring spam
Do you suggest until resolved disable this? If to disable it what exactly do I need to disable?

Thanks again!
Robert

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 23, 2005 8:28 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: Low scoring spam

At 10:09 AM 2/23/2005, Robert Bartlett wrote:
> I have one client who gets 15-20 spam emails a day. Currently I'm using SA 3.0.1. I had auto whitelist and auto learn on and since turned this off. I ran spamd -D on one of the emails that got through that should have been marked spam.

From your log:

debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Looks like SA can't parse your received headers and thus assumes all trusted because there's no untrusted...

Yet another reason why 3949 needs fixing.

http://bugzilla.spamassassin.org/show_bug.cgi?id=3949
Re: Low scoring spam
Robert

set the score to zero in local.cf

score ALL_TRUSTED 0

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Robert Bartlett wrote:
> Do you suggest until resolved disable this? If to disable it what exactly do I need to disable?
>
> Thanks again!
> Robert
>
> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 23, 2005 8:28 AM
> To: [EMAIL PROTECTED]; users@spamassassin.apache.org
> Subject: Re: Low scoring spam
>
> At 10:09 AM 2/23/2005, Robert Bartlett wrote:
> I have one client who gets 15-20 spam emails a day. Currently I'm using SA 3.0.1. I had auto whitelist and auto learn on and since turned this off. I ran spamd -D on one of the emails that got through that should have been marked spam.
>
> From your log:
>
> debug: metadata: X-Spam-Relays-Trusted:
> debug: metadata: X-Spam-Relays-Untrusted:
>
> Looks like SA can't parse your received headers and thus assumes all trusted because there's no untrusted...
>
> Yet another reason why 3949 needs fixing.
>
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3949

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
RE: Low scoring spam
Thanks for the help everyone. Here is the new spam log running against the same email now using the solution given below in the local.cf file. Is there anything else you see that might be causing any other issues?

Thanks
Robert

-----Original Message-----
From: Martin Hepworth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 23, 2005 8:33 AM
To: [EMAIL PROTECTED]
Cc: 'Matt Kettler'; users@spamassassin.apache.org
Subject: Re: Low scoring spam

Robert

set the score to zero in local.cf

score ALL_TRUSTED 0

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Robert Bartlett wrote:
> Do you suggest until resolved disable this? If to disable it what exactly do I need to disable?
>
> Thanks again!
> Robert
>
> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 23, 2005 8:28 AM
> To: [EMAIL PROTECTED]; users@spamassassin.apache.org
> Subject: Re: Low scoring spam
>
> At 10:09 AM 2/23/2005, Robert Bartlett wrote:
> I have one client who gets 15-20 spam emails a day. Currently I'm using SA 3.0.1. I had auto whitelist and auto learn on and since turned this off. I ran spamd -D on one of the emails that got through that should have been marked spam.
>
> From your log:
>
> debug: metadata: X-Spam-Relays-Trusted:
> debug: metadata: X-Spam-Relays-Untrusted:
>
> Looks like SA can't parse your received headers and thus assumes all trusted because there's no untrusted...
>
> Yet another reason why 3949 needs fixing.
>
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3949

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **

debug: SpamAssassin version 3.0.1
debug: Score set 0 chosen.
RE: Low scoring spam
At 10:31 AM 2/23/2005, Robert Bartlett wrote:
> Do you suggest until resolved disable this? If to disable it what exactly do I need to disable?

Upon closer inspection are you sure you fed SA the actual message with complete headers? Are you sure that's not the output of spamassassin --lint??

It looks like the test message is missing a LOT of headers.. No Subject, no Date, no From:, no Received headers.

Note it doesn't look like it failed to parse the Received: headers.. it looks like they are absent entirely.. There's no complaint about an unparsable Received header in the debug.. There's no mention of even trying to parse one...

This part looks very much like --lint:

debug: all '*From' addrs: [EMAIL PROTECTED]

Also suspicious: MISSING_DATE,MISSING_SUBJECT
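The checks that replies in this thread performed by eye on Robert's debug output (Bayes refusing to scan below its learning minimum, and empty relay metadata that either means unparsed Received headers or a message fed in without headers at all), written as an added example that is not code from the thread or from SpamAssassin. The sample log lines are constructed in the format quoted above; the "tests=" line and the relay value layout are assumptions.

```python
import re

# Patterns follow the debug lines quoted in the thread.
BAYES_RE = re.compile(
    r"bayes: Not available for scanning, only (\d+) (ham|spam)\(s\) "
    r"in Bayes DB\s*<?\s*(\d+)"
)
RELAYS_RE = re.compile(
    r"^debug: metadata: X-Spam-Relays-(Trusted|Untrusted):[ \t]*(.*)$", re.M
)
# Rule hits that one reply read as a sign the input had no real headers.
NO_HEADER_RULES = ("MISSING_DATE", "MISSING_SUBJECT")


def triage(debug_text):
    """Return a list of (code, explanation) findings for one debug run."""
    findings = []

    seen = set()
    for count, kind, need in BAYES_RE.findall(debug_text):
        if (kind, count) in seen:  # the log repeats this line per scan
            continue
        seen.add((kind, count))
        findings.append((
            "BAYES_INACTIVE",
            f"only {count} {kind} learned, {need} required; "
            "no BAYES_* rule can fire until both minimums are met",
        ))

    relays = {k: v.strip() for k, v in RELAYS_RE.findall(debug_text)}
    if set(relays) == {"Trusted", "Untrusted"} and not any(relays.values()):
        headerless = all(
            re.search(rf"\b{rule}\b", debug_text) for rule in NO_HEADER_RULES
        )
        if headerless:
            findings.append((
                "INPUT_WITHOUT_HEADERS",
                "no relays and Date/Subject missing; the scanner was "
                "probably not given the full message with headers",
            ))
        else:
            findings.append((
                "NO_RELAYS_PARSED",
                "both relay lists are empty, so every hop counts as "
                "trusted; check Received parsing and the trust settings",
            ))
    return findings


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_BROKEN = """\
debug: SpamAssassin version 3.0.1
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: bayes: untie-ing
debug: bayes: Not available for scanning, only 48 ham(s) in Bayes DB < 200
debug: tests=ALL_TRUSTED,MISSING_DATE,MISSING_SUBJECT
"""

# Constructed sample of a run where neither problem is present.
SAMPLE_HEALTHY = """\
debug: SpamAssassin version 3.0.1
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted: [ ip=192.0.2.10 rdns=mail.example.net helo=mail.example.net by=mx.example.org ]
debug: bayes: found bayes db version 3
debug: tests=BAYES_99,RCVD_IN_BL_SPAMCOP_NET
"""

if __name__ == "__main__":
    for code, why in triage(SAMPLE_BROKEN):
        print(code, "-", why)
```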
low scoring SPAM
I've recently (about a month ago) installed a new mail server and upgraded to SA 3.01. I've been training the bayes database by hand (most of our mail is Japanese and the autolearning wasn't a good way to start the bayes learning) anyways, I'm not using any custom or 3rd party rules.

I'm a little baffled why the following email scored so low. I'm also a little puzzled why the BAYES_99 has such a low score. I'm tempted to crank it up a bit, but concerned about how that will affect the system in general and also concerned about false positives.

can anyone give me some insight?

thanks
alan

P.S. in the past I've refrained from sending the why didn't this mail score higher types of messages to the list, but I've been seeing a pattern of hitting BAYES_99 and not many other rules.

-------- Original Message --------
Return-Path: [EMAIL PROTECTED]
Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23]) by mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906 for [EMAIL PROTECTED]; Sat, 4 Dec 2004 02:54:29 +0900
Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP; Fri, 3 Dec 2004 18:49:21 +0100
Date: Fri, 3 Dec 2004 09:49:21 -0800
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR, WINSTON lick.
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on mail.mydomain.tld
X-Spam-Score: 3.339 / 5.000: 23.339%
X-Spam-Tests: BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007)
X-Spam-Level: ***
X-Spam-Disposition: Suspected
X-Scanned-By: MIMEDefang 2.49 on 127.0.0.1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.valueclick.jp id iB3HsScd004906

FROM: THE DESK OF BARR, KEN MARK. MARKLAWCHAMBERS NO, 56 WARF ROAD APAPA LAGOS NIGERIA. Email; [EMAIL PROTECTED] TO: lick, I am Barrister Mark Ken green, a solicitor.
I am the private Attorney to Mr. Winston lick, a National of your country, who used to work with Strabag Construction Company in Nigeria. On the 21st of April were involved in a car accident along Sagbama Express Road. All occupants of the vehicle unfortunately lost their lives. Since then I have made several enquiries to your Embassy to locate any of my client's relatives, this has also proved unsuccessful. After these several unsuccessful attempts, I decided to trace his last name over the Internet, to locate any member of his family hence I contacted you. I have contacted you to assist in repatriating the money and property left behind by my client before they get confiscated or declared unserviceable by the Finance Company where this huge deposits were lodged where the deceased had an account valued at about 10 Million Dollars has issued me a notice! To provide the next of kin or have the account confiscated. Since I have been unsuccessful in locating the relatives for over 2 years now I seek your consent to present you as the next of kin of the deceased since you have the same last name so that the proceeds of this account valued at 10 Million Dollars can be paid to you and then you and me can share the money. 50% for me and 40% for you and 10% will be used for any expenses that this might cost on the process of this transaction. I have all necessary legal documents that can be used to back up any claim we may make. All I required is your honest co-operation to enable us see this deal through. I guarantee that this transaction will be executed under a legitimate arrangement that will protect you from any breach of the law. It is 100% risk-free. Please get in touch with me by my private email address, [EMAIL PROTECTED] to enable us discuss further Awaiting to hear from you soon. Thanks and God bless you, Mark Ken green (Esq. __ Tiscali Adsl 2 Mega Free: l'adsl piu' veloce e' gratis! 
Naviga libero dai costi fissi con Tiscali Adsl 2 Mega Free, l'adsl Free piu' veloce in Italia. In piu', se ti abboni entro il 13 dicembre 2004, navighi gratis fino al 31 marzo 2005 e non paghi il costo di adesione. http://abbonati.tiscali.it/adsl/
RE: low scoring SPAM
|-Original Message-
|From: alan premselaar [mailto:[EMAIL PROTECTED]
|Sent: 04 December 2004 15:23
|To: users@spamassassin.apache.org
|Subject: low scoring SPAM
|
|I've recently (about a month ago) installed a new mail server and
|upgraded to SA 3.01. I've been training the bayes database by hand
|(most of our mail is Japanese and the autolearning wasn't a good way to
|start the bayes learning)
|
|anyways, I'm not using any custom or 3rd party rules. I'm a little
|baffled why the following email scored so low. I'm also a little
|puzzled why the BAYES_99 has such a low score.
|I'm tempted to crank it up a bit, but concerned about how that will
|affect the system in general and also concerned about false positives.
|
|can anyone give me some insight?
|
|thanks
|
|alan
|
|P.S. in the past I've refrained from sending the "why didn't this mail
|score higher" types of messages to the list, but I've been seeing a
|pattern of hitting BAYES_99 and not many other rules.
|

I upped my scoring almost straight away. The explanations I have heard for it being so low is to lower the number of FPs, but lower bayes matches score higher, which makes no common sense at all. I use the following scores and they work well for me, but you will have to make your own judgment on that:

score BAYES_00 0 0 -1.665 -4.9
score BAYES_05 0 0 -0.925 -2.5
score BAYES_20 0 0 -0.730 -1.0
score BAYES_40 0 0 -0.276 -0.5
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 0.5
score BAYES_80 0 0 3.608 1.0
score BAYES_95 0 0 3.514 2.5
score BAYES_99 0 0 4.070 4.9

It's the RH column which counts for me, ignore the LH one, think that's the default.

Martin
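An added example, not part of Martin's post or of SpamAssassin itself: in a four-value `score` line the columns are SpamAssassin's scoresets 0 to 3 (no Bayes and no network tests, network only, Bayes only, Bayes and network), so which column "counts" depends on how the scanner runs. The sketch below parses the score lines above and re-totals the `X-Spam-Tests` header from alan's message under them; the function names are made up for this illustration.

```python
import re

# Martin's score lines as posted; the four columns are scoresets 0..3.
SCORE_LINES = """\
score BAYES_00 0 0 -1.665 -4.9
score BAYES_05 0 0 -0.925 -2.5
score BAYES_20 0 0 -0.730 -1.0
score BAYES_40 0 0 -0.276 -0.5
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 0.5
score BAYES_80 0 0 3.608 1.0
score BAYES_95 0 0 3.514 2.5
score BAYES_99 0 0 4.070 4.9
"""
# Rule hits from the X-Spam-Tests header of alan's message in this thread.
X_SPAM_TESTS = ("BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),"
                "RISK_FREE(0.230),NO_REAL_NAME(0.007)")
THRESHOLD = 5.0  # from "X-Spam-Score: 3.339 / 5.000"

def scoreset_index(bayes, network):
    """0: neither, 1: network only, 2: Bayes only, 3: Bayes and network."""
    return (2 if bayes else 0) + (1 if network else 0)

def parse_scores(text, bayes, network):
    """Return {rule: score} for the scoreset the scanner actually runs in."""
    idx = scoreset_index(bayes, network)
    scores = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:      # one value applies to every scoreset
            scores[parts[1]] = values[0]
        elif len(values) == 4:    # four values: one per scoreset
            scores[parts[1]] = values[idx]
    return scores

def parse_hits(header):
    """Parse NAME(score) pairs from an X-Spam-Tests style header."""
    return {name: float(val)
            for name, val in re.findall(r"([A-Z0-9_]+)\((-?[\d.]+)\)", header)}

def rescore(header, overrides):
    """Return (reported total, total with overrides applied to rules that hit)."""
    hits = parse_hits(header)
    before = round(sum(hits.values()), 3)
    hits.update({r: s for r, s in overrides.items() if r in hits})
    return before, round(sum(hits.values()), 3)

if __name__ == "__main__":
    for bayes, net in ((True, False), (True, True)):
        before, after = rescore(X_SPAM_TESTS, parse_scores(SCORE_LINES, bayes, net))
        print(f"scoreset {scoreset_index(bayes, net)}: {before} -> {after}",
              "(spam)" if after >= THRESHOLD else "(ham)")
```

alan's message hit RCVD_IN_BL_SPAMCOP_NET, a network test, so with Bayes enabled the fourth column is the one that would apply to it.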
Re: low scoring SPAM
> I've recently (about a month ago) installed a new mail server and upgraded to SA 3.01. I've been training the bayes database by hand (most of our mail is Japanese and the autolearning wasn't a good way to start the bayes learning)
>
> anyways, I'm not using any custom or 3rd party rules. I'm a little baffled why the following email scored so low. I'm also a little puzzled why the BAYES_99 has such a low score. I'm tempted to crank it up a bit, but concerned about how that will affect the system in general and also concerned about false positives.
>
> can anyone give me some insight?
>
> thanks
>
> alan
>
> P.S. in the past I've refrained from sending the "why didn't this mail score higher" types of messages to the list, but I've been seeing a pattern of hitting BAYES_99 and not many other rules.
>
> Original Message
>
> Return-Path: [EMAIL PROTECTED]
> Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23])
>     by mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906
>     for [EMAIL PROTECTED]; Sat, 4 Dec 2004 02:54:29 +0900
> Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP;
>     Fri, 3 Dec 2004 18:49:21 +0100
> Date: Fri, 3 Dec 2004 09:49:21 -0800
> Message-ID: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR, WINSTON lick.
> To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on mail.mydomain.tld
> X-Spam-Score: 3.339 / 5.000: 23.339%
> X-Spam-Tests: BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007)
> X-Spam-Level: ***

Hi,

as far as I recall, the 2.x series of spamassassin would also throw in some votes for the YELLING SUBJECT. These seem to have gone with 3.0.

Wolfgang Hamann
low scoring spam
Hi List.

I have been receiving some very low scoring spam messages lately. Any ideas on how to increase the scores a bit? Here are the results:

Start SpamAssassin results --
This mail is probably spam. The original message has been altered so you can recognise or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.

Content analysis details: (3.7 hits, 4.4 required)
 2.5 HEAD_LONG           Message headers are very long
-3.3 ALL_TRUSTED         Did not pass through any untrusted hosts
 2.1 HEAD_ILLEGAL_CHARS  Header contains too many raw illegal characters
 0.1 MISSING_HEADERS     Missing To: header
 0.0 BAYES_50            BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
 1.0 URIBL_SBL           Contains an URL listed in the SBL blocklist [URIs: patsmail.com]
 1.2 MISSING_SUBJECT     Missing Subject: header
End of SpamAssassin results ---

I have attached the message as well.

SPAM: 5.0: When she went into Kitty's little room, a pretty, pink little room, fu...

Regards, Tom

---BeginMessage---
lockout tie port hurling proclamations f Adobe PhojtoShop CS 8.0 Oinly for $40 - retiail pricje $650 alsehood readyi For examplje: shop - 299$ , us - 30$ . http://geocities.com/cardinal_wright_47/ ng mind infused smokable bridli Take just a ciandy and becomxe ready for 36 hourxs of love ng recommender st This is most moxdern and safe wiay not to cxover with sxhame Only 15 miinutes to wait FDA Axpproved. http://geocities.com/sinclair_cooper_33/
---End Message---
Re: low scoring spam
Well, first off I'd send a note to Geocities letting them know they are being used as a spam host. They may not appreciate that, and take appropriate action.

Second, I'd look to some of the SARE rules. The OEM rules *might* have added a point or two to this spam. However, it only mentions a single product reasonably by name, and that may be below the threshold. However, the obfuscation on the name might be enough to trigger a rule.

Third, you didn't show the received headers, but you obviously have a problem there. I would presume that the All Trusted rule should not have fired on the received path. So you probably have a misconfiguration somehow, and fixing that will add 3.3 points to this spam. It may also cause other rules to fire, as the received headers are a goldmine of stuff for detecting spam.

Loren