Mailing List Archive

some problem with spam
Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems:

1) I put .eml files with spam in a directory and teach SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails.
Works great, but after 7 days I must teach it again, as if SA forgot what it learned.

2) I have a problem with one type of spam like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar, like base64 + HTML and PNG.
All was signed by DKIM.

And I had to work around it in the following way, but it is not a solution:

rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207     Spam fake IQ password
score    EMAIL_20231207     2

rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
# meta rule: fires only when all four named rules hit; the dependency names must match the rules defined above
meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score    EMAIL_20231207_ALL 2

Any idea?

--
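Added example, not code from the thread or from the SpamAssassin project: a small Python lint for rule fragments like the ones above. It parses rawbody/uri/meta/score lines, reports meta dependencies that no rule in the fragment defines, and reports dependencies that also score on their own because they are not `__` helper rules (the meta then double-counts them). The sample ruleset is constructed; the name IQ_EMAIL_20231207_1 in it is deliberately undefined.

```python
import re

# Constructed sample ruleset in the style of the thread (not any poster's exact file):
# one meta with a mistyped dependency name, one dependency that is not a __ helper rule.
SAMPLE_CF = r"""
rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /BACKGROUND\-COLOR\:white/
meta     EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && EMAIL_20231207_2
score    EMAIL_20231207_ALL 2
uri      __ADB_CPN_LINK     /\.campaign\.adobe\.com\/r\/\?/
rawbody  __IMG_SRC_CID      /<img src="cid:\d/
meta     ADB_CPN_ABUSE      __ADB_CPN_LINK && __IMG_SRC_CID
score    ADB_CPN_ABUSE      2.5
"""

RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta"}
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def parse_cf(text):
    """Map rule name -> {"type", "pattern", "score"} from a .cf fragment."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        entry = rules.setdefault(name, {"type": None, "pattern": None, "score": None})
        if kind in RULE_TYPES:
            entry["type"], entry["pattern"] = kind, rest
        elif kind == "score":
            entry["score"] = float(rest.split()[0])  # first value of a score set
    return rules

def effective_score(rules, name):
    """SA default: an unscored rule counts 1.0, except __ helper rules (0.0)."""
    if rules[name]["score"] is not None:
        return rules[name]["score"]
    return 0.0 if name.startswith("__") else 1.0

def lint_meta(rules):
    """Per meta rule: names it uses that no rule here defines, and dependencies
    that also score on their own (the meta then double-counts them)."""
    report = {}
    for name, r in rules.items():
        if r["type"] != "meta":
            continue
        deps = NAME_RE.findall(r["pattern"])
        undefined = [d for d in deps if d not in rules or rules[d]["type"] is None]
        scoring = [d for d in deps if d not in undefined and effective_score(rules, d)]
        report[name] = {"undefined": undefined, "self_scoring": scoring}
    return report
```

A dependency such as MIME_HTML_ONLY that lives in the stock rules, not in the fragment being checked, will also show up as undefined, so run the lint over the whole rule set or treat that list as a prompt to verify with `spamassassin --lint`.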
Re: some problem with spam
uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID /<img src=\"cid:\d/

meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
describe ADB_CPN_ABUSE Possible malware link
score ADB_CPN_ABUSE 2.5000

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective; it can
produce false positives. Since I don't have visibility into all headers,
consider creating rules based on specific headers or other rules that match these.
Append these rules to the meta-rule and boost the overall score accordingly.

Jimmy


On Tue, Dec 12, 2023 at 5:53 PM natan <natan@epf.pl> wrote:

Re: some problem with spam
Hi
Thanks, but the link is random too, like:

https://paste.debian.net/1300874/


On 12.12.2023 at 12:21, Jimmy wrote:

--
Re: some problem with spam
These rules should match:

rawbody __DOUBLE_HTML   /<\/a><html><\/p>\s*<body><html>/
uri     __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i



On Tue, Dec 12, 2023 at 8:44 PM natan <natan@epf.pl> wrote:

> Hi
> Thenx but link is random too like:
>
> https://paste.debian.net/1300874/
>
>
> W dniu 12.12.2023 o 12:21, Jimmy pisze:
>
>
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID /<img src=\"cid:\d/
>
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be
> false positive. Since I don't have visibility into all headers, consider
> create rules based on specific headers or other rule that match these.
> Append these rules to the meta-rule and boost the overall score accordingly.
>
> Jimmy
>
>
> On Tue, Dec 12, 2023 at 5:53?PM natan <natan@epf.pl> wrote:
>
>> Hi
>> I have a SpamAssassin version 3.4.6
>>
>> And I try resolv two problem
>>
>> 1)I put eml with spam and learn SA like:
>> sa-learn --spam /root/spamik/
>>
>> In /root/spamik/ is 4 e-mail
>> Worsk great but after 7 day i must learn agin like SA forgot what he
>> learned
>>
>> 2)I have a problem with one type a spam like:
>> https://paste.debian.net/1300865/
>> beacuse:
>> contents - random
>> from - random
>> IP - random
>>
>> The construction is only somewhat similar like base64 + html and png
>> All wass signed by DKIM
>>
>> And I had to work around it in the following way but it is not a solution
>>
>> rawbody EMAIL_20231207 /(necessary to delete the message
>> completely|email message and any attachments are intended|automatically
>> archived by Mimecast|sender and take the steps necessary)/i
>> describe EMAIL_20231207 Spam fake IQ password
>> score EMAIL_20231207 2
>>
>> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
>> score EMAIL_20231207_1 0.1
>> rawbody EMAIL_20231207_2
>> /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
>> meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 &&
>> KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
>> score EMAIL_20231207_ALL 2
>>
>> Any idea ?
>>
>>
>>
>> --
>>
>
>
>
> --
>
Re: some problem with spam
Hi
Thanks, I'll try this ruleset.

On 12.12.2023 at 14:59, Jimmy wrote:

--