SpamAssassin suddenly not effective for one kind of image-only spam.

Discussion in 'General Discussion' started by jols, Jul 31, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    We are up to SpamAssassin 3.1.4 on all our cPanel servers; however, as of the past week we are getting a ton of image-only spam. The spam contains a single GIF file with a few random words at the bottom. This content involves stock-buying scams of one kind or another.

    Does anyone know the correct way to run sa-update to make sure that all of the local rules are updated?

    By the way, after struggling a bit I managed to get a new rules_du_jour called SARE_STOCKS added, but this does not seem to help.

    Any other ideas about how to combat this particular problem?

    Thanks very much for any input.
     
    #1 jols, Jul 31, 2006
    Last edited: Jul 31, 2006
  2. Epademic

    Epademic Active Member

    Joined:
    Nov 21, 2003
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    I have been suffering from the exact same type of spam. They all consist of one image usually about a stock tip, followed by some random text.
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I am starting to run up the scoring in SpamAssassin and we are catching more of this kind of junk as a result, but this is more of a band-aid than anything else.

    Here is an example of what I have done:

    added the following to /etc/mail/spamassassin/local.cf

    score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
    score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
    score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
    score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
    score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
    score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
    score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
    score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052
    score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
    score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 3.668
    score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 4.767
    score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 4.688
    score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 4.100
    score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 4.403

    And will probably soon do the same with the DATE_IN_PAST scores.

    Problem is, there are many who like to put their nice little sig graphics in the email they send who will likely get caught up in some of this.

    I am starting to wonder if there are some better RBLs we can use in conjunction with this.

    Oh and by the way, I also discovered that the BAYES stuff was actually taking spam scores away! So I also added this until I have a handle on this one:

    score BAYES_00 0.0001 0.0001 0.001 0.001
    score BAYES_05 0.0001 0.0001 0.001 0.001
    score BAYES_20 0.0001 0.0001 0.001 0.001
    score BAYES_40 0.0001 0.0001 0.001 0.001
    score BAYES_50 0.0001 0.0001 0.001 0.001
    score BAYES_60 0.0001 0.0001 1.0 1.0
    score BAYES_80 0.0001 0.0001 2.0 2.0
    score BAYES_95 0.0001 0.0001 3.0 3.0
    score BAYES_99 0.0001 0.0001 3.5 3.5

    (i.e. I took out the negative numbers on BAYES 00 through 50)
     
  4. positive

    positive Member

    Joined:
    Mar 29, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    SpamAssassin has not been working effectively for the last few days.
    It looks like how it calculates the points has changed, and it is not effective.

    What can we do?
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    By manually raising the scores as stated above, we have seen a good 70% or more of this kind of junk email now receive a score of over 5, but we are keeping a lookout for legitimate email scored over 5 as well; so far there has been none.

    I also have plans to do the following:

    Consider boosting (even further) DATE_IN_PAST
    Boost HELO_DYNAMIC_SPLIT_IP
    Boost FROM_LOCAL_NOVOWEL
    Boost HELO_DYNAMIC_IPADDR
    Boost DATE_IN_FUTURE_03_06
    Boost SARE_GIF_ATTACH
    ("boost" meaning to raise the score.)
     
  6. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    I found it amazing that the Bayes scores had negative numbers.
    It was screwing up a lot of things, since those stupid nonsense bayes-poison text emails would seem to create more and more acceptable negative numbers.

    I had noticed that most 'good' mail would score very low on bayes (00 to 20). After that, it appeared that if it hit the Bayes_40 mark, it was 'likely' to be spam.

    So, I took a ballsy move and went:

    score BAYES_00 0
    score BAYES_05 0.925
    score BAYES_20 1.730
    score BAYES_40 2.276
    score BAYES_50 2.967
    score BAYES_60 3.515
    score BAYES_80 3.608
    score BAYES_95 3.514
    score BAYES_99 4.070

    I haven't heard any complaints yet, (many months) and I check for false-positives frequently.


    Your mileage may vary.
     
  7. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Good idea, we may incorporate this, although with a little lower scores on the lower end.

    Here's what we have settled on for the score renovations that seem to be catching nearly all of the recent image-only (or near image-only) spam:

    The following inserted in both:

    /home/.cpan/build/Mail-SpamAssassin-3.1.4/rules/local.cf

    and

    /etc/mail/spamassassin/local.cf

    I'm still trying to figure out why we need to insert the mods in both of the above.
    I'm also still trying to figure out what the other three numbers leading up to the fourth in each line (below) are all about. SpamAssassin only seems to use the number on the end. Anyone know exactly how this works?

    score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
    score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
    score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
    score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
    score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
    score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
    score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
    score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052
    score BAYES_00 0.0001 0.0001 0.001 0.001
    score BAYES_05 0.0001 0.0001 0.001 0.001
    score BAYES_20 0.0001 0.0001 0.001 0.001
    score BAYES_40 0.0001 0.0001 0.001 0.001
    score BAYES_50 0.0001 0.0001 0.001 0.001
    score BAYES_60 0.0001 0.0001 1.0 1.0
    score BAYES_80 0.0001 0.0001 2.0 2.0
    score BAYES_95 0.0001 0.0001 3.0 3.0
    score BAYES_99 0.0001 0.0001 3.5 3.5
    score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 4.961
    score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 4.668
    score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 5.767
    score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 5.688
    score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 5.100
    score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 5.403
    score DATE_IN_PAST_03_06 0.736 0 1.122 1.478
    score DATE_IN_PAST_06_12 0.846 0.746 0.926 1.827
    score DATE_IN_PAST_12_24 0.960 0.881 1.036 2.247
    score DATE_IN_PAST_24_48 0.801 0.805 0.976 1.880
    score DATE_IN_PAST_48_96 0.383 0.501 0.400 1.379
    score DATE_IN_PAST_96_XX 1.752 1.572 2.101 3.020
    score HELO_DYNAMIC_SPLIT_IP 2.880 2.880 3.330 3.191
    score FROM_LOCAL_NOVOWEL 2.480 2.331 2.867 3.861
    score HELO_DYNAMIC_IPADDR 3.360 3.360 3.885 5.200
     
  8. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Other numbers (4 columns):

    Check the SpamAssassin site; they explain it there. From my very weak memory, it had to do with how the mail was scanned, if certain flags were hit, or something like that. Don't recall, been so long since I looked or cared.

    I just use the one column on the few settings that I alter for my custom scores.
     
  9. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Okay, thanks.

    So I take it that I can delete the other three columns, and use settings like this instead?

    score BAYES_00 0
    score BAYES_05 0.925
    score BAYES_20 1.730
    score BAYES_40 2.276
    score BAYES_50 2.967
    score BAYES_60 3.515
    score BAYES_80 3.608
    score BAYES_95 3.514
    score BAYES_99 4.070
     
  10. spiff06

    spiff06 Well-Known Member

    Joined:
    Jan 17, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Folks:

    I have the MailScanner package. A bunch of SpamAssassin rules are updated via RulesDuJour. How do I know if the stock ruleset (http://www.rulesemporium.com/rules/70_sare_stocks.cf) is being updated, and if not, how do I add it?

    Thanks!

    EDIT: never mind, found it at the bottom of the SARE page: "add "SARE_STOCKS" to TRUSTED_RULESETS"

    EDIT 2: still a bit confused; do I add it to rules_du_jour or my_rules_du_jour?
     
    #10 spiff06, Aug 14, 2006
    Last edited: Aug 14, 2006
  11. spiff06

    spiff06 Well-Known Member

    Joined:
    Jan 17, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Hello again. Please answer this one if you can.

    I've just inserted the above BAYES parameters in mailscanner.cf. When I run spamassassin --lint -c /usr/mailscanner/etc/spam.assassin.prefs.conf, I get:

    [20561] warn: config: warning: score set for non-existent rule BAYES_99
    [20561] warn: config: warning: score set for non-existent rule BAYES_50
    [20561] warn: config: warning: score set for non-existent rule BAYES_60
    [20561] warn: config: warning: score set for non-existent rule BAYES_95
    [20561] warn: config: warning: score set for non-existent rule BAYES_40
    [20561] warn: config: warning: score set for non-existent rule BAYES_80
    [20561] warn: config: warning: score set for non-existent rule BAYES_20
    [20561] warn: config: warning: score set for non-existent rule DNS_FROM_AHBL_RHSBL
    [20561] warn: config: warning: score set for non-existent rule BAYES_05
    [20561] warn: config: warning: score set for non-existent rule BAYES_00
    [20561] warn: lint: 10 issues detected, please rerun with debug enabled for more information

    Also, I've noticed that the antidrug.cf was over two years old; seems it's never been updated. I've modified the config line in rules_du_jour to read: CF_URLS[7]="http://www.rulesemporium.com/rules/antidrug.cf". Will this keep it updated?

    Thanks for your answers.
     
  12. spiff06

    spiff06 Well-Known Member

    Joined:
    Jan 17, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Well, I'm still at it...

    I've set this up in my local.cf:

    score BAYES_00 0
    score BAYES_05 0.625
    score BAYES_20 1.330
    score BAYES_40 2.276
    score BAYES_50 2.967
    score BAYES_60 3.515
    score BAYES_80 3.608
    score BAYES_95 3.514
    score BAYES_99 4.070

    score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
    score HTML_IMAGE_ONLY_08 2.581 2.435 3.469 4.126
    score HTML_IMAGE_ONLY_12 2.294 1.639 2.046 3.867
    score HTML_IMAGE_ONLY_16 0.668 0.627 0.338 3.497
    score HTML_IMAGE_ONLY_20 1.108 0.640 1.416 3.157
    score HTML_IMAGE_ONLY_24 1.316 0.930 1.771 3.841
    score HTML_IMAGE_ONLY_28 1.438 1.014 1.732 3.900
    score HTML_IMAGE_ONLY_32 1.423 0.836 1.610 3.052

    score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
    score DATE_IN_FUTURE_06_12 1.680 1.498 1.883 3.668
    score DATE_IN_FUTURE_12_24 2.320 2.316 2.775 4.767
    score DATE_IN_FUTURE_24_48 2.080 2.080 2.498 4.688
    score DATE_IN_FUTURE_48_96 1.680 1.680 1.942 4.100
    score DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 4.403

    score DATE_IN_PAST_03_06 2.061 2.007 2.275 3.961
    score DATE_IN_PAST_06_12 1.680 1.498 1.883 3.668
    score DATE_IN_PAST_12_24 2.320 2.316 2.775 4.767
    score DATE_IN_PAST_24_48 2.080 2.080 2.498 4.688
    score DATE_IN_PAST_48_96 1.680 1.680 1.942 4.100
    score DATE_IN_PAST_96_XX 1.920 1.888 2.276 4.403

    Works mostly, but some of them still go through (as you can see, Bayesian filters don't help):
    cached not
    score=2.139
    5 required
    0.00 HTML_MESSAGE HTML included in message
    0.12 HTML_TEXT_AFTER_BODY HTML contains text after BODY close tag
    1.27 INFO_TLD Contains an URL in the INFO top-level domain
    0.75 SARE_GIF_ATTACH

    cached not
    score=4.712
    5 required
    3.96 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
    0.00 HTML_MESSAGE HTML included in message
    0.75 SARE_GIF_ATTACH
     
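An added example (not code from the thread or from SpamAssassin) tying together three questions above: the four columns in a `score` line (#7/#8), the `--lint` "score set for non-existent rule" warnings (#11), and the per-message score reports (#12). The four values are SpamAssassin's score sets 0 to 3, selected by whether Bayes and network tests are enabled; a single value applies to all four sets. The `SAMPLE_CF` fragment and the hit list are constructed from values in the thread; `demo()` and the helper names are my own.

```python
import re

# Column meaning of a four-value "score" line (SpamAssassin score sets):
#   set 0: Bayes off, network tests off   set 1: network tests only
#   set 2: Bayes only                     set 3: Bayes + network tests
def score_set(use_bayes, use_network):
    return (2 if use_bayes else 0) + (1 if use_network else 0)

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")

def parse_scores(cf_text, sset):
    """Map rule name -> the score that applies in score set `sset` (0..3)."""
    scores = {}
    for raw in cf_text.splitlines():
        m = SCORE_RE.match(raw.split("#", 1)[0])   # strip trailing comments
        if not m:
            continue
        rule, cols = m.group(1), m.group(2).split()
        if len(cols) == 1:            # one value applies to every score set
            scores[rule] = float(cols[0])
        elif len(cols) == 4:          # pick the column for the active set
            scores[rule] = float(cols[sset])
        else:
            raise ValueError(f"{rule}: expected 1 or 4 score values, got {len(cols)}")
    return scores

def unknown_rules(scores, defined_rules):
    """Overrides for rules no loaded .cf defines (what --lint flags as non-existent)."""
    return sorted(r for r in scores if r not in defined_rules)

def total_score(scores, hits, required=5.0):
    """Sum the active scores of the rules a message hit; True when it reaches the threshold."""
    total = round(sum(scores.get(r, 0.0) for r in hits), 3)
    return total, total >= required

# Constructed local.cf fragment: four-column values from the thread plus single-column lines.
SAMPLE_CF = """
score HTML_IMAGE_ONLY_04 2.820 2.880 3.330 4.600
score BAYES_99 0.0001 0.0001 3.5 3.5
score DATE_IN_FUTURE_03_06 2.061 2.007 2.275 3.961
score HTML_MESSAGE 0.001
score SARE_GIF_ATTACH 0.75   # one value: used in all four sets
"""

def demo():
    active = parse_scores(SAMPLE_CF, score_set(use_bayes=True, use_network=True))
    # Hit list constructed from the second report in the thread.
    total, is_spam = total_score(active, ["DATE_IN_FUTURE_03_06", "HTML_MESSAGE", "SARE_GIF_ATTACH"])
    # Pretend only these three rules are defined by the loaded rule files.
    missing = unknown_rules(active, {"HTML_IMAGE_ONLY_04", "DATE_IN_FUTURE_03_06", "HTML_MESSAGE"})
    return total, is_spam, missing   # -> (4.712, False, ['BAYES_99', 'SARE_GIF_ATTACH'])
```

With Bayes and network tests on, set 3 (the last column) is the one used, which is why the thread only ever saw the number on the end matter; the same config parsed for set 0 gives HTML_IMAGE_ONLY_04 the first column instead.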