RE: mail slipping through

2009-08-20 Thread Gary Smith
> All BAYES_50? Silly question, but are you sure you're properly
> training?
> Running sa-learn as the right user, and all that?
> 

I must have been tired.  I thought I had run sa-learn --dump earlier, but I 
guess I didn't.  It looks like the new server has a very high ham rate and a 
low spam rate.  I'm thinking that maybe in our divine wisdom of script writing 
someone loaded a bunch of spams using the ham script.  That's the best I 
can figure.  I checked the scripts and they are indeed using the correct user 
id.  So, I will dump the database and retrain today.  That will probably fix it.

OLD SERVER

0.000          0          3          0  non-token data: bayes db version
0.000          0    1179630          0  non-token data: nspam
0.000          0     830497          0  non-token data: nham
0.000          0     128519          0  non-token data: ntokens
0.000          0 1250654065          0  non-token data: oldest atime
0.000          0 1250780279          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1250708192          0  non-token data: last expiry atime
0.000          0      54835          0  non-token data: last expire atime delta
0.000          0      34281          0  non-token data: last expire reduction count

NEW SERVER

0.000          0          3          0  non-token data: bayes db version
0.000          0       5490          0  non-token data: nspam
0.000          0      10678          0  non-token data: nham
0.000          0     141755          0  non-token data: ntokens
0.000          0 1240965283          0  non-token data: oldest atime
0.000          0 1250779298          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1250735397          0  non-token data: last expiry atime
0.000          0      86400          0  non-token data: last expire atime delta
0.000          0      56262          0  non-token data: last expire reduction count

> All but one have subsecond scan times. Did you score an old Cray or
> something? :) That might indicate a problem, not sure.
> 
> So you have any SMTP-time DNSBL checks in place on the public MTA?
> 
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   W-w-w-w-w-where did he learn to n-n-negotiate like that?
> ---
>   5 days until the 1930th anniversary of the destruction of Pompeii
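
The retraining decision above rests on reading the nspam/nham counters of the two dumps by eye. As an added example (not from the thread and not SpamAssassin's own code), the script below parses the "non-token data" rows of sa-learn --dump magic, applies the minimum-corpus check Bayes itself uses, and flags a ham:spam ratio that diverges from a reference database. The two sample dumps are constructed in the dump's column layout and carry the counters quoted above.

```python
import re

# One "non-token data" row of `sa-learn --dump magic`:
#   <prob> <spam_count> <ham_count> <atime>  non-token data: <name>
# For the magic rows the counter of interest sits in the third column.
MAGIC_RE = re.compile(
    r"^\s*[\d.]+\s+\d+\s+(?P<value>\d+)\s+\d+\s+non-token data: (?P<name>.+?)\s*$"
)

# Constructed sample input: the counters of the two servers from the thread,
# written in the layout sa-learn --dump magic produces.
OLD_SERVER = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0    1179630          0  non-token data: nspam
0.000          0     830497          0  non-token data: nham
0.000          0     128519          0  non-token data: ntokens
"""
NEW_SERVER = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0       5490          0  non-token data: nspam
0.000          0      10678          0  non-token data: nham
0.000          0     141755          0  non-token data: ntokens
"""


def parse_magic(text):
    """Map each 'non-token data' name to its integer counter."""
    magic = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            magic[m.group("name")] = int(m.group("value"))
    return magic


def bayes_health(magic, min_each=200):
    """Sanity checks to run before trusting BAYES_* scores from a database.

    SpamAssassin does not score with Bayes until bayes_min_spam_num and
    bayes_min_ham_num (200 each by default) have been learned; below that
    every message gets a neutral verdict by design.
    """
    nspam, nham = magic.get("nspam", 0), magic.get("nham", 0)
    problems = []
    if nspam < min_each or nham < min_each:
        problems.append("bayes inactive: fewer than %d spam or ham learned" % min_each)
    ratio = nham / nspam if nspam else float("inf")
    return {"nspam": nspam, "nham": nham, "ham_per_spam": round(ratio, 2),
            "problems": problems}


def corpus_skew(reference, candidate, factor=2.0):
    """True when the candidate's ham:spam ratio differs from the reference's
    by more than `factor` either way: the symptom that made the poster
    suspect spam had been fed through the ham training script."""
    ref = bayes_health(reference)["ham_per_spam"]
    cand = bayes_health(candidate)["ham_per_spam"]
    if not ref or not cand:
        return True
    return cand / ref > factor or ref / cand > factor


if __name__ == "__main__":
    old, new = parse_magic(OLD_SERVER), parse_magic(NEW_SERVER)
    print("old:", bayes_health(old))
    print("new:", bayes_health(new))
    print("corpus skewed relative to old server:", corpus_skew(old, new))
```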


RE: mail slipping through

2009-08-20 Thread Duane Hill

On Thu, 20 Aug 2009, Gary Smith wrote:

> > > Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=<509800d.5...@biblegame.info>,bayes=0.498828,autolearn=no
> >
> > All BAYES_50? Silly question, but are you sure you're properly
> > training?
> > Running sa-learn as the right user, and all that?
> >
> > All but one have subsecond scan times. Did you score an old Cray or
> > something? :) That might indicate a problem, not sure.
> >
> > So you have any SMTP-time DNSBL checks in place on the public MTA?
>
> I will look into the bayes issue.  It is possible that I'm not training as the proper 
> user.  Normally we always use the user "filter".  Everything else seems to be 
> working right.  Not sure why the scan time is sub second on those emails.  As for the 
> MTA, yes, we do use RBLs (listed below)
>
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client bl.spamcop.net,
>   reject_rbl_client cbl.abuseat.org,

Remove cbl.abuseat.org. It is duplicated within zen.spamhaus.org.

>   reject_rbl_client rhsbl.ahbl.org,
>   reject_rbl_client dnsbl-1.uceprotect.net,
>
> Scan time on the ones below, that were marked as spam, still had very low scan 
> times.
>
> Aug 18 04:25:47 hsoakmsa03l02 spamd[21306]: spamd: result: Y 10 - BAYES_95,DATE_IN_PAST_03_06,URIBL_BLACK,URIBL_JP_SURBL scantime=0.2,size=3331,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=39455,mid=,bayes=0.971262,autolearn=no
>
> Aug 18 04:29:34 hsoakmsa03l02 spamd[21306]: spamd: result: Y 29 - BAYES_99,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MPART_ALT_DIFF_COUNT,SUBJECT_NEEDS_ENCODING,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RED,URIBL_WS_SURBL scantime=0.4,size=3376,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=41968,mid=<0.0.18.6fd.1ca1fdc484bc7b4.13a...@mail.provisionmoo.com>,bayes=1.00,autolearn=spam
>
> Anyway, I will look into the bayes as to why these are being seen as bayes_50 
> and also look into the bayes training scripts.
>
> One quick question.  On our old SA boxes I believe we had several SARE rules in 
> place.  This box doesn't.  It's been a while since I've kept up with the 
> recommended rules for general SA machines.  Is it recommended to put SARE rules 
> in place anymore?
>
> Gary



RE: mail slipping through

2009-08-20 Thread Gary Smith
> > Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=<509800d.5...@biblegame.info>,bayes=0.498828,autolearn=no
> 
> All BAYES_50? Silly question, but are you sure you're properly
> training?
> Running sa-learn as the right user, and all that?
> 
> All but one have subsecond scan times. Did you score an old Cray or
> something? :) That might indicate a problem, not sure.
> 
> So you have any SMTP-time DNSBL checks in place on the public MTA?


I will look into the bayes issue.  It is possible that I'm not training as the 
proper user.  Normally we always use the user "filter".  Everything else seems 
to be working right.  Not sure why the scan time is sub second on those emails. 
As for the MTA, yes, we do use RBLs (listed below)

   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client rhsbl.ahbl.org,
   reject_rbl_client dnsbl-1.uceprotect.net,

Scan time on the ones below, that were marked as spam, still had very low scan 
times.  

Aug 18 04:25:47 hsoakmsa03l02 spamd[21306]: spamd: result: Y 10 - BAYES_95,DATE_IN_PAST_03_06,URIBL_BLACK,URIBL_JP_SURBL scantime=0.2,size=3331,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=39455,mid=,bayes=0.971262,autolearn=no

Aug 18 04:29:34 hsoakmsa03l02 spamd[21306]: spamd: result: Y 29 - BAYES_99,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MPART_ALT_DIFF_COUNT,SUBJECT_NEEDS_ENCODING,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RED,URIBL_WS_SURBL scantime=0.4,size=3376,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=41968,mid=<0.0.18.6fd.1ca1fdc484bc7b4.13a...@mail.provisionmoo.com>,bayes=1.00,autolearn=spam


Anyway, I will look into the bayes as to why these are being seen as bayes_50 
and also look into the bayes training scripts.

One quick question.  On our old SA boxes I believe we had several SARE rules in 
place.  This box doesn't.  It's been a while since I've kept up with the 
recommended rules for general SA machines.  Is it recommended to put SARE rules 
in place anymore?

Gary


RE: mail slipping through

2009-08-20 Thread John Hardin

On Wed, 19 Aug 2009, Gary Smith wrote:

> Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=<503bb52.5...@biblegame.info>,bayes=0.499430,autolearn=no
>
> Here are some more from the same set/type of senders.
>
> Aug 19 14:39:46 hsoakmsa03l02 spamd[28319]: spamd: result: Y 2 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_RHS_DOB scantime=0.2,size=4584,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=37185,mid=<1359ae2.5...@parishstore.info>,bayes=0.490932,autolearn=no
>
> Aug 19 14:45:18 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33643,mid=<509800d.5...@biblegame.info>,bayes=0.498825,autolearn=no
>
> Aug 19 14:46:52 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4511,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33664,mid=<2b19fe.5...@apostlesblog.info>,bayes=0.499484,autolearn=no
>
> Aug 19 14:48:58 hsoakmsa03l02 spamd[29369]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=4.0,size=4610,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54478,mid=<1359ae2.5...@parishstore.info>,bayes=0.490647,autolearn=no
>
> Aug 19 14:50:54 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4554,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54515,mid=<5b96444.5...@parishstore.info>,bayes=0.446187,autolearn=no
>
> Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=<503bb52.5...@biblegame.info>,bayes=0.499430,autolearn=no
>
> Aug 19 14:53:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=5905,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58363,mid=<503bb52.5...@biblegame.info>,bayes=0.496882,autolearn=no
>
> Aug 19 14:53:43 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4579,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58369,mid=<5b96444.5...@parishstore.info>,bayes=0.446202,autolearn=no
>
> Aug 19 14:55:38 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4508,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58422,mid=<2b19fe.5...@biblegame.info>,bayes=0.499487,autolearn=no
>
> Aug 19 14:56:17 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4545,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58442,mid=<1a25f92.5...@biblegame.info>,bayes=0.498743,autolearn=no
>
> Aug 19 14:58:42 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4594,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=52316,mid=<1a25f92.5...@parishstore.info>,bayes=0.487605,autolearn=no
>
> Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=<509800d.5...@biblegame.info>,bayes=0.498828,autolearn=no

All BAYES_50? Silly question, but are you sure you're properly training? 
Running sa-learn as the right user, and all that?

All but one have subsecond scan times. Did you score an old Cray or 
something? :) That might indicate a problem, not sure.

So you have any SMTP-time DNSBL checks in place on the public MTA?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  W-w-w-w-w-where did he learn to n-n-negotiate like that?
---

RE: mail slipping through

2009-08-19 Thread Gary Smith
> 
> Ah. Okay. You might also be able to look up the Message-ID in
> /var/log/maillog, if you're using spamd.
> 

Didn't think of that.  Here is the corresponding spam result for the pastebin 
entry (http://pastebin.com/m51fd9344)

<503bb52.5...@biblegame.info>

Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: processing message <503bb52.5...@biblegame.info> for filter:124
Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=<503bb52.5...@biblegame.info>,bayes=0.499430,autolearn=no

+----------------+
| spam_threshold |
+----------------+
|              7 |
+----------------+

Here are some more from the same set/type of senders.

Aug 19 14:39:46 hsoakmsa03l02 spamd[28319]: spamd: result: Y 2 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_RHS_DOB scantime=0.2,size=4584,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=37185,mid=<1359ae2.5...@parishstore.info>,bayes=0.490932,autolearn=no

Aug 19 14:45:18 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33643,mid=<509800d.5...@biblegame.info>,bayes=0.498825,autolearn=no

Aug 19 14:46:52 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4511,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33664,mid=<2b19fe.5...@apostlesblog.info>,bayes=0.499484,autolearn=no

Aug 19 14:48:58 hsoakmsa03l02 spamd[29369]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=4.0,size=4610,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54478,mid=<1359ae2.5...@parishstore.info>,bayes=0.490647,autolearn=no

Aug 19 14:50:54 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4554,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54515,mid=<5b96444.5...@parishstore.info>,bayes=0.446187,autolearn=no

Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=<503bb52.5...@biblegame.info>,bayes=0.499430,autolearn=no

Aug 19 14:53:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=5905,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58363,mid=<503bb52.5...@biblegame.info>,bayes=0.496882,autolearn=no

Aug 19 14:53:43 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4579,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58369,mid=<5b96444.5...@parishstore.info>,bayes=0.446202,autolearn=no

Aug 19 14:55:38 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4508,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58422,mid=<2b19fe.5...@biblegame.info>,bayes=0.499487,autolearn=no

Aug 19 14:56:17 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4545,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58442,mid=<1a25f92.5...@biblegame.info>,bayes=0.498743,autolearn=no

Aug 19 14:58:42 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4594,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=52316,mid=<1a25f92.5...@parishstore.info>,bayes=0.487605,autolearn=no

Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=<509800d.5...@biblegame.info>,bayes=0.498828,autolearn=no


This server's average scores (not too many domains going through this one right 
now).
  Count  Score
      3     -1
    267    -10
     47    -11
     26    -12
     22    -13
     53    -14
      7    -15
      9    -16
      8    -17
      6    -18
     10    -19
      2     -2
      4    -20
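
The log lines and the spam_threshold of 7 above together describe the failure mode: with required_score=0.0 spamd flags almost everything "Y", so whether a message reaches the user is decided later by the per-user threshold, and a message scoring 4 or 5 with a BAYES_50 verdict is handed over unmarked. The following is an added example, not from the thread or from SpamAssassin: it parses spamd "result:" lines and reports which messages a given threshold would let through, which BAYES_* verdict each carried, and which scans were sub-second. The log sample, host name, addresses and Message-IDs are constructed.

```python
import re
from collections import Counter

# spamd's per-message log line, as quoted in the thread:
#   spamd: result: <Y|.> <score> - <RULE,RULE,...> key=value,key=value,...
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - (?P<rules>\S+) (?P<kv>.*)$"
)

# Constructed sample log in the same format and rule mix as the thread's
# lines; host, addresses and Message-IDs are made up.  required_score=0.0
# means spamd itself flags nearly everything and a delivery script applies
# the per-user threshold afterwards.
SAMPLE_LOG = """\
Aug 19 14:45:18 mx01 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.0.0.9,raddr=10.0.0.9,rport=33643,mid=<c1@example.invalid>,bayes=0.498825,autolearn=no
Aug 19 14:48:58 mx01 spamd[29369]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=4.0,size=4610,user=filter,uid=124,required_score=0.0,rhost=10.0.0.9,raddr=10.0.0.9,rport=54478,mid=<c2@example.invalid>,bayes=0.490647,autolearn=no
Aug 18 04:25:47 mx01 spamd[21306]: spamd: result: Y 10 - BAYES_95,DATE_IN_PAST_03_06,URIBL_BLACK,URIBL_JP_SURBL scantime=0.2,size=3331,user=filter,uid=124,required_score=0.0,rhost=10.0.0.9,raddr=10.0.0.9,rport=39455,mid=,bayes=0.971262,autolearn=no
Aug 18 04:29:34 mx01 spamd[21306]: spamd: result: Y 29 - BAYES_99,HTML_IMAGE_ONLY_08,URIBL_BLACK,URIBL_JP_SURBL scantime=0.4,size=3376,user=filter,uid=124,required_score=0.0,rhost=10.0.0.9,raddr=10.0.0.9,rport=41968,mid=<c3@example.invalid>,bayes=1.00,autolearn=spam
Aug 18 04:29:35 mx01 spamd[21306]: spamd: processing message <c3@example.invalid> for filter:124
"""


def parse_result(line):
    """Dict for one 'spamd: result:' line; None for any other spamd line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    rec = {"flag": m.group("flag"), "score": float(m.group("score")),
           "rules": m.group("rules").split(",")}
    for field in m.group("kv").split(","):
        key, _, value = field.partition("=")
        if key:
            rec[key] = value          # mid may be empty, as in the thread
    rec["scantime"] = float(rec.get("scantime", "nan"))
    rec["bayes"] = float(rec.get("bayes", "nan"))
    return rec


def load(text):
    """Parse every result line of a spamd log excerpt."""
    return [r for r in map(parse_result, text.splitlines()) if r]


def slipped_through(records, user_threshold):
    """Flagged by spamd, yet below the user's own threshold, so the delivery
    script hands over the original message: the mail 'slipping through'."""
    return [r for r in records if r["flag"] == "Y" and r["score"] < user_threshold]


def bayes_verdicts(records):
    """Which BAYES_* rule fired per message.  A run of BAYES_50 on messages
    that still hit URIBL lists points at an untrained or mis-trained database."""
    verdicts = Counter()
    for r in records:
        hits = [x for x in r["rules"] if x.startswith("BAYES_")]
        verdicts[hits[0] if hits else "none"] += 1
    return verdicts


def suspiciously_fast(records, limit=1.0):
    """Scans finishing in under `limit` seconds, the pattern the thread
    flags as possibly indicating a problem."""
    return [r for r in records if r["scantime"] < limit]


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print("slipped with threshold 7:", [r["mid"] for r in slipped_through(recs, 7)])
    print("bayes verdicts:", dict(bayes_verdicts(recs)))
    print("sub-second scans:", len(suspiciously_fast(recs)))
```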
 

RE: mail slipping through

2009-08-19 Thread John Hardin

On Wed, 19 Aug 2009, Gary Smith wrote:

> > > That was in the comment right after the pastebin attachment.  I will
> > > enable debugging on the SA server so I can save it there tonight and see
> > > what it says.
> >
> > Huh? You've lost me.
>
> Sorry for the confusion.  I had meant that there are no SA headers 
> because the script that processes the message will only return the 
> marked up email message (from SA) if it's higher than the user's 
> threshold.  By default, the score threshold in our system is 0.0, which 
> marks most things as spam, but we have a lookup where each user sets 
> their own score, and if it's higher than the score, they get the marked 
> up email.
>
> So in order for me to show the marked up headers I need to turn the 
> logging up on the SA servers, wait for the message to come in, and then 
> get the details from the log.

Ah. Okay. You might also be able to look up the Message-ID in 
/var/log/maillog, if you're using spamd.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  W-w-w-w-w-where did he learn to n-n-negotiate like that?
---
 5 days until the 1930th anniversary of the destruction of Pompeii


RE: mail slipping through

2009-08-19 Thread Gary Smith
> > That was in the comment right after the pastebin attachment.  I will
> > enable debugging on the SA server so I can save it there tonight and see
> > what it says.
> 
> Huh? You've lost me.
> 
> And I meant to say "disclaimer text", the "Any such information we
> gather
> shall never be shared with" blah blah. Multitasking error, sorry. :)
> 

Sorry for the confusion.  I had meant that there are no SA headers because the 
script that processes the message will only return the marked up email message 
(from SA) if it's higher than the user's threshold.  By default, the score 
threshold in our system is 0.0, which marks most things as spam, but we have a 
lookup where each user sets their own score, and if it's higher than the score, 
they get the marked up email.

So in order for me to show the marked up headers I need to turn the logging up 
on the SA servers, wait for the message to come in, and then get the details 
from the log.


RE: mail slipping through

2009-08-19 Thread John Hardin

On Wed, 19 Aug 2009, Gary Smith wrote:

> > I'd think that disclaimer code would be good bayes fodder, if the spams 
> > are as consistent as you say.
>
> That was in the comment right after the pastebin attachment.  I will 
> enable debugging on the SA server so I can save it there tonight and see 
> what it says.

Huh? You've lost me.

And I meant to say "disclaimer text", the "Any such information we gather 
shall never be shared with" blah blah. Multitasking error, sorry. :)


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: "If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault."
---
 5 days until the 1930th anniversary of the destruction of Pompeii


RE: mail slipping through

2009-08-19 Thread Gary Smith
> 
> I'd think that disclaimer code would be good bayes fodder, if the spams
> are as consistent as you say.

That was in the comment right after the pastebin attachment.  I will enable 
debugging on the SA server so I can save it there tonight and see what it says.



RE: mail slipping through

2009-08-19 Thread John Hardin

On Wed, 19 Aug 2009, Gary Smith wrote:

> Anyway,
> Header: http://pastebin.com/m51fd9344

I don't see any SA markup. What rules hit?

> body: http://pastebin.com/m7fe4c798

I'd think that disclaimer code would be good bayes fodder, if the spams 
are as consistent as you say.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 What nuts do with guns is terrible, certainly. But what evil or crazy
 people do with *anything* is not a valid argument for banning that
 item.                                          -- John C. Randolph
---
 5 days until the 1930th anniversary of the destruction of Pompeii


RE: mail slipping through

2009-08-19 Thread Gary Smith
> Is it pretty much the same body, just different senders?

Yes and no.  They are all the same body layout, some with different items in 
it.  You can take a look at the body content here (screen captures of the 
content):

http://www.localassociates.com/?page_id=7

Wares range from auto warranties to shoes.

Anyway, 
Header: http://pastebin.com/m51fd9344
body: http://pastebin.com/m7fe4c798

Please note, I use a perl script for doing the SA check.  If the score is lower 
than a specific user threshold then the original email is attached.  In the 
cases of all of these emails, they are to my personal account (or our testing 
accounts).  So, no headers doesn't equal bad.  Each message is indeed checked.  
I'm going to turn on debugging on one of the SA servers and see what the logs 
report for these actual requests (which will have to wait for 4 hours or so -- 
when most of the clients aren't using email).

> 
> If it's just the senders you could easily blacklist the domains, none
> of these domains look all that legit.

I was thinking that would be the easy way to fix these couple domains, but I'm 
sure they have more bogus ones as well.

> Can you copy a message or two (with full headers) to pastebin so we
> can have a look?
> 
> --Dennis


Re: mail slipping through

2009-08-19 Thread Dennis B. Hopp

Quoting Gary Smith :

> I've been having a pretty good hit rate on spam until recently (about two 
> weeks).  Two types of email have been coming through at a good rate.  I'm 
> receiving at least four per hour from the domains included below.  I've also 
> been training bayes with them as well, to no avail.

Is it pretty much the same body, just different senders?

> *...@chocolatebearbear .INFO
> *...@biblegame .info
> *...@clickbetterthere .info

If it's just the senders you could easily blacklist the domains, none 
of these domains look all that legit.

Can you copy a message or two (with full headers) to pastebin so we 
can have a look?

--Dennis


mail slipping through

2009-08-19 Thread Gary Smith
I've been having a pretty good hit rate on spam until recently (about two 
weeks).  Two types of email have been coming through at a good rate.  I'm 
receiving at least four per hour from the domains included below.  I've also 
been training bayes with them as well, to no avail.

*...@chocolatebearbear .INFO
*...@biblegame .info
*...@clickbetterthere .info

To make matters worse, they seem to be using a normal SMTP process of some type, 
as they are getting through sqlgrey without any problem.  I blew away all the 
entries from sqlgrey for awl and the connection log, yet they came right back.

+-------------+-------------------+---------------+---------------------+---------------------+
| sender_name | sender_domain     | src           | first_seen          | last_seen           |
+-------------+-------------------+---------------+---------------------+---------------------+
| evcoieytabo | apostlesblog.info | 208.110.94    | 2009-08-19 14:22:51 | 2009-08-19 14:35:15 |
| edfluzvpbio | apostlesblog.info | 208.110.94.34 | 2009-08-19 14:26:23 | 2009-08-19 14:46:51 |
| flnkaxscfue | parishstore.info  | 76.73.123     | 2009-08-19 14:27:34 | 2009-08-19 14:39:46 |
| qmfeypysuno | parishstore.info  | 76.73.123     | 2009-08-19 14:36:40 | 2009-08-19 14:48:53 |
| xomdaygtyqi | parishstore.info  | 76.73.2       | 2009-08-19 14:45:04 | 2009-08-19 14:58:41 |
| hnmuelcljhu | biblegame.info    | 76.73.85      | 2009-08-19 14:33:29 | 2009-08-19 14:45:18 |
| cfkgytorpxe | biblegame.info    | 76.73.85.250  | 2009-08-19 14:41:28 | 2009-08-19 14:56:16 |
| obzfyowgbse | biblegame.info    | 76.73.85.250  | 2009-08-19 14:40:57 | 2009-08-19 14:55:38 |
...
+-------------+-------------------+---------------+---------------------+---------------------+

Anyway, I'm using sorbs and spamhaus in postfix, but these guys aren't listed 
on either of the two.  I know some time ago SA had a list of fresh top X 
daily/weekly spammers.  Does that still exist?  Anyone have any recommended 
action to take on this?

My SA config is pretty basic and is hitting lots of other spams, just not these 
guys.