Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2009/04/01 00:49:15 UTC
Re: New kind of spam part 2
On Tue, 2009-03-31 at 19:43 +0300, Arthur Kerpician wrote:
> Hi,
> I've been following the latest messages on this list regarding new types
> of spam but, unfortunately, couldn't find the answer for the kind I'm
> dealing with. The raw message can be found here:
> http://www.bluechip.ro/spam.txt
> I tried to figure out for 2 weeks now how to block these messages with
> no success. Any ideas?
>
> Thanks,
> Arthur
>
Scored as this on my home box:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?145.94.91.39>]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [145.94.91.39 listed in zen.spamhaus.org]
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
                            [145.94.91.39 listed in bb.barracudacentral.org]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=145.94.91.39,rdns=z091039.tnw-s.tudelft.nl,maildomain=patrimonioediciones.com,client,ipinhostname]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-6.6 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
                            [score: 0.0104]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1117; Body=1 Fuz1=1 Fuz2=1]
  10 CLAMAV                 Clam AntiVirus detected a virus
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
X-Spam-Virus: Yes (Sanesecurity.Spam.9970.UNOFFICIAL)
Received a low bayes score though since I've apparently not run across
any of these yet. After running sa-learn against it though the bayes
score changed:
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
--
KeyID 0xE372A7DA98E6705C
Re: New kind of spam part 2
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 01.04.09 09:52, Arthur Kerpician wrote:
> I don't know why but these tests are not running on my spamassassin 3.1.0:
> RCVD_IN_BL_SPAMCOP_NET
> RCVD_IN_XBL
Didn't you disable rbl lookups?
Can you upgrade to 3.2.5 or at least do you keep rules up-to-date using
sa-update?
> Yesterday I configured tcpserver to run the spamcop test, so the spam
> messages are decreasing but I want to rely on spamassassin only to stop
> spam, not discarding mails at the smtp level.
What's the difference?
> ham. Now I see I have to balance them. The problem is that I trained
> hundreds of spam like this and I don't have a hit from bayes (only
> BAYES_00). Anyway, I'll try the RATWARE rules to see what happens.
Don't try third party rules before upgrading spamassassin to current version
and updating rules.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: New kind of spam part 2
Posted by Arthur Kerpician <ar...@bluechip.ro>.
Chris wrote:
> Scored as this on my home box:
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see <http://www.spamcop.net/bl.shtml?145.94.91.39>]
>  3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [145.94.91.39 listed in zen.spamhaus.org]
>  1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
>                             [145.94.91.39 listed in bb.barracudacentral.org]
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=145.94.91.39,rdns=z091039.tnw-s.tudelft.nl,maildomain=patrimonioediciones.com,client,ipinhostname]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -6.6 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>                             [score: 0.0104]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [localhost 1117; Body=1 Fuz1=1 Fuz2=1]
>   10 CLAMAV                 Clam AntiVirus detected a virus
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> X-Spam-Virus: Yes (Sanesecurity.Spam.9970.UNOFFICIAL)
>
> Received a low bayes score though since I've apparently not run across
> any of these yet. After running sa-learn against it though the bayes
> score changed:
>
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
>
>
I don't know why but these tests are not running on my spamassassin 3.1.0:
RCVD_IN_BL_SPAMCOP_NET
RCVD_IN_XBL
I have these plugins loaded in init.pre:
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
And in v310.pre:
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
Yesterday I configured tcpserver to run the spamcop test, so the spam
messages are decreasing but I want to rely on spamassassin only to stop
spam, not discarding mails at the smtp level.
Regarding my bayes db, I was training it only for spam messages, not
ham. Now I see I have to balance them. The problem is that I trained
hundreds of spam like this and I don't have a hit from bayes (only
BAYES_00). Anyway, I'll try the RATWARE rules to see what happens.
Thanks,
Arthur
Re: New kind of spam part 2
Posted by Chris <cp...@embarqmail.com>.
On Tue, 2009-03-31 at 16:54 -0600, LuKreme wrote:
> On 31-Mar-2009, at 16:49, Chris wrote:
> >  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
> >                             [score: 0.5000]
>
>
> you score 1.0 for Bayes_50??
>
Yes, why? Here is how I've been scoring bayes for years:
score BAYES_00 0 0 -6.400 -6.400
score BAYES_05 0 0 -6.600 -6.600
score BAYES_20 0 0 -5.801 -3.101
score BAYES_40 0 0 -1.246 -1.604
score BAYES_50 0 0 1.0 1.0
score BAYES_60 0 0 2.002 2.002
score BAYES_80 0 0 4.1 4.1
score BAYES_95 0 0 4.2 4.2
score BAYES_99 0 0 5.0 5.0
works just fine for me.
--
KeyID 0xE372A7DA98E6705C
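
The four numbers on each score line above are SpamAssassin's four score sets (neither Bayes nor network tests, network tests only, Bayes only, both). The following Python is an added illustration, not code from any poster or from SpamAssassin: it parses those lines and recomputes the total of the report quoted earlier in the thread for a given Bayes probability. The bucket edges other than the two shown in the thread, and all function names, are assumptions.

```python
SCORE_LINES = """\
score BAYES_00 0 0 -6.400 -6.400
score BAYES_05 0 0 -6.600 -6.600
score BAYES_20 0 0 -5.801 -3.101
score BAYES_40 0 0 -1.246 -1.604
score BAYES_50 0 0 1.0 1.0
score BAYES_60 0 0 2.002 2.002
score BAYES_80 0 0 4.1 4.1
score BAYES_95 0 0 4.2 4.2
score BAYES_99 0 0 5.0 5.0
"""
# Upper edge of each bucket. The thread shows BAYES_05 (1 to 5%) and
# BAYES_50 (40 to 60%); the other edges are the stock ranges (assumption).
BUCKETS = [(0.01, "BAYES_00"), (0.05, "BAYES_05"), (0.20, "BAYES_20"),
           (0.40, "BAYES_40"), (0.60, "BAYES_50"), (0.80, "BAYES_60"),
           (0.95, "BAYES_80"), (0.99, "BAYES_95"), (1.00, "BAYES_99")]
# Non-Bayes hits in the report quoted in the thread, in report order.
OTHER_HITS = 2.0 + 3.0 + 1.0 + 5.0 + 0.0 - 0.0 + 10 + 1.0

def parse_scores(text):
    """Return {rule: [four floats]}; a single value applies to all four sets."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:
            values *= 4
        if len(values) != 4:
            raise ValueError(f"expected 1 or 4 scores: {line!r}")
        table[parts[1]] = values
    return table

def score_set(bayes_enabled, net_enabled):
    """Score set index: 0 = neither, 1 = net only, 2 = Bayes only, 3 = both."""
    return (2 if bayes_enabled else 0) + (1 if net_enabled else 0)

def bayes_rule(probability):
    """Map a Bayes probability in [0, 1] to its BAYES_xx rule name."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability out of range")
    return next(name for upper, name in BUCKETS if probability <= upper)

def message_total(probability, table, bayes_enabled=True, net_enabled=True):
    """Report total once the Bayes rule for `probability` is added."""
    points = table[bayes_rule(probability)][score_set(bayes_enabled, net_enabled)]
    return round(OTHER_HITS + points, 3)
```

With these scores the same message moves from 15.4 to 23.0 once the Bayes probability goes from 0.0104 to 0.5000, a swing of 7.6 points from the Bayes rule alone.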
Re: New kind of spam part 2
Posted by LuKreme <kr...@kreme.com>.
On 31-Mar-2009, at 16:49, Chris wrote:
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
you score 1.0 for Bayes_50??
--
I find Windows of absolutely no technical interest... Mac OS X is a
rock-solid system that's beautifully designed. I much prefer
it to Linux. -- Bill Joy
Re: New kind of spam part 2
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2009-03-31 at 16:52 -0600, LuKreme wrote:
> On 31-Mar-2009, at 16:49, Chris wrote:
> > 5.0 BOTNET Relay might be a spambot or virusbot
> > [botnet0.8,ip=145.94.91.39,rdns=z091039.tnw-s.tudelft.nl,maildomain=patrimonioediciones.com,client,ipinhostname]
>
> Is that a custom rule?
It's the Botnet plugin.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: New kind of spam part 2
Posted by LuKreme <kr...@kreme.com>.
On 31-Mar-2009, at 16:49, Chris wrote:
> 5.0 BOTNET Relay might be a spambot or virusbot
> [botnet0.8,ip=145.94.91.39,rdns=z091039.tnw-s.tudelft.nl,maildomain=patrimonioediciones.com,client,ipinhostname]
Is that a custom rule?
--
I find Windows of absolutely no technical interest... Mac OS X is a
rock-solid system that's beautifully designed. I much prefer
it to Linux. -- Bill Joy