Community Forums
Page 4 of 4 (results 46 to 54 of 54)
  1. #46
    Un Area (Member; joined Nov 2006; 53 posts)

    Solokron, you should put in the last rule, which keeps local senders from being refused. All mail coming to the server from a host machine with a private address is spam.

    Please post the log of what is being refused. Thanks.
    Un Area Webhosting® : Your space on the net
    http://www.unarea.com

  2. #47
    serversphere (Member; joined Jan 2004; 658 posts)

    Interesting post on the SA mailing list today - some folks are saying they are seeing the text phrase "$6c822ecf@" in the message-id of a lot of the spam they are getting. I did a quick SQL search through my bayes db and see none, but it might be worth a check. I might stick in an ACL on our boxes that denies messages with this phrase if I hear of people finding it here...
    Last edited by serversphere; 12-01-2006 at 01:01 PM. Reason: clarifying something
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle

  3. #48
    AndyReed (cPanel Partner NOC; joined May 2004; Minneapolis, MN; 2,223 posts)

    Quote Originally Posted by webtiva:
    Anyone else getting hammered with "EQSE" stock spam?
    MailScanner is a great application, yet you can achieve the same results of killing 99% of SPAM without it. You need a good set of SA rules from http://www.rulesemporium.com/rules.htm, SA supporting modules/extensions, and a well-written procedure in /etc/antivirus.exim. Now, to kill the SPAM whose keywords include EQSE or "hi it's", copy and paste the following syntax into your /etc/antivirus.exim:

    Code:
    #
    # ServerTune Exim filter to delete SPAM that contains any of the following keywords
    #
    # Note: "contains" in an Exim filter is case-insensitive, and the condition list
    # must not end with a dangling "or" before "then" (Exim rejects the filter otherwise).
    if    $header_subject: contains "wrote" or
          $header_subject: contains "The Ultimate Online Pharmaceutical" or
          $header_subject: contains "hi it's" or
          $header_subject: contains "hi It's" or
          $header_subject: contains "EQSE" or
          $message_body contains "Maya 7" or
          $message_body contains "Hoodia"
    then
      seen finish
    endif
    When done, save the file, restart exim and spamd. Wait a few minutes and then run this command to see if it's working:
    grep "discarded (system filter)" /var/log/exim_mainlog
    You can also run this command and watch the system discard SPAM with the keywords mentioned above:
    tail -f /var/log/exim_mainlog

    By the way, the vast majority of SPAM with "wrote:" in the subject line can be purged using the SARE_STOCKS ruleset for SpamAssassin at: http://www.rulesemporium.com/rules.htm#stocks

    Enjoy
    Last edited by AndyReed; 12-01-2006 at 01:32 PM.
    Andy Reed
    RHCE and CCNA
    ServerTune.com
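    serversphere's Message-ID marker (post #47) and Andy's grep of exim_mainlog (post #48) are both log checks, so here is an added Python example, not from the thread or from any of the posters, that parses a few constructed exim_mainlog-style lines, joins each arrival line with the later "=> discarded (system filter)" line for the same queue id, and reports what the filter threw away. It flags discards from authenticated (esmtpa) senders, which on a hosting box are usually your own customers and therefore exactly the false positives serversphere worries about, and it lists arrivals whose Message-ID carries the marker quoted in post #47. The log lines are constructed for the example, and the T="..." subject field assumes log_selector includes +subject.

```python
import re
from collections import Counter

# Constructed exim_mainlog-style lines for the example (not taken from the thread).
# The T="..." subject field only appears when log_selector includes +subject.
SAMPLE_LOG = """\
2006-12-01 13:40:02 1GqTqM-0004Hc-3k <= spammer@example.net H=(example.net) [203.0.113.5] P=esmtp S=2345 id=001c01c714f7$6c822ecf@example.net T="EQSE takes off" for user@example.com
2006-12-01 13:40:02 1GqTqM-0004Hc-3k => discarded (system filter)
2006-12-01 13:40:02 1GqTqM-0004Hc-3k Completed
2006-12-01 13:41:10 1GqTrS-0004Hq-7a <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1800 id=abc123@example.org T="Re: meeting" for bob@example.com
2006-12-01 13:41:10 1GqTrS-0004Hq-7a => bob <bob@example.com> R=localuser T=local_delivery
2006-12-01 13:41:10 1GqTrS-0004Hq-7a Completed
2006-12-01 13:42:00 1GqTsC-0004Hz-9b <= carol@example.org H=mail.example.org [198.51.100.7] P=esmtpa S=900 id=def456@example.org T="hi it's carol, photos attached" for bob@example.com
2006-12-01 13:42:00 1GqTsC-0004Hz-9b => discarded (system filter)
2006-12-01 13:42:00 1GqTsC-0004Hz-9b Completed
"""

# Arrival line: timestamp, queue id, "<=" sender, ... [ip] P=protocol ... id=msgid [T="subject"]
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\]'
    r' P=(?P<proto>\S+) .*?id=(?P<msgid>\S+)(?: T="(?P<subject>[^"]*)")?'
)
# Line Exim writes when the system filter ends with "seen finish" (the string Andy greps for)
DISCARD_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<qid>\S+) => discarded \(system filter\)')


def parse_log(log_text):
    """Join each '<=' arrival line with any later system-filter discard for the same queue id."""
    records = {}
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['discarded'] = False
            records[rec['qid']] = rec
            continue
        m = DISCARD_RE.match(line)
        if m and m.group('qid') in records:
            records[m.group('qid')]['discarded'] = True
    return list(records.values())


def discard_report(records, marker='$6c822ecf@'):
    """Summarise what the filter discarded and flag what deserves a second look:
    discards from authenticated senders (usually your own customers) and any
    arrival whose Message-ID carries the marker string."""
    discarded = [r for r in records if r['discarded']]
    return {
        'discarded': len(discarded),
        'by_protocol': dict(Counter(r['proto'] for r in discarded)),
        'authenticated_discards': [r['sender'] for r in discarded if r['proto'] == 'esmtpa'],
        'marker_hits': [r['qid'] for r in records if marker in (r['msgid'] or '')],
    }


if __name__ == '__main__':
    for key, value in discard_report(parse_log(SAMPLE_LOG)).items():
        print(f'{key}: {value}')
```

    Run it against a real log with parse_log(open('/var/log/exim_mainlog').read()); anything in authenticated_discards is a customer whose mail a keyword rule ate, which is the kind of hit to review before tightening the filter further.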

  4. #49
    serversphere (Member; joined Jan 2004; 658 posts)

    Quote Originally Posted by AndyReed:
    MailScanner is a great application, yet you can achieve the same results of killing 99% of SPAM without it.
    No, Andy, I cannot. As I have said before, I like the flexibility MailScanner offers both myself and my hosting customers. I actually choose to run MS, believe it or not. The easy way is to create a quick rule that blocks all email with the words "hi its" in it. For me, I would rather let them all through than see one customer lose one email to a false positive hit.

    Which was my point in posting my success. Despite the fact that I don't simply create a quick rule, those emails are still being blocked, because we train databases and use SARE rules, DCC, Razor and RBLs, all combined with MailScanner. Throw a little bit of work at the problem and it pays off in spades.

    Case in point: I subscribe to the SARE Users mailing list. There is a thread of mail now entitled Re: [Sare-users] "hi it's" advice. My system let them all through, while still blocking all the spam ones. Well, in the interest of being honest, it let through 7 of 3,462 "Hi it's" SPAM emails yesterday on the same box. Your filter in Exim would have blocked them all...

    Appreciate your advice, hope it helps someone else. For me, I feel I am on the right path.
    Last edited by serversphere; 12-01-2006 at 02:26 PM. Reason: typo!

  5. #50
    rhenderson (Member; joined Apr 2005; Oklahoma; 742 posts)

    Quote Originally Posted by jamesbond:
    I installed it yesterday and it seems to be useful. Together with the SARE stock rules most of the stock spam is being filtered.

    One question though, where do you guys install the spamassassin plugins? I added the ImageInfo.pm to /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/ since that's where I found other plugins.

    Upgrading perl would obviously mean I would have to reinstall the plugin. Doesn't it make more sense to create a directory /etc/mail/spamassassin/plugins and change the spamassassin plugin path?

    You can put it wherever you want and assign the path to it in your init.pre; look at the top of ImageInfo.pm for the instructions.
    Regards,
    Randy
    Affordable Web Hosting
    _________________________

  6. #51
    bsasninja (Member; joined Sep 2004; 523 posts)

    I have this in antivirus.exim; adding .gif to the rule will block emails with .gif attachments. OK, does someone know whether it affects embedded gif images?
    I hope SpamAssassin launches a new version with the image processing patch included in it.

    Bye


    # Look for .pif, .scr or .exe in files and REMOVE them!
    # (checks the top-level Content-Type header; quoted filename)
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
    then
      seen finish
    endif

    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
    then
      seen finish
    endif

    # Look for .pif, .scr or .exe in files and REMOVE them!
    # (checks MIME part headers inside $message_body, so multipart attachments are caught)
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
    then
      seen finish
    endif

    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
    then
      seen finish
    endif
    Last edited by bsasninja; 01-18-2007 at 12:56 PM.

  7. #52
    wzd (Member; joined Dec 2005; South Africa; 115 posts)

    There's been an upsurge in the past few months of zombie spam in which no two emails are alike, with embedded images and completely random content.

    It's usually stock advice or, once again, sexual supplement email coming from smartrx.org
    ----

    I'm stuck with just SpamAssassin and antivirus.exim to protect myself against the spammers. I feel like I'm naked.

    ConfigServer's MailScanner sounds good but I can't use it because I'm running FreeBSD.

    Anyone had any luck using FuzzyOCR to stop this image-based spam?
    You will learn to earn death...
    Flamewave

  8. #53
    Un Area (Member; joined Nov 2006; 53 posts)

    I will post a "home made" rule later that reduces image spam by at least 50% (it works in antivirus.exim). You know, 50% of the image spam is attached as a gif file and the other 50% is embedded into the message.

    The rule may be kinda rude because it deletes all email received by the server that includes .gif attachments. So if a legitimate user is sending, for example, a gif banner or something to one of the customers on the server as an attachment, it'll be deleted. (Or you can make a whitelist to keep mail from some addresses from being deleted.)

    The only thing you can do (to avoid complaints) is to tell your customers about the image spam situation nowadays and have them compress the gif files with zip or rar. (You can do this meanwhile, until a good solution to this is found.)

    The rule doesn't affect users on the server sending out gif files. These can be sent without any problem.

    The rule is applied to esmtpb, not to esmtpa (the authenticated one).

    With this you will only receive the image spam with embedded gifs. Gif file attachments will be deleted and logged to a file for further research.

    I also have another rule that filters by content-type; for example, Korean ISO, 7-bit, etc. will be blocked if you want.

    Sometime in the near future spammers will change their methods and use jpg instead of gif, and so on with other extensions. We have to wait for SpamAssassin's next release (I suppose 3.1.8) to see if it has some solution to this.
    This is a war that never ends.

    Regards
    Last edited by Un Area; 01-24-2007 at 03:08 PM.
    Un Area Webhosting® : Your space on the net
    http://www.unarea.com
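    The attachment rules posted earlier in this thread (post #51) and the gif-attachment rule described above (attached gifs caught, embedded gifs not, authenticated senders and a whitelist exempt) are easier to reason about when run against real MIME structure, so here is an added Python example, written for this page and not taken from the thread or from cPanel's antivirus.exim. It transcribes the four antivirus.exim patterns into Python's re with .gif added, approximates what the Exim filter actually sees ($header_content-type: is the top-level header only; $message_body is the first message_body_visible bytes of the body, 500 by default, with newlines turned into spaces), and applies the rules to two constructed messages: one with a gif as a real attachment and one with the same gif embedded via Content-ID. The messages, sender addresses, whitelist and the esmtpa exemption are the example's own assumptions about how such a rule would be wired up.

```python
import re

# Extensions blocked by the cPanel-style rules in the thread, with .gif added
# as the post above describes.
BLOCKED_EXT = r'(?:ad[ep]|exe|pif|scr|gif)'

# The four antivirus.exim patterns rewritten for Python's re: Exim's doubled
# escapes collapse to single backslashes and the atomic groups (?>\s*) become
# plain \s*, which does not change what these inputs match. Exim's lowercase
# "matches" is case-insensitive, hence re.I.
HEADER_QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + BLOCKED_EXT + r'")', re.I)
HEADER_UNQUOTED = re.compile(r'(?:file)?name=(\S+\.' + BLOCKED_EXT + r')', re.I)
_BODY_PREFIX = (r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);'
                r'\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)')
BODY_QUOTED = re.compile(_BODY_PREFIX + r'("[^"]+\.' + BLOCKED_EXT + r'")[\s;]', re.I)
BODY_UNQUOTED = re.compile(_BODY_PREFIX + r'(\S+\.' + BLOCKED_EXT + r')[\s;]', re.I)


def gif_attachment_message(filler=''):
    """Constructed multipart/mixed message with chart.gif as a real attachment;
    'filler' pads the text part so the attachment can be pushed past 500 bytes."""
    return (
        'From: spammer@example.net\nTo: bob@example.com\nSubject: EQSE takes off\n'
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\n' + filler + 'see attached\n'
        '--b1\nContent-Type: image/gif; name="chart.gif"\n'
        'Content-Disposition: attachment; filename="chart.gif"\n'
        'Content-Transfer-Encoding: base64\n\nR0lGODlh\n--b1--\n'
    )


# Constructed multipart/related message: the same gif embedded via Content-ID,
# the "other 50%" the post says the attachment rule cannot catch.
EMBEDDED_GIF_MESSAGE = (
    'From: spammer@example.net\nTo: bob@example.com\nSubject: EQSE takes off\n'
    'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="b2"\n\n'
    '--b2\nContent-Type: text/html\n\n<img src="cid:pic1">\n'
    '--b2\nContent-Type: image/gif\nContent-ID: <pic1>\nContent-Disposition: inline\n'
    'Content-Transfer-Encoding: base64\n\nR0lGODlh\n--b2--\n'
)


def exim_view(raw, body_visible=500):
    """Approximate what the filter sees: $header_content-type: (top-level header only)
    and $message_body, which Exim limits to message_body_visible bytes (default 500)
    with newlines turned into spaces. Folded header lines are not handled here."""
    head, _, body = raw.partition('\n\n')
    content_type = ''
    for line in head.split('\n'):
        if line.lower().startswith('content-type:'):
            content_type = line.split(':', 1)[1].strip()
    return content_type, body[:body_visible].replace('\n', ' ')


def filter_decision(raw, protocol, sender, whitelist=(), body_visible=500):
    """'discard' or 'deliver', following the post: authenticated (esmtpa) senders and
    whitelisted addresses are exempt, everything else is tested against the rules."""
    if protocol == 'esmtpa' or sender.lower() in {w.lower() for w in whitelist}:
        return 'deliver'
    content_type, body = exim_view(raw, body_visible)
    if HEADER_QUOTED.search(content_type) or HEADER_UNQUOTED.search(content_type):
        return 'discard'
    if BODY_QUOTED.search(body) or BODY_UNQUOTED.search(body):
        return 'discard'
    return 'deliver'


if __name__ == '__main__':
    cases = (('attached gif', gif_attachment_message()),
             ('embedded gif', EMBEDDED_GIF_MESSAGE),
             ('attached gif after 600 bytes of text', gif_attachment_message('x' * 600)))
    for label, msg in cases:
        print(label, '->', filter_decision(msg, 'esmtp', 'spammer@example.net'))
```

    Two things the run makes visible. The header rules never fire on a multipart message, because the top-level Content-Type carries only the boundary, so it is the body rules that do the work against attachments. And because $message_body is cut off at message_body_visible bytes, a spam whose gif part sits behind a few hundred bytes of text slips past the body rules entirely; the last case shows that, and the fix is to raise message_body_visible in exim.conf rather than to add more patterns.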

  9. #54
    Solokron (Member; joined Aug 2003; 783 posts)

    How are clients supposed to send cyber pics with a rule like that?!

    In all seriousness, viewing the threads, an individual has already posted such a rule. I am not so sure I agree with it, as it takes away a lot of functionality that many clients expect.

    Quote Originally Posted by Un Area:
    I will post a "home made" rule later that reduces image spam by at least 50% (it works in antivirus.exim). You know, 50% of the image spam is attached as a gif file and the other 50% is embedded into the message.

    The rule may be kinda rude because it deletes all email received by the server that includes .gif attachments. So if a legitimate user is sending, for example, a gif banner or something to one of the customers on the server as an attachment, it'll be deleted. (Or you can make a whitelist to keep mail from some addresses from being deleted.)

    The only thing you can do (to avoid complaints) is to tell your customers about the image spam situation nowadays and have them compress the gif files with zip or rar. (You can do this meanwhile, until a good solution to this is found.)

    The rule doesn't affect users on the server sending out gif files. These can be sent without any problem.

    The rule is applied to esmtpb, not to esmtpa (the authenticated one).

    With this you will only receive the image spam with embedded gifs. Gif file attachments will be deleted and logged to a file for further research.

    I also have another rule that filters by content-type; for example, Korean ISO, 7-bit, etc. will be blocked if you want.

    Sometime in the near future spammers will change their methods and use jpg instead of gif, and so on with other extensions. We have to wait for SpamAssassin's next release (I suppose 3.1.8) to see if it has some solution to this.
    This is a war that never ends.

    Regards
