Posted to users@spamassassin.apache.org by Thomas Harold <th...@nybeta.com> on 2009/12/04 17:00:33 UTC
Smart Smoker spam sailing past SA scores
SA had a lot of trouble identifying this as spam. The IP
(174.139.37.196) is not yet listed in a lot of the DNSBLs. So it only
scored around a 1.0 on the spam meter.
http://pastebin.com/m1d0a75b7
It uses a block of foreign language spam at the end to get past some SA
checks, such as HTML_IMAGE_RATIO. The text/plain section is completely
empty (and doesn't match the text/html section).
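Thomas's observation about the empty text/plain part and the non-matching text/html part can be checked mechanically. The following Python is an added example, not code from the thread or from SpamAssassin: it parses a constructed multipart/alternative message of that shape, pulls the visible text out of the HTML part, and reports whether the plain alternative is empty or disagrees with it. The two sample messages, the word-overlap measure and the 0.5 threshold are this example's own assumptions.

```python
"""Flag multipart/alternative mail whose text/plain part is empty or does not
describe the same content as its text/html part."""
from __future__ import annotations

import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not the pastebin message): an empty text/plain
# alternative next to a text/html part that carries the whole pitch.
SPAM_LIKE = b"""\
From: promo@example.invalid
To: someone@example.invalid
Subject: Smart Smoker
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Buy the Smart Smoker today!</p>
<img src="http://example.invalid/smoker.gif"></body></html>
--b1--
"""

# Constructed control: a well-formed alternative whose two parts agree.
WELL_FORMED = b"""\
From: shop@example.invalid
To: someone@example.invalid
Subject: Your order
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Your order 42 has shipped.

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your order 42 has shipped.</p></body></html>
--b2--
"""


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document, skipping script/style."""

    def __init__(self) -> None:
        super().__init__()
        self._chunks: list[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._chunks.append(data)

    def text(self) -> str:
        return " ".join(self._chunks)


def html_to_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def _words(text: str) -> set[str]:
    return set(re.findall(r"[\w']+", text.lower()))


def extract_alternatives(raw: bytes) -> tuple[str, str]:
    """Return (text of all text/plain parts, visible text of all text/html parts)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(part.get_content())
        elif ctype == "text/html":
            html.append(html_to_text(part.get_content()))
    return "\n".join(plain).strip(), "\n".join(html).strip()


def check_alternative_mismatch(raw: bytes, threshold: float = 0.5) -> dict:
    """Compare the two alternatives by word overlap (Jaccard similarity).

    `threshold` is an assumed cut-off for this example, not a SpamAssassin
    setting: below it the parts are reported as not describing the same mail."""
    plain, html = extract_alternatives(raw)
    pw, hw = _words(plain), _words(html)
    union = pw | hw
    similarity = len(pw & hw) / len(union) if union else 1.0
    return {
        "empty_plain": not plain and bool(html),
        "similarity": round(similarity, 2),
        "mismatch": bool(html) and similarity < threshold,
    }


if __name__ == "__main__":
    print("spam-like:  ", check_alternative_mismatch(SPAM_LIKE))
    print("well-formed:", check_alternative_mismatch(WELL_FORMED))
```

SpamAssassin's own MPART_ALT_DIFF rule fires on this kind of disagreement between alternatives; a stand-alone check like this is mainly useful for seeing what a given message looks like to such a rule before deciding whether a local score adjustment is warranted.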
Re: Smart Smoker spam sailing past SA scores
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 4.12.2009 18:00, Thomas Harold wrote:
> > SA had a lot of trouble identifying this as spam. The IP
> > (174.139.37.196) is not yet listed in a lot of the DNSBLs. So it only
> > scored around a 1.0 on the spam meter.
> >
> > http://pastebin.com/m1d0a75b7
On 04.12.09 22:42, Jari Fredriksson wrote:
> Content analysis details:   (14.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
>                             [174.139.37.196 listed in bb.barracudacentral.org]
>  1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
>                             [174.139.37.196 listed in hostkarma.junkemailfilter.com]
>  0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
>                             [174.139.37.196 listed in bl.spameatingmonkey.net]
>  4.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
>  0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
>  2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
...these are all unofficial rules
> -2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
>                             [score: 0.0515]
>  2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
these require manual training/configuration, although anyone should
configure languages as one of the first things...
>  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: globalsaveonlinepath.net]
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>                             [cf: 100]
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
OP was apparently an early recipient, so they didn't match that time.
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
well, these should match anywhere anytime ;)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Smart Smoker spam sailing past SA scores
Posted by Henrik K <he...@hege.li>.
On Sat, Dec 05, 2009 at 09:51:40PM -0700, LuKreme wrote:
> On 5-Dec-2009, at 12:26, Jari Fredriksson wrote:
> > On 5.12.2009 16:03, LuKreme wrote:
> >>
> >>
> >> On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
> >>
> >>> Content analysis details: (14.9 points, 5.0 required)
> >>
> >> 14 of your points come from the IP being listed. It was not listed
> >> initially, and scored 0.9 on your tests based on that.
> >>
> >
> > Really?
> >
> >  4.0 BOTNET                 Relay might be a spambot or virusbot
> >                             [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
> >  2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
> >  0.0 HTML_MESSAGE           BODY: HTML included in message
> > -2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
> >  0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
> >  0.1 RDNS_NONE              Delivered to trusted network by a host with
> >
> > 4 + 2,8 + 0 - 2,5 + 0,6 + 0,1 = 5 (catch)
>
> What about:
>
>  1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
>  1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
>  0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
>  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>  2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
Why do you guys keep on nitpicking about rules and scores thread after
thread?
The fact is that SpamAssassin is probably _never_ going to catch 0-day spam
(or even much longer, pick your number) on purely "default non-net" rules.
The content rules are extremely simple to bypass and sa-update will never be
realtime. You only block when someone else has seen the spam or on
botnet/rdns rules. Or when Bayes has happened to see similar stuff.
Re: Smart Smoker spam sailing past SA scores
Posted by LuKreme <kr...@kreme.com>.
On 5-Dec-2009, at 12:26, Jari Fredriksson wrote:
> On 5.12.2009 16:03, LuKreme wrote:
>>
>>
>> On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
>>
>>> Content analysis details: (14.9 points, 5.0 required)
>>
>> 14 of your points come from the IP being listed. It was not listed
>> initially, and scored 0.9 on your tests based on that.
>>
>
> Really?
>
>  4.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
>  2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
>  0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
>  0.1 RDNS_NONE              Delivered to trusted network by a host with
>
> 4 + 2,8 + 0 - 2,5 + 0,6 + 0,1 = 5 (catch)
What about:
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
--
Ten Minutes ago you beat a man senseless.
He was senseless before I beat him.
Re: Smart Smoker spam sailing past SA scores
Posted by Jari Fredriksson <ja...@iki.fi>.
On 5.12.2009 16:03, LuKreme wrote:
>
>
> On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
>
>> Content analysis details: (14.9 points, 5.0 required)
>
> 14 of your points come from the IP being listed. It was not listed
> initially, and scored 0.9 on your tests based on that.
>
Really?
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with
4 + 2,8 + 0 - 2,5 + 0,6 + 0,1 = 5 (catch)
--
http://www.iki.fi/jarif/
You will be reincarnated as a toad; and you will be much happier.
Re: Smart Smoker spam sailing past SA scores
Posted by RW <rw...@googlemail.com>.
On Sat, 5 Dec 2009 07:03:34 -0700
LuKreme <kr...@kreme.com> wrote:
>
>
> On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
>
> > Content analysis details: (14.9 points, 5.0 required)
>
> 14 of your points come from the IP being listed. It was not listed
> initially, and scored 0.9 on your tests based on that.
I make it 5.0 without report-based rules.
Re: Smart Smoker spam sailing past SA scores
Posted by LuKreme <kr...@kreme.com>.
On Dec 4, 2009, at 13:42, Jari Fredriksson <ja...@iki.fi> wrote:
> Content analysis details: (14.9 points, 5.0 required)
14 of your points come from the IP being listed. It was not listed
initially, and scored 0.9 on your tests based on that.
Re: Smart Smoker spam sailing past SA scores
Posted by Jari Fredriksson <ja...@iki.fi>.
On 4.12.2009 18:00, Thomas Harold wrote:
> SA had a lot of trouble identifying this as spam. The IP
> (174.139.37.196) is not yet listed in a lot of the DNSBLs. So it only
> scored around a 1.0 on the spam meter.
>
> http://pastebin.com/m1d0a75b7
>
> It uses a block of foreign language spam at the end to get past some SA
> checks, such as HTML_IMAGE_RATIO. The text/plain section is completely
> empty (and doesn't match the text/html section).
>
Content analysis details:   (14.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [174.139.37.196 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [174.139.37.196 listed in hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [174.139.37.196 listed in bl.spameatingmonkey.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
--
http://www.iki.fi/jarif/
Many pages make a thick book.
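The thread disagrees about how much of the 14.9 came from reputation lookups. As an added example, not the thread's or SpamAssassin's own code, the following Python re-totals Jari's report with and without the network and report-based rules. The report text is Jari's, with the mail line wrapping undone; the classification of rules as "network" by name prefix is this example's own assumption.

```python
"""Re-total a SpamAssassin 'Content analysis details' report with and without
network/reputation rules, to see which rules actually carried the verdict."""
from __future__ import annotations

import re
from typing import Callable

# Jari's report from the thread, with the mail client's line wrapping undone.
REPORT = """\
Content analysis details:   (14.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [174.139.37.196 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [174.139.37.196 listed in hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [174.139.37.196 listed in bl.spameatingmonkey.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL
"""

HEADER_RE = re.compile(r"\(\s*(-?\d+\.\d+) points,\s*(-?\d+\.\d+) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")

# Assumed classification for this example: rules whose verdict comes from a
# DNS blocklist, URI blocklist or checksum-reporting service.  BOTNET and the
# SPF rules also do DNS lookups but are not reputation lists, so they stay on
# the local side, which is how Jari counted them.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "DCC_", "PYZOR_")
NETWORK_EXACT = {"KHOP_DNSBL_BUMP"}


def is_network_rule(name: str) -> bool:
    return name.startswith(NETWORK_PREFIXES) or name in NETWORK_EXACT


def parse_report(text: str) -> tuple[float, float, list[tuple[float, str, str]]]:
    """Return (reported total, required score, [(score, rule, description), ...])."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'Content analysis details' header found")
    total, required = float(header.group(1)), float(header.group(2))
    rules: list[tuple[float, str, str]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif rules and line.startswith("    "):
            # an indented continuation ("[... listed in ...]", "[cf: 100]")
            # belongs to the rule on the previous line
            score, name, desc = rules[-1]
            rules[-1] = (score, name, desc + " " + line.strip())
    return total, required, rules


def total_score(rules, keep: Callable[[str], bool] = lambda name: True) -> float:
    """Sum the displayed scores of the rules that `keep` accepts."""
    return round(sum(score for score, name, _ in rules if keep(name)), 1)


def summarize(text: str) -> dict:
    total, required, rules = parse_report(text)
    everything = total_score(rules)
    local = total_score(rules, keep=lambda n: not is_network_rule(n))
    return {
        "reported_total": total,
        "required": required,
        "summed_rules": everything,
        "without_network": local,
        "network_points": round(everything - local, 1),
        "caught_without_network": local >= required,
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key:>24}: {value}")
```

Run as a script it prints the split: the one-decimal scores shown in the report add up to 15.0 (SpamAssassin rounds each rule score for display, so the 14.9 in the header need not match exactly), of which 10.0 points come from the DNSBL, URIBL and Razor2 rules. What is left is 5.0 from local rules, which is the figure RW and Jari arrive at and exactly the required threshold; without the reputation lookups this message sits right on the line.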