msnbc.com - BREAKING NEWS spam question - SpamAssassin


Thread: msnbc.com - BREAKING NEWS spam question

  1. msnbc.com - BREAKING NEWS spam question


    I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
    made sure that all of those spams (over 40 of them) are manually trained to
    be spam. SpamAssassin does filter out those messages about 75% of the time.
    However, even after this careful manual training some of those spams are
    still getting through (my score threshold is now 4.4). I get the feeling
    that the training doesn't have any effect. Is there something wrong or is
    SpamAssassin just incapable of learning this? The msnbc spams are almost
    identical to each other with lots of words, so I would imagine this should be
    an easy task.

    Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that if
    there are more than one of those tags present, for example
    "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
    still be ham?

    Here is a recent "msnbc"-message with headers:


    From - Sat Aug 16 11:52:22 2008
    X-Account-Key: account18
    X-UIDL: UID776-1218109787
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    DomainKey-Status: no signature
    X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on ---.com
    X-Spam-Level: **
    X-Spam-Status: No, score=2.8 required=4.4 tests=HTML_MESSAGE,
    HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB
    autolearn=no version=3.1.9
    DomainKey-Status: no signature
    Received: (qmail 8490 invoked from network); 16 Aug 2008 11:45:05 +0300
    Received: from --- (---)
    by --- with SMTP; 16 Aug 2008 11:45:05 +0300
    Received-SPF: none (---: domain at flynn.ca does not designate permitted
    sender hosts)
    Received: from adsl-static-23-254.netflash.net
    (adsl-static-23-254.netflash.net [64.187.23.254])
    by --- (Postfix) with ESMTP id EDA8932B8191
    for <--->; Sat, 16 Aug 2008 11:45:02 +0300 (EEST)
    thread-index: 3c4f25c55e9c926cb1f89d288dcf90==
    Thread-Topic: msnbc.com - BREAKING NEWS: British Penny Actually Worth More
    Than One Dollar. Watch the proof.
    MIME-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Mailer: Microsoft CDO for Windows 2000
    Content-Class: urn:content-classes:message
    Importance: normal
    Priority: normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119
    Message-ID: <000901c8ff7b$29228e90$fe17bb40@nissansales3>
    Date: Sat, 16 Aug 2008 04:36:21 -0400
    Reply-To: MSNBC Breaking News
    From: MSNBC Breaking News
    Subject: msnbc.com - BREAKING NEWS: British Penny Actually Worth More Than
    One Dollar. Watch the proof.
    To: ---
    Precedence: list
    X-EsetId: D39316FAF3E6373387D2

    msnbc.com: BREAKING NEWS: British Penny Actually Worth More Than One Dollar.
    Watch the proof.

    Find out more at http://planetahd.com/msn_video.html
    http://breakingnews.msnbc.com

    ======================================================

    See the top news of the day at MSNBC.com, and the latest from Today Show and
    NBC Nightly News.

    =========================================

    This e-mail is never sent unsolicited. You have received this MSNBC Breaking
    News Newsletter newsletter because you subscribed to it or, someone forwarded
    it to you.

    To remove yourself from the list (or to add yourself to the list if this
    message was forwarded to you) simply go to

    http://www.msnbc.msn.com/id/23823601 http://www.msnbc.msn.com/id/74704933 ,
    select unsubscribe, enter the email address receiving this message, and click
    the Go button.

    Microsoft Corporation - One Microsoft Way - Redmond, WA 98052

    MSN PRIVACY STATEMENT

    http://privacy.msn.com ( http://privacy.msn.com/ http://privacy.msn.com/> )


    --
    View this message in context: http://www.nabble.com/msnbc.com---BR...p19010363.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  2. Re: msnbc.com - BREAKING NEWS spam question

    distill writes:

    > I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
    > made sure that all of those spams (over 40 of them) are manually trained to
    > be spam. SpamAssassin does filter out those messages about 75% of the time.
    > However, even after this careful manual training some of those spams are
    > still getting through (my score threshold is now 4.4). I get the feeling
    > that the training doesn't have any effect. Is there something wrong or is
    > SpamAssassin just incapable of learning this? The msnbc spams are almost
    > identical to each other with lots of words, so I would imagine this should be
    > an easy task.


    On your message I also got:

    * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    * [URIs: planetahd.com]
    * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    * [URIs: planetahd.com]

    but not the received ones of course. You didn't get this, but I see
    that on uribl planetahd.com was listed at 0826Z today.

    > Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that if
    > there are more than one of those tags present, for example
    > "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
    > still be ham?


    I'm not sure what you're asking. If you mean

    "If I get a message where both RCVD_IN_BL_SPAMCOP_NET and
    RCVD_IN_SORBS_WEB fire, is there any chance the message is still ham?"

    I'd say yes. Those blacklists probably have overlapping listing
    criteria, and certainly two lists listing something is at least a bit
    stronger than one, but not absolute.

    I have edited my scores file to increase MIME_HTML_ONLY and if I were
    you would increase HTML_TAG_BALANCE_BODY as well (probably 1 point
    each), unless you find lots of ham hits on these.


  3. Re: msnbc.com - BREAKING NEWS spam question

    On Saturday 16 August 2008 5:27 am, distill wrote:
    > I've been receiving these "msnbc.com - BREAKING NEWS" spams recently. I've
    > made sure that all of those spams (over 40 of them) are manually trained to
    > be spam. SpamAssassin does filter out those messages about 75% of the time.
    > However, even after this careful manual training some of those spams are
    > still getting through (my score threshold is now 4.4). I get the feeling
    > that the training doesn't have any effect. Is there something wrong or is
    > SpamAssassin just incapable of learning this? The msnbc spams are almost
    > identical to each other with lots of words, so I would imagine this should
    > be an easy task.
    >
    > Also I'd like to ask about the RCVD_IN-tags: Is it possible/probable that
    > if there are more than one of those tags present, for example
    > "RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB", that the message in fact could
    > still be ham?
    >


    If you're running the ClamAv plug-in Steve Basford has a new set of
    experimental sigs for this. They can be found here:

    http://sanesecurity.co.uk/clamav/rogue.htm

    Here's Steve's whole blurb:

    "The new Rogue signature database contains hashes of known Rogue
    Anti-Virus software and also contains known Fake Videos/Codecs.
    Most of these files are currently being distributed via the current wave
    of fake CNN/Msnbc/BBC news and fake video emails (54 signatures currently)"

    I've downloaded and installed but haven't received any of the above since
    installing. If you do install don't forget to stop and restart ClamAv so that
    they take effect.

    --
    Chris
    KeyID 0xE372A7DA98E6705C

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkim++wACgkQ43Kn2pjmcFwbvACeMvEoPW+UsPfrRpBW8eJVbDRO
    R70Anio66fvzQo1V76Qf0KOxi7BSXyPW
    =GQPV
    -----END PGP SIGNATURE-----


  4. Re: msnbc.com - BREAKING NEWS spam question


    Thanks for the good suggestions.

    I was investigating further and found out that in zero of the SpamAssassin
    processed messages there is BAYES_ mentioned in the X-Spam-Status. Could it
    be that the Bayes learning function is in fact completely disabled in the
    configuration (and that's why it seems to be not learning anything)?

    The SpamAssassin is running at my ISP's server and I don't have direct
    access to its specific configuration (but I can ask if I know what to ask).
    --
    View this message in context: http://www.nabble.com/msnbc.com---BR...p19013729.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  5. Re: msnbc.com - BREAKING NEWS spam question

    On Saturday 16 August 2008 6:09 am, Greg Troxel wrote:
    > distill writes:
    > > I've been receiving these "msnbc.com - BREAKING NEWS" spams recently.
    > > I've made sure that all of those spams (over 40 of them) are manually
    > > trained to be spam. SpamAssassin does filter out those messages about 75%
    > > of the time. However, even after this careful manual training some of
    > > those spams are still getting through (my score threshold is now 4.4). I
    > > get the feeling that the training doesn't have any effect. Is there
    > > something wrong or is SpamAssassin just incapable of learning this? The
    > > msnbc spams are almost identical to each other with lots of words, so I
    > > would imagine this should be an easy task.

    >

    A bit more clarification on Steve's experimental rogue sigs:

    "Just to clarify... the rogue.hdb will detect only the exe's that the fake
    news/videos are trying to get you to run.

    Inside the phish.ndb file, there are sigs to block the actual emails, before
    the user even gets to click anything,
    which might be best for the original poster to use

    Sigs such as, the following should block most of the fake news emails:

    Email.Malware.Sanesecurity.08080802.StormNews.CnnGen
    Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen
    Email.Malware.Sanesecurity.08081509.StormNews.BBCGen

    The fake video ones, are usually covered by the Malware ones, such as:
    Email.Malware.Sanesecurity.08081604"

    --
    Chris
    KeyID 0xE372A7DA98E6705C

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkiocioACgkQ43Kn2pjmcFyP+QCfa8JYAnG/ioKs11keOOxTifnW
    BSwAnRq79x8rvNFjC1ABoWPhuiVIksI6
    =j+c1
    -----END PGP SIGNATURE-----


  6. Re: msnbc.com - BREAKING NEWS spam question



    distill wrote:
    >
    > Thanks for the good suggestions.
    >
    > I was investigating further and found out that in zero of the
    > SpamAssassin processed messages there is BAYES_ mentioned in the
    > X-Spam-Status. Could it be that the Bayes learning function is in fact
    > completely disabled in the configuration (and that's why it seems to be
    > not learning anything)?
    >
    > The SpamAssassin is running at my ISP's server and I don't have direct
    > access to its specific configuration (but I can ask if I know what to
    > ask).
    >


    My language might've been bad (again). I meant that out of 700 processed
    messages, there is no occurrence of the string "BAYES" in the headers. Does
    this indicate that the Bayes function is disabled in the configuration?
    --
    View this message in context: http://www.nabble.com/msnbc.com---BR...p19022676.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
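The check distill describes doing by hand over 700 messages, and the score bump Greg suggests in reply 2, can both be done against the X-Spam-Status header. The following Python script is an added example, not code from the thread or from SpamAssassin itself: it unfolds the multi-line X-Spam-Status header the way it appears in the posted message, tallies which rules fired across a corpus, reports whether any BAYES_* rule ever appeared, lists the RCVD_IN_* DNSBL hits, and models what adding one point each to MIME_HTML_ONLY and HTML_TAG_BALANCE_BODY would do to the verdict. The three sample messages are constructed; the first copies the header from the posted message, the other two are made up for contrast.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the mailing list archive). The first
# X-Spam-Status header copies the one posted in the thread; the other two are
# made up to show a flagged spam and a clean ham. Headers are folded over
# several lines, as SpamAssassin 3.1.x writes them.
SAMPLE_MESSAGES = [
    "X-Spam-Status: No, score=2.8 required=4.4 tests=HTML_MESSAGE,\n"
    "\tHTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB\n"
    "\tautolearn=no version=3.1.9\n"
    "Subject: msnbc.com - BREAKING NEWS (constructed sample 1)\n\nbody\n",
    "X-Spam-Status: Yes, score=5.1 required=4.4 tests=HTML_MESSAGE,MIME_HTML_ONLY,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET,URIBL_BLACK autolearn=no version=3.1.9\n"
    "Subject: constructed sample 2\n\nbody\n",
    "X-Spam-Status: No, score=0.4 required=4.4 tests=HTML_MESSAGE autolearn=ham\n"
    "\tversion=3.1.9\n"
    "Subject: constructed sample 3 (ham)\n\nbody\n",
]

# verdict, total score, threshold, comma-separated rule list, optional autolearn
STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>.*?)(?:\s+autolearn=(?P<autolearn>\S+)|\s*$)"
)


def parse_spam_status(raw_message):
    """Return the parsed X-Spam-Status header of one RFC 2822 message, or None."""
    msg = message_from_string(raw_message)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None
    # Unfold: the header may span several lines; collapse every whitespace run.
    value = re.sub(r"\s+", " ", value).strip()
    m = STATUS_RE.match(value)
    if not m:
        return None
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {
        "flagged": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
        "autolearn": m.group("autolearn"),
        "dnsbl_hits": [t for t in tests if t.startswith("RCVD_IN_")],
        "bayes_hits": [t for t in tests if t.startswith("BAYES_")],
    }


def summarize(raw_messages):
    """Tally rule hits over a corpus and report whether Bayes ever fired."""
    hits = {}
    parsed = [p for p in (parse_spam_status(r) for r in raw_messages) if p]
    for p in parsed:
        for t in p["tests"]:
            hits[t] = hits.get(t, 0) + 1
    return {
        "messages": len(parsed),
        "rule_hits": hits,
        "bayes_ever_fired": any(p["bayes_hits"] for p in parsed),
        "flagged": sum(p["flagged"] for p in parsed),
    }


def rescore(parsed, adjustments):
    """Model a local score change: add adjustments[rule] for each rule that fired.

    The header carries only the total score, not per-rule contributions, so the
    delta is added on top of the recorded total.
    """
    delta = sum(adjustments.get(t, 0.0) for t in parsed["tests"])
    new_score = round(parsed["score"] + delta, 1)
    return {"score": new_score, "flagged": new_score >= parsed["required"]}


if __name__ == "__main__":
    summary = summarize(SAMPLE_MESSAGES)
    print("messages:", summary["messages"], "flagged:", summary["flagged"])
    print("Bayes ever fired:", summary["bayes_ever_fired"])
    # The +1 bumps suggested for the two HTML rules in reply 2.
    bump = {"MIME_HTML_ONLY": 1.0, "HTML_TAG_BALANCE_BODY": 1.0}
    for raw in SAMPLE_MESSAGES:
        p = parse_spam_status(raw)
        print(p["score"], "->", rescore(p, bump), "dnsbl:", p["dnsbl_hits"])
```

With the bumps applied, the posted message goes from 2.8 to 4.8 and crosses the 4.4 threshold, while the constructed ham stays at 0.4. A corpus in which no BAYES_* rule ever appears and every header says autolearn=no is consistent with Bayes being switched off (use_bayes 0), but also with a database that has not yet reached the minimum learned counts SpamAssassin requires before it will score with Bayes (bayes_min_ham_num and bayes_min_spam_num, 200 each by default); which of the two applies is the thing to ask the ISP.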
