Posted to users@spamassassin.apache.org by Luis Hernán Otegui <lu...@gmail.com> on 2006/12/26 16:04:57 UTC

SA not catching apostrophes in sender's addresses?

Hi, list. I have been under heavy stock alert spamming. Currently, my
setup goes like this:

-Debian Sarge
-Postfix 2.1.5-9 with VDA patch
-Amavisd-new 2.4.2
-SA 3.1.5
-ClamAV 0.84-2.sarge.1
-Mysql 4.0.24-10sarge

System was installed and is maintained via apt. I've recently added the
sa-update script to my cron. SA stores Bayes and the AWL in Mysql.

But for a month or so, I've noticed that in some senders' addresses
(spammers, of course) there are apostrophes. Shouldn't they get caught by
the INVALID_CHARACTERS rule? I'm only getting a 3.5 point score because of
the BAYES tokens. My quarantine threshold is at 5, and the reject threshold is
set at 8.

If there are no problems with my setup, could somebody point me to a custom
rule in order to stop this type of spam?

Here I put an example of this kind of message:


<SNIP-SPAM>--------------------
From Philadelphia'sNegro@abc-job.ru mar dic 26 09:54:17 2006
Return-Path: <Ph...@abc-job.ru>
X-Original-To: luis_o@biol.unlp.edu.ar
Delivered-To: luis_o@biol.unlp.edu.ar
Received: from localhost (localhost [127.0.0.1])
    by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id 7342870EE1
    for <lu...@biol.unlp.edu.ar>; Tue, 26 Dec 2006 09:54:17 -0300 (ART)
X-Virus-Scanned: by amavisd-new-2.4.2 (20060627) (Debian) at
biol.unlp.edu.ar
X-Spam-Score: 3.5
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 tagged_above=2 required=5 tests=[BAYES_99=3.5]
Received: from nahuel.biol.unlp.edu.ar ([127.0.0.1])
    by localhost (nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port
10024)
    with ESMTP id Xp6-Zl9r-rE0 for <lu...@biol.unlp.edu.ar>;
    Tue, 26 Dec 2006 09:54:17 -0300 (ART)
Received: from mx1planet.ingw.tn (unknown [80.51.251.194])
    by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id B23AE70ECC
    for <lu...@biol.unlp.edu.ar>; Tue, 26 Dec 2006 09:54:09 -0300 (ART)
Received: from 217.16.16.81 (HELO mx1.masterhost.ru)
     by biol.unlp.edu.ar with esmtp (7>7@=..JK4 F1@*RD)
     id A2G5G)-2;9776-1/
     for luis_o@biol.unlp.edu.ar; Tue, 26 Dec 2006 13:04:44 -0060
From: "Curtis Finch" <Ph...@abc-job.ru>
To: <lu...@biol.unlp.edu.ar>
Subject: Curtis
Date: Tue, 26 Dec 2006 13:04:44 -0060
Message-ID: <01c728ee$69f80d60$6c822ecf@Philadelphia'sNegro>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Thread-Index: Aca6Q21Q4-E5.2-8V-2S:X935/JU9A==

2005 was the year of the oil company with many of these
companies posting record profits.  2006 has been the year
of alternative fuels with companies involved in this sector
blowing off the charts.  This trend shows no signs of
abating.
Our next feature is right in the thick of the high-growth
alternative energy sector and they are doing incredible
things.

AlgoDyne Ethanol Energy

Symbol:  ADYN

Current Price:            $1.30
Short Term Target:        $3.50
Long Term Projected:      $10.00

It doesn't take a genius to know why alternative energy is
such a high-growth area right now.  Smart traders know how
to watch global trends and seize the moment.

AlgoDyne is where it's at.  AlgoDyne has developed a
turnkey solution in their proprietary micro-algae based
process which can produce direct electricity, eco-friendly
fuels, and valuable bi-products.

The company has just hit its sweet spot in the development
phase and is set to release some astounding results.  These
revelations are being backed up by a far-reaching PR
campaign.

It is essential to get in early in order to enjoy the
biggest gains.  Come Tuesday, December 26th this one will
be rapidly going up to meet our target price!

Do not delay!  Win with ADYN!

</SNIP-SPAM>-------------------------------


Hope this info is enough.


Luis
-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
-------------------------------------------------

Re: SA not catching apostrophes in sender's addresses?

Posted by Eray Aslan <er...@caf.com.tr>.
Luis Hernán Otegui wrote:
[snip]
> But for a month or so, I've noticed that in some senders' addresses
> (spammers, of course) there are apostrophes. Shouldn't they get caught
> by the INVALID_CHARACTERS rule?
[snip]

An apostrophe is a valid character, frequently used by people named O'Brian ...

Are you up to date on your SARE rules?
http://rulesemporium.com/

-- 
Eray
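To make Eray's point concrete, here is an added example (mine, not code from the thread or from the SpamAssassin project) that checks a local part against the RFC 5322 atext set, then applies the test a custom header rule would apply to the From: address of the spam Luis quoted. The rule name FROM_LOCAL_APOSTROPHE and the sample headers are assumptions for illustration; the equivalent local.cf lines appear in a comment.

```python
import re
from email.utils import parseaddr

# RFC 5322 section 3.2.3, atext: the characters allowed in an unquoted local part.
# The apostrophe is on the list, which is why an "invalid characters" rule cannot fire on it.
ATEXT = r"A-Za-z0-9!#$%&'*+\-/=?^_`{|}~"
DOT_ATOM = re.compile(rf"^[{ATEXT}]+(?:\.[{ATEXT}]+)*$")


def local_part_is_valid(addr: str) -> bool:
    """True when addr's local part is an RFC 5322 dot-atom (the rarer quoted-string form is not handled)."""
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return False
    return DOT_ATOM.match(local) is not None


# What a custom SpamAssassin header rule for the symptom would look like in local.cf
# (the rule name is illustrative, not one shipped by the project):
#   header   FROM_LOCAL_APOSTROPHE  From:addr =~ /^[^@]*'/
#   describe FROM_LOCAL_APOSTROPHE  Apostrophe in local part of From address
#   score    FROM_LOCAL_APOSTROPHE  1.0
# The function below applies the same regex to a raw From: header value.
FROM_LOCAL_APOSTROPHE = re.compile(r"^[^@]*'")


def from_local_has_apostrophe(from_header: str) -> bool:
    """Apply the regex to the address part only, as SpamAssassin's From:addr does,
    so an apostrophe in the display name ("O'Brian" <...>) does not count."""
    _, addr = parseaddr(from_header)
    return bool(addr) and FROM_LOCAL_APOSTROPHE.search(addr) is not None


# Constructed sample headers: the first is the From: line of the spam quoted in the thread.
SAMPLE_FROM_HEADERS = [
    '"Curtis Finch" <Philadelphia\'sNegro@abc-job.ru>',
    '"Pat O\'Brian" <obrian@example.com>',
    "o'brian@example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        _, addr = parseaddr(h)
        print(f"{h!r}: valid={local_part_is_valid(addr)} rule_hit={from_local_has_apostrophe(h)}")
```

All three sample addresses are valid, and the rule hits the first and the third; that is the trade-off Eray is pointing at, and why such a rule would carry a modest score rather than act as a hard reject.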

Re: SA not catching apostrophes in sender's addresses?

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Dec 26, 2006 at 08:54:08PM +0100, Benny Pedersen wrote:
> it's valid, so we make rules for it?

Lots of things are valid, and are also good signs of spam.  SpamAssassin is
not an RFC compliance system, it looks for things that are likely to be spam.

-- 
Randomly Selected Tagline:
"As I was walking among the fires of Hell, delighted with the enjoyments of
  Genius; which to Angels look like torment and insanity.  I collected some of
  their Proverbs..." - Blake, "The Marriage of Heaven and Hell"
 

Re: SA not catching apostrophes in sender's addresses?

Posted by Benny Pedersen <me...@junc.org>.
On Tue, December 26, 2006 18:06, Theo Van Dinter wrote:

> FWIW, there are some rules in dev for the apostrophe, but they haven't made it
> into an update yet but should really soon.

it's valid, so we make rules for it?

How do I submit mails to the SpamAssassin corpus (ham/spam)?

-- 
This message was sent using 100% recycled spam mails.


Re: SA not catching apostrophes in sender's addresses?

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Dec 26, 2006 at 12:04:57PM -0300, Luis Hernán Otegui wrote:
> But for a month or so, I've noticed that in some senders' addresses
> (spammers, of course) there are apostrophes. Shouldn't they get caught by
> the INVALID_CHARACTERS rule? I'm only getting a 3.5 point score because of

As others have stated, the apostrophe isn't invalid, so that rule won't catch
it.  Are you using sa-update and network checks?  Those mails don't make it
through at all here.

FWIW, there are some rules in dev for the apostrophe, but they haven't made it
into an update yet but should really soon.

-- 
Randomly Selected Tagline:
"This car began to rust while it was still in the showroom."
         - Unknown about the Dodge Aspen/ Plymouth Volare

Re: SA not catching apostrophes in sender's addresses?

Posted by Phil Barnett <ph...@philb.us>.
On Tuesday 26 December 2006 12:13, Luis Hernán Otegui wrote:
> OK, I'm using sa-update AND Rules Du Jour. However, I'm not sure about
> which rulesets are the most convenient to download. Could somebody pass a
> config file for RDJ?

The ruleset you want will vary based on how strict or loose you want the rules 
to be.

Here's the one I use: (fix the email address)

# cat /etc/rulesdujour/config
SA_DIR="/usr/share/spamassassin"

MAIL_ADDRESS="YourEmailAddy@GoesHere.com"

SINGLE_EMAIL_ONLY="true"

SA_RESTART="/etc/init.d/spamassassin restart"

# Ruleset descriptions found at http://www.rulesemporium.com
TRUSTED_RULESETS="TRIPWIRE SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 
SARE_EVILNUMBERS2 RANDOMVAL SARE_ADULT SARE_FRAUD SARE_BML
SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_OBFU0 
SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_HTML SARE_UNSUB SARE_URI
SARE_REDIRECT_POST300 SARE_STOCKS SARE_WHITELIST SARE_SPECIFIC SARE_HEADER"


-- 
My other computer is your Windows machine

Re: SA not catching apostrophes in sender's addresses?

Posted by Luis Hernán Otegui <lu...@gmail.com>.
OK, I'm using sa-update AND Rules Du Jour. However, I'm not sure about which
rulesets are the most convenient to download. Could somebody pass a config
file for RDJ?

Thanks again,


Luis

2006/12/26, Chris <cp...@earthlink.net>:
>
> On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> > Hi, list. I have been under heavy stock alert spamming. Currently, my
> > setup goes like this:
> >
> > -Debian Sarge
> > -Postfix 2.1.5-9 with VDA patch
> > -Amavisd-new 2.4.2
> > -SA 3.1.5
> > -ClamAV 0.84-2.sarge.1
> > -Mysql 4.0.24-10sarge
> >
> > System was installed and is maintained via apt. I've recently added the
> > sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
> >
> > But for a month or so, I've noticed that in some senders' addresses
> > (spammers, of course) there are apostrophes.
>
> Addresses such as this "Gena Mercer" <th...@abc.spb.ru> are
> caught
> here quite easily on my home system:
>
> Content analysis details:   (43.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  0.0 BOTNET_NORDNS          IP address has no PTR record
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
>  0.4 SARE_LWOILCO           BODY: SARE_LWOILCO
>  1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>  5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>                             above 50%
>                             [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>   10 CLAMAV                 Clam AntiVirus detected a virus
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [88.243.90.7 listed in sbl-xbl.spamhaus.org]
>  0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
>  5.0 BOTNET                 The submitting mail server looks like part of a Botnet
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> Looks like any of the sare rules, or network tests would kick it over the
> limit. Are you running any of the add-on clamav db's? These are tagged
> here
> with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even
> running botnet would have put it over your threshold.
>
> --
> Chris
> http://learn.to/quote
>
>
>


-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
-------------------------------------------------

Re: SA not catching apostrophes in sender's addresses?

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Thu, 28 Dec 2006 15:40:49 -0800, John Rudd <jr...@ucsc.edu> wrote:

>Chris wrote:
>> On Thursday 28 December 2006 12:22 pm, Benny Pedersen wrote:
>
>>> if clamav knows it's a virus, why then test it as spam in spamassassin?
>> Why not? I'm using the clamav plug-in as part of the spamassassin install.
>
>
>Because SpamAssassin is rather expensive, while ClamAV is rather cheap 
>(in terms of system resources consumed in the scanning process).  If 
>possible, I'd do the ClamAV check _before_ SpamAssassin, and not spam 
>scan anything ClamAV flagged as a virus.
>
>For example, in mimedefang, the logic I follow is like this:
>
>1) if the message has an attachment with a bad attachment filename, 
>reject it and don't do any further scanning.
>
>2) if ClamAV says the message is a virus, reject it and don't do any 
>further scanning.
>
>3) only after those 2 checks, check it for spam.  If the score is >= 10, 
>reject it.  If the score is >= 5, mark it as spam.  If the score is < 5, 
>mark it as not-spam/ham.
>
>
>That way, the cheapest check (attachment filenames) is first and keeps 
>those messages from clogging my more expensive checks.  Then I do the 
>next cheapest check (ClamAV) and that keeps viruses and phishing 
>attempts from clogging up spamassassin.  Only after I've eliminated all 
>of that traffic do I then let spamassassin look at the message.


I'm not sure which MTA you use but mine allows for a local blacklist
of addresses with wildcards. I have one line that does *'*@*.* so far
that's caught all the pesky apostrophe mails and doesn't require
action from either SA or Clam; it's done at the SMTP receipt portion
of the message. Better yet, anything failing this test gets banged
into the greylist for a set period so as not to tie up threads.

HTH

Nigel
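The wildcard check Nigel describes, as an added example (mine, not his MTA configuration or any code from the thread): fnmatch expands the glob `*'*@*.*`, and the decision is taken at MAIL FROM time, so the envelope sender rather than the From: header is what gets tested. The 450 reply text, the greylist period and the sample addresses are assumptions for illustration; as Eray noted earlier in the thread, the same pattern matches legitimate addresses that carry an apostrophe.

```python
import fnmatch
from typing import Dict, List, Tuple

# Nigel's single blacklist entry: an apostrophe anywhere before the @.
SENDER_BLACKLIST: List[str] = ["*'*@*.*"]

# Assumed: how long a matching sender stays on the greylist (seconds).
GREYLIST_PERIOD = 3600.0


def matches_blacklist(mail_from: str, patterns: List[str] = SENDER_BLACKLIST) -> bool:
    """Glob match in the style of an MTA wildcard list. fnmatch treats * as 'any run of
    characters', so the pattern is satisfied by any local part containing an apostrophe."""
    return any(fnmatch.fnmatchcase(mail_from, p) for p in patterns)


def smtp_mail_from(mail_from: str, greylist: Dict[str, float], now: float) -> Tuple[int, str]:
    """Reply code and text for MAIL FROM:<mail_from>. greylist maps sender -> expiry time.
    A blacklisted sender is deferred with 450 and recorded for GREYLIST_PERIOD, so its
    retries are turned away at the envelope stage without reaching SA or ClamAV."""
    expiry = greylist.get(mail_from)
    if expiry is not None and now < expiry:
        return 450, "4.7.1 Greylisted, try again later"
    if matches_blacklist(mail_from):
        greylist[mail_from] = now + GREYLIST_PERIOD
        return 450, "4.7.1 Greylisted, try again later"
    return 250, "2.1.0 Ok"


# Constructed sample envelope senders; the first is the envelope sender shown in the
# mbox "From " line of the spam Luis posted.
SAMPLE_SENDERS = [
    "Philadelphia'sNegro@abc-job.ru",
    "alice@example.com",
    "o'brian@example.com",
]

if __name__ == "__main__":
    greylist: Dict[str, float] = {}
    for t, sender in enumerate(SAMPLE_SENDERS):
        print(sender, smtp_mail_from(sender, greylist, float(t)))
```

The check costs one glob match per connection and needs no message body, which is the "doesn't tie up threads" property Nigel describes; the cost is that a real o'brian@ correspondent is deferred exactly the same way.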

Re: SA not catching apostrophes in sender's addresses?

Posted by John Rudd <jr...@ucsc.edu>.
Chris wrote:
> On Thursday 28 December 2006 12:22 pm, Benny Pedersen wrote:

>> if clamav knows it's a virus, why then test it as spam in spamassassin?
> Why not? I'm using the clamav plug-in as part of the spamassassin install.


Because SpamAssassin is rather expensive, while ClamAV is rather cheap 
(in terms of system resources consumed in the scanning process).  If 
possible, I'd do the ClamAV check _before_ SpamAssassin, and not spam 
scan anything ClamAV flagged as a virus.

For example, in mimedefang, the logic I follow is like this:

1) if the message has an attachment with a bad attachment filename, 
reject it and don't do any further scanning.

2) if ClamAV says the message is a virus, reject it and don't do any 
further scanning.

3) only after those 2 checks, check it for spam.  If the score is >= 10, 
reject it.  If the score is >= 5, mark it as spam.  If the score is < 5, 
mark it as not-spam/ham.


That way, the cheapest check (attachment filenames) is first and keeps 
those messages from clogging my more expensive checks.  Then I do the 
next cheapest check (ClamAV) and that keeps viruses and phishing 
attempts from clogging up spamassassin.  Only after I've eliminated all 
of that traffic do I then let spamassassin look at the message.
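The three-stage ordering John describes, as an added example in Python rather than his mimedefang filter (this is my code, not his): the MIME walk for bad attachment names runs first, the virus scanner second, the spam scorer last, and each stage returns before the next, more expensive one is invoked. The extension list and the two callables standing in for clamd and spamd are assumptions; the thresholds are the ones in his post, and the sample messages are constructed inline.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional, Tuple

# Assumed site policy: attachment extensions rejected on sight. John's post names the
# check but not the list.
BAD_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".cpl"}

# Thresholds from John's post.
REJECT_SCORE = 10.0
SPAM_SCORE = 5.0


def bad_attachment_name(msg) -> Optional[str]:
    """Cheapest check first: walk the MIME parts and return the first blacklisted filename."""
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in BAD_EXTENSIONS:
            return name
    return None


def triage(raw: bytes,
           virus_scan: Callable[[bytes], Optional[str]],
           spam_score: Callable[[bytes], float]) -> Tuple[str, str]:
    """Return (action, reason). virus_scan stands in for the clamd query and returns a
    signature name or None; spam_score stands in for the spamd call. Each stage returns
    before the next one is ever called."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name = bad_attachment_name(msg)
    if name:
        return "reject", f"bad attachment filename: {name}"
    sig = virus_scan(raw)
    if sig:
        return "reject", f"virus: {sig}"
    score = spam_score(raw)
    if score >= REJECT_SCORE:
        return "reject", f"spam score {score:.1f}"
    if score >= SPAM_SCORE:
        return "mark-spam", f"spam score {score:.1f}"
    return "deliver", f"spam score {score:.1f}"


def _build_exe_message() -> bytes:
    """Constructed sample: a message carrying a .exe attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "luis_o@biol.unlp.edu.ar"
    m["Subject"] = "invoice"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


EXE_MESSAGE = _build_exe_message()

# Constructed sample: plain text in the style of the stock spam quoted in the thread.
PLAIN_MESSAGE = (
    b"From: \"Curtis Finch\" <Philadelphia'sNegro@abc-job.ru>\r\n"
    b"To: <luis_o@biol.unlp.edu.ar>\r\n"
    b"Subject: Curtis\r\n"
    b"Content-Type: text/plain; charset=\"iso-8859-2\"\r\n"
    b"\r\n"
    b"Symbol: ADYN\r\nCurrent Price: $1.30\r\nDo not delay! Win with ADYN!\r\n"
)

if __name__ == "__main__":
    calls = {"clamd": 0, "spamd": 0}

    def clamd(raw: bytes) -> Optional[str]:
        calls["clamd"] += 1
        return None

    def spamd(raw: bytes) -> float:
        calls["spamd"] += 1
        return 3.5  # the score Luis saw from BAYES_99 alone

    print(triage(EXE_MESSAGE, clamd, spamd), calls)    # rejected before clamd or spamd run
    print(triage(PLAIN_MESSAGE, clamd, spamd), calls)  # all three stages run, delivered
```

Counting the stand-in calls is the point of the demo: the .exe message never touches either scanner, and a message ClamAV flags (a SaneSecurity stock signature, say) never reaches the spam scorer, which is the saving John is after.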


Re: SA not catching apostrophes in sender's addresses?

Posted by Chris <cp...@earthlink.net>.
On Thursday 28 December 2006 12:22 pm, Benny Pedersen wrote:
> On Wed, December 27, 2006 04:01, Chris wrote:
> >> what virus is found in clamav ?
> >
> > X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204), this comes
> > from one of Steve Basford's add-ons.
>
> if clamav knows it's a virus, why then test it as spam in spamassassin?
Why not? I'm using the clamav plug-in as part of the spamassassin install.

> it only makes sense when using clamav as a mail tester with own signatures
The signatures I'm using are not mine, I have the daily and main signatures 
that I use as well as the MSRBL and SaneSecurity signatures.

> is the database path different from spamassassin for clamav, so the clamav plugin
> tests only its own signatures and not viruses?
All of the clamav databases are stored in /var/lib/clamav

> mixed setups make more questions and more problems :-)
I don't understand what you mean by 'mixed setups'?

-- 
Chris
http://learn.to/quote

Re: SA not catching apostrophes in sender's addresses?

Posted by Benny Pedersen <me...@junc.org>.
On Wed, December 27, 2006 04:01, Chris wrote:

>> what virus is found in clamav ?
> X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204), this comes from
> one of Steve Basford's add-ons.

if clamav knows it's a virus, why then test it as spam in spamassassin?

it only makes sense when using clamav as a mail tester with own signatures

is the database path different from spamassassin for clamav, so the clamav plugin
tests only its own signatures and not viruses?

mixed setups make more questions and more problems :-)

-- 
This message was sent using 100% recycled spam mails.


Re: SA not catching apostrophes in sender's addresses?

Posted by Chris <cp...@earthlink.net>.
On Tuesday 26 December 2006 1:47 pm, Benny Pedersen wrote:
> > Addresses such as this "Gena Mercer" <th...@abc.spb.ru> are
> > caught here quite easily on my home system:
>
> it's a valid email address

> > 10 CLAMAV Clam AntiVirus detected a virus

> what virus is found in clamav?
X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204), this comes from 
one of Steve Basford's add-ons.

-- 
Chris
http://learn.to/quote

Re: SA not catching apostrophes in sender's addresses?

Posted by Benny Pedersen <me...@junc.org>.
On Tue, December 26, 2006 17:29, Chris wrote:

[snip]
> Addresses such as this "Gena Mercer" <th...@abc.spb.ru> are caught
> here quite easily on my home system:

it's a valid email address

[snip]
> 10 CLAMAV Clam AntiVirus detected a virus
[/snip]

what virus is found in clamav?

-- 
This message was sent using 100% recycled spam mails.


Re: SA not catching apostrophes in sender's addresses?

Posted by Chris <cp...@earthlink.net>.
On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> Hi, list. I have been under heavy stock alert spamming. Currently, my
> setup goes like this:
>
> -Debian Sarge
> -Postfix 2.1.5-9 with VDA patch
> -Amavisd-new 2.4.2
> -SA 3.1.5
> -ClamAV 0.84-2.sarge.1
> -Mysql 4.0.24-10sarge
>
> System was installed and is maintained via apt. I've recently added the
> sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
>
> But for a month or so, I've noticed that in some senders' addresses
> (spammers, of course) there are apostrophes.

Addresses such as this "Gena Mercer" <th...@abc.spb.ru> are caught 
here quite easily on my home system:

Content analysis details:   (43.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 BOTNET_NORDNS          IP address has no PTR record
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.4 SARE_LWOILCO           BODY: SARE_LWOILCO
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.243.90.7 listed in sbl-xbl.spamhaus.org]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 5.0 BOTNET                 The submitting mail server looks like part of a Botnet
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Looks like any of the sare rules, or network tests would kick it over the 
limit. Are you running any of the add-on clamav db's? These are tagged here 
with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even 
running botnet would have put it over your threshold.

-- 
Chris
http://learn.to/quote