
I need help -spam woes



brdsolutions
08-18-2004, 07:54 AM
I need help!?!?! I have been trying to use SpamAssassin for the past 6 months and still having problems. I have adjusted some of the filters, scores and tests, but spam is still coming through unmarked and/or getting through undetected. I have a client that is getting very annoyed with me, and Westhost, because with their last host they received very little to no spam. One user overnight gets an average of 50 emails, 10 of which are legit, 10 maybe marked spam and the rest are spam but not marked. Any suggestions are greatly appreciated.

jalal
08-18-2004, 08:30 AM
There is no point in blaming Westhost, they just provide the tools, it is up to us to use them. By default their installation of SpamAssassin is of 'medium strength'.

It can be setup to provide a rock solid installation. As an example, the last time I checked I was receiving something in the region of 400-500 spams a day. About 100 are to the wrong email address and are rejected (mostly virii to be more accurate) and of the rest about 1-2% get through the system, about 5-10 a day, which I can deal with.

Some things you can do:
* Make sure there is no catch-all email alias.
* Make sure that SpamAssassin is actually processing the emails.
* Let us know what you are doing so far and maybe someone can suggest some improvements.
* If you are responsible for a client's email setup, which you seem to be, then you need to learn how this stuff works. That, presumably, is what they are paying you for! You can start with the link in my sig, and check the web. There is *loads* of information on this subject, you are not alone!

HTH

brdsolutions
08-18-2004, 09:39 AM
Thank you, I will look at that site. What I have done so far is:
I edited the local.cf with white_list and black_list.
I also added scores to tests that I saw most spam was triggering.
The problem seems to reside in the spam that comes through and does not trigger any tests?

For example:


From bounce-595957_115@fellowservantsdirect.com Wed Aug 18 06:35:43 2004
X-UIDL: S?]!!ehB!!G?+"!BEd!!
Return-Path: <bounce-595957_115@fellowservantsdirect.com>
Received: from mail9.sex4nothing.net (mail9.sex4nothing.net [209.50.54.251])
by aignerassoc.com (8.11.6/8.11.6) with ESMTP id i7ICZhf23368
for <annemarie@aignerassoc.com>; Wed, 18 Aug 2004 06:35:43 -0600
Received: by mail9.sex4nothing.net (Postfix, from userid 0)
id 3A6B9A366F; Wed, 18 Aug 2004 06:15:06 -0700 (MST)
Message-Id: <NTk1OTU3XzExNQ@fellowservantsdirect.com>
From: "Men Thunder" <reply-595957_115@fellowservantsdirect.com>
To: "Adult Freely Subscriber" <annemarie@aignerassoc.com>
Subject: SEXUALLY-EXPLICIT: T.op g.ay site of the year
Content-Type: multipart/alternative;
boundary="------------toonswayvl:NTk1OTU3XzExNQ"
Lines: 145
Date: Wed, 18 Aug 2004 06:15:06 -0700 (MST)
Status: RO


Compared to:



From tifvrwxjfzs@netcityhk.com Tue Aug 17 18:24:25 2004
X-UIDL: ,'K"!dLb!!lN~"!W?4"!
Return-Path: <tifvrwxjfzs@netcityhk.com>
Received: from dexserv.net (dexserv.net [81.169.172.165])
by aignerassoc.com (8.11.6/8.11.6) with SMTP id i7I0ODI07342;
Tue, 17 Aug 2004 18:24:24 -0600
Received: from 210.14.107.138 by web654.mail.yahoo.com; Tue, 17 Aug 2004 21:14:22 -0300
Message-ID: <LCWCBFKDICJFDJAEDARUK@gt.rr.com>
From: "Alicia Conner" <tifvrwxjfzs@netcityhk.com>
To: annemarie@aignerassoc.com, jprensky@aignerassoc.com
Subject: appointment on friday at 09-00
Date: Tue, 17 Aug 2004 19:19:22 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--394235438707089"
X-CS-IP: 169.246.164.242
X-Spam-Status: No, hits=2.1 required=3.0
tests=HTML_10_20,HTML_IMAGE_ONLY_10,HTML_MESSAGE,
MIME_HTML_NO_CHARSET,MIME_HTML_ONLY
version=2.52
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.52 (1.174.2.8-2003-03-24-exp)
Status: RO


or



From arksztmbrfh@poczta.onet.pl Wed Aug 18 06:43:43 2004
Return-Path: <arksztmbrfh@poczta.onet.pl>
Received: from 69.36.187.10 ([221.166.234.191])
by aignerassoc.com (8.11.6/8.11.6) with SMTP id i7IChfN27033
for <annemarie@aignerassoc.com>; Wed, 18 Aug 2004 06:43:42 -0600
Received: from dns502.uol.com.br ([225.151.33.190]) by 221.166.234.191 with SMTP id 23D84AA3;
Wed, 18 Aug 2004 19:57:03 +0600
Date: Wed, 18 Aug 2004 09:02:03 -0500
From: "Jamel Mccollum" <pyhgyx@uol.com.br>
Reply-To: "Jamel Mccollum" <pyhgyx@uol.com.br>
Message-Id: <IoTTRNR77ciCN@conformal>
Organization: wedding dress 6 onlookers
To: annemarie@aignerassoc.com
X-Mailer: assassin accession fadeout
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="=====12071117767458=_"
X-Spam-Status: Yes, hits=23.4 required=3.0
tests=HTML_00_10,J_CHICKENPOX_12,J_CHICKENPOX_13,J_CHICKENPOX_16,
J_CHICKENPOX_22,J_CHICKENPOX_24,J_CHICKENPOX_27,
J_CHICKENPOX_42,J_CHICKENPOX_51,J_CHICKENPOX_62
version=2.52
X-Spam-Level: ***********************
X-Spam-Checker-Version: SpamAssassin 2.52 (1.174.2.8-2003-03-24-exp)
X-Spam-Report: ---- Start SpamAssassin results
23.40 points, 3 required;
* 3.0 -- BODY: {4}Letter - punctuation - {2}Letter
* 3.0 -- BODY: {5}Letter - punctuation - {1}Letter
* 0.6 -- BODY: {6}Letter - punctuation - {2}Letter
* 3.0 -- BODY: {1}Letter - punctuation - {2}Letter
* 3.0 -- BODY: {1}Letter - punctuation - {3}Letter
* 3.0 -- BODY: {1}Letter - punctuation - {6}Letter
* 3.0 -- BODY: {2}Letter - punctuation - {2}Letter
* 3.0 -- BODY: {2}Letter - punctuation - {4}Letter
* 0.6 -- BODY: {2}Letter - punctuation - {7}Letter
* 1.2 -- BODY: Message is 0% to 10% HTML
---- End of SpamAssassin results
X-Spam-Flag: YES
Subject: ***SPAM*** ysuu,News approaching to highlight the hidden value for invest0rs

jalal
08-18-2004, 02:08 PM
Hmm, I see what you mean...

You could try turning on the logging in procmailrc (make it verbose for a couple of days) and that will tell you what procmail is doing with the emails and whether it is sending it off to spamassassin or not. I think that is where I would start.

I might add, that I've sometimes had the same happen to me, but so rarely that I've never bothered finding out what was going on. If you do suss it out, let us know...

HTH
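What the suggested logging looks like in practice, as an added example (not jalal's or anyone else's file from this thread): a ~/.procmailrc that turns on verbose logging, runs every message through SpamAssassin first, and then files high-scoring mail. VERBOSE, LOGFILE and LOGABSTRACT are standard procmail variables; the log path, the spam folder and the six-star threshold are assumptions.

```procmail
# ~/.procmailrc  (added example; paths and threshold are assumptions)
VERBOSE=yes                 # temporary: log every condition procmail evaluates
LOGFILE=$HOME/procmail.log  # where the verbose log goes
LOGABSTRACT=all             # one "From/Subject/Folder" summary per delivery

# Run every message through SpamAssassin before any other recipe.
# f = filter (rewrite the message), w = wait for the exit code,
# the trailing lock file serialises concurrent runs.
:0fw: spamassassin.lock
| /usr/bin/spamassassin

# Anything scored six or more goes to a spam folder instead of the inbox.
:0:
* ^X-Spam-Level: \*\*\*\*\*\*
$HOME/mail/spam
```

With VERBOSE=yes procmail writes an "Executing" line for the pipe recipe and a "Match"/"No match" line for each condition, so a message that never went through the spamassassin recipe shows up as a log block with no "Executing" line at all, which is the first thing to look for when unmarked spam is landing in the inbox. Turn VERBOSE back off afterwards; the log grows quickly.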

dansroka
08-18-2004, 10:36 PM
Can spamassassin get bogged down? As in, if it was busy scanning some email, other email might slip by?

brdsolutions
08-18-2004, 10:39 PM
Logging is now enabled for a few of the most problematic users. I am not quite sure how to interpret procmailrc.log but will watch it over the next couple of days.

I noticed another stumper for me...
an email sent to two users one gets marked as spam the other not...
Both users have the same settings. I believe anyway...


From segbxhtayas@yahoo.com Wed Aug 18 22:21:51 2004
Return-Path: <segbxhtayas@yahoo.com>
Received: from cdm-208-180-182-23.brns.cox-internet.com (cdm-208-180-182-23.brns.cox-internet.com [208.180.182.23])
by aignerassoc.com (8.11.6/8.11.6) with SMTP id i7J4Lmj11489;
Wed, 18 Aug 2004 22:21:50 -0600
Message-Id: <200408190421.i7J4Lmj11489@aignerassoc.com>
Original-Encoded-Information-Types: multipart/alternative
Language: English
Disclose-Recipients: No
Reply-To: "Lindsey Gay" <segbxhtayas@yahoo.com>
From: "Lindsey Gay" <segbxhtayas@yahoo.com>
To: annemarie@aignerassoc.com, jprensky@aignerassoc.com
Date: Thu, 19 Aug 2004 23:30:03 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--304935783901649"
X-Spam-Status: Yes, hits=9.1 required=3.0
tests=BAD_CREDIT,DATE_IN_FUTURE_12_24,FORGED_YAHOO_RCVD,
MORTGAGE_PITCH,MSG_ID_ADDED_BY_MTA_3
version=2.52
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.52 (1.174.2.8-2003-03-24-exp)
X-Spam-Report: ---- Start SpamAssassin results
9.10 points, 3 required;
* 0.7 -- BODY: Looks like mortgage pitch
* 3.0 -- BODY: Eliminate Bad Credit
* 2.3 -- 'From' yahoo.com does not match 'Received' headers
* 0.3 -- 'Message-Id' was added by a relay (3)
* 2.8 -- Date: is 12 to 24 hours after Received: date
---- End of SpamAssassin results
X-Spam-Flag: YES
Subject: ***SPAM*** is that raelly you?

second user:

From segbxhtayas@yahoo.com Wed Aug 18 22:21:52 2004
Return-Path: <segbxhtayas@yahoo.com>
Received: from cdm-208-180-182-23.brns.cox-internet.com (cdm-208-180-182-23.brns.cox-internet.com [208.180.182.23])
by aignerassoc.com (8.11.6/8.11.6) with SMTP id i7J4Lmj11489;
Wed, 18 Aug 2004 22:21:50 -0600
Message-Id: <200408190421.i7J4Lmj11489@aignerassoc.com>
Original-Encoded-Information-Types: multipart/alternative
Language: English
Disclose-Recipients: No
Reply-To: "Lindsey Gay" <segbxhtayas@yahoo.com>
From: "Lindsey Gay" <segbxhtayas@yahoo.com>
To: annemarie@aignerassoc.com, jprensky@aignerassoc.com
Subject: is that raelly you?
Date: Thu, 19 Aug 2004 23:30:03 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--304935783901649"
X-Spam-Status: No, hits=1.5 required=3.0
tests=BAD_CREDIT,BAYES_01,DATE_IN_FUTURE_12_24,FORGED_YAHOO_RCVD,
MORTGAGE_PITCH,MSG_ID_ADDED_BY_MTA_3
version=2.52
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 2.52 (1.174.2.8-2003-03-24-exp)

Any thoughts?

jalal
08-19-2004, 12:45 AM
The second email is going through the same tests (see the tests line) so in this case it sounds like the second email is simply not scoring anything for the tests, while the first one is.

Possibly a syntax error in the .spamassassin files?

brdsolutions
08-20-2004, 08:02 AM
I think I found where the two users were different and have solved that. As for the mail coming through without triggering the tests, I am still not sure what is happening.

Here is a header of an email followed by the procmailrc.log:

From bounce-595957_115@overpastbreeding.com Fri Aug 13 11:19:44 2004
X-UIDL: L4%"!ii`!!<DN!!"<X!!
Return-Path: <bounce-595957_115@overpastbreeding.com>
Received: from mail4.sex4nothing.net (mail4.sex4nothing.net [209.50.54.98])
by aignerassoc.com (8.11.6/8.11.6) with ESMTP id i7DHJhE10375
for <annemarie@aignerassoc.com>; Fri, 13 Aug 2004 11:19:43 -0600
Received: by mail4.sex4nothing.net (Postfix, from userid 0)
id 6272D3102F7; Fri, 13 Aug 2004 10:35:05 -0700 (MST)
Message-Id: <NTk1OTU3XzExNQ@overpastbreeding.com>
From: "Private ****" <reply-595957_115@overpastbreeding.com>
To: "Adult Freely Subscriber" <annemarie@aignerassoc.com>
Subject: SEXUALLY-EXPLICIT: This Studly Army Grunt Will Make You Gru
Content-Type: multipart/alternative;
boundary="------------vuqrmgurnxmtly:NTk1OTU3XzExNQ"
Lines: 74
Date: Fri, 13 Aug 2004 10:35:05 -0700 (MST)
Status: RO


procmail: [31201] Thu Aug 19 15:43:19 2004
procmail: Assigning "LOGABSTRACT=YES"
procmail: Assigning "SHELL=/bin/sh"
procmail: No match on "^X-Spam-Level: \*\*\*\*\*\*"
procmail: Locking "/var/spool/mail/annemarie.lock"
procmail: Assigning "LASTFOLDER=/var/spool/mail/annemarie"
procmail: Opening "/var/spool/mail/annemarie"
procmail: Acquiring kernel-lock
procmail: Unlocking "/var/spool/mail/annemarie.lock"
procmail: Notified comsat: "annemarie@17963697:/var/spool/mail/annemarie"
From bounce-595957_115@obededomcommitteth.com Thu Aug 19 15:43:19 2004
Subject: SEXUALLY-EXPLICIT: LOTR cast naked? Both female and male!
Folder: /var/spool/mail/annemarie 21933

We get multiple of these every day. Any thoughts?

brdsolutions
08-20-2004, 08:09 AM
Oops wrong header:


From bounce-595957_115@obededomcommitteth.com Thu Aug 19 15:43:19 2004
X-UIDL: lCB!!:7Z"!R3C"!oP3"!
Return-Path: <bounce-595957_115@obededomcommitteth.com>
Received: from mail16.sex4nothing.net (mail16.sex4nothing.net [209.50.55.231])
by aignerassoc.com (8.11.6/8.11.6) with ESMTP id i7JLhJj31199
for <annemarie@aignerassoc.com>; Thu, 19 Aug 2004 15:43:19 -0600
Received: by mail16.sex4nothing.net (Postfix, from userid 0)
id 8500512B189; Thu, 19 Aug 2004 14:36:43 -0700 (MST)
Message-Id: <NTk1OTU3XzExNQ@obededomcommitteth.com>
From: "Lord of the Rings" <reply-595957_115@obededomcommitteth.com>
To: "Adult Freely Subscriber" <annemarie@aignerassoc.com>
Subject: SEXUALLY-EXPLICIT: LOTR cast naked? Both female and male!
Content-Type: multipart/alternative;
boundary="------------hhgpqlxosw:NTk1OTU3XzExNQ"
Lines: 259
Date: Thu, 19 Aug 2004 14:36:43 -0700 (MST)
Status: RO

FZ
08-20-2004, 11:59 AM
It doesn't look like that message was even processed by SpamAssassin. What do the log lines for the other messages (that do pass through SpamAssassin) look like?

For the messages that pass through without being scanned, are they sent to a different address than the ones that do get scanned? For example to an alias or something...?

----


Can spamassassin get bogged down? As in, if it was busy scanning some email, other email might slip by?

I don't think so. As I understand it, one of two things would/do happen: either a separate instance of SpamAssassin is run on each and every mail (meaning that it would never "miss" mail), or, because of the use of locking, it processes mail one-by-one (as in a queue).

Not sure which of those applies/really happens. Someone correct me if I'm wrong.
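A small audit script, added here as an example and not code from anyone in the thread, that does by hand what FZ is describing: it walks a mailbox, reports which messages carry no X-Spam-Status header at all (so never reached SpamAssassin) together with the relay they came in from, and for two copies of the same message lists the tests that fired on only one of them, as with the BAYES_01 entry in brdsolutions' second copy above. The mbox text, hosts and addresses below are constructed placeholders; the X-Spam-Status format is the SpamAssassin 2.x one seen in the posted headers.

```python
import re
from email import message_from_string

# X-Spam-Status as SpamAssassin 2.x writes it, after folding is undone.
STATUS_RE = re.compile(
    r"(?P<flag>Yes|No), hits=(?P<hits>-?[\d.]+) required=(?P<req>-?[\d.]+)"
    r"(?: tests=(?P<tests>.*?))? version=(?P<version>\S+)"
)

# Constructed sample mailbox: message 1 has no X-Spam-* headers, message 2 was
# scored under the threshold, messages 3 and 4 are two copies of one mail.
SAMPLE_MBOX = """\
From bounce@example.net Thu Aug 19 15:43:19 2004
Received: from mail16.example.net (mail16.example.net [192.0.2.16])
\tby mx.example.com (8.11.6/8.11.6) with ESMTP id AAA00001
From: "Sender" <reply@example.net>
To: user1@example.com
Subject: never scanned

body

From sender2@example.org Tue Aug 17 18:24:25 2004
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.com (8.11.6/8.11.6) with SMTP id AAA00002
To: user1@example.com
Subject: appointment on friday
X-Spam-Status: No, hits=2.1 required=3.0
\ttests=HTML_10_20,HTML_IMAGE_ONLY_10,HTML_MESSAGE,
\tMIME_HTML_NO_CHARSET,MIME_HTML_ONLY
\tversion=2.52

body

From sender3@example.com Wed Aug 18 22:21:51 2004
Received: from host.example.net (host.example.net [203.0.113.23])
\tby mx.example.com (8.11.6/8.11.6) with SMTP id AAA00003
To: user1@example.com, user2@example.com
X-Spam-Status: Yes, hits=9.1 required=3.0
\ttests=BAD_CREDIT,DATE_IN_FUTURE_12_24,FORGED_YAHOO_RCVD,
\tMORTGAGE_PITCH,MSG_ID_ADDED_BY_MTA_3
\tversion=2.52
Subject: ***SPAM*** is that really you?

body

From sender3@example.com Wed Aug 18 22:21:52 2004
Received: from host.example.net (host.example.net [203.0.113.23])
\tby mx.example.com (8.11.6/8.11.6) with SMTP id AAA00003
To: user1@example.com, user2@example.com
Subject: is that really you?
X-Spam-Status: No, hits=1.5 required=3.0
\ttests=BAD_CREDIT,BAYES_01,DATE_IN_FUTURE_12_24,FORGED_YAHOO_RCVD,
\tMORTGAGE_PITCH,MSG_ID_ADDED_BY_MTA_3
\tversion=2.52

body
"""


def split_mbox(text):
    """Split mbox text on its 'From ' separator lines and parse each message."""
    chunks = re.split(r"(?m)^From .*\n", text)
    return [message_from_string(c) for c in chunks if c.strip()]


def parse_spam_status(value):
    """Parse one X-Spam-Status value; folded continuation lines are joined first."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {flat!r}")
    tests = [t.strip() for t in (m.group("tests") or "").split(",") if t.strip()]
    return {"flagged": m.group("flag") == "Yes", "hits": float(m.group("hits")),
            "required": float(m.group("req")), "tests": tests,
            "version": m.group("version")}


def audit(text):
    """One row per message: the relay it came from, whether SpamAssassin saw it, its verdict."""
    rows = []
    for msg in split_mbox(text):
        received = msg.get_all("Received") or []
        relay = re.search(r"from\s+(\S+)", received[0]) if received else None
        row = {"subject": msg.get("Subject", ""),
               "relay": relay.group(1) if relay else None,
               "scanned": msg.get("X-Spam-Status") is not None,
               "flagged": None, "hits": None, "tests": []}
        if row["scanned"]:
            status = parse_spam_status(msg["X-Spam-Status"])
            row.update(flagged=status["flagged"], hits=status["hits"], tests=status["tests"])
        rows.append(row)
    return rows


def unscanned(rows):
    """Messages that bypassed the scanner: the ones to chase in the procmail log."""
    return [r for r in rows if not r["scanned"]]


def diff_tests(row_a, row_b):
    """Tests that fired on only one of two copies of the same message."""
    a, b = set(row_a["tests"]), set(row_b["tests"])
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    rows = audit(SAMPLE_MBOX)
    for r in rows:
        state = "scanned" if r["scanned"] else "UNSCANNED"
        print(f"{state:9} hits={r['hits']} relay={r['relay']} subject={r['subject']!r}")
    print("only in copy 1 / only in copy 2:", diff_tests(rows[2], rows[3]))
```

Run it against a copy of the user's spool file (the mbox format is the same as /var/spool/mail/<user> in the posted log) and the unscanned list gives you the messages whose procmail log blocks are worth reading. For the two-copy case the diff shows exactly which test differs between the deliveries; when the test lists are identical but the totals are not, the difference lies in the per-user scoring, which is where brdsolutions reports having found it.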

SJP
08-20-2004, 04:11 PM
So another solution to the SPAM problem and imo a better fix is to insist that the person sending you e-mail "authenticate" themselves. The usual way I've seen is an image that contains a code and you put it in the subject. I do something like that and while I'm not seeing anywhere near the volume Jalal is getting I'm not worried about it when the SPAM escalates to that level. Everyone is exposed to SPAM. Don't you think legitimate persons would be willing to make the extra effort if it were required, because they'd understand why? Otherwise you're looking at copious amounts of CPU and other resources being used up to try and catch people in the act. IMO SPAMassassin is the backwards way. Kind of like most medicines. Treat the symptom and ignore the cause.

SJP

Adarkts
08-20-2004, 11:27 PM
I noticed you have SA 2.52. Are you able to upgrade to 2.63? Mine seemed to act better after the upgrade....but I was getting false positives.

SJP
08-22-2004, 01:20 AM
Ok. Didn't help to suggest another method, but no solution. So I've thrown together a different way that's even easier and unless SPAM bots are scouring the net and using what they gather that day no junk will get through.

I have a perl program which is run by cron at 3:05AM every day. It rebuilds the contactus.html page. In your web-page you'd link to such a page. Besides inserting the code du jour it also sticks it in a file that procmail accesses. I chose "info", because that's fairly common and easy to guess. Here's the procmail recipe:

# Code of the day, written nightly by contactus.pl (below).
CODE=`cat /home/urantiapersonals/code`

# Forward mail addressed to info@ only when the Subject carries the current code.
# ^TO_ is procmail's recipient-header macro (the stray "?" after it did nothing useful);
# the leading "$" on the second condition makes procmail expand $CODE inside the regexp.
:0
* ^TO_info@
* $^Subject:.*$CODE
! user@domain

the perl program is:

#!/usr/bin/perl
use strict;
use warnings;

# c o n t a c t u s . p l   Written By Jeff S. Dickson, 21 August 2004
# Writes today's code to $home/code (read by the procmail recipe) and
# regenerates www/contactus.html with the same code in the mailto: link.

my $home = '/home/urantiapersonals';
chdir($home) or die "cannot chdir to $home: $!";
my $now = time;

# The code file is what `cat /home/urantiapersonals/code` picks up in procmail.
open(my $code_fh, '>', 'code') or die "cannot write code file: $!";
print $code_fh "$now";
close($code_fh) or die "cannot close code file: $!";

# Rebuild the contact page; $now is interpolated into the heredoc, \@ keeps the
# literal "@" in the mailto: address.
open(my $page_fh, '>', 'www/contactus.html') or die "cannot write contactus.html: $!";
print $page_fh <<"EOF";
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML LANG="en">
<HEAD>
<TITLE>Free Personals for Readers of the Urantia Book</TITLE>
<LINK REL=stylesheet HREF="ancillary.css">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META http-equiv="Pragma" content="no-cache">
<META http-equiv="Expires" content="Tue, 01 Jan 1981 01:00:00 GMT">
<META http-equiv="Cache-Control" content="no-cache, must-revalidate">
</HEAD><BODY STYLE="width:678px;margin-left:27px"><P STYLE="font-size:15pt;font-weight:600">
Please e-mail us! We'd love to hear from you and all mail will be answered. However, there's
a catch. If clicking the link doesn't fire up your e-mail program then you <B STYLE="text-decoration:underline">must</B>
put the number shown below at the end of the subject. SPAM is a real
drag. Sorry for the inconvenience.</P><A STYLE="font-size:15pt;font-weight:600;color:red" HREF="mailto:info\@urantiapersonals.org?Subject=$now">contact us!</A>
<B STYLE="color:red;font-size:18pt">$now</B>.</BODY></HTML>
EOF
close($page_fh) or die "cannot close contactus.html: $!";

the cron entry is:

5 3 * * * /home/urantiapersonals/contactus.pl

I've got the recipe to forward to my personal e-mail so I'll find out if this is a viable alternative. My suspicion is that SPAM bots look for e-mail addresses, collect, and then sell them. If all this happens under a day then I'll have to be more clever. It won't prevent people from doing it by hand, but then no one who is serious about making money SPAMMING does it by hand anyways.

The test page is http://www.urantiapersonals.org/contactus.html

SJP
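The same challenge-code idea rendered in Python, as an added example and not SJP's code: the decision the procmail recipe makes (mail to info@ passes only if the Subject carries a valid code) plus the one edge case the nightly rotation creates, a message written just before 3:05AM and delivered just after it. This version keeps two codes valid (today's and yesterday's) and derives each day's code from a server-side secret instead of the epoch time, so yesterday's code can be recomputed rather than stored; the secret, the addresses and the header list approximating procmail's ^TO_ are assumptions of the example.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta
from email import message_from_string

# Hypothetical server-side secret. Only the derived code ever appears on the web page.
SECRET = b"replace-with-a-long-random-secret"
CONTACT_RE = re.compile(r"\binfo@", re.IGNORECASE)


def code_for(day, secret=SECRET):
    """Code shown on the contact page for `day` (this example's choice: an HMAC
    of the date, where the thread's script uses the epoch time)."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def valid_codes(today, grace_days=1):
    """Today's code plus `grace_days` earlier ones, so a message composed just
    before the nightly rotation still gets through."""
    return {code_for(today - timedelta(days=d)) for d in range(grace_days + 1)}


def addressed_to_contact(msg):
    """Approximates procmail's ^TO_info@ by checking the recipient headers."""
    for header in ("To", "Cc", "Bcc", "X-Envelope-To", "Apparently-To"):
        if any(CONTACT_RE.search(v) for v in msg.get_all(header) or []):
            return True
    return False


def decide(raw_message, today):
    """'forward' for contact mail carrying a valid code, 'drop' for contact mail
    without one, 'other' for mail not addressed to the contact alias at all."""
    msg = message_from_string(raw_message)
    if not addressed_to_contact(msg):
        return "other"
    subject = re.sub(r"\s+", " ", msg.get("Subject", ""))
    for code in valid_codes(today):
        # Whole-token match, so a longer hex string cannot contain the code by accident.
        if re.search(rf"(?<![0-9a-f]){re.escape(code)}(?![0-9a-f])", subject, re.I):
            return "forward"
    return "drop"


if __name__ == "__main__":
    today = date.today()
    # The nightly cron job would write this value to the file the procmail recipe reads
    # and into the regenerated contactus.html.
    print("code to publish today:", code_for(today))
    sample = f"To: info@example.org\nSubject: hello {code_for(today)}\n\nhi"
    print(decide(sample, today))
```

The forward/drop split is the same as the recipe's, with the difference that a code published yesterday is still honoured for one day; how long the grace window should be is a trade-off between the harvesting delay SJP is speculating about and the number of legitimate late arrivals that get dropped.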

lobstershell
08-27-2004, 01:34 PM
I have found fantastic results with using extra rules developed by the Spamassassin community. I use almost all of the rules referenced on Rules Emporium (http://www.rulesemporium.com/rules.htm) and then use RulesDuJour (http://www.exit0.us/index.php/RulesDuJour) and MyRulesDuJour (referenced on that same page) on a cron job to automatically update these rules.

For those that are new to this, any properly formatted Spamassassin ruleset can be dropped into /etc/mail/spamassassin and it will be used whenever spamassassin/spamc/however-you-are-running-it is called. RulesDuJour and MyRulesDuJour are shell scripts that automate the download and installs.

jalal
09-07-2004, 09:45 AM
I use RulesDuJour on four or five sites with excellent results.

Recommended!