Posted to users@spamassassin.apache.org by distill <ji...@inbox.lv> on 2008/08/16 12:27:04 UTC

msnbc.com - BREAKING NEWS spam question

I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
made sure that all of those spams (over 40 of them) are manually trained to
be spam. SpamAssassin does filter out those messages about 75% of the time.
However, even after this careful manual training some of those spams are
still getting through (my score threshold is now 4.4). I get the feeling
that the training doesn't have any effect. Is there something wrong or is
SpamAssassin just incapable of learning this? The msnbc spams are almost
identical to each other with lots of words, so I would imagine this should be
an easy task.

Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that if
there are more than one of those tags present, for example
"RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
still be ham?

Here is a recent "msnbc"-message with headers:


>From - Sat Aug 16 11:52:22 2008
X-Account-Key: account18
X-UIDL: UID776-1218109787
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
DomainKey-Status: no signature
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on ---.com
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.4 tests=HTML_MESSAGE,
	HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB
	autolearn=no version=3.1.9
DomainKey-Status: no signature
Received: (qmail 8490 invoked from network); 16 Aug 2008 11:45:05 +0300
Received: from --- (---)
  by --- with SMTP; 16 Aug 2008 11:45:05 +0300
Received-SPF: none (---: domain at flynn.ca does not designate permitted
sender hosts)
Received: from adsl-static-23-254.netflash.net
(adsl-static-23-254.netflash.net [64.187.23.254])
	by --- (Postfix) with ESMTP id EDA8932B8191
	for <--->; Sat, 16 Aug 2008 11:45:02 +0300 (EEST)
thread-index: 3c4f25c55e9c926cb1f89d288dcf90==
Thread-Topic: msnbc.com - BREAKING NEWS: British Penny Actually Worth More
Than One Dollar. Watch the proof.
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
Message-ID:  <00...@nissansales3>
Date:         Sat, 16 Aug 2008 04:36:21 -0400
Reply-To:     MSNBC Breaking News <ua...@flynn.ca>
From:         MSNBC Breaking News <ua...@flynn.ca>
Subject: msnbc.com - BREAKING NEWS: British Penny Actually Worth More Than
One Dollar. Watch the proof.
To: ---
Precedence: list
X-EsetId: D39316FAF3E6373387D2

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16681" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>

msnbc.com: BREAKING NEWS: British Penny Actually Worth More Than One Dollar.
Watch the proof. <br>
<br>

Find out more at  http://planetahd.com/msn_video.html
http://breakingnews.msnbc.com <br>

<br>
======================================================<br>
See the top news of the day at MSNBC.com, and the latest from Today Show and
NBC Nightly News.<br>
<br>
=========================================<br>
This e-mail is never sent unsolicited. You have received this MSNBC Breaking
News Newsletter<br>
newsletter because you subscribed to it or, someone forwarded it to
you.</br>
<br><br>
To remove yourself from the list (or to add yourself to the list if this<br>
message was forwarded to you) simply go to</br>
<br><br>
http://www.msnbc.msn.com/id/23823601 http://www.msnbc.msn.com/id/74704933 ,
select unsubscribe, enter the<br>
email address receiving this message, and click the Go button.<br>

<br><br>
Microsoft Corporation - One Microsoft Way - Redmond, WA 98052<br>
MSN PRIVACY STATEMENT<br>
http://privacy.msn.com ( http://privacy.msn.com/ http://privacy.msn.com/> )


-- 
View this message in context: http://www.nabble.com/msnbc.com---BREAKING-NEWS-spam-question-tp19010363p19010363.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: msnbc.com - BREAKING NEWS spam question

Posted by distill <ji...@inbox.lv>.

distill wrote:
> 
> Thanks for the good suggestions.
> 
> I was investigating further and found out, that in zero of the
> SpamAssassin processed messages there is BAYES_ mentioned in the
> X-Spam-Status. Could it be that the Bayes learning function is in fact
> completely disabled in the configuration (and that's why it seems to be
> not learning anything)?
> 
> The SpamAssassin is running at my ISP's server and I don't have direct
> access to its specific configuration (but I can ask if I know what to
> ask).
> 

My language might've been bad (again). I meant that out of 700 processed
messages, there is no occurrence of the string "BAYES" in the headers. Does
this indicate that the Bayes function is disabled in the configuration?
-- 
View this message in context: http://www.nabble.com/msnbc.com---BREAKING-NEWS-spam-question-tp19010363p19022676.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: msnbc.com - BREAKING NEWS spam question

Posted by distill <ji...@inbox.lv>.
Thanks for the good suggestions.

I was investigating further and found out, that in zero of the SpamAssassin
processed messages there is BAYES_ mentioned in the X-Spam-Status. Could it
be that the Bayes learning function is in fact completely disabled in the
configuration (and that's why it seems to be not learning anything)?

The SpamAssassin is running at my ISP's server and I don't have direct
access to its specific configuration (but I can ask if I know what to ask).
-- 
View this message in context: http://www.nabble.com/msnbc.com---BREAKING-NEWS-spam-question-tp19010363p19013729.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: msnbc.com - BREAKING NEWS spam question

Posted by Chris <cp...@embarqmail.com>.
On Saturday 16 August 2008 6:09 am, Greg Troxel wrote:
> distill <ji...@inbox.lv> writes:
> > I've been receiving these "msnbc.com - BREAKING NEWS" spams recently.
> > I've made sure that all of those spams (over 40 of them) are manually
> > trained to be spam. SpamAssassin does filter out those messages about 75%
> > of the time. However, even after this careful manual training some of
> > those spams are still getting through (my score threshold is now 4.4). I
> > get the feeling that the training doesn't have any effect. Is there
> > something wrong or is SpamAssassin just incapable of learning this? The
> > msnbc spams are almost identical to each other with lots of words, so I
> > would imagine this should be an easy task.
>
A bit more clarification on Steve's experimental rogue sigs:

"Just to clarify... the rogue.hdb will detect only the exe's that the fake 
news/videos are trying to get you to run.

Inside the phish.ndb file, there are sigs to block the actual emails, before 
the user even gets to click anything,
which might be best for the original poster to use :)

Sigs such as, the following should block most of the fake news emails:

Email.Malware.Sanesecurity.08080802.StormNews.CnnGen
Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen
Email.Malware.Sanesecurity.08081509.StormNews.BBCGen

The fake video ones, are usually covered by the Malware ones, such as: 
Email.Malware.Sanesecurity.08081604"

-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: msnbc.com - BREAKING NEWS spam question

Posted by Greg Troxel <gd...@ir.bbn.com>.
distill <ji...@inbox.lv> writes:

> I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
> made sure that all of those spams (over 40 of them) are manually trained to
> be spam. SpamAssassin does filter out those messages about 75% of the time.
> However, even after this careful manual training some of those spams are
> still getting through (my score threshold is now 4.4). I get the feeling
> that the training doesn't have any effect. Is there something wrong or is
> SpamAssassin just incapable of learning this? The msnbc spams are almost
> identical to each other with lots of words, so I would imagine this should be
> an easy task.

On your message I also got:

	*  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
	*      [URIs: planetahd.com]
	*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
	*      [URIs: planetahd.com]

but not the received ones of course.  You didn't get this, but I see
that on uribl planetahd.com was listed at 0826Z today.

> Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that if
> there are more than one of those tags present, for example
> "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
> still be ham?

I'm not sure what you're asking.  If you mean

  "If I get a message where both RCVD_IN_BL_SPAMCOP_NET and
  RCVD_IN_SORBS_WEB fire, is there any chance the message is still ham?"

I'd say yes.  Those blacklists probably have overlapping listing
criteria, and certainly two lists listing something is at least a bit
stronger than one, but not absolute.

I have edited my scores file to increase MIME_HTML_ONLY and if I were
you would increase HTML_TAG_BALANCE_BODY as well (probably 1 point
each), unless you find lots of ham hits on these.
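An added example (not from this thread and not SpamAssassin project code) that automates the two checks discussed above: scanning every X-Spam-Status header in a mailbox for a BAYES_* hit, which distill did by hand across 700 messages, and re-scoring the rules that fired with the local score boosts Greg suggests, to see which messages would then cross required_score. The mbox text is constructed, modelled on the headers posted at the top of the thread; the boost values, the rescore helper and all function names are assumptions made for this example.

```python
"""Audit SpamAssassin X-Spam-Status headers across an mbox (added example).

Two checks from the thread: has any BAYES_* rule ever fired (if not, Bayes is
probably disabled or still below its training minimum on the server), and
what the scores would become if local score boosts were applied.
"""
import email
import re
from collections import Counter

# Constructed sample mbox: two messages modelled on the headers posted in the
# thread. Folded X-Spam-Status lines continue with a tab, as SpamAssassin writes them.
SAMPLE_MBOX = (
    "From - Sat Aug 16 11:52:22 2008\n"
    "X-Spam-Status: No, score=2.8 required=4.4 tests=HTML_MESSAGE,\n"
    "\tHTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB\n"
    "\tautolearn=no version=3.1.9\n"
    "Subject: msnbc.com - BREAKING NEWS: sample 1\n"
    "\n"
    "body 1\n"
    "\n"
    "From - Sat Aug 16 12:00:00 2008\n"
    "X-Spam-Status: Yes, score=6.1 required=4.4 tests=HTML_MESSAGE,MIME_HTML_ONLY,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET,URIBL_BLACK autolearn=no version=3.1.9\n"
    "Subject: msnbc.com - BREAKING NEWS: sample 2\n"
    "\n"
    "body 2\n"
)

# Matches the 3.x header layout; "hits=" is accepted for older releases.
SPAM_STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s+(?:score|hits)=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>.*?)(?:\s+autolearn=|\s+version=|$)"
)


def split_mbox(text):
    """Split mbox text on its 'From ' separator lines into Message objects."""
    messages = []
    for chunk in re.split(r"(?:^|\n)From ", text):
        if not chunk.strip():
            continue
        # Drop the rest of the separator line; the headers start on the next line.
        raw = chunk.split("\n", 1)[1] if "\n" in chunk else ""
        messages.append(email.message_from_string(raw))
    return messages


def parse_spam_status(value):
    """Parse one X-Spam-Status value (folded continuation lines are joined first)."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = SPAM_STATUS_RE.match(flat)
    if not m:
        return None
    tests = [t for t in m.group("tests").replace(" ", "").split(",") if t]
    if tests == ["none"]:  # SpamAssassin writes tests=none when no rule hit
        tests = []
    return {
        "is_spam": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def audit(messages):
    """Tally rule hits and count messages that carried any BAYES_* test."""
    hits = Counter()
    summary = {"total": 0, "with_status": 0, "bayes_seen": 0, "rule_hits": hits}
    for msg in messages:
        summary["total"] += 1
        value = msg.get("X-Spam-Status")
        status = parse_spam_status(value) if value else None
        if status is None:
            continue
        summary["with_status"] += 1
        hits.update(status["tests"])
        if any(t.startswith("BAYES_") for t in status["tests"]):
            summary["bayes_seen"] += 1
    return summary


def rescore(status, boosts):
    """What-if: add a local score boost for each rule that hit, then re-test the threshold."""
    new_score = round(status["score"] + sum(boosts.get(t, 0.0) for t in status["tests"]), 1)
    return new_score, new_score >= status["required"]


if __name__ == "__main__":
    msgs = split_mbox(SAMPLE_MBOX)
    report = audit(msgs)
    print(f"{report['with_status']}/{report['total']} messages carried X-Spam-Status; "
          f"{report['bayes_seen']} hit a BAYES_* rule")
    for rule, count in report["rule_hits"].most_common():
        print(f"  {count:3d}  {rule}")
    # Greg's suggestion, as a what-if: roughly one point more on each of these rules.
    boosts = {"MIME_HTML_ONLY": 1.0, "HTML_TAG_BALANCE_BODY": 1.0}
    for msg in msgs:
        status = parse_spam_status(msg["X-Spam-Status"])
        new_score, flagged = rescore(status, boosts)
        print(f"{msg['Subject']}: {status['score']} -> {new_score} (spam: {flagged})")
```

Read a real mailbox into split_mbox() to run this over the ISP-filtered mail. A bayes_seen of zero across hundreds of scanned messages means the server either has use_bayes turned off or has not yet trained enough messages: SpamAssassin emits no BAYES_* rule until both the ham and spam counts reach the bayes_min_ham_num and bayes_min_spam_num minimums. The what-if rescore only models boosts on rules that already fired, so it says nothing about ham hits on those rules, which is the check Greg asks for before raising them.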

Re: msnbc.com - BREAKING NEWS spam question

Posted by Chris <cp...@embarqmail.com>.
On Saturday 16 August 2008 5:27 am, distill wrote:
> I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
> made sure that all of those spams (over 40 of them) are manually trained to
> be spam. SpamAssassin does filter out those messages about 75% of the time.
> However, even after this careful manual training some of those spams are
> still getting through (my score threshold is now 4.4). I get the feeling
> that the training doesn't have any effect. Is there something wrong or is
> SpamAssassin just incapable of learning this? The msnbc spams are almost
> identical to each other with lots of words, so I would imagine this should
> be an easy task.
>
> Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that
> if there are more than one of those tags present, for example
> "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
> still be ham?
>

If you're running the ClamAv plug-in, Steve Basford has a new set of 
experimental sigs for this. They can be found here:

http://sanesecurity.co.uk/clamav/rogue.htm

Here's Steve's whole blurb:

"The new Rogue signature database contains hashes of known Rogue 
Anti-Virus software and also contains known Fake Videos/Codecs.
Most of these files are currently being distributed via the current wave 
of fake CNN/Msnbc/BBC news and fake video emails (54 signatures currently)"

I've downloaded and installed but haven't received any of the above since 
installing. If you do install don't forget to stop and restart ClamAv so that 
they take effect.

-- 
Chris
KeyID 0xE372A7DA98E6705C