Posted to users@spamassassin.apache.org by Owen Mehegan <ow...@nerdnetworks.org> on 2006/07/18 00:20:44 UTC

Stock/image-only spam still getting through

First, the prerequisites:

SpamAssassin version 3.1.1, running on Perl version 5.8.4
Debian Linux, 2.6.10 kernel
Using spamd

I've been inundated with maddening image-only stock spam lately. I've just today sat down to try and tweak my rules up to weed this out. I added sare_stocks and sare_obfu, updated my version of rules du jour for good measure, and restarted spamd. I tested these changes on an example message, and neither of those new rule sets hit on it at all. A few minutes later, ANOTHER of these messages came through! Argh! And I just realized, looking at its headers, these messages are getting through my greylisting too! Clever bastards.

I've attached the one that just got through. spamassassin -t reports the following for it:

 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 2.9 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
                            IP)
 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif


The highest scores are for the HELO? We've got to be able to do better than that... what am I missing?

-- 
Owen B. Mehegan (owen@nerdnetworks.org)
Cell: 617-230-3679

Re: Stock/image-only spam still getting through

Posted by Loren Wilton <lw...@earthlink.net>.
> I've attached the one that just got through. spamassassin -t reports the 
> following for it:
>
> 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= 
> entry
> 2.9 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
>                            IP)
> 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif

Well, I get

Content analysis details:   (12.2 points, 4.6 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 HOST_EQ_D_D_D_D        HOST_EQ_D_D_D_D
 0.9 HOST_EQ_D_D_D_DB       HOST_EQ_D_D_D_DB
 0.8 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split 
IP)
 1.1 HELO_EQ_IP_ADDR        HELO using IP Address (not private)
 0.1 RCVD_BY_IP             Received by mail server with no name
 0.3 IP_NOT_FRIENDLY        IP_NOT_FRIENDLY
 1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9948]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see 
<http://www.spamcop.net/bl.shtml?67.134.10.152>]
 0.9 FM_NO_STYLE            FM_NO_STYLE

Now 5 points is from Bayes_99.  But even without that it seems to do pretty 
well.

        Loren


Re: Stock/image-only spam still getting through

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Jul 17, 2006 at 06:20:44PM -0400, Owen Mehegan wrote:
> The highest scores are for the HELO? We've got to be able to do better than that... what am I missing?

sa-update?  with just local rules:

[19640] dbg: check: is spam? score=16.082 required=5
[19640] dbg: check:
tests=BAYES_99,EXTRA_MPART_TYPE,HELO_DYNAMIC_SPLIT_IP,HTML_20_30,HTML_MESSAGE,RCVD_NUMERIC_HELO,TVD_FW_GRAPHIC_ID1,TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID

even without bayes it'll be > 5.

-- 
Randomly Generated Tagline:
Bender: Well I don't have anything else planned for today, let's get drunk!
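Both replies above make the same point: take the Bayes points out of the report and the message still clears the required score. The script below is an added example (not code from this thread and not part of SpamAssassin) that parses the `spamassassin -t` "Content analysis details" report, handles wrapped description lines, and recomputes the total with and without any rule whose name starts with a chosen prefix. The sample report embedded in it is constructed from the scores quoted in Loren's reply.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the report lines quoted in this thread.
SAMPLE_REPORT = """\
Content analysis details:   (12.2 points, 4.6 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 HOST_EQ_D_D_D_D        HOST_EQ_D_D_D_D
 0.9 HOST_EQ_D_D_D_DB       HOST_EQ_D_D_D_DB
 0.8 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split
IP)
 1.1 HELO_EQ_IP_ADDR        HELO using IP Address (not private)
 0.1 RCVD_BY_IP             Received by mail server with no name
 0.3 IP_NOT_FRIENDLY        IP_NOT_FRIENDLY
 1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9948]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see
<http://www.spamcop.net/bl.shtml?67.134.10.152>]
 0.9 FM_NO_STYLE            FM_NO_STYLE
"""

# A rule line starts with a signed decimal score, then the rule name.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")
# The summary line carries the total and the configured threshold.
HEADER_LINE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

Rule = Tuple[str, float, str]  # (name, score, description)


def parse_report(text: str) -> Tuple[Optional[float], List[Rule]]:
    """Return (required_score, rules) from a spamassassin -t report.

    Lines that do not start with a score are treated as continuations of
    the previous rule's description (the report wraps long descriptions).
    """
    required: Optional[float] = None
    rules: List[Rule] = []
    for line in text.splitlines():
        m = HEADER_LINE.search(line)
        if m:
            required = float(m.group(2))
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append((m.group(2), float(m.group(1)), m.group(3).strip()))
        elif rules and line.strip():
            name, score, desc = rules[-1]
            rules[-1] = (name, score, (desc + " " + line.strip()).strip())
    return required, rules


def score_without(rules: List[Rule], prefixes=("BAYES_",)) -> Tuple[float, float]:
    """Return (total, total minus every rule whose name has one of the prefixes)."""
    total = sum(score for _, score, _ in rules)
    excluded = sum(score for name, score, _ in rules if name.startswith(prefixes))
    return round(total, 1), round(total - excluded, 1)


def verdict(text: str, prefixes=("BAYES_",)) -> dict:
    """Summarise whether the message would still be tagged without the
    excluded rules. 'required' falls back to 5.0 (SpamAssassin's default)
    when the report has no summary line."""
    required, rules = parse_report(text)
    threshold = 5.0 if required is None else required
    total, reduced = score_without(rules, prefixes)
    return {
        "required": threshold,
        "total": total,
        "without_excluded": reduced,
        "spam_without_excluded": reduced >= threshold,
        "rules_hit": len(rules),
    }


if __name__ == "__main__":
    import sys

    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for key, value in verdict(report).items():
        print(f"{key}: {value}")
```

Run it as `spamassassin -t < message | python3 score_check.py` to see how far a given message sits above the threshold once the Bayes contribution is set aside; pass a different prefix tuple to `verdict()` to test the same question for any other rule family (for example the `SARE_` or `TVD_FW_` rules mentioned in this thread).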

Re: Stock/image-only spam still getting through

Posted by Andy Jezierski <aj...@stepan.com>.
Owen Mehegan <ow...@nerdnetworks.org> wrote on 07/17/2006 05:20:44 PM:

> I've been inundated with maddening image-only stock spam lately. 
> I've just today sat down to try and tweak my rules up to weed this 
> out. I added sare_stocks and sare_obfu, updated my version of rules 
> du jour for good measure, and restarted spamd. I tested these 
> changes on an example message, and neither of those new rule sets 
> hit on it at all. A few minutes later, ANOTHER of these messages 
> came through! Argh! And I just realized, looking at its headers, 
> these messages are getting through my greylisting too! Clever bastards.

Getting trapped over here....

X-Spam-Status: Yes, score=10.1 required=5.0 tests=BAYES_50,
        EXTRA_MPART_TYPE,HELO_DYNAMIC_SPLIT_IP,HTML_MESSAGE,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_NUMERIC_HELO,TVD_FW_GRAPHIC_ID1,
        TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID
        autolearn=unavailable version=3.1.3

Andy