Posted to users@spamassassin.apache.org by Igor Chudov <ic...@Algebra.Com> on 2007/02/23 04:01:24 UTC
Medical tablets spams
Example is here
http://igor.chudov.com/tmp/spam001.txt
They go past spamassassin. I use latest sare rules, run rules du jour
nightly etc.
I catch them after spamassassin, using my own filter, using regex
edrx\s*\.com\b
I wonder why spamassassin cannot identify them.
i
Re: Medical tablets spams
Posted by Bob McClure Jr <bo...@bobcatos.com>.
On Thu, Feb 22, 2007 at 09:01:24PM -0600, Igor Chudov wrote:
> Example is here
>
> http://igor.chudov.com/tmp/spam001.txt
>
> They go past spamassassin. I use latest sare rules, run rules du jour
> nightly etc.
>
> I catch them after spamassassin, using my own filter, using regex
>
> edrx\s*\.com\b
>
> I wonder why spamassassin cannot identify them.
>
> i
Botnet and Bayes did the trick for me, albeit I have BAYES_99 set to
score higher than standard:
Content analysis details: (11.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=65.182.171.162,hostname=ak74,maildomain=haats.de,baddns]
0.1 TW_DR BODY: Odd Letter Triples with DR
5.1 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 0.9998]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?88.121.45.57>]
Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
bob@bobcatos.com http://www.bobcatos.com
To do what is right and just is more acceptable to the LORD than
sacrifice. Proverbs 21:3 (NIV)
Re: Medical tablets spams
Posted by Doc Schneider <ma...@maddoc.net>.
David Goldsmith wrote:
>
> Igor Chudov wrote:
>
>> I also got these errors:
>>
>> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
>> has undefined dependency 'SARE_RD_SAFE_MKSHRT'
>> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
>> has undefined dependency 'SARE_RD_SAFE_GT'
>> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
>> has undefined dependency 'SARE_RD_SAFE_TINY'
>> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
>> SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero
>> score
>> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
>> SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
>> Feb 22 21:18:41 manifold spamd[5132]: spamd: server started on port
>> 783/tcp (running version 3.1.5)
>> Feb 22 21:18:41 manifold spamd[5132]: spamd: server pid: 5132
>> Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
>> spawned child process, pid 5133
>> Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
>> spawned child process, pid 5134
>> Feb 22 21:18:41 manifold spamd[5132]: prefork: child states: II
>
> I get the SARE_RD_SAFE and SARE_RD_SAFE_MKSHRT rules from the
> 72_sare_redirect_post3.0.0.cf file. I have version 2.9.3 from 5/14/06
> of this file. Do you have the current SARE rulesets or are they a
> little out of date.
See the bottom of that ruleset. It says how to fix these errors. You
need to remove a few #*#'s if I recall. We had a big discussion on this
on the sare-users list I run. 8*)
--
-Doc
SA/SARE -- Ninja
9:36pm up 7 days, 9:03, 18 users, load average: 2.99, 1.17, 0.76
SARE HQ http://www.rulesemporium.com/
Re: Medical tablets spams
Posted by David Goldsmith <dg...@sans.org>.
Igor Chudov wrote:
> I also got these errors:
>
> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
> has undefined dependency 'SARE_RD_SAFE_MKSHRT'
> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
> has undefined dependency 'SARE_RD_SAFE_GT'
> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
> has undefined dependency 'SARE_RD_SAFE_TINY'
> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
> SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero
> score
> Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
> SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
> Feb 22 21:18:41 manifold spamd[5132]: spamd: server started on port
> 783/tcp (running version 3.1.5)
> Feb 22 21:18:41 manifold spamd[5132]: spamd: server pid: 5132
> Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
> spawned child process, pid 5133
> Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
> spawned child process, pid 5134
> Feb 22 21:18:41 manifold spamd[5132]: prefork: child states: II
I get the SARE_RD_SAFE and SARE_RD_SAFE_MKSHRT rules from the
72_sare_redirect_post3.0.0.cf file. I have version 2.9.3 from 5/14/06
of this file. Do you have the current SARE rulesets or are they a
little out of date.
From my maillog file when I processed your message:
Feb 23 03:04:58 iceman14 spamd[10312]: prefork: child states: II
Feb 23 03:05:05 iceman14 spamd[10318]: spamd: connection from
iceman12-ext.giac.net [65.173.218.113] at port 33629
Feb 23 03:05:05 iceman14 spamd[10318]: spamd: processing message
<01...@georgesport> for spamass:501
Feb 23 03:05:07 iceman14 spamd[10312]: prefork: child states: IB
Feb 23 03:05:11 iceman14 spamd[10318]: spamd: identified spam (13.7/5.0)
for spamass:501 in 6.2 seconds, 1553 bytes.
Feb 23 03:05:11 iceman14 spamd[10318]: spamd: result: Y 13 -
BAYES_99,BOTNET,DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,TW_DR
scantime=6.2,size=1553,user=spamass,uid=501,required_score=5.0,rhost=iceman12-ext.giac.net,raddr=65.173.218.113,rport=33629,mid=<01...@georgesport>,bayes=0.999999999999991,autolearn=spam
I don't have any errors about the SARE rules and "spamassassin --lint"
does not flag any issues.
David Goldsmith
Re: Medical tablets spams
Posted by Igor Chudov <ic...@Algebra.Com>.
On Thu, Feb 22, 2007 at 10:07:31PM -0500, David Goldsmith wrote:
>
> Igor Chudov wrote:
> > Example is here
> >
> > http://igor.chudov.com/tmp/spam001.txt
> >
> > They go past spamassassin. I use latest sare rules, run rules du jour
> > nightly etc.
> >
> > I catch them after spamassassin, using my own filter, using regex
> >
> > edrx\s*\.com\b
> >
> > I wonder why spamassassin cannot identify them.
> >
> > i
>
> Here's my score for that message:
>
> Content analysis details: (13.7 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 5.0 BOTNET Relay might be a spambot or virusbot
>
> [botnet0.7,ip=65.182.171.162,hostname=ak74,maildomain=haats.de,baddns]
> 0.1 TW_DR BODY: Odd Letter Triples with DR
> 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 2.2 DCC_CHECK Listed in DCC
> (http://rhyolite.com/anti-spam/dcc/)
> 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> [Blocked - see
> <http://www.spamcop.net/bl.shtml?88.121.45.57>]
> 0.8 DIGEST_MULTIPLE Message hits more than one network digest check
>
>
> Running SA 3.1.8, Pyzor, Razor, DCC, BOTNET, SARE rulesets, RBL tests
> and Bayesian. I just added BOTNET recently, but even without it, it
> still would have scored 8.7.
David, very interesting. I enabled DCC as you suggested, but it is not
taking effect -- I piped this message through SA and it did not detect
BOTNET rules.
I also got these errors:
Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
has undefined dependency 'SARE_RD_SAFE_MKSHRT'
Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
has undefined dependency 'SARE_RD_SAFE_GT'
Feb 22 21:18:41 manifold spamd[5132]: rules: meta test SARE_RD_SAFE
has undefined dependency 'SARE_RD_SAFE_TINY'
Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero
score
Feb 22 21:18:41 manifold spamd[5132]: rules: meta test
SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
Feb 22 21:18:41 manifold spamd[5132]: spamd: server started on port
783/tcp (running version 3.1.5)
Feb 22 21:18:41 manifold spamd[5132]: spamd: server pid: 5132
Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
spawned child process, pid 5133
Feb 22 21:18:41 manifold spamd[5132]: spamd: server successfully
spawned child process, pid 5134
Feb 22 21:18:41 manifold spamd[5132]: prefork: child states: II
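To show what spamd is checking when it logs the "meta test ... has undefined dependency" and "... with a zero score" lines above, and to show the thread's post-filter regex written as an ordinary SpamAssassin body rule, here is an added Python linter. It is not part of the thread or of SpamAssassin itself, and the ruleset it parses is constructed for the example; the SARE rule names are reused from the log lines but their bodies are placeholders.

```python
import re

# Constructed sample ruleset (not a real SARE file). The first rule is the
# thread's post-filter regex as a SpamAssassin body rule; the meta rules are
# built to reproduce the two kinds of warning spamd logged in the thread.
SAMPLE_CF = r"""
body   LOCAL_EDRX_COM   /edrx\s*\.com\b/i
score  LOCAL_EDRX_COM   2.5
body   SARE_RD_SAFE_GT  /placeholder/
score  SARE_RD_SAFE_GT  0
meta   SARE_RD_SAFE     (SARE_RD_SAFE_MKSHRT || SARE_RD_SAFE_GT || SARE_RD_SAFE_TINY)
meta   SARE_OBFU_CIALIS (SARE_OBFU_CIALIS2 && LOCAL_EDRX_COM)
"""

RULE_TYPES = ("header", "body", "rawbody", "uri", "full", "mimeheader", "meta")

def parse_rules(text):
    """Return (defined rule names, explicit scores, meta expressions)."""
    defined, scores, metas = set(), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue                      # describe/lang lines etc. are ignored
        kind, name, rest = parts
        if kind in RULE_TYPES:
            defined.add(name)
            if kind == "meta":
                metas[name] = rest
        elif kind == "score":
            scores[name] = float(rest.split()[0])   # first of up to four score sets
    return defined, scores, metas

def lint_metas(text):
    """Flag meta rules whose operands are undefined or carry a zero score,
    the two conditions behind the 'rules: meta test ...' log lines."""
    defined, scores, metas = parse_rules(text)
    problems = []
    for name, expr in metas.items():
        # Identifiers in the expression are the rules it depends on; operators
        # (||, &&, !, +, >) and numeric constants do not match the pattern.
        for dep in sorted(set(re.findall(r"[A-Za-z_]\w*", expr))):
            if dep not in defined:
                problems.append((name, dep, "undefined dependency"))
            elif scores.get(dep) == 0:
                problems.append((name, dep, "dependency with a zero score"))
    return problems

if __name__ == "__main__":
    for meta, dep, why in lint_metas(SAMPLE_CF):
        print(f"meta test {meta}: {why} {dep!r}")
```

A rule with no score line keeps SpamAssassin's default and is not flagged; only an explicit zero is reported, which is what the "with a zero score" warning refers to.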
Re: Medical tablets spams
Posted by David Goldsmith <dg...@sans.org>.
Igor Chudov wrote:
> Example is here
>
> http://igor.chudov.com/tmp/spam001.txt
>
> They go past spamassassin. I use latest sare rules, run rules du jour
> nightly etc.
>
> I catch them after spamassassin, using my own filter, using regex
>
> edrx\s*\.com\b
>
> I wonder why spamassassin cannot identify them.
>
> i
Here's my score for that message:
Content analysis details: (13.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.7,ip=65.182.171.162,hostname=ak74,maildomain=haats.de,baddns]
0.1 TW_DR BODY: Odd Letter Triples with DR
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.2 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?88.121.45.57>]
0.8 DIGEST_MULTIPLE Message hits more than one network digest check
Running SA 3.1.8, Pyzor, Razor, DCC, BOTNET, SARE rulesets, RBL tests
and Bayesian. I just added BOTNET recently, but even without it, it
still would have scored 8.7.
David Goldsmith