Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2008/01/16 08:03:45 UTC

are the NORMAL_HTTP_TO_IP scores still valid?

Hi there

I just got a one-line piece of spam with an IP-address-based URL. Probably 
pointing at some "auto infect your Windows PC" app.

Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later it 
had shown up in several RBLs and the score was pushed up to 4.9.

My question is that it triggered NORMAL_HTTP_TO_IP, but that only adds 
0.1 to the score. That seems really low to me. Are there really so many 
"legitimate" IP-based URLs being sent around via email that makes a 
higher score a bad idea?

Just wondering...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: are the NORMAL_HTTP_TO_IP scores still valid?

Posted by Jason Haar <Ja...@trimble.co.nz>.
Matt Kettler wrote:
> Yes. In fact, IP-based URLs occur more commonly in nonspam than spam.
>
> STATISTICS-set0.txt:OVERALL    SPAM%     HAM%     S/O    RANK   SCORE  NAME
> STATISTICS-set0.txt:  0.395   0.3920   0.4001    0.495   0.42    0.10  NORMAL_HTTP_TO_IP
>
> Note the S/O of 0.42 means that 42% of matches to this rule were spam, 
> and 58% were nonspam.
Ah - pity. StormBot is currently sending out tonnes of emails that 
contain a link to IP-based web servers (the infected hosts no doubt) 
which have trojans. The emails are <1K in size and in fact contain just 
a single line, e.g.:

For You....My Love http://ip.address/

Perhaps a rule to score up NORMAL_HTTP_TO_IP if seen in conjunction with 
small message size could catch it. Casting my mind back, I'm sure I've 
seen this sort of behaviour before with older trojan mail runs - could be 
a winner?



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
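The meta rule proposed in the post above, as an added example that is not part of the thread and not SpamAssassin's own code: a small Python model that fires a low score for any IP-literal URL and adds a large score only when that URL sits in a tiny body, so a normal-length message that happens to link to an address still gets the 0.1 the thread reports. The rule name TINY_BODY_IP_URL, the 3.0 bump, the 1024-byte threshold, the exclusion of internal address ranges and the URL regex are all this example's assumptions; the three messages are constructed samples using documentation address ranges.

```python
"""Model of "NORMAL_HTTP_TO_IP plus tiny body" as a combined spam test.

Added example for the thread above; rule names, scores, threshold and the
internal-range exclusion are assumptions, not SpamAssassin's behaviour.
"""
import email
import ipaddress
import re
from email import policy

# Loose analogue of NORMAL_HTTP_TO_IP: an http(s) URL whose host is written
# as a dotted-quad.  This regex is the example's own, not SpamAssassin's.
IP_URL_RE = re.compile(
    r'https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?=[/\s"<>)\]]|$)', re.I)

# Assumption: links to internal addresses are ordinary in ham, so ignore them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

TINY_BODY_BYTES = 1024   # "<1K in size" from the post (assumed threshold)
SCORE_HTTP_TO_IP = 0.1   # the score quoted in the thread
SCORE_TINY_IP_URL = 3.0  # assumed bump when the IP URL sits in a tiny body


def ip_literal_urls(text):
    """Return the routable IPv4 literals used as URL hosts in `text`."""
    found = []
    for m in IP_URL_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:       # e.g. http://999.1.1.1/ is not an address
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        found.append(str(ip))
    return found


def score_message(raw):
    """Score one RFC 5322 message; returns (score, [names of rules that hit])."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    hits, score = [], 0.0
    if ip_literal_urls(text):
        hits.append("NORMAL_HTTP_TO_IP")
        score += SCORE_HTTP_TO_IP
        # The proposed meta rule: the large score only fires when the body is
        # tiny, which is what separates the one-line bot run from a normal
        # message that happens to link to an address.
        if len(text.encode("utf-8")) < TINY_BODY_BYTES:
            hits.append("TINY_BODY_IP_URL")
            score += SCORE_TINY_IP_URL
    return round(score, 1), hits


# Constructed sample messages (not real mail); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_SPAM = """\
From: someone@example.net
To: you@example.com
Subject: For You....My Love

For You....My Love http://203.0.113.5/
"""

SAMPLE_HAM_PUBLIC = """\
From: colleague@example.com
To: you@example.com
Subject: mirror for the release tarballs

DNS for the new mirror is not live yet, so for now pull the tarballs from
http://198.51.100.7/pub/releases/ instead of the usual hostname.

""" + "Build notes for the release follow, one line per component.\n" * 20

SAMPLE_HAM_INTERNAL = """\
From: it@example.com
To: you@example.com
Subject: print server

The replacement print server answers at http://192.168.10.4/ for now.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham/public", SAMPLE_HAM_PUBLIC),
                      ("ham/internal", SAMPLE_HAM_INTERNAL)):
        print(f"{name:12} -> {score_message(raw)}")
```

In SpamAssassin itself the same idea is a `meta` rule of the form `meta TINY_BODY_IP_URL (NORMAL_HTTP_TO_IP && __SOME_SMALL_BODY_TEST)` with its own `score` line, where the small-body test is whatever size check the installed rule set provides. Before giving such a rule a high score, run it through a mass-check over local ham and spam corpora, since the thread's own statistics show that an IP-literal URL on its own hits ham slightly more often than spam.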


Re: are the NORMAL_HTTP_TO_IP scores still valid?

Posted by Matt Kettler <mk...@verizon.net>.
Jason Haar wrote:
> Hi there
>
> I just got a one-line piece of spam with an IP-address-based URL. 
> Probably pointing at some "auto infect your Windows PC" app.
>
> Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later 
> it had shown up in several RBLs and the score was pushed up to 4.9.
>
> My question is that it triggered NORMAL_HTTP_TO_IP, but that only adds 
> 0.1 to the score. That seems really low to me. Are there really so 
> many "legitimate" IP-based URLs being sent around via email that makes 
> a higher score a bad idea? 
Yes. In fact, IP-based URLs occur more commonly in nonspam than spam.

STATISTICS-set0.txt:OVERALL    SPAM%     HAM%     S/O    RANK   SCORE  NAME
STATISTICS-set0.txt:  0.395   0.3920   0.4001    0.495   0.42    0.10  NORMAL_HTTP_TO_IP

Note the S/O of 0.42 means that 42% of matches to this rule were spam, 
and 58% were nonspam.