how to keep updated against german spam? - SpamAssassin


  1. how to keep updated against german spam?


    I run spamassassin 3.2.3 and every few weeks a new wave of German spam
    hits our servers that is not detected by spamassassin...

    Is there a webpage where I can get new rules? Or any channel I can
    subscribe to for sa-update?

    I also have a question about sa-update and new channels. If I add a new
    channel that provides new rulesets, do I have to add these new rules to
    my local.cf or are they used automatically as if they were sa-rules
    themselves?

    thnx
    peter

    --
    mag. peter pilsl - goldfisch.at
    IT-Consulting
    Tel: +43-699-11288470
    Tel: +43-1-8900602
    Fax: +43-1-8900602-15
    skype: peter.pilsl
    pilsl@goldfisch.at
    www.goldfisch.at


  2. Re: how to keep updated against german spam?

    On Tuesday, 10 June 2008 peter pilsl wrote:
    > I run spamassassin 3.2.3 and every few weeks a new wave of German
    > spam hits our servers that is not detected by spamassassin...
    >
    > Is there a webpage where I can get new rules? Or any channel I can
    > subscribe to for sa-update?
    >
    > I also have a question about sa-update and new channels. If I add a
    > new channel that provides new rulesets, do I have to add these new
    > rules to my local.cf or are they used automatically as if they were
    > sa-rules themselves?


    I am the maintainer of the GERMAN ruleset. You can download it in
    various ways. From the comment within that ruleset:

    # License: Artistic - see http://www.rulesemporium.com/license.txt
    # Maintainer: Michael Monnerie (sare-german@zmi.at) from it-management.at
    # How to get it:
    # SpamAssassin Channel: 70_zmi_german.cf.zmi.sa-update.dostech.net
    # Also via RDJ (RulesDuJour) as: ZMI_GERMAN
    # RDJ is available at http://www.exit0.us/index.php?pagename=RulesDuJour
    # Home: http://sa.zmi.at/rulesets/70_zmi_german.cf
    # HOWTO contribute:
    # - write and --lint your own rules
    # - be sure it hits more than just one spam
    # - try to write rules similar to how we write them recently (see the
    # latest body rulesets (the last ones!) to get an example)
    # - be sure it actually *is* spam, not just a newsletter from a company
    # who bought your e-mail address from another company (they often don't know...)
    # - send your rules to the maintainer (see above) together with the licence
    # (which MUST be "Artistic" for me to include it, or you grant me rights
    # to redistribute it under the "Artistic" licence)

    Regards, zmi
    --
    // Michael Monnerie, Ing.BSc ----- http://it-management.at
    // Tel: 0660 / 415 65 31 .network.your.ideas.
    // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
    // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
    // Keyserver: www.keyserver.net Key-ID: 1C1209B4



  3. Re: how to keep updated against german spam?




    Yet Another Ninja wrote:

    > Is there a place where you posted these spams so potential rule writers
    > know which you're talking about?

    I just uploaded three different examples of recent spamwave to my webpage:

    http://www.goldfisch.at/goldfisch/temp/spam1


    thnx,
    peter


  4. Re: how to keep updated against german spam?


    On Tue, June 10, 2008 14:35, peter pilsl wrote:
    > I just uploaded three different examples of recent spamwave to my webpage:


    X-Spam-Status: No, score=0.6 required=2.4 tests=BAYES_05,NO_RELAYS
    autolearn=ham version=3.2.2

    NO_RELAYS should not hit on remote spams.

    Have you configured your trusted_networks, internal_networks and
    msa_networks in local.cf correctly?

    perldoc Mail::SpamAssassin::Conf for more info


    Benny Pedersen


  5. Re: how to keep updated against german spam?

    On Tue, 10 Jun 2008 at 14:35 +0200, pilsl@goldfisch.at confabulated:

    > Yet Another Ninja wrote:
    >
    >> Is there a place where you posted these spams so potential rule writers
    >> know which you're talking about?
    >
    > I just uploaded three different examples of recent spamwave to my webpage:
    >
    > http://www.goldfisch.at/goldfisch/temp/spam1

    Using the messages as you have posted them, ALL would have been tagged as
    spam here regardless of language:

    X-Spam-Level: xxxxxx
    X-Spam-Status: Bayes:0.5 Score:6.5 Reqrd:5.0 AutoLrn:no
    Tests:NO_DNS_FOR_FROM=1.407,RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896

    X-Spam-Level: xxxxxxxx
    X-Spam-Status: Bayes:0.5 Score:8.7 Reqrd:5.0 AutoLrn:no
    Tests:NO_DNS_FOR_FROM=1.407,RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_PBL=0.509,
    RCVD_IN_SORBS_DUL=1.615,RCVD_IN_XBL=2.896,RDNS_DYNAMIC=0.1

    X-Spam-Level: xxxxxxx
    X-Spam-Status: Bayes:0.5 Score:7.1 Reqrd:5.0 AutoLrn:no
    Tests:FH_HELO_EQ_D_D_D_D=0.498,NO_DNS_FOR_FROM=1.407,
    RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896,RDNS_DYNAMIC=0.1

    You probably don't have network tests enabled.


  6. Re: how to keep updated against german spam?

    On Tuesday, 10 June 2008, Michael Monnerie wrote:
    > On Tuesday, 10 June 2008 peter pilsl wrote:
    > > I run spamassassin 3.2.3 and every few weeks a new wave of German
    > > spam hits our servers that is not detected by spamassassin...
    > >
    > > Is there a webpage where I can get new rules? Or any channel I
    > > can subscribe to for sa-update?
    > >
    > > I also have a question about sa-update and new channels. If I add
    > > a new channel that provides new rulesets, do I have to add these
    > > new rules to my local.cf or are they used automatically as if
    > > they were sa-rules themselves?
    >
    > I am the maintainer of the GERMAN ruleset. You can download it in
    > various ways. From the comment within that ruleset:
    >
    > # License: Artistic - see http://www.rulesemporium.com/license.txt
    > # Maintainer: Michael Monnerie (sare-german@zmi.at) from it-management.at
    > # How to get it:
    > # SpamAssassin Channel: 70_zmi_german.cf.zmi.sa-update.dostech.net
    > # Also via RDJ (RulesDuJour) as: ZMI_GERMAN
    > # RDJ is available at http://www.exit0.us/index.php?pagename=RulesDuJour
    > # Home: http://sa.zmi.at/rulesets/70_zmi_german.cf
    > # HOWTO contribute:
    > # - write and --lint your own rules
    > # - be sure it hits more than just one spam
    > # - try to write rules similar to how we write them recently (see the
    > # latest body rulesets (the last ones!) to get an example)
    > # - be sure it actually *is* spam, not just a newsletter from a company
    > # who bought your e-mail address from another company (they often don't know...)
    > # - send your rules to the maintainer (see above) together with the licence
    > # (which MUST be "Artistic" for me to include it, or you grant me rights
    > # to redistribute it under the "Artistic" licence)
    >
    > Regards, zmi


    from sa-update -D:

    [12517] dbg: http: GET request, http://daryl.dostech.ca/sa-update/zm...042.tar.gz.asc
    [12517] dbg: sha1: verification wanted: 91eaa15f9a096c202a18b9f5f858fc25058643aa
    [12517] dbg: sha1: verification result: 91eaa15f9a096c202a18b9f5f858fc25058643aa
    [12517] dbg: channel: populating temp content file
    [12517] dbg: gpg: populating temp signature file
    [12517] dbg: gpg: calling gpg
    [12517] dbg: gpg: gpg: Signature made Do 05 Jun 2008 10:50:57 CEST using DSA key ID 856AA88A
    [12517] dbg: gpg: [GNUPG:] ERRSIG 3C5C05EB856AA88A 17 2 00 1212655857 9
    [12517] dbg: gpg: [GNUPG:] NO_PUBKEY 3C5C05EB856AA88A
    [12517] dbg: gpg: gpg: Can't check signature: public key not found
    error: GPG validation failed!
    The update downloaded successfully, but it was not signed with a trusted GPG
    key. Instead, it was signed with the following keys:

        856AA88A

    --
    gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C


  7. Re: how to keep updated against german spam?

    On Tuesday, 10 June 2008 Mathias Homann wrote:
    > from sa-update -D:
    >
    > [12517] dbg: http: GET request, http://daryl.dostech.ca/sa-update/zm...200806051042.tar.gz.asc
    > [12517] dbg: sha1: verification wanted: 91eaa15f9a096c202a18b9f5f858fc25058643aa
    > [12517] dbg: sha1: verification result: 91eaa15f9a096c202a18b9f5f858fc25058643aa
    > [12517] dbg: channel: populating temp content file
    > [12517] dbg: gpg: populating temp signature file
    > [12517] dbg: gpg: calling gpg
    > [12517] dbg: gpg: gpg: Signature made Do 05 Jun 2008 10:50:57 CEST using DSA key ID 856AA88A
    > [12517] dbg: gpg: [GNUPG:] ERRSIG 3C5C05EB856AA88A 17 2 00 1212655857 9
    > [12517] dbg: gpg: [GNUPG:] NO_PUBKEY 3C5C05EB856AA88A
    > [12517] dbg: gpg: gpg: Can't check signature: public key not found
    > error: GPG validation failed!
    > The update downloaded successfully, but it was not signed with a trusted GPG
    > key. Instead, it was signed with the following keys:
    >
    >     856AA88A


    Sorry that problem is on Daryl's side already, cannot influence it.
    Daryl, did ya see this?

    Regards, zmi
    --
    // Michael Monnerie, Ing.BSc ----- http://it-management.at
    // Tel: 0660 / 415 65 31 .network.your.ideas.
    // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
    // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
    // Keyserver: www.keyserver.net Key-ID: 1C1209B4
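
The GPG failure in the debug output above, worked through as an added example (not from the thread or from the SpamAssassin project): it extracts the unknown signing key ID from `sa-update -D` output, checks it against a fingerprint obtained out-of-band, and prints the `sa-update --import` and `--gpgkey` invocations. The function names are hypothetical and the key file path is a placeholder; the page gives neither the channel key's location nor its fingerprint.

```shell
#!/bin/sh
# Added example. Constructed sample: the GPG lines of the sa-update -D output
# quoted in the thread, with wrapped lines rejoined.
sample_log() {
cat <<'EOF'
[12517] dbg: gpg: gpg: Signature made Do 05 Jun 2008 10:50:57 CEST using DSA key ID 856AA88A
[12517] dbg: gpg: [GNUPG:] ERRSIG 3C5C05EB856AA88A 17 2 00 1212655857 9
[12517] dbg: gpg: [GNUPG:] NO_PUBKEY 3C5C05EB856AA88A
[12517] dbg: gpg: gpg: Can't check signature: public key not found
error: GPG validation failed!
EOF
}

# Read sa-update debug output on stdin; print each distinct long key ID that
# gpg reported as NO_PUBKEY (machine-readable status line, last field).
missing_keys() {
    awk '/\[GNUPG:\] NO_PUBKEY/ { if (!seen[$NF]++) print $NF }'
}

# Short (8 hex digit) form of a key ID, as shown in sa-update's error text.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# Succeed only if fingerprint $1 (obtained out-of-band from the channel
# operator) belongs to long key ID $2: for OpenPGP v4 keys the long key ID
# is the last 16 hex digits of the fingerprint.
fingerprint_matches() {
    [ -n "$2" ] || return 1
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$fpr" in *"$2") return 0 ;; *) return 1 ;; esac
}

# Print the commands that would trust the key for one channel.
# $1 = long key ID, $2 = channel name, $3 = key file (placeholder path).
trust_commands() {
    printf 'sa-update --import %s\n' "$3"
    printf 'sa-update --gpgkey %s --channel %s\n' "$(short_id "$1")" "$2"
}

CHANNEL=70_zmi_german.cf.zmi.sa-update.dostech.net   # channel named in the thread
KEYFILE=/path/to/channel-GPG.KEY                      # placeholder, not from the page
sample_log | missing_keys | while read -r id; do
    trust_commands "$id" "$CHANNEL" "$KEYFILE"
done
```

The fingerprint in the ruleset maintainer's signature ends in 1C12 09B4, so it is not the key that signed this channel archive; the key to import has to come from the channel operator.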



  8. Re: how to keep updated against german spam?

    On Tuesday, 10 June 2008 peter pilsl wrote:
    > I just uploaded three different examples of recent spamwave to my
    > webpage:
    > http://www.goldfisch.at/goldfisch/temp/spam1


    As others said already, with simple network tests you could filter those
    mails. Consider using the BOTNET tool, that helps too. I won't write
    rules for spam that's already recognized by other rules - the ruleset
    would be too huge and slow.

    Regards, zmi
    --
    // Michael Monnerie, Ing.BSc ----- http://it-management.at
    // Tel: 0660 / 415 65 31 .network.your.ideas.
    // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
    // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
    // Keyserver: www.keyserver.net Key-ID: 1C1209B4


