Posted to users@spamassassin.apache.org by Steve Lake <st...@raiden.net> on 2006/12/10 12:52:35 UTC

New advice spam

         Seems our favorite spammer (or one of his buddies) who sent us all 
that nice pump and dump "wrote" stock spam is now sending spam with the 
title "(username) advise".  The part that's annoying is that it's only 
hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never enough to 
actually mark it as spam.  My spam threshold is set at 4.5 and these emails 
are sneaking through at 3.5-3.6 total score.  Any ideas what needs to be 
done to deal with these?  Thankfully there's not many of them right now, 
but it's best to nip it in the bud before it does become a problem.


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community



Re: New advice spam

Posted by Chris Purves <ch...@northfolk.ca>.
Steve Lake wrote:
>         Those razor2 and pyzor checks look interesting, but I haven't 
> seen them on any of my emails that get filtered.  Is that something 
> special you have to setup, or is it a default feature of SA?
> 

The spamassassin wiki, as well as manual pages are full of information 
about razor and pyzor.


-- 
Chris


Re: New advice spam

Posted by Steve Lake <st...@raiden.net>.
         Those razor2 and pyzor checks look interesting, but I haven't seen 
them on any of my emails that get filtered.  Is that something special you 
have to setup, or is it a default feature of SA?


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community



Re: New advice spam

Posted by Steve Lake <st...@raiden.net>.
At 06:19 AM 12/10/2006 -0800, John Rudd wrote:
>The Botnet plugin seems to catch the vast majority of them here.  Have you 
>tried it?

         Nope, been considering it though.  I did check my spam bin and it 
appears that only about one in twenty of those advice spams are getting 
through, so that's good.  But I will definitely look into that botnet plugin.


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community



Re: New advice spam

Posted by Karl Auer <ka...@biplane.com.au>.
On Sun, 2006-12-10 at 06:52 -0500, Steve Lake wrote:
>          Seems our favorite spammer (or one of his buddies) who sent us all 
> that nice pump and dump "wrote" stock spam is now sending spam with the 
> title "(username) advise".  The part that's annoying is that it's only 
> hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never enough to 
> actually mark it as spam.  My spam threshold is set at 4.5 and these emails 
> are sneaking through at 3.5-3.6 total score.  Any ideas what needs to be 
> done to deal with these?  Thankfully there's not many of them right now, 
> but it's best to nip it in the bud before it does become a problem.

It might be a bad idea, but I've set the score for BAYES_00 to zero. It
seemed to me that the only emails (other than VERY short ones) that ever
got a zero Bayes rating were spams :-) and the -4.9 that BAYES_00 gives
by default seemed more than excessive.

Anyway, my system catches a lot more spam now that BAYES_00 is not
counteracting so many other spammy features...

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)


Re: New advice spam

Posted by Phil Barnett <ph...@philb.us>.
On Sunday 10 December 2006 16:31, John Rudd wrote:

> It can be downloaded from:
>
>   http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Thanks, John. I downloaded it and installed it earlier today. It appears to be 
working fine, but I got with this tonight when RulesDuJour ran:

RulesDuJour Run Summary on taz5.fiberhosting.net:

***NOTICE***: spamassassin --lint failed.  This means that you have an error 
somewhere in your SpamAssassin configuration.  To determine what the problem 
is, please run 'spamassassin --lint' from a shell and notice the error 
messages it prints.  For more (debug) information, add the -D switch to the 
command.  Usually the problem will be found in local.cf, user_prefs, or some 
custom ruleset found in /usr/share/spamassassin.  Here are the errors 
that 'spamassassin --lint' reported:

warning: description for BOTNET is over 50 chars
lint: 1 issues detected.  please rerun with debug enabled for more 
information.


-- 
My other computer is your Windows machine

Re: New advice spam

Posted by John Rudd <jr...@ucsc.edu>.
Phil Barnett wrote:
> On Sunday 10 December 2006 09:19, John Rudd wrote:
>> Steve Lake wrote:
>>>         Seems our favorite spammer (or one of his buddies) who sent us
>>> all that nice pump and dump "wrote" stock spam is now sending spam with
>>> the title "(username) advise".  The part that's annoying is that it's
>>> only hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never
>>> enough to actually mark it as spam.  My spam threshold is set at 4.5 and
>>> these emails are sneaking through at 3.5-3.6 total score.  Any ideas
>>> what needs to be done to deal with these?  Thankfully there's not many
>>> of them right now, but it's best to nip it in the bud before it does
>>> become a problem.
>> The Botnet plugin seems to catch the vast majority of them here.  Have
>> you tried it?
> 
> Where do we get it?
> 

I announce the releases here on the spam assassin user's list, so a 
quick search in the message archives should turn up various messages 
with "Botnet" in the subject.

Here was the last release announcement:



The next version of the Botnet plugin for Spam Assassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to 
identify whether or not the message has been submitted by a 
botnet/spam-zombie type host by looking at its DNS characteristics (no 
reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
to the relay's IP, or reverse DNS that contains things that look like an 
ISP's client address).  The places I've been using it, and the people I 
hear about who are using it, have seen a high degree of success.

It can be downloaded from:

  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar


As usual, feedback, statistics, bug reports, feature suggestions, are 
all welcome.

NOTE: This will be the last version I announce outside of the SA users 
mailing list.  I don't want to wear out the patience of the other list 
owners.  users@spamassassin.apache.org is where I'll make all further 
release announcements.


What's new in 0.6:


1) IP in Hostname bug fix (the same IP address octet could be matched 
twice.. which was a problem if the octet was "1", and the hostname had a 
sub-string like "101" in it)

2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do 
item #3)

5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are 
now wrapped by (\b|\d) (both before and after the word/expression). This 
is to help avoid false positives where a clientword might have been a 
substring of a larger word that shouldn't have triggered the check 
(similarly for serverwords).

7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
they don't already have \. or \A in front (but it will be added if the 
expression starts with "." -- since this is a regular expression, that 
is assumed to mean any single character, so be careful).

8) added debug output for parse_config

9) added "mta" and "relay" to serverwords (used by classmates.com and/or 
reunion.com)

10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)

11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
".res." in residential/customer IP hostnames, and ".resnet." is common 
at universities for dorm IP addresses)

12) contemplating adding cpe and cust(omer)? to the controversial 
clientwords (I think cpe = customer (presence/provided/?) equipment)



----


To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet 
checks can be used in other perl programs.  Include a script that takes 
an IP addr and answers where/how it passed/failed.

3) try to do a lookup on the sender's email address domain; if it points 
back to the relay's IP address (A record, or one of the MX records), 
then that's less likely to be a botnet.  Use this like 
BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
too? (I think that was a suggestion in one of the alternate meta rules)

4) credits for help I've gotten from other people

5) get listed in the wiki
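
The DNS heuristics the release note above describes, re-implemented as an added Python example. This is not the Botnet plugin's own Perl code; it is a stand-alone illustration of the same checks: full-circle DNS, the IP-in-hostname octet match, clientwords and serverwords wrapped in (\b|\d), and the (\.|\A) prefix added to pass_domains. DNS answers come from a constructed in-memory table using RFC 5737 documentation addresses and hypothetical hostnames, so it runs offline. The word lists contain the words the note mentions plus a few assumed common ones, and the meta-rule combining the sub-rules into BOTNET is my assumption (the note only says SERVERWORDS counters CLIENT).

```python
"""Botnet-style relay heuristics (added example, not the Botnet plugin's code)."""
import re

# Constructed DNS data: hypothetical names, RFC 5737 documentation addresses.
PTR = {  # ip -> reverse name
    "203.0.113.5":   "mail.example.org",                       # clean MTA, round-trips
    "198.51.100.9":  "host9.example.net",                      # PTR exists, but no A record
    "198.51.100.20": "cpe-198-51-100-20.dsl.example-isp.net",  # DSL client, IP in hostname
    "192.0.2.77":    "relay1.dsl.example-isp.net",             # client word countered by "relay"
    "192.0.2.1":     "fresno101.example-net.org",              # "res" inside "fresno" must not hit
    "192.0.2.8":     "mail.example.org",                       # PTR name resolves to another IP
    "198.51.100.30": "dyn-30.trusted-partner.example",         # client word, but pass_domains
}
A = {    # name -> forward addresses
    "mail.example.org": ["203.0.113.5"],
    "cpe-198-51-100-20.dsl.example-isp.net": ["198.51.100.20"],
    "relay1.dsl.example-isp.net": ["192.0.2.77"],
    "fresno101.example-net.org": ["192.0.2.1"],
    "dyn-30.trusted-partner.example": ["198.51.100.30"],
}
SAMPLE_IPS = list(PTR) + ["192.0.2.250"]   # last one has no PTR at all

# Words from the release note (dsl variants, res*, cpe, cust*) plus assumed
# common ones (dyn*, dhcp, dial*, pool, ppp, cable).  mta/relay are from the
# note; mail/smtp/mx are assumed.
CLIENTWORDS = [r"(a|s|d(yn)?)?dsl", r"res(net|ident(ial)?)?", r"cpe", r"cust(omer)?",
               r"dyn(amic)?", r"dhcp", r"dial(up)?", r"pool", r"ppp", r"cable"]
SERVERWORDS = [r"mta", r"relay", r"mail", r"smtp", r"mx"]


def word_regex(words):
    """Item 6 of the note: wrap each word in (\\b|\\d) on both sides so a word
    is only matched as a whole token, not as a substring of a longer label."""
    return re.compile(r"(?:\b|\d)(?:" + "|".join(words) + r")(?:\b|\d)", re.IGNORECASE)


CLIENT_RE = word_regex(CLIENTWORDS)
SERVER_RE = word_regex(SERVERWORDS)


def compile_pass_domains(patterns):
    """Item 7 of the note: prepend (\\.|\\A) unless the expression already
    starts with \\. or \\A.  A bare leading '.' is a regex wildcard, so it
    still gets the prefix; write \\.example\\.com if you mean a literal dot."""
    out = []
    for p in patterns:
        if not (p.startswith(r"\.") or p.startswith(r"\A")):
            p = r"(?:\.|\A)" + p
        out.append(re.compile(p, re.IGNORECASE))
    return out


def full_circle(ip):
    """Return (reverse name, ok).  ok only if a PTR exists and the name's
    forward records include the relay IP (the BOTNET_BADDNS condition)."""
    name = PTR.get(ip)
    if name is None:
        return None, False
    return name, ip in A.get(name, [])


def ip_in_hostname(ip, hostname):
    """True if every octet of ip appears as its own digit run in hostname.
    Each digit run may back only one octet, so the '101' in 'fresno101'
    cannot be counted for an octet '1' (the 0.5 bug the note says 0.6 fixed)."""
    runs = [int(r) for r in re.findall(r"\d+", hostname)]
    for octet in map(int, ip.split(".")):
        if octet not in runs:
            return False
        runs.remove(octet)
    return True


def botnet_check(ip, pass_domains=()):
    """Evaluate the sub-rules for one relay IP and combine them into BOTNET."""
    name, ok = full_circle(ip)
    hits = {
        "BOTNET_BADDNS": not ok,
        "BOTNET_IPINHOSTNAME": bool(name) and ip_in_hostname(ip, name),
        "BOTNET_CLIENT": bool(name) and bool(CLIENT_RE.search(name)),
        "BOTNET_SERVERWORDS": bool(name) and bool(SERVER_RE.search(name)),
    }
    passed = bool(name) and any(p.search(name) for p in compile_pass_domains(pass_domains))
    # Assumed meta-rule: a pass_domains match overrides everything; otherwise
    # bad DNS or IP-in-hostname fires alone, and CLIENT fires unless countered.
    hits["BOTNET"] = (not passed) and (
        hits["BOTNET_BADDNS"] or hits["BOTNET_IPINHOSTNAME"]
        or (hits["BOTNET_CLIENT"] and not hits["BOTNET_SERVERWORDS"]))
    return name, hits


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        name, hits = botnet_check(ip, pass_domains=[r"trusted-partner\.example"])
        fired = [k for k, v in hits.items() if v]
        print(f"{ip:15} {name or '(no PTR)':40} {' '.join(fired) or '-'}")
```

Running it prints one line per sample relay with the sub-rules that fired. The two cases worth staring at are `fresno101.example-net.org`, which neither trips the `res(net|ident(ial)?)?` clientword (the letter before `res` is neither a word boundary nor a digit) nor has its `101` counted as the octet `1` of 192.0.2.1, and `relay1.dsl.example-isp.net`, where `dsl` hits but `relay` counters it, so BOTNET stays off.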


Re: New advice spam

Posted by René Berber <r....@computer.org>.
Phil Barnett wrote:
> On Sunday 10 December 2006 09:19, John Rudd wrote:
>> Steve Lake wrote:
>>>         Seems our favorite spammer (or one of his buddies) who sent us
>>> all that nice pump and dump "wrote" stock spam is now sending spam with
>>> the title "(username) advise".  The part that's annoying is that it's
>>> only hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never
>>> enough to actually mark it as spam.  My spam threshold is set at 4.5 and
>>> these emails are sneaking through at 3.5-3.6 total score.  Any ideas
>>> what needs to be done to deal with these?  Thankfully there's not many
>>> of them right now, but it's best to nip it in the bud before it does
>>> become a problem.
>> The Botnet plugin seems to catch the vast majority of them here.  Have
>> you tried it?
> 
> Where do we get it?

http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/92277

-- 
René Berber


Re: New advice spam

Posted by Phil Barnett <ph...@philb.us>.
On Sunday 10 December 2006 09:19, John Rudd wrote:
> Steve Lake wrote:
> >         Seems our favorite spammer (or one of his buddies) who sent us
> > all that nice pump and dump "wrote" stock spam is now sending spam with
> > the title "(username) advise".  The part that's annoying is that it's
> > only hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never
> > enough to actually mark it as spam.  My spam threshold is set at 4.5 and
> > these emails are sneaking through at 3.5-3.6 total score.  Any ideas
> > what needs to be done to deal with these?  Thankfully there's not many
> > of them right now, but it's best to nip it in the bud before it does
> > become a problem.
>
> The Botnet plugin seems to catch the vast majority of them here.  Have
> you tried it?

Where do we get it?

-- 
My other computer is your Windows machine

Re: New advice spam

Posted by John Rudd <jr...@ucsc.edu>.
Steve Lake wrote:
>         Seems our favorite spammer (or one of his buddies) who sent us 
> all that nice pump and dump "wrote" stock spam is now sending spam with 
> the title "(username) advise".  The part that's annoying is that it's 
> only hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never 
> enough to actually mark it as spam.  My spam threshold is set at 4.5 and 
> these emails are sneaking through at 3.5-3.6 total score.  Any ideas 
> what needs to be done to deal with these?  Thankfully there's not many 
> of them right now, but it's best to nip it in the bud before it does 
> become a problem.
> 
> 

The Botnet plugin seems to catch the vast majority of them here.  Have 
you tried it?


Re: New advice spam

Posted by Chris <cp...@earthlink.net>.
On Sunday 10 December 2006 5:52 am, Steve Lake wrote:
>          Seems our favorite spammer (or one of his buddies) who sent us all
> that nice pump and dump "wrote" stock spam is now sending spam with the
> title "(username) advise".  The part that's annoying is that it's only
> hitting on bayes, and occasionally on FORGED_RCVD_HELO, but never enough to
> actually mark it as spam.  My spam threshold is set at 4.5 and these emails
> are sneaking through at 3.5-3.6 total score.  Any ideas what needs to be
> done to deal with these?  Thankfully there's not many of them right now,
> but it's best to nip it in the bud before it does become a problem.
>
Steve, FWIW, here's how these are tagged on my home box:

Content analysis details:   (51.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 BOTNET_BADDNS          IP address doesn't have full circle DNS
 2.0 DATE_IN_PAST_96_XX     Date: is 96 hours or more before Received: date
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
 1.5 IXHASH                 BODY: Classified as spam at iX Magazine, Germany
 1.5 LOGINHASH2             BODY: Classified as spam at unknown company, Germany
 1.5 LOGINHASH1             BODY: Spam at LogIn&Solutions AG, Germany
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [221.135.160.71 listed in dnsbl.sorbs.net]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [221.135.160.71 listed in combined.njabl.org]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 1.7 STOCK_NAME_FVGT1       STOCK_NAME_FVGT1
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

HTH

-- 
Chris