Re: A rant about FUZZY_OCR

2009-04-27 Thread Henrik K
On Sun, Apr 26, 2009 at 02:37:06PM -0400, Adam Katz wrote: On Fri, Apr 24, 2009 at 05:14:21PM -0400, Adam Katz wrote: I wouldn't trust FUZZY_OCR with anything. 12 points is *WAY* too high for any single thing. I had to disable this plugin a year or three ago because it assigned 20+

Re: [sa-list] Re: Image spam and failing rule

2009-04-27 Thread Henrik K
On Sun, Apr 26, 2009 at 04:11:10PM -0400, Dan Mahoney, System Admin wrote: On Sat, 25 Apr 2009, John Hardin wrote: On Sat, 25 Apr 2009, Gary Forrest wrote: We are receiving the same image spam many times, random text within the body. FuzzyOCR. It seems Spammers are trying image spam

Re: Phishing

2009-04-27 Thread Matus UHLAR - fantomas
On Sat, April 25, 2009 05:44, Igor Chudov wrote: DKIM will not work, as this is purely a social engineering attack. On 26.04.09 15:33, Benny Pedersen wrote: will postmas...@example.com work ? if the hacked accounts was signed with dkim remote will know what domain to contact about it, but

Re: Image spam and failing rule

2009-04-27 Thread Andy Spiegl
While you are at it, you can also scan for   full /Content-Type: image\/gif;\n[^a-z]+name=/ It's already been mentioned, but mimeheader is the right way to look at the headers of MIME parts. How about multiline Content-Types? I tried without success: mimeheader NAMELESSGIF_ATTACHMENT

sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread mark
Hey, I am trying to track down an issue on Centos 5 x86_64 with spamass-milter-0.3.2-1 and spamassassin-3.2.5. Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D spam.eml then it's correctly detected

Re: Code Rot?

2009-04-27 Thread Matt Kettler
Dan Mahoney, System Admin wrote: Hey all, While there's a decent amount of spamassassin list traffic to imply otherwise, is the SA project falling dormant? the sare-rules claim they won't be updated due to lives, wives, and hockey. the fuzzyOCR project claims the only thing that works

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 12:56, Matt Kettler mkettler...@verizon.net wrote: Dan Mahoney, System Admin wrote: Hey all, While there's a decent amount of spamassassin list traffic to imply otherwise, is the SA project falling dormant? the sare-rules claim they won't be updated due to lives,

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Matt Kettler
mark wrote: Hey, I am trying to track down an issue on Centos 5 x86_64 with spamass-milter-0.3.2-1 and spamassassin-3.2.5. Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D spam.eml then it's

Re: Phishing

2009-04-27 Thread jp
We've seen some of it with our webmail too. When one of your users gives out their password and you notice their account being abused, look in the message headers or apache logs to see where the perp is. We've seen them mostly to be from Africa, Nigeria probably. I've taken to blocking their

Re: Phishing

2009-04-27 Thread Dennis Davis
On Fri, 24 Apr 2009, SM wrote: From: SM s...@resistor.net To: users@spamassassin.apache.org Date: Fri, 24 Apr 2009 22:03:21 -0700 Subject: Re: Phishing ... There was a project from an educational institution to target phishing emails. I don't recall the name of the project or whether

Re: Phishing

2009-04-27 Thread Mike Cardwell
Dennis Davis wrote: There was a project from an educational institution to target phishing emails. I don't recall the name of the project or whether the source code was released. You might be thinking of Kochi: http://oss.lboro.ac.uk/kochi1.html The Google project:

Re: Phishing

2009-04-27 Thread Mike Cardwell
jp wrote: We've seen some of it with our webmail too. When one of your users gives out their password and you notice their account being abused, look in the message headers or apache logs to see where the perp is. We've seen them mostly to be from Africa, Nigeria probably. I've taken to

Re: Code Rot?

2009-04-27 Thread Theo Van Dinter
fwiw, I was going to say Yes to the first question. Not sure about the second question, though I've always wanted to see more sharing/give-back from those folks. While there have been a bunch of mails on the dev list, most of it is incorrectly opened bugs, or other randomness. IMO, there hasn't

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Robert Schetterer
mark wrote: Hey, I am trying to track down an issue on Centos 5 x86_64 with spamass-milter-0.3.2-1 and spamassassin-3.2.5. Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D spam.eml then it's

Re: Code Rot?

2009-04-27 Thread Yet Another Ninja
On 4/27/2009 5:47 PM, Theo Van Dinter wrote: These days there is basically no rule development going on, it seems. Justin's sought rules are the only ones really being updated, and that's because they're computer generated. :) That's actually something else I'm sad about -- we had such a huge

Re: Image spam and failing rule

2009-04-27 Thread Karsten Bräckelmann
On Mon, 2009-04-27 at 12:16 +0200, Andy Spiegl wrote: It's already been mentioned, but mimeheader is the right way to look at the headers of MIME parts. How about multiline Content-Types? They appear to be wrapped. $ grep -A 1 image/ dsl.png.msg Content-Type: image/png;

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja sa-l...@alexb.ch wrote: On 4/27/2009 5:47 PM, Theo Van Dinter wrote: These days there is basically no rule development going on, it seems. Justin's sought rules are the only ones really being updated, and that's because they're computer

RE: 3.2.5 upgrade - getting clobbered

2009-04-27 Thread Jean-Paul Natola
I tried to fetchindex but it failed with make: don't know how to make fetchindex. -Original Message- From: Mark Martinec [mailto:mark.martinec...@ijs.si] Sent: Friday, April 24, 2009 12:34 PM To: users@spamassassin.apache.org Subject: Re: 3.2.5 upgrade - getting clobbered Possibly

Re: Code Rot?

2009-04-27 Thread Igor Chudov
I have a few computers that I can volunteer for checking spam rules. i SARE had a nice system where you could submit a rule via email and got the masscheck results via email. Sadly all the boxes which did this are dead. I wonder if the SA masscheckers could be taught to do something

Re: Code Rot?

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja sa-l...@alexb.ch wrote: SARE had a nice system where you could submit a rule via email and got the masscheck results via email. Sadly all the boxes which did this are dead. actually, I _did_ come up

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread mark
Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D spam.eml then it's correctly detected as spam and no sign of UNPARSEABLE_RELAY. I have created case 6103 - but this may be a milter-issue, although the

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 17:38, John Hardin jhar...@impsec.org wrote: On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja sa-l...@alexb.ch wrote: SARE had a nice system where you could submit a rule via email and got the masscheck results via email. Sadly

Re: Code Rot?

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:38, John Hardin jhar...@impsec.org wrote: But this is only part of the problem. How difficult is it for third parties to submit rules for review and inclusion in the base ruleset without necessarily joining the dev group? Is

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 18:00, John Hardin jhar...@impsec.org wrote: On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:38, John Hardin jhar...@impsec.org wrote: But this is only part of the problem. How difficult is it for third parties to submit rules for review and

Re: Code Rot?

2009-04-27 Thread LuKreme
On 26-Apr-2009, at 22:36, Dan Mahoney, System Admin wrote: While there's a decent amount of spamassassin list traffic to imply otherwise, is the SA project falling dormant? No. Development is proceeding on 3.3. the sare-rules claim they won't be updated due to lives, wives, and hockey.

emailBL

2009-04-27 Thread Adam Katz
(note, I'm guessing at the appropriate mailing list for cross-post) Dennis Davis wrote: http://code.google.com/p/anti-phishing-email-reply/ is also useful as it attempts to detail the compromised accounts. Just block/quarantine email for those accounts. Interesting ... this seems like it

Re: emailBL

2009-04-27 Thread Karsten Bräckelmann
On Mon, 2009-04-27 at 16:10 -0400, Adam Katz wrote: Since email addresses contain everything a valid domain can contain, the user.AT.domain.tld (which is really user.at.domain.tld since domains are not case-sensitive) could be ambiguous if the user or the domain contains .at. in itself, or

Re: emailBL

2009-04-27 Thread Adam Katz
Adam Katz wrote: (note, I'm guessing at the appropriate mailing list for cross-post) Failure. I've sent a lead developer a list to an online caching of my post. Also, I borked my last example, and online caching sites' defanging techniques make this proposal impossible to read, so I've spaced

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Dan Mahoney, System Admin
On Mon, 27 Apr 2009, Henrik K wrote: Nothing of this makes sense. If you don't have a test server, too bad. If you don't trust the score-changing values too bad. It all worked for me. It's a great idea, but I'd like to see it mature some first, especially with respect to its documentation,

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Dan Mahoney, System Admin wrote: 3) Wordlists loadable from userprefs, if not bayes. Along with that, the detected words should be (somehow) fed into bayes for analysis along with the other message text. We touched on that last time fuzzyOCR was active. -- John

RE: 3.2.5 upgrade - getting clobbered

2009-04-27 Thread Jean-Paul Natola
Thanks that did the trick- removed ALL Perl mods and reinstalled exim and sa Greatly appreciated -Original Message- From: Jean-Paul Natola [mailto:jnat...@familycareintl.org] Sent: Monday, April 27, 2009 12:20 PM To: Mark Martinec; users@spamassassin.apache.org Subject: RE: 3.2.5

Re: emailBL

2009-04-27 Thread David B Funk
On Mon, 27 Apr 2009, Karsten Bräckelmann wrote: On Mon, 2009-04-27 at 16:10 -0400, Adam Katz wrote: Since email addresses contain everything a valid domain can contain, the user.AT.domain.tld (which is really user.at.domain.tld since domains are not case-sensitive) could be ambiguous if

Re: emailBL

2009-04-27 Thread Adam Katz
Karsten Bräckelmann wrote: You are aware there's a ccTLD .at? :) Yes, but the TLD goes at the very end of the email, so the parser, which strips .emailbl.org with that leading dot, can only trip over invalid domains like a.at..emailbl.org ... my latter two examples below show what the parser

Re: emailBL

2009-04-27 Thread Karsten Bräckelmann
y.real-at999.z @ a.at.real-at2.bc - y.real-at999.z.real-at1000.a.at.real-at2.bc Still ambiguous. So the generated s/at/real-at$n/ is the last occurrence of a numbered real-at plus 1. What if we need it twice, and there are 3 such thingies in total? How do we know we only need to decode 1

Next Version of SA and New Rule Updates

2009-04-27 Thread Jeremy Davila
Any Idea of when we will expect a new version of SA or new rule updates. We are getting hit pretty hard with Spam lately.

Re: Next Version of SA and New Rule Updates

2009-04-27 Thread Raymond Dijkxhoorn
Hi! Any Idea of when we will expect a new version of SA or new rule updates. We are getting hit pretty hard with Spam lately. Feel free to submit rules, don't just sit and wait. ;) Bye, Raymond.

Re: emailBL

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Karsten Bräckelmann wrote: y.real-at999.z @ a.at.real-at2.bc - y.real-at999.z.real-at1000.a.at.real-at2.bc Still ambiguous. So the generated s/at/real-at$n/ is the last occurrence of a numbered real-at plus 1. What if we need it twice, and there are 3 such thingies

Re: Next Version of SA and New Rule Updates

2009-04-27 Thread Karsten Bräckelmann
Removing the quoted body and changing the Subject after hitting the Reply button doesn't make it a new post. It is still a reply. Aka please don't hijack unrelated threads. Frankly, I'm almost surprised to see *that* old a version of Lotus Notes actually honor and set an In-Reply-To header at

Re: emailBL

2009-04-27 Thread Steve Freegard
Adam Katz wrote: (note, I'm guessing at the appropriate mailing list for cross-post) Dennis Davis wrote: http://code.google.com/p/anti-phishing-email-reply/ is also useful as it attempts to detail the compromised accounts. Just block/quarantine email for those accounts. Interesting ...

Re: emailBL

2009-04-27 Thread David B Funk
On Mon, 27 Apr 2009, John Hardin wrote: How about _at_ - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard hostnames with underscores as invalid. Ever seen

Re: emailBL

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, David B Funk wrote: On Mon, 27 Apr 2009, John Hardin wrote: How about _at_ - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Jo Rhett
On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of reference, I'd like to note that we

Re: emailBL

2009-04-27 Thread Adam Katz
Steve Freegard wrote: I've been thinking about creating an emailBL to target dropboxes used for 419 scams, phishing, russian penpals etc. as I have a reasonable way to collect these in real-time and it would close a lot of doors on these folks provided I can avoid being caught by address

FW: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Casartello, Thomas
I rely on Fuzzy OCR for some messages. I get some with Viagra/Cialis images, and just garbage text in the message. Other than FuzzyOCR, nothing usually scores. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Dan Mahoney, System Admin
On Mon, 27 Apr 2009, Jo Rhett wrote: On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of

Re: emailBL

2009-04-27 Thread SM
At 14:54 27-04-2009, David B Funk wrote: On Mon, 27 Apr 2009, John Hardin wrote: How about _at_ - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard

Re: emailBL

2009-04-27 Thread Steve Freegard
Adam Katz wrote: Steve Freegard wrote: I've been thinking about creating an emailBL to target dropboxes used for 419 scams, phishing, russian penpals etc. as I have a reasonable way to collect these in real-time and it would close a lot of doors on these folks provided I can avoid being

Re: emailBL

2009-04-27 Thread John Hardin
On Tue, 28 Apr 2009, Steve Freegard wrote: To reduce the likelihood of collisions then it's better to add the input string length at the end of the md5 like ClamAV does in its MD5 sigs e.g. s...@laptop-smf:~$ perl -MDigest::MD5 -e '$email=s...@fsg.com; print

Re: A rant about FUZZY_OCR

2009-04-27 Thread LuKreme
On 27-Apr-2009, at 16:06, Jo Rhett wrote: On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of

Re: emailBL

2009-04-27 Thread Steve Freegard
John Hardin wrote: On Tue, 28 Apr 2009, Steve Freegard wrote: To reduce the likelihood of collisions then it's better to add the input string length at the end of the md5 like ClamAV does in its MD5 sigs e.g. s...@laptop-smf:~$ perl -MDigest::MD5 -e '$email=s...@fsg.com; print

Re: Code Rot?

2009-04-27 Thread RW
On Mon, 27 Apr 2009 18:04:36 +0100 Justin Mason j...@jmason.org wrote: that's pretty much it. low FPs and a useful number of hits (ie. over 1% iirc). Unfortunately, that doesn't necessarily mean that the rule is useful. It's easy to create rules that match the above criteria, but most of

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Matt Kettler
mark wrote: Thanks for this, the bug issue had some more info, which I had not included in my email: I have recompiled spamass-milter with this patch:- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510665 However, this has not resolved the issue, can you tell me if SA can output

Re: emailBL

2009-04-27 Thread Dave Funk
On Tue, 28 Apr 2009, Steve Freegard wrote: Nah - I really don't like it that way; it doesn't really bring you any benefit and is more likely to cause collisions if you do it that way. Don't see how it can cause less DNS traffic either. At least using MD5 hashes your DNS query will only be 32

Re: emailBL

2009-04-27 Thread John Hardin
On Tue, 28 Apr 2009, Steve Freegard wrote: John Hardin wrote: On Tue, 28 Apr 2009, Steve Freegard wrote: To reduce the likelihood of collisions then it's better to add the input string length at the end of the md5 like ClamAV does in its MD5 sigs e.g. s...@laptop-smf:~$ perl -MDigest::MD5