Posted to users@spamassassin.apache.org by Gene Heskett <ge...@verizon.net> on 2005/12/09 01:13:04 UTC

phishing stuf isn't being caught

Hi All;

I've fed probably 50 of those paypal/ebay phishing scams thru sa-learn-spam, 
but SA-3.10 hasn't caught a single one of them so far.

Also, should I be getting emails from rules_du_jour?  I have it in the root 
crontab so it should be working.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.36% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

Re: phishing stuf isn't being caught

Posted by Matt Kettler <mk...@evi-inc.com>.
Gene Heskett wrote:
> On Friday 09 December 2005 05:35, Martin Hepworth wrote:
> 
>>Gene
>>
>>By default the RDJ script will put its updates in
>>/etc/mail/spamassassin/
>>
> 
> But, since all this is running as root, I just changed the config to 
> put them in /root/.spamassassin, moved copies 
> from /etc/mail/spamassassin that it may have been updating & then 
> re-ran rdj, which did update 1 rule for a change.  Remembering that the 
> antidrug.cf was deprecated, I removed all of them.
> 
> We'll see how it works now.

It won't work at all that way.

SpamAssassin will NOT parse .cf files out of ~/.spamassassin/

It will ONLY parse user_prefs from that location.

To install whole .cf files, you need to put them in your site config dir. For
most of us, this is /etc/mail/spamassassin, but for some it's /etc/spamassassin.
(When in doubt, run spamassassin --lint -D and the top of the debug out will
tell you.)
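
Added example (not part of the post above, and not code from the SpamAssassin or rules_du_jour projects): a shell audit for the situation in this thread, where rules_du_jour was pointed at /root/.spamassassin. It assumes the debug output has a line of the form using "<dir>" for site rules dir; the function names and the sample debug line are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that rule files (*.cf) sit where SpamAssassin reads them.

# Read `spamassassin --lint -D` debug output on stdin, print the site rules dir.
# Assumption: the output has a line containing: using "<dir>" for site rules dir
site_rules_dir() {
    sed -n 's/.*using "\([^"]*\)" for site rules dir.*/\1/p' | head -n 1
}

# Print the SA_DIR value set in a rules_du_jour config file ($1).
rdj_sa_dir() {
    sed -n 's/^[[:space:]]*SA_DIR="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# List *.cf files in a per-user state dir ($1). Only user_prefs is read from
# there, so every file printed is a ruleset that never gets loaded.
ignored_cf() {
    for f in "$1"/*.cf; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# audit SITE_DIR RDJ_CONFIG USER_DIR: print findings, return 1 if there are any.
audit() {
    site=$1; rdj=$(rdj_sa_dir "$2"); rc=0
    if [ "$rdj" != "$site" ]; then
        echo "MISMATCH: RDJ SA_DIR=$rdj, site rules dir=$site"; rc=1
    fi
    for name in $(ignored_cf "$3"); do   # assumes file names without spaces
        echo "IGNORED: $3/$name (move it to $site)"; rc=1
    done
    return $rc
}

# Constructed sample debug line (not captured from a real run):
SAMPLE_DBG='[1234] dbg: config: using "/etc/mail/spamassassin" for site rules dir'
printf '%s\n' "$SAMPLE_DBG" | site_rules_dir

# On a live system:
#   site=$(spamassassin --lint -D 2>&1 | site_rules_dir)
#   audit "$site" /etc/rulesdujour/config "$HOME/.spamassassin"
```
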



Re: phishing stuf isn't being caught

Posted by Gene Heskett <ge...@verizon.net>.
On Friday 09 December 2005 05:35, Martin Hepworth wrote:
>Gene
>
>By default the RDJ script will put its updates in
> /etc/mail/spamassassin/
>
But, since all this is running as root, I just changed the config to 
put them in /root/.spamassassin, moved copies 
from /etc/mail/spamassassin that it may have been updating & then 
re-ran rdj, which did update 1 rule for a change.  Remembering that the 
antidrug.cf was deprecated, I removed all of them.

We'll see how it works now.

Thanks Martin.  I also added most of what you show below that I didn't 
have in my config trusted stuff & reran it again.


RE: phishing stuf isn't being caught

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Gene

By default the RDJ script will put its updates in /etc/mail/spamassassin/

If you have rules in the 'users' .spamassassin dir these will override any
similarly named rules held elsewhere.


For RDJ to work you need a config file...this is normally in
/etc/rulesdujour and called 'config'

Mine looks like this...watch out for line breaks my email program has put
in...and my config is MailScanner specific as well.

# IMPORTANT! Edit the TRUSTED_RULESETS line to choose which RuleSets to update
TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS EVILNUMBERS1 EVILNUMBERS2 SARE_RANDOM RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_BML SARE_URI0 SARE_URI1 SARE_URI3 SARE_URI_ENG SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER0 SARE_HEADER2 SARE_CODING SARE_SPECIFIC SARE_REDIRECT_POST300 SARE_GENLSUBJ SARE_UNSUB SARE_OBFU SARE_OBFU2 SARE_OBFU3 SARE_WHITELIST SARE_WHITELIST_SPF SARE_WHITELIST_RCVD ZMI_GERMAN";

# Both FOOBAR and BARBAZ are non-existent rulesets.
# Please choose for yourself which sets you want to track..
# Here are some of the rulesets included in the 1.12 release:
# "MRWIGGLY BIGEVIL TRIPWIRE ANTIDRUG EVILNUMBERS BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE SARE_CODING_HTML";

#### Local SpamAssassin/system Settings ####
#### Modify these to match your system. ####
# Note that these settings take precedence over the settings found in the stock
# rules_du_jour.

SA_DIR="/etc/mail/spamassassin";                # Change this to your SA local config
                                                # directory, probably /etc/mail/spamassassin.
                                                # For amavisd chrooted, this may be:
                                                # /var/amavisd/etc/mail/spamassassin
MAIL_ADDRESS="root";                            # Where do Email notifications go
SINGLE_EMAIL_ONLY="true";                       # Send only one notification email per run
SA_LINT="/usr/local/bin/spamassassin -p /opt/MailScanner/etc/spamassassin.prefs.conf --lint";  # Command used to lint spamassassin
SA_RESTART="/usr/local/etc/rc.d/MailScanner.sh restart";  # Command used to restart spamd
                                                # May be /etc/rc.d/init.d/spamassassin restart
                                                # For amavisd, may be /etc/init.d/amavisd restart
WGET="wget -N"                                  # Location (and flags) of the wget program
PERL="perl";                                    # Location of the perl program
MAILCMD="mail";                                 # Location of the mail program that supports the -s flag
GREP="grep";                                    # Location of the grep program
                                                # (solaris users may want to point this to gnu grep)

####          End Local Settings        ####

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: Gene Heskett [mailto:gene.heskett@verizon.net]
> Sent: 09 December 2005 09:45
> To: users@spamassassin.apache.org
> Subject: Re: phishing stuf isn't being caught
> 
> On Friday 09 December 2005 02:36, Loren Wilton wrote:
> >> I've fed probably 50 of those paypal/ebay phishing scams thru sa-learn-spam,
> >> but SA-3.10 hasn't caught a single one of them so far.
> >
> >Bayes won't help much on the better phish if you also get a bunch of
> > legit paypal/ebay messages.  It should do well on the ones written
> > by the english-isn't-my-language crowd.
> >
> >> Also, should I be getting emails from rules_du_jour?  I have it in the root
> >> crontab so it should be working.
> >
> >Yes, now and then.  You should only get something when a ruleset is
> > updated. I don't know that any rulesets have necessarily been
> > updated in the last week or so.  It would be somewhat unusual to see
> > more than 2-4 updates a week on average, and usually less than that.
> >
> >If you don't have sare_specific.cf and sare_fraud.cf you should get
> > those, they will help.
> >
> Thanks Loren, got them saved into /root/.spamassassin, but where is the
> rulesdujour file that contains the list of stuff it's to keep up2date?
> 
> >        Loren
> 


Re: phishing stuf isn't being caught

Posted by Gene Heskett <ge...@verizon.net>.
On Friday 09 December 2005 02:36, Loren Wilton wrote:
>> I've fed probably 50 of those paypal/ebay phishing scams thru sa-learn-spam,
>> but SA-3.10 hasn't caught a single one of them so far.
>
>Bayes won't help much on the better phish if you also get a bunch of
> legit paypal/ebay messages.  It should do well on the ones written
> by the english-isn't-my-language crowd.
>
>> Also, should I be getting emails from rules_du_jour?  I have it in the root
>> crontab so it should be working.
>
>Yes, now and then.  You should only get something when a ruleset is
> updated. I don't know that any rulesets have necessarily been
> updated in the last week or so.  It would be somewhat unusual to see
> more than 2-4 updates a week on average, and usually less than that.
>
>If you don't have sare_specific.cf and sare_fraud.cf you should get
> those, they will help.
>
Thanks Loren, got them saved into /root/.spamassassin, but where is the 
rulesdujour file that contains the list of stuff it's to keep up2date?

>        Loren


Re: phishing stuf isn't being caught

Posted by Loren Wilton <lw...@earthlink.net>.
> I've fed probably 50 of those paypal/ebay phishing scams thru sa-learn-spam,
> but SA-3.10 hasn't caught a single one of them so far.

Bayes won't help much on the better phish if you also get a bunch of legit
paypal/ebay messages.  It should do well on the ones written by the
english-isn't-my-language crowd.


> Also, should I be getting emails from rules_du_jour?  I have it in the root
> crontab so it should be working.

Yes, now and then.  You should only get something when a ruleset is updated.
I don't know that any rulesets have necessarily been updated in the last
week or so.  It would be somewhat unusual to see more than 2-4 updates a
week on average, and usually less than that.

If you don't have sare_specific.cf and sare_fraud.cf you should get those,
they will help.

        Loren


Re: phishing stuf isn't being caught

Posted by jdow <jd...@earthlink.net>.
ClamAV does not seem to do much regarding phishes either. Fred maintains
the SARE fraud and scam stuff. I just sent him the first of the ebay
phishes in a LONG time that got past the filters. I've a hunch the fix
is very easy. But knowing just where to put it is the hard part or I'd
have done it myself.

DO check out the SARE rules. They are really good additions to SA.
http://www.rulesemporium.com/  (modulo any typos I might have made.)
{^_-}
----- Original Message ----- 
From: "Greg Allen" <sa...@floridacpu.com>


> SA has a great plugin that will catch most of these, plus viruses.
> 
> You would need to install Clamav and this plugin. 
> 
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> 
> 
> 
> 
>> -----Original Message-----
>> From: Gene Heskett [mailto:gene.heskett@verizon.net]
>> Sent: Thursday, December 08, 2005 7:13 PM
>> To: users@spamassassin.apache.org
>> Subject: phishing stuf isn't being caught
>> 
>> 
>> Hi All;
>> 
>> I've fed probably 50 of those paypal/ebay phishing scams thru 
>> sa-learn-spam, 
>> but SA-3.10 hasn't caught a single one of them so far.
>> 
>> Also, should I be getting emails from rules_du_jour?  I have it 
>> in the root 
>> crontab so it should be working.
>> 


RE: phishing stuf isn't being caught

Posted by Greg Allen <sa...@floridacpu.com>.
SA has a great plugin that will catch most of these, plus viruses.

You would need to install Clamav and this plugin. 

http://wiki.apache.org/spamassassin/ClamAVPlugin




> -----Original Message-----
> From: Gene Heskett [mailto:gene.heskett@verizon.net]
> Sent: Thursday, December 08, 2005 7:13 PM
> To: users@spamassassin.apache.org
> Subject: phishing stuf isn't being caught
> 
> 
> Hi All;
> 
> I've fed probably 50 of those paypal/ebay phishing scams thru 
> sa-learn-spam, 
> but SA-3.10 hasn't caught a single one of them so far.
> 
> Also, should I be getting emails from rules_du_jour?  I have it 
> in the root 
> crontab so it should be working.
> 