Spamihilator

[Ponder]

I have noticed that certain spam mails do not get caught by spami...and they seem to usually contain the same format when I look at the header info.

On the "From" and "Reply to" lines in the header information, the Spammer's name appears, but following this name are brackets, inside which my email address is listed. When I examine non-spam mails, the senders name appears and is followed by His email address, not mine.

Is this some kind of known format that Spammers use to trick anti-spam systems? or should I be looking for something else in the header info to help Spami? Or can I add something to one of the filters to help Spami catch these as spam?

Thanks again for so much help..

Regards, Ponder

[Quellcore]

I have noticed that certain spam mails do not get caught by spami...and they seem to usually contain the same format when I look at the header info.

I guess you mean by "not getting caught by Spami" that these mails go right to your mailclient without appearing in the Training area

On the "From" and "Reply to" lines in the header information, the Spammer's name appears, but following this name are brackets, inside which my email address is listed.

So, Mails which pretend to come from one of your mail adresses

Is this some kind of known format that Spammers use to trick anti-spam systems?

Yep, that's one of the most common ones.

Or can I add something to one of the filters to help Spami catch these as spam?

You have to delete something instead of adding something
Guess what, it's your mail adress (all of them, if you have more than one) in the friend's list that should be removed

See also this thread:
http://www.spamihilator.com/forum/viewtopic.php?p=20495#20495

Regards,
Quellcore

[Ponder]

Hi Quellcore


Just checked my friends list and don't have any of my email addresses listed. What do you think?

Thanks....Ponder

[Quellcore]

Hallo Ponder!

You didn't answer my question yet, if my assumption was right that these mails dont show up in the training area.
I simply want to clarify that by stating "I have noticed that certain spam mails do not get caught by spami" you actually mean exactly that.

If a mail is bypassing the Training Area and goes right to your mail client it should be easy to check all possibilities one by one.

1. account where you receive that mail is not configured to work through Spami
2. Sender of that mail is on your firends list (please also check wildcard-entries)
   "Automatically learn from messages from my friends" is activated
3. You've put your own Email- adress in the section "Newsgroups" within the Newsletter-Plugin
   "Don't store Newsletters in the Trainings Area" is activated

In theory Spami's plugin architecture allows every plugin to beahve like that:

Code: Alles auswählen

classify a mail as Non-Spam and don't put a copy of the mail in the training area

But then i don't know any actual plugin that does that except for the Newsletter-Plugin.

If your Email adresse is not on the friends list my next guess would be the Newsletter-Plugin.
See also this thread for a explanation:
http://www.spamihilator.com/forum/viewt ... 4100#34100

For future investigation:
Do you have Bob's Filter Statistics v1.1.1 installed.
This plugins enables Filter-Logging which you can also do manually if you don't have it installed or you don't want to install it.
http://www.spamihilator.com/forum/viewtopic.php?p=36751#36751
After a restart Spami will log all filtering. This is done for evrey Mail that reaches Spami and includes the reason (e.g. Friend, Blocked Sender, Plugin BlaBlaBla)
Depending on the Spami version and the installation method this file called filter.log might be in Spami's installation folder or in the USER-Folder. It will be created when the first new mail is received by Spami, so if you didn't receive any new mails through Spami don't panic that you can't find that file.

Regards,
Quellcore

[Ponder]

Hi Quellcore..

Sorry I did not realize that more info was needed....

When these spams come to my inbox (all three email accounts) each does go through spami....and each is noted as Non-spam by Spami in the training area.

I noticed that the spam mail lists the senders name and lists one of my email addresses as the spammers email address....so the mail looks like it's from me, and then the delivered line shows where the mail is going....which is one of my email addresses. This take place in each of my three email addresses, but this might be interesting. I notice that after the spammers name, my email address is listed, and I think it's always the same email address...which is one of the three that I use.

Does this change what I should be checking since Spami does see the spam mail and considers it non-spam?

One additional thought: When I first started to use Spami, I did list my email addresses in the friends list but realized the problems with this strategy...so I deleted them.....Is it possible that one of the logs continues to list my email addresses. But then Spami would not record seeing the emails at all, right?

Sorry my initial info was not clear....and thanks for helping me...Ponder

[Quellcore]

When these spams come to my inbox (all three email accounts) each does go through spami....and each is noted as Non-spam by Spami in the training area.

Then you should provide much more information:

• Please post your filter priority list
• Which Filter classifies these mails as Non-Spam

Spami seems to be working ok then, so it's just a matter of a smart selection of filters and their order.

I notice that after the spammers name, my email address is listed, and I think it's always the same email address

Check out the Misnamed Filter: http://www.spamihilator.com/plugins/index.php?category=1&start=0&limit=15&detail=77
That might be a good filter for this kind, but i'm sure it sghould also work without this one.

Does this change what I should be checking since Spami does see the spam mail and considers it non-spam?

Yes, that changes everything. All 300 lines that i've written before don't apply anymore.

One additional thought: When I first started to use Spami, I did list my email addresses in the friends list but realized the problems with this strategy...so I deleted them.....Is it possible that one of the logs continues to list my email addresses. But then Spami would not record seeing the emails at all, right?

Can you try to put it in other words, i'm afraid i misunderstand you again.
Don't want to make another lenghtly post for nothing.
Are you using the filter.log already

Regards,
Quellcore

[Ponder]

Hi Quellcore.

After this, I would not blame you for not helping if I have more questions. I'll try to be more clear and complete here...and try to answer your questions from your last post..

Here are my filters in priority order

1 Newsletter
2. Whitestring
3. URL
4. Substring
5. Learning
6. Word
7. Hercule
8. RFC
9. Empty Mail
10. DCC
11. Blacklist

Filter Logging is enabeled, and shows that the learning filter is classifying these spam mails as non-spam.

While I do not have any of my email addresses listed in the friends filter, I did have them listed at one time in the past...Since Spami is treating these emails like my email address is listed in the friends filter, is it possible that the record of my email addresses in the friends filter is not completely deleted and is still in a log or in history somewhere???

Thanks Quellcore for your help...I sure appreciate it...Regards, Ponder

[Quellcore]

Hello Ponder!

I didn't mean to sound angry with you, i was just unlucky to make a wrong guess which i used as a base for my replies.

Thanks for your information, might be able to reply tomorrow, right now it's getting too late.

Good night,
Quellcore

[Quellcore]

Filter Logging is enabeled, and shows that the learning filter is classifying these spam mails as non-spam.

This gives us several points to start tuning/optimizing.

1. Making the learning filter more effective by compacting the wordlists
2. Adjust the filter order that other filters plugins have a chance to classify these mails as Spam before the learning filter is able to classify it as non-Spam
3. Install additional filters and put them before the learning filter to catch those mails

Since Spami is treating these emails like my email address is listed in the friends filter....

No, it doesn't
If it would the mails wouldn't show up in the training area (I think this even applies when " ... automatically learn from my friends" is unchecked)

First i wanted to give you some more ideas how to improve the filter order and other filters, but when i reread your posts again i'm starting to focus on #1
Maybe the word lists from the learning filter are full again. Do you remember this post <click>
Spami will stop adding new entries to the bad.spamihilator.wordlist and good.spamihilator.wordlist and just increase the hits from the words that are already in these list if the size limit is reached.
Try to compact it again through the Spami settings (this time the Non-Spam-Words are more important) and consider increasing the size limit, too.
See if it'll help and report back, pls.

Regards,
Quellcore

[Ponder]

Thanks Quellcore...

I compacted the learning filter and increased the size...last time was early April when we were posting back then. Yes, I remember that post.

Is the Bad Recipient filter same as the Addressee filter?

As information...I saw an email today that was spam and that the sender had used my email address as the sender....Spami correctly listed it as spam by the word filter....

Will advise further in a day or two...

Thanks for so much help....Ponder

[Ponder]

Hi Quellcore

I think I am seeing some progress against spammers sending mails from my own address....
Got quite a few today...total spam 105 so far, and many were from spammers using my email address....In the past, most or all would be classified as non-spam...but today only 3 were classified as non spam....and all the rest were classified as spam...

Some of the ones that were classified as spam were classified by the learning filter...and I know in the past these would have been classified as non spam....so I think we have made some progress by compacting the learning filter......

I just wish there was a defined way to classify mail as spam if the sender uses my own email address.

Thank you for all your good help....Ponder

[Quellcore]

Hello Ponder!

Thanks for your feedback!
To get back on the topics tuning/optimizing:
You have only two filters iin front of the learning filter that can classify spam.
We're talking about the URL-Filter and the Substring-Filter.
You can't do anything about the URL-Filter since it's automated, but it might be worth checking some of these tricky mails to find some common expressions that you could add to the substring-filter.

Here is an incomplete list of common expression that i added to the substring-filter:

Code: Alles auswählen

Accucast
advertisement
ANUNCIO
asshole
Back to School Special
best meds
big5
bitches
black cock
brainchild
Buy cheap
Campaign Enterprise
Canon Rebel
Cartier
cheapest pills
Cheating-Wives
* POLICY VIOLATION ! * Soft Tab
-Claim your
CLERICAL
Dell Laptop
Dell Notebook
diet pills
Do you want a Watch?
Ejaculation
Enlargement
e-pharmacy
euc-kr
Flat Screen TV
found a school for you
free laptop
Girls Gone Wild
GoIdenStake
Health Newsletter
-Help us
Historic Low Retes
IBM Laptop
IBM Thinkpad
Icy1112
iMac G5
infiltrate
Internet pharamcy
iPod mini
iso-2022-jp
iso-2022-kr
iso-8859-3
Keep your memories
koi8
koi8-r
ks_c_5601-1987
ks_c_5601-1987
Large Screen TV
let's shake hands or Not
life-insurance companies-nationwide
Livecam
Lose your weight
losethosepounds
low rates
Lower Your Monthly
Make Memories Last
manhood
Matchmaker News
MedCentral
medications
meds available
metabolic
m o r t g a g e
msnmessenger
natural enlargement
Natural Weight Loss
Need a cheap watch
Need a Laptop
Need a low cost watch
new laptop
No classes!
No examinations!
No textbooks!
Online Education
online pharmacy
Only Few Minutes
painkiller
PermanentEnlarger
Pharmaceuticals
Please see attachment for today's special offers
Police Bribe
Premature
Prescription
Preview Free Teen
Preview Hot Babes
pussy ripping
Regalis
sexual health
Size does matter
Sony DVD
Sony Vaio
stamina
stretched pussy
tripod
VP-RX
want a cheap
want a free
want a new
Want a Watch?
watch replica
We give you
weightloss
You can be smart

The best ones with the most hits within the last weeks are probably:

Code: Alles auswählen

Cartier
Enlargement
Girls Gone Wild
koi8
koi8-r
medication
metabolic
m o r t g a g e (without the spaces)
Natural Weight Loss
online pharmacy
Pharmaceuticals
Premature
Prescription
weightloss

How about pushing other filter like the empty mail filter in front of the learning filter
Other canditates for this acton would also be the RFC-Validator and the Spam-Word-Filter.
The Hercule is a little bit tricky. It offers a huge amount of options, unfortunetely the preconfigured standard setting tend to give some false-positives.
After i disabled quite few of the standard settings it seems to be pretty safe now, but it doesn't filter that much anymore:

These are the settings in german, sorry.
I guess you can still figure what is what


That's it for now, be good!

Regards,
Quellcore

[Quellcore]

I just wish there was a defined way to classify mail as spam if the sender uses my own email address.

You might want to take look at the signature plugin:
http://www.spamihilator.com/plugins/index.php?category=1&start=15&limit=15&detail=35

I'm not using it these days, but ccording to the desription it could work, too.

Regards,
Quellcore

[Ponder]

Hi Quellcore.

I configured Hercule almost like your configuration....and did some more work on spam words...

It' no doubt working....received about 120 spam mails today...Many of which listed my email address as sender and receiver.....but Spami with the new configuration of the filters etc...classified every one correctly!!

Have also noticed that since I compacted the Learning filter, that there are several filters now classifying spam and non spam...before Learning was compacted, it seemed that the learning Filter was classifying most of the emails...

I just read what is available on the signature filter......this one looks very interesting....I'll add it and see.....

Thanks for everything once again....Best Regards...Ponder

[Quellcore]

Hello Ponder!

Thanks for the feeback, X-Files closed.

Good luck with your Spami-Setup in the future.


greetings,
Quellcore

P.S. New version 0.9.9.29 out today