EuroPharmacie - SpamAssassin


  1. Re: EuroPharmacie


  2. EuroPharmacie


    Hi

    We receive some mails with EuroPharmacie
    How could I avoid these?
    SCORE is only 5.9

    Regards
    Philippe

    Return-Path:
    Delivered-To: support@xxxxxx.fr
    Received: by mail.xxxxx.fr (Postfix, from userid 513)
    id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
    X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
    X-Spam-Level: *****
    X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
    MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
    URIBL_SBL autolearn=no version=3.x.x
    Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
    (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
    by mail.infodev.fr (Postfix) with ESMTP
    id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
    Received: from [79.21.166.121] by gateway10.tnb.com; Fri, 20 Jun 2008
    13:37:14 +0100
    From: Les pilules ici
    To:
    Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
    Date: Fri, 20 Jun 2008 13:37:14 +0100
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0006_01C8D2DA.BFA4A100"
    X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
    Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>
    Status:

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0006_01C8D2DA.BFA4A100
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: 7bit

    Le EuroPharmacie boutique en ligne vous propose de passer a une veritable
    securite, tout en achetant des medicaments. Nous obtenons nos pilules
    directement chez le fabricant de l'usine afin qu'ils ne passent pas par les
    mains de toute intermediaires.

    Rendez-vous sur notre pharmacie et acheter un

    http://wroteprove.com




    ------=_NextPart_000_0006_01C8D2DA.BFA4A100
    Content-Type: text/html;
    charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    =3D"urn:schemas-microsoft-comfficeffice" xmlns:w=3D"urn:=
    schemas-microsoft-comffice:word" xmlns=3D"http://www.w3.org/TR/REC-html=
    40">


    i">





    Le EuroPharmacie boutique en ligne vous=
    propose de passer a une veritable securite, tout en achetant des medicam=
    ents. Nous obtenons nos pilules directement chez le fabricant de l'usine =
    afin qu'ils ne passent pas par les mains de toute intermediaires.<=
    br>

    3D"http://wrote= Rendez-vous sur notre pharmacie et acheter un


    http://wroteprove.com







    ------=_NextPart_000_0006_01C8D2DA.BFA4A100--

    --
    View this message in context: http://www.nabble.com/EuroPharmacie-...p18030043.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  3. Re: EuroPharmacie

    5.0 is generally considered a level you can consider something Spam at.
    This scored a 5.9.

    What's your Spam level set at?

    phil89 wrote:
    > Hi
    >
    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9
    >
    > Regards
    > Philippe
    >



  4. Re: EuroPharmacie

    On Friday, June 20, 2008, 6:51:44 AM, phil89 phil89 wrote:

    > Hi


    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9


    > Regards
    > Philippe


    > Return-Path:
    > Delivered-To: support@xxxxxx.fr
    > Received: by mail.xxxxx.fr (Postfix, from userid 513)
    > id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
    > X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
    > X-Spam-Level: *****
    > X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
    >
    > MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
    > URIBL_SBL autolearn=no version=3.x.x
    > Received: from
    > host121-166-dynamic.21-79-r.retail.telecomitalia.it
    > (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
    > by mail.infodev.fr (Postfix) with ESMTP
    > id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)

    [...]

    > http://wroteprove.com



    Use SURBLs. Enable network tests:

    http://www.surbl.org/faq.html#nettest

    jp.surbl.org blacklisted that domain at 14:33 CEST

    Jeff C.
    --
    Jeff Chan
    mailto:jeffc@surbl.org
    http://www.surbl.org/


  5. Re: +++Spam+++: EuroPharmacie

    On Fri, 2008-06-20 at 06:51 -0700, phil89 wrote:
    > Hi
    >
    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9


    The botnet plugin probably would have given this a little boost. I use
    a botnet/p0f combination under amavisd-new that is reasonably accurate
    at assigning scores.

    grey-listing would have delayed it enough to have hit uribl-black


    >


    > Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
    > (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
    > by mail.infodev.fr (Postfix) with ESMTP
    > id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)


    --
    Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
    Austin Energy
    http://www.austinenergy.com




  6. Re: EuroPharmacie

    On 20.06.08 06:51, phil89 wrote:
    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9


    upgrade your spamassassin and/or rules (sa-update). turn on network rules
    you can (razor, pyzor, DCC, uribl's)

    > Return-Path:
    > Delivered-To: support@xxxxxx.fr
    > Received: by mail.xxxxx.fr (Postfix, from userid 513)
    > id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
    > X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
    > X-Spam-Level: *****
    > X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
    > MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
    > URIBL_SBL autolearn=no version=3.x.x


    RCVD_IN_DYNABLOCK does not exist for some time. Your rules are old and
    possibly not as effective as newer are.

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Atheism is a non-prophet organization.


  7. Re: EuroPharmacie

    On Fri, 20 Jun 2008, phil89 wrote:

    >
    > Hi
    >
    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9


    Only 5.9? 5.0 is the SA default score. You must have changed that.


  8. RATWARE_MSGID (was: Re: EuroPharmacie)


    > X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr


    Why is your SA version a state secret? Taking a guess -- based on the
    build date, it is 3.1.8 (released exactly that day) or earlier. *shrug*

    > X-Spam-Level: *****
    > X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
    > MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
    > URIBL_SBL autolearn=no version=3.x.x


    As Duane and Evan already pointed out, a required_score 5.0 threshold is
    the default, and would have classified this message as spam. (Dudes,
    hint, he included the full headers.)

    There's nothing wrong with being paranoid and raising this slightly if
    you prefer. However, more spam sneaking through is to be expected, and
    you either will have to write your own rules to counter it, or live with
    more FNs. You raised that value deliberately.


    > From: Les pilules ici
    > To:
    > Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
    > Date: Fri, 20 Jun 2008 13:37:14 +0100
    > MIME-Version: 1.0
    > Content-Type: multipart/alternative;
    > boundary="----=_NextPart_000_0006_01C8D2DA.BFA4A100"
    > X-Mailer: Microsoft Office Outlook, Build 11.0.6353
    > Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
    > Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>

    ^^^^^^^^
    This is a spam alright. This line alone tells me. See bug 5830. [1]

    Here's an easy rule that triggers on about 10% spam with no FPs in
    nightly mass-checks [2]. (The 2 ham hits are already verified to be a
    dirty corpus and being removed from the ham corpus.)

    Enjoy

    guenther


    # Ratware generated 8$8$8 style Message-Ids, broken Microsoft Outlook forgery.
    # The first hex is some time token, but the leading 4 chars are missing. See
    # HeaderEval.pm::check_outlook_message_id().

    header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
    header __KB_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/

    meta KB_RATWARE_MSGID __KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA

    describe KB_RATWARE_MSGID Ratware Message-Id
    score KB_RATWARE_MSGID 3.0


    [1] https://issues.apache.org/SpamAssass...ug.cgi?id=5830
    [2] http://ruleqa.spamassassin.org/20080...E_MSGID/detail

    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
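
Added example (not part of guenther's post and not SpamAssassin code): a Python port of the KB_RATWARE_MSGID rule above, run against the headers phil89 posted, giving the verdict at required=6.2, at the default 5.0, and with the rule's 3.0 added. The two control messages, the `ExampleMailer` value and the function names are constructed for illustration, and treating `score >= required` as spam is an assumption.

```python
import re
from email import message_from_string

# Ported from the two header sub-rules and the meta rule in the post above.
MSGID_888 = re.compile(r'^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}@')
OUTLOOK_MUA = re.compile(r'^Microsoft (?:Office )?Outlook\b')
STATUS = re.compile(r'score=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?)')
RULE_SCORE = 3.0  # "score KB_RATWARE_MSGID 3.0"

# Headers of the message quoted in the thread (X-Spam-Status abridged to one line).
SAMPLE = (
    "X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE\n"
    "X-Mailer: Microsoft Office Outlook, Build 11.0.6353\n"
    "Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>\n\n"
)
# Constructed controls: a 12$8$8 id (assumed genuine shape, with the four
# leading characters present) and the 8$8$8 id sent by a non-Outlook mailer.
FULL_TOKEN = SAMPLE.replace("<01c8d2da$", "<000001c8d2da$")
OTHER_MUA = SAMPLE.replace("Microsoft Office Outlook, Build 11.0.6353",
                           "ExampleMailer 1.0")

def ratware_msgid(msg):
    """True when both sub-rules match, i.e. the meta rule would fire."""
    msgid = (msg.get("Message-Id") or "").strip()
    mailer = (msg.get("X-Mailer") or "").strip()
    return bool(MSGID_888.match(msgid) and OUTLOOK_MUA.match(mailer))

def verdict(raw, required=None, with_rule=True):
    """Return (rule_hit, score, is_spam) from the stamped score plus the rule."""
    msg = message_from_string(raw)
    m = STATUS.search(msg.get("X-Spam-Status", ""))
    score, stamped = float(m.group(1)), float(m.group(2))
    hit = with_rule and ratware_msgid(msg)
    if hit:
        score = round(score + RULE_SCORE, 1)
    threshold = stamped if required is None else required
    return hit, score, score >= threshold

if __name__ == "__main__":
    print("as delivered (6.2):", verdict(SAMPLE, with_rule=False))
    print("default 5.0       :", verdict(SAMPLE, required=5.0, with_rule=False))
    print("6.2 + rule        :", verdict(SAMPLE))
    print("12$8$8 control    :", verdict(FULL_TOKEN))
    print("non-Outlook MUA   :", verdict(OTHER_MUA))
```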


  9. Re: EuroPharmacie

    On Fri, 20 Jun 2008, phil89 wrote:

    > We receive some mails with EuroPharmacie
    > How could I avoid these?
    > SCORE is only 5.9
    >
    > X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50


    Train them as spam. That should get a BAYES_99 if it's very common.

    Why have you changed your required from 5.0 to 6.2? All of the stock rules
    are tuned for 5.0, increasing the required score will increase your FN
    rate.

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    Efficiency can magnify good, but it magnifies evil just as well.
    So, we should not be surprised to find that modern electronic
    communication magnifies stupidity as *efficiently* as it magnifies
    intelligence. -- Robert A. Matern
    -----------------------------------------------------------------------
    14 days until the 232nd anniversary of the Declaration of Independence


  10. Re: EuroPharmacie


    On Friday, 20/6 2008, 15:51, phil89 wrote:

    > X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
    > MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
    > URIBL_SBL autolearn=no version=3.x.x


    I would set scores required to 5.8

    and begin train bayes


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  11. Re: EuroPharmacie

    Benny Pedersen wrote:
    > I would set scores required to 5.8
    > and begin train bayes
    >


    What's wrong with the default of 5?


  12. Re: EuroPharmacie


    On Friday, 20/6 2008, 20:49, Evan Platt wrote:

    > What's wrong with the default of 5?


    nothing

    if bayes was better trained


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  13. Re: EuroPharmacie

    Benny Pedersen wrote:
    > On Friday, 20/6 2008, 20:49, Evan Platt wrote:
    >
    >
    >> What's wrong with the default of 5?
    >>

    >
    > nothing
    >
    > if bayes was better trained
    >


    I guess you missed my point.. If the default of 5 was used, the message
    would have been marked as spam.


  14. Re: EuroPharmacie


    On Fri, June 20, 2008 22:34, Evan Platt wrote:

    > I guess you missed my point.. If the default of 5 was used, the message
    > would have been marked as spam.


    and this have nothing to do with bayes was or is bad trained


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  15. Re: EuroPharmacie

    On Fri, 2008-06-20 at 23:15 +0200, Benny Pedersen wrote:
    > On Fri, June 20, 2008 22:34, Evan Platt wrote:
    >
    > > I guess you missed my point.. If the default of 5 was used, the message
    > > would have been marked as spam.

    >
    > and this have nothing to do with bayes was or is bad trained


    Yeah, just like your recommendation to arbitrarily lower the
    required_score threshold, from an arbitrary value. Or maybe I just don't
    see how this is related to Bayes...

    There have been more than sufficient tweaks and hints given in this
    thread, to bomb that easy to catch spam into oblivion.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  16. Re: EuroPharmacie

    On Sunday 22 June 2008 15:10:09 mouss wrote:

    > Did anybody see ham coming out of *.retail.telecomitalia.it?


    we're blocking the entire network at smtp time since they ignore abuse reports
    and 20% of our spam comes from that network.
    No, I've never seen ham, but we don't have any contact to actual Italian
    companies or individuals. So as usual it depends on your environment.


    --
    mit freundlichen Grüßen / best regards
    Arvid Ephraim Picciani


  17. Re: EuroPharmacie


    On Jun 22, 2008, at 9:18, Arvid Ephraim Picciani
    wrote:

    > On Sunday 22 June 2008 15:10:09 mouss wrote:
    >
    >> Did anybody see ham coming out of *.retail.telecomitalia.it?

    >
    > we're blocking the entire network at smtp time since they ignore
    > abuse reports
    > and 20% of our spam comes from that network.
    > No, I've never seen ham, but we don't have any contact to actual
    > Italian
    > companies or individuals. So as usual it depends on your
    > environment.


    We too block the entire network at SMTP -- not a modicum of ham during
    the last two years.

