Posted to users@spamassassin.apache.org by Anton Krall <ak...@intruder.com.mx> on 2005/08/19 16:36:39 UTC

Sudden Increase in Spam Mails

Guys.

Is it just me or has spam increased for the past few days? It's like amavis
and SA are not catching a lot anymore...

Any ideas?


Re: Sudden Increase in Spam Mails

Posted by jdow <jd...@earthlink.net>.
From: "Loren Wilton" <lw...@earthlink.net>

>> Is it just me or has spam increased for the past few days? It's like amavis
>> and SA are not catching a lot anymore...
>
> Haven't seen it here, but that doesn't mean a whole lot.  Different people
> seem to get different kinds of spam.

Actually in the last two to four days caught spam has jumped by about
50%. This has sort of surprised me a little.

It seemed to dip dramatically for a week after the Russian was killed.
It also dipped some after $7 million was pulled from a pocket. And it
was down until just this week when it's been climbing about 10% to 15%
per day as if a new spam organization is up or there is a huge spate of
new zombie machines.

{^_^} 



Re: Sudden Increase in Spam Mails

Posted by Loren Wilton <lw...@earthlink.net>.
> Is it just me or has spam increased for the past few days? It's like amavis
> and SA are not catching a lot anymore...

Haven't seen it here, but that doesn't mean a whole lot.  Different people
seem to get different kinds of spam.

        Loren


Re: Sudden Increase in Spam Mails

Posted by jdow <jd...@earthlink.net>.
You need to set up your trusted networks properly. Visit the wiki in this
regard. Look for trusted_networks and internal_networks.

I had to set mine something like...
trusted_networks 192.168/16 127/8 207.217.121/24
internal_networks 192.168/16

207.217.121/24 is the address for the Earthlink pop3 servers I use.

{^_^}
----- Original Message ----- 
From: "Anton Krall" <ak...@intruder.com.mx>
To: "'jdow'" <jd...@earthlink.net>; <us...@spamassassin.apache.org>
Sent: 2005 August, 20, Saturday 02:14
Subject: RE: Sudden Increase in Spam Mails


> This is weird.. I don't know if it has something to do with the problem but
> since Aug 12, I don't see any SURBL hits on maillog anymore...
>
> Has anything changed?
>
> Here is my SURBL ruleset, I just updated to Mail::SpamAssassin 3.0.4
>
> [root@server spamassassin]# cat 25_uribl.cf
> # SpamAssassin - URIDNSBL rules
> #
> # Please don't modify this file as your changes will be overwritten with
> # the next update. Use /etc/mail/spamassassin/local.cf instead.
> # See 'perldoc Mail::SpamAssassin::Conf' for details.
> #
> # <@LICENSE>
> # Copyright 2004 Apache Software Foundation
> #
> # Licensed under the Apache License, Version 2.0 (the "License");
> # you may not use this file except in compliance with the License.
> # You may obtain a copy of the License at
> #
> #     http://www.apache.org/licenses/LICENSE-2.0
> #
> # Unless required by applicable law or agreed to in writing, software
> # distributed under the License is distributed on an "AS IS" BASIS,
> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> # See the License for the specific language governing permissions and
> # limitations under the License.
> # </@LICENSE>
> #
> ###########################################################################
>
> # Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
> # Note that this plugin defines a new config setting, 'uridnsbl',
> # which lists the zones to look up in advance.  The rules will
> # not hit unless each rule has a corresponding 'uridnsbl' line.
>
> ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> # URI-DNSBL lookups can take a *maximum* of this many seconds past the
> # normal DNSBL lookups.
> uridnsbl_timeout        2
>
> uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
> body            URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
> describe        URIBL_SBL       Contains an URL listed in the SBL blocklist
> tflags          URIBL_SBL       net
>
> urirhssub       URIBL_SC_SURBL  multi.surbl.org.        A   2
> body            URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
> describe        URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
> tflags          URIBL_SC_SURBL  net
>
> urirhssub       URIBL_WS_SURBL  multi.surbl.org.        A   4
> body            URIBL_WS_SURBL  eval:check_uridnsbl('URIBL_WS_SURBL')
> describe        URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
> tflags          URIBL_WS_SURBL  net
>
> urirhssub       URIBL_PH_SURBL  multi.surbl.org.        A   8
> body            URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
> describe        URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
> tflags          URIBL_PH_SURBL  net
>
> urirhssub       URIBL_OB_SURBL  multi.surbl.org.        A   16
> body            URIBL_OB_SURBL  eval:check_uridnsbl('URIBL_OB_SURBL')
> describe        URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
> tflags          URIBL_OB_SURBL  net
>
> urirhssub       URIBL_AB_SURBL  multi.surbl.org.        A   32
> body            URIBL_AB_SURBL  eval:check_uridnsbl('URIBL_AB_SURBL')
> describe        URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
> tflags          URIBL_AB_SURBL  net
>
> urirhssub       URIBL_JP_SURBL  multi.surbl.org.        A   64
> body            URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
> describe        URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
> tflags          URIBL_JP_SURBL  net
>
> # Top 125 domains whitelisted by SURBL
> uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
> uridnsbl_skip_domain hotmail.com doubleclick.net flowgo.com ebaystatic.com aol.com
> uridnsbl_skip_domain akamai.net yahoogroups.com ebay.com classmates.com akamaitech.net
> uridnsbl_skip_domain incredimail.com tiscali.co.uk google.com chtah.com ediets.com
> uridnsbl_skip_domain directtrack.com microsoft.com paypal.com jexiste.fr amazon.com
> uridnsbl_skip_domain nytimes.com unitedoffers.com sitesolutions.it m0.net hyperpc.co.jp
> uridnsbl_skip_domain terra.com.br macromedia.com ed10.net earthlink.net citibank.com
> uridnsbl_skip_domain sourceforge.net marketwatch.com comcast.net messagelabs.com mcafee.com
> uridnsbl_skip_domain grisoft.com geocities.com yourfreedvds.com smileycentral.com ual.com
> uridnsbl_skip_domain monster.com e-trend.co.jp cnn.com cnet.com bfi0.com
> uridnsbl_skip_domain atdmt.com sportsline.com rs6.net rr.com redhat.com
> uridnsbl_skip_domain partner2profit.com joingevalia.com hotbar.com advertising.com topica.com
> uridnsbl_skip_domain rm04.net ed4.net dsbl.org extm.us edgesuite.net
> uridnsbl_skip_domain debian.org click-url.com bbc.co.uk adobe.com gte.net
> uridnsbl_skip_domain go.com weatherbug.com speedera.net sbcglobal.net ientrymail.com
> uridnsbl_skip_domain ibm.com att.net apple.com 5iantlavalamp.com verizon.net
> uridnsbl_skip_domain plaxo.com pandasoftware.com p0.com mediaplex.com gmail.com
> uridnsbl_skip_domain exacttarget.com constantcontact.com sf.net roving.com netflix.com
> uridnsbl_skip_domain moveon.org cc-dt.com xmr3.com spamcop.net postdirect.com
> uridnsbl_skip_domain norman.com netatlantic.com mail.com investorplace.com hitbox.com
> uridnsbl_skip_domain citizensbank.com chase.com bridgetrack.com apache.org washingtonpost.com
> uridnsbl_skip_domain si.com shockwave.com sears.com quickinspirations.com prserv.net
> uridnsbl_skip_domain mac.com myweathercheck.com dsi-enews.net cheaptickets.com bravenet.com
> uridnsbl_skip_domain arcamax.com afa.net 4at1.com yahoo.co.uk uclick.com
> uridnsbl_skip_domain suntrust.com sun.com ups.com pcmag.com mycomicspage.com
>
> endif   # Mail::SpamAssassin::Plugin::URIDNSBL
>
> Why did it suddenly stop showing SURBL hits?
>
>
>
>
>
> |-----Original Message-----
> |From: jdow [mailto:jdow@earthlink.net]
> |Sent: Viernes, 19 de Agosto de 2005 05:21 p.m.
> |To: users@spamassassin.apache.org
> |Subject: Re: Sudden Increase in Spam Mails
> |
> |SURBL, tweaked scores for image only, and some custom
> |recipient rules have kept it to virtually zero here.
> |{^_^}
> |----- Original Message -----
> |From: "Bruno S. Delbono" <Br...@mail.ac>
> |To: "Anton Krall" <ak...@intruder.com.mx>;
> |<us...@spamassassin.apache.org>
> |Sent: 2005 August, 19, Friday 11:37
> |Subject: Re: Sudden Increase in Spam Mails
> |
> |
> |> Anton Krall wrote:
> |>> I'm getting very low scores.. Spam emails are passing thru,
> |>> containing just
> |>> 1 big jpg inside or text with one html link... These spam could
> |>> easily be confused with normal email... Which files would I
> |>> need to post here?
> |>
> |> - The mail with full content headers + sa score
> |> - SA version
> |> - OS
> |> - Bayes if any
> |> - spamassassin --lint -D
> |> - Setup of mailserver
> |
> |
> | 
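
An added example, not part of the original message or of SpamAssassin: it expands the shorthand network entries from the reply above and reports whether a relay address would be covered by internal_networks, by trusted_networks only, or by neither. The sample relay addresses are constructed, and the helper names are hypothetical.

```python
import ipaddress

# The two settings exactly as given in the reply above.
CONF = """\
trusted_networks 192.168/16 127/8 207.217.121/24
internal_networks 192.168/16
"""

def expand(spec):
    """Expand shorthand such as '192.168/16' to a full IPv4 network."""
    addr, _, bits = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not bits:
        # Only a complete host address is accepted without a mask length here.
        if len(octets) != 4:
            raise ValueError(f"no mask length on partial address: {spec}")
        bits = "32"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)

def parse(conf):
    """Collect the networks listed on each of the two settings."""
    nets = {"trusted_networks": [], "internal_networks": []}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in nets:
            nets[fields[0]].extend(expand(f) for f in fields[1:])
    return nets

def classify(ip, nets):
    """Return 'internal', 'trusted' or 'untrusted' for one relay address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in nets["internal_networks"]):
        return "internal"
    if any(addr in n for n in nets["trusted_networks"]):
        return "trusted"
    return "untrusted"

def internal_not_trusted(nets):
    """Internal entries not covered by any trusted entry (worth reviewing)."""
    return [str(i) for i in nets["internal_networks"]
            if not any(i.subnet_of(t) for t in nets["trusted_networks"])]

if __name__ == "__main__":
    nets = parse(CONF)
    # Constructed sample relay addresses.
    for ip in ("192.168.1.10", "207.217.121.40", "203.0.113.7"):
        print(ip, classify(ip, nets))
    print("internal but not trusted:", internal_not_trusted(nets))
```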



RE: Sudden Increase in Spam Mails

Posted by Anton Krall <ak...@intruder.com.mx>.
This is weird.. I don't know if it has something to do with the problem but
since Aug 12, I don't see any SURBL hits on maillog anymore... 

Has anything changed?

Here is my SURBL ruleset, I just updated to Mail::SpamAssassin 3.0.4

[root@server spamassassin]# cat 25_uribl.cf
# SpamAssassin - URIDNSBL rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Copyright 2004 Apache Software Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
# Note that this plugin defines a new config setting, 'uridnsbl',
# which lists the zones to look up in advance.  The rules will
# not hit unless each rule has a corresponding 'uridnsbl' line.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

# URI-DNSBL lookups can take a *maximum* of this many seconds past the
# normal DNSBL lookups.
uridnsbl_timeout        2

uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
body            URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
describe        URIBL_SBL       Contains an URL listed in the SBL blocklist
tflags          URIBL_SBL       net

urirhssub       URIBL_SC_SURBL  multi.surbl.org.        A   2
body            URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
describe        URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
tflags          URIBL_SC_SURBL  net

urirhssub       URIBL_WS_SURBL  multi.surbl.org.        A   4
body            URIBL_WS_SURBL  eval:check_uridnsbl('URIBL_WS_SURBL')
describe        URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
tflags          URIBL_WS_SURBL  net

urirhssub       URIBL_PH_SURBL  multi.surbl.org.        A   8
body            URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
describe        URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
tflags          URIBL_PH_SURBL  net

urirhssub       URIBL_OB_SURBL  multi.surbl.org.        A   16
body            URIBL_OB_SURBL  eval:check_uridnsbl('URIBL_OB_SURBL')
describe        URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
tflags          URIBL_OB_SURBL  net

urirhssub       URIBL_AB_SURBL  multi.surbl.org.        A   32
body            URIBL_AB_SURBL  eval:check_uridnsbl('URIBL_AB_SURBL')
describe        URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
tflags          URIBL_AB_SURBL  net

urirhssub       URIBL_JP_SURBL  multi.surbl.org.        A   64
body            URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe        URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
tflags          URIBL_JP_SURBL  net

# Top 125 domains whitelisted by SURBL
uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
uridnsbl_skip_domain hotmail.com doubleclick.net flowgo.com ebaystatic.com aol.com
uridnsbl_skip_domain akamai.net yahoogroups.com ebay.com classmates.com akamaitech.net
uridnsbl_skip_domain incredimail.com tiscali.co.uk google.com chtah.com ediets.com
uridnsbl_skip_domain directtrack.com microsoft.com paypal.com jexiste.fr amazon.com
uridnsbl_skip_domain nytimes.com unitedoffers.com sitesolutions.it m0.net hyperpc.co.jp
uridnsbl_skip_domain terra.com.br macromedia.com ed10.net earthlink.net citibank.com
uridnsbl_skip_domain sourceforge.net marketwatch.com comcast.net messagelabs.com mcafee.com
uridnsbl_skip_domain grisoft.com geocities.com yourfreedvds.com smileycentral.com ual.com
uridnsbl_skip_domain monster.com e-trend.co.jp cnn.com cnet.com bfi0.com
uridnsbl_skip_domain atdmt.com sportsline.com rs6.net rr.com redhat.com
uridnsbl_skip_domain partner2profit.com joingevalia.com hotbar.com advertising.com topica.com
uridnsbl_skip_domain rm04.net ed4.net dsbl.org extm.us edgesuite.net
uridnsbl_skip_domain debian.org click-url.com bbc.co.uk adobe.com gte.net
uridnsbl_skip_domain go.com weatherbug.com speedera.net sbcglobal.net ientrymail.com
uridnsbl_skip_domain ibm.com att.net apple.com 5iantlavalamp.com verizon.net
uridnsbl_skip_domain plaxo.com pandasoftware.com p0.com mediaplex.com gmail.com
uridnsbl_skip_domain exacttarget.com constantcontact.com sf.net roving.com netflix.com
uridnsbl_skip_domain moveon.org cc-dt.com xmr3.com spamcop.net postdirect.com
uridnsbl_skip_domain norman.com netatlantic.com mail.com investorplace.com hitbox.com
uridnsbl_skip_domain citizensbank.com chase.com bridgetrack.com apache.org washingtonpost.com
uridnsbl_skip_domain si.com shockwave.com sears.com quickinspirations.com prserv.net
uridnsbl_skip_domain mac.com myweathercheck.com dsi-enews.net cheaptickets.com bravenet.com
uridnsbl_skip_domain arcamax.com afa.net 4at1.com yahoo.co.uk uclick.com
uridnsbl_skip_domain suntrust.com sun.com ups.com pcmag.com mycomicspage.com

endif   # Mail::SpamAssassin::Plugin::URIDNSBL

Why did it suddenly stop showing SURBL hits?



 

|-----Original Message-----
|From: jdow [mailto:jdow@earthlink.net] 
|Sent: Viernes, 19 de Agosto de 2005 05:21 p.m.
|To: users@spamassassin.apache.org
|Subject: Re: Sudden Increase in Spam Mails
|
|SURBL, tweaked scores for image only, and some custom 
|recipient rules have kept it to virtually zero here.
|{^_^}
|----- Original Message -----
|From: "Bruno S. Delbono" <Br...@mail.ac>
|To: "Anton Krall" <ak...@intruder.com.mx>; 
|<us...@spamassassin.apache.org>
|Sent: 2005 August, 19, Friday 11:37
|Subject: Re: Sudden Increase in Spam Mails
|
|
|> Anton Krall wrote:
|>> I'm getting very low scores.. Spam emails are passing thru,
|>> containing just
|>> 1 big jpg inside or text with one html link... These spam could
|>> easily be confused with normal email... Which files would I
|>> need to post here?
|>
|> - The mail with full content headers + sa score
|> - SA version
|> - OS
|> - Bayes if any
|> - spamassassin --lint -D
|> - Setup of mailserver
|
|
|
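
An added example, not part of the original message or of SpamAssassin: it parses the urirhssub lines from the 25_uribl.cf posted above and shows which rules a given multi.surbl.org answer would trigger, which helps when checking by hand whether lookups still return list data. It assumes list answers are 127.0.0.x addresses carrying the flags in the last octet; the sample answers and helper names are constructed.

```python
import ipaddress

# urirhssub lines copied from the 25_uribl.cf posted above.
RULES_CF = """\
urirhssub       URIBL_SC_SURBL  multi.surbl.org.        A   2
urirhssub       URIBL_WS_SURBL  multi.surbl.org.        A   4
urirhssub       URIBL_PH_SURBL  multi.surbl.org.        A   8
urirhssub       URIBL_OB_SURBL  multi.surbl.org.        A   16
urirhssub       URIBL_AB_SURBL  multi.surbl.org.        A   32
urirhssub       URIBL_JP_SURBL  multi.surbl.org.        A   64
"""

def parse_urirhssub(cf):
    """Return (rule, zone, record_type, bitmask) for each bitmask urirhssub line."""
    rules = []
    for line in cf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 5 and f[0] == "urirhssub" and f[4].isdigit():
            rules.append((f[1], f[2].rstrip("."), f[3], int(f[4])))
    return rules

def query_name(domain, zone="multi.surbl.org"):
    """Name that is looked up for a domain found in a message URI."""
    return f"{domain}.{zone}"

def rules_hit(answer, rules, zone="multi.surbl.org"):
    """Rules triggered by one A-record answer; None stands for no answer."""
    if answer is None:
        return []
    ip = ipaddress.ip_address(answer)
    if ip not in ipaddress.ip_network("127.0.0.0/8"):
        return []  # assumption: anything outside 127/8 is not list data
    flags = int(ip) & 0xFF  # assumption: flags live in the last octet
    return [name for name, z, _type, mask in rules if z == zone and flags & mask]

if __name__ == "__main__":
    rules = parse_urirhssub(RULES_CF)
    print(query_name("example.com"))
    # Constructed sample answers, not real lookup results.
    for answer in ("127.0.0.6", "127.0.0.64", "203.0.113.10", None):
        print(answer, rules_hit(answer, rules))
```

If every URI domain in known spam comes back with an empty list here, the lookups are returning no list data and none of the SURBL rules can fire.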


Re: Sudden Increase in Spam Mails

Posted by jdow <jd...@earthlink.net>.
SURBL, tweaked scores for image only, and some custom recipient rules
have kept it to virtually zero here.
{^_^}
----- Original Message ----- 
From: "Bruno S. Delbono" <Br...@mail.ac>
To: "Anton Krall" <ak...@intruder.com.mx>; 
<us...@spamassassin.apache.org>
Sent: 2005 August, 19, Friday 11:37
Subject: Re: Sudden Increase in Spam Mails


> Anton Krall wrote:
>> I'm getting very low scores.. Spam emails are passing thru, containing just
>> 1 big jpg inside or text with one html link... These spam could easily be
>> confused with normal email... Which files would I need to post here?
>
> - The mail with full content headers + sa score
> - SA version
> - OS
> - Bayes if any
> - spamassassin --lint -D
> - Setup of mailserver 



Re: Sudden Increase in Spam Mails

Posted by "Bruno S. Delbono" <Br...@mail.ac>.
Anton Krall wrote:
> I'm getting very low scores.. Spam emails are passing thru, containing just
> 1 big jpg inside or text with one html link... These spam could easily be
> confused with normal email... 
> 
> Which files would I need to post here? 

- The mail with full content headers + sa score
- SA version
- OS
- Bayes if any
- spamassassin --lint -D
- Setup of mailserver

RE: Sudden Increase in Spam Mails

Posted by Anton Krall <ak...@intruder.com.mx>.
I'm getting very low scores.. Spam emails are passing thru, containing just
1 big jpg inside or text with one html link... These spam could easily be
confused with normal email... 

Which files would I need to post here? 

|-----Original Message-----
|From: Matthias Fuhrmann 
|[mailto:Matthias.Fuhrmann@stud.uni-hannover.de] 
|Sent: Viernes, 19 de Agosto de 2005 12:10 p.m.
|To: users@spamassassin.apache.org
|Subject: Re: Sudden Increase in Spam Mails
|
|On Fri, 19 Aug 2005, Anton Krall wrote:
|
|> Guys.
|>
|> Is it just me or has spam increased for the past few days? It's like
|> amavis and SA are not catching a lot anymore...
|>
|> Any ideas?
|
|does it mean, there are no tags set in the header of emails, 
|or just low scorings?
|no tags means, there were timeouts due to busy cpu or other
|problems. if you post your setup, i guess, people here can help you.
|
|regards,
|Matthias
|
|


Re: Sudden Increase in Spam Mails

Posted by Matthias Fuhrmann <Ma...@stud.uni-hannover.de>.
On Fri, 19 Aug 2005, Anton Krall wrote:

> Guys.
>
> Is it just me or has spam increased for the past few days? It's like amavis
> and SA are not catching a lot anymore...
>
> Any ideas?

does it mean, there are no tags set in the header of emails, or just low
scorings?
no tags means, there were timeouts due to busy cpu or other problems. if
you post your setup, i guess, people here can help you.

regards,
Matthias