Posted to users@spamassassin.apache.org by James Robertson <j...@mesrobertson.com> on 2008/08/26 07:10:47 UTC

Help with Junk from Hotmail and Yahoo's Servers

I'm having an increased amount of junk getting through due to it coming 
from Hotmail and Yahoo's servers which makes any type of pre-filter 
stuff like RBL's, Greylisting, Sender Verification useless which leaves 
me to rely on Spamassassin.  I cannot block hotmail and Yahoo (although 
I would like to personally) as our users receive valid email from them.

I have emailed their abuse but it seems more like a blackhole.

I was advised by the Postfix mailing lists to see if anyone here can 
help me out.

Important Note:  I am planning on upgrading the Spam Gateway we are 
operating to utilise Maia Mailguard and therefore allow easier training 
of the spam filter which will hopefully help in fixing the problem 
anyway but was wondering if anyone has some tips on how to kill this junk.

I have added higher scores such as "score DRUGS_ERECTILE 7.31" but that 
doesn't help with all the spam.

Examples are below.

##############################

Microsoft Mail Internet Headers Version 2.0
Received: from mx.3rdmill.com.au ([xxx.xxx.xxx.xxx]) by 
3msyd1.nsw.3rdmill.com.au with Microsoft SMTPSVC(6.0.3790.3959);
     Tue, 26 Aug 2008 07:12:23 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mx.3rdmill.com.au (Postfix) with ESMTP id CFD6AFEAF
    for <ou...@example.com>; Tue, 26 Aug 2008 07:12:24 +1000 (EST)
Received: from mx.3rdmill.com.au ([127.0.0.1])  by localhost 
(3msydmxg.nsw.3rdmill.com.au [127.0.0.1]) (amavisd-maia, port 10024)  
with ESMTP id 06003-05 for <ou...@example.com>;  Tue, 26 Aug 2008 
07:12:12 +1000 (EST)
Received: from n1.bullet.mail.re3.yahoo.com 
(n1.bullet.mail.re3.yahoo.com [68.142.237.108])
    by mx.3rdmill.com.au (Postfix) with SMTP id 152B8FE72
    for <ou...@example.com>; Tue, 26 Aug 2008 07:12:05 +1000 (EST)
Received: from [68.142.230.28] by n1.bullet.mail.re3.yahoo.com with 
NNFMP; 25 Aug 2008 21:12:02 -0000
Received: from [216.252.111.166] by t1.bullet.re2.yahoo.com with NNFMP; 
25 Aug 2008 21:12:02 -0000
Received: from [127.0.0.1] by omp101.mail.re3.yahoo.com with NNFMP; 25 
Aug 2008 21:12:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 710810.31677.bm@omp101.mail.re3.yahoo.com
Received: (qmail 14637 invoked by uid 60001); 25 Aug 2008 21:12:02 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  
h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;
  
b=MoHka6GIK4EPE9h69cCWTi6GTwzEKJQsemn1tMAKkC+3aqBJJm6X8nUBiDj8TRgG2AkBZOVfAH7YsujX/hjWyGgrc/KMNjQtygxd/SNmVQQfZKx9FEueCSK4OAk0joY/V8LBOvvrOtSHvfnQpcgClrSsRrFJ5iTjU/30kPeZJnU=;
X-YMail-OSG: 
mwVfClMVM1kM9GhmjadPth3DGxGMJJTDHLJxFCGCGWcNvZViq6NFYpOzOSRIqsmteUiJfFKq3Q1YM3NITcYFHcFdUzAlf39soSr9xmj2QJkMtcWnsEPpQAYZxojCTXA-
Received: from [90.54.180.225] by web57511.mail.re1.yahoo.com via HTTP; 
Mon, 25 Aug 2008 14:12:02 PDT
X-Mailer: YahooMailWebService/0.7.218.2
Date: Mon, 25 Aug 2008 14:12:02 -0700 (PDT)
From: Jamie Microdissection <ja...@yahoo.com>
Reply-To: jamiemicrodissection1673096@yahoo.com
Subject: Firmer and longer erections shut
To: vavero@starmedia.com
Cc: <Various other email addresses>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <47...@web57511.mail.re1.yahoo.com>
X-Virus-Scanned: Maia Mailguard 1.0.2
X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31  
tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
X-Spam-Level:
Return-Path: jamiemicrodissection1673096@yahoo.com
X-OriginalArrivalTime: 25 Aug 2008 21:12:23.0984 (UTC) 
FILETIME=[44ECFB00:01C906F7]



-----Original Message-----
From: Jamie Microdissection [mailto:jamiemicrodissection1673096@yahoo.com]
Sent: Tuesday, 26 August 2008 7:12 AM
To: vavero@starmedia.com
Cc: <Various other email addresses>
Subject: Firmer and longer erections shut

think worm mules fly blaze.
http://groups.google.com/group/sdeliapadenf7hd/?fadewerzrspillpewtyr2neat


##################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([xxx.xxx.xxx.xxx]) by 
icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
             Mon, 25 Aug 2008 11:29:40 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
            by mail.icfrith.com.au (Postfix) with ESMTP id 951DD2B956
            for <an...@example.com>; Mon, 25 Aug 2008 11:14:07 
+1000 (EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: 2.54
X-Spam-Level: **
X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
            DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
Received: from mail.icfrith.com.au ([127.0.0.1])
            by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1]) 
(amavisd-new, port 10024)
            with ESMTP id QptAnYEjlOsy for <an...@example.com>;
            Mon, 25 Aug 2008 11:14:05 +1000 (EST)
Received: from BAY0-OMC3-S10.bay0.hotmail.com 
(bay0-omc3-s10.bay0.hotmail.com [65.54.246.210])
            by mail.icfrith.com.au (Postfix) with ESMTP id E4D912B99C
            for <an...@example.com>; Mon, 25 Aug 2008 11:14:02 
+1000 (EST)
Received: from BAY113-W51 ([65.54.168.151]) by 
BAY0-OMC3-S10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
             Sun, 24 Aug 2008 18:29:34 -0700
Message-ID: <BA...@phx.gbl>
Content-Type: multipart/alternative;
            boundary="_6d082c57-ec4b-42db-aaa6-f421809ee165_"
X-Originating-IP: [201.83.252.234]
From: Dorothy Brown <do...@hotmail.com>
To: <ro...@icliffs.com>
Subject: Licensed pharmaceutical professionals from our pharmacy are
 available 24/7 for you.
Date: Mon, 25 Aug 2008 01:29:33 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Aug 2008 01:29:34.0525 (UTC) 
FILETIME=[07D4EED0:01C90652]
Return-Path: dorothyxqsdzips@hotmail.com
 
--_6d082c57-ec4b-42db-aaa6-f421809ee165_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
--_6d082c57-ec4b-42db-aaa6-f421809ee165_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
 
--_6d082c57-ec4b-42db-aaa6-f421809ee165_--
 
________________________________________
From: Dorothy Brown [mailto:dorothyxqsdzips@hotmail.com]
Sent: Monday, 25 August 2008 11:30 AM
To: roslyn.holcombe@icliffs.com
Subject: Licensed pharmaceutical professionals from our pharmacy are 
available 24/7 for you.
Importance: High
 
 
Attractive prices and high quality is our motto.
www.cid-1a15c26c02719644.spaces.live.com

#########################################




Re: Help with Junk from Hotmail and Yahoo's Servers

Posted by Robert Schetterer <ro...@schetterer.org>.
Henrik K schrieb:
> On Mon, Aug 25, 2008 at 10:40:08PM -0700, Jake Maul wrote:
>> I get spam like this too. I'd tell you to train your bayes db better,
>> but no amount of learning these things seems to have any effect for
>> me- the next one in just just right back at BAYES_50. Mine are also
>> largely from Yahoo, some from Hotmail.
> 
> Check: http://marc.info/?l=spamassassin-users&m=121929487811982
> 
> In 3.2.5 bayes doesn't work fully when there are DKIM/DomainKey headers.
> 

I just recognized that Hotmail's SPF is not valid for hard discarding mail

hotmail.com.            987     IN      TXT     "v=spf1 
include:spf-a.hotmail.com include:spf-b.hotmail.com 
include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"


It should be -all at the end in my understanding; with the current
SPF policy, servers will notice a fake but don't block it.

Additionally, I noticed yahoo.com's ADSP DKIM record is total
nonsense

dig -t txt _adsp._domainkey.yahoo.com

; <<>> DiG 9.4.2-P1 <<>> -t txt _adsp._domainkey.yahoo.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_adsp._domainkey.yahoo.com.    IN      TXT

;; ANSWER SECTION:
_adsp._domainkey.yahoo.com. 6408 IN     CNAME   rc.yahoo.com.
rc.yahoo.com.           1008    IN      CNAME   rc.yahoo.akadns.net.

So it's also up to them to fix it to be usable in antispam.

The joke might be that Hotmail is M$ and promoted SPF,
and Yahoo promotes DKIM *g


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
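Robert's two DNS checks above, as an added example that is not part of his post and not SpamAssassin code: a small Python parser that reads an SPF record and reports the result a forged sender would get from its terminal "all" mechanism (which is why a "~all" record cannot be hard-rejected), plus an ADSP reader that returns no policy when, as in the dig output above, the name yields only CNAMEs and no TXT record. The hotmail.com record is the one quoted in the post; qualifier semantics follow RFC 4408, the SPF spec current in 2008; the function names are my own.

```python
"""Added example, not from the thread: parse an SPF record, report what a
receiver may do with a sender the record does not match, and parse an ADSP
record. Qualifier semantics follow RFC 4408 (the SPF spec current in 2008)."""
import re

# Constructed input: the hotmail.com SPF record quoted in the thread.
HOTMAIL_SPF = ("v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com "
               "include:spf-c.hotmail.com include:spf-d.hotmail.com ~all")

# SPF qualifier prefix -> result when the mechanism matches (RFC 4408 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Modifiers look like name=value (redirect=, exp=); mechanisms use ':' or '/'.
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)


def parse_spf(record):
    """Return a list of (qualifier, mechanism, argument) terms; modifiers are
    returned as ("modifier", name, value). None if not an SPFv1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if MODIFIER.match(term):
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                      # an absent qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def unmatched_sender_result(record):
    """SPF result for a connecting host that matches none of the listed
    mechanisms, i.e. a forged sender: decided by the terminal 'all'.
    With no 'all', a redirect= hands the decision to another record
    ("redirect"); with neither, the spec's default is 'neutral'."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    for qualifier, mech, _ in terms:
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
    if any(mech == "modifier" and name == "redirect" for mech, name, _ in terms):
        return "redirect"
    return "neutral"


def hard_reject_possible(record):
    """True only when a forged sender yields 'fail': that is the one SPF
    result the spec defines as grounds for rejecting at SMTP time.
    'softfail' (the ~all case) is advisory, so an MTA can only score it."""
    return unmatched_sender_result(record) == "fail"


def parse_adsp(txt_records):
    """Outbound signing practice from the TXT record(s) at
    _adsp._domainkey.<domain> (RFC 5617): 'unknown', 'all' or 'discardable'.
    Returns None when no TXT record carries a dkim= tag. The dig output in
    the thread shows the yahoo.com name answering only with a CNAME chain
    and no TXT, so a receiver ends up with no policy to apply."""
    tag = re.compile(r"(?:^|;)\s*dkim\s*=\s*(unknown|all|discardable)\s*(?:;|$)", re.I)
    for txt in txt_records:
        m = tag.search(txt)
        if m:
            return m.group(1).lower()
    return None


if __name__ == "__main__":
    print("hotmail.com forged sender ->", unmatched_sender_result(HOTMAIL_SPF))
    print("hard reject possible ->", hard_reject_possible(HOTMAIL_SPF))
    print("same record with -all ->",
          hard_reject_possible(HOTMAIL_SPF.replace("~all", "-all")))
    print("yahoo.com ADSP (no TXT answer) ->", parse_adsp([]))
```

The parser only classifies the record text; the include: targets are not resolved, which is deliberate: the point of the post is the terminal qualifier, and that is visible without any DNS lookups.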

Re: Help with Junk from Hotmail and Yahoo's Servers

Posted by Henrik K <he...@hege.li>.
On Mon, Aug 25, 2008 at 10:40:08PM -0700, Jake Maul wrote:
> I get spam like this too. I'd tell you to train your bayes db better,
> but no amount of learning these things seems to have any effect for
> me- the next one in just just right back at BAYES_50. Mine are also
> largely from Yahoo, some from Hotmail.

Check: http://marc.info/?l=spamassassin-users&m=121929487811982

In 3.2.5 bayes doesn't work fully when there are DKIM/DomainKey headers.


Re: Help with Junk from Hotmail and Yahoo's Servers

Posted by Jake Maul <ja...@gmail.com>.
I get spam like this too. I'd tell you to train your bayes db better,
but no amount of learning these things seems to have any effect for
me- the next one in just just right back at BAYES_50. Mine are also
largely from Yahoo, some from Hotmail.

One thing that bothers me is how painfully obvious these are, and yet
barely trigger any rules in stock SA. Maybe a Pyzor here, a DCC there.
Rarely a DKIM hit, IIRC. For the most part they sail right through,
with virtually no non-network test hitting them, and very rarely a
network test. Even with my changes below, I'm still missing more than
I would like (mostly because they don't hit enough to pass 5.0).

First I tried the SARE rules. Most of them were ineffective, but a few
files hit often. Then I added the Botnet plugin, and it was much, much
more useful. I do *not* use the stock Botnet scores, however... too
high for my tastes. But I'm getting closer to them every day, as I
inch them back up to their stock.

The "Spam" and "Ham" listed here are how SA classifies them... not
necessarily what they actually *are*...

 Ruleset                             Ham   Spam   %of Ham   %of Spam
 --------------------------------------------------------------------
 Botnet.cf                            16    857     4.79%     92.05%
 70_sare_obfu1.cf                      0    263     0.00%     28.25%
 70_sare_genlsubj1.cf                  3    113     0.90%     12.14%
 99_custom_rules.cf                    5    111     1.50%     11.92%
 70_sare_genlsubj0.cf                  0     55     0.00%      5.91%
 70_sare_adult.cf                      0     46     0.00%      4.94%
 70_sare_header0.cf                    0     14     0.00%      1.50%
 70_sare_header1.cf                    0     13     0.00%      1.40%
 70_sare_oem.cf                        2      2     0.60%      0.21%
 70_sare_html0.cf                      1      2     0.30%      0.21%
 72_sare_redirect_post3_0_0.cf         0      0     0.00%      0.00%
 70_sare_obfu0.cf                      0      0     0.00%      0.00%
 70_sare_bayes_poison_nxm.cf           0      0     0.00%      0.00%
 70_sare_evilnum0.cf                   0      0     0.00%      0.00%
 70_sare_html1.cf                      1      0     0.30%      0.00%


My modified stock rule scores: (slowly increasing these over time)
score DRUGS_ERECTILE 1.5
score DRUGS_MUSCLE 1.0
score RDNS_NONE 0.5
score ONLINE_PHARMACY 1.0
score TVD_VISIT_PHARMA 1.0


Then I wrote these add-on rules, almost specifically to target this
problem. The scores are arbitrary, and I'm increasing them over time.
1 and 2 are the highest-hitting by far. And yes, they do sometimes
overlap with the stock rules above. Not as often as you'd think,
though.... plenty of viagra/cialis spam isn't hitting DRUGS_ERECTILE,
and plenty of pharma spam doesn't hit those 2 either. The last one is
kinda made up, and hit exactly 1 in ~2000 emails last week :).

header          JAKE_SUBJ1      Subject =~ /Viagra/i
describe        JAKE_SUBJ1      Subject mentions Viagra
score           JAKE_SUBJ1      2.5

header          JAKE_SUBJ2      Subject =~ /Cialis/i
describe        JAKE_SUBJ2      Subject mentions Cialis
score           JAKE_SUBJ2      2.5

header          JAKE_SUBJ3      Subject =~ /pharmacy/i
describe        JAKE_SUBJ3      Subject mentions 'pharmacy'
score           JAKE_SUBJ3      1.5

header          JAKE_SUBJ4      Subject =~ /cock/i
describe        JAKE_SUBJ4      Subject mentions 'cock'
score           JAKE_SUBJ4      1.5

header          JAKE_SUBJ5      Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe        JAKE_SUBJ5      Subject mentions a hot chick
score           JAKE_SUBJ5      1.5


I also started using some 3rd party ClamAV rules... SaneSecurity has
'em, don't remember the link offhand.

If anyone knows when stock SA is gonna start catching this junk a lot
better, I'd love to hear it. I hate doing this hacky garbage to a nice
clean mail server.

Good luck,
Jake


On Mon, Aug 25, 2008 at 10:10 PM, James Robertson <j...@mesrobertson.com> wrote:
> I'm having an increased amount of junk getting through due to it coming from
> Hotmail and Yahoo's servers which makes any type of pre-filter stuff like
> RBL's, Greylisting, Sender Verification useless which leaves me to rely on
> Spamassassin.  I cannot block hotmail and Yahoo (although I would like to
> personally) as our users receive valid email from them.
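Jake's add-on header rules, run against the two spam subjects from James's original post, as an added example that is neither Jake's code nor SpamAssassin's rule engine: a minimal Python evaluator for SpamAssassin-style `header`/`describe`/`score` lines. It shows how far a few subject regexes fall short of the required=5.31 threshold visible in both sample messages, which is Jake's point about these messages not hitting enough rules. The rules are copied from the post (JAKE_SUBJ5 re-joined onto one line, JAKE_SUBJ4 left out); the threshold is the one in the posted headers; the sample subjects are the posted ones; the function names are my own.

```python
"""Added example, not code from the thread or from SpamAssassin: a minimal
evaluator for SpamAssassin-style 'header' rules, run over the two spam
subjects posted in the thread."""
import re

# Jake's add-on rules as posted (JAKE_SUBJ5 re-joined onto one line, since
# the list archive had wrapped its regex; JAKE_SUBJ4 omitted).
RULES_CF = r"""
header          JAKE_SUBJ1      Subject =~ /Viagra/i
describe        JAKE_SUBJ1      Subject mentions Viagra
score           JAKE_SUBJ1      2.5

header          JAKE_SUBJ2      Subject =~ /Cialis/i
describe        JAKE_SUBJ2      Subject mentions Cialis
score           JAKE_SUBJ2      2.5

header          JAKE_SUBJ3      Subject =~ /pharmacy/i
describe        JAKE_SUBJ3      Subject mentions 'pharmacy'
score           JAKE_SUBJ3      1.5

header          JAKE_SUBJ5      Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe        JAKE_SUBJ5      Subject mentions a hot chick
score           JAKE_SUBJ5      1.5
"""

# required= value shown in the X-Spam-Status headers of both sample messages.
REQUIRED = 5.31

# Constructed sample input: the Subject lines of the two messages in the thread.
SAMPLE_SUBJECTS = {
    "yahoo": "Firmer and longer erections shut",
    "hotmail": "Licensed pharmaceutical professionals from our pharmacy are "
               "available 24/7 for you.",
}

# "NAME Header =~ /pattern/flags", i.e. everything after the 'header' keyword.
HEADER_RULE = re.compile(r"^(\w+)\s+([\w-]+)\s+=~\s+/(.*)/([a-z]*)$")
FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}


def parse_rules(cf_text):
    """Parse header/describe/score lines into {name: {test, describe, score}}.
    Only plain 'Header =~ /regex/flags' header rules are supported."""
    rules = {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, rest = parts
        if keyword == "header":
            m = HEADER_RULE.match(rest)
            if not m:
                raise ValueError("unsupported header rule: " + line)
            name, hdr, pattern, flags = m.groups()
            reflags = 0
            for f in flags:
                reflags |= FLAG_MAP[f]
            rules.setdefault(name, {})["test"] = (hdr.lower(), re.compile(pattern, reflags))
        elif keyword == "describe":
            name, _, text = rest.partition(" ")
            rules.setdefault(name, {})["describe"] = text.strip()
        elif keyword == "score":
            name, _, value = rest.partition(" ")
            rules.setdefault(name, {})["score"] = float(value)
    return rules


def score_message(headers, rules):
    """Apply every rule that has a test; return (total score, [names hit]).
    Rules without an explicit score get SpamAssassin's default of 1.0."""
    lower = {k.lower(): v for k, v in headers.items()}
    total, hits = 0.0, []
    for name, rule in rules.items():
        if "test" not in rule:
            continue
        hdr, regex = rule["test"]
        if regex.search(lower.get(hdr, "")):
            total += rule.get("score", 1.0)
            hits.append(name)
    return total, hits


def is_spam(total):
    """The tag decision: total score at or above the required threshold."""
    return total >= REQUIRED


if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for label, subject in SAMPLE_SUBJECTS.items():
        total, hits = score_message({"Subject": subject}, rules)
        print(f"{label}: score={total} hits={hits} spam={is_spam(total)}")
```

Run stand-alone it reports the Hotmail sample hitting only JAKE_SUBJ3 for 1.5 points and the Yahoo sample hitting nothing, so neither comes near 5.31 on these rules alone; that gap is what the Botnet and SARE rules in the table above are filling.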