Posted to users@spamassassin.apache.org by Martin <ma...@idkommunikation.com> on 2004/11/16 09:55:08 UTC
How to stop this stock-spam?
Hi,
I'm using SA 2.6x with SURBL and a lot of SARE rules. Recently a lot of
stock spams are getting through.
I can't find any rule to catch this spam. Can anyone please give me a
hint as to which rules to use?
Spam is attached.
Thanks in advance
/ Martin
Re: How to stop this stock-spam?
Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Tue, 16 Nov 2004, Martin wrote:
> I'm using SA 2.6x with SURBL and a lot of SARE rules. Recently a lot of stock
> spams are getting through.
When I replaced the _mydomain_ with our local domain in that message, it
scores 7.2 points here, just from DNSBL lists, and 2.1 for Bayes.
After training the system on it (reporting to DCC, etc.), it scores 9.2.
However, it looks like you received it from dynamic.hinet.net. Using DNSBLs
to block dynamic IPs will probably keep this from coming into the
system at all. I.e., we block anything from dynamic.hinet.net, so this would
never have hit our SA in the first place. If this particular spam uses
dynamic IPs to send, it may be that it isn't getting reported because a
good number of people use this kind of blocking before SA.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
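The check Chris describes, as an added example that is not code from the thread, from SpamAssassin or from any MTA: an SMTP-time DNSBL lookup that would reject the connection before the message ever reaches SA. The zone names and the listed address 218.162.208.81 are the ones shown in Duncan's report; the stub resolver, its return codes, the `dead.example` zone and the sample Received: line are constructed for illustration, and the IP-to-query-name construction is the standard reversed-octet convention.

```python
"""Added example (not from the thread): MTA-side DNSBL rejection, run against
a constructed stub resolver so it works offline. Real code would replace
stub_resolve with an A-record lookup (e.g. dns.resolver or gethostbyname)."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

# Zones that listed the relay in the thread's SA report.
ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net", "combined.njabl.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 218.162.208.81 -> 81.208.162.218.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed answers standing in for DNS. Listed addresses answer with a code
# in 127.0.0.0/8; 127.0.0.2 is the conventional always-listed test address.
# The return codes below are made up, not the zones' real meanings.
STUB: Dict[str, List[str]] = {f"2.0.0.127.{z}": ["127.0.0.2"] for z in ZONES}
STUB.update({
    "81.208.162.218.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "81.208.162.218.bl.spamcop.net":       ["127.0.0.2"],
    "81.208.162.218.dnsbl.sorbs.net":      ["127.0.0.10"],
    "81.208.162.218.combined.njabl.org":   ["127.0.0.3"],
})


def stub_resolve(name: str) -> List[str]:
    if name.endswith(".dead.example"):   # constructed wildcarded/defunct zone: "lists" everything
        return ["127.0.0.2"]
    return STUB.get(name, [])


def is_listed(ip: str, zone: str, resolve: Resolver = stub_resolve) -> Optional[str]:
    """Return the 127.0.0.x code if ip is listed in zone, else None. Answers
    outside 127.0.0.0/8 are ignored: a shut-down zone may answer with anything."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def zone_is_sane(zone: str, resolve: Resolver = stub_resolve) -> bool:
    """Health check before trusting a zone for rejection: 127.0.0.2 must be
    listed and 127.0.0.1 must not. A zone that fails this is excluded."""
    return (is_listed("127.0.0.2", zone, resolve) is not None
            and is_listed("127.0.0.1", zone, resolve) is None)


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received: str) -> Optional[str]:
    """Peer address from the Received: line *our own* MTA wrote. Only that hop
    is trustworthy; earlier Received: headers are under the sender's control."""
    m = RECEIVED_IP.search(received)
    return m.group(1) if m else None


def smtp_time_verdict(ip: str, zones: List[str] = ZONES, resolve: Resolver = stub_resolve) -> List[str]:
    """Zones (passing the sanity check) that list ip; non-empty means reject the session."""
    return [z for z in zones if zone_is_sane(z, resolve) and is_listed(ip, z, resolve)]


# Constructed Received: line; the hostname and MX name are illustrative.
SAMPLE_RECEIVED = ("Received: from some-host.dynamic.hinet.net ([218.162.208.81]) "
                   "by mx.example.net with SMTP; Tue, 16 Nov 2004 08:55:08 +0100")

if __name__ == "__main__":
    ip = connecting_ip(SAMPLE_RECEIVED)
    print(ip, "->", smtp_time_verdict(ip) or "accept")
```

The sanity check matters as much as the lookup: a DNSBL that has been decommissioned or wildcarded will answer for every query, and an MTA that rejects on any 127.0.0.0/8 answer without testing 127.0.0.1 will start bouncing all inbound mail.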
Re: How to stop this stock-spam?
Posted by Martin <ma...@idkommunikation.com>.
Duncan Hill wrote:
> Content analysis details: (9.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.7 SARE_RECV_SPAM_DOMN0b  Email passed through apparent spammer domain
>  0.1 HTML_MESSAGE           BODY: HTML included in message
> -0.0 BAYES_44               BODY: Bayesian spam probability is 44 to 50%
>                             [score: 0.4999]
>  1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see <http://www.spamcop.net/bl.shtml?218.162.208.81>]
>  4.8 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [218.162.208.81 listed in sbl-xbl.spamhaus.org]
>  0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [218.162.208.81 listed in dnsbl.sorbs.net]
>  1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [218.162.208.81 listed in combined.njabl.org]
Hi Duncan,
I ran the spam through SA and noticed that it gets about 9 points now.
But at the time of arrival it always gets below 5 points, which is
the required score in my configuration. :(
/ Martin
Re: How to stop this stock-spam?
Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Tuesday 16 November 2004 08:55, Martin might have typed:
> Hi,
>
> I'm using SA 2.6x with SURBL and a lot of SARE rules. Recently a lot of
> stock spams are getting through.
Content analysis details: (9.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_RECV_SPAM_DOMN0b  Email passed through apparent spammer domain
 0.1 HTML_MESSAGE           BODY: HTML included in message
-0.0 BAYES_44               BODY: Bayesian spam probability is 44 to 50%
                            [score: 0.4999]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?218.162.208.81>]
 4.8 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [218.162.208.81 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [218.162.208.81 listed in dnsbl.sorbs.net]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [218.162.208.81 listed in combined.njabl.org]
Re: How to stop this stock-spam?
Posted by Martin <ma...@idkommunikation.com>.
Matt Kettler wrote:
> First, a word of warning: 2.63 is subject to DoS if a carefully made
> malformed message comes in. Not a huge security risk, but I'd at least
> consider upgrading to 2.64 or higher in the near future. (2.64 should be
> an easy upgrade from 2.63; 3.0.x might be a bit more involved, but
> might be useful in the longer term.)
Hi Matt,
Thank you, I'm aware of the issue with 2.63, and I'm planning an
upgrade to 2.64. I've actually been too lazy. Will take care of this next
week. Thanks for reminding me :)
> As for the spam, you might try some of these. Keep the scores low as
> these could cause problems for financial newsletters. However, in your
> case it looks like these are getting close to 5.0 on their own, so a
> heavy score isn't needed.
>
> body OTCBB /\bOTCBB\b/
> score OTCBB 0.4
> describe OTCBB mentions penny stocks
>
> body OTCBB2 /\bOver the Counter bulletin board\b/i
> score OTCBB2 0.4
> describe OTCBB2 mentions penny stocks
>
> body PINK_SHEET /\bPink Sheet (?:Stocks?|trading)\b/i
> score PINK_SHEET 0.4
> describe PINK_SHEET mentions penny stocks.
>
> body INVEST_ADVICE /\bInvestment Advice\b/i
> score INVEST_ADVICE 0.2
> describe INVEST_ADVICE offers investment advice.
>
>
> Note: I just wrote these, and have not tested or linted them. PINK_SHEET
> might have some logic errors, but I think it's OK.
Thanks for these rules. They linted OK, but I just got a similar spam
that got 0.0 points (see attached file). When I ran it manually a few
hours later I got the following score:
Content analysis details: (4.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 J_CHICKENPOX_41        BODY: 4alpha-pock-1alpha
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.8 MIME_QP_DEFICIENT      RAW: Deficient quoted-printable encoding in body
 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?61.33.16.183>]
It doesn't seem like any of your rules got triggered. The spam
in question is attached.
Thank you
/ Martin
Re: How to stop this stock-spam?
Posted by Matt Kettler <mk...@comcast.net>.
At 09:55 AM 11/16/2004 +0100, Martin wrote:
>Hi,
>
>I'm using SA 2.6x with SURBL and a lot of SARE rules. Recently a lot of
>stock spams are getting through.
>
>I can't find any rule to catch this spam. Can anyone please give me a hint
>what rules to use?
>X-Spam-Status: No, hits=4.9 required=5.0 tests=HTML_MESSAGE,
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS autolearn=no
> version=2.63
First, a word of warning: 2.63 is subject to DoS if a carefully made
malformed message comes in. Not a huge security risk, but I'd at least
consider upgrading to 2.64 or higher in the near future. (2.64 should be an
easy upgrade from 2.63; 3.0.x might be a bit more involved, but might be
useful in the longer term.)
As for the spam, you might try some of these. Keep the scores low as these
could cause problems for financial newsletters. However, in your case it
looks like these are getting close to 5.0 on their own, so a heavy score
isn't needed.
body OTCBB /\bOTCBB\b/
score OTCBB 0.4
describe OTCBB mentions penny stocks

body OTCBB2 /\bOver the Counter bulletin board\b/i
score OTCBB2 0.4
describe OTCBB2 mentions penny stocks

body PINK_SHEET /\bPink Sheet (?:Stocks?|trading)\b/i
score PINK_SHEET 0.4
describe PINK_SHEET mentions penny stocks.

body INVEST_ADVICE /\bInvestment Advice\b/i
score INVEST_ADVICE 0.2
describe INVEST_ADVICE offers investment advice.
Note: I just wrote these, and have not tested or linted them. PINK_SHEET
might have some logic errors, but I think it's OK.
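To see what Matt's four body rules catch and, more usefully, what they miss, here is an added example that is not code from the thread or from SpamAssassin: the rule regexes as posted, applied with Python's re module (the patterns use only syntax common to Perl and Python) to constructed message bodies, with an approximation of SA's body rendering. The assumption that `body` rules see tag-stripped, whitespace-collapsed text is mine; the sample bodies are constructed and are not the spam Martin attached.

```python
"""Added example (not from the thread): score constructed bodies against the
four rules Matt posted, to show which phrasings match and which do not.
render_body() is an assumed approximation of how SA prepares text for
`body` rules (HTML removed, whitespace collapsed), not SA's own code."""
import re
from typing import Dict, List, Tuple

# Rule name -> (pattern exactly as posted, score, description).
RULES: Dict[str, Tuple[re.Pattern, float, str]] = {
    "OTCBB":         (re.compile(r"\bOTCBB\b"), 0.4, "mentions penny stocks"),
    "OTCBB2":        (re.compile(r"\bOver the Counter bulletin board\b", re.I), 0.4, "mentions penny stocks"),
    "PINK_SHEET":    (re.compile(r"\bPink Sheet (?:Stocks?|trading)\b", re.I), 0.4, "mentions penny stocks"),
    "INVEST_ADVICE": (re.compile(r"\bInvestment Advice\b", re.I), 0.2, "offers investment advice"),
}

TAG = re.compile(r"<[^>]+>")


def render_body(raw: str) -> str:
    """Assumed rendering step: drop HTML tags, collapse runs of whitespace."""
    return re.sub(r"\s+", " ", TAG.sub(" ", raw)).strip()


def score(raw: str) -> Tuple[float, List[str]]:
    """Total score from these rules and the names of the rules that fired."""
    text = render_body(raw)
    hits = [name for name, (rx, _, _) in RULES.items() if rx.search(text)]
    return round(sum(RULES[h][1] for h in hits), 1), hits


def report(raw: str) -> List[str]:
    """Lines in the style of SA's 'Content analysis details' table."""
    _, hits = score(raw)
    return [f"{RULES[h][1]:4.1f} {h:<22} BODY: {RULES[h][2]}" for h in hits]


# Constructed sample bodies (not the attached spam).
PLAIN = "Hot OTCBB pick! Pink Sheet stocks are moving. Not investment advice."
HTML = "<html><body><p>Traded on the Over the Counter<br>bulletin board</p></body></html>"
PINK_SHEETS = "Quoted on the Pink Sheets since 2003."         # 'Pink Sheets' alone: no Stocks/trading after it
LOWERCASE = "otcbb alert: buy now"                            # OTCBB has no /i, so this is missed
OBFUSCATED = "Hot O.T.C.B.B pick! P i n k Sheet st0cks!"      # word-boundary literals never line up

if __name__ == "__main__":
    for body in (PLAIN, HTML, PINK_SHEETS, LOWERCASE, OBFUSCATED):
        total, hits = score(body)
        print(f"{total:4.1f} {hits or '-'}  <- {render_body(body)[:50]}")
        for line in report(body):
            print("    ", line)
```

Two things the run makes visible. A phrase split by an HTML tag still matches once the body is rendered, so `OTCBB2` is not defeated by a `<br>` in the middle. But `PINK_SHEET` requires "Stocks", "Stock" or "trading" immediately after "Pink Sheet", so the common phrasing "the Pink Sheets" scores nothing, `OTCBB` is case-sensitive, and any spacing or character substitution inside the literal (the kind of obfuscation the J_CHICKENPOX rules exist to spot) defeats all four. That is consistent with Martin's second sample scoring 0.0 from these rules: fixed-phrase body rules are cheap to write and cheap for a spammer to route around, which is why the thread's DNSBL and Bayes scores do most of the work.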