
Mailing List Archive: SpamAssassin: users

Low score? Recommendations?

 

 



jdavis at standard

Oct 5, 2009, 9:32 AM

Post #1 of 9 (778 views)
Permalink
Low score? Recommendations?

Keep getting similar obvious (to me) spam - tuning recommendations? My threshold is torqued down to 3.5

X-SPAM-LEVEL: *
X-SPAM-STATUS: No, score=1.1 required=3.5 tests=BAYES_50,RAZOR2_CHECK, SPF_HELO_PASS,US_DOLLARS_3 autolearn=no version=3.2.4

Good Day

My name is Mr. Song Li. I work with the Hang Seng Bank. There is a sum of
$19,500,000.00 in my bank Hang Seng Bank", Hong Kong. There were no
beneficiaries stated concerning these funds which means no one would ever
come to claim it. That is why I ask that we work together.

I do solicit for your assistance in effecting this transaction.I intend to
give 30% of the total funds as compensation for your assistance.

I will notify you on the full transaction on receipt of your response if
interested, and I shall send you the details and necessary
procedures with which to make the transfer.

Should you be interested? Please send me your:

1. Full names
2. Private phone number
3. Current residential address

You can email me at : { songli45 [at] gmail }

Kind Regard.
Mr Song li

--
Jefferson K Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
661.392.2110

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


jarif at iki

Oct 5, 2009, 9:41 AM

Post #2 of 9 (747 views)
Permalink
Re: Low score? Recommendations? [In reply to]

> Keep getting similar obvious (to me) spam - tuning
> recommendations? My threshold is torqued down to 3.5
>
> X-Spam-Level: *
> X-Spam-Status: No, score=1.1 required=3.5
> tests=BAYES_50,RAZOR2_CHECK, SPF_HELO_PASS,US_DOLLARS_3
> autolearn=no version=3.2.4
>

Please don't send spam to the list. Post the original email with full headers to www.pastebin.org, and let us examine it.

Setting the spam threshold to 3.5 is dangerous and may lead to false positives, when you get your SpamAssassin configured correctly.

It is not possible to test your sample now, it lacks the headers and everything to make it an email message.


guenther at rudersport

Oct 5, 2009, 9:42 AM

Post #3 of 9 (737 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon, 2009-10-05 at 09:32 -0700, Jefferson Davis wrote:
> Keep getting similar obvious (to me) spam - tuning recommendations?

Bayes training. Sought [1] Fraud third-party rule-set.

> My threshold is torqued down to 3.5

Don't. Do expect FPs with a required_score that low.


> X-Spam-Status: No, score=1.1 required=3.5 tests=BAYES_50,RAZOR2_CHECK,
> SPF_HELO_PASS,US_DOLLARS_3 autolearn=no version=3.2.4

[pasted sample snipped]

Do NOT paste spam samples. Put 'em up your site or a pastebin instead
and provide a link. Always do provide the RAW, unaltered original mail,
rather than a copy-n-paste of the body into a munging editor.


[1] http://wiki.apache.org/spamassassin/SoughtRules

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


jhardin at impsec

Oct 5, 2009, 9:43 AM

Post #4 of 9 (738 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon, 5 Oct 2009, Jefferson Davis wrote:

>
>
> Keep getting similar obvious (to me) spam - tuning recommendations? My
> threshold is torqued down to 3.5
>
> X-SPAM-LEVEL: *
> X-SPAM-STATUS: No, score=1.1 required=3.5 tests=BAYES_50,RAZOR2_CHECK, SPF_HELO_PASS,US_DOLLARS_3 autolearn=no version=3.2.4
>
> Good Day
>
> My name is Mr. Song Li. I work with the Hang Seng Bank. There is a sum of
> $19,500,000.00 in my bank Hang Seng Bank", Hong Kong. There were no
> beneficiaries stated concerning these funds which means no one would ever
> come to claim it. That is why I ask that we work together.

(1) put your threshold back to 5.0, all of the scores are generated based
on that threshold and it should not be changed lightly.

(2) BAYES_50 for that? You should be training your BAYES, it should have
caught that.

(3) That's the sort of spam the SOUGHT_FRAUD rules are designed to catch;
you might want to install the SOUGHT ruleset.

http://wiki.apache.org/spamassassin/SoughtRules

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Vista is at best mildly annoying and at worst makes you want to
rush to Redmond, Wash. and rip somebody's liver out. -- Forbes
-----------------------------------------------------------------------
Approximately 9185280 firearms legally purchased in the U.S. this year


jdavis at standard

Oct 5, 2009, 11:01 AM

Post #5 of 9 (737 views)
Permalink
Re: Low score? Recommendations? [In reply to]

----- Message from jdavis [at] standard ---------
Date: Mon, 05 Oct 2009 09:32:39 -0700
From: Jefferson Davis <jdavis [at] standard>
Subject: Low score? Recommendations?
To: users <users [at] spamassassin>

> Keep getting similar obvious (to me) spam - tuning recommendations? My threshold is torqued down to 3.5

*** inappropriate content removed ***
----- End message from jdavis [at] standard -----

Thanks for the tips and low-grade knuck-wrap. Investigating - installed 20_sought, tweaked local.cf back to 5.0 per list recommendation.

Appears that perhaps bayes_db is jacked up. re-training.

--
Jefferson K Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
661.392.2110

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


guenther at rudersport

Oct 5, 2009, 11:17 AM

Post #6 of 9 (741 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon, 2009-10-05 at 11:01 -0700, Jefferson Davis wrote:
> Thanks for the tips and low-grade knuck-wrap. Investigating -
> installed 20_sought, tweaked local.cf back to 5.0 per list
> recommendation.
>
> Appears that perhaps bayes_db is jacked up. re-training.

All good. :)

Just a minor nit, in case it isn't just different terminology. Installed
sounds like a one-time operation -- the Sought rule-set needs to be
updated using sa-update frequently, preferably more than once a day.
Also note that when using sa-update, you need to run it for the stock
rules, too. At the very least, once. A plain 'sa-update' will populate
the stock channel.

After training Bayes, it might be worth keeping an eye on it. In
particular, that your users are not just deleting low-scoring spam, but
instead move it somewhere after human review for training.


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


jhardin at impsec

Oct 5, 2009, 11:18 AM

Post #7 of 9 (730 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon, 5 Oct 2009, Jefferson Davis wrote:

> installed 20_sought

There are actually two sought rulesets, one generated from a general
spamtrap and one generated from hand-classified fraud corpora. You likely
want both.

If you set up sought in sa-update (which is what you should do as they are
regenerated often) rather than manually installing a rule file, you're
good. You also want to be running sa-update daily if you're using them.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
Approximately 9188040 firearms legally purchased in the U.S. this year


Dan.McDonald at austinenergy

Oct 5, 2009, 11:30 AM

Post #8 of 9 (736 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon, 2009-10-05 at 20:17 +0200, Karsten Bräckelmann wrote:
> On Mon, 2009-10-05 at 11:01 -0700, Jefferson Davis wrote:
> > Thanks for the tips and low-grade knuck-wrap. Investigating -
> > installed 20_sought, tweaked local.cf back to 5.0 per list
> > recommendation.


> Just a minor nit, in case it isn't just different terminology. Installed
> sounds like a one-time operation -- the Sought rule-set needs to be
> updated using sa-update frequently, preferably more than once a day.


How often should I be running sa-update to pick up SOUGHT. I currently
run it automatically once a day, and ad-hoc whenever I tweak any other
rules. Should I run 4 times/day? 6? Inquiring minds want to know.



--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


me at junc

Oct 5, 2009, 11:45 AM

Post #9 of 9 (747 views)
Permalink
Re: Low score? Recommendations? [In reply to]

On Mon 05 Oct 2009 20:30:09 CEST, "McDonald, Dan" wrote
> How often should I be running sa-update to pick up SOUGHT. I currently
> run it automatically once a day, and ad-hoc whenever I tweak any other
> rules. Should I run 4 times/day? 6? Inquiring minds want to know.

First one would need to know how sa-update works; then you know
how many times each day you would like to try updating :)

sa-update checks DNS, not HTTP, to find out if there are updates. If DNS says
a new version exists, it will download it with HTTP, and if it passes --lint it
will be used; if it does not lint, the update is held back until the
remote has fixed the problem.

The answer is more in how many times each day you want to sa-compile.

--
xpoint
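
A cron-style wrapper for the update flow described in posts #6, #7 and #9, added here as an example and not part of the thread or the SpamAssassin project's own scripts. The extra channel names, GPG key ids and reload command are left as empty placeholders (take the real Sought values from the SoughtRules wiki page linked above); `update_rules` and the variable names are hypothetical.

```shell
#!/bin/sh
# Added example: run sa-update for the stock channel plus any extra channels,
# then compile/reload only when new rules were actually installed.

SA_UPDATE=${SA_UPDATE:-sa-update}
SA_COMPILE=${SA_COMPILE:-}          # set to "sa-compile" if you use compiled rules
RELOAD_CMD=${RELOAD_CMD:-}          # assumption: site-specific spamd reload command
# Naming any --channel replaces the default channel, so the stock channel
# has to be listed explicitly next to the extra ones.
STOCK_CHANNEL=updates.spamassassin.org
EXTRA_CHANNELS=${EXTRA_CHANNELS:-}  # placeholder: Sought channel names from the wiki
GPG_KEYS=${GPG_KEYS:-}              # placeholder: key ids for the extra channels

# Prints one of: updated | current | failed. Returns non-zero only on failure.
update_rules() {
    set -- --channel "$STOCK_CHANNEL"
    for ch in $EXTRA_CHANNELS; do set -- "$@" --channel "$ch"; done
    for key in $GPG_KEYS; do set -- "$@" --gpgkey "$key"; done

    rc=0
    "$SA_UPDATE" "$@" || rc=$?
    case $rc in
        0)  # an update was available, passed lint and was installed
            if [ -n "$SA_COMPILE" ]; then
                "$SA_COMPILE" >/dev/null || { echo failed; return 1; }
            fi
            if [ -n "$RELOAD_CMD" ]; then
                $RELOAD_CMD >/dev/null || { echo failed; return 1; }
            fi
            echo updated ;;
        1)  # the DNS check found nothing newer: no download, no recompile
            echo current ;;
        *)  # any other exit code is treated as an error here
            echo failed; return 1 ;;
    esac
}

# Run only when called as "script run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    update_rules
fi
```

Because a run with no new rules stops after the DNS check, scheduling it several times a day mostly costs DNS lookups; the expensive steps (sa-compile and the reload) happen only on exit code 0.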
