On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
> Okay, got some samples online to look at:
>
> http://66.213.231.82/spam/sample1.txt
> http://66.213.231.82/spam/sample2.txt
> http://66.213.231.82/spam/sample3.txt
> http://66.213.231.82/spam/sample4.txt
> http://66.213.231.82/spam/sample5.txt
> http://66.213.231.82/spam/sample6.txt
> http://66.213.231.82/spam/sample7.txt
> (that is, every file in http://66.213.231.82/spam/)
>
> If y'all could run 1 or 2 of them through your installs, I'd be
> interested to know how they score and what rules they hit. TYVM, in
> advance :)


Sample 1 scored:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Sample 2 scored:

Content analysis details:   (25.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has a signature
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4915]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

This is what clamav reported: X-Spam-Virus: Yes (Email.Spam.Gen835.Sanesecurity.07062011)

Sample 3 scored:

Content analysis details:   (15.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 ONLINE_PHARMACY        BODY: Online Pharmacy
 0.0 TVD_VISIT_PHARMA       BODY: TVD_VISIT_PHARMA
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6079]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.5 LOGINHASH2             BODY: iXhash says its spam
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Sample 4 scored Content analysis details:   (20.5 points, 5.0 required)
Sample 5 scored Content analysis details:   (25.7 points, 5.0 required)
Sample 6 scored Content analysis details:   (19.7 points, 5.0 required)
Sample 7 scored Content analysis details:   (25.3 points, 5.0 required)

Looking at how they were scored, I see that the following plug-ins hit on every 
message: freemail, ixhash and sagrey. The clamav plugin hit on a couple using 
the sanesecurity signatures. I've saved the complete output of spamassassin 
-D -t sample*.txt to a file. If you want, I can forward it to you to look at.

> More comments below...
>
> Is there anything I need to know about the SARE rules? I see they're
> not being updated at the moment... I've been wondering which ones are
> 'safe' to use, considering they all seem to be at least a year old. Do
> the comments on the rulesemporium.com site still apply? Anything there
> broken in SA-3.2.x I should care about?

I've 'never' had any problems with the SARE rules I run. I believe the answer 
as to why they're seldom updated is that they're such rock-solid rule sets 
that they pretty much cover any type of spam out there. 

> As far as BOTNET goes... sounds interesting... I would definitely want
> to push its score down lower though. A single rule being enough to
> flag a message bothers me. Will look into it, thanks :)
>
> Thanks all,
> Jake

One other note: I do not run a mailserver; this is just how these score on my 
home system, on which I'm the only user. 

-- 
Chris
KeyID 0xE372A7DA98E6705C
