Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/02/17 17:49:55 UTC
Google Drive/Docs spam
Hi all,
I recall some rules that were written years ago to address these, but
it appears they're back. We've been hit with a few, including users
actually following the link. I was hoping someone had some
recommendations on how to stop them.
http://pastebin.com/zKWUUQ0Q
Obviously they're coming in advance of being on an RBL or DNSBL.
I was thinking to correlate the body text somehow with something that
checks to see if it actually passed through Google (SPF, etc?), but
that won't work for messages that were forwarded to another user...
Thanks,
Alex
Re: Google Drive/Docs spam
Posted by Jari Fredriksson <ja...@iki.fi>.
RW wrote on 18.2.2016 14:40:
> On Thu, 18 Feb 2016 09:35:18 +0200
> Jari Fredriksson wrote:
>
>
>> > I seem to remember a botnet plugin from about 2010, but didn't think
>> > it was maintained or worked properly anymore?
>> >
>>
>> That very same. Seems to work fine, so I have not disabled it.
>
> It works for me too, but I don't have any IPv6.
>
> IIRC at one time it FP'ed on IPv6, and I'm not sure if this was fixed.
I have IPv6 but not on the external interface to the inet, and that IPv6
does not seem to do much damage anyway. Dunno, maybe I should do some
research. But it ain't broken, for me, so I have not "fixed" it away.
--
jarif.bit
Re: Google Drive/Docs spam
Posted by Alex <my...@gmail.com>.
Hi,
>> > I seem to remember a botnet plugin from about 2010, but didn't think
>> > it was maintained or worked properly anymore?
>>
>> That very same. Seems to work fine, so I have not disabled it.
>
> It works for me too, but I don't have any IPv6.
>
> IIRC at one time it FP'ed on IPv6, and I'm not sure if this was fixed.
I knew there was a reason I disabled it:
* 0.01 BOTNET Relay might be a spambot or virusbot
* [botnet0.9,ip=72.166.183.235,rdns=p1-183235.e.target.com,maildomain=e.target.com,client,ipinhostname]
I enabled them with a lower score, and it still catches a ton of good
mail that comes from poorly configured systems.
Maybe when this plugin was written it wasn't common to have an IP in a
mail server's hostname, but these days it is.
* 0.01 BOTNET_IPINHOSTNAME Hostname contains its own IP address
* [botnet_ipinhosntame,ip=72.166.183.235,rdns=p1-183235.e.target.com]
There are dozens of other examples. Perhaps it would work in a meta
with a low score, but I think it needs more current development.
Thanks,
Alex
Re: Google Drive/Docs spam
Posted by RW <rw...@googlemail.com>.
On Thu, 18 Feb 2016 09:35:18 +0200
Jari Fredriksson wrote:
> > I seem to remember a botnet plugin from about 2010, but didn't think
> > it was maintained or worked properly anymore?
> >
>
> That very same. Seems to work fine, so I have not disabled it.
It works for me too, but I don't have any IPv6.
IIRC at one time it FP'ed on IPv6, and I'm not sure if this was fixed.
Re: Google Drive/Docs spam
Posted by Jari Fredriksson <ja...@iki.fi>.
Alex wrote on 18.2.2016 2:16:
> Hi,
>
> On Wed, Feb 17, 2016 at 4:29 PM, Jari Fredriksson <ja...@iki.fi> wrote:
>>
>> pts rule name description
>> ---- ---------------------- --------------------------------------------------
>> 1.5 BOTNET Relay might be a spambot or virusbot
>
> What rule is that?
>
> I seem to remember a botnet plugin from about 2010, but didn't think
> it was maintained or worked properly anymore?
>
That very same. Seems to work fine, so I have not disabled it.
>> 8.0 CLAMAV Clam AntiVirus detected a virus
>> [winnow.spam.ts.google.994118.UNOFFICIAL(59724bd0d31d1f2fccdbb50fed23e7cb:3924)]
>
--
jarif.bit
Re: Google Drive/Docs spam
Posted by Reindl Harald <h....@thelounge.net>.
On 18.02.2016 at 01:16, Alex wrote:
> Reindl Harald <h....@thelounge.net> wrote:
>> 7.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>
> I can't even imagine almost doubling the bayes score from the default,
> basically making it a poison pill, when the default score is generated
> as part of the rule development process
depends on how, how long and how carefully you train it, especially the ham
and the balance - not a single complaint in the last 12 months
[root@mail-gw:~]$ su - sa-milt
$ /usr/bin/sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 60711 0 non-token data: nspam
0.000 0 21689 0 non-token data: nham
0.000 0 2524595 0 non-token data: ntokens
0.000 0 1452439800 0 non-token data: oldest atime
0.000 0 1452439800 0 non-token data: newest atime
0.000 0 1455752529 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
Re: Google Drive/Docs spam
Posted by RW <rw...@googlemail.com>.
On Wed, 17 Feb 2016 19:16:46 -0500
Alex wrote:
> I can't even imagine almost doubling the bayes score from the default,
> basically making it a poison pill, when the default score is generated
> as part of the rule development process.
AFAIK the BAYES_* scores are just made-up - although it is true that
the autogenerated scores are affected by them.
For me scoring BAYES_99 above 5 is a much more conservative approach
than writing a lot of custom rules to combine with BAYES_99 at 3.5. It
depends on your Bayes results.
Re: Google Drive/Docs spam
Posted by Alex <my...@gmail.com>.
Hi,
On Wed, Feb 17, 2016 at 4:29 PM, Jari Fredriksson <ja...@iki.fi> wrote:
> Alex wrote on 17.2.2016 18:49:
>>
>> Hi all,
>>
>> I recall some rules that were written years ago to address these, but
>> it appears they're back. We've been hit with a few, including users
>> actually following the link. I was hoping someone had some
>> recommendations on how to stop them.
>>
>> http://pastebin.com/zKWUUQ0Q
>>
>> Obviously they're coming in advance of being on an RBL or DNSBL.
>>
>> I was thinking to correlate the body text somehow with something that
>> checks to see if it actually passed through Google (SPF, etc?), but
>> that won't work for messages that were forwarded to another user...
>>
>> Thanks,
>> Alex
>
> Rejected here, easily.
>
> Content analysis details: (14.4 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 1.5 BOTNET Relay might be a spambot or virusbot
What rule is that?
I seem to remember a botnet plugin from about 2010, but didn't think
it was maintained or worked properly anymore?
> 8.0 CLAMAV Clam AntiVirus detected a virus
> [winnow.spam.ts.google.994118.UNOFFICIAL(59724bd0d31d1f2fccdbb50fed23e7cb:3924)]
Yes, clamav is catching them now here too. We seem to continually be
ahead of the antivirus writers and SBLs.
Reindl Harald <h....@thelounge.net> wrote:
> 7.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
I can't even imagine almost doubling the bayes score from the default,
basically making it a poison pill, when the default score is generated
as part of the rule development process.
Thanks,
Alex
Re: Google Drive/Docs spam
Posted by Jari Fredriksson <ja...@iki.fi>.
Alex wrote on 17.2.2016 18:49:
> Hi all,
>
> I recall some rules that were written years ago to address these, but
> it appears they're back. We've been hit with a few, including users
> actually following the link. I was hoping someone had some
> recommendations on how to stop them.
>
> http://pastebin.com/zKWUUQ0Q
>
> Obviously they're coming in advance of being on an RBL or DNSBL.
>
> I was thinking to correlate the body text somehow with something that
> checks to see if it actually passed through Google (SPF, etc?), but
> that won't work for messages that were forwarded to another user...
>
> Thanks,
> Alex
Rejected here, easily.
Content analysis details: (14.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=23.111.183.206,rdns=23-111-183-206.static.hvvc.us,maildomain=hollowayaffiliates.com,client,ipinhostname,clientwords]
-0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
[score: 0.3871]
1.0 HTML_MESSAGE BODY: HTML included in message
2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
8.0 CLAMAV Clam AntiVirus detected a virus
[winnow.spam.ts.google.994118.UNOFFICIAL(59724bd0d31d1f2fccdbb50fed23e7cb:3924)]
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
0.0 T_REMOTE_IMAGE Message contains an external image
--
jarif.bit
Re: Google Drive/Docs spam
Posted by Reindl Harald <h....@thelounge.net>.
On 18.02.2016 at 12:29, Matus UHLAR - fantomas wrote:
>> On 17.02.2016 at 17:49, Alex wrote:
>>> http://pastebin.com/zKWUUQ0Q
>>>
>>> Obviously they're coming in advance of being on an RBL or DNSBL.
>>>
>>> I was thinking to correlate the body text somehow with something that
>>> checks to see if it actually passed through Google (SPF, etc?), but
>>> that won't work for messages that were forwarded to another user...
>
> On 17.02.16 20:17, Reindl Harald wrote:
>> well, and that's why bayes-autoexpire is nonsense, your pastebin would
>> have been rejected here by exceeding 8.0 points (milter-rejects score) easily
>
> but only if you manually bump scores, which most people should not.
>
> It also in no way indicates that bayes autoexpire is nonsense, it only
> says it's better to use BAYES (and to have it properly configured)
such mails have been coming for years in waves, with weeks and months of not
appearing, and the tokens would expire, just as I recently faced other
rejected spam that was trained a year ago and not seen for a long time
>> Content analysis details: (13.1 points, 5.5 required)
>>
>> pts rule name description
>> ---- ---------------------- --------------------------------------------------
>> 7.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> [score: 1.0000]
>> 0.4 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>> [score: 1.0000]
>> 2.5 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 2.5 RDNS_NONE Delivered to internal network by a host with no rDNS
>> 0.2 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
>> 0.0 T_REMOTE_IMAGE Message contains an external image
>
> score HTML_SHORT_LINK_IMG_1 2.215 0.139 0.480 0.001
> score RDNS_NONE 2.399 1.274 1.228 0.793
> score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059
> score HTML_MESSAGE 0.001
> score BAYES_99 0 0 3.8 3.5
> score BAYES_999 0 0 0.2 0.2
>
> this would give us lower scores: 5.996 3.043 7.109 6.554
3.7 for a BAYES_999 is a nice default when you start with your setup
until it is trained well enough, but later it's a joke
Re: Google Drive/Docs spam
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 17.02.2016 at 17:49, Alex wrote:
>>http://pastebin.com/zKWUUQ0Q
>>
>>Obviously they're coming in advance of being on an RBL or DNSBL.
>>
>>I was thinking to correlate the body text somehow with something that
>>checks to see if it actually passed through Google (SPF, etc?), but
>>that won't work for messages that were forwarded to another user...
On 17.02.16 20:17, Reindl Harald wrote:
>well, and that's why bayes-autoexpire is nonsense, your pastebin
>would have been rejected here by exceeding 8.0 points (milter-rejects
>score) easily
but only if you manually bump scores, which most people should not.
It also in no way indicates that bayes autoexpire is nonsense, it only
says it's better to use BAYES (and to have it properly configured)
>Content analysis details: (13.1 points, 5.5 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 7.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.4 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.0000]
> 2.5 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 2.5 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.2 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
> 0.0 T_REMOTE_IMAGE Message contains an external image
score HTML_SHORT_LINK_IMG_1 2.215 0.139 0.480 0.001
score RDNS_NONE 2.399 1.274 1.228 0.793
score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059
score HTML_MESSAGE 0.001
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 0.2 0.2
this would give us lower scores: 5.996 3.043 7.109 6.554
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
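An added example (not from any post in this thread) that reproduces the per-score-set arithmetic above: it parses the quoted `score` lines in their 50_scores.cf form (one value for all sets, or one per set) and sums them for the rules that hit, so you can see which stock score sets would push the sample over the 5.5 threshold and that none reach an 8.0 reject score without bumped scores. Assumptions: set 0 = no Bayes and no network tests, 1 = network only, 2 = Bayes only, 3 = Bayes plus network; a hit rule with no score line (T_REMOTE_IMAGE here) counts as 0, matching the post's arithmetic.

```python
# Added example, not the thread's or SpamAssassin's own code.
# Score lines are the ones quoted in the post above; the set mapping
# (0 none, 1 net, 2 bayes, 3 bayes+net) is assumed from 50_scores.cf.
DEFAULT_SCORES = """
score HTML_SHORT_LINK_IMG_1 2.215 0.139 0.480 0.001
score RDNS_NONE 2.399 1.274 1.228 0.793
score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059
score HTML_MESSAGE 0.001
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 0.2 0.2
"""

# Rules that fired on the sample, as listed in the quoted report.
HITS = ["BAYES_99", "BAYES_999", "HTML_IMAGE_ONLY_12", "HTML_MESSAGE",
        "RDNS_NONE", "HTML_SHORT_LINK_IMG_1", "T_REMOTE_IMAGE"]


def parse_scores(cf_text):
    """Map rule name -> four per-scoreset values from 'score NAME ...' lines."""
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "score":
            continue  # blank line or not a score directive
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:
            values = values * 4  # single value applies to every score set
        if len(values) != 4:
            raise ValueError("malformed score line: " + line)
        scores[parts[1]] = values
    return scores


def totals_per_scoreset(scores, hits):
    """Sum the score of every hit rule, once per score set (rounded to 3dp).
    Rules without a score line contribute 0 (assumption, see lead-in)."""
    totals = [0.0] * 4
    for rule in hits:
        for i, v in enumerate(scores.get(rule, [0.0] * 4)):
            totals[i] += v
    return [round(t, 3) for t in totals]


def over_threshold(totals, required):
    """Per score set: would this sample be tagged at the given threshold?"""
    return [t >= required for t in totals]


if __name__ == "__main__":
    t = totals_per_scoreset(parse_scores(DEFAULT_SCORES), HITS)
    print("set totals:", t)                         # [5.996, 3.043, 7.109, 6.554]
    print("tagged at 5.5:", over_threshold(t, 5.5))  # only set 1 misses
    print("rejected at 8.0:", over_threshold(t, 8.0))  # no stock set reaches it
```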
Re: Google Drive/Docs spam
Posted by Reindl Harald <h....@thelounge.net>.
On 17.02.2016 at 17:49, Alex wrote:
> Hi all,
>
> I recall some rules that were written years ago to address these, but
> it appears they're back. We've been hit with a few, including users
> actually following the link. I was hoping someone had some
> recommendations on how to stop them.
>
> http://pastebin.com/zKWUUQ0Q
>
> Obviously they're coming in advance of being on an RBL or DNSBL.
>
> I was thinking to correlate the body text somehow with something that
> checks to see if it actually passed through Google (SPF, etc?), but
> that won't work for messages that were forwarded to another user...
well, and that's why bayes-autoexpire is nonsense, your pastebin would
have been rejected here by exceeding 8.0 points (milter-rejects score) easily
Content analysis details: (13.1 points, 5.5 required)
pts rule name description
---- ---------------------- --------------------------------------------------
7.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
0.4 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
2.5 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE BODY: HTML included in message
2.5 RDNS_NONE Delivered to internal network by a host with no rDNS
0.2 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
0.0 T_REMOTE_IMAGE Message contains an external image
Re: Google Drive/Docs spam
Posted by Alex <my...@gmail.com>.
Oh, please note I just noticed bayes wasn't consulted for this. It's a
new system and was having some database problems, but bayes hasn't
always been effective on these anyway.
Thanks,
Alex
On Wed, Feb 17, 2016 at 11:49 AM, Alex <my...@gmail.com> wrote:
> Hi all,
>
> I recall some rules that were written years ago to address these, but
> it appears they're back. We've been hit with a few, including users
> actually following the link. I was hoping someone had some
> recommendations on how to stop them.
>
> http://pastebin.com/zKWUUQ0Q
>
> Obviously they're coming in advance of being on an RBL or DNSBL.
>
> I was thinking to correlate the body text somehow with something that
> checks to see if it actually passed through Google (SPF, etc?), but
> that won't work for messages that were forwarded to another user...
>
> Thanks,
> Alex
Re: Google Drive/Docs spam
Posted by John Hardin <jh...@impsec.org>.
On Wed, 17 Feb 2016, Alex wrote:
> Hi all,
>
> I recall some rules that were written years ago to address these, but
> it appears they're back. We've been hit with a few, including users
> actually following the link. I was hoping someone had some
> recommendations on how to stop them.
>
> http://pastebin.com/zKWUUQ0Q
google docs, yes, google drive, I don't think so.
Also, there would need to be examples in the masscheck corpus for them to
be published.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government wants to do everything it can "for the children,"
except sparing them crushing tax burdens.
-----------------------------------------------------------------------
5 days until George Washington's 284th Birthday