Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Fri, 21 Apr 2006 07:52:24 -0400

We have our Barracuda set up like this:

TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0

Our users do not control their own settings unless we have a specific
reason.  I spent some time training the Barracuda yesterday on "stock"
SPAM and it really made a difference.



Martin D. Flagg 
Network Engineer/Administrator 



-----Original Message-----
From: Paul Russell [mailto:prussell () ND EDU] 
Sent: Thursday, April 20, 2006 8:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

On 4/19/2006 12:51, Bruggeman, John wrote:
I'm seeing the same thing here at HUC-JIR, my Barracuda is not
detecting them.  I've tagged probably 50-75 emails in the Barracuda
but so far (24-48 hours after tagging) the 'Cuda has not tagged them as BULK.

I'm just hoping that the 'Cuda folks create some rules to get these 
marked.


Our Barracuda has caught quite a bit of this stuff over the past few
weeks, but our site-wide tag and quarantine scores are a bit more
aggressive than the vendor's default values of 3.5 and 7.0,
respectively. We tag at 1.0 and quarantine at 2.0. Of course, individual
users can override these values for their own accounts.

Appended below are the X-Barracuda headers from a recent specimen. If we
had been using the vendor's recommended tag and quarantine scores, this
message would have been tagged and delivered, not quarantined.

X-Barracuda-Spam-Score: 4.60
X-Barracuda-Spam-Status: Yes, SCORE=4.60 using per-user scores of
     TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1.0 KILL_LEVEL=1000.0
     tests=HELO_DYNAMIC_SPLIT_IP, HTML_IMAGE_ONLY_04, MIME_HTML_MOSTLY, MPART_ALT_DIFF
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11036
     Rule breakdown below
     pts  rule name              description
     ---- ---------------------- -------------------------------------------
     0.88 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
     0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
     2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words

--
Paul Russell, Senior Systems Administrator OIT Messaging Services Team
University of Notre Dame prussell () nd edu
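As an added illustration (not part of the thread and not Barracuda's own code), the following Python script parses the rule breakdown quoted above, sums the points, and shows which action each threshold set mentioned in the thread (the vendor defaults Paul cites, Notre Dame's 1.0/2.0, and Hiram's 3.5/4.0) would take on this specimen. The comparison semantics (a score at or above a level triggers that action, and the strongest action wins) are an assumption about how the appliance applies TAG/QUARANTINE/KILL levels; the header text is copied from the message with the archive's line wrapping undone.

```python
import re
from decimal import Decimal

# Constructed sample: the X-Barracuda-Spam-Report quoted in the thread,
# re-joined onto single lines (the list archive wrapped them).
SAMPLE_REPORT = """\
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11036
     Rule breakdown below
     pts  rule name              description
     ---- ---------------------- -------------------------------------------
     0.88 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
     0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
     2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
"""

# Threshold sets from the thread as (TAG_LEVEL, QUARANTINE_LEVEL, KILL_LEVEL).
# KILL_LEVEL=1000.0 effectively disables outright rejection at both sites.
POLICIES = {
    "vendor_default": (Decimal("3.5"), Decimal("7.0"), Decimal("1000.0")),
    "notre_dame":     (Decimal("1.0"), Decimal("2.0"), Decimal("1000.0")),
    "hiram":          (Decimal("3.5"), Decimal("4.0"), Decimal("1000.0")),
}

# One rule line: points, rule name, free-text description.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d{2})\s+([A-Z0-9_]+)\s+(.*)$")


def parse_rule_breakdown(report: str):
    """Return [(points, rule_name, description)] from a spam-report header body."""
    rules = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((Decimal(m.group(1)), m.group(2), m.group(3).strip()))
    return rules


def total_score(rules):
    """Sum rule points exactly (Decimal avoids 4.6000000000000005 surprises)."""
    return sum((pts for pts, _, _ in rules), Decimal("0"))


def dominant_rule(rules):
    """Name of the rule contributing the most points (here the image-only test)."""
    return max(rules, key=lambda r: r[0])[1]


def classify(score, tag, quarantine, kill):
    """Assumed appliance semantics: the strongest threshold the score reaches wins."""
    if score >= kill:
        return "block"
    if score >= quarantine:
        return "quarantine"
    if score >= tag:
        return "tag"
    return "deliver"


def evaluate(report: str, policies=POLICIES):
    """Score a report and return (score, {policy_name: action})."""
    rules = parse_rule_breakdown(report)
    score = total_score(rules)
    return score, {name: classify(score, *levels) for name, levels in policies.items()}


if __name__ == "__main__":
    score, verdicts = evaluate(SAMPLE_REPORT)
    print(f"score={score}  dominant rule={dominant_rule(parse_rule_breakdown(SAMPLE_REPORT))}")
    for name, verdict in verdicts.items():
        print(f"  {name:15s} -> {verdict}")
```

Running it reproduces Paul's point: the same 4.60 message is only tagged under the vendor defaults but quarantined under either site's tighter levels, and almost two thirds of the score comes from the single HTML_IMAGE_ONLY_04 test, which is why image-only messages that dodge that rule slip through.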
