Mailing List Archive

Using spamassassin to thwart sharepoint phishing attacks
I've received about a dozen phishing attack emails from Microsoft's
sharepoint service within the last couple of weeks. Only one of them was
identified by SA as spam. After running the emails through sa-learn,
they still only score a 4 to 4.5. But I could see that it would be easy
for these emails to get classified as false positives and/or false
negatives.

Has anyone developed a good way to identify these sharepoint phishing
attacks without any false positives?

I'm leaning towards figuring out how I might inject some kind of
prominent warning into the message to remind people not to click links
they don't trust. That's not an ideal solution, but perhaps it is the
best way to help protect users. I'm interested to hear what other
options might be available.

Here is how SA scored one of the emails:

4.4/5.0
Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Doris Feaster shared a file with you STRIP BANG THE ONLINE REAL & MOST POPULAR 100% TRUSTED NETWORK STRIPBANG GIVING FREE ELITE MEMBERSHIP AND 5000CR=$750 WINNER 2021 YOUR WINNING CODE - ( STBNG5000CR )

Content analysis details: (4.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [52.100.189.222 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
                            [52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from envelope-from domain
 0.0 UPPERCASE_50_75        message body is 50-75% uppercase
Re: Using spamassassin to thwart sharepoint phishing attacks
On 2021-04-11 22:09, Steve Dondley wrote:

> Content analysis details: (4.4 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
> 100%
> [score: 1.0000]
> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> [52.100.189.222 listed in wl.mailspike.net]
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> https://www.dnswl.org/,
> no trust
> [52.100.189.222 listed in list.dnswl.org]
> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.5 SUBJ_ALL_CAPS Subject is all capitals
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> valid
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> from
> author's domain
> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
> from
> envelope-from domain
> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase

I see it as a local problem

http://multirbl.valli.org/lookup/52.100.189.222.html

Do you use the KAM.cf channel?
Re: Using spamassassin to thwart sharepoint phishing attacks
On 2021-04-11 04:19 PM, Benny Pedersen wrote:
> On 2021-04-11 22:09, Steve Dondley wrote:
>
>> Content analysis details: (4.4 points, 5.0 required)
>>
>> pts rule name description
>> ---- ----------------------
>> --------------------------------------------------
>> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> [score: 1.0000]
>> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
>> 100%
>> [score: 1.0000]
>> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
>> [52.100.189.222 listed in
>> wl.mailspike.net]
>> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>> https://www.dnswl.org/,
>> no trust
>> [52.100.189.222 listed in list.dnswl.org]
>> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>> -0.0 SPF_PASS SPF: sender matches SPF record
>> 0.5 SUBJ_ALL_CAPS Subject is all capitals
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
>> parts
>> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
>> signature
>> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
>> necessarily
>> valid
>> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
>> from
>> author's domain
>> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
>> from
>> envelope-from domain
>> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase
>
> i see its as a local problem
>
> http://multirbl.valli.org/lookup/52.100.189.222.html
>
> do you use KAM.cf channel ?

OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:

Content analysis details: (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
                            [52.100.189.222 listed in list.dnswl.org]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [52.100.189.222 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.5 SUBJ_ALL_CAPS          Subject is all capitals
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from envelope-from domain
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 UPPERCASE_50_75        message body is 50-75% uppercase
 0.2 KAM_MANYTO             Email has more than one To Header or more than 25 recipients
 0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
 0.0 KAM_SHORT              Use of a URL Shortener for very short URL
Re: Using spamassassin to thwart sharepoint phishing attacks
On 2021-04-11 22:43, Steve Dondley wrote:
> On 2021-04-11 04:19 PM, Benny Pedersen wrote:
>> On 2021-04-11 22:09, Steve Dondley wrote:
>>
>>> Content analysis details: (4.4 points, 5.0 required)
>>>
>>> pts rule name description
>>> ---- ----------------------
>>> --------------------------------------------------
>>> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to
>>> 100%
>>> [score: 1.0000]
>>> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
>>> 100%
>>> [score: 1.0000]
>>> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
>>> [52.100.189.222 listed in
>>> wl.mailspike.net]
>>> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>>> https://www.dnswl.org/,
>>> no trust
>>> [52.100.189.222 listed in list.dnswl.org]
>>> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>>> -0.0 SPF_PASS SPF: sender matches SPF record
>>> 0.5 SUBJ_ALL_CAPS Subject is all capitals
>>> 0.0 HTML_MESSAGE BODY: HTML included in message
>>> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
>>> parts
>>> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
>>> signature
>>> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
>>> necessarily
>>> valid
>>> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
>>> from
>>> author's domain
>>> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
>>> from
>>> envelope-from domain
>>> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase
>>
>> i see its as a local problem
>>
>> http://multirbl.valli.org/lookup/52.100.189.222.html
>>
>> do you use KAM.cf channel ?
>
> OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:
>
> Content analysis details: (5.1 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> https://www.dnswl.org/,
> no trust
> [52.100.189.222 listed in list.dnswl.org]
> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
> 100%
> [score: 1.0000]
> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> [52.100.189.222 listed in wl.mailspike.net]
> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> 0.5 SUBJ_ALL_CAPS Subject is all capitals
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.0 HTML_MESSAGE BODY: HTML included in message
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
> from
> envelope-from domain
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> from
> author's domain
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> valid
> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase
> 0.2 KAM_MANYTO Email has more than one To Header or more
> than 25
> recipients
> 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current
> years
> 0.0 KAM_SHORT Use of a URL Shortener for very short URL

SORBS DNSBL missing: have you denied sorbs.net results, or is
SpamAssassin not testing sorbs.net anymore?

Anyway, you can add more score to the rule names, or create local meta
rules that add more score on top of the results.

Just use BAYES_999 in the meta, combined with && and the other rule names.

Or simply add more weight to BAYES_999.

Let's say it scored 15 on that rule name :)

I can't guarantee that doing so has no downside; YMMV.
Re: Using spamassassin to thwart sharepoint phishing attacks
>
> sorbs dnsbl missing, have you denied sorbs.net results ?, or is
> spamassassin not testing sorbs.net anymore ?

How would I check if it's turned on? I tried grepping in
/etc/spamassassin on "sorb" (case insensitive) and found nothing. So I
guess it's not in my default config.

I see many mentions of "SORBS" in /usr/share/spamassassin, however. I'm
guessing I may not have a needed SA plugin enabled. I'll try to figure
out how to do it.

Also, I've heard of sorbs over the years but I'm not sure exactly what
it is. Is this the same block list run by Cisco?
Re: Using spamassassin to thwart sharepoint phishing attacks
> Also, I've heard of sorbs over the years but I'm not sure exactly what
> it is. Is this the same block list run by Cisco?

OK, I was getting SORBS confused with SenderBase Reputation Score
(SBRS). That's the one run by Cisco, I believe.

I actually have an account on the SORBS website that I set up long ago.
Re: Using spamassassin to thwart sharepoint phishing attacks
> sorbs dnsbl missing, have you denied sorbs.net results ?, or is
> spamassassin not testing sorbs.net anymore ?

Best I can tell, my SA config should be testing for sorbs. I've got this
line in /etc/spamassassin/v3220.pre:

loadplugin Mail::SpamAssassin::Plugin::DNSEval

And in /usr/share/spamassassin/20_dnsbl_test.cf, I've got:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

I see a bunch of SORBS rules in there.

However, in 50_scores.cf, this line is commented out:

#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5

Maybe that's the problem?
Re: Using spamassassin to thwart sharepoint phishing attacks
> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.0000]

I have

 5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]

I suggest raising BAYES_99 to at least 5.

Loren
Re: Using spamassassin to thwart sharepoint phishing attacks
If you have spamples for sharepoint phishes that evade kam ruleset, shoot
me an email off-list to discuss getting me the spamples.

On Sun, Apr 11, 2021, 16:43 Steve Dondley <s@dondley.com> wrote:

> On 2021-04-11 04:19 PM, Benny Pedersen wrote:
> > On 2021-04-11 22:09, Steve Dondley wrote:
> >
> >> Content analysis details: (4.4 points, 5.0 required)
> >>
> >> pts rule name description
> >> ---- ----------------------
> >> --------------------------------------------------
> >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >> [score: 1.0000]
> >> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
> >> 100%
> >> [score: 1.0000]
> >> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> >> [52.100.189.222 listed in
> >> wl.mailspike.net]
> >> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> >> https://www.dnswl.org/,
> >> no trust
> >> [52.100.189.222 listed in list.dnswl.org]
> >> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> >> -0.0 SPF_PASS SPF: sender matches SPF record
> >> 0.5 SUBJ_ALL_CAPS Subject is all capitals
> >> 0.0 HTML_MESSAGE BODY: HTML included in message
> >> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
> >> parts
> >> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> >> signature
> >> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> >> necessarily
> >> valid
> >> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> >> from
> >> author's domain
> >> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
> >> from
> >> envelope-from domain
> >> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase
> >
> > i see its as a local problem
> >
> > http://multirbl.valli.org/lookup/52.100.189.222.html
> >
> > do you use KAM.cf channel ?
>
> OK, I added KAM.cf to my config. It has now pushed it over 5.0, barely:
>
> Content analysis details: (5.1 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> https://www.dnswl.org/,
> no trust
> [52.100.189.222 listed in list.dnswl.org]
> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.0000]
> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> [52.100.189.222 listed in wl.mailspike.net]
> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> 0.5 SUBJ_ALL_CAPS Subject is all capitals
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.0 HTML_MESSAGE BODY: HTML included in message
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature
> from
> envelope-from domain
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> from
> author's domain
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> valid
> 0.0 UPPERCASE_50_75 message body is 50-75% uppercase
> 0.2 KAM_MANYTO Email has more than one To Header or more
> than 25
> recipients
> 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current
> years
> 0.0 KAM_SHORT Use of a URL Shortener for very short URL
>
Re: Using spamassassin to thwart sharepoint phishing attacks
>>sorbs dnsbl missing, have you denied sorbs.net results ?, or is
>>spamassassin not testing sorbs.net anymore ?

On 11.04.21 18:22, Steve Dondley wrote:
>Best I can tell, my SA config should be testing for sorbs. I've got
>this line in /etc/spamassassin/v3220.pre:
>
>loadplugin Mail::SpamAssassin::Plugin::DNSEval
>
>And in /usr/share/spamassassin/20_dnsbl_test.cf, I've got:
>
>ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
>I see a bunch of SORBS rules in there.
>
>However, in 50_scores.cf, this line is commented out:
>
>#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>
>Maybe that's the problem?

no, there are other SORBS lists used:

score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3


have you set up own caching, non-forwarding DNS server?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: Using spamassassin to thwart sharepoint phishing attacks
>> However, in 50_scores.cf, this line is commented out:
>>
>> #score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> Maybe that's the problem?
>
> no, there are other SORBS lists used:
>
> score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
> score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
> score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
> score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
> #score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
> score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
> score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
>
>
> have you set up own caching, non-forwarding DNS server?

Yes. And my SA scores have improved about 100% since I did this.
Re: Using spamassassin to thwart sharepoint phishing attacks
>>>However, in 50_scores.cf, this line is commented out:
>>>
>>>#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>>
>>>Maybe that's the problem?
>>
>>no, there are other SORBS lists used:
>>
>>score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
>>score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
>>score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
>>score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
>>score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
>>#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
>>score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
>>
>>
>>have you set up own caching, non-forwarding DNS server?

On 12.04.21 09:12, Steve Dondley wrote:
>Yes. And my SA scores have improved about 100% since I did this.

Great.
Now, do you have razor, pyzor and dcc installed and their equivalent SA modules
enabled?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
Re: Using spamassassin to thwart sharepoint phishing attacks
On Sun, 11 Apr 2021, Loren Wilton wrote:

>> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> [score: 1.0000]
>> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>> [score: 1.0000]
>
> I have
> 5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> [score: 1.0000]
> 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.0000]
>
> I suggest raising BAYES_99 to at least 5.

It'd be better to instead boost BAYES_999 to Poison Pill status, as the
confidence is higher.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The Constitution is a written instrument. As such its meaning does
not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
-----------------------------------------------------------------------
Tomorrow: Thomas Jefferson's 278th Birthday
Re: Using spamassassin to thwart sharepoint phishing attacks
On 2021-04-12 16:29, John Hardin wrote:
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
>>> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to
>>> 100%
>>> [score: 1.0000]
>>> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to
>>> 100%
>>> [score: 1.0000]
>>
>> I have 5.0 BAYES_99 BODY: Bayes spam probability is 99
>> to 100%
>> [score: 1.0000]
>> 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to
>> 100%
>> [score: 1.0000]
>>
>> I suggest raising BAYES_99 to at least 5.
>
> It'd be better to instead boost BAYES_999 to Poison Pill status, as
> the confidence is higher.

score BAYES_999 10 ...
Together with BAYES_99 it gives over 12.1, which is the minimum for Bayes
learning as spam.

Default rule.

No ham has ever hit this.
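Benny's suggestions above and earlier in the thread (a 10-point BAYES_999, or a local meta rule that combines BAYES_999 with other rule names via &&) can be tried against the reported hits before a live config is touched. The Python below is an added example, not code from the thread or from SpamAssassin: it parses the 'pts rule' lines of the 4.4-point report quoted earlier, applies a hypothetical local.cf (the LOCAL_SHOUTY_HTML_BAYES name and the 10-point BAYES_999 score are this example's own choices) and reports the new total; the meta evaluator handles only the boolean &&, ||, ! and parenthesis forms.

```python
import re
# Constructed from the 4.4-point report quoted above; the wrapped '[score:' line shows continuation lines are skipped.
REPORT = """\
 3.5 BAYES_99            BODY: Bayes spam probability is 99 to 100%
                         [score: 1.0000]
 0.5 BAYES_999           BODY: Bayes spam probability is 99.9 to 100%
-0.0 RCVD_IN_MSPIKE_H2   RBL: Average reputation (+2)
-0.0 RCVD_IN_DNSWL_NONE  RBL: Sender listed at https://www.dnswl.org/, no trust
-0.0 SPF_HELO_PASS       SPF: HELO matches SPF record
-0.0 SPF_PASS            SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS       Subject is all capitals
 0.0 HTML_MESSAGE        BODY: HTML included in message
 0.1 MIME_HTML_ONLY      BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID          Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED         Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU       Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID_EF       Message has a valid DKIM or DK signature from envelope-from domain
 0.0 UPPERCASE_50_75     message body is 50-75% uppercase
"""
# Hypothetical local.cf: BAYES_999 weighted as Benny suggests (only sensible with a reliably trained Bayes) plus a made-up meta.
LOCAL_CF = """\
score BAYES_999 0 0 10.0 10.0
meta LOCAL_SHOUTY_HTML_BAYES (BAYES_999 && MIME_HTML_ONLY && UPPERCASE_50_75)
score LOCAL_SHOUTY_HTML_BAYES 2.0
"""
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z_][A-Z0-9_]*)\b")
TOKEN_RE = re.compile(r"[A-Z_][A-Z0-9_]*|&&|\|\||!|\(|\)")

def parse_report(text):
    """[(rule, points)] from the 'pts rule description' lines of an SA report."""
    return [(m.group(2), float(m.group(1)))
            for m in map(HIT_RE.match, text.splitlines()) if m]

def parse_local_cf(text):
    """Return ({rule: score}, [(meta, expression)]). A four-value score line uses
    set 3, the score applied when network tests and Bayes are both enabled."""
    scores, metas = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) == 3 and parts[0] == "score":
            vals = parts[2].split()
            scores[parts[1]] = float(vals[3] if len(vals) == 4 else vals[0])
        elif len(parts) == 3 and parts[0] == "meta":
            metas.append((parts[1], parts[2]))
    return scores, metas

def eval_meta(expr, fired):
    """Evaluate a boolean meta (&&, ||, !, parentheses) against the fired rule
    set; anything outside that grammar is rejected before eval() sees it."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported meta syntax: %r" % expr)
    ops = {"&&": "and", "||": "or", "!": "not"}
    py = [ops.get(t, t) if t in ops or t in "()" else str(t in fired) for t in tokens]
    return bool(eval(" ".join(py), {"__builtins__": {}}, {}))

def rescore(hits, scores, metas):
    """Total under the overrides, plus every rule (metas included) that fired."""
    fired = {rule for rule, _ in hits}
    total = sum(scores.get(rule, pts) for rule, pts in hits)
    for name, expr in metas:  # file order, so a meta may refer to an earlier meta
        if eval_meta(expr, fired):
            fired.add(name)
            total += scores.get(name, 1.0)  # 1.0 is SA's default for an unscored rule
    return round(total, 1), fired

if __name__ == "__main__":
    hits = parse_report(REPORT)
    print("as reported:  ", rescore(hits, {}, [])[0])                     # 4.4
    print("with local.cf:", rescore(hits, *parse_local_cf(LOCAL_CF))[0])  # 15.9
```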
Re: Using spamassassin to thwart sharepoint phishing attacks
John Hardin writes:
> From: John Hardin <jhardin@impsec.org>
> Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
>
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
> >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >> [score: 1.0000]
> >> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> >> [score: 1.0000]
> >
> > I have
> > 5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > [score: 1.0000]
> > 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> > [score: 1.0000]
> >
> > I suggest raising BAYES_99 to at least 5.
>
> It'd be better to instead boost BAYES_999 to Poison Pill status, as the
> confidence is higher.

Increasing the score for BAYES_99 and BAYES_999 is a fine idea as long
as bayes is accurately trained and well maintained with sufficient
email and any mistakes corrected. People with that sort of trained
bayes tend to know it. Doing a general suggestion to increase the
BAYES scores seems rather misguided.

-jeff
Re: Using spamassassin to thwart sharepoint phishing attacks
On Mon, 12 Apr 2021, jwmincy@gmail.com wrote:

> John Hardin writes:
> > From: John Hardin <jhardin@impsec.org>
> > Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
> >
> > On Sun, 11 Apr 2021, Loren Wilton wrote:
> >
> > >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > >> [score: 1.0000]
> > >> 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> > >> [score: 1.0000]
> > >
> > > I have
> > > 5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > > [score: 1.0000]
> > > 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> > > [score: 1.0000]
> > >
> > > I suggest raising BAYES_99 to at least 5.
> >
> > It'd be better to instead boost BAYES_999 to Poison Pill status, as the
> > confidence is higher.
>
> Increasing the score for BAYES_99 and BAYES_999 is a fine idea as long
> as bayes is accurately trained and well maintained with sufficient
> email and any mistakes corrected. People with that sort of trained
> bayes tend to know it. Doing a general suggestion to increase the
> BAYES scores seems rather misguided.

I'm suggesting that *only* BAYES_999 should be increased. I agree that you
should only do so if your Bayes training is reliable (i.e. *not*
end-user-driven without review).


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine
-----------------------------------------------------------------------
Tomorrow: Thomas Jefferson's 278th Birthday