Educause Security Discussion mailing list archives
Re: Image SPAM Increase?
From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Fri, 21 Apr 2006 07:52:24 -0400
We have our Barracuda set up like this;

TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0

Our users do not control their own settings unless we have a specific reason. I spent some time training the Barracuda yesterday on "stock" SPAM and it really made a difference.

Martin D. Flagg
Network Engineer/Administrator

-----Original Message-----
From: Paul Russell [mailto:prussell () ND EDU]
Sent: Thursday, April 20, 2006 8:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

On 4/19/2006 12:51, Bruggeman, John wrote:
I'm seeing the same thing here at HUC-JIR, my Barracuda is not detecting them. I've tagged probably 50-75 emails in the Barracuda but so far (24-48 hours after tagging) the 'Cuda has not tagged them as BULK. I'm just hoping that the 'Cuda folks create some rules to get these marked.
Our Barracuda has caught quite a bit of this stuff over the past few weeks, but our site-wide tag and quarantine scores are a bit more aggressive than the vendor's default values of 3.5 and 7.0, respectively. We tag at 1.0 and quarantine at 2.0. Of course, individual users can override these values for their own accounts. Appended below are the X-Barracuda headers from a recent specimen. If we had been using the vendor's recommended tag and quarantine scores, this message would have been tagged and delivered, not quarantined.
X-Barracuda-Spam-Score: 4.60
X-Barracuda-Spam-Status: Yes, SCORE=4.60 using per-user scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1.0 KILL_LEVEL=1000.0 tests=HELO_DYNAMIC_SPLIT_IP, HTML_IMAGE_ONLY_04, MIME_HTML_MOSTLY, MPART_ALT_DIFF
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11036
    Rule breakdown below
    pts  rule name              description
    ---- ---------------------- -------------------------------------------
    0.88 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
    0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
    0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
    2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell () nd edu
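
Added example (not part of either message and not Barracuda's own code): a short Python parser for the X-Barracuda headers quoted above that replays the specimen's score against the threshold sets mentioned in the thread. The function names are hypothetical, and the rule that an action fires when the score is greater than or equal to its level, with the most severe action winning, is an assumption.

```python
import re

# The headers quoted in the message above, unfolded to one line per field.
SAMPLE = """\
X-Barracuda-Spam-Score: 4.60
X-Barracuda-Spam-Status: Yes, SCORE=4.60 using per-user scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1.0 KILL_LEVEL=1000.0 tests=HELO_DYNAMIC_SPLIT_IP, HTML_IMAGE_ONLY_04, MIME_HTML_MOSTLY, MPART_ALT_DIFF
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11036
 Rule breakdown below
 pts rule name description
 ---- ---------------------- -------------------------------------------
 0.88 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
 0.70 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
 0.14 MPART_ALT_DIFF BODY: HTML and text parts are different
 2.88 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
"""

def parse_status(headers):
    """Return (score, {level name: value}, [tests]) from the Spam-Status field."""
    score = float(re.search(r"SCORE=(-?\d+(?:\.\d+)?)", headers).group(1))
    levels = {name: float(val) for name, val in
              re.findall(r"(TAG|QUARANTINE|KILL)_LEVEL=(\d+(?:\.\d+)?)", headers)}
    tests = [t.strip() for t in re.search(r"tests=(.+)", headers).group(1).split(",")]
    return score, levels, tests

def parse_rules(headers):
    """Return {rule name: points} from the Spam-Report rule breakdown."""
    rows = re.findall(r"^[ \t]+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s", headers, re.M)
    return {name: float(pts) for pts, name in rows}

def disposition(score, tag, quarantine, kill=1000.0):
    """Assumed semantics: the most severe level the score reaches wins."""
    if score >= kill:
        return "block"
    if score >= quarantine:
        return "quarantine"
    if score >= tag:
        return "tag"
    return "deliver"

if __name__ == "__main__":
    score, levels, tests = parse_status(SAMPLE)
    rules = parse_rules(SAMPLE)
    print("score", score, "rule sum", round(sum(rules.values()), 2))
    for label, tag, quar in [("vendor default", 3.5, 7.0), ("site-wide", 1.0, 2.0)]:
        print(label, "->", disposition(score, tag, quar))
    no_image = round(score - rules["HTML_IMAGE_ONLY_04"], 2)
    print("without image rule, vendor default ->", disposition(no_image, 3.5, 7.0))
```

The last line of output shows how much of the verdict rests on HTML_IMAGE_ONLY_04: without its 2.88 points the specimen scores 1.72 and falls below the 3.5 tag level.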