Posted to users@spamassassin.apache.org by Igor Chudov <ig...@chudov.com> on 2012/10/17 19:24:29 UTC

I thought this message was rather spammy

I receive a variety of spams with the From: field containing a
business solicitation in the name tag. They seem to have quite a bit
in common and I wonder why my SA does not catch them.

Here's the spam message: http://igor.chudov.com/tmp/spam013.txt

Here are my results of running spamassassin:

http://igor.chudov.com/tmp/spam013.trace.txt

Any idea what I am missing?

i

Re: I thought this message was rather spammy

Posted by John Hardin <jh...@impsec.org>.
On Wed, 17 Oct 2012, Alexandre Boyer wrote:

> Right, but you have the content on the other link:
>
> http://igor.chudov.com/tmp/spam013.trace.txt

Ah, didn't look at that.

Something is screwy here. I would think that would hit the low-contrast 
text HTML rules...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The United States has become a place where entertainers and
   professional athletes are mistaken for people of importance.
                                         -- Maureen Johnson Smith Long
-----------------------------------------------------------------------
  139 days since the first successful private support mission to ISS (SpaceX)

Re: I thought this message was rather spammy

Posted by Igor Chudov <ig...@chudov.com>.
Here's my version 

==>spamassassin -V 
SpamAssassin version 3.3.1
  running on Perl version 5.10.1

On Wed, Oct 17, 2012 at 01:51:44PM -0400, Alexandre Boyer wrote:
> Right, but you have the content on the other link:
> 
> http://igor.chudov.com/tmp/spam013.trace.txt
> 
> 
> It scores 5.7 and should be blocked.
> 
> Igor, what's the threshold of your SA installation?
> 
> Alex, from prypiat.
> Yes, I recycle.
> 
> 
> On 12-10-17 01:44 PM, John Hardin wrote:
> > On Wed, 17 Oct 2012, Igor Chudov wrote:
> >
> >> Here's the spam message: http://igor.chudov.com/tmp/spam013.txt
> >
> > No permissions to view that.
> >

Re: I thought this message was rather spammy

Posted by John Hardin <jh...@impsec.org>.
On Wed, 17 Oct 2012, Ned Slider wrote:

> On 17/10/12 18:51, Alexandre Boyer wrote:
>>  Right, but you have the content on the other link:
>>
>>  http://igor.chudov.com/tmp/spam013.trace.txt
>> 
>>
>>  It scores 5.7 and should be blocked.
>> 
>
> The message scored 2.3 when it was originally received.
>
> It only scored 5.7 when it was later reevaluated by SA at which point a URI 
> is now hitting 2 URIBLs and thus increasing the score.

It hit those two BLs in that test.

> Greylisting can often help here as even though it won't block the message it 
> can delay the message long enough for offending IPs or URIs to get added to 
> blacklists.

Agreed.


Re: I thought this message was rather spammy

Posted by Alexandre Boyer <bi...@gmail.com>.
On 12-10-17 02:32 PM, Ned Slider wrote:
> On 17/10/12 18:51, Alexandre Boyer wrote:
>> Right, but you have the content on the other link:
>>
>> http://igor.chudov.com/tmp/spam013.trace.txt
>>
>>
>> It scores 5.7 and should be blocked.
>>
>
> The message scored 2.3 when it was originally received.
>
> It only scored 5.7 when it was later reevaluated by SA at which point
> a URI is now hitting 2 URIBLs and thus increasing the score. These
> URIs have obviously just been added to the blacklists since this spam
> run started.
>
> Greylisting can often help here as even though it won't block the
> message it can delay the message long enough for offending IPs or URIs
> to get added to blacklists.
>

Totally agree with this analysis. :-)

Greylisting is still a powerful anti-spam tool and easy to set up.

Alex, from prypiat.
Yes, I recycle.



Re: I thought this message was rather spammy

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 17/10/12 18:51, Alexandre Boyer wrote:
> Right, but you have the content on the other link:
>
> http://igor.chudov.com/tmp/spam013.trace.txt
>
>
> It scores 5.7 and should be blocked.
>

The message scored 2.3 when it was originally received.

It only scored 5.7 when it was later reevaluated by SA at which point a 
URI is now hitting 2 URIBLs and thus increasing the score. These URIs 
have obviously just been added to the blacklists since this spam run 
started.

Greylisting can often help here as even though it won't block the 
message it can delay the message long enough for offending IPs or URIs 
to get added to blacklists.
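
The timing effect described in the message above, as an added example that is not part of the original thread: a minimal greylist defers the first delivery attempts, so the content scan runs only after the URIBL listings have appeared. Only the 2.3 and 5.7 totals come from the thread; the threshold, per-rule points, listing times, blocklist names, addresses and retry schedule are constructed assumptions.

```python
# Added illustration; all names, times and per-rule scores below are constructed.
from dataclasses import dataclass, field

REQUIRED_SCORE = 5.0      # SpamAssassin's default required_score (assumed for this site)
BASE_SCORE = 2.3          # content-only score reported in the thread
URIBL_POINTS = 1.7        # constructed: 2 URIBL hits x 1.7 = the 3.4 gap to 5.7
GREYLIST_DELAY = 300      # seconds a new triplet must wait (constructed value)

# Constructed listing times (seconds after the spam run starts) for the URI
# on two hypothetical URIBLs.
URIBL_LISTED_AT = {"uribl-a.example": 120, "uribl-b.example": 240}


def score(now):
    """Content score plus points for each URIBL that lists the URI by `now`."""
    hits = [bl for bl, t in URIBL_LISTED_AT.items() if now >= t]
    return round(BASE_SCORE + URIBL_POINTS * len(hits), 1), hits


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, sender, rcpt, now):
        """Return 'defer' (SMTP 4xx) until the triplet is older than `delay`."""
        key = (client_ip, sender, rcpt)
        seen = self.first_seen.setdefault(key, now)
        return "accept" if now - seen >= self.delay else "defer"


def deliver(attempt_times, greylist=None):
    """Walk the sender's retry schedule; scan the message on first acceptance."""
    triplet = ("192.0.2.10", "sender@example.net", "user@example.org")
    for now in attempt_times:
        if greylist and greylist.check(*triplet, now) == "defer":
            continue
        total, hits = score(now)
        return {"time": now, "score": total, "hits": hits,
                "spam": total >= REQUIRED_SCORE}
    return None  # sender never retried after the deferral


RETRIES = [0, 60, 360]   # constructed retry schedule of the sending host
```

Calling `deliver(RETRIES)` scans at time 0 and passes the message at 2.3; `deliver(RETRIES, Greylist())` scans at the third attempt, after both listings, and flags it at 5.7.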


Re: I thought this message was rather spammy

Posted by Alexandre Boyer <bi...@gmail.com>.
Right, but you have the content on the other link:

http://igor.chudov.com/tmp/spam013.trace.txt


It scores 5.7 and should be blocked.

Igor, what's the threshold of your SA installation?

Alex, from prypiat.
Yes, I recycle.


On 12-10-17 01:44 PM, John Hardin wrote:
> On Wed, 17 Oct 2012, Igor Chudov wrote:
>
>> Here's the spam message: http://igor.chudov.com/tmp/spam013.txt
>
> No permissions to view that.
>

Re: I thought this message was rather spammy

Posted by John Hardin <jh...@impsec.org>.
On Wed, 17 Oct 2012, Igor Chudov wrote:

> Here's the spam message: http://igor.chudov.com/tmp/spam013.txt

No permissions to view that.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  139 days since the first successful private support mission to ISS (SpaceX)

Re: I thought this message was rather spammy

Posted by Igor Chudov <ig...@chudov.com>.
Sorry, I fixed it. 

On Wed, Oct 17, 2012 at 06:39:21PM +0100, John ffitch wrote:
> cannot read...
> 
> Forbidden
> 
> You don't have permission to access /tmp/spam013.txt on this server.
> Apache/2.2.14 (Ubuntu) Server at igor.chudov.com Port 80
> 
> 
> On Wed, 17 Oct 2012, Igor Chudov wrote:
> 
> >I receive a variety of spams with the From: field containing a
> >business solicitation in the name tag. They seem to have quite a bit
> >in common and I wonder why my SA does not catch them.
> >
> >Here's the spam message: http://igor.chudov.com/tmp/spam013.txt
> >
> >Here are my results of running spamassassin:
> >
> >http://igor.chudov.com/tmp/spam013.trace.txt
> >
> >Any idea what I am missing?
> >
> >i
> >