Posted to users@spamassassin.apache.org by Jean-Paul Natola <jn...@familycareintl.org> on 2009/04/30 15:23:03 UTC

Almost no score

Hi all,

I just upgraded to 3.2.5, ran sa-update, and I got this message with only one
rule tripped.

I'm putting a link to the message as well as the headers.

If anyone can shed some light here, I would appreciate it.

ftp://ftp.fcimail.org/IT/SA/headers.txt

ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no%20pain%20and%20dysfunctions.htm

TIA

J

 


Re: Almost no score

Posted by Jeff Mincy <je...@delphioutpost.com>.
   From: Charles Gregory <cg...@hwcn.org>
   Date: Fri, 1 May 2009 10:48:00 -0400 (EDT)
   
   Uh, what do these 'ratware' rules trigger on? 

The rules trigger on spam with a particular Message-Id and boundary pattern.

   How effective are they, and what are the chances of false positives?

For last month the KB_RATWARE_OUTLOOK_08 rule hits 
21% of spam (4665 hits out of 21748 spam).   It works great here.
I haven't seen any FP.  Your mileage may vary.

I got the rules from Karsten's sandbox:
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf

I would imagine that these rules will eventually show up in sa-update.
-jeff

   
   On Thu, 30 Apr 2009, LuKreme wrote:
   > (single lines)
   > header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
   >
   > header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
   >
   > header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "
   >
   > score KB_RATWARE_BOUNDARY 2.0
   > score KB_RATWARE_OUTLOOK_16 0.1
   >
   >
   > -- 
   > Exit, pursued by a bear.
   >

Re: Almost no score

Posted by Craig <cc...@unitedwayqc.org>.
I could be asking the same thing as Charles, if I am I apologize.
 
I installed the rules below, ran the headers.txt file through SA, and the rules did not trigger.  Do I need to configure something else?
 
Thanks
Craig

>>> Charles Gregory <cg...@hwcn.org> 5/1/2009 9:48 AM >>>

Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
>
> header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
>
> header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
>
> -- 
> Exit, pursued by a bear.
>

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 1-May-2009, at 08:48, Charles Gregory wrote:
> Uh, what do these 'ratware' rules trigger on?

Spammish message IDs with spammish MIME boundary tags.

Message-ID: <00...@venomousf>
From: "Shannon England" <ve...@blackmanlawoffice.com>
Subject: We hae the best alarm-clocks for your little  buddy down there.
Date: Mon, 27 Apr 2009 11:27:54 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0075_01C9C74C.BC2F05D0"

matches, for example.

> How effective are they,

They catch quite a lot of spam that otherwise does not score high  
enough to be caught.

> and what are the chances of false positives?

I've not had any myself. YMMV.


-- 
The most perfidious way of harming a cause consists of defending
	it deliberately with faulty arguments.


Re: Almost no score

Posted by Charles Gregory <cg...@hwcn.org>.
Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
>
> header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
>
> header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
>
> -- 
> Exit, pursued by a bear.
>

Re: Almost no score

Posted by Ned Slider <ne...@unixmail.co.uk>.
John Hardin wrote:
> On Fri, 1 May 2009, Ned Slider wrote:
> 
>> Can you please explain the rationale behind your scoring. I've just 
>> installed these 3 rules to test and so far either all 3 are being 
>> triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
>> (less FP potential) than OUTLOOK_12 or OUTLOOK_16.
> 
> Didn't Karsten say they were incremental refinements of the same rule? 
> Meaning, you'd only use one...
> 

Quite possibly John, I may well have missed that. I only picked up on 
this today :)




Re: Almost no score

Posted by John Hardin <jh...@impsec.org>.
On Fri, 1 May 2009, Ned Slider wrote:

> Can you please explain the rationale behind your scoring. I've just 
> installed these 3 rules to test and so far either all 3 are being 
> triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
> (less FP potential) than OUTLOOK_12 or OUTLOOK_16.

Didn't Karsten say they were incremental refinements of the same rule? 
Meaning, you'd only use one...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   One death is a tragedy; thirty is a media sensation;
   a million is a statistic.              -- Joseph Stalin, modernized
-----------------------------------------------------------------------
  7 days until the 64th anniversary of VE day

Re: Almost no score

Posted by Ned Slider <ne...@unixmail.co.uk>.
LuKreme wrote:
> 
> This is what I have in local.cf
> 
> (single lines)
> header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
> 
> header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
> 
> header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "
> 
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
> 
> 

Can you please explain the rationale behind your scoring. I've just 
installed these 3 rules to test and so far either all 3 are being 
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
(less FP potential) than OUTLOOK_12 or OUTLOOK_16.





Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 12:01, Jean-Paul Natola wrote:
> Have the scoring methods changed in SA I noticed in your rules there  
> are no
> scores


This is what I have in local.cf

(single lines)
header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "

header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "

header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "

score KB_RATWARE_BOUNDARY 2.0
score KB_RATWARE_OUTLOOK_16 0.1


-- 
Exit, pursued by a bear.
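As an added illustration of what Jeff Mincy and John Hardin describe earlier in the thread (the rules key on a Message-Id whose hex tokens reappear in the MIME boundary, and the three are refinements of one check), this Python script is not from the thread or from Karsten's sandbox: it ports the three local.cf rules to Python's re module and runs them over constructed header blocks, with every Message-Id and boundary value invented and the OUTLOOK_12 score of 1.0 taken from the content-analysis report quoted below.

```python
import re

# Scores as used in the thread: BOUNDARY 2.0 and OUTLOOK_16 0.1 from the local.cf
# above, OUTLOOK_12 1.0 as shown in the quoted content-analysis report.
SCORES = {
    "KB_RATWARE_OUTLOOK_16": 0.1,
    "KB_RATWARE_OUTLOOK_12": 1.0,
    "KB_RATWARE_BOUNDARY": 2.0,
}

# Perl's /msi becomes re.M | re.S | re.I.  SpamAssassin's ALL pseudo-header is the
# whole header block, so '.' has to cross newlines (re.S) for the {100,400} window
# between the Message-Id and the Content-Type boundary parameter.
FLAGS = re.M | re.S | re.I
RULES = {
    # both 8-hex tokens of the Message-Id reappear in the boundary
    "KB_RATWARE_OUTLOOK_16": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.\2', FLAGS),
    # first token plus the first 4 hex digits of the second
    "KB_RATWARE_OUTLOOK_12": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.\2', FLAGS),
    # only the first token
    "KB_RATWARE_BOUNDARY": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.', FLAGS),
}


def ratware_hits(headers: str) -> dict:
    """Return {rule: score} for every rule whose regex matches the header block."""
    return {name: SCORES[name] for name, rx in RULES.items() if rx.search(headers)}


def ratware_score(headers: str) -> float:
    return round(sum(ratware_hits(headers).values()), 1)


def make_headers(message_id: str, boundary: str) -> str:
    """Constructed header block in the shape quoted in the thread; the fixed
    middle headers put the boundary about 190 characters after the Message-Id,
    inside the rules' {100,400} window."""
    return (
        f"Message-ID: {message_id}\n"
        'From: "Sample Sender" <sender@example.invalid>\n'
        "Subject: Constructed sample message\n"
        "Date: Mon, 27 Apr 2009 11:27:54 -0500\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/mixed;\n"
        f'\tboundary="{boundary}"\n'
    )


# Constructed samples: every Message-Id and boundary value below is invented.
# Both tokens correlate: all three rules fire (3.1 points with the scores above).
FULL_MATCH = make_headers("<001b01c9c8a0$12345678$0a00000a@host.example>",
                          "----=_NextPart_000_0018_01C9C8A0.12345678")
# Only the first token and half of the second: OUTLOOK_12 and BOUNDARY fire.
PARTIAL_MATCH = make_headers("<001b01c9c8a0$12345678$0a00000a@host.example>",
                             "----=_NextPart_000_0018_01C9C8A0.1234ABCD")
# Outlook-shaped Message-Id but a boundary built from a different timestamp: no hit.
UNRELATED = make_headers("<001b01c9c8a0$12345678$0a00000a@host.example>",
                         "----=_NextPart_000_0018_01C9C8B3.DEADBEEF")
# A non-Outlook Message-Id never enters the rules at all.
NON_OUTLOOK = make_headers("<20090427162754.GA12345@mta.example>",
                           "----=_NextPart_000_0018_01C9C8A0.12345678")

if __name__ == "__main__":
    for label, block in [("full", FULL_MATCH), ("partial", PARTIAL_MATCH),
                         ("unrelated", UNRELATED), ("non-outlook", NON_OUTLOOK)]:
        print(f"{label:12s} {ratware_score(block):4.1f}  {sorted(ratware_hits(block))}")
```

Because OUTLOOK_12 and BOUNDARY are prefixes of OUTLOOK_16's check, a message that fires the narrowest rule always fires the other two as well, which is why the scores add up rather than competing.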


RE: Almost no score

Posted by Jean-Paul Natola <jn...@familycareintl.org>.
On 30-Apr-2009, at 09:53, Jean-Paul Natola wrote:
> Where did you get the KB_RATWARE rules from?


Karsten Bräkelmann (guenther@rudersport.de)

>> You can find KB_RATWARE_BOUNDARY in my sandbox, where it's still  
>> badly
>> named KB_RATWARE_OUTLOOK_08. I need to rename it and get rid of the
>> other testing variants with varying fuzziness eventually...
>>
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf?view=markup

Best new rules I've added to my SA install in... ages.

-- 

Have the scoring methods changed in SA? I noticed in your rules there are no
scores.

Previously, in my
/usr/local/etc/mail/spamassassin directory, all the rules (.cf files) had
Body
Describe
Score

Now that I'm looking at your rules as well as the rules in

/var/db/spamassassin/3.002005/updates_spamassassin_org.cf

none seem to have scores in them.

Are the rules in
/usr/local/etc/mail/spamassassin still used in 3.2.5?



Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 09:53, Jean-Paul Natola wrote:
> Where did you get the KB_RATWARE rules from?


Karsten Bräkelmann (guenther@rudersport.de)

>> You can find KB_RATWARE_BOUNDARY in my sandbox, where it's still  
>> badly
>> named KB_RATWARE_OUTLOOK_08. I need to rename it and get rid of the
>> other testing variants with varying fuzziness eventually...
>> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf?view=markup

Best new rules I've added to my SA install in... ages.

-- 
No matter how fast light travels it finds the darkness has always
	got there first, and is waiting for it.


RE: Almost no score

Posted by Jean-Paul Natola <jn...@familycareintl.org>.

-----Original Message-----
From: LuKreme [mailto:kremels@kreme.com] 
Sent: Thursday, April 30, 2009 10:40 AM
To: users@spamassassin.apache.org
Subject: Re: Almost no score


On 30-Apr-2009, at 07:23, Jean-Paul Natola wrote:

> Hi all,
>
> I just upgraded to 3.2.5  ran sa-update and I got this message with  
> only one
> rule tripped
>
> I'm putting a link to the message as well as the headers
>
> If anyone can shed some light here , I would appreciate it.
>
> ftp://ftp.fcimail.org/IT/SA/headers.txt

Content analysis details:   (6.6 points, 5.0 required)

  pts rule name              description
---- ----------------------  
--------------------------------------------------
  0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
  1.0 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
  2.0 KB_RATWARE_BOUNDARY    KB_RATWARE_BOUNDARY
  2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [85.75.94.188 listed in zen.spamhaus.org]
  0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
  0.1 RDNS_NONE              Delivered to trusted network by a host  
with no rDNS

---------------------------------------------------------------------------

Where did you get the KB_RATWARE rules from?

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 07:23, Jean-Paul Natola wrote:

> Hi all,
>
> I just upgraded to 3.2.5  ran sa-update and I got this message with  
> only one
> rule tripped
>
> I'm putting a link to the message as well as the headers
>
> If anyone can shed some light here , I would appreciate it.
>
> ftp://ftp.fcimail.org/IT/SA/headers.txt

Content analysis details:   (6.6 points, 5.0 required)

  pts rule name              description
---- ----------------------  
--------------------------------------------------
  0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
  1.0 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
  2.0 KB_RATWARE_BOUNDARY    KB_RATWARE_BOUNDARY
  2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [85.75.94.188 listed in zen.spamhaus.org]
  0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
  0.1 RDNS_NONE              Delivered to trusted network by a host  
with no rDNS

of course, KB_RATWARE are non-standard and it may not have been in the  
XBL/PBL yet.

-- 
Nothing like grilling a kosher dog over human hair to bring out the
	subtle flavors.


Re: Almost no score

Posted by Adam Katz <an...@khopis.com>.
LuKreme wrote:
> On 1-May-2009, at 12:04, Adam Katz wrote:
>> mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
>> body __PNG_240_400     eval:image_size_exact('png',240,400)
>> meta DSCL4DIG_PNG      __DSCL4_PNG && __PNG_240_400
>> describe DSCL4DIG_PNG  Supposed digital camera photo is a PNG
>>
>> Probably the mimeheader check alone is enough.
> 
> What are you scoring this at?

You'd have to ask aixenv; my network hasn't fallen victim to this yet.

> I think with the dimensions that could safely score quite high.

That's my inclination, too.  I tend to start low and then bring it
higher in increments.  My gut says 1.5 to start and to work up to a 3.75
tops, but if it's more annoying and there are no false positives, I'd go
a small bit higher (but with a note to self to re-visit the logs in a
month or so, as even 3.75 is way too high to leave alone).

> I ended up with something like this after adding your image size.
> 
> mimeheader    DIGI_PNG    Content-Type =~
> /name\=\"[a-z]{3,4}_?\d{4,5}\.png\"/
> body          __PNG_240_400 eval:image_size_exact('png',240,400)
> meta          META_DIGI_PNG      DIGI_PNG && __PNG_240_400
> describe      META_DIGI_PNG      240,400 PNG DIGICAM
> describe      DIGI_PNG           Digital camera pic name, but png
> score         DIGI_PNG      1.0
> score         META_DIGI_PNG 2.0

No, don't do that.  You at least want the DS part, even if it looks like
/name="DS[A-Z]{1,3}\d{3,6}\.png"/ instead of the narrower one I proposed
above.  (Also note the lack of the trailing "i" for case-insensitive.)
Others may correct me on the lack of escapes, but I believe those are
redundant.

The scores you've chosen look appropriate assuming you preserve the
leading "DS" and the case.  Otherwise, you will have false positives on
that check.

To address the other email which claims un-named 240x400 png
attachments, you could score __PNG_240_400 as a non-meta rule (rename
w/out the __) as 0.25 or so and your meta would then be that much less.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 1-May-2009, at 12:04, Adam Katz wrote:
> mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
> body __PNG_240_400     eval:image_size_exact('png',240,400)
> meta DSCL4DIG_PNG      __DSCL4_PNG && __PNG_240_400
> describe DSCL4DIG_PNG  Supposed digital camera photo is a PNG
>
> Probably the mimeheader check alone is enough.

What are you scoring this at?

I think with the dimensions that could safely score quite high.

I ended up with something like this after adding your image size.

mimeheader    DIGI_PNG    Content-Type =~ /name\=\"[a-z]{3,4}_?\d{4,5}\.png\"/
body          __PNG_240_400 eval:image_size_exact('png',240,400)
meta          META_DIGI_PNG      DIGI_PNG && __PNG_240_400
describe      META_DIGI_PNG      240,400 PNG DIGICAM
describe      DIGI_PNG           Digital camera pic name, but png
score         DIGI_PNG      1.0
score         META_DIGI_PNG 2.0


-- 
Ten Minutes ago you beat a man senseless.
He was senseless before I beat him.


Re: [SA] Almost no score

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2009-05-01 at 14:04 -0400, Adam Katz wrote:

> mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
> body __PNG_240_400     eval:image_size_exact('png',240,400)
> meta DSCL4DIG_PNG      __DSCL4_PNG && __PNG_240_400
> describe DSCL4DIG_PNG  Supposed digital camera photo is a PNG
> 
> Probably the mimeheader check alone is enough.
> 
Just got the first one I've seen in this spam campaign. The mimeheader
in this case has no image name, which strikes me as a sure fire spam
recogniser, or can drag'n drop cause that with some MUAs?

Combining a noname image with no body text and/or the usual collection
of meds/porno words/phrases in the subject line should  be fairly
reliable.

Martin



Re: [SA] Almost no score

Posted by Adam Katz <an...@khopis.com>.
John Hardin wrote:
>>  mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
> 
> It seems a wave of image spam is going out. Would it be reasonable to
> push this rule (with suitable modifications for length, etc.) and/or the
> ImageInfo version out as a base SA update so that the most people can
> benefit?

My dialog with aixenv on irc://irc.freenode.net/#spamassassin (and
other parts of this thread) yielded a slightly more flexible regex,
matched with the fact that the image always has the same dimensions:

mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body __PNG_240_400     eval:image_size_exact('png',240,400)
meta DSCL4DIG_PNG      __DSCL4_PNG && __PNG_240_400
describe DSCL4DIG_PNG  Supposed digital camera photo is a PNG

Probably the mimeheader check alone is enough.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
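An added Python example, not from the thread or from SpamAssassin itself, that reproduces Adam Katz's three-rule check outside SA: the mimeheader regex run over the unfolded Content-Type header, a stand-in for image_size_exact('png',240,400) that reads the PNG IHDR chunk, and the meta rule combining them. The unfolding and IHDR parsing are my own stand-ins for SA's internals; the messages are constructed (the PNGs are header-only, and apart from DSC0080.png every filename is invented) so the ham-like cases raised further down the thread, a lowercase or unnamed attachment and a DSC name with other dimensions, can be checked directly.

```python
import base64
import email
import re
import struct
import zlib

# Adam Katz's mimeheader regex, written without the redundant escapes he mentions;
# it is deliberately case-sensitive, so "dsc0080.png" does not match.
DSCL4_PNG = re.compile(r'name="DS[CL]\d{4,5}\.png"')

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def unfold(header: str) -> str:
    """Join folded header lines the way a mimeheader rule sees the header."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def png_size(data: bytes):
    """Width and height from the IHDR chunk, or None if this is not a PNG."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def dscl4_hits(raw: bytes) -> set:
    """Stand-in for the three rules: returns the names of those that fire."""
    msg = email.message_from_bytes(raw)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        if DSCL4_PNG.search(unfold(part.get("Content-Type", ""))):
            hits.add("__DSCL4_PNG")
        # stand-in for ImageInfo's image_size_exact('png',240,400)
        if png_size(part.get_payload(decode=True) or b"") == (240, 400):
            hits.add("__PNG_240_400")
    if {"__DSCL4_PNG", "__PNG_240_400"} <= hits:  # the meta rule
        hits.add("DSCL4DIG_PNG")
    return hits


def make_png(width: int, height: int) -> bytes:
    """Signature plus a well-formed IHDR chunk only: enough for the size check,
    not a complete image."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr))


def make_message(png: bytes, name) -> bytes:
    """Constructed multipart/mixed message: an empty text part and one PNG part
    whose Content-Type is folded exactly like the header quoted in the thread."""
    ctype = "Content-Type: image/png" + (f';\n\tname="{name}"' if name else "")
    body = base64.encodebytes(png).decode("ascii")
    return (
        "From: sender@example.invalid\nTo: user@example.invalid\n"
        "Subject: Constructed sample\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="part-boundary"\n\n'
        "--part-boundary\nContent-Type: text/plain\n\n\n"
        f"--part-boundary\n{ctype}\nContent-Transfer-Encoding: base64\n\n"
        f"{body}--part-boundary--\n"
    ).encode("ascii")


# Constructed samples (only the name DSC0080.png comes from the thread).
SPAM_LIKE = make_message(make_png(240, 400), "DSC0080.png")    # all three fire
WRONG_SIZE = make_message(make_png(1024, 768), "DSC0080.png")  # name only, no meta
LOWERCASE = make_message(make_png(240, 400), "dsc0080.png")    # size only
UNNAMED = make_message(make_png(240, 400), None)               # size only

if __name__ == "__main__":
    for label, raw in [("spam-like", SPAM_LIKE), ("wrong size", WRONG_SIZE),
                       ("lowercase", LOWERCASE), ("unnamed", UNNAMED)]:
        print(f"{label:11s} {sorted(dscl4_hits(raw))}")
```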

Re: Almost no score

Posted by John Hardin <jh...@impsec.org>.
>  mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

It seems a wave of image spam is going out. Would it be reasonable to push 
this rule (with suitable modifications for length, etc.) and/or the 
ImageInfo version out as a base SA update so that the most people can 
benefit?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Warning Labels we'd like to see #1: "If you are a stupid idiot while
  using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
  7 days until the 64th anniversary of VE day

Re: Almost no score

Posted by John Hardin <jh...@impsec.org>.
On Fri, 1 May 2009, Raymond Dijkxhoorn wrote:

>>  mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> Make that 4,5 since they also vary the size of the filenames...

You might also want to use "\d" instead of "[0-9]". Bytes don't grow on 
trees, y'know.

:)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Warning Labels we'd like to see #1: "If you are a stupid idiot while
  using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
  7 days until the 64th anniversary of VE day

Re: Almost no score

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> Looks like they've changed from DSL to DSC! I have a few with DSC in today's 
> quarantine, but they were caught by BOTNET rules. Methinks it's time to update 
> the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even 
> [A-Z]{3}[0-9]{4}\.png

Make that 4,5 since they also vary the size of the filenames...

Bye,
Raymond.

Re: Almost no score

Posted by Charles Gregory <cg...@hwcn.org>.
On Thu, 30 Apr 2009, John Wilcock wrote:
> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> Looks like they've changed from DSL to DSC! I have a few with DSC in 
> today's quarantine, but they were caught by BOTNET rules. Methinks it's 
> time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe 
> even [A-Z]{3}[0-9]{4}\.png

Overly general regexes run the risk of more false positives.
However, if you toss in a 'full' test for an image being
at the top of the body, that might help prevent FP's...

full LOC_IMG_AT_TOP /<body>\n*(<[^>]*>\n*)*<img /i

That regex allows HTML tags (but no text) before the img tag.

- Charles

Re: Almost no score

Posted by John Hardin <jh...@impsec.org>.
On Thu, 30 Apr 2009, LuKreme wrote:

> On 30-Apr-2009, at 09:03, John Wilcock wrote:
>> 
>> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> I'd be very careful with that rule (or any related).  This file name 
> pattern is a quite standard pattern for pictures from digital cameras.

I was going to say the same thing, but I'm not aware of any digital camera 
that saves to .PNG by default. It's not well suited to continuous-tone 
images. If the rule was for DSC\d+\.jpg then there would be big red flags 
waving around...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  8 days until the 64th anniversary of VE day

Re: Almost no score

Posted by Charles Gregory <cg...@hwcn.org>.
On Thu, 30 Apr 2009, LuKreme wrote:
>> A tip:  the PNG takes up considerably more disk space (and thus
>> loading time) and you're not increasing any quality (since it was
>> originally lossy).
> Actually, the PNGs load considerably faster for me as desktop images, 
> which is why I convert them.

I agree that bmp or png loads faster for a desktop, but I would suggest, 
just as a courtesy to people's bandwidth, that you retain the original 
jpg, and mail *that* when you want to send your images to people. And 
that's the reason I wouldn't worry about false positives with the
DSL####.png rule - most people won't (shouldn't?) be mailing them.

- Charles

>
>
> -- 
> It was intended that when Newspeak had been adopted once and for
> 	 all and Oldspeak forgotten, a heretical thought...should be
> 	 literally unthinkable, at least so far as thought is dependent
> 	 on words.
>

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 18:47, Adam Katz wrote:
> LuKreme wrote:
>>> DSC? Yes. .PNG? None that I've seen...
>>
>> Not specifically, but I, for example, convert photos I want to use  
>> for
>> Desktops to .png format, and I often don't rename them. If I email  
>> them
>> to someone they would match that pattern. I have 6 desktop images  
>> that
>> match DSC[0-9]{4}\.png and about 5 more that would match a more  
>> generic
>> [:alpha:]{3}[0-9]{4}\.png
>>
>> I'm just saying, this has a real potential of catching real messages.
>
> A tip:  the PNG takes up considerably more disk space (and thus
> loading time) and you're not increasing any quality (since it was
> originally lossy).

Actually, the PNGs load considerably faster for me as desktop images,  
which is why I convert them.


-- 
It was intended that when Newspeak had been adopted once and for
	all and Oldspeak forgotten, a heretical thought...should be
	literally unthinkable, at least so far as thought is dependent
	on words.


Re: Almost no score

Posted by Adam Katz <an...@khopis.com>.
LuKreme wrote:
>> DSC? Yes. .PNG? None that I've seen...
> 
> Not specifically, but I, for example, convert photos I want to use for
> Desktops to .png format, and I often don't rename them. If I email them
> to someone they would match that pattern. I have 6 desktop images that
> match DSC[0-9]{4}\.png and about 5 more that would match a more generic
> [:alpha:]{3}[0-9]{4}\.png
> 
> I'm just saying, this has a real potential of catching real messages.

A tip:  the PNG takes up considerably more disk space (and thus
loading time) and you're not increasing any quality (since it was
originally lossy).

If you're editing it, keep the original high-res JPG saved in some
more useful lossless format (like PSD or XCF) and export it back to
JPG when done editing.

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 10:50, Evan Platt wrote:
> At 09:33 AM 4/30/2009, you wrote:
>>> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>>
>> I'd be very careful with that rule (or any related).  This file name
>> pattern is a quite standard pattern for pictures from digital  
>> cameras.
>
> DSC? Yes. .PNG? None that I've seen...

Not specifically, but I, for example, convert photos I want to use for  
Desktops to .png format, and I often don't rename them. If I email  
them to someone they would match that pattern. I have 6 desktop images  
that match DSC[0-9]{4}\.png and about 5 more that would match a more  
generic [:alpha:]{3}[0-9]{4}\.png

I'm just saying, this has a real potential of catching real messages.

-- 
and I swear it happened just like this: / a sigh, a cry, a hungry
	kiss, the Gates of Love they budged an inch / I can't say much
	has happened since / but CLOSING TIME


RE: Almost no score

Posted by Evan Platt <ev...@espphotography.com>.
At 10:02 AM 4/30/2009, Jean-Paul Natola wrote:
> >I'd be very careful with that rule (or any related).  This file name
> >pattern is a quite standard pattern for pictures from digital cameras.
>
> >DSC? Yes. .PNG? None that I've seen...
>
>Actually   png is portable network graphics
>And DSCxxxx  is the default file name on sony digital cameras

I understand that. My point was no camera I've seen uses PNG. 


RE: Almost no score

Posted by Jean-Paul Natola <jn...@familycareintl.org>.

-----Original Message-----
From: Evan Platt [mailto:evan@espphotography.com] 
Sent: Thursday, April 30, 2009 12:50 PM
To: users@spamassassin.apache.org
Subject: Re: Almost no score

At 09:33 AM 4/30/2009, you wrote:

>>mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
>I'd be very careful with that rule (or any related).  This file name
>pattern is a quite standard pattern for pictures from digital cameras.

>DSC? Yes. .PNG? None that I've seen... 

Actually, png is portable network graphics,
and DSCxxxx is the default file name on Sony digital cameras.



Re: Almost no score

Posted by Evan Platt <ev...@espphotography.com>.
At 09:33 AM 4/30/2009, you wrote:

>>mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
>I'd be very careful with that rule (or any related).  This file name
>pattern is a quite standard pattern for pictures from digital cameras.

DSC? Yes. .PNG? None that I've seen... 


Re: Almost no score

Posted by Evan Platt <ev...@espphotography.com>.
At 11:31 AM 4/30/2009, you wrote:

>But digital cameras generally produce jpg, not png.... Yes?

Yep. Exactly the point I made. TIF, JPG or ORF or RAW. 


Re: Almost no score

Posted by Charles Gregory <cg...@hwcn.org>.
On Thu, 30 Apr 2009, LuKreme wrote:
>> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
> I'd be very careful with that rule (or any related).  This file name 
> pattern is a quite standard pattern for pictures from digital cameras.

But digital cameras generally produce jpg, not png.... Yes?

- C

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 11:10, John Hardin wrote:
> On Thu, 30 Apr 2009, LuKreme wrote:
>> Clarke's Law: Sufficiently advanced technology is indistinguishable
>> 	 from magic
>
> somebody's corollary to Clarke's law: Any technology distinguishable  
> from magic is insufficiently advanced.

Ooooo, that's nice!


-- 
This above all, to thine own self be true And it must follow, as
	the night the day, Thou canst not then be false to any man.


Re: Almost no score

Posted by John Hardin <jh...@impsec.org>.
On Thu, 30 Apr 2009, LuKreme wrote:

> Clarke's Law: Sufficiently advanced technology is indistinguishable
> 	 from magic

somebody's corollary to Clarke's law: Any technology distinguishable 
from magic is insufficiently advanced.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  8 days until the 64th anniversary of VE day

Re: Almost no score

Posted by LuKreme <kr...@kreme.com>.
On 30-Apr-2009, at 09:03, John Wilcock wrote:
> Le 30/04/2009 15:23, Jean-Paul Natola a écrit :
>> If anyone can shed some light here , I would appreciate it.
>>
>> ftp://ftp.fcimail.org/IT/SA/headers.txt
>
>> Content-Type: image/png;
>> 	name="DSC0080.png"
>
> Over the last week or so I'd been having some success looking for  
> this pattern, suggested on this list:
>
> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

I'd be very careful with that rule (or any related).  This file name  
pattern is a quite standard pattern for pictures from digital cameras.


-- 
Clarke's Law: Sufficiently advanced technology is indistinguishable
	from magic


Re: Almost no score

Posted by John Wilcock <jo...@tradoc.fr>.
Le 30/04/2009 15:23, Jean-Paul Natola a écrit :
> If anyone can shed some light here , I would appreciate it.
>
> ftp://ftp.fcimail.org/IT/SA/headers.txt

> Content-Type: image/png;
> 	name="DSC0080.png"

Over the last week or so I'd been having some success looking for this 
pattern, suggested on this list:

mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

Looks like they've changed from DSL to DSC! I have a few with DSC in 
today's quarantine, but they were caught by BOTNET rules. Methinks it's 
time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe 
even [A-Z]{3}[0-9]{4}\.png

John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Almost no score

Posted by Ned Slider <ne...@unixmail.co.uk>.
Jean-Paul Natola wrote:
> Hi all,
> 
> I just upgraded to 3.2.5  ran sa-update and I got this message with only one
> rule tripped
> 
> I'm putting a link to the message as well as the headers
> 
> If anyone can shed some light here , I would appreciate it.
> 
> ftp://ftp.fcimail.org/IT/SA/headers.txt
> 
> ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
> %20pain%20and%20dysfunctions.htm
> 
> TIA
> 
> J
> 

Same here other than a few hits against DNSBLs.


X-Spam-Report:
         *  3.0 RCVD_IN_SBLXBL RBL: Received via a relay in Spamhaus SBL-XBL
         *      [85.75.94.188 listed in sbl-xbl.spamhaus.org]
         *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
         *      [score: 0.5014]
         *  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
         *      dnsbl-2.uceprotect.net
         *      [85.75.94.188 listed in dnsbl-2.uceprotect.net]
         *  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
         *      dnsbl-3.uceprotect.net
         *      [85.75.94.188 listed in dnsbl-3.uceprotect.net]
         *  0.0 RCVD_IN_UCE_COMBINED Received via a relay in UCEProtect
         *  1.0 RDNS_NONE Delivered to trusted network by a host with no 
rDNS


Obviously my scoring is a little higher than yours and I catch it, but 
there's not a lot to go on.

Spamhaus catches it in 2 of its lists (PBL and XBL). I would really 
recommend implementing zen.spamhaus.org at the MTA (smtp) level as this 
will block much of this junk before it ever gets near SA.


RE: Almost no score

Posted by Jean-Paul Natola <jn...@familycareintl.org>.


On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
> Hi all,
> 
> I just upgraded to 3.2.5  ran sa-update and I got this message with only one
> rule tripped
> 
> I'm putting a link to the message as well as the headers
> 
> If anyone can shed some light here , I would appreciate it.
> 
> ftp://ftp.fcimail.org/IT/SA/headers.txt
> 
> ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
> %20pain%20and%20dysfunctions.htm
> 
> TIA
> 
> J
I couldn't get the whole message so just ran against the headers:

3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [85.75.94.188 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [85.75.94.188 listed in
bb.barracudacentral.org]
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by
                            Barracuda
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8897]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1117; Body=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
KeyID 0xE372A7DA98E6705C

-------------------------------------------------------------------

Evidently I'm missing A LOT of rulesets as I only scored .8 - one rule

I'm running sa-update daily; where are these other rules that you are all running?


Re: Almost no score

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
> > I just upgraded to 3.2.5  ran sa-update and I got this message with only one
> > rule tripped
> > 
> > I'm putting a link to the message as well as the headers
> > 
> > If anyone can shed some light here , I would appreciate it.
> > 
> > ftp://ftp.fcimail.org/IT/SA/headers.txt
> > 
> > ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
> > %20pain%20and%20dysfunctions.htm

On 30.04.09 19:34, Chris wrote:
> I couldn't get the whole message so just ran against the headers:
> 
> 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [85.75.94.188 listed in zen.spamhaus.org]
>  0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL

std. rules, but may not work for early recipients

>  1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
>                             [85.75.94.188 listed in
> bb.barracudacentral.org]
>  1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by
>                             Barracuda

non-standard rules

>  5.0 BOTNET                 Relay might be a spambot or virusbot
> [botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]

non-standard rule.

>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8897]

very non-standard score (the default score for BAYES_80 is only 2.0), and
checking the headers only doesn't give a valuable result.

> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [localhost 1117; Body=1]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders

non-standard rules.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
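
Added example, not code from the thread or from SpamAssassin itself: a small Python parser for the X-Spam-Report / spamassassin -t summary layout quoted above, which totals the hits, checks them against required_score and flags rules whose local score differs from a default table the caller supplies (the thread only gives BAYES_80 = 2.0; the IP and report in the constructed sample are placeholders).

```python
import re
from dataclasses import dataclass

# Constructed sample in the X-Spam-Report layout from the thread: the IP is
# a placeholder (192.0.2.10) and the lone "rDNS" line reproduces the
# mail-client wrap seen there, so the parser must glue it back on.
SAMPLE_REPORT = """\
X-Spam-Report:
         *  3.0 RCVD_IN_SBLXBL RBL: Received via a relay in Spamhaus SBL-XBL
         *      [192.0.2.10 listed in sbl-xbl.spamhaus.org]
         *  4.1 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
         *      [score: 0.8897]
         * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
         *  1.0 RDNS_NONE Delivered to trusted network by a host with no
rDNS
"""

# A hit line in either layout on the page ("         *  3.0 RULE ..." or the
# bare " 3.0 RULE ..." of spamassassin -t); continuation lines never match.
_HIT_RE = re.compile(r"^\s*\*?\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

@dataclass
class RuleHit:
    score: float
    rule: str
    description: str

def parse_spam_report(text):
    """Return the list of RuleHit in a report, joining continuation lines."""
    hits = []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("X-Spam-Report:"):
            continue
        m = _HIT_RE.match(line)
        if m:
            hits.append(RuleHit(float(m.group(1)), m.group(2), m.group(3)))
        elif hits:  # bracketed detail or wrapped tail: strip the "*" gutter
            hits[-1].description += " " + line.lstrip(" *\t")
    return hits

def total_score(hits, required_score=5.0):
    """Sum the hits and say whether they reach required_score (SA default 5.0)."""
    total = round(sum(h.score for h in hits), 3)
    return total, total >= required_score

def nondefault_scores(hits, defaults):
    """{rule: (seen, default)} for hits scored unlike the caller's default table."""
    return {h.rule: (h.score, defaults[h.rule]) for h in hits
            if h.rule in defaults and abs(h.score - defaults[h.rule]) > 1e-9}
```

Feed it the report from a quarantined message alongside the score table from your own local.cf to see at a glance which hits come from non-default scoring rather than from extra rulesets.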

Re: Almost no score

Posted by Chris <cp...@embarqmail.com>.
On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
> Hi all,
> 
> I just upgraded to 3.2.5  ran sa-update and I got this message with only one
> rule tripped
> 
> I'm putting a link to the message as well as the headers
> 
> If anyone can shed some light here , I would appreciate it.
> 
> ftp://ftp.fcimail.org/IT/SA/headers.txt
> 
> ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
> %20pain%20and%20dysfunctions.htm
> 
> TIA
> 
> J
I couldn't get the whole message so just ran against the headers:

3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [85.75.94.188 listed in zen.spamhaus.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [85.75.94.188 listed in
bb.barracudacentral.org]
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by
                            Barracuda
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]
 4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8897]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1117; Body=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
KeyID 0xE372A7DA98E6705C