Ben Lentz wrote:
Greetings list,
I've been reading a pretty active and recent thread from one of the
sa-users mailing list archives that talks about a high rate of these
stock spams that are getting through. I, too, am currently suffering
from this problem and am wondering if anyone has any recommendations. I
would've joined in the conversation, but I just now subscribed to the
list. Apologies in advance...
I'm running 3.1.2 (just saw the 3.1.3 security update, I'll be upgrading
shortly) with bayes and network tests on, including the DCC, Razor2, and
Pyzor digest checks. Our bayes learning is configured both for autolearn
and for feedback from the users via IMAP folders, stored in a MySQL
backend database. My bayes_seen table has 343,697 records in it. I am
also using the SARE stock spam custom rule set. Every message that comes
through does hit on the Bayes check, and usually registers somewhere
between 0% and 60%, so it won't produce a point value.
I've just set up Razor, DCC and Pyzor this week on our server and it
definitely makes a difference.
So, I'm kind of under the impression that I'm doing everything I'm supposed
to, but somehow these messages are all getting through with little to no
point value. Our threshold is only 4.0.
In addition to these:
***BREAKING NEWS ALERT ISSUED****
We think the fun is just beginning with this stock.
Trade Date : 7 June 2006
Name : AbsoluteSKY, Inc.
S t o c k : A B S Y
Today : $0.95
10month Target : $1 - $3
Recommendation : 300-500%
That would be well over a 300% gain from these levels.
Big watch in play this tomorrow morning!
This stock will explode!
Do not wait until it is too late!!!
My scores for a similar ABSY pump/dump email:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see
                            <http://www.spamcop.net/bl.shtml?82.16.172.42>]
We're also getting these:
The average home-loan we've given out this month is $400,000.00 @
4.03% int!
We do not care about your current credit/financial situation.
Last 3 closed-loans:
1. Holder, Natasha Houston, Texas 271,000 @ 4.12%
2. Chavez, Tyson Orlando, Florida 314,000 @ 4.33%
3. Hargrove, Ava Augusta, Georgia 713,000 @ 3.22%
I have also added the KAM.cf file (you can get it from
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
Our server is blocking messages like this one. Here are the
scores/rules we are giving it:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec
                            2005
 2.2 DCC_CHECK              Listed in DCC
                            (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list

So 6.7 points came from DCC and the KAM.cf file.
Any help would be greatly appreciated. Maybe I just need to start
regexing my heart out, but everything's always worked so well basically
out of the box with SA and the network checks. I also can't figure out
how these emails aren't getting listed in DCC, Pyzor, and Razor2. (Also,
my current Pyzor server is 82.94.255.100:24441, as the pyzor discover
one has been down)
Prior to last week's upgrades to current SA (3.1.3), sa-update for the
latest default ruleset, the current RDJ script and latest SARE rulesets, and
Razor, Pyzor and DCC hashes, we did a lot of regex rules ourselves in a
site-specific *.cf file. After adding the above-mentioned features, I
have removed all of our regex rules and pretty much everything is
catching. Any messages that our rules would have added points to are
already scoring high enough.
Thanks
Dave
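An added example, not code from the thread or from SpamAssassin: a small Python parser for the "pts rule name description" report blocks quoted above (both the ABSY stock report and the home-loan report). It totals the points, compares them with required_score (4.0, the threshold Ben gives), and groups the hits by rule source so you can see what actually carried a message over the line, or what it would have scored without a given add-on. The source grouping by rule-name prefix (DCC_/RAZOR2_/PYZOR_/RCVD_IN_ as "network", SARE_, KAM_, BAYES_) is an assumption made for illustration; SpamAssassin does not itself tag rules by origin. The sample reports are copied from the two score tables in the thread.

```python
"""Break down a SpamAssassin 'pts rule name description' report.

Added example, not code from the thread or from SpamAssassin: it parses the
report blocks quoted above, totals the points against required_score, and
groups hits by rule source so you can see which add-on rules or network
tests actually carried a message over the threshold.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header and separator lines that precede the hit list (including the
# "- ----" form PGP clear-signing produces for lines starting with "-").
HEADER = re.compile(r"^\s*(pts\s+rule\s+name.*|[-\s]+)$")
# "<score> <RULE_NAME> <description>"; wrapped description lines carry no score.
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Za-z0-9_]*)\s*(.*)$")

# Rule-name prefixes used to attribute points to a source.  This grouping is an
# assumption for illustration; SpamAssassin does not tag rules by origin.
SOURCES = [
    ("network", ("DCC_", "RAZOR2_", "PYZOR_", "RCVD_IN_")),
    ("bayes", ("BAYES_",)),
    ("sare", ("SARE_",)),
    ("kam", ("KAM_",)),
]


def source_of(rule: str) -> str:
    for name, prefixes in SOURCES:
        if rule.startswith(prefixes):
            return name
    return "other"


@dataclass
class Hit:
    score: float
    name: str
    description: str


@dataclass
class Report:
    hits: List[Hit] = field(default_factory=list)
    required_score: float = 4.0  # the threshold Ben quotes in the thread

    def total(self) -> float:
        return round(sum(h.score for h in self.hits), 1)

    def is_spam(self) -> bool:
        return self.total() >= self.required_score

    def by_source(self) -> Dict[str, float]:
        """Points contributed by each source in SOURCES, plus 'other'."""
        out = {name: 0.0 for name, _ in SOURCES}
        out["other"] = 0.0
        for h in self.hits:
            out[source_of(h.name)] = round(out[source_of(h.name)] + h.score, 1)
        return out

    def total_without(self, *prefixes: str) -> float:
        """What-if total if rules with any of these prefixes had not fired."""
        kept = [h.score for h in self.hits if not h.name.startswith(prefixes)]
        return round(sum(kept), 1)


def parse_report(text: str, required_score: float = 4.0) -> Report:
    report = Report(required_score=required_score)
    current: Optional[Hit] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or HEADER.match(line):
            continue
        m = HIT.match(line)
        if m:
            current = Hit(float(m.group(1)), m.group(2), m.group(3).strip())
            report.hits.append(current)
        elif current is not None:
            current.description += " " + line.strip()  # wrapped description
    return report


# Sample reports, copied from the two score blocks quoted in the thread.
SAMPLE_STOCK = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
"""
SAMPLE_LOAN = """\
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec
                            2005
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list
"""

if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_STOCK), ("loan", SAMPLE_LOAN)):
        r = parse_report(text)
        print(label, r.total(), "spam" if r.is_spam() else "ham", r.by_source())
```

Feeding it the stock report shows the message sits at 5.7 only because the SpamCop RBL and the two SARE rules fired; total_without("RCVD_IN_", "SARE_") drops it to 2.5, well under the 4.0 threshold, which is the situation a site without those network tests and custom rules is in. For the loan report the network and KAM buckets together give the 6.7 points Dave mentions.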