Another low scoring obvious spam message - SpamAssassin


  1. Another low scoring obvious spam message

    What can I do to increase my chances on spammies like this one:
    http://pastebin.com/m5f5d11e0

    --
    Get my PGP Public key here:
    http://pelorus.org/skip@pelorus.org_public_key.asc


  2. Re: Another low scoring obvious spam message

    Skip wrote:
    > What can I do to increase my chances on spammies like this one:
    > http://pastebin.com/m5f5d11e0
    >


    maybe

    header _CTYPE_PLAIN Content-Type =~ m|text/plain|
    header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|


    ....


  3. Re: Another low scoring obvious spam message

    On Thu, 18 Sep 2008, Skip wrote:

    > What can I do to increase my chances on spammies like this one:
    > http://pastebin.com/m5f5d11e0


    (1) train your bayes with it

    (2) try the sought fraud ruleset that Justin is generating

    http://svn.apache.org/viewvc/spamass...ought_fraud.cf

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    An AR-15 in civilian hands used to defend a home or business:
    a High Velocity Assault Weapon with High Capacity Magazines
    An AR-15 in Law Enforcement Officer hands used to murder six kids:
    a Police-Style Patrol Rifle
    -----------------------------------------------------------------------
    Tomorrow: Talk Like a Pirate day


  4. Re: Another low scoring obvious spam message

    On Thu, September 18, 2008 8:55 am, mouss wrote:
    > Skip wrote:
    >
    >> What can I do to increase my chances on spammies like this one:
    >> http://pastebin.com/m5f5d11e0
    >>
    >>

    >
    > maybe
    >
    > header _CTYPE_PLAIN Content-Type =~ m|text/plain|
    > header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
    >
    >

    I wonder if that would have too many false positives.
    It got me thinking though. I looked in the 20_body_tests.cf rules and see
    the following rules:

    rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
    describe __MIME_BASE64 Includes a base64 attachment
    rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
    describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
    rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
    describe MIME_BASE64_TEXT Message text disguised using base64 encoding

    and from the 20_head_tests.cf
    meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
    describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

    Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
    rule in the past six months, but I have had ten hams fire the rule. Too
    many FPs for me.

    Same with the FROM_EXCESS_BASE64 rule: I have had zero spams fire that
    rule, but have had two hams fire it (they were newsletters from Red Hat).

    Sadly, these both sound like they would be good rules, but they don't seem
    to live up to their potential. (Btw, I am working with about 6,000 spams
    and 3,500 hams)

    Quick aside: Does SA decode the message body before running the body
    tests? I was really surprised that the decoded content on this message
    didn't trigger any of the get rich quick rules, or my bayes.


  5. Re: Another low scoring obvious spam message

    On Thu, September 18, 2008 9:33 am, John Hardin wrote:
    > On Thu, 18 Sep 2008, Skip wrote:
    >
    >
    >> What can I do to increase my chances on spammies like this one:
    >> http://pastebin.com/m5f5d11e0
    >>

    >
    > (1) train your bayes with it
    >

    I am using bayes, but it didn't catch it. I was quite surprised at that.
    >
    > (2) try the sought fraud ruleset that Justin is generating
    >
    >
    > http://svn.apache.org/viewvc/spamass...ox/jm/20_sough
    > t_fraud.cf
    >

    I'm using that too, and again no joy there. It may be time for an
    sa-update though.

    Thanks for the ideas though

    Skip


  6. Re: Another low scoring obvious spam message

    Skip Morrow wrote:
    > On Thu, September 18, 2008 9:33 am, John Hardin wrote:
    >> On Thu, 18 Sep 2008, Skip wrote:
    >>
    >>
    >>> What can I do to increase my chances on spammies like this one:
    >>> http://pastebin.com/m5f5d11e0
    >>>

    >> (1) train your bayes with it
    >>

    > I am using bayes, but it didn't catch it. I was quite surprised at that.


    Doesn't look to me like you are using bayes. There is no bayes score in
    the headers.


    X-Spam-Report:
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * 1.3 MISSING_HEADERS Missing To: header
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding

    Regards,

    Rick


  7. Re: Another low scoring obvious spam message

    >> I am using bayes, but it didn't catch it. I was quite surprised at
    >> that.

    >
    > Doesn't look to me like you are using bayes. There is no bayes score in
    > the headers.
    >

    Oh. I thought I was. I do get reports in some messages. Here's the
    debug from this particular message:
    [12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
    [12541] dbg: config: read file /home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
    [12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
    [12541] dbg: config: fixed relative path: /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
    [12541] dbg: config: using "/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf" for included file
    [12541] dbg: config: read file /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
    [12541] dbg: config: fixed relative path: /home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
    [12541] dbg: config: using "/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf" for included file
    [12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_toks
    [12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_seen
    [12541] dbg: bayes: found bayes db version 3
    [12541] dbg: bayes: DB journal sync: last sync: 1221706869
    [12541] dbg: bayes: DB journal sync: last sync: 1221706869
    [12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
    [12541] dbg: bayes: score = 2.02454774056449e-08
    [12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size: 150000, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire: 1220940612, Current time: 1221712855
    [12541] dbg: bayes: DB journal sync: last sync: 1221706869
    [12541] dbg: bayes: untie-ing

    Anything look funny in there? I see a very low score: 2.02e-08, but isn't
    it still working?



  9. Re: Another low scoring obvious spam message

    Sorry about the double post--operator error.


  10. Re: Another low scoring obvious spam message

    On Thu, 18 Sep 2008, Skip Morrow wrote:

    >> Doesn't look to me like you are using bayes. There is no bayes score in
    >> the headers.

    >
    > Oh. I thought I was. I do get reports in some messages. Here's the
    > debug from this particular message:
    > [12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf


    Silly question, but is "peloruso" the user that spamd is running as?
    User/database mismatch is a common problem.

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    What nuts do with guns is terrible, certainly. But what evil or crazy
    people do with *anything* is not a valid argument for banning that
    item. -- John C. Randolph
    -----------------------------------------------------------------------
    Tomorrow: Talk Like a Pirate day
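
    The debug lines Skip posted (posts 7 and 10) carry more information than the
    thread draws out of them. The following is an added example, not code from the
    thread or from SpamAssassin: it parses those lines (copied here with the wrapped
    lines joined back together) and reports the open mode and path of the Bayes
    database, whether the corpus has passed the default bayes_min_spam_num /
    bayes_min_ham_num threshold of 200 each, and which BAYES_* rule the probability
    falls in using the bucket boundaries from 23_bayes.cf. The handling of the exact
    bucket edges and the owner comparison against the spamd account (John's
    user/database question) are this example's own assumptions.

```python
# Added example; not from the thread or from SpamAssassin.  It reads the
# "spamassassin -D bayes" lines Skip posted (copied here with the wrapped lines
# joined back together) and pulls out what they say.  The BAYES_* probability
# buckets and the 200-spam/200-ham minimum-corpus defaults are SpamAssassin 3.2
# defaults; exact bucket-edge handling and the owner check are assumptions.
import os
import re

try:
    import pwd                      # Unix only; owner check is skipped elsewhere
except ImportError:
    pwd = None

# Copied from the thread (post 7), wrapped lines joined; this is the sample input.
DEBUG_LOG = """\
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size: 150000, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire: 1220940612, Current time: 1221712855
"""

# (upper bound, rule) from 23_bayes.cf: a probability below the bound and at or
# above the previous bound lands in that rule.  Edge handling is approximate.
BAYES_BUCKETS = [
    (0.01, "BAYES_00"), (0.05, "BAYES_05"), (0.20, "BAYES_20"), (0.40, "BAYES_40"),
    (0.60, "BAYES_50"), (0.80, "BAYES_60"), (0.95, "BAYES_80"), (0.99, "BAYES_95"),
]

DB_FILE_RE = re.compile(r"tie-ing to DB file (\S+) (\S+)")
CORPUS_RE = re.compile(r"corpus size: nspam = (\d+), nham = (\d+)")
SCORE_RE = re.compile(r"bayes: score = ([0-9.eE+-]+)")


def parse_bayes_debug(log):
    """Extract DB paths, open mode, corpus counts and the probability."""
    info = {"db_files": [], "mode": None, "nspam": None, "nham": None, "score": None}
    for line in log.splitlines():
        m = DB_FILE_RE.search(line)
        if m:
            info["mode"] = m.group(1)
            info["db_files"].append(m.group(2))
            continue
        m = CORPUS_RE.search(line)
        if m:
            info["nspam"], info["nham"] = int(m.group(1)), int(m.group(2))
            continue
        m = SCORE_RE.search(line)
        if m:
            info["score"] = float(m.group(1))
    return info


def bayes_rule_for(prob):
    """Which BAYES_* rule a probability lands in."""
    for bound, rule in BAYES_BUCKETS:
        if prob < bound:
            return rule
    return "BAYES_99"


def corpus_ready(info, min_spam=200, min_ham=200):
    """Bayes only scores once both counts reach bayes_min_spam_num and
    bayes_min_ham_num (200 each by default)."""
    return (info["nspam"] is not None and info["nham"] is not None
            and info["nspam"] >= min_spam and info["nham"] >= min_ham)


def db_owner(path):
    """Owner of a Bayes DB file, or None if it is not reachable from here.
    Compare it with the account spamd runs as: a mismatch means spamd scores
    against a different (often empty) database than the one sa-learn fed."""
    if pwd is None:
        return None
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except OSError:
        return None


def summarize(log, spamd_user=None):
    """Everything the debug output lets us conclude, in one dict."""
    info = parse_bayes_debug(log)
    info["rule"] = bayes_rule_for(info["score"]) if info["score"] is not None else None
    info["corpus_ready"] = corpus_ready(info)
    info["owners"] = {p: db_owner(p) for p in info["db_files"]}
    info["owner_mismatch"] = [p for p, owner in info["owners"].items()
                              if owner is not None and spamd_user and owner != spamd_user]
    return info


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(DEBUG_LOG, spamd_user="peloruso"))
```

    For the posted log the corpus is well past the minimum, the database was
    opened read-only from the user's own bayes_path, and a probability of 2e-08
    falls in BAYES_00, so Bayes did run and rated that copy as near-certain ham.
    Whether the copy that was delivered was scored against the same database is
    exactly what the owner comparison is for.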


  11. Re: Another low scoring obvious spam message

    Skip Morrow wrote:
    > On Thu, September 18, 2008 8:55 am, mouss wrote:
    >> Skip wrote:
    >>
    >>> What can I do to increase my chances on spammies like this one:
    >>> http://pastebin.com/m5f5d11e0
    >>>
    >>>

    >> maybe
    >>
    >> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
    >> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
    >>
    >>

    > I wonder if that would have too many false positives.


    It will trigger on ham, which means you shouldn't score it too much.

    If you check the list mail, it'll trigger for mail sent by Larry Rosenbaum.

    > It got me thinking though. I looked in the 20_body_tests.cf rules and see
    > the following rules:
    >
    > rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
    > describe __MIME_BASE64 Includes a base64 attachment
    > rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
    > describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
    > rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
    > describe MIME_BASE64_TEXT Message text disguised using base64 encoding
    >
    > and from the 20_head_tests.cf
    > meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
    > describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
    >
    > Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
    > rule in the past six months, but I have had ten hams fire the rule. Too
    > many FPs for me.
    >
    > Same with the FROM_EXCESS_BASE64 rule: I have had zero spams fire that
    > rule, but have had two hams fire it (they were newsletters from Red Hat).
    >
    > Sadly, these both sound like they would be good rules, but they don't seem
    > to live up to their potential. (Btw, I am working with about 6,000 spams
    > and 3,500 hams)
    >
    > Quick aside: Does SA decode the message body before running the body
    > tests? I was really surprised that the decoded content on this message
    > didn't trigger any of the get rich quick rules, or my bayes.
    >



  12. Re: Another low scoring obvious spam message

    Skip Morrow wrote:
    > On Thu, September 18, 2008 9:33 am, John Hardin wrote:
    >> On Thu, 18 Sep 2008, Skip wrote:
    >>
    >>
    >>> What can I do to increase my chances on spammies like this one:
    >>> http://pastebin.com/m5f5d11e0
    >>>

    >> (1) train your bayes with it
    >>

    > I am using bayes, but it didn't catch it. I was quite surprised at that.


    hmmmm...

    Content analysis details: (6.3 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                                [score: 1.0000]
    -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
    -0.0 SPF_PASS               SPF: sender matches SPF record
     1.3 MISSING_HEADERS        Missing To: header
     1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
     0.0 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding




    >> (2) try the sought fraud ruleset that Justin is generating
    >>
    >>
    >> http://svn.apache.org/viewvc/spamass...ox/jm/20_sough
    >> t_fraud.cf
    >>

    > I'm using that too, and again no joy there. It may be time for an
    > sa-update though.
    >


    sa-update and jm sought here. Without Bayes, it's missed.


  13. Re: Another low scoring obvious spam message

    Skip Morrow wrote:
    > Sorry about the double post--operator error.
    >


    fire operator


  14. Re: Another low scoring obvious spam message

    >>>
    >>>

    >> I am using bayes, but it didn't catch it. I was quite surprised at
    >> that.

    >
    > hmmmm...
    >
    > Content analysis details: (6.3 points, 5.0 required)
    >
    >  pts rule name              description
    > ---- ---------------------- --------------------------------------------------
    >  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
    >                             [score: 1.0000]
    > -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
    > -0.0 SPF_PASS               SPF: sender matches SPF record
    >  1.3 MISSING_HEADERS        Missing To: header
    >  1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
    >  0.0 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
    >
    >

    How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
    not. I just looked and I have never triggered that rule in any spams, but
    I have triggered it in a couple of hams. Now why would it work for you
    and not for me???? hmmmmm..... I am using SA 3.2.4. By the way, that
    mime block is only 76 characters wide.

    >
    > sa-update and jm sought here. without Bayes, it's missed.
    >
    >

    I ran sa-update just a few minutes ago and it didn't make a difference.

    I habitually run most of my spam through sa-learn and most of my ham too.
    I know it's working because I do have a lot of spam trigger the BAYES_99 rule
    (and others too). I am still surprised that I had such a low score on
    this one. Bayes would have been my only saving grace here too.


  15. Re: Another low scoring obvious spam message

    On Thu, 18 Sep 2008, mouss wrote:

    >>> (2) try the sought fraud ruleset that Justin is generating
    >>>
    >>> http://svn.apache.org/viewvc/spamass...ox/jm/20_sough
    >>> t_fraud.cf
    >>>
    >> I'm using that too, and again no joy there. It may be time for an
    >> sa-update though.
    >
    > sa-update and jm sought here. without Bayes, it's missed.


    sought != sought_fraud.

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    Your mouse has moved. Your Windows Operating System must be
    relicensed due to this hardware change. Please contact Microsoft
    to obtain a new activation key. If this hardware change results in
    added functionality you may be subject to additional license fees.
    Your system will now shut down. Thank you for choosing Microsoft.
    -----------------------------------------------------------------------
    Tomorrow: Talk Like a Pirate day


  16. Re: Another low scoring obvious spam message

    Skip Morrow wrote:
    >>>>
    >>> I am using bayes, but it didn't catch it. I was quite surprised at
    >>> that.

    >> hmmmm...
    >>
    >> Content analysis details: (6.3 points, 5.0 required)
    >>
    >>  pts rule name              description
    >> ---- ---------------------- --------------------------------------------------
    >>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
    >>                             [score: 1.0000]
    >> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
    >> -0.0 SPF_PASS               SPF: sender matches SPF record
    >>  1.3 MISSING_HEADERS        Missing To: header
    >>  1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
    >>  0.0 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
    >>
    >>

    > How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
    > not. I just looked and I have never triggered that rule in any spams, but
    > I have triggered it in a couple of hams. Now why would it work for you
    > and not for me???? hmmmmm..... I am using SA 3.2.4. By the way, that
    > mime block is only 76 characters wide.
    >


    Well, I did a cut-paste from the pastebin page, so maybe there's a
    mismatch between what I passed to SA and your message?

    >> sa-update and jm sought here. without Bayes, it's missed.
    >>
    >>

    > I ran sa-update just a few minutes ago and it didn't make a difference.
    >
    > I habitually run most of my spam through sa-learn and most of my ham too.
    > I know it's working because I do have a lot of spam trigger the BAYES_99 rule
    > (and others too). I am still surprised that I had such a low score on
    > this one. Bayes would have been my only saving grace here too.
    >


    I have spam that goes to pseudo-traps. Maybe this helps Bayes.

    Anyway, if your SA only misses a few spams, there's no need to try to
    improve that with new rules.
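
    Several points in this thread turn on the difference between what a header,
    rawbody and body rule each get to see: mouss's text/plain-plus-base64 header
    pair (posts 2 and 11), the MIME_BASE64_BLANKS and MIME_BASE64_TEXT checks
    and Skip's question about whether body tests run on decoded content (post 4),
    and the BASE64_LENGTH_79_INF hit that appeared on mouss's pasted copy but not on
    Skip's 76-column original (posts 14 and 16). The following is an added example,
    not code from the thread or from SpamAssassin; it builds two constructed
    messages carrying the same base64-encoded text/plain body, one wrapped at 76
    columns with an extra blank line in the block and one reflowed onto a single
    line as a cut-and-paste can do, and runs approximations of those checks over
    both. The 79-column threshold, the "any blank line" condition and the
    "base64 was unnecessary" test are this example's own assumptions chosen to
    match the rule names; SpamAssassin's check_for_mime() is not reproduced. What
    it does show reliably is that a pattern run on the decoded text hits while the
    same pattern run on the raw base64 does not, which is the distinction between
    body and rawbody rules.

```python
# Added example; not code from the thread or from SpamAssassin.  Approximate
# re-creations of the checks the thread discusses, run over two constructed
# messages.  Thresholds are assumptions matching the rule names, not the
# project's check_for_mime() logic.
import base64
import email
import re
from email import policy

# Constructed spam-like body text; nothing in it needs base64 at all.
BODY_TEXT = b"Make money fast. Reply to claim your prize today.\n" * 4


def build_message(encoded_lines, blank_after=None):
    """Assemble a single-part text/plain message whose body is base64.
    blank_after inserts an empty line into the encoded block, like the
    spam in the thread that hit MIME_BASE64_BLANKS."""
    lines = list(encoded_lines)
    if blank_after is not None:
        lines.insert(blank_after, "")
    headers = (
        "From: someone@example.invalid\n"
        "Subject: hello\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Transfer-Encoding: base64\n"
    )
    return headers + "\n" + "\n".join(lines) + "\n"


# encodebytes() wraps at 76 columns, the width Skip measured on his copy.
B64_LINES = base64.encodebytes(BODY_TEXT).decode("ascii").splitlines()
SPAM_76 = build_message(B64_LINES, blank_after=1)
# The same block reflowed onto one line, as a cut-and-paste from a web page
# can do; this is the shape that trips a "line >= 79" test.
SPAM_REFLOWED = build_message(["".join(B64_LINES)])

MAX_B64_LINE = 78                                  # assumption: BASE64_LENGTH_79_INF
BODY_RULE = re.compile(r"make money fast", re.I)   # stand-in for a 'body' rule


def check(raw):
    """Raw-level and decoded-level observations for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    cte = str(msg.get("Content-Transfer-Encoding", "")).strip().lower()
    raw_body = raw.split("\n\n", 1)[1].rstrip("\n").split("\n")
    decoded = msg.get_content()                    # what a 'body' rule sees
    return {
        # mouss's header pair: text/plain *and* base64
        "plain_text_b64": msg.get_content_type() == "text/plain" and cte == "base64",
        # 'rawbody'-level facts about the encoded block
        "max_b64_line": max(len(line) for line in raw_body),
        "blank_lines_in_b64": sum(1 for line in raw_body if not line.strip()),
        "over_long_b64": any(len(line) > MAX_B64_LINE for line in raw_body),
        # base64 was pointless if the text is 7-bit ASCII with RFC-length lines
        "base64_unnecessary": decoded.isascii()
                              and all(len(l) <= 998 for l in decoded.splitlines()),
        # the same pattern hits the decoded text but not the raw base64
        "body_rule_decoded": bool(BODY_RULE.search(decoded)),
        "body_rule_raw": bool(BODY_RULE.search("\n".join(raw_body))),
    }


if __name__ == "__main__":
    for name, raw in ("76-column", SPAM_76), ("reflowed", SPAM_REFLOWED):
        print(name, check(raw))
```

    On the 76-column message only the blank-line and header-pair checks fire; on
    the reflowed copy the long-line check fires instead, which is the mismatch
    Skip and mouss saw between their two copies.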


  17. Re: Another low scoring obvious spam message

    John Hardin wrote:
    > On Thu, 18 Sep 2008, mouss wrote:
    >
    >>>> (2) try the sought fraud ruleset that Justin is generating
    >>>>
    >>>> http://svn.apache.org/viewvc/spamass...ox/jm/20_sough
    >>>> t_fraud.cf
    >>>>
    >>> I'm using that too, and again no joy there. It may be time for an
    >>> sa-update though.
    >>
    >> sa-update and jm sought here. without Bayes, it's missed.

    >
    > sought != sought_fraud.
    >


    Ah, missed that. Just tried it, but I get the same results.


  18. Re: Another low scoring obvious spam message

    >
    > sought != sought_fraud.
    >

    Whoops! Thanks! Got it now, but still no hits in that rule set either.


  19. Re: Another low scoring obvious spam message

    >
    >
    > Anyway, if your SA only misses a few spams, there's no need to try to
    > improve that with new rules.
    >
    >
    >

    Yeah, this is the first spam I've gotten in about a month or maybe two.
    Still, I let it bug me too much. That, and it's slow at work today. I
    guess I'll just let it go.


  20. Re: Another low scoring obvious spam message

    On Thu, 18 Sep 2008, mouss wrote:

    > John Hardin wrote:
    >
    >> sought != sought_fraud.

    >
    > ah. missed that. just tried it, but I get the same results.


    That's not *too* surprising. At the moment the corpus for it is
    manually-collected fraud spams sent to me personally, and I don't
    necessarily see all possible forms.

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    Tomorrow: Talk Like a Pirate day

