How easy is Spam Assassin really?

I host about 10 domains on a w2k server (when you're done mocking, please continue). Currently, I use ASSP which isn't very effective but helps a lot.

Occasionally, I'll get fed up and dig into implementing SA instead but then stop short after reading about how it doesn't run as a service well et al.

However, it runs well as a service and I actually run 4 simultaneous instances of it for various levels of filtering. Also, since it is bayes based, it allows for unique per domain databases for those that need it.

There are some commercial SA solutions (Catch! is one I keep circling back to because of its unlimited domains / users versus price). But it doesn't have an obvious popb4smtp engine that I can see.

Then, I see the flood of emails in this list about the rules, etc.

Do you have to constantly tune your rules? How often do you need to do this for it to be effective?

Some honest feedback and maybe a link or two would be helpful.

Implementing SA on a win32 doesn't seem like it'd be too difficult, but every configuration is unique I'm sure.

Thanks in advance,

Chris
|
|
RE: How easy is Spam Assassin really?

> I host about 10 domains on a w2k server (when you're done mocking, please continue). Currently, I use ASSP which isn't very effective but helps a lot.
>
> Occasionally, I'll get fed up and dig into implementing SA instead but then stop short after reading about how it doesn't run as a service well et al.
>
> However, it runs well as a service and I actually run 4 simultaneous instances of it for various levels of filtering. Also, since it is bayes based, it allows for unique per domain databases for those that need it.
>
> There are some commercial SA solutions (Catch! is one I keep circling back to because of its unlimited domains / users versus price). But it doesn't have an obvious popb4smtp engine that I can see.
>
> Then, I see the flood of emails in this list about the rules, etc.
>
> Do you have to constantly tune your rules? How often do you need to do this for it to be effective?
>
> Some honest feedback and maybe a link or two would be helpful.
>
> Implementing SA on a win32 doesn't seem like it'd be too difficult, but every configuration is unique I'm sure.

Getting SA to run is no big deal. Integrating with your MTA can be a challenge if no one has done it already.

I've run SA on Windows for a few years now. It gets easier and more stable with every release. CommuniGate Pro is our current MTA and we have a decent free integration tool (missing one important feature, but hey it's free). We evaluated Merak a while back and I wrote an integration tool for it without too much problem.

If you're using native Windows mail services, then you'd need a proxy engine that runs in front of it to run SA. I've never looked into what might work to do that, but you might look at MailScanner to see if it supports that configuration.

If you're looking to buy something, Deep Six's DS200 gets pretty good reviews and is fairly cheap for its accuracy. http://www.deep6tech.com/prod.html. You might want to check it out... I can't speak for real-life usage of it. I just read the reviews. Brian Livingston reviewed it recently including testing it on their own e-mail system. Be happy to forward you the review if you're interested enough.

Bret
|
|
GIF stock spams

Hello,

Has anyone written any rules to catch the following types of spam

http://nisk.creenet.com/~cconn/sa/

They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.

Thanks in advance,

Chris
|
|
RE: GIF stock spams

I catch them all, for example:

X-Spam-Report:
 * 1.0 ICAB_FW2 ICAB_FW2
 * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
 * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i
score ICAB_FW2 1

Ruben

> -----Original message-----
> From: Chris Conn [mailto:cconn@...]
> Sent: Friday, 24 February 2006 17:35
> To: users@...
> Subject: GIF stock spams
>
> Hello,
>
> Has anyone written any rules to catch the following types of spam
>
> http://nisk.creenet.com/~cconn/sa/
>
> They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
>
> Thanks in advance,
>
> Chris
|
|
RE: How easy is Spam Assassin really?

> -----Original Message-----
> From: Bret Miller [mailto:bret.miller@...]
> Sent: Friday, February 24, 2006 9:56 AM
> To: users@...
> Subject: RE: How easy is Spam Assassin really?
>
> > I host about 10 domains on a w2k server (when you're done mocking, please continue). Currently, I use ASSP which isn't very effective but helps a lot.

Since I too run Windows servers (no apologies necessary; ignore those who mock) and wished to run SA, my approach was to implement it under CygWin.

In CygWin it runs as a (near) service in the mode of Linux etc (i.e., Spamd and SpamC or whatever client you use to query the running instance.)

CygWin is a surprising delight. Much of the best of both Linux and all of the features Windows.

My setup is to actually run Exim as the email server but that is just my choice and others would work....

--
Herb Martin
|
|
RE: GIF stock spams

> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

So 6.0 point for your BAYES I hope your BAYES is well trained and never gets corrupted

Maurice Lucas

On Fri, 2006-02-24 at 17:44 +0100, Ruben Cardenal wrote:
> I catch them all, for example:
>
> X-Spam-Report:
> * 1.0 ICAB_FW2 ICAB_FW2
> * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i
> score ICAB_FW2 1
>
> Ruben
>
> > -----Original message-----
> > From: Chris Conn [mailto:cconn@...]
> > Sent: Friday, 24 February 2006 17:35
> > To: users@...
> > Subject: GIF stock spams
> >
> > Hello,
> >
> > Has anyone written any rules to catch the following types of spam
> >
> > http://nisk.creenet.com/~cconn/sa/
> >
> > They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
> >
> > Thanks in advance,
> >
> > Chris
|
|
RE: GIF stock spams

Hi Ruben,

Sorry to be such a nube, but can you tell me exactly what I need to do to implement what is working for you. These damn image files are killing us.

Thanks,

Joey

-----Original Message-----
From: Ruben Cardenal [mailto:ruben@...]
Sent: Friday, February 24, 2006 11:45 AM
To: users@...
Subject: RE: GIF stock spams

I catch them all, for example:

X-Spam-Report:
 * 1.0 ICAB_FW2 ICAB_FW2
 * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
 * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1

Ruben

> -----Original message-----
> From: Chris Conn [mailto:cconn@...]
> Sent: Friday, 24 February 2006 17:35
> To: users@...
> Subject: GIF stock spams
>
> Hello,
>
> Has anyone written any rules to catch the following types of spam
>
> http://nisk.creenet.com/~cconn/sa/
>
> They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
>
> Thanks in advance,
>
> Chris
|
|
RE: GIF stock spams

> > * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> So 6.0 point for your BAYES I hope your BAYES is well trained and never gets corrupted

Works like a charm :)

Ruben
|
|
Re: GIF stock spams

>>> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>>
>> So 6.0 point for your BAYES I hope your BAYES is well trained and never gets corrupted
>
> Works like a charm :)

I've only dared go to a 3, however so far so good
|
|
Re: GIF stock spams

I get a ton of these. However, I've also got about 30 spamtrap addresses aliased to my account. I also run my SA threshold at 7, so those two factors probably account for a lot of the reason I get so many.

Anyway, the SARE stock rules help quite a bit, but I still see a fair number of these that get through. Most of the ones that get through only get about BAYES_50 at best. I finally resorted to raising the score on the HTML_IMAGE_ONLY_XX rules by about 1 point each. Even with this in place, I still see a few here and there.

Craig

Quoting Chris Conn <cconn@...>:

> Hello,
>
> Has anyone written any rules to catch the following types of spam
>
> http://nisk.creenet.com/~cconn/sa/
>
> They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
>
> Thanks in advance,
>
> Chris
|
|
RE: GIF stock spams

Hi Joel,

Well, I have spamassassin scoring as spam from 3.0 on, and until 14 gets quarantined for review for messages not scoring BAYES_99. Almost 250.000 messages scoring over 14 with only 1 FP being rejected (and was quite an unusual situation).

That kind of mails have all "Fw: 12345", from 3-6/7 numbers. Writing a rule to score those subjects could help, but don't score it too high or you'll catch innocent mails. You have the rule I used in my first mail. I quarantine mails using excellent Toribio's Qmail-Scanner patch (you can find it at http://toribio.apollinare.org/qmail-scanner/) That kind of functionality has been added in the Qmail-Scanner 2.00 RC1 .

Good luck,

Ruben

> -----Original message-----
> From: Joey [mailto:Joey@...]
> Sent: Friday, 24 February 2006 18:47
> To: users@...
> Subject: RE: GIF stock spams
>
> Hi Ruben,
>
> Sorry to be such a nube, but can you tell me exactly what I need to do to implement what is working for you.
> These damn image files are killing us.
>
> Thanks,
>
> Joey
>
> -----Original Message-----
> From: Ruben Cardenal [mailto:ruben@...]
> Sent: Friday, February 24, 2006 11:45 AM
> To: users@...
> Subject: RE: GIF stock spams
>
> I catch them all, for example:
>
> X-Spam-Report:
> * 1.0 ICAB_FW2 ICAB_FW2
> * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
>
> Ruben
>
> > -----Original message-----
> > From: Chris Conn [mailto:cconn@...]
> > Sent: Friday, 24 February 2006 17:35
> > To: users@...
> > Subject: GIF stock spams
> >
> > Hello,
> >
> > Has anyone written any rules to catch the following types of spam
> >
> > http://nisk.creenet.com/~cconn/sa/
> >
> > They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
> >
> > Thanks in advance,
> >
> > Chris
|
|
RE: GIF stock spams

So if I use postfix I'm SOL?

-----Original Message-----
From: Ruben Cardenal [mailto:ruben@...]
Sent: Friday, February 24, 2006 1:02 PM
To: users@...
Subject: RE: GIF stock spams

Hi Joel,

Well, I have spamassassin scoring as spam from 3.0 on, and until 14 gets quarantined for review for messages not scoring BAYES_99. Almost 250.000 messages scoring over 14 with only 1 FP being rejected (and was quite an unusual situation).

That kind of mails have all "Fw: 12345", from 3-6/7 numbers. Writing a rule to score those subjects could help, but don't score it too high or you'll catch innocent mails. You have the rule I used in my first mail. I quarantine mails using excellent Toribio's Qmail-Scanner patch (you can find it at http://toribio.apollinare.org/qmail-scanner/) That kind of functionality has been added in the Qmail-Scanner 2.00 RC1 .

Good luck,

Ruben

> -----Original message-----
> From: Joey [mailto:Joey@...]
> Sent: Friday, 24 February 2006 18:47
> To: users@...
> Subject: RE: GIF stock spams
>
> Hi Ruben,
>
> Sorry to be such a nube, but can you tell me exactly what I need to do to implement what is working for you.
> These damn image files are killing us.
>
> Thanks,
>
> Joey
>
> -----Original Message-----
> From: Ruben Cardenal [mailto:ruben@...]
> Sent: Friday, February 24, 2006 11:45 AM
> To: users@...
> Subject: RE: GIF stock spams
>
> I catch them all, for example:
>
> X-Spam-Report:
> * 1.0 ICAB_FW2 ICAB_FW2
> * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
>
> Ruben
>
> > -----Original message-----
> > From: Chris Conn [mailto:cconn@...]
> > Sent: Friday, 24 February 2006 17:35
> > To: users@...
> > Subject: GIF stock spams
> >
> > Hello,
> >
> > Has anyone written any rules to catch the following types of spam
> >
> > http://nisk.creenet.com/~cconn/sa/
> >
> > They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
> >
> > Thanks in advance,
> >
> > Chris
|
|
RE: GIF stock spams

Sorry wasn't thinking, should this work?

header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
score ICAB_FW2 4
describe ICAB_FW2 IMAGE SPAM

-----Original Message-----
From: Ruben Cardenal [mailto:ruben@...]
Sent: Friday, February 24, 2006 1:02 PM
To: users@...
Subject: RE: GIF stock spams

Hi Joel,

Well, I have spamassassin scoring as spam from 3.0 on, and until 14 gets quarantined for review for messages not scoring BAYES_99. Almost 250.000 messages scoring over 14 with only 1 FP being rejected (and was quite an unusual situation).

That kind of mails have all "Fw: 12345", from 3-6/7 numbers. Writing a rule to score those subjects could help, but don't score it too high or you'll catch innocent mails. You have the rule I used in my first mail. I quarantine mails using excellent Toribio's Qmail-Scanner patch (you can find it at http://toribio.apollinare.org/qmail-scanner/) That kind of functionality has been added in the Qmail-Scanner 2.00 RC1 .

Good luck,

Ruben

> -----Original message-----
> From: Joey [mailto:Joey@...]
> Sent: Friday, 24 February 2006 18:47
> To: users@...
> Subject: RE: GIF stock spams
>
> Hi Ruben,
>
> Sorry to be such a nube, but can you tell me exactly what I need to do to implement what is working for you.
> These damn image files are killing us.
>
> Thanks,
>
> Joey
>
> -----Original Message-----
> From: Ruben Cardenal [mailto:ruben@...]
> Sent: Friday, February 24, 2006 11:45 AM
> To: users@...
> Subject: RE: GIF stock spams
>
> I catch them all, for example:
>
> X-Spam-Report:
> * 1.0 ICAB_FW2 ICAB_FW2
> * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
>
> Ruben
>
> > -----Original message-----
> > From: Chris Conn [mailto:cconn@...]
> > Sent: Friday, 24 February 2006 17:35
> > To: users@...
> > Subject: GIF stock spams
> >
> > Hello,
> >
> > Has anyone written any rules to catch the following types of spam
> >
> > http://nisk.creenet.com/~cconn/sa/
> >
> > They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
> >
> > Thanks in advance,
> >
> > Chris
|
|
RE: GIF stock spams

IF your mails have that kind of subject too, yes, but is malformed:

header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i
score ICAB_FW2 4
describe ICAB_FW2 IMAGE SPAM

("ICAB" is related to my work, feel free to change it)

Ruben.

> -----Original message-----
> From: Joey [mailto:Joey@...]
> Sent: Friday, 24 February 2006 19:06
> To: 'Ruben Cardenal'; users@...
> Subject: RE: GIF stock spams
>
> Sorry wasn't thinking, should this work?
>
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
> score ICAB_FW2 4
> describe ICAB_FW2 IMAGE SPAM
>
> -----Original Message-----
> From: Ruben Cardenal [mailto:ruben@...]
> Sent: Friday, February 24, 2006 1:02 PM
> To: users@...
> Subject: RE: GIF stock spams
>
> Hi Joel,
>
> Well, I have spamassassin scoring as spam from 3.0 on, and until 14 gets quarantined for review for messages not scoring BAYES_99. Almost 250.000 messages scoring over 14 with only 1 FP being rejected (and was quite an unusual situation).
>
> That kind of mails have all "Fw: 12345", from 3-6/7 numbers. Writing a rule to score those subjects could help, but don't score it too high or you'll catch innocent mails. You have the rule I used in my first mail. I quarantine mails using excellent Toribio's Qmail-Scanner patch (you can find it at http://toribio.apollinare.org/qmail-scanner/) That kind of functionality has been added in the Qmail-Scanner 2.00 RC1 .
>
> Good luck,
>
> Ruben
>
> > -----Original message-----
> > From: Joey [mailto:Joey@...]
> > Sent: Friday, 24 February 2006 18:47
> > To: users@...
> > Subject: RE: GIF stock spams
> >
> > Hi Ruben,
> >
> > Sorry to be such a nube, but can you tell me exactly what I need to do to implement what is working for you.
> > These damn image files are killing us.
> >
> > Thanks,
> >
> > Joey
> >
> > -----Original Message-----
> > From: Ruben Cardenal [mailto:ruben@...]
> > Sent: Friday, February 24, 2006 11:45 AM
> > To: users@...
> > Subject: RE: GIF stock spams
> >
> > I catch them all, for example:
> >
> > X-Spam-Report:
> > * 1.0 ICAB_FW2 ICAB_FW2
> > * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> > * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> > * 0.0 HTML_MESSAGE BODY: HTML included in message
> > * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> >
> > header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
> >
> > Ruben
> >
> > > -----Original message-----
> > > From: Chris Conn [mailto:cconn@...]
> > > Sent: Friday, 24 February 2006 17:35
> > > To: users@...
> > > Subject: GIF stock spams
> > >
> > > Hello,
> > >
> > > Has anyone written any rules to catch the following types of spam
> > >
> > > http://nisk.creenet.com/~cconn/sa/
> > >
> > > They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.
> > >
> > > Thanks in advance,
> > >
> > > Chris
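
Added example, not part of any post in this thread: a small Python check of the two versions of the ICAB_FW2 snippet exchanged above, showing what "malformed" means here and how the score on a Subject-only rule interacts with the 3.0 spam threshold mentioned earlier in the thread. The `lint` and `verdict` helpers are hypothetical and are not SpamAssassin's own parser; the sample subjects are constructed.

```python
import re

# Constructed inputs: the snippet as first posted (directives run together,
# two scores) and the one-directive-per-line layout from the reply.
AS_POSTED = r"""
header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i score ICAB_FW2 1
score ICAB_FW2 4
describe ICAB_FW2 IMAGE SPAM
"""
CORRECTED = r"""
header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i
score ICAB_FW2 4
describe ICAB_FW2 IMAGE SPAM
"""

# Hypothetical parser for the one rule shape used in the thread:
#   header NAME Header =~ /pattern/flags
HEADER_RE = re.compile(
    r"^header\s+(\w+)\s+\S+\s+=~\s+/(.+?)/([a-z]*)(?:\s+(.*))?$")


def lint(cf_text):
    """Parse header/score/describe lines; return (rules, scores, problems)."""
    rules, scores, problems = {}, {}, []
    queue = list(enumerate(cf_text.strip().splitlines(), 1))
    while queue:
        n, line = queue.pop(0)
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = line.split()[0]
        if kind == "header":
            m = HEADER_RE.match(line)
            if not m:
                problems.append(f"line {n}: cannot parse header rule")
                continue
            name, pattern, flags, trailing = m.groups()
            rules[name] = re.compile(pattern, re.I if "i" in flags else 0)
            if trailing:
                problems.append(f"line {n}: text after pattern: {trailing!r}")
                queue.insert(0, (n, trailing))  # lint the fused directive too
        elif kind == "score":
            parts = line.split()
            if len(parts) != 3:
                problems.append(f"line {n}: expected 'score NAME VALUE'")
                continue
            if parts[1] in scores:
                problems.append(f"line {n}: {parts[1]} is scored twice")
            scores[parts[1]] = float(parts[2])
        elif kind != "describe":
            problems.append(f"line {n}: unknown directive {kind!r}")
    return rules, scores, problems


def verdict(subject, rules, scores, required=3.0):
    """Sum the scores of matching Subject rules; spam if total >= required."""
    total = sum(scores.get(name, 0.0)
                for name, rx in rules.items() if rx.search(subject))
    return total, total >= required


if __name__ == "__main__":
    print(lint(AS_POSTED)[2])
    rules, scores, _ = lint(CORRECTED)
    for subj in ("Fw: 12345", "Fw: 2006", "Re: Fw: 123", "Fw: 1234567890"):
        print(subj, verdict(subj, rules, scores),
              verdict(subj, rules, {"ICAB_FW2": 1.0}))
```

A message whose only hit is this Subject rule stays under a 3.0 threshold when the rule scores 1 and crosses it when the rule scores 4, which is the trade-off behind the advice not to score the rule too high.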
|
|
Re: How easy is Spam Assassin really?

From: "Chris Norman" <chris@...>

> I host about 10 domains on a w2k server (when you're done mocking, please continue). Currently, I use ASSP which isn't very effective but helps a lot.
>
> Occasionally, I'll get fed up and dig into implementing SA instead but then stop short after reading about how it doesn't run as a service well et al.
>
> However, it runs well as a service and I actually run 4 simultaneous instances of it for various levels of filtering. Also, since it is bayes based, it allows for unique per domain databases for those that need it.
>
> There are some commercial SA solutions (Catch! is one I keep circling back to because of its unlimited domains / users versus price). But it doesn't have an obvious popb4smtp engine that I can see.
>
> Then, I see the flood of emails in this list about the rules, etc.
>
> Do you have to constantly tune your rules? How often do you need to do this for it to be effective?

Well, that is an interesting question because it does not have a simple answer. Now, I am assuredly not running a commercial setup. But I can to a degree scale up my experience here.

Mostly I have to keep my SARE rules up to date. (I use my own script because RDJ was not 'real' when I built it. It works. I know how to tune it. So.... {^_-}) I run it every time I notice a mention of updates. Once in a while (months) I check the SARE site for new rule sets. (With one of the semi-ninjas sitting right behind me much of the time you'd think I'd be more diligent. But, I'm a lazy bit<oops>. {^_-})

Aside from the rules updates, usually about once a week to once a month, I myself don't write any rules more often than "this one tee'd me off". Usually it is a rule that experienced the slight negative score I give the LKML and still scored BAYES_99, which I have at 5.0. I am content to review my low scoring spam, usually the few below 10 to 15 points, for mismarked ham. (I readjusted my LKML meta rules and rules. That problem seems to be much abated at the moment. And Bayes 99 is approaching 100%/0% asymptotically at the moment.) I get annoyed with spam that escapes. That happens about one in 10,000 messages of late, again it's almost always LKML related.

I do tweak the whitelists periodically as new legitimate sources come on line. (I also anti-tweak them to hide junk from some trade journals that insist on daily or weekly junk if I want to get their magazine. {^_-} SA is a WONDERFUL tool.)

So I suspect you could get by without getting too embroiled in the mechanics of SA maintenance by using Bayes, SARE rules, and a clearly stated set of policies about what is done with the marked email. Note that if it is 10 domains including the likes of Earthlink or NetZero the problem is much worse than if they are small company domains for say a set of real estate offices.

{^_^}
|
|
Re: GIF stock spams

Joey wrote:
> So if I use postfix I'm SOL?

amavisd-new.