On Wed, 2009-06-17 at 11:18 -0700, omehegan wrote:
Lately a lot of 419 and investment spams
have been getting through with very low SA scores. Can anyone take a look at
these and see if there's another ruleset I should use to trap them?
One thing I've been fiddling with for a while is a
Owen B. Mehegan wrote:
Lately a lot of 419 and investment spams have been getting through
with very low SA scores. Can anyone take a look at these and see
if there's another ruleset I should use to trap them?
Owen, particularly with 419/scam spams, it's VERY helpful if you
tell us more about your
On Fri, June 19, 2009 07:59, Chip M. wrote:
Always VERY good advice, particularly given the age difference. :)
it should be noted that sa-update does not just fetch all new rules in
newer sa versions, but it can be backported to have most rules if one wants
to make the work with it
--
xpoint
On Fri, 19 Jun 2009, Chip M. wrote:
3. use a country of origin/route plugin
#3 is somewhat controversial, and if implemented must be done
VERY carefully.
I've been looking into country-based IP blocking and it seems to boil down
to two choices:
1) A Spamassassin Plugin named 'relaycountry',
://www.nabble.com/Lots-of-419-scam-and-investment-spams-getting-through-suddenly-tp24079208p24118534.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
At 22:59 18-06-2009, Chip M. wrote:
Here's a dump of the complete Countries routes of your samples
(frequency first, then square brackets around the IP immediately
outside your own network):
2 [France], Nigeria
Do you really get such emails from Nigeria? :-)
Regards,
-sm
On Fri, 2009-06-19 at 15:12 -0700, SM wrote:
At 22:59 18-06-2009, Chip M. wrote:
Here's a dump of the complete Countries routes of your samples
(frequency first, then square brackets around the IP immediately
outside your own network):
2 [France], Nigeria
Do you really get such emails
At 15:36 19-06-2009, McDonald, Dan wrote:
Of course. Don't you? Although usually the Nigerians relay through
Italy, and sometimes Hong Kong.
I don't see any email of that type originating from Nigeria in terms
of SMTP. Most of these emails originate from other
countries. Blocking Italy
On Fri, 19 Jun 2009 16:30:29 -0700
SM s...@resistor.net wrote:
At 15:36 19-06-2009, McDonald, Dan wrote:
Of course. Don't you? Although usually the Nigerians relay through
Italy, and sometimes Hong Kong.
I don't see any email of that type originating from Nigeria in terms
of SMTP. Most
On 19 Jun 2009 05:59:50 -
Chip M. sa_c...@iowahoneypot.com wrote:
I would NEVER block the Netherlands (it _IS_ one of the Geekiest
nations on the planet!), however it does have many freemailers who
are often compromised, so when it occurs in COMBINATION with an
unlikely nation like
On Sat, June 20, 2009 03:27, RW wrote:
It would be nice to automate this and keep track of real statistics, so
spammy routes could be auto-discovered.
AWL plugin already does this per /16
can be changed to track /24 /32 if one wants a bigger database :)
--
xpoint
At 17:26 19-06-2009, RW wrote:
The last hop into the internal network is rarely from Nigeria, but I
find it turns up in X-Spam-Relay-Countries in about 9% of my own spam.
Can you send me a sample of the email headers off-list?
Regards,
-sm
Hi,
My results below...
omehegan wrote:
SNIP
Here are two more of a type that have been getting through CONSTANTLY.
They're always almost exactly the same, and I keep training them into my
bayes DB but it's not hitting on them :(
http://www.nerdnetworks.org/spam/spam7
Content
On Wed, 17 Jun 2009, omehegan wrote:
Please trim irrelevant content when you reply, thanks.
I have site-wide bayes, and yeah its rules are owned by the same user
that SA is running as.
That's not what I asked - are you _training_ as that user? That's often
the problem when bayes isn't
://www.nerdnetworks.org/spam/spam6
On Wed, 17 Jun 2009, omehegan wrote:
Lately a lot of 419 and investment spams have been getting through with
very low SA scores.
http://www.nerdnetworks.org/spam/spam1
http://www.nerdnetworks.org/spam/spam2
http://www.nerdnetworks.org/spam/spam3
http://www.nerdnetworks.org/spam/spam4
the SARE fraud
ruleset, and verified that it's getting loaded, but it doesn't hit on any of
these sample messages.
but it's not hitting on them :(
http://www.nerdnetworks.org/spam/spam7
http://www.nerdnetworks.org/spam/spam8
On Wed, 17 Jun 2009, omehegan wrote:
http://www.nerdnetworks.org/spam/spam1
http://www.nerdnetworks.org/spam/spam2
http://www.nerdnetworks.org/spam/spam3
http://www.nerdnetworks.org/spam/spam4
http://www.nerdnetworks.org/spam/spam5
http://www.nerdnetworks.org/spam/spam6
Here are two more of a
autolearned as ham.
I could upgrade SA, I didn't think that would help because I do run
sa-update every night at midnight.