Posted to users@spamassassin.apache.org by Rocco Scappatura <Ro...@sttspa.it> on 2007/03/28 12:06:55 UTC
Big trouble
For some days now, the number of spams that SA doesn't block has
increased.
Every time I'm going to analyse the message:
1) Save the message in mbox format 'message.mbox'
2) su - amavis -c "spamassassin -t < message.mbox"
And I get that the score is greater than 5.0 and often I get:
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?71.175.150.184>]
That is, if the message is sent just now, the message is rejected (?).
So I feel that every time I receive a spam, the system spends a
period of time to 'learn' that that message is spam.
If this is true, I would like to figure out how I can block these
messages in advance.
Could someone give me a hint?
TIA,
rocsca
RE: Big trouble
Posted by UxBoD <ux...@splatnix.net>.
If you wish to reject at MTA level then please read http://www.postfix.org/uce.html under the section "Client hostname/address restrictions" as you are able to specify a list of RBLs.
Regards,
UxBoD
On Wed, 28 Mar 2007 12:20:16 +0200, "Rocco Scappatura" <Ro...@sttspa.it> wrote:
>> What MTA are you using?
>
> Postfix+MySQL+Amavisd-new
>
> rocsca
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net
--
This message has been scanned for viruses and dangerous content by MailScanner, and is
believed to be clean.
RE: Big trouble
Posted by Rocco Scappatura <Ro...@sttspa.it>.
> What MTA are you using?
Postfix+MySQL+Amavisd-new
rocsca
Re: Big trouble
Posted by UxBoD <ux...@splatnix.net>.
What MTA are you using?
On Wed, 28 Mar 2007 12:06:55 +0200, "Rocco Scappatura" <Ro...@sttspa.it> wrote:
> For some days now, the number of spams that SA doesn't block has
> increased.
>
> Every time I'm going to analyse the message:
>
> 1) Save the message in mbox format 'message.mbox'
> 2) su - amavis -c "spamassassin -t < message.mbox"
>
> And I get that the score is greater than 5.0 and often I get:
>
> 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> [Blocked - see <http://www.spamcop.net/bl.shtml?71.175.150.184>]
>
> That is, if the message is sent just now, the message is rejected (?).
>
> So I feel that every time I receive a spam, the system spends a
> period of time to 'learn' that that message is spam.
>
> If this is true, I would like to figure out how I can block these
> messages in advance.
>
> Could someone give me a hint?
>
> TIA,
>
> rocsca
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net
--
Re: Big trouble
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Mar 29, 2007 at 12:37:56PM +0100, Justin Mason wrote:
> > Could it be that the combined-HIB.dnsiplists.completewhois.com
> > chokes under the load of a GA/perceptron run and stops responding?
> > I've seen it unresponsive yesterday for about half an hour.
>
> odd. I guess that's a possibility... :(
Well, no actually, it couldn't possibly have anything to do with that --
the GA and perceptron simply process log files, they don't make queries.
If you mean the score generation run, which finished weeks ago btw, it's
possible but super highly unlikely. We only have a handful of people
doing a run, and at max any of them are only going to be doing maybe 8
or 10 queries/sec, but much more likely it'd be 2-3 queries/sec.
If RBL servers can't handle the massive 30 queries/sec that we'd be
putting out, find another RBL. :)
--
Randomly Selected Tagline:
"Has everybody had a cosmic breath? Ok, let's continue." - Susan Vick
Re: Big trouble
Posted by Mark Martinec <Ma...@ijs.si>.
Rocco,
> > > 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on
> > I wonder why the score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1?
>
> I don't understand... maybe my remark is wrong,
> but I [do] get this score for the rules above
I said '3.2.0-rc1', didn't I?
Btw, I got 1800 messages hitting RCVD_IN_WHOIS_BOGONS in the
last 24 hours since I re-enabled the rule. (like 50.30.64.209,
180.48.158.64, 94.130.200.203, ...); 6 of these were possibly
false positives (unconfirmed, half of them from the same mailing list).
Could it be that the combined-HIB.dnsiplists.completewhois.com
chokes under the load of a GA/perceptron run and stops responding?
I've seen it unresponsive yesterday for about half an hour.
Mark
RE: Big trouble
Posted by Rocco Scappatura <Ro...@sttspa.it>.
> > 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
> > [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>
> I wonder why the score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1?
> (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED,
> which are nonzero)
>
> rules/50_scores.cf :
> score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3
I don't understand... maybe my remark is wrong, but I get this score for
the rules above:
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
[102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
Anyway, what makes you think that the score for RCVD_IN_WHOIS_BOGONS is 0?
rocsca
Re: Big trouble
Posted by Mark Martinec <Ma...@ijs.si>.
> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
> [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
I wonder why the score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1?
(unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, which are nonzero)
rules/50_scores.cf :
score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3
Mark
Re: Big trouble
Posted by Anthony Peacock <a....@chime.ucl.ac.uk>.
Hi,
Rocco Scappatura wrote:
>> There is another discussion on this list about rules that
>> catch these sorts of messages. Check that out for ideas.
>>
>> For what it is worth these are the rules I get:
>>
>> Content analysis details: (10.5 points, 5.0 required)
>>
>> pts rule name description
>> ---- ---------------------- --------------------------------------------------
>> 2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
>> 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
>> 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
>> 0.6 J_CHICKENPOX_14 BODY: 1alpha-pock-4alpha
>> 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>> [score: 1.0000]
>> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
>> [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>> 1.0 RCVD_IN_JANET_RBL RBL: Relay in JANET MAPS RBL+ RBL
>> [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
>> 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
>
> I get:
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
> 0.1 TW_GD BODY: Odd Letter Triples with GD
> 0.1 TW_LG BODY: Odd Letter Triples with LG
> -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
> [score: 0.3955]
> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
> [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
> 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
> 0.6 AWL AWL: From: address is in the auto white-list
>
> But only some hours after I received the messages...
>
> I suppose that at that time the score assigned by your SA was lower than
> what you just reported above... (maybe at that time, the IP 102.176.29.76 was
> "not-DNSBListed").
>
> Anyway, I figure that your SA uses different rulesets from mine...
>
> Could you suggest a good set of rulesets I should use to lower
> the chance that spam passes through my spam scanner while maintaining a good
> level of performance?
The biggest difference is that my Bayes system scored it as BAYES_99
which adds 3.5 points, and your Bayes system scored it as BAYES_40 which
subtracted 0.2 points.
I did get a few of those emails come through at the start, but by
feeding them into my Bayes system they now get caught.
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
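The comparison Anthony and Rocco do by eye above, as an added example that is not part of this thread: a small Python parser for the "pts rule name description" table that spamassassin -t prints, fed with the two reports quoted above retyped as constructed sample input (mail-client line wrapping left in), which totals each report and lists the rules that diverge, so the BAYES_99 / BAYES_40 and RCVD_IN_JANET_RBL differences stand out.

```python
import re

# Constructed sample input: the two "spamassassin -t" rule tables compared in
# this thread, retyped with the continuation lines a mail client wraps in.
REPORT_A = """\
pts rule name description
---- ---------------------- --------------------------------------------------
2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
[102.176.29.76 listed in
combined-HIB.dnsiplists.completewhois.com]
1.0 RCVD_IN_JANET_RBL RBL: Relay in JANET MAPS RBL+ RBL
"""
REPORT_B = """\
pts rule name description
---- ---------------------- --------------------------------------------------
2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.1 TW_GD BODY: Odd Letter Triples with GD
0.1 TW_LG BODY: Odd Letter Triples with LG
-0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
[score: 0.3955]
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
0.6 AWL AWL: From: address is in the auto white-list
"""

# A rule line starts with signed points, then the rule name; header, dashes and
# the "[score: ...]" / "[ip listed in ...]" continuation lines do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+\S")

def parse_report(text):
    """Map rule name -> points for every rule that fired in the report."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total(hits):
    """Total score as SpamAssassin sums it (compare against 'required')."""
    return round(sum(hits.values()), 1)

def diff_reports(a, b):
    """Rules whose points differ between two reports; None means it did not fire."""
    return {r: (a.get(r), b.get(r))
            for r in sorted(set(a) | set(b)) if a.get(r) != b.get(r)}
```

Run `diff_reports(parse_report(REPORT_A), parse_report(REPORT_B))` on two reports for the same message to see exactly which rules (Bayes bucket, RBL listing that appeared later) account for the score gap.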
RE: Big trouble
Posted by Rocco Scappatura <Ro...@sttspa.it>.
> There is another discussion on this list about rules that
> catch these sorts of messages. Check that out for ideas.
>
> For what it is worth these are the rules I get:
>
> Content analysis details: (10.5 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
> 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
> 0.6 J_CHICKENPOX_14 BODY: 1alpha-pock-4alpha
> 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> [score: 1.0000]
> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
> [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
> 1.0 RCVD_IN_JANET_RBL RBL: Relay in JANET MAPS RBL+ RBL
> [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
> 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
I get:
pts rule name description
---- ---------------------- --------------------------------------------------
2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.1 TW_GD BODY: Odd Letter Triples with GD
0.1 TW_LG BODY: Odd Letter Triples with LG
-0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
[score: 0.3955]
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
[102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
0.6 AWL AWL: From: address is in the auto white-list
But only some hours after I received the messages...
I suppose that at that time the score assigned by your SA was lower than
what you just reported above... (maybe at that time, the IP 102.176.29.76 was
"not-DNSBListed").
Anyway, I figure that your SA uses different rulesets from mine...
Could you suggest a good set of rulesets I should use to lower
the chance that spam passes through my spam scanner while maintaining a good
level of performance?
TIA,
rocsca
Re: Big trouble
Posted by Anthony Peacock <a....@chime.ucl.ac.uk>.
Hi,
Rocco Scappatura wrote:
>> Before anyone can give you a hint on how to block the
>> messages, we would need to see what the messages are.
>>
>> Same form as before, save the message (with full headers) and
>> place it somewhere where we can download it.
>
> http://www.rocsca.it/INBOX
There is another discussion on this list about rules that catch these
sorts of messages. Check that out for ideas.
For what it is worth these are the rules I get:
Content analysis details: (10.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.9 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
0.6 J_CHICKENPOX_14 BODY: 1alpha-pock-4alpha
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
[102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
1.0 RCVD_IN_JANET_RBL RBL: Relay in JANET MAPS RBL+ RBL
[102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
RE: Big trouble
Posted by Rocco Scappatura <Ro...@sttspa.it>.
> Before anyone can give you a hint on how to block the
> messages, we would need to see what the messages are.
>
> Same form as before, save the message (with full headers) and
> place it somewhere where we can download it.
http://www.rocsca.it/INBOX
rocsca
Re: Big trouble
Posted by Anthony Peacock <a....@chime.ucl.ac.uk>.
Hi Rocco,
Rocco Scappatura wrote:
> For some days now, the number of spams that SA doesn't block has
> increased.
>
> Every time I'm going to analyse the message:
>
> 1) Save the message in mbox format 'message.mbox'
> 2) su - amavis -c "spamassassin -t < message.mbox"
>
> And I get that the score is greater than 5.0 and often I get:
>
> 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> [Blocked - see <http://www.spamcop.net/bl.shtml?71.175.150.184>]
>
> That is, if the message is sent just now, the message is rejected (?).
>
> So I feel that every time I receive a spam, the system spends a
> period of time to 'learn' that that message is spam.
>
> If this is true, I would like to figure out how I can block these
> messages in advance.
>
> Could someone give me a hint?
Before anyone can give you a hint on how to block the messages, we
would need to see what the messages are.
Same form as before, save the message (with full headers) and place it
somewhere where we can download it.
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw