Lottery spam in my inbox - SpamAssassin



Thread: Lottery spam in my inbox

  1. Lottery spam in my inbox

    Hi friends.

    How is it possible that these kinds of mail are not spam tagged by
    spamassassin.......

    CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO
    tntexpresscourierserviceworld@gmail.com)
    ftp://195.169.149.102/tt/WON.txt

    YOUR REF:CLAIMS/ATM/822 .........
    ftp://195.169.149.102/tt/ATM.txt

    please help me out...............

    Thanks
    Nitin Bhadauria


  2. Re: Lottery spam in my inbox

    Nitin Bhadauria wrote:

    > How is it possible that these kind of mail are not spam tagged my
    > sapmassassin.......


    Do you train SA's bayes database? Do you use RBL checks? Do you use
    ClamAV with stock and SaneSecurity signatures?

    > CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO
    > tntexpresscourierserviceworld@gmail.com)
    > ftp://195.169.149.102/tt/WON.txt


    The sending MX is listed on several DNSBLs, among them sorbs and ahbl;
    also caught by ClamAV: Email.ScamL.Gen711.Sanesecurity.08062506.

    > YOUR REF:CLAIMS/ATM/822 .........
    > ftp://195.169.149.102/tt/ATM.txt


    Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught
    by SA:

    X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
    HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
    autolearn=no version=3.2.5

    --
    Sahil Tandon


  3. Re: Lottery spam in my inbox

    Sahil Tandon wrote:
    > Nitin Bhadauria wrote:
    >
    >
    >> How is it possible that these kind of mail are not spam tagged my
    >> sapmassassin.......
    >>

    >
    > Do you train SA's bayes database? Do you use RBL checks? Do you use
    > ClamAV with stock and SaneSecurity signatures?
    >

    Yes, I did train the SA data by

    |sa-learn --showdots -C /etc/mail/spamassassin --spam
    /var/spool/mail/virtual//quarantine/.spam//*

    and here are my postfix checks...

    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net

    and if you suggest, I may add |dnsbl-3.uceprotect.net too.

    And yes, I don't have ClamAV with SaneSecurity signatures, but I am
    going to use it from now on.

    http://www.sanesecurity.com/clamav/usage.htm

    >
    >
    >> CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO
    >> tntexpresscourierserviceworld@gmail.com)
    >> ftp://195.169.149.102/tt/WON.txt
    >>

    >
    > The sending MX is listed on several DNSBLs, among them sorbs and ahbl;
    > also caught by ClamAV: Email.ScamL.Gen711.Sanesecurity.08062506.
    >
    >
    >> YOUR REF:CLAIMS/ATM/822 .........
    >> ftp://195.169.149.102/tt/ATM.txt
    >>

    >
    > Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught
    > by SA:
    >
    > X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
    > HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
    > autolearn=no version=3.2.5
    >
    >

    Here is my spam-status.................

    X-Spam-Status: No, score=1.7 required=4.9 tests=HTML_MESSAGE,MIME_HTML_ONLY,
    SPF_PASS autolearn=no version=3.2.4


    Thanks for the help...


  4. Re: Lottery spam in my inbox

    Nitin Bhadauria schrieb:
    > Sahil Tandon wrote:
    >> Nitin Bhadauria wrote:
    >>
    >>
    >>> How is it possible that these kind of mail are not spam tagged my
    >>> sapmassassin.......
    >>>

    >> Do you train SA's bayes database? Do you use RBL checks?
    >> Do you use ClamAV with stock and SaneSecurity signatures?

    > yes i did train the sa data by
    >
    > |sa-learn --showdots -C /etc/mail/spamassassin --spam
    > /var/spool/mail/virtual//quarantine/.spam//*
    >
    > and here is my postfix checks...
    >
    > reject_non_fqdn_hostname, reject_non_fqdn_sender,
    > reject_non_fqdn_recipient, reject_unknown_sender_domain,
    > reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,
    > reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    > reject_rbl_client dul.dnsbl.sorbs.net
    >
    > and if u suggest i may add |dnsbl-3.uceprotect.net too.


    If you would read the website of uceprotect you would know that it is
    really not recommended to use the level 3 blacklist to block mails at
    the MTA layer.

    They recommend 1 and 2 for strict blocks and level 3 for scoring systems.


  5. Re: Lottery spam in my inbox

    Jens Kleikamp wrote:
    > Nitin Bhadauria schrieb:
    >> Sahil Tandon wrote:
    >>> Nitin Bhadauria wrote:
    >>>
    >>>
    >>>> How is it possible that these kind of mail are not spam tagged my
    >>>> sapmassassin.......
    >>>>
    >>> Do you train SA's bayes database? Do you use RBL
    >>> checks? Do you use ClamAV with stock and SaneSecurity signatures?

    >> yes i did train the sa data by
    >>
    >> |sa-learn --showdots -C /etc/mail/spamassassin --spam
    >> /var/spool/mail/virtual//quarantine/.spam//*
    >>
    >> and here is my postfix checks...
    >>
    >> reject_non_fqdn_hostname, reject_non_fqdn_sender,
    >> reject_non_fqdn_recipient, reject_unknown_sender_domain,
    >> reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,
    >> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    >> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
    >>
    >> and if u suggest i may add |dnsbl-3.uceprotect.net too.

    >
    > If you would read the website of uceproject you would know that it is
    > really not recommended to use the level 3 Blacklist to block mails at
    > the mta layer.
    >
    > They recommend 1 and 2 for strict blocks and level 3 for scoring systems.
    >

    So you want me to add this RBL check in spamassassin .........

    >
    >



  6. Re: Lottery spam in my inbox


    On Aug 5, 2008, at 7:32, Nitin Bhadauria wrote:

    > Jens Kleikamp wrote:
    >> Nitin Bhadauria schrieb:
    >>> Sahil Tandon wrote:
    >>>> Nitin Bhadauria wrote:
    >>>>
    >>>>
    >>>>> How is it possible that these kind of mail are not spam tagged
    >>>>> my sapmassassin.......
    >>>>>
    >>>> Do you train SA's bayes database? Do you use RBL
    >>>> checks? Do you use ClamAV with stock and SaneSecurity signatures?
    >>> yes i did train the sa data by
    >>>
    >>> |sa-learn --showdots -C /etc/mail/spamassassin --spam /var/spool/
    >>> mail/virtual//quarantine/.spam//*
    >>>
    >>> and here is my postfix checks...
    >>>
    >>> reject_non_fqdn_hostname, reject_non_fqdn_sender,
    >>> reject_non_fqdn_recipient, reject_unknown_sender_domain,
    >>> reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,
    >>> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    >>> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
    >>>
    >>> and if u suggest i may add |dnsbl-3.uceprotect.net too.

    >>
    >> If you would read the website of uceproject you would know that it
    >> is really not recommended to use the level 3 Blacklist to block
    >> mails at the mta layer.
    >>
    >> They recommend 1 and 2 for strict blocks and level 3 for scoring
    >> systems.
    >>

    > so want me to add this rbl check in spamassassin .........
    >>
    >>


    Neither of us said that. Just making you aware of these things. It is
    your call.


  7. Re: Lottery spam in my inbox

    Sahil Tandon wrote:
    >
    > On Aug 5, 2008, at 7:32, Nitin Bhadauria
    > wrote:
    >
    >> Jens Kleikamp wrote:
    >>> Nitin Bhadauria schrieb:
    >>>> Sahil Tandon wrote:
    >>>>> Nitin Bhadauria wrote:
    >>>>>
    >>>>>
    >>>>>> How is it possible that these kind of mail are not spam tagged my
    >>>>>> sapmassassin.......
    >>>>>>
    >>>>> Do you train SA's bayes database? Do you use RBL
    >>>>> checks? Do you use ClamAV with stock and SaneSecurity signatures?
    >>>> yes i did train the sa data by
    >>>>
    >>>> |sa-learn --showdots -C /etc/mail/spamassassin --spam
    >>>> /var/spool/mail/virtual//quarantine/.spam//*
    >>>>
    >>>> and here is my postfix checks...
    >>>>
    >>>> reject_non_fqdn_hostname, reject_non_fqdn_sender,
    >>>> reject_non_fqdn_recipient, reject_unknown_sender_domain,
    >>>> reject_unknown_recipient_domain, reject_rbl_client list.dsbl.org,
    >>>> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    >>>> cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
    >>>>
    >>>> and if u suggest i may add |dnsbl-3.uceprotect.net too.
    >>>
    >>> If you would read the website of uceproject you would know that it
    >>> is really not recommended to use the level 3 Blacklist to block
    >>> mails at the mta layer.
    >>>
    >>> They recommend 1 and 2 for strict blocks and level 3 for scoring
    >>> systems.
    >>>

    >> so want me to add this rbl check in spamassassin .........
    >>>
    >>>

    >
    > Neither of us said that. Just making you aware of these things. It is
    > your call.
    >

    Thank you sir .....

    Can you tell me how I can get mails from mydomain through to
    spamassassin, without whitelisting......


  8. Re: Lottery spam in my inbox

    Hmm... Sahil, Nitin -- guys, you are seriously confusing me.


    On Tue, 2008-08-05 at 12:00 +0530, Nitin Bhadauria wrote:
    > Sahil Tandon wrote:


    > yes i did train the sa data by


    Nitin, neither of your headers shows *any* BAYES_XX hit. Whatever you
    trained doesn't seem to be the user SA runs as.


    > > > ftp://195.169.149.102/tt/ATM.txt

    > >
    > > Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught
    > > by SA:
    > >
    > > X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
    > > HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
    > > autolearn=no version=3.2.5


    Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
    guess your download broke or something, but these rules don't apply to
    the given spamples.

    Even worse, your rules hit account for a total score of 7.032. Might I
    ask which rules scores you changed?


    > X-Spam-Status: No, score=1.7 required=4.9 tests=HTML_MESSAGE,MIME_HTML_ONLY,
    > SPF_PASS autolearn=no version=3.2.4


    Nitin, this isn't the same result as your original scan. Whatever that
    is, it is a different mail.


    Care to clear the confusion?

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  9. Re: Lottery spam in my inbox

    Karsten Bräckelmann wrote:

    > Hmm... Sahil, Nitin -- guys, you are seriously confusing me.


    I am perplexed by your confusion, but I will try to help you.

    > Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
    > guess your download broke or something, but these rules don't apply to
    > the given spamples.


    I have no idea re: HB*; perhaps as you suggest, something did "break"
    during the wget.

    > Even worse, your rules hit account for a total score of 7.032. Might I
    > ask which rules scores you changed?


    What do you even mean by "worse"? People tweak rules in local.cf. To
    satiate your curiosity (sorry for the wrapping):

    X-Spam-Report:
    * 2.1 SUBJ_ALL_CAPS Subject is all capitals
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    * [score: 0.5001]
    * 0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
    * 2.1 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME
    header and
    * body
    * 2.1 HTML_MISSING_CTYPE Message is HTML without HTML
    Content-Type

    --
    Sahil Tandon
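
An added example (not part of any post in this thread): Python that applies the two checks raised in posts 8 and 9 to the headers quoted above, namely whether any BAYES_NN rule fired and whether the per-rule points in X-Spam-Report add up to the header score. The function names are this example's own; the header text is copied from the posts with wrapped lines rejoined.

```python
import re

# Headers as posted in this thread, with wrapped lines rejoined as RFC 5322 folds.
SAHIL_STATUS = """X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
 HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
 autolearn=no version=3.2.5"""
NITIN_STATUS = """X-Spam-Status: No, score=1.7 required=4.9 tests=HTML_MESSAGE,MIME_HTML_ONLY,
 SPF_PASS autolearn=no version=3.2.4"""
SAHIL_REPORT = """X-Spam-Report:
 * 2.1 SUBJ_ALL_CAPS Subject is all capitals
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 * [score: 0.5001]
 * 0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
 * 2.1 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and
 * body
 * 2.1 HTML_MISSING_CTYPE Message is HTML without HTML Content-Type"""

def parse_status(header):
    """Unfold an X-Spam-Status header and return score, threshold and rule names."""
    flat = re.sub(r"\r?\n(?=[ \t])", "", header)  # drop the line break, keep the space
    nums = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)", flat)
    rules = re.search(r"tests=([A-Z0-9_]+(?:,\s*[A-Z0-9_]+)*)", flat)
    return {
        "score": float(nums.group(1)),
        "required": float(nums.group(2)),
        "tests": re.split(r",\s*", rules.group(1)) if rules else [],  # "tests=none" -> []
    }

def bayes_hits(status):
    """BAYES_NN rules that fired; an empty list means Bayes took no part in the scan."""
    return [t for t in status["tests"] if re.fullmatch(r"BAYES_\d\d", t)]

def parse_report(report):
    """Map rule name -> points from the '* <points> <RULE> ...' lines of X-Spam-Report."""
    rows = re.finditer(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\b", report, re.M)
    return {m.group(2): float(m.group(1)) for m in rows}

def total_without(points, rule):
    """Score the message would get if `rule` contributed nothing."""
    return round(sum(v for k, v in points.items() if k != rule), 1)

if __name__ == "__main__":
    for name, hdr in (("Sahil", SAHIL_STATUS), ("Nitin", NITIN_STATUS)):
        st = parse_status(hdr)
        print(name, st["score"], "/", st["required"], "bayes:", bayes_hits(st) or "none")
    pts = parse_report(SAHIL_REPORT)
    print("report total:", round(sum(pts.values()), 1))
    print("without BAYES_50:", total_without(pts, "BAYES_50"))
```
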


  10. Re: Lottery spam in my inbox

    On Wed, 2008-08-06 at 20:25 -0400, Sahil Tandon wrote:
    > Karsten Bräckelmann wrote:
    >
    > > Hmm... Sahil, Nitin -- guys, you are seriously confusing me.

    >
    > I am perplexed by your confusion, but I will try to help you.


    My confusion stems from different, almost random results all over the
    place. That, or you guys have been talking about one spam, but posted
    results of another.

    (To remind you: One single piece of spam. Three different results of
    static RE rules.)


    > > Sahil, this is just odd. The examples *do* have the HB_SEP blank line. I
    > > guess your download broke or something, but these rules don't apply to
    > > the given spamples.

    >
    > I have no idea re: HB*; perhaps as you suggest, something did "break"
    > during the wget.
    >
    > > Even worse, your rules hit account for a total score of 7.032. Might I
    > > ask which rules scores you changed?

    >
    > What do you even mean by "worse"? People tweak rules in local.cf. To
    > satiate your curiosity (sorry for the wrapping):


    Sorry, you are right of course. That word sneaked in, because I had a
    gut feeling...

    > X-Spam-Report:
    > * 2.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    > * [score: 0.5001]


    Bingo! That's *exactly* what I guessed...

    That is not a smart move, IMHO. A Bayes score of 0.5 does NOT mean,
    Bayes is 50% certain it's spam. It DOES mean, that Bayes does know
    nothing. Absolutely nothing.

    Between BAYES_00 (aka ~100% sure it is ham) and BAYES_99 (aka ~100% sure
    it is spam), BAYES_50 is like a shrugging. It is not a sign of being
    spammy. You could just as well lower your spam threshold to 3.0.

    If you really feel a need to punish BAYES_50 like *that*, my advice is
    to properly train your Bayes instead.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  11. Re: Lottery spam in my inbox

    Karsten Bräckelmann wrote:

    > That is not a smart move, IMHO. A Bayes score of 0.5 does NOT mean,
    > Bayes is 50% certain it's spam. It DOES mean, that Bayes does know
    > nothing. Absolutely nothing.
    >
    > Between BAYES_00 (aka ~100% sure it is ham) and BAYES_99 (aka ~100% sure
    > it is spam), BAYES_50 is like a shrugging. It is not a sign of being
    > spammy. You could just as well lower your spam threshold to 3.0.
    >
    > If you really feel a need to punish BAYES_50 like *that*, my advice is
    > to properly train your Bayes instead.


    Thanks for the advice, and I know perfectly well what BAYES_50 is
    *supposed* to mean for *most* people. This may not be a smart move for
    you, but it works remarkably well for us. False positives (which, to be
    clear, are seldom) can be found in a user's spam folder; there are a
    number of other idiosyncrasies that are off-topic here. In any case, I
    understand how SA works and acknowledge the implications of fiddling with
    the rules. TIMTOWDI. Thank you.


    --
    Sahil Tandon


  12. Re: Lottery spam in my inbox

    On Wed, 2008-08-06 at 20:50 -0400, Sahil Tandon wrote:

    > Thanks for the advice, and I know perfectly well what BAYES_50 is
    > *supposed* to mean for *most* people. This may not be a smart move for
    > you, but it works remarkably well for us. False positives (which, to be
    > clear, are seldom) can be found in a user's spam folder; there are a
    > number of other idiosyncrasies that are off-topic here. In any case, I
    > understand how SA works and acknowledge the implications of fiddling with
    > the rules. TIMTOWDI. Thank you.


    Hehe, well then, never mind.

    I just was reminded about a similar story. I've seen users raise
    BAYES_50, because they did not understand what it meant. Anyway, since
    you seem to be perfectly aware of what you are doing, I'm glad it works
    for you.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

