Posted to users@spamassassin.apache.org by Robert S <ro...@gmail.com> on 2008/03/07 12:41:29 UTC
Lots of "scam" messages getting through SA
I have started, over the last few months, getting a lot of plain text "scam"
messages ("Nigerian" type scams, lottery wins etc etc). Previously I had
almost none of these.
Unfortunately I'd need to send rather a lot of information about my configs,
and log files to help, but can anybody point me in the right direction? I
run sa-update every night.
I do quite extensive filtering before sending messages to spamassassin - I
use xbl.spamhaus.org to block messages and I also use selective greylisting
and clam antivirus (which detects some scams). Maybe I'm not getting enough
spam to train SA adequately (I train based on my "spam" and "ham" folder
weekly).
Sorry about the lack of detail, but I'm hoping somebody might have a simple
answer.
Re: Lots of "scam" messages getting through SA
Posted by mouss <mo...@netoyen.net>.
Robert S wrote:
> I have started, over the last few months, getting a lot of plain text "scam"
> messages ("Nigerian" type scams, lottery wins etc etc). Previously I had
> almost none of these.
>
> Unfortunately I'd need to send rather a lot of information about my configs,
> and log files to help, but can anybody point me in the right direction? I
> run sa-update every night.
>
>
The first step is to make a copy of such scams (full headers and body)
available (on pastebin for example).
> I do quite extensive filtering before sending messages to spamassassin - I
> use xbl.spamhaus.org to block messages and I also use selective greylisting
> and clam antivirus (which detects some scams). Maybe I'm not getting enough
> spam to train SA adequately (I train based on my "spam" and "ham" folder
> weekly).
>
> Sorry about the lack of detail, but I'm hoping somebody might have a simple
> answer.
>
>
>
>
Re: Lots of "scam" messages getting through SA
Posted by Robert S <ro...@gmail.com>.
Fixed this by upgrading SA to 3.2.4
Re: Lots of "scam" messages getting through SA
Posted by Robert S <ro...@gmail.com>.
>
> Have you added the "sought" rules from
> http://taint.org/2007/08/15/004348a.html
>
> With these rules and my custom rules I catch 99% of these.
> But I still keep getting some 2-5 daily complaints from customers.
>
I think you're right about the source of these scams. I've installed this
according to the instructions at taint.org. Presumably I don't need to do
anything else to make this work.
One problem with this is that the rules won't compile any more. Any
suggestions?
# sa-compile
[3635] info: generic: base extraction starting. this can take a while...
[3635] info: generic: extracting from rules of type body_0
100%
[===================================================================================================================================]
82.00 rules/sec 00m16s DONE
100%
[===================================================================================================================================]
55.06 bases/sec 00m41s DONE
[3635] info: body_0: 1865 base strings extracted in 58 seconds
[3635] info: generic: extracting from rules of type body_500
100%
[===================================================================================================================================]
70.76 rules/sec 00m00s DONE
100%
[===================================================================================================================================]
264.09 bases/sec 00m00s DONE
[3635] info: body_500: 2 base strings extracted in 0 seconds
cd /tmp/.spamassassin3635vg5K00tmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
Wide character in print at /usr/bin/sa-compile line 379, <$fh> line 1168.
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c: error: line 42, column 27: can't find symbol
command failed! at /usr/bin/sa-compile line 282, <$fh> line 2964.
Re: Lots of "scam" messages getting through SA
Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <12...@localhost.localdomain>, ram
<ra...@netcore.co.in> writes
>But ultimately this boils down to end user education.
>Recipients must realize that no one from Africa is going to transfer all
>the millions of dollars in an unknown account, or there is nothing
>called a national lottery in the United Kingdom
Why do people keep saying this? http://www.national-lottery.co.uk/
Yes, it's unlikely someone who lives across the globe and never
purchased a ticket would win, but it's a legit thing. In fact Camelot
(the company behind it) run the EuroMillions lottery in 9 different
countries apparently.
Education is useful but if someone can see you're wrong in 30 seconds
they'll be less likely to believe you're right about dethroned kings
sending money.
Kevin
Re: Lots of "scam" messages getting through SA
Posted by ram <ra...@netcore.co.in>.
On Fri, 2008-03-07 at 22:41 +1100, Robert S wrote:
> I have started, over the last few months, getting a lot of plain text "scam"
> messages ("Nigerian" type scams, lottery wins etc etc). Previously I had
> almost none of these.
>
> Unfortunately I'd need to send rather a lot of information about my configs,
> and log files to help, but can anybody point me in the right direction? I
> run sa-update every night.
>
> I do quite extensive filtering before sending messages to spamassassin - I
> use xbl.spamhaus.org to block messages and I also use selective greylisting
> and clam antivirus (which detects some scams). Maybe I'm not getting enough
> spam to train SA adequately (I train based on my "spam" and "ham" folder
> weekly).
>
> Sorry about the lack of detail, but I'm hoping somebody might have a simple
> answer.
>
>
>
Yes... Some of these keep trickling through :-(
But you should be able to catch most of them.
Have you added the "sought" rules from
http://taint.org/2007/08/15/004348a.html
With these rules and my custom rules I catch 99% of these.
But I still keep getting some 2-5 daily complaints from customers.
The problem I have noticed is that these spams usually come from
hijacked accounts. Hence they come from legitimate mail servers and
usually get through clean from IP reputation filters.
So your *.spamhaus *.spamcop don't work here.
A frighteningly large number of email users use very simple passwords
(like password, welcome1, hello, pass ...). So spammers just guess
these passwords, use authenticated sessions and bombard spams. By the
time the admin realizes this, 1000's of spams have already been sent.
But ultimately this boils down to end user education.
Recipients must realize that no one from Africa is going to transfer all
the millions of dollars in an unknown account, or there is nothing
called a national lottery in the United Kingdom.
Thanks
Ram
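
Added example, not part of the original thread or of SpamAssassin: one way for the admin of a sending server to notice the hijacked-account pattern ram describes before thousands of messages go out, by counting authenticated submissions per login in the mail log. The Postfix smtpd log format, the thresholds and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Postfix smtpd lines for authenticated (SASL) submissions.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)"
)

def parse(line, year=2008):
    """Return (timestamp, user, client_ip) or None; syslog has no year, so pass one."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"].lower(), m["ip"]

def suspicious_accounts(lines, max_msgs=5, window=timedelta(minutes=10), max_ips=2):
    """Map each flagged account to the reasons it was flagged."""
    recent, ips, flagged = defaultdict(deque), defaultdict(set), {}
    for ts, user, ip in filter(None, map(parse, lines)):
        sent = recent[user]
        sent.append(ts)
        while ts - sent[0] > window:      # drop sends older than the window
            sent.popleft()
        ips[user].add(ip)
        if len(sent) > max_msgs:          # too many messages in one window
            flagged.setdefault(user, set()).add("burst")
        if len(ips[user]) > max_ips:      # one login used from many addresses
            flagged.setdefault(user, set()).add("many-ips")
    return flagged

# Constructed sample log (not from the thread): bob sends 8 messages in
# 8 seconds from 4 addresses; alice sends 2 messages an hour apart.
SAMPLE = [
    f"Mar  7 12:41:{s:02d} mx1 postfix/smtpd[3635]: 4F2A{s:02d}: "
    f"client=unknown[203.0.113.{s % 4 + 1}], sasl_method=LOGIN, "
    "sasl_username=bob@example.org"
    for s in range(8)
] + [
    f"Mar  7 {h:02d}:00:00 mx1 postfix/smtpd[3601]: 1A2B{h:02d}: "
    "client=home[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@example.org"
    for h in (9, 10)
] + ["Mar  7 10:00:01 mx1 postfix/smtpd[3601]: connect from home[198.51.100.9]"]

if __name__ == "__main__":
    for user, reasons in suspicious_accounts(SAMPLE).items():
        print(user, sorted(reasons))
```

The thresholds need tuning against normal traffic; a flagged login is a prompt to check the account and reset its password, not proof of compromise.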