
Mailing List Archive: SpamAssassin: users

VL scoring 0.1 Phish Spam

 

 



richard at buzzhost

Oct 31, 2009, 12:46 AM

Post #1 of 5 (223 views)
VL scoring 0.1 Phish Spam

http://pastebin.com/m53a550ce

Somewhat unfortunately seen coming out of The Dana-Farber Cancer
Institute.

Looking at it objectively there is little for a filter to go on other
than the words:

username password followed by a webmail type email address

in the body.
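
The cue described in the post above (the words "username" and "password" followed by a webmail address in the body) can be sketched as a content check. This is an added example, not code from the thread or from SpamAssassin; the domain list, the 400-character window, the scores and the sample body are constructed assumptions.

```python
import re

# Assumptions (not from the thread): this short webmail-domain list, the
# 400-character window and the 3.0 / 0.5 scores are constructed for illustration.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com", "aol.com"}
CRED_WORDS = {
    "username": re.compile(r"\buser[\s_-]?(?:name|id)\b", re.I),
    "password": re.compile(r"\bpass[\s_-]?word\b", re.I),
}
ADDRESS = re.compile(r"\b[\w.+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

# Constructed sample body, not the message from the pastebin link.
SAMPLE_PHISH = (
    "Dear user,\nYour mailbox is over quota. Reply with:\n"
    "Username:\nPassword:\n"
    "Send to upgrade.team@hotmail.com within 24 hours.\n"
)


def strip_quoted(body):
    """Drop '>' quoted lines so a reply that quotes a phish is not flagged again."""
    return "\n".join(
        line for line in body.splitlines() if not line.lstrip().startswith(">")
    )


def score_body(body, window=400):
    """Return (score, reasons) for a plain-text message body."""
    text = strip_quoted(body)
    hits = {name: rx.search(text) for name, rx in CRED_WORDS.items()}
    reasons = [name for name, match in hits.items() if match]
    if len(reasons) < len(CRED_WORDS):
        return 0.0, reasons  # no full credential request, nothing to add
    last_cred = max(match.end() for match in hits.values())
    # Only addresses that follow the credential request count, as in the post.
    for match in ADDRESS.finditer(text, last_cred):
        if match.start() - last_cred > window:
            break  # too far from the request to be its drop address
        domain = match.group(1).lower()
        if domain in WEBMAIL_DOMAINS:
            return 3.0, reasons + ["webmail:" + domain]
    return 0.5, reasons  # asks for credentials, but no webmail drop address


if __name__ == "__main__":
    print(score_body(SAMPLE_PHISH))
```

A message that mentions both words but points at a non-webmail address gets only the small score, and quoted replies are skipped, which keeps list traffic discussing a phish from matching.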


cpollock at embarqmail

Oct 31, 2009, 5:29 AM

Post #2 of 5 (198 views)
Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 07:46 +0000, richard[at]buzzhost.co.uk wrote:
> http://pastebin.com/m53a550ce
>
> Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> Institute.
>
> Looking at it objectively there is little for a filter to go on other
> than the words:
>
> username password followed by a webmail type email address
>
> in the body.
>
>
>
Short Circuit rule hit here due to ClamAv plug-in firing:

-0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
[155.52.251.101 listed in
hostkarma.junkemailfilter.com]
20 CLAMAV Clam AntiVirus detected a virus

X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)

--
KeyID 0xE372A7DA98E6705C


richard at buzzhost

Oct 31, 2009, 5:53 AM

Post #3 of 5 (200 views)
Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> On Sat, 2009-10-31 at 07:46 +0000, richard[at]buzzhost.co.uk wrote:
> > http://pastebin.com/m53a550ce
> >
> > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > Institute.
> >
> > Looking at it objectively there is little for a filter to go on other
> > than the words:
> >
> > username password followed by a webmail type email address
> >
> > in the body.
> >
> >
> >
> Short Circuit rule hit here due to ClamAv plug-in firing:
>
> -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> [155.52.251.101 listed in
> hostkarma.junkemailfilter.com]
> 20 CLAMAV Clam AntiVirus detected a virus
>
> X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
>
My clamav is on a milter ahead of SA, my thinking being I don't bother
scanning anything that has a virus - drop it with an SMTP 5xx. I had no
virus/attachment with this mail, hence why it scanned and scored low.
I'm not sure if this is the spammer dropping a cog and not attaching
anything.


cpollock at embarqmail

Oct 31, 2009, 6:05 AM

Post #4 of 5 (200 views)
Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 12:53 +0000, richard[at]buzzhost.co.uk wrote:
> On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> > On Sat, 2009-10-31 at 07:46 +0000, richard[at]buzzhost.co.uk wrote:
> > > http://pastebin.com/m53a550ce
> > >
> > > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > > Institute.
> > >
> > > Looking at it objectively there is little for a filter to go on other
> > > than the words:
> > >
> > > username password followed by a webmail type email address
> > >
> > > in the body.
> > >
> > >
> > >
> > Short Circuit rule hit here due to ClamAv plug-in firing:
> >
> > -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> > [155.52.251.101 listed in
> > hostkarma.junkemailfilter.com]
> > 20 CLAMAV Clam AntiVirus detected a virus
> >
> > X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
> >
> My clamav is on a milter ahead of SA, my thinking being I don't bother
> scanning anything that has a virus - drop it with an SMTP 5xx. I had no
> virus/attachment with this mail, hence why it scanned and scored low.
> I'm not sure if this is the spammer dropping a cog and not attaching
> anything.
>
Are you running the 'unofficial' sigs with clamav or just the official
ones? As above, my clamav setup tagged this as a 'spear phishing'
attempt with the unofficial sigs.

--
KeyID 0xE372A7DA98E6705C


richard at buzzhost

Oct 31, 2009, 7:08 AM

Post #5 of 5 (199 views)
Re: VL scoring 0.1 Phish Spam

On Sat, 2009-10-31 at 08:05 -0500, Chris wrote:
> On Sat, 2009-10-31 at 12:53 +0000, richard[at]buzzhost.co.uk wrote:
> > On Sat, 2009-10-31 at 07:29 -0500, Chris wrote:
> > > On Sat, 2009-10-31 at 07:46 +0000, richard[at]buzzhost.co.uk wrote:
> > > > http://pastebin.com/m53a550ce
> > > >
> > > > Somewhat unfortunately seen coming out of The Dana-Farber Cancer
> > > > Institute.
> > > >
> > > > Looking at it objectively there is little for a filter to go on other
> > > > than the words:
> > > >
> > > > username password followed by a webmail type email address
> > > >
> > > > in the body.
> > > >
> > > >
> > > >
> > > Short Circuit rule hit here due to ClamAv plug-in firing:
> > >
> > > -0.1 RCVD_IN_HOSTKARMA_NO RBL: HostKarma: relay in NO-BL (varies)
> > > [155.52.251.101 listed in
> > > hostkarma.junkemailfilter.com]
> > > 20 CLAMAV Clam AntiVirus detected a virus
> > >
> > > X-Spam-Virus: Yes (Sanesecurity.Spear.9873.UNOFFICIAL)
> > >
> > My clamav is on a milter ahead of SA, my thinking being I don't bother
> > scanning anything that has a virus - drop it with an SMTP 5xx. I had no
> > virus/attachment with this mail, hence why it scanned and scored low.
> > I'm not sure if this is the spammer dropping a cog and not attaching
> > anything.
> >
> Are you running the 'unofficial' sigs with clamav or just the official
> ones? As above, my clamav setup tagged this as a 'spear phishing'
> attempt with the unofficial sigs.
>
Vanilla, Chris - but not via SpamAssassin. Upstream of it.
