Lots of spam with the following snip - SpamAssassin


  1. Lots of spam with the following snip

    God dag,

    ***
    Warning!
    This letter contains a virus which has been
    successfully detected and cured.
    ***

    The part that's noteworthy is this:

    ***
    Warning!
    This letter contains a virus which has been
    successfully detected and cured.
    ***

    Does someone have a rule for this ready made?

    Thanks

    --
    Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
    happened but none stranger than this. Does your driver's license say Organ ..0
    Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
    individuals! What if this weren't a hypothetical question?
    steveo at syslang.net
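A rule for the snippet quoted in the post above, added here as an example; it is not something anyone posted in the thread. It assumes stock SpamAssassin 3.x rule syntax in a local rules file such as /etc/mail/spamassassin/local.cf. The LOCAL_* names are invented for this example; the stock rule names used in the meta (RCVD_IN_PBL, RCVD_IN_XBL, RDNS_DYNAMIC) are the ones that fired in the scoring report posted later in the thread.

```conf
# Added example, not from the thread. Assumed file: /etc/mail/spamassassin/local.cf
# All LOCAL_* rule names are invented for this example.

# body rules see the rendered text with HTML tags and line breaks removed,
# so the line break inside the lure is matched with \s+ rather than a newline.
body      LOCAL_FAKE_AV_CURED  /\bThis letter contains a virus which has been\s+successfully detected and cured\b/i
describe  LOCAL_FAKE_AV_CURED  Fake "virus detected and cured" notice in body
score     LOCAL_FAKE_AV_CURED  1.5

# Second, weak indicator from the same sample: the Swedish greeting on an
# otherwise English message. Near-zero on its own; it only feeds the meta.
body      LOCAL_GOD_DAG        /\bGod dag,/
describe  LOCAL_GOD_DAG        Message opens with "God dag,"
score     LOCAL_GOD_DAG        0.1

# A real gateway that stripped a virus could word its notice almost the same
# way, so the large score goes on the combination: the lure plus either the
# matching greeting or evidence that the mail came straight from a dynamic or
# listed host (stock rules that fired in the report below).
meta      LOCAL_FAKE_AV_BOT    LOCAL_FAKE_AV_CURED && (LOCAL_GOD_DAG || RCVD_IN_PBL || RCVD_IN_XBL || RDNS_DYNAMIC)
describe  LOCAL_FAKE_AV_BOT    Fake AV notice from dynamic or listed relay
score     LOCAL_FAKE_AV_BOT    3.0
```

After editing, run `spamassassin --lint`, then `spamassassin -t < sample.eml` on a saved copy of one of these messages and check that LOCAL_FAKE_AV_CURED appears in the tests= list (`spamassassin -D rules -t` shows the matching detail) before raising any of the scores.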


  2. Re: Lots of spam with the following snip

    On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
    > God dag,
    >
    > ***
    > Warning!
    > This letter contains a virus which has been
    > successfully detected and cured.
    > ***
    >
    > The part that's noteworthy is this:
    >
    > ***
    > Warning!
    > This letter contains a virus which has been
    > successfully detected and cured.
    > ***
    >
    > Does someone have a rule for this ready made?
    >
    > Thanks

    Scored pretty well here; do you have network checks active? The "SOUGHT" rule
    scored well too. The 'virus' that was detected is a sanesecurity sig:

    X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

    Content analysis details:   (23.0 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see ]
     0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                                [79.86.225.100 listed in zen.spamhaus.org]
     3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
     1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                                [score: 0.5844]
    -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                                [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
      10 CLAMAV                 Clam AntiVirus detected a virus
     0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                                dynamic-looking rDNS
     4.0 JM_SOUGHT_1            JM_SOUGHT_1
     1.0 SAGREY                 Adds 1.0 to spam from first-time senders

    And here's another I just received:

    Content analysis details:   (27.8 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see ]
     0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                                [190.46.180.155 listed in zen.spamhaus.org]
     0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
     5.0 BOTNET                 Relay might be a spambot or virusbot
                                [botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
     1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                                [score: 0.4671]
     2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                                [cpollock 102; Body=1 Fuz1=many]
                                [Fuz2=many]
      10 CLAMAV                 Clam AntiVirus detected a virus
     0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
     4.0 JM_SOUGHT_1            JM_SOUGHT_1
     1.0 SAGREY                 Adds 1.0 to spam from first-time senders

    NOTE: I've sent an earlier post with just the first spam scores; however, my
    ISP, Embarq, sometimes has a tendency to block my posts even with IPs in the
    body such as above. They're using CMAE so I don't know if that's something it
    does or not. I've Bcc'd myself on the first post and it went through to me,
    but then I have no idea what the CMAE hashes mean.

    --
    Chris
    KeyID 0xE372A7DA98E6705C

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkhphXYACgkQ43Kn2pjmcFwE/wCdGadBE1oM/FjDhNQ4PEGjeXqB
    XGAAnitpnP2XU5Xlxrd6cXphiWdvMdR+
    =C5r7
    -----END PGP SIGNATURE-----


  3. Re: ways to check reason/error of rejected/bounced emails with calling customers

    Please teach your mailer to wrap lines in a sane way...

    On 01.07.08 11:46, NGSS wrote:
    > Many of our clients started to have problems sending emails to us after I
    > inserted more strict SA rules. Previously our system was flooded with spam.
    > So I decided to insert them into the existing emails. After this the spam
    > had reduced significantly. But I now worry more about false positives and
    > rejected (or sometimes disappeared) emails.
    >
    > I can't call all of them to get them to send me the bounced/error messages.
    > So I wonder if there is a way to check for the rejected emails and why they
    > are being rejected? So at least I know the reason for the rejects and will
    > be able to fine-tune it further.

    Seems you set up your MTA too aggressively - probably rejecting mail with too
    low a score. However, you did not provide enough information for us to help
    you.

    What's "existing emails"? Did you train the global BAYES filter on received
    spam? Did you feed it enough ham to avoid FPs? Did you play with scores? What
    did you set required_score to?
    Did you fiddle with other settings like trusted_networks and
    internal_networks to set up a proper trust path? Did you turn on all possible
    network rules?

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


  4. bad rules that likely to result in more false positives

    Thanks for the response.
    Yeah, I think it is just too aggressive; I included a handful of rules.
    Is there any forum or website that discusses (lists of) rules that are
    likely to result in more false positives?



  5. Re: bad rules that likely to result in more false positives

    On 02.07.08 13:55, NGSS wrote:
    > To: 'Matus UHLAR - fantomas' ,
    > users@spamassassin.apache.org


    Please, don't send private replies, I did not ask for them.

    > Yah I think it is just too aggressive, I included a handful of rules
    > Is there any forum or website that discuss about (lists of ) rules that is
    > likely to result in more false positives ?


    ANY rule could lead to false positives. That's why it's better to have more
    rules with lower scores. See:
    http://wiki.apache.org/spamassassin/...butingNewRules
    http://wiki.apache.org/spamassassin/WritingRules

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Due to unexpected conditions Windows 2000 will be released
    in first quarter of year 1901
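An illustrative local.cf for the tuning questions Matus raises in the two replies above (required_score, Bayes training, trusted_networks/internal_networks, network rules) and for his advice to prefer many low-scoring rules over a few heavy ones. This is an added example, not the configuration of anyone in the thread; the network ranges, the LOCAL_RULE_* names and the numeric values are placeholders to adapt, and the MTA-side reject threshold mentioned in the comments is a suggestion, not something the page states.

```conf
# Added example local.cf, not from the thread. Addresses, rule names and
# numbers are placeholders.

# 1. Threshold. Rejecting at the MTA on a low threshold is the quickest way
#    to lose legitimate mail. Keep the stock 5.0 for tagging and, if the MTA
#    rejects at all, have it do so only well above that (e.g. 10 and up).
required_score          5.0
# The aggressive setting that produces a flood of false positives looks like:
# required_score        3.0

# 2. Trust path. Without this the RBL and dynamic-host rules can test the
#    wrong Received: hop (your own relay instead of the sender's), which
#    causes both missed spam and false positives.
trusted_networks        192.0.2.0/24
internal_networks       192.0.2.0/24

# 3. Network rules stay on; in the reports above they carry most of the
#    score, so hand-written rules do not have to be aggressive.
skip_rbl_checks         0
use_razor2              1
use_pyzor               1
dns_available           yes

# 4. Bayes: train both spam and ham (sa-learn --spam / --ham on sorted
#    folders) and do not let it score until it has seen enough of each.
use_bayes               1
bayes_auto_learn        1
bayes_auto_learn_threshold_nonspam   0.1
bayes_auto_learn_threshold_spam     12.0
bayes_min_ham_num       200
bayes_min_spam_num      200

# 5. Many small scores rather than one big one. Lower any local rule that
#    is seen hitting ham and put the weight on the combination. Replace the
#    placeholder names with your own rules; scoring an undefined rule only
#    draws a --lint warning.
score   LOCAL_RULE_A    0.5
score   LOCAL_RULE_B    0.5
meta    LOCAL_A_AND_B   LOCAL_RULE_A && LOCAL_RULE_B
score   LOCAL_A_AND_B   2.0

# 6. Make the verdict and the rules that hit visible in the headers, so a
#    rejected or tagged message can be explained from your own copy or logs
#    without asking the sender for the bounce.
add_header all Status   _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_
add_header all Report   _REPORT_

# 7. Safety valve for known correspondents who keep tripping rules. The
#    second argument is the rDNS of their sending relay, so a forged From:
#    alone does not get the exemption.
whitelist_from_rcvd     *@partner.example   mail.partner.example
```

Check with `spamassassin --lint` after each change, then feed a few recently rejected messages (or their quarantined copies) through `spamassassin -t` and look at the tests= list: the rules that appear on legitimate mail are the ones whose scores need to come down first.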


  6. Re: bad rules that likely to result in more false positives

    > On 02.07.08 13:55, NGSS wrote:
    >> To: 'Matus UHLAR - fantomas' ,
    >> users@spamassassin.apache.org

    >
    > Please, don't send private replies, I did not ask for
    > them.
    >


    It's impossible to know who wants them and who does not. Someone who does not sit here and read all messages through may be very grateful for a reply to his email address.


  7. Re: bad rules that likely to result in more false positives

    > > On 02.07.08 13:55, NGSS wrote:
    > >> To: 'Matus UHLAR - fantomas' ,
    > >> users@spamassassin.apache.org

    > >
    > > Please, don't send private replies, I did not ask for
    > > them.


    On 02.07.08 21:32, Jari Fredriksson wrote:
    > Its impossible to know who wants them, and who does not.


    my mail headers contain Mail-Followup-To: header that is only sent to the
    list. That means that replies should be sent to the list.

    > Someone who does
    > not sit here and read all messages thru may be very greatful of a reply to
    > his email address.


    If anyone wants private copies, (s)he should ask for them. This is a mailing
    list and all members receive all mail posted to it. Even non-members can
    read it all in the archives.

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    99 percent of lawyers give the rest a bad name.


  8. Re: bad rules that likely to result in more false positives

    On Jul 3, 2008, at 12:14 AM, Matus UHLAR - fantomas wrote:
    >>> Please, don't send private replies, I did not ask for
    >>> them.

    >
    > On 02.07.08 21:32, Jari Fredriksson wrote:
    >> Its impossible to know who wants them, and who does not.

    >
    > my mail headers contain Mail-Followup-To: header that is only sent
    > to the
    > list. That means that replies should be sent to the list.


    I'm sorry, but what MUA recognizes those? Why don't you set Reply-To:,
    which will be honored by all MUAs?

    > If anyone wants private copies, (s)he should ask for them. This is a
    > mailing
    > lists and all members receive all mail posted to it. Even non-
    > members can
    > read it all in archives.



    He acted as is common and expected. Others who, like you, don't
    want private copies set Reply-To.

    --
    Jo Rhett
    Net Consonance : consonant endings by net philanthropy, open source
    and other randomness


  9. Re: bad rules that likely to result in more false positives

    Jo Rhett wrote:

    > On Jul 3, 2008, at 12:14 AM, Matus UHLAR - fantomas wrote:
    >>>> Please, don't send private replies, I did not ask for
    >>>> them.

    >>
    >> On 02.07.08 21:32, Jari Fredriksson wrote:
    >>> Its impossible to know who wants them, and who does not.

    >>
    >> my mail headers contain Mail-Followup-To: header that is only sent to the
    >> list. That means that replies should be sent to the list.

    >
    > I'm sorry, but what MUA recognizes those? Why don' t you set Reply-To:
    > which will be honored by all MUAs?
    >
    >> If anyone wants private copies, (s)he should ask for them. This is a
    >> mailing
    >> lists and all members receive all mail posted to it. Even non-members can
    >> read it all in archives.

    >
    > He is acted as is common and expected. Others who, like you, don't want
    > private copies set Reply-To.


    Bingo! Maybe Matus and Benny will get it now.

    --
    Sahil Tandon

