Stephan Paukner :: syslog

Subject: Lieber Freund

[...]
Ich bin bei einer routinen ?berpr?fung in meiner Bank (Chartered Bank von S?d Afrika) wo ich arbeite, auf einem Konto gesto?en, was nicht in anspruch genommen worden ist, wo derzeit $14.300,00(vierzehnmillionendreihundert US Dollar) gutgeschrieben sind.
[...]

Subject: Sie Won  £ 250.000.00! [...]

[...] Wir glücklich zu verkünden, ziehen Sie die der Yahoo Lotterie Intl Inc Programme am 6. Mai 2008 in London. Sie sind daher genehmigt worden ist, um Anspruch auf eine Gesamtsumme von zweihundertfünfzig tausend britische Pfund (£ 250.000,00) für den 6. Mai 2008 promo Lotterie gewinnen, [...].

YAHOO sammelt alle E-Mail-ID des Menschen, die sich an Yahoo! E-Mail, MSN, Hotmail, AOL, AltaVista, and others online. Unter den Milliarden, abonnieren Sie uns, nur fünf Menschen wird sich für Gewinne. [...]

[...]

Deshalb wird Ihnen geraten, zitieren die folgenden Informationen an die Muschel-Agent zu erleichtern ihnen die Bearbeitung der Übertragung Ihrer Fonds ohne Verzögerung.

[...]

RBLs enable mail admins to automatically block incoming mail based on DNS lookups. But I noticed that my MTA was again blocking Google and Hotmail completely, again due to the overly restrictive SORBS blacklist. This is inacceptable collateral damage, so I suggest you don’t use SORBS if you intend to receive mail from large-scaled customer sites. SpamAssassin still gives scores for that blacklist, but not enough to trigger a blocking by only that single list.

Subject: xu Hallo

Hallo {, MAILTO_USERNAME}
[...]
Sie wollen, der Ihres “ Gurke “ GROSS & STARK geworden ist, als ein STEIN?
[...]
Tippen Sie Browser (ohne Plätze) Presse Einträgt ein.
[...]

For the sake of documentation, I list the enhancements I configured for SpamAssassin since February:

• I use SA’s internal sa-update script nightly to update the standard rules that are changed between the releases of new versions. The standard channel is updates.spamassassin.org. The files automatically go into /var/lib/spamassassin/$VERSION and Debian automatically finds it, as can be seen from a call of spamassassin -D --lint.
• In addition to the previous, I call sa-compile to compile the body rulesets into binary form. This makes checking of body rules more efficient. To enable SA using these binary rules in /var/lib/spamassassin/compiled/$VERSION, I have to activate the Rule2XSBody plugin in /etc/spamassassin/v320.pre.
• I don’t update the SARE rules against stock spam manually anymore, but also use the provided sa-update channel for it.

Recently, PDF spam has become “popular”. Therefore I enabled some more things to accomplish this:

• The ClamAV virus scanner provides inofficial databases by Sanesecurity to catch various sorts of spam. So there’s actually some kind of redundancy, as the virus scanner and the anti-spam filter are now sharing some responsibility. As not a single virus occured at my site in the recent months, this has now changed in some way.
• I installed the PDFInfo plugin from SARE and enabled it in /etc/spamassassin/init.pre.

Sure, as soon as we catch enough of that new PDF spam, spammers might change to some other document file format, such as DOC or RTF or even ODF, and we are forced to scan those attached documents for spam text or even for contained images that contain spam text, what we are already considering with FuzzyOCR. There must be some better way, actually.

However, I had to reduce the score of the Botnet plugin, as the default value of 5 points is way too high. Maybe I should add the plugin that checks the operating system such that only botnet clients using that Windows crap get high scores.

The fight continues.

Recently, on the SpamAssassin mailing list, someone was reporting that a newbie spammer seemed to have forgotten to replace variables with values. Someone else noted that the construction

might lead to weird and impossible IP addresses. Now, I really found that in my spam quarantine:

SpamAssassin is doing a good job on my site. It successfully protects my users’ mailboxes for some years now. However, during the last months spamming has increased significantly around the world. Luckily, only few spam is getting through, but a handful of spam mails a day is already too much for the pampered user. So I searched for current enhancements. So far I had only used Debian Etch’s standard spamassassin and amavisd-new packages.

I consider greylisting as a solution for days where I see no other choice. I can imagine my users being confused because they receive an expected mail not immediately. So I installed three enhancements for SpamAssassin:

• FuzzyOCR
• A botnet detector
• Rules against stock spam

The first one is available from Debian ‘unstable’, whereas the other two simply go into /etc/spamassassin. The SpamAssassin Rules Emporium provides a lot of other rules I haven’t tried yet.

The rules are already having some hits adding a lot to the spam score of messages. Here are examples from within 24 hours:

FUZZY_OCR=7.000 (twice), FUZZY_OCR=8.000, FUZZY_OCR=9.000 (5 times), FUZZY_OCR=10.000 (twice), BOTNET_OCNNEJP=5 (3 times), BOTNET_SHAWCABLE=5, SARE_STOCK_MSG_ID2=2.22 (5 times), SARE_GIF_ATTACH=0.75 (16 times), SARE_GIF_STOX=1.66 (6 times), SARE_PROLOSTOCK_SYM3=1.66 (8 times), SARE_MLH_Stock1=1.66 (12 times), SARE_RMML_Stock26=1.12, SARE_MLB_Stock1=1.66 (3 times), SARE_MLB_Stock3=0.794 (7 times), SARE_LWOILCO=0.388 (twice), SARE_LWSYMFMT=1.66, SARE_PROLOSTOCK_SYM4=2.66, SARE_PROLOSTOCK_SYM1=1.66, SARE_LWSHORTT=0.794.

So, it was worth the no effort. For those who wonder why there are only few hits, Postfix is already doing most of the job by rejecting bad connections.