On 20.05.2016 at 10:32, Reindl Harald wrote:
On 20.05.2016 at 08:31, Emin Akbulut wrote:
I tried to train SA with tons of spam messages which contain a zip file
(includes .js)
The max spam score was less than 5 so I did set 4 to delete messages.

Then the same kind of spam messages appear with a score of less than 2.

In short, training the SA seems not helpful.

What do you suggest to fight these spams?


Raw message:

http://pastebin.com/gPREh54L

just get a proper clamav setup

the real good question is why the hell that message does not get bayes
classified at all here when piping your download through spamc/spamd while
other messages are

also a good question is why your headers don't contain a single DNSBL and
if that happens all the time - without blacklists you have no good
chances for proper reject (for the trolls - YES a FULL SETUP rejects)
many junk

well, and another good question is why a mail listed on so many blacklists makes it to your content filter at all

get a proper MTA setup (containing a local dns-resolver doing recursion and NOT forwarding) and your inbound MX runs with zero load most of the time, facing a spam attack the last two days on a domain that previously had 10000 valid rcpt triggering 150 rejects per minute and many more not passing the 12 seconds pregreet-phase, 100 MHz load on the VM running postfix/spamassassin/clamav just because nothing of this crap makes it to a smtpd process

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*7
 dnsbl.inps.de=127.0.0.2*7
 dnsbl.sorbs.net=127.0.0.7*4
 hostkarma.junkemailfilter.com=127.0.0.2*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 ix.dnsbl.manitu.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 bl.spamcannibal.org=127.0.0.2*3
 zen.spamhaus.org=127.0.0.2*3
 score.senderscore.com=127.0.4.[0..20]*3
 dnsbl.sorbs.net=127.0.0.6*3
 dnsbl.sorbs.net=127.0.0.8*2
 hostkarma.junkemailfilter.com=127.0.0.4*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-1.uceprotect.net=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 bl.nszones.com=127.0.0.[2;3]*1
 dnsbl-2.uceprotect.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.4*1
 score.senderscore.com=127.0.4.[0..69]*1
 dnsbl.sorbs.net=127.0.0.3*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 dnsbl.sorbs.net=127.0.0.15*1
 ips.backscatterer.org=127.0.0.2*1
 bl.nszones.com=127.0.0.5*-1
 score.senderscore.com=127.0.4.[90..100]*-1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 ips.whitelisted.org=127.0.0.2*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5

X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE
	autolearn=no autolearn_force=no version=3.4.1
_________________________________

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.005 sec (0 m 0 s)
Content analysis details:   (37.6 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 CUST_DNSBL_10_SORBS_WEB RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net)
                            [213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS RBL: dnsbl.sorbs.net
                            (virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER RBL: dnsbl-backscatterer.thelounge.net
                            (ips.backscatterer.org)
                            [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK RBL: hostkarma.junkemailfilter.com
                            [213.252.170.66 listed in hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1     RBL: dnsbl-uce.thelounge.net
                            (dnsbl-1.uceprotect.net)
                            [213.252.170.66 listed in dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL     RBL: dnsbl-surriel.thelounge.net
                            (psbl.surriel.com)
                            [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP  RBL: bl.spamcop.net
                            [213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                            [213.252.170.66 listed in bl.mailspike.net]
 5.5 CUST_DNSBL_6_ZEN_XBL   RBL: zen.spamhaus.org (xbl.spamhaus.org)
                            [213.252.170.66 listed in zen.spamhaus.org]
 1.5 CUST_DNSBL_19_SENDERSC_HIGH RBL: score.senderscore.com
                            (senderscore.com High)
                            [213.252.170.66 listed in score.senderscore.com]
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com
                            (senderscore.com Medium)
 5.0 CUST_DNSBL_7_CUDA      RBL: b.barracudacentral.org
                            [213.252.170.66 listed in b.barracudacentral.org]
 2.5 CUST_DNSBL_13_SEM      RBL: bl.spameatingmonkey.net
                            [213.252.170.66 listed in bl.spameatingmonkey.net]
 2.5 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
 0.5 HELO_MISC_IP           Looking for more Dynamic IP Relays

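Added example, not part of the original mail and not Postfix code: a small Python model of how weighted postscreen_dnsbl_sites entries like the ones above add up to a per-client score, with each matching entry counted once. The DNSBL replies and the threshold value are constructed for illustration; postscreen compares the combined score against postscreen_dnsbl_threshold.

```python
import ipaddress
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the mail above.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.3*7
bl.spamcop.net=127.0.0.2*4
score.senderscore.com=127.0.4.[90..100]*-1
list.dnswl.org=127.0.[0..255].3*-5
""".split()

ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")

def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, octet patterns or None, weight)."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    octets = re.findall(r"\[[^\]]+\]|\d+", m[2]) if m[2] else None
    if octets is not None and len(octets) != 4:
        raise ValueError(f"bad filter: {entry!r}")
    return m[1], octets, int(m[3] or 1)

def octet_matches(pattern, value):
    """Match one reply octet against 'N' or a '[a;b;c..d]' list of numbers/ranges."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def dnsbl_score(sites, replies):
    """replies maps DNSBL domain -> A records returned for one client (missing = not listed)."""
    total = 0
    for entry in sites:
        domain, octets, weight = parse_entry(entry)
        for addr in replies.get(domain, []):
            got = ipaddress.IPv4Address(addr).packed
            if octets is None or all(octet_matches(p, v) for p, v in zip(octets, got)):
                total += weight  # each entry counts at most once
                break
    return total

# Constructed replies and an assumed postscreen_dnsbl_threshold; neither is from the mail.
THRESHOLD = 8
LISTED = {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"], "b.barracudacentral.org": ["127.0.0.2"]}
MIXED = {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.3"]}
```

With these constructed replies the first client scores 22 and would be rejected under postscreen_dnsbl_action = enforce, while the second nets -1 because the whitelist weight outweighs the single blacklist hit.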