Posted to users@spamassassin.apache.org by Jose Luis Marin Perez <jo...@hotmail.com> on 2009/09/18 20:51:54 UTC
Problems with high spam
Dear Sirs,
I have the problem that many SPAM emails being filtered to the mail box users, who might that be?
These are the statistics from yesterday:
Total messages:    Ham:    Spam:    % Spam:
----------------------------------------------------------------------
10896              4954    5942     54.53%
Although filters 54% of users are reporting much SPAM
This is the configuration of the server:
Server ML110
Intel(R) Pentium(R) D CPU 2.80GHz
512 MB Ram
300GB HD
SpamAssassin 3.2.5 - local.cf
ok_locales all
skip_rbl_checks 1
# This evaluates each message; a 5.0 is required to mark it as spam
required_hits 3
# Generate a message report
report_safe 0
# Rewrite the subject
rewrite_header Subject ***SPAM***
########################################################################
# Can be an account or a domain as whitelist
whitelist_from victorlewitus@gmail.com
whitelist_from eva@qnet.com.pe
whitelist_from arcemartino@gmail.com
whitelist_from *@es.mcafee.com
whitelist_from *@mcafee.com
whitelist_from alpine142@yahoo.com
whitelist_from *croda.com.br
whitelist_from *wmarmanillo*
whitelist_from *@pcmodasac.com
whitelist_from *@mmsc.telefonicamovistar.com.pe
whitelist_from *@ideasclaro.com.pe
whitelist_from *@surfcontrol.com
whitelist_from *@inkanatura.com.pe
whitelist_from *@hanwha.co.kr
whitelist_from *@innoviafilms.com
whitelist_from *@fmm.com.pa
whitelist_from *@cmoviles.net.pe
whitelist_from *@enerquimica.com
whitelist_from agenda@rfgonline.com
whitelist_from boletines@caballerobustamante.com.pe
whitelist_from trener@goalsnet.com.pe
whitelist_from *@newfpi.com
whitelist_from liyw@neusoft.com
whitelist_from marketing@esan.edu.pe
whitelist_from eAgreements@microsoft.com
whitelist_from admin@grupocoril.com
whitelist_from eandonaire@lapositiva.com.pe
whitelist_from rosita_maria_3@hotmail.com
whitelist_from administrador@netactiva24.com
whitelist_from ikergust@hotmail.com
whitelist_from *@bms.com
whitelist_from *@*.163.com
whitelist_from *@163.com
whitelist_from *@vip.163.com
whitelist_from *@sino-ld.com
whitelist_from *@bunge.com
whitelist_from *@arellanoim.com
whitelist_from *@san-fernando.com.pe
whitelist_from *@popdirect.biz
whitelist_from *@apccorporacion.com
whitelist_from jelkron@gmail.com
whitelist_from ivonnesimana@gmail.com
whitelist_from prestal@adinet.com.uy
whitelist_from hvillacorta@gym.com.pe
whitelist_from orphafripp1@aol.com
whitelist_from zoebg@aol.com
whitelist_from dioj48k8j@aim.com
whitelist_from orphafripp1@aol.com
whitelist_from Flugelman1@aol.com
whitelist_from joebob7999@aol.com
whitelist_from *@camperu.com.pe
whitelist_from *@optimedia.com.pe
whitelist_from *@bdo.com.pe
whitelist_from *@molprod.com
whitelist_from *@claroideas.com.pe
whitelist_from yvasquez@filtroslys.com.pe
whitelist_from *@forus.cl
whitelist_from *@orica.com
whitelist_from *@licenciasonline.com
###################################################
blacklist_from *@aim.com
# Use Pyzor if you have it, but you download it from CPAN
use_pyzor 1
use_razor2 1
dcc_path /usr/local/bin/dccproc
dcc_home /var/dcc
dcc_body_max 999999
dcc_timeout 10
dcc_fuz1_max 999999
dcc_fuz2_max 999999
# Enable the SpamAssassin features
use_auto_whitelist 1
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12
######################################################################
user_scores_dsn DBI:mysql:spamassassin:localhost
user_scores_sql_username spamuser
user_scores_sql_password spampass
user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) OR username = _USERNAME_ ORDER BY username ASC
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spamassassin:localhost
user_awl_sql_username user
user_awl_sql_password pass
user_awl_sql_table awl
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:spamassassin:localhost
bayes_sql_username user
bayes_sql_password pass
#####################################################################
# Modified default scores
score BAYES_99 5.5 # 5.4
score RAZOR2_CHECK 2.5 # 0.899
score RAZOR2_CF_RANGE_51_100 4.5 # 1.552
score RAZOR2_CF_RANGE_11_50 1.5 # 0.559
score DCC_CHECK 3.0 # 1.806
score PYZOR_CHECK 3.0 # 0.322
#########################
header GAY Subject =~ /MARCO ANTONIO ASESINADO/i
describe GAY Publicidad sobre muerte Marco Antonio
score GAY 10.0
header LLAMADAS Subject =~ /LLAMADAS GRATUITAS DESDE SU LAPTOP O PC \!\!\!\./i
describe LLAMADAS Publicidad llamadas gratuitas
score LLAMADAS 10.0
header TRADUCCIONES Subject =~ /\:\:Servicio de traducciones\:\:/i
describe TRADUCCIONES Publicidad traducciones
score TRADUCCIONES 10.0
header CATALOGO Subject =~ /PROPIO CATALOGO ONLINE INTERNACIONAL/i
describe CATALOGO CATALOGO
score CATALOGO 200.0
header PUBLICIDAD1 Subject =~ /\(publicidad\)/i
describe PUBLICIDAD1 Publicidad1
score PUBLICIDAD1 100.0
header PUBLICIDAD2 Subject =~ / \- publicidad/i
describe PUBLICIDAD2 Publicidad2
score PUBLICIDAD2 100.0
header PUBLICIDAD3 Subject =~ /publicidad_/i
describe PUBLICIDAD3 Publicidad3
score PUBLICIDAD3 100.0
header PUBLICIDAD4 Subject =~ /\[ publicidad \]/i
describe PUBLICIDAD4 Publicidad4
score PUBLICIDAD4 100.0
header PUBLICIDAD5 Subject =~ /\-publicidad/i
describe PUBLICIDAD5 Publicidad5
score PUBLICIDAD5 100.0
header PUBLICIDAD6 Subject =~ /\. publicidad \./i
describe PUBLICIDAD6 Publicidad6
score PUBLICIDAD6 100.0
header PUBLICIDAD7 Subject =~ /\[\.publicidad\.\]/i
describe PUBLICIDAD7 Publicidad7
score PUBLICIDAD7 100.0
header PUBLICIDAD8 Subject =~ / publicidad/i
describe PUBLICIDAD8 Publicidad8
score PUBLICIDAD8 100.0
header PUBLICIDAD9 Subject =~ /\. publicidad\./i
describe PUBLICIDAD9 Publicidad9
score PUBLICIDAD9 100.0
header PUBLICIDAD10 Subject =~ / \- publlcldad/i
describe PUBLICIDAD10 Publicidad10
score PUBLICIDAD10 100.0
header PUBLICIDAD11 Subject =~ /\. publicidad/i
describe PUBLICIDAD11 Publicidad11
score PUBLICIDAD11 100.0
header PUBLICIDAD12 Subject =~ /publicidad \|/i
describe PUBLICIDAD12 Publicidad12
score PUBLICIDAD12 100.0
header PUBLICIDAD13 Subject =~ /publicidad\:/i
describe PUBLICIDAD13 Publicidad13
score PUBLICIDAD13 100.0
header SYSTEMERROR Subject =~ /system error/i
describe SYSTEMERROR System Error
score SYSTEMERROR 100.0
header PEDIGREE Subject =~ /Pedigree a precios increible/i
describe PEDIGREE Pedigree
score PEDIGREE 100.0
header ORGASMO Subject =~ /reforzamiento del orgasmo/i
describe ORGASMO Orgasmo
score ORGASMO 100.0
header LENOVO Subject =~ /Netbook Lenovo S10 con/i
describe LENOVO Lenovo
score LENOVO 100.0
header OFFON Subject =~ /FF on Pfizer/i
describe OFFON offon
score OFFON 100.0
header MEMBERS Subject =~ /group members on LinkedIn/i
describe MEMBERS members
score MEMBERS 100.0
header _LOCAL_I_HATE_VIAGRA Subject =~ /V.?[i1].?[a\@].?g.?[\@a]?.?r.?[\@a]/i
describe _LOCAL_I_HATE_VIAGRA viagra
score _LOCAL_I_HATE_VIAGRA 100.0
header BARZA_TO To =~ /\@isp.qnet.com.pe/
header BARZA_FROM From =~ /\@barzamiraflores.com/
meta BARZA BARZA_TO && BARZA_FROM
describe BARZA BARZA
score BARZA 100.0
body ISSO /ISSO SYSTEM/
describe ISSO Publicidad
score ISSO 10.0
header PUBLICIDAD_PROMOCION Subject =~ /Promocin/i
describe PUBLICIDAD_PROMOCION Subject: spam publicidad
score PUBLICIDAD_PROMOCION 5.0
header SPAM_QNET3 Subject =~ /bacterial sinusitis with Augmentin/i
describe SPAM_QNET3 Subject: spam conocido 1
score SPAM_QNET3 5.0
header PUBLICIDAD_VILLAGE Subject =~ /Publicidad.vnmel/i
describe PUBLICIDAD_VILLAGE Subject: spam conocido 2
score PUBLICIDAD_VILLAGE 5.0
header PUBLICIDAD_CAMARA Subject =~ /SPY Cmara/i
describe PUBLICIDAD_CAMARA Subject: spam publicidad 3
score PUBLICIDAD_CAMARA 5.0
header PUBLICIDAD_VIAGRA Subject =~ /today and become a super star tomorrow!/i
describe PUBLICIDAD_VIAGRA Subject: spam publicidad 4
score PUBLICIDAD_VIAGRA 5.0
header PUBLICIDAD_VIAGRA2 Subject =~ /UK Pharmacy Discount/i
describe PUBLICIDAD_VIAGRA2 Subject: spam publicidad 5
score PUBLICIDAD_VIAGRA2 5.0
header SPAM_MASTER_CUISINE Subject =~ /Publicidad.cdaumc/i
describe SPAM_MASTER_CUISINE Subject: spam publicidad 6
score SPAM_MASTER_CUISINE 5.0
body lNCA /lNCA HOME/
describe lNCA Publicidad
score lNCA 10.0
header CONGRESO_GLOBAL Subject =~ /Publicidad.bhni/i
describe CONGRESO_GLOBAL Subject: spam publicidad 7
score CONGRESO_GLOBAL 5.0
header MASCONSULTORES Subject =~ /Evaluacin Publicidad.rucn/i
describe MASCONSULTORES Subject: spam publicidad 8
score MASCONSULTORES 5.0
header holaxu3lt Subject =~ /xu3lt/i
describe holaxu3lt Subject: spam publicidad 8
score holaxu3lt 10.0
header SPAM_SEXY Subject =~ /How to be Irresistible to Women - Sexually/i
describe SPAM_SEXY Subject: spam publicidad 9
score SPAM_SEXY 10.0
header HOTEL_PALMERAS Subject =~ /Publicidad.xxax/i
describe HOTEL_PALMERAS Subject: spam publicidad 10
score HOTEL_PALMERAS 10.0
header SPAM_MASTER_CUISINE Subject =~ /.urgfph/i
describe SPAM_MASTER_CUISINE Subject: spam publicidad 11
score SPAM_MASTER_CUISINE 10.0
body assistance /experience with assistance/
describe assistance Publicidad
score assistance 10.0
body ELLE /is this ELLE/
describe is this ELLE Publicidad
score ELLE 10.0
Thanks
Jose Luis
Re: Problems with high spam
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-09-18 at 16:38 -0400, Dan Schaefer wrote:
> Karsten Bräckelmann wrote:
> > However, I'm pretty sure he merely describes a rule named "is", which is
> > non-fatal.
>
> I added that line to my config and ran spamassassin --lint and
> received the following error:
So did I, to back up my claim before posting -- though I used a
different rule name. ;)
> You are correct, though, in saying that it is non-fatal.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Problems with high spam
Posted by Dan Schaefer <da...@performanceadmin.com>.
Karsten Bräckelmann wrote:
> On Fri, 2009-09-18 at 16:06 -0400, Dan Schaefer wrote:
>
>> Jose Luis Marin Perez wrote:
>>
>>> body ELLE /is this ELLE/
>>> describe is this ELLE Publicidad
>>> score ELLE 10.0
>>>
>> It appears that you are missing ELLE after describe. If you have
>> spelling/format issues in your configuration, SA may not work at all.
>> Run "spamassassin --lint" to see if you have any warnings. I'm pretty
>> sure this is your solution...
>>
>
> Nice catch. And the advice of lint checking always is a good one.
>
> However, I'm pretty sure he merely describes a rule named "is", which is
> non-fatal.
>
>
>
I added that line to my config and ran spamassassin --lint and received
the following error:
[3530] warn: config: warning: description exists for non-existent rule is
[3530] warn: lint: 1 issues detected, please rerun with debug enabled for more information
You are correct, though, in saying that it is non-fatal.
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: Problems with high spam
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-09-18 at 16:06 -0400, Dan Schaefer wrote:
> Jose Luis Marin Perez wrote:
> >
> > body ELLE /is this ELLE/
> > describe is this ELLE Publicidad
> > score ELLE 10.0
>
> It appears that you are missing ELLE after describe. If you have
> spelling/format issues in your configuration, SA may not work at all.
> Run "spamassassin --lint" to see if you have any warnings. I'm pretty
> sure this is your solution...
Nice catch. And the advice of lint checking always is a good one.
However, I'm pretty sure he merely describes a rule named "is", which is
non-fatal.
Re: Problems with high spam
Posted by Dan Schaefer <da...@performanceadmin.com>.
Jose Luis Marin Perez wrote:
> body ELLE /is this ELLE/
> describe is this ELLE Publicidad
> score ELLE 10.0
It appears that you are missing ELLE after describe. If you have
spelling/format issues in your configuration, SA may not work at all.
Run "spamassassin --lint" to see if you have any warnings. I'm pretty
sure this is your solution...
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: Problems with high spam
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > skip_rbl_checks 1
>
> You *disabled* DNS BL checks. Enabling them should drastically improve
> results. You'd likely want a local, caching nameserver.
More details. What DNS server do you use? Your ISP's one?
You should check the test-points for URIBL and SpamHaus (the latter
after enabling RBL checks). If they fail, your ISP's DNS is blocked as an
abuser, and you *want* a local, caching nameserver. No forwarder.
Re: Problems with high spam
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-09-18 at 13:51 -0500, Jose Luis Marin Perez wrote:
> I have the problem that many SPAM emails being filtered to the mail
> box users, who might that be?
>
> These are the statistics from yesterday:
> Although filters 54% of users are reporting much SPAM
About half of the mail in-stream is spam? Yeah, generally that sounds
like your users will complain. ;) The spam/overall ratio usually is
*much* higher.
> Intel(R) Pentium(R) D CPU 2.80GHz
> 512 MB Ram
> 300GB HD
Ouch -- that server could go with some RAM, don't you think? No hard
numbers, but given your 10k+ messages a day, I guess that's about the
bare minimum.
Oh, you mentioned yesterday running ClamAV, too. Yes, that is low. Hope
you don't hit swap yet.
> SpamAssassin 3.2.5 - local.cf
>
> ok_locales all
> skip_rbl_checks 1
You *disabled* DNS BL checks. Enabling them should drastically improve
results. You'd likely want a local, caching nameserver.
> required_hits 3
Not a safe thing to do. That's severely lower than the default. Do
expect FPs. If you find yourself in the need to lower the threshold that
drastically, something else is wrong.
Also, that option is deprecated (inherited from some ancient conf, I
assume) and now listens to the name required_score.
> whitelist_from *@ideasclaro.com.pe
> whitelist_from *@surfcontrol.com
> whitelist_from *@inkanatura.com.pe
*Lots* more snipped. If you need that much whitelisting, it indicates
there is a problem -- in this case, my guess can be seen above. Your
required_score threshold is too low, and thus you need to whitelist more
and more legit senders...
Even worse, you are using the un-constrained variant. Do NOT do that,
unless as a last resort. If you need whitelisting at all, do use at
least the *_rcvd variant, if not the auth'ed ones.
In particular: DO NOT whitelist_from your own domain! If you do, a *lot*
of spam will sail right through. Spammers love to pretend sending from
your domain.
> header _LOCAL_I_HATE_VIAGRA Subject =~ /V.?[i1].?[a\@].?g.?[\@a]?.?r.?[\@a]/i
> describe _LOCAL_I_HATE_VIAGRA viagra
> score _LOCAL_I_HATE_VIAGRA 100.0
Funny. Can't even recall when the last spam like that got through. Do
you really need such rules?
Maybe your Bayes is severely mis-trained? Or maybe you need that to
counter the whitelist_from for pills spam pretending to be sent from
your own domain. The score sure hints at that...
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}