Posted to users@spamassassin.apache.org by Tony Bunce <to...@go-concepts.com> on 2008/04/16 19:55:44 UTC
False Negatives
Hi everyone,
I'm starting to see a noticeable number of messages sneaking by SpamAssassin, with scores mostly in the 3-4 range but some as low as 1 point.
I'm running 3.2.4 with SARE, sought, and Botnet. We don't use bayes. Here are some samples of messages that have got through:
http://pastebin.com/m16055c85
http://pastebin.com/m52635526
http://pastebin.com/m491c4882
http://pastebin.com/m7c1240f2
Anyone have any suggestions?
Thanks in advance!
-------------------------------------------------------------------------------
Tony Bunce: tonyb@go-concepts.com
Sr. Programming Systems Administrator - GO Concepts Inc.
Re: False Negatives
Posted by DAve <da...@pixelhammer.com>.
Tony Bunce wrote:
> Hi everyone,
>
> I'm starting to see a noticeable number of messages sneaking by SpamAssassin, with scores mostly in the 3-4 range but some as low as 1 point.
>
> I'm running 3.2.4 with SARE, sought, and Botnet. We don't use bayes. Here are some samples of messages that have got through:
> http://pastebin.com/m16055c85
> http://pastebin.com/m52635526
> http://pastebin.com/m491c4882
> http://pastebin.com/m7c1240f2
>
>
> Anyone have any suggestions?
>
> Thanks in advance!
We run SA 3.2.4, sare, bayes. The only hit I got was bayes_99 on those.
Like you I am seeing a lot of stuff slip by. Spam that didn't slip by
with the older version of SA. After two weeks I am beginning to think
the almost 40% increase in load just ain't worth it for 3.2.4. Others'
spam, of course, likely varies.
Just my two cents.
DAve
--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
Re: False Negatives
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Tony Bunce wrote:
> Hi everyone,
>
> I'm starting to see a noticeable number of messages sneaking by SpamAssassin, with scores mostly in the 3-4 range but some as low as 1 point.
>
> I'm running 3.2.4 with SARE, sought, and Botnet. We don't use bayes. Here are some samples of messages that have got through:
> http://pastebin.com/m16055c85
> http://pastebin.com/m52635526
> http://pastebin.com/m491c4882
> http://pastebin.com/m7c1240f2
>
>
> Anyone have any suggestions?
>
> Thanks in advance!
>
>
> -------------------------------------------------------------------------------
> Tony Bunce: tonyb@go-concepts.com
> Sr. Programming Systems Administrator - GO Concepts Inc.
>
I think in our case, bayes would put these above the top. Without bayes
or custom rules, these messages would not be marked as spam currently.
For the first:
Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: 71.187.15.19]
-0.4 AWL                    AWL: From: address is in the auto white-list
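The question running through this thread is what the same message would score on a site that runs no Bayes, or no network tests at all. The script below is an added example, not code from the thread or from the SpamAssassin project: it parses the "Content analysis details" table that spamassassin -t (or the X-Spam-Report header) prints, buckets each hit by what the rule depends on, and recomputes the score without each bucket. The sample report is the 5.7-point one above, re-typed so the script runs offline; the bucket prefixes are the rule families visible in this thread's reports and are an assumption for any other rule set.

```python
"""Triage a SpamAssassin "Content analysis details" report by rule source.

Added example for this thread; not code from the thread or from the
SpamAssassin project.  It parses the rule-hit table that spamassassin -t
(or the X-Spam-Report header) prints, buckets every hit by what the rule
needs in order to fire, and works out what the same message would have
scored with no Bayes, or with neither Bayes nor network tests.
"""
import re

# Constructed sample: the (5.7 points, 5.0 required) report from the thread,
# with the wrapped description lines joined back together.
SAMPLE_REPORT = """\
Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: 71.187.15.19]
-0.4 AWL                    AWL: From: address is in the auto white-list
"""

HEADER_RE = re.compile(r"\(\s*(-?\d+\.\d+) points,\s*(-?\d+\.\d+) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)")

# Rule-name prefixes grouped by what the rule depends on (assumed mapping,
# drawn from the rule families seen in this thread).  Anything not listed
# is treated as a plain local rule (body/header/URI regex).
BUCKETS = {
    "bayes":    ("BAYES_",),
    "network":  ("RAZOR2_", "DCC_", "PYZOR_", "DIGEST_MULTIPLE", "URIBL_",
                 "RCVD_IN_", "SPF_", "BOTNET"),
    "awl":      ("AWL",),
    "language": ("UNWANTED_LANGUAGE_",),
}


def bucket_for(rule):
    for name, prefixes in BUCKETS.items():
        if rule.startswith(prefixes):
            return name
    return "local"


def parse_report(text):
    """Return (reported_total, required, [(score, rule), ...])."""
    total = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = HIT_RE.match(line)
        if m:  # continuation lines such as "[cf: 100]" do not match
            hits.append((float(m.group(1)), m.group(2)))
    return total, required, hits


def triage(text):
    """What-if breakdown of one report; all scores rounded to one decimal."""
    total, required, hits = parse_report(text)
    by_bucket = {name: 0.0 for name in list(BUCKETS) + ["local"]}
    for score, rule in hits:
        by_bucket[bucket_for(rule)] += score
    # Per-rule scores are displayed rounded, so their sum can differ from the
    # reported total by a tenth (5.8 vs 5.7 here).  Use the reported total for
    # the verdict and the sum of the displayed hits for the what-ifs.
    summed = sum(by_bucket.values())
    without_bayes = summed - by_bucket["bayes"]
    local_only = without_bayes - by_bucket["network"]
    return {
        "reported_total": total,
        "required": required,
        "summed_total": round(summed, 1),
        "by_bucket": {k: round(v, 1) for k, v in by_bucket.items()},
        "without_bayes": round(without_bayes, 1),
        "local_only": round(local_only, 1),
        "caught_as_reported": total >= required,
        "caught_without_bayes": without_bayes >= required,
        "caught_local_only": local_only >= required,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:22} {value}")
```

For the report above this gives 2.3 points without Bayes and -0.2 with neither Bayes nor Razor/URIBL, which is the same conclusion Randy draws: on a site running only local rules this message is not caught. Paste any other report into SAMPLE_REPORT (or read it from stdin) to see which bucket is carrying the verdict.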
Re: False Negatives
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
>
> I'm running 3.2.4 with SARE, sought, and Botnet. We don't use bayes. Here are some samples of messages that have got through:
> http://pastebin.com/m16055c85
> http://pastebin.com/m52635526
> http://pastebin.com/m491c4882
> http://pastebin.com/m7c1240f2
>
I get a HTTP/1.1 404 Not Found on all 4 URLs.
Bye,
Raymond.
RE: False Negatives
Posted by "Koopmann, Jan-Peter" <ja...@koopmann.eu>.
> It really doesn't matter to me whether it was on uribl/surbl when he
> sent it. I provided what our server marked this as, as an example of
> rules that he could look at as to why it was scored low. Other people
> that don't use "unwanted language" may not need it, but in some cases
> it helps, specifically this case.
I was just about to send a reply myself but since you already stated
100% of what I wanted to say... :-)
Re: False Negatives
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
mouss wrote:
> Koopmann, Jan-Peter wrote:
>>> http://pastebin.com/m16055c85
>>>
>>
>> Content analysis details:   (9.6 points, 6.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>>                             [URIs: diroma.us]
>>  0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
>>                             [SPF failed: Please see http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
>>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>>  2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>                             [score: 0.5000]
>>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>>                             [cf: 100]
>>  2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>>                             [cf: 100]
>>  0.7 SARE_BANK_URI_IP       SARE_BANK_URI_IP
>>  0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -2.0200
>>
>> unwanted language
>
> It was not on uribl/surbl when OP sent it, and "unwanted language"
> isn't appropriate for everybody. I ran a test on the first (when OP
> sent it) and it scored a little less than 5 (I don't remember if DCC
> was hit, but razor was).
It really doesn't matter to me whether it was on uribl/surbl when he
sent it. I provided what our server marked this as, as an example of
rules that he could look at as to why it was scored low. Other people
that don't use "unwanted language" may not need it, but in some cases it
helps, specifically this case. I ran a test on our log and could not
find one incident of hitting the "unwanted" rule, so maybe he should use
it. I also stated that bayes would help mostly in the cases he provided.
thanks.
rcr
Re: False Negatives
Posted by mouss <mo...@netoyen.net>.
Koopmann, Jan-Peter wrote:
>> http://pastebin.com/m16055c85
>>
>
> Content analysis details:   (9.6 points, 6.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                             [URIs: diroma.us]
>  0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
>                             [SPF failed: Please see http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>  2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>                             [cf: 100]
>  2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  0.7 SARE_BANK_URI_IP       SARE_BANK_URI_IP
>  0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -2.0200
>
>
It was not on uribl/surbl when OP sent it, and "unwanted language" isn't
appropriate for everybody. I ran a test on the first (when OP sent it)
and it scored a little less than 5 (I don't remember if DCC was hit, but
razor was).
>
>> http://pastebin.com/m52635526
>>
>
> Content analysis details:   (13.0 points, 6.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: trip-reps6.com]
>  1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>                             [URIs: trip-reps6.com]
> -0.3 BOTNET_SERVERWORDS     Hostname contains server-like substrings
>                             [botnet_serverwords,ip=64.187.116.22,rdns=mail.trip-reps6.com]
>  0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
>                             [SPF failed: Please see http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
>  0.1 TW_MF                  BODY: Odd Letter Triples with MF
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5003]
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>                             [cf: 80]
>  2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 80]
>  2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  3.0 DIGEST_MULTIPLE        Message hits more than one network digest check
>  0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -1.7700
>
> I did not check the other two. Not sure if DCC/Razor would have seen
> them a few hours ago. If they were to cross my server now they would at
> least be flagged as spam.
>
> Are you using DCC/RAZOR?
>
I guess so, otherwise, he wouldn't get into the 3-4 range as he said.
RE: False Negatives
Posted by "Koopmann, Jan-Peter" <ja...@koopmann.eu>.
> http://pastebin.com/m16055c85
Content analysis details:   (9.6 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: diroma.us]
 0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.7 SARE_BANK_URI_IP       SARE_BANK_URI_IP
 0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -2.0200
> http://pastebin.com/m52635526
Content analysis details:   (13.0 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: trip-reps6.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: trip-reps6.com]
-0.3 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=64.187.116.22,rdns=mail.trip-reps6.com]
 0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.1 TW_MF                  BODY: Odd Letter Triples with MF
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5003]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 80]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 80]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -1.7700
I did not check the other two. Not sure if DCC/Razor would have seen
them a few hours ago. If they were to cross my server now they would at
least be flagged as spam.
Are you using DCC/RAZOR?
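One detail in the two reports above is worth checking before copying any of these scores: both SPF_HELO_FAIL hits name the tested relay as ip=10.1.5.17, an RFC 1918 address, with HELO mail4.go-concepts.com. SpamAssassin picks the relay for SPF and DNSBL tests by walking the Received: headers from the newest one down and skipping every hop inside trusted_networks (internal_networks defaults to the same list); the first hop it does not trust is the one it tests. When a message from one site is re-scanned on another site, the first site's internal hops are not in the scanner's trusted_networks, so the private hop is tested and SPF can only fail. The script below is an added example, not code from the thread or from SpamAssassin: it reproduces that walk on a constructed Received chain built from the addresses in the reports (10.1.5.17 with HELO mail4.go-concepts.com, and 64.187.116.22 with rDNS mail.trip-reps6.com from the Botnet line). The "by" hostname mailstore.example.internal, the timestamps and the trusted_networks values are placeholders.

```python
"""Which relay SpamAssassin will test, given trusted_networks.

Added example for this thread; not code from the thread or from
SpamAssassin itself.  SpamAssassin reads Received: headers newest first,
skips each relay whose address is inside trusted_networks (internal_networks
defaults to the same list), and runs SPF, DNSBL and similar checks against
the first relay it does not trust.  The chain below is constructed from the
addresses in the thread's reports; mailstore.example.internal and the
timestamps are placeholders.
"""
import ipaddress
import re

# Constructed Received chain, newest first, as the pasted sample would carry
# it after crossing the original recipient's own MX (mail4.go-concepts.com,
# internal address 10.1.5.17) on its way to an internal mail store.
RECEIVED_HEADERS = [
    "from mail4.go-concepts.com ([10.1.5.17]) by mailstore.example.internal "
    "with ESMTP; Wed, 16 Apr 2008 14:01:19 -0400",
    "from mail.trip-reps6.com (mail.trip-reps6.com [64.187.116.22]) "
    "by mail4.go-concepts.com with ESMTP; Wed, 16 Apr 2008 14:01:17 -0400",
]

# HELO name is the token after "from"; the connecting IP is the first
# bracketed dotted quad on the line.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Return {'helo': ..., 'ip': ...} for one Received: header, or None."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": ipaddress.ip_address(m.group("ip"))}


def last_external_relay(headers, trusted_networks):
    """First relay (newest first) whose IP lies outside trusted_networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for header in headers:
        relay = parse_received(header)
        if relay is None:
            continue
        if any(relay["ip"] in net for net in nets):
            continue  # one of ours: keep walking toward the sender
        return relay
    return None


def diagnose(headers, trusted_networks):
    """Report which relay SPF/DNSBL tests would use and whether that is sane."""
    relay = last_external_relay(headers, trusted_networks)
    if relay is None:
        return {"relay": None, "helo": None,
                "problem": "every relay is trusted; there is nothing to test"}
    problem = None
    if relay["ip"].is_private:
        problem = ("tested relay has a private address: an internal hop is "
                   "missing from trusted_networks/internal_networks, so SPF "
                   "and DNSBL results for this message are meaningless")
    return {"relay": str(relay["ip"]), "helo": relay["helo"], "problem": problem}


if __name__ == "__main__":
    # A scanner on another site: its own LAN is trusted, 10.1.5.0/24 is not.
    print(diagnose(RECEIVED_HEADERS, ["192.168.0.0/16"]))
    # The original recipient, with its internal hop listed as trusted.
    print(diagnose(RECEIVED_HEADERS, ["192.168.0.0/16", "10.1.5.0/24"]))
```

With only a foreign LAN trusted, the walk stops at 10.1.5.17 / mail4.go-concepts.com, which is exactly the relay named in the SPF_HELO_FAIL lines above; with 10.1.5.0/24 added, it continues to 64.187.116.22 / mail.trip-reps6.com, the relay the Botnet rule reported. The practical check is the same on any installation: if a report ever shows an SPF or DNSBL result for a private address, fix trusted_networks before trusting any of the network scores.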