Posted to users@spamassassin.apache.org by Daniele Paoni <da...@libertyline.it> on 2014/06/04 15:47:30 UTC

Viagra spam not caught

Hello, I'm getting a lot of viagra emails that are not tagged by 
spamassassin

I'm using SA version 3.3.2

This is the original message http://pastebin.ca/2794087

This is the result of spamassassin

X-Spam-Flag: NO
X-Spam-Score: 0.239
X-Spam-Level:
X-Spam-Status: No, score=0.239 tagged_above=-1000 required=5
         tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
         HTML_OBFUSCATE_10_20=0.093, LONGWORDS=2.035,
         RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01]
         autolearn=no
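As an added illustration (my own script, not part of the original thread and not SpamAssassin or amavisd-new code): a Python parser for the X-Spam-Status header in both forms that appear in this thread, the amavisd-new form above with per-rule scores (`tests=[RULE=score, ...]`) and the bare spamd 3.4.0 form from the replies (`tests=RULE,RULE,...`). It recomputes the total as if a different Bayes bucket had fired, which is the point made later in the thread about BAYES_00 versus BAYES_99, and lists which rules one scan hit that another did not. The Bayes scores it uses (-1.9, 1.5, 3.5) are the figures quoted in the thread and are assumptions; real values depend on the installed rule set and any local overrides.

```python
import re

# Constructed sample (copied from the first post): an amavisd-new style
# X-Spam-Status header with per-rule scores, folded across several lines.
HEADER_AMAVIS = """X-Spam-Status: No, score=0.239 tagged_above=-1000 required=5
         tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
         HTML_OBFUSCATE_10_20=0.093, LONGWORDS=2.035,
         RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01]
         autolearn=no"""

# Constructed sample in the spamd 3.4.0 form (bare rule list, no scores),
# folded with tab continuation lines.
HEADER_SPAMD = """X-Spam-Status: Yes, score=20.0 required=4.0 tests=BAYES_99,BAYES_999,
\tFREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTML_OBFUSCATE_10_20,
\tKAM_VERY_BLACK_DBL,LONGWORDS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
\tTO_NO_BRKTS_MSFT,T_REMOTE_IMAGE,URIBL_BLACK,URIBL_DBL_SPAM
\tautolearn=disabled version=3.4.0"""

# Assumed scores for three Bayes buckets, taken from the figures quoted in
# this thread. Real values depend on the installed rule set and local.cf.
BAYES_SCORES = {"BAYES_00": -1.9, "BAYES_60": 1.5, "BAYES_99": 3.5}


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]*", " ", header).strip()


def parse_spam_status(header):
    """Parse an X-Spam-Status header.

    Returns (is_spam, score, required, tests) where tests maps rule name to
    its score (amavisd-new form) or to None (plain spamd form).
    """
    text = unfold(header)
    m = re.match(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)", text)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    is_spam = m.group(1) == "Yes"
    score = float(m.group(2))
    req = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", text)
    required = float(req.group(1)) if req else None

    tests = {}
    scored = re.search(r"tests=\[([^\]]*)\]", text)
    if scored:
        for item in scored.group(1).split(","):
            name, _, value = item.strip().partition("=")
            if name:
                tests[name] = float(value)
    elif "tests=" in text:
        # Bare form: consume comma-separated names until the next key=value token.
        for token in text.split("tests=", 1)[1].split():
            if "=" in token:
                break
            tests.update({n: None for n in token.split(",") if n})
    return is_spam, score, required, tests


def rescore_with_bayes(tests, required, bucket, bayes_scores=BAYES_SCORES):
    """Total the non-Bayes rules and add the score of `bucket` in place of
    whatever BAYES_* rule actually fired. Returns (new_score, would_tag)."""
    others = {k: v for k, v in tests.items() if not k.startswith("BAYES_")}
    if any(v is None for v in others.values()):
        raise ValueError("per-rule scores are needed to rescore")
    total = round(sum(others.values()) + bayes_scores[bucket], 3)
    return total, total >= required


def rules_missing_from(reference_tests, observed_tests):
    """Rules that fired in the reference scan but not in the observed one."""
    return sorted(set(reference_tests) - set(observed_tests))


if __name__ == "__main__":
    flag, score, required, tests = parse_spam_status(HEADER_AMAVIS)
    print(f"observed: spam={flag} score={score} required={required}")
    for bucket in BAYES_SCORES:
        print(f"  with {bucket:<8}: {rescore_with_bayes(tests, required, bucket)}")
    _, _, _, ref = parse_spam_status(HEADER_SPAMD)
    print("not hit here:", ", ".join(rules_missing_from(ref, tests)))
```

Run against the header above, the rescoring shows the same 0.239 with BAYES_00, but 5.639 (over the required 5) had BAYES_99 fired with the quoted 3.5 points; the rule diff against the 3.4.0 scan lists the URIBL, KAM and TO_NO_BRKTS_MSFT rules that were absent here.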




Re: Viagra spam not caught

Posted by Daniele Paoni <da...@libertyline.it>.
On 06/07/2014 03:55 PM, Matus UHLAR - fantomas wrote:

> On 06.06.14 18:06, Daniele Paoni wrote:
>> I deleted the bayes database and trained it using real spam&ham
>
> I would not clear the BAYES DB so fast. Even BAYES_00 spam can become
> BAYES_99 after a few properly trained samples.
>
OK, I will keep it in mind for the next time :-)

>> Today I got another one of these emails, the strange thing is that if
>> I scan it with spamassassin manually the TO_NO_BRKTS_MSFT is triggered
>> but it is not triggered on the original mail scanned with postfix +
>> amavisd-new.
>
> did you reload amavis after spamassassin rule updates?
>
Yes I have also rebooted the server for a kernel upgrade so it was 
definitely restarted.


Re: Viagra spam not caught

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 06/05/2014 09:25 AM, Matus UHLAR - fantomas wrote:
>> Seems the only problems Daniele could solve are obsolete rules and
>> mistrained BAYES database.

On 06.06.14 18:06, Daniele Paoni wrote:
>I deleted the bayes database and trained it using real spam&ham

I would not clear the BAYES DB so fast. Even BAYES_00 spam can become
BAYES_99 after a few properly trained samples.

>Today I got another one of these emails, the strange thing is that if 
>I scan it with spamassassin manually the TO_NO_BRKTS_MSFT is 
>triggered but it is not triggered on the original mail scanned with 
>postfix + amavisd-new.

did you reload amavis after spamassassin rule updates?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 

Re: Viagra spam not caught

Posted by Daniele Paoni <da...@libertyline.it>.
On 06/05/2014 09:25 AM, Matus UHLAR - fantomas wrote:

>
> Seems the only problems Daniele could solve are obsolete rules and
> mistrained BAYES database.
>

Hello
I deleted the bayes database and trained it using real spam&ham
Today I got another one of these emails, the strange thing is that if I 
scan it with spamassassin manually the TO_NO_BRKTS_MSFT is triggered but 
it is not triggered on the original mail scanned with postfix + amavisd-new.

I tried to check the amavisd-new configuration but I cannot see anything 
that can exclude the rule.

The amavisd-new version is 2.8.0 and the server is a centos 6.5 using 
ispconfig as hosting panel.

Does anyone have an idea on what I'm doing wrong?



Re: Viagra spam not caught

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 6/4/2014 11:04 AM, Daniele Paoni wrote:
>>I will try to retrain my bayes database.

... and run sa-update and reload your spamd.
If you keep some of your spam and ham samples, re-train them properly.
Those that misfired are more important.

On 04.06.14 11:56, Bowie Bailey wrote:
>That message would have been blocked before it even got to my spam 
>folder.

Daniele was apparently the early recipient.

>         *  4.1 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>         *      [score: 1.0000]

you have increased your BAYES_99 score :-)

>         *  3.1 TO_NO_BRKTS_MSFT To: misformatted and supposed 
>Microsoft tool
>
>TO_NO_BRKTS_MSFT is the only major rule I didn't see hit in your 
>message.  I can't tell which version of SA you have, but you should 
>also make sure you are up to date (3.4.0) and run sa-update to make 
>sure you have all of the latest rules.

I see this rule in 3.3.2 (I use Debian's spamassassin so I have 3.3.2 for
now).

Seems the only problems Daniele could solve are obsolete rules and
mistrained BAYES database.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: Viagra spam not caught

Posted by Bowie Bailey <Bo...@BUC.com>.
On 6/4/2014 2:10 PM, daniele-ml@libertyline.it wrote:
> Il 04-06-2014 17:56 Bowie Bailey ha scritto:
>
>> That message would have been blocked before it even got to my spam
>> folder.  Even taking out the blacklists and Bayes, it still would have
>> scored 5.2 and I think those are all stock rules.  Actually, the KAM
>> rule indicates that it would have also hit Spamhaus, which I have as a
>> blacklist in my MTA, so this message would not have even gotten as far
>> as SA.
>>
> If I scan it now it hits the blacklists for me too but when I get the
> message it is not yet in the blacklists (my email is probably at the
> beginning of this spammer's list) so the message is not tagged.

Greylisting can help with that if you are willing to deal with the 
delays it can cause.

>
>> X-Spam-Status: Yes, score=20.0 required=4.0 tests=BAYES_99,BAYES_999,
>> FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTML_OBFUSCATE_10_20,
>> KAM_VERY_BLACK_DBL,LONGWORDS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
>>           TO_NO_BRKTS_MSFT,T_REMOTE_IMAGE,URIBL_BLACK,URIBL_DBL_SPAM
>> autolearn=disabled
>>           version=3.4.0
>> [....]
>>
>> TO_NO_BRKTS_MSFT is the only major rule I didn't see hit in your
>> message.  I can't tell which version of SA you have, but you should
>> also make sure you are up to date (3.4.0) and run sa-update to make
>> sure you have all of the latest rules.
> I have SA 3.3.2, I will check this rule; thanks for the hint.

This may be a new rule for 3.4, I'm not sure.  It's always a good idea 
to keep SA up to date for the best results.

-- 
Bowie

Re: Viagra spam not caught

Posted by da...@libertyline.it.
Il 04-06-2014 17:56 Bowie Bailey ha scritto:

> That message would have been blocked before it even got to my spam
> folder.  Even taking out the blacklists and Bayes, it still would have
> scored 5.2 and I think those are all stock rules.  Actually, the KAM
> rule indicates that it would have also hit Spamhaus, which I have as a
> blacklist in my MTA, so this message would not have even gotten as far
> as SA.
> 

If I scan it now it hits the blacklists for me too but when I get the 
message it is not yet in the blacklists (my email is probably at the 
beginning of this spammer's list) so the message is not tagged.

> X-Spam-Status: Yes, score=20.0 required=4.0 tests=BAYES_99,BAYES_999,
> FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTML_OBFUSCATE_10_20,
> KAM_VERY_BLACK_DBL,LONGWORDS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
>          TO_NO_BRKTS_MSFT,T_REMOTE_IMAGE,URIBL_BLACK,URIBL_DBL_SPAM
> autolearn=disabled
>          version=3.4.0
> [....]
> 
> TO_NO_BRKTS_MSFT is the only major rule I didn't see hit in your
> message.  I can't tell which version of SA you have, but you should
> also make sure you are up to date (3.4.0) and run sa-update to make
> sure you have all of the latest rules.

I have SA 3.3.2, I will check this rule; thanks for the hint.


Re: Viagra spam not caught

Posted by Bowie Bailey <Bo...@BUC.com>.
On 6/4/2014 11:04 AM, Daniele Paoni wrote:
> On 06/04/2014 04:36 PM, Bowie Bailey wrote:
>
>> The problem isn't that BAYES_00 subtracts 1.9 points.  The problem is
>> that you DON'T get the 3.5 points added from BAYES_99, which is what
>> should have hit.  Even if it got to BAYES_60, you still would have
>> gotten 1.5 points, which would have increased your score by 3.4 points.
>>
> I will try to retrain my bayes database.
>
>> There are some rules for obfuscated words both in html and plain text.
>> But the spammers are always finding new methods.  Paste the original
>> message text to www.pastebin.com and give us the link. That way we can
>> see what the message looks like and give you better suggestions for how
>> to catch that type of message.
> Ok, the original message is here.
>
> http://pastebin.ca/2794087

That message would have been blocked before it even got to my spam 
folder.  Even taking out the blacklists and Bayes, it still would have 
scored 5.2 and I think those are all stock rules.  Actually, the KAM 
rule indicates that it would have also hit Spamhaus, which I have as a 
blacklist in my MTA, so this message would not have even gotten as far 
as SA.

X-Spam-Status: Yes, score=20.0 required=4.0 tests=BAYES_99,BAYES_999,
FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTML_OBFUSCATE_10_20,
KAM_VERY_BLACK_DBL,LONGWORDS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
          TO_NO_BRKTS_MSFT,T_REMOTE_IMAGE,URIBL_BLACK,URIBL_DBL_SPAM 
autolearn=disabled
          version=3.4.0
X-Spam-Report:
          *  4.1 BAYES_99 BODY: Bayes spam probability is 99 to 100%
          *      [score: 1.0000]
          *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser 
mail provider
          *      (munge[at]outlook.com)
          *  2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
          *      [URIs: munge.com]
          *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
          *      [URIs: munge.com]
          * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
          *      [65.54.190.220 listed in wl.mailspike.net]
          *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
          *      [score: 1.0000]
          *  0.1 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML 
obfuscation
          *  0.0 HTML_MESSAGE BODY: HTML included in message
          *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or 
identical to
          *       background
          * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
          *  2.0 LONGWORDS Long string of long words
          *  5.0 KAM_VERY_BLACK_DBL Email that hits both URIBL Black and 
Spamhaus DBL
          *  0.0 T_REMOTE_IMAGE Message contains an external image
          *  3.1 TO_NO_BRKTS_MSFT To: misformatted and supposed 
Microsoft tool

TO_NO_BRKTS_MSFT is the only major rule I didn't see hit in your 
message.  I can't tell which version of SA you have, but you should also 
make sure you are up to date (3.4.0) and run sa-update to make sure you 
have all of the latest rules.

-- 
Bowie

Re: Viagra spam not caught

Posted by Daniele Paoni <da...@libertyline.it>.
On 06/04/2014 04:36 PM, Bowie Bailey wrote:

> Please keep list messages on the list so everyone can see them.  I'm
> just another user.  Other people may be able to add additional suggestions.
Oops.. sorry, hit the wrong button :-(

>
> The problem isn't that BAYES_00 subtracts 1.9 points.  The problem is
> that you DON'T get the 3.5 points added from BAYES_99, which is what
> should have hit.  Even if it got to BAYES_60, you still would have
> gotten 1.5 points, which would have increased your score by 3.4 points.
>
I will try to retrain my bayes database.

> There are some rules for obfuscated words both in html and plain text.
> But the spammers are always finding new methods.  Paste the original
> message text to www.pastebin.com and give us the link. That way we can
> see what the message looks like and give you better suggestions for how
> to catch that type of message.
>

Ok, the original message is here.

http://pastebin.ca/2794087


-- 
Daniele Paoni - Developer and System Administrator
Liberty Line srl - Via Macaggi 17/14 - 16121 Genova - 
http://www.libertyline.com

Re: Viagra spam not caught

Posted by Bowie Bailey <Bo...@BUC.com>.
On 6/4/2014 10:09 AM, Daniele Paoni wrote:
> On 06/04/2014 04:01 PM, Bowie Bailey wrote:
>
>> Your Bayes DB is messed up.  Spam should never get BAYES_00.  Check your
>> training procedures to make sure that spam is not being accidentally
>> trained as ham.  The best way to fix the problem is to wipe the DB and
>> start over.  If you have a saved corpus of ham and spam, you can use
>> that to start off the training of the new DB -- just make sure it's
>> sorted properly or you'll wind up with the same problem all over again.
>>
> Ok I will do it, but I don't think it will fix this particular message
> as the BAYES_00 is only -1.9.
> Is there some rule that recognizes words in "obfuscated" html ? The
> message is made with random letters and uses colors to show only
> relevant characters.

Please keep list messages on the list so everyone can see them.  I'm 
just another user.  Other people may be able to add additional suggestions.

The problem isn't that BAYES_00 subtracts 1.9 points.  The problem is 
that you DON'T get the 3.5 points added from BAYES_99, which is what 
should have hit.  Even if it got to BAYES_60, you still would have 
gotten 1.5 points, which would have increased your score by 3.4 points.

There are some rules for obfuscated words both in html and plain text.  
But the spammers are always finding new methods.  Paste the original 
message text to www.pastebin.com and give us the link. That way we can 
see what the message looks like and give you better suggestions for how 
to catch that type of message.

-- 
Bowie
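As an added illustration (my own code, not SpamAssassin's rule implementation and not the message from the pastebin): a small Python renderer for the kind of HTML Daniele describes, filler letters drawn in a colour almost identical to the background with only the payload letters visible. It keeps the text a reader would actually see, which is what a keyword rule needs to match on, and reports the fraction of near-invisible text, a heuristic in the spirit of the HTML_OBFUSCATE_* and HTML_FONT_LOW_CONTRAST rules but not their code. The sample HTML, the per-channel contrast measure and the threshold of 32 are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the style Daniele describes: filler letters drawn in a
# colour almost identical to the white background, with only the payload
# letters in a visible colour. Not taken from the pastebin message.
OBFUSCATED_HTML = (
    '<html><body bgcolor="#ffffff">'
    '<font color="#fdfdfd">kq</font><font color="#000000">v</font>'
    '<font color="#fefefe">zx</font><span style="color:#111111">i</span>'
    '<font color="#fcfcfc">jw</font><font color="black">a</font>'
    '<span style="background-color:#ffffff; color:#fefefe">mm</span>'
    '<font color="#222">g</font><font color="#fefefe">pp</font>'
    '<span style="color:#000">r</span><font color="#fdfdfd">tt</font>'
    '<font color="#000000">a</font></body></html>'
)
PLAIN_HTML = "<html><body><p>Meeting moved to 3pm, room B.</p></body></html>"

NAMED_COLOURS = {"white": (255, 255, 255), "black": (0, 0, 0)}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def parse_colour(value):
    """Turn '#rgb', '#rrggbb' or a named colour into (r, g, b); None if unknown."""
    v = value.strip().lower()
    if v in NAMED_COLOURS:
        return NAMED_COLOURS[v]
    m = re.fullmatch(r"#?([0-9a-f]{6}|[0-9a-f]{3})", v)
    if not m:
        return None
    h = m.group(1)
    if len(h) == 3:
        h = "".join(c * 2 for c in h)
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))


def channel_contrast(c1, c2):
    """Largest per-channel difference (0..255): a crude contrast measure,
    deliberately simpler than a real luminance-based one."""
    return max(abs(a - b) for a, b in zip(c1, c2))


class VisibleTextExtractor(HTMLParser):
    """Split text into what a reader would see and what is near-invisible."""

    def __init__(self, threshold):
        super().__init__()
        self.threshold = threshold
        self.background = (255, 255, 255)
        self.colour_stack = []   # one entry per open element; None = inherit
        self.visible, self.hidden = [], []

    def current_colour(self):
        for c in reversed(self.colour_stack):
            if c is not None:
                return c
        return (0, 0, 0)   # assumed default foreground

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.background = parse_colour(a["bgcolor"]) or self.background
        colour = parse_colour(a["color"]) if a.get("color") else None
        # CSS 'color:' in a style attribute wins over the legacy attribute;
        # the lookbehind keeps 'background-color:' from matching.
        m = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", a.get("style") or "")
        if m:
            colour = parse_colour(m.group(1)) or colour
        if tag not in VOID_TAGS:
            self.colour_stack.append(colour)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.colour_stack:
            self.colour_stack.pop()

    def handle_data(self, data):
        if channel_contrast(self.current_colour(), self.background) < self.threshold:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def split_visible(html, threshold=32):
    """Return (visible_text, hidden_text) for an HTML fragment."""
    p = VisibleTextExtractor(threshold)
    p.feed(html)
    p.close()
    return "".join(p.visible), "".join(p.hidden)


def hidden_ratio(html, threshold=32):
    """Fraction of body text that is near-invisible; 0.0 when there is no text."""
    visible, hidden = split_visible(html, threshold)
    total = len(visible) + len(hidden)
    return round(len(hidden) / total, 3) if total else 0.0


if __name__ == "__main__":
    for sample in (OBFUSCATED_HTML, PLAIN_HTML):
        vis, hid = split_visible(sample)
        print(f"visible={vis!r} hidden={hid!r} ratio={hidden_ratio(sample)}")
```

The obfuscated sample renders to the single visible word with two thirds of its characters hidden, while ordinary HTML mail yields a ratio of zero; feeding the visible text rather than the raw body to a keyword rule is the idea, and a high hidden ratio is itself a useful signal to score.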

Re: Viagra spam not caught

Posted by Bowie Bailey <Bo...@BUC.com>.
On 6/4/2014 9:47 AM, Daniele Paoni wrote:
> Hello, I'm getting a lot of viagra emails that are not tagged by 
> spamassassin
>
> I'm using SA version 3.3.2
>
> This is the original message http://pastebin.ca/2794087
>
> This is the result of spamassassin
>
> X-Spam-Flag: NO
> X-Spam-Score: 0.239
> X-Spam-Level:
> X-Spam-Status: No, score=0.239 tagged_above=-1000 required=5
>         tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
>         HTML_OBFUSCATE_10_20=0.093, LONGWORDS=2.035,
>         RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01]
>         autolearn=no

Your Bayes DB is messed up.  Spam should never get BAYES_00.  Check your 
training procedures to make sure that spam is not being accidentally 
trained as ham.  The best way to fix the problem is to wipe the DB and 
start over.  If you have a saved corpus of ham and spam, you can use 
that to start off the training of the new DB -- just make sure it's 
sorted properly or you'll wind up with the same problem all over again.

-- 
Bowie