Posted to users@spamassassin.apache.org by Jenny Lee <bo...@live.com> on 2011/10/15 21:55:06 UTC

Why doesn't anything at all get these botnet spammers?

Hello Everyone,
 
Is there any way to get these people? 
 
Instead of doing greylisting, I started doing SA+Greylisting 3 months ago. Since then, this guy always gets through until I modify our custom ruleset to block his URLs.
 
Currently I have: 
uri OUR_CUSTOM_URI /\.(tumblr\.com|de\.tl|fileave\.com|ripway\.com)\//
 
Bayes is on, and it gets trained with his emails. Bayes is 100% accurate for us with no false-positives. 
 
This is requiring constant maintenance. There surely must be a solution.
 
Thank you.
 
Jenny
 

Return-Path: <sa...@lbstudio.eu>
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_50,
    MSGID_FROM_MTA_HEADER,OUR_CUSTOM_URI autolearn=no version=3.3.1
X-Spam-Report: 
    *  5.0 OUR_CUSTOM_URI URI: Botnet spammers
    *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    *      [score: 0.5769]
    *  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
    *  0.2 AWL AWL: From: address is in the auto white-list
X-Spam-Checker-Version: SPAMASSASSIN 3.3.1 (20/09/2011)
Received: from netup.it (netup.consultingweb.it [195.128.235.186])
    by our_domain.comt (version_here) with ESMTP id p8QGoDc9030358
    for <so...@ourdomain.com>; Mon, 26 Sep 2011 20:50:15 +0400
Message-Id: <20...@ourdomain.com>
Received: from uvecfhputwix ([93.176.234.155]) by netup.it with MailEnable ESMTP; Sun, 25 Sep 2011 21:07:46 +0200
Date: Sun, 25 Sep 2011 22:02:06 +0200
From: sabrina@lbstudio.eu
User-Agent: Thunderbird 2.0.0.27 (Windows/20090808)
MIME-Version: 1.0
To: blessedpinkangel@aol.com
Subject: [SPAM] T !r (a -n*n =l&e ` S !e .x|
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Delayed for 00:00:00 by milter-greylist-4.3.9 (ourdomain.com [1.1.1.1]); Mon, 26 Sep 2011 20:50:16 +0400 (MUT)
X-CENSOR-Robot: SPAM BUSTER v4.0 (08/08/2011) Active Mode
X-Spam-Prev-Subject: T !r (a -n*n =l&e ` S !e .x|
X-CENSOR-Class: SPAM
 
fwoicka odrp jbguybf etvwmbwm
i aluawj ggn. http://darrentanch1.tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.
 
 
or a more recent one:
 
Subject: Se^x M-o ^v ~l e -

zp, qtw iqgcjlmkyk bnwbspnoix
dzgujz f v tdovsp. http://hnungarid.fileave.com/index.html czqrrgdmud ymlfkdv wh jhuaemf dus iv wztppda nqq vwoq nppfb.


RE: Why doesn't anything at all get these botnet spammers?

Posted by Jenny Lee <bo...@live.com>.

> Date: Mon, 17 Oct 2011 19:10:28 -0400
> From: darxus@chaosreigns.com
> To: users@spamassassin.apache.org
> Subject: Re: Why doesn't anything at all get these botnet spammers?
> 
> On 10/15, Jenny Lee wrote:
> > fwoicka odrp jbguybf etvwmbwm
> > i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl ipcvlhboht
> > ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.
> 
> Is anybody else having a problem with this kind of spam? I definitely find
> it interesting. It doesn't sound likely to be very profitable.
 
We do have many domains and he hits most of them. I am positive many people get this.
 
It is profitable, because either:
 
a. He gets money from those porn sites per signup
b. He is those porn sites
 
As with everything else, the head of the snake must be severed (as in pharma or akai spam).  I am sure a few knowledgeable people can cut his main income so he would not be doing this. It is similar porn sites all the time.

 
> On 10/17, Jenny Lee wrote:
> > What baffles me is why it takes so long for RBLs to catch up on the
> > URL.
> 
> Are you reporting them?
 
Unfortunately, as I mentioned earlier, we are not in a position to constantly do maintenance in our mails.
 

> On 10/17, Jenny Lee wrote:
> > Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all*
> > of it with greylisting for 3-4 years. No need for bothering with MXes.
> 
> So why don't you go back to greylisting without spamassassin? Nobody
> profits from you using SA, use whatever works for you.
 
We probably will do that since SA is taking too much of our time.

 
> Or if your bayes is so accurate, just increase the scores for those rules?
> 
> score BAYES_00 -5
> score BAYES_05 -4
> score BAYES_20 -3
> score BAYES_40 -2
> score BAYES_50 5
> score BAYES_60 6
> score BAYES_80 7
> score BAYES_95 8
> score BAYES_99 9
> 
> (To be clear, I don't recommend this for most people, only if you have
> bayes results as accurate as Jenny.)
 
I do have the top one high. I have not seen BAYES_80 or BAYES_95 before, so it is not necessary to set it. It is always BAYES_99. I have seen BAYES_60 though, but I am not keeping that high just in case. Our legit mail is not being mistakenly caught, so I have not bothered with lower scores either.
 

> With such accurate bayes results, that should override most other results.
> And if you're just using bayes, might as well not use spamassassin and go
> with a dedicated bayesian filter like spamprobe.
 
Thank you for this information. I will check it out. Without bayes, SA does not work at all for us.

 
> > We get about 10-20 legit emails (everyone uses internal IM) with
> > 40000-50000 SPAM a day. Most of which is same-sender/same-recipient
> > rejected at transaction stage. Spamd processes about 10K a day.
> 
> Blocking more than 99% of spam, without blocking a problematic amount of
> non-spam, is hard.
 
Bayes seems to be working very well in this aspect. Our issue is not with FPs. We are not having any issues with our legit mail. It is only this guy's spam that is passing through (which is taken care of by custom rules, but requires constant maintenance). We have some very old domains and these domains are used in commonly-typed email addresses (like dontspam@me.com (me.com is not ours, just an example, I am not disclosing our domains here)).

> > When we were implementing only greylisting, no spam except ebolamonkey 419
> > spam passed through. That was easy to discard with simple procmail
> > filters. However, our client's RHEL5 sendmail did not play well with
> > greylisting, so we decided to do sa+grey.
> 
> Postfix + postgrey worked great for me, when I last felt a need to use
> greylisting. 
 
We use sendmail + milter-greylist.
 
Thank you for all the help on this list. I learnt quite a few things during these conversations.
 
Jenny

Re: Why doesn't anything at all get these botnet spammers?

Posted by da...@chaosreigns.com.
On 10/15, Jenny Lee wrote:
> fwoicka odrp jbguybf etvwmbwm
> i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl ipcvlhboht
> ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.

Is anybody else having a problem with this kind of spam?  I definitely find
it interesting.  It doesn't sound likely to be very profitable.


On 10/17, Jenny Lee wrote:
>    What baffles me is why it takes so long for RBLs to catch up on the
>    URL.

Are you reporting them?


On 10/17, Jenny Lee wrote:
>    Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all*
>    of it with greylisting for 3-4 years. No need for bothering with MXes.

So why don't you go back to greylisting without spamassassin?  Nobody
profits from you using SA, use whatever works for you.

>    The problem started after I implemented spamassassin a couple of months ago.
>    Even though I have near ~100% accuracy with bayes (over 1 million SPAM,
>    zero FP), this guy always gets through.

Or if your bayes is so accurate, just increase the scores for those rules?

score BAYES_00  -5
score BAYES_05  -4
score BAYES_20  -3
score BAYES_40  -2
score BAYES_50  5
score BAYES_60  6
score BAYES_80  7
score BAYES_95  8
score BAYES_99  9

(To be clear, I don't recommend this for most people, only if you have
bayes results as accurate as Jenny.)

With such accurate bayes results, that should override most other results.
And if you're just using bayes, might as well not use spamassassin and go
with a dedicated bayesian filter like spamprobe.

Bayesian filters generally ignore words they haven't seen before, like the
garbage non-words you're seeing.  They could be modified to penalize
non-words.  You would need a thoroughly trained filter keeping around
records of almost all real words though.

>    We get about 10-20 legit emails (everyone uses internal IM) with
>    40000-50000 SPAM a day. Most of which is same-sender/same-recipient
>    rejected at transaction stage. Spamd processes about 10K a day.

Blocking more than 99% of spam, without blocking a problematic amount of
non-spam, is hard.

>    When we were implementing only greylisting, no spam except ebolamonkey 419
>    spam passed through. That was easy to discard with simple procmail
>    filters. However, our client's RHEL5 sendmail did not play well with
>    greylisting, so we decided to do sa+grey.

Postfix + postgrey worked great for me, when I last felt a need to use
greylisting.  

-- 
"Democracy is the theory that the common people know what they want,
and deserve to get it good and hard." - H. L. Mencken
http://www.ChaosReigns.com

RE: Why doesn't anything at all get these botnet spammers?

Posted by Jenny Lee <bo...@live.com>.

> One way you can get rid of about 1/4 of your botnet spam is to set your 
> highest numbered MX record as follows:
> 
> tarbaby.junkemailfilter.com
 
Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all* of it with greylisting for 3-4 years. No need for bothering with MXes.
 
The problem started after I implemented spamassassin a couple of months ago. Even though I have near ~100% accuracy with bayes (over 1 million SPAM, zero FP), this guy always gets through.
 
We get about 10-20 legit emails (everyone uses internal IM) with 40000-50000 SPAM a day. Most of which is same-sender/same-recipient rejected at transaction stage. Spamd processes about 10K a day.
 
When we were implementing only greylisting, no spam except ebolamonkey 419 spam passed through. That was easy to discard with simple procmail filters. However, our client's RHEL5 sendmail did not play well with greylisting, so we decided to do sa+grey. 
 
Working very well, but needing constant attention because of this one pos.
 
Jenny
 

Re: Why doesn't anything at all get these botnet spammers?

Posted by Marc Perkel <su...@junkemailfilter.com>.
One way you can get rid of about 1/4 of your botnet spam is to set your 
highest numbered MX record as follows:

tarbaby.junkemailfilter.com

It always returns a 4xx error but it does two things. Botnets often try 
the highest MX first - and they don't retry. So 1/4 or so of your botnet 
spam never comes to you. AND - I get to harvest some of the spambot data 
to improve the HOSTKARMA blacklist.

On 10/15/2011 12:55 PM, Jenny Lee wrote:
> Hello Everyone,
>
> Is there any way to get these people?
>
> Instead of doing greylisting, I started doing SA+Greylisting 3 months ago. Since then, this guy always gets through until I modify our custom ruleset to block his URLs.
>
> Currently I have:
> uri OUR_CUSTOM_URI /\.(tumblr\.com|de\.tl|fileave\.com|ripway\.com)\//
>
> Bayes is on, and it gets trained with his emails. Bayes is 100% accurate for us with no false-positives.
>
> This is requiring constant maintenance. There surely must be a solution.
>
> Thank you.
>
> Jenny
>
>
> Return-Path:<sa...@lbstudio.eu>
> X-Spam-Flag: YES
> X-Spam-Level: ******
> X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_50,
>      MSGID_FROM_MTA_HEADER,OUR_CUSTOM_URI autolearn=no version=3.3.1
> X-Spam-Report:
>      *  5.0 OUR_CUSTOM_URI URI: Botnet spammers
>      *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>      *      [score: 0.5769]
>      *  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
>      *  0.2 AWL AWL: From: address is in the auto white-list
> X-Spam-Checker-Version: SPAMASSASSIN 3.3.1 (20/09/2011)
> Received: from netup.it (netup.consultingweb.it [195.128.235.186])
>      by our_domain.comt (version_here) with ESMTP id p8QGoDc9030358
>      for<so...@ourdomain.com>; Mon, 26 Sep 2011 20:50:15 +0400
> Message-Id:<20...@ourdomain.com>
> Received: from uvecfhputwix ([93.176.234.155]) by netup.it with MailEnable ESMTP; Sun, 25 Sep 2011 21:07:46 +0200
> Date: Sun, 25 Sep 2011 22:02:06 +0200
> From: sabrina@lbstudio.eu
> User-Agent: Thunderbird 2.0.0.27 (Windows/20090808)
> MIME-Version: 1.0
> To: blessedpinkangel@aol.com
> Subject: [SPAM] T !r (a -n*n =l&e ` S !e .x|
> Content-Type: text/plain; charset=UTF-8; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Greylist: Delayed for 00:00:00 by milter-greylist-4.3.9 (ourdomain.com [1.1.1.1]); Mon, 26 Sep 2011 20:50:16 +0400 (MUT)
> X-CENSOR-Robot: SPAM BUSTER v4.0 (08/08/2011) Active Mode
> X-Spam-Prev-Subject: T !r (a -n*n =l&e ` S !e .x|
> X-CENSOR-Class: SPAM
>
> fwoicka odrp jbguybf etvwmbwm
> i aluawj ggn. http://darrentanch1.tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.
>
>
> or a more recent one:
>
> Subject: Se^x M-o ^v ~l e -
>
> zp, qtw iqgcjlmkyk bnwbspnoix
> dzgujz f v tdovsp. http://hnungarid.fileave.com/index.html czqrrgdmud ymlfkdv wh jhuaemf dus iv wztppda nqq vwoq nppfb.
>
>

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: Why doesn't anything at all get these botnet spammers?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-10-16 at 21:53 -0300, Christian Grunfeld wrote:
> easier than that !
> you dont need to check any ratio at all ... as legitimate mails dont
> have non-word characters between characters !
       ^^^^^^^^
> Non spamer people don´t write subjects like that !
                    ^^^^^
> Spamers had to do that in order to avoid sex, porn, xxx, viagra
> directly in subject (which is more or less easily detected)...but when
                                                    ^^^^^^^^^^^^^^^
> they put things in between you can be 99.999% confident it is spam !
                                        ^^^^^^^

Yup, there never ever are non-word chars between word chars in human
generated legit mail...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Why doesn't anything at all get these botnet spammers?

Posted by Christian Grunfeld <ch...@gmail.com>.
easier than that !
you don't need to check any ratio at all ... as legitimate mails don't
have non-word characters between characters !
Non-spammer people don't write subjects like that !
Spammers had to do that in order to avoid sex, porn, xxx, viagra
directly in subject (which is more or less easily detected)...but when
they put things in between you can be 99.999% confident it is spam !



2011/10/16  <da...@chaosreigns.com>:
> On 10/15, John Hardin wrote:
>> >Subject: T !r (a -n*n =l&e ` S !e .x|
>> >Subject: Se^x M-o ^v ~l e -
>>
>> More chickenpoxed subjects.
>
> Might be fun to create a plugin to check the ratio of word characters to
> non-word characters, possibly roughly based on html_title_subject_ratio()
> in Mail::SpamAssassin::Plugin::HTMLEval.
>
> We could then run it through RuleQA with a few ratio thresholds to find
> the optimal hit rate (highest RuleQA rank).
>
> --
> "Hermes will help you get your wagon unstuck, but only if you push on it."
> - Greek Alphabet Oracle
> http://www.ChaosReigns.com
>

Re: Why doesn't anything at all get these botnet spammers?

Posted by da...@chaosreigns.com.
On 10/15, John Hardin wrote:
> >Subject: T !r (a -n*n =l&e ` S !e .x|
> >Subject: Se^x M-o ^v ~l e -
> 
> More chickenpoxed subjects.

Might be fun to create a plugin to check the ratio of word characters to
non-word characters, possibly roughly based on html_title_subject_ratio()
in Mail::SpamAssassin::Plugin::HTMLEval.

We could then run it through RuleQA with a few ratio thresholds to find
the optimal hit rate (highest RuleQA rank).

-- 
"Hermes will help you get your wagon unstuck, but only if you push on it."
- Greek Alphabet Oracle
http://www.ChaosReigns.com

Re: Why doesn't anything at all get these botnet spammers?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 17 Oct 2011, David B Funk wrote:

> However you need to be careful how you craft/use this kind of rule.
> I regularly get legit messages with subjects like:
>
>  New ProTrav - Req Trav, Fac/Stf
>  Re: [Imap-protocol] FETCH (rfc822) response
>  SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers Infected With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes Bill Requiring Warrant for Searching Mobile Phones
>  Cron <ro...@s-lib011> /exlibris/backup/scripts/exec_backup_main s2
>  FINAL DAYS: *Free to Choose* - Save 50% - All
>  [InCommon] IAM Online Weds., Oct. 12 - IAM Governance
>
> Those kinds of rules may be good for making meta rules to
> combine with other indications but be careful using them
> by themselves.

Indeed:

SPAM%    HAM%     S/O    RANK   SCORE   NAME
6.5107   18.6870  0.258  0.45   (n/a)   __SUBJ_OBFU_PUNCT
1.0281   3.5456   0.225  0.41   0.01    T_SUBJ_OBFU_PUNCT_FEW
0.0031   0.9589   0.003  0.22   0.01    T_SUBJ_OBFU_PUNCT_MANY

Time to work on the FPs... :)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  312 days since the first successful private orbital launch (SpaceX)
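Taking the word-character-to-punctuation ratio idea from darxus's post above together with the RuleQA columns in John Hardin's table, here is an added example (not code from either of them, and not the SUBJ_OBFU_PUNCT rule in John's sandbox) that scores a subject by the share of punctuation among its non-whitespace characters and then reports SPAM%, HAM% and S/O for a few thresholds, the way RuleQA would. The corpus is constructed from the subjects quoted in this thread, with David Funk's list taken as ham; the ham/spam labels and the threshold values are assumptions made for the demo.

```python
import re

# Constructed sample corpus for this example. The spam subjects are the ones
# quoted in this thread; the ham subjects are the ones David Funk listed as
# legitimate. The ham/spam labels are an assumption made for the demo.
SPAM_SUBJECTS = [
    "T !r (a -n*n =l&e ` S !e .x|",
    "Se^x M-o ^v ~l e -",
    "pznvm",
]
HAM_SUBJECTS = [
    "New ProTrav - Req Trav, Fac/Stf",
    "Re: [Imap-protocol] FETCH (rfc822) response",
    "SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers "
    "Infected With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes "
    "Bill Requiring Warrant for Searching Mobile Phones",
    "Cron <ro...@s-lib011> /exlibris/backup/scripts/exec_backup_main s2",
    "FINAL DAYS: *Free to Choose* - Save 50% - All",
    "[InCommon] IAM Online Weds., Oct. 12 - IAM Governance",
]

WORD_CHAR = re.compile(r"\w")
PUNCT_CHAR = re.compile(r"[^\w\s]")  # non-word, non-whitespace


def punct_ratio(subject):
    """Share of non-whitespace characters in the subject that are punctuation.

    A 'chickenpoxed' subject like "Se^x M-o ^v ~l e -" scores high because
    nearly every letter is separated by a symbol; normal subjects stay low
    even when they carry brackets, colons and slashes.
    """
    words = len(WORD_CHAR.findall(subject))
    punct = len(PUNCT_CHAR.findall(subject))
    total = words + punct
    return punct / total if total else 0.0


def s_o(spam_pct, ham_pct):
    """The RuleQA S/O column: fraction of the rule's hits that land on spam.

    1.0 means the rule hit only spam, 0.5 means it is no better than a coin
    toss, below 0.5 it hits ham more often than spam.
    """
    total = spam_pct + ham_pct
    return spam_pct / total if total else 0.0


def evaluate(threshold, spam=SPAM_SUBJECTS, ham=HAM_SUBJECTS):
    """RuleQA-style summary (SPAM%, HAM%, S/O) for the candidate rule
    'punct_ratio(subject) >= threshold' over the two corpora."""
    spam_hits = sum(1 for s in spam if punct_ratio(s) >= threshold)
    ham_hits = sum(1 for h in ham if punct_ratio(h) >= threshold)
    spam_pct = 100.0 * spam_hits / len(spam)
    ham_pct = 100.0 * ham_hits / len(ham)
    return spam_pct, ham_pct, s_o(spam_pct, ham_pct)


if __name__ == "__main__":
    print("SPAM%     HAM%      S/O     RULE")
    for t in (0.10, 0.15, 0.20, 0.30):
        sp, hp, so = evaluate(t)
        print(f"{sp:7.4f}  {hp:7.4f}  {so:.3f}   punct_ratio >= {t:.2f}")
```

Run it and the ham subjects from David Funk's post all stay below 0.18 while the two chickenpoxed subjects sit at 0.50 and 0.38; "pznvm" carries no punctuation at all, which is Jenny's point that a subject test alone does nothing against the URL-only variant. The s_o() function reproduces the S/O values in the table from its SPAM% and HAM% columns (6.5107 and 18.6870 give 0.258), so that column is simply the fraction of the rule's hits that are spam. On a corpus this small the percentages mean nothing, which is exactly why the real rule goes through masscheck before it gets a score.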

Re: Why doesn't anything at all get these botnet spammers?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 17 Oct 2011, Christian Grunfeld wrote:

> Yeah, you catch my point !
>
> I think it's easier to find a non-alphanum character than trying to
> decode/de-obfuscate/guess the subject hidden word !
>
> Why do we have to waste resources in trying to guess "Sex Movie" out
> of  "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
> can directly trigger a rule !
>

However, you need to be careful how you craft/use this kind of rule.
I regularly get legit messages with subjects like:

  New ProTrav - Req Trav, Fac/Stf
  Re: [Imap-protocol] FETCH (rfc822) response
  SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers Infected With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes Bill Requiring Warrant for Searching Mobile Phones
  Cron <ro...@s-lib011> /exlibris/backup/scripts/exec_backup_main s2
  FINAL DAYS: *Free to Choose* - Save 50% - All
  [InCommon] IAM Online Weds., Oct. 12 - IAM Governance

Those kinds of rules may be good for making meta rules to
combine with other indications but be careful using them
by themselves.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

RE: Why doesn't anything at all get these botnet spammers?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 17 Oct 2011, Jenny Lee wrote:

[snip..]
> What baffles me is why it takes so long for RBLs to catch up on the URL. He was spamming me (i have different domains) for a good one month before his URL got dropped into an RBL, another one was never in an RBL. Perhaps I am misunderstanding RBL concept. Or perhaps he is already working with one of the RBLs and has access to the honeypot emails.
>
> Jenny
>
>
> Date: Sun, 16 Oct 2011 16:01:48 +0200
> From: Ckoe <ka...@yahoo.com>
> To: michael_otto68@ymail.com
> Subject: pznvm
>
> baniouq ljqtzfghf.
> tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
>
> <i am trimming the rest of the mail in order not to get another undeliverable>

Jenny,
Most URI-RBLs work on just the hostname part of the URL. I.e. with a
spamvertized URL of http://ha.blah.com/snort_ya/index.html, they only
look at the 'blah.com' part.

For your example, http://h1.ripway.com/..., the hostname part is
'ripway.com' which is a generic web-hosting provider, thus not a good
candidate for blacklisting (i.e. it would FP all over the place).
Most reputable URI-RBLs want to avoid FPs at almost any cost, so will not
list such names, even if they're frequently used in spam.

Another example of the same phenomenon is URL shorteners (e.g. bit.ly),
regularly abused in spam but you'll almost never see them listed in
URI-RBLs.

Most good web-hosting providers & URL shorteners will take down the
offending spam site/link if you report it to them.  (sigh, I know,
a whack-a-mole task but that's the game).


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
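As an added illustration of David Funk's point (example code, not his, and not SpamAssassin's own URIDNSBL plugin), the following reduces each spamvertised URL from this thread to the name a URI-RBL would actually look up. The tiny public-suffix table and the multi.uribl.com zone name are assumptions made for the example; nothing is resolved over the network.

```python
from urllib.parse import urlsplit

# Spamvertised URLs taken from the messages in this thread.
THREAD_URLS = [
    "http://darrentanch1.tumblr.com/",
    "http://hnungarid.fileave.com/index.html",
    "http://h1.ripway.com/punkizta_nc143hf/index.html",
]

# Assumed stand-in for the public suffix list (publicsuffix.org). A real URI
# DNSBL client uses the full list; these entries are enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "it", "eu", "tl", "uk", "co.uk"}


def registrable_domain(host):
    """Reduce a hostname to the part a URI-RBL keys on: one label under the
    public suffix. h1.ripway.com -> ripway.com, www.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest public suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def uribl_lookup_key(url):
    """Lookup key for a spamvertised URL. Path, query and subdomain are
    discarded, which is why http://h1.ripway.com/... is checked as 'ripway.com'."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return registrable_domain(host)


def uribl_query_name(url, zone="multi.uribl.com"):
    """DNS name a URI DNSBL client would resolve for this URL. The zone name
    is an assumption for the example; nothing is queried here."""
    return f"{uribl_lookup_key(url)}.{zone}"


def group_by_key(urls):
    """Map each lookup key to the URLs that collapse onto it. One key per
    hosting provider means listing it would block every site on that provider."""
    groups = {}
    for url in urls:
        groups.setdefault(uribl_lookup_key(url), []).append(url)
    return groups


if __name__ == "__main__":
    for key, urls in group_by_key(THREAD_URLS).items():
        print(f"{key:12s} <- {', '.join(urls)}")
        print(f"{'':12s}    query: {uribl_query_name(urls[0])}")
```

All three URLs collapse onto tumblr.com, fileave.com and ripway.com, one key per hosting provider, and that key is shared with every legitimate site on the same provider, which is why a list that cares about false positives will not carry it. A local uri rule like the OUR_CUSTOM_URI one at the top of the thread scores on the provider domain precisely because the public RBLs will not, and reporting the full path to the provider is the only route to getting the specific site taken down.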

RE: Why doesn't anything at all get these botnetspammers?

Posted by Benny Pedersen <me...@junc.org>.
On Mon, 17 Oct 2011 18:07:15 +0000, Jenny Lee wrote:
> Every 2nd of my emails to this list from hotmail is returning as a
> nondeliverable. Hotmail does not give any info as to what failed but I
> am assuming it is the SPAM filters of the mailing list. Well done!


X-Spam-Status No, score=-4.445 tagged_above=-999 required=5 
tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, 
KHOP_THREADED=-0.1, NO_USER_AGENT=0.1, NO_X_MAILER=0.1, 
RCVD_IN_DNSWL_HI=-5, RCVD_IN_RP_SAFE=-2, RELAY_US=0.01, 
RP_MATCHES_RCVD=-0.504, SPF_PASS=-0.001, URIBL_BLACK=1.725, 
URIBL_DBL_REDIRECTOR=1.5, URIBL_SBL=1.623] autolearn=no

your msg tags here :-)

don't post spam URLs to mailing lists, but use pastebin and post a link to it

>
> Also how ironic is it to write: users -at- spamassassin.apache.org on
> the website!!! What a confidence in a spam-fighting tool! Write it as
> , show you mean business.

nabble users get used to it :-)

>
> Back to the subject:
>
> We are under the false assumption that he is mangling the subjects
> with gibberish or with porn words. His target is to get the URL
> across. As I mentioned, I get as many emails without any punctuation
> or porn words (see below). In fact, since I started this discussion,
> I got about 2 mangled headers versus 100+ like the one below (before at
> least the ratio was 50/50)!
>
> What baffles me is why it takes so long for RBLs to catch up on the
> URL. He was spamming me (i have different domains) for a good one
> month before his URL got dropped into an RBL, another one was never
> in an RBL. Perhaps I am misunderstanding RBL concept. Or perhaps he is
> already working with one of the RBLs and has access to the honeypot
> emails.

he might use a url redirector ?

>
> Jenny
>
> Date: Sun, 16 Oct 2011 16:01:48 +0200
> From: Ckoe
> To:
> Subject: pznvm
>
> baniouq ljqtzfghf.
> tgbc, czatiaibw csa  lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a
> tfpeyvq fkhaohcddt rdl bvfoju.


Re: Why doesn't anything at all get these botnet spammers?

Posted by Bowie Bailey <Bo...@BUC.com>.
On 10/17/2011 3:15 PM, Jenny Lee wrote:
> > Date: Mon, 17 Oct 2011 19:26:21 +0100
> > From: ned@unixmail.co.uk
> >
> > X-ASF-Spam-Status: No, hits=9.8 required=10.0
> >
> tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL
>  
> Just because I posted a single blacklisted URL does not mean my
> message should be tagged as SPAM on a mailing list. 
>  
> Perhaps you need to tune these filters for accuracy:
>  
> FREEMAIL_ENVFROM_END_DIGIT: With a freaking 1.2 billion freemail
> users, I would like to see a freemail account that does not end in a
> digit. I surely do not have anybody on my contact list that does not
> end with one.
> FREEMAIL_FROM: As above... 1.2 billion.
> HTML_MESSAGE: That is default on freemail accounts.
> URIBL_BLACK: 1.7 on my system
> URIBL_SBL: 1.6 on my system

Apache must have adjusted their scoring.  On my system, a message
hitting those rules would have scored about 3.5 -- same as your system
apparently.  Everything except the two URIBL hits has a minimal score. 
(The freemail and html rules are mostly informational and useful for
META rules)

-- 
Bowie

RE: Why doesn't anything at all get these botnet spammers?

Posted by Jenny Lee <bo...@live.com>.

> Date: Mon, 17 Oct 2011 19:26:21 +0100
> From: ned@unixmail.co.uk
> To: users@spamassassin.apache.org
> Subject: Re: Why doesn't anything at all get these botnet spammers?
> 
> On 17/10/11 19:07, Jenny Lee wrote:
> >
> > Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done!
> >
> 
> Then stop posting spam to the list. You can see what rules you're 
> hitting in the headers of your posts:
> 
> X-ASF-Spam-Status: No, hits=9.8 required=10.0
> tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL

 
Just because I posted a single blacklisted URL does not mean my message should be tagged as SPAM on a mailing list. 
 
Perhaps you need to tune these filters for accuracy:
 
FREEMAIL_ENVFROM_END_DIGIT: With a freaking 1.2 billion freemail users, I would like to see a freemail account that does not end in a digit. I surely do not have anybody on my contact list that does not end with one.
FREEMAIL_FROM: As above... 1.2 billion.
HTML_MESSAGE: That is default on freemail accounts.
URIBL_BLACK: 1.7 on my system
URIBL_SBL: 1.6 on my system
 
So I still would like to see how I get over 10 sending legit convo and having a blacklisted URL.
 
Deliverable happened to me when I was posting the pastebin URL during a conversation. I, in fact, asked another user on this list if he could post my pastebin!
 
Jenny
 

Re: Why doesn't anything at all get these botnet spammers?

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 17/10/11 19:07, Jenny Lee wrote:
>
> Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done!
>

Then stop posting spam to the list. You can see what rules you're 
hitting in the headers of your posts:

X-ASF-Spam-Status: No, hits=9.8 required=10.0
tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL

If you want to post examples, please make them available on a pastebin 
and provide the link - that is the etiquette here on this list.


RE: Why doesn't anything at all get these botnet spammers?

Posted by Kelson Vibber <KV...@tollfreeforwarding.com>.
From: Jenny Lee
> Also how ironic is it to write: users -at- spamassassin.apache.org on the website!!! What a confidence in a
> spam-fighting tool! Write it as users@sa, show you mean business.

Ever hear of defense in depth?

RE: Why doesn't anything at all get these botnet spammers?

Posted by Jenny Lee <bo...@live.com>.
Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done! 
 
Also how ironic is it to write: users -at- spamassassin.apache.org on the website!!! What a confidence in a spam-fighting tool! Write it as users@sa, show you mean business.
 
Back to the subject:
 
We are under the false assumption that he is mangling the subjects with gibberish or with porn words. His target is to get the URL across. As I mentioned, I get as many emails without any punctuation or porn words (see below). In fact, since I started this discussion, I got about 2 mangled headers versus 100+ like the one below (before at least the ratio was 50/50)!
 
What baffles me is why it takes so long for RBLs to catch up on the URL. He was spamming me (i have different domains) for a good one month before his URL got dropped into an RBL, another one was never in an RBL. Perhaps I am misunderstanding RBL concept. Or perhaps he is already working with one of the RBLs and has access to the honeypot emails. 
 
Jenny
 

Date: Sun, 16 Oct 2011 16:01:48 +0200
From: Ckoe <ka...@yahoo.com>
To: michael_otto68@ymail.com
Subject: pznvm
 
baniouq ljqtzfghf.
tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
 
 
 
<i am trimming the rest of the mail in order not to get another undeliverable>

Re: Why doesn't anything at all get these botnet spammers?

Posted by Christian Grunfeld <ch...@gmail.com>.
Yeah, you catch my point !

I think it's easier to find a non-alphanum character than trying to
decode/de-obfuscate/guess the subject hidden word !

Why do we have to waste resources in trying to guess "Sex Movie" out
of  "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
can directly trigger a rule !



2011/10/17 Mynabbler <my...@live.com>:
>
>
> John Hardin wrote:
>>
>>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>>  have to be quick to see the actual results... :)
>>
> I wrote a couple a days ago about these subjects, did not get a response
> however. I came up with something rather straightforward:
>
> header  __MN_PUNC01 Subject =~ /~/
> header  __MN_PUNC02 Subject =~ /`/
> header  __MN_PUNC03 Subject =~ /\#/
> header  __MN_PUNC04 Subject =~ /\$/
> header  __MN_PUNC05 Subject =~ /%/
> header  __MN_PUNC06 Subject =~ /\^/
> header  __MN_PUNC07 Subject =~ /&/
> header  __MN_PUNC08 Subject =~ /\*/
> header  __MN_PUNC09 Subject =~ /\(|\)/
> header  __MN_PUNC10 Subject =~ /\?/
> header  __MN_PUNC11 Subject =~ /\+/
> header  __MN_PUNC12 Subject =~ /=/
> header  __MN_PUNC13 Subject =~ /\{|\}/
> # header  __MN_PUNC14 Subject =~ /\[|\]/
> header  __MN_PUNC15 Subject =~ /\|/
> header  __MN_PUNC16 Subject =~ /\"/
> header  __MN_PUNC17 Subject =~ /\;/
> header  __MN_PUNC18 Subject =~ /\:/
> header  __MN_PUNC19 Subject =~ /\//
> header  __MN_PUNC20 Subject =~ /_/
> meta      MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 +
> __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 +
> __MN_PUNC09 +  __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 +
> __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 +
> __MN_PUNC20 >= 3)
> score     MN_PUNCTUATION 0.1
>
> PUNC14 gave too many false positives with forums and such where [ForumName]
> is sent in the subject. The actual score for this kind of punctuation is
> low, I use the rule in a meta with URL shortening, free websites, free
> blogs, stuff like that, and it is hovering above the kill switch. Also note
> that it does not choke on subjects like ===++++====, where a multiple would.
>
>
> --
> View this message in context: http://old.nabble.com/Why-doesn%27t-anything-at-all-get-these-botnet-spammers--tp32659169p32668643.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>

Re: Why doesn't anything at all get these botnet spammers?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 17 Oct 2011, Mynabbler wrote:

> John Hardin wrote:
>>
>>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>>  have to be quick to see the actual results... :)
>
> I wrote a couple of days ago about these subjects, did not get a response
> however.

You just did. Work and personal matters sometimes intrude on providing 
somewhat-tested rulesets quickly.

:)

On Mon, 17 Oct 2011, Christian Grunfeld wrote:

> I think it's easier to find a non-alphanumeric character than trying to
> decode/deobfuscate/guess the subject hidden word!
>
> Why do we have to waste resources in trying to guess "Sex Movie" out
> of  "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
> can directly trigger a rule!

Agreed. I don't try to do that, and I don't think anybody has suggested 
that as an approach to catching these.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  312 days since the first successful private orbital launch (SpaceX)

Re: Why doesn't anything at all get these botnet spammers?

Posted by Mynabbler <my...@live.com>.

John Hardin wrote:
> 
>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>  have to be quick to see the actual results... :)
> 
I wrote a couple of days ago about these subjects, did not get a response
however. I came up with something rather straightforward:

header  __MN_PUNC01 Subject =~ /~/
header  __MN_PUNC02 Subject =~ /`/
header  __MN_PUNC03 Subject =~ /\#/
header  __MN_PUNC04 Subject =~ /\$/
header  __MN_PUNC05 Subject =~ /%/
header  __MN_PUNC06 Subject =~ /\^/
header  __MN_PUNC07 Subject =~ /&/
header  __MN_PUNC08 Subject =~ /\*/
header  __MN_PUNC09 Subject =~ /\(|\)/
header  __MN_PUNC10 Subject =~ /\?/
header  __MN_PUNC11 Subject =~ /\+/
header  __MN_PUNC12 Subject =~ /=/
header  __MN_PUNC13 Subject =~ /\{|\}/
# header  __MN_PUNC14 Subject =~ /\[|\]/
header  __MN_PUNC15 Subject =~ /\|/
header  __MN_PUNC16 Subject =~ /\"/
header  __MN_PUNC17 Subject =~ /\;/
header  __MN_PUNC18 Subject =~ /\:/
header  __MN_PUNC19 Subject =~ /\//
header  __MN_PUNC20 Subject =~ /_/
meta      MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 + __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 + __MN_PUNC09 + __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 + __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 + __MN_PUNC20 >= 3)
score     MN_PUNCTUATION 0.1

PUNC14 gave too many false positives with forums and such where [ForumName]
is sent in the subject. The actual score for this kind of punctuation is
low, I use the rule in a meta with URL shortening, free websites, free
blogs, stuff like that, and it is hovering above the kill switch. Also note
that it does not choke on subjects like ===++++====, where a multiple would.


-- 
View this message in context: http://old.nabble.com/Why-doesn%27t-anything-at-all-get-these-botnet-spammers--tp32659169p32668643.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


RE: Why doesn't anything at all get these botnet spammers?

Posted by Jenny Lee <bo...@live.com>.
> Date: Sun, 16 Oct 2011 08:39:42 -0700
> From: jhardin@impsec.org
> To: users@spamassassin.apache.org
> Subject: Re: Why doesn't anything at all get these botnet spammers?
> 
> On Sun, 16 Oct 2011, Martin Gregorie wrote:
> 
> > On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
> >> On Sat, 15 Oct 2011, Jenny Lee wrote:
> >>
> >>> Hello Everyone,
> >>>
> >>> Is there any way to get these people?
> >>
> >>> Subject: T !r (a -n*n =l&e ` S !e .x|
> >>> Subject: Se^x M-o ^v ~l e -
> >>
> > What about something like:
> >
> > header POX Subject =~ /[!\(\-*\.^~]\w *[!\(\-*\.^~]\w/
> 
> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll 
> have to be quick to see the actual results... :)
 
Thank you. 
I would like to say that an equal number come without any subject mangling.
He manages to get only one through to me  (I get about 50 of these daily) until I add his URL once a week... 
But because of this ******, I have to constantly maintain my install. Because of him, I am thinking of going back to straight greylisting (where I never got any of his crap).
Jenny
 
Date: Sun, 16 Oct 2011 16:01:48 +0200
From: Ckoe <ka...@yahoo.com>
To: michael_otto68@ymail.com
Subject: pznvm
 
baniouq ljqtzfghf.
tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.


Re: Why doesn't anything at all get these botnet spammers?

Posted by John Hardin <jh...@impsec.org>.
On Sun, 16 Oct 2011, Martin Gregorie wrote:

> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>> On Sat, 15 Oct 2011, Jenny Lee wrote:
>>
>>> Hello Everyone,
>>>
>>> Is there any way to get these people?
>>
>>> Subject: T !r (a -n*n =l&e ` S !e .x|
>>> Subject: Se^x M-o ^v ~l e -
>>
> What about something like:
>
> header POX Subject =~ /[!\(\-*\.^~]\w *[!\(\-*\.^~]\w/

Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll 
have to be quick to see the actual results... :)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   A well educated Electorate, being necessary to the liberty of a
   free State, the Right of the People to Keep and Read Books,
   shall not be infringed.
-----------------------------------------------------------------------
  311 days since the first successful private orbital launch (SpaceX)

Re: Why doesn't anything at all get these botnet spammers?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
> On Sat, 15 Oct 2011, Jenny Lee wrote:
> 
> > Hello Everyone,
> >
> > Is there any way to get these people?
> 
> > Subject: T !r (a -n*n =l&e ` S !e .x|
> > Subject: Se^x M-o ^v ~l e -
> 
What about something like:

# punctuation, word char, optional spaces, punctuation, word char
header POX Subject =~ /[!\(\-*\.^~]\w *[!\(\-*\.^~]\w/


Martin

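The two subject-punctuation approaches in this thread, Mynabbler's MN_PUNCTUATION meta (one 0-or-1 sub-rule per punctuation class, summed and compared to 3) and Martin's POX pattern (punctuation wedged between word characters), as an added example that is not part of any post here. It re-implements the counting logic in Python rather than running SpamAssassin, uses Python's re as a stand-in for SA's Perl engine (the two agree on these ASCII patterns), takes the dash in POX's character class as a literal, and runs everything over the two subjects quoted in the thread plus three constructed benign controls. The third function, total_punct_hits, is what a single rule over the whole character set with tflags multiple would count, which is the "multiple" Mynabbler says would choke on ===++++====.

```python
import re

# Constructed sample subjects: the two quoted in this thread plus three
# benign controls (a forum notification, a run of repeated punctuation and
# an ordinary subject) to show where each approach fires.
SUBJECTS = {
    "spam1":  "T !r (a -n*n =l&e ` S !e .x|",
    "spam2":  "Se^x M-o ^v ~l e -",
    "forum":  "[ForumName] Re: meeting notes",
    "repeat": "===++++====",
    "plain":  "Lunch on Friday?",
}

# One entry per __MN_PUNC sub-rule; a multi-character entry is a sub-rule
# whose regex is an alternation such as /\(|\)/. PUNC14 ([ and ]) is left
# out, as in the post, because of the [ForumName] false positives.
PUNCT_CLASSES = [
    "~", "`", "#", "$", "%", "^", "&", "*", "()", "?",
    "+", "=", "{}", "|", '"', ";", ":", "/", "_",
]

MN_THRESHOLD = 3  # the ">= 3" in meta MN_PUNCTUATION


def distinct_punct_classes(subject):
    """Number of sub-rules that hit. Each __MN_PUNC rule contributes 0 or 1
    to the meta no matter how many times its character appears, so this is
    what MN_PUNCTUATION actually sums."""
    return sum(1 for cls in PUNCT_CLASSES if any(ch in subject for ch in cls))


def total_punct_hits(subject):
    """Every occurrence counted, which is what one rule over the whole
    character set with 'tflags multiple' would report."""
    return sum(subject.count(ch) for cls in PUNCT_CLASSES for ch in cls)


# Martin's POX pattern with the dash taken as a literal: punctuation, a word
# character, optional spaces, punctuation, a word character.
POX = re.compile(r"[!\(\-*\.^~]\w *[!\(\-*\.^~]\w")


def pox_hit(subject):
    """True when punctuation is wedged between letters the way the
    chickenpoxed subjects are."""
    return POX.search(subject) is not None


def evaluate(subject):
    """Run all three checks and report whether MN_PUNCTUATION would fire."""
    distinct = distinct_punct_classes(subject)
    return {
        "distinct": distinct,
        "total": total_punct_hits(subject),
        "mn_punctuation": distinct >= MN_THRESHOLD,
        "pox": pox_hit(subject),
    }


if __name__ == "__main__":
    print(f"{'subject':8} {'distinct':>8} {'total':>5} {'MN>=3':>5} {'POX':>5}")
    for name, subj in SUBJECTS.items():
        r = evaluate(subj)
        print(f"{name:8} {r['distinct']:>8} {r['total']:>5} "
              f"{str(r['mn_punctuation']):>5} {str(r['pox']):>5}")
```

Running it shows the trade-off in the thread: ===++++==== scores 2 distinct classes but 11 raw hits, so the per-class meta stays quiet where a multiple-count rule would not, and [ForumName] scores only 1 once the bracket class is dropped. It also shows why the meta is kept at a low score and combined with other rules: the second spam subject hits only 2 classes (its !, - and . are not in the set) and so does not reach the threshold on its own, while POX catches both spam subjects and none of the controls.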


Re: Why doesn't anything at all get these botnet spammers?

Posted by John Hardin <jh...@impsec.org>.
On Sat, 15 Oct 2011, Jenny Lee wrote:

> Hello Everyone,
>
> Is there any way to get these people?

> Subject: T !r (a -n*n =l&e ` S !e .x|
> Subject: Se^x M-o ^v ~l e -

More chickenpoxed subjects.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   One death is a tragedy; thirty is a media sensation;
   a million is a statistic.              -- Joseph Stalin, modernized
-----------------------------------------------------------------------
  310 days since the first successful private orbital launch (SpaceX)