Posted to users@spamassassin.apache.org by Christoph Petersen <li...@peterschen.de> on 2008/10/18 13:00:26 UTC

German Spam Flood

Hey guys,

since a week or two all my mail servers have been receiving a massive amount 
of emails which get past all my rules in SA (even Bayes doesn't stand a 
chance, as the content is written too well).

I wondered if somebody else has this problem and has some advice 
regarding rules.

Here are some of the subjects of these emails:

- Bist DU mein Traumtyp??
- Willst Du spass haben?
- Shireen gepoppt.
- Saga direkt gevoegelt hehe
- L0litas wollen es richtig hart
- Myriam naturgeiles Teenie!

Thanks for your help.

Best regards
Christoph

Re: German Spam Flood

Posted by Christoph Petersen <li...@peterschen.de>.
Hi.

cfgerty wrote:
> Hello,
> 
> the same here. The typical thing here is that the links are typically written with
> blanks, like
> 
> www . something . org
> 
> Has anyone a rule which is able to validate this kind of URLs against a BL?
> 
> And as you say: Bayes still comes back with 0-5%.
> 

Hmm, my Bayes identifies some of them with even 99%, but it's not enough 
to stop all of them.

> Chris
> 
>

BR
Christoph



Re: German Spam Flood

Posted by mouss <mo...@netoyen.net>.
cfgerty wrote:
> Hello,
> 
> the same here. The typical thing here is that the links are typically written with
> blanks, like
> 
> www . something . org
> 
> Has anyone a rule which is able to validate this kind of URLs against a BL?

Are there any legitimate uses of such spacings?

Otherwise, you could play with something like:

describe        URI_SPACE       body contains a spaced URI.
body            URI_SPACE       /www[\s\.\-]{1,3}[^\s\.]{1,20}[\s\.\-]{1,3}(?:org|com|net)/
score           URI_SPACE       0.01
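A worked version of the spaced-URI idea, added here as an example and not taken from the thread or from SpamAssassin: a Python script that finds hosts written as `www . something . org`, rebuilds the host name and checks its registrable domain against a local blocklist, which is the lookup cfgerty asked for. The label and separator limits follow the regex above, except that `-` is kept inside labels instead of being treated as a separator; the TLD list, the blocklist contents, the point values and the sample text are constructed for the demo. One caveat it makes explicit: a plain `www.example.com` matches the same pattern (a single dot is a valid separator), so the code records separately whether whitespace was actually present before it scores anything.

```python
import re

# Added example (not from the mailing-list thread or SpamAssassin itself):
# find "spaced" URIs such as "www . something . org", rebuild the host name
# and look the registrable domain up in a local blocklist. The blocklist
# contents, the TLD list and the sample text are constructed for this demo.

# Separator between labels: one to three whitespace or dot characters.
# (The list rule also allowed '-'; it is dropped here so hyphens inside
# labels such as "geheime-webcam" survive normalisation.)
_SEP = r"[ \t.]{1,3}"
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,18}[a-z0-9])?"   # 1-20 chars, no edge '-'
_TLD = r"(?:org|com|net|de|info|biz)"              # assumption: short demo list

SPACED_URI_RE = re.compile(
    rf"\bwww(?:{_SEP}{_LABEL}){{1,3}}{_SEP}{_TLD}\b", re.IGNORECASE
)

BLOCKLIST = {"something.org"}   # constructed stand-in for a URIBL/SURBL answer


def normalise_host(raw: str) -> str:
    """Collapse 'www . something . org' into 'www.something.org'."""
    return ".".join(p for p in re.split(r"[ \t.]+", raw.lower()) if p)


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels form the registrable domain
    (fine for .de/.com/.net, wrong for public suffixes like .co.uk)."""
    return ".".join(host.split(".")[-2:])


def find_spaced_uris(text: str):
    """Return a list of (normalised host, whitespace was present, listed).
    A plain 'www.example.com' also matches the regex, which is why the
    'spaced' flag must be checked separately before scoring."""
    hits = []
    for m in SPACED_URI_RE.finditer(text):
        raw = m.group(0)
        host = normalise_host(raw)
        spaced = any(c in " \t" for c in raw)
        hits.append((host, spaced, registrable_domain(host) in BLOCKLIST))
    return hits


def score(text: str, spaced_points: float = 0.5, listed_points: float = 3.0) -> float:
    """Toy scoring: obfuscation alone is weak evidence, a listed domain is strong.
    The point values are constructed, not SpamAssassin defaults."""
    total = 0.0
    for _host, spaced, listed in find_spaced_uris(text):
        if spaced:
            total += spaced_points
        if listed:
            total += listed_points
    return total


# Constructed sample body: one obfuscated link and one ordinary one.
SAMPLE = ("Hey, Bilder von mir gibts auf www . something . org hehe\n"
          "Mehr Infos: www.example.com")

if __name__ == "__main__":
    for hit in find_spaced_uris(SAMPLE):
        print(hit)
    print("score:", score(SAMPLE))
```

The tiny `0.01` score in the list rule above makes sense given that its pattern also hits unspaced URLs; a stricter variant that requires whitespace in at least one separator, or the blocklist lookup the script performs, is what justifies a meaningful score.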


Re: German Spam Flood

Posted by cfgerty <cf...@gmx.net>.
Hello,

the same here. The typical thing here is that the links are typically written with
blanks, like

www . something . org

Has anyone a rule which is able to validate this kind of URLs against a BL?

And as you say: Bayes still comes back with 0-5%.

Chris


Christoph Petersen wrote:
> 
> Hey guys,
> 
> since a week or two all my mail servers have been receiving a massive amount 
> of emails which get past all my rules in SA (even Bayes doesn't stand a 
> chance, as the content is written too well).
> 
> I wondered if somebody else has this problem and has some advice 
> regarding rules.
> 
> Here are some of the subjects of these emails:
> 
> - Bist DU mein Traumtyp??
> - Willst Du spass haben?
> - Shireen gepoppt.
> - Saga direkt gevoegelt hehe
> - L0litas wollen es richtig hart
> - Myriam naturgeiles Teenie!
> 
> Thanks for your help.
> 
> Best regards
> Christoph
> 
> 

-- 
View this message in context: http://www.nabble.com/German-Spam-Flood-tp20045971p20046407.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: German Spam Flood

Posted by Michael Monnerie <mi...@is.it-management.at>.
On Saturday, 18 October 2008 Christoph Petersen wrote:
> - Bist DU mein Traumtyp??
> - Willst Du spass haben?
> - Shireen gepoppt.
> - Saga direkt gevoegelt hehe
> - L0litas wollen es richtig hart
> - Myriam naturgeiles Teenie!

Another thing: We have a very hard spam filter, so I do not get a lot of 
spam through. And I do not get a lot of reports of GERMAN spam either, 
so please forward me the most annoying GERMAN spam so that I can react.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4


Re: German Spam Flood

Posted by Michael Monnerie <mi...@is.it-management.at>.
On Saturday, 18 October 2008 Christoph Petersen wrote:
> - Bist DU mein Traumtyp??
> - Willst Du spass haben?
> - Shireen gepoppt.
> - Saga direkt gevoegelt hehe
> - L0litas wollen es richtig hart
> - Myriam naturgeiles Teenie!

Hi guys, I'm the maintainer of ZMI_GERMAN. Sorry that your mails have 
not been identified, but it seems those spammers are subscribers of 
ZMI_GERMAN too, and they quickly adapt their text as soon as I change my 
rules. I've just now updated the rules to
Version:  01.27.15 
and that detects all current spam of that type. Look for ZMIde_Flirt 
rules, these are currently 67 (!) rules just for this type of spam. I 
try to be as generic as possible, and so more and more versions can be 
auto-detected.

Also, I recommend increasing BAYES_99 to 4.5 points and train your Bayes 
daily. I do so via scripts, and always append the newest spam to the 
learn-as-spam-mailbox. No FPs with Bayes.

HOW CAN YOU HELP? Excerpt from the ruleset:
# HOWTO contribute:
# - write and --lint your own rules
# - be sure it hits more than just one spam
# - try to write rules similar to how we write them recently (see the
#   latest body rulesets (the last ones!) to get an example)
# - be sure it actually *is* spam, not just a newsletter from a company
#   who bought your e-mail address from another company (they often
#   don't know...)
# - send your rules to the maintainer (see above) together with the
#   licence (which MUST be "Artistic" for me to include it, or you grant me
#   rights to redistribute it under the "Artistic" licence)

Please always contact me directly, as I don't read this list too often.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net                   Key-ID: 1C1209B4


Re: German Spam Flood

Posted by mouss <mo...@netoyen.net>.
Chris wrote:
> On Saturday 18 October 2008 7:20 am, cfgerty wrote:
>> One sample of these mails:
>>
>> http://pastebin.com/m1e3d6b5d
>>
>> German Language Rulesets are applied.
>>
>> Chris
>>
> Scored like this on my standalone machine:
> 
> Content analysis details:   (11.2 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
> [botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8473]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 104; Body=1 Fuz1=1]
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no 
> rDNS
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
> 
> 


hmmm...

* RDNS_NONE is bogus here. The host does have rdns, it's just that the
(ISP?) MTA didn't look it up. Fortunately, 0.1 is small enough.

* For the same reason, RELAYED_BY_DIALUP looks bogus to me as well. Does
this plugin perform an rDNS lookup? Or does the botnet plugin correct the
X-Relay-* meta headers?

* 5.0 for dynamic rDNS may be too high depending on site policy
regarding dynamic rdns.




Re: German Spam Flood

Posted by Christoph Petersen <li...@peterschen.de>.
Hi Chris,

Chris wrote:
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
> [botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8473]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 104; Body=1 Fuz1=1]
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no 
> rDNS
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
> 
> 

Thanks for pointing that out. Will check on adding these plugins/rules 
into SA.

BR
Christoph

Re: German Spam Flood

Posted by cfgerty <cf...@gmx.net>.
OK, I see in your mail some more plugins I'm not currently running, e.g.
Botnet, sagrey. I have installed them. Will check if it's better now. Just
strange that your Bayes is seeing it...

Chris


Chris-394 wrote:
> 
> On Saturday 18 October 2008 7:20 am, cfgerty wrote:
>> One sample of these mails:
>>
>> http://pastebin.com/m1e3d6b5d
>>
>> German Language Rulesets are applied.
>>
>> Chris
>>
> Scored like this on my standalone machine:
> 
> Content analysis details:   (11.2 points, 5.0 required)
> 
>  pts rule name              description
> ---- ----------------------
> --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
> [botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8473]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [cpollock 104; Body=1 Fuz1=1]
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no 
> rDNS
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
> 
> 
> -- 
> Chris
> KeyID 0xE372A7DA98E6705C
> 
>  
> 



Re: German Spam Flood

Posted by Chris <cp...@embarqmail.com>.
On Saturday 18 October 2008 7:20 am, cfgerty wrote:
> One sample of these mails:
>
> http://pastebin.com/m1e3d6b5d
>
> German Language Rulesets are applied.
>
> Chris
>
Scored like this on my standalone machine:

Content analysis details:   (11.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=88.215.95.153,rdns=88.215.95.153.dynamic.cablesurf.de,maildomain=cablesurf.de,client,ipinhostname,clientwords]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8473]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 104; Body=1 Fuz1=1]
 0.1 RDNS_NONE              Delivered to trusted network by a host with no 
rDNS
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: German Spam Flood

Posted by mouss <mo...@netoyen.net>.
mouss wrote:
> Matthias Schmidt wrote:
>> On Sat, 18 Oct 2008 05:20:03 -0700 cfgerty wrote:
>>
>>> One sample of these mails:
>>>
>>> http://pastebin.com/m1e3d6b5d
>>>
>>> German Language Rulesets are applied.
>>>
>> this message doesn't come from a mail-server with a resolving reverse pointer.
>> We don't accept such messages, so this message even wouldn't make it to
>> spamassassin here.
> 
> 
> which mail server do you mean? My understanding is that Christoph gets
> the mail via his ISP, and his ISP doesn't perform rDNS lookup.
> Christoph: can you confirm this?

Brain corrupted :) It was Chris, not Christoph.

> 
> Other than that, the server that pushed it has a "dynamic" rdns:
> 
> $ host 88.215.95.153
> 153.95.215.88.in-addr.arpa domain name pointer
> 88.215.95.153.dynamic.cablesurf.de.
> $ host 88.215.95.153.dynamic.cablesurf.de
> 88.215.95.153.dynamic.cablesurf.de has address 88.215.95.153
> 
> and if the ISP relay is trusted, then the mail is "direct to mx", which
> could deserve a few points.
> 
> Also, that IP is listed in bb.barracudacentral.org (2.0 here. I am
> considering increasing the score as I didn't see it FP).
> 
> another note: The spam contains an obfuscated uri (geheime-webcam....)
> which is listed on surbl and uribl (since 2008-10-05).
> 
> 
> 


Re: German Spam Flood

Posted by mouss <mo...@netoyen.net>.
Matthias Schmidt wrote:
> On Sat, 18 Oct 2008 05:20:03 -0700 cfgerty wrote:
> 
>> One sample of these mails:
>>
>> http://pastebin.com/m1e3d6b5d
>>
>> German Language Rulesets are applied.
>>
> 
> this message doesn't come from a mail-server with a resolving reverse pointer.
> We don't accept such messages, so this message even wouldn't make it to
> spamassassin here.


Which mail server do you mean? My understanding is that Christoph gets
the mail via his ISP, and his ISP doesn't perform rDNS lookup.
Christoph: can you confirm this?

Other than that, the server that pushed it has a "dynamic" rdns:

$ host 88.215.95.153
153.95.215.88.in-addr.arpa domain name pointer
88.215.95.153.dynamic.cablesurf.de.
$ host 88.215.95.153.dynamic.cablesurf.de
88.215.95.153.dynamic.cablesurf.de has address 88.215.95.153

and if the ISP relay is trusted, then the mail is "direct to mx", which
could deserve a few points.

Also, that IP is listed in bb.barracudacentral.org (2.0 here. I am
considering increasing the score as I didn't see it FP).

another note: The spam contains an obfuscated uri (geheime-webcam....)
which is listed on surbl and uribl (since 2008-10-05).
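The two lookups above, replayed offline as an added example (not code from the thread, from SpamAssassin or from the Botnet plugin): a small Python checker that takes a relay IP, asks a resolver for its PTR, verifies that the name forward-resolves back to the IP, and then applies the kind of heuristics the Botnet hit lists, an IP embedded in the hostname and "client" words such as `dynamic`. The resolver tables are constructed (the cablesurf entry repeats the `host` output quoted in this post; the other two addresses are documentation-range placeholders), the word list and point values are assumptions, and a site would swap the two table callbacks for real DNS queries. The scoring also reflects the point made earlier in the thread: a missing PTR says little when the receiving MTA may simply not have looked it up.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

# Added example: replay the PTR / forward lookups from the thread against an
# in-memory resolver and apply "dynamic relay" heuristics. Not SpamAssassin
# or Botnet plugin code; tables, word list and point values are constructed.

PTR_TABLE = {
    "88.215.95.153": "88.215.95.153.dynamic.cablesurf.de.",  # from the `host` output
    "192.0.2.10": "mail.example.org.",                         # constructed static MX
    "198.51.100.7": None,                                      # constructed: no PTR
}
A_TABLE = {
    "88.215.95.153.dynamic.cablesurf.de": {"88.215.95.153"},
    "mail.example.org": {"192.0.2.10"},
}

# Substrings that usually mark consumer / dynamic address pools (constructed list).
CLIENT_WORDS = ("dynamic", "dsl", "cable", "pool", "ppp", "dhcp", "dial")


@dataclass
class RdnsVerdict:
    ip: str
    rdns: Optional[str]            # None when the PTR lookup returned nothing
    forward_confirmed: bool        # rDNS name resolves back to the IP (FCrDNS)
    ip_in_hostname: bool           # all four octets appear as tokens in the name
    client_words: list = field(default_factory=list)

    def looks_dynamic(self) -> bool:
        return self.ip_in_hostname or bool(self.client_words)


def has_ip_in_hostname(ip: str, name: str) -> bool:
    """True if every octet of `ip` occurs as its own token in `name`, e.g.
    88.215.95.153.dynamic.cablesurf.de or 153-95-215-88.pool.example."""
    tokens = set(re.split(r"[.\-_]", name))
    return all(octet in tokens for octet in ip.split("."))


def check_rdns(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = PTR_TABLE.get,
    a_lookup: Callable[[str], Set[str]] = lambda n: A_TABLE.get(n, set()),
) -> RdnsVerdict:
    """Look up the PTR for `ip`, confirm it forward-resolves, and classify it.
    Swap the two callbacks for real DNS queries in production."""
    name = ptr_lookup(ip)
    if not name:
        return RdnsVerdict(ip, None, False, False)
    name = name.rstrip(".").lower()
    return RdnsVerdict(
        ip=ip,
        rdns=name,
        forward_confirmed=ip in a_lookup(name),
        ip_in_hostname=has_ip_in_hostname(ip, name),
        client_words=[w for w in CLIENT_WORDS if w in name],
    )


def relay_points(v: RdnsVerdict) -> float:
    """Toy scoring following the thread's reasoning (values are constructed,
    not SpamAssassin defaults): a missing PTR is weak evidence on its own,
    because the receiving MTA may simply not have looked it up; a name that
    does not forward-confirm is worth more; a confirmed but dynamic-looking
    name is a site-policy decision."""
    if v.rdns is None:
        return 0.1
    pts = 0.0 if v.forward_confirmed else 1.0
    if v.looks_dynamic():
        pts += 2.0
    return pts


if __name__ == "__main__":
    for addr in PTR_TABLE:
        verdict = check_rdns(addr)
        print(addr, verdict, relay_points(verdict))
```

Run against the cablesurf address the verdict is "has rDNS, forward-confirmed, dynamic-looking", which is exactly why a `RDNS_NONE` hit on that message is an artefact of the relay not performing the lookup rather than a property of the sender.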




Re: German Spam Flood

Posted by Matthias Schmidt <be...@admilon.net>.
On Sat, 18 Oct 2008 05:20:03 -0700 cfgerty wrote:

>
>One sample of these mails:
>
>http://pastebin.com/m1e3d6b5d
>
>German Language Rulesets are applied.
>

This message doesn't come from a mail server with a resolving reverse pointer.
We don't accept such messages, so this message even wouldn't make it to
spamassassin here.

Thanks and all the best

Matthias


Re: German Spam Flood

Posted by cfgerty <cf...@gmx.net>.
One sample of these mails:

http://pastebin.com/m1e3d6b5d

German Language Rulesets are applied.

Chris


mouss-2 wrote:
> 
> Christoph Petersen wrote:
>> Hey guys,
>> 
>> since a week or two all my mail servers have been receiving a massive amount
>> of emails which get past all my rules in SA (even Bayes doesn't stand a
>> chance, as the content is written too well).
>> 
>> I wondered if somebody else has this problem and has some advice
>> regarding rules.
>> 
>> Here are some of the subjects of these emails:
>> 
> 
> You'd better show a full message (use pastebin or put it on your own web
> page ...).
> 
>> - Bist DU mein Traumtyp??
>> - Willst Du spass haben?
>> - Shireen gepoppt.
>> - Saga direkt gevoegelt hehe
>> - L0litas wollen es richtig hart
>> - Myriam naturgeiles Teenie!
>> 
> 
> 
> You can try the "German Language Ruleset"
> 	http://wiki.apache.org/spamassassin/CustomRulesets
> 
> with sa-update, the channel is
> 	70_zmi_german.cf.zmi.sa-update.dostech.net
> See
> 	http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> for how to access sare channels.
> 
> 
> 
> 



Re: German Spam Flood

Posted by mouss <mo...@netoyen.net>.
Christoph Petersen wrote:
> Hey guys,
> 
> since a week or two all my mail servers have been receiving a massive amount
> of emails which get past all my rules in SA (even Bayes doesn't stand a
> chance, as the content is written too well).
> 
> I wondered if somebody else has this problem and has some advice
> regarding rules.
> 
> Here are some of the subjects of these emails:
> 

You'd better show a full message (use pastebin or put it on your own web
page ...).

> - Bist DU mein Traumtyp??
> - Willst Du spass haben?
> - Shireen gepoppt.
> - Saga direkt gevoegelt hehe
> - L0litas wollen es richtig hart
> - Myriam naturgeiles Teenie!
> 


You can try the "German Language Ruleset"
	http://wiki.apache.org/spamassassin/CustomRulesets

with sa-update, the channel is
	70_zmi_german.cf.zmi.sa-update.dostech.net
See
	http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
for how to access sare channels.