On Wed, 2005-09-14 at 16:43 -0700, jdow wrote: > From: <kevin.kempter@xxxxxxxxxxxxxxxxx> > > On Wednesday 14 September 2005 14:16, jdow wrote: > >> Kevin, it's called a "Joe Job". It is exceptionally common. Headers in > >> email are pathetically easy to forge as far as the ones that existed > >> while the email was still on the sender's machines. Often if you trace > >> the received headers you find "discontinuities" in the chain if the > >> spammer bothered to forge them anymore. This is one of the things that > >> automated tools like SpamAssassin have gotten pretty good at finding. > >> The spammers are into cleverer tricks these days. Spammers still use > >> the "Joe Job", the forged sender, most of the time. I use it as one of > >> my customized SpamAssassin rules, as a matter of fact. It's part of a > >> set of rules and meta rules that can work on my addresses. > ... lots deleted > > > > Thanks for the info. > > > > Can you send me info on what a spam assasin filter to catch these will > > need to > > look like? > > May I suggest several things. > > 1) Join the spamassassin users list. http://www.spamassassin.org will > get you there even though it is an Apache project now. > 2) Visit the SpamAssassin Rules Emporium, SARE, and look over the > various rule sets. http://www.rulesemporium.com/ > 3) Visit the admittedly iffy SpamAssassin wiki. (Pointer on their > main page.) > 4) Brush up on your perl regular expressions and read the wiki entry > on making your own rules. > 5) Do *NOT* run anything other than 2.64 or 3.04. Earlier versions of > either string are either trash or subject to DoS attacks. 3.04 seems > to be reasonably stable. (It has a perl based problem with per user > rules (not per user scores) if the rules require a perl eval be run.) > 2.64 is also stable. But it's getting old. > // Joanne's general rules for a SMALL SpamAssassin server. > 6) Do NOT use auto-<anything>. Turn off auto-learn. Turn off auto- > whitelist. They cause problems with the default settings. If you must > use them set the trigger scores farther apart in both directions. > 7) Permit at least per user Bayes. Per user scores are good as well. > Some people consider the darndest things to be ham or spam. One > person's gold is another person's cow manure. Per user rules are > nicer yet, IFF your users are smart enough to do it right. (Loren > and I are. Erm, he is one of the SARE ninjas.) > 8) As noted visit SARE and setup to use as many rule sets as seem safe > for your needs. (I use about 42 of them.) It saves ME having to look > at a new series of spam using a new trick to find a common identifying > feature around which a good rule can be made. > 9) Set the BAYES_99 rule up to about 5 points once your Bayes is well > trained. Here it hits over 50% of all spam and 0.000% of ham. If it > hits I figure it is a VERY small chance it's messed up. It took a > year to get there. > 10) Turn off auto-Bayes everything. Since you are not training Bayes on > almost every message there is no need to expire it periodically > either. I've never expired mine. And I find I need to train with > one or two low scoring spams every few days. > a) Setup an IMAP server on your machine that is NOT outside accessible, > of course. Create IMAP folders for spam and ham for each user. > have the users slide samples of good ham and definate spam into > their respective folders. Use a cron job to train on these. > b) I grab ham samples from various mail sorts in my OE setup. I use > POP3 for grabbing mail and a separate IMAP "account" the ham and > spam. I am particular about copying most escaped spam to the spam > folder. (Some has so little indentifying virtue to them I shrug > and let them go away. Although even the geocities.co.uk url only > spams are worth Bayes training.) I also look at the lowest scoring > spam messages and see if their Bayes score is abnormally low. If > it is and there's training meat present I toss them into the > spam training folder. > 11) That brings us to another good idea, NEVER simply delete spam. Check > to see if it is a bozo friend sending you a peculiarly formatted > chunk of ham or if it is a customer trying to reach you from AOL. > (Well, same thing, really. But...) I tell spamassassin to encapsulate > spam in a mime layer and add something like **** SPAM **** 024.5 ** > to the subject line. Then subject lines with **** SPAM **** in them > get tossed into an OE spam folder. I can sort by score nicely. And > that makes getting the low scores nice. > 12) The man spamassassin page is not quite worthless if you want to do > something peculiar. "man Mail::SpamAssassin" is better if you want > details. > 13) You MUST have a trusted mail server somewhere in your chain. It may > simply be your own or it may be your ISPs if you use fetchmail as I > do. Trusted in this context *ONLY* means that the server can be > trusted far enough to NOT forge any addresses itself. So that is the > place the DNS based rules can start from. > 14) SURBL (Jeff) and URIBL (Chris) are good guys. Watch the scores on > other BLs you may use. Some are overly enthusiastic and catch some > rather significant chunks of ham in their nets. I generally make sure > they score LOW. > 15) About the only useful "SPF" is a message that violates an existing > SPF record. I give that a slight score. > 16) The various "habeas" sort of things are not generally worth anything. > The mad Russian sometimes forges them just for the grins and giggles > of it. (He is also a very smart critter who plays manipulative tricks > with his DNS servers that are beyond most people. It took me quite > awhile of patient explanation to understand one of them.) > 17) <well, that's enough for now. Just how dedicated to this do you want > to be. If you're normal, which I'm not, I've gone past reality for > you already. {^_-} But I will note that I had zero real ham marked > as spam so far today and zero escaped spam. I did have two messages > that were ham marked as spam because they contained very VERY spammy > bodies. A coorespodent and I were discussing the mad Russian's tricks. > And I don't have him whitelisted yet. I've been lazy and remiss. I > pay for it with extra work recovering his emails from my spam folder.> ---- of course this has nothing to do with his issue of being Joe Jobbed but is entertaining nevertheless. Craig
