Posted to users@spamassassin.apache.org by Dennis German <DG...@Real-World-Systems.com> on 2011/03/04 01:40:19 UTC

low score for ($1.5Million)

Can someone comment on the low score assigned to the email located at

http://www.cccu.us/hundredThousand.txt

X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
     MILLION_USD=1.528

Is my bayes "broken"?

Re: Spamassassin,clamAV and Clamsmtp

Posted by "Matthew Kitchin (public/usenet)" <mk...@gmail.com>.
On 3/5/2011 3:36 PM, Cimoni Enwis Ogwujiakwu wrote:
> Hello All,
> I am trying to set up an anti-spam and anti-virus proxy solution with 
> spamassassin, clamav and clamsmtp. I have currently set up 
> postfix, spamassassin, clamav, and clamsmtp and everything is working 
> fine but I do not want the postfix in the setup anymore because I want 
> to run the system as a proxy for port 25/587 traffic at my gateway. 
> clamav and clamsmtp are both working excellently as anti-virus proxy 
> but I do not know how to include spamassassin in this setup.
> Please, I need your assistance.
>
Many have great success with Postfix -> Amavisd (with clamav and 
spamassassin).
I have run this in some form or another for about 8 years or so. It may 
not be exactly what you want though. I'm not sure if that would meet 
your requirements for a proxy. You can have postfix pass the mail to 
your next filter before it accepts it in queue.
http://www.postfix.org/SMTPD_PROXY_README.html
I have never actually done this setup, but it has been on my to-do list.

> Simon
>
>


Re: Spamassassin,clamAV and Clamsmtp

Posted by Robert Schetterer <ro...@schetterer.org>.
On 05.03.2011 22:36, Cimoni Enwis Ogwujiakwu wrote:
> Hello All,
> I am trying to set up an anti-spam and anti-virus proxy solution with
> spamassassin, clamav and clamsmtp. I have currently set up
> postfix, spamassassin, clamav, and clamsmtp and everything is working
> fine but I do not want the postfix in the setup anymore because I want
> to run the system as a proxy for port 25/587 traffic at my gateway.
> clamav and clamsmtp are both working excellently as anti-virus proxy but
> I do not know how to include spamassassin in this setup.
> Please, I need your assistance.
>  
> Simon
> 
> 
you might use spampd ( standalone ) or i.e chain it with clamsmtp
( did this for years ) , or better use clamav-milter,spamass-milter
try amavis...
-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria

Spamassassin,clamAV and Clamsmtp

Posted by Cimoni Enwis Ogwujiakwu <og...@yahoo.com>.
Hello All,
I am trying to set up an anti-spam and anti-virus proxy solution with spamassassin, clamav and clamsmtp. I have currently set up postfix, spamassassin, clamav, and clamsmtp and everything is working fine but I do not want the postfix in the setup anymore because I want to run the system as a proxy for port 25/587 traffic at my gateway. clamav and clamsmtp are both working excellently as anti-virus proxy but I do not know how to include spamassassin in this setup.
Please, I need your assistance.
 
Simon



      

Re: low score for ($1.5Million)

Posted by Adam Katz <an...@khopis.com>.
On 03/04/2011 04:11 PM, jdow wrote:
> Wellll, it IS a small number by Nigerian scam standards. So why not
> a small score?
> 
> ----->>>> She ran that way FAST                    {O,o}

Likewise, I also enjoy weekends:

http://i.imgur.com/cxX6t.jpg  (mildly NSFW, though it's on my cube)

Re: low score for ($1.5Million)

Posted by jdow <jd...@earthlink.net>.
Wellll, it IS a small number by Nigerian scam standards. So why not a
small score?

----->>>> She ran that way FAST					{O,o}

On 2011/03/03 16:40, Dennis German wrote:
> Can someone comment on the low score assigned to the email located at
>
> http://www.cccu.us/hundredThousand.txt
>
> X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
> MILLION_USD=1.528
>
> Is my bayes "broken"?
>

Re: low score for ($1.5Million)

Posted by Adam Katz <an...@khopis.com>.
On 03/03/2011 04:40 PM, Dennis German wrote:
> Can someone comment on the low score assigned to the email located at
> 
> http://www.cccu.us/hundredThousand.txt
> 
> X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
>     MILLION_USD=1.528
> 
> Is my bayes "broken"?

Not "broken" so much as "poorly trained" ... you cannot rely upon
SpamAssassin's autolearn functionality to do even a half-decent job.
See the man page on sa-learn and consider using spamassassin -r in place
of sa-learn --spam.

As to the rest of that mail, here's what SA trunk had to say about it
(excluding T_ rules, formatted to 72 chars):


Content analysis details:   (19.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- ----------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser
                            mail provider
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/
 2.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                            digit
 2.5 MILLION_USD            BODY: Talks about millions of dollars
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature
-0.1 DKIM_VALID             Message has at least one valid DKIM
 1.0 HK_NAME_FM_MR_MRS      HK_NAME_FM_MR_MRS
 0.0 LOTS_OF_MONEY          Huge... sums of money
 3.5 FILL_THIS_FORM_LONG    Fill in a form with personal information
 1.0 MONEY_ATM_CARD         Lots of money on an ATM card
 0.0 FILL_THIS_FORM         Fill in a form with personal information
 2.8 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain
                            different freemails
 0.5 ADVANCE_FEE_3_NEW      Appears to be advance fee fraud
 1.0 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
 1.0 ADVANCE_FEE_2_NEW_FRM_MNY Adv Fee fraud form and lots of money
 1.0 ADVANCE_FEE_3_NEW_FRM_MNY Adv Fee fraud form and lots of money
 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
 0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
 0.4 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
 0.8 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form


Re: low score for ($1.5Million)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2011-03-03 at 19:40 -0500, Dennis German wrote:
> Can someone comment on the low score assigned to the email located at
> 
> http://www.cccu.us/hundredThousand.txt
> 
> X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
>      MILLION_USD=1.528
> 
> Is my bayes "broken"?

I'd phrase it "badly trained" for this type of spam.

The BAYES_00 hit suggests that similar fraud spam has been incorrectly
trained in the past. This might have been by auto-learning, not
necessarily after manual classification. However, it does show that
*especially* low scoring spam should be trained -- definitely, if it
went through below the spam threshold and/or has a low Bayes ratio.

The AWL hit also shows that you've received spam from that address
before, originating from the same net-block. Given the address, it
clearly also was a scam -- I'd even bet, it was very similar, if not
identical, in text.

Let me take a guess, you did not manually feed the previous one to
sa-learn for training?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
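
The triage described in the reply above, as an added example that is not part of the original thread: it parses the `X-Spam-testscores` header from the original post and lists why a message already confirmed as spam by a human should be fed to `sa-learn --spam`. The function names, the `LOW_BAYES` cut-off and both sample messages are assumptions made for this example.

```python
import email
from email import policy

REQUIRED = 5.0  # spam threshold quoted in the thread ("5.0 required")
# Bayes buckets meaning "looks like ham". Which buckets count as low is an
# assumption of this example, not something the thread specifies.
LOW_BAYES = {"BAYES_00", "BAYES_05", "BAYES_20"}

# Constructed sample: the header value is the one from the original post,
# the other headers and the body are made up.
MISSED = """\
From: sender@example.com
Subject: constructed sample
X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
     MILLION_USD=1.528

body
"""

# Constructed sample of a message Bayes already classifies well.
CAUGHT = """\
From: sender@example.com
Subject: constructed sample
X-Spam-testscores: BAYES_99=3.5,MILLION_USD=1.528,HTML_MESSAGE=0.001

body
"""


def parse_testscores(raw_message):
    """Return {rule: score} from a (possibly folded) X-Spam-testscores header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scores = {}
    for item in str(msg.get("X-Spam-testscores", "")).split(","):
        name, sep, pts = item.strip().partition("=")
        if not sep:
            continue  # empty or malformed entry
        try:
            scores[name] = float(pts)
        except ValueError:
            continue  # non-numeric score, skip rather than guess
    return scores


def triage(raw_message, required=REQUIRED):
    """Explain why a confirmed-spam message needs manual Bayes training."""
    scores = parse_testscores(raw_message)
    total = round(sum(scores.values()), 3)
    bayes = next((n for n in scores if n.startswith("BAYES_")), None)
    reasons = []
    if total < required:
        reasons.append("scored below the spam threshold")
    if bayes in LOW_BAYES:
        reasons.append(f"{bayes} hit on confirmed spam")
    return {
        "total": total,
        "bayes_rule": bayes,
        # What the other rules add up to once the Bayes rule is taken out.
        "total_without_bayes": round(total - scores.get(bayes, 0.0), 3),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("missed", MISSED), ("caught", CAUGHT)):
        print(label, triage(raw))
```

For the header from the original post the other rules still add up to less than 5.0 once BAYES_00 is taken out, so the message would have been missed on rules alone.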


Re: low score for ($1.5Million)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-04 at 11:19 -0500, Dennis German wrote:
> "while the OP uses"  OP means ?

Original Poster, he who started the thread. Depending on context, it
also can mean Original Post.


> Please direct me to info on FreeMail plugin.
> Is it expected that I will be able to implement it given I am on a 
> shared host without root access?

The plugin is mentioned on the SA third-party plugins wiki page.
  http://wiki.apache.org/spamassassin/CustomPlugins

Since the linked files from its home at http://sa.hege.li/ now are
linking back to SVN, it's missing the loadplugin line, which should be
placed e.g. in local.pre in your site-config dir. The following example
assumes the plugin also is in the same dir.

  loadplugin  Mail::SpamAssassin::Plugin::FreeMail FreeMail.pm

I don't know about the current code from 3.3, but the plugin definitely
used to work with 3.2 before. Whether or not you can use the plugin
without root access -- what you need is write permission in your
site-config dir, and a way to restart spamd.


> Karsten,
>   Thank you for your continued help. We all really appreciate your efforts.

:)  You're welcome.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: low score for ($1.5Million)

Posted by Adam Moffett <ad...@plexicomm.net>.
> "while the OP uses"  OP means ?
Original Poster.

Re: low score for ($1.5Million)

Posted by Dennis German <DG...@Real-World-Systems.com>.
On 3/3/11 8:06 PM, Karsten Bräckelmann wrote:
> On Fri, 2011-03-04 at 01:53 +0100, Mikael Syska wrote:
>> I get the following hits:
>> Content analysis details:   (19.1 points, 5.0 required)
>> Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
>> Yes, I can tell this from the scores. :)
>>
>> Major changes between these versions are clearly reflected in your score
>> and rules hit. Namely a lot of work by John Hardin to catch exactly such
>> fraud, and the FreeMail plugin now upstream -- with 3.2 it is available
>> as a third-party plugin.
>>
>>   0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>> X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
>>     MILLION_USD=1.528

"while the OP uses"  OP means ?
Please direct me to info on FreeMail plugin.
Is it expected that I will be able to implement it given I am on a 
shared host without root access?

Karsten,
  Thank you for your continued help. We all really appreciate your efforts.



Re: Supporting 3.3 and 3.2?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Sorry for replying to self.

On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
> > Could we please make an official project statement that 3.2.x is 
> > unsupported and people should really update to 3.3.x?
> 
> There is no such decision yet. The 3.2 branch as-is is not unsupported,
> just rather stale. Yes, indeed, there *might* be rule and score fixes
> still in the pipe. Less so code, but there definitely are some rule
> fixes currently in limbo.
> 
> Even with officially dropping support for 3.2, there *still* will be
> questions regarding 3.2. You can not stop that with any "official"
> announcement. Some folks for whatever reason might be stuck to that
> branch.
> 
> That said, personally, with various Open Source projects, I have never
> given up support for old versions. As long as I *can* help people, I
> will.

Even more so, there is a HUGE difference between officially "supporting"
a branch via rule updates, and giving advice in helping fight spam or
using SA features -- regardless of the version.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Supporting 3.3 and 3.2?

Posted by Edward Prendergast <ed...@netring.co.uk>.
  On 04/03/11 16:10, Dennis German wrote:
> On 3/3/11 10:09 PM, Karsten Bräckelmann wrote:
>> On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
>>> On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:
>>>> Could we please make an official project statement that 3.2.x is
>>>> unsupported and people should really update to 3.3.x?
>>> That said, personally, with various Open Source projects, I have never
>>> given up support for old versions. As long as I *can* help people, I
>>> will.
>>> Besides, in this particular case, the *real* underlying issue of a 
>>> badly
>>> trained Bayes won't get fixed by updating. Yes, the overall score would
>>> change drastically, as shown, but the training has been rather poor and
>>> won't change over night by updating.
> I would surely use a more recent version of SA if I could.
> My hosting service uses CPanel and Centos and I cannot convince them 
> to upgrade.
>

If you're using cPanel I think you should be able to upgrade to the 
latest version with /scripts/perlinstaller Mail::SpamAssassin - but 
proceed with caution, such a big upgrade could have a host of issues 
with dependencies.



Re: Supporting 3.3 and 3.2?

Posted by Dennis German <DG...@Real-World-Systems.com>.
On 3/3/11 10:09 PM, Karsten Bräckelmann wrote:
> On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
>> On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:
>>> Could we please make an official project statement that 3.2.x is
>>> unsupported and people should really update to 3.3.x?
>> That said, personally, with various Open Source projects, I have never
>> given up support for old versions. As long as I *can* help people, I
>> will.
>> Besides, in this particular case, the *real* underlying issue of a badly
>> trained Bayes won't get fixed by updating. Yes, the overall score would
>> change drastically, as shown, but the training has been rather poor and
>> won't change over night by updating.
I would surely use a more recent version of SA if I could.
My hosting service uses CPanel and Centos and I cannot convince them to 
upgrade.

Re: Supporting 3.3 and 3.2?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
> On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:

> > Could we please make an official project statement that 3.2.x is 
> > unsupported and people should really update to 3.3.x?

> That said, personally, with various Open Source projects, I have never
> given up support for old versions. As long as I *can* help people, I
> will.

Besides, in this particular case, the *real* underlying issue of a badly
trained Bayes won't get fixed by updating. Yes, the overall score would
change drastically, as shown, but the training has been rather poor and
won't change over night by updating.

I should probably stop replying to self now, though. :)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Supporting 3.3 and 3.2? (was: Re: low score for ($1.5Million))

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:
> On 3/3/2011 3:06 PM, Karsten Bräckelmann wrote:

> > Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
> > Yes, I can tell this from the scores. :)
> >
> > Major changes between these versions are clearly reflected in your score
> > and rules hit. Namely a lot of work by John Hardin to catch exactly such
> > fraud, and the FreeMail plugin now upstream -- with 3.2 it is available
> > as a third-party plugin.
> 
> Could we please make an official project statement that 3.2.x is 
> unsupported and people should really update to 3.3.x?

There is no such decision yet. The 3.2 branch as-is is not unsupported,
just rather stale. Yes, indeed, there *might* be rule and score fixes
still in the pipe. Less so code, but there definitely are some rule
fixes currently in limbo.

Even with officially dropping support for 3.2, there *still* will be
questions regarding 3.2. You can not stop that with any "official"
announcement. Some folks for whatever reason might be stuck to that
branch.

That said, personally, with various Open Source projects, I have never
given up support for old versions. As long as I *can* help people, I
will.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: low score for ($1.5Million)

Posted by "Warren Togami Jr." <wt...@gmail.com>.
On 3/3/2011 3:06 PM, Karsten Bräckelmann wrote:
> On Fri, 2011-03-04 at 01:53 +0100, Mikael Syska wrote:
>> I get the following hits:
>> Content analysis details:   (19.1 points, 5.0 required)
>
> Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
> Yes, I can tell this from the scores. :)
>
> Major changes between these versions are clearly reflected in your score
> and rules hit. Namely a lot of work by John Hardin to catch exactly such
> fraud, and the FreeMail plugin now upstream -- with 3.2 it is available
> as a third-party plugin.
>

Could we please make an official project statement that 3.2.x is 
unsupported and people should really update to 3.3.x?

Warren

Re: low score for ($1.5Million)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-04 at 01:53 +0100, Mikael Syska wrote:
> I get the following hits:
> Content analysis details:   (19.1 points, 5.0 required)

Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
Yes, I can tell this from the scores. :)

Major changes between these versions are clearly reflected in your score
and rules hit. Namely a lot of work by John Hardin to catch exactly such
fraud, and the FreeMail plugin now upstream -- with 3.2 it is available
as a third-party plugin.


>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%

> > X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
> >    MILLION_USD=1.528


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: low score for ($1.5Million)

Posted by Mikael Syska <mi...@syska.dk>.
Hi,

I get the following hits:
Content analysis details:   (19.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [98.139.91.205 listed in list.dnswl.org]
 0.5 FREEMAIL_FROM          Sender email is freemail
                            (offise----file1[at]att.net)
 1.6 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                            digit (offise----file1[at]att.net)
 3.2 MILLION_USD            BODY: Talks about millions of dollars
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5006]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                            necessarily valid
 2.0 FREEMAIL_REPLYTO       Reply-To is different freemail than From or body
                            (offise----file1[at]att.net,
                            www.western_union66[at]w.cn)
 0.0 T_TO_NO_BRKTS_FREEMAIL T_TO_NO_BRKTS_FREEMAIL
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_HK_NAME_FM_MR_MRS    T_HK_NAME_FM_MR_MRS
 3.4 FILL_THIS_FORM_LONG    Fill in a form with personal information
 1.4 MONEY_ATM_CARD         Lots of money on an ATM card
 0.0 FILL_THIS_FORM         Fill in a form with personal information
 0.5 ADVANCE_FEE_3_NEW      Appears to be advance fee fraud (Nigerian 419)
 0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
 0.9 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
 0.8 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
 0.0 MONEY_FORM             Lots of money if you fill out a form
 0.3 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)


On Fri, Mar 4, 2011 at 1:40 AM, Dennis German
<DG...@real-world-systems.com> wrote:
> Can someone comment on the low score assigned to the email located at
>
> http://www.cccu.us/hundredThousand.txt
>
> X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
>    MILLION_USD=1.528
>
> Is my bayes "broken"?

Mine scores BAYES_50 ...
>

Best regards