Long Subject spam

Discuss our MailScanner install script and MailScanner itself
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36

Long Subject spam

Post by dieter »

I have a certain type of spam that is getting through the system. Training SA does not help increase the score. Here are two examples:

Received: from snt0-omc4-s15.snt0.hotmail.com ([65.55.90.218])
by xxxxxxxxx with esmtp (Exim 4.69)
(envelope-from <marietteqyxdkykl@hotmail.com>)
id 1Q0Dkp-00031l-MQ
for xxxxxxx; Thu, 17 Mar 2011 16:00:44 +0200
Received: from SNT138-W46 ([65.55.90.199]) by snt0-omc4-s15.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 17 Mar 2011 07:03:00 -0700
Message-ID: <SNT138-w4613B042F30A19D88A8F12D9B10@phx.gbl>
Content-Type: multipart/alternative;
boundary="_327a61e3-8f13-43e7-90f6-fcad1738c13e_"
X-Originating-IP: [41.137.61.66]
From: Mariette Mahaffey <marietteqyxdkykl@hotmail.com>
To: <xxxxxxxx>
Subject:
TheFiristAndMmostWell-KnownFunctoinnOfHummanGrowthHoromneIsOurrGrwoth.It'SAMmustHaveForrUs.
Date: Thu, 17 Mar 2011 14:03:00 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Mar 2011 14:03:00.0544 (UTC) FILETIME=[068A8400:01CBE4AC]

And:
Received: from snt0-omc3-s2.snt0.hotmail.com ([65.55.90.141])
by xxxxxxxx with esmtp (Exim 4.69)
(envelope-from <jacquettemcgxqhmlo@hotmail.com>)
id 1Q0N86-0003Cn-OL
for xxxxxxx; Fri, 18 Mar 2011 02:01:23 +0200
Received: from SNT136-W53 ([65.55.90.135]) by snt0-omc3-s2.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 17 Mar 2011 17:03:36 -0700
Message-ID: <SNT136-w53DF0A0F422F69EB5A411BC5B00@phx.gbl>
Content-Type: multipart/alternative;
boundary="_b8425fec-85b0-4b8b-a887-f5b5c43e67d8_"
X-Originating-IP: [77.250.160.43]
From: Jacquette Grimsted <jacquettemcgxqhmlo@hotmail.com>
To: <safetyman@awesomenet.net>
Subject:
RenewYourSeuxualVitallittyToTheMaixummm!OuurUnbeleiavbbleDicsountsWilllHellpYouu
Date: Fri, 18 Mar 2011 00:03:36 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 18 Mar 2011 00:03:36.0627 (UTC) FILETIME=[EDB86830:01CBE4FF]


Is there any way to block this kind of spam?

Regards,

Dieter
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Long Subject spam

Post by Sarah »

Are these emails getting ANY spamassassin score? Since you don't provide that information (i.e. from mailwatch) or the full contents of the spam email, it is impossible to offer any ideas. If you could put a couple of samples in a pastebin somewhere that we can download and test on our server we can try to help.
dieter
Junior Member
Posts: 11
Joined: 18 Mar 2011, 05:36

Re: Long Subject spam

Post by dieter »

Here are a few examples; some of them score high, and others low or 0:

1: low score:
Received: from col0-omc4-s15.col0.hotmail.com ([65.55.34.217])
by xxxxxx with esmtp (Exim 4.69)
(envelope-from <ivonnejysjqyrm@hotmail.com>)
id 1Q1pTS-0005Y4-70
for xxxxxx ; Tue, 22 Mar 2011 02:29:26 +0200
Received: from COL110-W3 ([65.55.34.200]) by col0-omc4-s15.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Mar 2011 17:31:49 -0700
Message-ID: <COL110-W3E203552D5ACF397C1B93C7B40@phx.gbl>
Content-Type: multipart/alternative;
boundary="_5fd1e436-995d-42d2-9821-b610e41721ea_"
X-Originating-IP: [110.136.254.182]
From: Ivonne Katz <ivonnejysjqyrm@hotmail.com>
To: <xxxxx>
Subject:
IfYouLifeStopsFor4-5DaysEveryyMotnthh,TryThiisMedictaiionForWomenAndEnjoyTheLifee
Date: Tue, 22 Mar 2011 00:31:49 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 22 Mar 2011 00:31:49.0696 (UTC) FILETIME=[88853C00:01CBE828]
From: ivonnejysjqyrm@hotmail.com
To: xxxxx
Subject: IfYouLifeStopsFor4-5DaysEveryyMotnthh,TryThiisMedictaiionForWomenAndEnjoyTheLifee
Size: 2.5Kb

cached not
score=3.309
5 required
-0.00 BAYES_40
0.00 FREEMAIL_FROM
0.00 HTML_MESSAGE
0.50 RAZOR2_CF_RANGE_51_100
1.89 RAZOR2_CF_RANGE_E8_51_100
0.92 RAZOR2_CHECK
-0.00 RCVD_IN_DNSWL_NONE
-0.00 SPF_PASS
0.00 URIBL_RED

HigghSexexualAcvtiityHassNeeverBeeenThatAfofrdalble!HHurryUpToBuyOurNnewMedicatoions

http://www.marcelamelanie.com/


Luzon, it is bounded en the north by the Strait of San Bernardino,
he could help it, would he notice her.
Your affairs will move agreeably.


2: high score:
Received: from snt0-omc1-s7.snt0.hotmail.com ([65.55.90.18])
by xxxxxx with esmtp (Exim 4.69)
(envelope-from <camilaiewaozes@hotmail.com>)
id 1Q1ny6-0002xt-4F
for xxxxxxx; Tue, 22 Mar 2011 00:52:58 +0200
Received: from SNT132-W32 ([65.55.90.8]) by snt0-omc1-s7.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Mar 2011 15:55:21 -0700
Message-ID: <SNT132-w3213685EF53B3ABF28611FDDB50@phx.gbl>
Content-Type: multipart/alternative;
boundary="_dbcadc27-284f-4e83-bfca-44eefac5313a_"
X-Originating-IP: [186.88.155.86]
From: Camila Finn <camilaiewaozes@hotmail.com>
To: <michkoen@awesomenet.net>
Subject:
ImptoenceRuinsMoreFamlieiesThanAdltueery!Isn'TItAReasonToTakeCareOfYoourSeuxalHealth?
Date: Mon, 21 Mar 2011 22:55:20 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 21 Mar 2011 22:55:21.0141 (UTC) FILETIME=[0E45D650:01CBE81B]
From: camilaiewaozes@hotmail.com
To: xxxxx
Subject: ImptoenceRuinsMoreFamlieiesThanAdltueery!Isn'TItAReasonToTakeCareOfYoourSeuxalHealth?
Size: 2.6Kb

cached not
score=7.528
5 required
1.50 BAYES_50
0.00 FREEMAIL_FROM
0.00 HTML_MESSAGE
0.99 PLING_QUERY
0.50 RAZOR2_CF_RANGE_51_100
1.89 RAZOR2_CF_RANGE_E8_51_100
0.92 RAZOR2_CHECK
-0.00 RCVD_IN_DNSWL_NONE
-0.00 SPF_PASS
1.73 URIBL_BLACK

RehabsCanStopThheAdidctFromTakaingPainiklelrs,BbutCannotReutrnBacckHissHeallthToatlly.

http://www.frankyfelice.com/

annuity generally sells for something more than it is worth. In
herself Glafira never would allow a portrait to be taken.
But the industrious man was received by
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Long Subject spam

Post by Sarah »

Sorry, I should have specified that in order to test it I will need the original source of the email, not copied from MailWatch. (You should be able to get this from the mail client, in Thunderbird it is "View Message Source".)

It looks like spamassassin *is* scanning the mail, so unless you are also having problems with low scores for other spam emails I'm not sure whether I can suggest anything. You might get more help from the spamassassin mailing list itself.
http://www.gossamer-threads.com/lists/s ... sin/users/

I don't recall seeing anything about this type of spam on the MailScanner list.
emmi
Junior Member
Posts: 20
Joined: 26 Oct 2009, 15:39

Re: Long Subject spam

Post by emmi »

I'm having this problem as well, very annoying.
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Long Subject spam

Post by Sarah »

This is really a SpamAssassin issue rather than a MailScanner issue, so not really something we can help with on this forum.
emmi
Junior Member
Posts: 20
Joined: 26 Oct 2009, 15:39

Re: Long Subject spam

Post by emmi »

Ok, would it be possible to greylist hotmail.com somehow though?
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Long Subject spam

Post by Sarah »

emmi wrote:Ok, would be possible to greylist hotmail.com somehow though?
That can't be done via MailScanner so is outside the scope of this forum. Check the exim mailing list or exim documentation.
TheTechGuide
Junior Member
Posts: 10
Joined: 16 Feb 2009, 07:44

Re: Long Subject spam

Post by TheTechGuide »

This is more a SpamAssassin (SA) issue than a MailScanner one. The configuration below for SA has helped stop the long subject spam on our servers. It assumes you are using MailScanner in conjunction with SA 3.3.1. I found this rule somewhere on the net, but don't remember where, so I can't give them proper credit.

The general disclaimer: make a backup copy of the below file before you change it! Make changes to your system at your own risk, we are not responsible for screwed up configurations.

In /usr/mailscanner/etc/spam.assassin.prefs.conf, create the new rule below in the "Adding Spamassasin Rules" section:

header LW_SUBJECT_SPAMMY Subject =~ /^[0-9a-zA-Z,.+_\-'!\\\/]{31,}$/
describe LW_SUBJECT_SPAMMY Subject appears spammy (31 or more characters without spaces. Only numbers, letters, and formatting)
# replace X X X X with actual spam scores (like 6.0 6.0 6.0 6.0) relevant to your SA setup
score LW_SUBJECT_SPAMMY X X X X

In the "Change Spamassissin Rule Scores" section, we increased the score of the below default rules as this seems to work for the type of spam we receive and the below lists have been accurate for us:
# fill in scores relevant to your SA setup for this rule and the rules below
score URIBL_BLACK 3.0 3.0 3.0 3.0
score URIBL_SBL 3.0 3.0 3.0 3.0
score RCVD_IN_SORBS_WEB 2.0 2.0 2.0 2.0

Save the file.
Perform an sa-update.
Then run spamassassin -D --lint and look for any errors in the rules.
Lastly, restart and/or reload MailScanner and monitor for improvement in catching this spam.
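As an added example (not code from the post above, nor from MailScanner or SpamAssassin), here is the LW_SUBJECT_SPAMMY pattern translated into Python and run over the subject lines quoted earlier in this thread, so you can see which of them it catches before you commit to a score. It assumes SpamAssassin evaluates a "header ... Subject =~" rule against the unfolded Subject value (the samples carry the text on a continuation line under a bare "Subject:"), and the helper names, the sample header block and the non-spam subjects are constructed for the example.

```python
import re

# The LW_SUBJECT_SPAMMY pattern from the post, translated from Perl to Python
# character-class syntax: digits, letters and a handful of punctuation marks,
# 31 or more of them, and nothing else (no whitespace anywhere in the value).
LW_SUBJECT_SPAMMY = re.compile(r"^[0-9a-zA-Z,.+_\-'!\\/]{31,}$")


def unfold_headers(raw):
    """Unfold folded (RFC 5322) header lines and return a list of (name, value).

    SpamAssassin applies header rules to the unfolded value, so this helper
    does the same. It expects a header block only: it stops at the first
    blank line, which would begin the body."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def subject_is_spammy(raw_headers):
    """True when the unfolded Subject value matches LW_SUBJECT_SPAMMY."""
    for name, value in unfold_headers(raw_headers):
        if name.lower() == "subject":
            return LW_SUBJECT_SPAMMY.search(value) is not None
    return False


def score_with_rule(base_score, rule_score, matched, required=5.0):
    """Add the custom rule's score to the score SA already gave a message
    and report whether the total reaches the 'required' threshold."""
    total = base_score + (rule_score if matched else 0.0)
    return round(total, 3), total >= required


# Subjects taken from the samples earlier in this thread, plus three subjects
# constructed here: two ordinary ones and one attachment-style subject that
# shows the rule's false-positive risk.
SUBJECTS = {
    "hgh": "TheFiristAndMmostWell-KnownFunctoinnOfHummanGrowthHoromneIsOurrGrwoth.It'SAMmustHaveForrUs.",
    "renew": "RenewYourSeuxualVitallittyToTheMaixummm!OuurUnbeleiavbbleDicsountsWilllHellpYouu",
    "women": "IfYouLifeStopsFor4-5DaysEveryyMotnthh,TryThiisMedictaiionForWomenAndEnjoyTheLifee",
    "impotence": "ImptoenceRuinsMoreFamlieiesThanAdltueery!Isn'TItAReasonToTakeCareOfYoourSeuxalHealth?",
    "meeting": "Re: meeting tomorrow at 10",
    "short": "Invoice-2011-03",
    "report": "Quarterly_Report_2011_Q1_Final_v2.pdf",
}

# A header block constructed from the "low score" sample in this thread, with
# the Subject folded the way the original message carried it.
SAMPLE_HEADERS = (
    "From: Ivonne Katz <ivonnejysjqyrm@hotmail.com>\n"
    "To: <xxxxx>\n"
    "Subject:\n"
    " IfYouLifeStopsFor4-5DaysEveryyMotnthh,TryThiisMedictaiionForWomenAndEnjoyTheLifee\n"
    "Date: Tue, 22 Mar 2011 00:31:49 +0000\n"
)


def classify_all():
    """Run the rule over every sample subject; returns {label: matched}."""
    return {label: LW_SUBJECT_SPAMMY.search(s) is not None
            for label, s in SUBJECTS.items()}


if __name__ == "__main__":
    for label, hit in classify_all().items():
        print(f"{label:10s} {'MATCH' if hit else 'no match'}")
    matched = subject_is_spammy(SAMPLE_HEADERS)
    # The low-scoring sample got 3.309 from SA; a 2.0 score on this rule
    # is enough to push it past the default 5.0 threshold.
    print(score_with_rule(3.309, 2.0, matched))
```

Running it shows three of the four spam subjects matching and the fourth ("...SeuxalHealth?") not matching, because "?" is not in the character class; it was caught anyway through PLING_QUERY and URIBL_BLACK. The constructed "Quarterly_Report_2011_Q1_Final_v2.pdf" subject matches too, which is the reason to test a candidate score against your own legitimate mail (a score that crosses the threshold on its own will also quarantine a long single-token subject such as a file name) and to let the rule combine with the Razor and URIBL hits that the thread's samples already collect.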
jensond
Junior Member
Posts: 4
Joined: 25 Jun 2011, 01:45

Re: Long Subject spam

Post by jensond »

I have been getting complaints about MailScanner being a little too strict and out of context with .chm types of files. The client described it as: downloaded a compiled HTML file from an online repository that performs stringent virus and spyware eliminations, but it still fails with MailScanner. Do you guys have any clue as to who is at fault here? I have been trying to test it and it still yields the same result, even though it passed a series of tests.