Posted to users@spamassassin.apache.org by cpayne <cp...@magigames.net> on 2007/10/18 04:08:53 UTC

How to block the bat!

Guys,

I am getting a lot of mail which I know is from a mail program used by 
spammers, called The Bat.

I would like to know how I can write a rule to give, let's say, two or three 
points for this in the header.

X-Mailer: The Bat! (v2.00.6) Educational

Thanks for any help you can give me. 

Payne



Re: How to block the bat!

Posted by Michelle Konzack <li...@freenet.de>.
On 2007-10-17 22:08:53, cpayne wrote:
> Guys,
> 
> I am getting a lot of mail which I know is from a mail program used by 
> spammers, called The Bat.
> 
> I would like to know how I can write a rule to give, let's say, two or three 
> points for this in the header.
> 
> X-Mailer: The Bat! (v2.00.6) Educational
> 
> Thanks for any help you can give me. 

I have the same problem...  (Bat and Outlook) and I use procmail and a
small script to get rid of forged "User-Agents"

I do:

Filter all incoming Bat/Outlook messages into a "possible_spam" folder
and store the From/To/Cc in a flat database.  If the From: appears a
second time, move both messages into a folder for "manual_approval".
If the sender is OK, whitelist it and the messages will bypass the
"possible_spam" folder.

(I am on the Debian BTS and there I get per day over 1000 Outlook spams)

Thanks, Greetings and nice Day
    Michelle Konzack
    Tamay Dogan Network


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Re: How to block the bat!

Posted by Matthias Haegele <mh...@linuxrocks.dyndns.org>.
Robert Braver wrote:
> Hello Payne,
> 
> On Wednesday, October 17, 2007, 9:43:25 PM, you wrote:
> 
> c> spam I am using is coming from the mail program.
> 
> c> http://www.ritlabs.com/en/products/thebat/
> 
> Just to be clear, I doubt highly that the spam you are seeing is
> coming from an actual copy of The Bat.
> 
> SpamAssassin will tag and score messages that claim to be from the
> Bat that it can tell aren't really (just as it does for obviously
> false Outlook X-Mailer headers).  The only problem is that this rule
> falsely fires sometimes on messages that have been relayed through a
> mailing list.

Exactly. Is there a known workaround for this (false hits with 
Bat messages sent through a mailing list)?
What would you suggest?

I am having this "problem" regarding a German mailing list:
(The AWL score seems to be too quick and dirty ...)

> X-Spam-Status: No, score=2.763 required=3.5 tests=[AWL=0.521, BAYES_00=-2.599,
> 	FORGED_MUA_THEBAT_CS=2.2, REPTO_OVERQUOTE_THEBAT=2.641]
> X-Mailer: The Bat! (v3.99.24) Professional

The user is known to me and he is using The Bat.

btw:
It seems to be the same with "Microsoft Internet Mail Service".



-- 
Grüsse/Greetings
MH


Don't send mail to: ubecatcher@linuxrocks.dyndns.org
--


Re[2]: How to block the bat!

Posted by Robert Braver <rb...@ohww.norman.ok.us>.
Hello Payne,

On Wednesday, October 17, 2007, 9:43:25 PM, you wrote:

c> spam I am using is coming from the mail program.

c> http://www.ritlabs.com/en/products/thebat/

Just to be clear, I doubt highly that the spam you are seeing is
coming from an actual copy of The Bat.

SpamAssassin will tag and score messages that claim to be from the
Bat that it can tell aren't really (just as it does for obviously
false Outlook X-Mailer headers).  The only problem is that this rule
falsely fires sometimes on messages that have been relayed through a
mailing list.


-- 
Best regards,
 Robert Braver
 rbraver@ohww.norman.ok.us


Re: How to block the bat!

Posted by Loren Wilton <lw...@earthlink.net>.
> But no spammer is going to be foolish enough to put:
>
> User-Agent: Storm Worm Botnet v 3.12.0

Well, that sort of thing did happen in the early days of spamming, when the 
spam tool used would advertise itself.  I never figured out who the intended 
audience was.  I suppose the assumption was that the recipients would be so 
impressed with the quality of the spam delivery that they would want to buy 
a copy and make their own spams.

>
> But we can all dream... :)

Yup.  :-)

        Loren



Re: How to block the bat!

Posted by Jeff Chan <je...@surbl.org>.
Quoting Matt Kettler <mk...@verizon.net>:

> cpayne wrote:
> > Robert Braver wrote:
> >> Hello Payne,
> >>
> >> On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:
> >>
> >> c> I am getting a lot of mail which I know is from a mail program used by
> >> c> spammers,  called The Bat.
> >>
> >>
> > Yea, I did a search. And found you are right, shame that most of the
> > spam I am using is coming from the mail program.
>
> Correction. The spam *claims* to be coming from The Bat!.
>
> With near perfect certainty, I can tell you the spam was not generated
> by The Bat, Outlook, or whatever other program might appear in the
> User-Agent or X-Mailer header. It is no more believable than the From:
> header, and it is forged just as often (i.e. nearly always). It is
> generally advisable for spammers to fake this header to look like a real
> mail client, as best they can, because it makes spam detection harder.
> So they do.
>
> In reality nearly all spam is generated by custom software that runs in
> the background on infected PCs in botnets.

Matt is right.  Please don't block all mail from The Bat.  The Bat is one of the
best Windows mail clients available.  It is better than any open source Linux
graphical mail client I could find.  The Bat has extensive sorting and
filtering by folder using PCRE perl regular expressions.

Just because some spamware claims to be The Bat does not mean it is.

Jeff C.

Re: How to block the bat!

Posted by Matt Kettler <mk...@verizon.net>.
cpayne wrote:
> Robert Braver wrote:
>> Hello Payne,
>>
>> On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:
>>
>> c> I am getting a lot of mail which I know is from a mail program used by
>> c> spammers,  called The Bat.
>>
>>  
> Yea, I did a search. And found you are right, shame that most of the
> spam I am using is coming from the mail program.

Correction. The spam *claims* to be coming from The Bat!.

With near perfect certainty, I can tell you the spam was not generated
by The Bat, Outlook, or whatever other program might appear in the
User-Agent or X-Mailer header. It is no more believable than the From:
header, and it is forged just as often (i.e. nearly always). It is
generally advisable for spammers to fake this header to look like a real
mail client, as best they can, because it makes spam detection harder.
So they do.

In reality nearly all spam is generated by custom software that runs in
the background on infected PCs in botnets.

Think about it: the mail viruses that infected the PC in the first place
can generate emails to spread themselves. Spamming activity is simply
good reuse of the same code.

So, your spam was probably generated by a fragment of code from the
Storm worm, MyDoom, Bagle, etc., possibly glued together with some other
code for the differing payload needs.

But no spammer is going to be foolish enough to put:

User-Agent: Storm Worm Botnet v 3.12.0

But we can all dream... :)




Re: How to block the bat!

Posted by cpayne <cp...@magigames.net>.
Robert Braver wrote:
> Hello Payne,
>
> On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:
>
> c> I am getting a lot of mail which I know is from a mail program used by 
> c> spammers,  called The Bat.
>
> This comes up on the list from time to time.
>
> No, The Bat is a legitimate email client (such as Outlook and
> Eudora) which, like Outlook and Eudora, is often falsely inserted
> into the headers by spamware.
>
> I first thought that The Bat was spamware when I first saw it in
> spam headers.  I quickly found out that it was not, and after
> looking into it further, found it to be the Windows email client
> that I dislike the least.  I've been using it now for over 5 years.
>
>   
Yea, I did a search. And found you are right, shame that most of the 
spam I am using is coming from the mail program.

http://www.ritlabs.com/en/products/thebat/

Oh. Well. Thanks.

Re: How to block the bat!

Posted by Robert Braver <rb...@ohww.norman.ok.us>.
Hello Payne,

On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:

c> I am getting a lot of mail which I know is from a mail program used by 
c> spammers,  called The Bat.

This comes up on the list from time to time.

No, The Bat is a legitimate email client (such as Outlook and
Eudora) which, like Outlook and Eudora, is often falsely inserted
into the headers by spamware.

I first thought that The Bat was spamware when I first saw it in
spam headers.  I quickly found out that it was not, and after
looking into it further, found it to be the Windows email client
that I dislike the least.  I've been using it now for over 5 years.

-- 
Best regards,
 Robert Braver
 rbraver@ohww.norman.ok.us


Re: How to block the bat!

Posted by OliverScott <ol...@fhsinternet.com>.
If you want to reduce the spam you get which claims to be from The Bat, then
do the following:

Create a rule which looks for The Bat in the header, with a 0.001 score.

Create a meta rule which looks for email which is caught by the above rule
AND hits BAYES_99 AND/OR (you choose, based on how worried you are about FPs)
hits BOTNET. Give this meta rule a score of 5 or more.

That's how I would handle it (if my current config weren't already catching
all these emails).
-- 
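As an added example (written for this page, not posted by anyone in the thread), here are Oliver's two rules, and the header rule Payne originally asked for, expressed as SpamAssassin local.cf configuration. The LOCAL_* rule names are my own choice; BAYES_99 is a stock SpamAssassin rule, while BOTNET only exists when the third-party Botnet plugin is loaded, so that variant is left commented out:

```conf
# Sub-rule: matches any message whose X-Mailer header claims to be The Bat!.
# The near-zero score means a genuine Bat! user (including Bat! mail relayed
# through a mailing list) is not penalised by this rule on its own.
header   LOCAL_XMAILER_THEBAT  X-Mailer =~ /^The Bat!/
describe LOCAL_XMAILER_THEBAT  X-Mailer header claims to be The Bat!
score    LOCAL_XMAILER_THEBAT  0.001

# Meta rule ("AND" variant): the Bat! claim only carries weight once Bayes
# is already near-certain the message is spam.
meta     LOCAL_THEBAT_BAYES99  (LOCAL_XMAILER_THEBAT && BAYES_99)
describe LOCAL_THEBAT_BAYES99  Claims The Bat! and BAYES_99 fired
score    LOCAL_THEBAT_BAYES99  5.0

# "AND/OR" variant, requiring the Botnet plugin's BOTNET rule as well as, or
# instead of, BAYES_99. More aggressive, so more false-positive prone; only
# uncomment it if the Botnet plugin is actually loaded.
#meta     LOCAL_THEBAT_BOTNET   (LOCAL_XMAILER_THEBAT && (BAYES_99 || BOTNET))
#describe LOCAL_THEBAT_BOTNET   Claims The Bat! and BAYES_99 or BOTNET fired
#score    LOCAL_THEBAT_BOTNET   5.0
```

Run `spamassassin --lint` after adding these to catch syntax errors before restarting spamd.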