VL scoring 0.1 Phish Spam

http://pastebin.com/m53a550ce

Somewhat unfortunately seen coming out of The Dana-Farber Cancer Institute.

Looking at it objectively there is little for a filter to go on other than the words:

username password followed by a webmail type email address

in the body.
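
The heuristic named in the post above (the words username and password followed by a webmail-type address in the body), as an added example; it is not part of the original thread or of any SpamAssassin or ClamAV rule set. The domain list, the function names and the sample bodies are constructed assumptions.

```python
import re

# Assumption: illustrative webmail domains; "freemail.example" is a placeholder
# used by the constructed samples below. Input is the decoded text body.
WEBMAIL_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com", "freemail.example")

USERNAME = re.compile(r"\buser\s*(?:name|id)\b", re.I)
PASSWORD = re.compile(r"\bpass\s*word\b", re.I)
ADDRESS = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def is_webmail(domain):
    """True if the domain is, or is a subdomain of, a listed webmail domain."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in WEBMAIL_DOMAINS)


def credential_phish_hits(body, window=400):
    """Return webmail addresses preceded, within `window` characters,
    by both a username-type word and the word password."""
    hits = []
    for m in ADDRESS.finditer(body):
        if not is_webmail(m.group(1)):
            continue  # corporate or other non-webmail address: ignore
        before = body[max(0, m.start() - window):m.start()]
        if USERNAME.search(before) and PASSWORD.search(before):
            hits.append(m.group(0))
    return hits


# Constructed samples (not the pastebin message from the thread).
PHISH = ("Your mailbox has exceeded its quota. To keep it active reply with:\n"
         "Username: ........\nPassword: ........\n"
         "Send to: helpdesk.upgrade@freemail.example\n")
HAM_CORPORATE = ("The username and password for the staging box are in the vault.\n"
                 "Regards, alice@corp.example\n")
HAM_ORDER = ("Reach me at bob@freemail.example if the username or password "
             "stops working.\n")

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("corporate", HAM_CORPORATE),
                       ("order", HAM_ORDER)):
        print(name, credential_phish_hits(body))
```

The order and distance checks keep an ordinary message that mentions credentials next to a corporate address, or a webmail address ahead of the words, from matching.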

Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 07:46 +0000, richard@... wrote:
> http://pastebin.com/m53a550ce
>
> Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> Institute.
>
> Looking at it objectively there is little for a filter to go on other
> than the words:
>
> username password followed by a webmail type email address
>
> in the body.
>
>
Short Circuit rule hit here due to ClamAv plug-in firing:

-0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
[155.52.251.101 listed in
hostkarma.junkemailfilter.com]
20 CLAMAV Clam AntiVirus detected a virus

X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)

--
KeyID 0xE372A7DA98E6705C

Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> On Sat, 2009-10-31 at 07:46 +0000, richard@... wrote:
> > http://pastebin.com/m53a550ce
> >
> > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > Institute.
> >
> > Looking at it objectively there is little for a filter to go on other
> > than the words:
> >
> > username password followed by a webmail type email address
> >
> > in the body.
> >
> >
> Short Circuit rule hit here due to ClamAv plug-in firing:
>
> -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> [155.52.251.101 listed in
> hostkarma.junkemailfilter.com]
> 20 CLAMAV Clam AntiVirus detected a virus
>
> X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
>
My clamav is on a milter ahead of SA, my thinking being I don't bother
scanning anything that has a virus - drop it with an SMTP 5xx. I had no
virus/attachment with this mail, hence why it scanned and scored low.
I'm not sure if this is the spammer dropping a cog and not attaching
anything.

Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 12:53 +0000, richard@... wrote:
> On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> > On Sat, 2009-10-31 at 07:46 +0000, richard@... wrote:
> > > http://pastebin.com/m53a550ce
> > >
> > > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > > Institute.
> > >
> > > Looking at it objectively there is little for a filter to go on other
> > > than the words:
> > >
> > > username password followed by a webmail type email address
> > >
> > > in the body.
> > >
> > >
> > Short Circuit rule hit here due to ClamAv plug-in firing:
> >
> > -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> > [155.52.251.101 listed in
> > hostkarma.junkemailfilter.com]
> > 20 CLAMAV Clam AntiVirus detected a virus
> >
> > X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
> >
> My clamav is on a milter ahead of SA, my thinking being I don't bother
> scanning anything that has a virus - drop it with an SMTP 5xx. I had no
> virus/attachment with this mail, hence why it scanned and scored low.
> I'm not sure if this is the spammer dropping a cog and not attaching
> anything.
>
Are you running the 'unofficial' sigs with clamav or just the official
ones? As above, my clamav setup tagged this as a 'spear phishing'
attempt with the unofficial sigs.

--
KeyID 0xE372A7DA98E6705C

Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 08:05 -0500, Chris wrote:
> On Sat, 2009-10-31 at 12:53 +0000, richard@... wrote:
> > On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> > > On Sat, 2009-10-31 at 07:46 +0000, richard@... wrote:
> > > > http://pastebin.com/m53a550ce
> > > >
> > > > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > > > Institute.
> > > >
> > > > Looking at it objectively there is little for a filter to go on other
> > > > than the words:
> > > >
> > > > username password followed by a webmail type email address
> > > >
> > > > in the body.
> > > >
> > > >
> > > Short Circuit rule hit here due to ClamAv plug-in firing:
> > >
> > > -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> > > [155.52.251.101 listed in
> > > hostkarma.junkemailfilter.com]
> > > 20 CLAMAV Clam AntiVirus detected a virus
> > >
> > > X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
> > >
> > My clamav is on a milter ahead of SA, my thinking being I don't bother
> > scanning anything that has a virus - drop it with an SMTP 5xx. I had no
> > virus/attachment with this mail, hence why it scanned and scored low.
> > I'm not sure if this is the spammer dropping a cog and not attaching
> > anything.
> >
> Are you running the 'unofficial' sigs with clamav or just the official
> ones? As above, my clamav setup tagged this as a 'spear phishing'
> attempt with the unofficial sigs.
>