Posted to users@spamassassin.apache.org by Walter Jeffries <wa...@blacklightning.com> on 2005/01/30 05:48:55 UTC

SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

I often get spam that to me looks extremely spammy.
Yet SA doesn't seem to think much of it and passes it with
little to no comment. Below is a very typical example.
The only thing SA noted was FORGED_RCVD_HELO which
given both the subject line and the message content is
rather surprising.

Why aren't more tests being triggered?

How do I get more rules to be triggered? (flip side of the coin)

Unfortunately I can't use custom rules because my host (vonetwork.com)
isn't willing to let users run custom rules. :( How do I stop this sort
of spam?

This is my first post. In the subject parenthetical I listed "(SA 
version=3.0.2, Unix, spamd)". Is that the information that should be 
provided when asking a question in this list?

Cheers,

-Walter
in Vermont
at the end of a
glorious winter day

> From zipewjnwutyexk@chinesemail.org Sat Jan 29 16:26:28 2005
> Return-path: <zi...@chinesemail.org>
> Envelope-to: zcatchall@blacklighting.com
> Delivery-date: Sat, 29 Jan 2005 15:15:11 -0600
> Received: from bling by host32.root-name-server.net with local-bsmtp
> (Exim 4.43)
> 	id 1Cuzvy-0003t6-0K
> 	for zcatchall@blacklighting.com; Sat, 29 Jan 2005 15:15:11 -0600
> Received: from [222.147.38.248]
> (helo=p3248-ipbf207sapodori.hokkaido.ocn.ne.jp)
> 	by host32.root-name-server.net with smtp (Exim 4.43)
> 	id 1Cuzvx-0003pb-3H; Sat, 29 Jan 2005 15:15:09 -0600
> Received: from butte.newmail.net ([64.247.5.99])
>  by salvatore.newmail.net (Sun Java System Messaging Server 6.1 HotFix
> 0.04 (built
>  Aug 28 2004)) with ESMTP id <0F...@salvatore.newmail.net>
> for
>  shaw@flashmag.com; Sun, 30 Jan 2005 02:14:08 +0500 (IST)
> Received: from bequeath.homeway.com.cn ([209.10.161.199])
>  by butte.newmail.net
>  (Sun Java System Messaging Server 6.1 HotFix 0.00 (built Aug 29 2004))
>  with ESMTP id <0X...@butte.newmail.net> for
> shaw@flashmag.com
>  (ORCPT shaw@flashmag.com); Sat, 29 Jan 2005 16:09:08 -0500 (IST)
> Received: from haploidy.homeway.com.cn ([63.99.209.29])
>  by bequeath.homeway.com.cn with Microsoft SMTPSVC(6.0.0064.777); Sat,
> 29 Jan 2005 15:14:08 -0600
> Date: Sat, 29 Jan 2005 18:08:08 -0300
> From: "Shelton Geiger" <zi...@chinesemail.org>
> To: <sh...@flashmag.com>
> Subject: DO Y0u L0ve Penny StOx?
> Message-ID: <89...@bequeath.homeway.com.cn>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="UTF-8"
> Content-Transfer-Encoding: 7Bit
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
> 	host32.root-name-server.net
> X-Spam-Level:
> X-Spam-Status: No, score=0.1 required=2.1 tests=FORGED_RCVD_HELO
> autolearn=no
> 	version=3.0.2
> Sender:  <bl...@host32.root-name-server.net>
>
>
>
> MNEI - The best Smal| Cap Stock in 2005 just keep reading the profi|e
> and the news of this company and you wi|l see fOr yOurse|f
>
>
> THIS ST0CK IS UNDISC0VERED ST0CK GEM - Just starting to trade
>
>
> Mi||ennium National Events, Inc. - Symbo|: MNEI
>
> Mi||enniums current roster of event sponsors inc|udes such names as: WM
> Wrig|ey, American Express, Office Depot, Verizon, Italian Rose, TWA,
:
ad infinitum


Re: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

Posted by jdow <jd...@earthlink.net>.
You really must meet the SpamAssassin Rules Emporium and its ninjas.
These wonderful people have spent a great deal of time designing sets
of rules for specific types of spam. Then they test them to get the
optimal rule scores regarding their false alarm rates and miss rates
on larger corpora of ham and spam.

http://www.rulesemporium.com/ is their chief hangout. Choose the rule
sets carefully. In many cases they have broken up a category of rules
into three levels. The first involves VERY few false alarms. The second
is more aggressive and is where I usually stop for myself. The third
is very aggressive and prone to more false alarms. So be careful with
your selections. An ISP setup might want to be more conservative than
a home setup for a family.

{^_^}
----- Original Message ----- 
From: "Walter Jeffries" <wa...@blacklightning.com>

> I often get spam that to me looks extremely spammy.
> Yet SA doesn't seem to think much of it and passes it with
> little to no comment. Below is a very typical example.
> The only thing SA noted was FORGED_RCVD_HELO which
> given both the subject line and the message content is
> rather surprising.
> 
> Why aren't more tests being triggered?
> 
> How do I get more rules to be triggered? (flip side of the coin)
> 
> Unfortunately I can't use custom rules because my host (vonetwork.com)
> isn't willing to let users run custom rules. :( How do I stop this sort
> of spam?
> 
> This is my first post. In the subject parenthetical I listed "(SA 
> version=3.0.2, Unix, spamd)". Is that the information that should be 
> provided when asking a question in this list?
> 
> Cheers,
> 
> -Walter
> in Vermont
> at the end of a
> glorious winter day



Re: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

Posted by Thomas Arend <ml...@arend-whv.info>.

On Sunday, 30 January 2005 05:48, Walter Jeffries wrote:
> I often get spam that to me looks extremely spammy.
> Yet SA doesn't seem to think much of it and passes it with
> little to no comment. Below is a very typical example.
> The only thing SA noted was FORGED_RCVD_HELO which
> given both the subject line and the message content is
> rather surprising.
>
> Why aren't more tests being triggered?

Because they do not fit these messages. The default installation does not
have many rules for these messages.
>
> How do I get more rules to be triggered? (flip side of the coin)

1. Use bayes filtering. Train the message with sa-learn --spam ...
Next time bayes filtering will detect this type of message as spam.

2. Write your own rules for this type of message or look for rules on 
rulesemporium.

>
> Unfortunately I can't use custom rules because my host (vonetwork.com)
> isn't willing to let users run custom rules. :( How do I stop this sort
> of spam?

Try bayes filtering. Train at least 200 ham and 200 spam messages with 
sa-learn.


>
> This is my first post. In the subject parenthetical I listed "(SA
> version=3.0.2, Unix, spamd)". Is that the information that should be
> provided when asking a question in this list?

That's a very good idea. Sometimes the magic eye works, but mostly I forget 
where I put it down. So please give as much information as possible.


Regards

Thomas
 
>
> Cheers,
>
> -Walter
> in Vermont
> at the end of a
> glorious winter day
>

-- 
icq:133073900
http://www.t-arend.de

Re: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Walter,

Saturday, January 29, 2005, 8:48:55 PM, you wrote:

WJ> Why aren't more tests being triggered?
WJ> How do I get more rules to be triggered? (flip side of the coin)

WJ> Unfortunately I can't use custom rules because my host
WJ> (vonetwork.com) isn't willing to let users run custom rules. :(
WJ> How do I stop this sort of spam?

These three tie together.

Spam evolves. Spammers change their methods to try to get around
anti-spam filters.

Therefore, filter rules and methods change. The ways to keep up with
the spammers are to
a) Keep current with SpamAssassin versions, to benefit from the latest
technology.
b) Keep current with custom rules, to benefit from the latest
technology. See http://wiki.apache.org/spamassassin/CustomRulesets
c) Add your own custom rules where even (b) isn't fast enough for you.
d) Maintain a good bayes database.

If your web/mail host does not do (a), run (don't walk) to another
host that does. Make sure this is part of your evaluation for any new
host.

If your web/mail host does not allow you to do (d), ditto.

If your web/mail host does not do (b) within reason, consider
switching hosts to one that does.

If your web/mail host does/allows (a), (b), and (d), then (c) is less
important, but depending on how much time you want to put into this it
might still be useful. If your web/mail host does (a) but not (d),
then you need (c) (if only to do (b) yourself).

FYI, my web host does (a) and (d), and still without (b) and (c) I
found I wasn't satisfied with my host. I just switched hosts, and
expect my filter performance to increase very significantly.

WJ> This is my first post. In the subject parenthetical I listed "(SA
WJ> version=3.0.2, Unix, spamd)". Is that the information that should be
WJ> provided when asking a question in this list?

Yes, though usually it's good enough to put this into the email body.

Bob Menschel




RE: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

Posted by "Jack L. Stone" <ja...@sage-american.com>.
At 09:40 AM 1.30.2005 -0500, Chris Harvey wrote:
> 
>> Why aren't more tests being triggered?
>
>I was having similar problems recently where SA didn't seem to be picking up
>much spam. Running spamd in debug mode showed me a number of things were
>going wrong that must have happened over time with various other binary
>updates (i.e. DNS wasn't working) and secondly some config mistakes I made a
>while back.
>
>Perhaps running in debug mode will give you more of a clue as to what is
>going on?
>
>> Unfortunately I can't use custom rules because my host (vonetwork.com)
>> isn't willing to let users run custom rules. :( How do I stop this sort
>> of spam?
>
>Are you running an email server with SA or are you simply seeing the results
>of 'their' SA defenses?
>

Why don't you just run the spamstats.pl program and see a summary of the
rules being fired.

Again, here's mine with SA running about 7 hours:
http://www.sage-american.com/spamstats.html


Happy trails,
Jack L. Stone

System Admin
Sage-american
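
A rule-hit tally in the spirit of the summary suggested above, as an added example (it is not spamstats.pl and not code from anyone in this thread): it parses folded X-Spam-Status headers like the one quoted in the original post, counts which rules fire, and counts messages on which no DNS-based test hit. The sample messages and the RCVD_IN_/URIBL_ prefix list are assumptions made for the example.

```python
import email
import re
from collections import Counter

# Constructed samples: the first reuses the folded X-Spam-Status header
# quoted in this thread; the other two are made up for illustration.
SAMPLE_MESSAGES = [
    "Subject: DO Y0u L0ve Penny StOx?\n"
    "X-Spam-Status: No, score=0.1 required=2.1 tests=FORGED_RCVD_HELO\n"
    " autolearn=no\n"
    "\tversion=3.0.2\n\nbody\n",
    "Subject: constructed sample 2\n"
    "X-Spam-Status: Yes, score=7.4 required=2.1 tests=BAYES_99,\n"
    "\tFORGED_RCVD_HELO,RCVD_IN_XBL autolearn=no version=3.0.2\n\nbody\n",
    "Subject: constructed sample 3\n"
    "X-Spam-Status: No, score=0.0 required=2.1 tests=none autolearn=no\n"
    "\tversion=3.0.2\n\nbody\n",
]
# Assumption: rule names with these prefixes are treated as DNS-based tests.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_")
STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s+score=(?P<score>-?[\d.]+)"
    r"\s+required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>(?:\w+,\s*)*\w+)")

def parse_status(raw_message):
    """Return (is_spam, score, required, [rules]) or None if not scanned."""
    value = email.message_from_string(raw_message)["X-Spam-Status"]
    m = STATUS_RE.match(value.strip()) if value else None
    if m is None:
        return None
    # The rule list may be folded across lines after a comma; "none" = no hits.
    tests = [t for t in re.split(r",\s*", m["tests"]) if t != "none"]
    return m["verdict"] == "Yes", float(m["score"]), float(m["required"]), tests

def summarize(raw_messages):
    """Tally rule hits and count messages on which no DNS-based rule fired."""
    rule_hits, scanned, no_network = Counter(), 0, 0
    for raw in raw_messages:
        parsed = parse_status(raw)
        if parsed is None:
            continue
        scanned += 1
        rule_hits.update(parsed[3])
        if not any(t.startswith(NETWORK_PREFIXES) for t in parsed[3]):
            no_network += 1
    return {"scanned": scanned, "rule_hits": rule_hits,
            "no_network_hits": no_network}

if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```

If DNS-based rules never appear in the tally across a large mailbox, that matches the kind of silent DNS failure described earlier in the thread and is worth confirming with spamd's debug output.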

RE: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

Posted by Chris Harvey <sa...@e-harvey.com>.
 
> Why aren't more tests being triggered?

I was having similar problems recently where SA didn't seem to be picking up
much spam. Running spamd in debug mode showed me a number of things were
going wrong that must have happened over time with various other binary
updates (i.e. DNS wasn't working) and secondly some config mistakes I made a
while back.

Perhaps running in debug mode will give you more of a clue as to what is
going on?

> Unfortunately I can't use custom rules because my host (vonetwork.com)
> isn't willing to let users run custom rules. :( How do I stop this sort
> of spam?

Are you running an email server with SA or are you simply seeing the results
of 'their' SA defenses?