Image only spam

Claas Goltz claas.goltz at rock-bunker.de
Mon Apr 24 15:51:57 CEST 2017


Hello!
From time to time spam mails that contain nothing but an image with advertising make it through my filters (amavis with SA). They do get a fairly high score already, but not high enough; I block mails from 5.2 upward. My first thought is to simply raise the scores for HTML_IMAGE_ONLY, but unfortunately I don't know which knob is the right one there. Do you think that is the right way? And if so, what would you recommend?

Thanks!


Here is the excerpt from

/var/lib/spamassassin/3.004000/updates_spamassassin_org/50_scores.cf


score HTML_IMAGE_ONLY_04 1.680 0.342 1.799 1.172
score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651
score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059
score HTML_IMAGE_ONLY_16 1.969 1.048 1.199 1.092
score HTML_IMAGE_ONLY_20 2.109 0.700 1.300 1.546
score HTML_IMAGE_ONLY_24 2.799 1.282 1.328 1.618
score HTML_IMAGE_ONLY_28 2.799 0.726 1.512 1.404
score HTML_IMAGE_ONLY_32 2.196 0.001 1.172 0.001
score HTML_IMAGE_RATIO_02 2.199 0.805 1.200 0.437
score HTML_IMAGE_RATIO_04 2.089 0.610 0.607 0.556
score HTML_IMAGE_RATIO_06 0.001 0.001 0.001 0.001
score HTML_IMAGE_RATIO_08 0.001 0.001 0.001 0.001

Example e-mail:

Received: from  ex02.localdomain.de (x.x.x.x) by  ex01.localdomain.de
 (x.x.x.x) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34 via Mailbox
 Transport; Mon, 24 Apr 2017 13:55:34 +0200
Received: from mx1.localdomain.de (x.x.x.x) by  ex02.localdomain.de
 (x.x.x.x) with Microsoft SMTP Server (TLS) id 15.1.466.34; Mon, 24 Apr
 2017 13:55:34 +0200
Received: from localhost (localhost [127.0.0.1])
    by  mx1.localdomain.de (Postfix) with ESMTP id 1BE47FF2F3
    for <service at localdomain.de>; Mon, 24 Apr 2017 13:55:39 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx1.localdomain.de
X-Spam-Flag: NO
X-Spam-Score: 4.797
X-Spam-Level: ****
X-Spam-Status: No, score=4.797 tagged_above=-999 required=5.2
    tests=[HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.139, MPART_ALT_DIFF=0.724,
    RCVD_IN_BRBL_LASTEXT=1.644, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Received: from  mx1.localdomain.de ([IPv6:::1])
    by localhost (mx1.localdomain.de [IPv6:::1]) (amavisd-new, port 10024)
    with ESMTP id m76-z8EjAC2e for <service at localdomain.de>;
    Mon, 24 Apr 2017 13:55:38 +0200 (CEST)
Received: from mail.htcforum.eu (mail.htcforum.eu [163.172.221.180])
    by  mx1.localdomain.de (Postfix) with ESMTP
    for <service at localdomain.de>; Mon, 24 Apr 2017 13:55:38 +0200 (CEST)
Received: from htcforum.eu (mail.htcforum.eu [163.172.221.180])
    by mail.htcforum.eu (Postfix) with ESMTPA id F0332215573C;
    Mon, 24 Apr 2017 06:05:22 +0300 (EEST)
Message-ID: <1f7601d2bcc0$c4dee390$ea2b73a0 at uhvanrq>
Reply-To: Passionpharm <uhvanrq at htcforum.eu>
From: Passionpharm <uhvanrq at htcforum.eu>
To: <mabarthel at comparative-research.net>
Subject: Angebot der Woche!
Date: Mon, 24 Apr 2017 06:05:26 +0300
Content-Type: multipart/related; type="multipart/alternative";
    boundary="----=_NextPart_000_0006_01D2BCC0.B7951830"
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
Return-Path: uhvanrq at htcforum.eu
X-MS-Exchange-Organization-Network-Message-Id: 6db10c63-64d3-4422-444f-08d48b08d0b7
X-MS-Exchange-Organization-AuthSource:  ex02.localdomain.de
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.0926630
MIME-Version: 1.0


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 3d
broken_sasl_auth_clients = yes
check_greylist = check_policy_service inet:127.0.0.1:10023
config_directory = /etc/postfix
cyrus_sasl_config_path = /etc/postfix/sasl
inet_interfaces = all
maximal_queue_lifetime = 3d
message_size_limit = 41943040
myorigin = /etc/mailname
readme_directory = no
relay_domains = hash:/etc/postfix/relay_domains,
smtp_helo_name = mx0.contact.de
smtp_tls_CAfile = /etc/postfix/ssl/CAcert.pem
smtp_tls_cert_file = /etc/postfix/ssl/cert-2017.pem
smtp_tls_key_file = /etc/postfix/ssl/key-2017.pem
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access_recipient, check_client_access cidr:/etc/postfix/access_client, check_helo_access hash:/etc/postfix/access_helo, check_sender_access hash:/etc/postfix/access_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_policy_service inet:127.0.0.1:12525 check_client_access regexp:/etc/postfix/check_client_greylist reject_unverified_recipient, permit_mx_backup, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_restriction_classes = check_greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/CAcert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/cert-2017.pem
smtpd_tls_key_file = /etc/postfix/ssl/key-2017.pem
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport_maps, $relay_domains
unverified_recipient_reject_code = 599
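A few facts worth having in hand before touching scores: the four numbers on each `score` line in 50_scores.cf are per score set (no network/no Bayes, network only, Bayes only, network+Bayes), and the 0.342 in the sample's X-Spam-Status is the second column, i.e. the "network tests, no Bayes" set that this installation is evidently running. A `score RULE n.nn` line with a single value in local.cf overrides all four sets at once. The following is an added Python example, not code from the post or the list: it parses the X-Spam-Status header of the sample mail above, re-adds the hits with hypothetical local.cf overrides applied, and computes the smallest score a given rule would have needed to lift this one message to required=5.2. The override values (1.5 and 1.8) and the function names are assumptions made for the example.

```python
import re
from typing import Dict, Tuple

# X-Spam-Status value of the sample mail from the post, unfolded onto one line.
SAMPLE_STATUS = (
    "No, score=4.797 tagged_above=-999 required=5.2 "
    "tests=[HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001, "
    "HTML_SHORT_LINK_IMG_1=0.139, MPART_ALT_DIFF=0.724, "
    "RCVD_IN_BRBL_LASTEXT=1.644, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, "
    "URIBL_ABUSE_SURBL=1.948, URIBL_BLOCKED=0.001] "
    "autolearn=no autolearn_force=no"
)

# Hypothetical local.cf overrides to evaluate. These values are an assumption
# made for this example, not a recommendation from the list.
CANDIDATE_OVERRIDES = {
    "HTML_IMAGE_ONLY_04": 1.5,
    "HTML_IMAGE_ONLY_08": 1.8,
}

_NUM = r"-?\d+(?:\.\d+)?"


def parse_status(header: str) -> Tuple[float, Dict[str, float]]:
    """Return (required threshold, {rule: score}) from an X-Spam-Status value."""
    req = re.search(r"required=(" + _NUM + ")", header)
    tests = re.search(r"tests=\[([^\]]*)\]", header)
    if req is None or tests is None:
        raise ValueError("not an amavis/SpamAssassin X-Spam-Status header")
    hits = {
        name: float(val)
        for name, val in re.findall(r"([A-Z0-9_]+)=(" + _NUM + ")", tests.group(1))
    }
    return float(req.group(1)), hits


def rescore(header: str, overrides: Dict[str, float]) -> dict:
    """Re-add the rules that fired, with overrides applied to those that did.

    An override for a rule that did not hit changes nothing: SpamAssassin only
    adds the scores of rules that actually matched the message.
    """
    required, hits = parse_status(header)
    adjusted = {rule: overrides.get(rule, score) for rule, score in hits.items()}
    total = round(sum(adjusted.values()), 3)
    return {
        "total": total,
        "required": required,
        "blocked": total >= required,  # SA/amavis compare with >=
        "changed": {r: (hits[r], adjusted[r]) for r in hits if adjusted[r] != hits[r]},
    }


def minimum_score_to_block(header: str, rule: str) -> float:
    """Smallest score for `rule` that lifts this message to the threshold,
    everything else unchanged. Raises KeyError if the rule did not fire."""
    required, hits = parse_status(header)
    if rule not in hits:
        raise KeyError(f"{rule} did not fire on this message")
    rest = sum(score for r, score in hits.items() if r != rule)
    return round(required - rest, 3)


def local_cf_lines(overrides: Dict[str, float]) -> str:
    """Render overrides as `score` lines for local.cf; a single value applies
    to all four score sets."""
    return "\n".join(f"score {rule} {score:.3f}" for rule, score in sorted(overrides.items()))


if __name__ == "__main__":
    print(rescore(SAMPLE_STATUS, {}))
    print(rescore(SAMPLE_STATUS, CANDIDATE_OVERRIDES))
    print("HTML_IMAGE_ONLY_04 would need at least",
          minimum_score_to_block(SAMPLE_STATUS, "HTML_IMAGE_ONLY_04"))
    print(local_cf_lines(CANDIDATE_OVERRIDES))
```

For the sample message any HTML_IMAGE_ONLY_04 score of 0.745 or more would already have crossed 5.2, because the rest of the hits (URIBL_ABUSE_SURBL, RCVD_IN_BRBL_LASTEXT, MPART_ALT_DIFF) carry most of the weight. The check a practitioner wants before deploying such an override is the same arithmetic run over the X-Spam-Status headers of recent ham: HTML_IMAGE_ONLY_* also fires on legitimate image-only newsletters, so the tuned value should still leave those well below required.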