Posted to users@spamassassin.apache.org by "Christopher X. Candreva" <ch...@westnet.com> on 2011/11/04 04:07:25 UTC

Large mbox of uncaught spam, for whoever knows what to do with it.

I have a particular user suddenly being hammered with porn spam that is 
getting by SA, despite bayes training.

I've put the whole thing up into a gzipped mbox file:
http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz

I'm at the end of my rope as to what to do, so hopefully making this 
available will get it to --- someone who can do --- something with it.
:-)

(all local email addresses have been obfuscated)

-Chris


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Fri, 4 Nov 2011, Kevin A. McGrail wrote:

> > I've added your KAM rules, we'll see how that helps.
> 
> FYI, looks like a false-positive in there on ebill@cablevision.com in the
> corpus.  Same thing with la_fonda_on_the_plaza@zmaildirect.com.

Ah, on the second you are right, but the ebill@cablevision one is a phish, just a 
bad one with the URL missing. Note the sending SMTP server is idahs.com, a 
Domains by Proxy / GoDaddy domain. 

We had a lot more caught that included a phishing URL.




Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
> I've added your KAM rules, we'll see how that helps.

FYI, looks like a false-positive in there on ebill@cablevision.com in 
the corpus.  Same thing with la_fonda_on_the_plaza@zmaildirect.com.

Otherwise, I've got some good framework on some rules to block this 
onslaught.

Let me know what you see reported now.

Regards,
KAM

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Fri, 4 Nov 2011, Kevin A. McGrail wrote:

> On 11/3/2011 11:11 PM, Christopher X. Candreva wrote:
> > On Thu, 3 Nov 2011, Christopher X. Candreva wrote:
> > 
> > > I have a particular user suddenly being hammered with porn spam that is
> > > getting by SA, despite bayes training.
> > > 
> > > I've put the whole thing up into a gzipped mbox file:
> > > http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz
> > I meant to specify, it has 184 messages from the past week or so.
> > 
> From spot checking it, most appear to be gibberish from compromised
> accounts/websites.
> 
> These are going to be tough to block though I see some patterns in there.
> 
> You can add http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> and I'll tweak to catch some at least.

Thanks.  Fixing the Received checks has helped some but not much.

I've added your KAM rules, we'll see how that helps.


Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
> These look very helpful. Are these rules going to make it into an
> sa-update?
That's the eventual goal.  The bad part is that my corpora aren't in the 
mass check for SA, so my rules often get poor results and fail to 
promote.  No promises when, but that is the goal.

> Can we wget this file periodically?
Yes.  Feel free.  Make sure you lint, as I link to the live file, 
including while I'm editing.
>
> There are also a few unresolved dependencies:
>
> rules: meta test KAM_BLANK01 has undefined dependency 'UNDISC_RECIPS'
> rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_FROM_OR_TO'
> rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_TO'
> rules: meta test KAM_BLANK02 has undefined dependency 'MSGID_FROM_MTA_ID
There are conditions in the rule for these tests not to be used but lint 
ignores these tests and throws an error.

It's a known issue for some years but I opened a bug just to make sure 
it gets eventually resolved.  
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6691
> rules: meta test KAM_RPTR_PASSED has undefined dependency 'IN_BCUDA_RBL'
> rules: meta test KAM_RPTR_PASSED has undefined dependency 'RCVD_IN_BCUDA_RELAY'
I believe these two can be ignored.  I'm going to create a plugin called 
KAMOnly that only loads for me so I can conditionally write rules that 
no one else on the planet cares about.  Unfortunately, due to the above, 
you'll still see the error but you won't actually use the rules.
>
> Am I missing another rules file for these missing rules?
No.

Regards,
KAM

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by Alex <my...@gmail.com>.
Hi,

>>> I have a particular user suddenly being hammered with porn spam that is
>>> getting by SA, despite bayes training.
>>>
>>> I've put the whole thing up into a gzipped mbox file:
>>> http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz
>>
>> I meant to specify, it has 184 messages from the past week or so.
>>
> From spot checking it, most appear to be gibberish from compromised
> accounts/websites.
>
> These are going to be tough to block though I see some patterns in there.
>
> You can add http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> and I'll tweak to catch some at least.

These look very helpful. Are these rules going to make it into an
sa-update? Can we wget this file periodically?

There are also a few unresolved dependencies:

rules: meta test KAM_BLANK01 has undefined dependency 'UNDISC_RECIPS'
rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_FROM_OR_TO'
rules: meta test KAM_BLANK01 has undefined dependency 'FM_NO_TO'
rules: meta test KAM_BLANK02 has undefined dependency 'MSGID_FROM_MTA_ID
rules: meta test KAM_RPTR_PASSED has undefined dependency 'IN_BCUDA_RBL'
rules: meta test KAM_RPTR_PASSED has undefined dependency 'RCVD_IN_BCUDA_RELAY'

Am I missing another rules file for these missing rules?

Thanks,
Alex

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 11/3/2011 11:11 PM, Christopher X. Candreva wrote:
> On Thu, 3 Nov 2011, Christopher X. Candreva wrote:
>
>> I have a particular user suddenly being hammered with porn spam that is
>> getting by SA, despite bayes training.
>>
>> I've put the whole thing up into a gzipped mbox file:
>> http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz
> I meant to specify, it has 184 messages from the past week or so.
>
From spot checking it, most appear to be gibberish from compromised 
accounts/websites.

These are going to be tough to block though I see some patterns in there.

You can add 
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf and 
I'll tweak to catch some at least.

Regards,
KAM

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Thu, 3 Nov 2011, Christopher X. Candreva wrote:

> 
> I have a particular user suddenly being hammered with porn spam that is 
> getting by SA, despite bayes training.
> 
> I've put the whole thing up into a gzipped mbox file:
> http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz

I meant to specify, it has 184 messages from the past week or so.


Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by Benny Pedersen <me...@junc.org>.
On Fri, 4 Nov 2011 10:57:54 -0400 (EDT), Christopher X. Candreva wrote:
> On Fri, 4 Nov 2011, Matus UHLAR - fantomas wrote:

> Sorry for the noise, thank you greatly for pointing this out.

I got no NO_RECEIVED here

spamassassin --mbox -t MissedSpam.mbox

uri rules to try:

page.tl
livejournal.com


Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Fri, 4 Nov 2011, Matus UHLAR - fantomas wrote:

> On 03.11.11 23:07, Christopher X. Candreva wrote:
> > I have a particular user suddenly being hammered with porn spam that is
> > getting by SA, despite bayes training.
> > 
> > I've put the whole thing up into a gzipped mbox file:
> > http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz
> 
> all mail there hits NO_RECEIVED. How do you run spamassassin?
> It can't see Received: headers which are VERY important to find out if the
> message is spam...


Ah-ha! Thank you!

I had added a Received: rule to local.cf, didn't terminate the regex, and 
that evidently screwed up ALL Received: checks.

Sorry for the noise, thank you greatly for pointing this out.


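
One way to do by script the check Matus did by eye (spot a rule that hits every message in a corpus, which for a mixed corpus points at a broken rule set rather than at the spam): an added example, not code from this thread. It reads the X-Spam-Status headers of an mbox that has already been run through `spamassassin --mbox -t`; the three sample messages are constructed.

```python
import email
import re
from collections import Counter

# Constructed sample: three messages as `spamassassin --mbox -t` would emit
# them, each with an X-Spam-Status header whose tests= list may be folded.
SAMPLE_MBOX = """\
From spammer@example.invalid Thu Nov  3 22:01:00 2011
X-Spam-Status: Yes, score=6.1 required=5.0 tests=HTML_MESSAGE,NO_RECEIVED,
\tURIBL_BLACK autolearn=no version=3.3.1

From other@example.invalid Thu Nov  3 22:02:00 2011
X-Spam-Status: No, score=2.0 required=5.0 tests=NO_RECEIVED autolearn=no
\tversion=3.3.1

From third@example.invalid Thu Nov  3 22:03:00 2011
X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_50,NO_RECEIVED
\tautolearn=no version=3.3.1

"""

TESTS_RE = re.compile(r"tests=(.*?)(?:\s+autolearn=|\s+version=|$)", re.S)

def split_mbox(text):
    """Split mbox text into raw messages; each begins with a 'From ' line."""
    msgs = []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") or not msgs:
            msgs.append("")
        msgs[-1] += line
    return msgs

def rule_hits(raw_message):
    """Return the set of rule names listed in a message's X-Spam-Status."""
    status = email.message_from_string(raw_message).get("X-Spam-Status", "")
    m = TESTS_RE.search(status)
    return {t.strip() for t in m.group(1).split(",") if t.strip()} if m else set()

def tally(mbox_text):
    """Count, per rule, how many messages it hit; return (counts, total)."""
    msgs = split_mbox(mbox_text)
    return Counter(r for raw in msgs for r in rule_hits(raw)), len(msgs)

def universal_rules(mbox_text):
    """Rules hitting every message: for a mixed corpus that usually means a
    broken rule set (the thread's unterminated Received: regex), not spam."""
    counts, total = tally(mbox_text)
    return sorted(r for r, n in counts.items() if total and n == total)
```

On the sample, `universal_rules` reports only NO_RECEIVED, the same signal that led to the local.cf fix above.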

Re: Large mbox of uncaught spam, for whoever knows what to do with it.

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 03.11.11 23:07, Christopher X. Candreva wrote:
>I have a particular user suddenly being hammered with porn spam that is
>getting by SA, despite bayes training.
>
>I've put the whole thing up into a gzipped mbox file:
>http://www.westnet.com/~chris/SA/MissedSpam1.mbox.gz
>
>I'm at the end of my rope as to what to do, so hopefully making this
>available will get it to --- someone who can do --- something with it.
>:-)

all mail there hits NO_RECEIVED. How do you run spamassassin?
It can't see Received: headers which are VERY important to find out if 
the message is spam...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete