Posted to users@spamassassin.apache.org by Craig Zeigler <cr...@cfrscca.net> on 2005/12/11 17:11:15 UTC

message with drug ad image only

I have been getting hundreds of these messages per day and don't know 
how to stop them. Bayes only comes back at 60%.

They are the messages advertising drugs with a random subject (yes, I 
know, one of the many). The filename is Part 1.1.jpg. There is no virus 
that I can find.

Does anyone have a rule to kill these?

Re: message with drug ad image only

Posted by Fred <sp...@freddyt.com>.
Craig Zeigler wrote:
> I have been getting hundreds of these messages per day and don't know
> how to stop them. Bayes only comes back at 60%.
>
> They are the messages advertising drugs with a random subject (yes, I
> know, one of the many). The filename is Part 1.1.jpg. There is no virus
> that I can find.
>
> Does anyone have a rule to kill these?

Well, I'm sick of seeing these too, so here's a rule to make them stop. Now,
you realize that they'll change their tactics in a few days and this rule
won't be of any use to us, say, in a month.

This rule didn't cause any FPs in our testing but that doesn't mean it'll
work for you.

# Sub-rules (the leading __ means they carry no score of their own). `full`
# runs them against the raw message, headers and body together.
full __FULL_MIME_IMAGE m'\bContent-Type: image/(?:jpeg|gif)'i
# A line with a URL, optionally one blank line, then a line holding just =20
# (a quoted-printable encoded trailing space).
full __TEST_20_URL m'http://[^\r\n]{10,50}(?:\r\n){1,2}=20\r\n'
meta    LOCAL_HAS_IMAGES (__FULL_MIME_IMAGE && __TEST_20_URL)
describe LOCAL_HAS_IMAGES Image part plus a URL line followed by a lone =20 line
score   LOCAL_HAS_IMAGES 3.75
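The following is an added example, not code from the thread or from Fred: his two `full` regexes transcribed as Python byte patterns and run over a constructed quoted-printable image spam, over a benign message with a photo attached, and over the same spam with bare-LF line endings, so you can see exactly what LOCAL_HAS_IMAGES keys on before dropping the rule into local.cf. The addresses, boundaries, URL and message text are all constructed for the example.

```python
"""Exercise Fred's LOCAL_HAS_IMAGES sub-rules on constructed raw messages.

Added example, not code from the thread. SpamAssassin `full` rules see the
raw message (headers and body, line endings intact), so the patterns here
are byte regexes applied to the whole message.
"""
import re

# Transcribed from the two `full` rules in Fred's post.
FULL_MIME_IMAGE = re.compile(rb"\bContent-Type: image/(?:jpeg|gif)", re.IGNORECASE)
TEST_20_URL = re.compile(rb"http://[^\r\n]{10,50}(?:\r\n){1,2}=20\r\n")


def evaluate(raw):
    """Hit state of both sub-rules and of the meta rule that ANDs them."""
    img = FULL_MIME_IMAGE.search(raw) is not None
    url = TEST_20_URL.search(raw) is not None
    return {"__FULL_MIME_IMAGE": img, "__TEST_20_URL": url,
            "LOCAL_HAS_IMAGES": img and url}


def crlf(lines):
    """Join lines with CRLF, as a message arriving over SMTP is framed."""
    return b"\r\n".join(lines) + b"\r\n"


# Constructed: an HTML part with one link, then a soft line holding only =20,
# then the image part. This is the shape the rule targets.
IMAGE_SPAM = crlf([
    b"From: someone@example.com",
    b"To: craig@example.com",
    b"Subject: qwzx vbnm",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/html; charset=iso-8859-1",
    b"Content-Transfer-Encoding: quoted-printable",
    b"",
    b'<a href=3D"http://www.example.com/promo/">click here</a>',
    b"=20",
    b"--b1",
    b'Content-Type: image/jpeg; name="Part 1.1.jpg"',
    b"Content-ID: <1>",
    b"Content-Transfer-Encoding: base64",
    b"",
    b"/9j/stub",
    b"--b1--",
])

# Constructed: a legitimate message that also carries a jpeg and a URL but has
# no lone =20 line, so only the image sub-rule fires.
PHOTO_FROM_FRIEND = crlf([
    b"From: friend@example.org",
    b"To: craig@example.com",
    b"Subject: weekend photos",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b2"',
    b"",
    b"--b2",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Album is at http://www.example.org/album/ if you want the rest.",
    b"",
    b"--b2",
    b'Content-Type: image/jpeg; name="DSC_0042.jpg"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"/9j/stub",
    b"--b2--",
])


def as_bare_lf(raw):
    """Same message as it looks after a Unix MTA has rewritten CRLF to LF."""
    return raw.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    for label, raw in (("image spam", IMAGE_SPAM),
                       ("friend's photo", PHOTO_FROM_FRIEND),
                       ("image spam, bare LF", as_bare_lf(IMAGE_SPAM))):
        print(label, evaluate(raw))
```

One thing worth checking in your own setup: the second pattern requires literal `\r\n`, so it only fires if the raw message SpamAssassin is handed still has CRLF line endings. Run the rule through `spamassassin -t` on one of the offending messages exactly as your MTA stores it; if `__TEST_20_URL` never hits there, the line endings are the reason.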



Re: message with drug ad image only

Posted by Pollywog <li...@shadypond.com>.
On 12/11/2005 04:11 pm, Craig Zeigler wrote:
> I have been getting hundreds of these messages per day and don't know
> how to stop them. Bayes only comes back at 60%.
>
> They are the messages advertising drugs with a random subject (yes, I
> know, one of the many). The filename is Part 1.1.jpg. There is no virus
> that I can find.
>
> Does anyone have a rule to kill these?

I had been getting lots of those until about a week ago; I don't know why they 
stopped.

Perhaps a Procmail or Maildrop rule that rejects (deletes) mail that contains 
a gif or jpg attachment if the sender is not in a whitelist?

I will have to Google for tips on how to do that for Maildrop.


8)

Re: DCC hits of nonspam (message with drug ad image only)

Posted by Matt Kettler <mk...@evi-inc.com>.
Graham Murray wrote:
> Matt Kettler <mk...@comcast.net> writes:
> 
> 
>>The last mass-checks for 3.1.0 gave it a S/O of about 0.980, but I'm
>>seeing more like 0.900 out of DCC at my site. Could just be the nature
>>of my site, but about a dozen common subscriber newsletters at my site
>>consistently hit it.
> 
> 
> Which is why it is a good idea to add such solicited bulk senders to
> the DCC whiteclnt which will make (your local) DCC not consider these
> to be bulk and hence spamassassin not to add the DCC score to them.
> 

To follow up, I looked into it, and there's WAY too many of these to whitelist
them all at my site.

I took a quick grep to look for messages unlikely to be spam. I did a quick grep
for messages that matched DCC_CHECK that:
	1) were not marked as spam by SA at threshold 5
	2) did not have a total score of 4.*
	3) did match BAYES_00 or BAYES_05.
	4) did not match any RAZOR2 rules
	5) were not listed in SpamCop, DSBL, SBL or XBL
	6) did not hit SPF_FAIL or SPF_SOFTFAIL
	7) did not match any rule with DRUGS, OBFU or FUZZY, in its name
	8) did not contain any geocities URL

I got 855 hits that fit all 8 of the above out of a total of 6894 DCC_CHECK
hits. That's an S/O of 0.875. My site is *massively* worse for DCC false
positives than the mass-check testing data. In this limited sample I have 6.25
times more nonspam hits per thousand than the mass-check tests did!

Admittedly I haven't verified all 855 were not spam, but it's pretty unlikely
that many of those 855 are spam given the great number of criteria I applied.
There are probably also a good number of FPs that don't meet the above criteria.



DCC_CHECK Hits include:
	113 messages that are BSP_TRUSTED
	21 messages that are HABEAS_ACCREDITED_*

Hits include mail from:

	ebay (Real, SPF_PASS and BSP_TRUSTED)
	paypal (Real, SPF_PASS and BSP_TRUSTED)
	securityfocus (bugtraq postings)
	Fender (as in guitars)
	Iomega (maker of zip drives)
	Kodak
	applenews.lists.apple.com
	toysrus
	weightwatchers
	onehanesplace.com (as in Hanes, the underwear maker)
	buy.com
	hallmark.com
	fashionbug (women's clothes)
	eweek.com
	orbitz
	williams-sonoma
	walmart
	HP
	Buy.com

And hundreds of different relatively legitimate commercial sites. I just can't
react to this with DCC's whitelisting feature. There are too many sites to deal with.



Re: message with drug ad image only

Posted by Graham Murray <gr...@gmurray.org.uk>.
Matt Kettler <mk...@comcast.net> writes:

> The last mass-checks for 3.1.0 gave it a S/O of about 0.980, but I'm
> seeing more like 0.900 out of DCC at my site. Could just be the nature
> of my site, but about a dozen common subscriber newsletters at my site
> consistently hit it.

Which is why it is a good idea to add such solicited bulk senders to
the DCC whiteclnt which will make (your local) DCC not consider these
to be bulk and hence spamassassin not to add the DCC score to them.

Re: message with drug ad image only

Posted by Matt Kettler <mk...@evi-inc.com>.
Pollywog wrote:
> On 12/11/2005 05:31 pm, Kai Schaetzl wrote:
> 
>>Craig Zeigler wrote on Sun, 11 Dec 2005 11:11:15 -0500:
>>
>>>The filename is Part 1.1.jpg.
>>
>>Use MailScanner or another tool to reject/delete mail with that name. If
>>it is coming from zombies, just disallow zombies at MTA level. Not
>>everything anti-spam should be done with SA.
> 
> 
> 
> Spammers are stupid, but not THAT stupid; they do use different names for 
> their files. The ones I have gotten seem to have random filenames using mixed 
> case.  I think it's a job better suited to Procmail or Maildrop, though.  I 
> am trying to find a way to do it with a Maildrop filter.

FWIW, the most recent version of this that I got was on Dec 9, and the
attachment was an embedded type named "22.jpg".

It wound up containing a link to their site in its limited text, and the URIBLs
tore it to bits. Also, both hash systems I use (Razor and DCC) nailed it, and it
was an SPF forgery.


X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=29.637, required 5,
	autolearn=spam, BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
	DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71,
	HTML_IMAGE_ONLY_08 3.13, HTML_MESSAGE 0.00,
	HTML_SHORT_LINK_IMG_1 0.95, INFO_GREYLIST_NOTDELAYED -0.00,
	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
	RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_SOFTFAIL 1.38,
	URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64,
	URIBL_SC_SURBL 4.50, URI_NOVOWEL 0.88)


And one before that from Dec 7; its file was "mute30.gif"

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.791, required 5,
	BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
	FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87,
	HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
	RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RELAY_UK 0.01,
	URIBL_BLACK 2.50, URIBL_SBL 1.64)

Body hash systems like Razor's e4 and DCC both really help a lot against
embedded/attached image spams. In both of these emails the DCC/Razor combined
(plus DIGEST_MULTIPLE) resulted in 6.27 points. And that's with me trimming down
the DCC_CHECK score to 1.5 from 2.17. In a stock SA 3.1.0 config the combined
hits from these two would have been over 7 points.
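An added example, not code from the thread or from Matt, covering two things from his posts: parsing the X-*-SpamCheck header that MailScanner writes from the SpamAssassin result, totalling the body-hash rules (DCC_CHECK, DIGEST_MULTIPLE, RAZOR2_*) the way the 6.27-point figure above is arrived at, and applying the eight criteria from his earlier DCC post to DCC_CHECK hits to estimate a local S/O and compare it with a mass-check reference. The two spam headers are copied from the post above; the ham-looking headers, the message bodies, and the DNSBL rule names used for criterion 5 are assumptions for the example.

```python
"""Total hash-system points and estimate a local DCC S/O from SpamCheck headers.

Added example, not code from the thread. Input is (header value, body) pairs;
the two spam headers are from Matt's post, everything else is constructed.
"""
import re

SCORE_RE = re.compile(r"score=(-?\d+\.\d+)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")


def parse_spamcheck(header):
    """Return (total score, {rule name: points}) from a SpamCheck header value."""
    m = SCORE_RE.search(header)
    if m is None:
        raise ValueError("no score= field in header")
    return float(m.group(1)), {n: float(p) for n, p in RULE_RE.findall(header)}


HASH_PREFIXES = ("DCC_CHECK", "DIGEST_MULTIPLE", "RAZOR2_")


def hash_system_points(rules):
    """Points from DCC, Razor and the DIGEST_MULTIPLE meta rule, to 2 places."""
    return round(sum(p for n, p in rules.items() if n.startswith(HASH_PREFIXES)), 2)


# Assumed rule names for SpamCop, DSBL, SBL and XBL listings (criterion 5);
# the post does not say which rules were grepped for.
DNSBL_RULES = {"RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_DSBL", "RCVD_IN_SBL", "RCVD_IN_XBL"}


def unlikely_to_be_spam(total, rules, body):
    """Matt's eight criteria for a DCC_CHECK hit that is probably not spam."""
    names = set(rules)
    return all((
        total < 5.0,                                               # 1 not spam at threshold 5
        not 4.0 <= total < 5.0,                                    # 2 total score not 4.x
        bool(names & {"BAYES_00", "BAYES_05"}),                    # 3 Bayes says ham
        not any(n.startswith("RAZOR2") for n in names),            # 4 no Razor hits
        not names & DNSBL_RULES,                                   # 5 not on the four DNSBLs
        not names & {"SPF_FAIL", "SPF_SOFTFAIL"},                  # 6 SPF did not fail
        not any(k in n for n in names for k in ("DRUGS", "OBFU", "FUZZY")),  # 7
        "geocities" not in body.lower(),                           # 8 no geocities URL
    ))


def dcc_so_estimate(messages):
    """(DCC_CHECK hits, hits that look like ham, S/O) over (header, body) pairs."""
    hits = ham = 0
    for header, body in messages:
        total, rules = parse_spamcheck(header)
        if "DCC_CHECK" not in rules:
            continue
        hits += 1
        if unlikely_to_be_spam(total, rules, body):
            ham += 1
    return hits, ham, (1.0 - ham / hits if hits else None)


def nonspam_hit_ratio(so_local, so_reference):
    """Nonspam hits per thousand at so_local relative to so_reference."""
    return (1.0 - so_local) / (1.0 - so_reference)


# Copied from Matt's post.
SPAM_HDR_1 = ("spam, SpamAssassin (score=29.637, required 5, autolearn=spam, BAYES_50 0.00, "
              "DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71, "
              "HTML_IMAGE_ONLY_08 3.13, HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_1 0.95, "
              "INFO_GREYLIST_NOTDELAYED -0.00, RAZOR2_CF_RANGE_51_100 0.50, "
              "RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, "
              "SPF_SOFTFAIL 1.38, URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64, "
              "URIBL_SC_SURBL 4.50, URI_NOVOWEL 0.88)")
SPAM_HDR_2 = ("spam, SpamAssassin (score=12.791, required 5, BAYES_50 0.00, DCC_CHECK 1.50, "
              "DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87, "
              "HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00, RAZOR2_CF_RANGE_51_100 0.50, "
              "RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, "
              "RELAY_UK 0.01, URIBL_BLACK 2.50, URIBL_SBL 1.64)")
# Constructed: a newsletter DCC calls bulk that otherwise looks like ham, a
# borderline one (score 4.x, SBL-listed, geocities link), and one DCC never saw.
NEWSLETTER_HDR = ("not spam, SpamAssassin (score=-1.10, required 5, autolearn=not spam, "
                  "BAYES_00 -2.60, DCC_CHECK 1.50, HTML_MESSAGE 0.00, SPF_PASS -0.00)")
BORDERLINE_HDR = ("not spam, SpamAssassin (score=4.24, required 5, BAYES_05 -1.10, "
                  "DCC_CHECK 1.50, HTML_MESSAGE 0.00, RCVD_IN_SBL 1.64, SPF_SOFTFAIL 1.38)")
PLAIN_HDR = "not spam, SpamAssassin (score=-2.60, required 5, BAYES_00 -2.60)"

CORPUS = [
    (SPAM_HDR_1, "(image only; link text omitted)"),
    (SPAM_HDR_2, "(image only)"),
    (NEWSLETTER_HDR, "This week's deals at http://www.example.com/weekly/"),
    (BORDERLINE_HDR, "Visit http://www.geocities.com/example/ for details"),
    (PLAIN_HDR, "Lunch tomorrow?"),
]

if __name__ == "__main__":
    for hdr in (SPAM_HDR_1, SPAM_HDR_2):
        print("hash-system points:", hash_system_points(parse_spamcheck(hdr)[1]))
    print("DCC hits, probable ham, S/O:", dcc_so_estimate(CORPUS))
    print("nonspam hits vs mass-check:", nonspam_hit_ratio(0.875, 0.980))
```

Criterion 8 needs the body, which is why the input carries one alongside the header; the other seven are answered from the SpamCheck header alone. Pointing `dcc_so_estimate` at a real corpus means replacing CORPUS with headers pulled from your own mail store.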



Re: message with drug ad image only

Posted by Pollywog <li...@shadypond.com>.
On 12/11/2005 08:31 pm, Kai Schaetzl wrote:
> Pollywog wrote on Sun, 11 Dec 2005 17:42:38 +0000:
> > they do use different names for
> > their files
>
> well, not according to his posting.

The only thing I could think of to deal with it was to add a Maildrop rule to 
send such files to the spam folder if they are not sorted into another folder 
first (if the sender is unknown to me):



# Anything still multipart/mixed at this point (not already sorted into
# another folder by an earlier rule) goes to the Spam folder; the exception
# block lets maildrop carry on if delivery to that folder fails.
if (/^Content-Type: multipart\/mixed/)
{
    exception {
        to "$HOME/Maildir/.Spam/"
    }
}


I looked unsuccessfully for a fancy rule to do what I wanted to do, but could 
not find one; I did notice there is an app for spammers that use Macs, and it 
is also called Maildrop.

8)
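An added example, not code from the thread or from Pollywog: the filter he describes earlier (send mail with a gif or jpg attachment to the spam folder unless the sender is whitelisted), written in Python so the decision can be tested offline. Unlike the maildrop rule above, which matches on the top-level multipart/mixed type, this walks the MIME parts and keys on each part's Content-Type, so it catches the image whatever its filename is and whether it is attached or embedded inline (as in the "embedded type" Matt mentions). The whitelist, folder names, addresses and sample messages are constructed for the example.

```python
"""Route mail carrying a gif/jpg part to Spam unless the sender is whitelisted.

Added example, not code from the thread. The whitelist and the sample
messages are constructed; the image payloads are stubs, not real images.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

WHITELIST = {"friend@example.org", "newsletter@example.net"}  # assumed for the example
IMAGE_TYPES = {"image/jpeg", "image/gif"}


def image_parts(msg):
    """Filenames of image/jpeg or image/gif parts, inline or attached."""
    return [part.get_filename() or "<unnamed>"
            for part in msg.walk() if part.get_content_type() in IMAGE_TYPES]


def sender_address(msg):
    """Bare address from the From header, lower-cased for comparison."""
    return parseaddr(msg.get("From", ""))[1].lower()


def route(raw):
    """'Spam' for image-bearing mail from an unknown sender, else 'INBOX'."""
    msg = message_from_bytes(raw, policy=policy.default)
    if image_parts(msg) and sender_address(msg) not in WHITELIST:
        return "Spam"
    return "INBOX"


def attachment_names(raw):
    """Convenience wrapper: image part names for a raw message."""
    return image_parts(message_from_bytes(raw, policy=policy.default))


def build(sender, subject, text, image_name=None, subtype="jpeg",
          disposition="attachment"):
    """Construct a sample message; the image bytes are a stub, not a real file."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "craig@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if image_name:
        m.add_attachment(b"\xff\xd8stub", maintype="image", subtype=subtype,
                         filename=image_name, disposition=disposition)
    return m.as_bytes()


# Constructed samples: the thread's three filenames, plus a friend's photo
# and a text-only message, to show each branch of the decision.
SAMPLE_IMAGE_SPAM = build("xyz@example.invalid", "qwzx vbnm", "", "Part 1.1.jpg")
SAMPLE_INLINE_SPAM = build("abc@example.invalid", "hi", "", "22.jpg",
                           disposition="inline")
SAMPLE_GIF_SPAM = build("def@example.invalid", "mute", "", "mute30.gif", subtype="gif")
SAMPLE_FRIEND_PHOTO = build("friend@example.org", "weekend", "photos attached",
                            "DSC_0042.jpg")
SAMPLE_TEXT_ONLY = build("xyz@example.invalid", "hello", "no attachment here")

if __name__ == "__main__":
    for label, raw in (("Part 1.1.jpg", SAMPLE_IMAGE_SPAM),
                       ("inline 22.jpg", SAMPLE_INLINE_SPAM),
                       ("mute30.gif", SAMPLE_GIF_SPAM),
                       ("friend's photo", SAMPLE_FRIEND_PHOTO),
                       ("text only", SAMPLE_TEXT_ONLY)):
        print(f"{label:15} -> {route(raw)}")
```

The weak spot is the whitelist key: From is trivially forged, and both of Matt's samples were SPF forgeries, so in practice pair the whitelist with the SPF or other authentication result rather than trusting the header on its own.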

Re: message with drug ad image only

Posted by Kai Schaetzl <ma...@conactive.com>.
Pollywog wrote on Sun, 11 Dec 2005 17:42:38 +0000:

> they do use different names for 
> their files

well, not according to his posting.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: message with drug ad image only

Posted by Pollywog <li...@shadypond.com>.
On 12/11/2005 05:31 pm, Kai Schaetzl wrote:
> Craig Zeigler wrote on Sun, 11 Dec 2005 11:11:15 -0500:
> > The filename is Part 1.1.jpg.
>
> Use MailScanner or another tool to reject/delete mail with that name. If
> it is coming from zombies, just disallow zombies at MTA level. Not
> everything anti-spam should be done with SA.


Spammers are stupid, but not THAT stupid; they do use different names for 
their files. The ones I have gotten seem to have random filenames using mixed 
case.  I think it's a job better suited to Procmail or Maildrop, though.  I 
am trying to find a way to do it with a Maildrop filter.


8)

Re: message with drug ad image only

Posted by Kai Schaetzl <ma...@conactive.com>.
Craig Zeigler wrote on Sun, 11 Dec 2005 11:11:15 -0500:

> The filename is Part 1.1.jpg.

Use MailScanner or another tool to reject/delete mail with that name. If 
it is coming from zombies, just disallow zombies at MTA level. Not 
everything anti-spam should be done with SA.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com