Posted to users@spamassassin.apache.org by Casey King <ck...@lovebox.com> on 2005/11/22 15:56:14 UTC

New Spammer?

This morning we have been getting drilled by spam/virus emails.  40 so
far.  Been getting a lot of phone calls from across the company about
these emails.  At least my mailscanner boxes are stripping the files,
and tagging it as spam, but what worries me, is the low scores these
messages are receiving.  I start tagging spam, at 3.5 so each message
has been tagged, but still sent through.  Anyone else seeing these
emails?

Header:

Return-Path: < g>
Received: from bohoqsobp.us (12-219-139-163.client.mchsi.com
[12.219.139.163])
     by mail.lovebox.com (8.13.4/8.13.4) with SMTP id jALMiLIS008948;
     Mon, 21 Nov 2005 16:44:22 -0600
From: webmaster@dfa.state.ny.us
To: XPost@lovebox.com
Date: Mon, 21 Nov 2005 22:41:54 UTC
Subject: Mail delivery failed
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <5d...@dfa.state.ny.us>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="======5d580c.aff4910fa20fafbb2a"
Content-Transfer-Encoding: 7bit

Subject: Mail delivery failed

Report:

MailScanner: Executable DOS/Windows programs are dangerous in email
(File-packed_da.exe)
Inoculate: File ./jALMiLIS008948/mail_body.zip is infected by virus: Win32/Sober.W!Worm
Inoculate: File ./jALMiLIS008948/mail_body.zip/File-packed_dataInfo.exe/ is infected by virus: Win32/Sober.W!Worm
ClamAV: mail_body.zip contains Worm.Sober.U

Inoculate: File ./jALMiLIS008948/File-packed_dataInfo.exe is infected by virus: Win32/Sober.W!Worm
ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U
MailScanner: Executable DOS/Windows programs are dangerous in email
(File-packed_dataInfo.exe)
MailScanner: Executable DOS/Windows programs are dangerous in email
(File-packed_da.exe)
Inoculate: File ./jALMiLIS008948/File-packed_dataInfo.exe is infected by
virus: Win32/Sober.W!Worm
ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U
MailScanner: Executable DOS/Windows programs are dangerous in email
(File-packed_dataInfo.exe)

SpamAssassin Score: 3.85

Spam Report:

	Score	Matching Rule			Description
	-1.80	ALL_TRUSTED			Did not pass through any untrusted hosts
	2.19	INVALID_DATE			Invalid Date: header (not RFC 2822)
	0.96	NO_REAL_NAME			From: does not include a real name
	0.50	RAZOR2_CF_RANGE_51_100		Razor2 gives confidence level above 50%
	1.50	RAZOR2_CF_RANGE_E4_51_100
	0.50	RAZOR2_CHECK			Listed in Razor2 (http://razor.sf.net/)

/var/log/maillog

Nov 21 16:44:42 wks-lin12 MailScanner[21338]: Saved archive copies of
jALMiUOJ008973 jALMiLIS008948 
Nov 21 16:44:52 wks-lin12 MailScanner[21338]: Message jALMiLIS008948
from 12.219.139.163 (webmaster@dfa.state.ny.us) to lovebox.com is spam,
SpamAssassin (score=3.854, required 3, ALL_TRUSTED -1.80, INVALID_DATE
2.19, NO_REAL_NAME 0.96, RAZOR2_CF_RANGE_51_100 0.50,
RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50) 
Nov 21 16:44:53 wks-lin12 MailScanner[21338]: Spam Actions: message
jALMiLIS008948 actions are store,deliver,striphtml 
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
/var/spool/MailScanner/incoming/21338/./jALMiLIS008948/File-packed_dataI
nfo.exe is infected by virus: Win32/Sober.W!Worm 
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
/var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip is
infected by virus: Win32/Sober.W!Worm 
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
/var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip<Fil
e-packed_dataInfo.exe> is infected by virus: Win32/Sober.W!Worm 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]:
/var/spool/MailScanner/incoming/21338/./jALMiLIS008948/File-packed_dataI
nfo.exe: Worm.Sober.U FOUND 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]:
/var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip:
Worm.Sober.U FOUND 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Infected message
jALMiLIS008948 came from 12.219.139.163 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks:
Windows/DOS Executable (jALMiLIS008948 File-packed_dataInfo.exe) 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks:
Windows/DOS Executable (jALMiLIS008948 File-packed_dataInfo.exe) 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved entire message to
/var/spool/MailScanner/quarantine/20051121/jALMiLIS008948 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
"File-packed_da.exe" to
/var/spool/MailScanner/quarantine/20051121/jALMiLIS008948 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
"mail_body.zip" to
/var/spool/MailScanner/quarantine/20051121/jALMiLIS008948 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
"File-packed_dataInfo.exe" to
/var/spool/MailScanner/quarantine/20051121/jALMiLIS008948 
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Logging message
jALMiLIS008948 to SQL 
Nov 21 16:44:57 wks-lin12 MailScanner[1488]: jALMiLIS008948: Logged to
MailWatch SQL 
Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948: to=dfair,
ctladdr=<eB...@lovebox.com> (8/0), delay=00:00:36, mailer=local,
pri=285904, dsn=5.1.1, stat=User unknown
Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948:
to=awray@imap.lovebox.com,root@imap.lovebox.com,tprice@imap.lovebox.com,
delay=00:00:36, xdelay=00:00:00, mailer=esmtp, pri=285904,
relay=imap.lovebox.com. [172.16.3.106], dsn=2.0.0, stat=Sent
(jALMiw1A006072 Message accepted for delivery)
Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948:
jALMivMA009046: DSN: User unknown



Re: New Spammer?

Posted by sa...@nacnud.force9.co.uk.
On Tuesday 22 Nov 2005 14:56, Casey King wrote:
> messages are receiving.  I start tagging spam, at 3.5 so each message
> has been tagged, but still sent through.  Anyone else seeing these
> emails?

New Sober outbreak, not spam, virus.

Just junk them totally, stripping is a waste of time for Sober (and most other 
W32/* viruses).

Re: New Spammer?

Posted by Menno van Bennekom <mv...@xs4all.nl>.
>
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
> I get the best of both worlds. Creative use of BLs also helps.
>
Very pleased with ClamAV too, but ClamAV alone is not enough for us. In the
last hours some virus types were not recognized by ClamAV, not even with
the most recent database (just submitted the samples to clamav). Luckily
they were caught because we allow password-protected zip files only if
they contain executable files. And we have 4 other virus scanners on our
Exchange server.
The virus types change so fast now that ClamAV has difficulty keeping up.

Regards
Menno van Bennekom


Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
No problem. I do like to help people when I can given time and knowledge.
If it works you got lucky.

{^_-}
----- Original Message ----- 
From: "Leonard SA" <sp...@pcnetsources.com>

> J,
> 
> Outstanding explanation :) Thank you..
> 
> I don't have the all_trusted setting; just the trusted_networks and the 
> internal_networks .. I've made some adjustment to the other IP address with 
> too much weight since this is a static IP and I can place the full address 
> as a trusted network. This is my home static IP. the server is owned by me, 
> runs publicly. is a qmail, apache, etc server.. so I can control it as 
> necessary ..
> 
> Thanks again for all of your help
> 
> Regards ..
> 
> Leonard
> ----- Original Message ----- 
> From: "jdow" <jd...@earthlink.net>
> 
>> The key to understanding "trusted" is that these are mail transfer agents
>> that you can trust not to forge headers. If you fetch from an ISP then it
>> is, perforce, the ISP's pop3 or imap client through which you fetch mail
>> with the fetchmail utility or equivalent. Such is my case. If you run an
>> smtp server yourself and receive from the world then that server, by all
>> its known addresses, is the extent of your trusted network. These are NOT
>> collections of addresses you "trust not to spam you." They ARE a very few
>> addresses that can be trusted not to forge headers and nothing more.
>>
>> That is why the bl tests throw up their hands and fail if trusted_networks
>> is set wrong. It has to find at least ONE header, starting from the 
>> bottom,
>> that it trusts. From the last address working upwards in the Received
>> headers it can't trust so it performs the lookup.
>>
>> If I remember correctly you were hitting ALL_TRUSTED. That is an 
>> indication
>> that you have this setup messed up. Misunderstanding the use of the
>> trusted_network concept is usually the problem. If you CAN change the
>> local.cf then with a little work Bob's your uncle. (I remember my
>> fortunately brief struggle with this. At the moment mine looks much like
>> this:
>> trusted_networks 127/8 207.217.121/24
>> internal_networks 192.168/16
>>
>> The 207 address space I accept is where Earthlink.net's pop3 servers live.
>> I use fetchmail from them.
>>
>> I hope this helps.
>> {^_^}
>> ----- Original Message ----- 
>> From: "Leonard SA" <sp...@pcnetsources.com>
>>
>>
>>> J,
>>>
>>> sorry about that offline email .. :(
>>>
>>> Thanks for the answer also. I will definitely make some changes to adjust 
>>> a more secure setup ..
>>>
>>> Regards ..
>>>
>>> Leonard
>>> ----- Original Message ----- 
>>> From: "jdow" <jd...@earthlink.net>
>>>
>>>> That is the general format. I do not have your original message to know
>>>> if the data is correct. It almost looks like you are trusting WAY too
>>>> much at the 70.119. part. Trust only the mail server(s) from which you
>>>> expect to never forge emails itself. In my case I trust the set of
>>>> mail servers earthlink lumps as pop3.earthlink.net outside of the local
>>>> network.
>>>>
>>>> {^_^}
>>>> ----- Original Message ----- 
>>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>>
>>>>> J,
>>>>>
>>>>> Is the trusted_network you're speaking of in the local.cf file as I have 
>>>>> below?
>>>>>
>>>>> trusted_networks        192.168.2.      127.0.0.1       70.119.
>>>>>
>>>>> I also use badmailfrom which will block mail at the SMTP level .. is SA 
>>>>> able to stop spam with some sort of BL / WL rules?
>>>>>
>>>>> Regards ..
>>>>>
>>>>> Leonard
>>>>>
>>>>> ----- Original Message ----- 
>>>>> From: "jdow" <jd...@earthlink.net>
>>>>> To: <us...@spamassassin.apache.org>
>>>>> Sent: Tuesday, November 22, 2005 6:23 PM
>>>>> Subject: Re: New Spammer?
>>>>>
>>>>>
>>>>>> Nowhere if he has no trusted network setup. That's his problem in a
>>>>>> nutshell. He cannot usefully run network tests.
>>>>>> {^_^}
>>>>>> ----- Original Message ----- 
>>>>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>>>>
>>>>>>
>>>>>>> Where are BLs setup at?
>>>>>>>
>>>>>>> Thanks in advance..
>>>>>>>
>>>>>>> Regards ..
>>>>>>>
>>>>>>>
>>>>>>> Leonard Bernstein
>>>>>>>
>>>>>>> -------------------------------------
>>>>>>> | Email leonardb@pcnetsources.com
>>>>>>> | Mobile (917) 807-3883
>>>>>>> | BlackBerry PIN 40082120
>>>>>>> | Technology Consultant
>>>>>>> -------------------------------------
>>>>>>> ----- Original Message ----- 
>>>>>>> From: "jdow" <jd...@earthlink.net>
>>>>>>> To: <us...@spamassassin.apache.org>
>>>>>>> Sent: Tuesday, November 22, 2005 5:37 PM
>>>>>>> Subject: Re: New Spammer?
>>>>>>>
>>>>>>>
>>>>>>>> From: "Matt Kettler" <mk...@comcast.net>
>>>>>>>>
>>>>>>>>> At 09:56 AM 11/22/2005, Casey King wrote:
>>>>>>>>>
>>>>>>>>>>This morning we have been getting drilled by spam/virus emails.
>>>>>>>>>
>>>>>>>>> Are they spam, or viruses? Not the same thing.
>>>>>>>>>
>>>>>>>>>>40 so far.
>>>>>>>>>
>>>>>>>>> I should be so lucky to see as few as 40/hour during any kind of 
>>>>>>>>> outbreak
>>>>>>>>>
>>>>>>>>>>  Been getting a lot of phone calls from across the company about 
>>>>>>>>>> these emails.  At least my mailscanner boxes are stripping the 
>>>>>>>>>> files, and tagging it as spam, but what worries me, is the low 
>>>>>>>>>> scores these messages are receiving.
>>>>>>>>>
>>>>>>>>> SpamAssassin is a spam scanner. Its official policy is to 
>>>>>>>>> EXPLICITLY not care about virus emails. No effort is made to try to 
>>>>>>>>> catch them, because doing so would dilute the scores of the spam 
>>>>>>>>> ruleset. No effort is made to try to avoid tagging them either. 
>>>>>>>>> They're just removed from the corpus and handled by the developers 
>>>>>>>>> as if they don't exist.
>>>>>>>>
>>>>>>>> Heh, I use the ClamAV plugin for SA and give it a hefty score. That 
>>>>>>>> way
>>>>>>>> I get the best of both worlds. Creative use of BLs also helps.
>>>>>>>>
>>>>>>>> {^_^}
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>


Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
And as it turns out I had an address wrong and had slightly fooed up what
was minimum needed for trusted. It turns out that this setup works just
fine with fetchmail.

trusted_networks 127/8
internal_networks 192.168/16

It appears I was slightly overtrusting since Earthlink's pop3 and its smtp
servers which don't use authentication share the same addresses. The above
works quite nicely and should some idiot play with Earthlink.net's smtp
to send spam it won't get the ALL_TRUSTED hit.

I'm glad I got motivated to look at this a little closer. This header
seems to be key for being trusted via localhost.

Received: from smtp.earthlink.net [209.86.93.210]
 by localhost with POP3 (fetchmail-6.2.5)
 for jdow@XXX.XXX.XXX (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)

Suits me fine!
{^_^}
----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>


> By the way, aside from that the BLs are setup out of the box just
> about the way I use them.
> {^_^}
> ----- Original Message ----- 
> From: "Leonard SA" <sp...@pcnetsources.com>
> 
>> J,
>> 
>> Outstanding explanation :) Thank you..
>> 
>> I don't have the all_trusted setting; just the trusted_networks and the 
>> internal_networks .. I've made some adjustment to the other IP address with 
>> too much weight since this is a static IP and I can place the full address 
>> as a trusted network. This is my home static IP. the server is owned by me, 
>> runs publicly. is a qmail, apache, etc server.. so I can control it as 
>> necessary ..
>> 
>> Thanks again for all of your help
>> 
>> Regards ..
>> 
>> Leonard
>


Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
By the way, aside from that the BLs are setup out of the box just
about the way I use them.
{^_^}
----- Original Message ----- 
From: "Leonard SA" <sp...@pcnetsources.com>

> J,
> 
> Outstanding explanation :) Thank you..
> 
> I don't have the all_trusted setting; just the trusted_networks and the 
> internal_networks .. I've made some adjustment to the other IP address with 
> too much weight since this is a static IP and I can place the full address 
> as a trusted network. This is my home static IP. the server is owned by me, 
> runs publicly. is a qmail, apache, etc server.. so I can control it as 
> necessary ..
> 
> Thanks again for all of your help
> 
> Regards ..
> 
> Leonard



Re: New Spammer?

Posted by Leonard SA <sp...@pcnetsources.com>.
J,

Outstanding explanation :) Thank you..

I don't have the all_trusted setting; just the trusted_networks and the 
internal_networks .. I've made some adjustment to the other IP address with 
too much weight since this is a static IP and I can place the full address 
as a trusted network. This is my home static IP. the server is owned by me, 
runs publicly. is a qmail, apache, etc server.. so I can control it as 
necessary ..

Thanks again for all of your help

Regards ..

Leonard
----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
To: <us...@spamassassin.apache.org>
Sent: Tuesday, November 22, 2005 9:41 PM
Subject: Re: New Spammer?


> The key to understanding "trusted" is that these are mail transfer agents
> that you can trust not to forge headers. If you fetch from an ISP then it
> is, perforce, the ISP's pop3 or imap client through which you fetch mail
> with the fetchmail utility or equivalent. Such is my case. If you run an
> smtp server yourself and receive from the world then that server, by all
> its known addresses, is the extent of your trusted network. These are NOT
> collections of addresses you "trust not to spam you." They ARE a very few
> addresses that can be trusted not to forge headers and nothing more.
>
> That is why the bl tests throw up their hands and fail if trusted_networks
> is set wrong. It has to find at least ONE header, starting from the 
> bottom,
> that it trusts. From the last address working upwards in the Received
> headers it can't trust so it performs the lookup.
>
> If I remember correctly you were hitting ALL_TRUSTED. That is an 
> indication
> that you have this setup messed up. Misunderstanding the use of the
> trusted_network concept is usually the problem. If you CAN change the
> local.cf then with a little work Bob's your uncle. (I remember my
> fortunately brief struggle with this. At the moment mine looks much like
> this:
> trusted_networks 127/8 207.217.121/24
> internal_networks 192.168/16
>
> The 207 address space I accept is where Earthlink.net's pop3 servers live.
> I use fetchmail from them.
>
> I hope this helps.
> {^_^}
> ----- Original Message ----- 
> From: "Leonard SA" <sp...@pcnetsources.com>
>
>
>> J,
>>
>> sorry about that offline email .. :(
>>
>> Thanks for the answer also. I will definitely make some changes to adjust 
>> a more secure setup ..
>>
>> Regards ..
>>
>> Leonard
>> ----- Original Message ----- 
>> From: "jdow" <jd...@earthlink.net>
>>
>>> That is the general format. I do not have your original message to know
>>> if the data is correct. It almost looks like you are trusting WAY too
>>> much at the 70.119. part. Trust only the mail server(s) from which you
>>> expect to never forge emails itself. In my case I trust the set of
>>> mail servers earthlink lumps as pop3.earthlink.net outside of the local
>>> network.
>>>
>>> {^_^}
>>> ----- Original Message ----- 
>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>
>>>> J,
>>>>
>>>> Is the trusted_network you're speaking of in the local.cf file as I have 
>>>> below?
>>>>
>>>> trusted_networks        192.168.2.      127.0.0.1       70.119.
>>>>
>>>> I also use badmailfrom which will block mail at the SMTP level .. is SA 
>>>> able to stop spam with some sort of BL / WL rules?
>>>>
>>>> Regards ..
>>>>
>>>> Leonard
>>>>
>>>> ----- Original Message ----- 
>>>> From: "jdow" <jd...@earthlink.net>
>>>> To: <us...@spamassassin.apache.org>
>>>> Sent: Tuesday, November 22, 2005 6:23 PM
>>>> Subject: Re: New Spammer?
>>>>
>>>>
>>>>> Nowhere if he has no trusted network setup. That's his problem in a
>>>>> nutshell. He cannot usefully run network tests.
>>>>> {^_^}
>>>>> ----- Original Message ----- 
>>>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>>>
>>>>>
>>>>>> Where are BLs setup at?
>>>>>>
>>>>>> Thanks in advance..
>>>>>>
>>>>>> Regards ..
>>>>>>
>>>>>>
>>>>>> Leonard Bernstein
>>>>>>
>>>>>> -------------------------------------
>>>>>> | Email leonardb@pcnetsources.com
>>>>>> | Mobile (917) 807-3883
>>>>>> | BlackBerry PIN 40082120
>>>>>> | Technology Consultant
>>>>>> -------------------------------------
>>>>>> ----- Original Message ----- 
>>>>>> From: "jdow" <jd...@earthlink.net>
>>>>>> To: <us...@spamassassin.apache.org>
>>>>>> Sent: Tuesday, November 22, 2005 5:37 PM
>>>>>> Subject: Re: New Spammer?
>>>>>>
>>>>>>
>>>>>>> From: "Matt Kettler" <mk...@comcast.net>
>>>>>>>
>>>>>>>> At 09:56 AM 11/22/2005, Casey King wrote:
>>>>>>>>
>>>>>>>>>This morning we have been getting drilled by spam/virus emails.
>>>>>>>>
>>>>>>>> Are they spam, or viruses? Not the same thing.
>>>>>>>>
>>>>>>>>>40 so far.
>>>>>>>>
>>>>>>>> I should be so lucky to see as few as 40/hour during any kind of 
>>>>>>>> outbreak
>>>>>>>>
>>>>>>>>>  Been getting a lot of phone calls from across the company about 
>>>>>>>>> these emails.  At least my mailscanner boxes are stripping the 
>>>>>>>>> files, and tagging it as spam, but what worries me, is the low 
>>>>>>>>> scores these messages are receiving.
>>>>>>>>
>>>>>>>> SpamAssassin is a spam scanner. Its official policy is to 
>>>>>>>> EXPLICITLY not care about virus emails. No effort is made to try to 
>>>>>>>> catch them, because doing so would dilute the scores of the spam 
>>>>>>>> ruleset. No effort is made to try to avoid tagging them either. 
>>>>>>>> They're just removed from the corpus and handled by the developers 
>>>>>>>> as if they don't exist.
>>>>>>>
>>>>>>> Heh, I use the ClamAV plugin for SA and give it a hefty score. That 
>>>>>>> way
>>>>>>> I get the best of both worlds. Creative use of BLs also helps.
>>>>>>>
>>>>>>> {^_^}
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>>>
>
> 


Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
The key to understanding "trusted" is that these are mail transfer agents
that you can trust not to forge headers. If you fetch from an ISP then it
is, perforce, the ISP's pop3 or imap client through which you fetch mail
with the fetchmail utility or equivalent. Such is my case. If you run an
smtp server yourself and receive from the world then that server, by all
its known addresses, is the extent of your trusted network. These are NOT
collections of addresses you "trust not to spam you." They ARE a very few
addresses that can be trusted not to forge headers and nothing more.

That is why the bl tests throw up their hands and fail if trusted_networks
is set wrong. It has to find at least ONE header, starting from the bottom,
that it trusts. From the last address working upwards in the Received
headers it can't trust so it performs the lookup.

If I remember correctly you were hitting ALL_TRUSTED. That is an indication
that you have this setup messed up. Misunderstanding the use of the
trusted_network concept is usually the problem. If you CAN change the
local.cf then with a little work Bob's your uncle. (I remember my
fortunately brief struggle with this. At the moment mine looks much like
this:
trusted_networks 127/8 207.217.121/24
internal_networks 192.168/16

The 207 address space I accept is where Earthlink.net's pop3 servers live.
I use fetchmail from them.

I hope this helps.
{^_^}
----- Original Message ----- 
From: "Leonard SA" <sp...@pcnetsources.com>


> J,
> 
> sorry about that offline email .. :(
> 
> Thanks for the answer also. I will definitely make some changes to adjust a 
> more secure setup ..
> 
> Regards ..
> 
> Leonard
> ----- Original Message ----- 
> From: "jdow" <jd...@earthlink.net>
> 
>> That is the general format. I do not have your original message to know
>> if the data is correct. It almost looks like you are trusting WAY too
>> much at the 70.119. part. Trust only the mail server(s) from which you
>> expect to never forge emails itself. In my case I trust the set of
>> mail servers earthlink lumps as pop3.earthlink.net outside of the local
>> network.
>>
>> {^_^}
>> ----- Original Message ----- 
>> From: "Leonard SA" <sp...@pcnetsources.com>
>>
>>> J,
>>>
>>> Is the trusted_network you're speaking of in the local.cf file as I have 
>>> below?
>>>
>>> trusted_networks        192.168.2.      127.0.0.1       70.119.
>>>
>>> I also use badmailfrom which will block mail at the SMTP level .. is SA 
>>> able to stop spam with some sort of BL / WL rules?
>>>
>>> Regards ..
>>>
>>> Leonard
>>>
>>> ----- Original Message ----- 
>>> From: "jdow" <jd...@earthlink.net>
>>> To: <us...@spamassassin.apache.org>
>>> Sent: Tuesday, November 22, 2005 6:23 PM
>>> Subject: Re: New Spammer?
>>>
>>>
>>>> Nowhere if he has no trusted network setup. That's his problem in a
>>>> nutshell. He cannot usefully run network tests.
>>>> {^_^}
>>>> ----- Original Message ----- 
>>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>>
>>>>
>>>>> Where are BLs setup at?
>>>>>
>>>>> Thanks in advance..
>>>>>
>>>>> Regards ..
>>>>>
>>>>>
>>>>> Leonard Bernstein
>>>>>
>>>>> -------------------------------------
>>>>> | Email leonardb@pcnetsources.com
>>>>> | Mobile (917) 807-3883
>>>>> | BlackBerry PIN 40082120
>>>>> | Technology Consultant
>>>>> -------------------------------------
>>>>> ----- Original Message ----- 
>>>>> From: "jdow" <jd...@earthlink.net>
>>>>> To: <us...@spamassassin.apache.org>
>>>>> Sent: Tuesday, November 22, 2005 5:37 PM
>>>>> Subject: Re: New Spammer?
>>>>>
>>>>>
>>>>>> From: "Matt Kettler" <mk...@comcast.net>
>>>>>>
>>>>>>> At 09:56 AM 11/22/2005, Casey King wrote:
>>>>>>>
>>>>>>>>This morning we have been getting drilled by spam/virus emails.
>>>>>>>
>>>>>>> Are they spam, or viruses? Not the same thing.
>>>>>>>
>>>>>>>>40 so far.
>>>>>>>
>>>>>>> I should be so lucky to see as few as 40/hour during any kind of 
>>>>>>> outbreak
>>>>>>>
>>>>>>>>  Been getting a lot of phone calls from across the company about 
>>>>>>>> these emails.  At least my mailscanner boxes are stripping the 
>>>>>>>> files, and tagging it as spam, but what worries me, is the low 
>>>>>>>> scores these messages are receiving.
>>>>>>>
>>>>>>> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY 
>>>>>>> not care about virus emails. No effort is made to try to catch them, 
>>>>>>> because doing so would dilute the scores of the spam ruleset. No 
>>>>>>> effort is made to try to avoid tagging them either. They're just 
>>>>>>> removed from the corpus and handled by the developers as if they 
>>>>>>> don't exist.
>>>>>>
>>>>>> Heh, I use the ClamAV plugin for SA and give it a hefty score. That 
>>>>>> way
>>>>>> I get the best of both worlds. Creative use of BLs also helps.
>>>>>>
>>>>>> {^_^}
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>

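The trust-path rule jdow describes above (walk the Received: chain, stop at the first relay that is not in trusted_networks, use that address for the DNSBL lookup, and score ALL_TRUSTED when every hop is trusted) can be modelled in a few lines. The following is an added example, not SpamAssassin's own code or anything posted in this thread: it is a simplified model of the trust walk, it reuses the two Received: headers that appear in this thread (Casey's single external hop and jdow's fetchmail hop), and the `172.16/12` range standing in for lovebox.com's internal network is an assumption taken from the `relay=imap.lovebox.com [172.16.3.106]` maillog line. The `parse_sa_network` helper expands the shorthand forms that appear in this thread (`127/8`, `207.217.121/24`, and the trailing-dot `70.119.` form), which makes visible how much address space a sloppy prefix actually trusts.

```python
import re
import ipaddress

# Received: headers from this thread, topmost (most recent hop) first.
# Casey's message: a single hop from an outside client straight to the MX.
CASEY_RECEIVED = [
    "Received: from bohoqsobp.us (12-219-139-163.client.mchsi.com [12.219.139.163]) "
    "by mail.lovebox.com (8.13.4/8.13.4) with SMTP id jALMiLIS008948; "
    "Mon, 21 Nov 2005 16:44:22 -0600",
]
# jdow's fetchmail hop from the later reply in this thread.
JDOW_RECEIVED = [
    "Received: from smtp.earthlink.net [209.86.93.210] by localhost with POP3 (fetchmail-6.2.5) "
    "for jdow@XXX.XXX.XXX (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)",
]

# The relay address SpamAssassin cares about is the bracketed IPv4 literal.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_sa_network(spec):
    """Expand trusted_networks shorthand into an IPv4 network.

    Handles the forms seen in this thread: '127/8', '207.217.121/24',
    a trailing-dot prefix such as '70.119.' (one octet = 8 bits), and a
    plain address, which is treated as a /32.
    """
    if "/" in spec:
        octets, prefix = spec.split("/", 1)
        prefix = int(prefix)
    elif spec.endswith("."):
        octets = spec.rstrip(".")
        prefix = 8 * len(octets.split("."))
    else:
        octets, prefix = spec, 32
    parts = octets.split(".")
    parts += ["0"] * (4 - len(parts))          # pad missing octets with zeros
    return ipaddress.ip_network("%s/%d" % (".".join(parts), prefix), strict=False)


def relay_ip(received_header):
    """Return the bracketed IP of the sending relay in one Received: header."""
    m = IP_RE.search(received_header)
    return m.group(1) if m else None


def first_untrusted_relay(received_headers, trusted_specs):
    """Simplified model of the trust walk (not SpamAssassin's code).

    Walk the Received: chain top-down while each relay is inside
    trusted_networks; the first relay outside it is the address a DNSBL
    lookup would use.  Returns None when every hop is trusted, which is
    the situation that fires ALL_TRUSTED.
    """
    trusted = [parse_sa_network(s) for s in trusted_specs]
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None:
            continue                            # unparseable hop, skip it
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None


def all_trusted(received_headers, trusted_specs):
    """True when no hop in the chain is outside trusted_networks."""
    return first_untrusted_relay(received_headers, trusted_specs) is None


if __name__ == "__main__":
    # Sane setup: loopback plus the MX's own internal range (172.16/12 is the
    # assumed stand-in for lovebox.com).  The outside client gets the lookup.
    print(first_untrusted_relay(CASEY_RECEIVED, ["127/8", "172.16/12"]))  # 12.219.139.163
    # Over-broad prefix in the style of '70.119.': the outside client is now
    # "trusted", no lookup happens and the message scores ALL_TRUSTED instead.
    print(all_trusted(CASEY_RECEIVED, ["127/8", "12."]))                  # True
    # jdow's final config from this thread: the ISP relay is the lookup target.
    print(first_untrusted_relay(JDOW_RECEIVED, ["127/8"]))                # 209.86.93.210
```

The check worth running against your own local.cf is the second case: if a message whose only external hop is a consumer address comes back ALL_TRUSTED, the trusted_networks list covers more than the MTAs you can vouch for not to forge headers, which is exactly the misconfiguration jdow points at.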

Re: New Spammer?

Posted by Leonard SA <sp...@pcnetsources.com>.
J,

sorry about that offline email .. :(

Thanks for the answer also. I will definitely make some changes to adjust a 
more secure setup ..

Regards ..

Leonard
----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
To: "Leonard SA" <sp...@pcnetsources.com>
Sent: Tuesday, November 22, 2005 8:09 PM
Subject: Re: New Spammer?


> That is the general format. I do not have your original message to know
> if the data is correct. It almost looks like you are trusting WAY too
> much at the 70.119. part. Trust only the mail server(s) from which you
> expect to never forge emails itself. In my case I trust the set of
> mail servers earthlink lumps as pop3.earthlink.net outside of the local
> network.
>
> {^_^}
> ----- Original Message ----- 
> From: "Leonard SA" <sp...@pcnetsources.com>
> To: "jdow" <jd...@earthlink.net>
> Sent: 2005 November, 22, Tuesday 16:38
> Subject: Re: New Spammer?
>
>
>> J,
>>
>> Is the trusted_network you're speaking of in the local.cf file as I have 
>> below?
>>
>> trusted_networks        192.168.2.      127.0.0.1       70.119.
>>
>> I also use badmailfrom which will block mail at the SMTP level .. is SA 
>> able to stop spam with some sort of BL / WL rules?
>>
>> Regards ..
>>
>> Leonard
>>
>> ----- Original Message ----- 
>> From: "jdow" <jd...@earthlink.net>
>> To: <us...@spamassassin.apache.org>
>> Sent: Tuesday, November 22, 2005 6:23 PM
>> Subject: Re: New Spammer?
>>
>>
>>> Nowhere if he has no trusted network setup. That's his problem in a
>>> nutshell. He cannot usefully run network tests.
>>> {^_^}
>>> ----- Original Message ----- 
>>> From: "Leonard SA" <sp...@pcnetsources.com>
>>>
>>>
>>>> Where are BLs setup at?
>>>>
>>>> Thanks in advance..
>>>>
>>>> Regards ..
>>>>
>>>>
>>>> Leonard Bernstein
>>>>
>>>> -------------------------------------
>>>> | Email leonardb@pcnetsources.com
>>>> | Mobile (917) 807-3883
>>>> | BlackBerry PIN 40082120
>>>> | Technology Consultant
>>>> -------------------------------------
>>>> ----- Original Message ----- 
>>>> From: "jdow" <jd...@earthlink.net>
>>>> To: <us...@spamassassin.apache.org>
>>>> Sent: Tuesday, November 22, 2005 5:37 PM
>>>> Subject: Re: New Spammer?
>>>>
>>>>
>>>>> From: "Matt Kettler" <mk...@comcast.net>
>>>>>
>>>>>> At 09:56 AM 11/22/2005, Casey King wrote:
>>>>>>
>>>>>>>This morning we have been getting drilled by spam/virus emails.
>>>>>>
>>>>>> Are they spam, or viruses? Not the same thing.
>>>>>>
>>>>>>>40 so far.
>>>>>>
>>>>>> I should be so lucky to see as few as 40/hour during any kind of 
>>>>>> outbreak
>>>>>>
>>>>>>>  Been getting a lot of phone calls from across the company about 
>>>>>>> these emails.  At least my mailscanner boxes are stripping the 
>>>>>>> files, and tagging it as spam, but what worries me, is the low 
>>>>>>> scores these messages are receiving.
>>>>>>
>>>>>> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY 
>>>>>> not care about virus emails. No effort is made to try to catch them, 
>>>>>> because doing so would dilute the scores of the spam ruleset. No 
>>>>>> effort is made to try to avoid tagging them either. They're just 
>>>>>> removed from the corpus and handled by the developers as if they 
>>>>>> don't exist.
>>>>>
>>>>> Heh, I use the ClamAV plugin for SA and give it a hefty score. That 
>>>>> way
>>>>> I get the best of both worlds. Creative use of BLs also helps.
>>>>>
>>>>> {^_^}
>>>>>
>>>>>
>>>
>>>
>
> 


Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
Nowhere if he has no trusted network setup. That's his problem in a
nutshell. He cannot usefully run network tests.
{^_^}
----- Original Message ----- 
From: "Leonard SA" <sp...@pcnetsources.com>


> Where are BLs setup at?
> 
> Thanks in advance..
> 
> Regards ..
> 
> 
> Leonard Bernstein
> 
> -------------------------------------
> | Email leonardb@pcnetsources.com
> | Mobile (917) 807-3883
> | BlackBerry PIN 40082120
> | Technology Consultant
> -------------------------------------
> ----- Original Message ----- 
> From: "jdow" <jd...@earthlink.net>
> To: <us...@spamassassin.apache.org>
> Sent: Tuesday, November 22, 2005 5:37 PM
> Subject: Re: New Spammer?
> 
> 
>> From: "Matt Kettler" <mk...@comcast.net>
>>
>>> At 09:56 AM 11/22/2005, Casey King wrote:
>>>
>>>>This morning we have been getting drilled by spam/virus emails.
>>>
>>> Are they spam, or viruses? Not the same thing.
>>>
>>>>40 so far.
>>>
>>> I should be so lucky to see as few as 40/hour during any kind of outbreak
>>>
>>>>  Been getting a lot of phone calls from across the company about these 
>>>> emails.  At least my mailscanner boxes are stripping the files, and 
>>>> tagging it as spam, but what worries me, is the low scores these 
>>>> messages are receiving.
>>>
>>> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not 
>>> care about virus emails. No effort is made to try to catch them, because 
>>> doing so would dilute the scores of the spam ruleset. No effort is made 
>>> to try to avoid tagging them either. They're just removed from the corpus 
>>> and handled by the developers as if they don't exist.
>>
>> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
>> I get the best of both worlds. Creative use of BLs also helps.
>>
>> {^_^}
>>
>>


Re: New Spammer?

Posted by Leonard SA <sp...@pcnetsources.com>.
Where are BLs setup at?

Thanks in advance..

Regards ..


Leonard Bernstein

-------------------------------------
| Email leonardb@pcnetsources.com
| Mobile (917) 807-3883
| BlackBerry PIN 40082120
| Technology Consultant
-------------------------------------
----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
To: <us...@spamassassin.apache.org>
Sent: Tuesday, November 22, 2005 5:37 PM
Subject: Re: New Spammer?


> From: "Matt Kettler" <mk...@comcast.net>
>
>> At 09:56 AM 11/22/2005, Casey King wrote:
>>
>>>This morning we have been getting drilled by spam/virus emails.
>>
>> Are they spam, or viruses? Not the same thing.
>>
>>>40 so far.
>>
>> I should be so lucky to see as few as 40/hour during any kind of outbreak
>>
>>>  Been getting a lot of phone calls from across the company about these 
>>> emails.  At least my mailscanner boxes are stripping the files, and 
>>> tagging it as spam, but what worries me, is the low scores these 
>>> messages are receiving.
>>
>> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not 
>> care about virus emails. No effort is made to try to catch them, because 
>> doing so would dilute the scores of the spam ruleset. No effort is made 
>> to try to avoid tagging them either. They're just removed from the corpus 
>> and handled by the developers as if they don't exist.
>
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
> I get the best of both worlds. Creative use of BLs also helps.
>
> {^_^}
>
> 


Re: New Spammer?

Posted by Kelson <ke...@speed.net>.
jdow wrote:
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
> I get the best of both worlds. Creative use of BLs also helps.

Local blacklists help a lot.  If you figure most viruses are going to be 
sent directly from client PCs, and most of 'em are going to try 
repeatedly, a temporary block on any* IP that sends you a virus can save 
a whole lot of connection time, bandwidth, and scanning time.

*You want some safeguards, of course.  Don't blacklist your upstream 
mail server, if you have one.  Don't blacklist known forwarders.  We 
only block IPs that appear to be DSL/cable modems and do not appear to 
be mail servers, plus we have a whitelist (in the don't-block-it sense, 
not in the accept-everything sense) of sites known to forward to our 
users, and we clear the blocks nightly.

I expect greylisting would be similarly effective.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
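One way to implement the temporary per-IP block with the safeguards Kelson lists (never the upstream relay, never a known forwarder, only hosts whose reverse DNS looks residential rather than like a mail server, and a nightly reset). This is added example code, not from the thread or any poster; the relay address, forwarder name and reverse-DNS patterns are constructed assumptions.

```python
import re

# Constructed assumptions for this example (not values from the thread):
UPSTREAM_RELAYS = {"192.0.2.1"}          # our own upstream MX: never block it
KNOWN_FORWARDERS = {"fwd.example.net"}   # sites that forward mail to our users
BLOCK_TTL = 24 * 3600                    # seconds; blocks are also cleared nightly
# Reverse-DNS heuristics for "looks like a DSL/cable modem" versus "looks like
# a mail server"; these patterns are an assumption, not the poster's real rules.
RESIDENTIAL_RE = re.compile(r"(dsl|cable|dyn|pool|client|ppp|dhcp)", re.I)
MAIL_SERVER_RE = re.compile(r"^(mail|mx|smtp|relay)\d*\.", re.I)
# Sender part of a Received: line, e.g. "(rdns.example [192.0.2.10])"
RECEIVED_RE = re.compile(r"\(([\w.-]+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(line):
    """Return (rdns, ip) from a Received: header line, or None if absent."""
    m = RECEIVED_RE.search(line)
    return (m.group(1).lower(), m.group(2)) if m else None

def block_decision(ip, rdns):
    """Apply the thread's safeguards in order; only 'block' results in a block."""
    if ip in UPSTREAM_RELAYS:
        return "skip:upstream"
    if rdns in KNOWN_FORWARDERS:
        return "skip:forwarder"
    if not rdns:
        return "skip:no-rdns"            # unknown host: be conservative
    if MAIL_SERVER_RE.search(rdns):
        return "skip:mail-server"
    if not RESIDENTIAL_RE.search(rdns):
        return "skip:not-residential"
    return "block"

class TempBlocklist:
    """Temporary per-IP block list; 'now' is a Unix timestamp in seconds."""
    def __init__(self):
        self.blocks = {}                 # ip -> time at which the block expires
    def record_virus(self, ip, rdns, now):
        decision = block_decision(ip, rdns)
        if decision == "block":
            self.blocks[ip] = now + BLOCK_TTL
        return decision
    def is_blocked(self, ip, now):
        return self.blocks.get(ip, 0) > now
    def nightly_clear(self):
        self.blocks.clear()              # the nightly reset Kelson describes
```

In production the block would be pushed to the MTA's access map or a firewall rule; here it is kept in memory so the decision logic can be exercised offline against the Received: line from the original post.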

Re: New Spammer?

Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@comcast.net>

> At 09:56 AM 11/22/2005, Casey King wrote:
> 
>>This morning we have been getting drilled by spam/virus emails.
> 
> Are they spam, or viruses? Not the same thing.
> 
>>40 so far.
> 
> I should be so lucky to see as few as 40/hour during any kind of outbreak
> 
>>  Been getting a lot of phone calls from across the company about these 
>> emails.  At least my mailscanner boxes are stripping the files, and 
>> tagging it as spam, but what worries me, is the low scores these messages 
>> are receiving.
> 
> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not 
> care about virus emails. No effort is made to try to catch them, because 
> doing so would dilute the scores of the spam ruleset. No effort is made to 
> try to avoid tagging them either. They're just removed from the corpus and 
> handled by the developers as if they don't exist.

Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
I get the best of both worlds. Creative use of BLs also helps.

{^_^}


RE: New Spammer?

Posted by Casey King <ck...@lovebox.com>.
Matt,

You are right, these are viruses being sent.  I have been working with
SA for about 6 months now, and I must say...originally I was confused
about the 'features' of SA, but have since learned that SA has nothing
to do with viruses.  I probably alluded to the idea that I was worried SA
wasn't scoring high enough; hence, making everyone think that I felt
SA should give a higher score b/c of the virus attached, but that is not
what I was getting at.  You are also right that I need to send an email
out to the users, and let them know about the virus outbreak.  No
message has made it through without being tagged, so the servers are
working as they should.  I mainly sent out the email to see if others
were seeing an influx also.

Thanks for the information.  As always, if it were not for this active
mailing list, I would not be as knowledgeable as I am now...but I would
still be considered a "novice," much like what you and Julian have been
discussing on the MailScanner list.

Casey

-----Original Message-----
From: Matt Kettler [mailto:mkettler_sa@comcast.net] 
Sent: Tuesday, November 22, 2005 9:47 AM
To: Casey King; SpamAssassin Users
Subject: Re: New Spammer?


At 09:56 AM 11/22/2005, Casey King wrote:

>This morning we have been getting drilled by spam/virus emails.

Are they spam, or viruses? Not the same thing.

>40 so far.

I should be so lucky to see as few as 40/hour during any kind of
outbreak

>  Been getting a lot of phone calls from across the company about these
> emails.  At least my mailscanner boxes are stripping the files, and
> tagging it as spam, but what worries me, is the low scores these
> messages are receiving.

SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not
care about virus emails. No effort is made to try to catch them, because
doing so would dilute the scores of the spam ruleset. No effort is made to
try to avoid tagging them either. They're just removed from the corpus and
handled by the developers as if they don't exist.

>I start tagging spam, at 3.5 so each message has been tagged, but still
>sent through.  Anyone else seeing these emails?

I see plenty of viruses, and never give them a mind. My selective
greylisting helps, but so far this morning my mailscanner still got 20 of
them.

There was also a steep burst last Weds, 18 of them, which then leveled off
through the rest of the day.

*shrug*..  tell your users in a broadcast email that there is a virus
outbreak, but to not be concerned unless they have a message that looks
like a virus and isn't tagged. You might also want to include some standard
educational notes about viruses and their auto-sending, auto-forging habits.


Re: New Spammer?

Posted by Matt Kettler <mk...@comcast.net>.
At 09:56 AM 11/22/2005, Casey King wrote:

>This morning we have been getting drilled by spam/virus emails.

Are they spam, or viruses? Not the same thing.

>40 so far.

I should be so lucky to see as few as 40/hour during any kind of outbreak

>  Been getting a lot of phone calls from across the company about these 
> emails.  At least my mailscanner boxes are stripping the files, and 
> tagging it as spam, but what worries me, is the low scores these messages 
> are receiving.

SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not 
care about virus emails. No effort is made to try to catch them, because 
doing so would dilute the scores of the spam ruleset. No effort is made to 
try to avoid tagging them either. They're just removed from the corpus and 
handled by the developers as if they don't exist.

>I start tagging spam, at 3.5 so each message has been tagged, but still 
>sent through.  Anyone else seeing these emails?

I see plenty of viruses, and never give them a mind. My selective 
greylisting helps, but so far this morning my mailscanner still got 20 of 
them.

There was also a steep burst last Weds, 18 of them, which then leveled off 
through the rest of the day.

*shrug*..  tell your users in a broadcast email that there is a virus 
outbreak, but to not be concerned unless they have a message that looks 
like a virus and isn't tagged. You might also want to include some standard 
educational notes about viruses and their auto-sending, auto-forging habits.