Posted to users@spamassassin.apache.org by Debbie D <we...@beautytech.com> on 2006/12/23 14:47:41 UTC
"insider information" slipping through
Can someone try and help me understand why this keeps slipping through.. in
2+ days I have 40 or more of these to various addresses of my own on the
server
http://sial.org/pbot/21945
(Thanks Theo for the link)
Re: "insider information" slipping through
Posted by Ed Kasky <ed...@esson.net>.
At 05:47 AM Saturday, 12/23/2006, you wrote -=>
>Can someone try and help me understand why this keeps slipping through.. in
>2+ days I have 40 or more of these to various addresses of my own on the
>server
>
>http://sial.org/pbot/21945
>
>
>(Thanks Theo for the link)
Scored 7.4 on my setup. Notice where it got most of the score:
Content analysis details: (7.4 points, 6.9 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
2.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.4 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.2 DIGEST_MULTIPLE Message hits more than one network digest check
Are you using Pyzor and DCC checks?
Ed
. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (316 of 1124):
A place for everything and everything in its place.
-- Isabella Mary Beeton, "The Book of Household Management"
[Quoted in "VMS Internals and Data Structures", V4.4, when
referring to memory management system services.]
Re: "Present" slipping through - same as "insider information"
Posted by Chris <cp...@earthlink.net>.
On Thursday 28 December 2006 8:12 am, Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name
> and the word Present getting through and they are the same as the insider
> information from last week. I have MailScanner, SpamAssassin, SARE, Botnet,
> Razor2, Pyzor, ClamAv and f-prot all installed and as far as I know working
> properly. Anyone else having this issue?
>
> Thanks
They're not slipping through here:
Content analysis details: (45.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=70.62.66.95,hostname=rrcs-70-62-66-95.midsouth.biz.rr.com,maildomain=ace-ina.com,client,ipinhostname]
1.7 SARE_MLB_Stock1 BODY: SARE_MLB_Stock1
1.7 SARE_MLB_Stock2 BODY: SARE_MLB_Stock2
0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
1.5 IXHASH BODY: Classified as spam at iX Magazine, Germany
1.5 LOGINHASH2 BODY: Classified as spam at unknown company, Germany
1.5 LOGINHASH1 BODY: Spam at LogIn&Solutions AG, Germany
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
10 CLAMAV Clam AntiVirus detected a virus
0.8 DIGEST_MULTIPLE Message hits more than one network digest check
1.0 SAGREY Adds 1.0 to spam from first-time senders
Are you running any network tests? Any SARE rule sets installed? Steve Basford
does a fantastic job with his add-on clamav signature files for phishing and
scam messages. This one was tagged as X-Spam-Virus: Yes
(Email.Stk.Gen124.Sanesecurity.06122204). But even without the clamav tag
this would have still been picked up as spam.
HTH
--
Chris
http://learn.to/quote
Re: "Present" slipping through - same as "insider information"
Posted by Duane Hill <d....@yournetplus.com>.
Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name and the word
> Present getting through and they are the same as the insider information from last
> week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot
> all installed and as far as I know working properly. Anyone else having this issue?
>
> Thanks
>
I, like Chris who posted results, hardly have any slipping through
here either. I don't have Pyzor, DCC or Razor running and have bayes
trained up. I do keep rules that I keep updated on a daily basis using
sa-update. Here is a header from one such message that was trapped:
X-Spam-Level: xxxxxxxxxxxxxx
X-Spam-Status: Hits:14.6 Learn:no Tests:BAYES_99,HELO_DYNAMIC_IPADDR,
RCVD_FORGED_WROTE,SARE_LWSHORTT,SARE_MLB_Stock1,SARE_MLB_Stock2
Re: "Present" slipping through - same as "insider information"
Posted by maillist <ma...@emailacs.com>.
Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name and the word
> Present getting through and they are the same as the insider information from last
> week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot
> all installed and as far as I know working properly. Anyone else having this issue?
>
> Thanks
>
>
I do not have that issue. Are you using sa-learn to learn the messages
as spam?
-=Aubrey=-
"Present" slipping through - same as "insider information"
Posted by Vernon Webb <ve...@comp-wiz.com>.
I have a ton of these emails getting through that have the sender's name and the word
Present getting through and they are the same as the insider information from last
week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot
all installed and as far as I know working properly. Anyone else having this issue?
Thanks
Re: "insider information" slipping through
Posted by Vernon Webb <ve...@comp-wiz.com>.
I've been following this thread as I am also receiving this SPAM and it is not labeled
as such. Looking through old SPAM I have I noticed that I have most of the things
mentioned in my headers for SPAM that I do have, however I know I have PYZOR installed
but am seeing nothing labeled with the correct heading for PYZOR. Is there something
that needs to be turned on in SA that will enable it? If so where?
Thanks
Re: "insider information" slipping through
Posted by Debbie D <we...@beautytech.com>.
Thanks everyone.. I see that I really need to tweak my SA, I am not using
many of its features evidently.. I never saw any rule that would mark a
mail because ClamAV found a virus attached.. I can't find anywhere this
RCVD_FORGED_WROTE rule either.. that alone would have made a huge difference
and gotten rid of it, almost every one I get is scored at 4.0 or higher
My personal SA is set to 4.9 and I have Eudora filter any score over 4.0 to
its own mailbox so I can see what's going on.. almost every one of these end
up in there..
Re: "insider information" slipping through
Posted by Chris <cp...@earthlink.net>.
On Saturday 23 December 2006 7:47 am, Debbie D wrote:
> Can someone try and help me understand why this keeps slipping through.. in
> 2+ days I have 40 or more of these to various addresses of my own on the
> server
>
> http://sial.org/pbot/21945
>
Hi Debbie, this scored fairly high here:
> Content analysis details: (35.1 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
> 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 0.0 BOTNET_BADDNS IP address doesn't have full circle DNS
> 0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
> 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
> 5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
> [cf: 100]
> 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> [cf: 100]
> 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
> 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 10 CLAMAV Clam AntiVirus detected a virus
> 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
> [82.201.215.234 listed in combined.njabl.org]
> 0.8 DIGEST_MULTIPLE Message hits more than one network digest check
> 0.0 BOTNET_CLIENT Hostname looks like a client hostname
> 5.0 BOTNET The submitting mail server looks like part of a Botnet
> 1.0 SAGREY Adds 1.0 to spam from first-time senders
Of course 15 of those points came from the clamav and botnet plugins. I didn't
see any bayes score on your sample. You can always go and save these then run
sa-learn --spam against them. I also don't see any network test, do you have
them enabled? Any of the above would have been enough to kick it over the
threshold to spam.
--
Chris
http://learn.to/quote
Re: "insider information" slipping through
Posted by Ray Anderson <rs...@rb-com.com>.
Debbie D wrote:
> Can someone try and help me understand why this keeps slipping through.. in
> 2+ days I have 40 or more of these to various addresses of my own on the
> server
>
> http://sial.org/pbot/21945
>
>
> (Thanks Theo for the link)
>
>
Scores for me:
Content analysis details: (19.5 points, 3.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
10 GMD_FAKETZ GMD_FAKETZ
2.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[124.106.8.240 listed in dnsbl.sorbs.net]
2.6 DNS_FROM_RFC_DSN RBL: Envelope sender in dsn.rfc-ignorant.org