SpamAssassin suddenly not effective for one kind of image-only spam.

jols

We are up to SpamAssassin 3.1.4 on all our cPanel servers; however, as of the past week we are getting a ton of image-only spam. The spam contains a single gif file with a few random words at the bottom. This content involves stock buying scams of one kind or another.

Does anyone know the correct way to run sa-update to make sure that all of the local rules are updated?

By the way, after struggling a bit I managed to get a new rules_du_jour called SARE_STOCKS added, but this does not seem to help.

Any other ideas about how to combat this particular problem?

Thanks very much for any input.
 

Epademic

I have been suffering from the exact same type of spam. They all consist of one image usually about a stock tip, followed by some random text.
 

jols

I am starting to run up the scoring in Spam Assassin and we are catching more of this kind of junk as a result, but this is more of a band-aid than anything else.

Here is an example of what I have done:

added the following to /etc/mail/spamassassin/local.cf

score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052
score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 3.668
score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 4.767
score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 4.688
score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 4.100
score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 4.403

And will probably soon do the same with the DATE_IN_PAST scores.

Problem is, there are many who like to put their nice little sig graphics in the email they send who will likely get caught up in some of this.

I am starting to wonder if there are some better RBLs we can use in conjunction with this.

Oh and by the way, I also discovered that the BAYES stuff was actually taking spam scores away! So I also added this until I have a handle on this one:

score BAYES_00 0.0001 0.0001 0.001 0.001
score BAYES_05 0.0001 0.0001 0.001 0.001
score BAYES_20 0.0001 0.0001 0.001 0.001
score BAYES_40 0.0001 0.0001 0.001 0.001
score BAYES_50 0.0001 0.0001 0.001 0.001
score BAYES_60 0.0001 0.0001 1.0 1.0
score BAYES_80 0.0001 0.0001 2.0 2.0
score BAYES_95 0.0001 0.0001 3.0 3.0
score BAYES_99 0.0001 0.0001 3.5 3.5

(i.e. I took out the negative numbers on BAYES 00 through 50)
 

positive

Spam Assassin has not been working effectively for the last few days.
It looks like how it calculates the points has changed, and it is not effective.

what can we do ?
 

jols

By manually raising the scores as stated above, we have seen a good 70% or more of this kind of junk email now receive a score of over 5, but we are keeping a lookout for legitimate email scored over 5 as well; so far there have been none.

I also have plans to do the following:

Consider boosting (even further) DATE_IN_PAST
Boost HELO_DYNAMIC_SPLIT_IP
Boost FROM_LOCAL_NOVOWEL
Boost HELO_DYNAMIC_IPADDR
Boost DATE_IN_FUTURE_03_06
Boost SARE_GIF_ATTACH


("boost" meaning to raise the score.)
 

SageBrian

I found it amazing that the Bayes scores had negative numbers.
It was screwing up a lot of things, since those stupid nonsense bayes-poison text emails would seem to create more and more acceptable negative numbers.

I had noticed that most 'good' mail would score very low on bayes (00 to 20). After that, it appeared that if it hit the Bayes_40 mark, it was 'likely' to be spam.

So, I took a ballsy move and went:

score BAYES_00 0
score BAYES_05 0.925
score BAYES_20 1.730
score BAYES_40 2.276
score BAYES_50 2.967
score BAYES_60 3.515
score BAYES_80 3.608
score BAYES_95 3.514
score BAYES_99 4.070

I haven't heard any complaints yet (many months), and I check for false positives frequently.


Your mileage may vary.
 

jols

SageBrian said:
I found it amazing that the Bayes scores had negative numbers.
It was screwing up a lot of things, since those stupid nonsense bayes-poison text emails would seem to create more and more acceptable negative numbers.

I had noticed that most 'good' mail would score very low on bayes (00 to 20). After that, it appeared that if it hit the Bayes_40 mark, it was 'likely' to be spam.

So, I took a ballsy move and went:

score BAYES_00 0
score BAYES_05 0.925
score BAYES_20 1.730
score BAYES_40 2.276
score BAYES_50 2.967
score BAYES_60 3.515
score BAYES_80 3.608
score BAYES_95 3.514
score BAYES_99 4.070

I haven't heard any complaints yet (many months), and I check for false positives frequently.


Your mileage may vary.
Good idea, we may incorporate this, although with slightly lower scores on the lower end.

Here's what we have settled on for the score renovations that seem to be catching nearly all of the recent image-only (or near image-only) spam:

The following was inserted in both:

/home/.cpan/build/Mail-SpamAssassin-3.1.4/rules/local.cf

and

/etc/mail/spamassassin/local.cf

I'm still trying to figure out why we need to insert the mods in both of the above.
I'm also still trying to figure out what the other three numbers leading up to the fourth in each line (below) are all about. SpamAssassin only seems to use the number on the end. Anyone know exactly how this works?


score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052
score BAYES_00 0.0001 0.0001 0.001 0.001
score BAYES_05 0.0001 0.0001 0.001 0.001
score BAYES_20 0.0001 0.0001 0.001 0.001
score BAYES_40 0.0001 0.0001 0.001 0.001
score BAYES_50 0.0001 0.0001 0.001 0.001
score BAYES_60 0.0001 0.0001 1.0 1.0
score BAYES_80 0.0001 0.0001 2.0 2.0
score BAYES_95 0.0001 0.0001 3.0 3.0
score BAYES_99 0.0001 0.0001 3.5 3.5
score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 4.961
score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 4.668
score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 5.767
score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 5.688
score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 5.100
score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 5.403
score DATE_IN_PAST_03_06 0.736 0 1.122 1.478
score DATE_IN_PAST_06_12 0.846 0.746 0.926 1.827
score DATE_IN_PAST_12_24 0.960 0.881 1.036 2.247
score DATE_IN_PAST_24_48 0.801 0.805 0.976 1.880
score DATE_IN_PAST_48_96 0.383 0.501 0.400 1.379
score DATE_IN_PAST_96_XX 1.752 1.572 2.101 3.020
score HELO_DYNAMIC_SPLIT_IP 2.880 2.880 3.330 3.191
score FROM_LOCAL_NOVOWEL 2.480 2.331 2.867 3.861
score HELO_DYNAMIC_IPADDR 3.360 3.360 3.885 5.200
 

SageBrian

Other numbers (4 columns)

Check the SpamAssassin site. They explain it there. From my very weak memory, it had to do with how the mail was scanned, if certain flags were hit, or something like that. Don't recall, been so long since I looked or cared.

I just use the one column on the few settings that I alter for my custom scores.
 

jols

SageBrian said:
Other numbers (4 columns)

Check the SpamAssassin site. They explain it there. From my very weak memory, it had to do with how the mail was scanned, if certain flags were hit, or something like that. Don't recall, been so long since I looked or cared.

I just use the one column on the few settings that I alter for my custom scores.
Okay, thanks.

So I take it that I can delete the other three columns, and use settings like this instead?

score BAYES_00 0
score BAYES_05 0.925
score BAYES_20 1.730
score BAYES_40 2.276
score BAYES_50 2.967
score BAYES_60 3.515
score BAYES_80 3.608
score BAYES_95 3.514
score BAYES_99 4.070
 

spiff06

Folks:

I have the MailScanner package. A bunch of SpamAssassin rules are updated via RulesDuJour. How do I know if the stock ruleset (http://www.rulesemporium.com/rules/70_sare_stocks.cf) is being updated, and if not, how do I add it?

Thanks!

EDIT: never mind, found it at the bottom of the SARE page: "add "SARE_STOCKS" to TRUSTED_RULESETS"

EDIT 2: still a bit confused; do I add it to rules_du_jour or my_rules_du_jour?
 

spiff06

Hello again. Please answer this one if you can.

I've just inserted the above BAYES parameters in mailscanner.cf. When I run spamassassin --lint -c /usr/mailscanner/etc/spam.assassin.prefs.conf, I get:

[20561] warn: config: warning: score set for non-existent rule BAYES_99
[20561] warn: config: warning: score set for non-existent rule BAYES_50
[20561] warn: config: warning: score set for non-existent rule BAYES_60
[20561] warn: config: warning: score set for non-existent rule BAYES_95
[20561] warn: config: warning: score set for non-existent rule BAYES_40
[20561] warn: config: warning: score set for non-existent rule BAYES_80
[20561] warn: config: warning: score set for non-existent rule BAYES_20
[20561] warn: config: warning: score set for non-existent rule DNS_FROM_AHBL_RHSBL
[20561] warn: config: warning: score set for non-existent rule BAYES_05
[20561] warn: config: warning: score set for non-existent rule BAYES_00
[20561] warn: lint: 10 issues detected, please rerun with debug enabled for more information

Also, I've noticed that the antidrug.cf was over two years old; seems it's never been updated. I've modified the config line in rules_du_jour to read: CF_URLS[7]="http://www.rulesemporium.com/rules/antidrug.cf". Will this keep it updated?

Thanks for your answers.
 

spiff06

Well, I'm still at it...

I've set this up in my local.cf:

score BAYES_00 0
score BAYES_05 0.625
score BAYES_20 1.330
score BAYES_40 2.276
score BAYES_50 2.967
score BAYES_60 3.515
score BAYES_80 3.608
score BAYES_95 3.514
score BAYES_99 4.070

score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052

score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 3.668
score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 4.767
score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 4.688
score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 4.100
score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 4.403

score DATE_IN_PAST_03_06 2.061 2.007 2.275 3.961
score DATE_IN_PAST_06_12 1.680 1.498 1.883 3.668
score DATE_IN_PAST_12_24 2.320 2.316 2.775 4.767
score DATE_IN_PAST_24_48 2.080 2.080 2.498 4.688
score DATE_IN_PAST_48_96 1.680 1.680 1.942 4.100
score DATE_IN_PAST_96_XX 1.920 1.888 2.276 4.403

Works mostly, but some of them still go through (as you can see, Bayesian filters don't help):
cached not
score=2.139
5 required
0.00 HTML_MESSAGE HTML included in message
0.12 HTML_TEXT_AFTER_BODY HTML contains text after BODY close tag
1.27 INFO_TLD Contains an URL in the INFO top-level domain
0.75 SARE_GIF_ATTACH

cached not
score=4.712
5 required
3.96 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
0.00 HTML_MESSAGE HTML included in message
0.75 SARE_GIF_ATTACH
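The four-column question raised earlier in the thread and the two score reports just above are two views of the same mechanism, so here is one added example (my own Python, not code from this thread or from SpamAssassin) that shows it end to end. SpamAssassin documents the four values on a `score` line as one score per "score set": set 0 is used with neither Bayes nor network tests enabled, set 1 with network tests only, set 2 with Bayes only, and set 3 with both, which is why on a full install only the last number appears to matter; a single value applies to all four sets. The script parses `score` lines in both forms, picks the column for a given Bayes/network configuration, and totals the rules that hit against the 5-point threshold. The local.cf fragment, the single-column values for SARE_GIF_ATTACH, INFO_TLD, HTML_TEXT_AFTER_BODY and HTML_MESSAGE, and the two hit lists are constructed for the example, modelled on the reports above.

```python
"""Added example: resolve SpamAssassin `score` lines (one or four columns)
and total the rules that hit, the way SpamAssassin selects a score set."""
import re

# Constructed sample of local.cf lines: overrides quoted in this thread plus
# a few stock rule names from the score reports above (those values assumed).
SAMPLE_LOCAL_CF = """
# one value: the same score is used in all four score sets
score BAYES_00 0
score BAYES_99 4.070
score SARE_GIF_ATTACH 0.75
score INFO_TLD 1.27
score HTML_TEXT_AFTER_BODY 0.12
score HTML_MESSAGE 0.001
# four values: one score per score set 0..3
score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
"""

SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(config_text):
    """Return {rule_name: (set0, set1, set2, set3)} from `score` lines.

    A single value is replicated across all four sets; any count other
    than 1 or 4 is a config error, which SpamAssassin would also reject.
    """
    scores = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        match = SCORE_LINE.match(line)
        if not match:
            continue                          # blank line or not a score line
        rule, values = match.group(1), match.group(2).split()
        if len(values) == 1:
            scores[rule] = (float(values[0]),) * 4
        elif len(values) == 4:
            scores[rule] = tuple(float(v) for v in values)
        else:
            raise ValueError(f"{rule}: expected 1 or 4 scores, got {len(values)}")
    return scores


def score_set(bayes_enabled, network_enabled):
    """Score set index as documented for Mail::SpamAssassin::Conf:
    0 = neither Bayes nor network tests, 1 = network tests only,
    2 = Bayes only, 3 = both (the usual case on a full install)."""
    return (2 if bayes_enabled else 0) + (1 if network_enabled else 0)


def evaluate(scores, hits, bayes_enabled=True, network_enabled=True, required=5.0):
    """Sum the applicable column for every rule that hit.

    Returns (total, is_spam, breakdown). A rule with no score line
    contributes 0 here; real SpamAssassin warns about it at lint time.
    """
    column = score_set(bayes_enabled, network_enabled)
    breakdown = [(rule, scores.get(rule, (0.0,) * 4)[column]) for rule in hits]
    total = round(sum(s for _, s in breakdown), 3)
    return total, total >= required, breakdown


if __name__ == "__main__":
    table = parse_scores(SAMPLE_LOCAL_CF)
    # Constructed hit lists modelled on the two score reports above.
    for hits in (["HTML_MESSAGE", "HTML_TEXT_AFTER_BODY", "INFO_TLD", "SARE_GIF_ATTACH"],
                 ["DATE_IN_FUTURE_03_06", "HTML_MESSAGE", "SARE_GIF_ATTACH"]):
        for bayes, net in ((False, False), (True, True)):
            total, spam, parts = evaluate(table, hits, bayes, net)
            print(f"set {score_set(bayes, net)}: score={total} required=5 spam={spam}")
            for rule, s in parts:
                print(f"  {s:5.2f} {rule}")
```

Running it reproduces the second report's 4.712 total in score set 3 (DATE_IN_FUTURE_03_06 at 3.961 plus the two small rules) and shows that the same hits would only reach 2.812 with set 0, so a single-column override is the safer way to express "this is the score I mean regardless of how the scanner is configured". It also makes the defender's caveat in the thread concrete: the image-only messages that slip through do so because the few rules they trigger sum to well under the threshold, and Bayes contributes nothing when it has not been trained on them.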