Posted to users@spamassassin.apache.org by Adam Katz <an...@khopis.com> on 2009/10/15 21:43:52 UTC
Re: [SA] sneaky pharma spam shooting past standard rules
Jari Fredriksson wrote:
> 1.0 RCVD_IN_BRBL_LASTEXT RBL: Received via a relay in Barracuda BRBL
> 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> 1.7 RCVD_IN_HOSTKARMA_BL RBL: HostKarma: relay in black list
> 0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
> 0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
> 1.2 KHOP_2IPS_RCVD Received: Relay identifies itself as wrong IP
> 6.0 L_TAB_IN_FROM L_TAB_IN_FROM
> 4.0 BOTNET Relay might be a spambot or virusbot
> 2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
> 1.0 HTML_MESSAGE BODY: HTML included in message
> 2.0 KHOP_DNSBL_BUMP Hits a trusted non-overlapping DNSBL
Of those 20.2 points, 2.9 are from stock SA, and the 2.0 from Bayes
doesn't count in helping people's configs. HTML_MESSAGE is dangerous
to bump up to 1.0 ... MIME_HTML_ONLY (1.5) takes care of most of the
HTML-based spam, while HTML_MESSAGE will trip over almost everything
(it hit 87% of the masscheck spam but also hit 27% of the ham), see
http://ruleqa.spamassassin.org/week/HTML_MESSAGE/detail
Of the remaining points, my channels (see link in my sig) contributed
6.2 by bringing in BRBL and HostKarma (plus DNSBL_BUMP) plus my other
rules like 2IPS (though the original post had "IN_BCUDA_RBL" plus some
rules penalizing mail from New Zealand).
The rest comes from BotNet and whatever L_TAB_IN_FROM is.
Google directs me to a post to this list from two months ago
(2009/08/22 18:19 UTC and 2009/08/06 20:50 UTC, both from Mike Cappella).
A score of 6 is FREAKISHLY high, even for something with a very low FP
rate. I'd score that around 1.2 if I trusted it. I like it, so I'm
throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:
# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header MC_TAB_IN_FROM From:raw =~ /^\t/m
describe MC_TAB_IN_FROM From: Contains a tab
score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
--
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
Re: [SA] sneaky pharma spam shooting past standard rules
Posted by Mike Cappella <li...@cappella.us>.
On 10/15/2009 10:56 PM, Henrik K wrote:
> You missed the important post:
>
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3C200908222035.57647.Mark.Martinec+sa@ijs.si%3E
>
For general use, the rule should be tightened. The relaxed version only
hit mailing lists from a particular, custom news forum / SMTP gateway.
> 15.10.2009 22:43, Adam Katz kirjoitti:
>>
>> A score of 6 is FREAKISHLY high, even for something with a very low FP
>> rate. I'd score that around 1.2 if I trusted it. I like it, so I'm
>> throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:
>>
The high score ensured a forced quarantine, where manual inspection
validated the results. 0 is indeed a very low FP, at least on our
server over the course of several years. I agree, it's best to reduce
that freakish score for mass use. :-)
>> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
>> header MC_TAB_IN_FROM From:raw =~ /^\t/m
>> describe MC_TAB_IN_FROM From: Contains a tab
>> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
>>
Nice to see it has been useful.
--
Mike
Re: [SA] sneaky pharma spam shooting past standard rules
Posted by Jari Fredriksson <ja...@iki.fi>.
15.10.2009 22:43, Adam Katz kirjoitti:
>
> A score of 6 is FREAKISHLY high, even for something with a very low FP
> rate. I'd score that around 1.2 if I trusted it. I like it, so I'm
> throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:
>
> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header MC_TAB_IN_FROM From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM From: Contains a tab
> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
>
Removed mine from local.rc as it will come to me later in an update then.
The current problem is possible duplicate rules in my rc.local and KHOP
ruleset. Have to take time for a clean-up.
--
http://www.iki.fi/jarif/
Habit is habit, and not to be flung out of the window by any man, but coaxed
down-stairs a step at a time.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
Re: sneaky pharma spam shooting past standard rules
Posted by Adam Katz <an...@khopis.com>.
Henrik K wrote:
> On Thu, Oct 15, 2009 at 03:43:52PM -0400, Adam Katz wrote:
>> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
>> header MC_TAB_IN_FROM From:raw =~ /^\t/m
>> describe MC_TAB_IN_FROM From: Contains a tab
>> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
>
> You missed the important post:
>
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3C200908222035.57647.Mark.Martinec+sa@ijs.si%3E
Ah, right. That should be /s rather than /m, as in:
header MC_TAB_IN_FROM From:raw =~ /^\t/s
(Since /^\t/s == /\A\t/m == /\A\t/s == /\A\t/ )
I think caret is more legible/recognizable than \A, and /\A\t/ and
/\A\t/s are pointless since \A only differs from ^ when using /m.
(Maybe that's just because I use regexps in perl, vim, and javascript.
\A only works this way in perl, while ^ inside /s works everywhere.)
If I'm wrong anywhere, please do correct.
My channel has this update pending for its next release.
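The point of the /m-versus-/s correction above, and the false-positive risk Mike describes for the original rule in Adam's first post, can be checked mechanically. The following is an added example, not code from this thread or from any poster's ruleset: it runs the two candidate patterns over three constructed raw From: header values (a tab directly after the colon, an RFC 5322 folded header whose continuation line begins with a tab, and a plain single-line value). Python's re.MULTILINE plays the role of Perl's /m and re.DOTALL the role of /s; the sample addresses and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample raw From: header values, i.e. the text after "From:"
# as a :raw header check would see it. These are not taken from the thread.
SAMPLES = {
    # Tab directly after the colon: the pattern the rule is meant to catch.
    "tab_after_colon": "\tJohn Doe <john@example.invalid>",
    # RFC 5322 folded header whose continuation line starts with a tab.
    # This is a normal gateway / mailing-list artifact, not a spam sign.
    "folded_with_tab": " Jane Roe\n\t<jane@example.invalid>",
    # Ordinary single-line header value.
    "plain": " Someone <someone@example.invalid>",
}

# The candidate patterns discussed in the thread, with Perl flags mapped
# to Python: /m -> re.MULTILINE (^ also matches after every newline),
# /s -> re.DOTALL (only changes what '.' matches, so ^ stays start-of-string).
RULE_M = re.compile(r"^\t", re.MULTILINE)   # original /^\t/m
RULE_S = re.compile(r"^\t", re.DOTALL)      # corrected /^\t/s
RULE_A = re.compile(r"\A\t")                # \A anchors only at the very start
RULE_AM = re.compile(r"\A\t", re.MULTILINE) # \A is unaffected by /m


def tab_in_from(raw_value, pattern):
    r"""Return True if the given pattern would hit on this raw From: value."""
    return pattern.search(raw_value) is not None


def evaluate(samples=SAMPLES):
    r"""Run every candidate pattern over every sample.

    Returns {sample_name: {"m": hit, "s": hit, "A": hit}}.
    """
    return {
        name: {
            "m": tab_in_from(value, RULE_M),
            "s": tab_in_from(value, RULE_S),
            "A": tab_in_from(value, RULE_A),
        }
        for name, value in samples.items()
    }


def equivalent(samples=SAMPLES):
    r"""Check the claim /^\t/s == /\A\t/m == /\A\t/ on every sample."""
    return all(
        tab_in_from(v, RULE_S) == tab_in_from(v, RULE_A) == tab_in_from(v, RULE_AM)
        for v in samples.values()
    )


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:16s} /m={hits['m']}  /s={hits['s']}  A={hits['A']}")
    print("all /s and \\A variants agree:", equivalent())
```

Only the /m variant hits the folded sample, which is exactly the kind of legitimate mail a tightened rule should leave alone; the /s and \A forms agree on every input.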
Re: [SA] sneaky pharma spam shooting past standard rules
Posted by Henrik K <he...@hege.li>.
On Thu, Oct 15, 2009 at 03:43:52PM -0400, Adam Katz wrote:
>
> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header MC_TAB_IN_FROM From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM From: Contains a tab
> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
You missed the important post:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3C200908222035.57647.Mark.Martinec+sa@ijs.si%3E
Re: [SA] sneaky pharma spam shooting past standard rules
Posted by Benny Pedersen <me...@junc.org>.
On Thu 15 Oct 2009 09:43:52 PM CEST, Adam Katz wrote
> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header MC_TAB_IN_FROM From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM From: Contains a tab
> score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2
also tab on date
maybe meta both so
--
xpoint