EuroPharmacie - SpamAssassin
EuroPharmacie
Hi
We receive some mails with EuroPharmacie
How could I avoid these?
SCORE is only 5.9
Regards
Philippe
Return-Path:
Delivered-To: support@xxxxxx.fr
Received: by mail.xxxxx.fr (Postfix, from userid 513)
id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
X-Spam-Level: *****
X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
URIBL_SBL autolearn=no version=3.x.x
Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
(host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
by mail.infodev.fr (Postfix) with ESMTP
id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
Received: from [79.21.166.121] by gateway10.tnb.com; Fri, 20 Jun 2008
13:37:14 +0100
From: Les pilules ici
To:
Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
Date: Fri, 20 Jun 2008 13:37:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C8D2DA.BFA4A100"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>
Status:
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Le EuroPharmacie boutique en ligne vous propose de passer a une veritable
securite, tout en achetant des medicaments. Nous obtenons nos pilules
directement chez le fabricant de l'usine afin qu'ils ne passent pas par les
mains de toute intermediaires.
Rendez-vous sur notre pharmacie et acheter un
http://wroteprove.com
------=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
=3D"urn:schemas-microsoft-com
ffice
ffice" xmlns:w=3D"urn:=
schemas-microsoft-com
ffice:word" xmlns=3D"http://www.w3.org/TR/REC-html=
40">
i">
Le EuroPharmacie boutique en ligne vous=
propose de passer a une veritable securite, tout en achetant des medicam=
ents. Nous obtenons nos pilules directement chez le fabricant de l'usine =
afin qu'ils ne passent pas par les mains de toute intermediaires.<=
br>
3D"http://wrote= Rendez-vous sur notre pharmacie et acheter un
http://wroteprove.com
------=_NextPart_000_0006_01C8D2DA.BFA4A100--
-
Re: EuroPharmacie
5.0 is generally considered a level you can consider something Spam at.
This scored a 5.9.
What's your Spam level set at?
phil89 wrote:
> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
>
> Regards
> Philippe
>
-
Re: EuroPharmacie
On Friday, June 20, 2008, 6:51:44 AM, phil89 phil89 wrote:
> Hi
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
> Regards
> Philippe
> Return-Path:
> Delivered-To: support@xxxxxx.fr
> Received: by mail.xxxxx.fr (Postfix, from userid 513)
> id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
> X-Spam-Level: *****
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
>
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
> URIBL_SBL autolearn=no version=3.x.x
> Received: from
> host121-166-dynamic.21-79-r.retail.telecomitalia.it
> (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
> by mail.infodev.fr (Postfix) with ESMTP
> id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
[...]
> http://wroteprove.com
Use SURBLs. Enable network tests:
http://www.surbl.org/faq.html#nettest
jp.surbl.org blacklisted that domain at 14:33 CEST
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
-
Re: +++Spam+++: EuroPharmacie
On Fri, 2008-06-20 at 06:51 -0700, phil89 wrote:
> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
The botnet plugin probably would have given this a little boost. I use
a botnet/p0f combination under amavisd-new that is reasonably accurate
at assigning scores.
grey-listing would have delayed it enough to have hit uribl-black
>
> Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
> (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
> by mail.infodev.fr (Postfix) with ESMTP
> id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
-
Re: EuroPharmacie
On 20.06.08 06:51, phil89 wrote:
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
upgrade your spamassassin and/or rules (sa-update). turn on network rules
you can (razor, pyzor, DCC, uribl's)
> Return-Path:
> Delivered-To: support@xxxxxx.fr
> Received: by mail.xxxxx.fr (Postfix, from userid 513)
> id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
> X-Spam-Level: *****
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
> URIBL_SBL autolearn=no version=3.x.x
RCVD_IN_DYNABLOCK has not existed for some time. Your rules are old and
possibly not as effective as newer ones are.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
-
Re: EuroPharmacie
On Fri, 20 Jun 2008, phil89 wrote:
>
> Hi
>
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
Only 5.9? 5.0 is the SA default score. You must have changed that.
-
RATWARE_MSGID (was: Re: EuroPharmacie)
> X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
Why is your SA version a state secret? Taking a guess -- based on the
build date, it is 3.1.8 (released exactly that day) or earlier. *shrug*
> X-Spam-Level: *****
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
> URIBL_SBL autolearn=no version=3.x.x
As Duane and Evan already pointed out, a required_score 5.0 threshold is
the default, and would have classified this message as spam. (Dudes,
hint, he included the full headers.)
There's nothing wrong with being paranoid and raising this slightly if
you prefer. However, more spam sneaking through is to be expected, and
you either will have to write your own rules to counter it, or live with
more FNs. You raised that value deliberately.
> From: Les pilules ici
> To:
> Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
> Date: Fri, 20 Jun 2008 13:37:14 +0100
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0006_01C8D2DA.BFA4A100"
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>
^^^^^^^^
This is a spam alright.
This line alone tells me. See bug 5830. [1]
Here's an easy rule that triggers on about 10% spam with no FPs in
nightly mass-checks [2]. (The 2 ham hits are already verified to be a
dirty corpus and being removed from the ham corpus.)
Enjoy
guenther
# Ratware generated 8$8$8 style Message-Ids, broken Microsoft Outlook forgery.
# The first hex is some time token, but the leading 4 chars are missing. See
# HeaderEval.pm::check_outlook_message_id().
header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
header __KB_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
meta KB_RATWARE_MSGID __KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA
describe KB_RATWARE_MSGID Ratware Message-Id
score KB_RATWARE_MSGID 3.0
[1] https://issues.apache.org/SpamAssass...ug.cgi?id=5830
[2] http://ruleqa.spamassassin.org/20080...E_MSGID/detail
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
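The rule from the post above, applied to the headers quoted in this thread. This is an added example, not part of guenther's post or of SpamAssassin: the two regular expressions are copied from the rule into Python, the second and third header sets are constructed, and the 12-digit first group in the "genuine" Message-ID is an assumption based on the rule comment about four missing leading characters.

```python
import re
from email import message_from_string

# Sub-rules copied from the KB_RATWARE_MSGID rule in the post above.
MSGID_888 = re.compile(r"^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}@")
OUTLOOK_MUA = re.compile(r"^Microsoft (?:Office )?Outlook\b")
RULE_SCORE = 3.0  # "score KB_RATWARE_MSGID 3.0"

# Headers of the spam quoted in this thread.
SPAM = (
    "X-Mailer: Microsoft Office Outlook, Build 11.0.6353\n"
    "Message-ID: <01c8d2da$bfa4a100$79a6154f@pselailne.brown>\n\n"
)
# Constructed: same mailer, first group restored to 12 hex digits (assumption).
GENUINE = (
    "X-Mailer: Microsoft Office Outlook, Build 11.0.6353\n"
    "Message-ID: <000001c8d2da$bfa4a100$79a6154f@example.org>\n\n"
)
# Constructed: 8$8$8 Message-ID, but the mail does not claim to be Outlook.
OTHER_MUA = (
    "X-Mailer: ExampleMailer 1.0\n"
    "Message-ID: <01c8d2da$bfa4a100$79a6154f@example.org>\n\n"
)


def kb_ratware_msgid(raw_headers):
    """True when both sub-rules hit, i.e. the meta rule would fire."""
    msg = message_from_string(raw_headers)
    msgid = (msg.get("Message-ID") or "").strip()
    mailer = (msg.get("X-Mailer") or "").strip()
    return bool(MSGID_888.search(msgid) and OUTLOOK_MUA.search(mailer))


def rescore(raw_headers, score, required):
    """Add the rule's score when it fires; return (new score, is spam)."""
    if kb_ratware_msgid(raw_headers):
        score += RULE_SCORE
    score = round(score, 1)
    return score, score >= required


if __name__ == "__main__":
    for name, hdrs in (("spam", SPAM), ("genuine", GENUINE), ("other", OTHER_MUA)):
        print(name, kb_ratware_msgid(hdrs), rescore(hdrs, 5.9, 6.2))
```

With the 5.9 score and the 6.2 threshold from the original X-Spam-Status header, the rule alone moves the quoted message over the threshold, while the two constructed header sets are left untouched.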
-
Re: EuroPharmacie
On Fri, 20 Jun 2008, phil89 wrote:
> We receive some mails with EuroPharmacie
> How could I avoid these?
> SCORE is only 5.9
>
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50
Train them as spam. That should get a BAYES_99 if it's very common.
Why have you changed your required from 5.0 to 6.2? All of the stock rules
are tuned for 5.0, increasing the required score will increase your FN
rate.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Efficiency can magnify good, but it magnifies evil just as well.
So, we should not be surprised to find that modern electronic
communication magnifies stupidity as *efficiently* as it magnifies
intelligence. -- Robert A. Matern
-----------------------------------------------------------------------
14 days until the 232nd anniversary of the Declaration of Independence
-
Re: EuroPharmacie
On Fredag, 20/6 2008, 15:51, phil89 wrote:
> X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
> URIBL_SBL autolearn=no version=3.x.x
i would set scores required to 5.8
and begin train bayes
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
-
Re: EuroPharmacie
Benny Pedersen wrote:
> i would set scores required to 5.8
> and begin train bayes
>
What's wrong with the default of 5?
-
Re: EuroPharmacie
On Fredag, 20/6 2008, 20:49, Evan Platt wrote:
> What's wrong with the default of 5?
nothing 
if bayes was better trained
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
-
Re: EuroPharmacie
Benny Pedersen wrote:
> On Fredag, 20/6 2008, 20:49, Evan Platt wrote:
>
>
>> What's wrong with the default of 5?
>>
>
> nothing 
>
> if bayes was better trained
>
I guess you missed my point.. If the default of 5 was used, the message
would have been marked as spam. 
-
Re: EuroPharmacie
On Fri, June 20, 2008 22:34, Evan Platt wrote:
> I guess you missed my point.. If the default of 5 was used, the message
> would have been marked as spam. 
and this have nothing to do with bayes was or is bad trained
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
-
Re: EuroPharmacie
On Fri, 2008-06-20 at 23:15 +0200, Benny Pedersen wrote:
> On Fri, June 20, 2008 22:34, Evan Platt wrote:
>
> > I guess you missed my point.. If the default of 5 was used, the message
> > would have been marked as spam. 
>
> and this have nothing to do with bayes was or is bad trained
Yeah, just like your recommendation to arbitrarily lower the
required_score threshold, from an arbitrary value. Or maybe I just don't
see how this is related to Bayes...
There have been more than sufficient tweaks and hints given in this
thread, to bomb that easy to catch spam into oblivion.
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
-
Re: EuroPharmacie
On Sunday 22 June 2008 15:10:09 mouss wrote:
> Did anybody see ham coming out of *.retail.telecomitalia.it?
we're blocking the entire network at smtp time since they ignore abuse reports
and 20% of our spam comes from that network.
No, I've never seen ham, but we don't have any contact to actual Italian
companies or individuals. So as usual it depends on your environment.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
-
Re: EuroPharmacie
On Jun 22, 2008, at 9:18, Arvid Ephraim Picciani
wrote:
> On Sunday 22 June 2008 15:10:09 mouss wrote:
>
>> Did anybody see ham coming out of *.retail.telecomitalia.it?
>
> we're blocking the entire network at smtp time since they ignore
> abuse reports
> and 20% of our spam comes from that network.
> No, I've never seen ham, but we don't have any contact to actual
> Italian
> companies or individuals. So as usual it depends on your
> environment.
We too block the entire network at SMTP -- not a modicum of ham during
the last two years.