Posted to users@spamassassin.apache.org by Beast <be...@ldap.or.id> on 2006/07/31 07:03:38 UTC

spam not detected

I have implemented site-wide SA and it works pretty well except for this
kind of spam.
The postmaster account has been receiving many spams, and they are not being
blocked by SA. I have manually fed SA hundreds of similar spams to learn
from, but it is still not able to catch up.

spamassassin --lint -D
...
[26113] dbg: bayes: corpus size: nspam = 31488, nham = 6671

----
*X-Spam-Status:* No, score=3.8 required=5.2 tests=BAYES_99,FORGED_RCVD_HELO,
     HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4
---
Content-Transfer-Encoding: quoted-printable

=20
CAjRTIER
TIjFFANY & CO
BVjLGARI
OMjEGA
ROjLEX
PAjTEK
BRjEITLING
=20


---


Re: spam not detected

Posted by Logan Shaw <ls...@emitinc.com>.
On Mon, 31 Jul 2006, Beast wrote:
> I have implemented site-wide SA and it works pretty well except for this
> kind of spam.
> The postmaster account has been receiving many spams, and they are not being
> blocked by SA. I have manually fed SA hundreds of similar spams to learn
> from, but it is still not able to catch up.

> ----
> *X-Spam-Status:* No, score=3.8 required=5.2 tests=BAYES_99,FORGED_RCVD_HELO,
>    HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4
> ---
> Content-Transfer-Encoding: quoted-printable

> CAjRTIER
> TIjFFANY & CO
> BVjLGARI
> OMjEGA
> ROjLEX
> PAjTEK
> BRjEITLING

As your score summary indicates, the message is already
receiving a BAYES_99 result from the Bayes test.  That means
that Bayes is already quite confident that this message
is spam.  The Bayes training you have done has worked, and no
further training would have increased the Bayes score for this
particular message.  However, Bayes by itself is not sufficient
to mark a message as spam.

I have seen quite a number of similar spams lately to the ones
you describe, and mine are hitting all kinds of network tests.
This includes both dcc and razor2 and also various sender IP
blacklists and URI blacklists.  Because of the network tests,
the last 4 spams of this type that I've gotten have scored in
the range of 20 to 27:

 	score=20.117, required 6, autolearn=spam, BAYES_99 3.50,
 	DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, HTML_MESSAGE 0.00,
 	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
 	RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL
 	3.90, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64

 	score=24.244, required 6, autolearn=spam, BAYES_99 3.50,
 	DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO
 	0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
 	RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50,
 	RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_NJABL_DUL 1.95,
 	RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, URIBL_JP_SURBL
 	4.09, URIBL_SBL 1.64

 	score=23.287, required 6, autolearn=spam, BAYES_99 3.50,
 	DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO
 	0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
 	RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50,
 	RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05,
 	URIBL_JP_SURBL 4.09, URIBL_SBL 1.64, URIBL_SC_SURBL 4.50

 	score=26.796, required 6, autolearn=spam, BAYES_99 3.50,
 	DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO
 	0.14, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
 	RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50,
 	RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_DUL 2.05,
 	RCVD_IN_XBL 3.90, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64,

So, I'd say one fairly effective way of dealing with these
spams is to make sure you have plenty of network tests enabled.

    - Logan

Re: spam not detected

Posted by Obantec Support <su...@obantec.net>.
----- Original Message ----- 
From: "Beast" <be...@ldap.or.id>
Cc: <us...@spamassassin.apache.org>
Sent: Monday, July 31, 2006 9:08 AM
Subject: Re: spam not detected


> Loren Wilton wrote:
> >>
> >> *X-Spam-Status:* No, score=3.8 required=5.2
> >> tests=BAYES_99,FORGED_RCVD_HELO,
> >>     HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4
> >
> > Bayes is doing fine.  You can't get much better than Bayes_99 as a
> > spam indicator.
> >
> > On the other hand, having Bayes_99 and three other positive rules only
> > sum to 3.8 seems a little strange.  On a modern SA Bayes_99 should be
> > scoring up around 4.5 I believe.  So you must have local rule scores
> > that are decreasing that score.  I'd suggest considering taking
> > bayes_90 and Bayes_99 back to about their default scores.
> Is there any way to check whether some rules are overriding the default value?
>
> >> CAjRTIER
> >> TIjFFANY & CO
> >> BVjLGARI
> >> OMjEGA
> >> ROjLEX
> >> PAjTEK
> >> BRjEITLING
> >
> > You obviously aren't running network tests.  These little puppies hit
> > on SURBL just fine, unless you are one of the unlucky few that are
> > just at the leading edge of a spam run. The net tests would probably
> > stop these all by themselves.
> I have bandwidth constraints, so doing network tests would just slow
> things down. In fact, many network tests (DNSBL etc.) are done in Postfix.
> >
> > I haven't checked to see if we have a handful of SARE rules for these
> > particular things.  But I'm a little surprised that at least a few
> > SARE rules don't show up.  This makes me think you may not have any
> > add-on rulesets either.  You might consider adding some, or maybe even
> > quite a few if there is a good reason you aren't running network
> > tests. www.rulesemporium.com.
> Any suggestion how to block this kind of spam?
>
> [root@blowfish spamassassin]# ls -l /etc/mail/spamassassin/
> total 1520
> -rw-r--r--  1 root root  31854 Jun  1  2004 70_sare_adult.cf
> -rw-r--r--  1 root root   3839 Jun  2  2005 70_sare_bayes_poison_nxm.cf
> -rw-r--r--  1 root root 120154 Sep 23  2005 70_sare_header0.cf
> -rw-r--r--  1 root root 137436 Sep 23  2005 70_sare_header1.cf
> -rw-r--r--  1 root root  59037 Sep 23  2005 70_sare_header2.cf
> -rw-r--r--  1 root root  80967 Sep 23  2005 70_sare_header3.cf
> -rw-r--r--  1 root root 224440 Sep 23  2005 70_sare_header.cf
> -rw-r--r--  1 root root  95279 Oct  6  2005 70_sare_html.cf
> -rw-r--r--  1 root root  58118 Sep 23  2005 70_sare_obfu0.cf
> -rw-r--r--  1 root root  97771 Sep 23  2005 70_sare_obfu1.cf
> -rw-r--r--  1 root root   3547 Sep 23  2005 70_sare_obfu2.cf
> -rw-r--r--  1 root root   9163 Sep 23  2005 70_sare_obfu3.cf
> -rw-r--r--  1 root root   4900 Oct  2  2005 70_sare_obfu4.cf
> -rw-r--r--  1 root root 155889 Sep 23  2005 70_sare_obfu.cf
> -rw-r--r--  1 root root  11298 Sep 23  2005 70_sare_oem.cf
> -rw-r--r--  1 root root  17656 Sep 23  2005 70_sare_random.cf
> -rw-r--r--  1 root root  59281 Sep 23  2005 70_sare_specific.cf
> -rw-r--r--  1 root root   7029 May 27  2005 70_sare_spoof.cf
> -rw-r--r--  1 root root   5172 Jul 30  2004 70_sare_unsub.cf
> -rw-r--r--  1 root root  15511 Nov 17  2004 72_sare_redirect_post3.0.0.cf
> -rw-r--r--  1 root root  10147 May  2  2004 99_sare_fraud_post25x.cf
> -rw-r--r--  1 root root 109810 Jun 22  2005 bogus-virus-warnings.cf
> -rw-r--r--  1 root root    935 May  2  2005 init.pre
> -rw-r--r--  1 root root  12326 Jul 28 13:10 local.cf
> -rw-r--r--  1 root root   2397 Sep 22  2005 v310.pre
> -rw-r--r--  1 root root    806 Jun 15 16:47 v312.pre

Hi

Just ran through your list of rules and I see

"No index found for ruleset named SARE_OBFU4.  Check that this ruleset is
still valid."

and do you need SARE_OBFU when you also have SARE_OBFU0 & SARE_OBFU1?

Mark


Re: spam not detected

Posted by Beast <be...@ldap.or.id>.
Loren Wilton wrote:
>>
>> *X-Spam-Status:* No, score=3.8 required=5.2 
>> tests=BAYES_99,FORGED_RCVD_HELO,
>>     HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4
>
> Bayes is doing fine.  You can't get much better than Bayes_99 as a 
> spam indicator.
>
> On the other hand, having Bayes_99 and three other positive rules only 
> sum to 3.8 seems a little strange.  On a modern SA Bayes_99 should be 
> scoring up around 4.5 I believe.  So you must have local rule scores 
> that are decreasing that score.  I'd suggest considering taking 
> bayes_90 and Bayes_99 back to about their default scores.
Is there any way to check whether some rules are overriding the default value?

>> CAjRTIER
>> TIjFFANY & CO
>> BVjLGARI
>> OMjEGA
>> ROjLEX
>> PAjTEK
>> BRjEITLING
>
> You obviously aren't running network tests.  These little puppies hit 
> on SURBL just fine, unless you are one of the unlucky few that are 
> just at the leading edge of a spam run. The net tests would probably 
> stop these all by themselves.
I have bandwidth constraints, so doing network tests would just slow
things down. In fact, many network tests (DNSBL etc.) are done in Postfix.
>
> I haven't checked to see if we have a handful of SARE rules for these 
> particular things.  But I'm a little surprised that at least a few 
> SARE rules don't show up.  This makes me think you may not have any 
> add-on rulesets either.  You might consider adding some, or maybe even 
> quite a few if there is a good reason you aren't running network 
> tests. www.rulesemporium.com.
Any suggestion how to block this kind of spam?

[root@blowfish spamassassin]# ls -l /etc/mail/spamassassin/
total 1520
-rw-r--r--  1 root root  31854 Jun  1  2004 70_sare_adult.cf
-rw-r--r--  1 root root   3839 Jun  2  2005 70_sare_bayes_poison_nxm.cf
-rw-r--r--  1 root root 120154 Sep 23  2005 70_sare_header0.cf
-rw-r--r--  1 root root 137436 Sep 23  2005 70_sare_header1.cf
-rw-r--r--  1 root root  59037 Sep 23  2005 70_sare_header2.cf
-rw-r--r--  1 root root  80967 Sep 23  2005 70_sare_header3.cf
-rw-r--r--  1 root root 224440 Sep 23  2005 70_sare_header.cf
-rw-r--r--  1 root root  95279 Oct  6  2005 70_sare_html.cf
-rw-r--r--  1 root root  58118 Sep 23  2005 70_sare_obfu0.cf
-rw-r--r--  1 root root  97771 Sep 23  2005 70_sare_obfu1.cf
-rw-r--r--  1 root root   3547 Sep 23  2005 70_sare_obfu2.cf
-rw-r--r--  1 root root   9163 Sep 23  2005 70_sare_obfu3.cf
-rw-r--r--  1 root root   4900 Oct  2  2005 70_sare_obfu4.cf
-rw-r--r--  1 root root 155889 Sep 23  2005 70_sare_obfu.cf
-rw-r--r--  1 root root  11298 Sep 23  2005 70_sare_oem.cf
-rw-r--r--  1 root root  17656 Sep 23  2005 70_sare_random.cf
-rw-r--r--  1 root root  59281 Sep 23  2005 70_sare_specific.cf
-rw-r--r--  1 root root   7029 May 27  2005 70_sare_spoof.cf
-rw-r--r--  1 root root   5172 Jul 30  2004 70_sare_unsub.cf
-rw-r--r--  1 root root  15511 Nov 17  2004 72_sare_redirect_post3.0.0.cf
-rw-r--r--  1 root root  10147 May  2  2004 99_sare_fraud_post25x.cf
-rw-r--r--  1 root root 109810 Jun 22  2005 bogus-virus-warnings.cf
-rw-r--r--  1 root root    935 May  2  2005 init.pre
-rw-r--r--  1 root root  12326 Jul 28 13:10 local.cf
-rw-r--r--  1 root root   2397 Sep 22  2005 v310.pre
-rw-r--r--  1 root root    806 Jun 15 16:47 v312.pre
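As an added example (not part of this thread or of SpamAssassin itself), a small script that answers the "which rule is overriding the default score" question above by tracing every `score` directive for a rule across the config files in the order SA reads them. It assumes SA's documented conventions: files in a config directory are read in lexical order, a later file wins, and with Bayes on and network tests off the third value of a four-score line (score set 2) applies; the sample `.cf` contents and values below are constructed, not the real distribution or the poster's files.

```python
import re

# SpamAssassin's `score` directive: score RULE n.nn [n.nn n.nn n.nn]
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+((?:-?\d+(?:\.\d+)?\s*){1,4})$")

def parse_scores(text):
    """Return {rule: [scores]} for every score directive in one .cf file."""
    out = {}
    for line in text.splitlines():
        m = SCORE_RE.match(line.split("#", 1)[0].rstrip())  # drop comments
        if m:
            out[m.group(1)] = [float(x) for x in m.group(2).split()]
    return out

def effective_score(scores, bayes=True, net=False):
    """Pick the score set SA uses: 0 = neither, 1 = net only,
    2 = bayes only, 3 = both.  A single value applies to every set."""
    if len(scores) == 1:
        return scores[0]
    return scores[(2 if bayes else 0) + (1 if net else 0)]

def trace_scores(files, rules, bayes=True, net=False):
    """files: (name, text) pairs, read in lexical order of name like SA does
    within a config directory, so a later file overrides an earlier one.
    Returns {rule: [(file, effective_score), ...]}; the last entry wins."""
    history = {r: [] for r in rules}
    for name, text in sorted(files):
        for rule, scores in parse_scores(text).items():
            if rule in history:
                history[rule].append((name, effective_score(scores, bayes, net)))
    return history

def overridden(history):
    """Rules whose final score differs from the first one set (the default)."""
    return {r: (h[0][1], h[-1][1]) for r, h in history.items()
            if len(h) > 1 and h[0][1] != h[-1][1]}

# Constructed sample files (assumed values, not the shipped 50_scores.cf).
SAMPLE_FILES = [
    ("50_scores.cf", "score BAYES_90 0 0 2.500 2.500\n"
                     "score BAYES_99 0 0 3.500 3.500\n"
                     "score HTML_MESSAGE 0.001\n"),
    ("local.cf", "required_score 5.2\n"
                 "score BAYES_99 1.0   # local override\n"
                 "score BAYES_90 0.5\n"),
]

if __name__ == "__main__":
    hist = trace_scores(SAMPLE_FILES, ["BAYES_90", "BAYES_99", "HTML_MESSAGE"])
    for rule, (default, final) in overridden(hist).items():
        print(f"{rule}: default {default} -> effective {final} "
              f"(last set in {hist[rule][-1][0]})")
```

To run it against a real installation, read the distribution rules directory and the site directory into the `files` list in that order; the report then names the file that last touched BAYES_90 or BAYES_99.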


Re: spam not detected

Posted by Loren Wilton <lw...@earthlink.net>.
> The postmaster account has been receiving many spams, and they are not being
> blocked by SA. I have manually fed SA hundreds of similar spams to learn
> from, but it is still not able to catch up.
>
> ----
> *X-Spam-Status:* No, score=3.8 required=5.2 
> tests=BAYES_99,FORGED_RCVD_HELO,
>     HTML_50_60,HTML_MESSAGE autolearn=disabled version=3.1.4

Bayes is doing fine.  You can't get much better than Bayes_99 as a spam 
indicator.

On the other hand, having Bayes_99 and three other positive rules only sum 
to 3.8 seems a little strange.  On a modern SA Bayes_99 should be scoring up 
around 4.5 I believe.  So you must have local rule scores that are 
decreasing that score.  I'd suggest considering taking bayes_90 and Bayes_99 
back to about their default scores.

> CAjRTIER
> TIjFFANY & CO
> BVjLGARI
> OMjEGA
> ROjLEX
> PAjTEK
> BRjEITLING

You obviously aren't running network tests.  These little puppies hit on 
SURBL just fine, unless you are one of the unlucky few that are just at the 
leading edge of a spam run. The net tests would probably stop these all by 
themselves.

I haven't checked to see if we have a handful of SARE rules for these 
particular things.  But I'm a little surprised that at least a few SARE 
rules don't show up.  This makes me think you may not have any add-on 
rulesets either.  You might consider adding some, or maybe even quite a few 
if there is a good reason you aren't running network tests. 
www.rulesemporium.com.

        Loren