Re: Bitcoin ransom mail

[Dean Carpenter]

On 2019-12-11 1:58 pm, Giovanni Bechis wrote:
On 12/11/19 3:17 PM, Bill Cole wrote:
On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
Hi PFA...

On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
On 12/10/19 7:49 PM, Michael Storz wrote:
[...]
My copy hit

BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, 
MPART_ALT_DIFF=0.79

not enough to mark it as spammy.

FuzzyOcr + bayes is killing this kind of emails for me:

FuzzyOcr is unmaintained and doesn't even have an authoritative 
repository as far as I can tell. It is computationally very expensive, 
to the degree that it isn't safe to just add it to an existing mail 
system which does not have a lot of idle CPU and memory capacity.

it's true that it's unmaintained but I have it running on Perl 5.28
with some patches and it's still useful every now and then (if you
have some spare cpu cycles and you know what you are doing).
A new ocr plugin could be definetely a better choice.
  Giovanni

fuzzyocr is available from the standard repos for Ubuntu 18.04.  It's
v3.6.0-10, with a homepage listed as

https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/

Interestingly I just got one of those bitcoin spams, but fuzzyocr didn't 
pick up on it.  This is the spam report for it :

==== ====================== 
==================================================
  pts  rule name              description
 ---- ---------------------- 
--------------------------------------------------
  2.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
                             [score: 0.8391]
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at 
https://www.dnswl.org/, no
                             trust
                             [40.92.254.80 listed in list.dnswl.org]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser 
mail provider
                             (xbdamianta[at]outlook.com)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of 
words
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature 
from author's
                             domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not 
necessarily valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK 
signature
  0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
  0.0 TVD_SPACE_RATIO        No description available.
  0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current 
years