Posted to users@spamassassin.apache.org by Luis Hernán Otegui <lu...@gmail.com> on 2008/03/18 14:28:37 UTC

How can I catch these?

Hi, I'm kinda getting tired of reporting these mails (both to my local
SA and to SpamCop), and so are my customers. My problem is that the
spammers are using a large ISP's mail server, and that particular ISP
(as all the others here in Argentina) don't bother checking the abuse
reports. What drives me crazy is the little score it lacks to go
devnulled...

I've tried adding

blacklist_from                  ventas*@interservers.com.ar

to my local.cf

Anyway, here's a sample: http://pastebin.com/m3c0e5b9

Thanks in advance,


Luis

Re: How can I catch these?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 18 Mar 2008, Loren Wilton wrote:

>>           tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,
>
> You could probably take bayes_99 up to very nearly 5 points quite safely 
> IF your bayes database is well trained.

And if you're vexed by spams from Argentinian ISPs that BAYES is trained 
to recognize, then add a DNSBL lookup for IP addresses in Argentina and 
add a meta rule combining that and BAYES_99 for the goal...

Possibly:

describe BL_COUNTRY_AR_1 Mail client in Argentina
header   BL_COUNTRY_AR_1 X-Relay-Countries =~ /AR/i
score    BL_COUNTRY_AR_1 0.5

meta     AR_SPAM  BL_COUNTRY_AR_1 && (BAYES_80 || BAYES_99)
score    AR_SPAM  10

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The yardstick you should use when considering whether to support a
   given piece of legislation is "what if my worst enemy is chosen to
   administer this law?"
-----------------------------------------------------------------------
  68 days until the Mars Phoenix lander arrives at Mars

Re: How can I catch these?

Posted by Loren Wilton <lw...@earthlink.net>.
>          tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,

You could probably take bayes_99 up to very nearly 5 points quite safely IF 
your bayes database is well trained.

        Loren


Re: How can I catch these?

Posted by Luis Hernán Otegui <lu...@gmail.com>.
Hi, Matthias

2008/3/18, Matthias Haegele <mh...@linuxrocks.dyndns.org>:
> Luis Hernán Otegui wrote:
>
> > Hi, I'm kinda getting tired of reporting these mails (both to my local
>  > SA and to SpamCop), and so are my customers. My problem is that the
>  > spammers are using a large ISP's mail server, and that particular ISP
>  > (as all the others here in Argentina) don't bother checking the abuse
>  > reports. What drives me crazy is the little score it lacks to go
>  > devnulled...
>  >
>  > I've tried adding
>  >
>  > blacklist_from                  ventas*@interservers.com.ar
>  >
>  > to my local.cf
>  >
>  > Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>  >
>  > Thanks in advance,
>
>
> X-Spam-Flag: YES
> X-Spam-Score: 7.068
> X-Spam-Level: *******
> X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5
>          tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,
>          MIME_QP_LONG_LINE=1.396, NORMAL_HTTP_TO_IP=0.001
>
> Hmm, what's the problem? You got some hits like bayes_99 ... DCC?
>

Well, it needs 8 points to go devnulled. Between 5 and 8 I only do
tag-and-pass, via Amavis.

BTW, I'm using SA 3.2.4, Amavisd-new 2.5.4, Debian Sarge

>
>  > Luis
>
>
>  --
>  Gruesse/Greetings
>  MH
>
>
>  Don't send mail to: ubecatcher@linuxrocks.dyndns.org
>
> --
>
>
Luis

Re: How can I catch these?

Posted by Matthias Haegele <mh...@linuxrocks.dyndns.org>.
Luis Hernán Otegui wrote:
> Hi, I'm kinda getting tired of reporting these mails (both to my local
> SA and to SpamCop), and so are my customers. My problem is that the
> spammers are using a large ISP's mail server, and that particular ISP
> (as all the others here in Argentina) don't bother checking the abuse
> reports. What drives me crazy is the little score it lacks to go
> devnulled...
> 
> I've tried adding
> 
> blacklist_from                  ventas*@interservers.com.ar
> 
> to my local.cf
> 
> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
> 
> Thanks in advance,

X-Spam-Flag: YES
X-Spam-Score: 7.068
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5
         tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,
         MIME_QP_LONG_LINE=1.396, NORMAL_HTTP_TO_IP=0.001

Hmm, what's the problem? You got some hits like bayes_99 ... DCC?


> Luis


-- 
Gruesse/Greetings
MH


Don't send mail to: ubecatcher@linuxrocks.dyndns.org
--


Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Luis Hernán Otegui wrote:
> Hi, I'm kinda getting tired of reporting these mails (both to my local
> SA and to SpamCop), and so are my customers. My problem is that the
> spammers are using a large ISP's mail server, and that particular ISP
> (as all the others here in Argentina) don't bother checking the abuse
> reports. What drives me crazy is the little score it lacks to go
> devnulled...
>
> I've tried adding
>
> blacklist_from                  ventas*@interservers.com.ar
>
> to my local.cf
>
> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>   

You could reject non-FQDN HELO in your MTA. If this is too aggressive 
for your site, you can do it if the client "looks dynamic", for example 
if it matches [^a-z]{9} (PCRE).



Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Henrik K wrote:
> On Wed, Mar 19, 2008 at 09:27:27PM +0100, mouss wrote:
>   
> If the registrar MX relays mail to you, it should be in internal_networks,
> thus *-External will match. If it doesn't, then your internal/trusted is
> set up wrong.
>
>   

I always thought "internal" meant "under my control". Just reread more 
carefully and I saw my confusion...

Does the same logic apply to mail retrieved via fetchmail? Should the POP 
and MX be in internal_networks?


Re: How can I catch these?

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 19, 2008 at 09:27:27PM +0100, mouss wrote:
> Henrik K wrote:
>> You are missing the point. It doesn't matter if it's not bringing _you_
>> anything. The correct method is External. If you don't have any extra
>> trusted_networks set, it works identically no matter which you use. But for
>> those who want to do something that's documented and correct, it needs to be
>> External.
>>
>>   
>
> I want to check the rdns and helo of the host that injected mail to my  
> registrar MX. the *-External pseudo-header starts with my registrar hop.  

If the registrar MX relays mail to you, it should be in internal_networks,
thus *-External will match. If it doesn't, then your internal/trusted is
set up wrong.


Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Henrik K wrote:
> You are missing the point. It doesn't matter if it's not bringing _you_
> anything. The correct method is External. If you don't have any extra
> trusted_networks set, it works identically no matter which you use. But for
> those who want to do something that's documented and correct, it needs to be
> External.
>
>   

I want to check the rdns and helo of the host that injected mail to my 
registrar MX. the *-External pseudo-header starts with my registrar hop. 
the *-Untrusted one starts with the hop I want to check. In short, with 
-D, *-Untrusted fires while *-External does not. I get:

X-Spam-Relays-Untrusted: [ ip=1.2.3.4 rdns=1.2.3.4.dyn.example helo=foo 
... ] [ ...

and

X-Spam-Relays-External: [ ip=192.0.2.1 rdns=relay.friend.example 
helo=relay.friend.example ... ] ....
  [ ip=1.2.3.4 rdns=4.3.2.1.dyn.example helo=foo ...

With *-Untrusted, I can easily get the first hop (1.2.3.4...). With 
*-External, I can't because it's inside (and the number of hops varies, 
so I can't just count the brackets).
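To make the *-External versus *-Untrusted difference concrete, here is an added Python simulation (not code from this thread or from SpamAssassin itself) that builds both pseudo-headers from a constructed two-hop chain and runs mouss's NONFQHELO_DYN1 regex over each. It assumes a simplified version of SA's relay walk, documentation-range IPs and invented host names, and renders only the four fields the rule looks at.

```python
import ipaddress
import re

# mouss's NONFQHELO_DYN1 regex from this thread, joined onto one line.
NONFQHELO_DYN1 = re.compile(r"^[^\]]+ rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ ", re.I)

# Constructed hops, nearest to our own MX first. IPs are from documentation
# ranges and the host names are invented; only the four fields the rule looks
# at are rendered (real pseudo-headers carry more, e.g. ident= envfrom= id=).
REGISTRAR_MX = {"ip": "192.0.2.1", "rdns": "relay.friend.example",
                "helo": "relay.friend.example", "by": "mx.ours.example"}
DYN_CLIENT = {"ip": "198.51.100.77", "rdns": "host-198-51-100-77.dyn.isp.example",
              "helo": "foo", "by": "relay.friend.example"}
HOPS = [REGISTRAR_MX, DYN_CLIENT]
OUR_NET = "203.0.113.0/24"   # hypothetical internal network of our own MX

def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def outside(hops, networks):
    """Simplified SA walk: hops count as inside `networks` only until the
    first hop that is not; that hop and everything beyond it (further from
    us, i.e. towards the origin) are outside."""
    for i, hop in enumerate(hops):
        if not in_networks(hop["ip"], networks):
            return hops[i:]
    return []

def format_relays(hops):
    """Render hops in the X-Spam-Relays-* '[ ip=... rdns=... helo=... by=... ]' style."""
    fields = ("ip", "rdns", "helo", "by")
    return " ".join("[ " + " ".join(f"{k}={h[k]}" for k in fields) + " ]" for h in hops)

def pseudo_headers(hops, internal_networks, trusted_networks):
    """External = hops outside internal_networks; Untrusted = hops outside
    trusted_networks. Since trusted is a superset of internal, External can
    carry extra (trusted, non-internal) hops in front."""
    return (format_relays(outside(hops, internal_networks)),
            format_relays(outside(hops, trusted_networks)))

def rule_hits(header_value):
    # SA's `header ... =~ /re/` is a search; `^` pins it to the first hop.
    return NONFQHELO_DYN1.search(header_value) is not None

def scenario(internal_networks, trusted_networks):
    external, untrusted = pseudo_headers(HOPS, internal_networks, trusted_networks)
    return {"external": rule_hits(external), "untrusted": rule_hits(untrusted)}

# mouss's setup: the registrar MX is trusted but not internal, so the
# *-External header starts with it and the anchored rule misses the client.
MOUSS = scenario(internal_networks=[OUR_NET],
                 trusted_networks=[OUR_NET, "192.0.2.1/32"])
# Henrik's correction: a relay that forwards mail to you belongs in
# internal_networks as well, after which *-External starts at the client too.
HENRIK = scenario(internal_networks=[OUR_NET, "192.0.2.1/32"],
                  trusted_networks=[OUR_NET, "192.0.2.1/32"])

if __name__ == "__main__":
    print("mouss :", MOUSS)   # {'external': False, 'untrusted': True}
    print("henrik:", HENRIK)  # {'external': True, 'untrusted': True}
```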




Re: How can I catch these?

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 19, 2008 at 08:08:01PM +0100, mouss wrote:
> Henrik K wrote:
>>
>> Inspired by this thread I submitted this, which should explain it:
>>
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856
>>
>>   
>
> it's because you are trusting the ISP MSA. I am not. I only trust my ISP  
> and my registrar MX. no MUA should talk to them.
>
> *-external wouldn't bring me anything, because I am already doing checks  
> at the MTA level, so the zombie won't get to SA if it matches such  
> rules. In particular, I reject non fqdn helo on the MX unconditionally  
> (I know this may catch misconfigured sites, but I currently don't care).

You are missing the point. It doesn't matter if it's not bringing _you_
anything. The correct method is External. If you don't have any extra
trusted_networks set, it works identically no matter which you use. But for
those who want to do something that's documented and correct, it needs to be
External.


Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Henrik K wrote:
> On Wed, Mar 19, 2008 at 05:35:32PM +0100, mouss wrote:
>   
>> Henrik K wrote:
>>     
>>> On Wed, Mar 19, 2008 at 02:48:34PM +0100, mouss wrote:
>>>   
>>>       
>>>> Luis Hernán Otegui wrote:
>>>>     
>>>>         
>>>>>> [snip]
>>>>>>
>>>>>> how about something like
>>>>>>
>>>>>>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>>>>>>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>>>>>>  score      NONFQHELO_DYN1  3.0
>>>>>>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>>>>>>
>>>>>>  ?
>>>>>>             
>>>>>>             
>>>>> I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
>>>>> for their suggestions. They've gone right into my documentation folder
>>>>> ;-)
>>>>>         
>>>>>           
>>>> beware. that was a question, not a suggestion! I only ran it on very 
>>>> few  messages, so it's completely untested.
>>>>     
>>>>         
>>> It should use X-Spam-Relays-External. Still a common misconception that
>>> untrusted == external.
>>>
>>>   
>>>       
>> can you explain why it should use *-external instead of *-untrusted?
>>     
>
> Inspired by this thread I submitted this, which should explain it:
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856
>
>   

It's because you are trusting the ISP MSA. I am not. I only trust my ISP 
and my registrar MX. No MUA should talk to them.

*-external wouldn't bring me anything, because I am already doing checks 
at the MTA level, so the zombie won't get to SA if it matches such 
rules. In particular, I reject non fqdn helo on the MX unconditionally 
(I know this may catch misconfigured sites, but I currently don't care).






Re: How can I catch these?

Posted by Henrik K <he...@hege.li>.
On Thu, Mar 20, 2008 at 03:16:40PM +0100, Matus UHLAR - fantomas wrote:
> > >> It should use X-Spam-Relays-External. Still a common misconception that
> > >> untrusted == external.
> 
> > > can you explain why it should use *-external instead of *-untrusted?
> 
> On 19.03.08 20:47, Henrik K wrote:
> > Inspired by this thread I submitted this, which should explain it:
> > 
> > https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856
> 
> trusted_networks should be a bit broader than internal_networks. So, there
> may be trusted hosts that are not internal, but no internal networks that
> are untrusted.

This is exactly what I said.

> In such case, if the first external host is trusted, it should _not_ be
> checked against any blacklists etc., just because it is trusted. That's imho
> why it's *-untrusted, not *-external

If a host is trusted, it is not checked in RBLs. Using External makes no
difference in that regard.


Re: How can I catch these?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> >> It should use X-Spam-Relays-External. Still a common misconception that
> >> untrusted == external.

> > can you explain why it should use *-external instead of *-untrusted?

On 19.03.08 20:47, Henrik K wrote:
> Inspired by this thread I submitted this, which should explain it:
> 
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856

trusted_networks should be a bit broader than internal_networks. So, there
may be trusted hosts that are not internal, but no internal networks that
are untrusted.

In such case, if the first external host is trusted, it should _not_ be
checked against any blacklists etc., just because it is trusted. That's imho
why it's *-untrusted, not *-external.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: How can I catch these?

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 19, 2008 at 05:35:32PM +0100, mouss wrote:
> Henrik K wrote:
>> On Wed, Mar 19, 2008 at 02:48:34PM +0100, mouss wrote:
>>   
>>> Luis Hernán Otegui wrote:
>>>     
>>>>> [snip]
>>>>>
>>>>> how about something like
>>>>>
>>>>>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>>>>>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>>>>>  score      NONFQHELO_DYN1  3.0
>>>>>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>>>>>
>>>>>  ?
>>>>>             
>>>> I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
>>>> for their suggestions. They've gone right into my documentation folder
>>>> ;-)
>>>>         
>>> beware. that was a question, not a suggestion! I only ran it on very 
>>> few  messages, so it's completely untested.
>>>     
>>
>> It should use X-Spam-Relays-External. Still a common misconception that
>> untrusted == external.
>>
>>   
>
> can you explain why it should use *-external instead of *-untrusted?

Inspired by this thread I submitted this, which should explain it:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856


Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Henrik K wrote:
> On Wed, Mar 19, 2008 at 02:48:34PM +0100, mouss wrote:
>   
>> Luis Hernán Otegui wrote:
>>     
>>>> [snip]
>>>>
>>>> how about something like
>>>>
>>>>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>>>>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>>>>  score      NONFQHELO_DYN1  3.0
>>>>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>>>>
>>>>  ?
>>>>     
>>>>         
>>> I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
>>> for their suggestions. They've gone right into my documentation folder
>>> ;-)
>>>   
>>>       
>> beware. that was a question, not a suggestion! I only ran it on very few  
>> messages, so it's completely untested.
>>     
>
> It should use X-Spam-Relays-External. Still a common misconception that
> untrusted == external.
>
>   

Can you explain why it should use *-external instead of *-untrusted?


Re: How can I catch these?

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 19, 2008 at 02:48:34PM +0100, mouss wrote:
> Luis Hernán Otegui wrote:
>>> [snip]
>>>
>>> how about something like
>>>
>>>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>>>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>>>  score      NONFQHELO_DYN1  3.0
>>>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>>>
>>>  ?
>>>     
>>
>> I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
>> for their suggestions. They've gone right into my documentation folder
>> ;-)
>>   
>
> beware. that was a question, not a suggestion! I only ran it on very few  
> messages, so it's completely untested.

It should use X-Spam-Relays-External. Still a common misconception that
untrusted == external.


Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Luis Hernán Otegui wrote:
>> [snip]
>>
>> how about something like
>>
>>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>>  score      NONFQHELO_DYN1  3.0
>>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>>
>>  ?
>>     
>
> I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
> for their suggestions. They've gone right into my documentation folder
> ;-)
>   

Beware: that was a question, not a suggestion! I only ran it on very few 
messages, so it's completely untested.


Re: How can I catch these?

Posted by Luis Hernán Otegui <lu...@gmail.com>.
OK, Mouss

2008/3/18, mouss <mo...@netoyen.net>:
> Loren Wilton wrote:
>  >> Hi, I'm kinda getting tired of reporting these mails (both to my local
>  >> SA and to SpamCop), and so are my customers. My problem is that the
>  >> spammers are using a large ISP's mail server, and that particular ISP
>  >> (as all the others here in Argentina) don't bother checking the abuse
>  >> reports. What drives me crazy is the little score it lacks to go
>  >> devnulled...
>  >>
>  >> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>  >
>  > The main problem here is that the standard SA rules are in english and
>  > the mail is in spanish (or something close to that I suppose).  My
>  > Spanish is incredibly rusty, but just scanning the mail I see dozens
>  > of phrases I'd try to match on to add points for this sort of thing.
>  > Of course, I'd need a few dozen examples (at least!) to even consider
>  > writing any rules for this sort of thing.  It would be better if a
>  > native speaker wrote the rules than someone not that familiar with the
>  > language.
>  >
>  > In any case, you can try blacklisting the address of the CD company,
>  > try rules against cheap CDs, try rules against mail advertising
>  > pictures of nice colored girls (presumably where all of the color is
>  > visible at once), and a half dozen other seemingly pretty obvious
>  > stock phrases.
>  >
>  > Of course, you need a bunch of these mails so you can compile a phrase
>  > list, and you ideally need some way to do a masscheck against spam and
>  > ham to make sure you aren't accidentally catching a lot of ham.  But
>  > you should be able to get the first of those requirements trivially,
>  > and if you are careful and start with low scores and monitor the logs
>  > for the rules that are hitting you should be able to adjust scores
>  > safely and successfully.
>  >
>  > Justin has a tool that makes rules based on phrases found in ham and
>  > spam. This is an automated form of doing what I suggest above by
>  > hand.  I don't know if those tools are part of the SA package, but
>  > they might be.  If so, they could probably be used to advantage.
>  >
>  >        Loren
>  >
>
>
> how about something like
>
>  header    NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+
>  rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>  score      NONFQHELO_DYN1  3.0
>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>
>  ?

I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
for their suggestions. They've gone right into my documentation folder
;-)


>
>
>
Regards,


Luis

Re: How can I catch these?

Posted by mouss <mo...@netoyen.net>.
Loren Wilton wrote:
>> Hi, I'm kinda getting tired of reporting these mails (both to my local
>> SA and to SpamCop), and so are my customers. My problem is that the
>> spammers are using a large ISP's mail server, and that particular ISP
>> (as all the others here in Argentina) don't bother checking the abuse
>> reports. What drives me crazy is the little score it lacks to go
>> devnulled...
>>
>> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>
> The main problem here is that the standard SA rules are in english and 
> the mail is in spanish (or something close to that I suppose).  My 
> Spanish is incredibly rusty, but just scanning the mail I see dozens 
> of phrases I'd try to match on to add points for this sort of thing.  
> Of course, I'd need a few dozen examples (at least!) to even consider 
> writing any rules for this sort of thing.  It would be better if a 
> native speaker wrote the rules than someone not that familiar with the 
> language.
>
> In any case, you can try blacklisting the address of the CD company, 
> try rules against cheap CDs, try rules against mail advertising 
> pictures of nice colored girls (presumably where all of the color is 
> visible at once), and a half dozen other seemingly pretty obvious 
> stock phrases.
>
> Of course, you need a bunch of these mails so you can compile a phrase 
> list, and you ideally need some way to do a masscheck against spam and 
> ham to make sure you aren't accidentally catching a lot of ham.  But 
> you should be able to get the first of those requirements trivially, 
> and if you are careful and start with low scores and monitor the logs 
> for the rules that are hitting you should be able to adjust scores 
> safely and successfully.
>
> Justin has a tool that makes rules based on phrases found in ham and 
> spam. This is an automated form of doing what I suggest above by 
> hand.  I don't know if those tools are part of the SA package, but 
> they might be.  If so, they could probably be used to advantage.
>
>        Loren
>

How about something like

header   NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
score    NONFQHELO_DYN1  3.0
describe NONFQHELO_DYN1  non fqdn helo from dynamic client

?



Re: How can I catch these?

Posted by Loren Wilton <lw...@earthlink.net>.
> Hi, I'm kinda getting tired of reporting these mails (both to my local
> SA and to SpamCop), and so are my customers. My problem is that the
> spammers are using a large ISP's mail server, and that particular ISP
> (as all the others here in Argentina) don't bother checking the abuse
> reports. What drives me crazy is the little score it lacks to go
> devnulled...
>
> Anyway, here's a sample: http://pastebin.com/m3c0e5b9

The main problem here is that the standard SA rules are in english and the 
mail is in spanish (or something close to that I suppose).  My Spanish is 
incredibly rusty, but just scanning the mail I see dozens of phrases I'd try 
to match on to add points for this sort of thing.  Of course, I'd need a few 
dozen examples (at least!) to even consider writing any rules for this sort 
of thing.  It would be better if a native speaker wrote the rules than 
someone not that familiar with the language.

In any case, you can try blacklisting the address of the CD company, try 
rules against cheap CDs, try rules against mail advertising pictures of nice 
colored girls (presumably where all of the color is visible at once), and a 
half dozen other seemingly pretty obvious stock phrases.

Of course, you need a bunch of these mails so you can compile a phrase list, 
and you ideally need some way to do a masscheck against spam and ham to make 
sure you aren't accidentally catching a lot of ham.  But you should be able 
to get the first of those requirements trivially, and if you are careful and 
start with low scores and monitor the logs for the rules that are hitting 
you should be able to adjust scores safely and successfully.

Justin has a tool that makes rules based on phrases found in ham and spam. 
This is an automated form of doing what I suggest above by hand.  I don't 
know if those tools are part of the SA package, but they might be.  If so, 
they could probably be used to advantage.

        Loren