Posted to users@spamassassin.apache.org by stefan novak <lm...@gmail.com> on 2009/04/12 18:43:25 UTC
spam not classified
Hello!
For a month now I have been getting the same spam again and again.
Does somebody else have this problem with such mails: http://pastebin.com/m63db288f
thx Bru
Re: spam not classified
Posted by Ned Slider <ne...@unixmail.co.uk>.
stefan novak wrote:
> Hello!
>
> For a month now I have been getting the same spam again and again.
> Does somebody else have this problem with such mails: http://pastebin.com/m63db288f
>
> thx Bru
>
I've been hitting these with a rule that matches the phone no's they use.
Here's the phone no rule I have at the moment:
body LOCAL_SCAM_PHONE_NO /(267.?697.?5.?89[0-9]|302.?565.?4.?88[0-9]|302.?442.?4.?07[0-9]|305.?390.?0.?26[0-9]|309.?409.?4.?50[0-9]|312.?260.?7.?94[0-9]|603.?509.?2.?00[0-9]|646.?537.?1.?73[0-9]|718.?989.?2.?17[0-9]|718.?989.?5.?74[0-9]|832.?550.?3.?16[0-9]|845.?709.?8.?04[0-9])/
score LOCAL_SCAM_PHONE_NO 4
describe LOCAL_SCAM_PHONE_NO Contains Scam Phone Number
Score it as you see fit, and add new phone no's as they arise.
Detecting obfuscated words (with "1" replacing "l", for example) can be
quite effective against these too - your example contains a couple of
such instances.
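The two ideas in Ned's reply, a separator-tolerant phone-number rule and de-obfuscating digit-for-letter words, worked through in Python as an added example (not code from the thread). The phone pattern is copied from the rule above; the substitution table beyond "1" for "l", the watch-word list, the LOCAL_OBFUSCATED_WORD rule and the sample body are assumptions constructed here.

```python
import re

# Ned's LOCAL_SCAM_PHONE_NO pattern, copied from the post above. Each ".?"
# tolerates one optional separator (space, dash, dot) between digit groups.
SCAM_PHONE_RE = re.compile(
    r"(267.?697.?5.?89[0-9]|302.?565.?4.?88[0-9]|302.?442.?4.?07[0-9]|"
    r"305.?390.?0.?26[0-9]|309.?409.?4.?50[0-9]|312.?260.?7.?94[0-9]|"
    r"603.?509.?2.?00[0-9]|646.?537.?1.?73[0-9]|718.?989.?2.?17[0-9]|"
    r"718.?989.?5.?74[0-9]|832.?550.?3.?16[0-9]|845.?709.?8.?04[0-9])"
)

# Digit/symbol-for-letter substitutions (assumed list; the post itself only
# names "1" standing in for "l").
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Words worth catching in obfuscated form (constructed for this example).
WATCH_WORDS = {"diploma", "degree", "university", "call"}

def scam_phone_numbers(body):
    """Every substring the scam phone-number rule would hit."""
    return [m.group(0) for m in SCAM_PHONE_RE.finditer(body)]

def obfuscated_words(body):
    """Tokens containing at least one substitution character that spell a
    watch word once the substitutions are undone ("Ca11" -> "call")."""
    hits = []
    for tok in re.findall(r"[A-Za-z0-9@$]+", body):
        if any(c.isdigit() or c in "@$" for c in tok):
            if tok.translate(LEET).lower() in WATCH_WORDS:
                hits.append(tok)
    return hits

def local_score(body):
    """Apply two local rules: LOCAL_SCAM_PHONE_NO (4.0, as scored in the post)
    and a hypothetical LOCAL_OBFUSCATED_WORD (1.5 per distinct hit)."""
    hits = {}
    if scam_phone_numbers(body):
        hits["LOCAL_SCAM_PHONE_NO"] = 4.0
    words = set(obfuscated_words(body))
    if words:
        hits["LOCAL_OBFUSCATED_WORD"] = 1.5 * len(words)
    return round(sum(hits.values()), 1), hits

# Constructed sample body modelled on the diploma-mill spam in the thread.
SAMPLE = "Earn a d3gree fast! Ca11 now: 718-989-2171 or 302 565 4 881."
```

Note that the obfuscation check only fires on tokens that actually contain a substitution character, so plain "call" or "diploma" in legitimate mail does not count.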
Re: spam not classified
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2009-04-12 at 09:49 -0700, John Hardin wrote:
> On Sun, 12 Apr 2009, stefan novak wrote:
>
> > For a month now I have been getting the same spam again and again. Does somebody
> > else have this problem with such mails: http://pastebin.com/m63db288f
>
> Thanks for posting a spample, but in the future please remember to include
> _all_ of the message headers. Not having the message headers limits the
> analysis we can perform and the advice we can provide.
Very true... However, I believe I got a couple of these myself.
> If you're getting the same spam again and again, bayes should easily
> catch it. Is your bayes working? Are you training it with misses?
Again, true. :) Always scores BAYES_99 here.
Also quite a few RCVD_IN_* network tests. You do have network tests
enabled, right? And always hits iXhash [1] and a simple and cheap local
rule adding 0.5 for direct MUA to MX submissions.
From a quick glance, all of them do score at least these. Typically high
hitters, not one sample with a total score less than 15...
[1] http://ixhash.net/ third-party plugin
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spam not classified
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> stefan novak wrote:
> > I've updated the file with the headers:
> >
> > http://pastebin.com/m6e31520c
On 12.04.09 10:30, Bill Landry wrote:
> Scored high here:
>
> Content analysis details: (32.9 points, 10.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> 1.0 RELAY_AR Relayed through Argentina
> 0.5 BOTNET_BADDNS Relay doesn't have full circle DNS
>
> [botnet_baddns,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
> 0.5 RCVD_IN_UCEPROTECT_3 RBL: Sender listed in UCEPROTECT_3
> [190.51.32.122 listed in dnsbl-3.uceprotect.net]
> 1.0 RCVD_IN_JMF_BL RBL: Sender listed in JMF-BLACK
> [190.51.32.122 listed in
> hostkarma.junkemailfilter.com]
> 1.0 RCVD_IN_UCEPROTECT_2 RBL: Sender listed in UCEPROTECT_2
> [190.51.32.122 listed in dnsbl-2.uceprotect.net]
> 2.0 RCVD_IN_UCEPROTECT_1 RBL: Sender listed in UCEPROTECT_1
> [190.51.32.122 listed in dnsbl-1.uceprotect.net]
> 1.5 RCVD_IN_BARRACUDA RBL: Sender listed in Barracuda Relay Black List
> [190.51.32.122 listed in b.barracudacentral.org]
> 2.5 RCVD_IN_NERDS_AR RBL: Received from Argentina
> [190.51.32.122 listed in zz.countries.nerd.dk]
> 0.5 BOTNET Relay might be a spambot or virusbot
> [botnet0.8,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,maildomain=alfa.com,baddns,client,ipinhostname]
> 0.5 BOTNET_IPINHOSTNAME Hostname contains its own IP address
>
> [botnet_ipinhosntame,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
> 0.5 BOTNET_CLIENT Relay has a client-like hostname
> [botnet_client,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,ipinhostname]
> 1.0 GENERIC_IXHASH BODY: iXhash found @ generic.ixhash.net
> 1.0 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
> 4.5 KAM_UNIV Diploma Mill Rule
> 2.0 BOTNET_WU BOTNET_WU
> 1.0 SAGREY Adds 1.0 to spam from first-time senders
Unfortunately, all these rules are not in the SA distribution... I see you use the
BOTNET and IXHASH plugins, and apparently others too.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: spam not classified
Posted by stefan novak <lm...@gmail.com>.
I checked my configuration and had a misconfiguration in my mimedefang setup.
# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
skip_rbl_checks 0
skip_rbl_checks was set to 1 :(
thx for your help
Re: spam not classified
Posted by Bill Landry <bi...@inetmsg.com>.
stefan novak wrote:
> I've updated the file with the headers:
>
> http://pastebin.com/m6e31520c
Scored high here:
Content analysis details: (32.9 points, 10.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
1.2 TO_MALFORMED To: has a malformed address
1.0 RELAY_AR Relayed through Argentina
0.5 BOTNET_BADDNS Relay doesn't have full circle DNS
[botnet_baddns,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
0.5 RCVD_IN_UCEPROTECT_3 RBL: Sender listed in UCEPROTECT_3
[190.51.32.122 listed in dnsbl-3.uceprotect.net]
1.0 RCVD_IN_JMF_BL RBL: Sender listed in JMF-BLACK
[190.51.32.122 listed in
hostkarma.junkemailfilter.com]
1.0 RCVD_IN_UCEPROTECT_2 RBL: Sender listed in UCEPROTECT_2
[190.51.32.122 listed in dnsbl-2.uceprotect.net]
2.0 RCVD_IN_UCEPROTECT_1 RBL: Sender listed in UCEPROTECT_1
[190.51.32.122 listed in dnsbl-1.uceprotect.net]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[190.51.32.122 listed in zen.spamhaus.org]
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
1.5 RCVD_IN_BARRACUDA RBL: Sender listed in Barracuda Relay Black List
[190.51.32.122 listed in b.barracudacentral.org]
2.5 RCVD_IN_NERDS_AR RBL: Received from Argentina
[190.51.32.122 listed in zz.countries.nerd.dk]
0.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,maildomain=alfa.com,baddns,client,ipinhostname]
0.5 BOTNET_IPINHOSTNAME Hostname contains its own IP address
[botnet_ipinhosntame,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
0.5 BOTNET_CLIENT Relay has a client-like hostname
[botnet_client,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,ipinhostname]
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
1.0 LONGWORDS_15 BODY: string of 15+ random letters
1.0 GENERIC_IXHASH BODY: iXhash found @ generic.ixhash.net
1.0 NIXSPAM_IXHASH BODY: iXhash found @ ix.dnsbl.manitu.net
2.2 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
0.1 RDNS_DYNAMIC Delivered to trusted network by host with dynamic-looking rDNS
4.5 KAM_UNIV Diploma Mill Rule
2.0 BOTNET_WU BOTNET_WU
1.0 SAGREY Adds 1.0 to spam from first-time senders
Might consider adding some of the available plugins and using sa-update
to grab Justin's "sought" rules, if not already doing so.
Bill
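Karsten's question earlier in the thread ("You do have network tests enabled, right?") can be answered by reading the score report itself: with skip_rbl_checks set, as stefan found, no RCVD_IN_* rule can fire and the total drops accordingly. The parser below is an added example, not code from the thread; both reports are constructed excerpts in the format Bill posted (rule names and scores taken from his report), and the list of markers that identify network-lookup rules is an assumption.

```python
import re

# Two constructed excerpts in the "Content analysis details" format shown
# above; rule names and scores are taken from Bill's report.
REPORT_FULL = """\
Content analysis details:   (10.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.2 TO_MALFORMED           To: has a malformed address
 2.0 RCVD_IN_UCEPROTECT_1   RBL: Sender listed in UCEPROTECT_1
                            [190.51.32.122 listed in dnsbl-1.uceprotect.net]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
"""
# Same message scanned with no network lookups available: only local tests remain.
REPORT_NO_NET = """\
Content analysis details:   (4.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.2 TO_MALFORMED           To: has a malformed address
"""

RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
# Substrings of rule names that imply a DNS/network lookup (assumed list).
NETWORK_MARKERS = ("RCVD_IN_", "DCC_", "RAZOR2_", "PYZOR_", "_IXHASH")

def parse_report(text):
    """(score, rule, description) per hit; indented continuation lines are joined."""
    hits = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith("    "):
            s, r, d = hits[-1]
            hits[-1] = (s, r, d + " " + line.strip())
    return hits

def diagnose(text):
    """Total the hits and report whether any network test or Bayes rule fired."""
    hits = parse_report(text)
    net = [r for _, r, _ in hits if any(mk in r for mk in NETWORK_MARKERS)]
    bayes = [r for _, r, _ in hits if r.startswith("BAYES_")]
    return {"total": round(sum(s for s, _, _ in hits), 1),
            "network_rules": net, "bayes_rules": bayes,
            "network_tests_fired": bool(net)}
```

A report where Bayes fires but network_tests_fired is False is the signature of the skip_rbl_checks misconfiguration stefan found, or of a scanner that cannot resolve DNS.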
Re: spam not classified
Posted by stefan novak <lm...@gmail.com>.
I've updated the file with the headers:
http://pastebin.com/m6e31520c
Re: spam not classified
Posted by John Hardin <jh...@impsec.org>.
On Sun, 12 Apr 2009, stefan novak wrote:
> For a month now I have been getting the same spam again and again. Does somebody
> else have this problem with such mails: http://pastebin.com/m63db288f
Thanks for posting a spample, but in the future please remember to include
_all_ of the message headers. Not having the message headers limits the
analysis we can perform and the advice we can provide.
If you're getting the same spam again and again, bayes should easily
catch it. Is your bayes working? Are you training it with misses?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Genuine Advantage (WGA) means that now you use your
computer at the sufferance of Microsoft Corporation. They can
kill it remotely without your consent at any time for any reason;
it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
Tomorrow: Thomas Jefferson's 266th Birthday