Posted to users@spamassassin.apache.org by Robert Nicholson <ro...@gmail.com> on 2008/07/27 17:43:44 UTC
Solution for Disaster spam?
What have people been using to curtail some of the new disaster spam that's
quite common now?
I usually don't use BAYES
Things like
*Man killed by flying cocktail glass*
*A-rod dropped from team*
*Obama withdraws support for Israel*
[MAYBE SOLVED] Re: Solution for Disaster spam?
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hi *,
On 2008-08-01 19:28:44, Michelle Konzack wrote:
> Right, spamassassin scored the spams with only -0.8 to +1.9 and I had to
> install an additional procmail rule which now captures around 99.9% of
> it. But I should mention, that I get currently around 180.000 per day.
Since Saturday 2008-08-09 spamassassin is scoring the "Disaster spam"
with 5.3 and now it hits over 99.9% of the spams...
Gotten around 780.000 over the last two days...
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
RE: Solution for Disaster spam?
Posted by James Pratt <jp...@norwich.edu>.
> -----Original Message-----
> From: Michelle Konzack [mailto:linux4michelle@tamay-dogan.net]
> Sent: Friday, August 01, 2008 1:29 PM
> To: users@spamassassin.apache.org
> Subject: Re: Solution for Disaster spam?
>
> On 2008-08-01 07:07:59, Michał Jęczalik wrote:
> > On Sun, 27 Jul 2008, Robert Nicholson wrote:
> >
> > >What have people been using to curtail some of the new disaster spam
> > >that's quite common now?
> >
> > Well, indeed it was clamav that helped me. After upgrading to most
> > recent version, 95% of this spam disappeared. spamassassin was
> > helpless, scoring only BAYES_50 at most.
>
> Right, spamassassin scored the spams with only -0.8 to +1.9 and I had
> to install an additional procmail rule which now captures around 99.9%
> of it. But I should mention, that I get currently around 180.000 per day.
>
If you are running clamd/clamav, you can install the
anti-scam/phishing/spam signatures from
http://www.sanesecurity.com/clamav/usage.htm and you should not see
these any more.
Fri Aug 1 13:16:13 2008 ->
/var/spool/MIMEDefang/mdefang-m71HGDNr530135/Work/INPUTMBOX:
Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND
Regards,
jamie
Re: Solution for Disaster spam?
Posted by Michelle Konzack <li...@tamay-dogan.net>.
On 2008-08-01 07:07:59, Michał Jęczalik wrote:
> On Sun, 27 Jul 2008, Robert Nicholson wrote:
>
> >What have people been using to curtail some of the new disaster spam
> >that's quite common now?
>
> Well, indeed it was clamav that helped me. After upgrading to most recent
> version, 95% of this spam disappeared. spamassassin was helpless, scoring
> only BAYES_50 at most.
Right, spamassassin scored the spams with only -0.8 to +1.9 and I had to
install an additional procmail rule which now captures around 99.9% of
it. But I should mention, that I get currently around 180.000 per day.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: Solution for Disaster spam?
Posted by Michał Jęczalik <mi...@jeczalik.com>.
On Sun, 27 Jul 2008, Robert Nicholson wrote:
> What have people been using to curtail some of the new disaster spam that's quite common now?
Well, indeed it was clamav that helped me. After upgrading to most recent
version, 95% of this spam disappeared. spamassassin was helpless, scoring
only BAYES_50 at most.
--
Michał Jęczalik, +48.603.64.62.97
Re: Solution for Disaster spam?
Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Sun, 27 Jul 2008, Robert Nicholson wrote:
> What have people been using to curtail some of the new disaster spam that's
> quite common now?
> I usually don't use BAYES
>
> Things like
>
> *Man killed by flying cocktail glass*
> *A-rod dropped from team*
> *Obama withdraws support for Israel*
That's StormWorm spawn spew, not strictly speaking spam. Be that as it may
it's actually more dangerous than spam, Clueless Lluser clicks on the
link and are p0wn3d.
Here the botnet plugin pretty much always fires on those, SURBL/URIBL
pick them up soon after they start, RBLs such as CBL & SpamHaus
usually fire too.
Bottom line, network tests seem to be the best defense.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Solution for Disaster spam?
Posted by jdow <jd...@earthlink.net>.
From: "Jari Fredriksson" <ja...@iki.fi>
Sent: Sunday, 2008, July 27 09:03
> What have people been using to curtail some of the new
> disaster spam that's quite common now?
>
> I usually don't use BAYES
>
> Things like
>
> Man killed by flying cocktail glass
> A-rod dropped from team
> Obama withdraws support for Israel
Content preview: McCain suffers sudden heart attack during flight to oil rig
http://parapendiolestreghe.it/topnews.html [...]
Content analysis details: (21.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?147.236.238.35>]
1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: parapendiolestreghe.it]
0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: parapendiolestreghe.it]
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
4.0 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=147.236.238.35,rdns=autom-238-035.ladpc.co.il,maildomain=12go.nl,client,ipinhostname]
1.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
2.2 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
1.0 DIGEST_MULTIPLE Message hits more than one network digest check
<< jdow
Subject: Chris Matthews dies of too many thrills running up his leg
You may have won a life time supply to a libido enhancement pill
or any of 41,632 other valuable prizes. To qualify all you need
do is send $51.99 cash to our processing house and install <link>
this software so that you can participate in our botnet to make
better use of the <gasp> UNUSED CPU cycles on your machine thus
making it more efficient.
....
I bet they'd find a few hundred thousand people idiot enough to send
in their money and install the botnet.
{O,o} <- too many silly pills today.
Re: Solution for Disaster spam?
Posted by Jari Fredriksson <ja...@iki.fi>.
> What have people been using to curtail some of the new
> disaster spam that's quite common now?
>
> I usually don't use BAYES
>
> Things like
>
> Man killed by flying cocktail glass
> A-rod dropped from team
> Obama withdraws support for Israel
Content preview: McCain suffers sudden heart attack during flight to oil rig
http://parapendiolestreghe.it/topnews.html [...]
Content analysis details: (21.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?147.236.238.35>]
1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: parapendiolestreghe.it]
0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: parapendiolestreghe.it]
5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
4.0 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=147.236.238.35,rdns=autom-238-035.ladpc.co.il,maildomain=12go.nl,client,ipinhostname]
1.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.0 DIGEST_MULTIPLE Message hits more than one network digest check
Re: Solution for Disaster spam?
Posted by jdow <jd...@earthlink.net>.
From: "Arvid Ephraim Picciani" <ae...@ibcsolutions.de>
Sent: Sunday, 2008, July 27 08:53
On Sunday 27 July 2008 17:43:44 Robert Nicholson wrote:
> What have people been using to curtail some of the new disaster spam
> that's
> quite common now?
nothing. see my previous post ( "0 Points")
> I usually don't use BAYES
doesn't help anyway.
> Things like
>
> *Man killed by flying cocktail glass*
> *A-rod dropped from team*
> *Obama withdraws support for Israel*
Obama's family became victim of terrorist threats
Obama vows to win the elections so that he can bring daughters into the Oval
Kidney stealing ring busted
blablabla
yeah that kind of crap. The only thing you can do is wait until they used up
all their hacked relays and hacked websites. Their site is actually quite
good. might result in a bunch of new zombies around *sigh*
Uribl is quick enough so it catches 90% of those for me, for the rest you'll
just have to be patient.
The proper solution would be implementing a plugin that analyses the
referenced website. That would finally kill canadian pharmacy as well.
<< jdow
Greylisting?
{^_^}
Re: Solution for Disaster spam?
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Sunday 27 July 2008 17:43:44 Robert Nicholson wrote:
> What have people been using to curtail some of the new disaster spam that's
> quite common now?
nothing. see my previous post ( "0 Points")
> I usually don't use BAYES
doesn't help anyway.
> Things like
>
> *Man killed by flying cocktail glass*
> *A-rod dropped from team*
> *Obama withdraws support for Israel*
Obama's family became victim of terrorist threats
Obama vows to win the elections so that he can bring daughters into the Oval
Kidney stealing ring busted
blablabla
yeah that kind of crap. The only thing you can do is wait until they used up
all their hacked relays and hacked websites. Their site is actually quite
good. might result in a bunch of new zombies around *sigh*
Uribl is quick enough so it catches 90% of those for me, for the rest you'll
just have to be patient.
The proper solution would be implementing a plugin that analyses the
referenced website. That would finally kill canadian pharmacy as well.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani