Posted to users@spamassassin.apache.org by Owen Mehegan <ow...@nerdnetworks.org> on 2013/11/08 00:00:15 UTC

Uptick in false negatives - filter check?

Posted this to the wrong/no list (via Nabble) yesterday...

I've seen an uptick in false negatives lately, and the spam that is getting
through is all the same stuff repeatedly. If anyone would be willing to run
these samples through their filters and let me know if they get better
hits, I would appreciate it. There are three at
http://nerdnetworks.org/spam/

I'm using SA 3.3.1, with Bayes, etc. I also have greylisting on my system
with a 15 minute delay, and surprisingly the first sample in this group now
hits a bunch of RBLs and scores >5, but apparently the 15 minute delay
wasn't enough time for that to help me. I've also been training my Bayes DB
on these types of messages for a few days, but they still keep getting
through. I used to hear that if your Bayes DB gets too big it can become
ineffective. I don't know if that's true or not, but here's my '--dump
magic' output:

0.000          0          3          0  non-token data: bayes db version
0.000          0      62157          0  non-token data: nspam
0.000          0     176680          0  non-token data: nham
0.000          0     144331          0  non-token data: ntokens
0.000          0 1383022790          0  non-token data: oldest atime
0.000          0 1383770853          0  non-token data: newest atime
0.000          0 1383766433          0  non-token data: last journal sync atime
0.000          0 1383685115          0  non-token data: last expiry atime
0.000          0     662551          0  non-token data: last expire atime delta
0.000          0      19902          0  non-token data: last expire reduction count

Looking at my spamd log, out of 1300 messages classified as spam, 566 hit
BAYES_9* and 391 hit BAYES_5*.

Thanks in advance for any advice anyone can offer!

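To reproduce the checks behind the numbers in this post, here is an added Python example (not code from the thread): it parses the non-token rows of the '--dump magic' output quoted above and tallies spamd 'result:' log lines per BAYES bucket the way the post did by hand. The spamd log lines are constructed, and the 150000 token cap is SpamAssassin's default bayes_expiry_max_db_size.

```python
import re
from collections import Counter
# Constructed input: non-token rows of the '--dump magic' output quoted above.
MAGIC_DUMP = """\
0.000          0      62157          0  non-token data: nspam
0.000          0     176680          0  non-token data: nham
0.000          0     144331          0  non-token data: ntokens
0.000          0 1383022790          0  non-token data: oldest atime
0.000          0 1383770853          0  non-token data: newest atime
0.000          0 1383685115          0  non-token data: last expiry atime
"""
# Constructed spamd syslog lines in the 'result:' format (Y = tagged as spam).
SPAMD_LOG = """\
spamd[4242]: spamd: result: Y 12 - BAYES_99,HTML_MESSAGE,URIBL_BLOCKED scantime=1.1,size=2210
spamd[4242]: spamd: result: Y 7 - BAYES_50,HTML_MESSAGE,RDNS_NONE scantime=0.9,size=1800
spamd[4242]: spamd: result: . 2 - BAYES_20,HTML_MESSAGE scantime=0.8,size=900
spamd[4242]: spamd: result: Y 9 - BAYES_95,RCVD_IN_PBL scantime=1.0,size=1500
"""
MAGIC_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+)$")
RESULT_RE = re.compile(r"result: (\S) (-?\d+) - (\S+)")
DEFAULT_MAX_DB_SIZE = 150000  # SpamAssassin's default bayes_expiry_max_db_size

def parse_magic(text):
    """Return {label: value} for the non-token rows of a magic dump."""
    out = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            out[m.group(2).strip()] = int(m.group(1))
    return out

def bayes_health(magic):
    """The sanity figures behind 'is my Bayes DB too big or stale?'."""
    return {
        "spam_ham_ratio": round(magic["nspam"] / magic["nham"], 3),
        "tokens_pct_of_cap": round(100 * magic["ntokens"] / DEFAULT_MAX_DB_SIZE, 1),
        "last_expiry_age_s": magic["newest atime"] - magic["last expiry atime"],
    }

def bayes_buckets(log_text):
    """Count spam verdicts per BAYES_* decade (BAYES_9*, BAYES_5*, ...)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m or m.group(1) != "Y":          # only messages tagged as spam
            continue
        for rule in m.group(3).split(","):
            if rule.startswith("BAYES_"):
                counts[rule[:7] + "*"] += 1     # BAYES_99 -> BAYES_9*
    return dict(counts)
```

With the posted figures the DB sits at about 96% of the default token cap and expired within the last day, so size alone does not explain the misses.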

Re: Uptick in false negatives - filter check?

Posted by Rob McEwen <ro...@invaluement.com>.
On 11/7/2013 6:00 PM, Owen Mehegan wrote:
> Thanks in advance for any advice anyone can offer!

fwiw, of the 4 spam examples, ivmURI had blacklisted one or more domains
in ALL 4 out of 4 samples at least several minutes BEFORE those spams
hit your server (some days or weeks before).

In a large portion of those (1/2 or more), I'm fairly sure that ivmURI
was the ONLY URI/domain blacklist to have the domain blacklisted at the
time the message hit your network. (I'm unable to verify if DBL had
caught it at that time and/or some of those could have been "a game of
inches" where ivmURI and other lists had just listed it moments before
and it would be somewhat of a propagation issue... but, overall, I think
if I provided the date/times that these were blacklisted on ivmURI...
that assertion would "check out" and the raw data would be rather
impressive!)

If you keep seeing these, check the domains on multirbl.valli.org ...and
you'll see in real time what I'm talking about!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032


Re: Uptick in false negatives - filter check?

Posted by Owen Mehegan <ow...@nerdnetworks.org>.
Oh, and I fixed spam4.txt to be accessible, sorry about that. 
-- 
Sent from Kaiten Mail. Please excuse my brevity.


Re: Uptick in false negatives - filter check?

Posted by Owen Mehegan <ow...@nerdnetworks.org>.
Thanks for your response! My server is in EC2, and it appears that URIBL blanketly refuses requests from there. I set up a caching DNS server locally and tried routing my request through that; it was still rejected. Too many spammers using EC2 I guess.

As for your other suggestion, isn't that the point of Bayesian filtering? I keep getting similar messages, training my bayes db on them, and then more get through. 

"Kris Deugau [via SpamAssassin]" <ml...@n5.nabble.com> wrote:
>
>Owen Mehegan wrote:
>> Posted this to the wrong/no list (via Nabble) yesterday...
>>
>> I've seen an uptick in false negatives lately, and the spam that is getting
>> through is all the same stuff repeatedly. If anyone would be willing to run
>> these samples through their filters and let me know if they get better
>> hits, I would appreciate it. There are three at
>> http://nerdnetworks.org/spam/
>
>(spam4.txt is inaccessible)
>
>I notice URIBL_BLOCKED hits;  check that you're either using your own
>resolver with less than 100K messages/day, or that you're properly set
>up for datafeed.  Or just disable the uribl.com rules.  (We found that
>while they were usefully increasing our overall catch rate, the increase
>was not worth the cost of the datafeed [it came out to somewhere between
>one and five dollars a spam for the ones that the uribl.com hit was key
>in getting the message tagged], so we disabled the rules.)
>
>Beyond that....  I've started creating very simple rules targeting the
>Subject and From: name in this type of spam, along with extracting the
>relay IP and URIs for local DNSBLs.  It's moderately effective once I've
>confirmed enough volume for any given Subject or name to feel it's worth
>creating a rule...
>
>-kgd
>

-- 
Sent from Kaiten Mail. Please excuse my brevity.


Re: Uptick in false negatives - filter check?

Posted by Kris Deugau <kd...@vianet.ca>.
Owen Mehegan wrote:
> Posted this to the wrong/no list (via Nabble) yesterday...
> 
> I've seen an uptick in false negatives lately, and the spam that is getting
> through is all the same stuff repeatedly. If anyone would be willing to run
> these samples through their filters and let me know if they get better
> hits, I would appreciate it. There are three at
> http://nerdnetworks.org/spam/

(spam4.txt is inaccessible)

I notice URIBL_BLOCKED hits;  check that you're either using your own
resolver with less than 100K messages/day, or that you're properly set
up for datafeed.  Or just disable the uribl.com rules.  (We found that
while they were usefully increasing our overall catch rate, the increase
was not worth the cost of the datafeed [it came out to somewhere between
one and five dollars a spam for the ones that the uribl.com hit was key
in getting the message tagged], so we disabled the rules.)

Beyond that....  I've started creating very simple rules targeting the
Subject and From: name in this type of spam, along with extracting the
relay IP and URIs for local DNSBLs.  It's moderately effective once I've
confirmed enough volume for any given Subject or name to feel it's worth
creating a rule...

-kgd
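One way to script the "simple rules once volume is confirmed" approach Kris describes, as an added Python example (not his code or anything from the thread): it counts From: display names and Subjects across constructed spam samples and emits SpamAssassin header rules only for patterns seen at least a threshold number of times. The LOCAL_ rule prefix, the 3.0 score and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of (From: display name, Subject) pairs pulled from a batch
# of look-alike spam; a real run would read these from the quarantined messages.
SAMPLES = [
    ("Weight Loss Secret", "Lose 30 lbs in 30 days"),
    ("Weight Loss Secret", "Lose 30 lbs in 30 days"),
    ("Weight Loss Secret", "Lose 30 lbs in 30 days"),
    ("Bob Jones", "Re: invoice"),
]
MIN_VOLUME = 3  # assumed threshold: emit a rule only after this many sightings

def sa_regex(text):
    """Literal, anchored, case-insensitive Perl regex for a header rule.
    re.escape() leaves '/' alone (Python 3.7+), but '/' delimits the
    SpamAssassin pattern, so it is escaped by hand."""
    return "/^" + re.escape(text).replace("/", r"\/") + "$/i"

def rule_name(prefix, text):
    """Rule names must be upper-case [A-Z0-9_]; derive one from the text."""
    slug = re.sub(r"[^A-Z0-9]+", "_", text.upper()).strip("_")[:40]
    return f"LOCAL_{prefix}_{slug}"

def generate_rules(samples, min_volume=MIN_VOLUME, score=3.0):
    """Return header/describe/score lines for every From: name and Subject
    seen at least min_volume times; lower-volume patterns get no rule."""
    names = Counter(name for name, _ in samples)
    subjects = Counter(subj for _, subj in samples)
    lines = []
    for header, counts, prefix in (("From:name", names, "FROMNAME"),
                                   ("Subject", subjects, "SUBJ")):
        for text, n in counts.items():
            if n < min_volume:
                continue
            rn = rule_name(prefix, text)
            lines.append(f"header   {rn}  {header} =~ {sa_regex(text)}")
            lines.append(f"describe {rn}  seen {n} times in local spam samples")
            lines.append(f"score    {rn}  {score:.1f}")
    return lines
```

The output drops into a local .cf file; the Bob Jones sample stays below the threshold and gets no rule, which is the point of waiting for volume before adding one.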