FW: gofer (stock spam)

donald.dawson at bakerbotts.com donald.dawson at bakerbotts.com
Fri Jul 6 15:38:56 IST 2007


This may have already been addressed, but is there a released rule set
or add-on that would help in identifying these types of stock spam
emails?

We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
sa-update and RulesDuJour for automatic updates.

We turned off Razor since it was causing delays in processing mail.

In MailScanner, we turned off SpamHaus since we process too much email -
it appears it was just raising the score of high spam:  'Spam List =
SBL+XBL'

We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
milter-null (snert) to reduce bounce backs.

We receive about 300k emails a day with about 70% identified as spam.
We deliver about 5% of the suspected spam (score below 5).

I am considering adding the botnet plugin from:
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and have added a
fake MX entry.

We use BAYES, but we don't feed spam or ham so it may have little help.

Here are the cf files we use in /etc/mail/spamassassin:

00_FVGT_File001.cf           70_sare_header_eng.cf  70_sare_specific.cf
70_sare_whitelist_rcvd.cf      bakerbotts.cf            popcorn_new.cf
70_sare_adult.cf             70_sare_highrisk.cf    70_sare_spoof.cf
70_sare_whitelist_spf.cf       bogus-virus-warnings.cf  random.cf
70_sare_bayes_poison_nxm.cf  70_sare_html0.cf       70_sare_stocks.cf
70_zmi_german.cf               chickenpox.cf            tripwire.cf
70_sare_evilnum0.cf          70_sare_html_eng.cf    70_sare_unsub.cf
72_sare_bml_post25x.cf         local.cf                 weeds.cf
70_sare_genlsubj0.cf         70_sare_obfu0.cf       70_sare_uri0.cf
72_sare_redirect_post3.0.0.cf  mailscanner.cf
70_sare_genlsubj_eng.cf      70_sare_oem.cf         70_sare_uri_eng.cf
88_FVGT_headers.cf             mangled.cf
70_sare_header0.cf           70_sare_random.cf      70_sare_whitelist.cf
99_sare_fraud_post25x.cf       pdfinfo.cf

plugins from init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::PDFInfo

I don't understand why the SA files are loaded into
/var/lib/spamassassin/3.002000... instead of /usr/share/spamassassin:

/usr/bin/spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint:
[17634] dbg: config: fixed relative path: /var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf
[17634] dbg: config: using "/var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf" for included file

Any input on our configuration would be appreciated - I enjoy this and
the spamassassin forums.

Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183

--------------------------------------------------------------------------------------------------

--------------------------
HEADERS:
--------------------------

Microsoft Mail Internet Headers Version 2.0
Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 5 Jul 2007 09:42:54 -0500
Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 5 Jul 2007 09:42:54 -0500
Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
[10.20.254.236]) by housweep03.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<T80a22b7f720a14fef63a0 at housweep03.bakerbotts.net> for
<donald.dawson at bakerbotts.com>;
 Thu, 5 Jul 2007 09:42:53 -0500
Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
housweep01.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<T80a22b7f820a14feec3a0 at housweep01.bakerbotts.net> for
<donald.dawson at bakerbotts.com>;
 Thu, 5 Jul 2007 09:42:53 -0500
X-Envelope-From: cgl at vsnl.net
Received: from hdxkxu ([211.201.113.55])
	by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id l65EgeXO005996
	for <donald.dawson at bakerbotts.com>; Thu, 5 Jul 2007 09:42:49 -0500
Received: from [203.176.133.112] (helo=lqiv)
	by hdxkxu with smtp (Exim 4.62 (FreeBSD))
	id 1I6Tgu-0004b8-KB; Thu, 5 Jul 2007 23:45:06 +0900
Message-ID: <468D035C.7050006 at vsnl.net>
Date: Thu, 5 Jul 2007 23:42:36 +0900
From: "Nell B. Velasquez" <cgl at vsnl.net>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: donald.dawson at bakerbotts.com
Subject: gofer
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Null-Tag: 28934f0720308f41d1b0b26ca91189b7
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05
Jul 2007 09:42:51 -0500 (CDT)
X-BakerBotts-MailScanner-Information: Please contact the ISP for more
information
X-BakerBotts-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached,
	score=4.388, required 5, FH_RELAY_NODNS 1.45,
	RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE 0.10)
X-BakerBotts-MailScanner-SpamScore: ssss
X-BakerBotts-MailScanner-From: cgl at vsnl.net
X-Spam-Status: Yes
Return-Path: cgl at vsnl.net
X-OriginalArrivalTime: 05 Jul 2007 14:42:54.0023 (UTC) FILETIME=[C5162D70:01C7BF12]


-----Original Message-----
From: Nell B. Velasquez [mailto:cgl at vsnl.net] 
Sent: Thursday, July 05, 2007 9:43 AM
To: Dawson, Donald
Subject: gofer


ERMX Continues To Expand As Stock Climbs Up 16.6%!

EntreMetrix Inc. (ERMX)
$0.21 UP 16.6%

ERMX announced further expansion with K-9 Genetics. Healthy and Premium
dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
years. Read up on ERMX over the holiday, we think you will see even more
fireworks on Thursday morning!

It's the kind of summer movie that's drawing families and we're very
excited for its progress going into the rest of the weekend.

The trend of cinematic schlock turned into musical theater is now upon
us. Rio's concert, the only free one for Live Earth, would include
performances by Lenny Kravitz, Macy Gray and Pharrell Williams.
"My mind is in great shape. See the Magic of Disney Parks. It will be
hosted by Ann Curry and Carson Daly and feature some of the day's
highlights from around the world as well as live performances by the
Police and others.

"It's because they are people I love as women," the French-born designer
told The Associated Press. Golijov went to Botswana last month at the
behest of the Met and discussed the opera with Minghella on the
production site of the director's latest movie project, based on "The
No.

The death was not considered suspicious, he said.

Germany backs Cruise's anti-Hitler film - Yahoo!

"Yes, it's been approved," said Christine Berg, DFFF project head at the
FFA. "I'd love to work with new music because I think that's also the
only way forward," he said then. broadcast and cable partner, using all
of the company's assets at its disposal.
" "My joke is I got to have a lot of Blue Cross," Rickles says. A brisk
Fourth of July week would help Hollywood recover from a monthlong
downturn that followed a huge start to summer in May.
"The great fear when you work for an elephant like the Met, being there
for the first time of course, is whether you can create poetry and
emotion.

com AP Photo: Director Anthony Minghella poses for photographers during
arrivals to the New York premiere of 'Breaking. We could be very
pleasantly surprised or it might perform as television is going to
perform on that weekend," Harrison said. " When he's not working, he
doesn't go to comedy clubs. "It's come around to the idea that maybe we
should take this seriously.

Beane notes that producers Joel Silver, Lawrence Gordon and a young
development executive named Brian Grazer all helped make the original
"Xanadu.

MSNBC will have live reports from New York and London throughout the
day.
com Nome Search Powered by :: Free RSS news Add RSS news to your web
site engineering news vertical portal can now be syndicated quickly and
easily using our new  Really Simple Syndication feeds. "Yes, it's been
approved," said Christine Berg, DFFF project head at the FFA. "There
will be an appropriate delay so there is no issue with standards,"
Harrison said.

" "He has enormous qualities as a human being and an absolutely
extraordinary talent for designing," Almodovar told the AP.
NBC will have three hours of primetime coverage, live and taped, from
Giants Stadium in East Rutherford, N. "I didn't think about making it.
"I took my best shots.

What happens if we change our minds? com Now Everyone Can Fly Business
Class Flat Bed and British Serive.
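
Added example (not part of the original post): a small parser for the X-BakerBotts-MailScanner-SpamCheck header shown above, which reports how far a message fell below the required score and which rules contributed most. The function names and the `window` triage setting are assumptions made for this illustration; they are not MailScanner or SpamAssassin options.

```python
import re

# Header value copied from the message above; wrapping is irrelevant
# because whitespace is normalised before parsing.
SAMPLE = """spam, SBL+XBL, SpamAssassin (not
cached,
\tscore=4.388, required 5, FH_RELAY_NODNS 1.45,
\tRCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE
0.10)"""

NUM = re.compile(r"-?\d+(?:\.\d+)?")


def parse_spamcheck(value):
    """Return score, threshold and per-rule hits, or None if SA did not run."""
    flat = " ".join(value.split())
    m = re.search(r"SpamAssassin \((.*)\)", flat)
    if m is None:
        return None
    result = {"score": None, "required": None, "hits": {}}
    for field in (f.strip() for f in m.group(1).split(",")):
        name, _, val = field.rpartition(" ")
        if field.startswith("score="):
            result["score"] = float(field[len("score="):])
        elif name == "required" and NUM.fullmatch(val):
            result["required"] = float(val)
        elif name and NUM.fullmatch(val):
            result["hits"][name] = float(val)  # e.g. RDNS_NONE 0.10
    return result


def near_miss(parsed, window=1.0):
    """Margin below the threshold and rules ranked by contribution.

    `window` is an assumed triage setting, not a MailScanner option.
    """
    margin = round(parsed["required"] - parsed["score"], 3)
    ranked = sorted(parsed["hits"].items(), key=lambda kv: kv[1], reverse=True)
    return {"margin": margin, "near_miss": 0 <= margin <= window, "ranked": ranked}


if __name__ == "__main__":
    info = parse_spamcheck(SAMPLE)
    print(info)
    print(near_miss(info))
```

Run over delivered mail, this separates messages that only just missed the threshold from those that scored near zero, which is the group where an extra rule set or plugin would change the outcome.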


