Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2008/01/16 08:03:45 UTC
are the NORMAL_HTTP_TO_IP scores still valid?
Hi there
I just got a one-line piece of spam with an IP-address-based URL. Probably
pointing at some "auto infect your Windows PC" app.
Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later it
had shown up in several RBLs and the score was pushed up to 4.9.
My question is that it triggered NORMAL_HTTP_TO_IP, but that only adds
0.1 to the score. That seems really low to me. Are there really so many
"legitimate" IP-based URLs being sent around via email that makes a
higher score a bad idea?
Just wondering...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: are the NORMAL_HTTP_TO_IP scores still valid?
Posted by Jason Haar <Ja...@trimble.co.nz>.
Matt Kettler wrote:
> Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
>
> STATISTICS-set0.txt:OVERALL  SPAM%   HAM%    S/O    RANK  SCORE  NAME
> STATISTICS-set0.txt: 0.395   0.3920  0.4001  0.495  0.42  0.10   NORMAL_HTTP_TO_IP
>
> Note the S/O of 0.42 means that 42% of matches to this rule were spam,
> and 58% were nonspam.
Ah - pity. StormBot is currently sending out tonnes of emails that
contain a link to IP-based web servers (the infected hosts no doubt)
which have trojans. The emails are <1K in size and in fact contain just
a single line, e.g.
For You....My Love http://ip.address/
Perhaps a rule to score up NORMAL_HTTP_TO_IP if seen in conjunction with
small message size could catch it. Casting my mind back, I'm sure I've
seen this sort of behaviour before with older trojan mail runs - could be
a winner?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
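The combination Jason proposes (an IP-based URL in a message under 1K) can be prototyped outside SpamAssassin to see how it separates the one-line trojan mail from ordinary mail that merely carries an IP URL. The following is an added example written for this thread, not code from the thread or from SpamAssassin itself; the rule name SMALL_MSG_IP_URL, its 2.5 score, the 1024-byte threshold and the three sample messages (using 192.0.2.0/24 TEST-NET addresses) are all assumptions chosen for illustration. Only the 0.1 score for NORMAL_HTTP_TO_IP comes from the thread.

```python
import email
import re
from email import policy

# Matches http(s) URLs whose host is a dotted-quad IP, with optional port and path.
IP_URL_RE = re.compile(
    r"\bhttps?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/\S*)?", re.IGNORECASE
)

SCORE_NORMAL_HTTP_TO_IP = 0.1   # score reported for the rule in the thread
SCORE_SMALL_MSG_IP_URL = 2.5    # hypothetical bump for the proposed combined rule
SMALL_MESSAGE_BYTES = 1024      # assumed cut-off for "the emails are <1K in size"


def body_text(raw: bytes) -> str:
    """Concatenate the text/* parts of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def evaluate(raw: bytes) -> dict:
    """Return the rule hits and combined score for one raw message.

    NORMAL_HTTP_TO_IP fires on any IP-based URL in the body; the hypothetical
    SMALL_MSG_IP_URL fires only when that URL appears in a message smaller than
    SMALL_MESSAGE_BYTES, mirroring the meta rule suggested in the thread.
    """
    hits = []
    score = 0.0
    has_ip_url = bool(IP_URL_RE.search(body_text(raw)))
    if has_ip_url:
        hits.append("NORMAL_HTTP_TO_IP")
        score += SCORE_NORMAL_HTTP_TO_IP
    if has_ip_url and len(raw) < SMALL_MESSAGE_BYTES:
        hits.append("SMALL_MSG_IP_URL")
        score += SCORE_SMALL_MSG_IP_URL
    return {"hits": hits, "score": round(score, 1), "size": len(raw)}


# Constructed sample messages (not real mail); 192.0.2.x is a documentation range.
STORM_SAMPLE = (
    b"From: someone@example.net\n"
    b"To: victim@example.org\n"
    b"Subject: For You\n\n"
    b"For You....My Love http://192.0.2.10/\n"
)

# A longer internal notice that links to a server by IP: this is the kind of
# legitimate mail that keeps the plain NORMAL_HTTP_TO_IP score low.
LEGIT_SAMPLE = (
    b"From: it-ops@example.org\n"
    b"To: staff@example.org\n"
    b"Subject: Build server maintenance window\n\n"
    b"The build server at http://192.0.2.50:8080/status will be offline\n"
    + b"for maintenance on Saturday. Please save your work beforehand.\n" * 20
)

# Short mail with a hostname URL only: neither rule should fire.
PLAIN_SAMPLE = (
    b"From: friend@example.net\n"
    b"To: you@example.org\n"
    b"Subject: lunch\n\n"
    b"Menu is at http://example.com/menu - see you at noon.\n"
)

if __name__ == "__main__":
    for name, sample in (("storm", STORM_SAMPLE), ("legit", LEGIT_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, evaluate(sample))
```

Running it shows the short one-line message picking up both rules while the longer message with an IP URL only earns the 0.1 that NORMAL_HTTP_TO_IP already gives; the size threshold is what does the separating, so it is the value to tune against real ham before deploying anything like this.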
Re: are the NORMAL_HTTP_TO_IP scores still valid?
Posted by Matt Kettler <mk...@verizon.net>.
Jason Haar wrote:
> Hi there
>
> I just got a one-line piece of spam with an IP-address-based URL.
> Probably pointing at some "auto infect your Windows PC" app.
>
> Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later
> it had shown up in several RBLs and the score was pushed up to 4.9.
>
> My question is that it triggered NORMAL_HTTP_TO_IP, but that only adds
> 0.1 to the score. That seems really low to me. Are there really so
> many "legitimate" IP-based URLs being sent around via email that makes
> a higher score a bad idea?
Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
STATISTICS-set0.txt:OVERALL  SPAM%   HAM%    S/O    RANK  SCORE  NAME
STATISTICS-set0.txt: 0.395   0.3920  0.4001  0.495  0.42  0.10   NORMAL_HTTP_TO_IP
Note the S/O of 0.42 means that 42% of matches to this rule were spam,
and 58% were nonspam.