Re: How do I filter out phishing email?

2010-04-21 Thread Micah Anderson
Jari Fredriksson ja...@iki.fi writes:

 On 14.4.2010 18:57, yongke wrote:
 
 Well, we send emails on behalf of clients, and so we are trying catch
 phishing spam before they are sent out.  Since the email aren't sent yet, we
 had to generate a mock email for SA.  The header in the example is what we
 THINK the headers will be when they are actually sent out.
 
 When you tried it with your SA, I assume you didn't change any headers?  If
 that's the case, then it should still work.  I guess I didn't setup SA
 correctly? 
 

 I did not change anything. And I think I have pretty default scores on
 the rules.

 I have following rule sets in my channels:


 90_2tld.cf.sare.sa-update.dostech.net

In a previous thread[0], it was mentioned that you should not be using the
above channel (or 90_3tld.cf) because these files have been merged into
3.3.1 and are released as 20_aux_tlds.cf

micah


0. http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/127703 



Re: How do I filter out phishing email?

2010-04-17 Thread Benny Pedersen

On fre 16 apr 2010 15:19:59 CEST, John Hardin wrote


Fix your glue to bypass SA on list-id and received.


when i need it i will, maillists that talk about spam also have ham so  
not a big problem for me to not fix it :=)


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: How do I filter out phishing email?

2010-04-16 Thread Benny Pedersen

On ons 14 apr 2010 23:28:38 CEST, John Hardin wrote
Please do not post spammy mail to the list (it poisons our Bayes  
with spammy tokens with hammy score).


If you're running SA list emails through SA you deserve what you get. :)


for sa 3.3.2 bayes_ignore_on_dkim_valid ? :)

bayes_ignore_to can be forged, same can dkim, ok i lose :=)


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: How do I filter out phishing email?

2010-04-16 Thread John Hardin

On Fri, 16 Apr 2010, Benny Pedersen wrote:


On ons 14 apr 2010 23:28:38 CEST, John Hardin wrote
 Please do not post spammy mail to the list (it poisons our Bayes with 
 spammy tokens with hammy score).


If you're running SA list emails through SA you deserve what you get. :)


for sa 3.3.2 bayes_ignore_on_dkim_valid ? :)

bayes_ignore_to can be forged, same can dkim, ok i lose :=)


Fix your glue to bypass SA on list-id and received.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Our government should bear in mind the fact that the American
  Revolution was touched off by the then-current government
  attempting to confiscate firearms from the people.
---
 3 days until the 235th anniversary of The Shot Heard 'Round The World


How do I filter out phishing email?

2010-04-14 Thread yongke

Hi guys

Is there any way to filter out phishing emails using spam assassin?  My
current test email wasn't blocked and SA had a score of 0:

X-Unsubscribe: 
From: Harold johnson globalsky...@aol.com 
Sender: globalsky...@aol.com
Reply-To: globalsky...@aol.com
To: globalsky...@aol.com
Message-ID: 
Subject: Hello - Reply asap.,
Return-Path: globalsky...@aol.com
List-Unsubscribe: 
X-Complaints-To: 
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
 charset=utf-8
 
 
Hello,=20
=20
This is an awareness to let you know that we have a vacancy post of a Custo=
mer evaluator in our company and we would like to know your interest in wor=
king for Globalsky Inc Company. We are outsourcing for a new company and we=
 have clients we are working with as regard's giving a better service to th=
eir customers.=20
=20
Mystery shopping is a valuable customer service tool that has gained widesp=
read acceptance in the retail, financial services and restaurant industries=
, and proves highly valuable to companies that use it to gain customer expe=
rience metrics. You will be evaluating the efficiency of a prominent money =
transfer services preferably westernunion  or moneygram outlet in your neig=
hborhood as regards sending and receiving money transfers. Kindly check out=
 for one a store outlet you would like to evaluate, make sure the store and=
 the outlet you choose are close to your area as much as possible, you will=
 have to email the name and address of the location to us. Please note that=
 you are to act Cool,Calm and Confident through out the period which you wi=
ll be carrying out your survey at the store, in order not to arouse any sus=
picion. You would make use of their service by sending us a money transfer =
via their outlet with the funds we would provide for you.=20
=20
You will write a report about the customer services, you will send your rep=
ort back to us via Email, you will have to use the following pointers to pr=
epare your report:=20
=20
1) How long it took you to get services.=20
2) Ambiance/Outlook of the Shop/Outlet=20
3) Smartness of the attendant=20
4) Customer service professionalism=20
5) Reaction of personnel under pressure=20
6) Information that you think would be helpful=20
7) Your comments and impressions.=20
=20
Your job would be quite effective and we would provide more details on the =
job as soon as you get back to us with the details requested. As a mystery =
shopper, you work and shop together for pleasure and the pay is 200.00 USD =
weekly on Part-time basis, you only work once or twice in a week. Payments =
will be mailed out to you per task, which you will expend in carrying out a=
ll that will be required of you including your Compensation and Transportat=
ion fee. All Other Instructions will be sent out to you as soon as Evaluati=
on commences=20
=20
Kindly provide the below information for assessment and registratration if =
you are interested.=20
=20
Full Name
Address (Not P.O.Box )
City
State
Zip-Code
Phone Number
Present occupation
Age and Sex :
=20
I will be looking forward to hearing from you.=20
=20
Thank you=20
Survey Team
Global Sky inc
206-350-5956
 
 
Company | p.o.box 234  | malibu | CA | 90393 | US

-- 
View this message in context: 
http://old.nabble.com/How-do-I-filter-out-phishing-email--tp28243762p28243762.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How do I filter out phishing email?

2010-04-14 Thread Jari Fredriksson
On 14.4.2010 17:54, yongke wrote:
 
 Hi guys
 
 Is there any way to filter out phishing emails using spam assassin?  My
 current test email wasn't blocked and SA had a score of 0:
 

Your sample was not a real email with all headers, or so it looked.

However, I sent to my SA, and here is the result.



Content analysis details:   (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is freemail
                            (globalskyinc[at]aol.com)
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 3.4 FILL_THIS_FORM_LONG    BODY: Fill in a form with personal information
 0.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5016]
 3.0 FROM_EQUALS_TO         From: and To: have the same username
 0.0 T_FILL_THIS_FORM       Fill in a form with personal information
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.4 MISSING_DATE           Missing Date: header
 3.0 AE_DETAILS_WITH_MONEY  Has form and mentions much money
 0.0 T_TO_NO_BRKTS_FREEMAIL T_TO_NO_BRKTS_FREEMAIL



So it would have been caught here.

But yes, there were no Received: -headers and other important headers,
so the result is not much good.

Have you trained your Bayes and made sa-update after installation?

-- 
http://www.iki.fi/jarif/

Q:  What is orange and goes click, click?
A:  A ball point carrot.





Re: How do I filter out phishing email?

2010-04-14 Thread Bowie Bailey
yongke wrote:
 Hi guys

 Is there any way to filter out phishing emails using spam assassin?
 My current test email wasn't blocked and SA had a score of 0:

 [ Wire transfer scam email ]

This is a fairly innocuous email.  There is not much there to key on.

You could try adding rules for things like money transfer, Globalsky
Inc, westernunion, moneygram, or maybe the phone number provided at
the end.

-- 
Bowie
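
One way to write the rules suggested above as a SpamAssassin local.cf fragment (an added example, not part of Bowie's message or of the stock rule set). The LOCAL_* rule names, the scores and the way the signals are combined are assumptions chosen for illustration; the brand names, company name and phone number are the ones in the sample posted in this thread.

```conf
# local.cf fragment (added example; rule names and scores are illustrative
# assumptions, not values from the thread or from the stock rules).

# Sub-rules: a name starting with "__" never scores on its own, so each
# signal can be tested without pushing legitimate mail over the threshold.
body  __LOCAL_XFER_BRAND   /\b(?:western\s?union|money\s?gram)\b/i
body  __LOCAL_XFER_PHRASE  /\bmoney\s+transfers?\b/i
body  __LOCAL_GLOBALSKY    /\bglobal\s?sky\s+inc\b/i
body  __LOCAL_SCAM_PHONE   /\b206[-.\s]?350[-.\s]?5956\b/

# Generic signal: a transfer brand alone appears in plenty of ham
# (receipts, support mail), so require the brand AND the phrase.
meta      LOCAL_MONEY_XFER_JOB  (__LOCAL_XFER_BRAND && __LOCAL_XFER_PHRASE)
describe  LOCAL_MONEY_XFER_JOB  Names a money transfer brand and talks about money transfers
score     LOCAL_MONEY_XFER_JOB  1.5

# Campaign-specific signal: the company name or the contact number from the
# posted sample. Narrow on purpose; it stops matching once the sender
# changes either string, so keep the generic rule above as well.
meta      LOCAL_GLOBALSKY_CAMPAIGN  (__LOCAL_GLOBALSKY || __LOCAL_SCAM_PHONE)
describe  LOCAL_GLOBALSKY_CAMPAIGN  Company name or phone number from a known job-offer scam
score     LOCAL_GLOBALSKY_CAMPAIGN  3.0
```

Check the file with spamassassin --lint before relying on it, and restart spamd (or amavisd) so the running daemon loads the new rules.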



Re: How do I filter out phishing email?

2010-04-14 Thread Jari Fredriksson
On 14.4.2010 17:54, yongke wrote:
 
 Hi guys
 
 Is there any way to filter out phishing emails using spam assassin?  My
 current test email wasn't blocked and SA had a score of 0:
 

Please do not post spammy mail to the list (it poisons our Bayes with
spammy tokens with hammy score).

Post the full email source to pastebin or such, and post the link to
the list.

Thank you.


-- 
http://www.iki.fi/jarif/

Living your life is a task so difficult, it has never been attempted before.





Re: How do I filter out phishing email?

2010-04-14 Thread yongke

Well, we send emails on behalf of clients, and so we are trying to catch
phishing spam before they are sent out.  Since the emails aren't sent yet, we
had to generate a mock email for SA.  The header in the example is what we
THINK the headers will be when they are actually sent out.

When you tried it with your SA, I assume you didn't change any headers?  If
that's the case, then it should still work.  I guess I didn't set up SA
correctly? 


Jari Fredriksson wrote:
 
 On 14.4.2010 17:54, yongke wrote:
 
 Hi guys
 
 Is there any way to filter out phishing emails using spam assassin?  My
 current test email wasn't blocked and SA had a score of 0:
 
 
 Your sample was not a real email with all headers, or so it looked.
 
 However, I sent to my SA, and here is the result.
 
 
 
 Content analysis details:   (11.0 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 FREEMAIL_FROM          Sender email is freemail
                             (globalskyinc[at]aol.com)
 -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  3.4 FILL_THIS_FORM_LONG    BODY: Fill in a form with personal information
  0.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5016]
  3.0 FROM_EQUALS_TO         From: and To: have the same username
  0.0 T_FILL_THIS_FORM       Fill in a form with personal information
 -0.0 NO_RECEIVED            Informational: message has no Received headers
  1.4 MISSING_DATE           Missing Date: header
  3.0 AE_DETAILS_WITH_MONEY  Has form and mentions much money
  0.0 T_TO_NO_BRKTS_FREEMAIL T_TO_NO_BRKTS_FREEMAIL
 
 
 
 So it would have been caught here.
 
 But yes, there were no Received: -headers and other important headers,
 so the result is not much good.
 
 Have you trained your Bayes and made sa-update after installation?
 
 -- 
 http://www.iki.fi/jarif/
 
 Q:What is orange and goes click, click?
 A:A ball point carrot.
 
 
  
 




Re: How do I filter out phishing email?

2010-04-14 Thread yongke

Sorry, I'll stop that from now on.


Jari Fredriksson wrote:
 
 On 14.4.2010 17:54, yongke wrote:
 
 Hi guys
 
 Is there any way to filter out phishing emails using spam assassin?  My
 current test email wasn't blocked and SA had a score of 0:
 
 
 Please do not post spammy mail to the list (it poisons our Bayes with
 spammy tokens with hammy score).
 
 Post the full email source to pastebin or such, and post the link to
 the list.
 
 Thank you.
 
 
 -- 
 http://www.iki.fi/jarif/
 
 Living your life is a task so difficult, it has never been attempted
 before.
 
 
  
 




Re: How do I filter out phishing email?

2010-04-14 Thread Jari Fredriksson
On 14.4.2010 18:57, yongke wrote:
 
 Well, we send emails on behalf of clients, and so we are trying catch
 phishing spam before they are sent out.  Since the email aren't sent yet, we
 had to generate a mock email for SA.  The header in the example is what we
 THINK the headers will be when they are actually sent out.
 
 When you tried it with your SA, I assume you didn't change any headers?  If
 that's the case, then it should still work.  I guess I didn't setup SA
 correctly? 
 

I did not change anything. And I think I have pretty default scores on
the rules.

I have following rule sets in my channels:

updates.spamassassin.org
khop-bl.sa.khopesh.com
khop-blessed.sa.khopesh.com
khop-general.sa.khopesh.com
khop-sc-neighbors.sa.khopesh.com
sought.rules.yerp.org
90_2tld.cf.sare.sa-update.dostech.net

About those channels: http://khopesh.com/wiki/Anti-spam

-- 
http://www.iki.fi/jarif/

You can do very well in speculation where land or anything to do with dirt
is concerned.





Re: How do I filter out phishing email?

2010-04-14 Thread d . hill

Quoting Jari Fredriksson ja...@iki.fi:


Please do not post spammy mail to the list (it poisons our Bayes with
spammy tokens with hammy score).


Why are you scanning messages to the SA list? I do not for your reasoning.



Re: How do I filter out phishing email?

2010-04-14 Thread yongke

I am sorry, can you please explain what you mean by channels?  I haven't
changed anything at all from the install.  The default ruleset is the one I
use and my command is this:

spamc -R < foo

where foo is the file with the email I posted.



Jari Fredriksson wrote:
 
 On 14.4.2010 18:57, yongke wrote:
 
 Well, we send emails on behalf of clients, and so we are trying catch
 phishing spam before they are sent out.  Since the email aren't sent yet,
 we
 had to generate a mock email for SA.  The header in the example is what
 we
 THINK the headers will be when they are actually sent out.
 
 When you tried it with your SA, I assume you didn't change any headers? 
 If
 that's the case, then it should still work.  I guess I didn't setup SA
 correctly? 
 
 
 I did not change anything. And I think I have pretty default scores on
 the rules.
 
 I have following rule sets in my channels:
 
 updates.spamassassin.org
 khop-bl.sa.khopesh.com
 khop-blessed.sa.khopesh.com
 khop-general.sa.khopesh.com
 khop-sc-neighbors.sa.khopesh.com
 sought.rules.yerp.org
 90_2tld.cf.sare.sa-update.dostech.net
 
 About those channels: http://khopesh.com/wiki/Anti-spam
 
 -- 
 http://www.iki.fi/jarif/
 
 You can do very well in speculation where land or anything to do with dirt
 is concerned.
 
 
  
 




Re: How do I filter out phishing email?

2010-04-14 Thread yongke

Oh sorry, disregard my last reply.  I looked it up on Google and found the
FAQ on channel.



Jari Fredriksson wrote:
 
 On 14.4.2010 18:57, yongke wrote:
 
 Well, we send emails on behalf of clients, and so we are trying catch
 phishing spam before they are sent out.  Since the email aren't sent yet,
 we
 had to generate a mock email for SA.  The header in the example is what
 we
 THINK the headers will be when they are actually sent out.
 
 When you tried it with your SA, I assume you didn't change any headers? 
 If
 that's the case, then it should still work.  I guess I didn't setup SA
 correctly? 
 
 
 I did not change anything. And I think I have pretty default scores on
 the rules.
 
 I have following rule sets in my channels:
 
 updates.spamassassin.org
 khop-bl.sa.khopesh.com
 khop-blessed.sa.khopesh.com
 khop-general.sa.khopesh.com
 khop-sc-neighbors.sa.khopesh.com
 sought.rules.yerp.org
 90_2tld.cf.sare.sa-update.dostech.net
 
 About those channels: http://khopesh.com/wiki/Anti-spam
 
 -- 
 http://www.iki.fi/jarif/
 
 You can do very well in speculation where land or anything to do with dirt
 is concerned.
 
 
  
 




Re: How do I filter out phishing email?

2010-04-14 Thread d . hill

Quoting Jari Fredriksson ja...@iki.fi:


On 14.4.2010 19:57, d.h...@yournetplus.com wrote:

Quoting Jari Fredriksson ja...@iki.fi:


Please do not post spammy mail to the list (it poisons our Bayes with
spammy tokens with hammy score).


Why are you scanning messages to the SA list? I do not for your reasoning.



Because currently I want to.

I have a mechanism to skip mailing lists, any mailing list, and I used
to use it earlier. But currently I do scan those, just to get data for
AWL and bayes hammy tokens.


Understandable. All messages from the SA list should be hammy. I can't  
rightfully recall when a spam message came through to the SA list. I  
can't recall when a spam message came through to any list I'm on.  
There have been a few in the very distant past.




Re: How do I filter out phishing email?

2010-04-14 Thread yongke

I installed all the channels in your post but I still get the same score!  Is
there anything else I can do?  The commands I used are:

wget -qO - http://khopesh.com/sa/GPG.KEY http://yerp.org/rules/GPG.KEY \
http://daryl.dostech.ca/sa-update/sare/GPG.KEY |sudo sa-update --import -

sudo gpg --keyring sa-update-keys/pubring.gpg --list-public-keys

sudo pico sa-update-keys.txt
856AA88A
6C6191E3
E8B493D6

sudo pico sa-update-channels.txt
updates.spamassassin.org
khop-bl.sa.khopesh.com
khop-blessed.sa.khopesh.com
khop-general.sa.khopesh.com
khop-sc-neighbors.sa.khopesh.com
sought.rules.yerp.org
90_2tld.cf.sare.sa-update.dostech.net

sa-update --channelfile sa-update-channels.txt \
--gpgkeyfile sa-update-keys.txt


Jari Fredriksson wrote:
 
 On 14.4.2010 18:57, yongke wrote:
 
 Well, we send emails on behalf of clients, and so we are trying catch
 phishing spam before they are sent out.  Since the email aren't sent yet,
 we
 had to generate a mock email for SA.  The header in the example is what
 we
 THINK the headers will be when they are actually sent out.
 
 When you tried it with your SA, I assume you didn't change any headers? 
 If
 that's the case, then it should still work.  I guess I didn't setup SA
 correctly? 
 
 
 I did not change anything. And I think I have pretty default scores on
 the rules.
 
 I have following rule sets in my channels:
 
 updates.spamassassin.org
 khop-bl.sa.khopesh.com
 khop-blessed.sa.khopesh.com
 khop-general.sa.khopesh.com
 khop-sc-neighbors.sa.khopesh.com
 sought.rules.yerp.org
 90_2tld.cf.sare.sa-update.dostech.net
 
 About those channels: http://khopesh.com/wiki/Anti-spam
 
 -- 
 http://www.iki.fi/jarif/
 
 You can do very well in speculation where land or anything to do with dirt
 is concerned.
 
 
  
 




Re: How do I filter out phishing email?

2010-04-14 Thread Daniel J McDonald
On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
 I installed all the channels in your post but I still get the same score!  Is
 there anything else I can do? 

Are you running with compiled rules?  Then you need to recompile them.

Are you running a daemonized spamd or amavisd instance?  You will need
to restart it to load the new rules



  The commands I used are:
[...]
 sa-update --channelfile sa-update-channels.txt --gpgkeyfile
 sa-update-keys.txt

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: How do I filter out phishing email?

2010-04-14 Thread yongke

I don't think I am running compiled rules as I haven't changed any rules... I
just used that channel thing.  I have also restarted SA using the following
command:

sudo /etc/init.d/spamassassin restart

Still the same result :(


McDonald, Dan wrote:
 
 On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
 I installed all the channels in your post but I still get the same score! 
 Is
 there anything else I can do? 
 
 Are you running with compiled rules?  Then you need to recompile them.
 
 Are you running a daemonized spamd or amavisd instance?  You will need
 to restart it to load the new rules
 
 
 
  The commands I used are:
 [...]
 sa-update --channelfile sa-update-channels.txt --gpgkeyfile
 sa-update-keys.txt
 
 -- 
 Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
 www.austinenergy.com
 
 




Re: How do I filter out phishing email?

2010-04-14 Thread Jari Fredriksson
On 14.4.2010 21:38, yongke wrote:
 
 I don't think I am running compiled rules as I haven't changed any rules... I
 just used that channel thing.  I have also restarted SA using the following
 command:
 
 sudo /etc/init.d/spamassassin restart
 
 Still the same result :(
 

Clueless here, can't figure out anything...


-- 
http://www.iki.fi/jarif/

Q:  How many IBM 370's does it take to execute a job?
A:  Four, three to hold it down, and one to rip its head off.





Re: How do I filter out phishing email?

2010-04-14 Thread John Hardin

On Wed, 14 Apr 2010, Jari Fredriksson wrote:

Please do not post spammy mail to the list (it poisons our Bayes with 
spammy tokens with hammy score).


If you're running SA list emails through SA you deserve what you get. :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say I don't want the government to do X, do not
  automatically assume that means I don't want X to happen.
---
 Today: the 145th anniversary of Lincoln's assassination


Re: How do I filter out phishing email?

2010-04-14 Thread John Hardin

On Wed, 14 Apr 2010, d.h...@yournetplus.com wrote:


Quoting Jari Fredriksson ja...@iki.fi:


On 14.4.2010 19:57, d.h...@yournetplus.com wrote:
 Quoting Jari Fredriksson ja...@iki.fi:
 
  Please do not post spammy mail to the list (it poisons our Bayes 
  with spammy tokens with hammy score).
 
 Why are you scanning messages to the SA list? I do not for your 
 reasoning.


Because currently I want to.

I have a mechanism to skip mailing lists, any mailing list, and I used 
to use it earlier. But currently I do scan those, just to get data for 
AWL and bayes hammy tokens.


Understandable. All messages from the SA list should be hammy.


A mailing list about spam detection shouldn't discuss actual samples of 
spam to detect?


The primary reason for posting samples to pastebin et al. is to prevent 
the mangling that sending them through the mail will inevitably cause.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say I don't want the government to do X, do not
  automatically assume that means I don't want X to happen.
---
 Today: the 145th anniversary of Lincoln's assassination


Re: How do I filter out phishing email?

2010-04-14 Thread Jari Fredriksson
On 15.4.2010 0:32, John Hardin wrote:
 
 A mailing list about spam detection shouldn't discuss actual samples of
 spam to detect?

Of course it should.

 
 The primary reason for posting samples to pastebin et al. is to prevent
 the mangling that sending them through the mail will inevitably cause.
 

Sure.

-- 
http://www.iki.fi/jarif/

You dialed 5483.





Re: How do I filter out phishing email?

2010-04-14 Thread Alex
 Still the same result :(


 Clueless here, can't figure out anything...

Jari, it's okay. It'll get better. Is there someone you can talk to about that?

:-)

Best,
Alex