Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2009/04/24 12:55:30 UTC

spam, one line, word attachment, no space ratio?

this spam, http://pastebin.com/m504b4262

one line in email, word document.  I didn't see it trigger any of the 
space ratio rules.

(sanesecurity guys, also see word doc attachment, 'sig at 11'? :-)?

usually when I see an empty (or near empty) spam I see one if not 
several of the space ratio rules triggered.

I also don't see the 'ALL CAPS' rule anymore?

I still see it in rules:
20_head_tests.cf:header SUBJ_ALL_CAPS           eval:subject_is_all_caps()
50_scores.cf:score SUBJ_ALL_CAPS 2.299 1.806 1.926 2.077

(that extra 2 points would have pushed it over the threshold?)

debug shows textcat thinks it's short:
[42304] dbg: textcat: message too short for language analysis

(I don't see this in debug? subject_is_all_caps)

did I disable some plugin somehow?
#loadplugin Mail::SpamAssassin::Plugin::Hashcash
#loadplugin Mail::SpamAssassin::Plugin::Pyzor
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
#loadplugin Mail::SpamAssassin::Plugin::AccessDB
#loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
#loadplugin Mail::SpamAssassin::Plugin::DomainKeys
#loadplugin Mail::SpamAssassin::Plugin::ASN
(side note, I upgraded, in place, this system from freebsd 6.4 32bit, to 
64bit.. yes, lots of work, so, what perl script or so did I forget to 
re-compile?)
I didn't see any errors


loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::PDFInfo /usr/local/etc/mail/spamassassin/PDFInfo.pm
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::DKIM
loadplugin Mail::SpamAssassin::Plugin::Check
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
loadplugin Mail::SpamAssassin::Plugin::URIDetail
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::VBounce
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
loadplugin Mail::SpamAssassin::Plugin::ImageInfo


[42304] dbg: message: ---- MIME PARSER START ----
[42304] dbg: message: parsing multipart, got boundary: 001636417e2558d1a0046847ba9f
[42304] dbg: message: found part of type multipart/alternative, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: multipart/alternative
[42304] dbg: message: found part of type application/msword, boundary: 001636417e2558d1a0046847ba9f
[42304] dbg: message: added part, type: application/msword
[42304] dbg: message: parsing multipart, got boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: found part of type text/plain, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: text/plain
[42304] dbg: message: found part of type text/html, boundary: 001636417e2558d199046847ba9d
[42304] dbg: message: added part, type: text/html
[42304] dbg: message: parsing normal part
[42304] dbg: message: parsing normal part
[42304] dbg: message: parsing normal part
[42304] dbg: message: ---- MIME PARSER END ----
[42304] dbg: message: decoding other encoding type (7bit), ignoring
[42304] dbg: message: decoding other encoding type (7bit), ignoring
[42304] dbg: textcat: message too short for language analysis
[42304] dbg: textcat: X-Languages: "", X-Languages-Length: 49


no errors that I see.

spamassassin -L < /tmp/email.eml > /dev/null
[42575] warn: netset: cannot include 10.1.1.1/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.129/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.130/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.136/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.241/32 as it has already been included
[42575] warn: netset: cannot include 204.89.241.242/32 as it has already been included
[42575] warn: netset: cannot include 216.134.223.38/32 as it has already been included

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


Re: spam, one line, word attachment, no space ratio?

Posted by John Wilcock <jo...@tradoc.fr>.
On 24/04/2009 12:55, Michael Scheidell wrote:
> this spam, http://pastebin.com/m504b4262
>
> one line in email, word document.  I didn't see it trigger any of the
> space ratio rules.

Nor me.

> I also don't see the 'ALL CAPS' rule anymore?

I suspect, without having checked the eval code, that subjects must have 
a certain minimum length to trigger that rule. SUBJ_ALL_CAPS certainly 
hits plenty of other messages here.

Other rules that do hit for me include FREEMAIL_REPLYTO and 
FREEMAIL_FROM_D2, as well as a couple of homebrew meta rules that 
trigger on "Content-Transfer-Encoding: 7bit" with an inherently 8 bit 
charset (not a good enough spam sign by itself, but worthwhile in 
conjunction with other rules).

> full      __local_BAD7BIT         /Content-Type: text\/plain;.{1,40}charset=['"]?(?:iso-8859-[1-9]|windows-125[0-9]|utf-8)['"]?.{1,40}Content-Transfer-Encoding: 7bit/is
> header    __local_MULTIPART       Content-Type =~ m'multipart/(?:mixed|related)'i
>
> meta      local_BAD7BIT_RDNS_NONE (__local_BAD7BIT && __local_MULTIPART && RDNS_NONE)
> describe  local_BAD7BIT_RDNS_NONE 8 bit charset with 7 bit encoding, no RDNS
> score     local_BAD7BIT_RDNS_NONE 2.0
>
> ifplugin Mail::SpamAssassin::Plugin::FreeMail
> meta      local_BAD7BIT_FREEMAIL  (__local_BAD7BIT && __local_MULTIPART && FREEMAIL_REPLYTO)
> describe  local_BAD7BIT_FREEMAIL  Too few bits for charset, plain, freemail
> score     local_BAD7BIT_FREEMAIL  0.5
> endif


John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
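
Added example, not part of either post: the two sub-rules quoted above, transcribed into Python and run over three constructed messages to show when the meta rules fire. RDNS_NONE and FREEMAIL_REPLYTO are results of other SpamAssassin rules, so they are passed in as flags (an assumption); `evaluate` and `build` are hypothetical helper names.

```python
import re
from email import message_from_string

# Sub-rules transcribed from the post (Perl /is flags -> re.I | re.S).
BAD7BIT = re.compile(
    r"""Content-Type: text/plain;.{1,40}charset=['"]?"""
    r"""(?:iso-8859-[1-9]|windows-125[0-9]|utf-8)['"]?"""
    r""".{1,40}Content-Transfer-Encoding: 7bit""",
    re.I | re.S,
)
MULTIPART = re.compile(r"multipart/(?:mixed|related)", re.I)


def evaluate(raw, rdns_none=False, freemail_replyto=False):
    """Return {meta rule name: score} for the meta rules that would fire.

    rdns_none / freemail_replyto stand in for the RDNS_NONE and
    FREEMAIL_REPLYTO rule results (assumption of this example).
    """
    bad7bit = bool(BAD7BIT.search(raw))          # 'full' rule: raw message text
    top_ct = message_from_string(raw).get("Content-Type", "")
    multipart = bool(MULTIPART.search(top_ct))   # 'header' rule: top-level header
    hits = {}
    if bad7bit and multipart and rdns_none:
        hits["local_BAD7BIT_RDNS_NONE"] = 2.0
    # In the post this meta is wrapped in "ifplugin ...::FreeMail".
    if bad7bit and multipart and freemail_replyto:
        hits["local_BAD7BIT_FREEMAIL"] = 0.5
    return hits


def build(part_headers):
    """Constructed sample: multipart/mixed with a text part and a .doc part."""
    return ('Subject: HELLO\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\n" + part_headers + "\none line of text\n"
            "--b1\nContent-Type: application/msword\n\n(bytes omitted)\n--b1--\n")


# 8-bit charset declared, 7bit encoding declared right after it: matches.
MATCHING = build("Content-Type: text/plain; charset=ISO-8859-1\n"
                 "Content-Transfer-Encoding: 7bit\n")
# Same declarations with the two headers swapped: the regex is order-dependent.
SWAPPED = build("Content-Transfer-Encoding: 7bit\n"
                "Content-Type: text/plain; charset=ISO-8859-1\n")
# us-ascii with 7bit is consistent, so the sub-rule does not match.
ASCII = build("Content-Type: text/plain; charset=us-ascii\n"
              "Content-Transfer-Encoding: 7bit\n")
```

The swapped-header message shows that the `full` regex only matches when the Content-Type line comes first and Content-Transfer-Encoding follows within 40 characters of the charset value.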