Re: Scoring Issues
On 26 Jan 2018, at 17:47 (-0500), Computer Bob wrote:

> My understanding is that spamassassin is configured for razor and uribl.
> amavisd-new is configured to call spamassassin so is spamassassin not doing the sub calls ?

Not exactly. The command-line 'spamassassin' script is written in Perl and it uses various Perl modules in the Mail::SpamAssassin::* tree. Amavisd-new also uses Mail::SpamAssassin::* modules but it does NOT use the spamassassin script or any other command-line tool. The effect of this is that it is possible for amavisd-new and spamassassin to use different configurations for the Mail::SpamAssassin::* modules. It is clear that this is happening on your system.

> I see no docs on configuring razor directly in amavis.
> If you could tell me what to look for it would be appreciated.

Unfortunately, I can't help with amavisd-new because I don't use it. However, it is certain that it is using its own oddball config because these scores are ridiculous:

>> tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,

It's madness to give SPF_HELO_PASS or SPF_PASS significant scores on their own. Neither should have a score outside of the -0.01 to 0.01 range: SPF is informative but not probative. These rules somehow got set intentionally to sabotage-level scores somewhere that only the amavisd-new process is looking.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Re: Unchecked ??? [Was: Can't locate object method "trim_domain"]
On Fri, 26 Jan 2018, Ian Zimmerman wrote:

> What is this ***UNCHECKED*** goo in the subjects? Has someone played
> with the list manager configuration?

That was probably a side effect of the ClamAV problem, that has been fixed.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The third basic rule of firearms safety:
Keep your booger hook off the bang switch!
---
Tomorrow: the 51st anniversary of the loss of Apollo 1
Unchecked ??? [Was: Can't locate object method "trim_domain"]
What is this ***UNCHECKED*** goo in the subjects? Has someone played with the list manager configuration?

--
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.
Re: Scoring Issues
On Fri, 26 Jan 2018, John Hardin wrote:

> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>>     M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no

Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering.

Who set up amavis with that kind of idiocy?

--
Dave Funk    University of Iowa
College of Engineering
319/335-5751    FAX: 319/384-0549    1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
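
Added example (not part of any list message, and not SpamAssassin or amavisd-new code): a small script that compares the two X-Spam-Status headers posted in this thread, listing the network rules that only the command-line scan hit and the SPF rules scored outside the -0.01 to 0.01 range Bill Cole gives. The header values are copied from the thread and unfolded; classifying network rules by name prefix is an assumption of this example.

```python
import re

# Constructed input: the two X-Spam-Status values quoted in this thread,
# unfolded onto one logical line each.
AMAVIS_STATUS = (
    "No, score=-1.999 tagged_above=- required=5 tests=[HTML_MESSAGE=0.001, "
    "SPF_HELO_PASS=-1, SPF_PASS=-1, T_REMOTE_IMAGE=0.01, "
    "T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no"
)
CLI_STATUS = (
    "Yes, score=23.0 required=4.0 tests=DKIM_SIGNED, "
    "RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,"
    "T_DKIM_INVALID, URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM "
    "autolearn=no autolearn_force=no version=3.4.0"
)

# Assumption of this example: network-dependent rules are recognised by
# their name prefix only.
NETWORK_PREFIXES = ("RAZOR2_", "URIBL_", "RCVD_IN_", "DCC_", "PYZOR_")
# The SPF score range given by Bill Cole in this thread: -0.01 to 0.01.
SPF_LIMIT = 0.01


def parse_status(value):
    """Parse an X-Spam-Status value in either the amavisd-new form
    (tests=[NAME=score, ...]) or the spamassassin form (tests=NAME,NAME)."""
    value = re.sub(r"\s+", " ", value.strip())  # undo header folding
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", value)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", value)
    listed = (re.search(r"\btests=\[([^\]]*)\]", value)
              or re.search(r"\btests=(.*?)(?= \w+=|$)", value))
    tests = {}
    for item in (listed.group(1).split(",") if listed else []):
        name, _, points = item.strip().partition("=")
        if name and name != "none":
            # None means the header listed the rule without a score.
            tests[name] = float(points) if points else None
    return {
        "is_spam": value.startswith("Yes"),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": tests,
    }


def compare(mta, cli):
    """Report what the MTA-side scan lacks relative to the CLI scan."""
    only_cli = sorted(set(cli["tests"]) - set(mta["tests"]))
    oversized = {n: s for n, s in mta["tests"].items()
                 if n.startswith("SPF_") and s is not None
                 and abs(s) > SPF_LIMIT}
    scored = [s for s in mta["tests"].values() if s is not None]
    return {
        "network_rules_missing": [n for n in only_cli
                                  if n.startswith(NETWORK_PREFIXES)],
        "mta_ran_network_rules": any(n.startswith(NETWORK_PREFIXES)
                                     for n in mta["tests"]),
        "oversized_spf": oversized,
        # Per-rule scores should add up to the header's own score.
        "per_rule_sum": round(sum(scored), 3),
        "score_without_spf": round(mta["score"] - sum(oversized.values()), 3),
    }


if __name__ == "__main__":
    report = compare(parse_status(AMAVIS_STATUS), parse_status(CLI_STATUS))
    for key, val in report.items():
        print(f"{key}: {val}")
```

On these two headers the SPF credit accounts for 2.0 of the -1.999, and the amavisd-new scan shows no Razor, URIBL or DNSBL hits at all, so both the scores and the missing network rules need checking in the configuration amavisd-new loads.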
Re: From name containing a spoofed email address
On Fri, 2018-01-26 at 16:26 -0600, sha...@shanew.net wrote:
> Just a hunch, but did you make sure to add the "$self->register..."
> line inside the "sub new {" block with all the others in
> HeaderEval.pm?
>
Yep, sure did, thanks for that. All is well now.
>
> On Fri, 26 Jan 2018, Chris wrote:
>
> > On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> >> This is my current solution for a problem that has been discussed
> >> many times in this list.
> >> I wrote it last year, and it serves me well. Feel free to use it, if
> >> you find it useful.
> >>
> >> This part goes into your local.cf:
> >>
> >> header __F_DM1 eval:from_domains_mismatch()
> >> header __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> >> meta F_DM ( __F_DM1 && ! __F_DM2 )
> >> describe F_DM From:name domain mismatches From:addr domain
> >> priority F_DM -1
> >> score F_DM 5.0
> >>
> >> This part goes into the general HeaderEval.pm:
> >>
> >> $self->register_eval_rule("from_domains_mismatch");
> >> [...]
> >> sub from_domains_mismatch {
> >>   my ($self, $pms) = @_;
> >>   my $temp;
> >>   $temp = $pms->get('From:addr');
> >>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
> >>   $temp = $pms->get('From:name');
> >>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
> >>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
> >>   if ( $fromNameDomain eq "" ) {
> >>     return 0; # all well
> >>   } else {
> >>     if( $fromNameDomain eq $fromAddrDomain ) {
> >>       return 0; # all well, they match
> >>     } else {
> >>       return 1; # mismatch, possibly spam
> >>     }
> >>   }
> >> }
> >>
> >> R.G.
> >>
> > Just for the heck of it I added the above to my SpamAssassin setup at
> > home. However my syslog shows:
> >
> > rules: failed to run __F_DM1 test, skipping:
> > (Can't locate object method "from_domains_mismatch" via package "Mail:
> > [...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)
> >
> > I did restart SA after adding this. SA version 3.4.1
> >
> >
>
> --
> Public key #7BBC68D9 at            | Shane Williams
> http://pgp.mit.edu/                | System Admin - UT CompSci
> =--+---
> All syllogisms contain three lines | sha...@shanew.net
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:48:06 up 8:35, 1 user, load average: 0.42, 0.38, 0.39
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic
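
Added example (not part of any list message and not SpamAssassin code): the From:name versus From:addr comparison from the quoted rule, written as a stand-alone Python function so its behaviour can be checked on sample headers. It goes slightly beyond the posted Perl by lower-casing both domains and stopping the display-name match at brackets and trailing punctuation; the exemption pattern is the one from the quoted __F_DM2 rule, and all sample names and addresses are constructed.

```python
import re

# Same exemption as the quoted __F_DM2 rule (certified-mail providers).
EXEMPT_ADDR = re.compile(r"@(pec|legalmail|telecompost)(\.[^.]+)?\.it")
# Like the quoted From:name pattern, but also stops at <, >, ( and ).
NAME_DOMAIN = re.compile(r"@([^@\"\s<>()]+)")


def name_domain(from_name):
    """Domain of the first address-like token in the display name, or ''."""
    m = NAME_DOMAIN.search(from_name or "")
    return m.group(1).rstrip(".,;:'").lower() if m else ""


def addr_domain(from_addr):
    """Domain part of the real From address, lower-cased, or ''."""
    _local, at, domain = (from_addr or "").strip().rpartition("@")
    return domain.lower() if at else ""


def from_domains_mismatch(from_name, from_addr):
    """True when the display name shows a domain other than the sender's."""
    shown, real = name_domain(from_name), addr_domain(from_addr)
    if not shown or not real:
        return False                    # nothing to compare
    if EXEMPT_ADDR.search(from_addr):
        return False                    # meta F_DM: __F_DM1 && ! __F_DM2
    return shown != real


# Constructed samples: (From:name, From:addr).
SAMPLES = [
    ("Alice Example", "alice@example.org"),                # no domain in name
    ("ceo@bank.example", "x9@mailer.invalid"),             # spoofed name
    ("Support@Example.ORG", "support@example.org"),        # differs by case
    ("Bank <ceo@bank.example>", "ceo@bank.example"),       # bracket in name
    ("billing@bank.example.", "billing@bank.example"),     # trailing dot
    ("ceo@bank.example", "user@pec.it"),                   # exempt sender
]


def run_samples():
    """Verdict for each constructed sample, in order."""
    return [from_domains_mismatch(name, addr) for name, addr in SAMPLES]


if __name__ == "__main__":
    for (name, addr), hit in zip(SAMPLES, run_samples()):
        print(f"{'MISMATCH' if hit else 'ok':8}  {name!r:32} {addr}")
```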
Re: Scoring Issues
My understanding is that spamassassin is configured for razor and uribl.
amavisd-new is configured to call spamassassin so is spamassassin not doing the sub calls ?
I see no docs on configuring razor directly in amavis.
If you could tell me what to look for it would be appreciated.

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>>     M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
Re: Scoring Issues
Ok, I will look now, what am I looking for ?

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>>     M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
Re: Scoring Issues
I did not think so, but will check another day. 15 hours is enough for today.

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>>     M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
Re: From name containing a spoofed email address
Just a hunch, but did you make sure to add the "$self->register..." line inside the "sub new {" block with all the others in HeaderEval.pm?

On Fri, 26 Jan 2018, Chris wrote:

> On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
>> This is my current solution for a problem that has been discussed
>> many times in this list.
>> I wrote it last year, and it serves me well. Feel free to use it, if
>> you find it useful.
>>
>> This part goes into your local.cf:
>>
>> header __F_DM1 eval:from_domains_mismatch()
>> header __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
>> meta F_DM ( __F_DM1 && ! __F_DM2 )
>> describe F_DM From:name domain mismatches From:addr domain
>> priority F_DM -1
>> score F_DM 5.0
>>
>> This part goes into the general HeaderEval.pm:
>>
>> $self->register_eval_rule("from_domains_mismatch");
>> [...]
>> sub from_domains_mismatch {
>>   my ($self, $pms) = @_;
>>   my $temp;
>>   $temp = $pms->get('From:addr');
>>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
>>   $temp = $pms->get('From:name');
>>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
>>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>>   if ( $fromNameDomain eq "" ) {
>>     return 0; # all well
>>   } else {
>>     if( $fromNameDomain eq $fromAddrDomain ) {
>>       return 0; # all well, they match
>>     } else {
>>       return 1; # mismatch, possibly spam
>>     }
>>   }
>> }
>>
>> R.G.
>
> Just for the heck of it I added the above to my SpamAssassin setup at
> home. However my syslog shows:
>
> rules: failed to run __F_DM1 test, skipping:
> (Can't locate object method "from_domains_mismatch" via package "Mail:
> [...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)
>
> I did restart SA after adding this. SA version 3.4.1

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT CompSci
=--+---
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: Scoring Issues
On Fri, 26 Jan 2018, b...@inter-control.com wrote:

> Oh, here is the X-SPAM status from the command line:
>
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>     M1-2.dettenwanger.inter-control.com
> X-Spam-Flag: YES
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>     version=3.4.0
> MIME-Version: 1.0
>
> Bob

RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?

> On 1/26/18 2:48 PM, David Jones wrote:
>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>> The headers that get through are usually along the lines of:
>>>
>>> X-Spam-Flag: NO
>>> X-Spam-Score: -1.999
>>> X-Spam-Level:
>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>     autolearn_force=no

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Venezuela is busy reaping the benefits of Socialism: in one year 75% of the population has, on average, lost 19 pounds due to insufficient food, and 82% of households are below the poverty line. (2016 Venezuelan "Living Conditions Survey")
---
Tomorrow: Wolfgang Amadeus Mozart's 262nd Birthday
Re: From name containing a spoofed email address
On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> This is my current solution for a problem that has been discussed
> many times in this list.
> I wrote it last year, and it serves me well. Feel free to use it, if
> you find it useful.
>
> This part goes into your local.cf:
>
> header __F_DM1 eval:from_domains_mismatch()
> header __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> meta F_DM ( __F_DM1 && ! __F_DM2 )
> describe F_DM From:name domain mismatches From:addr domain
> priority F_DM -1
> score F_DM 5.0
>
> This part goes into the general HeaderEval.pm:
>
> $self->register_eval_rule("from_domains_mismatch");
> [...]
> sub from_domains_mismatch {
>   my ($self, $pms) = @_;
>   my $temp;
>   $temp = $pms->get('From:addr');
>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
>   $temp = $pms->get('From:name');
>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>   if ( $fromNameDomain eq "" ) {
>     return 0; # all well
>   } else {
>     if( $fromNameDomain eq $fromAddrDomain ) {
>       return 0; # all well, they match
>     } else {
>       return 1; # mismatch, possibly spam
>     }
>   }
> }
>
> R.G.
>
Just for the heck of it I added the above to my SpamAssassin setup at home. However my syslog shows:

rules: failed to run __F_DM1 test, skipping:
(Can't locate object method "from_domains_mismatch" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)

I did restart SA after adding this. SA version 3.4.1

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:53:56 up 7:41, 1 user, load average: 0.42, 0.71, 0.69
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic
Re: ***UNCHECKED*** Can't locate object method "trim_domain"
On 01/26/18 19:06, Dave Wreski wrote:
> Hi, while learning an mbox on a recent 3.4.2 svn:
>
> # sa-learn --spam --progress --mbox junk-012618
> 28% [== ] 5.53 msgs/sec 00m44s LEFT
> Use of uninitialized value in lc at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 205.
> plugin: eval failed: Can't locate object method "trim_domain" via package "elo...@netvisio.com" (perhaps you forgot to load "elo...@netvisio.com"?) at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 230.
> 97% [= ] 1.71 msgs/sec 01m34s DONE
> Learned tokens from 162 message(s) (162 message(s) examined)
>
> 227   # keep IPs intact
> 228   if ($uri !~ /^\d+\.\d+\.\d+\.\d+$/) {
> 229     # get rid of hostname part of domain, understanding delegation
> 230     $uri = $self->trim_domain($uri);
> 231
> 232     # ignore invalid domains
> 233     return unless ($self->is_domain_valid($uri));
> 234   }
>
> I've searched through bugzilla and haven't found anything similar. Is this a
> known issue? I can provide the message that produced this error off-list if
> necessary.
>
Please send the offending message to me, I will take a look.

Thanks & Cheers
Giovanni
Re: Scoring Issues
On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
> Greetings to all,
>
> I have an issue with my setup somehow and it may be in amavis-new, most spam gets detected and dealt with, some gets through and the scoring seems odd.
>
> The headers that get through are usually along the lines of:
>
> X-Spam-Flag: NO
> X-Spam-Score: -1.999
> X-Spam-Level:
> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>     autolearn_force=no
>
> If I run the email through on the command line with:
>
> cat {mailfile} | spamassassin -D -t
>
> it always scores correctly and considers it spam. The example mail above actually scored 32.2 on the command line.
>
> I am running:
>
> Ubuntu 14.04.5
> Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
> amavisd-new-2.7.1 (20120429)
> ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
> Anti-Virus scanner version: 13.0.3114
> SpamAssassin version 3.4.0 running on Perl version 5.18.2
>
> I have looked over amavis-new configs and cannot find anything out of order. I don't understand how can most get caught and some get treated as this ? I must be missing something.

A couple of common possibilities going on here:

1. Make sure you run the command line above as the same user as amavisd-new is using to ensure you are using the same SA configuration.

2. How long ago did it score -1.999? If hours have gone by, other things like RBLs and DCC can start hitting and cause the score to now be 32.2. We would need to see the X-Spam-Status output of the 32.2 score to have an idea.

--
David Jones
Scoring Issues
Greetings to all,

I have an issue with my setup somehow and it may be in amavis-new, most spam gets detected and dealt with, some gets through and the scoring seems odd.

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
    tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
    T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
    autolearn_force=no

If I run the email through on the command line with:

cat {mailfile} | spamassassin -D -t

it always scores correctly and considers it spam. The example mail above actually scored 32.2 on the command line.

I am running:

Ubuntu 14.04.5
Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
amavisd-new-2.7.1 (20120429)
ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
Anti-Virus scanner version: 13.0.3114
SpamAssassin version 3.4.0 running on Perl version 5.18.2

I have looked over amavis-new configs and cannot find anything out of order. I don't understand how can most get caught and some get treated as this ? I must be missing something.
Re: New idea for stopping spam
On 01/26/2018 01:49 PM, Ted Mittelstaedt wrote:
> Hi All,
>
> OK I've been doing some sociological analysis of the spam I've been getting on my honeypot, Bayes feeder email boxes (dangerous, I know) and I've come up with what I think MIGHT be a way to fight spam that I wanted to run up the flagpole.
>
> We all know ONE basic thing about spam: Spammers send it BECAUSE IT WORKS. That is, it gets OPENED and read.
>
> Now obviously anyone reading this list probably has the smarts to not be reading spam. But we all know that SOMEONE must be reading it, otherwise the spammers would give up and find some other criminal activity to engage in because it wouldn't work.
>
> So, my idea on killing spam is this:
>
> 1) Build a "spam victim archetype" filter.
> 2) Feed titles of current news articles into it
> 3) Modify the output of high scoring current news articles into common spam titles.
> 4) Feed that into Bayes as spam.
>
> I think that when spammers create titles for spam, they MUST be already using a "spam victim archetype" program. For example, have you EVER gotten a piece of spam that said something like:
>
> "Doctors find that eating lots of green vegetables is healthy"
>
> or
>
> "Trump says if you work hard and save money you can be financially secure"
>
> By contrast how many times have we all gotten spam that says stuff like
>
> "Doctors find a food you can eat that makes you a stud in the bedroom"
>
> or
>
> "Learn Trumps secrets of making lots of money"
>
> Clearly, the spam victim archetype must LIKE titles that imply they can eat 200 pounds of sugar a day, have enormous junk that makes women jump all over them, and get a fat bank account by lying around and being a lazy-ass. They must DISLIKE titles that imply they can be thin and healthy with a moderate diet, and have to work hard to be financially secure.
>
> There's a PATTERN in there folks! There is definitely a pattern in spam titles. I think we can all see it and it must work because it's snaring people.
>
> I have noticed that spam tracks current events. When there are elections we get a ton of spam about elections. When Megyn Kelly leaves a job we get a ton of spams about that. Clearly the spammers must have realized they need to keep generating new grist for the mill they cannot re-use old spam titles and get a response.
>
> So, I think they are feeding titles of current events news stories into an AI program that has a victim archetype in it and what gets scored highly, is fed into a title bank then sent out the door.
>
> All we have to do is get there first - that is, develop the same victim archetype, feed it the same input from current events, and feed the output into the bayes learner in an effort to guess the titles the spammers are going to use BEFORE THEY USE THEM. We don't have to wait any longer to get the spams, we can stop them before the first one is received.
>
> Do you think this approach might work?
>
> Ted

I am pretty sure this is not how spammers come up with their emails. They have sweat shops that hand craft emails and they run them through many different mail filters until they score low. Then they send them out to some probing mailboxes that they control to see if they get through. Once they have a good zero-hour email, then they load up their botnets of compromised email accounts to blast it out as fast as they can before it gets detected and blocked by various technologies.

I don't think it's a simple matter of getting out in front of them with keyword blocking. They will just go around it if it's something global that can be tested against.

For example, the very good KAM.cf file is a highly recommended add-on to SA. Spammers can download it and use it too to work their way around it for a few hours until they are spotted and accounted for.

There are very smart people on this mailing list that know way more than I do about the spammer's workflow and practices. If it can be solved, then someone would have done it by now.

--
David Jones
Re: New idea for stopping spam
On Fri, 26 Jan 2018 11:49:07 -0800
Ted Mittelstaedt wrote:

[snip]
> Do you think this approach might work?

Not any better than Bayes. All your "spam archetype" examples are already easy to stop; we whack them all handily with Bayes. The annoying ones are more like:

Subject: hi
Subject: 'sup
Subject: Order #12345

etc.

Regards,

Dianne.
New idea for stopping spam
Hi All,

OK I've been doing some sociological analysis of the spam I've been getting on my honeypot, Bayes feeder email boxes (dangerous, I know) and I've come up with what I think MIGHT be a way to fight spam that I wanted to run up the flagpole.

We all know ONE basic thing about spam: Spammers send it BECAUSE IT WORKS. That is, it gets OPENED and read.

Now obviously anyone reading this list probably has the smarts to not be reading spam. But we all know that SOMEONE must be reading it, otherwise the spammers would give up and find some other criminal activity to engage in because it wouldn't work.

So, my idea on killing spam is this:

1) Build a "spam victim archetype" filter.
2) Feed titles of current news articles into it
3) Modify the output of high scoring current news articles into common spam titles.
4) Feed that into Bayes as spam.

I think that when spammers create titles for spam, they MUST be already using a "spam victim archetype" program. For example, have you EVER gotten a piece of spam that said something like:

"Doctors find that eating lots of green vegetables is healthy"

or

"Trump says if you work hard and save money you can be financially secure"

By contrast how many times have we all gotten spam that says stuff like

"Doctors find a food you can eat that makes you a stud in the bedroom"

or

"Learn Trumps secrets of making lots of money"

Clearly, the spam victim archetype must LIKE titles that imply they can eat 200 pounds of sugar a day, have enormous junk that makes women jump all over them, and get a fat bank account by lying around and being a lazy-ass. They must DISLIKE titles that imply they can be thin and healthy with a moderate diet, and have to work hard to be financially secure.

There's a PATTERN in there folks! There is definitely a pattern in spam titles. I think we can all see it and it must work because it's snaring people.

I have noticed that spam tracks current events. When there are elections we get a ton of spam about elections. When Megyn Kelly leaves a job we get a ton of spams about that. Clearly the spammers must have realized they need to keep generating new grist for the mill they cannot re-use old spam titles and get a response.

So, I think they are feeding titles of current events news stories into an AI program that has a victim archetype in it and what gets scored highly, is fed into a title bank then sent out the door.

All we have to do is get there first - that is, develop the same victim archetype, feed it the same input from current events, and feed the output into the bayes learner in an effort to guess the titles the spammers are going to use BEFORE THEY USE THEM. We don't have to wait any longer to get the spams, we can stop them before the first one is received.

Do you think this approach might work?

Ted
***UNCHECKED*** TEST TEST
*TEST message per moderator.*
***UNCHECKED*** Can't locate object method "trim_domain"
Hi, while learning an mbox on a recent 3.4.2 svn:

# sa-learn --spam --progress --mbox junk-012618
28% [== ] 5.53 msgs/sec 00m44s LEFT
Use of uninitialized value in lc at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 205.
plugin: eval failed: Can't locate object method "trim_domain" via package "elo...@netvisio.com" (perhaps you forgot to load "elo...@netvisio.com"?) at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 230.
97% [= ] 1.71 msgs/sec 01m34s DONE
Learned tokens from 162 message(s) (162 message(s) examined)

227   # keep IPs intact
228   if ($uri !~ /^\d+\.\d+\.\d+\.\d+$/) {
229     # get rid of hostname part of domain, understanding delegation
230     $uri = $self->trim_domain($uri);
231
232     # ignore invalid domains
233     return unless ($self->is_domain_valid($uri));
234   }

I've searched through bugzilla and haven't found anything similar. Is this a known issue? I can provide the message that produced this error off-list if necessary.