Posted to users@spamassassin.apache.org by do...@bakerbotts.com on 2007/07/05 17:48:06 UTC

FW: isolated W

This may have already been addressed, but is there a released rule set
or add-on that would help in identifying these types of stock spam
emails?

We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
sa-update and RulesDuJour for automatic updates.

We turned off Razor since it was causing delays in processing mail.

In MailScanner, we turned off SpamHaus since we process too much email -
it appears it was just raising the score of high spam:  'Spam List =
SBL+XBL'

We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
milter-null (snert) to reduce bounce backs.

We receive about 300k emails a day with about 70% identified as spam.
We deliver about 5% of the suspected spam (score below 5).

We added URIBL checks to our mailscanner.cf file:

urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  3.0

urirhssub       URIBL_GREY  multi.uribl.com.        A   4
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  0.25

I am considering adding the botnet plugin from:
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
adding fake MX entries.

We use BAYES, but we don't feed spam or ham so it may have little help.

Here are the cf files we use in /etc/mail/spamassassin:

00_FVGT_File001.cf           70_sare_highrisk.cf  70_sare_stocks.cf
72_sare_bml_post25x.cf         bogus-virus-warnings.cf  random.cf
70_sare_adult.cf             70_sare_html0.cf     70_sare_unsub.cf
72_sare_redirect_post3.0.0.cf  chickenpox.cf            sa-update-keys
70_sare_bayes_poison_nxm.cf  70_sare_html_eng.cf  70_sare_uri0.cf
88_FVGT_body.cf                init.pre                 tripwire.cf
70_sare_evilnum0.cf          70_sare_obfu0.cf     70_sare_uri_eng.cf
88_FVGT_rawbody.cf             local.cf                 v310.pre
70_sare_genlsubj0.cf         70_sare_oem.cf       70_sare_whitelist.cf
88_FVGT_subject.cf             mailscanner.cf           v312.pre
70_sare_genlsubj_eng.cf      70_sare_random.cf
70_sare_whitelist_rcvd.cf  88_FVGT_uri.cf                 mangled.cf
v320.pre
70_sare_header0.cf           70_sare_specific.cf
70_sare_whitelist_spf.cf   99_sare_fraud_post25x.cf       pdfinfo.cf
weeds.cf
70_sare_header_eng.cf        70_sare_spoof.cf     70_zmi_german.cf
bakerbotts.cf                  popcorn_new.cf

Any input on our configuration would be appreciated - this is a great
forum!

Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183

--------------------------------------------------------------------------------------------------

Microsoft Mail Internet Headers Version 2.0
Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 5 Jul 2007 10:09:09 -0500
Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 5 Jul 2007 10:09:09 -0500
Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
[10.20.254.236]) by housweep03.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<T8...@housweep03.bakerbotts.net> for
<do...@bakerbotts.com>;
 Thu, 5 Jul 2007 10:09:08 -0500
Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
housweep01.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<T8...@housweep01.bakerbotts.net> for
<do...@bakerbotts.com>;
 Thu, 5 Jul 2007 10:09:08 -0500
X-Envelope-From: fxl@ubs.com
Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
[84.20.18.243])
	by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
l65F8mIB022832
	for <do...@bakerbotts.com>; Thu, 5 Jul 2007 10:08:55
-0500
Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007 17:08:48
+0200
Received: from unknown (HELO tjz) (196.128.111.164)
	by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
+0200
Message-ID: <46...@us.army.mil>
Date: Thu, 5 Jul 2007 17:08:48 +0200
From: Curry <fx...@ubs.com>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: donald.dawson@bakerbotts.com
Subject: isolated W
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
(houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
-0500 (CDT)
X-BakerBotts-MailScanner-Information: Please contact the ISP for more
information
X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=0.3, required 5, SARE_WEOFFER 0.30)
X-BakerBotts-MailScanner-From: fxl@ubs.com
X-Spam-Status: No
Return-Path: fxl@ubs.com
X-OriginalArrivalTime: 05 Jul 2007 15:09:09.0028 (UTC)
FILETIME=[6FDCDE40:01C7BF16]


-----Original Message-----
From: Curry [mailto:fxl@ubs.com] 
Sent: Thursday, July 05, 2007 10:09 AM
To: Dawson, Donald
Subject: isolated W


ERMX Continues To Expand As Stock Climbs Up 16.6%!

EntreMetrix Inc. (ERMX)
$0.21 UP 16.6%

ERMX announced further expansion with K-9 Genetics. Healthy and Premium
dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
years. Read up on ERMX over the holiday, we think you will see even more
fireworks on Thursday morning!

Mostly we invite artists and curators to put together shows for us;
however we remain open to proposals.

Please feel free to contact Steven Winogradsky directly to discuss your
production and how The Winogradsky Company can best serve your company
and the music needs of your clients.

Elen-Florence is interested in aquiring a recording contract.
It is not objectification, but going out beyond the bounds of reality.
Access Error Headline functionality has been disabled from your
intranet.
Every two or three years this project will hold a central exhibition
with a few supplementary ones.

His works can be found in private collections in Canada, France,
England, Australia, and the USA.

From suggesting the right clues to optimize the final audiovisual
product to advising about the fit strategies to get the expected target.

From suggesting the right clues to optimize the final audiovisual
product to advising about the fit strategies to get the expected target.
We currently stock thousands of books, CDs and videos, together with a
superb range of dancewear from Capezio and Roch Valley.

The director is always happy to talk on current exhibitions and about
the work of the organisation. As a child, Alderman's talents were
nurtured by a physician father who encouraged him to become a cosmetic
surgeon.

After the CD was finished the two guitar players were replaced by Geoff
Schultz and Aaron Fletcher, they also aquired a second singer, Keith
Yaskovich, and the name was changed to "Blank Shift".

The Visitors Programme is a joint project with Creative New Zealand.

Mai mica sau mai mare.

com - ApS LesGalleries. It is not objectification, but going out beyond
the bounds of reality. a luat premii cu caru, in general majoritatea
criticilor .

Hawes, Lewis Hine, W.
"You follow their careers and you watch the evolution of two human
beings over the course of a lifetime.

Mai mica sau mai mare. Gigs in northern Germany included support shows
for The Damned, Social Distortion, Bad Religion, U.
An intuitive artist, he felt his talents and abilities surpassed those
of college professors. It is not objectification, but going out beyond
the bounds of reality. S-a intamplat o eroare. com - Janet Lehr Inc.

Art works sales and curatorial projects.

We offer our marketing design services.

Here you can narrow your search. Subtle effects of lighting and shadow
casting can also be explored. Offers logo galleries, FAQs, and on-line
ordering. What music can I have for my wedding reception? She discovers
a means of expression and communication that permits her to release her
emotions trapped within her. His Studio is located in Canon City,
Colorado, where he chose to live near the source of stone he sculpts as
well as some of the finest bronze foundries in the nation.


RE: isolated W

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.
Donald

Just got in something very similar and it scored thus..

X-Solid-State-Logic-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
	score=6.311, required 5, BAYES_50 0.00, BOTNET 5.00,
	FH_HOST_EQ_D_D_D_D 0.67, HOST_MISMATCH_COM 0.31,
	IP_NOT_FRIENDLY 0.33)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**********************************************************************
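
Added example, not part of the thread: a short Python script that parses the two MailScanner SpamCheck headers quoted above and lists which rules fired on one system but not the other. Martin's header comes from a similar message, not the same one, so the comparison is indicative only; the function names are hypothetical and the header layout is assumed from the two headers shown here.

```python
import re

# Headers copied from the two messages in this thread, folded as archived.
DONALD_HDR = (
    "X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,\n"
    "\tscore=0.3, required 5, SARE_WEOFFER 0.30)"
)
MARTIN_HDR = (
    "X-Solid-State-Logic-MailScanner-SpamCheck: spam, SpamAssassin (not\n"
    "cached,\n"
    "\tscore=6.311, required 5, BAYES_50 0.00, BOTNET 5.00,\n"
    "\tFH_HOST_EQ_D_D_D_D 0.67, HOST_MISMATCH_COM 0.31,\n"
    "\tIP_NOT_FRIENDLY 0.33)"
)

# Layout assumed from the headers above:
#   X-<site>-MailScanner-SpamCheck: <verdict>, SpamAssassin (<fields>)
HEADER_RE = re.compile(
    r"^X-(?P<site>.+?)-MailScanner-SpamCheck:\s*(?P<verdict>[^,]+),\s*"
    r"SpamAssassin\s*\((?P<body>.*)\)\s*$"
)
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_spamcheck(raw):
    """Parse one (possibly folded) SpamCheck header into a dict."""
    # Unfold: any run of whitespace, including line breaks, becomes one space.
    text = re.sub(r"\s+", " ", raw.strip())
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a MailScanner SpamCheck header: %r" % text[:60])
    parsed = {
        "site": m.group("site"),
        "verdict": m.group("verdict").strip(),
        "score": None,
        "required": None,
        "rules": {},
    }
    for field in (f.strip() for f in m.group("body").split(",")):
        if field.startswith("score="):
            parsed["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            parsed["required"] = float(field.split()[1])
        else:
            rule = RULE_RE.match(field)
            if rule:  # fields such as "not cached" are skipped
                parsed["rules"][rule.group(1)] = float(rule.group(2))
    return parsed


def rules_sum_matches(parsed, tolerance=0.01):
    """True if the listed rule scores add up to the reported total."""
    return abs(sum(parsed["rules"].values()) - parsed["score"]) <= tolerance


def compare_hits(a, b):
    """Rule names that fired only in a, only in b, or in both."""
    ra, rb = set(a["rules"]), set(b["rules"])
    return {
        "only_a": sorted(ra - rb),
        "only_b": sorted(rb - ra),
        "both": sorted(ra & rb),
    }


def missing_points(a, b):
    """Total score of the rules that fired in b but not in a."""
    return sum(s for name, s in b["rules"].items() if name not in a["rules"])


if __name__ == "__main__":
    donald = parse_spamcheck(DONALD_HDR)
    martin = parse_spamcheck(MARTIN_HDR)
    diff = compare_hits(donald, martin)
    print("%s: %s (score %s of %s)" % (
        donald["site"], donald["verdict"], donald["score"], donald["required"]))
    print("%s: %s (score %s of %s)" % (
        martin["site"], martin["verdict"], martin["score"], martin["required"]))
    print("fired only at %s: %s" % (martin["site"], ", ".join(diff["only_b"])))
    print("points from those rules: %.2f" % missing_points(donald, martin))
```
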


RE: isolated W

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.
Create a file with the email in it...(eg spam.txt) then run spamassassin
over it...

spamassassin spam.txt

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: donald.dawson@bakerbotts.com [mailto:donald.dawson@bakerbotts.com]
> Sent: 05 July 2007 21:12
> To: martinh@solidstatelogic.com; users@spamassassin.apache.org
> Subject: RE: isolated W
>
> Martin,
>
> How did you run the test below and get the rules grid?  Did you somehow
> test the email contents below?
>
> I'm concerned my implementation did not return these hits.
>
> Thanks,
> Donald
>
> -----Original Message-----
> From: Martin.Hepworth [mailto:martinh@solidstatelogic.com]
> Sent: Thursday, July 05, 2007 10:55 AM
> To: Dawson, Donald; users@spamassassin.apache.org
> Subject: RE: isolated W
>
>
> Donald
>
> My analysis (SA 3.1.8)
>
>
> Content analysis details:   (10.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
>  2.5 MISSING_HB_SEP         Missing blank line between message header and body
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.3 SARE_WEOFFER           BODY: Offers Something
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
>  1.8 MISSING_SUBJECT        Missing Subject: header
>  0.5 FM_NO_TO               FM_NO_TO
>  0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
>  0.1 TO_CC_NONE             No To: or Cc: header
>  2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
>  1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
>
> Putting in a "spam list" in mailscanner.conf will make anything that
> hits that RBL be marked as spam....nothing to do with SA!
>
> Also the URI-black and grey are already in SA, so need to add them in.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: donald.dawson@bakerbotts.com
> [mailto:donald.dawson@bakerbotts.com]
> > Sent: 05 July 2007 16:48
> > To: users@spamassassin.apache.org
> > Subject: FW: isolated W
> >
> > This may have already been addressed, but is there a released rule
set
> > or add-on that would help in identifying these type of stock spam
> > emails?
> >
> > We use MailScanner 4.59.4 (MailScanner-v: 3.002000
> Mail::SpamAssassin),
> > SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
> > sa-update and RulesDuJour for automatic updates.
> >
> > We turned off Razor since it was causing delays in processing mail.
> >
> > In MailScanner, we turned off SpamHaus since we process too much
email
> -
> > it appears it was just raising the score of high spam:  'Spam List =
> > SBL+XBL'
> >
> > We also use milter-greylist during the hours of 10 PM and 5 AM.  We
> use
> > milter-null (snert) to reduce bounce backs.
> >
> > We receive about 300k emails a day with about 70% identified as
spam.
> > We deliver about 5% of the suspected spam (score below 5).
> >
> > We added URIBL checks to our mailscanner.cf file:
> >
> > urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
> > body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> > describe        URIBL_BLACK  Contains an URL listed in the URIBL
> > blacklist
> > tflags          URIBL_BLACK  net
> > score           URIBL_BLACK  3.0
> >
> > urirhssub       URIBL_GREY  multi.uribl.com.        A   4
> > body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> > describe        URIBL_GREY  Contains an URL listed in the URIBL
> greylist
> > tflags          URIBL_GREY  net
> > score           URIBL_GREY  0.25
> >
> > I am considering adding the botnet plugin from:
> > http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
> > adding fake MX entries.
> >
> > We use BAYES, but we don't feed spam or ham so it may have little
> help.
> >
> > Here are the cf files we use in /etc/mail/spamassassin:
> >
> > 00_FVGT_File001.cf           70_sare_highrisk.cf  70_sare_stocks.cf
> > 72_sare_bml_post25x.cf         bogus-virus-warnings.cf  random.cf
> > 70_sare_adult.cf             70_sare_html0.cf     70_sare_unsub.cf
> > 72_sare_redirect_post3.0.0.cf  chickenpox.cf
sa-update-keys
> > 70_sare_bayes_poison_nxm.cf  70_sare_html_eng.cf  70_sare_uri0.cf
> > 88_FVGT_body.cf                init.pre                 tripwire.cf
> > 70_sare_evilnum0.cf          70_sare_obfu0.cf     70_sare_uri_eng.cf
> > 88_FVGT_rawbody.cf             local.cf                 v310.pre
> > 70_sare_genlsubj0.cf         70_sare_oem.cf
70_sare_whitelist.cf
> > 88_FVGT_subject.cf             mailscanner.cf           v312.pre
> > 70_sare_genlsubj_eng.cf      70_sare_random.cf
> > 70_sare_whitelist_rcvd.cf  88_FVGT_uri.cf                 mangled.cf
> > v320.pre
> > 70_sare_header0.cf           70_sare_specific.cf
> > 70_sare_whitelist_spf.cf   99_sare_fraud_post25x.cf       pdfinfo.cf
> > weeds.cf
> > 70_sare_header_eng.cf        70_sare_spoof.cf     70_zmi_german.cf
> > bakerbotts.cf                  popcorn_new.cf
> >
> > Any input on our configuration would be appreciated - this is a
great
> > forum!
> >
> > Donald
> >
> > Donald Dawson
> > Security Administrator
> > Baker Botts L.L.P.
> > 713-229-2183
> >
> >
>
------------------------------------------------------------------------
> > --------------------------
> >
> > Microsoft Mail Internet Headers Version 2.0
> > Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
> > HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> > 	 Thu, 5 Jul 2007 10:09:09 -0500
> > Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
> > houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> > 	 Thu, 5 Jul 2007 10:09:09 -0500
> > Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
> > [10.20.254.236]) by housweep03.bakerbotts.net
> >  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> > <T8...@housweep03.bakerbotts.net> for
> > <do...@bakerbotts.com>;
> >  Thu, 5 Jul 2007 10:09:08 -0500
> > Received: from houmx05.bakerbotts.com
(houmx05-inside.bakerbotts.net)
> by
> > housweep01.bakerbotts.net
> >  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> > <T8...@housweep01.bakerbotts.net> for
> > <do...@bakerbotts.com>;
> >  Thu, 5 Jul 2007 10:09:08 -0500
> > X-Envelope-From: fxl@ubs.com
> > Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
> > [84.20.18.243])
> > 	by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
> > l65F8mIB022832
> > 	for <do...@bakerbotts.com>; Thu, 5 Jul 2007 10:08:55
> > -0500
> > Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007
17:08:48
> > +0200
> > Received: from unknown (HELO tjz) (196.128.111.164)
> > 	by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
> > +0200
> > Message-ID: <46...@us.army.mil>
> > Date: Thu, 5 Jul 2007 17:08:48 +0200
> > From: Curry <fx...@ubs.com>
> > User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
> > MIME-Version: 1.0
> > To: donald.dawson@bakerbotts.com
> > Subject: isolated W
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> > Content-Transfer-Encoding: 7bit
> > X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
> > X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
> > (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
> > -0500 (CDT)
> > X-BakerBotts-MailScanner-Information: Please contact the ISP for
more
> > information
> > X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not
> cached,
> > 	score=0.3, required 5, SARE_WEOFFER 0.30)
> > X-BakerBotts-MailScanner-From: fxl@ubs.com
> > X-Spam-Status: No
> > Return-Path: fxl@ubs.com
> > X-OriginalArrivalTime: 05 Jul 2007 15:09:09.0028 (UTC)
> > FILETIME=[6FDCDE40:01C7BF16]
> >
> >
> > -----Original Message-----
> > From: Curry [mailto:fxl@ubs.com]
> > Sent: Thursday, July 05, 2007 10:09 AM
> > To: Dawson, Donald
> > Subject: isolated W
> >
> >
> > ERMX Continues To Expand As Stock Climbs Up 16.6%!
> >
> > EntreMetrix Inc. (ERMX)
> > $0.21 UP 16.6%
> >
> > ERMX announced further expansion with K-9 Genetics. Healthy and
> Premium
> > dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in
> previous
> > years. Read up on ERMX over the holiday, we think you will see even
> more
> > fireworks on Thursday morning!
> >
> > Mostly we invite artists and curators to put together shows for us;
> > however we remain open to proposals.
> >
> > Please feel free to contact Steven Winogradsky directly to discuss
> your
> > production and how The Winogradsky Company can best serve your
company
> > and the music needs of your clients.
> >
> > Elen-Florence is interested in aquiring a recording contract.
> > It is not objectification, but going out beyond the bounds of
reality.
> > Access Error Headline functionality has been disabled from your
> > intranet.
> > Every two or three years this project will hold a central exhibition
> > with a few supplementary ones.
> >
> > His works can be found in private collections in Canada, France,
> > England, Australia, and the USA.
> >
> > From suggesting the right clues to optimize the final audiovisual
> > product to advising about the fit strategies to get the expected
> target.
> >
> > From suggesting the right clues to optimize the final audiovisual
> > product to advising about the fit strategies to get the expected
> target.
> > We currently stock thousands of books, CDs and videos, together with
a
> > superb range of dancewear from Capezio and Roch Valley.
> >
> > The director is always happy to talk on current exhibitions and
about
> > the work of the organisation. As a child, Alderman's talents were
> > nurtured by a physician father who encouraged him to become a
cosmetic
> > surgeon.
> >
> > After the CD was finished the two guitar players were replaced by
> Geoff
> > Schultz and Aaron Fletcher, they also aquired a second singer, Keith
> > Yaskovich, and the name was changed to "Blank Shift".
> >
> > The Visitors Programme is a joint project with Creative New Zealand.
> >
> > Mai mica sau mai mare.
> >
> > com - ApS LesGalleries. It is not objectification, but going out
> beyond
> > the bounds of reality. a luat premii cu caru, in general majoritatea
> > criticilor .
> >
> > Hawes, Lewis Hine, W.
> > "You follow their careers and you watch the evolution of two human
> > beings over the course of a lifetime.
> >
> > Mai mica sau mai mare. Gigs in northern Germany included support
shows
> > for The Damned, Social Distortion, Bad Religion, U.
> > An intuitive artist, he felt his talents and abilities surpassed
those
> > of college professors. It is not objectification, but going out
beyond
> > the bounds of reality. S-a intamplat o eroare. com - Janet Lehr Inc.
> >
> > Art works sales and curatorial projects.
> >
> > We offer our marketing design services.
> >
> > Here you can narrow your search. Subtle effects of lighting and
shadow
> > casting can also be explored. Offers logo galleries, FAQs, and
on-line
> > ordering. What music can I have for my wedding reception? She
> discovers
> > a means of expression and communication that permits her to release
> her
> > emotions trapped within her. His Studio is located in Canon City,
> > Colorado, where he chose to live near the source of stone he sculpts
> as
> > well as some of the finest bronze foundries in the nation.
>
>
>
>
>
> **********************************************************************
> Confidentiality : This e-mail and any attachments are intended for the
> addressee only and may be confidential. If they come to you in error
> you must take no action based on them, nor must you copy or show them
> to anyone. Please advise the sender by replying to this e-mail
> immediately and then delete the original from your computer.
> Opinion : Any opinions expressed in this e-mail are entirely those of
> the author and unless specifically stated to the contrary, are not
> necessarily those of the author's employer.
> Security Warning : Internet e-mail is not necessarily a secure
> communications medium and can be subject to data corruption. We advise
> that you consider this fact when e-mailing us.
> Viruses : We have taken steps to ensure that this e-mail and any
> attachments are free from known viruses but in keeping with good
> computing practice, you should ensure that they are virus free.
>
> Red Lion 49 Ltd T/A Solid State Logic
> Registered as a limited company in England and Wales
> (Company No:5362730)
> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
> United Kingdom
> **********************************************************************







RE: isolated W

Posted by do...@bakerbotts.com.
Martin,

How did you run the test below and get the rules grid?  Did you somehow
test the email contents below?

I'm concerned my implementation did not return these hits.

Thanks,
Donald

-----Original Message-----
From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] 
Sent: Thursday, July 05, 2007 10:55 AM
To: Dawson, Donald; users@spamassassin.apache.org
Subject: RE: isolated W


Donald

My analysis (SA 3.1.8)


Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2

Putting in a "spam list" in mailscanner.conf will make anything that
hits that RBL be marked as spam....nothing to do with SA!

Also the URI-black and grey are already in SA, so need to add them in.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: donald.dawson@bakerbotts.com [mailto:donald.dawson@bakerbotts.com]
> Sent: 05 July 2007 16:48
> To: users@spamassassin.apache.org
> Subject: FW: isolated W
>
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
> SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
> sa-update and RulesDuJour for automatic updates.
>
> We turned off Razor since it was causing delays in processing mail.
>
> In MailScanner, we turned off SpamHaus since we process too much email -
> it appears it was just raising the score of high spam:  'Spam List =
> SBL+XBL'
>
> We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
> milter-null (snert) to reduce bounce backs.
>
> We receive about 300k emails a day with about 70% identified as spam.
> We deliver about 5% of the suspected spam (score below 5).
>
> We added URIBL checks to our mailscanner.cf file:
>
> urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
> body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
> tflags          URIBL_BLACK  net
> score           URIBL_BLACK  3.0
>
> urirhssub       URIBL_GREY  multi.uribl.com.        A   4
> body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
> tflags          URIBL_GREY  net
> score           URIBL_GREY  0.25
>
> I am considering adding the botnet plugin from:
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
> adding fake MX entries.
>
> We use BAYES, but we don't feed spam or ham so it may have little help.
>
> Here are the cf files we use in /etc/mail/spamassassin:
>
> 00_FVGT_File001.cf           70_sare_highrisk.cf  70_sare_stocks.cf
> 72_sare_bml_post25x.cf         bogus-virus-warnings.cf  random.cf
> 70_sare_adult.cf             70_sare_html0.cf     70_sare_unsub.cf
> 72_sare_redirect_post3.0.0.cf  chickenpox.cf            sa-update-keys
> 70_sare_bayes_poison_nxm.cf  70_sare_html_eng.cf  70_sare_uri0.cf
> 88_FVGT_body.cf                init.pre                 tripwire.cf
> 70_sare_evilnum0.cf          70_sare_obfu0.cf     70_sare_uri_eng.cf
> 88_FVGT_rawbody.cf             local.cf                 v310.pre
> 70_sare_genlsubj0.cf         70_sare_oem.cf       70_sare_whitelist.cf
> 88_FVGT_subject.cf             mailscanner.cf           v312.pre
> 70_sare_genlsubj_eng.cf      70_sare_random.cf    70_sare_whitelist_rcvd.cf
> 88_FVGT_uri.cf                 mangled.cf               v320.pre
> 70_sare_header0.cf           70_sare_specific.cf  70_sare_whitelist_spf.cf
> 99_sare_fraud_post25x.cf       pdfinfo.cf               weeds.cf
> 70_sare_header_eng.cf        70_sare_spoof.cf     70_zmi_german.cf
> bakerbotts.cf                  popcorn_new.cf
>
> Any input on our configuration would be appreciated - this is a great
> forum!
>
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>
>
> --------------------------------------------------------------------------------------------------
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
> HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> 	 Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
> houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> 	 Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
> [10.20.254.236]) by housweep03.bakerbotts.net
>  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> <T8...@housweep03.bakerbotts.net> for
> <do...@bakerbotts.com>;
>  Thu, 5 Jul 2007 10:09:08 -0500
> Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
> housweep01.bakerbotts.net
>  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> <T8...@housweep01.bakerbotts.net> for
> <do...@bakerbotts.com>;
>  Thu, 5 Jul 2007 10:09:08 -0500
> X-Envelope-From: fxl@ubs.com
> Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
> [84.20.18.243])
> 	by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
> l65F8mIB022832
> 	for <do...@bakerbotts.com>; Thu, 5 Jul 2007 10:08:55
> -0500
> Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007 17:08:48
> +0200
> Received: from unknown (HELO tjz) (196.128.111.164)
> 	by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
> +0200
> Message-ID: <46...@us.army.mil>
> Date: Thu, 5 Jul 2007 17:08:48 +0200
> From: Curry <fx...@ubs.com>
> User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
> MIME-Version: 1.0
> To: donald.dawson@bakerbotts.com
> Subject: isolated W
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
> X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
> (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
> -0500 (CDT)
> X-BakerBotts-MailScanner-Information: Please contact the ISP for more
> information
> X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> 	score=0.3, required 5, SARE_WEOFFER 0.30)
> X-BakerBotts-MailScanner-From: fxl@ubs.com
> X-Spam-Status: No
> Return-Path: fxl@ubs.com
> X-OriginalArrivalTime: 05 Jul 2007 15:09:09.0028 (UTC)
> FILETIME=[6FDCDE40:01C7BF16]
>
>
> -----Original Message-----
> From: Curry [mailto:fxl@ubs.com]
> Sent: Thursday, July 05, 2007 10:09 AM
> To: Dawson, Donald
> Subject: isolated W
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>
> Mostly we invite artists and curators to put together shows for us;
> however we remain open to proposals.
>
> Please feel free to contact Steven Winogradsky directly to discuss your
> production and how The Winogradsky Company can best serve your company
> and the music needs of your clients.
>
> Elen-Florence is interested in aquiring a recording contract.
> It is not objectification, but going out beyond the bounds of reality.
> Access Error Headline functionality has been disabled from your
> intranet.
> Every two or three years this project will hold a central exhibition
> with a few supplementary ones.
>
> His works can be found in private collections in Canada, France,
> England, Australia, and the USA.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
> We currently stock thousands of books, CDs and videos, together with a
> superb range of dancewear from Capezio and Roch Valley.
>
> The director is always happy to talk on current exhibitions and about
> the work of the organisation. As a child, Alderman's talents were
> nurtured by a physician father who encouraged him to become a cosmetic
> surgeon.
>
> After the CD was finished the two guitar players were replaced by Geoff
> Schultz and Aaron Fletcher, they also aquired a second singer, Keith
> Yaskovich, and the name was changed to "Blank Shift".
>
> The Visitors Programme is a joint project with Creative New Zealand.
>
> Mai mica sau mai mare.
>
> com - ApS LesGalleries. It is not objectification, but going out beyond
> the bounds of reality. a luat premii cu caru, in general majoritatea
> criticilor .
>
> Hawes, Lewis Hine, W.
> "You follow their careers and you watch the evolution of two human
> beings over the course of a lifetime.
>
> Mai mica sau mai mare. Gigs in northern Germany included support shows
> for The Damned, Social Distortion, Bad Religion, U.
> An intuitive artist, he felt his talents and abilities surpassed those
> of college professors. It is not objectification, but going out beyond
> the bounds of reality. S-a intamplat o eroare. com - Janet Lehr Inc.
>
> Art works sales and curatorial projects.
>
> We offer our marketing design services.
>
> Here you can narrow your search. Subtle effects of lighting and shadow
> casting can also be explored. Offers logo galleries, FAQs, and on-line
> ordering. What music can I have for my wedding reception? She discovers
> a means of expression and communication that permits her to release her
> emotions trapped within her. His Studio is located in Canon City,
> Colorado, where he chose to live near the source of stone he sculpts as
> well as some of the finest bronze foundries in the nation.






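One way to line up the two results quoted in this thread (the SA 3.1.8 report grid and the MailScanner SpamCheck header on the delivered copy), as an added example that is not part of any poster's message and is not SpamAssassin or MailScanner code. The function names and the ABSENT_HEADER_RULES mapping are assumptions of the example; the sample inputs are constructed from the text of the thread, with the grid left line-wrapped the way it was posted.

```python
import re

# Constructed sample: the SA 3.1.8 grid from this thread, still line-wrapped.
REPORT = """\
Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ----------------------
--------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header
and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
"""

# The MailScanner verdict and two headers of the delivered copy, from the thread.
SPAMCHECK = ("not spam, SpamAssassin (not cached, "
             "score=0.3, required 5, SARE_WEOFFER 0.30)")
DELIVERED_HEADERS = {"To": "donald.dawson@bakerbotts.com", "Subject": "isolated W"}

# Assumption of this example: rules whose description in the grid says a header
# is absent, mapped to the header(s) that description names.
ABSENT_HEADER_RULES = {"MISSING_SUBJECT": ("Subject",), "TO_CC_NONE": ("To", "Cc")}

ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
TOTAL = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
NUM = r"(-?\d+(?:\.\d+)?)"

def parse_report(text):
    """Return (total, required, {rule: (points, description)}) for a report grid."""
    summary = TOTAL.search(text)
    if not summary:
        raise ValueError("no '(N points, M required)' summary line")
    rules, last = {}, None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            last = row.group(2)
            rules[last] = (float(row.group(1)), row.group(3).strip())
        elif last and line.strip() and set(line.strip()) != {"-"}:
            # Wrapped description or "[score: ...]" detail: belongs to the row above.
            points, desc = rules[last]
            rules[last] = (points, desc + " " + line.strip())
    return float(summary.group(1)), float(summary.group(2)), rules

def parse_spamcheck(value):
    """Return (score, required, {rule: points}) from a MailScanner SpamCheck value."""
    score = float(re.search(r"score=" + NUM, value).group(1))
    required = float(re.search(r"required " + NUM, value).group(1))
    hits = {n: float(p) for n, p in re.findall(r"\b([A-Z][A-Z0-9_]+) " + NUM, value)}
    return score, required, hits

def compare(report_text, spamcheck, delivered_headers):
    """Diff the two scans and flag hits the delivered headers contradict."""
    total, _, grid = parse_report(report_text)
    _, _, hits = parse_spamcheck(spamcheck)
    only_report = sorted(set(grid) - set(hits))
    return {
        "sum_matches_total": round(sum(p for p, _ in grid.values()), 1) == total,
        "common": sorted(set(grid) & set(hits)),
        "only_in_report": only_report,
        "points_only_in_report": round(sum(grid[r][0] for r in only_report), 1),
        # "Header absent" hits on a mail delivered with that header: inputs differed.
        "contradicted": sorted(r for r, hs in ABSENT_HEADER_RULES.items()
                               if r in grid and any(h in delivered_headers for h in hs)),
    }

if __name__ == "__main__":
    print(compare(REPORT, SPAMCHECK, DELIVERED_HEADERS))
```

On this thread's data the only rule both scans share is SARE_WEOFFER, and MISSING_SUBJECT and TO_CC_NONE appear in the grid although the delivered copy carries Subject: and To: headers, so the two scans were not fed the same bytes.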

RE: isolated W

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.
Donald

My analysis (SA 3.1.8)


Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2

Putting in a "spam list" in mailscanner.conf will make anything that
hits that RBL be marked as spam....nothing to do with SA!

Also the URI-black and grey are already in SA, so need to add them in.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: donald.dawson@bakerbotts.com [mailto:donald.dawson@bakerbotts.com]
> Sent: 05 July 2007 16:48
> To: users@spamassassin.apache.org
> Subject: FW: isolated W
>
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
> SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
> sa-update and RulesDuJour for automatic updates.
>
> We turned off Razor since it was causing delays in processing mail.
>
> In MailScanner, we turned off SpamHaus since we process too much email -
> it appears it was just raising the score of high spam:  'Spam List =
> SBL+XBL'
>
> We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
> milter-null (snert) to reduce bounce backs.
>
> We receive about 300k emails a day with about 70% identified as spam.
> We deliver about 5% of the suspected spam (score below 5).
>
> We added URIBL checks to our mailscanner.cf file:
>
> urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
> body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
> tflags          URIBL_BLACK  net
> score           URIBL_BLACK  3.0
>
> urirhssub       URIBL_GREY  multi.uribl.com.        A   4
> body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
> tflags          URIBL_GREY  net
> score           URIBL_GREY  0.25
>
> I am considering adding the botnet plugin from:
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
> adding fake MX entries.
>
> We use BAYES, but we don't feed spam or ham so it may have little help.
>
> Here are the cf files we use in /etc/mail/spamassassin:
>
> 00_FVGT_File001.cf           70_sare_highrisk.cf  70_sare_stocks.cf
> 72_sare_bml_post25x.cf         bogus-virus-warnings.cf  random.cf
> 70_sare_adult.cf             70_sare_html0.cf     70_sare_unsub.cf
> 72_sare_redirect_post3.0.0.cf  chickenpox.cf            sa-update-keys
> 70_sare_bayes_poison_nxm.cf  70_sare_html_eng.cf  70_sare_uri0.cf
> 88_FVGT_body.cf                init.pre                 tripwire.cf
> 70_sare_evilnum0.cf          70_sare_obfu0.cf     70_sare_uri_eng.cf
> 88_FVGT_rawbody.cf             local.cf                 v310.pre
> 70_sare_genlsubj0.cf         70_sare_oem.cf       70_sare_whitelist.cf
> 88_FVGT_subject.cf             mailscanner.cf           v312.pre
> 70_sare_genlsubj_eng.cf      70_sare_random.cf    70_sare_whitelist_rcvd.cf
> 88_FVGT_uri.cf                 mangled.cf               v320.pre
> 70_sare_header0.cf           70_sare_specific.cf  70_sare_whitelist_spf.cf
> 99_sare_fraud_post25x.cf       pdfinfo.cf               weeds.cf
> 70_sare_header_eng.cf        70_sare_spoof.cf     70_zmi_german.cf
> bakerbotts.cf                  popcorn_new.cf
>
> Any input on our configuration would be appreciated - this is a great
> forum!
>
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>
>
> --------------------------------------------------------------------------------------------------
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
> HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> 	 Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
> houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
> 	 Thu, 5 Jul 2007 10:09:09 -0500
> Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
> [10.20.254.236]) by housweep03.bakerbotts.net
>  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> <T8...@housweep03.bakerbotts.net> for
> <do...@bakerbotts.com>;
>  Thu, 5 Jul 2007 10:09:08 -0500
> Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
> housweep01.bakerbotts.net
>  (Content Technologies SMTPRS 4.3.20) with ESMTP id
> <T8...@housweep01.bakerbotts.net> for
> <do...@bakerbotts.com>;
>  Thu, 5 Jul 2007 10:09:08 -0500
> X-Envelope-From: fxl@ubs.com
> Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
> [84.20.18.243])
> 	by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
> l65F8mIB022832
> 	for <do...@bakerbotts.com>; Thu, 5 Jul 2007 10:08:55
> -0500
> Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007 17:08:48
> +0200
> Received: from unknown (HELO tjz) (196.128.111.164)
> 	by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
> +0200
> Message-ID: <46...@us.army.mil>
> Date: Thu, 5 Jul 2007 17:08:48 +0200
> From: Curry <fx...@ubs.com>
> User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
> MIME-Version: 1.0
> To: donald.dawson@bakerbotts.com
> Subject: isolated W
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
> X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
> (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
> -0500 (CDT)
> X-BakerBotts-MailScanner-Information: Please contact the ISP for more
> information
> X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> 	score=0.3, required 5, SARE_WEOFFER 0.30)
> X-BakerBotts-MailScanner-From: fxl@ubs.com
> X-Spam-Status: No
> Return-Path: fxl@ubs.com
> X-OriginalArrivalTime: 05 Jul 2007 15:09:09.0028 (UTC)
> FILETIME=[6FDCDE40:01C7BF16]
>
>
> -----Original Message-----
> From: Curry [mailto:fxl@ubs.com]
> Sent: Thursday, July 05, 2007 10:09 AM
> To: Dawson, Donald
> Subject: isolated W
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>
> Mostly we invite artists and curators to put together shows for us;
> however we remain open to proposals.
>
> Please feel free to contact Steven Winogradsky directly to discuss your
> production and how The Winogradsky Company can best serve your company
> and the music needs of your clients.
>
> Elen-Florence is interested in aquiring a recording contract.
> It is not objectification, but going out beyond the bounds of reality.
> Access Error Headline functionality has been disabled from your
> intranet.
> Every two or three years this project will hold a central exhibition
> with a few supplementary ones.
>
> His works can be found in private collections in Canada, France,
> England, Australia, and the USA.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
>
> From suggesting the right clues to optimize the final audiovisual
> product to advising about the fit strategies to get the expected target.
> We currently stock thousands of books, CDs and videos, together with a
> superb range of dancewear from Capezio and Roch Valley.
>
> The director is always happy to talk on current exhibitions and about
> the work of the organisation. As a child, Alderman's talents were
> nurtured by a physician father who encouraged him to become a cosmetic
> surgeon.
>
> After the CD was finished the two guitar players were replaced by Geoff
> Schultz and Aaron Fletcher, they also aquired a second singer, Keith
> Yaskovich, and the name was changed to "Blank Shift".
>
> The Visitors Programme is a joint project with Creative New Zealand.
>
> Mai mica sau mai mare.
>
> com - ApS LesGalleries. It is not objectification, but going out beyond
> the bounds of reality. a luat premii cu caru, in general majoritatea
> criticilor .
>
> Hawes, Lewis Hine, W.
> "You follow their careers and you watch the evolution of two human
> beings over the course of a lifetime.
>
> Mai mica sau mai mare. Gigs in northern Germany included support shows
> for The Damned, Social Distortion, Bad Religion, U.
> An intuitive artist, he felt his talents and abilities surpassed those
> of college professors. It is not objectification, but going out beyond
> the bounds of reality. S-a intamplat o eroare. com - Janet Lehr Inc.
>
> Art works sales and curatorial projects.
>
> We offer our marketing design services.
>
> Here you can narrow your search. Subtle effects of lighting and shadow
> casting can also be explored. Offers logo galleries, FAQs, and on-line
> ordering. What music can I have for my wedding reception? She discovers
> a means of expression and communication that permits her to release her
> emotions trapped within her. His Studio is located in Canon City,
> Colorado, where he chose to live near the source of stone he sculpts as
> well as some of the finest bronze foundries in the nation.




