Posted to users@spamassassin.apache.org by David Goldsmith <dg...@sans.org> on 2007/03/02 16:57:49 UTC
Low Scoring Message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
This message got 0 points. Does it score over 5 for anyone?
http://members.cox.net/dgoldsmi/spam/lowscore01.txt
Thanks,
David Goldsmith
=====
X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=243 Fuz1=408 Fuz2=408
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on iceman11.giac.net
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
MIME_HTML_ONLY autolearn=no version=3.1.8
X-Spam-Pyzor: Reported 1 times.
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF6El9417vU8/9QfkRAggwAJ4g8YeQAId2lgxtnQvo92Lk7IJyxgCfS/rQ
xMavN0cyUf02vt+67kIOg5o=
=vCzg
-----END PGP SIGNATURE-----
Re: Low Scoring Message
Posted by David Goldsmith <dg...@sans.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jim Maul wrote:
> Jim Maul wrote:
>> David Goldsmith wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
>>> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>>>
>>> This message got 0 points. Does it score over 5 for anyone?
>>>
>>> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>>>
>>
>> Content analysis details: (8.6 points, 5.0 required)
>>
>> pts rule name description
>> ---- ----------------------
>> --------------------------------------------------
>> 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
>> 0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
>> 0.1 HTML_MESSAGE BODY: HTML included in message
>> 0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence between 11
>> and 50
>> [cf: 33]
>> 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>> [score: 0.9992]
>> 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>> 1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
>> 0.1 CLICK_BELOW Asks you to click below
>>
>> Sure does.
>>
>> -Jim
>>
> BTW, i forgot to mention that im running SA 2.64, razor and a few sare
> rules only. Bayes was the kicker here. I <3 bayes ;)
>
> -Jim
Odd. If I rerun it again, I'm getting a hit from DCC now, but still not
seeing Razor hit or Bayes. I ran it through spamassassin -D rather than
spamc, and here are the applicable log entries:
[21191] dbg: razor2: part=0 engine=4 contested=0 confidence=33
[21191] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[21191] dbg: razor2: part=0 engine=8 contested=1 confidence=0
[21191] dbg: razor2: results: spam? 0
[21191] dbg: razor2: results: engine 8, highest cf score: 0
[21191] dbg: razor2: results: engine 4, highest cf score: 33
[21191] dbg: dcc: dccifd is not available: no r/w dccifd socket found
[21191] dbg: util: executable for dccproc was found at /usr/local/bin/dccproc
[21191] dbg: dcc: dccproc is available: /usr/local/bin/dccproc
[21191] dbg: info: entering helper-app run mode
[21191] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a 65.173.218.105 < /tmp/.spamassassin21191jK69ditmp
[21202] dbg: util: setuid: ruid=0 euid=0
[21191] dbg: dcc: got response: X-DCC-CTc-dcc2-Metrics: iceman11.giac.net 1031; Body=many Fuz1=many Fuz2=many
[21191] dbg: info: leaving helper-app run mode
[21191] dbg: dcc: listed: BODY=999999/999999 FUZ1=999999/999999 FUZ2=999999/999999
[21191] dbg: rules: ran eval rule DCC_CHECK ======> got hit
[21191] dbg: bayes: tie-ing to DB file R/O /home/spamass/.spamassassin/bayes_toks
[21191] dbg: bayes: tie-ing to DB file R/O /home/spamass/.spamassassin/bayes_seen
[21191] dbg: bayes: found bayes db version 3
[21191] dbg: bayes: DB journal sync: last sync: 1172851977
[21191] dbg: bayes: corpus size: nspam = 42311, nham = 6189
[21191] dbg: bayes: score = 0.499999999933664
[21191] dbg: bayes: DB journal sync: last sync: 1172851977
[21191] dbg: bayes: untie-ing
[21191] dbg: bayes: untie-ing db_toks
[21191] dbg: bayes: untie-ing db_seen
X-Spam-DCC: CTc-dcc2: iceman11.giac.net 1031; Body=many Fuz1=many Fuz2=many
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on iceman11.giac.net
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=AWL,BAYES_50,DCC_CHECK,
HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.1.8
X-Spam-Pyzor: Reported 1 times.
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* -1.1 AWL AWL: From: address is in the auto white-list
After running 'sa-learn --spam' on the message, the Bayes probability
ticked up a tad but nothing significant:
[21599] dbg: bayes: DB journal sync: last sync: 1172852471
[21599] dbg: bayes: corpus size: nspam = 42402, nham = 6207
[21599] dbg: bayes: score = 0.500000410035903
[21599] dbg: bayes: DB journal sync: last sync: 1172852471
Bayes seems to be working overall - right now, the most frequent BAYES
rules hitting on spam messages are:
TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME        COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BAYES_99         11273    73.05    97.61    0.56
 143  BAYES_50           124    10.91     1.07   39.95
and on ham messages:
TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME        COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   2  BAYES_00          1977    12.80     0.02   50.54
   4  BAYES_50          1563    10.91     1.07   39.95
  17  BAYES_20           101     0.67     0.03    2.58
  20  BAYES_40            90     0.58     0.00    2.30
  32  BAYES_05            64     0.41     0.00    1.64
  34  BAYES_60            61     0.69     0.39    1.56
  49  BAYES_80            26     0.47     0.40    0.66
  56  BAYES_99            22    73.05    97.61    0.56
  83  SARE_BAYES_7x5       9     0.06     0.00    0.23
  87  BAYES_95             8     0.41     0.48    0.20
so BAYES_99 is pretty accurate.
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF6FBx417vU8/9QfkRAtabAKCPCHuLs3FvOBaxLMJbp3NOjmH+PQCguZRz
rHAuTua0CR/sJE8uWie5Vsg=
=oiFr
-----END PGP SIGNATURE-----
Re: Low Scoring Message
Posted by Jim Maul <jm...@elih.org>.
Giampaolo Tomassoni wrote:
> From: Jim Maul [mailto:jmaul@elih.org]
>> Jim Maul wrote:
>>> David Goldsmith wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
>>>> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>>>>
>>>> This message got 0 points. Does it score over 5 for anyone?
>>>>
>>>> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>>>>
>>> Content analysis details: (8.6 points, 5.0 required)
>>>
>>> pts rule name description
>>> ---- ----------------------
>>> --------------------------------------------------
>>> 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
>>> 0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
>>> 0.1 HTML_MESSAGE BODY: HTML included in message
>>> 0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence
>> between 11 and 50
>>> [cf: 33]
>>> 5.4 BAYES_99 BODY: Bayesian spam probability is
>> 99 to 100%
>>> [score: 0.9992]
>>> 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>>> 1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
>>> 0.1 CLICK_BELOW Asks you to click below
>
> Jim, Where did you get the LINK_TO_NO_SCHEME and CLICK_BELOW rules?
>
>
They are both from the stock 2.64 rulesets.
20_phrases.cf:body __CLICK_BELOW /click\s.{0,30}(?:here|below)/is
20_phrases.cf:meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)
20_phrases.cf:describe CLICK_BELOW Asks you to click below
20_html_tests.cf:rawbody LINK_TO_NO_SCHEME /\s+href=['"]?www\./i
20_html_tests.cf:describe LINK_TO_NO_SCHEME Contains link without http:// prefix
I just can't see upgrading to 3.anything with 2.64 working so well.
-Jim
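The three stock rules Jim quotes, run end to end as an added example (this is not code from SpamAssassin or from anyone in the thread). The regexes are the ones from 20_phrases.cf and 20_html_tests.cf above, and the two scores (0.1 for CLICK_BELOW, 1.6 for LINK_TO_NO_SCHEME) are taken from Jim's report. Everything else is assumed: the CLICK_BELOW_CAPS definition that the meta rule references but the thread does not quote, the tag-stripping stand-in for SpamAssassin's rendered-body view that `body` rules see (rawbody rules see the raw HTML), the constructed sample messages, and the function names.

```python
import re
from html import unescape

# Rules as quoted from the stock 2.64 rulesets; regexes are verbatim,
# transcribed from Perl /.../is and /.../i flags to Python re flags.
BODY_RULES = {
    "__CLICK_BELOW": re.compile(r"click\s.{0,30}(?:here|below)", re.I | re.S),
    # Assumed definition (not quoted in the thread): the all-capitals form of
    # the same phrase, which the meta rule subtracts from CLICK_BELOW.
    "CLICK_BELOW_CAPS": re.compile(r"CLICK\s.{0,30}(?:HERE|BELOW)", re.S),
}
RAWBODY_RULES = {
    "LINK_TO_NO_SCHEME": re.compile(r"""\s+href=['"]?www\.""", re.I),
}
# Scores from the report quoted in the thread; the CAPS rule's score is not
# on the page, so it is left out of the total.
SCORES = {"CLICK_BELOW": 0.1, "LINK_TO_NO_SCHEME": 1.6}

TAG_RE = re.compile(r"<[^>]+>")


def render_text(raw_html: str) -> str:
    """Rough stand-in (assumption) for SpamAssassin's rendered-body view:
    tags removed, entities decoded, whitespace collapsed. body rules run on
    this text; rawbody rules run on the original HTML."""
    text = TAG_RE.sub(" ", raw_html)
    return " ".join(unescape(text).split())


def run_rules(raw_html: str) -> dict:
    """Return {rule_name: fired} for the body, rawbody and meta rules above."""
    rendered = render_text(raw_html)
    hits = {name: rx.search(rendered) is not None for name, rx in BODY_RULES.items()}
    hits.update({name: rx.search(raw_html) is not None for name, rx in RAWBODY_RULES.items()})
    # The meta rule exactly as written in 20_phrases.cf:
    # meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)
    hits["CLICK_BELOW"] = hits["__CLICK_BELOW"] and not hits["CLICK_BELOW_CAPS"]
    return hits


def score(hits: dict) -> float:
    """Sum the scores of the fired rules that have a known score."""
    return round(sum(SCORES[n] for n, fired in hits.items() if fired and n in SCORES), 1)


# Constructed sample: an HTML-only mail with a scheme-less link and
# "click here" text, the shape both rules were written for.
SAMPLE_RAW = (
    "<html><body><p>Your order is ready.</p>\n"
    '<p>Please click <a href="www.example.invalid/track">here</a> to track it.</p>\n'
    "</body></html>"
)

# Constructed sample: an all-caps call to action with a proper http:// link,
# so CLICK_BELOW_CAPS suppresses CLICK_BELOW and LINK_TO_NO_SCHEME stays quiet.
CAPS_RAW = (
    "<html><body><p>CLICK HERE for details:</p>\n"
    '<p><a href="http://www.example.invalid/">www.example.invalid</a></p></body></html>'
)

if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE_RAW), ("caps", CAPS_RAW)):
        hits = run_rules(msg)
        fired = [n for n, f in hits.items() if f and not n.startswith("__")]
        print(label, "fired:", fired, "score:", score(hits))
```

The point worth noticing is the split between the two rule types: LINK_TO_NO_SCHEME must be a rawbody rule because the `href=` attribute is gone once the HTML is rendered, while __CLICK_BELOW runs on the rendered text so that tags inside the anchor cannot break the phrase apart.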
RE: Low Scoring Message
Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.
From: Jim Maul [mailto:jmaul@elih.org]
>
> Jim Maul wrote:
> > David Goldsmith wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
> >> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
> >>
> >> This message got 0 points. Does it score over 5 for anyone?
> >>
> >> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
> >>
> >
> > Content analysis details: (8.6 points, 5.0 required)
> >
> > pts rule name description
> > ---- ----------------------
> > --------------------------------------------------
> > 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
> > 0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
> > 0.1 HTML_MESSAGE BODY: HTML included in message
> > 0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence
> between 11 and 50
> > [cf: 33]
> > 5.4 BAYES_99 BODY: Bayesian spam probability is
> 99 to 100%
> > [score: 0.9992]
> > 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> > 1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
> > 0.1 CLICK_BELOW Asks you to click below
Jim, Where did you get the LINK_TO_NO_SCHEME and CLICK_BELOW rules?
Thanks,
Giampaolo
> >
> > Sure does.
> >
> > -Jim
> >
> >
>
> BTW, i forgot to mention that im running SA 2.64, razor and a few sare
> rules only. Bayes was the kicker here. I <3 bayes ;)
>
> -Jim
Re: Low Scoring Message
Posted by Jim Maul <jm...@elih.org>.
Jim Maul wrote:
> David Goldsmith wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
>> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>>
>> This message got 0 points. Does it score over 5 for anyone?
>>
>> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>>
>
> Content analysis details: (8.6 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
> 0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence between 11 and 50
> [cf: 33]
> 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> [score: 0.9992]
> 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
> 0.1 CLICK_BELOW Asks you to click below
>
> Sure does.
>
> -Jim
>
>
BTW, I forgot to mention that I'm running SA 2.64, razor and a few sare
rules only. Bayes was the kicker here. I <3 bayes ;)
-Jim
Re: Low Scoring Message
Posted by Jim Maul <jm...@elih.org>.
David Goldsmith wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>
> This message got 0 points. Does it score over 5 for anyone?
>
> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>
Content analysis details: (8.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
0.1 HTML_MESSAGE BODY: HTML included in message
0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence between 11 and 50
[cf: 33]
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 0.9992]
0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
0.1 CLICK_BELOW Asks you to click below
Sure does.
-Jim
Re: Low Scoring Message
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
John D. Hardin wrote:
> On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
>
>> Anyway... this is the redirect code they're using:
>>
>> <div class='widget-content'>
>> <script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
>> "ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
>> "nhu";wnx = "ocation.
>> hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
>> + uos + bdj; eval(jftrg); </script>
>> </div>
>>
>>
>> Quick and dirty, a regex that would work for a Web-Redirect header rule:
>>
>> /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
>
> How about a much simpler rule that just adds 100 points for any mail
> with a <script> tag? Javascript has no place in email.
Aside from the regex being intended for use in a Web-Redirect header
rule, such a rule (that instead matches <script> tags in email) wouldn't
be so simple if you want to avoid legit emails, such as this one or any
other mail talking about javascript.
Daryl
Re: Low Scoring Message
Posted by Brian Wilson <wi...@bubba.org>.
On Mar 14, 2007, at 7:08 PM, Daryl C. W. O'Shea wrote:
> Brian Wilson wrote:
>> On Wed, 14 Mar 2007, John D. Hardin wrote:
>>> On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
>>>
>>>> Anyway... this is the redirect code they're using:
>>>>
>>>> <div class='widget-content'>
>>>> <script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo =
>>>> "'h";usf =
>>>> "ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
>>>> "nhu";wnx = "ocation.
>>>> hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww +
>>>> iaswx + usf
>>>> + uos + bdj; eval(jftrg); </script>
>>>> </div>
>>>>
>>>>
>>>> Quick and dirty, a regex that would work for a Web-Redirect
>>>> header rule:
>>>>
>>>> /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
>>>
>>> How about a much simpler rule that just adds 100 points for any mail
>>> with a <script> tag? Javascript has no place in email.
>>>
>> The <script> tag is actually in the site referenced in the email.
>> It seems like a lot of hoops to jump through in order to classify
>> this
>> message as spam, when the rendered html obviously tells us it is.
>> Is there
>> anything out there that can render an html message and score it
>> (similar to
>> what FuzzyOcr does with images)?
>
> How is scoring based on the raw content of the original http
> resource more difficult than first retrieving the same, running the
> javascript that it contains in something that is going to provide a
> document object so that the redirect actually works, and then
> rendering the resource that you're redirected to (after retrieving
> it too)?
>
> Personally, I'd opt for rules against the original http resource
> doing the redirecting, or developing rules against the email itself.
>
>
I guess I wasn't clear; I was referring to rendering the html
message, not the link in the message. If you look at how it is
rendered in my screenshot, you'll clearly see the intended message,
while simply analyzing the text in the message gets you nothing.
Re: Low Scoring Message
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Wilson wrote:
> On Wed, 14 Mar 2007, John D. Hardin wrote:
>
>> On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
>>
>>> Anyway... this is the redirect code they're using:
>>>
>>> <div class='widget-content'>
>>> <script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
>>> "ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
>>> "nhu";wnx = "ocation.
>>> hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
>>> + uos + bdj; eval(jftrg); </script>
>>> </div>
>>>
>>>
>>> Quick and dirty, a regex that would work for a Web-Redirect header rule:
>>>
>>> /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
>>
>> How about a much simpler rule that just adds 100 points for any mail
>> with a <script> tag? Javascript has no place in email.
>>
>
> The <script> tag is actually in the site referenced in the email.
>
> It seems like a lot of hoops to jump through in order to classify this
> message as spam, when the rendered html obviously tells us it is. Is there
> anything out there that can render an html message and score it (similar to
> what FuzzyOcr does with images)?
How is scoring based on the raw content of the original http resource
more difficult than first retrieving the same, running the javascript
that it contains in something that is going to provide a document object
so that the redirect actually works, and then rendering the resource
that you're redirected to (after retrieving it too)?
Personally, I'd opt for rules against the original http resource doing
the redirecting, or developing rules against the email itself.
Daryl
Re: Low Scoring Message
Posted by Brian Wilson <wi...@bubba.org>.
On Wed, 14 Mar 2007, John D. Hardin wrote:
> On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
>
>> Anyway... this is the redirect code they're using:
>>
>> <div class='widget-content'>
>> <script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
>> "ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
>> "nhu";wnx = "ocation.
>> hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
>> + uos + bdj; eval(jftrg); </script>
>> </div>
>>
>>
>> Quick and dirty, a regex that would work for a Web-Redirect header rule:
>>
>> /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
>
> How about a much simpler rule that just adds 100 points for any mail
> with a <script> tag? Javascript has no place in email.
>
The <script> tag is actually in the site referenced in the email.
It seems like a lot of hoops to jump through in order to classify this
message as spam, when the rendered html obviously tells us it is. Is there
anything out there that can render an html message and score it (similar to
what FuzzyOcr does with images)?
-B
Re: Low Scoring Message
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
> Anyway... this is the redirect code they're using:
>
> <div class='widget-content'>
> <script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
> "ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
> "nhu";wnx = "ocation.
> hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
> + uos + bdj; eval(jftrg); </script>
> </div>
>
>
> Quick and dirty, a regex that would work for a Web-Redirect header rule:
>
> /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
How about a much simpler rule that just adds 100 points for any mail
with a <script> tag? Javascript has no place in email.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
There is no doubt in my mind that millions of lives could have been
saved if the people were not "brainwashed" about gun ownership and
had been well armed. ... Gun haters always want to forget the Warsaw
Ghetto uprising, which is a perfect example of how a ragtag,
half-starved group of Jews took 10 handguns and made asses out of
the Nazis. -- Theodore Haas, Dachau Survivor
-----------------------------------------------------------------------
Today: Albert Einstein's 128th Birthday
Re: Low Scoring Message
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Wilson wrote:
> On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
>
>> Brian Wilson wrote:
>>>
>>> Ok, I've got one; apparently from a gmail user to my gmail account,
>>> then forwarded to an external account. The html links go to a
>>> blogspot.com site, then redirect to some Pharmacy Express site.
>>>
>>> Raw Message: http://bubba.org/spam/spam_lowscore.txt
>>> Message renders like this: http://bubba.org/spam/spam_lowscore.jpg
>>>
>>> X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
>>> SPF_PASS autolearn=no version=3.1.8
>>> X-Spam-Report:
>>> * -0.5 SPF_PASS SPF: sender matches SPF record
>>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>>> * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>>> * [score: 0.4641]
>>>
>>> Any ideas for detecting these?
>>
>> The WebRedirect plugin will help (if you add *.blogspot.com to the
>> list of domains it's supposed to check).
>>
>> Daryl
>>
>>
>
> I installed the plugin, added *.blogspot.com to the list, and the plugin
> didn't flag anything for this particular message.
> [13718] dbg: rules: hostname: osmmehaaranrev.blogspot.com matches check
> pattern: *.blogspot.com
> [13718] dbg: rules: checking uri: http://osmmehaaranrev.blogspot.com/
> [13718] dbg: rules: request status: 200 OK
> [13718] dbg: rules: got response to request in 0.813493 seconds
> [13718] dbg: rules: _decode_page() iteration 0
> [13718] dbg: rules: WebRedirect page text: start>>
> <data from page>
> [13718] dbg: rules: WebRedirect decoded text: start>><<end
>
> Did this work for you?
Looking at this particular web page for now, you'll need a rule to hit
on how they're doing the redirect. Previous Blogspot redirect pages
used redirect code that matched rules written two years ago for
Geocities spam.
Anyway... this is the redirect code they're using:
<div class='widget-content'>
<script>yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
"ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
"nhu";wnx = "ocation.
hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
+ uos + bdj; eval(jftrg); </script>
</div>
Quick and dirty, a regex that would work for a Web-Redirect header rule:
/( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/
Daryl
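As an added example (not code from the thread, from SpamAssassin or from the WebRedirect plugin): Daryl's quick-and-dirty pattern transcribed to Python and run over the page snippet quoted above, a static resolver that rebuilds the string handed to eval() from the literal assignments and the concatenation chain without executing any JavaScript, and the bare <script> check John proposed earlier in the thread, applied to a constructed list post to show the false positive Daryl describes. The sample page is the thread's snippet with the mail client's line wrapping removed (assumption); the discussion mail, the function names and the two helper regexes are assumptions too.

```python
import re
from typing import Optional

# Constructed sample: the Blogspot redirect page fragment quoted in the thread,
# re-joined onto one line (assumption: the wrapping came from the mail client).
SAMPLE_PAGE = (
    "<div class='widget-content'>\n"
    "<script>yvxj = \"ef=\";kacm = \"ttp://\";apgy = \"fe\";ioo = \"'h\";usf = "
    "\"ershikin\";uos = \".\";iaswx = \"inj\";bdj = \"com'\";rpul = \"l\";fgbww = "
    "\"nhu\";wnx = \"ocation.hr\";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf "
    "+ uos + bdj; eval(jftrg); </script>\n"
    "</div>\n"
)

# Constructed sample: a legitimate mailing-list post that merely talks about
# script tags, the kind of mail a bare <script> rule would also hit.
SAMPLE_DISCUSSION_MAIL = (
    "How about a much simpler rule that just adds 100 points for any mail\n"
    "with a <script> tag? Javascript has no place in email.\n"
)

# Daryl's pattern, transcribed from Perl syntax: four "+ name" concatenation
# steps, then an eval() of a short variable name, then the closing tag.
REDIRECT_RE = re.compile(r"( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); </script>")

# John's proposed rule: any <script> tag at all.
SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)

# Helpers (assumed, not from the thread) for the static resolver:
# name = "literal";   and   name = a + b + c; eval(name)
ASSIGN_RE = re.compile(r'([a-z]\w*)\s*=\s*"([^"]*)"')
CONCAT_RE = re.compile(r"([a-z]\w*)\s*=\s*((?:[a-z]\w*\s*\+\s*)+[a-z]\w*)\s*;\s*eval\(\1\)")


def matches_redirect_rule(page: str) -> bool:
    """True if the fetched page matches Daryl's Web-Redirect header rule."""
    return REDIRECT_RE.search(page) is not None


def naive_script_rule(text: str) -> bool:
    """True if the text contains a <script> tag anywhere (John's proposal)."""
    return SCRIPT_TAG_RE.search(text) is not None


def resolve_eval_string(page: str) -> Optional[str]:
    """Rebuild the string the page passes to eval() by substituting the string
    literals into the concatenation chain. Pure text processing: nothing is
    executed, so it is safe to run on untrusted page content. Returns None when
    the page does not follow the literal-concat-eval shape."""
    literals = dict(ASSIGN_RE.findall(page))
    m = CONCAT_RE.search(page)
    if not m:
        return None
    parts = [p.strip() for p in m.group(2).split("+")]
    if any(p not in literals for p in parts):
        return None
    return "".join(literals[p] for p in parts)


if __name__ == "__main__":
    print("redirect rule on page:", matches_redirect_rule(SAMPLE_PAGE))
    print("resolved eval string:", resolve_eval_string(SAMPLE_PAGE))
    print("bare <script> on page:", naive_script_rule(SAMPLE_PAGE))
    print("bare <script> on list post:", naive_script_rule(SAMPLE_DISCUSSION_MAIL))
    print("redirect rule on list post:", matches_redirect_rule(SAMPLE_DISCUSSION_MAIL))
```

The resolver is the more durable check of the two: Daryl's regex keys on the exact concatenation shape and breaks as soon as the variable names grow past six letters or the spacing changes, whereas resolving the literals and looking for `location.href` in the result survives renaming. Both are meant for the fetched page, which is why the bare <script> check fires on the list post but the redirect rule does not.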
Re: Low Scoring Message
Posted by Brian Wilson <wi...@bubba.org>.
On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:
> Brian Wilson wrote:
>>
>> Ok, I've got one; apparently from a gmail user to my gmail account, then
>> forwarded to an external account. The html links go to a blogspot.com
>> site, then redirect to some Pharmacy Express site.
>>
>> Raw Message: http://bubba.org/spam/spam_lowscore.txt
>> Message renders like this: http://bubba.org/spam/spam_lowscore.jpg
>>
>> X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
>> SPF_PASS autolearn=no version=3.1.8
>> X-Spam-Report:
>> * -0.5 SPF_PASS SPF: sender matches SPF record
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>> * [score: 0.4641]
>>
>> Any ideas for detecting these?
>
> The WebRedirect plugin will help (if you add *.blogspot.com to the list of
> domains it's supposed to check).
>
> Daryl
>
>
I installed the plugin, added *.blogspot.com to the list, and the plugin
didn't flag anything for this particular message.
[13718] dbg: plugin: Mail::SpamAssassin::Plugin::WebRedirect=HASH(0x8f54e7c) implements 'parsed_metadata'
[13718] dbg: uri: html uri found, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: cleaned html uri, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: html domain, blogspot.com
[13718] dbg: uri: parsed uri found, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: parsed domain, blogspot.com
[13718] dbg: uridnsbl: domain blogspot.com in skip list
[13718] dbg: uridnsbl: domains to query:
[13718] dbg: rules: hostname: osmmehaaranrev.blogspot.com matches check pattern: *.blogspot.com
[13718] dbg: rules: checking uri: http://osmmehaaranrev.blogspot.com/
[13718] dbg: rules: request status: 200 OK
[13718] dbg: rules: got response to request in 0.813493 seconds
[13718] dbg: rules: _decode_page() iteration 0
[13718] dbg: rules: WebRedirect page text: start>>
<data from page>
[13718] dbg: rules: WebRedirect decoded text: start>><<end
Did this work for you?
Re: Low Scoring Message
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Brian Wilson wrote:
>
> Ok, I've got one; apparently from a gmail user to my gmail account, then
> forwarded to an external account. The html links go to a blogspot.com
> site, then redirect to some Pharmacy Express site.
>
> Raw Message: http://bubba.org/spam/spam_lowscore.txt
> Message renders like this: http://bubba.org/spam/spam_lowscore.jpg
>
> X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
> SPF_PASS autolearn=no version=3.1.8
> X-Spam-Report:
> * -0.5 SPF_PASS SPF: sender matches SPF record
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> * [score: 0.4641]
>
> Any ideas for detecting these?
The WebRedirect plugin will help (if you add *.blogspot.com to the list
of domains it's supposed to check).
Daryl
Re: Low Scoring Message
Posted by Brian Wilson <wi...@bubba.org>.
Ok, I've got one; apparently from a gmail user to my gmail account,
then forwarded to an external account. The html links go to a
blogspot.com site, then redirect to some Pharmacy Express site.
Raw Message: http://bubba.org/spam/spam_lowscore.txt
Message renders like this: http://bubba.org/spam/spam_lowscore.jpg
X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
SPF_PASS autolearn=no version=3.1.8
X-Spam-Report:
* -0.5 SPF_PASS SPF: sender matches SPF record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.4641]
Any ideas for detecting these?
-B
RE: Low Scoring Message
Posted by Giampaolo Tomassoni <g....@libero.it>.
From: David Goldsmith [mailto:dgoldsmith@sans.org]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>
> This message got 0 points. Does it score over 5 for anyone?
>
> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>
> Thanks,
> David Goldsmith
Well, I get this:
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
[score: 0.9458]
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 TRUF_POS Possibili Toto' francofoni (experimental)
which is quite low (2.1). Please note that TRUF_POS is an experimental rule I made to stop some spam from the Ivory Coast. It is not designed for this kind of spam, but, well, it's good that it fired.
Giampaolo
>
> =====
>
> X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=243 Fuz1=408 Fuz2=408
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
> iceman11.giac.net
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
> MIME_HTML_ONLY autolearn=no version=3.1.8
> X-Spam-Pyzor: Reported 1 times.
> X-Spam-Report:
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> * [score: 0.5000]
> * 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3rc2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFF6El9417vU8/9QfkRAggwAJ4g8YeQAId2lgxtnQvo92Lk7IJyxgCfS/rQ
> xMavN0cyUf02vt+67kIOg5o=
> =vCzg
> -----END PGP SIGNATURE-----