Spam PDF

Hello,

Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type?

\raymond

RE: Spam PDF

Hi,

Got one yesterday too here. Seems to be a new way for spammers ...

-----Original message-----
From: Raymond Myren [mailto:raymond@...]
Sent: Wednesday, 27 June 2007 08:09
To: users@...
Subject: Spam PDF

Hello,

Just today I started receiving spam mails with attached .pdf files with a spam image.
Any ideas how to stop this spam type?

\raymond

Re: Spam PDF

Stéphane LEPREVOST wrote:
> Hi,
>
> Got one yesterday too here. Seems to be a new way for spammers ...

Hi Stephane,

Unless the mail is caught by other rules or Bayes, I still don't know any way to mark this, so yesterday one got through at my server too. I've asked on the list what to do against it, but haven't got any useful answer. Perhaps it would be easier to use ClamAV to filter such mails out; I think I will ask there.

--
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany

Re: Spam PDF

On Wed, 2007-06-27 at 09:18 +0200, Robert Schetterer wrote:
> Stéphane LEPREVOST wrote:
> > Hi,
> >
> > Got one yesterday too here. Seems to be a new way for spammers ...

I have two servers, one is running DCC and one is not. The one that is running DCC didn't pass the message, or maybe I am mistaken, but it didn't go through (maybe it didn't get there at all in the first place). On the other server that is not running DCC the email went through, and it was an empty email body with a PDF attachment.

> Hi Stephane,
> Unless the mail is caught by other rules or Bayes, I still don't know
> any way to mark this, so yesterday one got through at my server too.
> I've asked on the list what to do against it, but haven't got any useful
> answer. Perhaps it would be easier to use ClamAV to filter such mails
> out; I think I will ask there.
>
> Robert Schetterer

Wael

Re: Spam PDF

Robert Schetterer wrote:
> Perhaps it would be easier to use ClamAV to filter
> such mails out; I think I will ask there.

Sanesecurity has a ClamAV signature: Email.Stk.Gen522.Sanesecurity.07062102.pdf

MH

Re: Spam PDF

On Wed, 27 Jun 2007, Wael Shahin wrote:
> I have two servers, one is running DCC and one is not. The one that is
> running DCC didn't pass the message, or maybe I am mistaken, but it didn't
> go through (maybe it didn't get there at all in the first place).
> On the other server that is not running DCC the email went through, and
> it was an empty email body with a PDF attachment.

No wonder, I think. DCC will notice/flag spam 'already seen elsewhere'. AND that may be the only way to decide whether the PDF(s) are junk or real information. So spamtraps or honeypots may be the first choice.

The last 'try' of the spammers was to put the pictures into Word docs or PowerPoint docs, so I assume they just go through every format of 'embeddable attachment' for which a 'plugin or viewer' exists and which is automagically opened in mail browsers (which must be carelessly configured to show the picture, but which is the default).

So in the long run we need a generic way to MIME-strip the contents of attachments (like virus filters do it!) and recursively feed all parts of the mail into scanners for spam (either a text or a picture scanner). If there is a simple way to program signatures for virus checkers, it might be possible to catch specific pictures therewith. Alternatively you could forbid such attachments completely, but that has no chance in a university environment like I'm in.

We got two 'waves' of PDFs here. The first wave was stopped here by noticing that the spammers had programmed the spambots with a repeated pattern of filenames, but they noticed, and the second wave is only random nonsense plus the PDF. But no 'normal' user would ever open a PDF out of a mail of nonsense, so they reach only a small fraction, which might not be useful for pushing stocks. So I hope that 'fad' might die out soon, like the other waves of doubly-packed pictures in RTF, Word and PowerPoint did.

Stucki

--
Christoph von Stuckrad | nickname 'stucki' (if online on IRCnet) | <stucki@...>
Freie Universitaet Berlin, Mathematik & Informatik EDV
Takustr. 9 / 14195 Berlin
Tel (days): +49 30 838-75 459 | Tel (else): +49 30 77 39 6600 | Fax (all): +49 30 838-75 454

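The "recursively feed all parts of the mail into scanners" idea from the post above, as an added example that is not code from the thread or from SpamAssassin: walk every MIME leaf of a message, pull out PDF attachments, and apply a simple heuristic for the image-only PDFs described in this thread (image XObjects present, no BT/ET text blocks, body text empty). The sample message and the tiny PDF are constructed here; the heuristic is an assumption of this example and only sees text operators in content streams it can read (uncompressed or FlateDecode).

```python
"""Recursive MIME walk plus an image-only-PDF heuristic (constructed example)."""
import email
import re
import zlib
from email import policy
from email.message import EmailMessage

# Constructed sample PDF: one page that draws a single image XObject and
# contains no text-showing operators (BT ... ET), like the spam discussed.
_IMAGE_ONLY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
\xff
endstream
endobj
5 0 obj << /Length 30 >>
stream
q 595 0 0 842 0 0 cm /Im0 Do Q
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Same PDF but with a text-drawing content stream (constructed control case).
_TEXT_PDF = _IMAGE_ONLY_PDF.replace(b"q 595 0 0 842 0 0 cm /Im0 Do Q",
                                    b"BT /F1 12 Tf (Hello) Tj ET")


def build_sample_message(pdf_bytes: bytes, body_text: str = "") -> bytes:
    """Constructed multipart/mixed mail: (possibly empty) text body + PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "users@example.invalid"
    msg["Subject"] = "Spam PDF"
    msg.set_content(body_text)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


def walk_parts(msg):
    """Recursively yield every leaf part, descending into nested multipart/*."""
    if msg.is_multipart():
        for sub in msg.iter_parts():
            yield from walk_parts(sub)
    else:
        yield msg


def _content_streams(data: bytes) -> bytes:
    """Concatenate PDF stream bodies, inflating FlateDecode ones where possible."""
    out = []
    for raw in re.findall(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            out.append(raw)          # not compressed (or not inflatable): use as-is
    return b"\n".join(out)


def looks_like_image_only_pdf(data: bytes) -> bool:
    """Heuristic: has image XObjects and no BT...ET text block in any readable stream."""
    if not data.startswith(b"%PDF"):
        return False
    images = len(re.findall(rb"/Subtype\s*/Image\b", data))
    text_blocks = len(re.findall(rb"\bBT\b[\s\S]*?\bET\b", _content_streams(data)))
    return images > 0 and text_blocks == 0


def classify(raw: bytes) -> dict:
    """Flag mails whose text body is empty and whose PDF attachment is image-only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_text, pdf_hits = "", []
    for part in walk_parts(msg):
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            body_text += part.get_content()
        elif part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            payload = part.get_payload(decode=True) or b""
            pdf_hits.append((part.get_filename(), looks_like_image_only_pdf(payload)))
    empty_body = not body_text.strip()
    return {"empty_body": empty_body, "pdfs": pdf_hits,
            "suspicious": empty_body and any(hit for _, hit in pdf_hits)}
```

A real filter would hand the extracted attachment to a scanner (ClamAV signature, OCR) at the point where `looks_like_image_only_pdf` is called; the heuristic here only shows where that hook belongs.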
Re: Spam PDF

Wael Shahin wrote:
> On Wed, 2007-06-27 at 09:18 +0200, Robert Schetterer wrote:
> > Stéphane LEPREVOST wrote:
> > > Got one yesterday too here. Seems to be a new way for spammers ...
>
> I have two servers, one is running DCC and one is not. The one that is
> running DCC didn't pass the message, or maybe I am mistaken, but it didn't
> go through (maybe it didn't get there at all in the first place).
> On the other server that is not running DCC the email went through, and
> it was an empty email body with a PDF attachment.
>
> > Perhaps it would be easier to use ClamAV to filter
> > such mails out; I think I will ask there.
>
> Wael

We just caught one:

Content analysis details:   (5.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7404]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [201.32.227.251 listed in dnsbl.sorbs.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [201.32.227.251 listed in zen.spamhaus.org]

--
Steve

Re: Spam PDF

Hi!

> We just caught one:
>
> Content analysis details:   (5.0 points, 4.0 required)
> [...]

Jun 27 14:50:03 vmx80 MailScanner[4491]: Message l5RCnxP8019756 from 212.127.254.149 (idqct@...) to quicknet.nl is spam, SpamAssassin (not cached, score=24.191, required 5, BAYES_50 0.00, BODY_EMPTY 0.50, GMD_PDF_BAD_FUZZY 20.00, GMD_PDF_HORIZ 0.25, GMD_PDF_STOX 1.00, PROLO_NO_URI 0.01, RCVD_IN_WHOIS_BOGONS 2.43)

Dallas rocks!

Bye,
Raymond.

Re: Spam PDF

Raymond Dijkxhoorn wrote:
> Jun 27 14:50:03 vmx80 MailScanner[4491]: Message l5RCnxP8019756 from
> 212.127.254.149 (idqct@...) to quicknet.nl is spam,
> SpamAssassin (not cached, score=24.191, required 5, BAYES_50 0.00,
> BODY_EMPTY 0.50, GMD_PDF_BAD_FUZZY 20.00, GMD_PDF_HORIZ 0.25,
> GMD_PDF_STOX 1.00, PROLO_NO_URI 0.01, RCVD_IN_WHOIS_BOGONS 2.43)
>
> Dallas rocks!

The cat's out of the bag now! :)

More details on this will be made available later today, hopefully.

--
Dallas Engelken
dallase@...
http://uribl.com

Re: Spam PDF

Dallas Engelken wrote:
> The cat's out of the bag now! :)
>
> More details on this will be made available later today, hopefully.

I tested http://sanesecurity.com/clamav, works too.

--
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany

Re: Spam PDF

Raymond Myren wrote:
> Hello,
>
> Just today I started receiving spam mails with attached .pdf files
> with a spam image.
> Any ideas how to stop this spam type?
>
> \raymond

As I said several times on this mailing list now, I've never had any of these mails get through. Here is how the current ones score:

X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
    BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
    LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
    autolearn=no version=3.2.0
X-Spam-Report:
    *  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *      [score: 1.0000]
    *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
    *  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?85.138.88.254>]
    *  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    *      [85.138.88.254 listed in zen.spamhaus.org]
    *  3.0 BOTNET Relay might be a spambot or virusbot
    *      [botnet0.7,ip=85.138.88.254,nordns]
    *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
    *      signs some mails
    *  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
    *      [botnet_nordns,ip=85.138.88.254]
    *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
    *      Germany
    *  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions
    *      AG, Germany
    *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

arni

Re: Spam PDF

arni wrote:
> As I said several times on this mailing list now, I've never had any of
> these mails get through. Here is how the current ones score:
>
> X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
>     BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
>     LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
>     autolearn=no version=3.2.0
> [...]
>
> arni

You are in luck: you are a "late receiver" of that spam, so it was detected by others before (look at your headers), but it wasn't detected by, i.e., a plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.

--
With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany

Re: Spam PDF

Robert Schetterer wrote:
> You are in luck: you are a "late receiver" of that spam, so it was detected
> by others before (look at your headers), but it wasn't detected by, i.e., a
> plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.

I looked for the lowest-scoring email of the past 2 days (I don't save them longer); this is the one:

X-Spam-Status: Yes, score=10.7 required=5.0 tests=BAYES_99,DCC_CHECK,
    DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,LOGINHASH2,MIME_HTML_MOSTLY
    autolearn=no version=3.2.0
X-Spam-Report:
    *  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *      [score: 1.0000]
    *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
    *      signs some mails
    *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
    *      Germany
    *  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions
    *      AG, Germany
    *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

Note that a well-trained Bayes can already take these mails out on its own on my system. If you find your Bayes scores really accurately, then it's a good idea to increase the scores. For me, Bayes is fed from 2 spamtrap addresses with around 50 pieces of the finest spam every day. Doing this, Bayes scores BAYES_99 on 99.5% of my remaining spam; I hardly ever see it score below BAYES_80, and that's just great. So maybe training Bayes better or increasing the score will put an end to this for you.

arni

Re: Spam PDF

Robert Schetterer wrote:
> arni wrote:
> > As I said several times on this mailing list now, I've never had any of
> > these mails get through. Here is how the current ones score:
> > [...]
>
> You are in luck: you are a "late receiver" of that spam, so it was detected
> by others before (look at your headers), but it wasn't detected by, i.e., a
> plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.

We have been catching them here no problem.

---------
3.00 BAYES_99                Bayesian spam probability is 99 to 100%
3.82 HELO_DYNAMIC_IPADDR2    Relay HELO'd using suspicious hostname (IP addr 2)
2.19 HELO_DYNAMIC_SPLIT_IP   Relay HELO'd using suspicious hostname (Split IP)
0.29 RCVD_ILLEGAL_IP         Received: contains illegal IP address
1.50 RCVD_NUMERIC_HELO       Received: contains an IP address used for HELO
--------
3.00 BAYES_99                Bayesian spam probability is 99 to 100%
4.10 HELO_DYNAMIC_HCC        Relay HELO'd using suspicious hostname (HCC)
3.82 HELO_DYNAMIC_IPADDR2    Relay HELO'd using suspicious hostname (IP addr 2)

A few slipping through, though not many; no false positives reported so far. Bayes, relay and HELO checks seem to be getting them. I checked 10 or twelve from this morning.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

Re: Spam PDF

Robert Schetterer wrote:
> arni wrote:
> > As I said several times on this mailing list now, I've never had any of
> > these mails get through. Here is how the current ones score:
> > [...]
>
> You are in luck: you are a "late receiver" of that spam, so it was detected
> by others before (look at your headers), but it wasn't detected by, i.e., a
> plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.

His success didn't depend upon that luck. Even without the LOGINHASH* and DCC_CHECK, or even BAYES, he still had a high enough score to flag it as spam.

Re: Spam PDF

Where did those GMD rules come from?

Thanks.

Re: Spam PDF

Eagerly awaiting your latest treat! ;-)

Dallas Engelken wrote:
>
> The cat's out of the bag now! :)
>
> More details on this will be made available later today, hopefully.
>

Re: Spam PDF

Hi!

> > Jun 27 14:50:03 vmx80 MailScanner[4491]: Message l5RCnxP8019756 from
> > 212.127.254.149 (idqct@...) to quicknet.nl is spam,
> > SpamAssassin (not cached, score=24.191, required 5, BAYES_50 0.00,
> > BODY_EMPTY 0.50, GMD_PDF_BAD_FUZZY 20.00, GMD_PDF_HORIZ 0.25, GMD_PDF_STOX
> > 1.00, PROLO_NO_URI 0.01, RCVD_IN_WHOIS_BOGONS 2.43)
>
> Where did those GMD rules come from?

Will be announced later on.

Bye,
Raymond.

Re: Spam PDF

John Rudd wrote:
> Robert Schetterer wrote:
> > arni wrote:
> > > As I said several times on this mailing list now, I've never had any of
> > > these mails get through. Here is how the current ones score:
> > >
> > > X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
> > >     BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
> > >     LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
> > >     autolearn=no version=3.2.0
> > > [...]
> >
> > You are in luck: you are a "late receiver" of that spam, so it was detected
> > by others before (look at your headers), but it wasn't detected by, i.e., a
> > plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am looking for.
>
> His success didn't depend upon that luck. Even without the LOGINHASH*
> and DCC_CHECK, or even BAYES, he still had a high enough score to flag
> it as spam.

Actually it did: take away the spamtrap-fed blackholes (PBL and SPAMCOP) and the spamtrap-fed BAYES as well, and it scores a whopping 3.1 thanks to the BOTNET plugin (which is amazing, btw). That hit was all from late-receiver effect.

If one is running local spamtraps that feed sa-learn/spamc -R without delay, in combination with greylisting, one will get a good BAYES score off new zombies; however, doing so is also really risky, as there are a lot of mail sources (some very large and well-known names) that people actually want to receive that will start sending daily/weekly/monthly mails, without an opt-in confirmation feedback loop, as a result of joe-jobs and/or spam spiders looking for vulnerable forms/forums/blogs. That means maintaining a local whitelist for sources the traps shouldn't learn as spam, as the traps WILL eventually start to receive mail from sources normal people would consider ham sources, even though it technically is spam as far as the trap is concerned.

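The "late receiver" arithmetic argued over in John Rudd's and bgodette's replies above, as an added example that is not code from the thread or from SpamAssassin: parse arni's X-Spam-Report as posted, then recompute the score with the shared-intelligence tests removed. Which tests count as spamtrap-fed (blocklists, DCC/LOGINHASH checksums, Bayes) follows bgodette's grouping in the thread and is an assumption of this example.

```python
"""Recompute a SpamAssassin score without the tests that only fire for a late receiver."""
import re

# arni's X-Spam-Report from this thread, whitespace normalised; continuation
# lines ("*      [...]") carry no score and must be skipped by the parser.
ARNI_REPORT = """\
*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.0000]
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <http://www.spamcop.net/bl.shtml?85.138.88.254>]
*  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*      [85.138.88.254 listed in zen.spamhaus.org]
*  3.0 BOTNET Relay might be a spambot or virusbot
*      [botnet0.7,ip=85.138.88.254,nordns]
*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
*      signs some mails
*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
*      [botnet_nordns,ip=85.138.88.254]
*  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
*      Germany
*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions
*      AG, Germany
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
"""

# Grouping assumed from bgodette's reply: tests that hit only because someone
# else saw the mail first, versus what a first receiver's own checks can do.
BLOCKLIST_TESTS = {"RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_PBL"}
SHARED_CHECKSUM_TESTS = {"DCC_CHECK", "LOGINHASH1", "LOGINHASH2"}
BAYES_TESTS = {"BAYES_99"}

# "*  <score> <RULE_NAME> ..." ; continuation lines start with "*      [" or text.
_HIT_RE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")


def parse_report(report: str) -> dict:
    """Map rule name -> score from an X-Spam-Report body."""
    hits = {}
    for line in report.splitlines():
        m = _HIT_RE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def score_without(hits: dict, excluded: set) -> float:
    """Total score with the given rules removed (rounded like SA's report does)."""
    return round(sum(s for name, s in hits.items() if name not in excluded), 1)


def late_receiver_analysis(report: str, required: float = 5.0) -> dict:
    """Full score, John Rudd's cut (no checksums, no Bayes) and bgodette's cut
    (additionally no blocklists), each compared with the configured threshold.
    The full sum may differ from the X-Spam-Status total by 0.1 because the
    report prints per-rule scores rounded to one decimal."""
    hits = parse_report(report)
    without_shared = score_without(hits, SHARED_CHECKSUM_TESTS | BAYES_TESTS)
    local_only = score_without(hits, SHARED_CHECKSUM_TESTS | BAYES_TESTS | BLOCKLIST_TESTS)
    return {
        "full": score_without(hits, set()),
        "without_shared_and_bayes": without_shared,
        "still_spam_without_shared_and_bayes": without_shared >= required,
        "local_only": local_only,
        "still_spam_local_only": local_only >= required,
    }
```

On arni's report this reproduces both claims at once: dropping LOGINHASH*, DCC_CHECK and BAYES_99 still leaves the mail over the 5.0 threshold, while also dropping the two blocklists leaves only RDNS_NONE and BOTNET, the 3.1 bgodette quotes.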
Re: Spam PDF

bgodette@... wrote:
> Actually it did: take away the spamtrap-fed blackholes (PBL and SPAMCOP)
> and the spamtrap-fed BAYES as well, and it scores a whopping 3.1 thanks
> to the BOTNET plugin (which is amazing, btw). That hit was all from
> late-receiver effect.

That sounds a bit like "if we stopped trying to detect spam, we'd fail to catch it".
