Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2013/06/07 19:20:27 UTC

Single-link spam

Hi all,

I'm also receiving a ton of single-link spam that none of my
single-link spam rules seem to be triggering on sufficiently to block.
They are all routed through yahoo.com and typically have a very small
body. I've created one meta with a small body and a single link from a
freemail domain, but I can't detect anything further in the headers
that may help.  I hoped someone could help me investigate:

http://pastebin.com/DVEGBE3j
http://pastebin.com/Z97tBVE4

After training, they are hitting bayes99. The IP from one example
(98.138.120.233) still isn't listed in SBL or XBL. Shouldn't it be by
now?

I've also created a few local rules based on a specific subject, but
that obviously doesn't scale well. Typically by the time I can
evaluate the FNs, they have hit zen or other RBLs, but they aren't
hitting those RBLs when I'm receiving them, so I really hoped there
was something else in the message that could be used since I seem to
be at the top of the spammers list and receive these before zen.

Thanks for any ideas.
Alex

Re: Single-link spam

Posted by Kris Deugau <kd...@vianet.ca>.
Alex wrote:
> I'm also receiving a ton of single-link spam

> http://pastebin.com/DVEGBE3j
> http://pastebin.com/Z97tBVE4
> 
> After training, they are hitting bayes99. The IP from one example
> (98.138.120.233) still isn't listed in SBL or XBL. Shouldn't it be by
> now?

No, and neither should 72.30.239.77 from the other message.  Both are
legitimate Yahoo! relays that handed these messages to your MX.

Feel free to blacklist Yahoo! if you like...

79.120.163.57 and 223.207.210.39 possibly could be listed on a DNSBL,
since those are the IPs the messages entered Yahoo! from.  But most
DNSBLs aren't intended for the deep header scans that would be needed
for them to hit.

-kgd
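Kris's point is that a DNSBL lookup on the connecting IP only ever sees the Yahoo! relay, and that reaching the address which injected the message into Yahoo! means walking down the Received: chain past relays you trust. The following is an added example, not code from the thread or from SpamAssassin, that does that walk over constructed headers: the two public IPs are the ones Kris names, while the hostnames, queue IDs, dates and the loopback content-filter hop are made up, and the trusted-relay list is assumed to be just the two Yahoo! relay addresses mentioned in this thread (SpamAssassin gets the same effect from trusted_networks / internal_networks).

```python
import ipaddress
import re

# Constructed sample headers (not the pastebin messages). The two public IPs
# are the ones Kris names; hostnames, IDs, dates and the localhost hop are
# placeholders. Newest hop is on top, as in a real message.
SAMPLE_HEADERS = """\
Received: from [127.0.0.1] by localhost (content-filter) with LMTP id 98765
    for <alex@example.invalid>; Fri,  7 Jun 2013 13:20:28 -0400 (EDT)
Received: from mta.yahoo.invalid (mta.yahoo.invalid [98.138.120.233])
    by mx.example.invalid (Postfix) with ESMTPS id 0123456789
    for <alex@example.invalid>; Fri,  7 Jun 2013 13:20:27 -0400 (EDT)
Received: from [79.120.163.57] by webmail.yahoo.invalid via HTTP;
    Fri, 07 Jun 2013 10:20:26 PDT
Message-ID: <1370625626.1234.placeholder@webmail.yahoo.invalid>
Subject: hi
"""

# Assumption: treat only the two relay addresses named in the thread as the
# freemail provider's relays. In production this would be the provider's ranges.
YAHOO_RELAYS = ["98.138.120.233/32", "72.30.239.77/32"]

_BRACKET_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_chain(raw_headers):
    """Public IPv4 addresses from each Received: header, newest hop first.

    Takes the first bracketed IPv4 literal in each header, which is where MTAs
    put the connecting client's address, and skips loopback/private addresses
    left by local content-filter hops. Unbracketed forms are not handled.
    """
    hops = []
    for hdr in unfold_headers(raw_headers):
        if not hdr.lower().startswith("received:"):
            continue
        m = _BRACKET_IPV4.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if ip.is_global:
            hops.append(str(ip))
    return hops


def last_external_hop(raw_headers):
    """The IP that handed the message to our MX: what a plain DNSBL lookup sees."""
    chain = received_chain(raw_headers)
    return chain[0] if chain else None


def first_untrusted_hop(raw_headers, trusted_networks):
    """Walk past relays we trust to the IP that injected the message into them.

    With the freemail relays trusted this yields the address Kris says
    'possibly could be listed' rather than the relay itself.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in received_chain(raw_headers):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in nets):
            return hop
    return None


if __name__ == "__main__":
    print("chain:", received_chain(SAMPLE_HEADERS))
    print("last external hop:", last_external_hop(SAMPLE_HEADERS))
    print("first untrusted hop:", first_untrusted_hop(SAMPLE_HEADERS, YAHOO_RELAYS))
```

The walk is only as good as the trusted set: every Received: line below the first untrusted hop is text the sender's side produced and could have forged, so that first hop, not anything deeper, is the one worth querying, and a relay you do not actually trust must not be in the list.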

Re: Single-link spam

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2013-06-10 01:10:

> Benny had posted a link to some old KAM rules to ascertain the number
> of lines of text in a message. Perhaps they're applicable here and can
> catch these new samples?

Don't know if this URL is blacklisted? http://exnwsfx.com/

And DKIM fails. Do you get this mail forwarded? If so, can DKIM be
tested on the forwarding host before forwarding? I don't really
know if c=nofwd means make DKIM invalid if forwarded.

But in this case this spam is caught with one more URL check; I
will create it later. The Perl code exists in 3.3.2, I don't know if there
are rules that use it yet. Check redirect?

The KAM rule set is also good; it works since nobody believes it could be used
:)

-- 
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get a reply, don't do it

Re: Single-link spam

Posted by Alex <my...@gmail.com>.
Hi,


On Fri, Jun 7, 2013 at 2:18 PM, Martin Gregorie <ma...@gregorie.org> wrote:
> On Fri, 2013-06-07 at 13:20 -0400, Alex wrote:
>> I'm also receiving a ton of single-link spam that none of my
>> single-link spam rules seem to be triggering on sufficiently to block.
>> They are all routed through yahoo.com and typically have a very small
>> body. I've created one meta with a small body and a single link from a
>> freemail domain, but I can't detect anything further in the headers
>> that may help.  I hoped someone could help me investigate:
>>
>> http://pastebin.com/DVEGBE3j
>> http://pastebin.com/Z97tBVE4
>>
> I'm recognising bodies that contain just a URL with metarule,
> MG_BARE_URL, that ANDs this:
>
> rawbody  __MG_BU1    /^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$/
>
> with either this:
>
> body     __MG_BU2    /http:\S{1,70}/i
>
> or a domain that's in a private URIBL. Finally, I'm using another meta
> that fires if the msg-id says that yahoo originated the message.

Perhaps it's moved beyond the scope of this rule, but now it looks
like they've changed it up a bit, by adding an additional line of
text, which has caused the rule to fail:

http://pastebin.com/4BrKVWb8

LOC_YAHOO_BC is a local meta rule I created that basically just checks
that the message passed through yahoo.com and one of a list of five or so
foreign countries, and has a 0.01 score.

Benny had posted a link to some old KAM rules to ascertain the number
of lines of text in a message. Perhaps they're applicable here and can
catch these new samples?

Thanks,
Alex

Re: Single-link spam

Posted by Alex <my...@gmail.com>.
Hi,

>> http://pastebin.com/DVEGBE3j
>> http://pastebin.com/Z97tBVE4
>>
> I'm recognising bodies that contain just a URL with metarule,
> MG_BARE_URL, that ANDs this:
>
> rawbody  __MG_BU1    /^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$/
>
> with either this:
>
> body     __MG_BU2    /http:\S{1,70}/i
>
> or a domain that's in a private URIBL. Finally, I'm using another meta
> that fires if the msg-id says that yahoo originated the message.
>
> That caught both of your examples.

That seems to help, thanks. I've also been using your yahoo msg-id
rule for some time, and have had some success with it. Not sure why it
didn't trigger here with the samples I posted.

Kris, thanks for your help as well. It looks like body checks are all
that's feasible with spam like this.

Thanks,
Alex

Re: Single-link spam

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2013-06-07 at 13:20 -0400, Alex wrote:
> I'm also receiving a ton of single-link spam that none of my
> single-link spam rules seem to be triggering on sufficiently to block.
> They are all routed through yahoo.com and typically have a very small
> body. I've created one meta with a small body and a single link from a
> freemail domain, but I can't detect anything further in the headers
> that may help.  I hoped someone could help me investigate:
> 
> http://pastebin.com/DVEGBE3j
> http://pastebin.com/Z97tBVE4
> 
I'm recognising bodies that contain just a URL with metarule,
MG_BARE_URL, that ANDs this:

rawbody  __MG_BU1    /^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$/

with either this:

body     __MG_BU2    /http:\S{1,70}/i

or a domain that's in a private URIBL. Finally, I'm using another meta
that fires if the msg-id says that yahoo originated the message.

That caught both of your examples.

I'm not convinced MG_BARE_URL is foolproof, but on my message stream,
anyway, it isn't generating false positives, while at the same time it's
general enough to hit messages where the plain text contains a URL
surrounded by whitespace pretty much regardless of anything else.
 

Martin
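Martin's sub-rules are worth running against a few body shapes to see exactly what they do and do not match, since Alex reports the rule failing once the spammer added a line of text. The following is an added example, not code from Martin's post or from SpamAssassin: it emulates __MG_BU1 (applied line by line, as rawbody rules are) and __MG_BU2 (applied to the whole text) with Martin's own regexes, ANDs them the way his meta does (the meta line itself is not shown in the post, so its form here is assumed), and runs them over constructed sample bodies with placeholder URLs. The stricter variant at the end is my addition, not Martin's rule.

```python
import re

# Martin's two sub-rules, copied from his post. SpamAssassin applies "rawbody"
# patterns to each line of the raw body and "body" patterns to the rendered
# text; the emulation keeps that distinction.
RAWBODY_MG_BU1 = re.compile(r"^\s{0,10}(\S{1,80}|http:\S{1,70})\s{0,10}$")
BODY_MG_BU2 = re.compile(r"http:\S{1,70}", re.IGNORECASE)


def rule_mg_bu1(raw_body):
    """__MG_BU1: some raw body line holds exactly one whitespace-delimited token."""
    return any(RAWBODY_MG_BU1.search(line) for line in raw_body.splitlines())


def rule_mg_bu2(body):
    """__MG_BU2: an http: URL appears anywhere in the body."""
    return BODY_MG_BU2.search(body) is not None


def meta_mg_bare_url(body):
    """Assumed form of Martin's meta:  meta MG_BARE_URL (__MG_BU1 && __MG_BU2)"""
    return rule_mg_bu1(body) and rule_mg_bu2(body)


# Constructed sample bodies (not the pastebin messages); URLs are placeholders.
SAMPLES = {
    # the shape Alex describes: a body that is nothing but one link
    "bare_url": "http://example.invalid/go\n",
    # an extra line of text, but the URL still sits alone on its own line
    "url_on_own_line": "hey\nhttp://example.invalid/go\n",
    # the URL shares its line with words, so no line is a single token
    "url_inline": "hey, check out http://example.invalid/go this week\n",
    # ordinary ham: URL inside a sentence, plus one-word sign-off lines
    "ham_with_signoff": "Notes are at http://example.invalid/wiki/notes as usual.\n"
                        "\nThanks,\nAlex\n",
}


def evaluate_samples(samples=SAMPLES):
    """Map each sample name to whether MG_BARE_URL fires on it."""
    return {name: meta_mg_bare_url(body) for name, body in samples.items()}


# My tighter variant (not Martin's rule): the URL itself must be the only token
# on its line, so a one-word sign-off elsewhere in a ham message no longer
# satisfies the single-token half of the test.
RAWBODY_URL_ALONE = re.compile(r"^\s{0,10}https?://\S{1,70}\s{0,10}$", re.IGNORECASE)


def strict_bare_url(raw_body):
    """True only if some raw body line is nothing but one URL."""
    return any(RAWBODY_URL_ALONE.search(line) for line in raw_body.splitlines())


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} MG_BARE_URL={hit!s:5s} strict={strict_bare_url(SAMPLES[name])}")
```

Running it shows why the rule is general but not foolproof: __MG_BU1 is satisfied by any one-token line, not specifically by the URL line, so "Thanks," or a bare name in a signature plus a URL anywhere in the text is enough to fire, while a URL that shares its line with even one other word does not fire at all. The strict variant trades the first problem for the second; which trade is right depends on the traffic, which is what Martin's remark about his own message stream is getting at.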




Re: Single-link spam

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2013-06-07 19:20:

> I'm also receiving a ton of single-link spam that none of my
> single-link spam rules seem to be triggering on sufficiently to block.

http://www.mentby.com/Group/spamassassin-users/rules-based-on-number-of-lines.html

-- 
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get a reply, don't do it