Effectiveness of Bayes poisoning (was Re: Spam Pattern)

2014-02-12 Thread David F. Skoll
cored 99.99% likelihood of spam. The word "Wopsle", for example, was a dead giveaway... that never appears in our ham stream, but has appeared in 93 spams in our database. Bayes poisoning, in our experience, is only occasionally effective. Regards, David.

Re: Trouble with bayes poisoning spam

2012-12-02 Thread Alex
Hi, > Actually, that's a Snowshoe IP. > Which, on balance, can be a good thing, slaying-wise. :) You mean that it's more likely to be added to the SBL with the other IPs in the same range sooner? > Almost four years ago, I posted my approach to snowshoe slaying: > > http://mail-archives

re: Trouble with bayes poisoning spam

2012-11-30 Thread Chip M.
Hi Alex! Actually, that's a Snowshoe IP. Which, on balance, can be a good thing, slaying-wise. :) Almost four years ago, I posted my approach to snowshoe slaying: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e It has cont

Re: Trouble with bayes poisoning spam

2012-11-29 Thread John Hardin
On Thu, 29 Nov 2012, Alex wrote: I have an example of spam that I just can't reliably detect: http://pastebin.com/YuuLuA1x I was just wondering if there was something else that could be triggered on in the header to catch these sooner? I'm assuming the sending IP part of a botnet? I'm using v3

Trouble with bayes poisoning spam

2012-11-29 Thread Alex
Hi, I have an example of spam that I just can't reliably detect: http://pastebin.com/YuuLuA1x It's basically some HTML with a URL to an ad for "Lantern with 9 LED bulbs". I've trained hundreds of these, and they still report BAYES_50. I've just tested it now, a few hours after having first recei

Re: Bayes Poisoning

2011-10-18 Thread Daniel McDonald
On 10/18/11 12:12 PM, "Karsten Bräckelmann" wrote: > On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: >> One of my users submitted a spam for analysis, and I was amazed at the >> efforts this troglodyte expended to poison bayes. >> Is it worth the effort to try to find huge html comme

Re: Bayes Poisoning

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: > One of my users submitted a spam for analysis, and I was amazed at the > efforts this troglodyte expended to poison bayes. > Is it worth the effort to try to find huge html comments hiding junk > like this? Hmm, wait -- Bayes and HTML com

Re: Bayes Poisoning

2011-10-18 Thread Joseph Brennan
Daniel McDonald wrote: Rawbody OBFU_HTML_LONG_COMMENT /\<--.{1024,}?--\>/ Describe OBFU_HTML_LONG_COMMENT contains a ridiculously long html comment Tried with exactly that limit, 1 kb. TargetX, which is used by universities in recruiting, uses a long comment in its generated mail (I did no

Re: Bayes Poisoning

2011-10-18 Thread Bowie Bailey
ing and ending markers are part of the same comment. Your example would be tripped up if there was a small comment at the beginning of the message and another small comment at the end. It would count characters between the beginning of the first comment and the end of the second one. As far as "

Bayes Poisoning

2011-10-18 Thread Daniel McDonald
One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Maybe something like Rawbody OBFU_HTML_LONG_COMMENT /\<--.{1024,}?--\>/ Describe OBFU_HTML_LONG_

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Karsten Bräckelmann
On Tue, 2010-02-23 at 09:28 -0500, Bowie Bailey wrote: > Michael Scheidell wrote: > > you can edit the tflags and add noautolearn > Are these settings cumulative? The man page doesn't specify. Nope. tflags is of type CONF_TYPE_HASH_KEY_VALUE, so there's exactly one tflags value per rule name.

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Bowie Bailey
Michael Scheidell wrote: > On 2/23/10 9:28 AM, Bowie Bailey wrote: >> Michael Scheidell wrote: >> >>> On 2/23/10 9:03 AM, Jason Bertoch wrote: >>> Are there any internal checks that disable Bayes autolearn when these artificial whitelist rules match? I'd disabled these rules in >

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Jason Bertoch
On 2/23/2010 9:35 AM, Michael Scheidell wrote: > why not just do tflags RULENAME nice net noautolearn (oh.. and to find them, grep '^tflags.*RCVD_IN' *.cf some interesting ones. not sure why they rate a net nice: Grepping for 'autolearn' turns up the built-in whitelist and blacklist rules.

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Michael Scheidell
On 2/23/10 9:28 AM, Bowie Bailey wrote: Michael Scheidell wrote: On 2/23/10 9:03 AM, Jason Bertoch wrote: Are there any internal checks that disable Bayes autolearn when these artificial whitelist rules match? I'd disabled these rules in versions prior to 3.3.0 but, with all the disc

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Jason Bertoch
On 2/23/2010 9:20 AM, Michael Scheidell wrote: Unfortunately, I'm still seeing false positives and am concerned that they are pushing the scores low enough to poison my Bayes database. you can edit the tflags and add noautolearn example: 72_active.cf:tflags RCVD_IN_RP_CERTIFIED net nice

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Bowie Bailey
Michael Scheidell wrote: > On 2/23/10 9:03 AM, Jason Bertoch wrote: >> >> Are there any internal checks that disable Bayes autolearn when these >> artificial whitelist rules match? I'd disabled these rules in >> versions prior to 3.3.0 but, with all the discussion on the matter, I >> thought I'd l

Re: RetrunPath and Bayes Poisoning

2010-02-23 Thread Michael Scheidell
On 2/23/10 9:03 AM, Jason Bertoch wrote: Are there any internal checks that disable Bayes autolearn when these artificial whitelist rules match? I'd disabled these rules in versions prior to 3.3.0 but, with all the discussion on the matter, I thought I'd leave them in to see the "new and imp

RetrunPath and Bayes Poisoning

2010-02-23 Thread Jason Bertoch
Are there any internal checks that disable Bayes autolearn when these artificial whitelist rules match? I'd disabled these rules in versions prior to 3.3.0 but, with all the discussion on the matter, I thought I'd leave them in to see the "new and improved" version. Unfortunately, I'm still

Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Marc Perkel
Craig Carriere wrote: Matt wrote: First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows: dummy - 10 real - 20 real-backups - 30 dummy - 40 dummy - 50 dummy - 60

Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Craig Carriere
Matt wrote: >> First - use dummy MX records. Real mail retries. Botnet and most >> spammers don't. It's easier for them to try to spam someone else than to >> fight your filter. MX config is as follows: >> >> dummy - 10 >> real - 20 >> real-backups - 30 >> dummy - 40 >> dummy - 50 >> dummy - 60 >

Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Matt
First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows: dummy - 10 real - 20 real-backups - 30 dummy - 40 dummy - 50 dummy - 60 Currently I have mail.mydomain.com as 10.

Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Matthias Häker
Marc Perkel wrote: I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it. ah nice can you tell me how to implant th

Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread arni
Marc Perkel wrote: I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it. 56th reinvention of the square wheel You mi

Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Marc Perkel
I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it. First - use dummy MX records. Real mail retries. Botnet and most s

Re: bayes poisoning

2007-01-16 Thread Chris Purves
maillist wrote: I see a few emails every-now-and-then about "bayes poisoning", and am wondering what it means. From what I understand, it is some message that gets learned (only through autolearn?) that has certain characteristics that throw the bayes system off. From what I

Bayes Poisoning

2006-10-09 Thread Marc Perkel
I've been having problems with bayes as of late with it marking nonspam as spam and spam as nonspam. I think it's the damn gif file spam causing it. Anyone else having this problem? Any solutions?

RE: Bayes poisoning (was Re: your mail)

2006-09-27 Thread Bowie Bailey
Peter Smith wrote: > > > The messages are simply a random stream of words, with punctuation > > > scattered in them. No HTML, no URLs being advertised, no excessive > > > capitalisation, just meaningless text. > > I'm cautious about feeding these messages to sa-learn as spam, in > case it has a ne

Bayes poisoning (was Re:)

2006-09-27 Thread Peter Smith
> Are you running net tests? It sounds like someone has a broken zombie net > that is supposed to be sending out gif spams, but they forgot the images. > Net tests would probably catch these easily. Well I'm using the following: score DCC_CHECK 1.0 score PYZOR_CHECK 1.0 score RAZOR_CHECK 1.0 scor

Bayes poisoning (was Re: your mail)

2006-09-27 Thread Peter Smith
>> The messages are simply a random stream of words, with punctuation >> scattered in them. No HTML, no URLs being advertised, no excessive >> capitalisation, just meaningless text. > > Technically, then, it's not spam. Spam requires a commercial message > of some sort. :) Yeah, I think I said 'j

Re: Bayes poisoning ?

2005-07-22 Thread Loren Wilton
The best thing to do is probably throw the current database away and start over. As you seem to have several users, you should have bayes working again within a very few hours, or less. You should delete the current database, reset the scores to normal (and increase the bayes_99 score to somethin

Bayes poisoning ?

2005-07-22 Thread Ramprasad A Padmanabhan
, and are there any ways to avoid bayes poisoning ? Thanks Ram -- Netcore Solutions Pvt. Ltd. Website: http://www.netcore.co.in Spamtraps: http://cleanmail.netcore.co.in/directory.html --