Re: RCVD_IN_RP_CERTIFIED always -3

2024-06-06 Thread Kris Deugau
hostmas...@audiogen.ch wrote: I found the related configuration in 20_dnsbl_tests.cf: /# ---/ /# Return Path Certified:/ /# https://www.returnpath.net/internetserviceprovider/certification// /# (replaces

Re: Doesn't spamc/spamd need block/welcomeliist support???

2024-03-21 Thread Kris Deugau
Bill Cole wrote: On 2024-03-21 at 11:57:43 UTC-0400 (Thu, 21 Mar 2024 11:57:43 -0400) Kris Deugau is rumored to have said: Bill Cole wrote: I'm not sure how I've not noticed before, but unless I'm missing something, there is no way to replicate the [block,welcome]list functionalities

Re: Doesn't spamc/spamd need block/welcomeliist support???

2024-03-21 Thread Kris Deugau
Bill Cole wrote: I'm not sure how I've not noticed before, but unless I'm missing something, there is no way to replicate the [block,welcome]list functionalities of the spamassassin script when using the spamc/spamd interface. Does anyone see it hiding somewhere that I don't? Does anyone

Re: symlinking config files

2024-01-05 Thread Kris Deugau
Thomas Krichel wrote: Hi gang, my first post here. I'm running version 4.0.0-8 on debian testing. This is for Mailman. I have a script that creates a welcomelist for all my Mailman members. I include it via a symlink. # ls -l /etc/spamassassin/88_mailman_members.cf lrwxrwxrwx

Re: sa-learn on an Exchange public folder

2023-12-04 Thread Kris Deugau
Emmanuel Seyman wrote: Hello all. I've set up SA at $WORK and now want to train the bayesian classifier. To that end, a public folder has been setup on our Exchange server and I want to run sa-learn on any email that is transferred to it. I'm guessing this is a popular thing to do and that

Re: Too many dots?

2023-11-16 Thread Kris Deugau
Alex wrote: Hi, I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource > It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam.  *  1.5 KAM_SENDGRID Sendgrid

Re: spamassassin4.x - problem

2023-06-20 Thread Kris Deugau
Bill Cole wrote: On 2023-06-20 at 12:33:05 UTC-0400 (Tue, 20 Jun 2023 18:33:05 +0200) Patrick Proniewski is rumored to have said: On 20 Jun 2023, at 17:49, Bill Cole wrote: On 2023-06-20 at 09:39:04 UTC-0400 (Tue, 20 Jun 2023 15:39:04 +0200) Patrick Proniewski is rumored to have said:

Re: Fine-tuning SA URI extraction

2023-04-26 Thread Kris Deugau
Bill Cole wrote: On 2023-04-26 at 11:06:56 UTC-0400 (Wed, 26 Apr 2023 11:06:56 -0400) Kris Deugau is rumored to have said: Am I missing some configuration option that can do this, or am I left with doing one of:  - just suppressing lookups of the canonicalized URI  - removing

Fine-tuning SA URI extraction

2023-04-26 Thread Kris Deugau
SA has long gone to great lengths to extract URIs from things which are not strictly URIs, on the basis that mail clients do the same and SA needs to inspect such things for DNSBL lookups. I'm fine with this. However, once in a while I come across a case where something is clearly being

Re: replay RBL queries one hour later

2023-02-28 Thread Kris Deugau
Rob McEwen wrote: Benny, All I know for sure is this - for MANY legit emails - DKIM fails some days later Hours. I've recently learned about this, in the context of trying to welcomelist legitimate senders. A 2-hour validity window for the DKIM signature is pretty common. :( - when

Re: adobe phishing?

2023-02-22 Thread Kris Deugau
Greg Troxel wrote: One of my users got mail that really looks like a phish. They are unaware of having an adobe account. It is DKIM signed, but looks a bit spammy in terms of the content (low-quality HTML markup, missing text/plain content). ... How much otherwise legitimate mail have you

Re: Whitelist or add negative values for score

2022-12-21 Thread Kris Deugau
Joey J wrote: Thanks Everyone. Within all of the responses, I will try to reply here. 1. The legit sender will talk about big numbers because of the real things he is involved with so big numbers is still a valid method to score, just not in this case. 2. The SPF record is set to fail on no

Re: RFH: using SOUGHT logic to combat phish

2022-10-11 Thread Kris Deugau
Matus UHLAR - fantomas wrote: Hello, I have quite pretty archive of phish mail (bank and mail accounts), where many words and phrases repeat. I was thinking about processing them manually and creating rules, but that would be much work. I remember that SOUGHT ruleset used to contain phrases

Re: More Sendgrid trouble?

2022-09-29 Thread Kris Deugau
(Please keep followups onlist) Greg Troxel wrote: Kris Deugau writes: Is anyone else seeing intermittent FNs on mail sent through Sendgrid where the nominal sender has a default welcomelist_* entry? Today's spample is a Mcafee scam email, pretty clearly sent through Intuit's Sendgrid

More Sendgrid trouble?

2022-09-28 Thread Kris Deugau
Is anyone else seeing intermittent FNs on mail sent through Sendgrid where the nominal sender has a default welcomelist_* entry? Today's spample is a Mcafee scam email, pretty clearly sent through Intuit's Sendgrid account based on the rDNS. On testing in my sandbox it was only allowed

Re: phishtank api usage from spamassassin ?

2022-08-26 Thread Kris Deugau
Raymond Dijkxhoorn via users wrote: Hello Benny, Many of the SARE people are around but are now doing things RBL style. Including me and Alex to name just two. And the link -subdomains- you see in spams you can report to various lists if needed (feedb...@surbl.org for example). In case

Re: phishtank api usage from spamassassin ?

2022-08-25 Thread Kris Deugau
Benny Pedersen wrote: Axb skrev den 2022-08-25 17:48: On 8/25/22 16:10, Benny Pedersen wrote: i consider block all page.link, whois says its hosted by google :/ go ahead.. /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf:url_shortener .page.link

Re: subscribe to blacklist for domains

2022-08-18 Thread Kris Deugau
Vincent Lefevre wrote: On 2022-08-16 12:05:43 -0400, Kris Deugau wrote: And, quite reasonably, most rejections for spam include very little or no detail, so aside from DNSBL-based rejections the sending platform has essentially zero information beyond "the receiving system doesn't li

Re: subscribe to blacklist for domains

2022-08-16 Thread Kris Deugau
Vincent Lefevre wrote: On 2022-08-15 10:39:05 -0400, Kris Deugau wrote: Vincent Lefevre wrote: Rejecting mail (instead of accepting it and dropping it) is useful in case of false positives. I'm a bit torn on this. On the one hand, yes, the sender now knows for sure their message didn't get

Re: subscribe to blacklist for domains

2022-08-15 Thread Kris Deugau
Vincent Lefevre wrote: On 2022-08-13 14:05:43 -0400, joe a wrote: On 8/13/2022 12:38 PM, Martin Gregorie wrote: . . . 2) There's no mandatory need to REJECT spam. It has always been up to the recipient to decide whether to return it to the sender or not. Agreed in part. I see returning

Re: subscribe to blacklist for domains

2022-08-15 Thread Kris Deugau
Bill Cole wrote: Not exactly. There are 2 distinct domain lists internal to SA that exist to reduce false positives. 1. The URIDNSBL 'skip' list of domains which are ignored in body URIs. These are known to not *per se* have any correlation to the ham/spam classification decision. IIRC the

Re: Seeking dhl.com ham samples

2022-08-02 Thread Kris Deugau
Bill Cole wrote: Bug 8021 reports breakage in SPF checking for dhl.com mail, due to an inability to resolve the  SPF TXT record for dhl.com. That breakage is essentially due to DHL having far too many TXT records (some are clearly stale) and having a SPF record which is right at the limit of

Re: Memory requirement for SpamAssassin/Postfix/Roundcube/Dovecot stack

2022-06-01 Thread Kris Deugau
Grant Taylor wrote: On 5/26/22 8:32 AM, Ian Evans wrote: Is it safe to assume that a $5/mth 1gig memory account will laugh at the resources needed to run a SpamAssassin/Postfix/Roundcube/Dovecot/Nginx stack and not ever break a sweat? Sadly, I found that I needed to quit tilting at the 1GB

Re: your mail

2022-04-26 Thread Kris Deugau
Matus UHLAR - fantomas wrote: On Tue, Apr 26, 2022 at 02:35:25PM +0200, Matus UHLAR - fantomas wrote: > is it possible to match message headers in rfc822 atttachments? > > from what I know, "header" rules only apply to mail headers and mimeheader > only apply to mime headers. > > body and

Re: FROM header obfuscation

2022-02-10 Thread Kris Deugau
(Please keep mail on-list) Laurent S. wrote: On Tuesday, February 8th, 2022 at 16:41, Kris Deugau wrote: I have a longish list of rule groups similar to below for different extended UTF8 ASCII-lookalike characters and words. Some are derived from rules discussed on this list within the past

Re: CONTENT_AFTER_HTML: better not discuss formatting!!

2022-02-08 Thread Kris Deugau
Bill Cole wrote: On 2022-02-08 at 04:28:16 UTC-0500 (Tue, 8 Feb 2022 01:28:16 -0800) Loren Wilton is rumored to have said: No, I added that after observing multiple spams with random garbage after the closing HTML tag in the HTML body part. Presumably it was an attempt at Bayes poison,

Re: FROM header obfuscation

2022-02-08 Thread Kris Deugau
Frido Otten wrote: Hi All, Recently we're seeing more spam passing our spamfilters using text obfuscating in the FROM header. The problem mainly targets users which are using mail clients like iPhone Mail which are only displaying the display name of the FROM header and not the actual email

And users wonder why spam is so hard to catch...

2021-10-04 Thread Kris Deugau
... when clueless nominally legitimate senders commit the same idiotic failures... I'm dissecting a false positive on a message from Quora, brought on largely by local rules targeting abuse of non-ASCII lookalike characters. In the process of chasing down what idiocy triggered these rules, I

Re: freshworks and DKIM and KAM

2021-08-27 Thread Kris Deugau
Alex wrote: Hi, I can't figure out why attempts at adding emails from the freshworks.com domain to the welcome list aren't successful. This is from a quarantined message on my amavis/SA/fedora system. I'm not sure why the entirety of freshworks.com would be blocked in the first place? * 9.0

Re: Score for certain spam

2021-08-18 Thread Kris Deugau
Greg Troxel wrote: Alan writes: It's sent to the bit bucket, not done in the MTA. In this case, each account can set individual thresholds and has an individual set of local rules, so that might be why. I'd prefer to 550 them as well, although I suspect the majority of sources just don't

Re: SA seems powerless against marketing emails for SEO/web development

2021-04-22 Thread Kris Deugau
David B Funk wrote: How hard would it be to modify the uribl lookup code so that it did not truncate hosts names, so we could create uribl entries of the form "name-company-track.appspot.com" or would that be prohibitively expensive in lookups? util_rb_2tld For appspot.com specifically,

data-saferedirecturl WTF?

2021-04-21 Thread Kris Deugau
Can anyone point me to a reference document describing what the "data-saferedirecturl" attribute on an <a> tag is supposed to be useful for, and for bonus points any hints why it can't be trivially and horribly abused by scammers? Most of the search results I've turned up reference URL-munging

Re: google.com spam

2021-04-06 Thread Kris Deugau
Matus UHLAR - fantomas wrote: I see they are evolving now, using google redirects to google links, further hiding. https://www.google.com/url?q=https://sites.google.com/ I've just created local rules to give a few points to several such constructs ranging from a low-scoring hit on just

Re: "Please send us a quote..."?

2021-04-06 Thread Kris Deugau
John Hardin wrote: Can anybody explain to me the reason behind the blind "please send us a quote for your product X" emails? I mean, I know they are somehow a scam, but I can't figure it out how it's supposed to work when the target isn't a business... Most of the examples I've seen are

Re: Workflow for adding new ham/spam to existing site-wide database?

2021-03-18 Thread Kris Deugau
Matus UHLAR - fantomas wrote: On Wed, 17 Mar 2021 10:42:14 -0400 Kris Deugau wrote: My own experience has been that accumulating blobs of ham/spam and just repeatedly running sa-learn over those works just fine.  It also reduces the incidence of tokens from somewhat rarer mail automatically

Re: Workflow for adding new ham/spam to existing site-wide database?

2021-03-17 Thread Kris Deugau
Steve Dondley wrote: I have been accumulating spam/ham samples and sorting them out into different directories on my server. As new spam/ham comes in, I throw it into the existing pile and then run "sa-learn --spam|--ham" on the whole pile. It dawned on me that this will get very slow as I

Re: Training spamassassin past 5,000 emails

2021-03-09 Thread Kris Deugau
RW wrote: On Tue, 09 Mar 2021 08:52:28 -0500 Steve Dondley wrote: I will also be allowing users to flag their own spam using the roundcube webmail client. If you do that you should review the submissions. This. SO much this. ALL THE THIS. If you're using the "Mark as Junk" or "Mark as

Re: URLs hidden in Morse code

2021-02-11 Thread Kris Deugau
Kris Deugau wrote: Thunderbird and Seamonkey both have it supported and enabled out of the box.  I would not be surprised if Outlook did, along with no way to disable it.  Mac Mail probably does, again likely with at best a tedious hassle to disable it.  Windows Mail (AKA "the desce

Re: URLs hidden in Morse code

2021-02-10 Thread Kris Deugau
Bill Cole wrote: On 9 Feb 2021, at 18:37, Kenneth Porter wrote: I'm reminded of the recent post suggesting that SA parse QR codes to feed URLs to block lists. The email includes a

Re: Error "cannot open bayes databases" lock failed: File exists

2020-12-30 Thread Kris Deugau
Emanuel Gonzalez wrote: # SpamAssassin Deamon config SPAMDOPTIONS="-u spamd --round-robin --min-children=30 --max-children=180 --min-spare=25 --max-spare=80 --timeout-child=60 --max-conn-per-child=150 -i -A

Re: Bypass RBL checks for specific address

2020-12-23 Thread Kris Deugau
Bill Cole wrote: On 23 Dec 2020, at 13:57, Grant Taylor wrote: On 12/22/20 11:03 PM, Bill Cole wrote: Do you have a setup that supports per-user preferences? e.g.: real system accounts. Sort of.  The recipient is a real Unix account.  However I don't think my milter is configured to use

Re: per-user bayes

2020-12-09 Thread Kris Deugau
micah anderson wrote: Kris Deugau writes: There will only be one database and set of tables, but one of the fields in each table is the user identifier. Fair warning - if you go full per-user on a large system, this will MASSIVELY balloon the size of your Bayes database, and most users

Re: per-user bayes

2020-12-08 Thread Kris Deugau
Benoit Panizzon wrote: Hi This may help I sort of have the same issue. Unfortunately that does not help, it merely explains how to store bayes data in a database. But there is still only one 'global'

Re: User receiving hundreds of subscribe requests

2020-09-28 Thread Kris Deugau
Alex wrote: Hi, I have a user who is receiving hundreds of subscribe confirmation requests and password reset requests from legitimate sources like teabox.com, coupon sites, online magazines, travel sites, etc. They're in all different languages and types of sites. They're not bounce messages,

Re: Mailspike rules all return 0.0

2020-07-29 Thread Kris Deugau
Bill Cole wrote: On 29 Jul 2020, at 9:27, Simon Harwood wrote: Hello, I have noticed that the mailspike rules are enabled in SpamAssasin but all return zero values: 0.0 RCVD_IN_MSPIKE_BL  Mailspike blacklisted 0.0 RCVD_IN_MSPIKE_L5  RBL: Very bad reputation (-5) This is actually a

Re: Detecting SendGrid shared IPs

2020-07-16 Thread Kris Deugau
Pedro David Marco wrote: Is there any way to know whether a Sendgrid IP is shared or dedicated? Use the FCrDNS data and one or another of the X-Spam-Relays metaheaders. It should be possible to quickly refine these to "good enough", if they're not already (watch for word wrap): header

Re: spamhaus enabled by default

2020-07-10 Thread Kris Deugau
Charles Sprickman wrote: That’s unrealistic. Many ISPs these days that aren’t the “big boys” with dedicated staff for every facet of ISP operations, they are one and two man shops running WISPs in rural areas or developing countries. It’s not the 90’s anymore. It’s a terrible default, even

Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Kris Deugau
AJ Weber wrote: I want to try adding a score for a sender whose address uses a TLD with > 3 chars. I realize there are some legit ones, but I'm going to test it with a low score and see what it catches. Is it just something like: header   From =~   /\.\w{4,}$/ You'll probably want to use

Re: Occasional rejections.

2020-04-28 Thread Kris Deugau
@lbutlr wrote: I get occasional mails like this: On 24 Apr 2020, at 18:33, users-h...@spamassassin.apache.org wrote: Hi! This is the ezmlm program. I'm managing the users@spamassassin.apache.org mailing list. Etc. What you do depends on the "Etc." bit. IIRC this is usually something

Re: SQL preferences: where does the _DOMAIN_ in the query come from

2020-02-18 Thread Kris Deugau
Guido Goluke, Majorlabel wrote: I'm in the process of setting up my preferences through SQL. Now spamc is invoked through a Postfix milter, but that's besides the point, since whatever way spamc is called, it can only specify one -u param as the username. However, the WIKI and Docs version of

Re: Two types of new spam

2020-01-08 Thread Kris Deugau
Lyle Evans wrote: Expect to see a lot more of these due to https://github.com/0x4447/0x4447_product_s3_email/blob/master/README.md That looks more like Doing It Right(TM), by way of using Amazon's outbound relay hosts. Doing It Wrong(TM) is sending direct-to-MX from your VPS without

Re: Two types of new spam

2020-01-03 Thread Kris Deugau
Philip Prindeville wrote: I’m getting the following Spam. http://www.redfish-solutions.com/misc/bluechew.eml Received: from phylobago.mysecuritycamera.org (ec2-34-210-5-63.us-west-2.compute.amazonaws.com [34.210.5.63]) I have a local rule adding a couple of points for anything coming

Re: Spamassassin Debug Logs

2019-12-27 Thread Kris Deugau
KADAM, SIDDHESH wrote: Hi, I have Postfix+MailScanner integreated with Spamassassin, I want to enable debug logs of Spamassassin for all mail transactions. I know spamassassin -D -t /tmp/sid.eml but this is limited to single mail. I want something which can store all debug logs in run time.

Re: Bitcoin ransom mail

2019-12-19 Thread Kris Deugau
John Hardin wrote: On Thu, 19 Dec 2019, Philipp Ewald wrote: I have a solution with ClamAV for any image that is "not allowed". I my case i create  a md5sum from images i don't want to receive and but them into hashtable. This Hashtable place into /var/lib/clamav/NAME.hsb

Re: White listing this mailing list.

2019-12-19 Thread Kris Deugau
RW wrote: On Thu, 19 Dec 2019 18:01:37 +0200 Henrik K wrote: But if one wanted to check the forwarders after hermes.apache.org properly, it would make more sense to add it in internal_networks, since practicall it acts as the outer MX for you. That would enable proper blacklist checks too.

Re: Where is SA getting config info?

2019-11-22 Thread Kris Deugau
Jerry Malcolm wrote: I am trying to add bayes to SA.  I see in the docs that there is a use_bayes parm and the path parm.  I made the changes to /usr/share/spamassassin/local.cf.  But I see no change.  I am not sure it's even loading that config file. I've got debug on, and the log doesn't

Re: MALFORMED_FREEMAIL

2019-11-01 Thread Kris Deugau
Joseph Brennan wrote: Oh, replying to myself... I just tested sending from a Gmail account to my regular columbia.edu address, using BCC and with no address in "To:". This did not hit MISSING_HEADERS, and in fact had /To: undisclosed-recipients:;/.  So now I don't know

Re: Facebook notifications sent from dynamic address

2019-10-07 Thread Kris Deugau
Kenneth Porter wrote: (Nothing wrong with SA. Just an FYI about a popular service that abuses the Internet and SA catches it.) I noticed one of my notifications from Facebook today got tagged by SA. Here's the two that put it over: 3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious

Re: Report on ALL The threshold settings accross all users on the server

2019-08-28 Thread Kris Deugau
Thierry Lavallee wrote: Hi, First post. :) Is there any way to report on ALL the threshold settings configured across ALL users on the server? That depends a lot on how SA is integrated and what you mean by a "user". For the SA cluster at work, I'd do SELECT * FROM userpref WHERE

Re: MySQL

2019-07-03 Thread Kris Deugau
@lbutlr wrote: On 2 Jul 2019, at 14:21, Kevin A. McGrail wrote: I guess the tl;dr version of my question (too late!) is how is the username field populated in the database? I think you are mixing up the user preference table and the naive bayesian table. Apologies if the docs aren't

Re: Optimum Number of Spamd Children

2019-06-06 Thread Kris Deugau
RW wrote: On Wed, 5 Jun 2019 10:45:13 -0400 Kris Deugau wrote: jim.ander...@wohosting.net wrote: Greetings, I've searched but haven't had any luck finding documentation about how to determine the optimal settings for spamd children (max-children, min-children, max-spare, min-spare, and max

Re: Optimum Number of Spamd Children

2019-06-05 Thread Kris Deugau
jim.ander...@wohosting.net wrote: Greetings, I've searched but haven't had any luck finding documentation about how to determine the optimal settings for spamd children (max-children, min-children, max-spare, min-spare, and max-conn-per-child). I have a dedicated server for running spamd. It

Re: SpamAssassin Scoring For MDAEMON_DNSBL

2019-05-14 Thread Kris Deugau
Matus UHLAR - fantomas wrote: On 14.05.19 06:18, cyflhn wrote: but what about this one "FREEMAIL_FORGED_REPLYTO". why it got 2.1 score? this is standard rule where mail predenting to come from one freemail service really comes from another freemail service. Actually, unless I misread the

Re: GeoIP2 packages

2019-05-06 Thread Kris Deugau
Alex wrote: I'm looking for the GeoIP2 and IP Country packages for fedora/CentOS needed for the RelayCountry plugin. I believe there were some license changes recently that prevent them from being included with the latest distributions? I believe they also have a ton of dependencies based on

Re: track messages

2019-03-25 Thread Kris Deugau
Rick Gutierrez wrote: Hi list , I need to do a trace of all the messages that spamassassin cataloged as spam yesterday, I have found a bash statement but I do not make it work, some idea that it may be failing, I am using centos 6 and spamassassin 3.4.2 grep "$(date +"%b %_d" -d "yesterday")"

Re: Do I still need these old spamtips.org rules in local.cf?

2019-01-23 Thread Kris Deugau
Ian Evans wrote: Several years ago I added a bunch of rules to my local.cf that I picked up from spamtips.org . That was back in the days of Spamassassin 3.3.2, about 2012. Old rules aren't inherently bad, but they do need review now and them to see if

Re: Phishing.pm

2019-01-21 Thread Kris Deugau
RW wrote: On Mon, 21 Jan 2019 14:37:38 -0500 Kris Deugau wrote: Rick Cooper wrote: and I am wondering if SA has to be restarted after each update of the data or does it reread each time the plugin is called Looks like it loads the data into RAM on SA startup/(reload?). It's loaded from

Re: Phishing.pm

2019-01-21 Thread Kris Deugau
Rick Cooper wrote: Giovanni Bechis wrote: man Mail::SpamAssassin::Plugin::Phishing to be precise. Giovanni Something that isn't answered in the docs is the default score There doesn't seem to be one set: root@tiny:/home/kdeugau# sa-update root@tiny:/home/kdeugau# grep -R URI_PHISHING

Re: sa-update not properly parsing urls in MIRRORED.BY files?

2019-01-11 Thread Kris Deugau
Bill Cole wrote: On 10 Jan 2019, at 23:15, listsb wrote: Update available for channel sought.rules.yerp.org: -1 -> 3402014020421 And finally: that rule channel has not been updated in almost 4 years and almost surely will never be updated again. I'm pretty sure it's been longer than that

Re: [SA 3.4.2] sa-update doesn't see custom channel

2018-12-19 Thread Kris Deugau
RW wrote: It looks like sa-update has lost support for paths in mirror URLs. The SA mirrors don't currently have paths, but the commented-out dostech entry suggests that they have been supported in the past. I came across this myself since my local channels also use subdirectories. It's

Re: Spamassassin using remote rules definition source?

2018-12-11 Thread Kris Deugau
Kevin A. McGrail wrote: On 12/10/2018 2:49 PM, Kris Deugau wrote: The master/reference files are stored in a Subversion repository. Commits to particular paths trigger the creation of the tarball, SHA* hash files, and GPG signature.  A cron job on our DNS master server polls the repository

Re: Spamassassin using remote rules definition source?

2018-12-10 Thread Kris Deugau
John Hardin wrote: On Mon, 10 Dec 2018, ozgurerdogan wrote: I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin

Re: Lost mail during update

2018-11-21 Thread Kris Deugau
@lbutlr wrote: While updating spamassassin, several emails were destructive lost because of the absence of spamc. To be fair, the date did get stuck unexpectedly asking for a confirmation, but still I’d like to avoid this happening again. Nov 20 10:20:34 mail postfix/pipe[73448]:

Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Kris Deugau
RW wrote: On Fri, 16 Nov 2018 08:44:52 -0500 Robert Fitzpatrick wrote: We're having an issue with spam coming from the same company even though SPF and DKIM is setup with DMARC to reject. Take this forwarded email for instances [ fake invoice email ] SPF and DKIM rarely return "fail" on

Re: Bayes underperforming, HTML entities?

2018-11-09 Thread Kris Deugau
Amir Caspi wrote: On Nov 9, 2018, at 8:10 AM, Matus UHLAR - fantomas wrote: how many spams and hams did you train then? As of right now: 0.000 0 258427 0 non-token data: nspam 0.000 0 106813 0 non-token data: nham 0.000 0 438310

Re: ClamAV - low detection rates on malware attachments lately

2018-11-08 Thread Kris Deugau
Kenneth Porter wrote: On 11/7/2018 1:24 PM, Kris Deugau wrote: I use a combination of adding local signatures (mainly hashes for "random-executable-inna-archive") and selected signatures from a number of third parties to the stock set in a "primary" Clam instance th

Re: ClamAV - low detection rates on malware attachments lately

2018-11-07 Thread Kris Deugau
John Hardin wrote: Whenever I get an attachment that fails SA (or was sent to the SA list and moderated) I throw it at VirusTotal to see what they have to say. Pretty much everything recently (last 6-9 months) doesn't get detected by ClamAV, so I submit them as samples. Is this unusual? Is

Re: Best practice for learning submissions

2018-07-24 Thread Kris Deugau
Nick Bright wrote: On 7/23/2018 11:49 PM, Bill Cole wrote: The goal is to get a copy of the message that is identical to what SA saw when it arrived. For IMAP users, this is easiest to get with a 'missed spam' mailbox into which users can move messages for learning. If you must rely on

Re: Best practice for learning submissions

2018-07-24 Thread Kris Deugau
Kris Deugau wrote: Nick Bright wrote: The problem I'm trying to solve is "how to implement a training system on my server". I'd suggest a manual review step before feeding the messages to Bayes. You **WILL** get users reporting all kinds of "unwanted today because Reasons

Re: Best practice for learning submissions

2018-07-24 Thread Kris Deugau
Nick Bright wrote: The problem I'm trying to solve is "how to implement a training system on my server". I'd suggest a manual review step before feeding the messages to Bayes. You **WILL** get users reporting all kinds of "unwanted today because Reasons" but otherwise legitimate email as

Re: Help with own RBL

2018-07-23 Thread Kris Deugau
Pedro David Marco wrote: Not exactly a SA question but... i am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)... Please, does anyone know of any

Re: Help with Bayes-SQL-Configuration

2018-07-18 Thread Kris Deugau
Julian Kippels wrote: Hi, I am in the process of setting up a bayes-sql-database but I am unsure of wether I want to set the bayes_sql_override_username option. I would like to have per-user-bayes scores, so that scores from user A will not interfere with messages sent to user B. If I

Re: Invoice phish

2018-05-09 Thread Kris Deugau
David Jones wrote: One more thing.  I have expanded my definition of FREEMAIL to any Google and Office 365 senders like this: header  __RCVD_YAHOO    Received =~ /\.yahoo\.com \[/ header  __RCVD_HOTMAIL  Received =~ /\.hotmail\.com \[/ header 

Re: match rules to base64 encoded body

2018-04-18 Thread Kris Deugau
(Please keep list mail on the list.) On 11/04/2018 16:15, Kris Deugau wrote: >> Please post the rules you think should match on this example. saqariden wrote: this is my rule: uri    __FR_SHORT_SPAM_URI_1 /(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9

Re: match rules to base64 encoded body

2018-04-11 Thread Kris Deugau
saqariden wrote: Hi all, lately i see more and more mails using base64 encoding for the body of the mails. example: [snip] This is a spam mail, my SpamAssassin did not recognize it as spam, even if i have rules that can match the decoded body. My question is: Is it possible to decode

Re: Synthesizing an Mbox Header

2018-04-09 Thread Kris Deugau
Kevin A. McGrail wrote: Hi All, I get a lot of spamples submitted to me and it would be nice if there was an automated way to synthesize the mbox separator.  Looking to see if there is an existing process before I reinvent the wheel. formail < messagefile >> mboxfile However, whatever

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Kris Deugau
Alex wrote: We're also seeing it hit mailer-daemon emails. https://pastebin.com/raw/UXnzEN8U This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's hitting on the mime attachments which are apparently

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

2018-02-06 Thread Kris Deugau
Alex wrote: These phishes we've received were all from otherwise trusted sources like salesforce, amazonses and sendgrid. These are examples that I believe were previously whitelisted because of having received a phish through these systems but have no been disabled. whitelist_auth

Re: Body rules hit on Subject

2018-02-02 Thread Kris Deugau
Alex wrote: Hi, I recall a conversation in the past about body rules hitting on the Subject of an email, but I don't believe there was ever a solution, or I otherwise missed it. It's now affecting me again, and I hoped someone had some ideas on how to prevent body rules from hitting on the

Re: Receiving a lot of junk from Office 356

2018-01-23 Thread Kris Deugau
David Jones wrote: First, if anyone from Microsoft is on this list, please setup proper outbound spam filtering, rate limiting, and compromised account detection with locking to prevent junk like this. I have seen a recent increase in the number of outbound junk and phishing emails that I

Re: FSL_MIME_NO_TEXT and MIME_NO_TEXT

2018-01-09 Thread Kris Deugau
Joseph Brennan wrote: The case in point is an application that sends a report to a few people as a plain text document, and the only mime part is the attachment, which is called application/octet-stream and has a .txt file extension. I feel like this should count in __ANY_TEXT_ATTACH. (I'm

Re: Blocking senders that are whitelisted

2017-10-04 Thread Kris Deugau
Alex wrote: Hi, we have a user complaining about receiving email from a solar panel company and want us to block it. The problem is that it originates from mailchimp, which is whitelisted. I don't consider ESPs to be collectively or individually "white" enough to whitelist all mail sent

Re: Whitelisting amazon where no DKIM_VALID_AU exists

2017-08-30 Thread Kris Deugau
David Jones wrote: Report it to Amazon's abuse Have you found a sane way to do this? Last time I tried I couldn't just forward the offending message as an attachment like nearly every other abuse contact accepts (and generally insists on!); I got pointed to a webform clearly designed for

Re: SVN rules to sa-update?

2017-08-18 Thread Kris Deugau
Kevin A. McGrail wrote: On 8/17/2017 9:56 PM, George Patterson wrote: As a possible workaround, can the entire meta rule be copied into local.cf ? Will this override the one in 20_meta_test.cf ? I don't remember if it will override it. Stock rules can

Re: tflags

2017-08-03 Thread Kris Deugau
Ian Zimmerman wrote: On 2017-08-03 10:38, sha...@shanew.net wrote: The most common ones that I make use of are "multiple" and "maxhits" in order to allow a rule to be scored for each time it hits, but to stop counting after some threshold. I also use the "net" tflag so that RBL checks only

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread Kris Deugau
David Jones wrote: Would it be beneficial to add a local.cf config option to allow SA to specify a different DNS server rather than what the OS is using in /etc/resolv.conf? IIRC it does, and a quick scan of the Mail::SpamAssassin::Conf man page turned up: dns_server ip-addr-port

Re: extract eml forwarded attached mail and sa-learn

2017-03-15 Thread Kris Deugau
Rejaine Monteiro wrote: Does anyone know of command or script in to extract an "forwarded attached" email (eg: Forwarded.eml file attached email) on linux command line/shell script/perl/pyton etc.. I am trying to reformime, ripmime, but I'm not succeeding yet The idea is to make the user,

Re: mk_meta_rule_scores - does it work correctly?:)

2017-03-15 Thread Kris Deugau
Marcin Mirosław wrote: W dniu 2017-03-14 16:23, Kris Deugau napisał(a): If I read the information flow correctly, this is actually decided by seek-phrases-in-log, which spits out subrules that reached a certain hit rate in blocks, followed by the "# passed hit-rate threshold nnn&

Re: mk_meta_rule_scores - does it work correctly?:)

2017-03-14 Thread Kris Deugau
mar...@mejor.pl wrote: Hi! Thanks to AXB seek-in-phrases-in-log works OK. Now I'm on the next step with automated creating rules. I suspect that mk_meta_rule_scores doesn't assign scores correctly. I set in mk_meta_rule_scores: my %scoremap = ( '70' => '1.5', '4' => '2.0', '0.01' =>

Re: how to parse back through forwarding headers to find the true source IP

2016-12-08 Thread Kris Deugau
(Please keep mail on the list) Marcus Schopen wrote: > Hi Kris, > > thanks for your time! > > Am Donnerstag, den 08.12.2016, 12:18 -0500 schrieb Kris Deugau: >>> On 12/8/2016 10:54 AM, Marcus Schopen wrote: >>>> Hi, >>>> >>>> some
