Posted to users@spamassassin.apache.org by Igor Chudov <ig...@chudov.com> on 2009/04/24 18:41:31 UTC

Why is the advertising for certain "berry" not caught

I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt

These advertise certain berries, but also other equally worthless
gimmicks. These spammers started "snowshoeing" but as time went on,
predictably they became more brazen. 

I have the latest ubuntu 9.04 and I was hoping for better results. Am
I missing some rulesets or what?

i

Re: Why is the advertising for certain "berry" not caught

Posted by Igor Chudov <ig...@chudov.com>.
On Fri, Apr 24, 2009 at 11:41:31AM -0500, Igor Chudov wrote:
> I get a shipload of spams like this one:
> 
> http://igor.chudov.com/tmp/spam007.txt

By the way, look at these spams. The affiliate URL is mentioned once or
twice, and then the "remove" URL. The remove URL is like the affiliate
URL, different by one character only.

i

> These advertise certain berries, but also other equally worthless
> gimmicks. These spammers started "snowshoeing" but as time went on,
> predictably they became more brazen. 
> 
> I have the latest ubuntu 9.04 and I was hoping for better results. Am
> I missing some rulesets or what?
> 
> i
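An added example, not from the thread, of a check for the pattern Igor describes above: it pulls the http(s) URIs out of a message body and reports pairs that differ by exactly one character, such as an affiliate link and its "remove" twin. The message body and the offer.example / www.example.org hosts are constructed placeholders.

```python
import re
from itertools import combinations

# Constructed sample message in the style described in the thread: the
# affiliate link appears twice and the "remove" link differs from it by a
# single character. The hosts are placeholders, not real domains.
SAMPLE_BODY = """\
Lose weight fast with our berry formula - order today:
  http://offer.example/go/x7k2q
Read the testimonials: http://offer.example/go/x7k2q
To be removed from this list visit http://offer.example/go/x7k2r
Office address: http://www.example.org/contact
"""

URI_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_uris(text):
    """Return the distinct http(s) URIs in text, in order of first appearance."""
    seen = []
    for match in URI_RE.finditer(text):
        uri = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        if uri not in seen:
            seen.append(uri)
    return seen

def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:   # skip the common prefix
        i += 1
    if len(a) == len(b):                 # same length: one substitution at i
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]            # b has one extra character at i

def near_duplicate_uris(text):
    """Pairs of distinct URIs in text that are one character apart."""
    uris = extract_uris(text)
    return [(a, b) for a, b in combinations(uris, 2) if one_edit_apart(a, b)]

if __name__ == "__main__":
    for a, b in near_duplicate_uris(SAMPLE_BODY):
        print("near-duplicate URIs:", a, "<->", b)
```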

Re: Secondary benefit from greylisting's delay

Posted by Rik <hl...@buzzhost.co.uk>.
On Sun, 2009-04-26 at 15:06 -0400, Adam Katz wrote:
> John Hardin wrote:
> >>> Igor, you might also want to implement greylisting, to give the URIBLs a 
> >>> chance to list URIs that appear in these messages.
> 
> Ned Slider responded:
> >> Interesting concept - do you have any data to support the hypothesis?
> 
> John Hardin shrugged:
> > Nope.
> 
> I have anecdotal evidence supporting it; after I train+report a spam, I
> have SA parse it a second time.  On occasion, it has hit another
> spamtrap or two (in addition to hits from the places I reported it to:
> DCC, Pyzor, SpamCop, and my local Bayesian db), though perhaps it had
> hit some of the places I was reporting to as well.
> 
> Here's a logical defense if you prefer:
> 
> Many MTAs now implement some sort of delay (mine uses 1.8s) before
> anything can happen in an SMTP transaction.  This has the direct benefit
> of stopping some spam bots from delivering mail (supporting data:
> http://acme.com/mail_filtering/sendmail_config.html ), but it also has a
> second benefit:  spam can't be sent out so quickly when so many of its
> recipients force it to wait for delivery.
> 
> So if you're at the beginning of a blasting of spam and a spamtrap is
> later on, or if somebody has reported the message after it was delivered
> to you, it will appear in the online indexes (and not just URIBLs; don't
> forget DNSBLs and all the hash-sharing systems).
> 
> Like the delay before the SMTP greeting, greylisting is a great way to
> stop spam botnets.  The secondary benefit of delayed network tests in SA
> is often overlooked as it is admittedly far less profound than the first
> benefit.
> 
Sure, it may not be able to send it out as quickly, but as it is usually
somebody else's bandwidth I'm sure the average spammer is not sitting
back and pulling their hair out for a bit of tarpitting. 

You could also argue the delay has a detrimental effect. Certain systems
are looking to detect spambot IPs by 'x' connections seen in 30 minutes
on a detector gateway. If you delay a message by a few seconds it is not
totally inconceivable that the connection rate drops back, adding a delay
to the detection. If everybody started to do it, how much latency could
this add to spotting the trend of an IP?

Greylisting and tarpitting are amusing to watch from a telnet prompt,
but the average bot really does not care if you want to keep wasting
your own resources. It's a network cuckoo usually. I can see the logic,
but the coin has two sides.





Secondary benefit from greylisting's delay

Posted by Adam Katz <an...@khopis.com>.
John Hardin wrote:
>>> Igor, you might also want to implement greylisting, to give the URIBLs a 
>>> chance to list URIs that appear in these messages.

Ned Slider responded:
>> Interesting concept - do you have any data to support the hypothesis?

John Hardin shrugged:
> Nope.

I have anecdotal evidence supporting it; after I train+report a spam, I
have SA parse it a second time.  On occasion, it has hit another
spamtrap or two (in addition to hits from the places I reported it to:
DCC, Pyzor, SpamCop, and my local Bayesian db), though perhaps it had
hit some of the places I was reporting to as well.

Here's a logical defense if you prefer:

Many MTAs now implement some sort of delay (mine uses 1.8s) before
anything can happen in an SMTP transaction.  This has the direct benefit
of stopping some spam bots from delivering mail (supporting data:
http://acme.com/mail_filtering/sendmail_config.html ), but it also has a
second benefit:  spam can't be sent out so quickly when so many of its
recipients force it to wait for delivery.

So if you're at the beginning of a blasting of spam and a spamtrap is
later on, or if somebody has reported the message after it was delivered
to you, it will appear in the online indexes (and not just URIBLs; don't
forget DNSBLs and all the hash-sharing systems).

Like the delay before the SMTP greeting, greylisting is a great way to
stop spam botnets.  The secondary benefit of delayed network tests in SA
is often overlooked as it is admittedly far less profound than the first
benefit.

Re: Why is the advertising for certain "berry" not caught

Posted by John Hardin <jh...@impsec.org>.
On Sat, 2009-04-25 at 23:06 +0100, Ned Slider wrote:
> John Hardin wrote:
>  
> > Igor, you might also want to implement greylisting, to give the URIBLs a 
> > chance to list URIs that appear in these messages.
>
> Interesting concept - do you have any data to support the hypothesis?

Nope.

> I tried looking at this a while back, but it's difficult to collect 
> qualitative data. I ran for a month with a short greylisting period (1 
> min), and a month for 30 mins and 60 mins. I looked at hit rates against 
> popular DNSRBLs to see if I could observe any increase in effectiveness 
> from IPs being added during the increased greylisting periods.

Note I said "URIBLs". The URI domains will probably not change as
quickly as the IP addresses from a botnet universe. I don't expect
greylisting to have much if any benefit w/r/t DNSBLs.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  I'll have that son of a bitch eating out of dumpsters in less than
  two years.       -- MS CEO Steve Ballmer, on RedHat CEO Matt Szulik
-----------------------------------------------------------------------
 94 days since Obama's inauguration and still no unicorn!


Re: Why is the advertising for certain "berry" not caught

Posted by Bill Landry <bi...@inetmsg.com>.
Igor Chudov wrote:

> OK, dumb question, how would I implement greylisting (I have Ubuntu)

That depends on what MTA you are using.  Most greylisting is performed
by milters or, if using Postfix, policy delegation.  Check your MTA's
web site, they will usually advise you on how to implement greylisting
for their MTA.

Bill

Re: Why is the advertising for certain "berry" not caught

Posted by Igor Chudov <ig...@chudov.com>.
On Sat, Apr 25, 2009 at 11:06:47PM +0100, Ned Slider wrote:
> John Hardin wrote:
>> On Fri, 24 Apr 2009, LuKreme wrote:
>>
>>> On 24-Apr-2009, at 10:41, Igor Chudov wrote:
>>>
>>>> I get a shipload of spams like this one:
>>>>
>>>> http://igor.chudov.com/tmp/spam007.txt
>>>
>>> Scores very high here.
>>>
>>> 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>>>                            [URIs: tgifriday.info]
>>
>> Igor, you might also want to implement greylisting, to give the URIBLs 
>> a chance to list URIs that appear in these messages.
>>
>
> Interesting concept - do you have any data to support the hypothesis?

OK, dumb question, how would I implement greylisting (I have Ubuntu)

i

> I tried looking at this a while back, but it's difficult to collect  
> qualitative data. I ran for a month with a short greylisting period (1  
> min), and a month for 30 mins and 60 mins. I looked at hit rates against  
> popular DNSRBLs to see if I could observe any increase in effectiveness  
> from IPs being added during the increased greylisting periods. I didn't  
> see anything conclusive that would be worth the increased delay to  
> legitimate new mail. Of course the study isn't very scientific as the  
> spamflow is likely to change from month to month. Also, only reactive  
> lists are likely to benefit, and only those that react quickly.
>
> Getting back to the OP's question, I've found adding a couple of simple  
> body rules to check for a certain four letter 'A' word or 2-3 word  
> phrases works well in this instance, and I've not noticed any FPs.
>

Re: Why is the advertising for certain "berry" not caught

Posted by Ned Slider <ne...@unixmail.co.uk>.
John Hardin wrote:
> On Fri, 24 Apr 2009, LuKreme wrote:
> 
>> On 24-Apr-2009, at 10:41, Igor Chudov wrote:
>>
>>> I get a shipload of spams like this one:
>>>
>>> http://igor.chudov.com/tmp/spam007.txt
>>
>> Scores very high here.
>>
>> 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>>                            [URIs: tgifriday.info]
> 
> Igor, you might also want to implement greylisting, to give the URIBLs a 
> chance to list URIs that appear in these messages.
> 

Interesting concept - do you have any data to support the hypothesis?

I tried looking at this a while back, but it's difficult to collect 
qualitative data. I ran for a month with a short greylisting period (1 
min), and a month for 30 mins and 60 mins. I looked at hit rates against 
popular DNSRBLs to see if I could observe any increase in effectiveness 
from IPs being added during the increased greylisting periods. I didn't 
see anything conclusive that would be worth the increased delay to 
legitimate new mail. Of course the study isn't very scientific as the 
spamflow is likely to change from month to month. Also, only reactive 
lists are likely to benefit, and only those that react quickly.

Getting back to the OP's question, I've found adding a couple of simple 
body rules to check for a certain four letter 'A' word or 2-3 word 
phrases works well in this instance, and I've not noticed any FPs.



Re: Why is the advertising for certain "berry" not caught

Posted by John Hardin <jh...@impsec.org>.
On Fri, 24 Apr 2009, LuKreme wrote:

> On 24-Apr-2009, at 10:41, Igor Chudov wrote:
>
>> I get a shipload of spams like this one:
>> 
>> http://igor.chudov.com/tmp/spam007.txt
>
> Scores very high here.
>
> 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                            [URIs: tgifriday.info]

Igor, you might also want to implement greylisting, to give the URIBLs a 
chance to list URIs that appear in these messages.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  What nuts do with guns is terrible, certainly. But what evil or crazy
  people do with *anything* is not a valid argument for banning that
  item.                            -- John C. Randolph <jc...@idiom.com>
-----------------------------------------------------------------------
  94 days since Obama's inauguration and still no unicorn!

Re: Why is the advertising for certain "berry" not caught

Posted by LuKreme <kr...@kreme.com>.
On 24-Apr-2009, at 10:41, Igor Chudov wrote:

> I get a shipload of spams like this one:
>
> http://igor.chudov.com/tmp/spam007.txt

Scores very high here.

Content analysis details:   (9.6 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: tgifriday.info]
  4.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.0000]
  0.1 DIET_1                 BODY: Lose Weight Spam
  0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]

-- 
I hear hurricanes a-blowing, I know the end is coming
	soon. I fear rivers over-flowing. I hear the voice
	of rage and ruin.


Re: Why is the advertising for certain "berry" not caught

Posted by Adam Katz <an...@khopis.com>.
Igor Chudov wrote:
>> http://igor.chudov.com/tmp/spam007.txt
>> [...] Am I missing some rulesets or what?

Check Razor2 with this command:

    spamassassin --lint -D 2>&1 |grep -C2 Razor

it should say "module installed: Razor2::Client::Agent"
and "loading Mail::SpamAssassin::Plugin::Razor2"
(and since --lint only runs local tests, it should skip it).

If you don't have it loaded, un-comment its loadplugin line in your
v310.pre file.  You may also need the following Ubuntu/Debian command:

    sudo aptitude install razor

Rick Macdougall wrote:
> Would be caught here.
> X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Either Igor doesn't have Razor2 configured, or the message hadn't yet
found its way into Vipul's index.  Also, it's unfair to assume
anything about somebody else's Bayes db, so assuming you (Rick) are on
the default scores, that means you got 6.4 including 2.8 from Razor2.


It only hit one more check for me, and that was a custom one (see my
khop-lists channel at http://khopesh.com/Anti-Spam ), designed to
lightly penalize any bulk or automated message.  (In case you're
wondering, 0.1 points for KHOP_SENDER_BOT, which triggered on the
noreply@* address.)  I don't recommend khop-lists for general use; my
other channels are far more safe and useful.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
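An added example, not part of the thread, that reads a "Content analysis details" report like the one LuKreme posted and does the breakdown Adam works through by hand: points per rule family, Razor2's share, and the score once the Bayes rules are set aside. The report text is a copy of the one quoted earlier with its wrapped lines rejoined; the rule names and scores are the ones shown there.

```python
import re

# Copy of the report quoted in the thread, wrapped lines rejoined.
REPORT = """\
Content analysis details:   (9.6 points, 5.0 required)
  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: tgifriday.info]
  4.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.0000]
  0.1 DIET_1                 BODY: Lose Weight Spam
  0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
"""

HEADER_RE = re.compile(r"\((-?\d+\.\d+) points, (\d+\.\d+) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(report):
    """Return (total, required, {rule: points}); indented continuation lines are skipped."""
    header = HEADER_RE.search(report)
    total, required = float(header.group(1)), float(header.group(2))
    rules = {}
    for line in report.splitlines():
        m = RULE_RE.match(line)       # only lines that start with a score match
        if m:
            rules[m.group(2)] = float(m.group(1))
    return total, required, rules

def family_totals(rules):
    """Sum points per rule family, keyed by the prefix before the first '_'."""
    totals = {}
    for name, pts in rules.items():
        family = name.split("_", 1)[0]
        totals[family] = round(totals.get(family, 0.0) + pts, 1)
    return totals

def score_without(rules, family):
    """Total points once every rule of one family (e.g. BAYES) is set aside."""
    return round(sum(p for n, p in rules.items() if n.split("_", 1)[0] != family), 1)

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    print(total, required, family_totals(rules), score_without(rules, "BAYES"))
```

The pts column is rounded to one decimal, so the displayed rules sum to 9.7 here while the header says 9.6; a difference of one rounding step is normal and not a parsing error.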

Re: Why is the advertising for certain "berry" not caught

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Igor Chudov wrote:
> I get a shipload of spams like this one:
> 
> http://igor.chudov.com/tmp/spam007.txt
> 
> These advertise certain berries, but also other equally worthless
> gimmicks. These spammers started "snowshoeing" but as time went on,
> predictably they became more brazen. 
> 
> I have the latest ubuntu 9.04 and I was hoping for better results. Am
> I missing some rulesets or what?
> 
> i

Would be caught here.

X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
 RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Regards,

Rick