Posted to users@spamassassin.apache.org by Robert S <ro...@gmail.com> on 2008/03/07 12:41:29 UTC

Lots of "scam" messages getting through SA

I have started, over the last few months, getting a lot of plain text "scam" 
messages ("Nigerian" type scams, lottery wins etc etc).  Previously I had 
almost none of these.

Unfortunately I'd need to send rather a lot of information about my configs, 
and log files to help, but can anybody point me in the right direction.  I 
run sa-update every night.

I do quite extensive filtering before sending messages to spamassassin - I 
use xbl.spamhaus.org to block messages and I also use selective greylisting 
and clam antivirus (which detects some scams).  Maybe I'm not getting enough 
spam to train SA adequately (I train based on my "spam" and "ham" folder 
weekly).

Sorry about the lack of detail, but I'm hoping somebody might have a simple 
answer. 




Re: Lots of "scam" messages getting through SA

Posted by mouss <mo...@netoyen.net>.
Robert S wrote:
> I have started, over the last few months, getting a lot of plain text "scam" 
> messages ("Nigerian" type scams, lottery wins etc etc).  Previously I had 
> almost none of these.
>
> Unfortunately I'd need to send rather a lot of information about my configs, 
> and log files to help, but can anybody point me in the right direction.  I 
> run sa-update every night.
>
>   

The first step is to make a copy of such scams (full headers and body) 
available (on pastebin for example).

> I do quite extensive filtering before sending messages to spamassassin - I 
> use xbl.spamhaus.org to block messages and I also use selective greylisting 
> and clam antivirus (which detects some scams).  Maybe I'm not getting enough 
> spam to train SA adequately (I train based on my "spam" and "ham" folder 
> weekly).
>
> Sorry about the lack of detail, but I'm hoping somebody might have a simple 
> answer. 
>
>
>
>   


Re: Lots of "scam" messages getting through SA

Posted by Robert S <ro...@gmail.com>.
Fixed this by upgrading SA to 3.2.4

Re: Lots of "scam" messages getting through SA

Posted by Robert S <ro...@gmail.com>.
>
>  Have you added the "sought" rules from
>  http://taint.org/2007/08/15/004348a.html
>
>  With these rules and my custom rules I catch 99% of these
>  But I keep getting some 2-5 daily complaints yet from customers
>
I think you're right about the source of these scams.  I've installed this
according to the instructions at taint.org.  Presumably I don't need to do
anything else to make this work.

One problem with this is that the rules won't compile any more.  Any
suggestions?

 # sa-compile
[3635] info: generic: base extraction starting. this can take a while...
[3635] info: generic: extracting from rules of type body_0
100%
[===================================================================================================================================]
82.00 rules/sec 00m16s DONE
100%
[===================================================================================================================================]
55.06 bases/sec 00m41s DONE
[3635] info: body_0: 1865 base strings extracted in 58 seconds
[3635] info: generic: extracting from rules of type body_500
100%
[===================================================================================================================================]
70.76 rules/sec 00m00s DONE
100%
[===================================================================================================================================]
264.09 bases/sec 00m00s DONE
[3635] info: body_500: 2 base strings extracted in 0 seconds
cd /tmp/.spamassassin3635vg5K00tmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
Wide character in print at /usr/bin/sa-compile line 379, <$fh> line 1168.
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c: error: line 42, column 27: can't find symbol
command failed! at /usr/bin/sa-compile line 282, <$fh> line 2964.

Re: Lots of "scam" messages getting through SA

Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <12...@localhost.localdomain>, ram
<ra...@netcore.co.in> writes
>But ultimately this boils down to end user education.
>Recipients must realize that no one from Africa is going to transfer all
>the millions of dollars in an unknown account, or there is nothing
>called a national lottery in the United Kingdom

Why do people keep saying this?  http://www.national-lottery.co.uk/

Yes, it's unlikely someone who lives across the globe and never
purchased a ticket would win, but it's a legit thing.  In fact Camelot
(the company behind it) run the EuroMillions lottery in 9 different
countries apparently.

Education is useful but if someone can see you're wrong in 30 seconds
they'll be less likely to believe you're right about dethroned kings
sending money.

Kevin

Re: Lots of "scam" messages getting through SA

Posted by ram <ra...@netcore.co.in>.
On Fri, 2008-03-07 at 22:41 +1100, Robert S wrote:
> I have started, over the last few months, getting a lot of plain text "scam" 
> messages ("Nigerian" type scams, lottery wins etc etc).  Previously I had 
> almost none of these.
> 
> Unfortunately I'd need to send rather a lot of information about my configs, 
> and log files to help, but can anybody point me in the right direction.  I 
> run sa-update every night.
> 
> I do quite extensive filtering before sending messages to spamassassin - I 
> use xbl.spamhaus.org to block messages and I also use selective greylisting 
> and clam antivirus (which detects some scams).  Maybe I'm not getting enough 
> spam to train SA adequately (I train based on my "spam" and "ham" folder 
> weekly).
> 
> Sorry about the lack of detail, but I'm hoping somebody might have a simple 
> answer. 
> 
> 
> 

Yes .. Some of these keep trickling through :-(
But you should be able to catch most of them.

Have you added the "sought" rules from
http://taint.org/2007/08/15/004348a.html

With these rules and my custom rules I catch 99% of these.
But I keep getting some 2-5 daily complaints yet from customers.

The problem I have noticed is that these spams usually come from
hijacked accounts. Hence they come from legitimate mail servers and
usually get through clean from IP reputation filters.
So your *.spamhaus *.spamcop don't work here.

A frighteningly large number of email users use very simple passwords
(like password, welcome1, hello, pass ..). So spammers just guess
these passwords. Use authenticated sessions and bombard spams. By the
time the admin realizes this, 1000's of spams have already been sent.


But ultimately this boils down to end user education.
Recipients must realize that no one from Africa is going to transfer all
the millions of dollars in an unknown account, or there is nothing
called a national lottery in the United Kingdom


Thanks
Ram
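
Added example, not part of the original thread or of SpamAssassin: a sending-side check for the hijacked-account pattern described in the message above, flagging any authenticated account that submits an unusual burst of mail. The Postfix smtpd log format, the threshold, the window and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Postfix smtpd lines that record the SASL login used
# for each accepted message. The thread does not name the MTA.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

def find_bursts(lines, limit=5, window=timedelta(minutes=10), year=2008):
    """Return {user: (peak_count, client_ips)} for accounts that sent more
    than `limit` authenticated messages within any `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    ips = defaultdict(set)       # user -> every client IP seen for that login
    peak = defaultdict(int)      # user -> largest in-window count observed
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authenticated-submission line
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        ips[m["user"]].add(m["ip"])
        peak[m["user"]] = max(peak[m["user"]], len(q))
    return {u: (peak[u], sorted(ips[u])) for u in peak if peak[u] > limit}

def sample_log():
    """Constructed log: 'alice' sends twice hours apart, 'bob' sends 8
    messages in 35 seconds from two addresses (documentation IP ranges)."""
    fmt = ("Mar  7 {t} mx postfix/smtpd[411]: Q{n}: client=unknown[{ip}], "
           "sasl_method=LOGIN, sasl_username={u}")
    rows = [fmt.format(t="09:00:00", n=0, ip="192.0.2.10", u="alice"),
            fmt.format(t="11:30:00", n=1, ip="192.0.2.10", u="alice")]
    for i in range(8):
        ip = ("198.51.100.7", "203.0.113.9")[i % 2]
        rows.append(fmt.format(t=f"12:00:{i * 5:02d}", n=2 + i, ip=ip, u="bob"))
    return rows

if __name__ == "__main__":
    for user, (count, addrs) in find_bursts(sample_log()).items():
        print(f"{user}: {count} messages in window from {', '.join(addrs)}")
```

A login that appears from several client addresses during the same burst is a stronger sign of a guessed password than volume alone.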