Posted to users@spamassassin.apache.org by Ben Hanson <Be...@transprintusa.com> on 2004/02/05 21:42:40 UTC

Move Bayes???

I've been testing various mail server options and programs for a couple of months, and as part of the process have tweaked a very nicely functioning SpamAssassin install.  I'm running SA 2.63 with various rule additions thanks to all those involved with hairy, evil, popcorn pox chicken etc. sets.  Thanks for all your fantastic work.  I also have Razor, Pyzor, DCC and Bayes up and running.  I will be building up a new server in about six weeks, and can easily copy and paste config files to duplicate everything config and rule-wise, BUT I'm curious if anybody can tell me about potential issues moving my Bayes database.  It's becoming very accurate, to the point that I moved up the point value in my local config for the Bayes_99 test.  I don't think I've ever seen a false positive at that level.  So, can I just do the install, copy the db files to their new home, and crank it all up, or is it a more complicated process?

Thanks

Ben


Re: Phish Rule Question

Posted by John Fleming <jo...@wa9als.com>.
----- Original Message ----- 
From: "Kevin A. McGrail" <km...@pccc.com>
To: <sp...@incubator.apache.org>
Sent: Thursday, February 05, 2004 6:37 PM
Subject: Re: Phish Rule Question


> > I am trying to write a rule that helps catch phishing emails.  These
> emails
> > do NOT have any url spoofing in them.  They are pure and simple social
> > engineering.
>
> Thanks for all the replies.  I needed to use rawbody as was pointed out.
>
> The beta rule to try and catch phishing emails is up now in
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> Feedback appreciated and it has a low score of 1.0 until I confirm more
> about FPs.
>
> Regards,
> KAM
>

Sorry if repeating, but I never got any answers to this:
This newbie sees various posts like the above here on the list.  These rules
can be invoked by which of the following means:
1.  Simply copying the .cf file to /etc/spamassassin (or the appropriate
user dir)?
2.  Cutting and pasting the rules directly to the local.cf file would work
for the above KAM.cf, but I see other .cf files that don't directly contain
regex rules etc.  Are those invoked simply by their being in the
/etc/mail/spamassassin dir with the local.cf file, or is some other step
necessary to invoke them?



Re: Phish Rule Question

Posted by "Kevin A. McGrail" <km...@pccc.com>.
> I am trying to write a rule that helps catch phishing emails.  These
emails
> do NOT have any url spoofing in them.  They are pure and simple social
> engineering.

Thanks for all the replies.  I needed to use rawbody as was pointed out.

The beta rule to try and catch phishing emails is up now in
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

Feedback appreciated and it has a low score of 1.0 until I confirm more
about FPs.

Regards,
KAM


Phish Rule Question

Posted by "Kevin A. McGrail" <km...@pccc.com>.
I am trying to write a rule that helps catch phishing emails.  These emails
do NOT have any url spoofing in them.  They are pure and simple social
engineering.

I have started with the following theory to identify several factors that
contribute to an email such as this which will be expanded if I can get this
first ground work done.  Basically, if you have a form in an email and ask
for a credit card, etc. it's probably a phish.  That's my theory.  I almost
think any <input> tags are likely to be a scam but I haven't researched that
further to see if there are legitimate companies doing forms in their
emails.

However, I am having troubles getting the rules like name=password to match.
My regexp below seems fine but just writing name=password in an email
doesn't trigger the rule.  Any insight would be appreciated as I imagine
it's got to be something SpamAssassin specific with regexp's or just my
brain overworked.

Regards,
KAM


#COMBO rules to catch phishing expeditions
#SWITCH TO __KAM_PHISH AFTER TESTING
body            KAM_PHISH_01    /<input /i
describe        KAM_PHISH_01    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_01    0.15

body            KAM_PHISH_02    /credit card fail/i
describe        KAM_PHISH_02    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_02    0.15

body            KAM_PHISH_03    /\bauthoriz/i
describe        KAM_PHISH_03    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_03    0.15

body            KAM_PHISH_04    /\bname=cc/i
describe        KAM_PHISH_04    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_04    0.15

body            KAM_PHISH_05    /\bname=cvv/i
describe        KAM_PHISH_05    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_05    0.15

body            KAM_PHISH_06    /\bname=pin/i
describe        KAM_PHISH_06    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_06    0.15

body            KAM_PHISH_07    /\bname=date/i
describe        KAM_PHISH_07    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_07    0.15

body            KAM_PHISH_08    /\bname=year/i
describe        KAM_PHISH_08    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_08    0.15

body            KAM_PHISH_09    /\bname=month/i
describe        KAM_PHISH_09    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_09    0.15

body            KAM_PHISH_10    /\btype=submit/i
describe        KAM_PHISH_10    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_10    0.15

body            KAM_PHISH_11    /\baccount management\b/i
describe        KAM_PHISH_11    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_11    0.15

body            KAM_PHISH_12    /\bname=password/i
describe        KAM_PHISH_12    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_12    0.15

body            KAM_PHISH_13    /<form.*action\=.*>/i
describe        KAM_PHISH_13    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_13    0.15

body            KAM_PHISH_14    /\bname\=username/i
describe        KAM_PHISH_14    Partial Rule to try and Catch Phishing Emails
score           KAM_PHISH_14    0.15

meta            KAM_combo_PHISH   ((KAM_PHISH_01 + KAM_PHISH_02 + KAM_PHISH_03 + KAM_PHISH_04 + KAM_PHISH_05 + KAM_PHISH_06 + KAM_PHISH_07 + KAM_PHISH_08 + KAM_PHISH_09 + KAM_PHISH_10 + KAM_PHISH_11 + KAM_PHISH_12 + KAM_PHISH_13 + KAM_PHISH_14) > 6)
describe        KAM_combo_PHISH   KAM - Phishing Expedition Email Probability High
score           KAM_combo_PHISH   1.0 #RAISE AFTER MORE TESTING


Regards,
KAM
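The reason `name=password` never fires in the rules above, and the reason KAM's follow-up says rawbody was needed, is that a SpamAssassin `body` rule is matched against the rendered text of the message, with HTML tags (and so every `<input ...>` tag and every `name=` attribute inside it) already stripped, while a `rawbody` rule sees the HTML as it was sent. The Python script below is an added example for this thread, not code from the posts or from SpamAssassin: it re-implements the fourteen partial rules and the `> 6` meta threshold, runs them over a constructed phishing message once as `body` rules (using a crude tag-stripper as a stand-in for SpamAssassin's HTML rendering) and once as `rawbody` rules, and then repeats the raw-body pass on a variant with quoted attribute values. `SAMPLE_HTML`, `quote_attrs` and the function names are this example's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample for this example (not a message from the thread): an HTML
# phish with an inline form, the kind of message the KAM_PHISH rules target.
SAMPLE_HTML = """<html><body>
<p>Dear customer, your credit card failed authorization.
Please visit Account Management and re-enter your details.</p>
<form method="post" action="http://example.invalid/verify">
Card: <input type=text name=cc><br>
CVV: <input type=text name=cvv><br>
Exp: <input type=text name=month> / <input type=text name=year><br>
PIN: <input type=password name=pin><br>
Password: <input type=password name=password><br>
<input type=submit value="Verify">
</form></body></html>"""

# The fourteen partial rules from the post (all declared with the /i flag).
KAM_PHISH = {
    "KAM_PHISH_01": r"<input ",
    "KAM_PHISH_02": r"credit card fail",
    "KAM_PHISH_03": r"\bauthoriz",
    "KAM_PHISH_04": r"\bname=cc",
    "KAM_PHISH_05": r"\bname=cvv",
    "KAM_PHISH_06": r"\bname=pin",
    "KAM_PHISH_07": r"\bname=date",
    "KAM_PHISH_08": r"\bname=year",
    "KAM_PHISH_09": r"\bname=month",
    "KAM_PHISH_10": r"\btype=submit",
    "KAM_PHISH_11": r"\baccount management\b",
    "KAM_PHISH_12": r"\bname=password",
    "KAM_PHISH_13": r"<form.*action\=.*>",
    "KAM_PHISH_14": r"\bname\=username",
}
META_THRESHOLD = 6  # KAM_combo_PHISH fires when the hit count is > 6


class _TextOnly(HTMLParser):
    """Crude stand-in for SpamAssassin's HTML rendering: keep text, drop tags."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def render_body(raw):
    """Approximate what a `body` rule is matched against: tags gone, whitespace collapsed."""
    p = _TextOnly()
    p.feed(raw)
    p.close()
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip()


def hits(text, rules=KAM_PHISH):
    """Names of the rules whose pattern matches `text` (case-insensitive, like /i)."""
    return sorted(n for n, pat in rules.items() if re.search(pat, text, re.I))


def evaluate(raw):
    """Evaluate the rule set as `body` rules and as `rawbody` rules on one message."""
    body_hits = hits(render_body(raw))
    raw_hits = hits(raw)
    return {
        "body": body_hits,
        "body_meta": len(body_hits) > META_THRESHOLD,
        "rawbody": raw_hits,
        "rawbody_meta": len(raw_hits) > META_THRESHOLD,
    }


def quote_attrs(raw):
    """Rewrite bare name=/type= attributes as name="..."/type="...", a form many
    mailers emit and one that none of the name=/type= patterns above match."""
    return re.sub(r'\b(name|type)=(\w+)', r'\1="\2"', raw)


if __name__ == "__main__":
    for label, msg in (("bare attributes", SAMPLE_HTML),
                       ("quoted attributes", quote_attrs(SAMPLE_HTML))):
        r = evaluate(msg)
        print("%s: body %d hit(s), meta=%s; rawbody %d hit(s), meta=%s" % (
            label, len(r["body"]), r["body_meta"], len(r["rawbody"]), r["rawbody_meta"]))
```

Against the rendered body only the three plain-text rules hit (credit card fail, authoriz, account management), so the meta can never reach seven; against the raw HTML twelve of the fourteen hit and the combo fires. The `quote_attrs` pass shows the caveat a rule author will want next: every `name=` and `type=` pattern assumes an unquoted attribute value, so the same form written `name="password"` drops the raw-body count to five and slips under the threshold. Allowing an optional quote in the pattern (`name=["']?password`) closes that gap.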


Re: Move Bayes???

Posted by Theo Van Dinter <fe...@kluge.net>.
On Thu, Feb 05, 2004 at 03:42:40PM -0500, Ben Hanson wrote:
> seen a false positive at that level.  So, can I just do the install,
> copy the db files to their new home, and crank it all up, or is it a
> more complicated process?

In theory, yes.  You'll want to either 1) have a compatible DB_File/libdb
install on the new box, or 2) upgrade and make sure to run "db_upgrade"
before launching SA.

I would move the DB's, then do a "sa-learn --dump magic" to see if it
can read the DB.  If it can't, look at the db_upgrade bit.  If it can,
you're fine. :)

-- 
Randomly Generated Tagline:
Well, that's more-or-less what I was saying, though obviously addition
 is a little more cosmic than the bitwise operators.
              -- Larry Wall in <19...@wall.org>
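Theo's check above, "sa-learn --dump magic", prints one "non-token data:" line per database header field (db version, nspam, nham, ntokens, the atimes); if sa-learn cannot open the copied files you get an error instead of those lines. The Python script below is an added example for this thread, not part of the posts or of SpamAssassin: it runs that command (optionally with `--dbpath` pointing at the copied database, in bayes_path form), parses the dump, and refuses to call the move good unless the version line is present, the token table is non-empty, and the spam and ham counts are at or above the 200-message floor that SpamAssassin 2.6x requires before it uses Bayes at all (the `bayes_min_spam_num` / `bayes_min_ham_num` defaults). The sample dump and its numbers are constructed for the example; `parse_magic`, `check_magic` and `run_magic` are this example's own names.

```python
import re
import subprocess

# Constructed sample of `sa-learn --dump magic` output. The numbers are made up
# for this example; the column layout (prob, spam count, ham count, atime, token)
# is the one sa-learn prints.
SAMPLE_MAGIC = """\
0.000          0          2          0  non-token data: bayes db version
0.000          0       4312          0  non-token data: nspam
0.000          0       9875          0  non-token data: nham
0.000          0     187502          0  non-token data: ntokens
0.000          0 1070000000          0  non-token data: oldest atime
0.000          0 1076000000          0  non-token data: newest atime
"""

# Header fields are printed in the "ham count" column of a non-token line.
MAGIC_LINE = re.compile(r"^\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")

# Default bayes_min_spam_num / bayes_min_ham_num in SpamAssassin 2.6x.
MIN_SPAM = 200
MIN_HAM = 200


def parse_magic(dump):
    """Map each 'non-token data' field name to its integer value."""
    fields = {}
    for line in dump.splitlines():
        m = MAGIC_LINE.match(line)
        if m:
            fields[m.group(2)] = int(m.group(1))
    return fields


def check_magic(dump, min_spam=MIN_SPAM, min_ham=MIN_HAM):
    """Return (ok, reasons). ok is True only if the dump shows a database that
    sa-learn could open AND that holds enough training to be used for scoring."""
    f = parse_magic(dump)
    reasons = []
    if "bayes db version" not in f:
        reasons.append("no 'bayes db version' line: sa-learn did not read the "
                       "database (check DB_File/libdb on this host, or run db_upgrade)")
        return False, reasons
    if f.get("ntokens", 0) == 0:
        reasons.append("ntokens is 0: the token database is empty")
    if f.get("nspam", 0) < min_spam:
        reasons.append("nspam %d is below %d" % (f.get("nspam", 0), min_spam))
    if f.get("nham", 0) < min_ham:
        reasons.append("nham %d is below %d" % (f.get("nham", 0), min_ham))
    return not reasons, reasons


def run_magic(dbpath=None):
    """Run `sa-learn --dump magic` (optionally against --dbpath) and return stdout.
    Run it as the user spamd runs as, so it opens exactly the files spamd will."""
    cmd = ["sa-learn", "--dump", "magic"]
    if dbpath:
        cmd += ["--dbpath", dbpath]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.stderr:
        print(proc.stderr.strip())
    return proc.stdout


if __name__ == "__main__":
    import sys
    dump = run_magic(sys.argv[1] if len(sys.argv) > 1 else None)
    ok, reasons = check_magic(dump)
    print("OK" if ok else "NOT OK")
    for reason in reasons:
        print("  -", reason)
    sys.exit(0 if ok else 1)
```

What to move: with the DB_File backend in 2.6x that is `bayes_toks` and `bayes_seen` (and `bayes_journal` if one exists) from the bayes_path directory, copied together while nothing is learning or scanning, then chowned on the new box to the user spamd runs as. A Berkeley DB format mismatch between the two hosts is the case Theo's db_upgrade remark covers, and it shows up here as the missing version line. SpamAssassin 3.0 and later add `sa-learn --backup` and `--restore`, which export the database as text and sidestep the libdb dependency entirely.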