Posted to users@spamassassin.apache.org by Owen Mehegan <ow...@nerdnetworks.org> on 2006/07/18 00:20:44 UTC
Stock/image-only spam still getting through
First, the prerequisites:
SpamAssassin version 3.1.1, running on Perl version 5.8.4
Debian Linux, 2.6.10 kernel
Using spamd
I've been inundated with maddening image-only stock spam lately. I've just today sat down to try and tweak my rules up to weed this out. I added sare_stocks and sare_obfu, updated my version of rules du jour for good measure, and restarted spamd. I tested these changes on an example message, and neither of those new rule sets hit on it at all. A few minutes later, ANOTHER of these messages came through! Argh! And I just realized, looking at its headers, these messages are getting through my greylisting too! Clever bastards.
I've attached the one that just got through. spamassassin -t reports the following for it:
0.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
1.3 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
The highest scores are for the HELO? We've got to be able to do better than that... what am I missing?
--
Owen B. Mehegan (owen@nerdnetworks.org)
Cell: 617-230-3679
Re: Stock/image-only spam still getting through
Posted by Loren Wilton <lw...@earthlink.net>.
> I've attached the one that just got through. spamassassin -t reports the
> following for it:
>
> 0.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> 2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
> 1.3 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
Well, I get
Content analysis details: (12.2 points, 4.6 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
0.9 HOST_EQ_D_D_D_DB HOST_EQ_D_D_D_DB
0.8 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
1.1 HELO_EQ_IP_ADDR HELO using IP Address (not private)
0.1 RCVD_BY_IP Received by mail server with no name
0.3 IP_NOT_FRIENDLY IP_NOT_FRIENDLY
1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
0.2 HTML_20_30 BODY: Message is 20% to 30% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 0.9948]
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
0.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?67.134.10.152>]
0.9 FM_NO_STYLE FM_NO_STYLE
Now 5 points is from Bayes_99. But even without that it seems to do pretty well.
Loren
Re: Stock/image-only spam still getting through
Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Jul 17, 2006 at 06:20:44PM -0400, Owen Mehegan wrote:
> The highest scores are for the HELO? We've got to be able to do better than that... what am I missing?
sa-update? with just local rules:
[19640] dbg: check: is spam? score=16.082 required=5
[19640] dbg: check:
tests=BAYES_99,EXTRA_MPART_TYPE,HELO_DYNAMIC_SPLIT_IP,HTML_20_30,HTML_MESSAGE,RCVD_NUMERIC_HELO,TVD_FW_GRAPHIC_ID1,TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID
even without bayes it'll be > 5.
--
Randomly Generated Tagline:
Bender: Well I don't have anything else planned for today, let's get drunk!
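Both Loren's and Theo's replies make the same point: once the current rule set is installed, the message clears the 5.0 threshold on header and MIME-structure rules alone, with Bayes only adding margin on top. The following is an added example (not code from this thread and not SpamAssassin's own rules) showing, in a few dozen lines of Python, the kind of checks those rules perform on an image-only message: a bare-IP HELO in the first Received header, a stray type= parameter on a non-related multipart, an inline GIF with a long machine-generated name, and a body that is nearly all image. The rule names, regexes and scores are simplified stand-ins for RCVD_NUMERIC_HELO, EXTRA_MPART_TYPE, SARE_GIF_ATTACH, TVD_FW_GRAPHIC_NAME_LONG and BAYES_99, and are assumptions, not the project's definitions; both sample messages are constructed for the example, and the Received format assumed is Postfix's "from <helo> (<rdns> [<ip>])".

```python
"""Toy scorer for image-only stock spam, modelled on the SpamAssassin output
quoted in the thread.  Added example; not SpamAssassin code.  Rule names,
patterns and point values are simplified assumptions, not the real rules."""
import email
import re
from email import policy

REQUIRED_SCORE = 5.0          # same threshold as the thread's "required=5"
DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: the only real payload is a GIF, and the relay HELO'd
# with a bare IP address (Postfix-style Received line assumed).
SPAM = b"""Received: from 192.0.2.77 (unknown [192.0.2.77])
\tby mx.example.net (Postfix) with SMTP id 7F3A1B2C
\tfor <user@example.net>; Mon, 17 Jul 2006 17:58:02 -0400
From: "Market Alert" <alert@example.org>
To: user@example.net
Subject: Hot pick
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"; type="text/html"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:chart"></body></html>
--b1
Content-Type: image/gif; name="a8f3c2d91e4b7f0a6c5d3e2f1b0a9c8d7e6f5a4b.gif"
Content-Transfer-Encoding: base64
Content-ID: <chart>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Constructed control message: plain text from a host with a real HELO name.
HAM = b"""Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3C4D
\tfor <user@example.net>; Mon, 17 Jul 2006 17:58:02 -0400
From: colleague@example.com
To: user@example.net
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Are we still on for noon? I booked the usual place.
"""


def rcvd_numeric_helo(msg):
    """Any relay announced itself with a dotted quad instead of a hostname."""
    return any(re.match(rf"^from\s+{DOTTED_QUAD}\s", str(r))
               for r in msg.get_all("Received", []))


def extra_mpart_type(msg):
    """type= parameter on a top-level multipart that is not multipart/related."""
    ctype = msg.get_content_type()
    return (ctype.startswith("multipart/") and ctype != "multipart/related"
            and msg.get_param("type") is not None)


def gif_attach(msg):
    return any(p.get_content_type() == "image/gif" for p in msg.walk())


def graphic_name_long(msg):
    """Image part whose filename looks machine-generated (long hex-ish name)."""
    return any(p.get_content_maintype() == "image"
               and len(p.get_filename() or "") >= 24 for p in msg.walk())


def html_message(msg):
    return any(p.get_content_type() == "text/html" for p in msg.walk())


def image_only(msg):
    """An image is present and the text parts carry almost no visible text."""
    visible = 0
    for p in msg.walk():
        if p.get_content_maintype() == "text":
            visible += len(re.sub(r"<[^>]*>", "", p.get_content()).strip())
    return gif_attach(msg) and visible < 40


# (name, points, predicate); points are illustrative, not SpamAssassin's.
RULES = [
    ("RCVD_NUMERIC_HELO", 1.3, rcvd_numeric_helo),
    ("EXTRA_MPART_TYPE", 0.8, extra_mpart_type),
    ("GIF_ATTACH", 0.8, gif_attach),
    ("GRAPHIC_NAME_LONG", 1.0, graphic_name_long),
    ("HTML_MESSAGE", 0.0, html_message),
    ("IMAGE_ONLY", 1.5, image_only),
]


def score_message(raw, bayes_prob=None):
    """Return (total, [(rule, points), ...]); bayes_prob mimics a BAYES_99 hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = [(name, pts) for name, pts, fn in RULES if fn(msg)]
    if bayes_prob is not None and bayes_prob >= 0.99:
        hits.append(("BAYES_99", 5.0))
    return sum(pts for _, pts in hits), hits


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        total, hits = score_message(raw)
        print(f"{label}: {total:.1f} points, required {REQUIRED_SCORE}")
        for name, pts in hits:
            print(f"  {pts:4.1f} {name}")
```

Run stand-alone, the constructed spam sample scores 5.4 on the structural rules alone and 10.4 with the Bayes stand-in, while the plain-text control hits nothing; that is the shape of the argument Theo and Loren are making about the real rule set. The numeric-HELO check assumes Postfix's Received layout, so adapt the regex to your own MTA before borrowing the idea.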
Re: Stock/image-only spam still getting through
Posted by Andy Jezierski <aj...@stepan.com>.
Owen Mehegan <ow...@nerdnetworks.org> wrote on 07/17/2006 05:20:44 PM:
> I've been inundated with maddening image-only stock spam lately.
> I've just today sat down to try and tweak my rules up to weed this
> out. I added sare_stocks and sare_obfu, updated my version of rules
> du jour for good measure, and restarted spamd. I tested these
> changes on an example message, and neither of those new rule sets
> hit on it at all. A few minutes later, ANOTHER of these messages
> came through! Argh! And I just realized, looking at its headers,
> these messages are getting through my greylisting too! Clever bastards.
Getting trapped over here....
X-Spam-Status: Yes, score=10.1 required=5.0 tests=BAYES_50,
EXTRA_MPART_TYPE,HELO_DYNAMIC_SPLIT_IP,HTML_MESSAGE,
RCVD_IN_BL_SPAMCOP_NET,RCVD_NUMERIC_HELO,TVD_FW_GRAPHIC_ID1,
TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID
autolearn=unavailable version=3.1.3
Andy