Posted to users@spamassassin.apache.org by Jeremy Morton <ad...@game-point.net> on 2009/06/05 19:58:05 UTC

New slew of spams

Hi,

I've suddenly started getting a new slew of spams that are making their 
way through my SpamAssassin filter.  Here's an example of one:

http://pastebin.com/m586e296c

As you can see they tend to hit a couple of blacklists, but don't get a 
high enough score to be marked as spam.  What do your SpamAssassin 
analyses give of this e-mail, and any tips as to how I can get these 
marked as spam?

Best regards,
Jeremy Morton (Jez)

Re: New slew of spams

Posted by Adam Katz <an...@khopis.com>.
Jeremy Morton wrote:
> I've suddenly started getting a new slew of spams that are making their
> way through my SpamAssassin filter.  Here's an example of one:
> 
> http://pastebin.com/m586e296c
> 
> As you can see they tend to hit a couple of blacklists, but don't get a
> high enough score to be marked as spam.  What do your SpamAssassin
> analyses give of this e-mail, and any tips as to how I can get these
> marked as spam?

Install iXhash and activate Razor2.

Additionally, I recommend this rule to bump up the iXhash scores (note
that the meta line wraps here but should not in your config file):

meta IXHASH_CHECK GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH
describe IXHASH_CHECK BODY: MD5 checksum matches known spam
score IXHASH_CHECK    0 2 0 2


Re: New slew of spams

Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 5, 2009 19:58, Jeremy Morton wrote:
> http://pastebin.com/m586e296c
http://cbl.abuseat.org/lookup.cgi?ip=93.5.36.134

Do you use zen.spamhaus.org in Exim?

http://www.wpbl.info/cgi-bin/detail.cgi?ip=93.5.36.134

If the IP is not sending ham to you, block the IP locally.

-- 
http://localhost/ 100% uptime and 100% mirrored :)


Re: New slew of spams

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-06-05 at 20:33 +0200, Raymond Dijkxhoorn wrote:
> Hi!
> 
> >> http://pastebin.com/m586e296c
> >>
> >> As you can see they tend to hit a couple of blacklists, but don't get a
> >> high enough score to be marked as spam.  What do your SpamAssassin
> >> analyses give of this e-mail, and any tips as to how I can get these
> >> marked as spam?
> 
> > But;
> >
> > 93.5.36.134 listed in b.barracudacentral.org.
> > 93.5.36.134 listed in XBL NJABL
> > 93.5.36.134 listed in PBL (SPAMHAUS)
> > 93.5.36.134 listed in cbl.abuseat.org.
> >
> > So they could have been blocked ?
> 
> Perhaps now, but most of them end up after the first runs ... ;)
> Most likely at time of the run they were not listed (yet).
> 
> Bye,
> Raymond.
> 
Even in the breakdown you've posted they are listed on at least one
black list. Personally, I would have dropped them on connecting IP
before wasting spamassassin on scanning them - but that opens a can of
worms and people have differing views on doing that.


Re: New slew of spams

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> http://pastebin.com/m586e296c
>>
>> As you can see they tend to hit a couple of blacklists, but don't get a
>> high enough score to be marked as spam.  What do your SpamAssassin
>> analyses give of this e-mail, and any tips as to how I can get these
>> marked as spam?

> But;
>
> 93.5.36.134 listed in b.barracudacentral.org.
> 93.5.36.134 listed in XBL NJABL
> 93.5.36.134 listed in PBL (SPAMHAUS)
> 93.5.36.134 listed in cbl.abuseat.org.
>
> So they could have been blocked ?

Perhaps now, but most of them end up after the first runs ... ;)
Most likely at time of the run they were not listed (yet).

Bye,
Raymond.


Re: New slew of spams

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-06-05 at 18:58 +0100, Jeremy Morton wrote:
> Hi,
> 
> I've suddenly started getting a new slew of spams that are making their 
> way through my SpamAssassin filter.  Here's an example of one:
> 
> http://pastebin.com/m586e296c
> 
> As you can see they tend to hit a couple of blacklists, but don't get a 
> high enough score to be marked as spam.  What do your SpamAssassin 
> analyses give of this e-mail, and any tips as to how I can get these 
> marked as spam?
> 
> Best regards,
> Jeremy Morton (Jez)

But;

93.5.36.134 listed in b.barracudacentral.org.
93.5.36.134 listed in XBL NJABL
93.5.36.134 listed in PBL (SPAMHAUS)
93.5.36.134 listed in cbl.abuseat.org.

So they could have been blocked ?



Re: New slew of spams

Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Jun 2009, ktn wrote:

>> By default, the spamd daemon does not allow user defined rules. 
>> Hostmonster needs to set "allow_user_rules" to 1 in the system 
>> configuration file. I asked about this and that's something that they 
>> will not do.

...which is completely reasonable in a shared-hosting environment. You 
don't want to risk someone malicious adding a denial-of-service rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Any time law enforcement becomes a revenue center, the system
   becomes corrupt.
-----------------------------------------------------------------------
  49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent

Re: New slew of spams

Posted by John Hardin <jh...@impsec.org>.
On Wed, 10 Jun 2009, LuKreme wrote:

> On 9-Jun-2009, at 07:42, Adam Katz wrote:
>> 
>> No, I'd consider that a rather sane decision.  Back when my distribution
>> had user accounts with shell access, I had custom rules disabled too.
>
> Sue, but how long ago was that?  The way to properly host people now is 
> with virtualization. They have their 'own' machine and what they muck up 
> can only muck up THEIR "machine".

That's fine for you and me, but not everyone wants to be (or has the 
skills or time to be) a system administrator, and I doubt most hosting 
companies would be able to provide administered single-user VMs at a 
reasonable price point. With a shared VM the administration costs are 
shared across many customers.

I was going to suggest moving to a VM, but I didn't know whether ktn felt 
that was an option. I suppose it's reasonable to ask: ktn, would you be 
willing to move to a self-administered hosted VM in order to get full 
control of SA?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If "healthcare is a Right" means that the government is obligated
   to provide the people with hospitals, physicians, treatments and
   medications at low or no cost, then the right to free speech means
   the government is obligated to provide the people with printing
   presses and public address systems, the right to freedom of
   religion means the government is obligated to build churches for the
   people, and the right to keep and bear arms means the government is
   obligated to provide the people with guns, all at low or no cost.
-----------------------------------------------------------------------
  51 days since 9th Circuit incorporated 2nd Amdt - MSM still silent

Re: New slew of spams

Posted by Adam Katz <an...@khopis.com>.
I said:
>> I'd consider that a rather sane decision.  Back when my distribution
>> had user accounts with shell access, I had custom rules disabled too.

LuKreme wrote:
> Sue, but how long ago was that?

Not sure I approve of that nickname...  That was ~3y ago.

> The way to properly host people now is with virtualization. They
> have their 'own' machine and what they muck up can only muck up
> THEIR "machine". Might not be the best choice for a small hosting
> company, but for a large one anything else seems senseless. Heck,
> even for me, if I ever get back into hosting it is going to be
> purely with virtualized machines. You want ftp and non-secure
> email? Knock yourself out.  I have a restore image handy to put the
> system back when you get totally pwned.

Ah, you're talking provider-level deployments while I'm talking
corporate-level deployments.  Even at your higher level, I think it's
a waste of IT time and resources to dedicate servers on a per-customer
basis (unless the customer is a giant and actually needs such
allocation), regardless of whether the server is virtual or not.

Mail is its own thing and should be dedicated rather than with
separate servers for each tenant or hosted on a server that serves
other purposes.  At the provider-level, mail is provided as IMAP
accounts rather than configurable servers.  The most the users should
be able to do is train Bayes and perhaps tweak their accounts' SA
user_prefs.  For web and ftp et al, I fully agree that you should hand
off a VM or jail (recently found to be more efficient, as noted at
http://bsd.slashdot.org/story/09/06/02/0043258/#) and let them at it.

>> The reason is that some people don't understand how to write
>> rules, putting mundane words, often without word-breaks, or
>> enormous globs that just destroy the system's efficiency.  Then
>> they score these poorly-written rules with ten points and wonder
>> why they're missing so much mail.
> 
> Yes, and people buy chainsaws to cut down trees and take off their
> legs. This is not the fault of the store selling the chainsaws.
> This is why you make sure they can only touch their own trees.

You're proposing wasting IT resources on providing tons and tons of
trees (legs?), presumably at little or no cost to the customer, for
customers who don't understand their chainsaws.  Customers tend to
prefer advice or configurations that prevent them from severing a leg,
or even more important (to you), from severing another customer's leg.

If somebody wants to roll their own hosted mail server, let them buy a
VM and do it from scratch, fully outside of your clean and efficient
multi-tenant implementation, but this shouldn't be marketed at all; it
should be an option for the tenant that wants more than you can
offer/support and has the in-house expertise to get it done.

-Adam

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

Re: New slew of spams

Posted by LuKreme <kr...@kreme.com>.
On 9-Jun-2009, at 07:42, Adam Katz wrote:
> ktn wrote:
>>>> By default, the spamd daemon does not allow user defined rules.
>>>> Hostmonster needs to set "allow_user_rules" to 1 in the system
>>>> configuration file. I asked about this and that's something that
>>>> they will not do.
>
> LuKreme wrote:
>> It's a good thing there are other hosting companies that are not
>> willfully retarded, isn't it?
>
> No, I'd consider that a rather sane decision.  Back when my  
> distribution
> had user accounts with shell access, I had custom rules disabled too.

Sue, but how long ago was that?  The way to properly host people now  
is with virtualization. They have their 'own' machine and what they  
muck up can only muck up THEIR "machine". Might not be the best choice  
for a small hosting company, but for a large one anything else seems  
senseless. Heck, even for me, if I ever get back into hosting it is  
going to be purely with virtualized machines. You want ftp and non- 
secure email? Knock yourself out.  I have a restore image handy to put  
the system back when you get totally pwned.

> The reason is that some people don't understand how to write rules,
> putting mundane words, often without word-breaks, or enormous globs  
> that
> just destroy the system's efficiency.  Then they score these
> poorly-written rules with ten points and wonder why they're missing so
> much mail.

Yes, and people buy chainsaws to cut down trees and take off their  
legs. This is not the fault of the store selling the chainsaws. This  
is why you make sure they can only touch their own trees.

-- 
I know you won't believe it's true
I only went with her cuz she looked like you


Re: New slew of spams

Posted by Adam Katz <an...@khopis.com>.
ktn wrote:
>>> By default, the spamd daemon does not allow user defined rules. 
>>> Hostmonster needs to set "allow_user_rules" to 1 in the system 
>>> configuration file. I asked about this and that's something that
>>> they will not do.

LuKreme wrote:
> It's a good thing there are other hosting companies that are not 
> willfully retarded, isn't it?

No, I'd consider that a rather sane decision.  Back when my distribution
had user accounts with shell access, I had custom rules disabled too.
The reason is that some people don't understand how to write rules,
putting mundane words, often without word-breaks, or enormous globs that
just destroy the system's efficiency.  Then they score these
poorly-written rules with ten points and wonder why they're missing so
much mail.

And my users are mostly software engineers.

Instead, I've encouraged my users to send me tips and whatnot, and if
they want to create rules, they can do so by emailing me.  The few times
this has happened, I've had to reveal that similar but better-written
rules already exist, or that the rules are too general, or that I could
rewrite them for safety, efficiency, and to catch a wider range of spams.

While it's not as clearly advantageous to do this with
white/blacklisting, the same applies for that.  I browse the offending
mails, look for something to filter on, possibly (though unlikely) write
a minor rule, then report it and teach the global bayes, then add it to
AWL for the temporary 30 point swing.

Re: New slew of spams

Posted by LuKreme <kr...@kreme.com>.
On 8-Jun-2009, at 11:19, ktn wrote:
>> By default, the spamd daemon does not allow user defined rules.
>> Hostmonster needs to set "allow_user_rules" to 1 in the system
>> configuration file. I asked about this and that's something that  
>> they will
>> not do.

It's a good thing there are other hosting companies that are not  
willfully retarded, isn't it?


-- 
The person on the other side was a young woman. Very obviously a
	young woman. There was no possible way that she could have been
	mistaken for a young man in any language, especially Braille.


Re: New slew of spams

Posted by ktn <j_...@kawasaki-tn.com>.
I can edit 'user_prefs' and customize scores for existing tests, but when I
tried to add custom rules to 'user_prefs' they somehow got ignored.  Weird.

Here are the details from a hostmonster forum post
(http://www.hostmonsterforum.com/showthread.php?t=2364):


> First off, hostmonster does not use the "spamassassin" command to run SA,
> they use the server/client spamd/spamc method. Therefore if you want to
> duplicate what is happening when your email arrives, you will need to do
> this in a shell:
> 
> % spamc < <mail_message>
> 
> If you try to use "spamassassin" from the shell, then things don't quite
> work right, namely it won't find the site configuration file AND it will
> process your $HOME/.spamassassin/user_prefs file differently than if you
> had run "spamc"
> 
> By default, the spamd daemon does not allow user defined rules.
> Hostmonster needs to set "allow_user_rules" to 1 in the system
> configuration file. I asked about this and that's something that they will
> not do.
> 


Charles Gregory wrote:
> 
> On Mon, 8 Jun 2009, ktn wrote:
>> I am also starting to get a lot of these ".rtf attachment only with no 
>> email body text" spams.  Unfortunately, we use hostmonster.com for our 
>> email so my ability to customize SA is greatly limited (i.e. I cannot 
>> use custom rules).
> 
> Do you mean that they won't allow 'local.cf' or that
> they won't allow 'user_prefs'? I'd be a bit surprised if the latter
> were not available....
> 



Re: New slew of spams

Posted by Charles Gregory <cg...@hwcn.org>.
On Mon, 8 Jun 2009, ktn wrote:
> I am also starting to get a lot of these ".rtf attachment only with no 
> email body text" spams.  Unfortunately, we use hostmonster.com for our 
> email so my ability to customize SA is greatly limited (i.e. I cannot 
> use custom rules).

Do you mean that they won't allow 'local.cf' or that
they won't allow 'user_prefs'? I'd be a bit surprised if the latter
were not available....

- Charles

Re: sa-update and SA versions

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2009-06-10 at 17:39 -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
> > That said, I seem to recall that at least published SARE rule-sets
> > have been mentioned to be added to stock and thus obsoleted.
> 
> I suppose this is a point for Daryl (DOS) or whomever "maintains" SARE
> (read: runs the DNS), but they are not configured to obsolete nicely:

Err... No.  Actually, I was speaking specifically about backhair or one
of those rule-sets. Note the "added to stock" part.

As for *all* SARE rule-sets, there is *one* definite source of status.
Rulesemporium. The very front page claims loudly the stuff is not
maintained. Each rule-set got a hint about last updated, last mass-
checked, and there are lots of sets specifically mentioning a SA version
number it is intended for.

Daryl provides a mirror of that stuff for anyone who deliberately WANTS
these rules. He is not to blame, but the admin who installs 5-year-old
rules.

There is no way for sa-update to fade out or obsolete a rule-set. There
is a version number to indicate an update. Installing them is at the
discretion of the admin.

Oh, and some, well, one(?) are actually updated these days and alive.


> > Also, there's no communications channel announcing sa-update rule
> > updates in detail.
> 
> Ooh, I like the idea of an RSS feed or a bot that posts to this list
> (or the dev list), specifically for retractions/removals and security
> updates, and hopefully not for any minor score tweak (or perhaps a
> ~weekly digest of such things).  This might be as simple as a script
> monitoring SVN checkins.

There is an svn checkins list.


> > Speaking about rules posted to the list: Those often will be
> > changed slightly in the sandbox after the initial post. Let alone
> > some rules being posted in various versions on this list -- which
> > one do you run?
> 
> I'm not sure if you actually want this, but ...  Rules I've pushed to
> and taken from this list are attached.

While I'm glad to see a couple KB prefixed rules right at the top... :)

No, I did not mean you to post them. That was a remark for the reader to
*think* about the various versions posted, and how many (read all) of
them are spread around thousands of systems.

That effectively means that a note about such rules going into stock
needs to include all of the versions, mentioning their specific overlap,
fuzziness, ...  Impossible.

Let alone local tweaks to those rules. Ultimately, the admin is
responsible for ANY third-party stuff he installed.


BTW, all my RATWARE_OUTLOOK variants are super-sets of the 08 one, as I
have mentioned on this list when I first posted them here. The 08 one is
the one, the rest were meant for debugging only.

  guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: sa-update and SA versions

Posted by Adam Katz <an...@khopis.com>.
Karsten Bräckelmann wrote:
> That said, I seem to recall that at least published SARE rule-sets
> have been mentioned to be added to stock and thus obsoleted.

I suppose this is a point for Daryl (DOS) or whomever "maintains" SARE
(read: runs the DNS), but they are not configured to obsolete nicely:

$ host -t txt 0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net
0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net descriptive text
"200701151000"
$ host -t txt 4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net
4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net descriptive text
"200705210700"

Obsoleted rules should be ... obsoleted.  This means fixing those DNS
wildcard entries well *before* any pre/alpha releases that might
consider their versions 3.3+.

> Also, there's no communications channel announcing sa-update rule
> updates in detail.

Ooh, I like the idea of an RSS feed or a bot that posts to this list
(or the dev list), specifically for retractions/removals and security
updates, and hopefully not for any minor score tweak (or perhaps a
~weekly digest of such things).  This might be as simple as a script
monitoring SVN checkins.

> Speaking about rules posted to the list: Those often will be
> changed slightly in the sandbox after the initial post. Let alone
> some rules being posted in various versions on this list -- which
> one do you run?

I'm not sure if you actually want this, but ...  Rules I've pushed to
and taken from this list are attached.  The pushed rules are a small
sub-set of those available through my publicly accessible sa-update
channels, http://khopesh.com/Anti-spam#sa-update_channels

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

Re: sa-update and SA versions

Posted by LuKreme <kr...@kreme.com>.
On 9-Jun-2009, at 11:36, Karsten Bräckelmann wrote:
> Smart move asking one of the more recent additions to the dev  
> team... ;)


So... how long until 3.3 is ready, then, huh? huh? how long?

... whistles innocently ...

-- 
Lisa Bonet ate no Basil


RE: sa-update and SA versions

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > The differences between 3.2.x versions are code fixes. There 
> > is no difference in rules, when using sa-update.
> > 
> > While it is possible to publish per micro version updates, 
> > this is not necessary and thus not used for 3.2.x. They all 
> > share the very same rules and updates.
> 
> Karsten,
> 
> What about when we consider and migrate from 3.2.5 to 3.3.x once it is
> officially released?

Smart move asking one of the more recent additions to the dev team... ;)

> Will there be info from the SA Team about what rules have changed and what
> "mods" that have come from the list that most of us are using in 3.2.5 that
> should be double checked for and removed in terms of rules and otherwise?
> 
> Anything you can clue us in on beforehand?

Well, I joined the SA dev team about a year ago, after 3.2.0 had been
released. Since I am going entirely from memory and observations as a
user, take this with a grain of salt.

However, from what I recall when 3.2.0 was released, there was no
detailed list of modified, added or dropped rules. Frankly, it is my
understanding this would be impossible to do in a way for a human to
grok anyway. Rules have been evolving during the entire time, and the GA
run decides which rules to incorporate and about their scores.

That said, I seem to recall that at least published SARE rule-sets have
been mentioned to be added to stock and thus obsoleted.

Speaking about rules posted to the list: Those often will be changed
slightly in the sandbox after the initial post. Let alone some rules
being posted in various versions on this list -- which one do you run?


As with all custom rules and scores, it's the admin's duty to check they
are reasonable. After all, a new stock rule not posted here before might
overlap with your home-brew code, too.

Also, there's no communications channel announcing sa-update rule
updates in detail.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: sa-update and SA versions (was: Re: New slew of spams)

Posted by RobertH <ro...@abbacomm.net>.
 

> From: Karsten Bräckelmann
> The differences between 3.2.x versions are code fixes. There 
> is no difference in rules, when using sa-update.
> 
> While it is possible to publish per micro version updates, 
> this is not necessary and thus not used for 3.2.x. They all 
> share the very same rules and updates.
> 

Karsten,

What about when we consider and migrate from 3.2.5 to 3.3.x once it is
officially released?

Will there be info from the SA Team about what rules have changed and what
"mods" that have come from the list that most of us are using in 3.2.5 that
should be double checked for and removed in terms of rules and otherwise?

Anything you can clue us in on beforehand?

thanks in advance...

 - rh


sa-update and SA versions (was: Re: New slew of spams)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-06-08 at 07:57 -0700, John Hardin wrote:
> That is correct. I hope (when I get write access to the repo) to add them 
> to the 3.2.5 rules so they will go out via sa-update. Is there any way you 
> can upgrade to 3.2.5?

The differences between 3.2.x versions are code fixes. There is no
difference in rules, when using sa-update.

While it is possible to publish per micro version updates, this is not
necessary and thus not used for 3.2.x. They all share the very same
rules and updates.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: [sa] New slew of spams

Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Jun 2009, ktn wrote:

> We haven't been with hostmonster long, but considering that they're running
> 3.2.4 right now, I would assume at some point that they will update to
> 3.2.5.  Until then, I can be patient.  I'm just glad to hear that a standard
> rule for this kind of spam will be added to SA!  Many thanks.

Don't hold your breath. I'm still new to this, there may be a lot of delay 
that I'm not aware of before those new rules get added to the 3.2.5 base.

> John Hardin wrote:
>>
>> Does hostmonster run sa-update at all?
>>
>>> So if I understand correctly: currently there is no standard rule in SA
>>> (we use 3.2.4) for filtering out mail with attachments but no text.
>>
>> That is correct. I hope (when I get write access to the repo) to add them
>> to the 3.2.5 rules so they will go out via sa-update. Is there any way you
>> can upgrade to 3.2.5?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If guards and searches and metal detectors can't keep a gun out of
   a maximum-security solitary confinement prisoner's cell, how will
   a disciplinary policy and some signs keep guns out of a university?
-----------------------------------------------------------------------
  49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent

Re: [sa] New slew of spams

Posted by ktn <j_...@kawasaki-tn.com>.
We haven't been with hostmonster long, but considering that they're running
3.2.4 right now, I would assume at some point that they will update to
3.2.5.  Until then, I can be patient.  I'm just glad to hear that a standard
rule for this kind of spam will be added to SA!  Many thanks.


John Hardin wrote:
> 
> Does hostmonster run sa-update at all?
> 
>> So if I understand correctly: currently there is no standard rule in SA 
>> (we use 3.2.4) for filtering out mail with attachments but no text.
> 
> That is correct. I hope (when I get write access to the repo) to add them 
> to the 3.2.5 rules so they will go out via sa-update. Is there any way you 
> can upgrade to 3.2.5?
> 



Re: [sa] New slew of spams

Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Jun 2009, ktn wrote:

> I am also starting to get a lot of these ".rtf attachment only with no 
> email body text" spams.  Unfortunately, we use hostmonster.com for our 
> email so my ability to customize SA is greatly limited (i.e. I cannot 
> use custom rules).

Bummer.

Does hostmonster run sa-update at all?

> So if I understand correctly: currently there is no standard rule in SA 
> (we use 3.2.4) for filtering out mail with attachments but no text.

That is correct. I hope (when I get write access to the repo) to add them 
to the 3.2.5 rules so they will go out via sa-update. Is there any way you 
can upgrade to 3.2.5?

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Our government wants to do everything it can "for the children,"
   except sparing them crushing tax burdens.
-----------------------------------------------------------------------
  49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent

Re: [sa] New slew of spams

Posted by ktn <j_...@kawasaki-tn.com>.
Martin,

Do you mean not use hostmonster for email hosting at all?  To run our own
mail server?


Martin Gregorie-2 wrote:
> 
> On Mon, 2009-06-08 at 07:17 -0700, ktn wrote:
>> I am also starting to get a lot of these ".rtf attachment only with no
>> email
>> body text" spams.  Unfortunately, we use hostmonster.com for our email so
>> my
>> ability to customize SA is greatly limited (i.e. I cannot use custom
>> rules).
>> 
> You can, of course, run your own copy of SA 3.2.5 if you have a house or
> office server that's running a private MTA to service a private LAN.
> 



Re: [sa] New slew of spams

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2009-06-08 at 07:17 -0700, ktn wrote:
> I am also starting to get a lot of these ".rtf attachment only with no email
> body text" spams.  Unfortunately, we use hostmonster.com for our email so my
> ability to customize SA is greatly limited (i.e. I cannot use custom rules).
> 
You can, of course, run your own copy of SA 3.2.5 if you have a house or
office server that's running a private MTA to service a private LAN.
  

Martin



Re: [sa] New slew of spams

Posted by ktn <j_...@kawasaki-tn.com>.
I am also starting to get a lot of these ".rtf attachment only with no email
body text" spams.  Unfortunately, we use hostmonster.com for our email so my
ability to customize SA is greatly limited (i.e. I cannot use custom rules).

So if I understand correctly: currently there is no standard rule in SA (we
use 3.2.4) for filtering out mail with attachments but no text.


Charles Gregory wrote:
> 
> On Fri, 5 Jun 2009, Jeremy Morton wrote:
>> I've suddenly started getting a new slew of spams that are making their
>> way 
>> through my SpamAssassin filter.
> 
> These are examples of the new variant on 'image only' spams, having only a 
> rtf file attachment, instead of an image. Check the archives and you will
> find rules to tag messages with 'octet-stream mime part but no text part'.
> Quite effective.
> 



Re: [sa] New slew of spams

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 5 Jun 2009, Jeremy Morton wrote:
> I've suddenly started getting a new slew of spams that are making their way 
> through my SpamAssassin filter.  Here's an example of one:
> http://pastebin.com/m586e296c

These are examples of the new variant on 'image only' spams, having only a 
rtf file attachment, instead of an image. Check the archives and you will
find rules to tag messages with 'octet-stream mime part but no text part'.
Quite effective.

- Charles

Re: New slew of spams

Posted by RW <rw...@googlemail.com>.
On Fri, 05 Jun 2009 14:05:40 -0400
Rob McEwen <ro...@invaluement.com> wrote:

> An occasional legit e-mail will have RDNS_NONE, and an occasional
> legit e-mail will have RCVD_IN_PBL. But far fewer legit
> emails will have hits on BOTH of these. So I'd suggest scoring the
> combination of the two either just above threshold, or (at the
> least...) just below threshold.


You need to be a little careful about that if you have an extended
internal network outside your control. Not all servers record rDNS and
authentication.

Re: New slew of spams

Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 5, 2009 20:05, Rob McEwen wrote:

> I highly recommend scoring RDNS_NONE at much higher than "0.1", and
> scoring RCVD_IN_PBL at much higher than 0.9

meta SPAM_LOCAL (RDNS_NONE && RCVD_IN_PBL)
describe SPAM_LOCAL Meta: it hits both RDNS_NONE and RCVD_IN_PBL
score SPAM_LOCAL 5.0

-- 
http://localhost/ 100% uptime and 100% mirrored :)


Re: New slew of spams

Posted by Rob McEwen <ro...@invaluement.com>.
Jeremy Morton wrote:
> I've suddenly started getting a new slew of spams that are making
> their way through my SpamAssassin filter.  Here's an example of one:
>
> http://pastebin.com/m586e296c
>
> As you can see they tend to hit a couple of blacklists, but don't get
> a high enough score to be marked as spam.  What do your SpamAssassin
> analyses give of this e-mail, and any tips as to how I can get these
> marked as spam? 

I highly recommend scoring RDNS_NONE at much higher than "0.1", and
scoring RCVD_IN_PBL at much higher than 0.9.

If you don't feel comfortable having these combine to score higher than
threshold, then consider bumping each of these up by at least a whole
point or two... and then add a metarule that might add an additional
point or two if BOTH of these have been triggered.

An occasional legit e-mail will have RDNS_NONE, and an occasional
legit e-mail will have RCVD_IN_PBL. But far fewer legit emails
will have hits on BOTH of these. So I'd suggest scoring the combination
of the two either just above threshold, or (at the least...) just below
threshold.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
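Rob's suggestion (bump RDNS_NONE and RCVD_IN_PBL, then add a meta for the pair, as in Benny's SPAM_LOCAL) is easy to sanity-check before deploying by replaying it over the X-Spam-Status headers of mail already received, ham included, which is where RW's warning about internal relays without rDNS would show up. The Python below is an added example, not SpamAssassin code or any poster's; the new score values and the sample headers are constructed for illustration, and the header format follows SA 3.2's default X-Spam-Status line.

```python
import re

# Stock 3.2 contributions as quoted in the thread.
STOCK = {"RDNS_NONE": 0.1, "RCVD_IN_PBL": 0.9}
# Illustrative replacements (assumption, tune to your own mail): each test
# bumped by a point or two as Rob suggests ...
PROPOSED = {"RDNS_NONE": 1.5, "RCVD_IN_PBL": 2.0}
# ... plus a meta that adds this much when both fire (Benny's SPAM_LOCAL idea).
BOTH_META = 2.0

# Matches the default SA 3.2 X-Spam-Status line; tests= is read lazily up to
# the next autolearn=/version= field so folded lists survive unfolding.
_STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+required=(?P<req>\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>.*?)(?:\s+autolearn=|\s+version=|$)",
    re.DOTALL,
)


def parse_status(header):
    """Return (score, required, set_of_test_names) from one header.

    Continuation lines (newline followed by whitespace) are unfolded first,
    since SA wraps long tests= lists across lines.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    m = _STATUS_RE.search(unfolded)
    if not m:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    tests = {t for t in re.split(r"[,\s]+", m.group("tests")) if t}
    return float(m.group("score")), float(m.group("req")), tests


def rescore(header):
    """Recompute one message's verdict under PROPOSED scores plus BOTH_META."""
    score, required, tests = parse_status(header)
    new = score
    for name, proposed in PROPOSED.items():
        if name in tests:
            new += proposed - STOCK[name]  # swap stock contribution for new one
    both = all(name in tests for name in PROPOSED)
    if both:
        new += BOTH_META
    new = round(new, 3)
    return {
        "before": score,
        "after": new,
        "was_spam": score >= required,
        "now_spam": new >= required,
        "both_hit": both,
    }


def summarize(headers):
    """Count how many messages change verdict across a corpus of headers."""
    counts = {"total": 0, "newly_spam": 0, "still_ham": 0, "spam_before": 0}
    for h in headers:
        r = rescore(h)
        counts["total"] += 1
        if r["was_spam"]:
            counts["spam_before"] += 1
        elif r["now_spam"]:
            counts["newly_spam"] += 1
        else:
            counts["still_ham"] += 1
    return counts


# Constructed headers in SA 3.2 format (the first one is folded, as SA does
# with long test lists); run this over real ham and spam folders instead.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=3.2 required=5.0 tests=HTML_MESSAGE,RCVD_IN_PBL,"
    "\n\tRDNS_NONE autolearn=no version=3.2.5",
    "X-Spam-Status: No, score=1.0 required=5.0 tests=RDNS_NONE autolearn=no "
    "version=3.2.5",
    "X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_99,RCVD_IN_PBL "
    "autolearn=spam version=3.2.5",
    "X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham "
    "version=3.2.5",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(rescore(h))
    print(summarize(SAMPLE_HEADERS))
```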



Re: New slew of spams

Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 Jun 2009, Jeremy Morton wrote:

> I've suddenly started getting a new slew of spams that are making their 
> way through my SpamAssassin filter.  Here's an example of one:
>
> http://pastebin.com/m586e296c

Look for the MIME_NO_TEXT ruleset I posted a few days ago.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Rights can only ever be individual, which means that you cannot
   gain a right by joining a mob, no matter how shiny the issued
   badges are, or how many of your neighbors are part of it.  -- Marko
-----------------------------------------------------------------------
  Tomorrow: the 65th anniversary of D-Day
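Charles Gregory describes these as the rtf-only variant of image-only spam, caught by rules that look for an octet-stream MIME part with no text part, and John Hardin points to his MIME_NO_TEXT ruleset for the same thing. The Python below is an added example, not the SpamAssassin project's rules or any poster's code: it walks a message's MIME tree and flags an RTF/binary attachment with no inline, non-blank text part; the three sample messages are constructed for the example.

```python
from email import message_from_string

# Inline text parts that count as a real body.
TEXT_TYPES = {"text/plain", "text/html"}
# RTF shipped as a generic binary blob (as in the thread) or typed as RTF.
# Assumption: extend this set for other attachment-only variants.
ATTACHMENT_TYPES = {"application/octet-stream", "application/rtf", "text/rtf"}


def _has_visible_text(part):
    """A text part only counts if it is inline and not blank."""
    if part.get_content_disposition() == "attachment":
        return False
    payload = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "us-ascii"
    try:
        text = payload.decode(charset, errors="replace")
    except LookupError:  # bogus charset label: fall back to a lossless decode
        text = payload.decode("latin-1")
    return bool(text.strip())


def attachment_but_no_text(msg):
    """True when the message carries an RTF/binary part but no readable text part."""
    saw_text = saw_attachment = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        ctype = part.get_content_type()
        if ctype in TEXT_TYPES:
            saw_text = saw_text or _has_visible_text(part)
        elif ctype in ATTACHMENT_TYPES:
            saw_attachment = True
    return saw_attachment and not saw_text


def check_raw(raw):
    """Parse a raw message (string) and apply the check."""
    return attachment_but_no_text(message_from_string(raw))


# Constructed sample: the shape of the thread's RTF-only spam (payload is junk).
RTF_ONLY = """\
From: sender@example.invalid
Subject: document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="offer.rtf"
Content-Disposition: attachment; filename="offer.rtf"
Content-Transfer-Encoding: base64

e1xydGYxXGFuc2kgSGVsbG8gd29ybGR9
--b1--
"""

# Constructed sample: legitimate mail, short text body plus the same attachment.
TEXT_PLUS_ATTACHMENT = """\
From: colleague@example.invalid
Subject: minutes
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Minutes from today attached.
--b2
Content-Type: application/octet-stream; name="minutes.rtf"
Content-Disposition: attachment; filename="minutes.rtf"
Content-Transfer-Encoding: base64

e1xydGYxfQ==
--b2--
"""

# Constructed sample: an empty text/plain part next to the attachment still
# counts as "no text", so padding the spam with a blank part does not evade it.
BLANK_TEXT_PLUS_ATTACHMENT = """\
From: sender@example.invalid
Subject: document
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain; charset="us-ascii"

--b3
Content-Type: application/octet-stream; name="offer.rtf"
Content-Disposition: attachment; filename="offer.rtf"
Content-Transfer-Encoding: base64

e1xydGYxfQ==
--b3--
"""
```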