> On Mar 15, 2016, at 12:28 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 15.03.2016 at 17:07, Robert Boyl wrote:
>> Hi, everyone
>>
>> Please check http://pastebin.com/GUBqpyZ8
>>
>> Interesting how some spams that abuse some legit account such as this
>> one are hard to detect, how SpamAssassin scores almost nothing although
>> there are spammy words, etc. System caught DCC_CHECK 1.10.
>>
>> Some other systems such as isnotspam.com caught some SA rule which
>> doesn't exist anymore in latest SA... AXB_X_FF_SEZ_S=3.10.
>>
>> Any way to report such spams to SpamAssassin devels so they can try to
>> create new rules?
>>
>> Any tips how to mark such mails as spam?
>
> easy to detect and no way to slip through our filters
> Barracuda Networks *lol* we were victims of those noobs too...
>
> X-Barracuda-Envelope-From: williams.1...@osu.edu
> X-Barracuda-Apparent-Source-IP: 157.56.111.246
> X-Barracuda-Envelope-To: XXX
>
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: ScamNailer.Phish.williams.1727_AT_osu.edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: ScamNailer.Phish.williams.1727_AT_osu.edu.UNOFFICIAL FOUND
> /var/www/uploadtemp/7f4da2b4dac87498e3828802c5b22fc098e963be.eml: Sanesecurity.Spear.williams_dot_1727_at_osu_dot_edu.UNOFFICIAL FOUND
>
> ----------- VIRUS-SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.024 sec (0 m 0 s)
>
> Content analysis details:   (18.4 points, 5.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.2 CUST_DNSWL_8           RBL: dnswl-aggregate.thelounge.net (No Trust)
>                             [157.56.111.246 listed in dnswl-aggregate.thelounge.net]
>  0.1 CUST_DNSBL_33          RBL: dnsbl-backscatterer.thelounge.net
>                             (ips.backscatterer.org)
>                             [157.56.111.246 listed in dnsbl-backscatterer.thelounge.net]
>  7.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 0.9995]
>  3.1 AXB_X_FF_SEZ_S         Forefront sez this is spam
> -0.1 CUST_DNSWL_5           RBL: list.dnswl.org (No Trust)
>                             [157.56.111.246 listed in list.dnswl.org]
>  0.5 CUST_DNSBL_31          RBL: bl.nszones.com
>                             [157.56.111.246 listed in bl.nszones.com]
>  1.0 CUST_DNSBL_23          RBL: bl.spamcannibal.org
>                             [157.56.111.246 listed in bl.spamcannibal.org]
> -0.1 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
>                             [157.56.111.246 listed in wl.mailspike.net]
>  1.5 CUST_DNSBL_21          RBL: score.senderscore.com (senderscore.com High)
>                             [157.56.111.246 listed in score.senderscore.com]
>  1.0 CUST_DNSBL_25          RBL: score.senderscore.com (senderscore.com Medium)
>  0.4 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 0.9995]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.7 LOTS_OF_MONEY          Huge... sums of money
>  0.5 CUST_SUBJ_6            Begins Very Low
>  2.5 MONEY_FROM_41          Lots of money from Africa
>  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information

I thought I was doing an OK job of training Bayes, but in my case Bayes went hammy on this one:

Content analysis details:   (7.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.1 AXB_X_FF_SEZ_S         Forefront sez this is spam
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [157.56.111.246 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [157.56.111.246 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 2.8 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.0 LOTS_OF_MONEY          Huge... sums of money
 2.0 MONEY_FROM_41          Lots of money from Africa
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.3 TXREP                  TXREP: Score normalizing based on sender's reputation

Sometimes I wish there was a paid "Bayes in the Cloud" service that aggregated a bunch of well-fed bayesian dbs.

Charles

-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet
www.bway.net
sp...@bway.net - 212.982.9800
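The two reports in this thread score the same message 18.4 and 7.3 points, and almost all of the gap is the Bayes rules (BAYES_99 + BAYES_999 on one box, BAYES_00 on the other). As an added example, not code from the thread or from SpamAssassin itself, the Python below parses the "Content analysis details" block that SpamAssassin prints, recomputes the total against the required threshold, sums a rule family such as BAYES_, and diffs two reports rule by rule so that the rules responsible for a disagreement stand out. The two embedded reports are constructed copies of the ones quoted above, with some RBL continuation lines dropped; the function names are this example's own.

```python
# Added example (not from the thread): parse SpamAssassin "Content analysis
# details" reports and compare two scans of the same message rule by rule.
import re

HEADER_RE = re.compile(r"Content analysis details:\s*\(([-\d.]+) points, ([-\d.]+) required\)")
# score, rule name, description; continuation lines ("[score: ...]") do not match.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

# Constructed samples re-typed from the thread (some "[... listed in ...]" lines omitted).
REPORT_A = """\
Content analysis details:   (18.4 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.2 CUST_DNSWL_8           RBL: dnswl-aggregate.thelounge.net (No Trust)
                            [157.56.111.246 listed in dnswl-aggregate.thelounge.net]
 0.1 CUST_DNSBL_33          RBL: dnsbl-backscatterer.thelounge.net
                            (ips.backscatterer.org)
 7.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 0.9995]
 3.1 AXB_X_FF_SEZ_S         Forefront sez this is spam
-0.1 CUST_DNSWL_5           RBL: list.dnswl.org (No Trust)
 0.5 CUST_DNSBL_31          RBL: bl.nszones.com
 1.0 CUST_DNSBL_23          RBL: bl.spamcannibal.org
-0.1 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 1.5 CUST_DNSBL_21          RBL: score.senderscore.com (senderscore.com High)
 1.0 CUST_DNSBL_25          RBL: score.senderscore.com (senderscore.com Medium)
 0.4 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 LOTS_OF_MONEY          Huge... sums of money
 0.5 CUST_SUBJ_6            Begins Very Low
 2.5 MONEY_FROM_41          Lots of money from Africa
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
"""

REPORT_B = """\
Content analysis details:   (7.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.1 AXB_X_FF_SEZ_S         Forefront sez this is spam
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [157.56.111.246 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 2.8 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.0 LOTS_OF_MONEY          Huge... sums of money
 2.0 MONEY_FROM_41          Lots of money from Africa
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.3 TXREP                  TXREP: Score normalizing based on sender's reputation
"""


def parse_report(text):
    """Return (required_threshold, [(score, rule, description), ...]) for one report."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    required = float(m.group(2))
    hits = []
    for line in text[m.end():].splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("pts ") or stripped.startswith("----"):
            continue  # blank line or column header
        rm = RULE_RE.match(line)
        if rm:
            hits.append([float(rm.group(1)), rm.group(2), rm.group(3).strip()])
        elif hits:
            hits[-1][2] += " " + stripped  # indented continuation of the previous rule
    return required, [tuple(h) for h in hits]


def total_score(hits):
    """Recompute the total rather than trusting the header's number."""
    return round(sum(s for s, _, _ in hits), 1)


def verdict(required, hits):
    return "spam" if total_score(hits) >= required else "ham"


def family_total(hits, prefix):
    """Sum of the scores of all rules sharing a prefix, e.g. BAYES_ or CUST_DNSBL_."""
    return round(sum(s for s, r, _ in hits if r.startswith(prefix)), 1)


def diff_hits(hits_a, hits_b):
    """Which rules fired on only one side, and which fired on both with different scores."""
    a = {r: s for s, r, _ in hits_a}
    b = {r: s for s, r, _ in hits_b}
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "rescored": {r: (a[r], b[r]) for r in sorted(set(a) & set(b)) if a[r] != b[r]},
    }


if __name__ == "__main__":
    req_a, hits_a = parse_report(REPORT_A)
    req_b, hits_b = parse_report(REPORT_B)
    for name, req, hits in (("A", req_a, hits_a), ("B", req_b, hits_b)):
        print(f"report {name}: {total_score(hits)} / {req} -> {verdict(req, hits)}, "
              f"BAYES_ contributes {family_total(hits, 'BAYES_')}")
    print(diff_hits(hits_a, hits_b))
```

Running it shows the Bayes family swinging from +7.9 to -1.9 between the two scans, a 9.8 point difference on a 5.0 threshold, which is exactly the "went hammy" effect: the message still tips over on DCC_CHECK, MONEY_FROM_41 and TXREP, but only barely. Recomputing the total from the individual hits, rather than reading the header, also catches reports where a local score override changed a rule's weight.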