Posted to users@spamassassin.apache.org by Emin Akbulut <em...@gmail.com> on 2017/01/10 07:48:45 UTC

Low spam score: -1.9

Hi all,

Recently we receive spam messages and SA cannot block them.
I've also checked the raw message at  http://spamcheck.postmarkapp.com/
and score was very low either.

I've trained the SA and it worked for a while but now it's useless.


How can I prevent those spams? They look like poems

* * * * * * * * * * * * * * *

I am a tender and passionate girl-student.

I assure satisfaction and all the pleasures to my lover!

I will be alone on Christmas holidays((

Would you like to keep company?

Myphotos and questionnaire are waiting for you! <http://link.removed>


* * * * * * * * * * * * * * *


Message source:
http://pastebin.com/nnN0jGw8

P.S: I know I didn't supply any system info so if you ask
I'll tell the details, I'm not sure what data is required yet.


Thanks.

Re: Low spam score: -1.9

Posted by Emin Akbulut <em...@gmail.com>.
Hi all

I've disabled autolearn for a week and trained SA with tons of spams.
I still receive same spam messages with "random" scores. I've attached the zip
file that contains same template with different sender addresses. Scores seem
randomly to me; from 0 to 2.6, etc. Sample spam messages attached:
     https://www.dropbox.com/s/h9kennmy0kerjc3/_spams.zip?dl=0

We have got 500+ inboxes but a few addresses are the victims of mass spams
these days; same users got 20+ very same spams per day, maybe more. There are
a few different spam templates. I search for specific words like "profile is",
"Ginger", "hot date", "Appswarm" in files less than 5KB.

I also found a weird break point; one message has score of 1.6 and the very
next same message has score of -1.1. The two files are here to examine:
     https://www.dropbox.com/s/kiv81gclyaaqmsq/_high-and-then-low.zip?dl=0


I think I'm gonna install a fresh new SA.

> On Tue, Jan 10, 2017 at 7:22 PM, John Hardin <jh...@impsec.org> wrote:
>
>> On Tue, 10 Jan 2017, Emin Akbulut wrote:
>>
>> I've trained the SA and it worked for a while but now it's useless.
>>>
>>>
>>> How can I prevent those spams? They look like poems
>>>
>>> * * * * * * * * * * * * * * *
>>>
>>> I am a tender and passionate girl-student.
>>>
>>> I assure satisfaction and all the pleasures to my lover!
>>>
>>> I will be alone on Christmas holidays((
>>>
>>> Would you like to keep company?
>>>
>>> Myphotos and questionnaire are waiting for you! <http://link.removed>
>>>
>>> * * * * * * * * * * * * * * *
>>>
>>
>> That looks like it contains some good Bayes fodder. Question: how are you
>> training? Is this a large install where you allow users to directly feed the
>> corpus, or do you hand-review every message in your training corpus?
>>
>> You might want to do the following:
>>
>> (1) review your entire ham and spam corpora again.
>> (2) wipe your bayes database and re-learn from your saved corpora
>> (3) disable autolearn if you have it enabled.
>>
>> --
>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>> -----------------------------------------------------------------------
>>   Markley's Law (variant of Godwin's Law): As an online discussion
>>   of gun owners' rights grows longer, the probability of an ad hominem
>>   attack involving penis size approaches 1.
>> -----------------------------------------------------------------------
>>  7 days until Benjamin Franklin's 311th Birthday
>>
>
>

Re: Low spam score: -1.9

Posted by John Hardin <jh...@impsec.org>.
On Tue, 10 Jan 2017, Emin Akbulut wrote:

> I've trained the SA and it worked for a while but now it's useless.
>
>
> How can I prevent those spams? They look like poems
>
> * * * * * * * * * * * * * * *
>
> I am a tender and passionate girl-student.
>
> I assure satisfaction and all the pleasures to my lover!
>
> I will be alone on Christmas holidays((
>
> Would you like to keep company?
>
> Myphotos and questionnaire are waiting for you! <http://link.removed>
>
> * * * * * * * * * * * * * * *

That looks like it contains some good Bayes fodder. Question: how are you 
training? Is this a large install where you allow users to directly feed 
the corpus, or do you hand-review every message in your training corpus?

You might want to do the following:

(1) review your entire ham and spam corpora again.
(2) wipe your bayes database and re-learn from your saved corpora
(3) disable autolearn if you have it enabled.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Markley's Law (variant of Godwin's Law): As an online discussion
   of gun owners' rights grows longer, the probability of an ad hominem
   attack involving penis size approaches 1.
-----------------------------------------------------------------------
  7 days until Benjamin Franklin's 311th Birthday

Re: Low spam score: -1.9

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On 10.01.17 14:13, RW wrote:
>> >The pastebin example was auto-learned as ham, it may be hard to
>> >counter this with manual training.

>On Wed, 11 Jan 2017 09:29:51 +0100
>Matus UHLAR - fantomas wrote:
>> depends... I found out proper training can fix quite fast

On 11.01.17 14:49, RW wrote:
>Since manual training unlearns before it relearns, it's feasible to
>undo all the damage, but it's difficult to do that outside of a single
>user database. If you don't catch them all, you aren't fixing it, you
>are just working around the damage.

otoh, some part of ham/spam is got properly, you only need to train the
other part...

>> >bayes_auto_learn_threshold_nonspam should be set lower.
>>
>> I agree, and would set that to -0.1 max. However this requires network
>> checks on, since there are nearly no rules other than network and
>> bayes with negative score.
>
>And some of those are arguably pay-to-spam lists.
>
>IMO there's no good way to autolearn ham unless you are prepared to
>write enough local rules to positively identify it. It should be seen
>as a last resort.

it's a good start that will help you in training manually :)

>If you are in a position to train manually then IMO autotraining is
>more trouble than it's worth, except perhaps augmenting manual training
>with something like:
>
> bayes_auto_learn_on_error 1
> bayes_auto_learn_threshold_nonspam  -1000
>
>This lets Bayes do some useful spam learning in real-time, without
>much risk of mistraining.

I'm afraid that bayes_auto_learn_on_error will only cause ham trained as spam
(because not hit) and vice versa, after you train your DB properly ...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 

Re: Low spam score: -1.9

Posted by RW <rw...@googlemail.com>.
On Wed, 11 Jan 2017 09:29:51 +0100
Matus UHLAR - fantomas wrote:

> >> On 10.01.17 10:48, Emin Akbulut wrote:  
> >> >Recently we receive spam messages and SA cannot block them.  
> [deleted]
> >> >Message source:
> >> >http://pastebin.com/nnN0jGw8  
> 
> >On Tue, 10 Jan 2017 10:43:40 +0100 Matus UHLAR - fantomas wrote:  
> >> clear case of mistrained BAYES causing message being marked as ham.
> >> you just have to re-train such spams as spam, it may take some time
> >> (not very long) until it starts hitting properly.  
> 
> On 10.01.17 14:13, RW wrote:
> >The pastebin example was auto-learned as ham, it may be hard to
> >counter this with manual training.  
> 
> depends... I found out proper training can fix quite fast

Since manual training unlearns before it relearns, it's feasible to
undo all the damage, but it's difficult to do that outside of a single
user database. If you don't catch them all, you aren't fixing it, you
are just working around the damage.


> >bayes_auto_learn_threshold_nonspam should be set lower.   
> 
> I agree, and would set that to -0.1 max. However this requires network
> checks on, since there are nearly no rules other than network and
> bayes with negative score.

And some of those are arguably pay-to-spam lists.

IMO there's no good way to autolearn ham unless you are prepared to
write enough local rules to positively identify it. It should be seen
as a last resort.

If you are in a position to train manually then IMO autotraining is
more trouble than it's worth, except perhaps augmenting manual training
with something like:  

 bayes_auto_learn_on_error 1
 bayes_auto_learn_threshold_nonspam  -1000

This lets Bayes do some useful spam learning in real-time, without
much risk of mistraining.


Re: Low spam score: -1.9

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On 10.01.17 10:48, Emin Akbulut wrote:
>> >Recently we receive spam messages and SA cannot block them.
[deleted]
>> >Message source:
>> >http://pastebin.com/nnN0jGw8

>On Tue, 10 Jan 2017 10:43:40 +0100 Matus UHLAR - fantomas wrote:
>> clear case of mistrained BAYES causing message being marked as ham.
>> you just have to re-train such spams as spam, it may take some time
>> (not very long) until it starts hitting properly.

On 10.01.17 14:13, RW wrote:
>The pastebin example was auto-learned as ham, it may be hard to
>counter this with manual training.

depends... I found out proper training can fix quite fast

>bayes_auto_learn_threshold_nonspam should be set lower. 

I agree, and would set that to -0.1 max. However this requires network
checks on, since there are nearly no rules other than network and bayes with
negative score.

(ALL_TRUSTED and RP_MATCHES_RCVD should not be taken into account when
autolearning, whitelists are already ignored).

>clear the Bayes database and train from manually sorted mail.

may not be needed - enough of re-trainings can fix the DB within a few days

having plugins and network checks should help much
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Re: Low spam score: -1.9

Posted by RW <rw...@googlemail.com>.
On Tue, 10 Jan 2017 10:43:40 +0100
Matus UHLAR - fantomas wrote:

> On 10.01.17 10:48, Emin Akbulut wrote:
> >Recently we receive spam messages and SA cannot block them.  
> 
> why should it? They seem ham to is.
> 
> >I've also checked the raw message at
> >http://spamcheck.postmarkapp.com/ and score was very low either.
> >
> >I've trained the SA and it worked for a while but now it's useless.
> >
> >
> >How can I prevent those spams? They look like poems  
> 
> >Message source:
> >http://pastebin.com/nnN0jGw8  
> 
> clear case of mistrained BAYES causing message being marked as ham.
> you just have to re-train such spams as spam, it may take some time
> (not very long) until it starts hitting properly.

The pastebin example was auto-learned as ham, it may be hard to
counter this with manual training.

bayes_auto_learn_threshold_nonspam should be set lower. If possible
clear the Bayes database and train from manually sorted mail.
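
Whether a message was auto-learned as ham, as noted above for the pastebin sample, is recorded in the X-Spam-Status header SpamAssassin adds. The sketch below is an added example, not code from any poster in this thread: it scans hand-verified spam and lists the messages that were auto-learned as ham or that still hit a ham-leaning BAYES_* rule. The sample messages, file names and the helpers `parse_status` and `needs_relearn` are constructed for illustration.

```python
import email
import re

# Constructed sample messages (not taken from the thread); the X-Spam-Status
# layout follows the header SpamAssassin adds to scanned mail.
KNOWN_SPAM = {
    "a.eml": "Subject: hot date\nX-Spam-Status: No, score=-1.9 required=5.0 "
             "tests=BAYES_00,\n\tHTML_MESSAGE,RP_MATCHES_RCVD autolearn=ham "
             "autolearn_force=no\n\tversion=3.4.1\n\nbody\n",
    "b.eml": "Subject: hot date\nX-Spam-Status: No, score=1.6 required=5.0 "
             "tests=BAYES_50,\n\tHTML_MESSAGE autolearn=no version=3.4.1\n\nbody\n",
    "c.eml": "Subject: hot date\nX-Spam-Status: No, score=-1.1 required=5.0 "
             "tests=BAYES_00,\n\tHTML_MESSAGE autolearn=no version=3.4.1\n\nbody\n",
    "d.eml": "Subject: hot date\n\nnever scanned, no header\n",
}

# Bayes rules that mean "probably ham"; on verified spam they show a bad database.
HAM_LEANING = {"BAYES_00", "BAYES_05", "BAYES_20", "BAYES_40"}


def parse_status(raw):
    """Return score, autolearn state and BAYES_* hit, or None if never scanned."""
    hdr = email.message_from_string(raw).get("X-Spam-Status")
    if hdr is None:
        return None
    _verdict, _, rest = str(hdr).partition(",")   # drop the leading "No,"/"Yes,"
    rest = re.sub(r",\s+", ",", rest)             # rejoin a folded tests= list
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    tests = fields.get("tests", "").split(",")
    return {
        "score": float(fields["score"]) if "score" in fields else None,
        "autolearn": fields.get("autolearn"),
        "bayes": next((t for t in tests if t.startswith("BAYES_")), None),
    }


def needs_relearn(known_spam):
    """List hand-verified spam that was auto-learned as ham or that Bayes rates as ham."""
    flagged = []
    for name, raw in sorted(known_spam.items()):
        status = parse_status(raw)
        if status is None:
            continue
        if status["autolearn"] == "ham":
            flagged.append((name, "auto-learned as ham", status["score"]))
        elif status["bayes"] in HAM_LEANING:
            flagged.append((name, "Bayes rates it as ham", status["score"]))
    return flagged
```

The files it lists are the ones to feed back with `sa-learn --spam`, run as the account the scanner itself uses.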

Re: Low spam score: -1.9

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 10.01.17 10:48, Emin Akbulut wrote:
>Recently we receive spam messages and SA cannot block them.

why should it? They seem ham to is.

>I've also checked the raw message at  http://spamcheck.postmarkapp.com/
>and score was very low either.
>
>I've trained the SA and it worked for a while but now it's useless.
>
>
>How can I prevent those spams? They look like poems

>Message source:
>http://pastebin.com/nnN0jGw8

clear case of mistrained BAYES causing message being marked as ham.
you just have to re-train such spams as spam, it may take some time (not
very long) until it starts hitting properly.

Note that it's important you train the messages under the user which is used
to check (e.g. amavis user) - it's useless to train different user.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Re: Low spam score: -1.9

Posted by Marc Stürmer <ma...@marc-stuermer.de>.
Am 2017-01-10 08:48, schrieb Emin Akbulut:

> Hi all,
> 
> Recently we receive spam messages and SA cannot block them.
> I've also checked the raw message at  http://spamcheck.postmarkapp.com/
> and score was very low either.
> 
> I've trained the SA and it worked for a while but now it's useless.
> 
> How can I prevent those spams? They look like poems

You should evaluate using third party rule sets with SpamAssassin or 
maybe making your own.

If you are using Postfix, using Postscreen might also help to reduce 
your spam load.

Re: Low spam score: -1.9

Posted by Jari Fredriksson <ja...@iki.fi>.

Reindl Harald kirjoitti 21.1.2017 22:33:
> Am 21.01.2017 um 21:21 schrieb Jari Fredriksson:
>> Emin Akbulut kirjoitti 10.1.2017 9:48:
>> 
>>> Hi all,
>>> 
>>> Recently we receive spam messages and SA cannot block them.
>>> I've also checked the raw message at  http://spamcheck.postmarkapp.com/
>>> and score was very low either.
>>> 
>>> I've trained the SA and it worked for a while but now it's useless.
>>> 
>>> 
>>> How can I prevent those spams? They look like poems
>>> 
>>> * * * * * * * * * * * * * * *
>>> 
>> 
>> Please do NOT post spam to list. Put it to a pastebin.ca or similar and
>> post a link. The spam you spew might poison our SA...
> 
> then fix your SA not to train manually every crap and do it proper at your own

Oh well. Well, my SA does not train SA lists anyhow, but this was just a
common thing. Sorry about that.


-- 
jarif@iki.fi

Re: Low spam score: -1.9

Posted by Jari Fredriksson <ja...@iki.fi>.
Emin Akbulut kirjoitti 10.1.2017 9:48:

> Hi all, 
> 
> Recently we receive spam messages and SA cannot block them. 
> I've also checked the raw message at  http://spamcheck.postmarkapp.com/ 
> and score was very low either. 
> 
> I've trained the SA and it worked for a while but now it's useless. 
> 
> How can I prevent those spams? They look like poems 
> 
> * * * * * * * * * * * * * * *

Please do NOT post spam to list. Put it to a pastebin.ca or similar and
post a link. The spam you spew might poison our SA... 

-- 
jarif@iki.fi