simple drug spam not flagged - SpamAssassin

Thread: simple drug spam not flagged

  1. simple drug spam not flagged

    Greetings,

    I've recently been getting more simple drug-related spam that has no
    real obfuscation and often doesn't get flagged with anything other
    than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).

    A few sample Subject lines:

    Subject: Use Generik Viagra and forget about your sexual nightmares.
    Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    Subject: Viagra Pro will save your from sexual hardships.
    Subject: Any medication without prescription. Visa and MasterCard accepted
    Subject: EZ order and fast delivery of your drugs
    Subject: {SPAM?} You'll get harder erections with Soft Viagra.

    (Last one tagged due to "2.9 SUSPICIOUS_RECIPS" and BAYES_99)

    Most of these don't hit any DNSBLs, and are generally not in Pyzor or
    Razor (incidentally... my Pyzor stopped working this morning... anyone
    else? pyzor ping is failing). Some also hit the DRUGS_ERECTILE test,
    but not reliably.

    A large majority seem to be coming from yahoo.com webmail servers, but
    this isn't a high-volume server so that might be just an anomaly.

    I have attempted to compensate by increasing DRUGS_ERECTILE up to 1.5
    (default is 0.3), but this seems to be a body-only rule, and I'm not
    seeing a generic rule for ED-related drugs in the subject that are
    *not* obfuscated. Seems pretty stupid that none of those subjects
    manage to break a stock 0.3 without bayes or some 'lucky' hit...

    Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
    go all willy-nilly on my local.cf with stupid-simple rules with high
    scores.

    I run sa-update and sa-compile pretty regularly, but not using any
    non-stock rulesets (where are the good ones that are actually
    maintained? ).

    Many thanks,
    Jake


  2. Re: simple drug spam not flagged

    On 31.07.08 21:58, Jake Maul wrote:
    > I've recently been getting more simple drug-related spam that has no
    > real obfuscation and often doesn't get flagged with anything other
    > than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).

    [...]
    > Subject: Use Generik Viagra and forget about your sexual nightmares.
    > Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    > Subject: Viagra Pro will save your from sexual hardships.
    > Subject: Any medication without prescription. Visa and MasterCard accepted
    > Subject: EZ order and fast delivery of your drugs
    > Subject: {SPAM?} You'll get harder erections with Soft Viagra.

    [...]
    > Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
    > go all willy-nilly on my local.cf with stupid-simple rules with high
    > scores.
    >
    > I run sa-update and sa-compile pretty regularly, but not using any
    > non-stock rulesets (where are the good ones that are actually
    > maintained? ).


    Justin Mason's sought rulesets should catch those.
    http://wiki.apache.org/spamassassin/SoughtRules

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do NOT want to receive any advertising mail at this address.
    Linux - It's now safe to turn on your computer.
    Linux - Now you can turn on your computer without worry.


  3. Re: simple drug spam not flagged

    On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
    > Greetings,
    >
    > I've recently been getting more simple drug-related spam that has no
    > real obfuscation and often doesn't get flagged with anything other
    > than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
    >
    > A few sample Subject lines:
    >
    > Subject: Use Generik Viagra and forget about your sexual nightmares.
    > Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    > Subject: Viagra Pro will save your from sexual hardships.
    > Subject: Any medication without prescription. Visa and MasterCard accepted
    > Subject: EZ order and fast delivery of your drugs
    > Subject: {SPAM?} You'll get harder erections with Soft Viagra.

    [...]

    > Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
    > go all willy-nilly on my local.cf with stupid-simple rules with high
    > scores.


    No raw mail examples, no advice. Well, unless you actually ask us to
    come up with Subject-only rules...

    Upload a few spamples somewhere, if need be use a pastebin.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
    (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  4. Re: simple drug spam not flagged

    Jake Maul wrote:
    > Greetings,
    >
    > I've recently been getting more simple drug-related spam that has no
    > real obfuscation and often doesn't get flagged with anything other
    > than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
    >
    > A few sample Subject lines:
    >
    > Subject: Use Generik Viagra and forget about your sexual nightmares.
    > Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    > Subject: Viagra Pro will save your from sexual hardships.
    > Subject: Any medication without prescription. Visa and MasterCard accepted
    > Subject: EZ order and fast delivery of your drugs
    > Subject: {SPAM?} You'll get harder erections with Soft Viagra.
    >

    Are spammers finally learning that to get past spam filters they should
    send normal looking messages?


  5. Re: simple drug spam not flagged

    On Fri, Aug 1, 2008 at 12:53 AM, Matus UHLAR - fantomas wrote:
    > On 31.07.08 21:58, Jake Maul wrote:
    >> I've recently been getting more simple drug-related spam that has no
    >> real obfuscation and often doesn't get flagged with anything other
    >> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).

    > [...]
    >> Subject: Use Generik Viagra and forget about your sexual nightmares.
    >> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    >> Subject: Viagra Pro will save your from sexual hardships.
    >> Subject: Any medication without prescription. Visa and MasterCard accepted
    >> Subject: EZ order and fast delivery of your drugs
    >> Subject: {SPAM?} You'll get harder erections with Soft Viagra.

    > [...]
    >> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
    >> go all willy-nilly on my local.cf with stupid-simple rules with high
    >> scores.
    >>
    >> I run sa-update and sa-compile pretty regularly, but not using any
    >> non-stock rulesets (where are the good ones that are actually
    >> maintained? ).

    >
    > Justin Mason's sought rulesets should catch those.
    > http://wiki.apache.org/spamassassin/SoughtRules


    This looks promising... not sure how well it'll do, but I like the
    idea nonetheless. Thanks!

    Jake


  6. Re: simple drug spam not flagged

    On Fri, Aug 1, 2008 at 6:42 AM, Richard Frovarp wrote:
    > Jake Maul wrote:
    >>
    >> Greetings,
    >>
    >> I've recently been getting more simple drug-related spam that has no
    >> real obfuscation and often doesn't get flagged with anything other
    >> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
    >>
    >> A few sample Subject lines:
    >>
    >> Subject: Use Generik Viagra and forget about your sexual nightmares.
    >> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    >> Subject: Viagra Pro will save your from sexual hardships.
    >> Subject: Any medication without prescription. Visa and MasterCard accepted
    >> Subject: EZ order and fast delivery of your drugs
    >> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
    >>

    >
    > Are spammers finally learning that to get past spam filters they should send
    > normal looking messages?


    I hope it's just a phase. I mean, can't they just send spam engineered
    to hit lots of SpamAssassin rules? That would be a lot easier on us
    than having to continually come up with new rules, statistical
    analyses, etc...


  7. Re: simple drug spam not flagged

    On Fri, Aug 1, 2008 at 6:07 AM, Karsten Bräckelmann wrote:
    > On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
    >> Greetings,
    >>
    >> I've recently been getting more simple drug-related spam that has no
    >> real obfuscation and often doesn't get flagged with anything other
    >> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
    >>
    >> A few sample Subject lines:
    >>
    >> Subject: Use Generik Viagra and forget about your sexual nightmares.
    >> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    >> Subject: Viagra Pro will save your from sexual hardships.
    >> Subject: Any medication without prescription. Visa and MasterCard accepted
    >> Subject: EZ order and fast delivery of your drugs
    >> Subject: {SPAM?} You'll get harder erections with Soft Viagra.

    > [...]
    >
    >> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
    >> go all willy-nilly on my local.cf with stupid-simple rules with high
    >> scores.

    >
    > No raw mail examples, no advice. Well, unless you actually ask us to
    > come up with Subject-only rules...
    >
    > Upload a few spamples somewhere, if need be use a pastebin.
    >
    > guenther


    Will get some samples uploaded somewhere today hopefully.
    Jake


  8. Re: simple drug spam not flagged

    On Thursday 31 July 2008 11:58 pm, Jake Maul wrote:
    > Greetings,
    >
    > I've recently been getting more simple drug-related spam that has no
    > real obfuscation and often doesn't get flagged with anything other
    > than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
    >
    > A few sample Subject lines:
    >
    > Subject: Use Generik Viagra and forget about your sexual nightmares.
    > Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
    > Subject: Viagra Pro will save your from sexual hardships.
    > Subject: Any medication without prescription. Visa and MasterCard accepted
    > Subject: EZ order and fast delivery of your drugs
    > Subject: {SPAM?} You'll get harder erections with Soft Viagra.
    >
    > (Last one tagged due to "2.9 SUSPICIOUS_RECIPS" and BAYES_99)
    >
    > Most of these don't hit any DNSBLs, and are generally not in Pyzor or
    > Razor (incidentally... my Pyzor stopped working this morning... anyone
    > else? pyzor ping is failing). Some also hit the DRUGS_ERECTILE test,
    > but not reliably.
    >
    > A large majority seem to be coming from yahoo.com webmail servers, but
    > this isn't a high-volume server so that might be just an anomaly.
    >


    Is the below a sample subject line you're seeing? If so my setup using network
    tests, SARE Rules, Botnet plugin and others always score these between 50 and
    70. But this may not be what you're getting so a sample will be great.

    Subject: Buy Cialis, Viagra online at lowest prices!

    Content analysis details: (67.9 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    [score: 1.0000]
    1.5 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
    1.2 INVALID_DATE Invalid Date: header (not RFC 2822)
    2.9 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
    3.2 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
    1.9 TVD_RCVD_IP TVD_RCVD_IP
    3.2 TVD_RCVD_IP4 TVD_RCVD_IP4
    3.1 MSGID_YAHOO_CAPS Message-ID has ALLCAPS@yahoo.com
    4.2 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
    0.0 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
    0.0 SUBJ_BUY Subject line starts with Buy or Buying
    1.0 FREEMAIL_FROM From-address is freemail domain
    2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    [Blocked - see ]
    5.0 BOTNET Relay might be a spambot or virusbot
    [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,mail domain=yahoo.com,baddns,client,ipinhostname]
    1.0 RELAYED_BY_DIALUP Sent directly from dynamic IP address
    1.4 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
    0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
    2.3 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
    1.4 FB_CIALIS_LEO3 BODY: Uses a mis-spelled version of cialis.
    1.7 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
    4.5 LOGINHASH BODY: iXhash says its spam
    2.5 IXHASH BODY: iXhash says its spam
    0.0 HTML_MESSAGE BODY: HTML included in message
    2.5 LOGINHASH2 BODY: iXhash says its spam
    1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    above 50%
    [cf: 60]
    0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    [cf: 60]
    3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
    2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
    0.0 DIGEST_MULTIPLE Message hits more than one network digest check
    2.6 REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this
    0.3 DRUGS_ERECTILE Refers to an erectile drug
    0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
    2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
    1.0 SAGREY Adds 1.0 to spam from first-time senders


    --
    Chris
    KeyID 0xE372A7DA98E6705C



  9. Re: simple drug spam not flagged

    Okay, got some samples online to look at:

    http://66.213.231.82/spam/sample1.txt
    http://66.213.231.82/spam/sample2.txt
    http://66.213.231.82/spam/sample3.txt
    http://66.213.231.82/spam/sample4.txt
    http://66.213.231.82/spam/sample5.txt
    http://66.213.231.82/spam/sample6.txt
    http://66.213.231.82/spam/sample7.txt
    (that is, every file in http://66.213.231.82/spam/)

    If y'all could run 1 or 2 of them through your installs, I'd be
    interested to know how they score and what rules they hit. TYVM, in
    advance

    More comments below...

    > Is the below a sample subject line you're seeing? If so my setup using network
    > tests, SARE Rules, Botnet plugin and others always score these between 50 and
    > 70. But this may not be what you're getting so a sample will be great.


    Is there anything I need to know about the SARE rules? I see they're
    not being updated at the moment... I've been wondering which ones are
    'safe' to use, considering they all seem to be at least a year old. Do
    the comments on the rulesemporium.com site still apply? Anything there
    broken in SA-3.2.x I should care about?

    As far as BOTNET goes... sounds interesting... I would definitely want
    to push its score down lower though. A single rule being enough to
    flag a message bothers me. Will look into it, thanks

    > Subject: Buy Cialis, Viagra online at lowest prices!
    >
    > Content analysis details: (67.9 points, 5.0 required)
    >
    > pts rule name description
    > ---- ---------------------- --------------------------------------------------
    > 5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    > [score: 1.0000]
    > 1.5 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
    > 1.2 INVALID_DATE Invalid Date: header (not RFC 2822)
    > 2.9 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
    > 3.2 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
    > 1.9 TVD_RCVD_IP TVD_RCVD_IP
    > 3.2 TVD_RCVD_IP4 TVD_RCVD_IP4
    > 3.1 MSGID_YAHOO_CAPS Message-ID has ALLCAPS@yahoo.com
    > 4.2 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
    > 0.0 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
    > 0.0 SUBJ_BUY Subject line starts with Buy or Buying
    > 1.0 FREEMAIL_FROM From-address is freemail domain
    > 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    > [Blocked - see ]
    > 5.0 BOTNET Relay might be a spambot or virusbot
    > [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,mail domain=yahoo.com,baddns,client,ipinhostname]
    > 1.0 RELAYED_BY_DIALUP Sent directly from dynamic IP address
    > 1.4 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
    > 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
    > 2.3 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
    > 1.4 FB_CIALIS_LEO3 BODY: Uses a mis-spelled version of cialis.
    > 1.7 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
    > 4.5 LOGINHASH BODY: iXhash says its spam
    > 2.5 IXHASH BODY: iXhash says its spam
    > 0.0 HTML_MESSAGE BODY: HTML included in message
    > 2.5 LOGINHASH2 BODY: iXhash says its spam
    > 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    > 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    > above 50%
    > [cf: 60]
    > 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    > 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    > [cf: 60]
    > 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
    > 2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    > [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
    > 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
    > 2.6 REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this
    > 0.3 DRUGS_ERECTILE Refers to an erectile drug
    > 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
    > 2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
    > 1.0 SAGREY Adds 1.0 to spam from first-time senders



    Thanks all,
    Jake


  10. Re: simple drug spam not flagged

    On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
    > Okay, got some samples online to look at:
    >
    > http://66.213.231.82/spam/sample1.txt
    > http://66.213.231.82/spam/sample2.txt
    > http://66.213.231.82/spam/sample3.txt
    > http://66.213.231.82/spam/sample4.txt
    > http://66.213.231.82/spam/sample5.txt
    > http://66.213.231.82/spam/sample6.txt
    > http://66.213.231.82/spam/sample7.txt
    > (that is, every file in http://66.213.231.82/spam/)
    >
    > If y'all could run 1 or 2 of them through your installs, I'd be
    > interested to know how they score and what rules they hit. TYVM, in
    > advance



    Sample 1 scored:

    Content analysis details: (16.0 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
    [URIs: perfectcapsulessite.com]
    1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    [URIs: perfectcapsulessite.com]
    1.0 FREEMAIL_FROM From-address is freemail domain
    -0.0 SPF_PASS SPF: sender matches SPF record
    4.5 LOGINHASH BODY: iXhash says its spam
    2.5 IXHASH BODY: iXhash says its spam
    0.0 HTML_MESSAGE BODY: HTML included in message
    1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    [score: 0.5001]
    2.5 LOGINHASH2 BODY: iXhash says its spam
    0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
    [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
    1.0 SAGREY Adds 1.0 to spam from first-time senders

    Sample 2 scored:

    Content analysis details: (25.8 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.0 FREEMAIL_FROM From-address is freemail domain
    0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
    0.0 DK_SIGNED Domain Keys: message has a signature
    4.5 LOGINHASH BODY: iXhash says its spam
    2.5 IXHASH BODY: iXhash says its spam
    0.0 HTML_MESSAGE BODY: HTML included in message
    1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    [score: 0.4915]
    2.5 LOGINHASH2 BODY: iXhash says its spam
    0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
    [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
    10 CLAMAV Clam AntiVirus detected a virus
    0.3 DRUGS_ERECTILE Refers to an erectile drug
    2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
    1.0 SAGREY Adds 1.0 to spam from first-time senders

    This is what clamav reported - X-Spam-Virus: Yes
    (Email.Spam.Gen835.Sanesecurity.07062011)

    Sample 3 scored:

    Content analysis details: (15.7 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.0 FREEMAIL_FROM From-address is freemail domain
    -0.0 SPF_PASS SPF: sender matches SPF record
    0.0 ONLINE_PHARMACY BODY: Online Pharmacy
    0.0 TVD_VISIT_PHARMA BODY: TVD_VISIT_PHARMA
    4.5 LOGINHASH BODY: iXhash says its spam
    2.5 IXHASH BODY: iXhash says its spam
    2.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
    [score: 0.6079]
    0.0 HTML_MESSAGE BODY: HTML included in message
    2.5 LOGINHASH2 BODY: iXhash says its spam
    2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
    1.0 SAGREY Adds 1.0 to spam from first-time senders

    Sample 4 scored Content analysis details: (20.5 points, 5.0 required)
    Sample 5 scored Content analysis details: (25.7 points, 5.0 required)
    Sample 6 scored Content analysis details: (19.7 points, 5.0 required)
    Sample 7 scored Content analysis details: (25.3 points, 5.0 required)

    Looking at how they were scored I see that the following plug-ins hit on every
    message, freemail, ixhash and sagrey. The clamav plugin hit on a couple using
    the sanesecurity signatures. I've saved the complete output of spamassassin
    -D -t sample*.txt to a file. If you want I can fwd it to you to look at.

    > More comments below...
    >
    > Is there anything I need to know about the SARE rules? I see they're
    > not being updated at the moment... I've been wondering which ones are
    > 'safe' to use, considering they all seem to be at least a year old. Do
    > the comments on the rulesemporium.com site still apply? Anything there
    > broken in SA-3.2.x I should care about?


    I've 'never' had any problems with the SARE rules I run, I believe the answer
    as to why they're seldom updated is that they're such rock solid rule sets
    that they pretty much cover any type of spam out there.

    > As far as BOTNET goes... sounds interesting... I would definitely want
    > to push its score down lower though. A single rule being enough to
    > flag a message bothers me. Will look into it, thanks
    >
    > Thanks all,
    > Jake


    One other note, I do not run a mailserver, this is just how these score on my
    home system that I'm the only user on.

    --
    Chris
    KeyID 0xE372A7DA98E6705C


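    Added example (not code from the thread): a small Python helper that does what Chris did by eye on the sample reports. It parses several concatenated spamassassin -t "Content analysis details" blocks, lists the rules that fired on every sample, and re-totals each report under a candidate score override (such as the DRUGS_ERECTILE 1.5 Jake tried) to show which samples would cross the 5.0 threshold before the change goes into local.cf. The two embedded reports are constructed for the example, not the thread's sample1-7 files.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed input: two abbreviated "Content analysis details" reports in the
# layout spamassassin -t prints.  They are NOT the thread's sample1-7 files.
REPORTS = """\
Content analysis details: (4.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
Content analysis details: (2.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4915]
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
"""

HEADER_RE = re.compile(r"Content analysis details: \((-?[\d.]+) points, ([\d.]+) required\)")
# A rule line starts with the points and an upper-case rule name.  Continuation
# lines such as "[score: 0.5001]" carry no leading number and are skipped.
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")


@dataclass
class Report:
    total: float      # the "(N points" figure SpamAssassin printed
    required: float   # the required_score in force (5.0 by default)
    hits: Dict[str, float] = field(default_factory=dict)  # rule -> points


def parse_reports(text: str) -> List[Report]:
    """Split one or more concatenated reports into Report objects."""
    reports: List[Report] = []
    for line in text.splitlines():
        head = HEADER_RE.search(line)
        if head:
            reports.append(Report(float(head.group(1)), float(head.group(2))))
            continue
        hit = RULE_RE.match(line)
        if hit and reports:
            reports[-1].hits[hit.group(2)] = float(hit.group(1))
    return reports


def rules_hitting_all(reports: List[Report]) -> Set[str]:
    """Rules that fired on every sample (the 'hit on every message' check)."""
    if not reports:
        return set()
    common = set(reports[0].hits)
    for rep in reports[1:]:
        common &= set(rep.hits)
    return common


def score_consistent(report: Report, tol: float = 0.05) -> bool:
    """True when the listed points add up to the printed total; a mismatch
    usually means a truncated or mis-pasted report."""
    return abs(sum(report.hits.values()) - report.total) <= tol


def rescore(report: Report, overrides: Dict[str, float]) -> float:
    """Total with candidate 'score RULE n' overrides applied to the rules that
    actually hit.  An override for a rule that never fired changes nothing,
    which is why raising a body-only rule cannot rescue a message it missed."""
    return round(sum(overrides.get(rule, pts) for rule, pts in report.hits.items()), 1)


def what_if(reports: List[Report],
            overrides: Dict[str, float]) -> List[Tuple[float, float, bool]]:
    """(printed total, rescored total, crosses required_score) per sample."""
    out = []
    for rep in reports:
        new = rescore(rep, overrides)
        out.append((rep.total, new, new >= rep.required))
    return out


if __name__ == "__main__":
    reps = parse_reports(REPORTS)
    print("rules hitting every sample:", sorted(rules_hitting_all(reps)))
    # Jake's experiment: DRUGS_ERECTILE raised from the stock 0.3 to 1.5.
    for orig, new, flagged in what_if(reps, {"DRUGS_ERECTILE": 1.5}):
        print(f"{orig:5.1f} -> {new:5.1f}  {'flagged' if flagged else 'still under'}")
```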

  11. Re: simple drug spam not flagged

    Yes, I would love to have the full listing.

    I've just done the ClamAV sigs from SaneSecurity/etc. Very nice!

    I'm looking into the following plugins/rulesets for general use; will
    probably use a few of them:

    Botnet plugin
    SARE rulesets
    DKIM (included in SA, but never bothered to set up)
    iXhash plugin
    Freemail plugin
    SAGrey plugin
    Justin Mason's automated ruleset


    If I could just get Pyzor working again now too...

    Thanks!
    Jake

    On Sat, Aug 2, 2008 at 8:00 AM, Chris wrote:
    > On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
    >> Okay, got some samples online to look at:
    >>
    >> http://66.213.231.82/spam/sample1.txt
    >> http://66.213.231.82/spam/sample2.txt
    >> http://66.213.231.82/spam/sample3.txt
    >> http://66.213.231.82/spam/sample4.txt
    >> http://66.213.231.82/spam/sample5.txt
    >> http://66.213.231.82/spam/sample6.txt
    >> http://66.213.231.82/spam/sample7.txt
    >> (that is, every file in http://66.213.231.82/spam/)
    >>
    >> If y'all could run 1 or 2 of them through your installs, I'd be
    >> interested to know how they score and what rules they hit. TYVM, in
    >> advance

    >
    >
    > Sample 1 scored:
    >
    > Content analysis details: (16.0 points, 5.0 required)
    >
    > pts rule name description
    > ---- ---------------------- --------------------------------------------------
    > 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
    > [URIs: perfectcapsulessite.com]
    > 1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    > [URIs: perfectcapsulessite.com]
    > 1.0 FREEMAIL_FROM From-address is freemail domain
    > -0.0 SPF_PASS SPF: sender matches SPF record
    > 4.5 LOGINHASH BODY: iXhash says its spam
    > 2.5 IXHASH BODY: iXhash says its spam
    > 0.0 HTML_MESSAGE BODY: HTML included in message
    > 1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    > [score: 0.5001]
    > 2.5 LOGINHASH2 BODY: iXhash says its spam
    > 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    > -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
    > [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
    > 1.0 SAGREY Adds 1.0 to spam from first-time senders
    >
    > Sample 2 scored:
    >
    > Content analysis details: (25.8 points, 5.0 required)
    >
    > pts rule name description
    > ---- ---------------------- --------------------------------------------------
    > 1.0 FREEMAIL_FROM From-address is freemail domain
    > 0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
    > 0.0 DK_SIGNED Domain Keys: message has a signature
    > 4.5 LOGINHASH BODY: iXhash says its spam
    > 2.5 IXHASH BODY: iXhash says its spam
    > 0.0 HTML_MESSAGE BODY: HTML included in message
    > 1.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    > [score: 0.4915]
    > 2.5 LOGINHASH2 BODY: iXhash says its spam
    > 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    > -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
    > [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
    > 10 CLAMAV Clam AntiVirus detected a virus
    > 0.3 DRUGS_ERECTILE Refers to an erectile drug
    > 2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
    > 1.0 SAGREY Adds 1.0 to spam from first-time senders
    >
    > This is what clamav reported - X-Spam-Virus: Yes
    > (Email.Spam.Gen835.Sanesecurity.07062011)
    >
    > Sample 3 scored:
    >
    > Content analysis details: (15.7 points, 5.0 required)
    >
    > pts rule name description
    > ---- ---------------------- --------------------------------------------------
    > 1.0 FREEMAIL_FROM From-address is freemail domain
    > -0.0 SPF_PASS SPF: sender matches SPF record
    > 0.0 ONLINE_PHARMACY BODY: Online Pharmacy
    > 0.0 TVD_VISIT_PHARMA BODY: TVD_VISIT_PHARMA
    > 4.5 LOGINHASH BODY: iXhash says its spam
    > 2.5 IXHASH BODY: iXhash says its spam
    > 2.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
    > [score: 0.6079]
    > 0.0 HTML_MESSAGE BODY: HTML included in message
    > 2.5 LOGINHASH2 BODY: iXhash says its spam
    > 2.2 DCC_CHECK listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    > [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
    > 1.0 SAGREY Adds 1.0 to spam from first-time senders
    >
    > Sample 4 scored Content analysis details: (20.5 points, 5.0 required)
    > Sample 5 scored Content analysis details: (25.7 points, 5.0 required)
    > Sample 6 scored Content analysis details: (19.7 points, 5.0 required)
    > Sample 7 scored Content analysis details: (25.3 points, 5.0 required)
    >
    > Looking at how they were scored I see that the following plug-ins hit on every
    > message, freemail, ixhash and sagrey. The clamav plugin hit on a couple using
    > the sanesecurity signatures. I've saved the complete output of spamassassin
    > -D -t sample*.txt to a file. If you want I can fwd it to you to look at.
    >
    >> More comments below...
    >>
    >> Is there anything I need to know about the SARE rules? I see they're
    >> not being updated at the moment... I've been wondering which ones are
    >> 'safe' to use, considering they all seem to be at least a year old. Do
    >> the comments on the rulesemporium.com site still apply? Anything there
    >> broken in SA-3.2.x I should care about?

    >
    > I've 'never' had any problems with the SARE rules I run, I believe the answer
    > as to why they're seldom updated is that they're such rock solid rule sets
    > that they pretty much cover any type of spam out there.
    >
    >> As far as BOTNET goes... sounds interesting... I would definitely want
    >> to push its score down lower though. A single rule being enough to
    >> flag a message bothers me. Will look into it, thanks
    >>
    >> Thanks all,
    >> Jake

    >
    > One other note, I do not run a mailserver, this is just how these score on my
    > home system that I'm the only user on.
    >
    > --
    > Chris
    > KeyID 0xE372A7DA98E6705C
    >


