header FROM_ADDRESS_EQ_REAL From =~ /^\s*([^@[EMAIL PROTECTED]@]+)\s+\1\s*$/i
describe FROM_ADDRESS_EQ_REAL To: repeats address as real name
score FROM_ADDRESS_EQ_REAL 1
--
Jo Rhett
Network/Software Engineer
Net Consonance
for it. So this isn't how to deal with it properly it is a
recipe for how to negate the score which is entirely different.
Am I overlooking anything? Or do I need to change the code and submit a
patch so that a person can optionally avoid doing DUL and SPF checks on
authenticated e-mail?
--
Jo
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
Any help clarifying how the LOCAL_AUTH_RCVD rule is used, or an alternative to
make SA recognize the authenticated user, will be appreciated.
Using SA 3.1.7, under Solaris 9 with sendmail 8.13.8 and Windows XP manually for
testing.
--
Jo
to decrement the score a bit, but it doesn't extend the trust
path at all.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=1 id=kB3G26P6019032 auth=Sendmail ]
...
The full path to the patched file is
/usr/lib/perl5/site_perl/5.8/Mail/SpamAssassin/Message/Metadata/Received.pm
--
Jo Rhett
Network/Software Engineer
Net Consonance
Sorry, in my reply I meant to point out that the original line was
working properly for me (Sendmail environment) but that the line working
did not solve my problem.
John Rudd wrote:
Jo Rhett wrote:
René Berber wrote:
If I change Received.pm, line 414, like this:
# Sendmail, MDaemon
René Berber wrote:
Jo Rhett wrote:
René Berber wrote:
If I change Received.pm, line 414, like this:
# Sendmail, MDaemon, some webmail servers, and others
- elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+ elsif (/^from .*?(.*?authenticated.*?\).*? by/) {
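Review bot: on the + line the group before ".*?authenticated" is opened with an unescaped "(" but closed only by the escaped "\)", so as written the parentheses are unbalanced and the pattern will not compile in Perl; the opening paren should stay escaped as "\(" as on the - line. Dropping the "(?:\]\)|\)\])" anchor also means the word "authenticated" inside any parenthesised text between "from" and "by" is now accepted as proof of SMTP authentication, so the looser match should keep a structural anchor or be applied only to Received headers written by relays that are already trusted.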
This can't
René Berber wrote:
Jo Rhett wrote:
René Berber wrote:
The change I made works on a test from someone that was on vacation and sending
a message (to me) using his ISP account, the header includes a lot of extra text
with the usual dynamic IP stuff and may be forged and there was no way
.
That's your argument. That may not have been the thought process of
the person who wrote that rule, was all I was trying to say.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Jo Rhett wrote:
Do you know why the SMTP authenticating server was forging the
HELO name? Normal mail clients will give their IP address,
right? And the may be forged only appears if they gave a full
name and resolution succeeded *and* none of the addresses returned
matched the helo
attention in the
more than two years since I wrote that code.
It'll be fixed in the next version of SpamAssassin to be released.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5223
Daryl
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other
On Dec 5, 2006, at 4:17 PM, Daryl C. W. O'Shea wrote:
Jo Rhett wrote:
While you are fixing bugs related to authentication, any chance
you'll fix the SPF plugin to skip checks on authenticated
delivery? Or have an option to enable this behavior?
Or do you want a patch from me? It'll take
This is now bug 5235
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5235
On Feb 7, 2007, at 1:47 PM, John D. Hardin wrote:
On Wed, 7 Feb 2007, Jo Rhett wrote:
So this user's e-mail keeps getting tagged with rules that aren't
right. There's no base64 here, at all (looked at the raw text) and
there's certainly no stock spam. What's going on here?
Have you run
;-)
--
Jo Rhett @ Lizard Arts
velociRaptor Racing
#5 SMRRC
#553 WERA West / AFM
Matt Kettler wrote:
Jo Rhett wrote:
On Feb 7, 2007, at 8:31 PM, Matt Kettler wrote:
As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
is base-64 encoded text AND has a Date: header that's missing a proper
timezone. Apparently a batch of stock spam went out at some point
On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
Jo Rhett wrote:
Again, I have a 100% stock SA configuration.
No you don't have a 100% stock config. There are at least two
differences relevant to the message you posted:
1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock
Jo Rhett wrote:
Can you explain how this isn't an FP in the standard config?
There's absolutely nothing custom about my config, so what
standard are you applying here?
Again, I have a 100% stock SA configuration. Why do I need a
custom rule to work around an FP in the ruleset?
On Feb
of the rule.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
the score about 5.0. I simply
couldn't function with *ANY* of my mailboxes at 5.0 -- I'd be
deleting 1-2 pieces of spam per minute. I run my public mailboxes at
3.8 and I'm trying to determine if 3.2 is reasonable.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open
On Feb 9, 2007, at 9:34 AM, Adam Lanier wrote:
On Fri, 2007-02-09 at 09:01 -0800, Jo Rhett wrote:
It's really hard not to be really annoyed with this answer. What
kind of nonsense did you think my question was?
If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to
the SARE rule
600 spam messages would have hit this mailbox today. That's
just this one, and nevermind hostmaster/webmaster/etc that get nailed
harshly.
I don't have that kind of time.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
On Feb 21, 2007, at 3:19 PM, SM wrote:
At 12:36 21-02-2007, Jo Rhett wrote:
However, all blackberry messages also hit base64 text and excess
base64 which puts them right on the edge. Anything that hits any
other rule will cause a problem.
The alternatives are:
1. Fix the rule
2. Lower
On Feb 21, 2007, at 12:54 PM, Coffey, Neal wrote:
Jo Rhett wrote:
You're making all sorts of claims that I can positively tell you are
wrong. I have *NO* local customizations to SpamAssassin other than
the use of SA-update to retrieve the recommended SARE rules.
That would be the very
are down to less than 1 a week, you are
probably safe leaving it that way.
--
Jo Rhett
Network/Software Engineer
Net Consonance
At 16:17 21-02-2007, Jo Rhett wrote:
The point of sending a note about this to the mailing list is that
this problem will affect *EVERYONE* who gets crackberry messages, and
thus it could probably use a real fix instead of forcing everyone to
fix it locally.
SM wrote:
The problem affects
a dozen examples.
Honey, if I ever cared about your problems, I sure as heck don't now.
Code either works or it doesn't. Your code doesn't. How you feel about
that is irrelevant.
--
Jo Rhett
Network/Software Engineer
Net Consonance
, and never got better than .5% (point-
five or .005) difference in spam detection. So we stopped using it.
In comparison, we've jacked the AWL score range and this works great
for us.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
, and it needs to be fixed.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
, but keep monitoring and whitelisting broken
sender.
Way too much work.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
: June 29, 2007 9:00:06 AM PDT
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /etc/webmin/time/sync.pl
Failed to connect to ntp0.svcolo.com:37 : Connection refused
--
Jo Rhett
senior geek
Silicon Valley Colocation
Support Phone: 408-400-0550
On Jun 30, 2007, at 6:23 PM, Theo Van Dinter wrote:
On Sat, Jun 30, 2007 at 12:07:04PM -0700, Jo Rhett wrote:
There's no URL in this message. What is it mis-matching against?
When in doubt, run through spamassassin -D:
[9710] dbg: uridnsbl: domains to query: sync.pl svcolo.com
Thanks
From: Jo Rhett [mailto:[EMAIL PROTECTED]
I need to completely disable this over-opportunistic behavior. 90%
of my e-mails have either system output, or are concerning code
segments or router interfaces, etc, etc. I need these mails to get
through.
At the very least, common collisions like
that stupid Windows programs will
try to interpret for the user. The file.pl example above will never
get a user to the file.pl spam site.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
that the real world should accept backup MX servers which reject the
mail, and should retry to a higher level MX?
Please include RFC documentation of this behavior.
(last I checked, a bounce is a bounce from coast to coast ...)
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other
Theo Van Dinter wrote:
Sure, one for PDF has been available via sa-update for weeks.
Where? I'm using sa-update and almost all of the sare rulesets, and I'm
getting a metric ton of these. Searching rulesemporium for empty or
pdf gets nothing.
--
Jo Rhett
Net Consonance ... net
SM wrote:
At 19:39 10-08-2007, Jo Rhett wrote:
Where? I'm using sa-update and almost all of the sare rulesets, and
I'm getting a metric ton of these. Searching rulesemporium for
empty or pdf gets nothing.
TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
http
this out if the original problem was
fixed and you wanted to receive the mail?
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Kai Schaetzl wrote:
Jo Rhett wrote on Fri, 10 Aug 2007 20:30:37 -0700:
Thank you for the very useless reference to sa-update.
Please, don't do this! You got a nice answer that exactly answered your
question.
No, I didn't. I asked where a given rule was. I was given a reference
Kai Schaetzl wrote:
Jo Rhett wrote on Sat, 11 Aug 2007 09:31:05 -0700:
No, I didn't. I asked where a given rule was. I was given a reference
to a page that described how to set up sa-update.
You were given the exact name of the rule, that reference to sa-update was
an additional courtesy
% perfect and seeing some corner cases slip through
is not unusual. It is a process of continual improvement.
Bob
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
-jrhett.pdf
Content-Disposition: attachment;
filename=marketing-jrhett.pdf
*snip*
--
Jo Rhett
, with an example spam
included.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote:
You might consider the clamav integration into SA, as clamav is
catching all
the ecard ones
Apparently with alternate virus files, which I had not yet tested.
Someone mentioned that earlier today and I'm investigating it.
--
Jo Rhett
. I am not an SA committer,
so I can't run these through their test environment and then commit
them to the tree. So I'm asking someone who is if they'd be willing
to do this.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
it up, etc.
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
are on this (short and easy to read) page.
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Can someone clue me in on why this rule isn't matching?
Jo Rhett wrote:
So I've been getting a metric ton of PDF spam. Investigating the rule
that is supposed to match this, I see
rawbody __TVD_BODY /\S{4}/
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
On Aug 15, 2007, at 3:31 AM, Kai Schaetzl wrote:
I can just tell you what *I* would do.
- test the rules
- test the rules
- test the rules
- gather statistics about hits, FPs and FNs
The SA-team has an environment designed to do this, I don't. Nor do
most people on this list.
--
Jo Rhett
in SpamAssassin.
Thanks for that informative answer. So the right way to get this
fixed is to ask the rule developer to provide them with a compatible
(or no) license? In bugzilla or where do you want them?
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
clamav does not catch these.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
of the multiline possibility
in __TVD_MIME_ATT.
Loren
describe TVD_PDF_FINGER01 Mail matches standard pdf spam
fingerprint
- Original Message - From: Jo Rhett
[EMAIL PROTECTED]
To: SpamAssassin Users users@spamassassin.apache.org
Sent: Tuesday, August 14, 2007 10:16 PM
Subject
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:
The SA-team has an environment designed to do this, I don't. Nor do
most people on this list.
Kai Schaetzl wrote:
Sigh, I give up.
I find it vastly amusing that when there is real work to do (ie fix a
broken rule) the list grows very
Chris Lear wrote:
* Jo Rhett wrote (16/08/07 07:41):
Since nobody is paying attention
Or they're asleep. Your messages were at 23:44 and 07:41 here.
, let me clarify. The current rule is wrong:
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader
useful as generalized testing tools in my environment.
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
, actually, and I recommend you try it out. These are the
tools we use:
http://wiki.apache.org/spamassassin/MassCheck
http://wiki.apache.org/spamassassin/HitFrequencies
They are bundled with SpamAssassin in the masses folder. All the
documentation is there on the wiki.
--j.
Jo Rhett writes
/MassCheck
http://wiki.apache.org/spamassassin/HitFrequencies
They are bundled with SpamAssassin in the masses folder. All the
documentation is there on the wiki.
--j.
Jo Rhett writes:
Since nobody is paying attention, let me clarify. The current rule is
wrong:
mimeheader __TVD_MIME_ATT_AP
)1865 842300
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: 15 August 2007 23:46
To: Arthur Dent
Cc: users@spamassassin.apache.org
Subject: Re: Rule for PDF and eCard Spam Needed
On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
I am only a home user, but I have found
Loren Wilton wrote:
From: Jo Rhett [EMAIL PROTECTED]
So the only thing which is actually working to catch these is bayes
and bayes-based systems. Not rules, and not AV.
Is that a statement about your own system? MANY people have responded
that quite a number of other things like pdfinfo
Theo Van Dinter wrote:
On Thu, Aug 16, 2007 at 09:47:06AM -0700, Jo Rhett wrote:
(dropping __TVT_MIME_ for ease of typing)
You just don't like typing my initials... ;)
Honestly not. I just skip common prefixes when typing ;-)
ATT is a meta of ATT_AP *or* ATT_AOPDF.
But the PDF_FINGER01
Marc Perkel wrote:
OK - it's interesting that of all of you who responded this is the only
person who is doing it right. I have to say that I'm somewhat surprised
that so few people are preprocessing their email to reduce the SA load.
As we all know SA is very processor and memory expensive.
more IO-intensive.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
and bayes are stored in MySQL
tables.
It seems to mostly help when it drops the message into a file for
clamav to scan.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
]:10024
Filtering the localhost generated mails.
But I donno if it's the right approach.
Any help appreciated
Cheers
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
of that module.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
way to (a) snap into sendmail without using a
separate front-end scanner and (b) had useful end-user tools for
managing spam controls.
That said, it does white/black/etc listing in its own databases, not
the SA ones, etc etc. So research it.
--
Jo Rhett
Net Consonance : consonant endings
: can't find symbol
command failed! at /usr/local/bin/sa-compile line 279, $fh line 3509.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Thiago Henrique
Network Administration
Digirati Networks
K8 Networks
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
compile SA
rules, a package is created for the installed binaries. I don't see
the point myself since all the installed files are in a SA specific
directory.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
valid e-mail with
no text in it.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
one provides a place to report a spam
sent by Yahoo.
Nutshell: Yahoo no longer accepts spam reports. I am therefore blocking Yahoo
on every mail gateway for which I have control, and listing them in the Pink
Providers blacklist effective immediately.
--
Jo Rhett
+1 (415) 999-1798
Skype: jorhett
Team
I’m blocking 64.4.0.0/18 on all MX targets now, aren’t you?
--
Jo Rhett
+1 (415) 999-1798
Skype: jorhett
Net Consonance : net philanthropy to improve open source and internet projects.
, and while it is capable it’s more than 15 clicks and manual hand
editing to send a report. The two key combinations was far easier to use.
--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
HAM from their IP blocks over 3
years ago. Seems like they’ve turned a corner.
192.227.128.0/17
198.23.128.0/17
172.245.0.0/16
--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Looking at my spam block statistics, not a single IP I’ve reported to SoftLayer
over the last two years has been shut down. Is there any reason I shouldn’t
just block all their allocations and save myself some effort?
--
Jo Rhett
Net Consonance : net philanthropy to improve open source
On Oct 5, 2015, at 7:36 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> Am 06.10.2015 um 04:33 schrieb Jo Rhett:
>> Looking at my spam block statistics, not a single IP I’ve reported to
>> SoftLayer over the last two years has been shut down. Is there any
>> reason
201 - 277 of 277 matches