Re: Scoring Issues

2018-01-26 Thread Bill Cole

On 26 Jan 2018, at 17:47 (-0500), Computer Bob wrote:

My understanding is that spamassassin is configured for razor and 
uribl.
amavisd-new is configured to call spamassassin so is spamassassin not 
doing the sub calls ?


Not exactly. The command-line 'spamassassin' script is written in Perl 
and it uses various Perl modules in the Mail::SpamAssassin::* tree. 
Amavisd-new also uses Mail::SpamAssassin::* modules but it does NOT use 
the spamassassin script or any other command-line tool.


The effect of this is that it is possible for amavisd-new and 
spamassassin to use different configurations for the 
Mail::SpamAssassin::* modules. It is clear that this is happening on 
your system.



I see no docs on configuring razor directly in amavis.
If you could tell me what to look for it would be appreciated.


Unfortunately, I can't help with amavisd-new because I don't use it. 
However, it is certain that it is using its own oddball config because 
these scores are ridiculous:



tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,


It's madness to give SPF_HELO_PASS or SPF_PASS significant scores on 
their own. Neither should have a score outside of the -0.01 to 0.01 
range: SPF is informative but not probative. These rules somehow got set 
intentionally to sabotage-level scores somewhere that only the 
amavisd-new process is looking.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
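
Added example (not part of the original message, and not code from SpamAssassin or amavisd-new): a small Perl script that diffs the rule hits in the two X-Spam-Status headers quoted in this thread, listing network rules that fired only on the command line and SPF pass rules scored outside the -0.01 to 0.01 range named above. The prefix list used to recognise network rules is an assumption.

```perl
#!/usr/bin/perl
# Added example: compare the X-Spam-Status header written under amavisd-new
# with the one produced by the command-line spamassassin run.
use strict;
use warnings;

# Header values as quoted in this thread (folded lines kept as posted).
my $amavis_status = <<'EOT';
No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no
EOT

my $cli_status = <<'EOT';
Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no
autolearn_force=no
    version=3.4.0
EOT

# Assumption: rule names with these prefixes depend on network lookups.
my $NETWORK_RULE = qr/^(?:RAZOR2_|URIBL_|RCVD_IN_|DCC_)/;

# Return { RULE => score } for one header value. The score is undef when the
# header lists bare rule names, as the command-line format does.
sub parse_tests {
    my ($header) = @_;
    (my $flat = $header) =~ s/\s+/ /g;    # unfold continuation lines
    $flat =~ s/,\s+/,/g;                  # "A, B" -> "A,B"

    my ($list) = $flat =~ /\btests=\[([^\]]*)\]/;             # tests=[A=1,B=2]
    ($list) = $flat =~ /\btests=(\S+)/ unless defined $list;  # tests=A,B
    return {} unless defined $list && $list ne 'none';

    my %tests;
    for my $item (split /,/, $list) {
        next unless length $item;
        my ($name, $score) = split /=/, $item, 2;
        $tests{$name} = $score;
    }
    return \%tests;
}

# Network rules present in the command-line result but absent under the MTA.
sub missing_network_rules {
    my ($mta, $cli) = @_;
    my @missing = sort grep { $_ =~ $NETWORK_RULE && !exists $mta->{$_} }
                       keys %$cli;
    return @missing;
}

# SPF pass rules whose score lies outside +/- $limit (default 0.01).
sub overweighted_spf {
    my ($tests, $limit) = @_;
    $limit //= 0.01;
    my @hits = sort grep {
        $_ =~ /^SPF_(?:HELO_)?PASS$/
            && defined $tests->{$_}
            && abs($tests->{$_}) > $limit
    } keys %$tests;
    return @hits;
}

my $amavis = parse_tests($amavis_status);
my $cli    = parse_tests($cli_status);

print "Network rules hit on the command line but not under amavisd-new:\n";
print "  $_\n" for missing_network_rules($amavis, $cli);

print "SPF pass rules scored outside +/-0.01 under amavisd-new:\n";
print "  $_=$amavis->{$_}\n" for overweighted_spf($amavis);
```

A non-empty first list is the symptom John Hardin asks about elsewhere in the thread; in amavisd-new the setting that turns SpamAssassin network tests off is `$sa_local_tests_only`.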


Re: Unchecked ??? [Was: Can't locate object method "trim_domain"]

2018-01-26 Thread John Hardin

On Fri, 26 Jan 2018, Ian Zimmerman wrote:


What is this ***UNCHECKED*** goo in the subjects?  Has someone played
with the list manager configuration?


That was probably a side effect of the ClamAV problem, that has been 
fixed.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The third basic rule of firearms safety:
  Keep your booger hook off the bang switch!
---
 Tomorrow: the 51st anniversary of the loss of Apollo 1


Unchecked ??? [Was: Can't locate object method "trim_domain"]

2018-01-26 Thread Ian Zimmerman
What is this ***UNCHECKED*** goo in the subjects?  Has someone played
with the list manager configuration?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.


Re: Scoring Issues

2018-01-26 Thread David B Funk

On Fri, 26 Jan 2018, John Hardin wrote:


On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no



Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS 
is nontrivial DainBRamage.


It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz 
thru that kind of filtering.


Who set up amavis with that kind of idiocy?

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 16:26 -0600, sha...@shanew.net wrote:
> Just a hunch, but did you make sure to add the "$self->register..."
> line inside the "sub new {" block with all the others in
> HeaderEval.pm?
> 
Yep, sure did, thanks for that. All is well now.

> 
> On Fri, 26 Jan 2018, Chris wrote:
> 
> > On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> >> This is my current solution for a problem that has been discussed
> >> many times in this list. 
> >> I wrote it last year, and it serves me well. Feel free to use it, if
> >> you find it useful. 
> >>
> >> This part goes into your local.cf:
> >>
> >> header   __F_DM1 eval:from_domains_mismatch()
> >> header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> >> meta   F_DM ( __F_DM1 && ! __F_DM2 )
> >> describe   F_DM From:name domain mismatches From:addr domain
> >> priority   F_DM -1
> >> score  F_DM 5.0
> >>
> >> This part goes into the general HeaderEval.pm:
> >>
> >> $self->register_eval_rule("from_domains_mismatch");
> >> [...]
> >> sub from_domains_mismatch {
> >>   my ($self, $pms) = @_;
> >>   my $temp;
> >>   $temp = $pms->get('From:addr');
> >>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
> >>   $temp = $pms->get('From:name');
> >>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
> >>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
> >>   if ( $fromNameDomain eq "" ) {
> >>  return 0; # all well
> >>   } else {
> >>  if( $fromNameDomain eq $fromAddrDomain ) {
> >>     return 0; # all well, they match
> >>  } else {
> >>     return 1; # mismatch, possibly spam
> >>  }
> >>   }
> >> }
> >>
> >> R.G.
> >>
> > Just for the heck of it I added the above to my SpamAssassin setup at
> > home. However my syslog shows:
> >
> > rules: failed to run __F_DM1 test, skipping:
> > (Can't locate object method "from_domains_mismatch" via package "Mail:
> > [...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)
> >
> > I did restart SA after adding this. SA version 3.4.1
> >
> >
> 
> -- 
> Public key #7BBC68D9 at    | Shane Williams
> http://pgp.mit.edu/    |  System Admin - UT CompSci
> =--+---
> All syllogisms contain three lines |  sha...@shanew.net
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:48:06 up 8:35, 1 user, load average: 0.42, 0.38, 0.39
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: Scoring Issues

2018-01-26 Thread Computer Bob

My understanding is that spamassassin is configured for razor and uribl.
amavisd-new is configured to call spamassassin so is spamassassin not 
doing the sub calls ?

I see no docs on configuring razor directly in amavis.
If you could tell me what to look for it would be appreciated.


On 1/26/18 4:20 PM, John Hardin wrote:

On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID, 

    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no






Re: Scoring Issues

2018-01-26 Thread Computer Bob

Ok, I will look now, what am I looking for ?

On 1/26/18 4:20 PM, John Hardin wrote:

On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID, 

    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no






Re: Scoring Issues

2018-01-26 Thread Computer Bob

I did not think so, but will check another day.
15 hours is enough for today.

On 1/26/18 4:20 PM, John Hardin wrote:

On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID, 

    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no






Re: From name containing a spoofed email address

2018-01-26 Thread shanew

Just a hunch, but did you make sure to add the "$self->register..."
line inside the "sub new {" block with all the others in HeaderEval.pm?


On Fri, 26 Jan 2018, Chris wrote:


On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:

This is my current solution for a problem that has been discussed
many times in this list. 
I wrote it last year, and it serves me well. Feel free to use it, if
you find it useful. 

This part goes into your local.cf:

header   __F_DM1 eval:from_domains_mismatch()
header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
meta   F_DM ( __F_DM1 && ! __F_DM2 )
describe   F_DM From:name domain mismatches From:addr domain
priority   F_DM -1
score  F_DM 5.0

This part goes into the general HeaderEval.pm:

$self->register_eval_rule("from_domains_mismatch");
[...]
sub from_domains_mismatch {
  my ($self, $pms) = @_;
  my $temp;
  $temp = $pms->get('From:addr');
  $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
  $temp = $pms->get('From:name');
  $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
  dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
  if ( $fromNameDomain eq "" ) {
 return 0; # all well
  } else {
 if( $fromNameDomain eq $fromAddrDomain ) {
    return 0; # all well, they match
 } else {
    return 1; # mismatch, possibly spam
 }
  }
}

R.G.


Just for the heck of it I added the above to my SpamAssassin setup at
home. However my syslog shows:

rules: failed to run __F_DM1 test, skipping:
(Can't locate object method "from_domains_mismatch" via package "Mail:
[...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)

I did restart SA after adding this. SA version 3.4.1




--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
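
Added example (not Rupert Gallagher's code and not part of SpamAssassin): the registration described in the reply above, shown as a separate plugin so that HeaderEval.pm stays unmodified. The package name `FromNameDomain`, the file path in the `loadplugin` comment and the helper `name_domain_mismatch` are hypothetical; the script assumes Mail::SpamAssassin is installed.

```perl
# FromNameDomain.pm: added example, hypothetical plugin name.
# Load it from a .pre or .cf file (the path is a placeholder):
#   loadplugin FromNameDomain /path/to/FromNameDomain.pm
# The local.cf rules quoted in the thread stay as posted, since the eval
# name from_domains_mismatch is unchanged.
package FromNameDomain;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);

    # The eval: name in a rule is only callable once it is registered here.
    # Without this line the rule fails with "Can't locate object method
    # "from_domains_mismatch" via package ...PerMsgStatus".
    $self->register_eval_rule("from_domains_mismatch");
    return $self;
}

# Return 1 when the display name embeds an address whose domain differs from
# the domain of the real From: address, 0 otherwise.
sub name_domain_mismatch {
    my ($addr, $name) = @_;
    return 0 unless defined $addr && defined $name;

    # Capture from the match itself: a failed match yields undef and cannot
    # pick up $1 from an earlier successful regex.
    my ($addr_dom) = $addr =~ /\@([^\s\@>]+)\s*$/;
    my ($name_dom) = $name =~ /\@([^\s\@"'<>()]+)/;
    return 0 unless defined $addr_dom && defined $name_dom;

    $name_dom =~ s/[.,;:]+$//;    # drop punctuation trailing the address
    # Domain names are case-insensitive, so compare lower-cased.
    return lc($addr_dom) eq lc($name_dom) ? 0 : 1;
}

# Eval rule entry point, called as: header __F_DM1 eval:from_domains_mismatch()
sub from_domains_mismatch {
    my ($self, $pms) = @_;
    my $addr = $pms->get('From:addr');
    my $name = $pms->get('From:name');
    my $hit  = name_domain_mismatch($addr, $name);
    dbg("FromNameDomain: addr=" . ($addr // '') . " name=" . ($name // '')
        . " mismatch=$hit");
    return $hit;
}

# "perl FromNameDomain.pm" runs the helper over constructed samples;
# nothing below executes when SpamAssassin loads the file as a plugin.
unless (caller) {
    my @samples = (    # constructed From: address / display-name pairs
        [ 'billing@example.net', 'support@example.com' ],        # other domain in name
        [ 'alice@example.com',   'Alice <alice@EXAMPLE.com>' ],  # same domain, other case
        [ 'bob@example.org',     'Bob Example' ],                # no address in name
    );
    for my $s (@samples) {
        printf "%-22s %-28s => %d\n", @$s, name_domain_mismatch(@$s);
    }
}

1;
```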

Re: Scoring Issues

2018-01-26 Thread John Hardin

On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Venezuela is busy reaping the benefits of Socialism:
  in one year 75% of the population has, on average, lost 19 pounds
  due to insufficient food, and 82% of households are below the
  poverty line. (2016 Venezuelan "Living Conditions Survey")
---
 Tomorrow: Wolfgang Amadeus Mozart's 262nd Birthday

Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> This is my current solution for a problem that has been discussed
> many times in this list. 
> I wrote it last year, and it serves me well. Feel free to use it, if
> you find it useful. 
> 
> This part goes into your local.cf:
> 
> header   __F_DM1 eval:from_domains_mismatch()
> header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> meta   F_DM ( __F_DM1 && ! __F_DM2 )
> describe   F_DM From:name domain mismatches From:addr domain
> priority   F_DM -1
> score  F_DM 5.0
> 
> This part goes into the general HeaderEval.pm:
> 
> $self->register_eval_rule("from_domains_mismatch");
> [...]
> sub from_domains_mismatch {
>   my ($self, $pms) = @_;
>   my $temp;
>   $temp = $pms->get('From:addr');
>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
>   $temp = $pms->get('From:name');
>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain = "$1";
>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>   if ( $fromNameDomain eq "" ) {
>  return 0; # all well
>   } else {
>  if( $fromNameDomain eq $fromAddrDomain ) {
>     return 0; # all well, they match
>  } else {
>     return 1; # mismatch, possibly spam
>  }
>   }
> }
> 
> R.G.
> 
Just for the heck of it I added the above to my SpamAssassin setup at
home. However my syslog shows:

rules: failed to run __F_DM1 test, skipping:
(Can't locate object method "from_domains_mismatch" via package "Mail:
[...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)

I did restart SA after adding this. SA version 3.4.1

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:53:56 up 7:41, 1 user, load average: 0.42, 0.71, 0.69
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: ***UNCHECKED*** Can't locate object method "trim_domain"

2018-01-26 Thread Giovanni Bechis
On 01/26/18 19:06, Dave Wreski wrote:
> Hi, while learning an mbox on a recent 3.4.2 svn:
> 
> # sa-learn --spam --progress --mbox junk-012618
>  28% [==  
>   ] 5.53 msgs/sec 00m44s LEFTUse of 
> uninitialized value in lc at 
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 205.
> plugin: eval failed: Can't locate object method "trim_domain" via package 
> "elo...@netvisio.com" (perhaps you forgot to load "elo...@netvisio.com"?) at 
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm line 230.
>  97% 
> [=
>     ]   1.71 msgs/sec 01m34s DONE
> Learned tokens from 162 message(s) (162 message(s) examined)
> 
>    227    # keep IPs intact
>    228    if ($uri !~ /^\d+\.\d+\.\d+\.\d+$/) {
>    229  # get rid of hostname part of domain, understanding delegation
>    230  $uri = $self->trim_domain($uri);
>    231
>    232  # ignore invalid domains
>    233  return unless ($self->is_domain_valid($uri));
>    234    }
> 
> I've searched through bugzilla and haven't found anything similar. Is this a 
> known issue? I can provide the message that produced this error off-list if 
> necessary.
> 
Please send the offending message to me, I will take a look.
 Thanks & Cheers
  Giovanni


Re: Scoring Issues

2018-01-26 Thread David Jones

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

Greetings to all,

I have an issue with my setup somehow and it may be in amavis-new, most 
spam gets detected and dealt with, some gets through and the scoring 
seems odd.

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no


If I run the email through on the command line with:
cat {mailfile} | spamassassin -D -t
it always scores correctly and considers it spam.
The example mail above actually scored 32.2 on the command line.

I am running:
Ubuntu 14.04.5
Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
amavisd-new-2.7.1 (20120429)
ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
Anti-Virus scanner version: 13.0.3114
SpamAssassin version 3.4.0
   running on Perl version 5.18.2

I have looked over amavis-new configs and cannot find anything out of order.
I don't understand how can most get caught and some get treated as this ?
I must be missing something.



A couple of common possibilities going on here:

1. Make sure you run the command line above as the same user as 
amavisd-new is using to ensure you are using the same SA configuration.


2. How long ago did it score -1.999?  If hours have gone by, other 
things like RBLs and DCC can start hitting and cause the score to now be 
32.2.  We would need to see the X-Spam-Status output of the 32.2 score 
to have an idea.


--
David Jones


Scoring Issues

2018-01-26 Thread b...@inter-control.com

Greetings to all,

I have an issue with my setup somehow and it may be in amavis-new, most 
spam gets detected and dealt with, some gets through and the scoring 
seems odd.

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no


If I run the email through on the command line with:
cat {mailfile} | spamassassin -D -t
it always scores correctly and considers it spam.
The example mail above actually scored 32.2 on the command line.

I am running:
Ubuntu 14.04.5
Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
amavisd-new-2.7.1 (20120429)
ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
Anti-Virus scanner version: 13.0.3114
SpamAssassin version 3.4.0
  running on Perl version 5.18.2

I have looked over amavis-new configs and cannot find anything out of order.
I don't understand how can most get caught and some get treated as this ?
I must be missing something.


Re: New idea for stopping spam

2018-01-26 Thread David Jones

On 01/26/2018 01:49 PM, Ted Mittelstaedt wrote:

Hi All,

OK I've been doing some sociological analysis of the spam I've been 
getting on my honeypot, Bayes feeder email boxes (dangerous, I know)
and I've come up with what I think MIGHT be a way to fight spam
that I wanted to run up the flagpole.

We all know ONE basic thing about spam:

Spammers send it BECAUSE IT WORKS.  That is, it gets OPENED and read.

Now obviously anyone reading this list probably has the smarts to
not be reading spam.  But we all know that SOMEONE must be reading it,
otherwise the spammers would give up and find some other criminal
activity to engage in because it wouldn't work.

So, my idea on killing spam is this:

1) Build a "spam victim archetype" filter.
2) Feed titles of current news articles into it
3) Modify the output of high scoring current news articles
into common spam titles.
4) Feed that into Bayes as spam.

I think that when spammers create titles for spam, they MUST be already 
using a "spam victim archetype" program.


For example, have you EVER gotten a piece of spam that said
something like:

"Doctors find that eating lots of green vegetables is healthy"
or
"Trump says if you work hard and save money you can be financially secure"

By contrast how many times have we all gotten spam that says
stuff like

"Doctors find a food you can eat that makes you a stud in the bedroom"
or
"Learn Trumps secrets of making lots of money"

Clearly, the spam victim archetype must LIKE titles that imply they
can eat 200 pounds of sugar a day, have enormous junk that makes
women jump all over them, and get a fat bank account by lying around
and being a lazy-ass.

They must DISLIKE titles that imply they can be thin and healthy with
a moderate diet, and have to work hard to be financially secure.

There's a PATTERN in there folks!  There is definitely a pattern in
spam titles.  I think we can all see it and it must work because it's
snaring people.

I have noticed that spam tracks current events.  When there are 
elections we get a ton of spam about elections.  When Megyn Kelly
leaves a job we get a ton of spams about that.  Clearly the
spammers must have realized they need to keep generating new
grist for the mill they cannot re-use old spam titles and get a
response.

So, I think they are feeding titles of current events news stories
into an AI program that has a victim archetype in it and what gets
scored highly, is fed into a title bank then sent out the door.

All we have to do is get there first - that is, develop the same
victim archetype, feed it the same input from current events,
and feed the output into the bayes learner in an effort to guess
the titles the spammers are going to use BEFORE THEY USE THEM.
We don't have to wait any longer to get the spams, we can stop them
before the first one is received.

Do you think this approach might work?

Ted


I am pretty sure this is not how spammers come up with their emails. 
They have sweat shops that hand craft emails and they run them through 
many different mail filters until they score low.  Then they send them 
out to some probing mailboxes that they control to see if they get 
through.  Once they have a good zero-hour email, then they load up their 
botnets of compromised email accounts to blast it out as fast as they 
can before it gets detected and blocked by various technologies.


I don't think it's a simple matter of getting out in front of them with 
keyword blocking.  They will just go around it if it's something global 
that can be tested against.


For example, the very good KAM.cf file is a highly recommended add-on to 
SA.  Spammers can download it and use it too to work their way around it 
for a few hours until they are spotted and accounted for.


There are very smart people on this mailing list that know way more than 
I do about the spammer's workflow and practices.  If it can be solved, 
then someone would have done it by now.


--
David Jones


Re: New idea for stopping spam

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 11:49:07 -0800
Ted Mittelstaedt  wrote:

[snip]

> Do you think this approach might work?

Not any better than Bayes.  All your "spam archetype" examples are
already easy to stop; we whack them all handily with Bayes.  The
annoying ones are more like:

Subject: hi
Subject: 'sup
Subject: Order #12345

etc.

Regards,

Dianne.


New idea for stopping spam

2018-01-26 Thread Ted Mittelstaedt

Hi All,

OK I've been doing some sociological analysis of the spam I've been 
getting on my honeypot, Bayes feeder email boxes (dangerous, I know)
and I've come up with what I think MIGHT be a way to fight spam
that I wanted to run up the flagpole.

We all know ONE basic thing about spam:

Spammers send it BECAUSE IT WORKS.  That is, it gets OPENED and read.

Now obviously anyone reading this list probably has the smarts to
not be reading spam.  But we all know that SOMEONE must be reading it,
otherwise the spammers would give up and find some other criminal
activity to engage in because it wouldn't work.

So, my idea on killing spam is this:

1) Build a "spam victim archetype" filter.
2) Feed titles of current news articles into it
3) Modify the output of high scoring current news articles
into common spam titles.
4) Feed that into Bayes as spam.

I think that when spammers create titles for spam, they MUST be already 
using a "spam victim archetype" program.


For example, have you EVER gotten a piece of spam that said
something like:

"Doctors find that eating lots of green vegetables is healthy"
or
"Trump says if you work hard and save money you can be financially secure"

By contrast how many times have we all gotten spam that says
stuff like

"Doctors find a food you can eat that makes you a stud in the bedroom"
or
"Learn Trumps secrets of making lots of money"

Clearly, the spam victim archetype must LIKE titles that imply they
can eat 200 pounds of sugar a day, have enormous junk that makes
women jump all over them, and get a fat bank account by lying around
and being a lazy-ass.

They must DISLIKE titles that imply they can be thin and healthy with
a moderate diet, and have to work hard to be financially secure.

There's a PATTERN in there folks!  There is definitely a pattern in
spam titles.  I think we can all see it and it must work because it's
snaring people.

I have noticed that spam tracks current events.  When there are 
elections we get a ton of spam about elections.  When Megyn Kelly
leaves a job we get a ton of spams about that.  Clearly the
spammers must have realized they need to keep generating new
grist for the mill they cannot re-use old spam titles and get a
response.

So, I think they are feeding titles of current events news stories
into an AI program that has a victim archetype in it and what gets
scored highly, is fed into a title bank then sent out the door.

All we have to do is get there first - that is, develop the same
victim archetype, feed it the same input from current events,
and feed the output into the bayes learner in an effort to guess
the titles the spammers are going to use BEFORE THEY USE THEM.
We don't have to wait any longer to get the spams, we can stop them
before the first one is received.

Do you think this approach might work?

Ted


***UNCHECKED*** TEST TEST

2018-01-26 Thread b...@inter-control.com

*TEST message per moderator.*


***UNCHECKED*** Can't locate object method "trim_domain"

2018-01-26 Thread Dave Wreski

Hi, while learning an mbox on a recent 3.4.2 svn:

# sa-learn --spam --progress --mbox junk-012618
 28% [== 
   ] 
5.53 msgs/sec 00m44s LEFTUse of uninitialized value in lc at 
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm 
line 205.
plugin: eval failed: Can't locate object method "trim_domain" via 
package "elo...@netvisio.com" (perhaps you forgot to load 
"elo...@netvisio.com"?) at 
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/RegistryBoundaries.pm 
line 230.
 97% 
[= 
   ]   1.71 msgs/sec 01m34s DONE

Learned tokens from 162 message(s) (162 message(s) examined)

   227    # keep IPs intact
   228    if ($uri !~ /^\d+\.\d+\.\d+\.\d+$/) {
   229      # get rid of hostname part of domain, understanding delegation
   230      $uri = $self->trim_domain($uri);
   231
   232      # ignore invalid domains
   233      return unless ($self->is_domain_valid($uri));
   234    }

I've searched through bugzilla and haven't found anything similar. Is 
this a known issue? I can provide the message that produced this error 
off-list if necessary.