[EMAIL PROTECTED] wrote:
John Rudd wrote:
Robert Schetterer wrote:

arni wrote:
Raymond Myren wrote:
Hello,

Just today I started receiving spam mails with attached .pdf files
with a spam image.
Any ideas how to stop this spam type?

\raymond
As I said several times on this mailing list now, I've never had any of
these mails get through; here is how the current ones score:

X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
    BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
    LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
    autolearn=no version=3.2.0
X-Spam-Report:
    *  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *      [score: 1.0000]
    *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
    *  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?85.138.88.254>]
    *  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    *      [85.138.88.254 listed in zen.spamhaus.org]
    *  3.0 BOTNET Relay might be a spambot or virusbot
    *      [botnet0.7,ip=85.138.88.254,nordns]
    *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
    *       signs some mails
    *  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
    *      [botnet_nordns,ip=85.138.88.254]
    *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
    *       Germany
    *  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions
    *      AG, Germany
    *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

arni

You are in luck:
you are a "late receiver" of that spam, so it was detected
by others before (look at your headers),
but it wasn't detected by, i.e., a plain pdf_spam rule/solution
(like fuzzy_ocr etc.).
This is what I am looking for.
His success didn't depend upon that luck. Even without the LOGINHASH* and DCC_CHECK, or even BAYES, he still had a high enough score to flag it as spam.


Actually it did: take away the spamtrap-fed blackholes (PBL and SPAMCOP)
and the spamtrap-fed BAYES as well, and it scores a whopping 3.1, thanks
to the BOTNET plugin (which is amazing, btw). That hit was all from the
late-receiver effect.


Actually, it didn't. The assertion is that if someone else hadn't seen this exact message first, then SA wouldn't have caught it.

The PBL (which isn't spamtrap fed, it's collected from ISP published and/or contributed data) would have caught this based upon issues that have nothing at all to do with this message, and most likely nothing at all to do with this current round of spam. It would be based upon the host provider's policy that this host shouldn't send email to the internet.

Similarly, the SPAMCOP listing is most likely not related to _this_ message. It is more likely an ongoing abuse issue, so the fact that the host fed a spamtrap at spamcop at some point in the past does not mean that they were "lucky to catch this message". The odds are that the SPAMCOP listing has nothing to do with this message.


I would make the same characterization of BAYES. You don't have to see a specific message in the past in order for BAYES to catch it. Therefore, you're not depending upon "luckily not being the first person to see a given message".


Just resting upon BAYES, BOTNET, and PBL, you're not "lucky to have caught the message because you're a late receiver". You've caught the message due to a combination of policy, misuse, and historical characteristics of spam in general being used to train your system.
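As an added example (not code from the thread or from SpamAssassin itself), a small Python script that parses the X-Spam-Report quoted above and recomputes the score with chosen rules removed, which is the arithmetic both sides of the "late receiver" argument are doing by hand. The rule names, per-rule scores and the 5.0 threshold come from the quoted headers; the grouping of rules into "late receiver" and DNSBL sets is my own assumption for illustration.

```python
import re

# Constructed excerpt of the X-Spam-Report quoted in the thread (same rules, same scores).
SPAM_REPORT = """\
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.0000]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <http://www.spamcop.net/bl.shtml?85.138.88.254>]
*  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  3.0 BOTNET Relay might be a spambot or virusbot
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*       signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
*       Germany
*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions AG, Germany
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
"""

# A score line is "*  <score> <RULE_NAME> <description>" (optionally preceded by the
# header name on the first line); continuation lines ("[...]" or indented text) do not match.
RULE_LINE = re.compile(r"^(?:X-Spam-Report:)?\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(report):
    """Map each rule named in an X-Spam-Report body to its displayed one-decimal score."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def score_without(hits, excluded, required=5.0):
    """Total with the given rules removed, and whether it still reaches the threshold.
    Summing displayed scores can differ from the header total by a rounding step (16.7 vs 16.6 here)."""
    total = round(sum(s for rule, s in hits.items() if rule not in excluded), 1)
    return total, total >= required

# Assumed grouping: rules that fire only because someone else saw this message or
# sender first (message hashes, DCC) versus the DNS blocklists the thread argues about.
LATE_RECEIVER = {"LOGINHASH1", "LOGINHASH2", "DCC_CHECK"}
DNSBL = {"RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_PBL"}

if __name__ == "__main__":
    hits = parse_report(SPAM_REPORT)
    print(score_without(hits, set()), score_without(hits, LATE_RECEIVER | {"BAYES_99"}),
          score_without(hits, LATE_RECEIVER | DNSBL | {"BAYES_99"}))
```

Dropping the hash/DCC rules and BAYES_99 still leaves 6.0 (spam), while also dropping both DNSBLs leaves 3.1 (ham), which is the 3.1 quoted in the thread.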


