Kerio User Forums » Kerio Connect » Catch Chinese character spams (They are either 0 rating or very low rating)
MarkK

Messages: 454
Karma: 46
Hoping maybe Kerio's SpamAssassin support will chime in, or maybe someone that knows SpamAssassin. Looking for ideas on how to catch these, even though it isn't a high volume.

About once a day, maybe every other day, we get a Chinese character based spam. It always has a spreadsheet attached, and comes from various email addresses based in many different countries. It doesn't seem to carry any malware load, probably just various advertisements.

These always end up with a very low SpamAssassin score, if any score at all. I have tried putting in an SA rule searching for the specific Chinese characters that have been used, but after talking to a Chinese coworker, I don't think that approach is feasible. There are over 8000 Chinese characters.

In my SA, I do have the language options set for what we should receive.
ok_languages en es
ok_locales en

Here are the headers from a couple of them:

Return-Path: <zqh<_at_>paouris.com.gr>
X-Envelope-To: me<_at_>mydomain.com
X-Spam-Status: No, hits=0.0 required=5.0
tests=TOTAL_SCORE: 0.000
X-Spam-Level:
Received: from paouris.com.gr ([219.82.4.89])
by mail.mydomain.com
for me<_at_>mydomain.com;
Thu, 17 Jul 2014 07:30:19 -0700
Received: from berhqdw (unknown [210.215.249.211])
by paouris.com.gr with SMTP id 09L61vqkcpZvRJBh.1
for <me<_at_>mydomain.com>; Thu, 17 Jul 2014 22:29:26 +0800
Date: Thu, 17 Jul 2014 22:29:12 +0800
From: "spoof" <zqh<_at_>paouris.com.gr>
To: Me <me<_at_>mydomain.com>
Subject: =?utf-8?B?6K6+5a6a5ZCE6aCF5YiG5q2n55qE6KuH5Yik55uu5qiZ?=
X-Priority: 3
X-Mailer: Foxmail 7.0.1.91[cn]
Mime-Version: 1.0
Message-ID: <201407172229267211146<_at_>paouris.com.gr>
Content-Type: multipart/mixed;
boundary="----=_000_NextPart474454362732_=----"

===

Return-Path: <hmpkujkes<_at_>technicstar.com.hk>
X-Envelope-To: me<_at_>mydomain.com
X-Spam-Status: No, hits=2.5 required=5.0
tests=DNSBL_PSBL.SURRIEL.COM: 2.50,TOTAL_SCORE: 2.500
X-Spam-Level: **
Received: from technicstar.com.hk ([211.162.34.245])
by mail.mydomain.com
for me<_at_>mydomain.com;
Tue, 8 Jul 2014 04:23:43 -0700
Date: Tue, 8 Jul 2014 19:22:37 +0800
From: "am" <hmpkujkes<_at_>technicstar.com.hk>
To: Me <me<_at_>mydomain.com>
Subject: =?utf-8?B?5Y2O5Li65Z+65pys5rOV5byV6aKG5Y2O5Li65oiQ5Li65LiW55WM57Sa6aKG5YWI5LyB5Lia?=
X-Priority: 3
X-Mailer: Foxmail 7.0.1.91[cn]
Mime-Version: 1.0
Message-ID: <201407081922452705813<_at_>technicstar.com.hk>
Content-Type: multipart/mixed;
boundary="----=_000_NextPart284117018243_=----"

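The approach the post is circling around (detect the character set in use rather than enumerate characters) can be checked outside SpamAssassin first. The script below is an added example, not code from this thread, from Kerio or from the SpamAssassin project: it decodes the RFC 2047 encoded-word Subject of the first message quoted above (reconstructed here with "@" in place of the forum's "<_at_>" masking) and measures what fraction of the subject falls in the Unicode CJK blocks, which covers every Chinese character without listing any of them. The 0.5 threshold and the choice of blocks are assumptions for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample: the first message's headers from the post, with the
# forum's "<_at_>" masking turned back into "@" and the folded lines
# re-indented so the parser sees a normal RFC 5322 header block.
CJK_SAMPLE = """\
Return-Path: <zqh@paouris.com.gr>
X-Spam-Status: No, hits=0.0 required=5.0
\ttests=TOTAL_SCORE: 0.000
From: "spoof" <zqh@paouris.com.gr>
To: Me <me@mydomain.com>
Subject: =?utf-8?B?6K6+5a6a5ZCE6aCF5YiG5q2n55qE6KuH5Yik55uu5qiZ?=
X-Mailer: Foxmail 7.0.1.91[cn]
Content-Type: multipart/mixed;
\tboundary="----=_000_NextPart474454362732_=----"

"""

# Constructed control: an ordinary English message that must not be flagged.
PLAIN_SAMPLE = """\
From: Alice <alice@example.com>
To: Me <me@mydomain.com>
Subject: Quarterly figures attached

"""

# Unicode blocks that cover Chinese text: CJK symbols and punctuation,
# CJK Unified Ideographs (base block and Extension A) and fullwidth forms.
CJK_RE = re.compile(r"[\u3000-\u303f\u3400-\u4dbf\u4e00-\u9fff\uff00-\uffef]")


def decoded_subject(raw: str) -> str:
    """Return the Subject with any RFC 2047 encoded-words decoded to text."""
    msg = message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def cjk_ratio(text: str) -> float:
    """Fraction of non-space characters that fall in the CJK blocks above."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if CJK_RE.match(c)) / len(chars)


def check_message(raw: str, threshold: float = 0.5) -> dict:
    """Flag a message whose decoded Subject is mostly CJK text.

    The threshold is an assumed value; tune it against real traffic.
    """
    subject = decoded_subject(raw)
    ratio = cjk_ratio(subject)
    return {"subject": subject, "cjk_ratio": ratio, "flag": ratio >= threshold}


if __name__ == "__main__":
    for name, sample in (("cjk", CJK_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, check_message(sample))
```

The first sample decodes to an eleven-character subject that is entirely CJK, so it is flagged; the English control scores 0.0. Note that the `ok_languages` / `ok_locales` settings quoted above only affect scoring when the TextCat plugin is loaded (its match fires the `UNWANTED_LANGUAGE_BODY` rule), and they look at the body text, so a message whose body is a couple of line breaks plus an attachment gives TextCat almost nothing to classify; the Subject check above is one way to cover that gap.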
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
First aid: stop Kerio Connect and change "MessageSizeLimit" value in the mailserver.cfg file to 256 or 512. This will engage SpamAssassin so it will scan larger emails.
MarkK

Messages: 454
Karma: 46
Thank you for the tip. I actually went to 1536. Many of the attachments are in the 900KB to 1400KB size range. I assumed that the attachment size would be considered part of the MessageSizeLimit. Is that correct?

I also enabled the TextCat plugin in the v310.pre file.

I'm also looking at some SA rules that detect the utf-8 character set being used. Need to do more research on these.
freakinvibe

Messages: 1542
Karma: 62
In your headers I see that Bayes is not running at all:

Quote:
X-Spam-Status: No, hits=0.0 required=5.0 tests=TOTAL_SCORE: 0.000


If Bayes is running it should always contain something like

Quote:
X-Spam-Status: No, hits=0.0 required=5.0 tests=BAYES_00: -1.665,TOTAL_SCORE: -1.532,autolearn=ham


On the Admin console, on Spamassassin config, what does it say for

Messages learned as Spam:
Messages learned as not Spam:

Both of them must be over 200 for Bayes to kick in.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
MarkK

Messages: 454
Karma: 46
Bayes is running, it is listed on other spams. Not sure if Bayes will catch this since many times the mail is blankish, having just a couple of carriage returns, or maybe just a small image in the body.
MarkK

Messages: 454
Karma: 46
To answer your question more directly:
Learned as spam 14,703
Learned as not spam 782

So my numbers are high enough for that to kick in. Hoping that the MessageSizeLimit increase will help. Just have to wait for the next one to arrive.
MarkK

Messages: 454
Karma: 46
freakinvibe wrote on Fri, 18 July 2014 01:35
In your headers I see that Bayes is not running at all:


This was the result of the attachment making the message larger than the MessageSizeLimit, so the spam filter was not being used. I stopped the server, changed it from 260 to 2048, restarted the server, and sent myself a test email with a 1MB+ attachment. Spam ratings now show up.

Test with the same message and same attachment:

Before:
X-Spam-Status: No, hits=0.0 required=5.0
tests=TOTAL_SCORE: 0.000
X-Spam-Level:

Now with MessageSizeLimit 2048:
X-Spam-Status: No, hits=2.4 required=5.0
tests=AWL: 0.310,BAYES_50: 0.8,HTML_MESSAGE: 0.5,
RDNS_NONE: 0.793,TOTAL_SCORE: 2.403,autolearn=no
X-Spam-Level: **
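Two diagnostics run through this thread: freakinvibe's point that a scanned message always carries some rule hits (and a BAYES_* hit once Bayes is trained), and MarkK's finding that a header showing only TOTAL_SCORE means the message never reached SpamAssassin because it exceeded MessageSizeLimit. The script below is an added example, not code from the thread or from Kerio: it parses the folded X-Spam-Status values quoted above and answers both questions for each one, so the same check can be run over a mailbox export to find messages that slipped past the filter unscanned. The field layout it expects is exactly what the quoted headers show; the wording of the notes is my own.

```python
import re

# Constructed samples: the X-Spam-Status values quoted in this thread, kept in
# the folded form Kerio Connect writes (continuation line for "tests=").
SAMPLES = {
    "unscanned": "No, hits=0.0 required=5.0\n tests=TOTAL_SCORE: 0.000",
    "dnsbl_only": "No, hits=2.5 required=5.0\n tests=DNSBL_PSBL.SURRIEL.COM: 2.50,TOTAL_SCORE: 2.500",
    "bayes_ham": "No, hits=0.0 required=5.0 tests=BAYES_00: -1.665,TOTAL_SCORE: -1.532,autolearn=ham",
    "after_fix": (
        "No, hits=2.4 required=5.0\n tests=AWL: 0.310,BAYES_50: 0.8,HTML_MESSAGE: 0.5,\n"
        " RDNS_NONE: 0.793,TOTAL_SCORE: 2.403,autolearn=no"
    ),
}

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No), hits=(?P<hits>-?\d+(?:\.\d+)?) "
    r"required=(?P<required>\d+(?:\.\d+)?) tests=(?P<tests>.*)$"
)
# One "RULE_NAME: score" entry; DNSBL rule names may contain dots.
RULE_RE = re.compile(r"([A-Z][A-Z0-9_.]*): (-?\d+(?:\.\d+)?)")


def parse_spam_status(value: str) -> dict:
    """Unfold a (possibly folded) X-Spam-Status value and split it into fields."""
    unfolded = " ".join(value.split())
    m = STATUS_RE.match(unfolded)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {value!r}")
    tests = m.group("tests")
    rules = {name: float(score) for name, score in RULE_RE.findall(tests)}
    auto = re.search(r"autolearn=(\w+)", tests)
    return {
        "verdict": m.group("verdict"),
        "hits": float(m.group("hits")),
        "required": float(m.group("required")),
        "rules": rules,
        "autolearn": auto.group(1) if auto else None,
    }


def triage(value: str) -> dict:
    """Did SpamAssassin actually score this message, and did Bayes contribute?"""
    parsed = parse_spam_status(value)
    fired = {name for name in parsed["rules"] if name != "TOTAL_SCORE"}
    scanned = bool(fired)
    bayes_ran = any(name.startswith("BAYES_") for name in fired)
    if not scanned:
        # Per the thread: no rule hits at all means the message was never
        # handed to SpamAssassin, typically because it exceeded MessageSizeLimit.
        note = "no rules fired: message was not scanned (check MessageSizeLimit)"
    elif not bayes_ran:
        note = "scanned, but Bayes gave no verdict (check the learned-message counts)"
    else:
        note = "scanned, Bayes contributed"
    return {
        "scanned": scanned,
        "bayes_ran": bayes_ran,
        "hits": parsed["hits"],
        "autolearn": parsed["autolearn"],
        "note": note,
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11s} {triage(value)}")
```

On the four quoted headers this reports the first as unscanned, the DNSBL-only one as scanned without Bayes, and the two BAYES_* headers as fully scanned; run over a day of headers it separates "the filter was never consulted" from "the filter ran and scored low", which need different fixes (the size limit versus rules or training).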