Posted to users@spamassassin.apache.org by Dennis German <dg...@Real-World-Systems.com> on 2010/10/19 23:34:04 UTC
Spam US$350,000 not tripped
I am surprised this plain text spam did not trip for US$350,000
sa 3.2.4
http://www.Real-World-Systems.com/mail/spam.un
Re: Spam US$350,000 not tripped
Posted by Benny Pedersen <me...@junc.org>.
On Tue 19 Oct 2010 23:34:04 CEST, Dennis German wrote
> http://www.Real-World-Systems.com/mail/spam.un
squirrelmail is old :)
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Spam US$350,000 not tripped
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-10-20 at 06:26 +0100, Ned Slider wrote:
> On 19/10/10 22:56, Karsten Bräckelmann wrote:
> > On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> > > It hits a stack of rules here (some are my own scoring) - looks like
> > > * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> > > * [148.208.170.3 listed in bb.barracudacentral.org]
> >
> > Seriously? Or is that a score typo in your cf files?
>
> I did say above "some are my own scoring". I've been evaluating BRBL to
> see if it's a candidate to use at the smtp level and need to identify
> possible false positives. Giving it a ridiculously high score ensures
> any hits end up in quarantine where I can examine. No FPs of note yet.
Yes, you did state some scores are adjusted. That one really stuck out,
though, and with such a ridiculously high score (your own words, let me
just stress the point ;) being a typo was not unlikely. Your usage as
test-phase for possible SMTP rejection makes sense and puts it into
perspective.
> I've also tweaked the Bayesian scoring for my own preferences. I still see
> a fair amount of spam caught by Bayes alone and manually train Bayes
> with confirmed ham/spam only. I have high confidence in my Bayesian
> setup and whitelisting invariably catches any potential FP hits.
*nod* With a well-trained Bayes DB, that's entirely possible.
> In general, I wouldn't recommend users tweak the default scoring too much.
Thanks. :)
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Spam US$350,000 not tripped
Posted by Ned Slider <ne...@unixmail.co.uk>.
On 19/10/10 22:56, Karsten Bräckelmann wrote:
> On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
>> On 19/10/10 22:34, Dennis German wrote:
>>> I am surprised this plain text spam did not trip for US$350,000
>>> sa 3.2.4
>
> Uhm, a generic amount of money on its own is not a sign of spam. You
> know, some people do deal with and talk about money...
>
>> It hits a stack of rules here (some are my own scoring) - looks like
>> it's time to upgrade to SA 3.3.1.
>
>> * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * [score: 0.9999]
>> * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
>> * [148.208.170.3 listed in bb.barracudacentral.org]
>
> Seriously? Or is that a score typo in your cf files?
>
I did say above "some are my own scoring". I've been evaluating BRBL to
see if it's a candidate to use at the smtp level and need to identify
possible false positives. Giving it a ridiculously high score ensures
any hits end up in quarantine where I can examine. No FPs of note yet.
I've also tweaked the Bayesian scoring for my own preferences. I still see
a fair amount of spam caught by Bayes alone and manually train Bayes
with confirmed ham/spam only. I have high confidence in my Bayesian
setup and whitelisting invariably catches any potential FP hits.
In general, I wouldn't recommend users tweak the default scoring too much.
Re: Spam US$350,000 not tripped
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-10-19 at 19:29 -0400, Dennis German wrote:
> Thank you for the suggestion of adding BRBL and JMF.
> Can you please point me to some detailed information explaining how to do that?
> PS I am on a shared server without root access. (or I would have upgraded SA)
The actual rules to be added are documented in SA bugzilla. The Sought
channel is documented in the wiki.
However, no root access -- neither of these is a user preference; it is
impossible to add them with mere tweaking of user_prefs [1]. You can only do
this if you have access to the site-wide config, commonly referred to
as local.cf.
This might be possible, even on a shared, virtual server. If you ever
could add rules yourself, you can do this, too.
[1] Unless allow_user_rules is enabled, which is rather unlikely.
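Added example, not from any poster in this thread: the shape of the site-wide local.cf additions Karsten is describing, using the rule names and DNSBL zones that appear in Ned's report. The check_rbl / check_rbl_sub eval syntax and the "-lastexternal" set suffix are stock SpamAssassin; the scores and the hostkarma return-code mapping are assumptions for illustration, not the bugzilla values.

```conf
# local.cf -- site-wide config. These are rules, not preferences, so they
# will NOT work from a user_prefs file unless allow_user_rules is enabled.

# Barracuda Reputation Block List, looked up for the last external relay only
# (the "-lastexternal" suffix on the set name asks SA for that behaviour).
header   RCVD_IN_BRBL_LASTEXT  eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org.')
describe RCVD_IN_BRBL_LASTEXT  Received via a relay listed in Barracuda BRBL
tflags   RCVD_IN_BRBL_LASTEXT  net
# Assumed score. Ned's 25 is a deliberate quarantine-test override, not a default.
score    RCVD_IN_BRBL_LASTEXT  1.4

# JunkEmailFilter hostkarma: one DNS lookup, then sub-rules keyed on the
# returned address. Assumed mapping: 127.0.0.1 = white, 127.0.0.2 = black.
header   __RCVD_IN_JMF         eval:check_rbl('jmf-lastexternal', 'hostkarma.junkemailfilter.com.')

header   RCVD_IN_JMF_BL        eval:check_rbl_sub('jmf-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL        Relay listed in JunkEmailFilter BLACK (bad)
tflags   RCVD_IN_JMF_BL        net
score    RCVD_IN_JMF_BL        3.0

# Negative score for the white list so known-good relays are not penalised;
# "nice" marks the rule as ham-indicating for lint and score tooling.
header   RCVD_IN_JMF_W         eval:check_rbl_sub('jmf-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W         Relay listed in JunkEmailFilter WHITE (good)
tflags   RCVD_IN_JMF_W         net nice
score    RCVD_IN_JMF_W         -1.0
```

Run `spamassassin --lint` after editing local.cf; a rule with a typo in its score line or set name is reported there rather than silently ignored.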
Re: Spam US$350,000 not tripped
Posted by Dennis German <dg...@Real-World-Systems.com>.
On Oct 19, 2010, at 5:56 PM, Karsten Bräckelmann wrote:
> On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
>> On 19/10/10 22:34, Dennis German wrote:
>>> I am surprised this plain text spam did not trip for US$350,000
>>> sa 3.2.4
>
> Uhm, a generic amount of money on its own is not a sign of spam. You
> know, some people do deal with and talk about money...
>
>> It hits a stack of rules here (some are my own scoring) - looks like
>> it's time to upgrade to SA 3.3.1.
>
>> * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * [score: 0.9999]
>> * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
>> * [148.208.170.3 listed in bb.barracudacentral.org]
>
> Seriously? Or is that a score typo in your cf files?
>
>> * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
>> * [148.208.170.3 listed in hostkarma.junkemailfilter.com]
>
> BRBL and JMF are easy enough to add to an existing 3.2.x installation.
>
>> * 1.0 MISSING_HEADERS Missing To: header
>
> Stock 3.2.x, scored even slightly higher.
>
>> * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
>
> Easy enough to add to 3.2.x via sa-update. Recommended.
>
> Bayes of course also is part of stock 3.2.x. ;) Plethora of new fraud
> rules snipped.
Karsten,
Thank you for the suggestion of adding BRBL and JMF.
Can you please point me to some detailed information explaining how to do that?
PS I am on a shared server without root access. (or I would have upgraded SA)
Re: Spam US$350,000 not tripped
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
> On 19/10/10 22:34, Dennis German wrote:
> > I am surprised this plain text spam did not trip for US$350,000
> > sa 3.2.4
Uhm, a generic amount of money on its own is not a sign of spam. You
know, some people do deal with and talk about money...
> It hits a stack of rules here (some are my own scoring) - looks like
> it's time to upgrade to SA 3.3.1.
> * 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9999]
> * 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> * [148.208.170.3 listed in bb.barracudacentral.org]
Seriously? Or is that a score typo in your cf files?
> * 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
> * [148.208.170.3 listed in hostkarma.junkemailfilter.com]
BRBL and JMF are easy enough to add to an existing 3.2.x installation.
> * 1.0 MISSING_HEADERS Missing To: header
Stock 3.2.x, scored even slightly higher.
> * 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
Easy enough to add to 3.2.x via sa-update. Recommended.
Bayes of course also is part of stock 3.2.x. ;) Plethora of new fraud
rules snipped.
Re: Spam US$350,000 not tripped
Posted by Ned Slider <ne...@unixmail.co.uk>.
On 19/10/10 22:34, Dennis German wrote:
> I am surprised this plain text spam did not trip for US$350,000
> sa 3.2.4
>
> http://www.Real-World-Systems.com/mail/spam.un
>
It hits a stack of rules here (some are my own scoring) - looks like
it's time to upgrade to SA 3.3.1.
X-Spam-Report:
* 6.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9999]
* 25 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
* [148.208.170.3 listed in bb.barracudacentral.org]
* 3.0 RCVD_IN_JMF_BL RBL: Relay listed in JunkEmailFilter BLACK (bad)
* [148.208.170.3 listed in hostkarma.junkemailfilter.com]
* 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
* and suggests discarding the rest
* 1.0 MISSING_HEADERS Missing To: header
* 0.0 T_LOTS_OF_MONEY Huge... sums of money
* 1.6 REPLYTO_WITHOUT_TO_CC REPLYTO_WITHOUT_TO_CC
* 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
* 3.4 FILL_THIS_FORM_LONG Fill in a form with personal information
* 0.0 T_FILL_THIS_FORM Fill in a form with personal information
* 1.5 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
* 3.3 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
* 0.5 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
* 0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
* 0.9 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
* 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
* 0.8 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
* 0.5 MONEY_FRAUD_5 Lots of money and many fraud phrases
* 0.8 MONEY_FRAUD_8 Lots of money and very many fraud phrases
* 0.5 MONEY_FRAUD_3 Lots of money and several fraud phrases
* 0.5 FORM_FRAUD_5 Fill a form and many fraud phrases
* 0.5 FORM_FRAUD_3 Fill a form and several fraud phrases