Re: Bogus Dollar Amounts

2010-02-25 Thread ram
On Wed, Feb 24, 2010 at 8:44 PM, Dennis B. Hopp dh...@coreps.com wrote:

 I have been seeing a few spam mails slip past that talk about being able to
 get bogus dollar amounts.  What I mean by that is it will give a large value
 in the e-mail but where there should be a comma it puts a period.

 I put an example of one of these messages at:

 http://pastebin.com/SXuGELUS

 Are there any rules that can detect this?  The only rules this hit on mine
 are:

 1.900   DCC_CHECK
 1.449   RCVD_IN_BRBL_LASTEXT
 1.000   RCVD_IN_BRBL
 -0.001  SPF_PASS
 -0.010  T_RP_MATCHES_RCVD
 -1.900  BAYES_00


http://pastebin.com/6c9sEEn9

Even recently I installed a new qmail server.
I still see a lot of junk mail coming with different characters; I do not even
read them clearly.

How can I stop those kinds of emails?

Ram


Re: Bogus Dollar Amounts

2010-02-25 Thread Mike Cardwell

On 25/02/2010 12:01, ram wrote:


I have been seeing a few spam mails slip past that talk about being
able to get bogus dollar amounts.  What I mean by that is it will
give a large value in the e-mail but where there should be a comma
it puts a period.

I put an example of one of these messages at:

http://pastebin.com/SXuGELUS

Are there any rules that can detect this?  The only rules this hit
on mine are:

1.900   DCC_CHECK
1.449   RCVD_IN_BRBL_LASTEXT
1.000   RCVD_IN_BRBL
-0.001  SPF_PASS
-0.010  T_RP_MATCHES_RCVD
-1.900  BAYES_00

http://pastebin.com/6c9sEEn9
Even recently I installed a new qmail server.
I still see a lot of junk mail coming with different characters; I do not
even read them clearly.
How can I stop those kinds of emails?
Ram


I repasted that at http://spamalyser.com/v/gcrvcnbm/mime in order to get 
the benefit of mime parsing and decoding.


You could score on the koi8-r charset. You could score on the fact the 
email came from South Korea. You could use the TextCat language plugin.


--
Mike Cardwell: UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/   #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/
Spamalyser   : Spam Tool  - http://spamalyser.com/


Re: Bogus Dollar Amounts

2010-02-25 Thread Martin Gregorie
On Thu, 2010-02-25 at 17:31 +0530, ram wrote:
 http://pastebin.com/SXuGELUS

 Are there any rules that can detect this?  
 The only rules this hit on mine are:

 1.900   DCC_CHECK
 1.449   RCVD_IN_BRBL_LASTEXT
 1.000   RCVD_IN_BRBL
 -0.001  SPF_PASS
 -0.010  T_RP_MATCHES_RCVD
 -1.900  BAYES_00


Two of my private rules hit too: 

MG_MONEY    recognises monetary amounts in message bodies

MG_SPAMREF  recognised the live.com URI - IME that's pretty much a
sure-fire spam flag.


Martin




Re: Bogus Dollar Amounts

2010-02-25 Thread Kai Schaetzl
Ram wrote on Thu, 25 Feb 2010 17:31:04 +0530:

 how can i stop those kind of emails

11.Received: from unknown (HELO NANQRZBVJZ) (121.100.119.197)

If you allow such a thing to deliver to you you actively ask for spam.
I don't waste SA cycles on such stuff.

Apart from that it seems your SA is outdated and your Bayes is not trained 
well. I don't use any RBL tests and get 20.

X-Spam-Status: Yes, score=20.2 required=5.0 tests=BAYES_50,BODY_8BITS,
CHARSET_FARAWAY_HEADER,FH_FAKE_RCVD_LINE_B,FSL_HELO_NON_FQDN_1,HK_BADNAME,
HK_BADSUBJECT,KB_RATWARE_OUTLOOK_MID,MIME_CHARSET_FARAWAY,MIME_QP_LONG_LINE,
RDNS_NONE,UNWANTED_LANGUAGE_BODY autolearn=spam version=3.3.0



Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Bogus Dollar Amounts

2010-02-25 Thread Kai Schaetzl
Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:

 Obviously I have something going on with my bayes, but that's a separate issue

Indeed. But it's an important issue. If it is that biased for other spam as well
you are better off not using it in this state.

X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_50,HK_MUCHMONEY,
T_LOTS_OF_MONEY,UNPARSEABLE_RELAY autolearn=no version=3.3.0

add your RBL score and it's way over 5.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Bogus Dollar Amounts

2010-02-25 Thread John Hardin

On Thu, 25 Feb 2010, ram wrote:


http://pastebin.com/6c9sEEn9

I still see a lot of junk mail coming with different characters; I do not 
even read them clearly.


how can i stop those kind of emails


Reject languages you can't read at SMTP time?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 139 days since President Obama won the Nobel Not George W. Bush prize


Re: [sa] Re: Bogus Dollar Amounts

2010-02-25 Thread Charles Gregory

On Thu, 25 Feb 2010, John Hardin wrote:

 I still see a lot of junk mail coming with different characters; I do not
 even read them clearly.
 How can I stop those kinds of emails?

Reject languages you can't read at SMTP time?


I've been noticing more 'foreign language' spams that do not use
a 'foreign' character set and therefore do not trigger the 'faraway' 
rules. I don't suppose anyone has developed a generic rule that would 
spot 'foreign language usage in non-foreign charset'?


- C


Re: Bogus Dollar Amounts

2010-02-25 Thread Dennis B. Hopp

Quoting Kai Schaetzl mailli...@conactive.com:


Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:

Obviously I have something going on with my bayes, but that's a   
separate issue


Indeed. But it's an important issue. If it is that biased for other
spam as well you are better off not using it in this state.

X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_50,HK_MUCHMONEY,
T_LOTS_OF_MONEY,UNPARSEABLE_RELAY autolearn=no version=3.3.0

add your RBL score and it's way over 5.



I agree it's an important issue.  I had turned off bayes autoexpire in  
local.cf and at some point taken the cron job out that did a manual  
force-expire.  Once I did a force expire BAYES_60 triggered rather  
than BAYES_00.


What is the HK_MUCHMONEY rule that you have?  Is that part of the base  
SA installation?


Thanks,

--Dennis


Re: Bogus Dollar Amounts

2010-02-25 Thread LuKreme
On 25-Feb-2010, at 05:36, Mike Cardwell wrote:
 
 I repasted that at http://spamalyser.com/v/gcrvcnbm/mime in order to get the 
 benefit of mime parsing and decoding.

running it through spamassassin -Lt I get a score of 16.6 (13.2)

Content analysis details:   (16.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
 0.1 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
 3.8 KB_RATWARE_BOUNDARY    KB_RATWARE_BOUNDARY
 0.7 SARE_RECV_IP_FROMIP3   Received line is IP address from IP address
 0.7 SARE_SUB_ENC_KOI8R     Subject specifies display in non-English lang
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.2 MISSING_MIME_HB_SEP    BODY: Missing blank line between MIME header and
                            body
 1.5 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 3.4 AWL                    AWL: From: address is in the auto white-list


-- 
'There's Mr Dibbler.'
'What's he selling this time?'
'I don't think he's trying to sell anything, Mr Poons.'
'It's that bad? Then we're probably in lots of trouble.' --Reaper Man



Re: Bogus Dollar Amounts

2010-02-25 Thread John Hardin

On Thu, 25 Feb 2010, Dennis B. Hopp wrote:

What is the HK_MUCHMONEY rule that you have?  Is that part of the base 
SA installation?


It's a sandbox rule that got promoted. I'm working on a set of money rules 
that will supersede it.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Health Care _is_ a right - the government has no business keeping
  you from getting it. But forcing somebody else to pay for your
  health care at gunpoint (i.e. through taxation) is _not_ a right.
---
 139 days since President Obama won the Nobel Not George W. Bush prize


Re: [sa] Re: Bogus Dollar Amounts

2010-02-25 Thread John Wilcock

Le 25/02/2010 17:06, Charles Gregory a écrit :

On Thu, 25 Feb 2010, John Hardin wrote:

 I still see a lot of junk mail coming with different characters; I do not
 even read them clearly.
 How can I stop those kinds of emails?

Reject languages you can't read at SMTP time?


I've been noticing more 'foreign language' spams that do not use
a 'foreign' character set and therefore do not trigger the 'faraway'
rules. I don't suppose anyone has developed a generic rule that would
spot 'foreign language usage in non-foreign charset'?


Perhaps more useful - and less prone to FPs in internationally-oriented 
organisations - a rule that spots *mismatched* charsets, e.g. a Cyrillic 
charset from a Chinese IP, a Korean charset via an Italian freemail 
host, and so on.


I guess such a rule would be possible as a meta, though an eval function 
might be more effective and allow more combinations.


--
John
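
The charset-versus-origin mismatch that Mike Cardwell suggests scoring (koi8-r from a South Korean relay) and that John Wilcock generalises above can be built from stock SpamAssassin pieces as a meta rule. The local.cf fragment below is an added example written for this page, not something posted in the thread: the names beginning LOCAL_ and __LOCAL_ and the scores are my own placeholders, and it assumes the RelayCountry, MIMEHeader and TextCat plugins are enabled in the shipped .pre files and that RelayCountry has a GeoIP database to read. The ok_languages line also answers Charles Gregory's question, since TextCat judges the text itself rather than the declared charset.

```spamassassin
# Added example for local.cf (not from the thread). LOCAL_/__LOCAL_ names and
# the scores are placeholders; tune them against your own corpus.
# Assumes RelayCountry, MIMEHeader and TextCat are loaded (uncomment their
# loadplugin lines in the shipped .pre files) and that RelayCountry can
# find a GeoIP database.

# Languages and locales you actually read. TextCat fires
# UNWANTED_LANGUAGE_BODY on any other language regardless of the charset
# the message declares; ok_locales drives the stock CHARSET_FARAWAY rules.
ok_languages en
ok_locales   en

# Sub-rules (a leading __ means no score and no line in the report).
# Cyrillic charset declared on the top-level body, on a MIME part, or in an
# RFC 2047 encoded Subject (the sample hit SARE_SUB_ENC_KOI8R).
header     __LOCAL_CT_CYRILLIC    Content-Type =~ /charset="?(?:koi8-r|windows-1251)\b/i
mimeheader __LOCAL_MIME_CYRILLIC  Content-Type =~ /charset="?(?:koi8-r|windows-1251)\b/i
header     __LOCAL_SUBJ_CYRILLIC  Subject:raw =~ /=\?(?:koi8-r|windows-1251)\?/i
meta       __LOCAL_CYRILLIC       (__LOCAL_CT_CYRILLIC || __LOCAL_MIME_CYRILLIC || __LOCAL_SUBJ_CYRILLIC)

# Country codes of the untrusted relays, from the X-Relay-Countries
# pseudo-header that RelayCountry adds.
header     __LOCAL_RELAY_KR_CN    X-Relay-Countries =~ /\b(?:KR|CN)\b/
header     __LOCAL_RELAY_CYR_OK   X-Relay-Countries =~ /\b(?:RU|UA|BY|KZ|BG)\b/

# The mismatch: Cyrillic text handed to us by a Korean or Chinese relay and
# by no relay in a country where Cyrillic would be expected. The exclusion
# is what keeps this from firing on mail that merely transited Asia.
meta       LOCAL_CYRILLIC_VIA_KR_CN  (__LOCAL_CYRILLIC && __LOCAL_RELAY_KR_CN && !__LOCAL_RELAY_CYR_OK)
describe   LOCAL_CYRILLIC_VIA_KR_CN  Cyrillic charset delivered via a relay in KR or CN
score      LOCAL_CYRILLIC_VIA_KR_CN  2.0
```

Check it with `spamassassin --lint` before reloading, and run a suspect sample through `spamassassin -D -t` to confirm the X-Relay-Countries values are what you expect: the country list only covers relays outside your trusted_networks, so an incomplete trusted_networks setting makes every message look like it came from your own upstream.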


Re: Bogus Dollar Amounts

2010-02-24 Thread Jason Bertoch

On 2/24/2010 10:14 AM, Dennis B. Hopp wrote:


... but where there should be a comma it puts a period.

I put an example of one of these messages at:

http://pastebin.com/SXuGELUS



It is common in many parts of the world to use a period instead of a 
comma as a digit group separator, and vice-versa for the decimal separator.


http://en.wikipedia.org/wiki/Thousands_separator#Digit_grouping

/Jason






Re: Bogus Dollar Amounts

2010-02-24 Thread Dennis B. Hopp

Never mind... it was also hitting

T_LOTS_OF_MONEY

and once I expired old bayes tokens it no longer hit BAYES_00.  Now I  
just have to figure out what's up with my bayes db.


--Dennis

Quoting Dennis B. Hopp dh...@coreps.com:


I have been seeing a few spam mails slip past that talk about being
able to get bogus dollar amounts.  What I mean by that is it will give
a large value in the e-mail but where there should be a comma it puts a
period.

I put an example of one of these messages at:

http://pastebin.com/SXuGELUS

Are there any rules that can detect this?  The only rules this hit on
mine are:

1.900   DCC_CHECK
1.449   RCVD_IN_BRBL_LASTEXT
1.000   RCVD_IN_BRBL
-0.001  SPF_PASS
-0.010  T_RP_MATCHES_RCVD
-1.900  BAYES_00

Obviously I have something going on with my bayes, but that's a   
separate issue


Thanks,

--Dennis





Re: Bogus Dollar Amounts

2010-02-24 Thread Dennis B. Hopp



It is common in many parts of the world to use a period instead of a
comma as a digit group separator, and vice-versa for the decimal
separator.

http://en.wikipedia.org/wiki/Thousands_separator#Digit_grouping



I knew it was common in other parts of the world, but for some reason  
was thinking that when referring to US Dollars it wouldn't be.  Now  
that I think about it I can understand why my original thought was  
wrong.


I guess it doesn't really matter since the message was actually  
hitting another rule (T_LOTS_OF_MONEY) that I somehow missed.


--Dennis



Re: Bogus Dollar Amounts

2010-02-24 Thread RW
On Wed, 24 Feb 2010 09:37:47 -0600
Dennis B. Hopp dh...@coreps.com wrote:

 
  It is common in many parts of the world to use a period instead of a
  comma as a digit group separator, and vice-versa for the decimal
  separator.
 
  http://en.wikipedia.org/wiki/Thousands_separator#Digit_grouping
 
 
 I knew it was common in other parts of the world, but for some
 reason was thinking that when referring to US Dollars it wouldn't
 be.  Now that I think about it I can understand why my original
 thought was wrong.

I don't think you were all that wrong, the spam had:

   $800.000.00 USD

I doubt there's any part of the world where they use the same symbol for
both.
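
RW's point is a narrower test than the thread's T_LOTS_OF_MONEY or HK_MUCHMONEY make: an amount that uses the same character as both the digit-group and the decimal separator is malformed in every locale, so it can be scored without the false positives a plain "large number" rule attracts. The local.cf fragment below is an added example written for this page, not a rule posted in the thread or shipped with SpamAssassin; the rule names and scores are my own placeholders.

```spamassassin
# Added example for local.cf (not from the thread). Rule names and scores
# are placeholders.
#
# Matches "$800.000.00 USD" style amounts: a currency marker, one to three
# digits, one or more ".ddd" groups, then ".dd". Legitimate forms such as
# "$1,000,000.00" (US), "$1.000.000" (period grouping, no cents) and
# "800.000,00" (period grouping, comma decimals) do not match, and the
# trailing \b stops "$800.000.000" from matching as "$800.000.00" + "0".
body     LOCAL_MONEY_DOUBLE_PERIOD  /(?:US\$|USD\s?|\$)\s?\d{1,3}(?:\.\d{3})+\.\d{2}\b|\b\d{1,3}(?:\.\d{3})+\.\d{2}\s?(?:USD|US\s?Dollars?)\b/i
describe LOCAL_MONEY_DOUBLE_PERIOD  Amount uses a period as both group and decimal separator
score    LOCAL_MONEY_DOUBLE_PERIOD  1.5

# The same mistake with commas, e.g. "$800,000,00".
body     LOCAL_MONEY_DOUBLE_COMMA   /(?:US\$|USD\s?|\$)\s?\d{1,3}(?:,\d{3})+,\d{2}\b|\b\d{1,3}(?:,\d{3})+,\d{2}\s?(?:USD|US\s?Dollars?)\b/i
describe LOCAL_MONEY_DOUBLE_COMMA   Amount uses a comma as both group and decimal separator
score    LOCAL_MONEY_DOUBLE_COMMA   1.5
```

The first alternation deliberately has no \b before the currency marker: "\b\$" never matches after a space, which is exactly where "$" appears in running text. Body rules see the rendered text with HTML stripped, so the pattern also catches amounts split by tags in HTML mail.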


Re: Bogus Dollar Amounts

2010-02-24 Thread John Hardin

On Wed, 24 Feb 2010, Dennis B. Hopp wrote:

I guess it doesn't really matter since the message was actually hitting 
another rule (T_LOTS_OF_MONEY) that I somehow missed.


It also hits some of the testing ADVANCE_FEE_NEW rules. I hope to bring 
those live soon...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Homeland Security: Specializing in Tactical Band-aids for Strategic
  Problems.   -- Eric K. in Bruce Schneier's blog
---
 138 days since President Obama won the Nobel Not George W. Bush prize