Re: Why is the advertising for certain berry not caught

2009-04-26 Thread Igor Chudov
On Sat, Apr 25, 2009 at 11:06:47PM +0100, Ned Slider wrote:
 John Hardin wrote:
 On Fri, 24 Apr 2009, LuKreme wrote:

 On 24-Apr-2009, at 10:41, Igor Chudov wrote:

 I get a shipload of spams like this one:

 http://igor.chudov.com/tmp/spam007.txt

 Scores very high here.

 2.0 URIBL_BLACK    Contains an URL listed in the URIBL blacklist
                    [URIs: tgifriday.info]

 Igor, you might also want to implement greylisting, to give the URIBLs 
 a chance to list URIs that appear in these messages.


 Interesting concept - do you have any data to support the hypothesis?

OK, dumb question, how would I implement greylisting (I have Ubuntu)

i

 I tried looking at this a while back, but it's difficult to collect  
 qualitative data. I ran for a month with a short greylisting period (1  
 min), and a month for 30 mins and 60 mins. I looked at hit rates against  
 popular DNSRBLs to see if I could observe any increase in effectiveness  
 from IPs being added during the increased greylisting periods. I didn't  
 see anything conclusive that would be worth the increased delay to  
 legitimate new mail. Of course the study isn't very scientific as the  
 spamflow is likely to change from month to month. Also, only reactive  
 lists are likely to benefit, and only those that react quickly.

 Getting back to the OP's question, I've found adding a couple of simple  
 body rules to check for a certain four letter 'A' word or 2-3 word  
 phrases works well in this instance, and I've not noticed any FPs.



Re: Why is the advertising for certain berry not caught

2009-04-26 Thread Bill Landry
Igor Chudov wrote:

 OK, dumb question, how would I implement greylisting (I have Ubuntu)

That depends on what MTA you are using.  Most greylisting is performed
by milters or, if using Postfix, policy delegation.  Check your MTA's
web site, they will usually advise you on how to implement greylisting
for their MTA.

Bill
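
An added example, not from this thread and not the Postfix project's own code, of the Postfix policy delegation Bill mentions: a minimal greylisting policy server. Postfix connects to the server (configured with check_policy_service), sends one name=value attribute per line terminated by an empty line, and expects an action=... line followed by an empty line in reply. The listen port 10023, the five-minute delay, the 36-hour retention and the in-memory store are assumptions for the example; on Ubuntu the packaged postgrey daemon does the same job in production with a persistent database.

```python
"""Minimal greylisting policy server for Postfix policy delegation (added example)."""
import ipaddress
import socketserver
import time

GREYLIST_DELAY = 300      # assumed: seconds a new triplet must wait before acceptance
TRIPLET_TTL = 36 * 3600   # assumed: forget triplets that are never retried in this window
DEFER = "action=DEFER_IF_PERMIT Greylisted, please try again later"
PASS = "action=DUNNO"     # no opinion; later restrictions decide

_seen = {}  # triplet -> first-seen timestamp (in-memory; a real daemon persists this)


def parse_request(raw):
    """Parse the 'name=value' lines Postfix sends; the request ends at a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def triplet(attrs):
    """Key on the client /24 (IPv4) or /64 (IPv6) so a retry from a sibling
    outbound host of the same site still matches the original attempt."""
    addr = ipaddress.ip_address(attrs["client_address"])
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return (str(net), attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


def decide(attrs, now=None, state=None):
    """Return the Postfix action line for one policy request."""
    now = time.time() if now is None else now
    state = _seen if state is None else state
    # Only act at RCPT stage of an smtpd access policy request; pass everything else.
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return PASS
    # Expire triplets that were never retried (typical of single-shot spam cannons).
    for key, first in list(state.items()):
        if now - first > TRIPLET_TTL:
            del state[key]
    key = triplet(attrs)
    first = state.get(key)
    if first is None:
        state[key] = now          # first sight: record and ask the sender to retry
        return DEFER
    if now - first < GREYLIST_DELAY:
        return DEFER              # retried too soon
    return PASS                   # retried after the delay: behaves like a real MTA


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection.
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                return
            attrs = parse_request("\n".join(lines))
            self.wfile.write((decide(attrs) + "\n\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf (assumed): smtpd_recipient_restrictions = permit_mynetworks,
    #     reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
    # Put the policy service after reject_unauth_destination so only mail for
    # your own domains is greylisted, never relay attempts.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), PolicyHandler) as srv:
        srv.serve_forever()
```

The cost is the delay on first contact from any new sender, which Ned's measurements below put against the benefit; the /24 key and the DEFER_IF_PERMIT (rather than DEFER) action are the two knobs that keep legitimate multi-host senders from being delayed twice.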


Re: Why is the advertising for certain berry not caught

2009-04-25 Thread John Hardin

On Fri, 24 Apr 2009, LuKreme wrote:


On 24-Apr-2009, at 10:41, Igor Chudov wrote:


I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt


Scores very high here.

2.0 URIBL_BLACK    Contains an URL listed in the URIBL blacklist
                   [URIs: tgifriday.info]


Igor, you might also want to implement greylisting, to give the URIBLs a 
chance to list URIs that appear in these messages.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 What nuts do with guns is terrible, certainly. But what evil or crazy
 people do with *anything* is not a valid argument for banning that
 item.                                  -- John C. Randolph j...@idiom.com
---
 94 days since Obama's inauguration and still no unicorn!


Re: Why is the advertising for certain berry not caught

2009-04-25 Thread Ned Slider

John Hardin wrote:

On Fri, 24 Apr 2009, LuKreme wrote:


On 24-Apr-2009, at 10:41, Igor Chudov wrote:


I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt


Scores very high here.

2.0 URIBL_BLACK    Contains an URL listed in the URIBL blacklist
                   [URIs: tgifriday.info]


Igor, you might also want to implement greylisting, to give the URIBLs a 
chance to list URIs that appear in these messages.




Interesting concept - do you have any data to support the hypothesis?

I tried looking at this a while back, but it's difficult to collect 
qualitative data. I ran for a month with a short greylisting period (1 
min), and a month for 30 mins and 60 mins. I looked at hit rates against 
popular DNSRBLs to see if I could observe any increase in effectiveness 
from IPs being added during the increased greylisting periods. I didn't 
see anything conclusive that would be worth the increased delay to 
legitimate new mail. Of course the study isn't very scientific as the 
spamflow is likely to change from month to month. Also, only reactive 
lists are likely to benefit, and only those that react quickly.


Getting back to the OP's question, I've found adding a couple of simple 
body rules to check for a certain four letter 'A' word or 2-3 word 
phrases works well in this instance, and I've not noticed any FPs.





Re: Why is the advertising for certain berry not caught

2009-04-25 Thread John Hardin
On Sat, 2009-04-25 at 23:06 +0100, Ned Slider wrote:
 John Hardin wrote:
  
  Igor, you might also want to implement greylisting, to give the URIBLs a 
  chance to list URIs that appear in these messages.

 Interesting concept - do you have any data to support the hypothesis?

Nope.

 I tried looking at this a while back, but it's difficult to collect 
 qualitative data. I ran for a month with a short greylisting period (1 
 min), and a month for 30 mins and 60 mins. I looked at hit rates against 
 popular DNSRBLs to see if I could observe any increase in effectiveness 
 from IPs being added during the increased greylisting periods.

Note I said URIBLs. The URI domains will probably not change as
quickly as the IP addresses from a botnet universe. I don't expect
greylisting to have much if any benefit w/r/t DNSBLs.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I'll have that son of a bitch eating out of dumpsters in less than
  two years.   -- MS CEO Steve Ballmer, on RedHat CEO Matt Szulik
---
 94 days since Obama's inauguration and still no unicorn!



Why is the advertising for certain berry not caught

2009-04-24 Thread Igor Chudov
I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt

These advertise certain berries, but also other equally worthless
gimmicks. These spammers started snowshoeing but as time went on,
predictably they became more brazen. 

I have the latest ubuntu 9.04 and I was hoping for better results. Am
I missing some rulesets or what?

i


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Igor Chudov
On Fri, Apr 24, 2009 at 11:41:31AM -0500, Igor Chudov wrote:
 I get a shipload of spams like this one:
 
 http://igor.chudov.com/tmp/spam007.txt

By the way, look at these spams. The affiliate URL is mentioned once or
twice, and then the remove URL. The remove URL is like the affiliate
URL, different by one character only.

i

 These advertise certain berries, but also other equally worthless
 gimmicks. These spammers started snowshoeing but as time went on,
 predictably they became more brazen. 
 
 I have the latest ubuntu 9.04 and I was hoping for better results. Am
 I missing some rulesets or what?
 
 i
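
An added example, not from this thread and not SpamAssassin's own code, of turning the pattern Igor describes into a check: two URLs on the same host whose path/query differ by a single character (the "remove" link being a near-copy of the affiliate link). The message body and the affiliate.example host are constructed for the example; in practice the body would come from the MTA or a SpamAssassin plugin, and the pair count would feed a rule score rather than be used on its own.

```python
"""Flag messages carrying near-duplicate URLs on one host (added example)."""
import re
from itertools import combinations
from urllib.parse import urlsplit

# Plain http(s) URLs; stops at whitespace, angle brackets, quotes and parentheses.
URL_RE = re.compile(r"""https?://[^\s<>"'()]+""", re.IGNORECASE)


def extract_urls(body):
    """Unique URLs in order of first appearance, trailing punctuation stripped."""
    seen = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:!?")
        if url not in seen:
            seen.append(url)
    return seen


def edit_distance(a, b, limit=2):
    """Levenshtein distance with early exit once it must exceed `limit`
    (returns limit + 1 in that case, so callers only compare against limit)."""
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        if min(cur) > limit:
            return limit + 1
        prev = cur
    return prev[-1]


def near_duplicate_urls(body, max_distance=1):
    """Pairs of distinct URLs on the same host whose path+query differ by at
    most `max_distance` edits. Host comparison is case-insensitive; the
    path/query comparison is exact, as affiliate IDs usually are."""
    urls = extract_urls(body)
    hits = []
    for u, v in combinations(urls, 2):
        pu, pv = urlsplit(u), urlsplit(v)
        if pu.netloc.lower() != pv.netloc.lower():
            continue
        tail_u = pu.path + ("?" + pu.query if pu.query else "")
        tail_v = pv.path + ("?" + pv.query if pv.query else "")
        if 0 < edit_distance(tail_u, tail_v, max_distance) <= max_distance:
            hits.append((u, v))
    return hits


# Constructed sample body: affiliate link repeated, then a one-character-off "remove" link.
SAMPLE_BODY = """\
Lose weight fast with the miracle berry!
Order your free trial today: http://affiliate.example/r.php?id=4471a
Supplies are limited, click http://affiliate.example/r.php?id=4471a now.
Read what the press says: http://news.example/health/berry.html
To stop receiving these messages visit http://affiliate.example/r.php?id=4471b
"""

if __name__ == "__main__":
    for a, b in near_duplicate_urls(SAMPLE_BODY):
        print("near-duplicate URLs:", a, "<->", b)
```

Legitimate mailings also carry an unsubscribe link, but it normally lives on a different path (or a different host) from the product link, so the same-host, one-edit condition is what keeps this from firing on ordinary list mail; run it over a ham corpus before giving it any real score.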


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Rick Macdougall

Igor Chudov wrote:

I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt

These advertise certain berries, but also other equally worthless
gimmicks. These spammers started snowshoeing but as time went on,
predictably they became more brazen. 


I have the latest ubuntu 9.04 and I was hoping for better results. Am
I missing some rulesets or what?

i


Would be caught here.

X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Regards,

Rick



Re: Why is the advertising for certain berry not caught

2009-04-24 Thread Adam Katz
Igor Chudov wrote:
 http://igor.chudov.com/tmp/spam007.txt
 [...] Am I missing some rulesets or what?

Check Razor2 with this command:

spamassassin --lint -D 2>&1 | grep -C2 Razor

it should say module installed: Razor2::Client::Agent
and loading Mail::SpamAssassin::Plugin::Razor2
(and since --lint only runs local tests, it should skip it).

If you don't have it loaded, un-comment its loadplugin line in your
v310.pre file.  You may also need the following Ubuntu/Debian command:

sudo aptitude install razor

Rick Macdougall wrote:
 Would be caught here.
 X-Spam-Status: Yes, hits=9.9 required=5.0 tests=BAYES_99,DIET_1,
         RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK

Either Igor doesn't have Razor2 configured, or the message hadn't yet
found its way into Vipul's index.  Also, it's unfair to assume
anything about somebody else's Bayes db, so assuming you (Rick) are on
the default scores, that means you got 6.4 including 2.8 from Razor2.


It only hit one more check for me, and that was a custom one (see my
khop-lists channel at http://khopesh.com/Anti-Spam ), designed to
lightly penalize any bulk or automated message.  (In case you're
wondering, 0.1 points for KHOP_SENDER_BOT, which triggered on the
nore...@* address.)  I don't recommend khop-lists for general use; my
other channels are far more safe and useful.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


Re: Why is the advertising for certain berry not caught

2009-04-24 Thread LuKreme


On 24-Apr-2009, at 10:41, Igor Chudov wrote:


I get a shipload of spams like this one:

http://igor.chudov.com/tmp/spam007.txt


Scores very high here.

Content analysis details:   (9.6 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: tgifriday.info]
 4.5 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                               [score: 1.]
 0.1 DIET_1                    BODY: Lose Weight Spam
 0.6 SPF_SOFTFAIL              SPF: sender does not match SPF record (softfail)
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]

--
I hear hurricanes a-blowing, I know the end is coming
soon. I fear rivers over-flowing. I hear the voice
of rage and ruin.