I get spam like this too. I'd tell you to train your bayes db better,
but no amount of learning these things seems to have any effect for
me; the next one in is just right back at BAYES_50. Mine are also
largely from Yahoo, some from Hotmail.
One thing that bothers me is how painfully obvious these are, and yet
barely trigger any rules in stock SA. Maybe a Pyzor here, a DCC there.
Rarely a DKIM hit, IIRC. For the most part they sail right through,
with virtually no non-network test hitting them, and very rarely a
network test. Even with my changes below, I'm still missing more than
I would like (mostly because they don't hit enough to pass 5.0).
First I tried the SARE rules. Most of them were ineffective, but a few
files hit often. Then I added the Botnet plugin, and it was much, much
more useful. I do *not* use the stock Botnet scores, however... too
high for my tastes. But I'm getting closer to them every day, as I
inch them back up to their stock.
The "Spam" and "Ham" listed here are how SA classifies them... not
necessarily what they actually *are*...
Ruleset                        Ham  Spam  % of Ham  % of Spam
-------------------------------------------------------------
Botnet.cf                       16   857     4.79%     92.05%
70_sare_obfu1.cf                 0   263     0.00%     28.25%
70_sare_genlsubj1.cf             3   113     0.90%     12.14%
99_custom_rules.cf               5   111     1.50%     11.92%
70_sare_genlsubj0.cf             0    55     0.00%      5.91%
70_sare_adult.cf                 0    46     0.00%      4.94%
70_sare_header0.cf               0    14     0.00%      1.50%
70_sare_header1.cf               0    13     0.00%      1.40%
70_sare_oem.cf                   2     2     0.60%      0.21%
70_sare_html0.cf                 1     2     0.30%      0.21%
72_sare_redirect_post3_0_0.cf    0     0     0.00%      0.00%
70_sare_obfu0.cf                 0     0     0.00%      0.00%
70_sare_bayes_poison_nxm.cf      0     0     0.00%      0.00%
70_sare_evilnum0.cf              0     0     0.00%      0.00%
70_sare_html1.cf                 1     0     0.30%      0.00%
My modified stock rule scores: (slowly increasing these over time)
score DRUGS_ERECTILE 1.5
score DRUGS_MUSCLE 1.0
score RDNS_NONE 0.5
score ONLINE_PHARMACY 1.0
score TVD_VISIT_PHARMA 1.0
Then I wrote these add-on rules, almost specifically to target this
problem. The scores are arbitrary, and I'm increasing them over time.
1 and 2 are the highest-hitting by far. And yes, they do sometimes
overlap with the stock rules above. Not as often as you'd think,
though.... plenty of viagra/cialis spam isn't hitting DRUGS_ERECTILE,
and plenty of pharma spam doesn't hit those 2 either. The last one I
kinda made up, and it hit exactly 1 in ~2000 emails last week.
header JAKE_SUBJ1 Subject =~ /Viagra/i
describe JAKE_SUBJ1 Subject mentions Viagra
score JAKE_SUBJ1 2.5
header JAKE_SUBJ2 Subject =~ /Cialis/i
describe JAKE_SUBJ2 Subject mentions Cialis
score JAKE_SUBJ2 2.5
header JAKE_SUBJ3 Subject =~ /pharmacy/i
describe JAKE_SUBJ3 Subject mentions 'pharmacy'
score JAKE_SUBJ3 1.5
header JAKE_SUBJ4 Subject =~ /****/i
describe JAKE_SUBJ4 Subject mentions '****'
score JAKE_SUBJ4 1.5
header JAKE_SUBJ5 Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe JAKE_SUBJ5 Subject mentions a hot chick
score JAKE_SUBJ5 1.5
I also started using some 3rd party ClamAV rules... SaneSecurity has
'em, don't remember the link offhand.
If anyone knows when stock SA is gonna start catching this junk a lot
better, I'd love to hear it. I hate doing this hacky garbage to a nice
clean mail server.
Good luck,
Jake
On Mon, Aug 25, 2008 at 10:10 PM, James Robertson wrote:
> I'm having an increased amount of junk getting through due to it coming from
> Hotmail and Yahoo's servers which makes any type of pre-filter stuff like
> RBL's, Greylisting, Sender Verification useless which leaves me to rely on
> Spamassassin. I cannot block hotmail and Yahoo (although I would like to
> personally) as our users receive valid email from them.
>
> I have emailed their abuse but it seems more like a blackhole.
>
> I was advised by the Postfix mailing lists to see if anyone here can help me
> out.
>
> Important Note: I am planning on upgrading the Spam Gateway we are
> operating to utilise Maia Mailguard and therefore allow easier training of
> the spam filter which will hopefully help in fixing the problem anyway but
> was wondering if anyone has some tips on how to kill this junk.
>
> I have added higher scores such as "score DRUGS_ERECTILE 7.31" but that
> doesn't help with all the spam.
>
> Examples are below.
>
> ##############################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mx.3rdmill.com.au ([xxx.xxx.xxx.xxx]) by
> 3msyd1.nsw.3rdmill.com.au with Microsoft SMTPSVC(6.0.3790.3959);
> Tue, 26 Aug 2008 07:12:23 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mx.3rdmill.com.au (Postfix) with ESMTP id CFD6AFEAF
> for ; Tue, 26 Aug 2008 07:12:24 +1000 (EST)
> Received: from mx.3rdmill.com.au ([127.0.0.1]) by localhost
> (3msydmxg.nsw.3rdmill.com.au [127.0.0.1]) (amavisd-maia, port 10024) with
> ESMTP id 06003-05 for ; Tue, 26 Aug 2008 07:12:12
> +1000 (EST)
> Received: from n1.bullet.mail.re3.yahoo.com (n1.bullet.mail.re3.yahoo.com
> [68.142.237.108])
> by mx.3rdmill.com.au (Postfix) with SMTP id 152B8FE72
> for ; Tue, 26 Aug 2008 07:12:05 +1000 (EST)
> Received: from [68.142.230.28] by n1.bullet.mail.re3.yahoo.com with NNFMP;
> 25 Aug 2008 21:12:02 -0000
> Received: from [216.252.111.166] by t1.bullet.re2.yahoo.com with NNFMP; 25
> Aug 2008 21:12:02 -0000
> Received: from [127.0.0.1] by omp101.mail.re3.yahoo.com with NNFMP; 25 Aug
> 2008 21:12:02 -0000
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 710810.31677.bm@omp101.mail.re3.yahoo.com
> Received: (qmail 14637 invoked by uid 60001); 25 Aug 2008 21:12:02 -0000
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
> s=s1024; d=yahoo.com;
> h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;
> b=MoHka6GIK4EPE9h69cCWTi6GTwzEKJQsemn1tMAKkC+3aqBJ Jm6X8nUBiDj8TRgG2AkBZOVfAH7YsujX/hjWyGgrc/KMNjQtygxd/SNmVQQfZKx9FEueCSK4OAk0joY/V8LBOvvrOtSHvfnQpcgClrSsRrFJ5iTjU/30kPeZJnU=;
> X-YMail-OSG:
> mwVfClMVM1kM9GhmjadPth3DGxGMJJTDHLJxFCGCGWcNvZViq6 NFYpOzOSRIqsmteUiJfFKq3Q1YM3NITcYFHcFdUzAlf39soSr9 xmj2QJkMtcWnsEPpQAYZxojCTXA-
> Received: from [90.54.180.225] by web57511.mail.re1.yahoo.com via HTTP; Mon,
> 25 Aug 2008 14:12:02 PDT
> X-Mailer: YahooMailWebService/0.7.218.2
> Date: Mon, 25 Aug 2008 14:12:02 -0700 (PDT)
> From: Jamie Microdissection
> Reply-To: jamiemicrodissection1673096@yahoo.com
> Subject: Firmer and longer erections shut
> To: vavero@starmedia.com
> Cc:
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Message-ID: <472879.14519.qm@web57511.mail.re1.yahoo.com>
> X-Virus-Scanned: Maia Mailguard 1.0.2
> X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31
> tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
> X-Spam-Level:
> Return-Path: jamiemicrodissection1673096@yahoo.com
> X-OriginalArrivalTime: 25 Aug 2008 21:12:23.0984 (UTC)
> FILETIME=[44ECFB00:01C906F7]
>
>
>
> -----Original Message-----
> From: Jamie Microdissection [mailto:jamiemicrodissection1673096@yahoo.com]
> Sent: Tuesday, 26 August 2008 7:12 AM
> To: vavero@starmedia.com
> Cc:
> Subject: Firmer and longer erections shut
>
> think worm mules fly blaze.
> http://groups.google.com/group/sdeli...illpewtyr2neat
>
>
> ##################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail.icfrith.com.au ([xxx.xxx.xxx.xxx]) by
> icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
> Mon, 25 Aug 2008 11:29:40 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mail.icfrith.com.au (Postfix) with ESMTP id 951DD2B956
> for ; Mon, 25 Aug 2008 11:14:07 +1000
> (EST)
> X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
> X-Spam-Score: 2.54
> X-Spam-Level: **
> X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
> DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
> Received: from mail.icfrith.com.au ([127.0.0.1])
> by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
> (amavisd-new, port 10024)
> with ESMTP id QptAnYEjlOsy for ;
> Mon, 25 Aug 2008 11:14:05 +1000 (EST)
> Received: from BAY0-OMC3-S10.bay0.hotmail.com
> (bay0-omc3-s10.bay0.hotmail.com [65.54.246.210])
> by mail.icfrith.com.au (Postfix) with ESMTP id E4D912B99C
> for ; Mon, 25 Aug 2008 11:14:02 +1000
> (EST)
> Received: from BAY113-W51 ([65.54.168.151]) by
> BAY0-OMC3-S10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
> Sun, 24 Aug 2008 18:29:34 -0700
> Message-ID:
> Content-Type: multipart/alternative;
> boundary="_6d082c57-ec4b-42db-aaa6-f421809ee165_"
> X-Originating-IP: [201.83.252.234]
> From: Dorothy Brown
> To:
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Date: Mon, 25 Aug 2008 01:29:33 +0000
> Importance: High
> MIME-Version: 1.0
> X-OriginalArrivalTime: 25 Aug 2008 01:29:34.0525 (UTC)
> FILETIME=[07D4EED0:01C90652]
> Return-Path: dorothyxqsdzips@hotmail.com
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_--
>
> ________________________________________
> From: Dorothy Brown [mailto:dorothyxqsdzips@hotmail.com]
> Sent: Monday, 25 August 2008 11:30 AM
> To: roslyn.holcombe@icliffs.com
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Importance: High
>
>
> Attractive prices and high quality is our motto.
> www.cid-1a15c26c02719644.spaces.live.com
>
> #########################################
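As an added example (my own code, not Jake's rules file and not SpamAssassin's implementation), the script below parses header rules written in the same .cf syntax Jake posted, unfolds a message's headers the way RFC 5322 folding requires, and adds up the scores of every rule that hits. Run against the two Subject lines quoted from James's samples plus one constructed subject, it shows the problem Jake describes: a single keyword hit (1.5 for "pharmacy") is nowhere near the 5.0 threshold, while a subject that stacks several keywords crosses it. The rule set reuses Jake's JAKE_SUBJ rules minus the one the archive masked with asterisks; the Perl-flag mapping, the 1.0 default score and the first-occurrence handling of repeated headers are simplifications I chose for this example.

```python
import re
from typing import Dict, List, Tuple

# Jake's header rules from the post (minus the one the archive masked with '****'),
# in the 'header / describe / score' syntax SpamAssassin .cf files use.
RULES_CF = r"""
header JAKE_SUBJ1 Subject =~ /Viagra/i
describe JAKE_SUBJ1 Subject mentions Viagra
score JAKE_SUBJ1 2.5
header JAKE_SUBJ2 Subject =~ /Cialis/i
describe JAKE_SUBJ2 Subject mentions Cialis
score JAKE_SUBJ2 2.5
header JAKE_SUBJ3 Subject =~ /pharmacy/i
describe JAKE_SUBJ3 Subject mentions 'pharmacy'
score JAKE_SUBJ3 1.5
header JAKE_SUBJ5 Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe JAKE_SUBJ5 Subject mentions a hot chick
score JAKE_SUBJ5 1.5
"""

REQUIRED_SCORE = 5.0  # the "pass 5.0" threshold Jake refers to

HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")
SCORE_LINE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")
DESCRIBE_LINE = re.compile(r"^describe\s+(\S+)\s+(.*)$")
# Perl regex modifiers -> Python flags (only the common ones; a simplification)
PERL_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_rules(cf_text: str) -> Dict[str, dict]:
    """Read header/score/describe lines into {name: {header, regex, score, describe}}.
    Rules without a 'header' line are dropped; a missing 'score' defaults to 1.0."""
    rules: Dict[str, dict] = {}

    def entry(name: str) -> dict:
        return rules.setdefault(name, {"score": 1.0, "describe": ""})

    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RULE.match(line):
            name, header, pattern, flags = m.groups()
            bits = 0
            for f in flags:
                bits |= PERL_FLAGS.get(f, 0)
            entry(name).update(header=header.lower(), regex=re.compile(pattern, bits))
        elif m := SCORE_LINE.match(line):
            entry(m.group(1))["score"] = float(m.group(2))
        elif m := DESCRIBE_LINE.match(line):
            entry(m.group(1))["describe"] = m.group(2)
    return {n: r for n, r in rules.items() if "regex" in r}


def parse_headers(raw: str) -> Dict[str, str]:
    """Unfold RFC 5322 headers (continuation lines start with whitespace) into a
    lower-cased name -> value map. A repeated header keeps its first value only,
    which is a simplification of how SpamAssassin treats duplicates."""
    headers: Dict[str, str] = {}
    current = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            key = name.strip().lower()
            current = None if key in headers else key
            headers.setdefault(key, value.strip())
        else:
            current = None
    return headers


def score_headers(headers: Dict[str, str], rules: Dict[str, dict]) -> Tuple[float, List[str]]:
    """Apply every header rule; return (total score, names of the rules that hit)."""
    total, hits = 0.0, []
    for name in sorted(rules):
        rule = rules[name]
        if rule["regex"].search(headers.get(rule["header"], "")):
            total += rule["score"]
            hits.append(name)
    return round(total, 3), hits


RULES = parse_rules(RULES_CF)


def classify(raw_headers: str) -> Tuple[float, List[str], bool]:
    """Score a raw header block against RULES; the bool is 'would be tagged as spam'."""
    total, hits = score_headers(parse_headers(raw_headers), RULES)
    return total, hits, total >= REQUIRED_SCORE


# Constructed header blocks: the first two reuse the Subject lines from James's
# samples (the second folded across two lines, as it was in the quoted headers);
# the third is an invented subject that stacks several keywords.
SAMPLES = {
    "yahoo": "From: Jamie Microdissection\nSubject: Firmer and longer erections shut\nTo: vavero@starmedia.com\n",
    "hotmail": ("From: Dorothy Brown\n"
                "Subject: Licensed pharmaceutical professionals from our pharmacy are\n"
                " available 24/7 for you.\nImportance: High\n"),
    "stacked": "From: <sender@example.invalid>\nSubject: Cheap VIAGRA and cialis from our online pharmacy\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        total, hits, spam = classify(raw)
        print(f"{label:8s} score={total:<5} hits={hits or '-'} {'SPAM' if spam else 'ham'}")
```

The yahoo sample scores 0.0 and the hotmail sample only 1.5, which matches Jake's point that these messages rarely trigger enough rules to pass the threshold; only the constructed subject, hitting three rules at once, reaches 6.5. Unfolding matters because a long Subject like the hotmail one arrives on two physical lines, and a rule matched against only the first line would miss anything that wrapped.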