Posted to users@spamassassin.apache.org by Rajkumar S <ra...@gmail.com> on 2009/12/15 08:25:00 UTC

Spam from compromised web mails

Hi,

Occasionally I receive mail from compromised web mails asking my users
for their user name and password. The source IPs are usually clean (as
they are legitimate mail servers) and do not trigger any IP-based rules.
Usually one or two mail accounts are used to pump mails via web mail
after authentication.

I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399

It is interesting to note that the victim was using a Barracuda anti-spam
appliance which also failed to catch this spam. Any ideas to
tackle such spam are very much welcome.

with regards,

raj

Re: SA Tag Spam from compromised web mails

Posted by Chris Owen <ow...@hubris.net>.
On Dec 15, 2009, at 12:02 PM, Jeff Koch wrote:

> As I said not everyone controls the mailserver they get their list mail from.

Then why are they on a mailing list for people who run mail servers?

Chris

-------------------------------------------------------------------------
Chris Owen         - Garden City (620) 275-1900 -  Lottery (noun):
President          - Wichita     (316) 858-3000 -    A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------





Re: SA Tag Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
As I said not everyone controls the mailserver they get their list mail from.


At 12:55 PM 12/15/2009, LuKreme wrote:
>On 15-Dec-2009, at 10:52, Jeff Koch wrote:
> > At 12:41 PM 12/15/2009, Benny Pedersen wrote:
> >> open your eyes and see more, both the smartphones above can
> >> handle IMAP just fine, but I just tested it from a Nokia E51, should I
> >> prove it?
>
> > Of course an iPhone can see IMAP folders. But what's going to sort mail
> > into folders when I'm traveling for a week and the office PC is turned off?
>
>Server side IMAP rules? Procmail? Mailsieve?
>
>--
>Light thinks it travels faster than anything but it's wrong. No matter how 
>fast light travels it finds the darkness has always got there first, and 
>is waiting for it. --Reaper Man

Best Regards,

Jeff Koch, Intersessions 


Re: SA Tag Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On Dec 15, 2009, at 11:55, Jeff Koch <je...@intersessions.com> wrote:

> Instead of trying to make points why not read the whole thread? As I  
> said in a prior response - not everyone has management control over  
> the mailserver they use to get SA list mail.

You do not need 'management control' over a mailserver to filter mail.



Re: SA Tag Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
Instead of trying to make points why not read the whole thread? As I said 
in a prior response - not everyone has management control over the 
mailserver they use to get SA list mail.



At 01:01 PM 12/15/2009, Toni Mueller wrote:

>On Tue, 15.12.2009 at 12:52:44 -0500, Jeff Koch 
><je...@intersessions.com> wrote:
> > Of course an iPhone can see IMAP folders. But what's going to sort mail
> > into folders when I'm traveling for a week and the office PC is turned
> > off?
>
>The server on which the imap server runs?
>
>
>Kind regards,
>--Toni++

Best Regards,

Jeff Koch, Intersessions 


Re: SA Tag Spam from compromised web mails

Posted by Mikael Syska <mi...@syska.dk>.
Hi,

You use the mailserver -
http://en.wikipedia.org/wiki/Sieve_%28mail_filtering_language%29

And all are happy and can do what they want ... add the tag to the subject
... remove it.

Personal pref can be made ...

mvh

On Tue, Dec 15, 2009 at 6:52 PM, Jeff Koch <je...@intersessions.com> wrote:

>
> Of course an iPhone can see IMAP folders. But what's going to sort mail
> into folders when I'm traveling for a week and the office PC is turned off?
>
>
>
>
> At 12:41 PM 12/15/2009, Benny Pedersen wrote:
>
>> On tir 15 dec 2009 18:22:00 CET, Jeff Koch wrote
>>
>>> How could a two character tag like SA be annoying? You must never
>>> use a blackberry or iPhone to check your email either.
>>>
>>
>> open your eyes and see more, both the smartphones above can
>> handle IMAP just fine, but I just tested it from a Nokia E51, should I
>> prove it?
>>
>> but agree if you use pop3 it's hard to see another folder, no matter
>> what client you use
>>
>> --
>> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>>
>>
> Best Regards,
>
> Jeff Koch, Intersessions
>

Re: SA Tag Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On 15-Dec-2009, at 10:52, Jeff Koch wrote:
> At 12:41 PM 12/15/2009, Benny Pedersen wrote:
>> open your eyes and see more, both the smartphones above can
>> handle IMAP just fine, but I just tested it from a Nokia E51, should I
>> prove it?

> Of course an iPhone can see IMAP folders. But what's going to sort mail into folders when I'm traveling for a week and the office PC is turned off?

Server side IMAP rules? Procmail? Mailsieve?

-- 
Light thinks it travels faster than anything but it's wrong. No matter how fast light travels it finds the darkness has always got there first, and is waiting for it. --Reaper Man


Re: SA Tag Spam from compromised web mails

Posted by Benny Pedersen <me...@junc.org>.
On tir 15 dec 2009 18:52:44 CET, Jeff Koch wrote
> Of course an iPhone can see IMAP folders. But what's going to sort  
> mail into folders when I'm traveling for a week and the office PC is  
> turned off?

never tried a Google email at gmail?

well, sieve is the answer, not the client's problem you have in the GUI
in front of you; sieve rules can be applied from webmail and will do
their work for all your clients

the first version of squirrelmail I used could just filter at login time,
so if I had been away for one single day it could force me to not
have a successful login since there was too much mail to filter at
login time; this problem is gone now with sieve in dovecot, and now I
just use horde webmail, but I am still free to use any GUI if I want
it, if I just remember to NOT edit sieve rules in them

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: SA Tag Spam from compromised web mails

Posted by Toni Mueller <su...@oeko.net>.
On Tue, 15.12.2009 at 12:52:44 -0500, Jeff Koch <je...@intersessions.com> wrote:
> Of course an iPhone can see IMAP folders. But what's going to sort mail  
> into folders when I'm traveling for a week and the office PC is turned 
> off?

The server on which the imap server runs?


Kind regards,
--Toni++


Re: SA Tag Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
Of course an iPhone can see IMAP folders. But what's going to sort mail 
into folders when I'm traveling for a week and the office PC is turned off?



At 12:41 PM 12/15/2009, Benny Pedersen wrote:
>On tir 15 dec 2009 18:22:00 CET, Jeff Koch wrote
>
>>How could a two character tag like SA be annoying? You must never
>>use a blackberry or iPhone to check your email either.
>
>open your eyes and see more, both the smartphones above can
>handle IMAP just fine, but I just tested it from a Nokia E51, should I
>prove it?
>
>but agree if you use pop3 it's hard to see another folder, no matter
>what client you use
>
>--
>xpoint http://www.unicom.com/pw/reply-to-harmful.html
>

Best Regards,

Jeff Koch, Intersessions 


Re: SA Tag Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On 15-Dec-2009, at 10:22, Jeff Koch wrote:
> At 11:12 AM 12/15/2009, RW wrote:

>> I'd find it annoying to look at a list where every single message
>> starts with "[sa-user]".

> How could a two character tag like SA be annoying? You must never use a blackberry or iPhone to check your email either.

" [sa-user] " is 11 characters, not 2. And it's 9 characters at the beginning of the subject, pushing actual DATA off the right side of whatever display you are using.

All this because some people are too lazy/incompetent to sort their mail?

Punish the many for the failings of the few.

No thanks.

-- 
I WILL NOT TRADE PANTS WITH OTHERS
	Bart chalkboard Ep. 7F05


Re: SA Tag Spam from compromised web mails

Posted by Benny Pedersen <me...@junc.org>.
On tir 15 dec 2009 18:22:00 CET, Jeff Koch wrote

> How could a two character tag like SA be annoying? You must never  
> use a blackberry or iPhone to check your email either.

open your eyes and see more, both the smartphones above can
handle IMAP just fine, but I just tested it from a Nokia E51, should I
prove it?

but agree if you use pop3 it's hard to see another folder, no matter
what client you use

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


SA Tag Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
How could a two character tag like SA be annoying? You must never use a 
blackberry or iPhone to check your email either.


At 11:12 AM 12/15/2009, RW wrote:
>On Tue, 15 Dec 2009 09:44:50 -0500
>Jeff Koch <je...@intersessions.com> wrote:
>
> >
> > I have to say that it is extremely annoying that this mailing list
> > does not put a tag identifying itself in the subject line. Every
> > other mailing list of a similar technical nature that I participate
> > in has a tag.
>
>I'm exactly the opposite, hardly any of the lists I subscribe to do
>that, and I find it annoying when it's done. Every list mail comes with
>a List-Id header so you can filter, tag or whatever.
>
>I'd find it annoying to look at a list where every single message
>starts with "[sa-user]".

Best Regards,

Jeff Koch, Intersessions 


Re: Spam from compromised web mails

Posted by Thomas Harold <th...@nybeta.com>.
On 12/15/2009 12:49 PM, LuKreme wrote:
> On 15-Dec-2009, at 09:12, RW wrote:
>> On Tue, 15 Dec 2009 09:44:50 -0500
>>
>> I'm exactly the opposite, hardly any of the lists I subscribe to do
>> that, and I find it annoying when it's done. Every list mail comes with
>> a List-Id header so you can filter, tag or whatever.
>>
>> I'd find it annoying to look at a list where every single message
>> starts with "[sa-user]".
>
> I actually strip that cruft out of subject headers and I HATE lists that waste space in the Subject line for static text.
>
> # $WS is assumed to be set earlier in the rc file to the whitespace characters (space and tab)
> :0 hf
> * ^Subject:.*\[
> * $ ^Subject:$WS*((Re|Fwd):$WS*)*\[[^]]*\]
> | sed 's/\[[^]]*\] //'
>

I don't mind the tags, as long as they're short (under 8 chars).  It 
helps me identify stuff that might've gotten misfiled.  Sometimes I 
screw up the server-side Sieve rules, so everything ends up in my inbox 
for a day or two until I fix them.

I can't say off-hand what the longest and most obnoxious pre-tag that 
I've seen yet is.  If the SA list used something like 
"[spamassassin-users]" as the pre-tag, I'd be annoyed.

(Also, some mail clients only let you sort by subject or sender, and not 
arbitrary mail headers.)

Re: Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On 15-Dec-2009, at 09:12, RW wrote:
> On Tue, 15 Dec 2009 09:44:50 -0500
> Jeff Koch <je...@intersessions.com> wrote:
> 
>> 
>> I have to say that it is extremely annoying that this mailing list
>> does not put a tag identifying itself in the subject line. Every
>> other mailing list of a similar technical nature that I participate
>> in has a tag. 
> 
> I'm exactly the opposite, hardly any of the lists I subscribe to do
> that, and I find it annoying when it's done. Every list mail comes with
> a List-Id header so you can filter, tag or whatever. 
> 
> I'd find it annoying to look at a list where every single message
> starts with "[sa-user]".

I actually strip that cruft out of subject headers and I HATE lists that waste space in the Subject line for static text.

# $WS is assumed to be set earlier in the rc file to the whitespace characters (space and tab)
:0 hf
* ^Subject:.*\[
* $ ^Subject:$WS*((Re|Fwd):$WS*)*\[[^]]*\]
| sed 's/\[[^]]*\] //'


-- 
'I'm not a thief, madam. But if I were, I would be the kind that steals fire from the gods.'
'We've already got fire.'
'There must be an upgrade by now.' --Hogfather


Re: Spam from compromised web mails

Posted by RW <rw...@googlemail.com>.
On Tue, 15 Dec 2009 09:44:50 -0500
Jeff Koch <je...@intersessions.com> wrote:

> 
> I have to say that it is extremely annoying that this mailing list
> does not put a tag identifying itself in the subject line. Every
> other mailing list of a similar technical nature that I participate
> in has a tag. 

I'm exactly the opposite, hardly any of the lists I subscribe to do
that, and I find it annoying when it's done. Every list mail comes with
a List-Id header so you can filter, tag or whatever. 

I'd find it annoying to look at a list where every single message
starts with "[sa-user]".


Re: SA Tag - Spam from compromised web mails

Posted by Mikael Syska <mi...@syska.dk>.
Hi,

On Tue, Dec 15, 2009 at 6:31 PM, Jeff Koch <je...@intersessions.com> wrote:

>
> Why be forced into using one mail client? Hey, it's almost 2010 - people
> use multiple devices to check email - smartphones, PDA's, mail to voice,
> webmail, internet cafes. The days of using only one client are long past.
> You can still use IMAP on a main PC to keep your email sorted - but why not
> also make it easy to follow discussions on other devices?
>
>
> At 12:00 PM 12/15/2009, Toni Mueller wrote:
>
>> Hi,
>>
>> On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory <cg...@hwcn.org>
>> wrote:
>> > On Tue, 15 Dec 2009, Jeff Koch wrote:
>> >> I have to say that it is extremely annoying that this mailing list does
>> >> not put a tag identifying itself in the subject line. Every other
>> >> mailing list of a similar technical nature that I participate in has a
>> >> tag. A tag of two characters would allow users to quickly identify the
>> >> email as coming from the SA mailing list and decide whether the email
>> >> is worth opening.
>> >
>> > +1
>>
>> -100
>>
>> > As you may have noticed, I've got my procmail set to insert one (as seen
>> > above). But this has the unfortunate side-effect of messing with
>> > threading in some threaded mail clients and archives.... :(
>>
>> I don't know the abilities of Alpine, but if you use procmail anyway,
>> why can't you simply sort on the List-Id header?
>>
>> :0
>> * ^List-Id: .users.spamassassin.apache.org
>> $MAILDIR/spamassassin/
>>
>
Or when using Exchange, just make the rules server side ... then they are
also applied to all mail ... no matter how many different clients you are using ...


I really don't see your problem, Jeff ... if it's nice to have ... make
whatever server you are using add them ... it's 2010 as you said. :-)



>
>>
>>
>> Kind regards,
>> --Toni++
>>
>
> Best Regards,
>
> Jeff Koch, Intersessions
>

mvh
Mikael Syska

SA Tag - Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
Why be forced into using one mail client? Hey, it's almost 2010 - people 
use multiple devices to check email - smartphones, PDA's, mail to voice, 
webmail, internet cafes. The days of using only one client are long past. 
You can still use IMAP on a main PC to keep your email sorted - but why not 
also make it easy to follow discussions on other devices?


At 12:00 PM 12/15/2009, Toni Mueller wrote:

>Hi,
>
>On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory <cg...@hwcn.org> 
>wrote:
> > On Tue, 15 Dec 2009, Jeff Koch wrote:
> >> I have to say that it is extremely annoying that this mailing list does
> >> not put a tag identifying itself in the subject line. Every other
> >> mailing list of a similar technical nature that I participate in has a
> >> tag. A tag of two characters would allow users to quickly identify the
> >> email as coming from the SA mailing list and decide whether the email
> >> is worth opening.
> >
> > +1
>
>-100
>
> > As you may have noticed, I've got my procmail set to insert one (as seen
> > above). But this has the unfortunate side-effect of messing with
> > threading in some threaded mail clients and archives.... :(
>
>I don't know the abilities of Alpine, but if you use procmail anyway,
>why can't you simply sort on the List-Id header?
>
>:0
>* ^List-Id: .users.spamassassin.apache.org
>$MAILDIR/spamassassin/
>
>
>
>Kind regards,
>--Toni++

Best Regards,

Jeff Koch, Intersessions 


Re: [sa] Spam from compromised web mails

Posted by Kai Schaetzl <ma...@conactive.com>.
Charles Gregory wrote on Tue, 15 Dec 2009 12:12:41 -0500 (EST):

> I imagine this same thinking applies to any number of people using a 
> 'basic' mail client and not bothering to 'sort' mail into alternate 
> delivery folders which they must then 'remember' to read.....

If you don't sort away high-volume lists like SA to their own folder you 
are lost in a few days ...

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: [sa] Re: Spam from compromised web mails

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 15 Dec 2009, Toni Mueller wrote:
>> As you may have noticed, I've got my procmail set to insert one (as seen
>> above). But this has the unfortunate side-effect of messing with
>> threading in some threaded mail clients and archives.... :(
> I don't know the abilities of Alpine, but if you use procmail anyway,
> why can't you simply sort on the List-Id header?

I don't sort. I use just one inbox. Half the time I just read mail 
straight through in order. But when I'm a bit short on time, that tag 
allows me to quickly skip over list mail and get to the important 
work-related mail.

I imagine this same thinking applies to any number of people using a 
'basic' mail client and not bothering to 'sort' mail into alternate 
delivery folders which they must then 'remember' to read.....

- Charles

Re: Spam from compromised web mails

Posted by Toni Mueller <su...@oeko.net>.
Hi,

On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory <cg...@hwcn.org> wrote:
> On Tue, 15 Dec 2009, Jeff Koch wrote:
>> I have to say that it is extremely annoying that this mailing list does 
>> not put a tag identifying itself in the subject line. Every other  
>> mailing list of a similar technical nature that I participate in has a  
>> tag. A tag of two characters would allow users to quickly identify the  
>> email as coming from the SA mailing list and decide whether the email 
>> is worth opening.
>
> +1

-100

> As you may have noticed, I've got my procmail set to insert one (as seen  
> above). But this has the unfortunate side-effect of messing with 
> threading in some threaded mail clients and archives.... :(

I don't know the abilities of Alpine, but if you use procmail anyway,
why can't you simply sort on the List-Id header?

:0
* ^List-Id: .users.spamassassin.apache.org
$MAILDIR/spamassassin/



Kind regards,
--Toni++
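The two things this part of the thread keeps coming back to, routing list mail on the List-Id header (RW's point and Toni's procmail recipe) and stripping a leading "[tag] " from the Subject (LuKreme's sed one-liner), worked through as an added Python example using the standard library email parser. This is not code from the thread or from SpamAssassin; the List-Id identifier is the one Toni's recipe matches on, while the folder names and the sample messages are constructed for the example.

```python
"""Route mailing-list mail by List-Id and strip a leading "[tag] " from the
Subject. Added example, not code from the thread or from SpamAssassin: the
List-Id value for users@spamassassin.apache.org is the one Toni's recipe
matches on; the folder names and the sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# List-Id identifier (the part inside <...>, RFC 2919) -> delivery folder.
LIST_FOLDERS = {
    "users.spamassassin.apache.org": "spamassassin",  # folder name assumed
}

# Same shape as LuKreme's sed expression: optional Re:/Fw:/Fwd: prefixes are
# kept, then exactly one bracketed tag plus the whitespace after it is removed.
TAG_RE = re.compile(
    r"^(?P<prefix>\s*(?:(?:Re|Fwd?):\s*)*)\[[^\]]*\]\s*", re.IGNORECASE
)


def list_id_of(msg: Message) -> Optional[str]:
    """Return the lower-cased list identifier from List-Id, or None.

    RFC 2919 allows an optional description before the <identifier>, so
    prefer the bracketed part and fall back to the whole header value.
    """
    raw = msg.get("List-Id")
    if raw is None:
        return None
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def list_id_of_raw(raw: str) -> Optional[str]:
    """Convenience wrapper: parse a raw message and return its List-Id."""
    return list_id_of(message_from_string(raw))


def folder_for(msg: Message, default: str = "INBOX") -> str:
    """Pick the folder by List-Id; non-list mail and unknown lists use default."""
    lid = list_id_of(msg)
    return LIST_FOLDERS.get(lid, default) if lid else default


def strip_subject_tag(subject: str) -> str:
    """Drop one leading "[tag] " from a Subject while keeping any Re:/Fwd:."""
    return TAG_RE.sub(r"\g<prefix>", subject, count=1)


def deliver(raw: str) -> Tuple[str, str]:
    """Return (folder, cleaned subject) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    return folder_for(msg), strip_subject_tag(msg.get("Subject", ""))


# Constructed sample: a list post whose Subject carries a procmail-inserted tag.
SAMPLE_LIST_MAIL = """\
From: someone@example.org
To: users@spamassassin.apache.org
Subject: Re: [sa] Spam from compromised web mails
List-Id: <users.spamassassin.apache.org>

(body)
"""

# Constructed sample: ordinary mail with brackets later in the Subject,
# which must be left alone.
SAMPLE_PLAIN_MAIL = """\
From: someone@example.org
To: me@example.org
Subject: Quote for [urgent] server order

(body)
"""

if __name__ == "__main__":
    print(deliver(SAMPLE_LIST_MAIL))   # ('spamassassin', 'Re: Spam from compromised web mails')
    print(deliver(SAMPLE_PLAIN_MAIL))  # ('INBOX', 'Quote for [urgent] server order')
```

Matching on the bracketed identifier rather than on the whole header keeps the rule working if the list software adds a description in front of the identifier, and the tag regex is anchored at the start of the Subject so brackets inside a real subject are never removed.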


Re: Spam from compromised web mails

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 15 Dec 2009, LuKreme wrote:
>> As you may have noticed, I've got my procmail set to insert one (as 
>> seen above). But this has the unfortunate side-effect of messing with 
>> threading in some threaded mail clients and archives.... :(
> I just see "Subject: Re: Re: Spam from…"
> Changing the subject is not polite, btw.

(nod) So I make a point.... 
(up-up-up-up-up-del-del-del-del-del-del-down-down-down-down-down) :)
....of removing my inserted tag, so that subject remains the same
as the original sent from the list. Though I often forget.... :(

- C

Re: Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On 15-Dec-2009, at 09:44, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Jeff Koch wrote:
>> I have to say that it is extremely annoying that this mailing list does not put a tag identifying itself in the subject line. Every other mailing list of a similar technical nature that I participate in has a tag. A tag of two characters would allow users to quickly identify the email as coming from the SA mailing list and decide whether the email is worth opening.
> 
> +1
> 
> As you may have noticed, I've got my procmail set to insert one (as seen above). But this has the unfortunate side-effect of messing with threading in some threaded mail clients and archives.... :(

I just see "Subject: Re: Re: Spam from…"

Changing the subject is not polite, btw.

-- 
Help me, Obi-wan Kenobi. You're my only hope.


Re: [sa] Re: Spam from compromised web mails

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 15 Dec 2009, Jeff Koch wrote:
> I have to say that it is extremely annoying that this mailing list does 
> not put a tag identifying itself in the subject line. Every other 
> mailing list of a similar technical nature that I participate in has a 
> tag. A tag of two characters would allow users to quickly identify the 
> email as coming from the SA mailing list and decide whether the email is 
> worth opening.

+1

As you may have noticed, I've got my procmail set to insert one (as seen 
above). But this has the unfortunate side-effect of messing with threading 
in some threaded mail clients and archives.... :(

But I would much rather the list added the tag itself. :)

- C

Re: Spam from compromised web mails

Posted by Jeff Koch <je...@intersessions.com>.
I have to say that it is extremely annoying that this mailing list does not 
put a tag identifying itself in the subject line. Every other mailing list 
of a similar technical nature that I participate in has a tag. A tag of two 
characters would allow users to quickly identify the email as coming from 
the SA mailing list and decide whether the email is worth opening.


At 08:25 AM 12/15/2009, you wrote:
>On tir 15 dec 2009 08:25:00 CET, Rajkumar S wrote
>
>>I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
>
>http://sa.hege.li/
>
>to me it looks like a gmail user trying to get more users sending
>their login and passwords than whatever it really is?
>
>--
>xpoint http://www.unicom.com/pw/reply-to-harmful.html
>

Best Regards,

Jeff Koch, Intersessions 


Re: Site-wide Bayes

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/15/2009 5:49 PM, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Matt Garretson wrote:
>> Heartily agreed. Site-wide bayes here (single database for 2000+ 
>> users) catches 40% of the spam here.
> 
> But what is the FP rate? Is it safe for an ISP with a widely varied user 
> base to use site-wide Bayes?

from my experience, yes.

the auto-fodder is just as diverse, making Bayes very rugged and 
effective. You just need a good amount of ham traffic...


Re: Site-wide Bayes

Posted by Thomas Harold <th...@nybeta.com>.
On 12/17/2009 10:30 AM, RW wrote:
> On Wed, 16 Dec 2009 09:36:12 -0500
> Michael Scheidell<sc...@secnap.net>  wrote:
>
>> On 12/16/09 9:27 AM, Thomas Harold wrote:
>>> I'm guessing that you'd also want to change the autolearn
>>> thresholds to be stricter?  Like only auto-learning if it scores
>>> below -2 or above +10?
>>>
>>> (That might be an amavisd-new feature.)
>> I still use 0, but have the high score at +15.
>
> The default is 0.1 IIRC, and I wouldn't recommend setting it lower
> without negative-scoring custom rules - it's set positive for good
> reasons.
>
> BAYES and "userconf" whitelisting rules don't count for autolearning, so
> if you set a negative threshold with the default rules, you rely on
> DNS whitelisting to define ham - the likes of HABEAS.
>
> Setting it at exactly 0.0 is also problematical since the decision to
> learn is commonly going to be determined by nominally scored rules that
> score 0.001 and -0.001.

Looking at the wiki...

http://wiki.apache.org/spamassassin/BasicConfiguration

We're not using "userconf" whitelisting, our whitelisting is done by 
amavisd-new mappings (where we score specific domains/addresses with a 
small -2 to -5 score).

The wiki, as it is currently, makes it sound like the +0.1 default for 
ham auto-learn is not conservative enough.  And that the +6.0 default 
for auto-learning spam is too risky.

(We run with -0.5 and +9.5 as our boundaries for auto-learning.)

Re: Site-wide Bayes

Posted by RW <rw...@googlemail.com>.
On Wed, 16 Dec 2009 09:36:12 -0500
Michael Scheidell <sc...@secnap.net> wrote:

> On 12/16/09 9:27 AM, Thomas Harold wrote:
> > I'm guessing that you'd also want to change the autolearn
> > thresholds to be stricter?  Like only auto-learning if it scores
> > below -2 or above +10?
> >
> > (That might be an amavisd-new feature.)
> I still use 0, but have the high score at +15.

The default is 0.1 IIRC, and I wouldn't recommend setting it lower
without negative-scoring custom rules - it's set positive for good
reasons. 

BAYES and "userconf" whitelisting rules don't count for autolearning, so
if you set a negative threshold with the default rules, you rely on
DNS whitelisting to define ham - the likes of HABEAS.

Setting it at exactly 0.0 is also problematical since the decision to
learn is commonly going to be determined by nominally scored rules that
score 0.001 and -0.001.

Re: Site-wide Bayes

Posted by Michael Scheidell <sc...@secnap.net>.
On 12/16/09 9:27 AM, Thomas Harold wrote:
> I'm guessing that you'd also want to change the autolearn thresholds 
> to be stricter?  Like only auto-learning if it scores below -2 or 
> above +10?
>
> (That might be an amavisd-new feature.)
I still use 0, but have the high score at +15.

watch the 'sa-learn --dump magic'

if you can keep the 'spam/ham' ratio close to your site's 'spam vs ham' 
ratio, you should be ok.



-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
   

Re: Site-wide Bayes

Posted by Thomas Harold <th...@nybeta.com>.
On 12/15/2009 11:55 AM, Michael Scheidell wrote:
> On 12/15/09 11:49 AM, Charles Gregory wrote:
>> On Tue, 15 Dec 2009, Matt Garretson wrote:
>>> Heartily agreed. Site-wide bayes here (single database for 2000+
>>> users) catches 40% of the spam here.
>>
>> But what is the FP rate? Is it safe for an ISP with a widely varied
>> user base to use site-wide Bayes?
>>
> I find that you should reduce scores on the high and low end (bayes_00
> and bayes_95) and the 'meta rules' that might combine them also.
>
> (so, yes, an ISP, or for our hosted clients, we have modified the bayes
> scores. . if one client is a plastic surgeon, one is a stock broker, and
> one is a mortgage broker, each will be getting wildly different ham)
>
> setting up a 'per domain' bayes might work, might be tricky, especially
> if an inbound email is going to several domains, and only if you are
> doing B2B (commercial clients)
>

I'm guessing that you'd also want to change the autolearn thresholds to 
be stricter?  Like only auto-learning if it scores below -2 or above +10?

(That might be an amavisd-new feature.)

Re: Site-wide Bayes

Posted by Michael Scheidell <sc...@secnap.net>.
On 12/15/09 11:49 AM, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Matt Garretson wrote:
>> Heartily agreed. Site-wide bayes here (single database for 2000+ 
>> users) catches 40% of the spam here.
>
> But what is the FP rate? Is it safe for an ISP with a widely varied 
> user base to use site-wide Bayes?
>
I find that you should reduce scores on the high and low end (bayes_00 
and bayes_95) and the 'meta rules' that might combine them also.

(so, yes, an ISP, or for our hosted clients, we have modified the bayes 
scores. .  if one client is a plastic surgeon, one is a stock broker, 
and one is a mortgage broker, each will be getting wildly different ham)

setting up a 'per domain' bayes might work, might be tricky, especially 
if an inbound email is going to several domains, and only if you are 
doing B2B (commercial clients)





Re: Site-wide Bayes (was: Spam from compromised web mails)

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 15 Dec 2009, Matt Garretson wrote:
> Heartily agreed. Site-wide bayes here (single database for 2000+ users) 
> catches 40% of the spam here.

But what is the FP rate? Is it safe for an ISP with a widely varied user 
base to use site-wide Bayes?

- Charles

Re: Spam from compromised web mails

Posted by Matt Garretson <ma...@assembly.state.ny.us>.
On 12/15/2009 10:37 AM, Yet Another Ninja wrote:
> even using site wide, autolearning will help your detection a LOT.
> Don't underestimate it...


Heartily agreed. Site-wide bayes here (single 
database for 2000+ users) catches 40% of the spam 
here.  It could certainly catch more, but the first 
55% is caught by clamav/sanesecurity first.  (This 
leaves only the last 5% to get scooped up by SA.)

RE: Spam from compromised web mails

Posted by R-Elists <li...@abbacomm.net>.
 

> 
> When running site wide, how do you get ham to train bayes? I 
> can manage spam by spam reporting and such, but getting ham 
> without breaching the privacy of our users is my problem.
> 
> raj
> 

Raj,

one potential option is to set up bayes autolearn thresholds with proper
scores for your specific installs/setups.

perldoc Mail::SpamAssassin::Conf

http://wiki.apache.org/spamassassin/BasicConfiguration

 - rh


Re: Spam from compromised web mails

Posted by Thomas Harold <th...@nybeta.com>.
On 12/16/2009 9:42 AM, Rajkumar S wrote:
> On Wed, Dec 16, 2009 at 1:07 PM, Yet Another Ninja<sa...@alexb.ch>  wrote:
>> I don't do any "manual" training, ever. SA's butler, "autolearn", does it
>> for me.
>>
>> bayes_auto_learn  1
>
> In this case if a new spam comes and it does not score on any other
> rules, wouldn't this be classified as ham? Also I need bayes to help
> me with borderline cases, like those scoring say 3 - 5 if my
> required_score is 6.5. Most of the new spam that gets past scores in the
> range of 3 - 5 in my system. Auto learn does not help here either.
>
> I am also testing auto learn, just wondering how others are handling
> these issues.

The primary defense against zero-day spam... is, I think, to greylist.

Hopefully, by the time it comes around again to retry, the honeypot 
projects will have blacklisted the IP address or URL in various 
blacklists.  (Or it will be listed in Pyzor, Razor, DCC...)

In general, I don't rely on auto-learn for the marginal stuff, too big a 
chance that it will learn incorrectly.  So I don't train if the message 
falls inside the -2 to +10 score range.  What does fall inside that 
range gets manually sorted into "train as spam/ham" folders.
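The auto-learn thresholds that RW, Michael Scheidell and Thomas Harold discuss in this thread, worked through as an added Python model. This is a stand-alone re-implementation of the behaviour documented for bayes_auto_learn in Mail::SpamAssassin::Conf, not SpamAssassin's own code, and the rule hits and scores in the samples are constructed for the example. It shows the three things the thread relies on: BAYES_* and userconf rules are left out of the auto-learn score, a nonspam threshold at or below 0.0 makes the decision hinge on the nominal 0.001 rules, and spam learning also needs 3 points from header rules and 3 from body rules.

```python
"""Model of SpamAssassin's auto-learn decision, added to show what the
threshold settings discussed in the thread do. Stand-alone re-implementation
of the rules documented for bayes_auto_learn in Mail::SpamAssassin::Conf,
not SpamAssassin's code; the rule hits and scores below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Hit:
    """One matched rule: name, score, and whether it is a header or body rule.
    (Meta and full-message rules are not modelled here.)"""
    name: str
    score: float
    area: str                                   # "header" or "body"
    tflags: FrozenSet[str] = frozenset()


# Defaults documented in Mail::SpamAssassin::Conf (SA 3.x).
NONSPAM_THRESHOLD_DEFAULT = 0.1
SPAM_THRESHOLD_DEFAULT = 12.0
# Rules with these tflags never count towards the auto-learn score: the
# BAYES_* rules carry "learn", whitelist/blacklist rules carry "userconf".
EXCLUDED_TFLAGS = frozenset({"learn", "userconf", "noautolearn"})
# Spam auto-learning also needs this many points from header rules and
# from body rules, so a message cannot be learned on one kind alone.
MIN_AREA_POINTS = 3.0


def counted_hits(hits: Iterable[Hit]) -> List[Hit]:
    """The hits that take part in the auto-learn decision."""
    return [h for h in hits if not (h.tflags & EXCLUDED_TFLAGS)]


def autolearn_score(hits: Iterable[Hit]) -> float:
    """The score the auto-learner sees, which is not the final message score."""
    return round(sum(h.score for h in counted_hits(hits)), 3)


def autolearn_decision(hits: Iterable[Hit],
                       nonspam_threshold: float = NONSPAM_THRESHOLD_DEFAULT,
                       spam_threshold: float = SPAM_THRESHOLD_DEFAULT) -> Optional[str]:
    """Return "ham", "spam", or None when the message is not learned at all."""
    counted = counted_hits(hits)
    score = sum(h.score for h in counted)
    if score < nonspam_threshold:
        return "ham"
    if score > spam_threshold:
        header = sum(h.score for h in counted if h.area == "header")
        body = sum(h.score for h in counted if h.area == "body")
        if header >= MIN_AREA_POINTS and body >= MIN_AREA_POINTS:
            return "spam"
    return None


# Constructed samples (real rule names, scores chosen for the example).
# Clean mail that only hits nominal 0.001 rules: the case RW describes.
CLEAN_NOMINAL = [Hit("SPF_PASS", -0.001, "header"),
                 Hit("HTML_MESSAGE", 0.001, "body")]
# Clean mail vouched for by a DNS whitelist, which does count.
CLEAN_DNSWL = CLEAN_NOMINAL + [Hit("RCVD_IN_DNSWL_MED", -2.3, "header")]
# Clean mail whose only negative points come from Bayes and a whitelist,
# both of which are excluded from the auto-learn score.
CLEAN_BAYES_ONLY = [Hit("BAYES_00", -1.9, "body", frozenset({"learn"})),
                    Hit("USER_IN_WHITELIST", -100.0, "header", frozenset({"userconf"})),
                    Hit("HTML_MESSAGE", 0.001, "body")]
# Spam with points from both header and body rules (BAYES_99 is excluded).
SPAM_MIXED = [Hit("RCVD_IN_PBL", 3.3, "header"), Hit("RCVD_IN_SORBS_DUL", 2.0, "header"),
              Hit("RDNS_NONE", 0.8, "header"), Hit("URIBL_BLACK", 1.7, "body"),
              Hit("URIBL_JP_SURBL", 1.9, "body"), Hit("HTML_IMAGE_ONLY_16", 2.0, "body"),
              Hit("BAYES_99", 3.5, "body", frozenset({"learn"}))]
# High score from header rules only: fails the 3-body-points requirement.
SPAM_HEADER_ONLY = [Hit("RCVD_IN_PBL", 3.3, "header"), Hit("RCVD_IN_SORBS_DUL", 2.0, "header"),
                    Hit("DATE_IN_PAST_96_XX", 3.4, "header"), Hit("RCVD_IN_XBL", 4.0, "header")]

# Threshold pairs from the thread: SA defaults, Michael's 0/+15, Thomas's -0.5/+9.5.
SETTINGS = ((0.1, 12.0), (0.0, 15.0), (-0.5, 9.5))


def decisions(hits: Iterable[Hit]) -> dict:
    """Decision for one message under each of the threshold pairs above."""
    hits = list(hits)
    return {s: autolearn_decision(hits, *s) for s in SETTINGS}


if __name__ == "__main__":
    for name, sample in [("CLEAN_NOMINAL", CLEAN_NOMINAL), ("CLEAN_DNSWL", CLEAN_DNSWL),
                         ("CLEAN_BAYES_ONLY", CLEAN_BAYES_ONLY), ("SPAM_MIXED", SPAM_MIXED),
                         ("SPAM_HEADER_ONLY", SPAM_HEADER_ONLY)]:
        print(name, autolearn_score(sample), decisions(sample))
```

In local.cf the settings modelled here are bayes_auto_learn, bayes_auto_learn_threshold_nonspam and bayes_auto_learn_threshold_spam. Lowering the nonspam threshold below zero, as Thomas does, means ham is only learned when a rule with a real negative score fires, such as a DNS whitelist hit; with the stock rules and no such hit, nothing is learned as ham at all.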

Re: Spam from compromised web mails

Posted by Rajkumar S <ra...@asianetindia.com>.
On Wed, Dec 16, 2009 at 1:07 PM, Yet Another Ninja <sa...@alexb.ch> wrote:
> I don't do any "manual" training, ever. SA's butler, "autolearn", does it
> for me.
>
> bayes_auto_learn  1

In this case if a new spam comes and it does not score on any other
rules, wouldn't this be classified as ham? Also I need bayes to help
me with borderline cases, like those scoring say 3 - 5 if my
required_score is 6.5. Most of the new spam that gets past scores in the
range of 3 - 5 in my system. Auto learn does not help here either.

I am also testing auto learn, just wondering how others are handling
these issues.

raj

Re: Spam from compromised web mails

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/16/2009 8:24 AM, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 9:07 PM, Yet Another Ninja <sa...@alexb.ch> wrote:
>> even using site wide, autolearning will help your detection a LOT.
>> Don't underestimate it...
> 
> When running site wide, how do you get ham to train bayes? I can
> manage spam by spam reporting and such, but getting ham without
> breaching the privacy of our users is my problem.
> 
> raj

I don't do any "manual" training, ever. SA's butler, "autolearn", does 
it for me.

bayes_auto_learn  1

h2h

Axb

Re: Spam from compromised web mails

Posted by Rajkumar S <ra...@asianetindia.com>.
On Tue, Dec 15, 2009 at 9:07 PM, Yet Another Ninja <sa...@alexb.ch> wrote:
> even using site wide, autolearning will help your detection a LOT.
> Don't underestimate it...

When running site wide, how do you get ham to train bayes? I can
manage spam by spam reporting and such, but getting ham without
breaching the privacy of our users is my problem.

raj

Re: Spam from compromised web mails

Posted by Kai Schaetzl <ma...@conactive.com>.
Yet Another Ninja wrote on Tue, 15 Dec 2009 16:37:35 +0100:

> even using site wide, autolearning will help your detection a LOT.

Definitely. Been using site-wide for all my servers for years. No 
problems.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Spam from compromised web mails

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/15/2009 4:07 PM, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 8:29 PM, Matt Garretson
> <ma...@assembly.state.ny.us> wrote:
>> Do you use Bayes?  Bogofilter (another bayesian filter) catches
>> those here.  The one you posted scored 0.94 here and would have
>> been dropped.
> 
> I am not using bayes as of now, SA is site wide and so proper training
> is a problem.

even using site wide, autolearning will help your detection a LOT.
Don't underestimate it...


Re: Spam from compromised web mails

Posted by Rajkumar S <ra...@asianetindia.com>.
On Tue, Dec 15, 2009 at 8:29 PM, Matt Garretson
<ma...@assembly.state.ny.us> wrote:
> Do you use Bayes?  Bogofilter (another bayesian filter) catches
> those here.  The one you posted scored 0.94 here and would have
> been dropped.

I am not using bayes as of now, SA is site wide and so proper training
is a problem.

raj

Re: Spam from compromised web mails

Posted by Matt Garretson <ma...@assembly.state.ny.us>.
On 12/15/2009 9:31 AM, The Doctor wrote:
> On Tue, Dec 15, 2009 at 12:55:00PM +0530, Rajkumar S wrote:
>> Occasionally I receive mail from compromised web mails asking user
>> name and password from my users. The source IPs are usually clean (as
>> they are legitimate mail servers) and do not catch any ip based rules.


Do you use Bayes?  Bogofilter (another bayesian filter) catches 
those here.  The one you posted scored 0.94 here and would have
been dropped.

Re: Spam from compromised web mails

Posted by The Doctor <do...@doctor.nl2k.ab.ca>.
On Tue, Dec 15, 2009 at 12:55:00PM +0530, Rajkumar S wrote:
> Hi,
> 
> Occasionally I receive mail from compromised web mails asking user
> name and password from my users. The source IPs are usually clean (as
> they are legitimate mail servers) and do not catch any ip based rules.
> Usually one or two mail accounts are used to pump mails via web mail
> after authentication.
> 
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
> 
> It is interesting to note that the victim was using  Barracuda anti
> spam appliance which also failed to catch this spam. Any ideas to
> tackle such spam is very much welcome.
> 
> with regards,
> 
> raj


Seeing the same thing here.  We are trying to remove the script source
but it is disguised.  Just a matter of time to pin the source.

-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
Merry Christmas 2009 and Happy New Year 2010

Re: Spam from compromised web mails

Posted by LuKreme <kr...@kreme.com>.
On 15-Dec-2009, at 04:39, Rajkumar S wrote:
> On Tue, Dec 15, 2009 at 3:51 PM, Mike Cardwell
> <sp...@lists.grepular.com> wrote:
>> That particular email was sent from a host in Nigeria connecting to a host
>> in Brazil. The Nigerian host is listed on Barracuda, the SBL and the XBL.
> 
> Is there a way to write a rule to tag mails which are hitting web
> mails via proxy?
> 
> Received: from 189.85.80.211 (proxying for 41.220.75.17)
>        (SquirrelMail authenticated user kyhomes@bigrivertel.net)
>        by webmail.bigrivertel.net with HTTP; Mon,

Sure, just check the Received headers for "proxying".


-- 
Lister: What d'ya think of Betty? Cat: Betty Rubble? Well, I would
	go with Betty... but I'd be thinking of Wilma. Lister: This is
	crazy. Why are we talking about going to bed with Wilma
	Flintstone? Cat: You're right. We're nuts. This is an insane
	conversation. Lister: She'll never leave Fred, and we know it.


Re: Spam from compromised web mails

Posted by Rajkumar S <ra...@asianetindia.com>.
On Tue, Dec 15, 2009 at 3:51 PM, Mike Cardwell
<sp...@lists.grepular.com> wrote:
> That particular email was sent from a host in Nigeria connecting to a host
> in Brazil. The Nigerian host is listed on Barracuda, the SBL and the XBL.

Is there a way to write a rule to tag mails which are hitting web
mails via proxy?

Received: from 189.85.80.211 (proxying for 41.220.75.17)
        (SquirrelMail authenticated user kyhomes@bigrivertel.net)
        by webmail.bigrivertel.net with HTTP; Mon,

While not conclusive, hitting web mails via a proxy and having user
name and password string along with destination domain name in body of
the mail is a good indication of a password phishing mail.

raj
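
A rule set for local.cf that tags the pattern described in this post and in the reply above (an added example, not rules from the thread): a SquirrelMail login relayed through a proxy, combined with body text asking for a username and password and naming the destination domain. The rule names, the scores and the example.com placeholder for your own domain are assumptions; the Received format is the one quoted above.

```text
# Added example for local.cf; not from the thread.  Rule names, scores and
# the example.com domain are assumptions.

# Unfolded, the Received line quoted above looks like:
#   from 189.85.80.211 (proxying for 41.220.75.17)
#     (SquirrelMail authenticated user kyhomes@bigrivertel.net)
#     by webmail.bigrivertel.net with HTTP; ...
# Header rules against "Received" see all Received headers, so this fires
# on the webmail hop wherever it sits in the chain.
header   __RCVD_WEBMAIL_PROXY  Received =~ /\(proxying for \d{1,3}(?:\.\d{1,3}){3}\)\s*\(SquirrelMail authenticated user [^)]+\)\s+by \S+ with HTTP\b/

# Body asks for credentials; plain words only, these phishes rarely
# bother with obfuscation.
body     __ASK_CREDENTIALS     /\b(?:user ?name|password)\b/i

# Body names our own domain, as the phish in this thread does.
# Replace example.com with the domain(s) you host.
body     __MENTIONS_OUR_DOMAIN /\bexample\.com\b/i

# The proxy hop alone is weak evidence (legitimate corporate proxies
# produce the same line), so only the combinations score.
meta     WEBMAIL_PROXY_PHISH   (__RCVD_WEBMAIL_PROXY && __ASK_CREDENTIALS && __MENTIONS_OUR_DOMAIN)
describe WEBMAIL_PROXY_PHISH   Proxied webmail login, body asks for username/password for our domain
score    WEBMAIL_PROXY_PHISH   3.5

# Looser variant without the domain match, scored lower.
meta     WEBMAIL_PROXY_ASKS_CREDS  (__RCVD_WEBMAIL_PROXY && __ASK_CREDENTIALS && !__MENTIONS_OUR_DOMAIN)
describe WEBMAIL_PROXY_ASKS_CREDS  Proxied webmail login, body asks for username/password
score    WEBMAIL_PROXY_ASKS_CREDS  2.0
```

Check the syntax with spamassassin --lint and run spamassassin -t over the pasted sample before settling on the scores. One caveat: the "proxying for" annotation is written by the webmail front end, so this only catches mail that went through a SquirrelMail (or similar) installation that records it; the SMTP hops upstream of the webmail host say nothing about the proxy, and other webmail packages need their own Received pattern.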

Re: Spam from compromised web mails

Posted by Mike Cardwell <sp...@lists.grepular.com>.
On 15/12/2009 07:25, Rajkumar S wrote:

> Occasionally I receive mail from compromised web mails asking user
> name and password from my users. The source IPs are usually clean (as
> they are legitimate mail servers) and do not catch any ip based rules.
> Usually one or two mail accounts are used to pump mails via web mail
> after authentication.
>
> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399
>
> It is interesting to note that the victim was using  Barracuda anti
> spam appliance which also failed to catch this spam. Any ideas to
> tackle such spam is very much welcome.

That particular email was sent from a host in Nigeria connecting to a 
host in Brazil. The Nigerian host is listed on Barracuda, the SBL and 
the XBL. The From header uses a domain name that isn't registered 
(swinepro.net) and a freemail Reply-To. It's also currently hitting Pyzor.

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/

Re: Spam from compromised web mails

Posted by Benny Pedersen <me...@junc.org>.
On tir 15 dec 2009 08:25:00 CET, Rajkumar S wrote

> I have pasted one such (slightly edited) mail at http://pastebin.ca/1715399

http://sa.hege.li/

to me it looks like a gmail user trying to get more users sending
their login and passwords than whatever it really is?

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html