How do I filter out phishing email?
Hi guys,

Is there any way to filter out phishing emails using SpamAssassin? My current test email wasn't blocked and SA had a score of 0:

X-Unsubscribe:
From: Harold johnson globalsky...@aol.com
Sender: globalsky...@aol.com
Reply-To: globalsky...@aol.com
To: globalsky...@aol.com
Message-ID:
Subject: Hello - Reply asap.,
Return-Path: globalsky...@aol.com
List-Unsubscribe:
X-Complaints-To:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

Hello,

This is an awareness to let you know that we have a vacancy post of a Customer evaluator in our company and we would like to know your interest in working for Globalsky Inc Company. We are outsourcing for a new company and we have clients we are working with as regard's giving a better service to their customers.

Mystery shopping is a valuable customer service tool that has gained widespread acceptance in the retail, financial services and restaurant industries, and proves highly valuable to companies that use it to gain customer experience metrics. You will be evaluating the efficiency of a prominent money transfer services preferably westernunion or moneygram outlet in your neighborhood as regards sending and receiving money transfers. Kindly check out for one a store outlet you would like to evaluate, make sure the store and the outlet you choose are close to your area as much as possible, you will have to email the name and address of the location to us. Please note that you are to act Cool,Calm and Confident through out the period which you will be carrying out your survey at the store, in order not to arouse any suspicion. You would make use of their service by sending us a money transfer via their outlet with the funds we would provide for you.

You will write a report about the customer services, you will send your report back to us via Email, you will have to use the following pointers to prepare your report:

1) How long it took you to get services.
2) Ambiance/Outlook of the Shop/Outlet
3) Smartness of the attendant
4) Customer service professionalism
5) Reaction of personnel under pressure
6) Information that you think would be helpful
7) Your comments and impressions.

Your job would be quite effective and we would provide more details on the job as soon as you get back to us with the details requested. As a mystery shopper, you work and shop together for pleasure and the pay is 200.00 USD weekly on Part-time basis, you only work once or twice in a week. Payments will be mailed out to you per task, which you will expend in carrying out all that will be required of you including your Compensation and Transportation fee. All Other Instructions will be sent out to you as soon as Evaluation commences

Kindly provide the below information for assessment and registratration if you are interested.

Full Name
Address (Not P.O.Box )
City
State
Zip-Code
Phone Number
Present occupation
Age and Sex :

I will be looking forward to hearing from you.

Thank you
Survey Team
Global Sky inc
206-350-5956
Company | p.o.box 234 | malibu | CA | 90393 | US

--
View this message in context: http://old.nabble.com/How-do-I-filter-out-phishing-email--tp28243762p28243762.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: How do I filter out phishing email?
On 14.4.2010 17:54, yongke wrote:
> Hi guys
> Is there any way to filter out phishing emails using SpamAssassin? My current test email wasn't blocked and SA had a score of 0:

Your sample was not a real email with all headers, or so it looked. However, I sent it to my SA, and here is the result.

Content analysis details: (11.0 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM           Sender email is freemail (globalskyinc[at]aol.com)
-0.0 NO_RELAYS               Informational: message was not relayed via SMTP
 3.4 FILL_THIS_FORM_LONGBODY Fill in a form with personal information
 0.2 BAYES_50                BODY: Bayes spam probability is 40 to 60% [score: 0.5016]
 3.0 FROM_EQUALS_TO          From: and To: have the same username
 0.0 T_FILL_THIS_FORM        Fill in a form with personal information
-0.0 NO_RECEIVED             Informational: message has no Received headers
 1.4 MISSING_DATE            Missing Date: header
 3.0 AE_DETAILS_WITH_MONEY   Has form and mentions much money
 0.0 T_TO_NO_BRKTS_FREEMAIL  T_TO_NO_BRKTS_FREEMAIL

So it would have been caught here. But yes, there were no Received: headers and other important headers, so the result is not much good.

Have you trained your Bayes and run sa-update after installation?

--
http://www.iki.fi/jarif/

Q: What is orange and goes click, click?
A: A ball point carrot.
Re: How do I filter out phishing email?
yongke wrote:
> Hi guys
> Is there any way to filter out phishing emails using SpamAssassin? My current test email wasn't blocked and SA had a score of 0:
>
> [ Wire transfer scam email ]

This is a fairly innocuous email. There is not much there to key on. You could try adding rules for things like money transfer, Globalsky Inc, westernunion, moneygram, or maybe the phone number provided at the end.

--
Bowie
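As an added example (not code from the thread or from the SpamAssassin project), this is how Bowie's suggestion could be written as local.cf rules; the rule names and scores are assumptions, and the literal company/phone keys are deliberately kept low-scoring sub-rules because they will not survive the next wave.

```conf
# Added example for /etc/mail/spamassassin/local.cf; rule names and scores are
# assumptions, not SpamAssassin defaults. Check syntax with: spamassassin --lint
# Body rules run on the decoded, rendered text, so the quoted-printable soft
# line breaks (=20, "=" at end of line) in the sample do not get in the way.

# Money-transfer outlets named in the pitch. Tolerate "Western Union",
# "westernunion", "Money Gram" and similar spacing variants.
body      LOCAL_MONEY_XFER_OUTLET   /\b(?:western\s*union|money\s*gram)\b/i
describe  LOCAL_MONEY_XFER_OUTLET   Names a money-transfer outlet
score     LOCAL_MONEY_XFER_OUTLET   0.5

body      LOCAL_MYSTERY_SHOPPER     /\bmystery\s+shop(?:per|ping)\b/i
describe  LOCAL_MYSTERY_SHOPPER     Mystery-shopper recruitment pitch
score     LOCAL_MYSTERY_SHOPPER     0.5

# The sign-up form at the end: "Full Name" followed within a short span by a
# phone/zip/age field. /s lets "." cross line breaks; {0,300} bounds the scan.
body      LOCAL_PII_SIGNUP_FORM     /\bfull\s+name\b.{0,300}\b(?:phone\s+number|zip[\s-]*code|age\s+and\s+sex)\b/is
describe  LOCAL_PII_SIGNUP_FORM     Asks for name plus phone/zip/age in a reply form
score     LOCAL_PII_SIGNUP_FORM     0.5

# Literal keys from the sample (company name, callback number). Cheap to add but
# brittle: the next wave uses a different name and number, so keep them as
# low-scoring sub-rules rather than stand-alone blocking rules.
body      LOCAL_GLOBALSKY_NAME      /\bglobal\s*sky\b/i
score     LOCAL_GLOBALSKY_NAME      0.1
body      LOCAL_GLOBALSKY_PHONE     /\b206[-.\s]?350[-.\s]?5956\b/
score     LOCAL_GLOBALSKY_PHONE     0.1

# Combine the generic traits. FILL_THIS_FORM_LONGBODY, FROM_EQUALS_TO and
# FREEMAIL_FROM are stock rules that already fired on this sample in Jari's
# report, so reuse them instead of re-implementing them.
meta      LOCAL_MYSTERY_SHOPPER_SCAM  (LOCAL_MYSTERY_SHOPPER && LOCAL_MONEY_XFER_OUTLET && (LOCAL_PII_SIGNUP_FORM || FILL_THIS_FORM_LONGBODY))
describe  LOCAL_MYSTERY_SHOPPER_SCAM  Mystery-shopper pitch naming a transfer outlet and asking for personal details
score     LOCAL_MYSTERY_SHOPPER_SCAM  3.5

# Same pitch sent from a freemail account to itself: a separate bump so the
# generic meta above still works when the sender pattern changes.
meta      LOCAL_MYSTERY_SHOPPER_SELFSEND  (LOCAL_MYSTERY_SHOPPER_SCAM && FROM_EQUALS_TO && FREEMAIL_FROM)
score     LOCAL_MYSTERY_SHOPPER_SELFSEND  1.5
```

After editing, run spamassassin --lint, restart spamd, and re-test with the same spamc -R foo invocation used in the thread; a mock message still needs Date:, Message-ID: and Received: headers before the header-based scores mean anything.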
Re: How do I filter out phishing email?
On 14.4.2010 17:54, yongke wrote:
> Hi guys
> Is there any way to filter out phishing emails using SpamAssassin? My current test email wasn't blocked and SA had a score of 0:

Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score). Post the full email source to pastebin or such, and post the link to the list.

Thank you.

--
http://www.iki.fi/jarif/

Living your life is a task so difficult, it has never been attempted before.
flat file bayes locking issue and difference errors depending on file locking method
greetings :-)

config is centos4, SA 3.3.1 upgraded from SA 3.2.5

having spent the better part of two days searching as well as trying different configs and SA restarts, no good results

we do not have a hardware horsepower resource starvation issue

this machine does *not* use SQL for Spamassassin at this time

i have tried many different possible SPAMDOPTIONS for SA startup for regular and round-robin and thrown tons of hardware and software resources at the issue

in the /home/spamd/.spamassassin directory we have

bayes_journal
bayes_mutex
bayes_seen
bayes_toks

in reference to the error

spamd[30339]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

what is bayes_mutex ?

is bayes_seen necessary ? (i seem to recall it is not and can be deleted) if bayes_seen is large, isn't that the file we can delete and it will not make a difference?

i did back up the database using sa-learn before the upgrade... should i stop spamd, restore bayes info and then restart spamd ?

other options to preserve bayes?

...or should i stop SA, whack the files, and restart and retrain?

tia

- rh

notes:

when using flock as the file locking in /etc/mail/spamassassin/local.cf we get

spamd[2489]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
spamd[2489]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

when using default SA locking method we get this error

spamd[19334]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists
spamd[19337]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists
Re: How do I filter out phishing email?
Well, we send emails on behalf of clients, and so we are trying to catch phishing spam before they are sent out. Since the emails aren't sent yet, we had to generate a mock email for SA. The header in the example is what we THINK the headers will be when they are actually sent out.

When you tried it with your SA, I assume you didn't change any headers? If that's the case, then it should still work. I guess I didn't set up SA correctly?

Jari Fredriksson wrote:
> On 14.4.2010 17:54, yongke wrote:
>> Hi guys
>> Is there any way to filter out phishing emails using SpamAssassin? My current test email wasn't blocked and SA had a score of 0:
>
> Your sample was not a real email with all headers, or so it looked. However, I sent it to my SA, and here is the result.
>
> Content analysis details: (11.0 points, 5.0 required)
> [...]
>
> So it would have been caught here. But yes, there were no Received: headers and other important headers, so the result is not much good.
>
> Have you trained your Bayes and run sa-update after installation?
Re: How do I filter out phishing email?
Sorry, I'll stop that from now on.

Jari Fredriksson wrote:
> On 14.4.2010 17:54, yongke wrote:
>> [...]
>
> Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score). Post the full email source to pastebin or such, and post the link to the list.
>
> Thank you.
Match returned message headers on any NDR
Is there a consistent way to match whatever headers might be available in a returned message?

I've got one customer reporting backscatter spam, and while I've been able to create a number of rules that usually hit, they tend to fail on NDRs that are not properly formatted (eg, complete or headers-plus-a-bit original message attached as RFC822 message). I've had only very limited success using rawbody rules, and slightly more using the new(ish) mimeheader rule type. Unfortunately, something like a qmail NDR won't have any MIME parts to extract headers *from*... and I'd really prefer not to have to create three copies of each subrule in the set to target all the variations on where the matching text is.

The original spams seen so far are "Your order update" emails claiming to be from Amazon or Apple. The rules I've been creating match on the From and Subject headers from the original - no NDR arriving at any customer account here should ever be from Amazon or Apple.

-kgd
Re: How do I filter out phishing email?
On 14.4.2010 18:57, yongke wrote:
> Well, we send emails on behalf of clients, and so we are trying to catch phishing spam before they are sent out. Since the emails aren't sent yet, we had to generate a mock email for SA. The header in the example is what we THINK the headers will be when they are actually sent out.
>
> When you tried it with your SA, I assume you didn't change any headers? If that's the case, then it should still work. I guess I didn't set up SA correctly?

I did not change anything. And I think I have pretty default scores on the rules. I have the following rule sets in my channels:

updates.spamassassin.org
khop-bl.sa.khopesh.com
khop-blessed.sa.khopesh.com
khop-general.sa.khopesh.com
khop-sc-neighbors.sa.khopesh.com
sought.rules.yerp.org
90_2tld.cf.sare.sa-update.dostech.net

About those channels: http://khopesh.com/wiki/Anti-spam

--
http://www.iki.fi/jarif/

You can do very well in speculation where land or anything to do with dirt is concerned.
Re: How do I filter out phishing email?
Quoting Jari Fredriksson ja...@iki.fi:
> Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score).

Why are you scanning messages to the SA list? I do not for your reasoning.
Re: How do I filter out phishing email?
I am sorry, can you please explain what you mean by channels? I haven't changed anything at all from the install. The default ruleset is the one I use and my command is this:

spamc -R foo

where foo is the file with the email I posted.

Jari Fredriksson wrote:
> On 14.4.2010 18:57, yongke wrote:
>> [...]
>
> I did not change anything. And I think I have pretty default scores on the rules. I have the following rule sets in my channels:
> [...]
>
> About those channels: http://khopesh.com/wiki/Anti-spam
Re: How do I filter out phishing email?
Oh sorry, disregard my last reply. I looked it up on Google and found the FAQ on channels.

Jari Fredriksson wrote:
> On 14.4.2010 18:57, yongke wrote:
>> [...]
>
> I did not change anything. And I think I have pretty default scores on the rules. I have the following rule sets in my channels:
> [...]
>
> About those channels: http://khopesh.com/wiki/Anti-spam
Re: How do I filter out phishing email?
Quoting Jari Fredriksson ja...@iki.fi:
> On 14.4.2010 19:57, d.h...@yournetplus.com wrote:
>> Quoting Jari Fredriksson ja...@iki.fi:
>>> Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score).
>>
>> Why are you scanning messages to the SA list? I do not for your reasoning.
>
> Because currently I want to. I have a mechanism to skip mailing lists, any mailing list, and I used to use it earlier. But currently I do scan those, just to get data for AWL and bayes hammy tokens.

Understandable. All messages from the SA list should be hammy. I can't rightfully recall when a spam message came through to the SA list. I can't recall when a spam message came through to any list I'm on. There have been a few in the very distant past.
Re: Match returned message headers on any NDR
Quoting Michael Scheidell scheid...@secnap.net:
> On 4/14/10 12:21 PM, Kris Deugau wrote:
>> Is there a consistent way to match whatever headers might be available in a returned message?
>
> use the vbounce rules. google for sa and vbounce. its already done if you are using a newer version of SA. you need to specifically whitelist the outbound mail servers, and it can catch OOO and vacation messages (anything machine generated)

FYI: search from the SA wiki: http://wiki.apache.org/spamassassin/VBounceRuleset
Re: flat file bayes locking issue and difference errors depending on file locking method
Hi,

> spamd[30339]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
>
> what is bayes_mutex ?

Many years ago Matt wrote this post that describes it:
http://lists.mailscanner.info/pipermail/mailscanner/2004-November/043067.html

In short, a mutex is a MUTual EXclusion. It's used to lock access to some piece of data so you don't run into consistency problems where two different threads are both trying to update the same data and one winds up stomping on the changes of the other.

> is bayes_seen necessary ? (i seem to recall it is not and can be deleted) if bayes_seen is large, isn't that the file we can delete and it will not make a difference?

Here's a post from Matt quite a while ago where he says that it's okay to delete it, but doesn't really say what the implications are -- will you effectively then lose its ability to recognize patterns?
http://markmail.org/message/ju6424xy6r2doslb

> should i stop spamd, restore bayes info and then restart spamd ?

It sounds like you either have multiple copies of SA running at the same time, or lock files aren't being deleted after the process closes.

> other options to preserve bayes?

You could always shut down spamd, make a physical copy of it, then restart. You can also use sa-learn to back it up (--backup writes the dump to stdout):

# sa-learn --backup > /var/backup/bayes-backup.sa

> ...or should i stop SA, whack the files, and restart and retrain?

What is the actual problem you're having, outside of the locking errors? Or did I somehow miss that written in your post...

> spamd[2489]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

What's the status of the system? Are you sure the integrity of it (disks, RAM, etc) is sound? Have you run memtest?

> spamd[19334]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists

Have you stopped spamd, deleted these files, then restarted? They are just temporary lock files and should be refreshed and deleted as necessary.

Best,
Alex
RE: flat file bayes locking issue and difference errors depending on file locking method
> notes:
>
> when using flock as the file locking in /etc/mail/spamassassin/local.cf we get
>
> spamd[2489]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
> spamd[2489]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
>
> when using default SA locking method we get this error
>
> spamd[19334]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists
> spamd[19337]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists

:-)

apologies for replying to my own post...

things i forgot to mention and that we are still investigating...

the errors appear to be happening when SA is scanning longer than normal... ie, a normal scan used to only take a few seconds... these file locking errors *appear* to be happening when a scan takes 5 to 20 or more times longer

again, still investigating...

before we upgraded this machine from 3.2.5 to 3.3.1 scan times averaged 2 to 4 seconds per email

now, the average scan time is more like 8 to 12 seconds.

any pointers to newer default knobs and handles and buttons will be appreciated...

- rh
Re: How do I filter out phishing email?
I installed all the channels in your post but I still get the same score! Is there anything else I can do?

The commands I used are:

wget -qO - http://khopesh.com/sa/GPG.KEY http://yerp.org/rules/GPG.KEY \
  http://daryl.dostech.ca/sa-update/sare/GPG.KEY | sudo sa-update --import -
sudo gpg --keyring sa-update-keys/pubring.gpg --list-public-keys

sudo pico sa-update-keys.txt
  856AA88A
  6C6191E3
  E8B493D6

sudo pico sa-update-channels.txt
  updates.spamassassin.org
  khop-bl.sa.khopesh.com
  khop-blessed.sa.khopesh.com
  khop-general.sa.khopesh.com
  khop-sc-neighbors.sa.khopesh.com
  sought.rules.yerp.org
  90_2tld.cf.sare.sa-update.dostech.net

sa-update --channelfile sa-update-channels.txt --gpgkeyfile sa-update-keys.txt

Jari Fredriksson wrote:
> On 14.4.2010 18:57, yongke wrote:
>> [...]
>
> I did not change anything. And I think I have pretty default scores on the rules. I have the following rule sets in my channels:
> [...]
>
> About those channels: http://khopesh.com/wiki/Anti-spam
Re: Match returned message headers on any NDR
Michael Scheidell wrote:
> On 4/14/10 12:21 PM, Kris Deugau wrote:
>> Is there a consistent way to match whatever headers might be available in a returned message?
>
> use the vbounce rules. google for sa and vbounce. its already done if you are using a newer version of SA. you need to specifically whitelist the outbound mail servers, and it can catch OOO and vacation messages (anything machine generated)

*nod* And after a quick check, I've apparently had those rules active for quite a while. (In fact, one of the subrules for my metas is BOUNCE_MESSAGE.)

But they don't differentiate based on whatever original-message content may be available - and as a medium-sized ISP we're not in a position to arbitrarily block all NDRs. There are too many ways legitimate NDRs may come into our mail system in response to legitimate customer mail.

I'm looking for a way to match on that original-message content - after all, that's the real spam payload; the rest of the message is perfectly legitimate.

-kgd
Re: How do I filter out phishing email?
On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
> I installed all the channels in your post but I still get the same score! Is there anything else I can do?

Are you running with compiled rules? Then you need to recompile them.

Are you running a daemonized spamd or amavisd instance? You will need to restart it to load the new rules.

> The commands I used are:
> [...]
> sa-update --channelfile sa-update-channels.txt --gpgkeyfile sa-update-keys.txt

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Re: How do I filter out phishing email?
I don't think I am running compiled rules as I haven't changed any rules... I just used that channel thing. I have also restarted SA using the following command:

sudo /etc/init.d/spamassassin restart

Still the same result :(

McDonald, Dan wrote:
> On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
>> I installed all the channels in your post but I still get the same score! Is there anything else I can do?
>
> Are you running with compiled rules? Then you need to recompile them.
>
> Are you running a daemonized spamd or amavisd instance? You will need to restart it to load the new rules.
Re: How do I filter out phishing email?
On 14.4.2010 21:38, yongke wrote:
> I don't think I am running compiled rules as I haven't changed any rules... I just used that channel thing. I have also restarted SA using the following command:
>
> sudo /etc/init.d/spamassassin restart
>
> Still the same result :(

Clueless here, can't figure out anything...

--
http://www.iki.fi/jarif/

Q: How many IBM 370's does it take to execute a job?
A: Four, three to hold it down, and one to rip its head off.
Re: flat file bayes locking issue and difference errors depending on file locking method
> From: R-Elists list...@abbacomm.net
> Date: Wed, 14 Apr 2010 08:43:21 -0700
>
> having spent the better part of two days searching as well as trying different configs and SA restarts
>
> we do not have a hardware horsepower resource starvation issue
>
> in reference to the error
>
> spamd[30339]: bayes: cannot open bayes databases /home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

I'd guess that you have a bayes expire running that is either taking too long or not finishing and leaving lock files around.

Turn off bayes_auto_expire and use bayes_learn_to_journal. Add a cron job to periodically sa-learn --sync (say hourly) and another cron job to do sa-learn --force-expire (daily/weekly).

-jeff
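Jeff's split between journalled learning, a periodic sync and a scheduled expire, written out as an added example (not from the thread) against the /home/spamd/.spamassassin path from rh's post; the cron times, the lock-file path and the use of flock(1) are assumptions for this setup.

```conf
# Added example; settings and schedule are assumptions, not project defaults.

# --- /etc/mail/spamassassin/local.cf ---
# No expiry inside the scanning path and no direct bayes_toks writes from spamd:
# learning appends to bayes_journal, and a separate sa-learn --sync folds it in.
bayes_auto_expire      0
bayes_learn_to_journal 1

# --- crontab of the user that owns /home/spamd/.spamassassin (crontab -e as that
# user). Running these as root would leave root-owned lock and DB files behind,
# which the spamd user then cannot open R/W. flock(1) serialises the two jobs so
# a slow expire and the hourly sync never race for the same bayes_* lock; -n makes
# the sync skip a run instead of queueing while an expire is still in progress.
# --dbpath takes the bayes_path form (directory plus the "bayes" file prefix).
# m  h  dom mon dow  command
5    *  *   *   *    flock -n /home/spamd/bayes-cron.lock sa-learn --dbpath /home/spamd/.spamassassin/bayes --sync >/dev/null 2>&1
30   3  *   *   0    flock    /home/spamd/bayes-cron.lock sa-learn --dbpath /home/spamd/.spamassassin/bayes --force-expire >/dev/null 2>&1
```

If the "lock failed: File exists" lines keep appearing after this, look for a stale lock left by a killed expire before changing lock_method again.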
Re: Match returned message headers on any NDR
On 4/14/10 2:23 PM, Kris Deugau wrote:
> Michael Scheidell wrote:
>> On 4/14/10 12:21 PM, Kris Deugau wrote:
>>> Is there a consistent way to match whatever headers might be available in a returned message?
>>
>> use the vbounce rules. google for sa and vbounce. its already done if you are using a newer version of SA. you need to specifically whitelist the outbound mail servers, and it can catch OOO and vacation messages (anything machine generated)
>
> *nod* And after a quick check, I've apparently had those rules active for quite a while. (In fact, one of the subrules for my metas is BOUNCE_MESSAGE.)
>
> But they don't differentiate based on whatever original-message content may be available - and as a medium-sized ISP we're not in a position to arbitrarily block all NDRs. There are too many ways legitimate NDRs may come into our mail system in response to legitimate customer mail.
>
> I'm looking for a way to match on that original-message content - after all, that's the real spam payload; the rest of the message is perfectly legitimate.

yes, but they are disabled unless you have specific whitelists. the 'original-message content' you are looking for. vbounce rules are disabled, even if you enable them unless you also have this in *.cf

whitelist_bounce_relays {your outbound mail servers}

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/
Re: Match returned message headers on any NDR
On 4/14/2010 2:23 PM, Kris Deugau wrote:
> I'm looking for a way to match on that original-message content - after all, that's the real spam payload; the rest of the message is perfectly legitimate.

Despite conventional wisdom to the contrary, I have been training Bayes on bounces (both spam and ham) for years with at least semi-decent results when it comes to backscatter. That'd be one potential way to get at the original content (when it's available). But I'd advise against doing it blindly.

NB: For historical reasons, I use bogofilter rather than SA as my Bayesian engine.
Re: Match returned message headers on any NDR
Michael Scheidell wrote:
> yes, but they are disabled unless you have specific whitelists. the 'original-message content' you are looking for. vbounce rules are disabled, even if you enable them unless you also have this in *.cf
>
> whitelist_bounce_relays {your outbound mail servers}

As I said:

> *nod* And after a quick check, I've apparently had those rules active
> for quite a while. (In fact, one of the subrules for my metas is
> BOUNCE_MESSAGE.)

They're active, they're hitting, I can use them in metas to boost or control further custom rule hits... but I **CAN NOT** score them significantly higher than the default advisory scores.

I'm looking for ways to match *on the real spam content* - which unfortunately doesn't always include the spam body, and which I've observed hitting my extra, more-specific rules using mimeheader only on the bounces where the original is actually a proper RFC822 attachment, not some kind of inline garbage (which sometimes matches on body rules, sometimes on rawbody, and IIRC in one case didn't match any of them).

For instance:

mimeheader T_YOUR_ORDER_VIRUS_G Subject =~ /Apple (?:App)?-?Store Order (?:id:|\#)\d+-\d+/

This will only work if the bounce-generating system attaches some portion of the original as an RFC822 message; if the bounce was generated by qmail it fails. I don't want to have to maintain two (or more) copies of the same regex using different rule types.

I could swear there's another variation I've come across that neither rawbody *or* mimeheader will match, but I can't find an example at the moment.

-kgd
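As an added example (not kgd's rules or anything from the SpamAssassin project), this is one way to cover both NDR shapes from the thread while leaving vbounce's advisory score alone: the mimeheader form sees the headers of an attached message/rfc822 copy, the rawbody form sees a qmail-style inline copy, and a meta gated on BOUNCE_MESSAGE carries the score. Rule names and scores are assumptions; the regex is the one kgd posted.

```conf
# Added example for local.cf; rule names and scores are assumptions. SpamAssassin
# has no way to share one regex across rule types, so the pattern appears once
# per type, but only here, and everything else refers to the metas.

# Subject of the returned "Your order" original.
#  - mimeheader: headers of a message/rfc822 part (a properly attached original)
#  - rawbody:    decoded text parts with line breaks intact (inline copy); /m so
#                ^ anchors at each line, which is what makes "Subject:" a header
#                line rather than a mention in running text
mimeheader  __LOCAL_ORDER_SUBJ_MIME  Subject =~ /Apple (?:App)?-?Store Order (?:id:|\#)\d+-\d+/
rawbody     __LOCAL_ORDER_SUBJ_RAW   /^Subject:\s*Apple (?:App)?-?Store Order (?:id:|\#)\d+-\d+/m

# Claimed sender of the original, in the same two places. No NDR reaching a
# customer mailbox here should carry an original From: at amazon or apple.
mimeheader  __LOCAL_ORDER_FROM_MIME  From =~ /\@(?:amazon|apple)\.com\b/i
rawbody     __LOCAL_ORDER_FROM_RAW   /^From:.*\@(?:amazon|apple)\.com\b/im

meta  __LOCAL_ORDER_SUBJ  (__LOCAL_ORDER_SUBJ_MIME || __LOCAL_ORDER_SUBJ_RAW)
meta  __LOCAL_ORDER_FROM  (__LOCAL_ORDER_FROM_MIME || __LOCAL_ORDER_FROM_RAW)

# Score only a message vbounce already classifies as a bounce and whose returned
# original shows both traits. A genuine order confirmation is not a bounce, so it
# never reaches this rule, and plain third-party NDRs keep vbounce's low score.
meta      LOCAL_BACKSCATTER_FAKE_ORDER  (BOUNCE_MESSAGE && __LOCAL_ORDER_SUBJ && __LOCAL_ORDER_FROM)
describe  LOCAL_BACKSCATTER_FAKE_ORDER  NDR whose returned original is a fake Apple/Amazon order mail
score     LOCAL_BACKSCATTER_FAKE_ORDER  5.0
```

A single full rule (matched against the raw, undecoded message) would reduce each pair to one regex, at the cost of scanning the whole message and missing an original that arrives base64-encoded.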
Re: Match returned message headers on any NDR
Matt Garretson wrote:
> Despite conventional wisdom to the contrary, I have been training Bayes on bounces (both spam and ham) for years with at least semi-decent results when it comes to backscatter. That'd be one potential way to get at the original content (when it's available). But I'd advise against doing it blindly.

*nod* I've been doing the same for quite a while; on a much smaller mail system (~500 accounts at peak IIRC, SA2.63) I was seeing pretty good results for a while. Unfortunately I'm still experimenting with the Bayes settings on the much larger mail system, and a lot of reported missed-spam (NDR or otherwise) is found to have hit BAYES_50 originally.

-kgd
Re: Match returned message headers on any NDR
On 4/14/10 3:57 PM, Kris Deugau wrote:
> Michael Scheidell wrote:
>> yes, but they are disabled unless you have specific whitelists. the 'original-message content' you are looking for. vbounce rules are disabled, even if you enable them unless you also have this in *.cf
>>
>> whitelist_bounce_relays {your outbound mail servers}

i get NO backscatter here. case study for one of our clients, they got 50,000 spams a month (normally). they got joe jobbed. they started to get 5MM a month. (with no increase in backscatter reaching users. In fact, the client never knew.. until the next month when his DNS provider hit him with a huge overage bill for excessive DNS queries of his MX record.)

its mostly stopped by the vbounce rules, (we set the score to 10). but you have to keep up with sending servers, servers at partners who send on your behalf, etc.

(and, yes, it FP's on OOO and vacation messages)

that said, the default score, as you noticed is way too low.

--
Michael Scheidell, CTO
Re: Match returned message headers on any NDR
Michael Scheidell wrote:
> i get NO backscatter here. case study for one of our clients: they got 50,000 spams a month (normally). they got joe jobbed. they started to get 5MM a month. (with no increase in backscatter reaching users. In fact, the client never knew.. until the next month when his DNS provider hit him with a huge overage bill for excessive DNS queries of his MX record.)
> it's mostly stopped by the vbounce rules (we set the score to 10). but you have to keep up with sending servers, servers at partners who send on your behalf, etc.

... In other words, keep track of all of the third-party hosting systems our customers insist on forwarding their domain mail to their ISP account (ie, us) from? Not practical.

> (and, yes, it FP's on OOO and vacation messages)
> that said, the default score, as you noticed, is way too low.

Actually, it's just right for ISP usage; for the *third time*: I can't afford to block NDRs from third parties. Which is why I'm trying to match on the original-spam content.

If I were working with a corporate mail system, where I could impose restrictions on mail relay processing, publish a restrictive SPF record with -all, etc, etc... then yes, I could take the advice you're trying to push.

-kgd
RE: flat file bayes locking issue and difference errors depending on file locking method
> I'd guess that you have a bayes expire running that is either taking too long or not finishing and leaving lock files around.
>
> Turn off bayes_auto_expire and use bayes_learn_to_journal. Add a cron job to periodically sa-learn --sync (say hourly) and another cron job to do sa-learn --force-expire (daily/weekly)
>
> -jeff

thank you for the info and your time... :-)

we do have the bayes_auto_expire turned off and the forced expire is done at off peak hours once a day

- rh
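The maintenance Jeff describes (journal-only learning, hourly sync, a scheduled forced expire), as an added example that is not from the thread or from the SpamAssassin project: a POSIX shell script meant to be called from cron. `bayes_auto_expire`, `bayes_learn_to_journal`, `sa-learn --sync`, `--force-expire` and `--dbpath` are real SpamAssassin settings and options; the Bayes path, lock directory, install path in the crontab lines and the function names are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread or from SpamAssassin itself.
# Flat-file Bayes maintenance for a site that, as Jeff advises, has turned
# off bayes_auto_expire and learns to the journal: cron calls this script
# hourly with "sync" and once a day, off-peak, with "expire".
# BAYES_DIR, LOCK_DIR and the install path in the crontab lines are placeholders.

SA_LEARN="${SA_LEARN:-sa-learn}"
BAYES_DIR="${BAYES_DIR:-/var/lib/spamassassin/bayes}"
LOCK_DIR="${LOCK_DIR:-/var/lock/sa-bayes-maint}"

# local.cf directives that take expiry out of the scanning path.
bayes_cf() {
    printf '%s\n' 'bayes_auto_expire 0' 'bayes_learn_to_journal 1'
}

# Crontab lines: sync the journal hourly, expire nightly during off-peak hours.
bayes_crontab() {
    printf '%s\n' '17 * * * * /usr/local/sbin/sa-bayes-maint sync' \
                  '30 3 * * * /usr/local/sbin/sa-bayes-maint expire'
}

# Run one command under an atomic mkdir lock. A lock that is already held
# means the previous run (typically a slow expire) is still going, or died
# and left the lock behind, which is the symptom in the original post;
# refuse to pile a second run on top and let cron report the failure.
with_lock() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "lock $LOCK_DIR held; previous run still active or stale" >&2
        return 1
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT INT TERM
    if "$@"; then rc=0; else rc=$?; fi
    rmdir "$LOCK_DIR"
    trap - EXIT INT TERM
    return "$rc"
}

bayes_sync()   { "$SA_LEARN" --dbpath "$BAYES_DIR" --sync; }
bayes_expire() { "$SA_LEARN" --dbpath "$BAYES_DIR" --force-expire; }

case "${1:-}" in
    sync)   with_lock bayes_sync ;;
    expire) with_lock bayes_expire ;;
    config) bayes_cf; bayes_crontab ;;
    *)      echo "usage: $0 sync|expire|config" >&2 ;;
esac
```

Run it as the same user spamd uses for the Bayes database, or the files it touches will end up with the wrong owner and reproduce the locking errors from the subject line; `config` prints the directives and crontab lines so they can be reviewed before being installed.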
Re: How do I filter out phishing email?
On Wed, 14 Apr 2010, Jari Fredriksson wrote:
> Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score).

If you're running SA list emails through SA you deserve what you get. :)

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 When I say I don't want the government to do X, do not automatically assume that means I don't want X to happen.
---
 Today: the 145th anniversary of Lincoln's assassination
Re: How do I filter out phishing email?
On Wed, 14 Apr 2010, d.h...@yournetplus.com wrote:
> Quoting Jari Fredriksson ja...@iki.fi:
>> On 14.4.2010 19:57, d.h...@yournetplus.com wrote:
>>> Quoting Jari Fredriksson ja...@iki.fi:
>>>> Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score).
>>> Why are you scanning messages to the SA list? I do not for your reasoning.
>> Because currently I want to. I have a mechanism to skip mailing lists, any mailing list, and I used to use it earlier. But currently I do scan those, just to get data for AWL and bayes hammy tokens.
> Understandable. All messages from the SA list should be hammy.

A mailing list about spam detection shouldn't discuss actual samples of spam to detect?

The primary reason for posting samples to pastebin et al. is to prevent the mangling that sending them through the mail will inevitably cause.

-- 
 John Hardin KA7OHZ
Re: How do I filter out phishing email?
On 15.4.2010 0:32, John Hardin wrote:
> A mailing list about spam detection shouldn't discuss actual samples of spam to detect?

Of course it should.

> The primary reason for posting samples to pastebin et all is to prevent the mangling that sending them through the mail will inevitably cause.

Sure.

-- 
http://www.iki.fi/jarif/

You dialed 5483.
Re: Match returned message headers on any NDR
Matus UHLAR - fantomas wrote:
> On 14.04.10 16:16, Kris Deugau wrote:
>> ... In other words, keep track of all of the third-party hosting systems our customers insist on forwarding their domain mail to their ISP account (ie, us) from? Not practical.
>
> requiring your users to send mail through your mailservers when the From: is in your domains is the basic rule of blocking backscatter and implementing anti-forging techniques as SPF and/or DKIM. I'm afraid you just must do it (or maintain the lists) if you want to do something against this kind of problem.

*nod* I know it's coming, but the thought of how much trouble it'll be for tech support to guide customers through fixing up the relevant mail settings is good incentive to hold back; they have enough on their hands just getting basic settings in there in the first place, or checking existing settings. :(

Actually, that wouldn't be (directly) relevant to handling NDRs for customers deciding they want their domain mail forwarded from the third-party host here; the NDR will still come in to *our* mail system, relayed by the domain host.

I have yet to figure out why people think it's a good idea to relay mail from your domain host to your ISP account (especially when the two are different companies), but quite a few people do so. And go through the headaches every time they change ISPs.

-kgd
Re: flat file bayes locking issue and difference errors depending on file locking method
On 4/14/2010 4:59 PM, R-Elists wrote:
>> I'd guess that you have a bayes expire running that is either taking too long or not finishing and leaving lock files around.
>>
>> Turn off bayes_auto_expire and use bayes_learn_to_journal. Add a cron job to periodically sa-learn --sync (say hourly) and another cron job to do sa-learn --force-expire (daily/weekly)
>>
>> -jeff
>
> thank you for the info and your time... :-)
>
> we do have the bayes_auto_expire turned off and the forced expire is done at off peak hours once a day

That was going to be my guess, too. You're not swapping, or having some other i/o issue, are you?

/Jason
Re: How do I filter out phishing email?
> Still the same result :( Clueless here, can't figure out anything...

Jari, it's okay. It'll get better. Is there someone you can talk to about that? :-)

Best,
Alex
RE: flat file bayes locking issue and difference errors depending on file locking method
> That was going to be my guess, too. You're not swapping, or having some other i/o issue, are you?
>
> /Jason

no sir

I shut down spamassassin, backed it all up, dusted bayes, started spamassassin, retrained 200 plus of each... seems ok so far...

3.2.5 was working awesome overall, yet wanted to be able to move forward with the current stable dev (so to speak)

not happy about losing bayes, yet maybe it is time to migrate to SQL

I'm guessing that SA SQL setup is easy ??? anyone care to chime in?

- rh