Posted to users@spamassassin.apache.org by "emailitis.com" <in...@emailitis.com> on 2013/09/02 08:34:22 UTC

Image spam

We are getting a lot of Spam getting through which is a remote image and for
some reason is not being picked up by SA.  I have put them below with all
details, including the SA rules found and message details.  For ease, the
rules are all pasted below here also. 

 

Are there others who have seen these and are preventing them getting
through?  Can you share how? 

 

http://pastebin.com/SC9JSZSW

http://pastebin.com/qSxV47z2

http://pastebin.com/Ds0adR49

http://pastebin.com/HkNjdm5R

 

I have already tried to make some common rules score more but that does not
seem to be working.  In /etc/mail/spamassassin/local.cf we have put in the
following but I am not sure that these scores are in fact replacing the
default ones:

score URIBL_BLACK 3.5

score URIBL_DBL_SPAM 3

score T_REMOTE_IMAGE 3.5

score RCVD_IN_BRBL_LASTEXT 3.5

 

Many thanks, in advance, for any assistance that the gurus can offer.

 

Kind Regards,

Christoph 

 

 

/root/weeklymail/Sunmaillog:Aug 31 11:11:05 plesk3 spamd[11160]: spamd: result: . 0 - BAYES_00,HTML_EXTRA_CLOSE,HTML_MESSAGE,LOCALPART_IN_SUBJECT,LOTS_OF_MONEY,RAZOR2_CHECK,RDNS_NONE scantime=1.2,size=10587,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35181,mid=<URL>,bayes=0.000002,autolearn=no

/root/weeklymail/Sunmaillog:Aug 31 14:21:34 plesk3 spamd[27015]: spamd: result: Y 5 - BAYES_50,DIET_1,HTML_EXTRA_CLOSE,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,RDNS_NONE,T_REMOTE_IMAGE scantime=2.1,size=9289,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54771,mid=<URL <ma...@hmv4drc.sheikargemamai.com> >,bayes=0.480496,autolearn=no

/root/weeklymail/Sunmaillog:Aug 31 16:07:21 plesk3 spamd[12813]: spamd: result: . 4 - BAYES_20,HTML_EXTRA_CLOSE,HTML_IMAGE_RATIO_08,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE scantime=1.1,size=8535,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44411,mid=<URL <ma...@3nmrx8.spakerhmoner.com> >,bayes=0.087335,autolearn=no

/root/weeklymail/Sunmaillog:Aug 31 18:07:59 plesk3 spamd[12813]: spamd: result: . 1 - BAYES_50,HTML_EXTRA_CLOSE,HTML_MESSAGE,LOTS_OF_MONEY,RDNS_NONE scantime=1.4,size=7946,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45934,mid=<URL <ma...@mdi9hj1.tyttacekory.com> >,bayes=0.500000,autolearn=no


RE: Image spam

Posted by "emailitis.com" <in...@emailitis.com>.
Thanks John,

> Standard Bayes questions:
> 
> How do you train? Manually, automatically, or both?
Automatically.  Recently I am manually training on Spam that I receive to
about 10 email addresses of our own like the ones shown but not sure how
much difference that is making.  I THINK I used to get even more BAYES_00 so
maybe it is working.  But some Spam-heavy mailboxes are not ours and we
would not be able to train the owner how to do the training.  And I have
been doing only Spam, not Ham, training.
I expect that in the dim and distant past, we did not do as much 

> If you train manually, who contributes? Are the contributions reviewed
> prior to training?
> 
> Do you retain your manual training corpus to review, and for initial
> retraining if Bayes goes completely off the rails?
Not sure how easily we could make it for our clients to assist with manual
training - I suspect they would not have the time or knowledge or
inclination so to do.

> Do you retain your manual training corpus to review, and for initial
> retraining if Bayes goes completely off the rails?
No, we do not have this sadly.  In the past we only ever let SA do the
automatic training so I guess it was not perfect.  But even with a re-train
I am not sure how we could capture emails being sent to clients which are
Spam.

> Non-Bayes questions: are you using greylisting? It really cuts down on the
> garbage. Are you doing MTA SMTP-time DNSBL filtering using ZEN? It's very
> reliable and appears to have ~30% spam-only overlap with
> __REMOTE_IMAGE.
No, we cancelled it because the delay was causing some issues but we will
look to re-activating that.

> 
> Suggestion: a meta of __REMOTE_IMAGE and LOTS_OF_MONEY might help,
> assuming you don't have a lot of ham that hits both rules.
Thank you for that suggestion which I will put in place.  Only one today
that met both criteria and that was Spam!  And it got through with a score
of 4.2!

Kind regards,
Christoph


> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: 02 September 2013 08:01
> To: users@spamassassin.apache.org
> Subject: Re: Image spam
> 
> On Mon, 2 Sep 2013, emailitis.com wrote:
> 
> Here's something else to look into:
> 
> > /root/weeklymail/Sunmaillog:Aug 31 11:11:05 plesk3 spamd[11160]:
> spamd:
> > result: . 0 - BAYES_00
> >
> > /root/weeklymail/Sunmaillog:Aug 31 14:21:34 plesk3 spamd[27015]:
> spamd:
> > result: Y 5 - BAYES_50
> >
> > /root/weeklymail/Sunmaillog:Aug 31 16:07:21 plesk3 spamd[12813]:
> spamd:
> > result: . 4 - BAYES_20
> >
> > /root/weeklymail/Sunmaillog:Aug 31 18:07:59 plesk3 spamd[12813]:
> spamd:
> > result: . 1 - BAYES_50
> 
> I could see the BAYES_50s if there was little else other than an image
> link in the message, and the spam campaign was something new, but BAYES_20
> and especially BAYES_00?
> 
> Standard Bayes questions:
> 
> How do you train? Manually, automatically, or both?
> 
> If you train manually, who contributes? Are the contributions reviewed
> prior to training?
> 
> Do you retain your manual training corpus to review, and for initial
> retraining if Bayes goes completely off the rails?
> 
> Non-Bayes questions: are you using greylisting? It really cuts down on the
> garbage. Are you doing MTA SMTP-time DNSBL filtering using ZEN? It's very
> reliable and appears to have ~30% spam-only overlap with
> __REMOTE_IMAGE.
> 
> Suggestion: a meta of __REMOTE_IMAGE and LOTS_OF_MONEY might help,
> assuming you don't have a lot of ham that hits both rules.
> 
> 
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>    Yet another example of a Mexican doing a job Americans are
>    unwilling to do.   -- Reno Sepulveda, on UniVision reporters asking
>                          President Obama some pointed questions about
>                          the BATFE Fast and Furious scandal.
> -----------------------------------------------------------------------
>   458 days since the first successful private support mission to ISS (SpaceX)


Re: Image spam

Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Sep 2013, emailitis.com wrote:

Here's something else to look into:

> /root/weeklymail/Sunmaillog:Aug 31 11:11:05 plesk3 spamd[11160]: spamd:
> result: . 0 - BAYES_00
>
> /root/weeklymail/Sunmaillog:Aug 31 14:21:34 plesk3 spamd[27015]: spamd:
> result: Y 5 - BAYES_50
>
> /root/weeklymail/Sunmaillog:Aug 31 16:07:21 plesk3 spamd[12813]: spamd:
> result: . 4 - BAYES_20
>
> /root/weeklymail/Sunmaillog:Aug 31 18:07:59 plesk3 spamd[12813]: spamd:
> result: . 1 - BAYES_50

I could see the BAYES_50s if there was little else other than an image 
link in the message, and the spam campaign was something new, but BAYES_20 
and especially BAYES_00?

Standard Bayes questions:

How do you train? Manually, automatically, or both?

If you train manually, who contributes? Are the contributions reviewed 
prior to training?

Do you retain your manual training corpus to review, and for initial 
retraining if Bayes goes completely off the rails?

Non-Bayes questions: are you using greylisting? It really cuts down on the 
garbage. Are you doing MTA SMTP-time DNSBL filtering using ZEN? It's very 
reliable and appears to have ~30% spam-only overlap with __REMOTE_IMAGE.

Suggestion: a meta of __REMOTE_IMAGE and LOTS_OF_MONEY might help, 
assuming you don't have a lot of ham that hits both rules.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Yet another example of a Mexican doing a job Americans are
   unwilling to do.   -- Reno Sepulveda, on UniVision reporters asking
                         President Obama some pointed questions about
                         the BATFE Fast and Furious scandal.
-----------------------------------------------------------------------
  458 days since the first successful private support mission to ISS (SpaceX)
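The following is an added example and not part of the thread or of SpamAssassin itself. It serves two points raised above: Christoph's spamd log excerpts, and John's suggestion of a meta on __REMOTE_IMAGE plus LOTS_OF_MONEY with the caveat that it only helps if little ham hits both rules. The script parses the "spamd: result:" lines spamd writes to syslog, counts how often the two rules fire together (split by spamd's own verdict, the closest thing the log has to spam/ham labels), and re-scores each message as if the meta were already in local.cf. Because __REMOTE_IMAGE is an internal sub-rule that never appears in the log, the visible T_REMOTE_IMAGE stands in for it. The log lines, message-ids, the rule name LOCAL_IMG_MONEY and the meta's score of 2.0 are constructed assumptions.

```python
"""Check a proposed SpamAssassin meta rule against spamd result lines.

Added example, not from the thread. Parses spamd's "result:" syslog lines,
measures how often two rules co-fire (by spamd verdict) and simulates the
score a meta on both rules would add. Log lines, message-ids and the
meta's score are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Aug 31 11:11:05 plesk3 spamd[11160]: spamd: result: . 0 - BAYES_00,HTML_MESSAGE,LOTS_OF_MONEY,RDNS_NONE scantime=1.2,size=10587,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35181,mid=<a1@example.invalid>,bayes=0.000002,autolearn=no
Aug 31 14:21:34 plesk3 spamd[27015]: spamd: result: Y 5 - BAYES_50,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,RDNS_NONE,T_REMOTE_IMAGE scantime=2.1,size=9289,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54771,mid=<b2@example.invalid>,bayes=0.480496,autolearn=no
Aug 31 16:07:21 plesk3 spamd[12813]: spamd: result: . 4 - BAYES_20,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,RDNS_NONE,T_REMOTE_IMAGE scantime=1.1,size=8535,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44411,mid=<c3@example.invalid>,bayes=0.087335,autolearn=no
Aug 31 18:07:59 plesk3 spamd[12813]: spamd: result: . 1 - BAYES_50,HTML_MESSAGE,RDNS_NONE,T_REMOTE_IMAGE scantime=1.4,size=7946,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45934,mid=<d4@example.invalid>,bayes=0.500000,autolearn=no
Aug 31 18:09:12 plesk3 spamd[12813]: spamd: result: . -2 - BAYES_00,DKIM_VALID scantime=0.9,size=3011,user=qscand,uid=10124,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45940,mid=<e5@example.invalid>,bayes=0.000001,autolearn=ham
"""

# Fields taken from a result line: verdict (Y or .), rounded score, the
# comma-separated rules that hit, the configured threshold, and message-id.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+)"
    r" .*?required_score=(?P<threshold>[\d.]+).*?mid=<(?P<mid>[^>]*)>"
)


def parse_result(line):
    """Return a dict for one spamd result line, or None for any other log line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    return {
        "mid": m.group("mid"),
        "spam": m.group("verdict") == "Y",
        "score": int(m.group("score")),  # spamd logs the rounded total only
        "threshold": float(m.group("threshold")),
        "rules": set(m.group("rules").split(",")),
    }


def parse_log(text):
    return [r for r in map(parse_result, text.splitlines()) if r]


def overlap_by_verdict(records, rule_a, rule_b):
    """Count messages hitting both rules, keyed by spamd's verdict.
    A noticeable 'ham' count is exactly the case a meta would mis-score."""
    counts = Counter()
    for r in records:
        if {rule_a, rule_b} <= r["rules"]:
            counts["spam" if r["spam"] else "ham"] += 1
    return dict(counts)


def simulate_meta(records, rule_a, rule_b, meta_score):
    """Re-score every message as if 'meta NAME (A && B)' carried meta_score.
    Rounded log scores make borderline cases (e.g. a real 4.2) approximate."""
    out = []
    for r in records:
        bump = meta_score if {rule_a, rule_b} <= r["rules"] else 0.0
        new = r["score"] + bump
        out.append({"mid": r["mid"], "old": r["score"], "new": new,
                    "flagged_before": r["score"] >= r["threshold"],
                    "flagged_after": new >= r["threshold"]})
    return out


def newly_flagged(records, rule_a, rule_b, meta_score):
    """Message-ids the meta would push over required_score."""
    return [s["mid"] for s in simulate_meta(records, rule_a, rule_b, meta_score)
            if s["flagged_after"] and not s["flagged_before"]]


def render_local_cf(name, rule_a, rule_b, meta_score):
    """local.cf lines defining the meta, in SpamAssassin rule syntax."""
    return (f"meta {name} ({rule_a} && {rule_b})\n"
            f"describe {name} remote image together with money talk\n"
            f"score {name} {meta_score:.1f}\n")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(overlap_by_verdict(recs, "T_REMOTE_IMAGE", "LOTS_OF_MONEY"))
    print(newly_flagged(recs, "T_REMOTE_IMAGE", "LOTS_OF_MONEY", 2.0))
    print(render_local_cf("LOCAL_IMG_MONEY", "T_REMOTE_IMAGE", "LOTS_OF_MONEY", 2.0))
```

Run it over a real spamd log (`grep 'spamd: result:' /var/log/maillog | python3 check_meta.py` after swapping SAMPLE_LOG for stdin) before committing the meta; if the "ham" bucket is more than a handful, the combined score needs lowering. After adding the rendered lines to local.cf, `spamassassin --lint` confirms the file parses, which also answers whether the `score` overrides from the first post are being read at all.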