btech Posted July 12, 2009 Has anyone else noticed an influx of spam being delivered to your inbox? Last night alone, 20 of my 30 new messages were spam. On first glance, it doesn't appear SpamAssassin is hitting the usual words like 'pharmacy'. Examples: http://www.spamcop.net/sc?id=z3109831437z1...d4a66119fce08fz http://www.spamcop.net/sc?id=z3109833967za...319eb848be783fz
Wazoo Posted July 12, 2009 Handled by two different servers, both stating that SpamAssassin is up and running. So, the flip side is an ancient post I made a few years back ... apparently you may have a spammer that's not all that lazy .... take a look at Software Development Life Cycle principles for spam as found in the SpamCop FAQ here.
agsteele Posted July 13, 2009 "Anyone else noticed an influx of spam being delivered to your inbox." No, not especially. Now I do make use of the grey-list option so the vast bulk of spam never even reaches the filtering stage. But the remainder seems to have been appropriately filtered. Andrew
btech Posted July 13, 2009 man... out of 70 messages in my inbox, 50 were spam. Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz And this one... spam level 0?! It says 'drugs', 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez ... but I wonder if I'm also being flooded... I had 260 messages, all seemingly about pharma, in 12 hours, which is about 2x what I'm used to in that period.
Farelf Posted July 14, 2009 "...Certainly something must be awry: ..." Doesn't seem like very effective filtering, to be sure, Brandon. Unfortunately it is a matter of "needle in a haystack" for other users to compare notes on their experience with those spam or anything similar. But your settings don't seem to register suspect words at all? Not a user, but that doesn't seem quite right.
agsteele Posted July 14, 2009 "man... out of 70 messages in my inbox, 50 were spam." We could be comparing oranges with lemons... Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular, have you added your own address(es) to the white list (even inadvertently)? All these things could change things for you. Andrew
btech Posted July 14, 2009 "Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular have you added your own address(es) to the white list (even inadvertently)?" I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder. "But your settings don't seem to register suspect words at all? Not a user but that doesn't seem quite right." Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA. Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit. I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz
petzl Posted July 15, 2009 "I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder. Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA. Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit. I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz" Greylisting is now needed to effectively stop spam. Any properly configured email system will resend email appropriately and pass through greylisting. Big trouble is that there are people guising as anti-spammers out to destroy any effective method of stopping spam. Anyone remember Margie.Huey etc.? They were VERY knowledgeable about mail systems and were very vocally against any effective system being used to stop spam (ORBS, SpamCop for instance). Always "joining" groups (NANE) that were effective, convincing others that making them ineffective is the way to go. They seem to be effective. SpamCop seems now reluctant to block delinquent mailservers that do/are not acting on spam/abuse reports. So personal blacklists and whitelists are becoming more important to create and use.
btech Posted July 15, 2009 Yea, I think I'm going to have to turn graylisting on, because this is just asinine. Example of a CP spam that should CLEARLY have made some hits in SA, but was delivered to my inbox: http://www.spamcop.net/sc?id=z3121429075zb...7000b163e4066ez If nothing else, it's listed in SORBS... isn't that one of the blocklists?
agsteele Posted July 15, 2009 "If nothing else, it's listed in SORBS... isn't that one of the blocklists?" I don't think so but, in any case, SORBS is closing... Andrew
petzl Posted July 17, 2009 "Yea, I think I'm going to have to turn graylisting on, because this is just asinine. Example of a CP spam that should CLEARLY have made some hits in SA, but was delivered to my inbox: http://www.spamcop.net/sc?id=z3121429075zb...7000b163e4066ez If nothing else, it's listed in SORBS... isn't that one of the blocklists?" The IP 61.225.22.8 is from Korea. Unless you expect email from Korea, you should have that country blocked. In this case that IP is a mail server and would resend, thus getting past Greylisting. Most ISPs block port 25, stopping spam unless sent from a mail server. Spammers now rely on "Trojans" to take control of one's computer and the email addresses on it. Often one gets attachments from people/email addresses they know, but they turn out to be viruses/trojans from computers that have now been made zombies out to infect YOU. Important to have effective protection to stop this such as
btech Posted July 17, 2009 "The IP 61.225.22.8 is from Korea. Unless you expect email from Korea, you should have that country blocked. In this case that IP is a mail server and would resend, thus getting past Greylisting." Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to.
rconner Posted July 17, 2009 "Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz And this one... spam level 0?! It says 'drugs' 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez" Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you. -- rick
petzl Posted July 18, 2009 "Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to." Just pay to check your whitelist. A whitelist will override SpamAssassin, greylisting and blacklists. I did not see in your example where it was whitelisted, and it should not have ended up in your inbox?
StevenUnderwood Posted July 20, 2009 "Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you." I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass.
rconner Posted July 20, 2009 "I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass." Hmmm... I pulled the SPF records for the HELO of what appeared to be the originator of the zero-score spam (asianet.co.th), and this message very conspicuously fails to pass an SPF check as far as I can tell. On the other hand, maybe the check is done on the HELO of btech's own domain, but I failed to get a clear SPF pass here either (though I may not know enough about reading SPF records to be sure). So, I wonder which HELO got tested and passed the SPF check? -- rick
DavidT Posted July 23, 2009 Not sure if anyone has asked you this before, but you're not using a "catchall" address (aka "default address") for your domain, are you? That makes all possible incoming addresses valid and is pretty much an invitation to mass quantities of spam. DT
mootimus Posted July 24, 2009 Greetings, Here's a user rant for you, with a plea for remediation on the Spamcop side, or tips on the user side. :-) For the past few weeks both of my Spamcop accounts have been receiving a huge number of spams (10-15 a day in each one) making it through Spamcop's filters, my filters, and into my Inbox instead of Held Mail, leaving me to gloriously delete them individually. In the years I've had these accounts, I've never spent so much time cleaning my inboxes on a regular basis; second, the Spamassassin levels as reported in the headers are 1-2 stars or below, which is right about the threshold of my non-spam mail as well. Whitelisting everyone I know is not a workable solution, for obvious reasons. The fact that the X-spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the spam assassin side of the flow. Before I get flamed, here are my account settings:
* All DNS blacklists enabled except 'Spamhaus PBL'
* x-spam-level 5
* I'm not in my whitelist
* no forwarding to or from the Spamcop accounts
So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)? Thanks in advance, Matt
Farelf Posted July 24, 2009 You've read the recent topic at http://forum.spamcop.net/forums/index.php?showtopic=10500 ? Is greylisting an option for you? Can we have a tracking URL for one of those slipping through?
mootimus Posted July 24, 2009 Posted July 24, 2009 0 x-spam-level http://www.spamcop.net/sc?id=z3151436249ze...66d653d82b04a9z 1 x-spam-level http://www.spamcop.net/sc?id=z3151441705za...7a77c11615733dz 2 x-spam-level http://www.spamcop.net/sc?id=z3151445100z1...db96a346236a2bz You've read the recent topic at http://forum.spamcop.net/forums/index.php?showtopic=10500 ? Is greylisting an option for you? Can we have a tracking URL for one of those slipping through? And just to respond to the second question -- greylisting is, to me, a bandaid solution to a fundamental problem which is the need to adjust the algorithms which seemed previously to properly raise the x-spam-level rating. Why the same string values ('acai berry' 'luxury watches' etc etc etc) get sent over and over and over daily to me over the course of a few weeks, never raising the x-spam-level above 1 or 2 (if even that), is probably something that should be confirmed as impossible to overcome programmatically, clever spammers or not. The greylist solution is clunky because the real-time nature of e-mails are an appeal of the technology and in today's world unfortunately a necessity, making half hour to an hour delays for new senders a very iffy proposition for most people. Consider responses to job postings, or -- more concrete example: every single time my bank's cookie expires, they make me do an e-mail confirmation which sends me an ID code before I am able to log in. Matt
michaelanglo Posted July 24, 2009 "[...] The fact that the X-spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the spam assassin side of the flow. [...] So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)?" Except for "replica", I think SA doesn't use real words much since the Viagra etc. lot just went over to misspelling. To investigate this properly would need a look at what SA tests were effective both now and in the past - I found the URL tests were the usual trigger - and what might be made more effective. You don't say how many spams a month you get (index numbers in VER or Held make this quite easy to record). I have SA=2.0, 3622 spams (121/d), 46 leakers (=1.3 %) for June with all Blocklists including pbl, in spite of the false positives caused by the SC implementation. There is a trick to let you just look at the borderline SA values, so going from SA=5.0 to SA=2.0 is no risk nor requires more than a few to be eyeballed. Thus, using SC Webmail Search on the held folder (and save as a virtual folder), search 'Entire message' for any of "hits=0.", "hits=1.", "hits=2.", "hits=3.", "hits=4.", plus for good measure any that don't contain "hits=" at all. This should show you all the low SA and blocklist items, which (for me) is only 1-5 a day. HTH
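As an added example (not code from the thread or from SpamCop), the following Python automates the borderline review described above and the earlier suspicion about which tests drive low scores: it parses the SpamAssassin X-Spam-Status and X-Spam-Level headers, selects messages whose hits fall in the "hits=0." to "hits=4." buckets plus any with no hits= at all, and tallies which SA tests fired in that borderline set. The sample headers are constructed, and the field names follow the SpamAssassin 3.x header format the posters quote.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the thread); only the headers matter.
SAMPLES = [
    "X-Spam-Level: **\nX-Spam-Status: No, hits=2.3 required=5.0 "
    "tests=HTML_MESSAGE,SPF_HELO_PASS\nSubject: luxury replica watches\n\n...\n",
    "X-Spam-Level: \nX-Spam-Status: No, hits=0.4 required=5.0 "
    "tests=SPF_HELO_PASS\nSubject: acai berry\n\n...\n",
    "X-Spam-Level: ******\nX-Spam-Status: Yes, hits=6.8 required=5.0 "
    "tests=URIBL_BLACK,HTML_MESSAGE\nSubject: cheap meds\n\n...\n",
    "Subject: no SA headers at all\n\n...\n",
    "X-Spam-Level: \nX-Spam-Status: No, hits=-1.9 required=5.0 "
    "tests=BAYES_00\nSubject: meeting notes\n\n...\n",
]

HITS_RE = re.compile(r"\bhits=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"\btests=([A-Za-z0-9_,]*)")

def parse_sa_headers(raw):
    """Return {'hits', 'tests', 'stars', 'subject'} for one raw message,
    or None when it carries no parsable X-Spam-Status header."""
    msg = message_from_string(raw)
    status = msg.get("X-Spam-Status", "")
    m = HITS_RE.search(status)
    if not m:
        return None
    tests_m = TESTS_RE.search(status)
    tests = [t for t in (tests_m.group(1).split(",") if tests_m else []) if t]
    # X-Spam-Level carries one '*' per whole point of score (none if negative).
    stars = (msg.get("X-Spam-Level") or "").count("*")
    return {"hits": float(m.group(1)), "tests": tests, "stars": stars,
            "subject": msg.get("Subject", "")}

def borderline_review(raws, low=0.0, high=5.0):
    """Split messages the way the webmail search does: those scoring in
    [low, high), those with no hits= at all (returned by subject), and a
    count of which SA tests fired across the borderline set."""
    borderline, unscored, test_counts = [], [], {}
    for raw in raws:
        parsed = parse_sa_headers(raw)
        if parsed is None:
            unscored.append(message_from_string(raw).get("Subject", ""))
            continue
        if low <= parsed["hits"] < high:
            borderline.append(parsed)
            for t in parsed["tests"]:
                test_counts[t] = test_counts.get(t, 0) + 1
    return borderline, unscored, test_counts
```

Pointing `borderline_review` at the held folder's raw messages gives the same short list the search trick produces, and the test tally shows at a glance whether one rule (such as SPF_HELO_PASS) recurs across the leakers.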