Posted to users@spamassassin.apache.org by Larry Rosenman <le...@lerctr.org> on 2015/05/01 16:55:31 UTC
Particularly annoying spam
http://pastebin.com/4gck7uLD
This one and one's like it seem to get through multiple times/day.
Any help here? Today's is WITH 3.4.1......
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Particularly annoying spam
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 01.05.2015 at 16:55, Larry Rosenman wrote:
>>http://pastebin.com/4gck7uLD
>>
>>This one and one's like it seem to get through multiple times/day.
>>
>>Any help here? Today's is WITH 3.4.1......
On 01.05.15 17:11, Reindl Harald wrote:
>Content analysis details: (14.9 points, 5.5 required)
>
> pts rule name              description
>---- ---------------------- --------------------------------------------------
> 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                            [URIs: aixkids.org]
> 2.5 SPF_FAIL               SPF: sender does not match SPF record (fail)
>                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=tfire.ler-ler%3Dlerctr.org%40aixkids.org;ip=69.12.64.72;r=mail-gw.thelounge.net]
> 5.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
>                            [score: 0.8966]
> 0.3 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
> 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
So, the only way to block this is to manually increase the scores for the rules
URIBL_BLACK, SPF_FAIL and BAYES_80?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do not want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Particularly annoying spam
Posted by Reindl Harald <h....@thelounge.net>.
On 01.05.2015 at 16:55, Larry Rosenman wrote:
> http://pastebin.com/4gck7uLD
>
> This one and one's like it seem to get through multiple times/day.
>
> Any help here? Today's is WITH 3.4.1......
Content analysis details: (14.9 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: aixkids.org]
 2.5 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=tfire.ler-ler%3Dlerctr.org%40aixkids.org;ip=69.12.64.72;r=mail-gw.thelounge.net]
 5.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
                            [score: 0.8966]
 0.3 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
Re: Particularly annoying spam
Posted by Larry Rosenman <le...@lerctr.org>.
On 2015-05-02 15:40, John Hardin wrote:
> On Fri, 1 May 2015, RW wrote:
>
>> On Fri, 01 May 2015 09:55:31 -0500
>> Larry Rosenman wrote:
>>
>>> X-Spam-Report: SpamScore (3.8/5.0) BAYES_99=3.5,BAYES_999=0.2
>>
>> Consider increasing the score of BAYES_99 above 5. For me BAYES_99
>> has
>> an FP rate that's negligible compared with the FP rate of spamassassin
>> itself.
>
> ...and if you don't want to bump BAYES_99 that much, bump BAYES_999 -
> it's a little bit safer.
I wound up turning on SHORTCIRCUIT for BAYES_99 and BAYES_00, and a couple of
other tweaks. So far my mailbox has been blissfully clean :)
Thanks guys!
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Particularly annoying spam
Posted by John Hardin <jh...@impsec.org>.
On Fri, 1 May 2015, RW wrote:
> On Fri, 01 May 2015 09:55:31 -0500
> Larry Rosenman wrote:
>
>> X-Spam-Report: SpamScore (3.8/5.0) BAYES_99=3.5,BAYES_999=0.2
>
> Consider increasing the score of BAYES_99 above 5. For me BAYES_99 has
> an FP rate that's negligible compared with the FP rate of spamassassin
> itself.
...and if you don't want to bump BAYES_99 that much, bump BAYES_999 - it's
a little bit safer.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
I'm seriously considering getting one of those bright-orange prison
overalls and stencilling PASSENGER on the back. Along with the paper
slippers, I ought to be able to walk right through security.
-- Brian Kantor in a.s.r
-----------------------------------------------------------------------
6 days until the 70th anniversary of VE day
Re: Particularly annoying spam
Posted by RW <rw...@googlemail.com>.
On Fri, 01 May 2015 09:55:31 -0500
Larry Rosenman wrote:
> http://pastebin.com/4gck7uLD
>
> This one and one's like it seem to get through multiple times/day.
>
> Any help here? Today's is WITH 3.4.1......
>
> X-Spam-Report: SpamScore (3.8/5.0) BAYES_99=3.5,BAYES_999=0.2
Consider increasing the score of BAYES_99 above 5. For me BAYES_99 has
an FP rate that's negligible compared with the FP rate of spamassassin
itself.
Re: Particularly annoying spam
Posted by Reindl Harald <h....@thelounge.net>.
On 01.05.2015 at 20:22, Matus UHLAR - fantomas wrote:
> On 01.05.15 11:17, Kevin A. McGrail wrote:
>> Reindl's test showed it is hitting URIBL and it looks like it's also a
>> good candidate for raising your SPF score and Bayesian training.
>
> I wouldn't say so... for reaching the standard required_score of 5.0, the
> standard 1.7 points for URIBL_BLACK and the standard 3.5 for BAYES_99 are
> just enough - a properly trained BAYES db should be enough
depends on your setup and *what you do* with high-score spam
required_score is raised here to 5.5 so as not to tag too many messages as
spam just because of some bad template, while the most interesting part is
rejecting messages above 8.0
hence a BAYES_99 with 3.5 gains you nothing here, and the reject score of
8.0 is carefully chosen given that a well-trained bayes scores 80% of all
messages making it to SA with BAYES_00 and so -3.5, by having a zero-FP
policy but at the same time the goal to reject as much as possible
instead of delivering it flagged
BAYES_00 51315 80.37 %
BAYES_05 1794 2.80 %
BAYES_20 1437 2.25 %
BAYES_40 1125 1.76 %
BAYES_50 3711 5.81 %
BAYES_60 456 0.71 %
BAYES_80 386 0.60 %
BAYES_95 297 0.46 %
BAYES_99 3326 5.20 %
BAYES_999 3017 4.72 %
DNSWL 55777 87.36 %
SPF 39387 61.68 %
SPF WL 8159 12.77 %
BLOCKED 5102 7.99 %
score BAYES_00 -3.5
score BAYES_05 -2.0
score BAYES_20 -1.0
score BAYES_40 -0.5
score BAYES_50 2.0
score BAYES_60 3.5
score BAYES_80 5.0
score BAYES_95 6.5
score BAYES_99 7.5
score BAYES_999 0.4
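The three suggestions above (RW: push BAYES_99 above the required score; John Hardin: bump BAYES_999 instead; Reindl: a separate tag score and reject score with the Bayes table just posted) all hinge on one question: for the copies that actually got through, which rules fired, and what does a given override do to the total? The script below is an added example, not code from the SpamAssassin project or from any poster. It parses the two report shapes that appear in this thread (the multi-line "Content analysis details" table and Larry's one-line "SpamScore (x/y) RULE=pts,..." header), both embedded here as constructed samples copied from the posts, and recomputes the total under proposed overrides. The 5.1 and 1.5 trial values in the demo are the editor's illustrations of "above 5" and "bump BAYES_999", not numbers from the thread.

```python
"""What-if rescoring for SpamAssassin reports (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Sample input, constructed from Reindl Harald's report in the thread (his local scores).
REINDL_REPORT = """\
Content analysis details: (14.9 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: aixkids.org]
 2.5 SPF_FAIL               SPF: sender does not match SPF record (fail)
 5.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
                            [score: 0.8966]
 0.3 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
"""

# Larry Rosenman's one-line report for the copy that got through (default scores).
LARRY_REPORT = "X-Spam-Report: SpamScore (3.8/5.0) BAYES_99=3.5,BAYES_999=0.2"

# Reindl Harald's Bayes score table, as posted above.
REINDL_BAYES_SCORES = {
    "BAYES_00": -3.5, "BAYES_05": -2.0, "BAYES_20": -1.0, "BAYES_40": -0.5,
    "BAYES_50": 2.0, "BAYES_60": 3.5, "BAYES_80": 5.0, "BAYES_95": 6.5,
    "BAYES_99": 7.5, "BAYES_999": 0.4,
}

TABLE_HEADER = re.compile(r"\((-?\d+\.\d+) points,\s*(\d+\.\d+) required\)")
TABLE_ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)(?:\s|$)")
COMPACT = re.compile(r"SpamScore\s+\((-?\d+\.\d+)/(\d+\.\d+)\)\s*(.*)$")


@dataclass
class Report:
    total: float                      # total exactly as the header reports it
    required: float                   # required_score in effect on that host
    hits: Dict[str, float] = field(default_factory=dict)  # rule -> points it contributed


def parse_report(text: str) -> Report:
    """Accept either report shape. Continuation lines ([URIs: ...], [score: ...])
    do not start with a number, so the row regex skips them."""
    m = COMPACT.search(text)
    if m:
        hits = {}
        for item in m.group(3).split(","):
            name, _, pts = item.strip().partition("=")
            if name and pts:
                hits[name] = float(pts)
        return Report(float(m.group(1)), float(m.group(2)), hits)
    m = TABLE_HEADER.search(text)
    if not m:
        raise ValueError("not a SpamAssassin report")
    hits = {}
    for line in text.splitlines():
        row = TABLE_ROW.match(line)
        if row:
            hits[row.group(2)] = hits.get(row.group(2), 0.0) + float(row.group(1))
    return Report(float(m.group(1)), float(m.group(2)), hits)


def rescore(report: Report, overrides: Dict[str, float]) -> float:
    """Total under the proposed scores. Only rules that actually fired can move
    the total: raising URIBL_BLACK does nothing for a copy that only hit BAYES_*.
    Points in the header total that no listed rule accounts for are kept as-is."""
    delta = sum(new - report.hits[rule] for rule, new in overrides.items() if rule in report.hits)
    return round(report.total + delta, 1)


def verdict(total: float, required: float, reject: Optional[float] = None) -> str:
    """SpamAssassin flags a message when total >= required_score. 'reject' models a
    second, higher mark enforced at the MTA/glue layer, as in Reindl's setup."""
    if reject is not None and total >= reject:
        return "reject"
    return "spam" if total >= required else "ham"


def what_if(text: str, overrides: Dict[str, float], reject: Optional[float] = None):
    """Parse, rescore and classify in one call; returns (new_total, verdict)."""
    report = parse_report(text)
    total = rescore(report, overrides)
    return total, verdict(total, report.required, reject)


if __name__ == "__main__":
    print("Reindl's box, as posted:     ", what_if(REINDL_REPORT, {}, reject=8.0))
    print("Larry, default scores:       ", what_if(LARRY_REPORT, {}))
    print("Larry, BAYES_99 -> 5.1:      ", what_if(LARRY_REPORT, {"BAYES_99": 5.1}))
    print("Larry, BAYES_999 -> 1.5:     ", what_if(LARRY_REPORT, {"BAYES_999": 1.5}))
    print("Larry, URIBL_BLACK -> 7.0:   ", what_if(LARRY_REPORT, {"URIBL_BLACK": 7.0}))
    print("Larry under Reindl's table:  ", what_if(LARRY_REPORT, REINDL_BAYES_SCORES, reject=8.0))
```

Two things the numbers make visible: Larry's copy carried only BAYES_99 and BAYES_999, so a URIBL_BLACK bump (which Matus mentions) changes nothing for it, while either Bayes bump pushes it over 5.0; and a BAYES_99-only hit under Reindl's table lands on his 8.0 reject line, which is why he wants both a tag threshold and a higher reject threshold rather than one score.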
Re: Particularly annoying spam
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 01.05.15 11:17, Kevin A. McGrail wrote:
>Reindl's test showed it is hitting URIBL and it looks like it's also
>a good candidate for raising your SPF score and Bayesian training.
I wouldn't say so... for reaching the standard required_score of 5.0, the standard
1.7 points for URIBL_BLACK and the standard 3.5 for BAYES_99 are just enough - a
properly trained BAYES db should be enough.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do not want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn your computer on without worry. (Slovak original)
Re: Particularly annoying spam
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/1/2015 11:14 AM, Larry Rosenman wrote:
>>> The rule it will hit on is KAM_SALEA.
>> Beat me to it. I was just adding the domain to the RBL as well.
> Thanks, Guys! I have a cronjob running every 6 hours (but I ran it
> early to get this one).
>
> Which RBL did you add it to, KAM?
PCCC's RBL which is running with KAM.cf. That's a standard process of
our analysis of spamples.
> and, invalument(sp?) seems to want $$ and this is a PERSONAL server :(
I'm both a capitalist and an OSS advocate so I can't really say that's a
good or bad thing. I just thought it was interesting that his RBL was
the only one showing the URL at the time I tested it.
Reindl's test showed it is hitting URIBL and it looks like it's also a
good candidate for raising your SPF score and Bayesian training.
Also, we are likely not seeing much of it due to other techniques at the
glue level like extra reverse DNS checks, HELO checks, valid MX tests,
etc. Stuff I've probably discussed to people's complete boredom over on
the MIMEDefang list.
regards,
KAM
Re: Particularly annoying spam
Posted by Larry Rosenman <le...@lerctr.org>.
On 2015-05-01 10:08, Kevin A. McGrail wrote:
> On 5/1/2015 11:06 AM, Joe Quinn wrote:
>> On 5/1/2015 10:55 AM, Larry Rosenman wrote:
>>> http://pastebin.com/4gck7uLD
>>>
>>> This one and one's like it seem to get through multiple times/day.
>>>
>>> Any help here? Today's is WITH 3.4.1......
>>>
>> That's a variant on a pretty old campaign that I haven't seen get
>> through in a long while.
>>
>> I've updated KAM.cf so it hits your sample, which you can set a
>> cronjob to download from here:
>> http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>>
>> The rule it will hit on is KAM_SALEA.
> Beat me to it. I was just adding the domain to the RBL as well.
Thanks, Guys! I have a cronjob running every 6 hours (but I ran it
early to get this one).
Which RBL did you add it to, KAM?
and, invalument(sp?) seems to want $$ and this is a PERSONAL server :(
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Particularly annoying spam
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/1/2015 11:06 AM, Joe Quinn wrote:
> On 5/1/2015 10:55 AM, Larry Rosenman wrote:
>> http://pastebin.com/4gck7uLD
>>
>> This one and one's like it seem to get through multiple times/day.
>>
>> Any help here? Today's is WITH 3.4.1......
>>
> That's a variant on a pretty old campaign that I haven't seen get
> through in a long while.
>
> I've updated KAM.cf so it hits your sample, which you can set a
> cronjob to download from here:
> http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>
> The rule it will hit on is KAM_SALEA.
Beat me to it. I was just adding the domain to the RBL as well.
Re: Particularly annoying spam
Posted by Joe Quinn <jq...@pccc.com>.
On 5/1/2015 10:55 AM, Larry Rosenman wrote:
> http://pastebin.com/4gck7uLD
>
> This one and one's like it seem to get through multiple times/day.
>
> Any help here? Today's is WITH 3.4.1......
>
That's a variant on a pretty old campaign that I haven't seen get
through in a long while.
I've updated KAM.cf so it hits your sample, which you can set a cronjob
to download from here:
http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
The rule it will hit on is KAM_SALEA.
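A cron job that pulls a rules file from a remote host every few hours and drops it straight into the site config directory trusts that host, the transport (the URL posted is plain http) and the integrity of every download. The script below is an added example, not code from PCCC or the SpamAssassin project. It uses the KAM.cf URL Joe Quinn posted; SITE_DIR and DEST are assumptions about where the site config lives, the list of policy directives it refuses is the editor's choice (it makes no claim about what KAM.cf itself contains), and SAMPLE_RULES is a constructed rules file for the offline demo. The flow: fetch, skip if unchanged, inventory what the file would define, run `spamassassin --lint` against a scratch copy of the live site directory (so the same *.pre plugin loads and local.cf apply as in production, which a bare `--siteconfigpath` on an empty directory would not), and only then swap the file in atomically.

```python
"""Stage a third-party SpamAssassin rules file before it goes live (added example)."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
import urllib.request
from typing import Dict, List, Tuple

KAM_URL = "http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf"  # from the thread
SITE_DIR = "/etc/mail/spamassassin"        # assumed site config directory
DEST = os.path.join(SITE_DIR, "KAM.cf")    # assumed install path

RULE_DEF = re.compile(r"^\s*(header|body|rawbody|uri|full|meta|mimeheader)\s+([A-Za-z_]\w*)")
SCORE_DEF = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")
# Directives that change global policy rather than define a rule. A file fetched
# from a remote host should not set these for you; this list is the example's
# own choice of what to refuse, not a statement about KAM.cf's contents.
POLICY_DIRECTIVE = re.compile(
    r"^\s*(loadplugin|include|whitelist_\w+|blacklist_\w+|trusted_networks|"
    r"internal_networks|required_score)\b")

# Constructed sample for the offline demo; hypothetical rule names, not KAM.cf.
SAMPLE_RULES = """\
# constructed sample rules file, not KAM.cf
header   __EX_SUBJ   Subject =~ /sale/i
body     __EX_BODY   /limited time offer/i
meta     EX_SALE     (__EX_SUBJ && __EX_BODY)
describe EX_SALE     Example sale template
score    EX_SALE     2.5 2.5 2.5 2.5
uri      EX_URI      /example\\.invalid/
"""


def rule_inventory(text: str) -> Dict[str, object]:
    """Summarise a rules file: rule name -> type, explicit scores, rules that would
    run at SpamAssassin's implicit default of 1.0 (no score line, not a __ sub-rule,
    not a T_ test rule), and policy directives that should block installation."""
    rules: Dict[str, str] = {}
    scores: Dict[str, float] = {}
    flagged: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = RULE_DEF.match(line)
        if m:
            rules[m.group(2)] = m.group(1)
            continue
        m = SCORE_DEF.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))  # first of up to four score sets
            continue
        if POLICY_DIRECTIVE.match(line):
            flagged.append((n, line.strip()))
    unscored = sorted(r for r in rules if r not in scores and not r.startswith(("__", "T_")))
    return {"rules": rules, "scores": scores, "unscored": unscored, "flagged": flagged}


def sha256_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest()


def stage_rules(url: str = KAM_URL, dest: str = DEST, site_dir: str = SITE_DIR) -> bool:
    """Fetch, inspect, lint, install. Returns False when the remote file is identical
    to the installed one. Any failure raises, so a cron job exits non-zero and the
    previous file stays in place untouched."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = resp.read()
    if os.path.exists(dest) and hashlib.sha256(data).digest() == sha256_file(dest):
        return False
    inv = rule_inventory(data.decode("utf-8", "replace"))
    if inv["flagged"]:
        raise RuntimeError("refusing to install, policy directives found: %r" % inv["flagged"])
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.join(tmp, "sa")
        shutil.copytree(site_dir, scratch)      # same *.pre and local.cf as production
        with open(os.path.join(scratch, os.path.basename(dest)), "wb") as f:
            f.write(data)
        # --lint exits non-zero on parse errors; check=True turns that into an exception
        subprocess.run(["spamassassin", "--lint", "--siteconfigpath", scratch], check=True)
    with open(dest + ".new", "wb") as f:
        f.write(data)
    os.replace(dest + ".new", dest)             # atomic swap; spamd still needs a reload
    return True


if __name__ == "__main__":
    # Offline demo on the constructed sample; stage_rules() is the cron entry point.
    for key, value in rule_inventory(SAMPLE_RULES).items():
        print(key, value)
```

Run `stage_rules()` from cron instead of a bare download, and reload spamd only when it returns True. The unscored list is worth a look on every update: a rule with no score line fires at 1.0, which in Larry's "3.8 of 5.0" situation is enough to flip the verdict.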
Re: Particularly annoying spam
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/1/2015 10:55 AM, Larry Rosenman wrote:
> http://pastebin.com/4gck7uLD
>
> This one and one's like it seem to get through multiple times/day.
>
> Any help here? Today's is WITH 3.4.1......
>
Haven't seen this spam but I ran it through our test box. Doesn't look
like it hits much except the Invaluement list and an SPF fail.
Content analysis details: (10.0 points, 6.5 required)

 4.0 URIBL_IVMURI           listed on ivmURI found at invaluement.com
                            [URIs: aixkids.org]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [69.12.64.72 listed in sip.invaluement.local]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom&id=tfire.ler-ler%3Dlerctr.org%40aixkids.org&ip=69.12.64.72&r=intel1.peregrinehw.com]
 0.0 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
Regards,
KAM