-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ben Lentz wrote:
> Greetings list,
> I've been reading a pretty active and recent thread from one of the
> sa-users mailing list archives that talks about a high rate of these
> stock spams that are getting through. I, too, am currently suffering
> from this problem and am wondering if anyone has any recommendations. I
> would've joined in the conversation, but I just now subscribed to the
> list. Apologies in advance...
>
> I'm running 3.1.2 (just saw the 3.1.3 security update, I'll be upgrading
> shortly) with bayes and network tests on, including the DCC, Razor2, and
> Pyzor digest checks. Our bayes learning is configured for both autolearn
> and based on feedback from the users via IMAP folders, stored in a MySQL
> backend database. My bayes_seen table has 343,697 records in it. I am
> also using the SARE stock spam custom rule set. Every message that comes
> through does hit on the Bayes check, and usually registers somewhere
> between 0% - 60%, so it won't produce a point value.

I've just set up Razor, DCC and Pyzor this week on our server and it
definitely makes a difference.

> So, I'm kind of the impression that I'm doing everything I'm supposed
> to, but somehow these messages are all getting through with little to no
> point value. Our threshold is only 4.0.
> In addition to these:
>> ***BREAKING NEWS ALERT ISSUED****
>> We think the fun is just beginning with this stock.
>>
>> Trade Date : 7 June 2006
>> Name : AbsoluteSKY, Inc.
>> S t o c k : A B S Y
>> Today : $0.95
>> 10month Target : $1 - $3
>> Recommendation : 300-500%
>>
>> That would be well over a 300% gain from these levels.
>> Big watch in play this tomorrow morning!
>> This stock will explode!
>> Do not wait until it is too late!!!

My scores for a similar ABSY pump/dump email:

pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?82.16.172.42>]

> We're also getting these:
>> The average home-loan we've given out this month is $400,000.00 @
>> 4.03% int!
>> We do not care about your current credit/financial situation.
>>
>> Last 3 closed-loans:
>>
>> 1. Holder, Natasha Houston, Texas 271,000 @ 4.12%
>> 2. Chavez, Tyson Orlando, Florida 314,000 @ 4.33%
>> 3. Hargrove, Ava Augusta, Georgia 713,000 @ 3.22%

I have also added the KAM.cf file (you can get it from
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)

Our server is blocking messages like this one. Here are the scores/rules
we are giving it:

pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec 2005
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list

So 6.7 points came from DCC and the KAM.cf file.

> Any help would be greatly appreciated. Maybe I just need to start
> regexing my heart out, but everything's always worked so well basically
> out of the box with SA and the network checks. I also can't figure out
> how these emails aren't getting listed in DCC, Pyzor, and Razor2. (Also,
> my current Pyzor server is 82.94.255.100:24441, as the pyzor discover
> one has been down)

Prior to last week's upgrades of current SA (3.1.3), sa-update for the
latest default ruleset, the current RDJ script and latest SARE rulesets,
and Razor, Pyzor and DCC hashes, we did a lot of regex rules ourselves in
a site-specific *.cf file. After adding the above-mentioned features, I
have removed all of our regex rules and pretty much everything is
catching. Any messages that our rules would have added points to are
already scoring high enough.

> Thanks

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhz2F417vU8/9QfkRAh0hAKCXsYnmbeA3002AE3Z0bGqJfDs0fwCeIsgj
bHXOrdc3Z+6IKZ42ZY/p8dI=
=kSFk
-----END PGP SIGNATURE-----
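The two score tables above are in SpamAssassin's "pts rule name description" report format. As an added example (not code from this post, nor part of SpamAssassin), the following parser reads that format, re-totals the hits, and shows which rules carry each message past Ben's threshold of 4.0 and how far the score drops if the network-based rules (DCC, Razor2, Pyzor, the SpamCop RBL) are not contributing. The sample reports are the two tables quoted in the thread, embedded as input; the `NETWORK_RULES` set is an assumption made for the example (`DCC_CHECK` and `RCVD_IN_BL_SPAMCOP_NET` appear in the thread, `RAZOR2_CHECK` and `PYZOR_CHECK` are the stock SpamAssassin rule names for the other two digest checks).

```python
"""Parse SpamAssassin report blocks ("pts rule name description") and
re-total the hits against a site threshold.

Added example for the sa-users thread above; not code from the post or
from SpamAssassin itself."""
import re
from typing import Iterable, List, NamedTuple


class Hit(NamedTuple):
    score: float
    rule: str
    description: str


# One hit line: score, rule name, then free-text description.
_HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Za-z0-9_]+)\s+(.*)$")

# Rules whose evidence comes from network lookups rather than from the
# message body. Assumption for this example: the first two names are in
# the thread, the last two are the stock SpamAssassin digest-check rules.
NETWORK_RULES = frozenset({
    "DCC_CHECK", "RAZOR2_CHECK", "PYZOR_CHECK", "RCVD_IN_BL_SPAMCOP_NET",
})

# Sample input: the two score tables quoted in Dave's reply.
STOCK_REPORT = """\
pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?82.16.172.42>]
"""

LOAN_REPORT = """\
pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec 2005
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list
"""


def parse_report(text: str) -> List[Hit]:
    """Return the rule hits from a report block.

    The header and dashed separator are skipped. Indented continuation
    lines (the "[score: ...]" / "[Blocked - see ...]" fragments) are folded
    into the description of the preceding hit."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _HIT_RE.match(raw)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
        elif raw[:1].isspace() and hits:
            last = hits.pop()
            hits.append(last._replace(description=f"{last.description} {raw.strip()}"))
        # any other line (column header, dashed rule) carries no hit
    return hits


def total_score(hits: Iterable[Hit]) -> float:
    """Sum of all hit scores, rounded to SpamAssassin's one decimal."""
    return round(sum(h.score for h in hits), 1)


def score_without(hits: Iterable[Hit], excluded: Iterable[str]) -> float:
    """Total score if the named rules had not fired."""
    skip = set(excluded)
    return round(sum(h.score for h in hits if h.rule not in skip), 1)


def summarize(report: str, threshold: float) -> dict:
    """Verdict with and without the network rules, against a threshold."""
    hits = parse_report(report)
    total = total_score(hits)
    local_only = score_without(hits, NETWORK_RULES)
    return {
        "total": total,
        "without_network": local_only,
        "spam": total >= threshold,
        "spam_without_network": local_only >= threshold,
        "top_rules": [h.rule for h in sorted(hits, key=lambda h: -h.score)[:3]],
    }


if __name__ == "__main__":
    for name, report in (("stock pump", STOCK_REPORT), ("home loan", LOAN_REPORT)):
        print(name, summarize(report, threshold=4.0))
```

With the 4.0 threshold from Ben's post both messages are tagged, but the stock message only clears it with 1.6 points from the SpamCop RBL; at the default 5.0 threshold it would pass if the RBL lookup failed, which is the situation Ben describes when the digest checks do not list a message.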