Re: URL spam and RP_MATCHES_RCVD

2013-04-16 Thread Ned Slider
On 16/04/13 00:07, Alex wrote: Hi, But I stand by my local.cf entry reducing RP_MATCHES_RCVD to an advisory -0.001; it may be useful in combination with other rules, but I don't think it's valuable enough on its own to have even -0.5 points. I can't say I've seen any evidence in the mail

Subject: Fusemail Technical Support for Case - 03278437 ref:_00D301Siv._50060Ppgo5:ref – Re: URL spam and RP_MATCHES_RCVD

2013-04-16 Thread Ned Slider
On 16/04/13 14:28, Ned Slider wrote: In an ideal world, yes. But I suspect the SA auto-generated scoring system is far from an ideal world due to the limited number of contributors to the spam/ham corpus and the fact that your or my mail streams might not accurately reflect those contributed

Re: URL spam and RP_MATCHES_RCVD

2013-04-15 Thread Ned Slider
On 15/04/13 18:46, Niamh Holding wrote: Hello Kris, Friday, April 12, 2013, 4:23:55 PM, you wrote: KD score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344 I'm seeing- score RP_MATCHES_RCVD -0.552 -2.373 -0.552 -2.373 But perhaps there is something

Re: Checking for email attachment name for containing JavaScript code that could get potentially executed when displayed on a webpage.

2013-03-08 Thread Ned Slider
On 08/03/13 14:05, Sharma, Ashish wrote: Can you pastebin an example? Not sure what you mean with the attachment *name* contains JS code. Here is the requested sample http://pastebin.com/DN7PRnH4 The attachment name contains the javascript code at the bottom of the pasted file. thanks

Re: Yahoo single link spam

2013-03-01 Thread Ned Slider
On 01/03/13 17:33, David F. Skoll wrote: Somewhat OT... are people still seeing these Yahoo single-link spams? They seem to have stopped abruptly as far as I can tell. Regards, David. Here's one from this morning: http://pastebin.com/cuk595z6 that matches the pattern being discussed.

Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider
On 01/03/13 19:55, Alexandre Boyer wrote: The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, which was harder to count... I removed the similar rule

Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider
On 02/03/13 01:40, John Hardin wrote: On Sat, 2 Mar 2013, Ned Slider wrote: On 01/03/13 19:55, Alexandre Boyer wrote: The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5

TBIRD_SPOOF

2013-02-14 Thread Ned Slider
Hi list, Is it just me or is TBIRD_SPOOF hitting pretty much all initial email sent by Thunderbird, not via a ML etc? $ grep TBIRD_SPOOF *.cf 72_active.cf:##{ TBIRD_SPOOF 72_active.cf:meta TBIRD_SPOOF __MUA_TBIRD !__HAS_IN_REPLY_TO !__HAS_X_REF !__THREADED !__VIA_ML

Re: X-Relay-Countries

2013-02-14 Thread Ned Slider
On 12/02/13 20:33, Daniel McDonald wrote: On 2/12/13 1:15 PM, David F. Skolld...@roaringpenguin.com wrote: PS: Beware of penalizing other countries too much. My mail originates from Canada and the PostgreSQL mailing list is (or used to be?) hosted in Panama. Furthermore, by far the lion's

Re: TBIRD_SPOOF

2013-02-14 Thread Ned Slider
On 14/02/13 12:04, Ned Slider wrote: Hi list, Is it just me or is TBIRD_SPOOF hitting pretty much all initial email sent by Thunderbird, not via a ML etc? $ grep TBIRD_SPOOF *.cf 72_active.cf:##{ TBIRD_SPOOF 72_active.cf:meta TBIRD_SPOOF __MUA_TBIRD !__HAS_IN_REPLY_TO !__HAS_X_REF

Re: hinet.net?

2013-02-14 Thread Ned Slider
On 14/02/13 14:34, Robert Schetterer wrote: Am 14.02.2013 15:24, schrieb Walter Hurry: Is anyone else being plagued by unreadable nonsense from hinet.net? It originates from China, it seems. I've just had to tell procmail to send it all to the bit bucket. Just curious. Is hinet.net a known

Re: TBIRD_SPOOF

2013-02-14 Thread Ned Slider
On 14/02/13 14:48, John Hardin wrote: On Thu, 14 Feb 2013, Ned Slider wrote: Hi list, Is it just me or is TBIRD_SPOOF hitting pretty much all initial email sent by Thunderbird, not via a ML etc? That was an experimental rule that hasn't panned out and has been removed. It should go away

Re: Calling spamassassin directly yields very different results than calling spamassassin via amavis-new

2013-01-09 Thread Ned Slider
On 10/01/13 00:03, Ben Johnson wrote: On 1/9/2013 5:36 PM, RW wrote: This is not better, it indicates that SA didn't recognise it as an email, not that it recognised it as a spam. Whatever /tmp/msg.txt was it wasn't a properly formatted email. Thanks for the quick replies, Marius and RW.

Re: FPs on AXB_XMAILER_MIMEOLE_OL_B054A

2013-01-08 Thread Ned Slider
On 08/01/13 16:27, Kris Deugau wrote: Ned Slider wrote: Hi, I'd just like to note some FPs on AXB_XMAILER_MIMEOLE_OL_B054A hitting some ham. Rules in this cluster seem to target obsolete versions of MSOE and its descendants. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6844

Re: FPs on AXB_XMAILER_MIMEOLE_OL_B054A

2013-01-08 Thread Ned Slider
On 08/01/13 16:31, Kevin A. McGrail wrote: On 1/8/2013 11:27 AM, Kris Deugau wrote: Ned Slider wrote: Hi, I'd just like to note some FPs on AXB_XMAILER_MIMEOLE_OL_B054A hitting some ham. Rules in this cluster seem to target obsolete versions of MSOE and its descendants. See https

Re: A plugin for banned words?

2012-12-30 Thread Ned Slider
On 30/12/12 17:13, Jari Fredriksson wrote: 30.12.2012 18:05, Jari Fredriksson kirjoitti: So far I have created many meta rules containing those words, but the list is endless. The words like mostly U.S. town names and U.S. sports team names. On the face of it that doesn't sound too difficult.

Re: A plugin for banned words?

2012-12-30 Thread Ned Slider
On 30/12/12 18:44, Jari Fredriksson wrote: 30.12.2012 20:25, Ned Slider kirjoitti: Where is this list? I can't find a jboss-us...@redhat.com (on Red Hat mailing lists, see https://www.redhat.com/mailman/listinfo), only a jboss-u...@lists.jboss.org on lists.jboss.org. Can you point to some

Re: A plugin for banned words?

2012-12-30 Thread Ned Slider
On 30/12/12 19:27, Jari Fredriksson wrote: 30.12.2012 21:09, RW kirjoitti: On Sun, 30 Dec 2012 19:13:01 +0200 Jari Fredriksson wrote: Finally they are getting some Bayes too, and external URIBL databases are recognizing URIs in the payload. So I have now lowered the points on my rule to 5.5.

Re: Scoring Yahoo mail from certain continents/countries ?

2012-12-09 Thread Ned Slider
On 09/12/12 10:16, Frederic De Mees wrote: Dear list, Here is the context. The French-speaking countries receive tons of e-mails, mostly fraud attempts, fake lotteries, originating from West-Africa and sent by Yahoomail users. Often those messages contain big attachments. The payload (text of

Re: Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

2012-11-29 Thread Ned Slider
I'll expand a little on John's comments below On 29/11/12 18:44, John Hardin wrote: On Thu, 29 Nov 2012, Ed Flecko wrote: I'll be sure to check into Postgrey. Are there any special considerations to installing/configuring it or is it simply a matter of installing, reading the docs and

Re: Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?

2012-11-28 Thread Ned Slider
On 28/11/12 23:32, Ed Flecko wrote: I'm looking to set up a spam filtering server to replace our ISP's spam filtering service. I've seen this tutorial ( ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus ) and I'd be very interested in YOUR opinion;

MSGID_RANDY is firing on hams from chtah.net

2012-11-27 Thread Ned Slider
Hi, MSGID_RANDY is firing on hams from chtah.net during the last couple days, with a not insignificant score of 2.599. Here is the current rule: 20_head_tests.cf:header __MSGID_RANDY Message-ID =~ /[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]/

Re: How to report a spam botnet

2012-11-20 Thread Ned Slider
On 20/11/12 14:30, David F. Skoll wrote: On Tue, 20 Nov 2012 14:26:49 + Martin Gregoriemar...@gregorie.org wrote: Nah, prevent all connections except HTML and SMTP/POP3 to the ISPs help desk and set of 'clean your act up' pages, so they can't ignore the mess their computer is in. And

Re: Stopping abusive machines (was Re: How to report a spam botnet)

2012-11-20 Thread Ned Slider
On 20/11/12 15:17, David F. Skoll wrote: On Tue, 20 Nov 2012 15:10:57 + Ned Slidern...@unixmail.co.uk wrote: Personally I'd like to see some large corporates go after some infected home users in the courts for wilful damage. I think they'd lose. Most home users could make a compelling

Re: How to report a spam botnet

2012-11-20 Thread Ned Slider
On 20/11/12 20:26, Cathryn Mataga wrote: Easy enough to block #25 by default -- turn it on for anyone who asks. Indeed. I think the idea of a botnet black hole list is great, really. Spamhaus already do this. It's called the Exploits Block List (XBL): http://www.spamhaus.org/xbl/ To

Re: How to report a spam botnet

2012-11-19 Thread Ned Slider
On 19/11/12 06:18, Michael Monnerie wrote: [crosspost postfix-users and spamassassin-users] Am Sonntag, 18. November 2012, 14:08:08 schrieb Michael Monnerie: How should we report those IPs, is there a anti botnet unit somewhere? Lets concentrate back on the subject, I got this answer:

Re: HK_LOTTO hitting ham from the UK national lottery

2012-10-31 Thread Ned Slider
On 31/10/12 15:21, Axb wrote: On 10/31/2012 04:13 PM, Niamh Holding wrote: Hello Andy, Wednesday, October 31, 2012, 2:22:10 PM, you wrote: AJ Your message scored a 7.1 on my system. Not a good score for ham :) AJ 0.5 KAM_LOTTO1 Likely to be an e-Lotto Scam Email But it isn't... maybe 2

Re: BAYES_99 score

2012-10-24 Thread Ned Slider
On 22/10/12 19:15, dar...@chaosreigns.com wrote: On 10/22, JP Kelly wrote: Should I set the BAYES_99 score high enough to trigger as spam? I get plenty of spam getting through which does not get caught because BAYES_99 is the only rule which fires and it is not set to score at or above the

Re: I thought this message was rather spammy

2012-10-17 Thread Ned Slider
On 17/10/12 18:51, Alexandre Boyer wrote: Right, but you have the content on the other link: http://igor.chudov.com/tmp/spam013.trace.txt It scores 5.7 and should be blocked. The message scored 2.3 when it was originally received. It only scored 5.7 when it was later reevaluated by SA at

Re: Sender domain in IP space 5.0.0.0/8 triggers RCVD_ILLEGAL_IP

2012-10-16 Thread Ned Slider
On 16/10/12 07:50, John Wilcock wrote: Le 16/10/2012 07:57, Frederic De Mees a écrit : When I receive mails from servers hosted in IP address space 5.0.0.0/8, SA tags them with RCVD_ILLEGAL_IP. This address space is currently heavily distributed in Europe. I have found a bug report #6810

Re: no rDNS

2012-10-16 Thread Ned Slider
On 16/10/12 16:25, Joseph Acquisto wrote: Wondering about this detection: 2.4 RDNS_NONE Delivered to internal network by a host with no rDNS Yes, I see this on *all* SPAM marked email some of which are from legitimate senders. I have set my internal boxes as trusted and

Re: Can't locate Bignum.pm

2012-10-09 Thread Ned Slider
On 09/10/12 14:52, Niamh Holding wrote: Hello maillog in showing- Oct 9 08:18:25 mail spamd[25346]: spamd: server killed by SIGTERM, shutting down Oct 9 08:18:25 mail spamd[28876]: logger: removing stderr method Oct 9 08:18:26 mail spamd[28878]: Can't locate Crypt/OpenSSL/Bignum.pm in

Re: SA without Mail::SPF::Query

2012-09-06 Thread Ned Slider
On 06/09/12 12:08, Andreas Schulze wrote: Hello, for technical reasons I have no Mail::SPF::Query. So my SA has no view to the spf settings of an incoming mail. But I run an SPF-Milter in front of SA without Mail::SPF::Query. That Filter adds a Received-SPF header to the mails but do not

Re: SA without Mail::SPF::Query

2012-09-06 Thread Ned Slider
On 06/09/12 17:45, Andreas Schulze wrote: Am 06.09.2012 17:08 schrieb Ned Slider: If your milter adds the Received-SPF header before the mail is passed to SA then maybe you could simply write a rule to check the Received-SPF header and score as you see appropriate. Yes, the Milter add

Re: Anyone from ReturnPath want to deal with this

2012-09-05 Thread Ned Slider
On 01/09/12 01:14, Ned Slider wrote: Hi list, Would anyone from ReturnPath care to take a look at the following: Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102]) which just spammed a contact@ address scraped off website and has -5pts awarded by ReturnPath

Re: Anyone from ReturnPath want to deal with this

2012-09-05 Thread Ned Slider
On 05/09/12 15:39, Tom Bartel wrote: -Original Message- From: Ned Slider [mailto:n...@unixmail.co.uk] Sent: Wednesday, September 05, 2012 8:11 AM To: users@spamassassin.apache.org Subject: Re: Anyone from ReturnPath want to deal with this On 01/09/12 01:14, Ned Slider wrote: Hi list

Anyone from ReturnPath want to deal with this

2012-08-31 Thread Ned Slider
Hi list, Would anyone from ReturnPath care to take a look at the following: Received: from mail5.eventbrite.com (mail5.eventbrite.com [67.192.45.102]) which just spammed a contact@ address scraped off website and has -5pts awarded by ReturnPath: RCVD_IN_RP_CERTIFIED=-3 RCVD_IN_RP_SAFE=-2

Re: Somewhat OT: Is this wrong?

2012-08-24 Thread Ned Slider
On 24/08/12 15:37, David F. Skoll wrote: Hi, Somewhat OT, but I figure there are SPF experts here: http://technet.microsoft.com/en-us/library/aa995992.aspx It appears to me that Microsoft uses header sender/from addresses to do an SPF lookup (see How Sender ID Works) Am I the only one who

Re: Somewhat OT: Is this wrong?

2012-08-24 Thread Ned Slider
On 24/08/12 16:03, David F. Skoll wrote: On Fri, 24 Aug 2012 15:58:27 +0100 Ned Slidern...@unixmail.co.uk wrote: The Microsoft Sender ID system is not the same as SPF. The technet article I posted implied (and real-world tests seem to confirm) that MSFT Exchange 2003 really does SPF lookups

Re: Somewhat OT: Is this wrong?

2012-08-24 Thread Ned Slider
On 24/08/12 16:55, David F. Skoll wrote: On Fri, 24 Aug 2012 16:29:18 +0100 Ned Slidern...@unixmail.co.uk wrote: If Microsoft want to examine the From header then that is their concern. Googling shows others tend to agree with you that their implementation is broken, or in your words wrong.

Re: Rules Needed to verify bank fraud

2012-08-23 Thread Ned Slider
On 23/08/12 04:31, Kevin A. McGrail wrote: On 8/22/2012 8:33 PM, Ned Slider wrote: So if I hit all mail claiming to be sent from fedex.com that fails SPF I can easily weed out all the fakes: # Fedex header __LOCAL_FROM_FEDEX Return-Path:addr =~ /\@fedex\.com$/i meta LOCAL_SPF_FEDEX

Re: Rules Needed to verify bank fraud

2012-08-23 Thread Ned Slider
On 23/08/12 12:08, RW wrote: On Thu, 23 Aug 2012 01:33:56 +0100 Ned Slider wrote: # Fedex header __LOCAL_FROM_FEDEX Return-Path:addr =~ /\@fedex\.com$/i meta LOCAL_SPF_FEDEX ((SPF_SOFTFAIL || SPF_FAIL) __LOCAL_FROM_FEDEX) describe LOCAL_SPF_FEDEX Fedex SPF Fail

Re: Rules Needed to verify bank fraud

2012-08-23 Thread Ned Slider
On 23/08/12 18:18, Marc Perkel wrote: Let's take wellsfargo.com (Wells Fargo Bank) as an example. If the FCrDNS of the connecting server is *.wellsfargo.com it is ham. If wellsfargo.com is in the received lines and not forged it is ham. If wellsfargo.com is in the received headers and it is

Re: Rules Needed to verify bank fraud

2012-08-22 Thread Ned Slider
On 22/08/12 16:22, Marc Perkel wrote: I'd like to make a suggestion as to how to block a lot of fraud. This would involve making a list of domains similar to the successful freemail list plugin. The idea is to block email that spoofs major institutions such as banks, credit cards, ebay, and

Re: Rules Needed to verify bank fraud

2012-08-22 Thread Ned Slider
On 23/08/12 00:07, RW wrote: On Wed, 22 Aug 2012 17:40:23 +0100 Ned Slider wrote: On 22/08/12 16:22, Marc Perkel wrote: I'd like to make a suggestion as to how to block a lot of fraud. This would involve making a list of domains similar to the successful freemail list plugin. The idea

Re: SELL CVV GOOD ALL COUNTRY,Transfer WU,SHIP LAPTOP( DELL, TOSHIBA,..) IPAD2,IPHONE

2012-06-09 Thread Ned Slider
On 09/06/12 20:32, jdow wrote: I rather enjoyed it when the list passed spam. Every spam received to the list was instant grist for the SARE mill leading to better and tighter rules for killing similar spams. After awhile the amount of spam from actual spammers dropped fairly dramatically as

Re: why don't banks do more against phishing?

2012-04-24 Thread Ned Slider
On 24/04/12 15:23, Martin Gregorie wrote: My bank says up front and in writing that they will never ask for account or login details by e-mail. I suggest moving your account away from any bank that doesn't have the same policy and stick to it. Make sure you tell them why you're leaving, though.

Re: Pill spams

2012-04-20 Thread Ned Slider
On 16/04/12 04:56, John Hardin wrote: On Tue, 10 Apr 2012, John Hardin wrote: On Tue, 10 Apr 2012, Thomas Johnson wrote: On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey bowie_bai...@buc.com wrote: That sounds like it might be good rule-fodder. subject, Subject, and SUBJECT are possibly

Re: Pill spams

2012-04-20 Thread Ned Slider
On 20/04/12 20:17, Ned Slider wrote: On 16/04/12 04:56, John Hardin wrote: On Tue, 10 Apr 2012, John Hardin wrote: On Tue, 10 Apr 2012, Thomas Johnson wrote: On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey bowie_bai...@buc.com wrote: That sounds like it might be good rule-fodder. subject

Re: Pill spams

2012-04-20 Thread Ned Slider
On 20/04/12 23:24, Ned Slider wrote: On 20/04/12 20:17, Ned Slider wrote: On 16/04/12 04:56, John Hardin wrote: On Tue, 10 Apr 2012, John Hardin wrote: On Tue, 10 Apr 2012, Thomas Johnson wrote: On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey bowie_bai...@buc.com wrote: That sounds like

Re: Slip thu's

2012-04-17 Thread Ned Slider
On 17/04/12 11:54, joea wrote: Getting scanned document, pills and stuff with a url of blah.blah.ru Would emails with Russian URLs be legitimate in your organisation? Any .ru URL gets 6pts here by default - no complaints yet. Some of these contain something like the snippet below,

Re: Slip thu's

2012-04-17 Thread Ned Slider
On 17/04/12 12:40, xTrade Assessory wrote: Ned Slider wrote: On 17/04/12 11:54, joea wrote: Getting scanned document, pills and stuff with a url of blah.blah.ru Would emails with Russian URLs be legitimate in your organisation? Any .ru URL gets 6pts here by default - no complaints yet

Re: New versions of Perl are slower

2012-04-13 Thread Ned Slider
On 11/04/12 03:50, Julian Yap wrote: On Tue, Apr 10, 2012 at 4:28 PM, Michael Parkerpark...@pobox.com wrote: On Apr 10, 2012, at 4:12 PM, Julian Yap wrote: I'm running SpamAssassin 3.3.2 port revision 6 (latest from FreeBSD ports) on FreeBSD 8.2-RELEASE 64-bit. I recently upgraded my Perl

Re: Blocking frequent botnet pattern

2012-03-14 Thread Ned Slider
On 14/03/12 02:36, Alex wrote: Hi, http://pastebin.com/raw.php?i=iquXBnH0 While I could create a rule to block this specific domain, or submit it to a RBL, I'd appreciate any ideas how to more generally block them, rather than by one characteristic in the message. We need more examples.

Re: Blocking frequent botnet pattern

2012-03-14 Thread Ned Slider
On 14/03/12 03:09, David B Funk wrote: On Tue, 13 Mar 2012, Alex wrote: Hi, http://pastebin.com/raw.php?i=iquXBnH0 While I could create a rule to block this specific domain, or submit it to a RBL, I'd appreciate any ideas how to more generally block them, rather than by one characteristic

Re: Blocking frequent botnet pattern

2012-03-14 Thread Ned Slider
On 14/03/12 03:09, David B Funk wrote: On Tue, 13 Mar 2012, Alex wrote: Hi, http://pastebin.com/raw.php?i=iquXBnH0 While I could create a rule to block this specific domain, or submit it to a RBL, I'd appreciate any ideas how to more generally block them, rather than by one characteristic

Re: Blocking frequent botnet pattern

2012-03-14 Thread Ned Slider
On 15/03/12 00:39, Alex wrote: One clue: X-Originating-IP: [41.189.207.189] Check the various RBL hits on that address. ;) Are there existing plugins for this? Is there a way to check a range to see if it's part of a known blacklisted botnet? Or if you don't expect to receive email from

Re: Better phish detection

2012-03-13 Thread Ned Slider
On 12/03/12 17:02, David B Funk wrote: On Mon, 12 Mar 2012, Paul Russell wrote: On 3/10/2012 16:43, Ned Slider wrote: This one is easy enough - if the latter is the only valid url that should ever appear in an email, create a meta rule that looks for a url containing bway.net (or even just

Re: Better phish detection

2012-03-10 Thread Ned Slider
On 10/03/12 20:27, sporkman wrote: Generally it is easier to offer suggestions if examples are provided (on pastebin) Here's the latest example: http://broomesol.com/upgrade.webmail.bway.net/main_login.htm Compare to our actual webmail login: https://webmail.bway.net/ This one is

Re: sa-update / perl error again

2012-01-04 Thread Ned Slider
On 04/01/12 07:35, email builder wrote: Anyone have any other insights? Thanks! I have spamassassin-3.3.2-2.el5 installed from rpmforge on el5 - that package, besides being more up to date than the distro version also does not require perl-IO-Socket-INET6. I suspect your version does not

Re: sa-update / perl error again

2012-01-04 Thread Ned Slider
On 04/01/12 15:30, Ned Slider wrote: What does the following show: rpm -q --requires perl-IO-Socket-INET6 Oops, I meant: rpm -q --whatrequires perl-IO-Socket-INET6

Re: sa-update / perl error again

2012-01-04 Thread Ned Slider
On 04/01/12 21:33, email builder wrote: What is the Net::DNS version, are you pure ipv6 and are you 64-bit? perl-Net-DNS-0.63-1.el5.rf You are in no man's land there - the distro uses perl-Net-DNS-0.59-3.el5 and the latest rpmforge package is perl-Net-DNS-0.66-1.el5.rfx. If you're

Re: sa-update / perl error again

2012-01-04 Thread Ned Slider
On 04/01/12 21:41, email builder wrote: I have spamassassin-3.3.2-2.el5 installed from rpmforge on el5 - that package, besides being more up to date than the distro version also does not require perl-IO-Socket-INET6. I suspect your version does not really require perl-IO-Socket-INET6 either.

Re: sa-update / perl error again

2012-01-04 Thread Ned Slider
On 05/01/12 01:28, email builder wrote: What is the Net::DNS version, are you pure ipv6 and are you 64-bit? perl-Net-DNS-0.63-1.el5.rf You are in no man's land there - the distro uses perl-Net-DNS-0.59-3.el5 and the latest rpmforge package is perl-Net-DNS-0.66-1.el5.rfx. If you're

Re: Help tagging URL spam

2012-01-02 Thread Ned Slider
On 02/01/12 06:03, Alex wrote: Hi, http://pastebin.com/raw.php?i=1Y5QCkfh http://pastebin.com/raw.php?i=KdmZXM0d give dkim invalid positive score if it was not pass on received ? add sbcglobal.net to freemail_domains add sanjit.in to local.cf url rule Thanks for your help. I should have

URIBL_DBL_REDIR

2011-12-28 Thread Ned Slider
Hi List, I noticed the recent addition of URIBL_DBL_REDIR hitting on a few spams: 25_uribl.cf:urirhssub URIBL_DBL_REDIR dbl.spamhaus.org. A 127.0.1.3 25_uribl.cf:body URIBL_DBL_REDIR eval:check_uridnsbl('URIBL_DBL_REDIRECTOR') 25_uribl.cf:describe

Re: DNSWL will be disabled by default as of tomorrow

2011-12-12 Thread Ned Slider
On 12/12/11 19:50, Ted Mittelstaedt wrote: I concur 100%. Daniel is wrong. The problem isn't dnswl.org the problem is the person who made the decision in SpamAssassin to have the default for the dnswl plugin ENABLED by default. That decision has been recognized to have been a mistake which is

Re: URIBL_PH_SURBL

2011-12-01 Thread Ned Slider
On 01/12/11 08:29, Tom Kinghorn wrote: Good morning list. could someone possibly explain how the scoring for ph.surbl.org works? I see the following in my spam logs spam-1DSMgl4+-YFV.gz: TO_NO_BRKTS_HTML_ONLY=1.258, URIBL_PH_SURBL=0.001] spam-1DSMgl4+-YFV.gz: * 0.0 URIBL_PH_SURBL Contains an

Re: Hacked webmail accounts (BTInternet/Yahoo)

2011-11-26 Thread Ned Slider
On 26/11/11 01:21, Karsten Bräckelmann wrote: On Fri, 2011-11-25 at 20:27 +, Ned Slider wrote: header __L_BT_YAHOO_WEBMAIL01 Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i but it would be far easier if I could somehow do

Trends in spam

2011-11-26 Thread Ned Slider
Hi list, One of the main strengths of SpamAssassin is the ability to allow the user to write their own custom rules. However, writing good rules is not always easy and one of the hardest parts is identifying trends in spam worth targeting. So what trends have you noticed this week? Here's

Re: Trends in spam

2011-11-26 Thread Ned Slider
On 26/11/11 21:36, Karsten Bräckelmann wrote: On Sat, 2011-11-26 at 19:46 +, Ned Slider wrote: # URIs matching http://some.domain.com/profile/12FirstLastname/ uri LOCAL_URI_PROFILE m{https?://.{1,40}/profile/\d\d[A-Z][a-z]{1,20}[A-Z][a-z]{1,20}/} ^^^ Using

Hacked webmail accounts (BTInternet/Yahoo)

2011-11-25 Thread Ned Slider
Hi, I'm looking at trying to write some rules to detect these. Specifically, I'd like to target btinternet.com accounts (one of the largest UK telecom companies) who have recently outsourced their email to Yahoo. An example (spam) crossed my path today that only hit bayes_99. Looking at the

Re: Custom rawbody rule in local.cf not triggered

2011-11-23 Thread Ned Slider
In addition to other replies... On 23/11/11 14:13, Simon Loewenthal wrote: I have spam that hits on these rules. X-Spam-Report: * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: europjobs.eu] * 1.2 URIBL_JP_SURBL Contains an URL listed in the JP

Re: Exit spamassassin when reaching a value

2011-11-05 Thread Ned Slider
On 05/11/11 20:52, John Hardin wrote: On Sat, 5 Nov 2011, Cherubini Enrico wrote: Good day, I would like to remove rbl check from postfix and using them in spamassassin, this because for some users rbl are too aggressive while for others they aren't enough. I would like to know if it is

Re: Whitelisting with DKIM

2011-10-31 Thread Ned Slider
On 31/10/11 19:54, Alex wrote: I'd rather not whitelist all of auth.ccsend.com, but only as it relates to bertolini-sales.com, just as I wouldn't want to whitelist all of constantcontact.com, or am I misunderstanding? Thanks again, Alex I'm not sure why you feel the need to whitelist these

Re: Disable a Rule

2011-10-30 Thread Ned Slider
On 30/10/11 20:45, Jeremy McSpadden wrote: Thanks for the help Benny. .. Anyone besides this guy have anything to say ? -- See here: http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html and also the thread on this list from the archives dated

Re: real world spamassassin experiences re: processing on servers emailing from .info domains

2011-10-27 Thread Ned Slider
On 27/10/11 18:36, Jenny Lee wrote: From: list...@abbacomm.net To: users@spamassassin.apache.org Subject: real world spamassassin experiences re: processing on servers emailing from .info domains Date: Thu, 27 Oct 2011 09:15:13 -0700 greetings SA

Re: all spam emails from mailengine1.com servers

2011-10-22 Thread Ned Slider
On 22/10/11 03:03, Chip M. wrote: R - elists wrote: does anyone get legit emails that come from the mailengine1.com email marketing servers? Yes, I've seen a trickle of ham, so did some data mining for you... The IP ranges I have for them are: 66.59.0.0 - 66.59.31.255

Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Ned Slider
On 17/10/11 19:07, Jenny Lee wrote: Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done! Then stop posting spam to the list. You can see

Re: Receiving email from aol or yahoo or hotmail, that is not addressed to me personally.

2011-10-16 Thread Ned Slider
On 16/10/11 19:28, Martin Gregorie wrote: On Sun, 2011-10-16 at 20:02 +0200, Benny Pedersen wrote: I may never know they sent me an email. Unless I spend time going over my logs. ah you have logs ? :=) A possible way out is to process the logs overnight, possibly as part of logwatch, and

Re: antiphishing

2011-10-12 Thread Ned Slider
On 10/12/2011 07:01 PM, Christian Grunfeld wrote: Hi, I have an idea that I want to discuss with users and developers. Many phishing mails exploit the bad knowledge of the difference between real url and link anchor text by simple users. So they show attractive link text that points to hidden,

Re: Blacklisting based on SPF

2011-10-07 Thread Ned Slider
On 07/10/11 13:27, Daniel McDonald wrote: Something like this Unverified Yahoo rule I shameless stole from Mark Martinec: I have some similar rules... header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i header

Re: Help with tagging hotmail spam

2011-10-04 Thread Ned Slider
On 04/10/11 05:50, Alex wrote: Hi, I have a fedora15 box with v3.3.2 and I have some hotmail spam that I can't figure out how to catch: http://pastebin.com/kkUUvYQp It's hitting BAYES_00 and no blacklists or other significant spam rules and not sure how to tag it. The user has reported

Re: Your mailbox has exceeded...

2011-09-30 Thread Ned Slider
On 30/09/11 01:41, jida...@jidanni.org wrote: Sure a lot of Your mailbox has exceeded spam these days. I'll use body J_MAILBOX_FULL /^Your mailbox has exceeded/ score J_MAILBOX_FULL ... myself for now. I've seen a few of these, but probably not enough examples to have Bayes reliably catch

Re: Your mailbox has exceeded...

2011-09-30 Thread Ned Slider
On 30/09/11 18:04, John Hardin wrote: On Fri, 30 Sep 2011, Ned Slider wrote: On 30/09/11 01:41, jida...@jidanni.org wrote: Sure a lot of Your mailbox has exceeded spam these days. I'll use body J_MAILBOX_FULL /^Your mailbox has exceeded/ score J_MAILBOX_FULL ... myself for now. I've seen

Re: Increasing score based on membership to commercial whitelist

2011-09-26 Thread Ned Slider
On 26/09/11 19:00, David F. Skoll wrote: On Mon, 26 Sep 2011 13:49:36 -0400 dar...@chaosreigns.com wrote: On 09/24, David Bennett wrote: It occurred to me that a sender that is paying their way into my inbox is almost certainly sending me junk mail. A little research in my inbox and it

Re: Why does this hit __HAS_ANY_URI

2011-08-22 Thread Ned Slider
On 22/08/11 20:37, Adam Katz wrote: On 08/14/2011 02:17 PM, Ned Slider wrote: Hi all, The following email hits __HAS_ANY_URI and I'm not sure why: http://pastebin.com/jvFrFhA4 When I run the message through SpamAssassin in debug mode I see: dbg: rules: __DOS_HAS_ANY_URI merged duplicates

Re: Why does this hit __HAS_ANY_URI

2011-08-22 Thread Ned Slider
On 22/08/11 21:46, John Hardin wrote: On Mon, 22 Aug 2011, Ned Slider wrote: uri __REALLY_HAS_ANY_URI m{https?://.} and if we want to test for email addresses: uri __HAS_ANY_URI_EMAIL /@/ and make __HAS_ANY_URI (and __DOS_HAS_ANY_URI) a meta of the above two rules. Given they're the vast

Why does this hit __HAS_ANY_URI

2011-08-14 Thread Ned Slider
Hi all, The following email hits __HAS_ANY_URI and I'm not sure why: http://pastebin.com/jvFrFhA4 When I run the message through SpamAssassin in debug mode I see: dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI dbg: rules: ran uri rule __DOS_HAS_ANY_URI == got hit: r

Re: RFE: high, med and low whitelist_from_dkim and whitelist_from_spf

2011-08-01 Thread Ned Slider
On 01/08/11 12:23, Mark Martinec wrote: Ned, On the same basis that some DNSWLs have high, medium and low scores depending upon the level of trust, I'm wondering if it would be useful to have user defined high, medium and low scores available to rules such as whitelist_from_dkim and

RFE: high, med and low whitelist_from_dkim and whitelist_from_spf

2011-07-31 Thread Ned Slider
Hi all, On the same basis that some DNSWLs have high, medium and low scores depending upon the level of trust, I'm wondering if it would be useful to have user defined high, medium and low scores available to rules such as whitelist_from_dkim and whitelist_from_spf so mail admins can score

JM_SOUGHT rules hitting Facebook again

2011-07-28 Thread Ned Slider
Hi, JM_SOUGHT_3 is hitting Facebook notifications again. The offending rule appears to be: body __SEEK_2GW7AI /\. If you don\'t want to receive these emails from Facebook in the future or have your email address used for friend suggestions, you can unsubscribe\. / Channel update was: Jul

Re: RP_MATCHES_RCVD

2011-07-28 Thread Ned Slider
On 28/07/11 15:28, RW wrote: There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when it's just a circumstantial version of what SPF does explicitly. For me it's hitting more spam than ham, and what's worse, it's

Re: sa-update failing

2011-07-17 Thread Ned Slider
On 18/07/11 02:58, Warren Togami Jr. wrote: On 7/17/2011 7:55 AM, Axb wrote: On 2011-07-17 18:32, Warren Togami Jr. wrote: On 7/16/2011 4:54 AM, dar...@chaosreigns.com wrote: On 07/15, ssapp80 wrote: Running spamassassin-3.3.2 on CentOS 5.5 perl-Net-DNS ver 0.59 installed When I run

Re: Lowering spam threshold

2011-07-06 Thread Ned Slider
On 06/07/11 09:17, Lars Jørgensen wrote: I think many people run with tag at 5.0 and discard at 10.0 I should have mentioned that we are running amavisd-new. I thought that was the de facto way of integrating spamassassin into a mail gateway, but reading this list reveals that most people

X-Spam-Relays-External

2011-06-29 Thread Ned Slider
Hi List, I see the useful X-Spam-Relays-External pseudo header but what I'd really like to be able to specifically check is the Last External header as DNSBL rules are able to do with -lastexternal. Is there a X-Spam-Relays-Last-External option that I'm missing, and if not would it be

Re: X-Spam-Relays-External

2011-06-29 Thread Ned Slider
On 29/06/11 11:12, Axb wrote: On 2011-06-29 12:02, Ned Slider wrote: Hi List, I see the useful X-Spam-Relays-External pseudo header but what I'd really like to be able to specifically check is the Last External header as DNSBL rules are able to do with -lastexternal. Is there a X-Spam-Relays

Re: X-Spam-Relays-External

2011-06-29 Thread Ned Slider
On 29/06/11 11:24, Benny Pedersen wrote: On Wed, 29 Jun 2011 11:02:13 +0100, Ned Slider wrote: header __RCVD_FROM_SOMEISP X-Spam-Relays-Last-External =~ /someisp\.com/i bad rule, hostnames can have more then one ip, would you trust every ip now ? Who said anything about trusting the IP

Re: X-Spam-Relays-External

2011-06-29 Thread Ned Slider
On 29/06/11 12:50, Henrik K wrote: On Wed, Jun 29, 2011 at 01:28:48PM +0300, Henrik K wrote: On Wed, Jun 29, 2011 at 11:02:13AM +0100, Ned Slider wrote: Hi List, I see the useful X-Spam-Relays-External pseudo header but what I'd really like to be able to specifically check is the Last

Re: whitelist

2011-06-22 Thread Ned Slider
On 23/06/11 01:42, Noel Butler wrote: Resurrecting an old thread but Lately I see a lot of false hits on FSL_RU_URL The only place in the email where .ru is, is in envelope-from , from, and the received headers, this is supposed to be from 72_active.cf:uri FSL_RU_URL
