John Rudd wrote:
> Robert Schetterer wrote:
>>
>> arni wrote:
>>> Raymond Myren wrote:
>>>> Hello,
>>>>
>>>> Just today I started receiving spam mails with attached .pdf files
>>>> with a spam image.
>>>> Any ideas how to stop this spam type?
>>>>
>>>> \raymond
>>> As I said several times on this mailing list now, I've never had any of
>>> these mails get through; here is how the current ones score:
>>>
>>> X-Spam-Status: Yes, score=16.6 required=5.0 tests=BAYES_99,BOTNET,
>>>     BOTNET_NORDNS,DCC_CHECK,DKIM_POLICY_SIGNSOME,HTML_MESSAGE,LOGINHASH1,
>>>     LOGINHASH2,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE
>>>     autolearn=no version=3.2.0
>>> X-Spam-Report:
>>>     *  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>>>     *      [score: 1.0000]
>>>     *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
>>>     *  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>>>     *      [Blocked - see <http://www.spamcop.net/bl.shtml?85.138.88.254>]
>>>     *  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
>>>     *      [85.138.88.254 listed in zen.spamhaus.org]
>>>     *  3.0 BOTNET Relay might be a spambot or virusbot
>>>     *      [botnet0.7,ip=85.138.88.254,nordns]
>>>     *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
>>>     *  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
>>>     *      [botnet_nordns,ip=85.138.88.254]
>>>     *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
>>>     *  0.0 HTML_MESSAGE BODY: HTML included in message
>>>     *  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company, Germany
>>>     *  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions AG, Germany
>>>     *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>>>
>>> arni
>>>
>> You are in luck: you are a "late receiver" of that spam, so it was detected
>> by others before (look at your headers), but it wasn't detected by i.e. a
>> plain pdf_spam rule/solution (like fuzzy_ocr etc.). This is what I am
>> looking for.
> 
> His success didn't depend upon that luck.  Even without the LOGINHASH* 
> and DCC_CHECK, or even BAYES, he still had a high enough score to flag 
> it as spam.
> 
> 
Actually it did: take away the spamtrap-fed blackholes (PBL and SPAMCOP)
and the spamtrap-fed BAYES as well, and it scores a whopping 3.1, thanks
to the BOTNET plugin (which is amazing, btw). That hit was all from the
late-receiver effect.

If one is running local spamtraps that feed sa-learn/spamc -R without
delay, in combination with greylisting, one will get a good BAYES score
off new zombies; however, doing so is also really risky, as there are a lot
of mail sources (some very large and well-known names) that people actually
want to receive mail from, which will start sending daily/weekly/monthly mails,
without an opt-in confirmation feedback loop, as a result of joe-jobs
and/or spam-spiders looking for vulnerable forms/forums/blogs. That
means maintaining a local whitelist for sources the traps shouldn't
learn as spam, as the traps WILL eventually start to receive mail from
sources normal people would consider ham sources, even though it
technically is spam as far as the trap is concerned.
