Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/10/26 20:04:34 UTC
[Bug 5704] New: New ruile suggestion: Pump_N_Dump_Ratware
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
Summary: New rule suggestion: Pump_N_Dump_Ratware
Product: Spamassassin
Version: 3.1.8
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: dev@spamassassin.apache.org
ReportedBy: joe@avvanta.com
An easily recognized bogus Received header injected by an unknown but prolific
ratware program. Used by us for months now against a mail volume of 175,000 to
200,000 emails daily. Average of 15,000 to 20,000 hits and zero known false
positives.
The Received header was first spotted and recognized in primarily pump-n-dump
stock spam, hence the name.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
joe@avvanta.com changed:
What | Removed | Added
----------------------------------------------------------------------------
Attachment #4177 mime type | application/octet-stream | text/plain
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From jm@jmason.org 2007-10-28 04:39 -------
(In reply to comment #2)
> let's see how it performs.
not bad, but needs a little work:
http://ruleqa.spamassassin.org/20071028-r589305-n/T_BUG5704_PUMP_N_DUMP_RATWARE/detail
my FPs are:
Received: from chiark.greenend.org.uk (chiark.greenend.org.uk [193.201.200.170])
by dogma.boxhost.net (Postfix) with ESMTP id 199F93100F2
for <jm...@jmason.org>; Sun, 1 Jul 2007 07:54:03 +0100 (IST)
Received: from localhost ([127.0.0.1] helo=chiark.greenend.org.uk)
by chiark.greenend.org.uk (Debian Exim 3.36 #1) with esmtp
(return-path ccf-admin@chiark.greenend.org.uk)
id 1I4tJr-0001i9-00
for jm@jmason.org; Sun, 01 Jul 2007 07:54:03 +0100
Received: from chiark.greenend.org.uk (chiark.greenend.org.uk [193.201.200.170])
by dogma.boxhost.net (Postfix) with ESMTP id 9B0DC310090
for <jm...@jmason.org>; Fri, 1 Jun 2007 07:54:32 +0100 (IST)
Received: from localhost ([127.0.0.1] helo=chiark.greenend.org.uk)
by chiark.greenend.org.uk (Debian Exim 3.36 #1) with esmtp
(return-path ccf-admin@chiark.greenend.org.uk)
id 1Hu11x-0000Zz-00
for jm@jmason.org; Fri, 01 Jun 2007 07:54:37 +0100
looks like Debian Exim uses a different formatting.
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From jm@jmason.org 2007-10-27 12:20 -------
thanks, added to SVN (with some minor mods)
: jm 426...; svn commit -m "bug 5704: add a test rule
(BUG5704_PUMP_N_DUMP_RATWARE) and another for a web rule to catch Gozi PDFs
(DVLABS_GOZI_PDF)" /home/jm/ftp/spamassassin/rulesrc/sandbox/jm/20_basic.cf
Sending spamassassin/rulesrc/sandbox/jm/20_basic.cf
Transmitting file data .
Committed revision 589187.
let's see how it performs.
btw a good trick for header rules to catch forged Received hdrs nowadays, is to
match the "ALL" pseudoheader and catch unusual patterns that span multiple lines...
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
jm@jmason.org changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | RESOLVED
Resolution | (none) | WONTFIX
------- Additional Comments From jm@jmason.org 2007-11-15 03:54 -------
ok, I think I'm going to close this and leave the rule out, since according to
the overlap report in
http://ruleqa.spamassassin.org/20071114-r594799-n/BUG5704_PUMP_N_DUMP_RATWARE/detail,
RCVD_FORGED_WROTE2 overlaps with 99% of the BUG5704_PUMP_N_DUMP_RATWARE hits,
without any of the false positives on ham.
thanks though! If it wasn't for the high overlap, it'd be a great rule ;) feel
free to submit more...
: jm 19...; svn commit -m "remove BUG5704_PUMP_N_DUMP_RATWARE, it overlaps too
highly with RCVD_FORGED_WROTE2" spamassassin/rulesrc/sandbox/jm/20_basic.cf
Sending spamassassin/rulesrc/sandbox/jm/20_basic.cf
Transmitting file data .
Committed revision 595278.
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From jm@jmason.org 2007-10-28 04:41 -------
worth noting that it overlaps highly with RCVD_FORGED_WROTE2
overlap spam: 99% of RCVD_FORGED_WROTE2 hits also hit
T_BUG5704_PUMP_N_DUMP_RATWARE; 100% of T_BUG5704_PUMP_N_DUMP_RATWARE hits also
hit RCVD_FORGED_WROTE2
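The overlap figures quoted in this comment, and the WONTFIX call made on them later in the thread, can be reproduced from a per-message hit log. The following is an added example in Python, not SpamAssassin's or ruleqa's own code; it runs on a constructed hit log in the shape of the overlap report (rows, message ids and rule hits are made up).

```python
from collections import defaultdict

# Constructed hit log: "<class> <msgid> <comma-separated rules or ->".
# Made-up rows that mirror the shape of the thread's ruleqa report, not the real corpus.
HIT_LOG = """\
spam s1 RCVD_FORGED_WROTE2,T_BUG5704_PUMP_N_DUMP_RATWARE
spam s2 RCVD_FORGED_WROTE2,T_BUG5704_PUMP_N_DUMP_RATWARE
spam s3 RCVD_FORGED_WROTE2,T_BUG5704_PUMP_N_DUMP_RATWARE
spam s4 RCVD_FORGED_WROTE2,T_BUG5704_PUMP_N_DUMP_RATWARE
spam s5 RCVD_FORGED_WROTE2
spam s6 -
ham  h1 T_BUG5704_PUMP_N_DUMP_RATWARE
ham  h2 -
ham  h3 -
"""

def parse_hits(log):
    """Map each rule name to the set of (class, msgid) pairs it fired on."""
    hits = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        cls, msgid, rules = line.split()
        for rule in rules.split(","):
            if rule != "-":
                hits[rule].add((cls, msgid))
    return hits

def counts(hits, rule):
    """(spam, ham) hit counts: the 'Ns/Mh' figures quoted in the thread."""
    spam = sum(1 for cls, _ in hits[rule] if cls == "spam")
    return spam, len(hits[rule]) - spam

def overlap(hits, a, b, cls="spam"):
    """Fraction of rule a's hits (in class cls) that also hit rule b, i.e. the
    'N% of A hits also hit B' line of the ruleqa overlap report."""
    a_hits = {m for m in hits[a] if m[0] == cls}
    if not a_hits:
        return 0.0
    return len(a_hits & hits[b]) / len(a_hits)

def redundant(hits, candidate, existing, threshold=0.95):
    """The decision taken in the thread: drop the candidate when an existing rule
    already covers nearly all of its spam hits and has no more ham FPs than it."""
    covered = overlap(hits, candidate, existing)
    return covered >= threshold and counts(hits, existing)[1] <= counts(hits, candidate)[1]

if __name__ == "__main__":
    h = parse_hits(HIT_LOG)
    for r in ("RCVD_FORGED_WROTE2", "T_BUG5704_PUMP_N_DUMP_RATWARE"):
        print(r, "%ds/%dh" % counts(h, r))
    print("candidate redundant:",
          redundant(h, "T_BUG5704_PUMP_N_DUMP_RATWARE", "RCVD_FORGED_WROTE2"))
```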
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From alex.uribl@gmail.com 2007-10-31 05:47 -------
counts PUMP_N_DUMP_RATWARE 29485s/5h of 83177 corpus (73563s/9614h
AxB2-TRAPS) 10/31/07
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From jm@jmason.org 2007-10-30 06:15 -------
updated to avoid those FPs:
: jm 437...; svn commit -m "revise BUG5704_PUMP_N_DUMP_RATWARE slightly to cope
with 'Debian Exim'" /home/jm/ftp/spamassassin/rulesrc/sandbox/jm/20_basic.cf
Sending spamassassin/rulesrc/sandbox/jm/20_basic.cf
Transmitting file data .
Committed revision 590062.
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From joe@avvanta.com 2007-10-26 11:11 -------
Created an attachment (id=4177)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=4177&action=view)
pump_n_dump_ratware rule definition
The ratware injects a bogus Exim-style Received header. This ratware alone is
about 10% of our recognized daily spam, so its effectiveness has been most
welcome.
chiark (SAUCE?) header confusing otherwise-good provisional SpamAssassin rule (was Re: [Bug 5704] New rule suggestion: Pump_N_Dump_Ratware)
Posted by Nix <ni...@esperi.org.uk>.
On 31 Oct 2007, bugzilla-daemon@bugzilla.spamassassin.org said:
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
>
> ------- Additional Comments From jm@jmason.org 2007-10-31 06:17 -------
> http://ruleqa.spamassassin.org/20071030-r589988-n/BUG5704_PUMP_N_DUMP_RATWARE/detail
>
> still seeing FPs. hmm. here's one:
>
> Received: from chiark.greenend.org.uk (chiark.greenend.org.uk [193.201.200.170])
> by dogma.boxhost.net (Postfix) with ESMTP id 4EF9731007C
> for <jm...@jmason.org>; Tue, 12 Sep 2006 07:30:37 +0100 (IST)
> Received: from localhost ([127.0.0.1] helo=chiark.greenend.org.uk)
> by chiark.greenend.org.uk (Debian Exim 3.36 #1) with esmtp
> (return-path ukcrypto-admin@chiark.greenend.org.uk)
> id 1GN1mY-0000E4-00; Tue, 12 Sep 2006 07:30:06 +0100
IIRC, chiark uses a notably unusual paranoid mailserver (based on Exim)
called SAUCE, available from <http://www.chiark.greenend.org.uk/~ian/sauce/>.
(chiark admin and SAUCE author Cc:ed accordingly.)
I'm not sure how many non-chiark users of SAUCE there are.
> they're all from that server. seems I haven't successfully figured out
> what was causing it to FP.
chiark is Different (the clue density alone would cause distortions in
local space-time if it wasn't for the proximity of Cambridge University
drowning out such effects).
--
`Some people don't think performance issues are "real bugs", and I think
such people shouldn't be allowed to program.' --- Linus Torvalds
[Bug 5704] New rule suggestion: Pump_N_Dump_Ratware
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5704
------- Additional Comments From jm@jmason.org 2007-10-31 06:17 -------
http://ruleqa.spamassassin.org/20071030-r589988-n/BUG5704_PUMP_N_DUMP_RATWARE/detail
still seeing FPs. hmm. here's one:
Received: from chiark.greenend.org.uk (chiark.greenend.org.uk [193.201.200.170])
by dogma.boxhost.net (Postfix) with ESMTP id 4EF9731007C
for <jm...@jmason.org>; Tue, 12 Sep 2006 07:30:37 +0100 (IST)
Received: from localhost ([127.0.0.1] helo=chiark.greenend.org.uk)
by chiark.greenend.org.uk (Debian Exim 3.36 #1) with esmtp
(return-path ukcrypto-admin@chiark.greenend.org.uk)
id 1GN1mY-0000E4-00; Tue, 12 Sep 2006 07:30:06 +0100
Received: from ptb-relay03.plus.net ([212.159.14.214])
by chiark.greenend.org.uk (Debian Exim 3.36 #1) with esmtp
(return-path brg@gladman.plus.com)
id 1GN1lu-000090-00
for ukcrypto@chiark.greenend.org.uk; Tue, 12 Sep 2006 07:29:26 +0100
Received: from ptb-relay03.plus.net ([212.159.14.214])
by chiark.greenend.org.uk (SAUCE v0.8.99.iwj.4)
with esmtp id sauce-18799-1158042-1; 12 Sep 2006 06:29:26 +0000 (GMT)
Received: from [212.159.60.66] (helo=[192.168.1.10])
by ptb-relay03.plus.net with esmtp (Exim) id 1GN1ll-0003hi-8q
for ukcrypto@chiark.greenend.org.uk; Tue, 12 Sep 2006 07:29:17 +0100
they're all from that server. seems I haven't successfully figured out
what was causing it to FP.