Posted to users@spamassassin.apache.org by Nitin Bhadauria <ni...@tetrain.com> on 2008/08/04 13:34:18 UTC

Lottery spam in my inbox

Hi friends.


How is it possible that these kinds of mail are not spam tagged by my 
SpamAssassin.......

CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO  
tntexpresscourierserviceworld@gmail.com)
ftp://195.169.149.102/tt/WON.txt

YOUR REF:CLAIMS/ATM/822 .........
ftp://195.169.149.102/tt/ATM.txt

please help me out...............

Thanks
Nitin Bhadauria

Re: Lottery spam in my inbox

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-08-06 at 20:50 -0400, Sahil Tandon wrote:

> Thanks for the advice, and I know perfectly well what BAYES_50 is 
> *supposed* to mean for *most* people.  This may not be a smart move for 
> you, but it works remarkably well for us.  False positives (which, to be 
> clear, are seldom) can be found in a user's spam folder; there are a 
> number of other idiosyncrasies that are off-topic here.  In any case, I 
> understand how SA works and acknowledge the implications of fiddling with 
> the rules.  TIMTOWDI.  Thank you.                                         

Hehe, well then, never mind. :)

I just was reminded about a similar story. I've seen users raise
BAYES_50, because they did not understand what it meant. Anyway, since
you seem to be perfectly aware of what you are doing, I'm glad it works
for you.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Lottery spam in my inbox

Posted by Sahil Tandon <sa...@tandon.net>.
Karsten Bräckelmann <gu...@rudersport.de> wrote:

> That is not a smart move, IMHO. A Bayes score of 0.5 does NOT mean,
> Bayes is 50% certain it's spam. It DOES mean, that Bayes does know
> nothing. Absolutely nothing.
> 
> Between BAYES_00 (aka ~100% sure it is ham) and BAYES_99 (aka ~100% sure
> it is spam), BAYES_50 is like a shrugging. It is not a sign of being
> spammy. You could just as well lower your spam threshold to 3.0.
> 
> If you really feel a need to punish BAYES_50 like *that*, my advice is
> to properly train your Bayes instead.

Thanks for the advice, and I know perfectly well what BAYES_50 is 
*supposed* to mean for *most* people.  This may not be a smart move for 
you, but it works remarkably well for us.  False positives (which, to be 
clear, are seldom) can be found in a user's spam folder; there are a 
number of other idiosyncrasies that are off-topic here.  In any case, I 
understand how SA works and acknowledge the implications of fiddling with 
the rules.  TIMTOWDI.  Thank you.                                         
  

-- 
Sahil Tandon <sa...@tandon.net>

Re: Lottery spam in my inbox

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-08-06 at 20:25 -0400, Sahil Tandon wrote:
> Karsten Bräckelmann <gu...@rudersport.de> wrote:
> 
> > Hmm... Sahil, Nitin -- guys, you are seriously confusing me.
> 
> I am perplexed by your confusion, but I will try to help you.

My confusion stems from different, almost random results all over the
place. That, or you guys have been talking about one spam, but posted
results of another. ;)

(To remind you: One single piece of spam. Three different results of
static RE rules.)


> > Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
> > guess your download broke or something, but these rules don't apply to
> > the given spamples.
> 
> I have no idea re: HB*; perhaps as you suggest, something did "break" 
> during the wget.
>                      
> > Even worse, your rules hit account for a total score of 7.032. Might I
> > ask which rules scores you changed?
> 
> What do you even mean by "worse"?  People tweak rules in local.cf.  To 
> satiate your curiosity (sorry for the wrapping):

Sorry, you are right of course. That word sneaked in, because I had a
gut feeling...

> X-Spam-Report: 
> 	*  2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> 	*      [score: 0.5001]

Bingo!  That's *exactly* what I guessed...

That is not a smart move, IMHO. A Bayes score of 0.5 does NOT mean,
Bayes is 50% certain it's spam. It DOES mean, that Bayes does know
nothing. Absolutely nothing.

Between BAYES_00 (aka ~100% sure it is ham) and BAYES_99 (aka ~100% sure
it is spam), BAYES_50 is like a shrugging. It is not a sign of being
spammy. You could just as well lower your spam threshold to 3.0.

If you really feel a need to punish BAYES_50 like *that*, my advice is
to properly train your Bayes instead.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
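
Added example, not part of any poster's message: it parses the X-Spam-Report and X-Spam-Status quoted in this thread and shows what the 2.0 local score on BAYES_50 does to the verdict. The function names are this example's own, and counting BAYES_50 as zero evidence is an assumption taken from the reply above, not the stock score.

```python
import re

# X-Spam-Report / X-Spam-Status as posted in this thread, unwrapped (poster's local scores).
REPORT = """\
*  2.1 SUBJ_ALL_CAPS Subject is all capitals
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*      [score: 0.5001]
*  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
*  2.1 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and
*       body
*  2.1 HTML_MISSING_CTYPE Message is HTML without HTML Content-Type
"""
STATUS = ("X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
          "\tHTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS\n"
          "\tautolearn=no version=3.2.5")

RULE_LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(text):
    """Return {rule: score}; wrapped description lines and '[score: ...]' are skipped."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def parse_status(header):
    """Return (score, required, rule-name set) from a folded X-Spam-Status header."""
    flat = re.sub(r",\s+", ",", header)   # folds inside the tests list
    flat = re.sub(r"\s+", " ", flat)      # remaining folds become one space
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    tests = set(re.search(r"tests=(\S*)", flat).group(1).split(","))
    return score, required, tests

def neutral_rule_effect(hits, required, rule="BAYES_50"):
    """Show what a positive score on an 'undecided' rule does to the verdict."""
    bonus = hits.get(rule, 0.0)
    total = round(sum(hits.values()), 3)
    other = round(total - bonus, 3)
    return {"total": total, "other_evidence": other,
            # what the remaining rules must reach whenever `rule` fires
            "effective_required": round(required - bonus, 3),
            "spam_as_scored": total >= required,
            "spam_on_other_evidence": other >= required}
```

For the posted report this gives a total of 9.0, other evidence of 7.0 and an effective threshold of 3.0 for any mail that hits BAYES_50; the 7.0 comes from the rounded report values, so it differs slightly from the 7.032 quoted in the thread.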


Re: Lottery spam in my inbox

Posted by Sahil Tandon <sa...@tandon.net>.
Karsten Bräckelmann <gu...@rudersport.de> wrote:

> Hmm... Sahil, Nitin -- guys, you are seriously confusing me.

I am perplexed by your confusion, but I will try to help you.

> Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
> guess your download broke or something, but these rules don't apply to
> the given spamples.

I have no idea re: HB*; perhaps as you suggest, something did "break" 
during the wget.
                     
> Even worse, your rules hit account for a total score of 7.032. Might I
> ask which rules scores you changed?

What do you even mean by "worse"?  People tweak rules in local.cf.  To 
satiate your curiosity (sorry for the wrapping):

X-Spam-Report: 
	*  2.1 SUBJ_ALL_CAPS Subject is all capitals
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.5001]
	*  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
	*  2.1 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and
	*       body
	*  2.1 HTML_MISSING_CTYPE Message is HTML without HTML Content-Type

-- 
Sahil Tandon <sa...@tandon.net>

Re: Lottery spam in my inbox

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Hmm... Sahil, Nitin -- guys, you are seriously confusing me.


On Tue, 2008-08-05 at 12:00 +0530, Nitin Bhadauria wrote:
> Sahil Tandon wrote: 

> yes i did train the sa data by 

Nitin, neither of your headers shows *any* BAYES_XX hit. Whatever you
trained doesn't seem to be the user SA runs as.


> > > ftp://195.169.149.102/tt/ATM.txt    
> > 
> > Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught 
> > by SA:
> >    
> >   X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
> > 	HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
> > 	autolearn=no version=3.2.5

Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
guess your download broke or something, but these rules don't apply to
the given spamples.

Even worse, your rules hit account for a total score of 7.032. Might I
ask which rules scores you changed?


> X-Spam-Status: No, score=1.7 required=4.9 tests=HTML_MESSAGE,MIME_HTML_ONLY,
>         SPF_PASS autolearn=no version=3.2.4

Nitin, this isn't the same result as your original scan. Whatever that
is, it is a different mail.


Care to clear the confusion? :)

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Lottery spam in my inbox

Posted by Nitin Bhadauria <ni...@tetrain.com>.
Sahil Tandon wrote:
>
> On Aug 5, 2008, at 7:32, Nitin Bhadauria <ni...@tetrain.com> 
> wrote:
>
>> Jens Kleikamp wrote:
>>> Nitin Bhadauria wrote:
>>>> Sahil Tandon wrote:
>>>>> Nitin Bhadauria <ni...@tetrain.com> wrote:
>>>>>
>>>>>
>>>>>> How is it possible that these kinds of mail are not spam tagged by my 
>>>>>> SpamAssassin.......
>>>>>>
>>>>>            Do you train SA's bayes database?  Do you use RBL 
>>>>> checks?  Do you use ClamAV with stock and SaneSecurity signatures?
>>>> yes i did train the sa data by
>>>>
>>>> |sa-learn --showdots -C /etc/mail/spamassassin --spam 
>>>> /var/spool/mail/virtual//quarantine/.spam//*
>>>>
>>>> and here is my postfix checks...
>>>>
>>>> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
>>>> reject_non_fqdn_recipient,  reject_unknown_sender_domain,  
>>>> reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,  
>>>> reject_rbl_client sbl.spamhaus.org,  reject_rbl_client 
>>>> cbl.abuseat.org,  reject_rbl_client dul.dnsbl.sorbs.net
>>>>
>>>> and if u suggest i may add  |dnsbl-3.uceprotect.net too.
>>>
>>> If you would read the website of uceprotect you would know that it 
>>> is really not recommended to use the level 3 Blacklist to block 
>>> mails at the mta layer.
>>>
>>> They recommend 1 and 2 for strict blocks and level 3 for scoring 
>>> systems.
>>>
>> so want me to add this rbl check in spamassassin .........
>>>
>>>
>
> Neither of us said that. Just making you aware of these things. It is 
> your call.
>
Thank you sir .....

Can you tell me how I can get mails from mydomain through to 
SpamAssassin without whitelisting......

Re: Lottery spam in my inbox

Posted by Sahil Tandon <sa...@tandon.net>.
On Aug 5, 2008, at 7:32, Nitin Bhadauria <ni...@tetrain.com>  
wrote:

> Jens Kleikamp wrote:
>> Nitin Bhadauria wrote:
>>> Sahil Tandon wrote:
>>>> Nitin Bhadauria <ni...@tetrain.com> wrote:
>>>>
>>>>
>>>>> How is it possible that these kinds of mail are not spam tagged  
>>>>> by my SpamAssassin.......
>>>>>
>>>>            Do you train SA's bayes database?  Do you use RBL  
>>>> checks?  Do you use ClamAV with stock and SaneSecurity signatures?
>>> yes i did train the sa data by
>>>
>>> |sa-learn --showdots -C /etc/mail/spamassassin --spam /var/spool/ 
>>> mail/virtual//quarantine/.spam//*
>>>
>>> and here is my postfix checks...
>>>
>>> reject_non_fqdn_hostname,  reject_non_fqdn_sender,   
>>> reject_non_fqdn_recipient,  reject_unknown_sender_domain,   
>>> reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,   
>>> reject_rbl_client sbl.spamhaus.org,  reject_rbl_client  
>>> cbl.abuseat.org,  reject_rbl_client dul.dnsbl.sorbs.net
>>>
>>> and if u suggest i may add  |dnsbl-3.uceprotect.net too.
>>
>> If you would read the website of uceprotect you would know that it  
>> is really not recommended to use the level 3 Blacklist to block  
>> mails at the mta layer.
>>
>> They recommend 1 and 2 for strict blocks and level 3 for scoring  
>> systems.
>>
> so want me to add this rbl check in spamassassin .........
>>
>>

Neither of us said that. Just making you aware of these things. It is  
your call. 

Re: Lottery spam in my inbox

Posted by Nitin Bhadauria <ni...@tetrain.com>.
Jens Kleikamp wrote:
> Nitin Bhadauria wrote:
>> Sahil Tandon wrote:
>>> Nitin Bhadauria <ni...@tetrain.com> wrote:
>>>
>>>  
>>>> How is it possible that these kinds of mail are not spam tagged by my 
>>>> SpamAssassin.......
>>>>     
>>>             Do you train SA's bayes database?  Do you use RBL 
>>> checks?  Do you use ClamAV with stock and SaneSecurity signatures?   
>> yes i did train the sa data by
>>
>> |sa-learn --showdots -C /etc/mail/spamassassin --spam 
>> /var/spool/mail/virtual//quarantine/.spam//*
>>
>> and here is my postfix checks...
>>
>> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
>> reject_non_fqdn_recipient,  reject_unknown_sender_domain,  
>> reject_unknown_recipient_domain,  reject_rbl_client list.dsbl.org,  
>> reject_rbl_client sbl.spamhaus.org,  reject_rbl_client 
>> cbl.abuseat.org,  reject_rbl_client dul.dnsbl.sorbs.net
>>
>> and if u suggest i may add  |dnsbl-3.uceprotect.net too.
>
> If you would read the website of uceprotect you would know that it is 
> really not recommended to use the level 3 Blacklist to block mails at 
> the mta layer.
>
> They recommend 1 and 2 for strict blocks and level 3 for scoring systems.
>
so want me to add this rbl check in spamassassin .........

>
>


Re: Lottery spam in my inbox

Posted by Jens Kleikamp <je...@codes-concepts.com>.
Nitin Bhadauria wrote:
> Sahil Tandon wrote:
>> Nitin Bhadauria <ni...@tetrain.com> wrote:
>>
>>  
>>> How is it possible that these kinds of mail are not spam tagged by my 
>>> SpamAssassin.......
>>>     
>>             Do you train SA's bayes database?  Do you use RBL checks?  
>> Do you use ClamAV with stock and SaneSecurity signatures?   
> yes i did train the sa data by
> 
> |sa-learn --showdots -C /etc/mail/spamassassin --spam 
> /var/spool/mail/virtual//quarantine/.spam//*
> 
> and here is my postfix checks...
> 
> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
> reject_non_fqdn_recipient,  reject_unknown_sender_domain,  
> reject_unknown_recipient_domain,  reject_rbl_client list.dsbl.org,  
> reject_rbl_client sbl.spamhaus.org,  reject_rbl_client cbl.abuseat.org,  
> reject_rbl_client dul.dnsbl.sorbs.net
> 
> and if u suggest i may add  |dnsbl-3.uceprotect.net too.

If you would read the website of uceprotect you would know that it is 
really not recommended to use the level 3 Blacklist to block mails at 
the mta layer.

They recommend 1 and 2 for strict blocks and level 3 for scoring systems.


Re: Lottery spam in my inbox

Posted by Nitin Bhadauria <ni...@tetrain.com>.
Sahil Tandon wrote:
> Nitin Bhadauria <ni...@tetrain.com> wrote:
>
>   
>> How is it possible that these kinds of mail are not spam tagged by my 
>> SpamAssassin.......
>>     
>             
> Do you train SA's bayes database?  Do you use RBL checks?  Do you use 
> ClamAV with stock and SaneSecurity signatures? 
>   
yes i did train the sa data by

|sa-learn --showdots -C /etc/mail/spamassassin --spam 
/var/spool/mail/virtual//quarantine/.spam//*

and here is my postfix checks...

reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
reject_non_fqdn_recipient,  reject_unknown_sender_domain,  
reject_unknown_recipient_domain,  reject_rbl_client list.dsbl.org,  
reject_rbl_client sbl.spamhaus.org,  reject_rbl_client cbl.abuseat.org,  
reject_rbl_client dul.dnsbl.sorbs.net

and if u suggest i may add  |dnsbl-3.uceprotect.net too.

And yes i don't have clamav with SaneSecurity signatures but yes i am 
going to use it from now..

http://www.sanesecurity.com/clamav/usage.htm

>                          
>   
>> CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO  
>> tntexpresscourierserviceworld@gmail.com)
>> ftp://195.169.149.102/tt/WON.txt
>>     
>
> The sending MX is listed on several DNSBLs, among them sorbs and ahbl; 
> also caught by ClamAV: Email.ScamL.Gen711.Sanesecurity.08062506.
>   
>   
>> YOUR REF:CLAIMS/ATM/822 .........
>> ftp://195.169.149.102/tt/ATM.txt
>>     
>                                                              
> Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught 
> by SA:
>    
>   X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
> 	HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
> 	autolearn=no version=3.2.5
>
>   
Here is my spam-status.................

X-Spam-Status: No, score=1.7 required=4.9 tests=HTML_MESSAGE,MIME_HTML_ONLY,
        SPF_PASS autolearn=no version=3.2.4


Thanks for the help...

Re: Lottery spam in my inbox

Posted by Sahil Tandon <sa...@tandon.net>.
Nitin Bhadauria <ni...@tetrain.com> wrote:

> How is it possible that these kinds of mail are not spam tagged by my 
> SpamAssassin.......
            
Do you train SA's bayes database?  Do you use RBL checks?  Do you use 
ClamAV with stock and SaneSecurity signatures? 
                         
> CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO  
> tntexpresscourierserviceworld@gmail.com)
> ftp://195.169.149.102/tt/WON.txt

The sending MX is listed on several DNSBLs, among them sorbs and ahbl; 
also caught by ClamAV: Email.ScamL.Gen711.Sanesecurity.08062506.
  
> YOUR REF:CLAIMS/ATM/822 .........
> ftp://195.169.149.102/tt/ATM.txt
                                                             
Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught 
by SA:
   
  X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
	HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
	autolearn=no version=3.2.5

-- 
Sahil Tandon <sa...@tandon.net>