Discussion:
Sudden Increase in Spam Mails
Anton Krall
2005-08-19 14:36:39 UTC
Guys.

Is it just me or has spam increased for the past few days? It's like amavis
and SA are not catching a lot anymore...

Any ideas?
Loren Wilton
2005-08-19 15:24:00 UTC
Post by Anton Krall
Is it just me or has spam increased for the past few days? It's like amavis
and SA are not catching a lot anymore...
Haven't seen it here, but that doesn't mean a whole lot. Different people
seem to get different kinds of spam.

Loren
jdow
2005-08-19 22:19:57 UTC
Post by Loren Wilton
Post by Anton Krall
Is it just me or has spam increased for the past few days? It's like amavis
and SA are not catching a lot anymore...
Haven't seen it here, but that doesn't mean a whole lot. Different people
seem to get different kinds of spam.
Actually in the last two to four days caught spam has jumped by about
50%. This has sort of surprised me a little.

It seemed to dip dramatically for a week after the Russian was killed.
It also dipped some after $7 million was pulled from a pocket. And it
was down until just this week when it's been climbing about 10% to 15%
per day as if a new spam organization is up or there is a huge spate of
new zombie machines.

{^_^}
Matthias Fuhrmann
2005-08-19 17:09:46 UTC
Post by Anton Krall
Guys.
Is it just me or has spam increased for the past few days? It's like amavis
and SA are not catching a lot anymore...
Any ideas?
Does it mean there are no tags set in the header of emails, or just low
scorings?
No tags means there were timeouts due to busy CPU or other problems. If
you post your setup, I guess people here can help you.

regards,
Matthias
Anton Krall
2005-08-19 18:35:15 UTC
I'm getting very low scores.. Spam emails are passing thru, containing just
1 big jpg inside or text with one html link... These spam could easily be
confused with normal email...

Which files would I need to post here?

|-----Original Message-----
|From: Matthias Fuhrmann
|[mailto:***@stud.uni-hannover.de]
|Sent: Viernes, 19 de Agosto de 2005 12:10 p.m.
|To: ***@spamassassin.apache.org
|Subject: Re: Sudden Increase in Spam Mails
|
|On Fri, 19 Aug 2005, Anton Krall wrote:
|
|> Guys.
|>
|> Is it just me or has spam increased for the past few days? It's like
|> amavis and SA are not catching a lot anymore...
|>
|> Any ideas?
|
|Does it mean there are no tags set in the header of emails,
|or just low scorings?
|No tags means there were timeouts due to busy CPU or other
|problems. If you post your setup, I guess people here can help you.
|
|regards,
|Matthias
|
|
Bruno S. Delbono
2005-08-19 18:37:29 UTC
Post by Anton Krall
I'm getting very low scores.. Spam emails are passing thru, containing just
1 big jpg inside or text with one html link... These spam could easily be
confused with normal email...
Which files would I need to post here?
- The mail with full content headers + sa score
- SA version
- OS
- Bayes if any
- spamassassin --lint -D
- Setup of mailserver
jdow
2005-08-19 22:21:15 UTC
SURBL, tweaked scores for image only, and some custom recipient rules
have kept it to virtually zero here.
{^_^}
----- Original Message -----
From: "Bruno S. Delbono" <***@mail.ac>
To: "Anton Krall" <akrall-***@intruder.com.mx>;
<***@spamassassin.apache.org>
Sent: 2005 August, 19, Friday 11:37
Subject: Re: Sudden Increase in Spam Mails
Post by Bruno S. Delbono
Post by Anton Krall
I'm getting very low scores.. Spam emails are passing thru, containing just
1 big jpg inside or text with one html link... These spam could easily be
confused with normal email... Which files would I need to post here?
- The mail with full content headers + sa score
- SA version
- OS
- Bayes if any
- spamassassin --lint -D
- Setup of mailserver
Anton Krall
2005-08-20 09:14:02 UTC
This is weird.. I don't know if it has something to do with the problem but
since Aug 12, I don't see any SURBL hits on maillog anymore...

Has anything changed?

Here is my SURBL ruleset, I just updated to Mail::SpamAssassin 3.0.4

[***@server spamassassin]# cat 25_uribl.cf
# SpamAssassin - URIDNSBL rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Copyright 2004 Apache Software Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
# Note that this plugin defines a new config setting, 'uridnsbl',
# which lists the zones to look up in advance. The rules will
# not hit unless each rule has a corresponding 'uridnsbl' line.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

# URI-DNSBL lookups can take a *maximum* of this many seconds past the
# normal DNSBL lookups.
uridnsbl_timeout 2

uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
describe URIBL_SBL Contains an URL listed in the SBL blocklist
tflags URIBL_SBL net

urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL')
describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
tflags URIBL_SC_SURBL net

urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL')
describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
tflags URIBL_WS_SURBL net

urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL')
describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
tflags URIBL_PH_SURBL net

urirhssub URIBL_OB_SURBL multi.surbl.org. A 16
body URIBL_OB_SURBL eval:check_uridnsbl('URIBL_OB_SURBL')
describe URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
tflags URIBL_OB_SURBL net

urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL')
describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
tflags URIBL_AB_SURBL net

urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
tflags URIBL_JP_SURBL net

# Top 125 domains whitelisted by SURBL
uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
uridnsbl_skip_domain hotmail.com doubleclick.net flowgo.com ebaystatic.com aol.com
uridnsbl_skip_domain akamai.net yahoogroups.com ebay.com classmates.com akamaitech.net
uridnsbl_skip_domain incredimail.com tiscali.co.uk google.com chtah.com ediets.com
uridnsbl_skip_domain directtrack.com microsoft.com paypal.com jexiste.fr amazon.com
uridnsbl_skip_domain nytimes.com unitedoffers.com sitesolutions.it m0.net hyperpc.co.jp
uridnsbl_skip_domain terra.com.br macromedia.com ed10.net earthlink.net citibank.com
uridnsbl_skip_domain sourceforge.net marketwatch.com comcast.net messagelabs.com mcafee.com
uridnsbl_skip_domain grisoft.com geocities.com yourfreedvds.com smileycentral.com ual.com
uridnsbl_skip_domain monster.com e-trend.co.jp cnn.com cnet.com bfi0.com
uridnsbl_skip_domain atdmt.com sportsline.com rs6.net rr.com redhat.com
uridnsbl_skip_domain partner2profit.com joingevalia.com hotbar.com advertising.com topica.com
uridnsbl_skip_domain rm04.net ed4.net dsbl.org extm.us edgesuite.net
uridnsbl_skip_domain debian.org click-url.com bbc.co.uk adobe.com gte.net
uridnsbl_skip_domain go.com weatherbug.com speedera.net sbcglobal.net ientrymail.com
uridnsbl_skip_domain ibm.com att.net apple.com 5iantlavalamp.com verizon.net
uridnsbl_skip_domain plaxo.com pandasoftware.com p0.com mediaplex.com gmail.com
uridnsbl_skip_domain exacttarget.com constantcontact.com sf.net roving.com netflix.com
uridnsbl_skip_domain moveon.org cc-dt.com xmr3.com spamcop.net postdirect.com
uridnsbl_skip_domain norman.com netatlantic.com mail.com investorplace.com hitbox.com
uridnsbl_skip_domain citizensbank.com chase.com bridgetrack.com apache.org washingtonpost.com
uridnsbl_skip_domain si.com shockwave.com sears.com quickinspirations.com prserv.net
uridnsbl_skip_domain mac.com myweathercheck.com dsi-enews.net cheaptickets.com bravenet.com
uridnsbl_skip_domain arcamax.com afa.net 4at1.com yahoo.co.uk uclick.com
uridnsbl_skip_domain suntrust.com sun.com ups.com pcmag.com mycomicspage.com

endif # Mail::SpamAssassin::Plugin::URIDNSBL

Why did it suddenly stop showing SURBL hits?





|-----Original Message-----
|From: jdow [mailto:***@earthlink.net]
|Sent: Viernes, 19 de Agosto de 2005 05:21 p.m.
|To: ***@spamassassin.apache.org
|Subject: Re: Sudden Increase in Spam Mails
|
|SURBL, tweaked scores for image only, and some custom
|recipient rules have kept it to virtually zero here.
|{^_^}
|----- Original Message -----
|From: "Bruno S. Delbono" <***@mail.ac>
|To: "Anton Krall" <akrall-***@intruder.com.mx>;
|<***@spamassassin.apache.org>
|Sent: 2005 August, 19, Friday 11:37
|Subject: Re: Sudden Increase in Spam Mails
|
|
|> Anton Krall wrote:
|>> I'm getting very low scores.. Spam emails are passing thru,
|>> containing just 1 big jpg inside or text with one html link...
|>> These spam could easily be confused with normal email... Which
|>> files would I need to post here?
|>
|> - The mail with full content headers + sa score
|> - SA version
|> - OS
|> - Bayes if any
|> - spamassassin --lint -D
|> - Setup of mailserver
|
|
|
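How the `urirhssub` lines in the ruleset above turn a single DNS answer from multi.surbl.org into individual rule hits, as an added example that is not part of the original thread and not SpamAssassin's own code. The function names, the two-label domain shortcut and the sample answers are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed excerpt: the urirhssub lines and one skip line from the posted file.
CONFIG = """\
urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
urirhssub URIBL_OB_SURBL multi.surbl.org. A 16
urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
"""

def parse_config(text):
    """Return ({rule: (zone, bitmask)}, skip_domains) from the config text."""
    rules, skip = {}, set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "urirhssub" and fields[4].isdigit():
            rules[fields[1]] = (fields[2].rstrip("."), int(fields[4]))
        elif fields and fields[0] == "uridnsbl_skip_domain":
            skip.update(d.lower() for d in fields[1:])
    return rules, skip

def query_name(uri, zone, skip):
    """DNS name queried for a URI, or None when nothing would be looked up.
    Assumption: the registered domain is the last two labels of the host;
    IP-literal hosts and multi-label public suffixes are not handled here."""
    m = re.match(r"(?i)https?://([^/?#\s]+)", uri)
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return None
    domain = ".".join(host.split(".")[-2:])
    return None if domain in skip else f"{domain}.{zone}"

def decode_answer(answer, rules):
    """Map one A-record answer (None means NXDOMAIN) to the rules that fire."""
    if answer is None:
        return []
    addr = ipaddress.IPv4Address(answer)
    # A blocklist reply lives in 127.0.0.0/8; anything else is not a listing
    # (for example a resolver rewriting NXDOMAIN), so refuse to interpret it.
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"{answer} is not a blocklist reply")
    return sorted(name for name, (_, mask) in rules.items() if int(addr) & mask)

if __name__ == "__main__":
    rules, skip = parse_config(CONFIG)
    print(query_name("http://www.example.com/buy", "multi.surbl.org", skip))
    print(decode_answer("127.0.0.6", rules))  # constructed answer: bits 2 and 4
```

When hits stop appearing in the log, resolving one such query name by hand from the mail server and feeding the answer to `decode_answer` separates a DNS problem from a scoring problem.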
jdow
2005-08-20 11:13:52 UTC
You need to set up your trusted networks properly. Visit the wiki in this
regard. Look for trusted_networks and internal_networks.

I had to set mine something like...
trusted_networks 192.168/16 127/8 207.217.121/24
internal_networks 192.168/16

207.217.121/24 is the address for the Earthlink pop3 servers I use.

{^_^}
----- Original Message -----
From: "Anton Krall" <akrall-***@intruder.com.mx>
To: "'jdow'" <***@earthlink.net>; <***@spamassassin.apache.org>
Sent: 2005 August, 20, Saturday 02:14
Subject: RE: Sudden Increase in Spam Mails
Post by Anton Krall
This is weird.. I don't know if it has something to do with the problem but
since Aug 12, I don't see any SURBL hits on maillog anymore...
Has anything changed?
Here is my SURBL ruleset, I just updated to Mail::SpamAssassin 3.0.4
Why did it suddenly stop showing SURBL hits?
|-----Original Message-----
|Sent: Viernes, 19 de Agosto de 2005 05:21 p.m.
|Subject: Re: Sudden Increase in Spam Mails
|
|SURBL, tweaked scores for image only, and some custom
|recipient rules have kept it to virtually zero here.
|{^_^}
|----- Original Message -----
|Sent: 2005 August, 19, Friday 11:37
|Subject: Re: Sudden Increase in Spam Mails
|
|
|>> I'm getting very low scores.. Spam emails are passing thru,
|>> containing just 1 big jpg inside or text with one html link...
|>> These spam could easily be confused with normal email... Which
|>> files would I need to post here?
|>
|> - The mail with full content headers + sa score
|> - SA version
|> - OS
|> - Bayes if any
|> - spamassassin --lint -D
|> - Setup of mailserver
|
|
|
Matthew Yette
2005-08-19 20:45:40 UTC
Do you use Bayes? Are you using sa-learn to teach the message as spam?


--
Matthew Yette
Senior Engineer - NOC/Operations
MA Polce Consulting, Inc.
***@mapolce.com
315-838-1644 (w)
315-356-0597 (f)
AIM/Yahoo: MAPolceNOC
MSN: ***@mapolce.com
-----Original Message-----
From: Anton Krall [mailto:akrall-***@intruder.com.mx]
Sent: Friday, August 19, 2005 2:35 PM
To: 'Matthias Fuhrmann'; ***@spamassassin.apache.org
Subject: RE: Sudden Increase in Spam Mails

I'm getting very low scores.. Spam emails are passing thru, containing
just 1 big jpg inside or text with one html link... These spam could
easily be confused with normal email...

Which files would I need to post here?

|-----Original Message-----
|From: Matthias Fuhrmann
|[mailto:***@stud.uni-hannover.de]
|Sent: Viernes, 19 de Agosto de 2005 12:10 p.m.
|To: ***@spamassassin.apache.org
|Subject: Re: Sudden Increase in Spam Mails
|
|On Fri, 19 Aug 2005, Anton Krall wrote:
|
|> Guys.
|>
|> Is it just me or has spam increased for the past few days? It's like
|> amavis and SA are not catching a lot anymore...
|>
|> Any ideas?
|
|Does it mean there are no tags set in the header of emails, or just
|low scorings?
|No tags means there were timeouts due to busy CPU or other problems. If
|you post your setup, I guess people here can help you.
|
|regards,
|Matthias
|
|
Anton Krall
2005-08-20 08:06:14 UTC
I'm not using Bayes. How do I enable that and/or use sa-learn?

|-----Original Message-----
|From: Matthew Yette [mailto:***@mapolce.com]
|Sent: Viernes, 19 de Agosto de 2005 03:46 p.m.
|To: Anton Krall; Matthias Fuhrmann; ***@spamassassin.apache.org
|Subject: RE: Sudden Increase in Spam Mails
|
|Do you use Bayes? Are you using sa-learn to teach the message as spam?
|
|
|--
|Matthew Yette
|Senior Engineer - NOC/Operations
|MA Polce Consulting, Inc.
|***@mapolce.com
|315-838-1644 (w)
|315-356-0597 (f)
|AIM/Yahoo: MAPolceNOC
|MSN: ***@mapolce.com
|-----Original Message-----
|From: Anton Krall [mailto:akrall-***@intruder.com.mx]
|Sent: Friday, August 19, 2005 2:35 PM
|To: 'Matthias Fuhrmann'; ***@spamassassin.apache.org
|Subject: RE: Sudden Increase in Spam Mails
|
|I'm getting very low scores.. Spam emails are passing thru,
|containing just 1 big jpg inside or text with one html link...
|These spam could easily be confused with normal email...
|
|Which files would I need to post here?
|
||-----Original Message-----
||From: Matthias Fuhrmann
||[mailto:***@stud.uni-hannover.de]
||Sent: Viernes, 19 de Agosto de 2005 12:10 p.m.
||To: ***@spamassassin.apache.org
||Subject: Re: Sudden Increase in Spam Mails
||
||On Fri, 19 Aug 2005, Anton Krall wrote:
||
||> Guys.
||>
||> Is it just me or has spam increased for the past few days? It's like
||> amavis and SA are not catching a lot anymore...
||>
||> Any ideas?
||
||Does it mean there are no tags set in the header of emails, or just
||low scorings?
||No tags means there were timeouts due to busy CPU or other problems. If
||you post your setup, I guess people here can help you.
||
||regards,
||Matthias
||
||
|
|
|