Posted to users@spamassassin.apache.org by "Robert A. Ober" <ro...@robob.com> on 2013/08/08 22:21:52 UTC
DHL From Russia
Hello Folks,
First of all, I appreciate the fact that a quality tool like
SpamAssassin has an opensource version. Only costs time. Furthermore, I
appreciate all the hard work the devs put into making it better.
But really, shouldn't the latest version with sa-update run a few days
ago, be able to block DHL package spam from Russia? How long has that
been going on? A decade?
Now back to our regularly scheduled program.
Y'all be cool,
Robert A. Ober
Re: DHL From Russia
Posted by Neil Schwartzman <ne...@cauce.org>.
On Aug 9, 2013, at 6:16 AM, Thomas Harold <th...@nybeta.com> wrote:
> We see a few of these each week, not sure if they are from Russia:
>
> http://pastebin.com/iBmELtSh
Not really that difficult to block.
31.24.139.73
Senderscore of '3'(out of 100)
https://senderscore.org/lookup.php?lookup=31.24.139.73&ipLookup=Go
Email Reputation Poor
http://www.senderbase.org/lookup?search_string=31.24.139.73
Re: DHL From Russia
Posted by Benny Pedersen <me...@junc.eu>.
Alex skrev den 2013-08-09 17:27:
> ... and no BAYES?
yep no bayes, privacy concern
> These look like the types of messages where either a specific body
> pattern would be necessary, or block the IP with postfix.
well ip is not content
Re: DHL From Russia
Posted by Alex <my...@gmail.com>.
Hi,
>> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
>> [62.109.30.143 listed in bb.barracudacentral.org]
>> 1.5 RELAY_RU Relayed through RU
>> -0.0 SPF_PASS SPF: sender matches SPF record
>> 2.4 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
>> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
>> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END && HTML_MESSAGE
>> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
>> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
>> 1.3 SAGREY Adds score to spam from first-time senders
>
> unfortunately RELAY_IT, RELAY_RU, STARS_ON_FORTY_FOOR, STARS_ON_FORTY_SIX and
> SAGREY are not stock rules. the RCVD_IN_BRBL_LASTEXT and URIBL_BLACK may
> not apply for early recipients.
> you also seem to have modified scores for URIBL_BLACK, at least from what I have
> locally:
>
> 50_scores.cf:score URIBL_BLACK 0 1.775 0 1.725 # n=0 n=2
>
> ... and I have quite actual scores:
> -rw-r--r-- 1 debian-spamd debian-spamd 44575 Aug 9 02:23 50_scores.cf
>
> just noticing...
... and no BAYES?
These look like the types of messages where either a specific body
pattern would be necessary, or block the IP with postfix.
Regards,
Alex
Re: DHL From Russia
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Thomas Harold skrev den 2013-08-09 15:16:
>>We see a few of these each week, not sure if they are from Russia:
>>http://pastebin.com/iBmELtSh
On 09.08.13 16:05, Benny Pedersen wrote:
> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
> [31.24.139.73 listed in bb.barracudacentral.org]
> 0.1 RELAY_IT Relayed through IT
> 3.3 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> [URIs: slppoa.org]
> 0.5 SPF_NONE SPF: sender does not publish an SPF Record
> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
> domains are different
> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
> 0.1 STARS_ON_FORTY_SIX URI: contains 6 chars url at end
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
> HTML_MESSAGE
> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
> 1.3 SAGREY Adds score to spam from first-time senders
>>http://pastebin.com/qpxhkJbB
> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
> [62.109.30.143 listed in bb.barracudacentral.org]
> 1.5 RELAY_RU Relayed through RU
>-0.0 SPF_PASS SPF: sender matches SPF record
> 2.4 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
> domains are different
> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
> HTML_MESSAGE
> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
> 1.3 SAGREY Adds score to spam from first-time senders
unfortunately RELAY_IT, RELAY_RU, STARS_ON_FORTY_FOOR, STARS_ON_FORTY_SIX and
SAGREY are not stock rules. the RCVD_IN_BRBL_LASTEXT and URIBL_BLACK may
not apply for early recipients.
you also seem to have modified scores for URIBL_BLACK, at least from what I have
locally:
50_scores.cf:score URIBL_BLACK 0 1.775 0 1.725 # n=0 n=2
... and I have quite actual scores:
-rw-r--r-- 1 debian-spamd debian-spamd 44575 Aug 9 02:23 50_scores.cf
just noticing...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Chernobyl was an Windows 95 beta test site.
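To see what Matus's point about non-stock rules and late DNSBL listings means for a plain sa-update install, here is an added Python example (not from the thread) that parses the second report quoted above and re-totals it three ways: all hits, stock rules only, and stock rules before the Barracuda and URIBL listings were available. The sample report is the one from the page, embedded as constructed input; nothing is fetched from pastebin.

```python
import re
# Second report from the thread (62.109.30.143), copied from the page as constructed
# sample input; "-0.0" scores and wrapped descriptions are kept as SpamAssassin prints them.
REPORT = """\
Content analysis details: (8.9 points, 5.0 required)
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [62.109.30.143 listed in bb.barracudacentral.org]
 1.5 RELAY_RU               Relayed through RU
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.1 STARS_ON_FORTY_FOOR    URI: contains 4 chars url at end
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_MISSING     Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
                            HTML_MESSAGE
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 HTML_DOCTYPE_MISSING   Meta: !__DOCTYPE_ALL && HTML_MESSAGE
 1.3 SAGREY                 Adds score to spam from first-time senders
"""
# Local rules Matus lists as not shipped by sa-update.
NON_STOCK = {"RELAY_IT", "RELAY_RU", "STARS_ON_FORTY_FOOR",
             "STARS_ON_FORTY_SIX", "SAGREY"}
# DNSBL/URIBL rules that may not have fired yet for the earliest recipients.
LATE_LISTING = {"RCVD_IN_BRBL_LASTEXT", "URIBL_BLACK"}
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")
REQ_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

def parse_report(text):
    """Return (hits, required): hits maps rule name -> displayed score."""
    hits, required = {}, None
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            required = float(m.group(2))
            continue
        m = HIT_RE.match(line)
        if m:  # wrapped continuation lines carry no score, so they do not match
            hits[m.group(2)] = float(m.group(1))
    return hits, required

def total_without(hits, excluded=frozenset()):
    """Sum the displayed (rounded) scores minus excluded rules; this can differ
    from the header total by 0.1 because per-rule scores are printed rounded."""
    return round(sum(s for r, s in hits.items() if r not in excluded), 1)

def verdicts(text):
    """Total as-is, stock rules only, and stock rules before the DNSBL/URIBL
    listings; True means the message would still be tagged as spam."""
    hits, required = parse_report(text)
    cases = {"all": set(), "stock": NON_STOCK, "stock_early": NON_STOCK | LATE_LISTING}
    return {k: (total_without(hits, v), total_without(hits, v) >= required)
            for k, v in cases.items()}
```

Run on this report, the stock-only total still clears 5.0, but without the Barracuda listing it drops below the threshold, which is the "just below" behaviour Thomas describes.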
Re: DHL From Russia
Posted by Benny Pedersen <me...@junc.eu>.
Thomas Harold skrev den 2013-08-09 15:16:
> We see a few of these each week, not sure if they are from Russia:
>
> http://pastebin.com/iBmELtSh
Content analysis details: (8.9 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [31.24.139.73 listed in bb.barracudacentral.org]
 0.1 RELAY_IT               Relayed through IT
 3.3 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: slppoa.org]
 0.5 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.1 STARS_ON_FORTY_FOOR    URI: contains 4 chars url at end
 0.1 STARS_ON_FORTY_SIX     URI: contains 6 chars url at end
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_MISSING     Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
                            HTML_MESSAGE
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 HTML_DOCTYPE_MISSING   Meta: !__DOCTYPE_ALL && HTML_MESSAGE
 1.3 SAGREY                 Adds score to spam from first-time senders
> http://pastebin.com/qpxhkJbB
Content analysis details: (8.9 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [62.109.30.143 listed in bb.barracudacentral.org]
 1.5 RELAY_RU               Relayed through RU
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.1 STARS_ON_FORTY_FOOR    URI: contains 4 chars url at end
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_MISSING     Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
                            HTML_MESSAGE
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 HTML_DOCTYPE_MISSING   Meta: !__DOCTYPE_ALL && HTML_MESSAGE
 1.3 SAGREY                 Adds score to spam from first-time senders
> Sometimes they score high enough to flag as spam, other times they
> are just below the threshold.
last one was over
> I've debated writing a local rule to flag them as spam if the from
> address does not match what DHL uses, except I have no good samples
> from DHL.
could be a start, but no example showed forged senders here
Re: DHL From Russia
Posted by Thomas Harold <th...@nybeta.com>.
On 8/8/2013 6:12 PM, Benny Pedersen wrote:
>
> show sample on pastebin
>
We see a few of these each week, not sure if they are from Russia:
http://pastebin.com/iBmELtSh
http://pastebin.com/qpxhkJbB
Sometimes they score high enough to flag as spam, other times they are
just below the threshold.
I've debated writing a local rule to flag them as spam if the from
address does not match what DHL uses, except I have no good samples from
DHL.
Re: DHL From Russia
Posted by Benny Pedersen <me...@junc.eu>.
Robert A. Ober skrev den 2013-08-08 22:21:
> Hello Folks,
who?
> First of all, I appreciate the fact that a quality tool like
> SpamAssassin has an opensource version. Only costs time. Furthermore,
> I appreciate all the hard work the devs put into making it better.
opensource means you can make patches and suggest new rules to detect
not detected spam, but time does not permit it ?
> But really, shouldn't the latest version with sa-update run a few
> days ago, be able to block DHL package spam from Russia? How long has
> that been going on? A decade?
show sample on pastebin, don't be stupid
last but not least don't post html on mailing lists