Re: Bayes in V4 compared to V3
On Fri, 13 Sep 2024, Bill Cole wrote:
> Please send any replies to the list only.

...or to Harald only.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org
pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #20: The faster you finish the fight, the less shot you will get.
---
Today: the 459th anniversary of the muslim Ottoman defeat at Malta
Re: CC: address matches To: address
On Fri, 12 Jul 2024, Peter wrote:
> Hi, I have been getting spam from outlook.com (surprise) and a defining feature is that the same email address is used as the To: and CC: address. Is there a way for Spamassassin to detect that? Thanks.

There are rules for To equals From, they can be fairly easily modified.

It would be easier to verify them if actual samples were available. It would be best if you don't try to obfuscate the email addresses. If you have some where you want to keep the email addresses private you can post them temporarily to pastebin as unlisted and send me the links directly rather than providing the pastebin links publicly here on the list.

--
3 days until the 79th anniversary of the dawn of the Atomic Age
Re: ChatGPT > Spamassassin? :)
On Mon, 24 Jun 2024, Mark London wrote:
> I received a spam email with the text below, that wasn't caught by SpamAssassin (at least mine). The text actually looks like something that was generated using ChatGPT. In any event, I put the text through ChatGPT, and asked if it looked like spam. At the bottom of this email is its analysis. I've not been fully reading this group. Has there been any work to allow SpamAssassin to use AI? Thanks. - Mark

In a very limited manner.

There is code in the repo that allows you to set up ham and spam corpora and scan the spam corpora to pick out common phrases and filter them via the ham corpora, then create rules based on the phrases and (IIRC) combinations of them. This was being used to generate dynamic fraud rulesets (the "sought" rules, still somewhat there as ADVANCE_FEE rules which I occasionally manually update) until Justin Mason left the project. It's been languishing since as he was providing the resources (infra and maintenance) to run it for those rules. I was feeding those corpora for a long time.

Take a look in the repo at the stuff under:
https://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-dev/
https://svn.apache.org/viewvc/spamassassin/trunk/masses/evolve_metarule/

I don't know whether the project would be willing to set up infra to revive dynamic advance fee fraud (or more general) rule generation, but it's possible if someone was willing to bring that code up-to-date and figure out what was needed and corpora providers were available.

--
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
9 days until the 248th anniversary of the Declaration of Independence
Re: Where are your test definitions?
On Fri, 14 Jun 2024, Bowie Bailey wrote:
> On 6/14/2024 10:39 AM, Thomas Barth via users wrote:
>> Hello, I would like to explain to a sender what he can do to create an email that is not classified as spam.
>>
>> X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
>
> You can get the definitions directly from the rule files. On my system, the updated rules are in /var/lib/spamassassin/3.004006/updates_spamassassin_org.
>
> describe RDNS_NONE Delivered to internal network by a host with no rDNS
> describe FONT_INVIS_MSGID Invisible text + suspicious message ID
> describe FONT_INVIS_NORDNS Invisible text + no rDNS
> describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS

You can also configure SA to include the rule descriptions in an X-Spam-Report header when the message is scored as "spammy". Take a look at config "report_safe 0".

--
Users mistake widespread adoption of Microsoft Office for the development of a document format standard.
---
4 days until SWMBO's Birthday
Re: Warning: Your Pyzor may be broken.
On Sun, 9 Jun 2024, Michael Orlitzky wrote:
> On 2024-06-08 14:45:34, Bill Cole wrote:
>> I went looking for a better fix and found a reported issue at https://github.com/SpamExperts/pyzor/issues/155 matching my original symptoms in which a workaround was provided: install directly from the GitHub project's master.zip link, i.e. a snapshot assembled from the current state of the repo, which claims to be v1.1.1. I do not like that solution at all, and added a comment to that issue suggesting that they fix the problem by cutting a release for PyPI. No response yet, but it has only been a matter of minutes.
>
> The same issue was reported in 2016 and ignored for eight years before being closed out of frustration (rather than because they did something about it):
> https://github.com/SpamExperts/pyzor/issues/54

Perhaps the project should consider retiring Pyzor as "no longer effectively maintained"?

--
Once more, please; I missed it the last time: what's the difference between "Quantitative Easing" and "Counterfeiting"?
---
Tomorrow: the 57th anniversary of Israel's victory in the Six-Day War
Re: Score 0.001
On Fri, 10 May 2024, Thomas Barth wrote:
> So now I repeat my question: is it possible to increase the minimum value to 0.1 by default?

Not really. The score for a rule is either a fixed value assigned by the rule developer or a dynamic value calculated by masscheck nightly. There isn't a "macro" for informational scores that would affect them all at once; each informational rule would have to be updated individually.

And they are considered *informational* - they should not by themselves contribute to the ham/spam score, so a request to globally change the informational score from 0.0001 or 0.001 to 0.1 would not be approved.

For example, there is a rule that matches large monetary quantities in multiple formats and languages. That rule is used in combination with other rules to look for spam signs. It's scored as informational simply to expose the fact that the message has content like that, but by itself it doesn't indicate hammy or spammy content - the message could be a 419 spam, or it could be a news article about the deficit.

Note that poorly-performing rules may get a score that looks informational, but that may change over time based on the corpora.

--
You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson
---
4 days until the 76th anniversary of Israel's independence
Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)
On Fri, 19 Jan 2024, Thomas Cameron wrote:
> On 1/19/24 16:32, Byung-Hee HWANG wrote:
>> There is a filtering rule in Gmail: *Never send it to Spam*
>> I apply that rule to extremely important emails such as debian-bugs-dist and debian-devel-announce.
>
> You know that. I know that. But trying to explain to the board members I'm helping out is... painful.

Very simply worded step by step instructions, with screenshots amended with arrows, outlines, highlights and so forth as needed.

...the .sigmonster agrees.

--
News flash: Lowest Common Denominator down 50 points
---
4 days until John Moses Browning's 169th Birthday
Re: Dinged for .Date
On Mon, 15 Jan 2024, Cabel Sasser wrote:
> There are 1,239 gTLDs. The SpamAssassin source* blocks just *22* of them. If you believe every new gTLD is garbage (and I get that!), why isn’t SpamAssassin automatically dinging, say, 1,200+ of them? Or put another way, why _these_ 22, and _only_ these 22, and not the rest? That’s the “science” I’m trying to understand! :)

Primarily it's the real-world email traffic that scoring contributors use to evaluate the effectiveness of the rules and automatically assign their scores (called "masscheck"). We basically see a lot of spam from those 22 TLDs, and little or no ham, so rules that penalize those TLDs perform well with few "false positives" in that corpora.

> (And I’m still curious if there is any path of redemption for these 22. )

Most likely, SA specifically whitelisting legit domains in those poisonous TLDs which are brought to our attention by, for instance, reports like yours.

Less likely but possible: seeing enough ham claiming to be from those TLDs in the masscheck contributors' corpora that the scores for those rules are automatically reduced.

A possible alternative that is under your control and will likely get faster positive results than SA rules changes: register the domain playdatesupport.com for your support department's use. They can still *receive* email at supp...@play.date, but for outbound email that wouldn't be the From: domain and thus wouldn't suffer the TLD reputational hit. (If you do that, avoid setting "ReplyTo: supp...@play.date", as that would also take a reputation hit.)

--
People that keep dreaming about the wasteland, labyrinths and quick cash, die in amusing ways. -- Root the Dragon
---
2 days until Benjamin Franklin's 318th Birthday
Re: Too many dots?
On Thu, 16 Nov 2023, Matus UHLAR - fantomas wrote:
> Alex wrote:
>> I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address:
>> From: VitalSource <mailto:do.not.re...@vitalsource.com>>
>
> On 16.11.23 10:29, Kris Deugau wrote:
> Just FYI: AC_FROM_MANY_DOTS stock SA rule and has score 3 as OP complained:
> score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999

...because it performs very well in masschecks.

> I have added an exclusion for this use case and dropped the score limit to 2.500
> plus another 1.5 simply for having been sent by sendgrid?

Is that all that rule does, vs. hitting *specific* SendGrid accounts?

--
...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918
---
1,265 days since the first private commercial manned orbital mission (SpaceX)
Re: when whitelisting, do what with marked SPAM?
On Tue, 14 Nov 2023, joe a wrote:
> On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
>> On 14.11.23 13:05, joe a wrote:
>>> Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping BAYES "clean and sharp". So to speak. Leave as is? Delete and re learn?
>>
>> Simply relearn FPs. Unless you have huge misclassification issue, learning as few mail as one should fix BAYES issues.
>
> Move previously tagged SPAM into HAM folder and "relearn"?

Right. Train on misclassifications.

Also if there was a ham in your spam corpus review why it got misclassified in the first place.

--
Poor planning on your part does not create an obligation on my part.
---
1,264 days since the first private commercial manned orbital mission (SpaceX)
Re: when whitelisting, do what with marked SPAM?
On Tue, 14 Nov 2023, joe a wrote:
> Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping BAYES "clean and sharp". So to speak. Leave as is? Delete and re learn?

For a low volume home office user, I would simply NOT autolearn. Set up a hambox and a spambox and manually feed them and train from them.

--
The reason it took so long to get Bin Laden is that it took the SEALs five years to swim that far into the desert. -- anon
---
1,263 days since the first private commercial manned orbital mission (SpaceX)
Re: external API request
On Fri, 27 Oct 2023, Antony Stone wrote:
> On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:
>> Hi, Anyone know if there is a way to request an external API through a spamassassin plugin? It will be to search an URL extracted by SA from a body of a mail and check if it's referenced with an API request on an external service (virustotal or other). We receive some mails with URL inside whose page contains malware. One day, a user will click on it... If I can junk it before, it would be great.
>
> You may want to be cautious about "checking" URLs in this way, because some emails will contain things like "to unsubscribe, click here" or "accept meeting invitation?" and so on. You do not really want some automated system "clicking" on URLs like that and triggering external events either without the user's knowledge (they haven't even seen the email at this stage) or indeed doing something they do not want.

It doesn't sound like it will *visit* the link, just ask some service if the link has a reputation.

--
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
4 days until Halloween
Re: STY_INVIS_DIRECT
On Tue, 3 Oct 2023, Noel Butler wrote:
> 72_active.cf/STY_INVIS_DIRECT

Invisible styling is sadly fairly common in legit commercial emails. Sigh.

This should only hit on direct-to-MX emails. Are the hits coming from sources that strip internal topology history so that they look like the mail client is directly hitting your MX? Are they coming from sources in your trust list?

Friday's net masscheck had enough corpora to publish, the rules and scores have been updated. Its masscheck performance is strongly spammy, S/O 0.979.
https://ruleqa.spamassassin.org/20231001-r1912645-n/STY_INVIS_DIRECT/detail

I'll try some FP tuning, but I can't guarantee that will help.

> Anyone else seeing this go haywire? It's triggering on legit emails everywhere, even from paypal, for past few days by looks of helpdesk, and my own paypal email this morning, 2.5 score is pushing a lot of Email into "Junk folders", for now I'ma change that score to 0.25

2.5 points by itself shouldn't be enough to quarantine/junk messages. What else is spammy about those messages?

--
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
1,220 days since the first private commercial manned orbital mission (SpaceX)
Re: Stealth HREF= (missed by SA)
On Fri, 15 Sep 2023, Bill Cole wrote:
> On 2023-09-14 at 11:01:37 UTC-0400 (Thu, 14 Sep 2023 15:01:37 + (UTC)) Pedro David Marco via users is rumored to have said:
>> The same happens with other HTML tags...
>> <= DEFANGED_IMG src= can be replaced with <= DEFANGED_IMG xyz/src= virtually any char but >
>> so, with Giovanni permission, i tighten the nut 1 more turn (limiting to 100 chars to prevent Regex Self-DOS)
>>
>> rawbody BADHREF /<(a|img|video)[^>]{0,100}\/(src|href)\=/
>>
>> Pete.
>
> I've tweaked this a bit and added it to my ruleQA sandbox:
>
> describe HTML_BADATTR Illegal char in HTML attribute name
> rawbody HTML_BADATTR /<[a-z]{1,10}[^>]{1,80}\/(src|href)\=/

Probably should loosen that a tiny bit to allow for whitespace between the attr and the equals sign, and a whitespace after the tag name will keep the two variable-length REs from competing:

/<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/

--
Microsoft is not a standards body.
---
Today: the 236th anniversary of the signing of the U.S. Constitution
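As an added illustration (not code from the thread or from the SpamAssassin project), the Python harness below runs the three rule regexes from the exchange above over constructed HTML fragments, so the differences between Pedro's, Bill's and John's variants can be seen case by case. The label HTML_BADATTR_LOOSE for John's loosened regex is my own name, not a rule name from the list.

```python
import re

# The three rule bodies as posted in the thread (Perl syntax, which Python's
# `re` accepts unchanged here). HTML_BADATTR_LOOSE is my label for John's
# loosened variant; it is not a rule name used on the list.
RULES = {
    "BADHREF":            re.compile(r"<(a|img|video)[^>]{0,100}\/(src|href)\="),
    "HTML_BADATTR":       re.compile(r"<[a-z]{1,10}[^>]{1,80}\/(src|href)\="),
    "HTML_BADATTR_LOOSE": re.compile(r"<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\="),
}

# Constructed HTML fragments (not samples from the list). Each mimics one of
# the cases the thread argues about: ordinary markup, a slash that legitimately
# sits inside an attribute value, the "xyz/src=" stealth attribute, and the
# whitespace and case variations the rule authors have to decide on.
SAMPLES = {
    "legit anchor":            '<a href="https://example.com/login">click</a>',
    "legit img, slash in alt": '<img alt="a/b" src="https://example.com/i.png">',
    "stealth slash":           '<img xyz/src="https://example.com/t.png">',
    "stealth, space before =": '<img xyz/src = "https://example.com/t.png">',
    "no space after tag":      '<a/href="https://example.com/x">click</a>',
    # None of the posted rules carries the /i flag, so an upper-case tag or
    # attribute name slips past all three as written.
    "uppercase tag":           '<IMG xyz/SRC="https://example.com/t.png">',
}


def matching_rules(fragment: str) -> list[str]:
    """Names of the rules whose regex fires somewhere in `fragment`."""
    return [name for name, rx in RULES.items() if rx.search(fragment)]


def scan(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Run every rule over every sample; returns sample label -> hit list."""
    return {label: matching_rules(frag) for label, frag in samples.items()}


if __name__ == "__main__":
    for label, hits in scan().items():
        print(f"{label:26s} {', '.join(hits) or '-'}")
```

Note that the bounded quantifiers ({0,100}, {1,80}) are what keep backtracking cheap on long tag bodies, which is the "Regex Self-DOS" point Pedro raised.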
Re: new rule for kam :)
On Thu, 24 Aug 2023, Matus UHLAR - fantomas wrote:
> On 23.08.23 15:24, Benny Pedersen wrote:
>> # test for empty src="" or empty href=""
>> rawbody __HREF_EMPTY /href=\"\"/
>> rawbody __SRC_EMPTY /src=\"\"/
>> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
>> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
>> score LOCAL_BADLY_HTML 3 3 3 3
>>
>> too much spams in hotmail
>
> not so good numbers here. Only spam that wasn't rejected here:
>
> % grep -c '^From ' spam
> 9332
> % grep -Fc 'src=""' spam
> 3
> % grep -Fc 'href=""' spam
> 18

Not so great in masschecks, either:

  SPAM%   HAM%    S/O    RANK  SCORE  NAME
  0.1225  0.2296  0.348  0.42  (n/a)  __SRC_EMPTY
  0.5682  1.8685  0.233  0.41  (n/a)  __HREF_EMPTY

https://ruleqa.spamassassin.org/20230824-r1911889-n/__SRC_EMPTY/detail
https://ruleqa.spamassassin.org/20230824-r1911889-n/__HREF_EMPTY/detail

They might be useful in metas with other conditions, but not in isolation.

overlap spam: 81% of __HREF_EMPTY hits also hit T_FSL_RCVD_TR_1; 1% of T_FSL_RCVD_TR_1 hits also hit __HREF_EMPTY (ham 1%)
overlap spam: 42% of __HREF_EMPTY hits also hit __HAS_X_AUTHED_SENDER; 19% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)

I'll add a few of those to see how they do.

F'ing legit emailers that generate crap HTML {fume}

--
Once more, please; I missed it the last time: what's the difference between "Quantitative Easing" and "Counterfeiting"?
---
4 days until Exercise Your Rights day
Re: new rule for kam :)
On Wed, 23 Aug 2023, Benny Pedersen wrote:
> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/
> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> score LOCAL_BADLY_HTML 3 3 3 3
>
> too much spams in hotmail

I'll put the subrules in my sandbox so they can be evaluated by masscheck.

--
Maxim XI: Everything is air-droppable at least once.
---
5 days until Exercise Your Rights day
Re: new rule for kam :)
On Wed, 23 Aug 2023, Andy Smith wrote:
> Hello,
>
> On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
>> # test for empty src="" or empty href=""
>> rawbody __HREF_EMPTY /href=\"\"/
>> rawbody __SRC_EMPTY /src=\"\"/
>
> I checked this against about 80k of my recent personal emails and it matched quite a lot of previously not found spam, but did also match on every auto response from one of my suppliers. It seems after every customer service interaction they send a "how did we do? fill in this survey" email from qualtrics.com which contains:
>
> It wouldn't be much of a loss, but it's not spam either.

How did they perform individually?

--
USMC Rules of Gunfighting #4: If your shooting stance is good, you're probably not moving fast enough nor using cover correctly.
---
5 days until Exercise Your Rights day
Re: My apologies
On Thu, 3 Aug 2023, Ken D'Ambrosio wrote:
> On 2023-08-02 15:49, Loren Wilton wrote:
>>> I've blocked him on my mail server, as well.
>>
>> I don't know that I'd block him, but you do need to take anything he says with a few horselicks of salt.
>
> I (who have almost nothing to contribute to Spamassassin itself, other than being a user) think he should be blocked.

He was voted off the list a few years ago. That does not prevent him from reading and replying to list posts.

> I've been online for over 40 years, and it's rare to have someone so actively hostile right out of the gate --

Agreed.

> I admit, it made me worried what kind of environment was fostered on the Spamassassin list when I asked my newbie question, and was outright mocked by him.

That sort of behavior is why he was banned.

> And so, while I have zero sway as a team member or anything like that, as a newbie mailing list member, looking for help, I humbly submit that he's not someone you want being the first interaction a new list member has.

Sadly, we cannot control that.

--
How do you argue with people to whom math is an opinion? -- Unknown
---
Tomorrow: the 288th anniversary of John Peter Zenger's acquittal
Re: Welcome/unwelcome list not working correctly.
On Thu, 20 Jul 2023, Grant Keller wrote:
> I have the following config entries:
>
> | gvk | unwhitelist_from | grant.kel...@sonic.com | 7421538 |
> | gvk | whitelist_from   | grant.kel...@sonic.com | 7526210 |
>
> Still, a message from that address to the gvk user results in the following rules being hit:
>
> tests=ALL_TRUSTED,SCC_BODY_SINGLE_WORD,SONIC_BX_A2,SONIC_FRIEND,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST

Wild guess: it's processing them in order by the 4th column, so the whitelist_from is the last seen and is the one whose effects remain.

Column headers would aid analysis.

Can you swap the numbers in the 4th column and see if that changes the behavior?

--
Back in 1969 the technology to fake a Moon landing didn't exist, but the technology to actually land there did. Today, it is the opposite. -- unknown
---
Today: the 54th anniversary of Apollo 11 landing on the Moon
Re: Help with rule
On Mon, 5 Jun 2023, jacklistm...@gmail.com wrote:
> header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/

Missing a period in that one.

> meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP

Extra "from" already noted.

If you're looking to whitelist specific senders coming from specific IP addresses, there's already built-in features for that. Look into whitelist_from_rcvd, it may do exactly what you want.

--
It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George
---
Today: the 79th anniversary of D-Day
Re: 0 score not voiding rule
On Sat, 27 May 2023, Noel Butler wrote:
> USER_IN_WELCOMELIST 0 apparently does not disable the rule (like 0 disables all the others), it is still scoring negative values on messages despite being set some time ago, and surviving "new kernel" server restarts

Did you also add:

USER_IN_WHITELIST 0

They are synonyms, might need to kill both explicitly.

--
Microsoft is not a standards body.
---
2 days until Memorial Day - honor those who sacrificed for our liberty
RE: comparing sender domain against recipient domain
On Thu, 11 May 2023, Marc wrote:
>>> I was wondering if spamassassin is applying some sort of algorithm to comparing sender domain against recipient domain to detect a phishing attempt?
>>
>> There is a suite of meta rules and subrules with names containing TO_EQ_FROM in the default rule channel. Consult the rules files for implementation details.
>
> hmmm, I guess not
>
> some test message with these headers
>
> test2:~# spamassassin -D < spam-test.txt > out2
>
> Date: Mon, 24 Oct 2016 22:10:07 +0200
> To: recipi...@alexander.com
> From: Lara

Try this:

header __TO_OUR_DOMAIN To:addr =~ /alexander\.com/i
header __FROM_OUR_DOMAIN_FUZZY From =~ /(?!alexander)\.com/i
replace_rules __FROM_OUR_DOMAIN_FUZZY
meta OUR_DOMAIN_SPOOFED_FROM __TO_OUR_DOMAIN && __FROM_OUR_DOMAIN_FUZZY

Note that the Levenshtein distance plugin would be a more general solution, but this might be quite useful.

--
An operating system design that requires a system reboot in order to install a document viewing utility does not earn my respect.
---
Tomorrow: the 75th anniversary of Israel's independence
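As an added example (not code from the thread, nor the Levenshtein plugin itself), this Python script does the sender-vs-recipient domain comparison Marc is asking about in the more general form John alludes to: parse To: and From:, and flag a From: domain that is a near-miss of the recipient's domain. The sample messages, the lookalike domain alexandr.com and the edit-distance threshold of 2 are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed test messages (not the ones from the thread). The lookalike
# domain alexandr.com is made up for this example.
SPOOFED = """\
Date: Mon, 24 Oct 2016 22:10:07 +0200
To: recipient@alexander.com
From: "Lara" <lara@alexandr.com>
Subject: Invoice

please see attached
"""

LEGIT = """\
To: recipient@alexander.com
From: "Weekly News" <news@example.net>
Subject: Newsletter

hello
"""

INTERNAL = """\
To: recipient@alexander.com
From: colleague@alexander.com
Subject: Lunch

noon?
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def header_domain(msg, name: str) -> str:
    """Domain part of the first address in header `name` ('' if absent)."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower().rstrip(".")


def check_spoof(raw: str, our_domain: str, max_distance: int = 2) -> dict:
    """Compare the From: domain against our_domain for mail addressed to us.

    Verdicts: not_our_domain (To: is not ours, nothing to compare);
    same_domain (leave to SPF/DKIM/DMARC: string matching cannot tell
    legitimate internal mail from a forged From:); lookalike (within
    max_distance edits, the phishing case this thread is about); unrelated.
    A From: with no address at all (like the bare "From: Lara" above) has an
    empty domain and therefore lands in 'unrelated'.
    """
    msg = email.message_from_string(raw)
    our_domain = our_domain.lower()
    to_dom, from_dom = header_domain(msg, "To"), header_domain(msg, "From")
    result = {"to_domain": to_dom, "from_domain": from_dom,
              "distance": None, "verdict": "not_our_domain"}
    if to_dom != our_domain:
        return result
    dist = levenshtein(our_domain, from_dom)
    result["distance"] = dist
    if dist == 0:
        result["verdict"] = "same_domain"
    elif dist <= max_distance:
        result["verdict"] = "lookalike"
    else:
        result["verdict"] = "unrelated"
    return result


if __name__ == "__main__":
    for label, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("INTERNAL", INTERNAL)):
        print(label, check_spoof(raw, "alexander.com"))
```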
Re: comparing sender domain against recipient domain
On Sat, 13 May 2023, Matus UHLAR - fantomas wrote:
>>> But I was more interested if SA already has something like that?
>>
>> It does not.
>>
>> On Fri, 12 May 2023, Loren Wilton wrote:
>>> Weren't there a whole set of "FUZZY" rules once?
>
> On 12.05.23 20:01, John Hardin wrote:
>> There still are.
>
> however these rules only search for words like viagra, unsubscribe etc. they don't compare domains to each other.

The techniques should apply to header rules assuming the ReplaceTags works on header rules. I don't know any reason it wouldn't, I've just never tried it.

It would be difficult to provide site-specific phishing rules in the base ruleset, of course, but perhaps some examples could be added for domains like (as noted) paypal.com, and those could be used as examples for someone wanting to make a site-custom phishing rule.

I'll try to play with that this weekend and see if it bears fruit.

--
When designing software, any time you think to yourself "a user would never be stupid enough to do *that*", you're wrong.
---
Tomorrow: the 75th anniversary of Israel's independence
Re: comparing sender domain against recipient domain
On Fri, 12 May 2023, Loren Wilton wrote:
>>> But I was more interested if SA already has something like that?
>>
>> It does not.
>
> Weren't there a whole set of "FUZZY" rules once?

There still are.

--
Before Adolph Hitler came to power, there was a black market in firearms, but the German people had been so conditioned to be law abiding, that they would never consider buying an unregistered gun. The German people really believed that only hoodlums own such guns. What fools we were. -- Theodore Haas, Dachau survivor
---
2 days until the 75th anniversary of Israel's independence
Re: comparing sender domain against recipient domain
On Fri, 12 May 2023, Matija Nalis wrote:
> I wonder if someone has already done it, and something sufficiently similar to be used to that purpose?

There are a lot of ReplaceTags rules in the base ruleset. I don't know offhand if that works with header rules.

--
Maxim XXXV: That which does not kill you has made a tactical error.
---
2 days until the 75th anniversary of Israel's independence
Re: parameters: use_pyzor and use_razor2
On Sat, 29 Apr 2023, i...@servermx.com wrote:
> Hello, we have installed Spamassassin (debian 11.6) version 4.0 from source. With backend MariaDB 10.5.18-MariaDB-0+deb11u1 - Debian 11.
>
> Spamassassin is raising these messages
>
> info: config: not parsing, administrator setting: use_pyzor\t0
> info: config: failed to parse line in (sql config) (line 9): use_pyzor\t0
> info: config: not parsing, administrator setting: use_razor2\t0
> info: config: failed to parse line in (sql config) (line 10): use_razor2\t0

...in SQL config? perhaps the lines are misplaced?

--
Gridlock is the next best thing to having constitutional government. -- Steven Hayward
---
2 days until May Day - Remember 110 million people murdered by Communism
Re: replay RBL queries one hour later
On Sat, 25 Feb 2023, hg user wrote:
> The last time I was hit by a not-recognized phishing campaign, no IPs nor domains were present in RBL. When I took action one hour later I found that several of them were listed. So my idea is: is it possible to replay the queries one/two hours later?

Another more common approach to this situation is "greylisting", where the first attempt to submit a message from an unrecognized source is tempfailed for some period of time. The mailer will retry and the submission will be accepted after the greylisting period has expired, which may give RBLs time to list the IPs/domains/hashes/etc. This also theoretically blocks fire-and-forget mass spammers who only try submission once, but I don't know how common that model is these days.

https://duckduckgo.com/?q=milter-greylist

There are scenarios where this delay is unwelcome, for example commercial accounts where you don't want a delay in receiving communications from customers or potential customers. There are ways to tune it that may mitigate these concerns somewhat.

--
The Constitution is not a suicide pact, it is a restraining order against government. And government, like any abusive person, does not respect or obey restraining orders. -- Anonymous
---
1,001 days since the first private commercial manned orbital mission (SpaceX)
Re: DecodeShortURL fails with postgresql
On Sun, 29 Jan 2023, Benny Pedersen wrote:
>>> Jan 29 01:02:00 localhost postgres[15177]: [11-3] DELETE FROM short_url_cache
>>> Jan 29 01:02:00 localhost postgres[15177]: [11-4] WHERE short_url $1 = AND created < CAST(EXTRACT(epoch FROM NOW()) AS INT) - 86400
>>> Jan 29 05:40:38 localhost postgres[24315]: [11-1] 2023-01-29 04:40:38.502 UTC [24315] ERROR: syntax error at or near "$1" at character 62
>>
>> I'm not an SQL expert. Can you give me more details on how to trigger the bug you are pointing out, what it does, and what is expected?
>
> same here, i just report it

This bit:

WHERE short_url $1 = AND

...should probably be:

WHERE short_url = $1 AND

The basic expression syntax of SQL is the same as other (infix!) languages..

--
Maxim XI: Everything is air-droppable at least once.
---
3 days until the 20th anniversary of the loss of STS-107 Columbia
Re: bz 8116
On Sat, 28 Jan 2023, Bill Cole wrote:

> On 2023-01-28 at 12:16:53 UTC-0500 (Sat, 28 Jan 2023 18:16:53 +0100) Benny Pedersen is rumored to have said:
>
>> is imho clearly spam ?
>
> Yes, and I expect that when someone with Bugzilla admin rights sees it (a subset of the PMC) it will be appropriately trashed.

Poof, gone.

We don't sit watching our MUAs 24/7

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
Today: the 37th anniversary of the loss of STS-51L Challenger
Re: Rule Help - not sure what is wrong with my syntax
On Thu, 12 Jan 2023, John Hardin wrote:

> On Thu, 12 Jan 2023, Martin Gregorie wrote:
>
>> On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
>>
>>> Hello All, I created this rule to check for email addresses matching a list to get added some negative value. I also tried it with just domains so it would be more efficient, but I can't seem to get them to run. Any suggestions?
>>
>> Use a database to store addresses you accept mail from. Apart from the database, you'll need a Perl module to let SA look up addresses in the database.
>
> Simpler as it involves no new coding: a local DNS server and a DNSBL lookup rule with a negative score. There are instructions for setting such up for local blacklists, that works equally well for a local whitelist.

Ah, whoops. I had it in my head that emailBL had been implemented. Never mind!

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The difference is that Unix has had thirty years of technical types demanding basic functionality of it. And the Macintosh has had fifteen years of interface fascist users shaping its progress. Windows has the hairpin turns of the Microsoft marketing machine and that's all. -- Red Drag Diva
---
5 days until Benjamin Franklin's 317th Birthday
Re: Rule Help - not sure what is wrong with my syntax
On Thu, 12 Jan 2023, Martin Gregorie wrote:

> On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
>
>> Hello All, I created this rule to check for email addresses matching a list to get added some negative value. I also tried it with just domains so it would be more efficient, but I can't seem to get them to run. Any suggestions?
>
> Use a database to store addresses you accept mail from. Apart from the database, you'll need a Perl module to let SA look up addresses in the database.

Simpler as it involves no new coding: a local DNS server and a DNSBL lookup rule with a negative score. There are instructions for setting such up for local blacklists, that works equally well for a local whitelist.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #20: The faster you finish the fight, the less shot you will get.
---
5 days until Benjamin Franklin's 317th Birthday
Re: Refused by block lists
On Fri, 6 Jan 2023, joe a wrote:

> Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.) Google?

Best practice is to set up a local, non-forwarding (potentially non-forwarding only for the DNSBL domains, see my email from a week or so back) DNS server for your MTA and SpamAssassin to use (potentially your entire local network as well, but that's not relevant to your question).

DNSBL providers generally don't like requests from public DNS servers as they aggregate a lot of requests from a lot of sources.

> One of many things puzzling me at the moment is something found in the related Wiki that states "A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address."

I think you're getting distracted by the word "resolve" there...

This sounds like a DNS issue.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Je ne suis pas Charlie. Je suis armé.
---
Tomorrow: the 8th anniversary of the Charlie Hebdo massacre
Re: Re: Re: Re: Re: DNSWL_HI testing wrong Received header?
On Wed, 28 Dec 2022, Matus UHLAR - fantomas wrote:

> On 28.12.22 12:55, John Stimson via users wrote:
>
>> The machine has bind9 running locally to provide DNS for its own domain, and uses it for name resolution.
>
> This is the problem:
>
>> Bind9 is configured to use OpenDNS and Google as forwarders.
>
> BIND does NOT need forwarders and by using it, you most probably have created this problem. remove forwarders statement.

You can also set up per-DNSBL forwarding suppression while still forwarding for other lookups:

    // Don't forward DNSBL/URIBL lookups to ISP
    zone "list.dnswl.org" IN {
        type forward;
        forward first;
        forwarders { };
    };
    zone "multi.uribl.com" IN {
        type forward;
        forward first;
        forwarders { };
    };

...etc. for all DNSBL subdomains.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
These Sarah Brady types must be educated to understand that because we have an armed citizenry, that a dictatorship has not yet happened in America. These anti-gun fools are more dangerous to Liberty than street criminals or foreign spies. -- Theodore Haas, Dachau survivor
---
942 days since the first private commercial manned orbital mission (SpaceX)
Re: Whitelist or add negative values for score
On Wed, 21 Dec 2022, Joey J wrote:

> But in better seeing the welcomelist_from_spf option, I think this will be my first try.

If you are *really* worried about getting faked mail from that correspondent, you can do something like:

    whitelist_from_spf j...@company.com
    blacklist_from j...@company.com

I have a bunch of these sort of entries in my local config:

    whitelist_auth *@wellsfargo.com
    blacklist_from *@wellsfargo.com
    whitelist_auth *@*.wellsfargo.com
    blacklist_from *@*.wellsfargo.com

    whitelist_auth *@netflix.com
    blacklist_from *@netflix.com
    whitelist_auth *@*.netflix.com
    blacklist_from *@*.netflix.com

You may need to dial back the blacklist score a bit for it to work reliably:

    score USER_IN_BLACKLIST 85.000 # let whitelist override blacklist

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
3 days until Christmas
Re: phishtank api usage from spamassassin ?
On Fri, 26 Aug 2022, Kris Deugau wrote:

> Raymond Dijkxhoorn via users wrote:
>
>> Hello Benny,
>>
>> Many of the SARE people are around but are now doing things RBL style. Including me and Alex to name just two. And the link -subdomains- you see in spams you can report to various lists if needed (feedb...@surbl.org for example).
>>
>> In case you want to send abuse reports to google who operates this service:
>> https://firebase.google.com/support/troubleshooter/contact
>
> "You must sign in to access this page". That's... rather unhelpful, Google.

...see Hoops, Jumping Through.

"Go away and stop bothering us."

> It's not the only place Google won't let you report problems from outside their ecosystem either - you can't report spam coming through Google Groups with the link in the messages without logging in to a Google account. I gave up trying to report these,

Me, too.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The problem with socialism is that you can vote your way into it but you need to shoot your way out of it. -- Larry Lambert
---
2 days until Exercise Your Rights day
Re: phishtank api usage from spamassassin ?
On Thu, 25 Aug 2022, Axb wrote:

> On 8/25/22 16:10, Benny Pedersen wrote:
>
>> https://phishtank.com/phish_detail.php?phish_id=7691984
>> https://phishtank.com/phish_detail.php?phish_id=7680788
>>
>> why is page.link have subdomain tjeking ?, is it marked at sa as a redirector ?
>
> tjeking?
>
>> i consider block all page.link, whois says its hosted by google :/
>
> go ahead..

There are legitimate sites using that domain.

I added it as a 2tld for URIBL, so please report such domains to URIBL.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The one political issue that strips all politicians bare is individual gun rights.
---
Today: the 1943rd anniversary of the destruction of Pompeii
Re: subscribe to blacklist for domains
On Tue, 23 Aug 2022, Vincent Lefevre wrote:

> On 2022-08-18 12:11:04 -0400, Kris Deugau wrote:
>
>> Mmm. So how would you, as sender or sender's mail provider, troubleshoot a message rejected with "550 Too spammy"? I have seen several rejections that were equally clear and to the point, without divulging any particular detail about what, exactly, was objectionable.
>
> I doubt that spammers take 550 messages into account, or even read them.

Agreed.

Perhaps dumping the list of SA rules that hit, absent scores. That's not a bad violation of opsec as there are public evaluation tools available that would return much the same information, and that would give something helpful to discuss with the site admin when trying to resolve the situation.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Law is too dangerous a tool to leave in the hands of opposing tribes who just want to use it to bludgeon one another. -- J.D. Tuccile
---
Tomorrow: the 1943rd anniversary of the destruction of Pompeii
Re: subscribe to blacklist for domains
On Sat, 13 Aug 2022, joe a wrote:

> Why waste your own system resources to help a scoundrel? Drop them and be done.

I personally prefer to TCP tarpit repeat offenders.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Human beings are born with different capacities. If they are free, they are not equal. And if they are equal, they are not free. -- Aleksandr Solzhenitsyn
---
Tomorrow: the 77th anniversary of the end of World War II
Re: Matching on missing To field?
On Wed, 20 Jul 2022, Loren Wilton wrote:

>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>
> That rule just says: look at all the raw header data and match if there's none of Subject, From, To, Reply-To entries. IE a really malformed message.
>
> Hum. As I read it, that is "headers misspelled" (not "headers missing")

MISSP = misspaced

and it is checking for any of the listed words at the start of a line, followed by a colon, and NOT followed by a space.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine
---
Today: the 53rd anniversary of Apollo 11 landing on the Moon
Re: shit from serverion
On Wed, 29 Jun 2022, Vincent Lefevre wrote:

> On 2022-06-29 13:14:58 +, Marc wrote:
>
>> Today I decided to spend some time getting all the ip's[1] (these are all /24 thus you have to add 164.215.103.1-164.215.103.255) of serverion, who is sending out constant stream of crap. I thought about posting it here so you do not need to do this work. If you do some random checks, you can see this looks weird[2]. Do as you please with this info.
>
> FYI, I'm rejecting them at the postfix level.

*cough* TCP Tarpit *cough*

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Individual liberties are always "loopholes" to absolute authority.
---
5 days until the 246th anniversary of the Declaration of Independence
Re: Rule to detect non-standard headers that aren't X- prefixed
On Tue, 10 May 2022, Philip Prindeville wrote:

> Anyone have a rule to detect the following nonsense headers seen in this message I got?
>
> Return-Path:
> Received: from cp24.deluxehosting.com (cp24.deluxehosting.com [207.55.244.13]) by mail (envelope-sender ) (MIMEDefang) with ESMTP id 23C2ch8H717309 for ; Mon, 11 Apr 2022 20:38:50 -0600
> To: "xy...@redfish-solutions.com"
> From: "Nabil, Home Depot"
> Message-ID: <35ee7c.8b8cf6.a...@uakron.edu>
> Date: Mon, 11 Apr 2022 22:38:48 + (UTC)
> Minicomputers-Exhume: sides
> Subject: Nabil, 1 searches this week
> Malthus-Films: 88976dea
> List-Unsubscribe: <https://uakron.edu/?e=d567f7ae55e4&t=lun&midToken=39e56a34&ek=email_notification_single_search_appearance_01&li=7&m=unsub&ts=unsub&loid=cd5be889cc8fde15c6d1ebf62c92cc37375723f3fea3ce35af8da>
> Parasitic-Homogeneity: db5da28ba3e69a
> MIME-Version: 1.0
> Capitalizations-Grievously: oilers
> Content-type: multipart/mixed; boundary="--=_1649731129-716331-86"
>
> Obviously, the following bogus header names are present:
>
> Minicomputers-Exhume
> Malthus-Films
> Parasitic-Homogeneity
> Capitalizations-Grievously

Take a look at __RAND_HEADER and RAND_HEADER_MANY

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Of the twenty-two civilizations that have appeared in history, nineteen of them collapsed when they reached the moral state the United States is in now. -- Arnold Toynbee
---
3 days until the 74th anniversary of Israel's independence
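The two header checks discussed in this thread and in the __HDRS_MISSP thread above, as an added example that is not code from the list posts or from SpamAssassin: the misspaced-header pattern is the one quoted on the list, while the set of well-known header names, the "many" threshold and the sample header blocks are constructed assumptions of this example.

```python
"""Header-lint heuristics: a Subject/From/To/Reply-To name with no space
after the colon (the __HDRS_MISSP idea), and header names that are neither
well known nor X- prefixed (the idea behind the RAND_HEADER rules).

Added example, not SpamAssassin's own code. KNOWN_HEADERS, the threshold
and the sample header blocks are constructed for this example."""
import re

# Same expression as the quoted __HDRS_MISSP rule: a listed header name at
# the start of a line, a colon, then a non-whitespace character.
HDRS_MISSP = re.compile(r"^(?:Subject|From|To|Reply-To):\S", re.I | re.M | re.S)

# RFC 5322 field-name: printable ASCII other than ':', at the start of a line.
HEADER_NAME = re.compile(r"^([!-9;-~]+):", re.M)

# Assumed list of well-known header names; anything else that does not
# start with "X-" is treated as a "random" header by this example.
KNOWN_HEADERS = {
    "return-path", "received", "to", "from", "cc", "bcc", "subject", "date",
    "message-id", "mime-version", "content-type", "content-transfer-encoding",
    "list-unsubscribe", "list-id", "reply-to", "in-reply-to", "references",
    "dkim-signature", "authentication-results", "received-spf", "sender",
    "arc-seal", "arc-message-signature", "arc-authentication-results",
    "delivered-to", "precedence", "organization", "user-agent",
}

RAND_HEADER_MANY = 3  # assumed threshold for the "many random headers" verdict


def unfold(raw_headers):
    """Join folded continuation lines so that each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers)


def misspaced_headers(raw_headers):
    """True when a Subject/From/To/Reply-To name is not followed by a space."""
    return HDRS_MISSP.search(raw_headers) is not None


def random_header_names(raw_headers):
    """Header names that are neither well known nor X- prefixed."""
    names = HEADER_NAME.findall(unfold(raw_headers))
    return [n for n in names
            if n.lower() not in KNOWN_HEADERS and not n.lower().startswith("x-")]


def looks_random(raw_headers):
    """True when at least RAND_HEADER_MANY unrecognised header names occur."""
    return len(random_header_names(raw_headers)) >= RAND_HEADER_MANY


# Constructed sample resembling the message quoted above (addresses are
# placeholders, not the real ones).
SAMPLE_RANDOM = (
    "Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])\n"
    "\tby mx.example.invalid with ESMTP id CONSTRUCTED\n"
    "To: \"user\" <user@example.invalid>\n"
    "From: \"Sender\" <sender@example.invalid>\n"
    "Message-ID: <constructed@example.invalid>\n"
    "Date: Mon, 11 Apr 2022 22:38:48 +0000 (UTC)\n"
    "Minicomputers-Exhume: sides\n"
    "Subject: 1 searches this week\n"
    "Malthus-Films: 88976dea\n"
    "Parasitic-Homogeneity: db5da28ba3e69a\n"
    "MIME-Version: 1.0\n"
    "Capitalizations-Grievously: oilers\n"
    "Content-Type: multipart/mixed; boundary=\"constructed\"\n"
)

# Constructed sample with a misspaced From: header and an X- header only.
SAMPLE_MISSP = (
    "From:bob@example.invalid\n"
    "To: alice@example.invalid\n"
    "Subject: hello\n"
    "X-Mailer: Constructed Mailer 1.0\n"
)

if __name__ == "__main__":
    for label, hdrs in (("random", SAMPLE_RANDOM), ("misspaced", SAMPLE_MISSP)):
        print(label, "misspaced:", misspaced_headers(hdrs),
              "random names:", random_header_names(hdrs))
```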
Re: OT - Hotmail/Outlook.com marking most of our email as Junk
On Sat, 19 Feb 2022, Greg Troxel wrote:

>>> As for your "domain", also look up the IP address your mail comes from, because that's more important. A lookup service I have found useful is: https://multirbl.valli.org/
>>
>> Ok, actually, I got some interesting results for 136.143.188.53, which is a Zoho server I have apparently sent mail from. Some blacklists, some yellow lists, some whitelists, and a bunch of blue and red. Do you think Zoho is the bigger problem than NameCheap?
>
> I said you should understand if you have a shared IP, and *who else is sharing it*. When they spam, it gets the IP on lists, which causes you trouble.

...or *who had it before you did* (particularly for static or not-so-dynamic dynamic IPs). A spammer could have set up a "throwaway" server and blasted spam from that IP until it got blacklisted, then moved on, leaving you to inherit an IP with a bad reputation.

That may or may not be an easy problem to address. Potentially the simplest solution is to ask your provider to assign you a different IP address and hope that one isn't listed as well.

You could proactively spot-check IP addresses in the network block managed by your provider and if more than a few of them are listed (particularly by multiple DNSBLs) then your provider is probably problematic and you should look elsewhere.

[Ooo, look, the .sigmonster is listening...]

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Back in 1969 the technology to fake a Moon landing didn't exist, but the technology to actually land there did. Today, it is the opposite. -- unknown
---
3 days until George Washington's 290th Birthday
Re: Regex error in most recent update
On Fri, 18 Feb 2022, Damian wrote:

>> invalid regexp for __URI_TRY_3LD 'm,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?
>
> Wow, this one is pretty subtle. It is due to:
>
>> Note that under "/i", a few single characters match two or three other characters. This makes them variable length [...]

Or vice-versa - in this case "ss"/"st" collapses to "ß"...

...and it's not universal, either. It passed lint here or I wouldn't have checked it in. It passed the masscheck lint or it wouldn't have been published.

I've checked in a fix, there may be one more bad update tonight before it goes out.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
4 days until George Washington's 290th Birthday
Re: REMOVE
On Fri, 18 Feb 2022, da...@grmcompany.com wrote:

Dan:

The SA users mailing list is self-managed.

    list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
4 days until George Washington's 290th Birthday
Re: CONTENT_AFTER_HTML: better not discuss formatting!!
On Tue, 8 Feb 2022, Loren Wilton wrote:

>>> Are you talking about the use of m'' as the regex delimiter?
>>
>> Yes. It will probably work just fine for the foreseeable future, as long as the input validation of rules files is lenient.
>
> I think you may have a very hard time removing the m matching delimiters from SA. I suspect there are at least hundreds of rules like that in the release database. I have about a hundred local rules of my own that use that.

Indeed.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Journalism is about covering important stories. With a pillow, until they stop moving. -- David Burge
---
74 more days working to pay your (average) annual US tax bill before you're finally working for yourself.
Re: CONTENT_AFTER_HTML: better not discuss formatting!!
On Mon, 7 Feb 2022, Loren Wilton wrote:

>> But, it had:
>>
>>   * 2.5 CONTENT_AFTER_HTML More content after HTML close tag
>>
>> but one was only text/plain and I could see nothing wrong. reading 72_active.cf I found:
>>
>>   rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
>>
>> which fires on a text/plain part that discusses html formatting!
>
> Note you show __CONTENT_AFTER_HTML and CONTENT_AFTER_HTML, which are not the same rule. I suspect the meta for CONTENT_AFTER_HTML contains some other things that should in theory make it not hit in this case.
>
> I've personally never seen this rule hit, and didn't know it existed. Are you sure it isn't a local rule? I have a rule of my own that gives 1 point for extra trash after the /html end tag. I see it frequently on spam and UCE that has a tracking tag in the HTML section after the official end of the html.

No, I added that after observing multiple spams with random garbage after the closing HTML tag in the HTML body part. Presumably it was an attempt at Bayes poison, checksum avoidance, or some other filter evasion technique.

I'll tighten it up.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson
---
5 days until Abraham Lincoln's and Charles Darwin's 213th Birthdays
Re: CONTENT_AFTER_HTML: better not discuss formatting!!
On Mon, 7 Feb 2022, Greg Troxel wrote:

> and then I got a reply back with the content he was trying to send etc. But, it had:
>
>   * 2.5 CONTENT_AFTER_HTML More content after HTML close tag
>
> but one was only text/plain and I could see nothing wrong. reading 72_active.cf I found:
>
>   rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
>
> which fires on a text/plain part that discusses html formatting!

Ah, I'll see if I can add something to that so it only fires when there's an actual HTML body part. Thanks for the report.

Pity there's not an "htmlbody" rule type...

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #2: Anything worth shooting is worth shooting twice. Ammo is cheap. Your life is expensive.
---
5 days until Abraham Lincoln's and Charles Darwin's 213th Birthdays
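The tightening discussed in this thread, as an added example that is not the SpamAssassin rule or the fix checked in for it: the quoted pattern is applied only to the decoded text of text/html MIME parts, so a text/plain part that merely mentions the </html> tag no longer fires. The sample messages are constructed.

```python
"""Content after </html>, checked only inside text/html MIME parts.

Added example, not SpamAssassin code. CONTENT_AFTER_HTML is the expression
quoted on the list; rawbody_match() shows the old behaviour (every text
part is examined) and content_after_html() the tightened one. The sample
messages below are constructed."""
import re
from email import message_from_string

# Same expression as the quoted rawbody rule.
CONTENT_AFTER_HTML = re.compile(r"</html>\s*[a-z0-9]", re.I)


def text_parts(msg, content_type=None):
    """Yield the decoded text of each text/* leaf part, optionally
    restricted to one exact content type such as "text/html"."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        if content_type and part.get_content_type() != content_type:
            continue
        payload = part.get_payload(decode=True)  # bytes, transfer encoding removed
        charset = part.get_content_charset() or "us-ascii"
        yield payload.decode(charset, errors="replace")


def rawbody_match(raw):
    """What a rawbody-style check does: any text part can trigger it."""
    msg = message_from_string(raw)
    return any(CONTENT_AFTER_HTML.search(t) for t in text_parts(msg))


def content_after_html(raw):
    """Tightened check: only text/html parts are examined."""
    msg = message_from_string(raw)
    return any(CONTENT_AFTER_HTML.search(t) for t in text_parts(msg, "text/html"))


# Constructed: a plain-text message that talks about the closing tag.
PLAIN_ONLY = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: formatting question
Content-Type: text/plain; charset=us-ascii

When I write HTML by hand the closing </html> tag goes last, right?
"""

# Constructed: multipart/alternative with junk after </html> in the HTML part.
HTML_TRASH = """\
From: shop@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello
--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello</p></body></html>
q8x2mz7
--b1--
"""

# Constructed: the same message with a clean HTML part.
HTML_CLEAN = HTML_TRASH.replace("</html>\nq8x2mz7\n", "</html>\n")

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_ONLY), ("trash", HTML_TRASH), ("clean", HTML_CLEAN)):
        print(label, "rawbody:", rawbody_match(raw), "tightened:", content_after_html(raw))
```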
Re: XM_RANDOM hits for Qi Mail Connector
On Thu, 20 Jan 2022, Matus UHLAR - fantomas wrote:

> Hello,
>
> looks like there's mailer hitting XM_RANDOM from multiple mails:
>
> X-mailer: Qi Mail Connector 101.21
> X-mailer: Qi Mail Connector 103.2
>
> apparently generated by czech company information system:
> https://www.qi.cz/system-qi/

Will update, thanks for the report.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine
---
3 days until John Moses Browning's 167th Birthday
Re: Managing long welcome_senders list
On Thu, 2 Dec 2021, Dominic Raferd wrote:

> I have a score-reducing algorithm for SA based on known 'good' senders. From a simple one-address-per-line file (which can easily be manually or automatically edited) is built a local_welcoming.cf file which is used by SA - with lines like this:
>
>   score LOCAL_WELCOMING_4 -4
>   header LOCAL_WELCOMING_4 From =~ /(\@myfriend\.com|jennifer_smith\@btinternet\.com|\fred321@gmail\.com)>?\s*$/i
>
> But this is just a short example with 3 addresses. In reality I have a single line with c.2000 addresses all concatenated like this, and it is growing.

The tools available in the MTA may be easier to leverage for this than SA - for example, something like matching the envelope sender to a pattern or list in a dynamic database and modifying the message if it hits. In that case you have the option of conditionally adding a custom header to the message prior to passing it off to SA for scanning. Then you could have a SA rule that hits on something like "header X-LOCAL-WELCOME-SENDER-salt exists".

You could also potentially hard-whitelist those senders in the MTA and just bypass SA scanning for them entirely, but that does have the downside of accepting spam from them if their account gets hacked, for example.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Activist: Someone who gets involved. Unregistered Lobbyist: Someone who gets involved with something the MSM doesn't approve of. -- WizardPC
---
5 days until The 80th anniversary of Pearl Harbor
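The generator behind the quoted approach, as an added example that is not the poster's script or SpamAssassin code: it turns a one-address-per-line file into a .cf file, escaping every entry for a Perl /.../ regex, anchoring it to the whole address extracted by From:addr, and splitting the list into several rules so no single regex grows without bound. The rule-name prefix, the chunk size, the "@domain" convention and the sample list are this example's own assumptions; the -4 score is the quoted one.

```python
"""Build a welcome-sender rule file from a one-address-per-line list.

Added example, not code from the list or from SpamAssassin. The chunk
size, rule names, the "@domain" convention and the sample list are
assumptions of this example; the score is the quoted -4."""
import re

CHUNK = 200                    # assumed: entries per generated rule
SCORE = -4                     # score used in the quoted example
RULE_PREFIX = "LOCAL_WELCOMING"


def parse_address_list(text):
    """Lower-cased entries, skipping blank lines and '#' comments.
    An entry starting with '@' welcomes every address at that domain."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def perl_literal(s):
    """Escape s so it matches literally inside a Perl /.../ regex: every
    non-alphanumeric character gets a backslash, which also neutralises
    '@' (array interpolation in Perl) and '/' (the rule delimiter)."""
    return "".join(c if c.isalnum() or c == "_" else "\\" + c for c in s)


def entry_pattern(entry):
    if entry.startswith("@"):
        return r"[^\@]+" + perl_literal(entry)   # any local part at that domain
    return perl_literal(entry)


def build_rules(entries, chunk=CHUNK):
    """Return (rule_name, pattern) pairs, one rule per chunk of entries."""
    rules = []
    for i in range(0, len(entries), chunk):
        name = "%s_%d" % (RULE_PREFIX, i // chunk + 1)
        alts = "|".join(entry_pattern(e) for e in entries[i:i + chunk])
        # Anchored at both ends of the address that From:addr extracts, so
        # "user@example.invalid.evil" does not match "user@example.invalid".
        rules.append((name, "^(?:%s)$" % alts))
    return rules


def render_cf(rules, score=SCORE):
    """Text of the .cf file: header rule, score and description per chunk."""
    out = []
    for name, pattern in rules:
        out.append("header   %s From:addr =~ /%s/i" % (name, pattern))
        out.append("score    %s %s" % (name, score))
        out.append("describe %s Sender is on the local welcome list" % name)
        out.append("")
    return "\n".join(out)


def address_is_welcome(address, rules):
    """Local check of one address against the generated patterns. The
    constructs used (^ $ (?:) | [^...] and backslash-escaped punctuation)
    mean the same thing in Python's re as in Perl."""
    return any(re.search(pattern, address, re.I) for _, pattern in rules)


# Constructed sample list (placeholder domains, not real correspondents).
SAMPLE_LIST = """\
# constructed sample list
@myfriend.example
jennifer_smith@mail.example
fred+news@gmail.example   # a '+' must not become a regex quantifier
"""

if __name__ == "__main__":
    rules = build_rules(parse_address_list(SAMPLE_LIST), chunk=2)
    print(render_cf(rules))
```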
Re: MIME_BASE64_TEXT only on us-ascii
On Tue, 30 Nov 2021, Philip Prindeville wrote:

> On Nov 17, 2021, at 9:50 AM, Bill Cole wrote:
>
>> SpamAssassin rules are not laws in any sense. They do not prescribe or proscribe any action. They do not reflect any sort of moral or ethical judgment. They do not express or define technical correctness.
>
> Isn't that exactly what we're discussing here? "Technical correctness"?

The way I generally put it is: SpamAssassin is not an RFC-compliance audit tool.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The police of a state should never be stronger or better armed than the citizenry. An armed citizenry, willing to fight, is the foundation of civil freedom. -- Robert A. Heinlein, 1942
---
549 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Thu, 18 Nov 2021, Matt Corallo wrote:

> On 11/18/21 16:49, John Hardin wrote:
>
>> On Thu, 18 Nov 2021, Matt Corallo wrote:
>>
>>> I followed up on the exim-users list on this - Exim *did* verify the FcRDNS here and the above header line is what it generates by default for FcRDNS. The RFC quote they responded with is at [1]. A FcRDNS-failed received line is at [2].
>>
>> I've modified that rule a bit to also look at the HELO and envelope From address to see if they are from Shopify. Granted that's less reliable than rDNS, but it's probably Good Enough.
>
> Note that the subject is, in hindsight, a bit of a misnomer.

Not really - it is accurate, but the scope was found to be larger.

If this discussion continues, it might be reasonable to re-title the thread to be more representative. Perhaps "SA mis-parsing Exim Received headers".

> Obviously there's a ton of rules that rely on FcRDNS, and in this case it seems like Exim's Received lines just do not match SA's current detection, causing this and many other rules to fail.

Recognized. Sadly, it won't be fixed in 3.4.x

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Taking my gun away because I *might* shoot someone is like cutting my tongue out because I *might* yell "Fire!" in a crowded theater. -- Peter Venetoklis
---
537 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Thu, 18 Nov 2021, Matt Corallo wrote:

> I followed up on the exim-users list on this - Exim *did* verify the FcRDNS here and the above header line is what it generates by default for FcRDNS. The RFC quote they responded with is at [1]. A FcRDNS-failed received line is at [2].

I've modified that rule a bit to also look at the HELO and envelope From address to see if they are from Shopify. Granted that's less reliable than rDNS, but it's probably Good Enough.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
These Sarah Brady types must be educated to understand that because we have an armed citizenry, that a dictatorship has not yet happened in America. These anti-gun fools are more dangerous to Liberty than street criminals or foreign spies. -- Theodore Haas, Dachau survivor
---
537 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Tue, 16 Nov 2021, Bill Cole wrote:

> On 2021-11-15 at 20:06:22 UTC-0500 (Mon, 15 Nov 2021 20:06:22 -0500) Matt Corallo is rumored to have said:
>
>> Full headers follow, but it seems the shopify detection in the above isn't quite correct;
>>
>> Return-path:
>> Envelope-to: vmstfp...@mattcorallo.com
>> Delivery-date: Mon, 15 Nov 2021 21:10:55 +
>> Received: from o13.mailer.shopify.com ([149.72.221.62]) by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02 (envelope-from ) for vmstfp...@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +
>
> The lack of any name inside the parentheses before the bracketed IP in that Received header implies that mail.as397444.net could not get a verifiable rDNS name for that relay. In short, SA trusts your MTA's indication that this may not really be a shopify relay.
>
> Even shorter: It's DNS. It's ALWAYS DNS.
>
>> [...]
>>  0.8 RDNS_NONE                Delivered to internal network by a host with no rDNS
>>  2.0 HTML_FONT_TINY_NORDNS    Font too small to read, no rDNS
>>  2.5 SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
>>  0.0 NORDNS_LOW_CONTRAST      No rDNS + hidden text
>> X-Spam-Score: 6.3
>
> That's 5.3 out of 6.3 caused by the inability of mail.as397444.net to get a verifiable rDNS name for 149.72.221.62 at delivery time.
>
> It's ALWAYS DNS.
>
> ...then again, nothing can be done to fix the rule...

Complain to Shopify that their lack of rDNS is causing their mail to be considered spam.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Never forget, even for an instant, that the one and only reason anyone has for taking your gun away is to make you weaker than he is, so he can do something to you that you wouldn't let him do if you were equipped to prevent it. This goes for burglars, muggers, and rapists, and even more so for policemen, bureaucrats, and politicians. -- Alexander Pope
---
535 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Mon, 15 Nov 2021, Matt Corallo wrote:

> Full headers follow, but it seems the shopify detection in the above isn't quite correct;

Thanks for the report, will fix.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Never forget, even for an instant, that the one and only reason anyone has for taking your gun away is to make you weaker than he is, so he can do something to you that you wouldn't let him do if you were equipped to prevent it. This goes for burglars, muggers, and rapists, and even more so for policemen, bureaucrats, and politicians. -- Alexander Pope
---
535 days since the first private commercial manned orbital mission (SpaceX)
Re: Seeing "check: exceeded time limit in ..." and need to resolve it
On Mon, 15 Nov 2021, Philip Prindeville wrote:

> On Nov 12, 2021, at 8:49 PM, John Hardin wrote:
>
>> On Fri, 12 Nov 2021, Philip Prindeville wrote:
>>
>>> I got the message, saved it to a flat file, and ran "spamassassin -t -D rules < netdev.eml" and saw:
>>>
>>> ...
>>> Nov 12 11:45:38.048 [36367] dbg: rules: ran eval rule __ANY_TEXT_ATTACH_DOC ==> got hit (1)
>>> ...
>>> Nov 12 11:45:38.063 [36367] dbg: rules: ran eval rule __ANY_TEXT_ATTACH ==> got hit (1)
>>> Nov 12 11:49:58.565 [36367] info: check: exceeded time limit in Mail::SpamAssassin::Plugin::Check::_eval_tests_type11_pri0_set1, skipping further tests
>>> ...
>>>
>>> Am I correct that __ANY_TEXT_ATTACH alone took 4:30s?
>>
>> "ran ... got hit" is past tense. And it needs to complete the rule to know whether it got a hit.
>>
>> 11:45:38.048 -> 11:45:38.063 = less than 20 msec.
>>
>> The next rule, whatever that was, is the one that timed out after 4m20s.
>
> Ah, the rule _eval_tests_type11_pri0_set1() took 4:20. Why can't I even find the rule?

Run it with "-D rules,rules-all" and it should list each rule as it starts executing.

>>> Could there be rules that *aren't* matching but are taking a while?
>>
>> It's timing out on a rule that's running away. The timeout triggers before "hit/no hit" is known.
>>
>> What would be helpful here would be logging of when a rule *starts* evaluation. Normally that would be painful, but for tracking a runaway it would be useful. Perhaps I can code up something to capture that and log it on a timeout...
>
> Whenever a rule gets started, you could save the name and start time, and then burp that during timeout handling, right?

The rule name at least.

>> If you want to send me that message zipped up I can try it here with those changes and see if it's a base rule running away.
>
> Sent out-of-band.
>
> Doh. Forgot to zip it.

I'll be happy to take a look, but running with rules-all at your end would be faster... I forgot I'd already added that.

But I will still take a look at capturing the rule name for the timeout message.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Never forget, even for an instant, that the one and only reason anyone has for taking your gun away is to make you weaker than he is, so he can do something to you that you wouldn't let him do if you were equipped to prevent it. This goes for burglars, muggers, and rapists, and even more so for policemen, bureaucrats, and politicians. -- Alexander Pope
---
535 days since the first private commercial manned orbital mission (SpaceX)
Re: Seeing "check: exceeded time limit in ..." and need to resolve it
On Sat, 13 Nov 2021, Loren Wilton wrote:
>> What would be helpful here would be logging of when a rule *starts* evaluation. Normally that would be painful, but for tracking a runaway it would be useful. Perhaps I can code up something to capture that and log it on a timeout...
>
> Actually what sounds like it would be useful would be knowing the name of the rule that timed out. I'm presuming when the timeout occurs that there is still some indication of the current rule being processed so it can be killed. I'd think that should be enough to backtrack to the rule name. A modification to the timeout message could display the name of the rule and even how long it took to that point.

That's what I was thinking when I said "capture and log".

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Running away is the coward's way out of a war; appeasement is the coward's way into a war. -- Thorax --- 532 days since the first private commercial manned orbital mission (SpaceX)
Re: Seeing "check: exceeded time limit in ..." and need to resolve it
On Sat, 13 Nov 2021, Henrik K wrote:
> On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wrote:
>> What would be helpful here would be logging of when a rule *starts* evaluation. Normally that would be painful, but for tracking a runaway it would be useful. Perhaps I can code up something to capture that and log it on a timeout...
>
> It already exists
>
> spamassassin -D all,rules-all < msg

Ugh, yeah, I remember doing that now.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Running away is the coward's way out of a war; appeasement is the coward's way into a war. -- Thorax --- 532 days since the first private commercial manned orbital mission (SpaceX)
Re: Seeing "check: exceeded time limit in ..." and need to resolve it
On Fri, 12 Nov 2021, Philip Prindeville wrote:
> I got the message, saved it to a flat file, and ran "spamassassin -t -D rules < netdev.eml" and saw:
> ...
> Nov 12 11:45:38.048 [36367] dbg: rules: ran eval rule __ANY_TEXT_ATTACH_DOC ==> got hit (1)
> ...
> Nov 12 11:45:38.063 [36367] dbg: rules: ran eval rule __ANY_TEXT_ATTACH ==> got hit (1)
> Nov 12 11:49:58.565 [36367] info: check: exceeded time limit in Mail::SpamAssassin::Plugin::Check::_eval_tests_type11_pri0_set1, skipping further tests
> ...
> Am I correct that __ANY_TEXT_ATTACH alone took 4:30s?

"ran ... got hit" is past tense. And it needs to complete the rule to know whether it got a hit.

11:45:38.048 -> 11:45:38.063 = less than 20 msec. The next rule, whatever that was, is the one that timed out after 4m20s.

> Could there be rules that *aren't* matching but are taking a while?

It's timing out on a rule that's running away. The timeout triggers before "hit/no hit" is known.

What would be helpful here would be logging of when a rule *starts* evaluation. Normally that would be painful, but for tracking a runaway it would be useful. Perhaps I can code up something to capture that and log it on a timeout...

If you want to send me that message zipped up I can try it here with those changes and see if it's a base rule running away.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The most glaring example of the cognitive dissonance on the left is the concept that human beings are inherently good, yet at the same time cannot be trusted with any kind of weapon, unless the magic fairy dust of government authority gets sprinkled upon them. -- Moshe Ben-David --- 531 days since the first private commercial manned orbital mission (SpaceX)
Re: Unicode considered harmful again
On Fri, 5 Nov 2021, Benny Pedersen wrote:
> On 2021-11-04 09:34, Damian wrote:
>> >> Please convert all source code to ASCII. If it fails to compile, then it may have a trojan hiding in Unicode clothing.
>> >Instructions unclear.
>> CVE 2021-42574
>>
>> It remains unclear (to me). What source code should spamassassin-users convert? Attached source code in emails? How should they convert, is there a SpamAssassin-Plugin? Should they install compilers on their mail system?
>
> https://bugs.gentoo.org/807781
>
> not all 3rd party have clean rules which leads to that problem
>
> ==
> $ perl -ne 'print "$. $_" if m/[\x80-\xFF]/' /var/lib/spamassassin/3.004006/updates_spamassassin_org/50_scores.cf
> 526 # Validity (née ReturnPath) Certified
> ==

And what of the BIDI sequence that actually causes the problem? All Of Unicode is not the problem.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r --- 2 days until Daylight Saving Time ends in U.S. - Fall Back Getting an extra hour of 2021 is like getting a free track on a Yoko Ono album.
Re: timeouts on processing some messages, started October 24
On Wed, 3 Nov 2021, Bill Cole wrote:
> The most common reason for SA to hit its internal timeout is the combination of a rule with a pattern that can generate a large number of backtracks while scanning (exponential or factorial order) and a message which causes such backtracking. Typically that's caused by a '*' or '+' in a pattern where a fixed range for the number of repeats should be used instead.

...or a non-greedy match if you're running a newer Perl.

> If you have any unbounded wildcards in your local rules, tightening those rules up should be your first step. If you can't find and fix the problematic rule by eye, you can get clues about it by scanning a problematic message with the "-D all" option to get a detailed rundown of what SA does in scanning a message. That will show you what rules are checked successfully. You can find a problematic rule by comparing that debug output from a bad message to that of a message which doesn't hang SA.

There's also the HitFreqsRuleTiming plugin if you're running in a dev environment and can let it scan for a potentially long time (until completion).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r --- 4 days until Daylight Saving Time ends in U.S. - Fall Back Getting an extra hour of 2021 is like getting a free track on a Yoko Ono album.
Re: Starting Clean with Bayes
On Sat, 23 Oct 2021, Benny Pedersen wrote:
> On 2021-10-20 16:58, John Hardin wrote:
>> On Wed, 20 Oct 2021, Axb wrote:
>>> On 10/19/21 8:06 PM, Jerry Malcolm wrote:
>>>> Where do I find a starter toks file?
>>>
>>> You don't need a "starter" file.
>>
>> Your Bayes starter is your training corpora, which you should retain in case you ever need to start over from scratch as you're doing now.
>
> no one asked how to make a backup/restore, which imho would have answered all this just like one would just use corpus retraining data

A backup is fine for migration. A backup of a database that has gone off the rails is useless.

It's fairly accepted that there's no such thing as a "generic starter Bayes database" due to the variability of peoples' ham.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- 511 days since the first private commercial manned orbital mission (SpaceX)
Re: Starting Clean with Bayes
On Wed, 20 Oct 2021, Axb wrote:
> On 10/19/21 8:06 PM, Jerry Malcolm wrote:
>> Where do I find a starter toks file?
>
> You don't need a "starter" file.

Your Bayes starter is your training corpora, which you should retain in case you ever need to start over from scratch as you're doing now.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- At what point then is the approach of danger to be expected? I answer, if it ever reach us, it must spring up amongst us. It cannot come from abroad. If destruction be our lot, we must ourselves be its author and finisher. As a nation of freemen, we must live through all time, or die by suicide. -- Abraham Lincoln ...popularly summarized as: "America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves." --- 508 days since the first private commercial manned orbital mission (SpaceX)
Re: FSL_BULK_SIG in 72_active.cf
On Tue, 5 Oct 2021, Matus UHLAR - fantomas wrote:
>>>>>>> It hits Pyzor for some reason. Get a PYZOR_CHECK=1.985. Must've picked the wrong checksum, chief! It does not appear that the actual rule matches the spirit of the rule.
>>>>>
>>>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>>>> Jared, looks to me like an FP in Pyzor.
>>>>
>>>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and attachments. (Haven't done stats tho, I can look during workweek.) Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have unsubscribe header.
>>>
>>> On 25.09.21 13:19, John Hardin wrote:
>>>> Perhaps it needs a short-message exclusion?
>>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> short messages with attachments. if you have an idea how, I'll be glad to try.
>
> On 25.09.21 15:04, John Hardin wrote:
>> I've done some masscheck review and tuning of it, added avoidance of hits on very short messages.
>
> I'm afraid it did not help. It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and FSL_BULK_SIG pushes such mail easily over default spam score.
>
> I just analyzed a few samples, a few also hit GMD_PDF_EMPTY_BODY with sa -D, many of them hit __HTML_LENGTH_1024_1536 (damn microsoft! 1k of "empty" message).
>
> OK, I will work around locally.

I noticed the PDF attachment hit in masschecks, but presumed (since the attachments were images) that it wasn't germane to the OP's problem. I should have added an exclusion for that as well. I will later today, work is booting up... :)

I'd be interested in the rule hits if you're willing to share.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- 493 days since the first private commercial manned orbital mission (SpaceX)
Re: FSL_BULK_SIG in 72_active.cf
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>> It hits Pyzor for some reason. Get a PYZOR_CHECK=1.985. Must've picked the wrong checksum, chief! It does not appear that the actual rule matches the spirit of the rule.
>>>
>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>> Jared, looks to me like an FP in Pyzor.
>>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and attachments. (Haven't done stats tho, I can look during workweek.) Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have unsubscribe header.
>
> On 25.09.21 13:19, John Hardin wrote:
>> Perhaps it needs a short-message exclusion?
>
> short messages with attachments. if you have an idea how, I'll be glad to try.

I've done some masscheck review and tuning of it, added avoidance of hits on very short messages.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- But if there is no such inalienable right [to self defense], the entire nature of the social contract is changed. Each man’s worth is measured solely by his utility to the state, and as such the value of his life rides a roller coaster not unlike the stock market: dependent not only upon the preferences of the party in power but upon the whims of its political leaders and the permanent bureaucratic class. -- Mike McDaniel --- 4 days until the 80th anniversary of the massacre at Babi Yar Disarmament enables genocide - Registration enables disarmament
Re: FSL_BULK_SIG in 72_active.cf
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> It hits Pyzor for some reason. Get a PYZOR_CHECK=1.985. Must've picked the wrong checksum, chief! It does not appear that the actual rule matches the spirit of the rule.
>
> On 23.09.21 22:07, Kevin A. McGrail wrote:
>> Jared, looks to me like an FP in Pyzor.
>
> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and attachments. (Haven't done stats tho, I can look during workweek.) Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have unsubscribe header.

Perhaps it needs a short-message exclusion?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control laws aren't enacted to control guns, they are enacted to control people: catholics (1500s), japanese peasants (1600s), blacks (1860s), italian immigrants (1911), armenians (1911), the irish (1920s), jews (1930s), blacks (1960s), the poor (always) --- 4 days until the 80th anniversary of the massacre at Babi Yar Disarmament enables genocide - Registration enables disarmament
RE: Question about whitelisting of naadac.org
On Thu, 12 Aug 2021, Lukasz Maik wrote:
> Dear John,
>
> Sure, please find full tests results here: https://www.mail-tester.com/test-bw02eaxrt
>
> We've lost a point for not having DKIM/DMARC authentication, which is unfortunately not supported by our hosted exchange.

That's not something SA scores for.

> We also lost 0.5 point for not having alt attribute in the images, so we will add it.

That's also not something SA scores for.

The above problems are things mail-tester thinks you can do to improve your message, independent of whatever SA thinks of it.

The net SA score for that test message is 0.644 points, which is well under the default spam threshold of 5 points. This is in the headers in that test message:

X-Spam-Status: No/0.7/5.0

"No".

I agree with Bill's comments regarding www.mail-tester.com, and echo that "www.naadac.org" is not listed at SBL.

> Total is 7.8/10.

Meaningless.

> The problem, when user is sending normal work e-mails, recipients are finding those messages in the Junk Email folder. Even people he was previously working with before.

If we could see one of *those* mails (which was quarantined in a production environment versus analyzed in a misconfigured and stale theoretical environment), with all headers intact (<- this is important), then we might be able to tell you why it ended up there.

> Kind Regards
> Lukas
>
> -----Original Message-----
> From: John Hardin
> Sent: Thursday, August 12, 2021 5:43 AM
> To: users@spamassassin.apache.org
> Subject: Re: Question about whitelisting of naadac.org
>
> On Wed, 11 Aug 2021, Lukasz Maik wrote:
>> Hi All,
>>
>> The company naadac.org is experiencing problems with their e-mails being marked as SPAM, when they are putting link to their domain https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.naadac.org%2F&data=04%7C01%7CLukasz.Maik%40ricoh-europe.com%7Cd9ba04e2fffa42bd4b1b08d95d435fec%7Cdd29478d624e429eb453fffc969ac768%7C0%7C0%7C637643367114945933%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=IkcJvzYcpJvlUWr3l%2FzGbvD3IbSSaeia66LNwTjOj60%3D&reserved=0 in the signature of their mails. Is it possible to whitelist this domain/link in your SPAM filtering? Results from the mail-tester.com tool are available below:
>>
>> [cid:image001.png@01D78EFB.CD78CAE0]
>
> 0.644 points is not sufficient to mark a message as spam using the default scoring, and isn't worth hitting the panic button. If it's being marked as spam by some recipients, there are other reason(s). Is this analysis the only thing you are basing your analysis on?
>
> As Kenneth said, contact Spamhaus regarding why that domain is listed.
>
> In order to offer more advice, we would have to see the results from a site that is actually marking such a message as spam (i.e. where it's scoring 5 or more points).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...every time I sit down in front of a Windows machine I feel as if the computer is just a place for the manufacturers to put their advertising. -- fwadling on Y! SCOX --- Today: the 900th anniversary of the muslim Seljuq defeat at Didgori
Re: Question about whitelisting of naadac.org
On Wed, 11 Aug 2021, Lukasz Maik wrote:
> Hi All,
>
> The company naadac.org is experiencing problems with their e-mails being marked as SPAM, when they are putting link to their domain www.naadac.org in the signature of their mails. Is it possible to whitelist this domain/link in your SPAM filtering? Results from the mail-tester.com tool are available below:
>
> [cid:image001.png@01D78EFB.CD78CAE0]

0.644 points is not sufficient to mark a message as spam using the default scoring, and isn't worth hitting the panic button. If it's being marked as spam by some recipients, there are other reason(s). Is this analysis the only thing you are basing your analysis on?

As Kenneth said, contact Spamhaus regarding why that domain is listed.

In order to offer more advice, we would have to see the results from a site that is actually marking such a message as spam (i.e. where it's scoring 5 or more points).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The difference between ignorance and stupidity is that the stupid desire to remain ignorant. -- Jim Bacon --- Tomorrow: the 900th anniversary of the muslim Seljuq defeat at Didgori
Re: Website "help" spams
On Thu, 29 Jul 2021, Robert S wrote:
> I am getting deluged with emails coming from semi-legitimate looking sources offering to "improve" my website, which is hosted with the same domain name as my email address (example below). Does anybody have a rule that helps to increase the spam score of these, or any other tips? My email address isn't on the website. The message below got a score of 4.6 (5 required to be marked as spam).
>
> Thanks & Regards,
> Nikita Bee – SEO Manager

"SEO Manager" seems a good indicator.

body SEO_SOMETHING /\bSEO (?:[Mm]anager|[Aa]dvisor|[Cc]onsultant)/

Intentionally *not* case-insensitive.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Britain used to be the most powerful empire in the world. Now they're terrified of pocketknives. How the mighty have fallen. -- Matt Walsh --- 7 days until the 286th anniversary of John Peter Zenger's acquittal
Re: DKIM_* scores
On Mon, 26 Jul 2021, RW wrote:
> On Mon, 26 Jul 2021 18:05:35 +0100 RW wrote:
>> "&& !DKIM_SIGNED " means the rule can only be true if there's no signature, so none of the terms with __DKIM_DEPENDABLE, DKIM_VALID, and DKIM_VALID_AU make any difference.
>
> Actually it's worse than that: __DKIM_DEPENDABLE is always true if there are no signatures, so !DKIM_SIGNED && !__DKIM_DEPENDABLE is always false.

Thanks for pointing that out.

Those are "FP exclusions", not part of the base rule logic - generated by inspecting the ruleqa results and excluding hits on other rules where the combination is hammy and not (or very weakly, like 1%) spammy. The interactions of combinations of those exclusions aren't considered.

They also need to be reviewed periodically, which I'm doing now for XPRIO. __DKIM_DEPENDABLE is no longer a useful FP exclusion for XPRIO, as it hits 100% of the spam hits.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Maxim IX: Never turn your back on an enemy. --- 8 days until the 286th anniversary of John Peter Zenger's acquittal
Re: Email Phishing and Zloader: Such a Disappointment
On Sun, 11 Jul 2021, Kenneth Porter wrote:
> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall wrote:
>> The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by telling him to enable the document for editing and enabling "content" (ie. macros). Hiding macros from the user in this way (calling them "content") is a terrible piece of UI.
>
>> Both articles conclude with the statement "We suggest it is safe to enable them (macros) only when the document received is from a trusted source". I really don't understand that comment since the entire unique nature of the exploit is to disable the macro warnings entirely.
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this evades the usual scanners:
>
> <https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>
>
> The Word document is assembled from MIME fragments so there's no extension to block.

"The other parts contain an application/vnd.ms-officetheme and an application/x-mso file. Which (in addition to the text/xml files) are used by Microsoft Word to load the embedded Word document."

Would the presence of all three of those MIME types be a scorable indicator?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine --- 9 days until the 52nd anniversary of Apollo 11 landing on the Moon
Re: number in sender name
On Sun, 11 Jul 2021, Martin Gregorie wrote:
> BTW, the online regex development page URLs I gave were working as expected at the time I wrote that note.

I second those resources, especially regex101.com - it has a visual debugger that will step through the pattern matching process. It's *very* helpful when you just can't figure out why the RE is failing.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine --- 9 days until the 52nd anniversary of Apollo 11 landing on the Moon
Re: number in sender name
On Sat, 10 Jul 2021, Joe Acquisto-j4 wrote:
> Using SpamAssassin 3.4.5 (2021-03-20)
>
> Perhaps memory fails, but was there not, once, a standard rule that detected non alpha characters in sender name? The domain/provider is not of interest for this question.
>
> Such as this item (not the actual sender name)
>
> * 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
> * provider
> * [abcd531if7[at]gmail.com]

https://ruleqa.spamassassin.org/20210709-r1891395-n/__FROM_ENDS_IN_NUMS/detail

It's not currently used in any scored base rules, though.

Related base rules:

FROM_STARTS_WITH_NUMS
__FROM_ALL_NUMS
__TO_ALL_NUMS
__FM_TO_ALL_NUMS

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Back in 1969 the technology to fake a Moon landing didn't exist, but the technology to actually land there did. Today, it is the opposite. -- unknown --- 10 days until the 52nd anniversary of Apollo 11 landing on the Moon
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Fri, 28 May 2021, Greg Troxel wrote:
> John Hardin writes:
>> On Thu, 27 May 2021, Greg Troxel wrote:
>>> The other problem on a small number of messages was RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but getting a message of 1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5 points is a lot for something likely to appear in legitimate mail. (In my case it was a notification of air conditioning shutdown in a particular building, and that's all there was to say.)
>>
>> Score limit adjusted.
>
> Thanks.
>
>> Do you know whether it happened to hit ALL_TRUSTED? I added an exclusion for that.
>
> It did not hit ALL_TRUSTED, and I'd say that's not really wrong. The edu in question has outlook hosted mail which has a lot of servers. I'm not actually part of the edu, but am on some lists, and have something to do with it. I expanded trusted_networks and then it did hit, but the rule still fired.

That exclusion won't be published until sometime today.

I wasn't suggesting expanding ALL_TRUSTED, I was just curious as to whether you had a relationship to the school and had added their MTAs to your trusted list because of that.

> I will see if after the regexp fixes just made arrive on my system, it's still the case.

I also modified the header check to restrict it to .edu RDNS, so if their email is hosted by Outlook it probably isn't going to hit any longer anyway.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- 3 days until Memorial Day - honor those who sacrificed for our liberty
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Fri, 28 May 2021, RW wrote:
> There is a minor problem:
>
> header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
>
> allows a match on "by=" from the LE header, when it should just be on helo/rdns.

D'oh! Fixed, thanks for catching that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The ["assault weapons"] ban is the moral equivalent of banning red cars because they look too fast. -- Steve Chapman, Chicago Tribune --- 4 days until Memorial Day - honor those who sacrificed for our liberty
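The bug RW describes, reproduced on constructed data as an added example (not code from the thread or from the SpamAssassin rules): the original subrule pattern matches anywhere in the X-Spam-Relays-External pseudo-header, so a `.edu` receiving host in `by=` fires it. The tightened pattern and the field-aware parser below are my own illustration of restricting the check to `helo=`/`rdns=`, not the fix that was actually committed; the relay layout follows SA's `[ key=value ... ]` convention and the hostnames are made up.

```python
import re

# Constructed X-Spam-Relays-External pseudo-headers in SpamAssassin's
# "[ key=value ... ]" per-relay layout. Hostnames and addresses are made up.
RELAYS_BY_EDU = (
    "[ ip=192.0.2.10 rdns=mail.example.net helo=mail.example.net "
    "by=mx.school.example.edu ident= envfrom= intl=0 id= auth= msa=0 ]"
)
RELAYS_RDNS_EDU = (
    "[ ip=192.0.2.11 rdns=smtp.school.example.edu helo=smtp.school.example.edu "
    "by=mx.example.net ident= envfrom= intl=0 id= auth= msa=0 ]"
)
RELAYS_NO_EDU = (
    "[ ip=192.0.2.12 rdns=mail.example.org helo=mail.example.org "
    "by=mx.example.net ident= envfrom= intl=0 id= auth= msa=0 ]"
)

# The subrule pattern quoted in the thread: it is applied to the whole
# pseudo-header, so ".edu " inside by= (the receiving host) matches too.
LOOSE = re.compile(r"\.edu\s", re.I)

# Assumed tightened pattern (my own, not the fix SA published): anchor the
# match to the helo= or rdns= field so the receiving host is ignored.
TIGHT = re.compile(r"\b(?:helo|rdns)=\S*\.edu\s", re.I)


def parse_relays(relays: str) -> list:
    """Split a Relays pseudo-header into one {field: value} dict per relay."""
    out = []
    for body in re.findall(r"\[\s*(.*?)\s*\]", relays):
        fields = {}
        for tok in body.split():
            key, _, value = tok.partition("=")
            fields[key] = value
        out.append(fields)
    return out


def loose_hits(relays: str) -> bool:
    """Would the original /\\.edu\\s/i subrule fire on this header?"""
    return bool(LOOSE.search(relays))


def tight_hits(relays: str) -> bool:
    """Would the helo/rdns-anchored variant fire on this header?"""
    return bool(TIGHT.search(relays))


def dotedu_sender_fields(relays: str) -> list:
    """Per relay, the sender-side fields (helo/rdns) whose value ends in .edu.
    This is the field-aware check that the anchored regex approximates."""
    return [
        sorted(k for k in ("helo", "rdns") if r.get(k, "").lower().endswith(".edu"))
        for r in parse_relays(relays)
    ]


if __name__ == "__main__":
    for name, relays in (("by=.edu", RELAYS_BY_EDU), ("rdns=.edu", RELAYS_RDNS_EDU)):
        print(f"{name}: loose={loose_hits(relays)} tight={tight_hits(relays)} "
              f"fields={dotedu_sender_fields(relays)}")
```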
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Thu, 27 May 2021, Greg Troxel wrote:
> The other problem on a small number of messages was RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but getting a message of 1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5 points is a lot for something likely to appear in legitimate mail. (In my case it was a notification of air conditioning shutdown in a particular building, and that's all there was to say.)

Score limit adjusted.

Do you know whether it happened to hit ALL_TRUSTED? I added an exclusion for that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The ["assault weapons"] ban is the moral equivalent of banning red cars because they look too fast. -- Steve Chapman, Chicago Tribune --- 4 days until Memorial Day - honor those who sacrificed for our liberty
RE: Header exists with a dollar sign in it
On Wed, 26 May 2021, Douglas, Daniel wrote:
> We need to detect it so that we can route emails with that header to a different server.

SpamAssassin does scoring, not routing. Isn't it important that your *MTA* be able to detect that header?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- 5 days until Memorial Day - honor those who sacrificed for our liberty
Re: heads up for false uribl black hits
On Thu, 20 May 2021, Riccardo Alfieri wrote:
> On 20/05/21 18:59, Benny Pedersen wrote:
>>> Is that not working correctly?
>>
>> only place i find it https://spameatingmonkey.com/lookup/libera.chat
>
> Hi, by checking: http://multirbl.valli.org/lookup/libera.chat.html it looks like that is indeed listed on URIBL too: http://lookup.uribl.com/?domain=libera.chat
>
> Or at least it is *now*, maybe it comes and goes for some reasons

...and now it's listed at https://admin.uribl.com/ as well.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- To be civilized is to restrain the ability to commit mayhem. To be incapable of committing mayhem is not the mark of the civilized, merely the domesticated. -- Trefor Thomas --- 355 days since the first private commercial manned orbital mission (SpaceX)
Re: heads up for false uribl black hits
On Thu, 20 May 2021, Noel Butler wrote:
> On 20/05/2021 11:58, Bill Cole wrote:
>> On 2021-05-19 at 21:13:41 UTC-0400 (Thu, 20 May 2021 11:13:41 +1000) Noel Butler is rumored to have said:
>>> By now most of you are aware of the hostile takeover of freenode and the mass exodus that's currently underway (if not see kline.sh for more) [1]
>>>
>>> Interestingly it seems uribl.com has the replacement, I'm going to obfuscate it else you won't likely see this :) just replace digits with their alpha lib3ra dott ch4t in their listings, interesting because they don't seem to list new domains that way and that one is new, heh maybe andrew lee controls that too, who knows...
>>
>> The new domain was NOT listed in any RHSBL at 13:55 UTC. OTOH, they didn't like something about my usual single-venue address pattern so I had to register with an alternative tagging pattern.
>
> still listed in URI
>
> Domain     Status                  Manage
> libe.cxxx  Listed on URIBL black

Odd, the URIBL website lookup tool says libera (.chat) is not listed, and didn't yesterday when you first posted this.

https://admin.uribl.com/

Lookup Results (obfuscated just in case)

Domain       Status
libera_chat  NOT Listed on URIBL

Is that not working correctly?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- 355 days since the first private commercial manned orbital mission (SpaceX)
Re: RCVD_IN_DNSWL_HI false positives
On Thu, 13 May 2021, Henrik K wrote:
> On Thu, May 13, 2021 at 01:34:37PM -0400, Greg Troxel wrote:
>> I wonder if it would be sensible for spamassassin to have a configuration option for all default-on dnsrbls (one option, applying to all):
>>
>> disabled
>> auto
>> enabled
>>
>> where the default is auto, and auto means "enabled if resolver is 127.0.0.1, ::1 or localhost, else disabled".
>
> No. Local resolver could be configured to forward everything to Google.

True, but that would be a conscious configuration.

> Or all servers could have one central nameserver in the local network.

So add "on local network".

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: FROMNAME and PDS_FROM_2_EMAILS
On Sun, 9 May 2021, RW wrote:
> PDS_FROM_2_EMAILS is similar to what the plugin does, but it contains exclusions that, amongst other things, reduce matches on mail from actual mail servers. It includes "&& !__DKIM_EXISTS", so it's useless in the case where it is from an account or mail-system abused to gain a DMARC pass.

That was done because only (or mostly) masscheck corpora ham was hitting that combination.

overlap ham: 95% of __PDS_FROM_2_EMAILS hits also hit __DKIM_EXISTS; 1% of __DKIM_EXISTS hits also hit __PDS_FROM_2_EMAILS (spam 6%)

Excluding DKIM_VALID_AU is a little better from the POV of not ignoring spam, but it excludes less ham:

overlap ham: 72% of __PDS_FROM_2_EMAILS hits also hit DKIM_VALID_AU; 1% of DKIM_VALID_AU hits also hit __PDS_FROM_2_EMAILS (spam 2%)

...possibly because fewer sites sign the author?

If you want to build a meta rule regarding a from name mismatch, you should be using the raw __PDS_FROM_2_EMAILS subrule, **not** the FP-reduced scored rule PDS_FROM_2_EMAILS.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- Today: the 76th anniversary of VE day
Re: How do I search and capture text for use in a rule?
On Fri, 7 May 2021, Steve Dondley wrote:

> On 2021-05-07 10:33 AM, Henrik K wrote:
>> On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
>>> I want to extract the first part of an email address from the "Delivered-To" header and use it within a custom rule. Example pseudo code:
>>>
>>>   my ($first_part) = $email_file =~ /^Delivered-To: (.*)/;
>>>   body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>>>
>>> How can I do this in my .cf file?
>>
>> With a silly kludge, a full rule that matches the complete raw email with a single regex. Example in stock rules:
>>
>>   full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
>>
>> So something like (untested)
>>
>>   full __LOCAL_AWKWARD_INTRO /^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)/sm
>
> Thanks. I don't quite understand the {1,2048} bit. That looks like a look ahead assertion up to 2048 characters? What is magical about 2048?

A limit there is to prevent runaway matching and excessive scan times.

> What if the "Delivered-To" header is more than 2048 characters away from the salutation, which doesn't seem unlikely.

That is indeed a shortcoming with this approach. As Henrik says, it's a kludge.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
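As an added illustration (not code from the thread and not a SpamAssassin rule), here is Henrik's untested rule rendered in Python's re module and run over a constructed message. The helper builds messages with an adjustable number of padding headers between Delivered-To and the salutation, so both the bounded lookahead and the shortcoming Steve raises can be seen directly: once the salutation sits more than 2048 characters after the captured local part, the rule stops firing. The header names, addresses and body text are made up for the example.

```python
"""The 'full' rule kludge: capture the Delivered-To local part and require it in the salutation."""
import re
from typing import Optional

# Python rendering of Henrik's (untested) rule:
#   full __LOCAL_AWKWARD_INTRO /^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)/sm
# re.S lets '.' cross newlines and re.M anchors '^' at line starts, as Perl's /sm do.
# The backreference \1 inside the lookahead is what ties the salutation to the header.
AWKWARD_INTRO_RE = re.compile(
    r"^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)", re.S | re.M)


def awkward_intro_hit(raw_message: str) -> Optional[str]:
    """Return the captured local part when the rule fires, else None."""
    m = AWKWARD_INTRO_RE.search(raw_message)
    return m.group(1) if m else None


def build_message(local_part: str, padding_lines: int) -> str:
    """Constructed raw message: Delivered-To, two fixed headers, N padding headers, then 'Hi <local_part>,'.

    Each padding header is 79 characters plus CRLF, so roughly 25 of them push the
    salutation past the 2048-character window of the lookahead.
    """
    headers = [
        "Delivered-To: <%s@example.invalid>" % local_part,
        "From: Someone <sender@example.invalid>",
        "Subject: hello",
    ]
    padding = ["X-Pad-%03d: %s" % (i, "x" * 68) for i in range(padding_lines)]
    body = ["", "Hi %s," % local_part, "", "please find attached invoice"]
    return "\r\n".join(headers + padding + body) + "\r\n"


if __name__ == "__main__":
    for n in (0, 20, 30):
        print(n, "padding headers ->", awkward_intro_hit(build_message("steve", n)))
```

Note the match is case-sensitive, as the rule in the thread has no /i: a Delivered-To of "steve" will not match "Hi Steve"; adding /i helps with the salutation but the backreference still compares the exact characters.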
Re: How do I search and capture text for use in a rule?
On Fri, 7 May 2021, Henrik K wrote:

> On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
>> I want to extract the first part of an email address from the "Delivered-To" header and use it within a custom rule. Example pseudo code:
>>
>>   my ($first_part) = $email_file =~ /^Delivered-To: (.*)/;
>>   body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>>
>> How can I do this in my .cf file?
>
> With a silly kludge, a full rule that matches the complete raw email with a single regex.

We're discussing neater ways to do that on the dev list, it's something that's been desired for a long time.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: ExtractText and docx
On Thu, 6 May 2021, Alex wrote:

> Hi,
> I'm trying to use the latest ExtractText plugin, but the docx2txt program the plugin references is no longer available from http://docx2txt.sourceforge.net
>
> Do you have any recommendations for an alternative...?

Perhaps one of (from Stack Overflow):

  unzip -p some.docx word/document.xml |\
    sed -e 's/<[^>]\{1,\}>//g; s/[^[:print:]]\{1,\}//g'

  unzip -p document.docx word/document.xml |\
    sed -e 's/<\/w:p>/\n/g; s/<[^>]\{1,\}>//g; s/[^[:print:]\n]\{1,\}//g'

  unzip -p document.docx word/document.xml |\
    sed -e 's/<\/w:p>/ /g; s/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g'

...though html2text might be better than sed for reliably de-XMLizing the document text.

There's also this: http://abisource.com/downloads/wv/

There's conflicting information on whether Antiword groks .docx, you may want to try it and see. It may be available from your distro, otherwise: http://www.winfield.demon.nl/index.html

It might be worthwhile to use native perl utilities to unzip the file, extract the document.xml content and pass it through XML::XPath to extract the text, but that would probably involve code changes to ExtractText rather than just configuring it to use an external utility.

Caveat: I have never looked at the ExtractText plugin.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
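The in-process approach John sketches (unzip, pull document.xml, extract the text nodes), as an added Python example; it is not the ExtractText plugin, not Perl, and not a drop-in for the unzip/sed pipelines. Two details matter for mail filtering that the sed one-liners gloss over: the inflated size of document.xml is capped, since a tiny attachment can expand into gigabytes, and the <w:t> runs of each paragraph are joined before anything looks at the text, because Word routinely splits one visible phrase across several runs. build_sample_docx fabricates a minimal document for testing; it is not a file produced by Word, and the 20 MiB cap is an assumed value.

```python
"""Extract visible text from a .docx in-process: read word/document.xml and join the <w:t> runs per paragraph."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Assumed cap on the inflated size of document.xml (zip-bomb guard); tune for your mail sizes.
MAX_XML_BYTES = 20 * 1024 * 1024


def docx_to_text(data: bytes, max_xml_bytes: int = MAX_XML_BYTES) -> str:
    """Return the document's non-empty paragraphs, one per line, in document order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        with zf.open("word/document.xml") as fh:
            # Cap the bytes actually inflated rather than trusting the declared size.
            xml_bytes = fh.read(max_xml_bytes + 1)
    if len(xml_bytes) > max_xml_bytes:
        raise ValueError("word/document.xml exceeds %d bytes when inflated" % max_xml_bytes)
    # ElementTree's expat parser does not fetch external entities; for fully
    # untrusted input, wrapping this in defusedxml adds a further layer.
    root = ET.fromstring(xml_bytes)
    paragraphs: List[str] = []
    for p in root.iter("{%s}p" % W_NS):
        # One sentence is often spread over many <w:t> runs; join them before matching.
        text = "".join(t.text or "" for t in p.iter("{%s}t" % W_NS)).strip()
        if text:
            paragraphs.append(text)
    return "\n".join(paragraphs)


def build_sample_docx(paragraph_runs: List[List[str]]) -> bytes:
    """Constructed minimal .docx (not produced by Word): each inner list is one paragraph's runs."""
    body = "".join(
        "<w:p>"
        + "".join('<w:r><w:t xml:space="preserve">%s</w:t></w:r>' % escape(r) for r in runs)
        + "</w:p>"
        for runs in paragraph_runs
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx([["Your ", "invoice", " is attached"], ["Pay ", "now: <urgent>"]])
    print(docx_to_text(sample))
```

Headers, footers, text boxes and comments live in other parts of the package (word/header1.xml and friends), so a production extractor should walk those too; the same loop works on each of them.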
Re: My 10 years old domain have a bad TLD
On Tue, 4 May 2021, Denis Chenu wrote:

> Yes, You receive spam from pro and then all pro gTLD owner received a punishment.

One whole point. Wooo.

You're badly overreacting to this. This rule is not a "poison pill", it will not by itself put your mail over a threshold leading to it being quarantined, rejected or discarded.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: My 10 years old domain have a bad TLD
On Mon, 3 May 2021, Denis Chenu wrote:

> Is there a way other than change my domain to fix score and get again a perfect score.

If you obsess about a "perfect score" you will never be happy. If all you're getting dinged for is one point for your unusual TLD, your mail is still getting through.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: More fake order spam
On Wed, 28 Apr 2021, Giovanni Bechis wrote:

> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
>>
>> I have disabled this rule some time ago. Many spammers use mailing list or their signatures.
>
> Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded score ?

According to masscheck it's a fairly hammy indicator:

https://ruleqa.spamassassin.org/20210427-r1889231-n/MAILING_LIST_MULTI/detail#new

   SPAM%     HAM%    S/O   RANK  SCORE  NAME
  3.4717  19.9221  0.148   0.48  -1.00  MAILING_LIST_MULTI

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: More fake order spam
On Tue, 27 Apr 2021, @lbutlr wrote:

> On 27 Apr 2021, at 11:57, Steve Dondley wrote:
>> On 2021-04-27 01:19 PM, Dave Wreski wrote:
>>> Invalid List-ID. You can then use that with other weirdness in a meta.
>>>
>>>   header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
>>>   meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
>>>   score LIST_ID_IMPROPER_FORMAT 0.001
>>>   describe LIST_ID_IMPROPER_FORMAT List-id has improper format
>>
>> You lost me here. The spam has this:
>>
>>   List-Id: MzY3NDAxMi01Nzg2LTU=
>>
>> That's not legit? It's in brackets.
>
> That was my question as well, AFAIK that conforms to the requirements of a List-ID header. Looks legit to me.
>
> This is the spec. ...
>
> Starts with one of atext? Yep. No consecutive periods? Yep. What's the problem?

SpamAssassin is not a standards-compliance audit tool. If a given header formatting is compliant but weird and appears more in spam than in ham, it's useable.

What catches my eye about that header is that it appears to be base64 encoded, and is *not* "properly" annotated with a character set like:

  =?ISO-8859-1?B?MzY3NDAxMi01Nzg2LTU=?=

Thus, while compliant to the spec, the format may make it a useful spam sign.

FWIW, I have one example like that in my ham:

  List-Id: MTYxNzU4MS0zNjUtMg==

and several in spam:

  List-Id: MjMwNDI4NS05OTM1MDktMTI=
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ=
  List-Id: MjcyODE0MS02ODgxNTktNDQ=
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ=
  List-Id: MzAzNzIzMS0yMzk4NzEtMTA=
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ=
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ=
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ=

It appears to be a feature of a specific mailing list or mass mailing application - Sendinblue, perhaps, as the ham has:

  X-Mailer: Sendinblue

Is it worth a rule for evaluation in masscheck? Maybe. Not tonight, though.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
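The sign John picks out, as an added Python check (not a SpamAssassin rule and not anything from the stock ruleset): a List-Id whose value is neither the <name.domain> shape Dave's subrule looks for nor an RFC 2047 encoded-word, but is strict base64 that decodes to printable ASCII. ANGLE_ID_RE reproduces Dave's regex; the encoded-word and bare-base64 patterns, the minimum length and the surrounding-bracket handling are assumptions. The sample values are the ones quoted in the thread, and the decoded forms show what these lists are actually carrying (numeric list/campaign identifiers).

```python
"""Flag a List-Id that is a bare base64 token instead of <name.domain> or an RFC 2047 encoded-word."""
import base64
import binascii
import re
from typing import Optional

# The well-formed shapes: <token.domain> as in Dave's subrule above, or =?charset?B?...?= per RFC 2047.
ANGLE_ID_RE = re.compile(r"<[\w-]+(\.[\w-]+)+>")
ENCODED_WORD_RE = re.compile(r"=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=")
# Bare base64: alphabet plus up to two '=' of padding; the length check below requires a multiple of 4.
BARE_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_bare_base64(token: str) -> Optional[str]:
    """Decode token if it is strict base64 of printable ASCII, else None.

    Short ordinary words can be valid base64 too, so the decoded bytes must also
    be printable ASCII before we treat the token as an encoded identifier.
    """
    if len(token) % 4 or not BARE_B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def list_id_is_bare_base64(header_value: str) -> bool:
    """True when the whole List-Id value (optionally wrapped in <>) is an undeclared base64 blob."""
    value = header_value.strip()
    if ANGLE_ID_RE.search(value) or ENCODED_WORD_RE.search(value):
        return False
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1].strip()
    return decode_bare_base64(value) is not None


if __name__ == "__main__":
    # Values quoted in the thread; the ham one first, then a spam one.
    for v in ("MTYxNzU4MS0zNjUtMg==", "MzY3NDAxMi01Nzg2LTU=", "=?ISO-8859-1?B?MzY3NDAxMi01Nzg2LTU=?="):
        print(v, list_id_is_bare_base64(v), decode_bare_base64(v.strip("<>")))
```

Because John's own corpus has the same shape in ham, this belongs as a low-scoring subrule feeding a meta with other oddities, exactly as Dave suggests, rather than as a standalone score.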
Re: Bad entries in HOSTKARMA_W
On Tue, 27 Apr 2021, Ted Mittelstaedt wrote:

> My guess is if you contact the admin of hostkarma directly and offer to host a honeypot he might take you up on it. But that still won't give you the ability to change anything in the database. I cannot imagine trusting a RBL that allowed any humans to blacklist something. Whitelisting is different - you cannot trust the computer to get it right all the time and there's going to always be IPs BLed that shouldn't be. But allowing people to BL stuff is just opening the door for attackers to target or retaliate against hosts.

IIRC the Hostkarma list is fed by people pointing a backup MX DNS host record at *their* MTAs so that they can analyze the traffic and harvest the spammers doing "use backup MX to avoid filtering on the primary MX". I clearly recall being surprised that Marc assumed people would be willing to do that with their email.

Sherman, set the wayback machine for (goodness) 2009...

  Marc Perkel wrote:
  > No list is perfect. Thanks for reporting it. Although I try to get everything right there will always be mistakes. Sometimes I do get to leaning white because false positives are 100 times worse than a few spams getting through. Probably what happened with that is that the sender does a pretty good job of stopping spam and after we get 25 good emails and no spam they get white listed. So what a spam sneaks through is gets past.
  > ...
  > err...@junkemailfilter.com will work.

If that's still the way it works, then reducing the score to -1.0 or even -0.5 sounds reasonable. There were a lot of "I did that too" comments back then.

Maybe the way it works has changed since Marc died.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: XM_RANDOM rule seems to hit too often
On Mon, 26 Apr 2021, John Hardin wrote:

> Thanks for your report. I've added some exclusions and resuced the score limit.

"reduced". The coffee hasn't reached my fingertips yet.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: XM_RANDOM rule seems to hit too often
On Mon, 26 Apr 2021, jahli...@gmx.ch wrote:

> For the last couple of days we have seen many hits of the XM_RANDOM rule on legit mail. Samples of X-Mailers it hits:
>
>   X-Mailer: AspQMail 2.0 4.03 (QSM260971F)
>   X-Mailer: WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.27.0; Android/11; RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)
>   X-Mailer: WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.10.5; Android/10; QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)
>   X-Mailer: Traveler 11.0.2.0 Build 202010261910_30 on server DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]
>
> Especially the AspQMail (hits on stuff within '()') and the yahoo mailer are quite common in our message flow. Think that rule should be revised.

Thanks for your report. I've added some exclusions and resuced the score limit.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?
On Sun, 25 Apr 2021, Alan wrote:

> I've posted to a 13 month old thread on the cPanel forums that was left at "we'll update you", asking for an update. I can't see any useful purpose to having that header in there.

There isn't. Why should the spam score provided by the sender be trusted by anyone else?

If you're scanning outbound messages then use the results in your decision whether to send the message on from your system, but don't include the results as they aren't useful to anyone downstream and are trivially abusable.

I've reduced the score limit to 2.0 and I'm looking for more ham exclusions.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Two different machines running same version of SA giving different scores for scores that are commented out
On Sun, 25 Apr 2021, John Hardin wrote:

> On Sun, 25 Apr 2021, Steve Dondley wrote:
>> On 2021-04-25 01:00 AM, John Hardin wrote:
>>> On Sun, 25 Apr 2021, Steve Dondley wrote:
>>>> That rule has this line in the 72_active.cf file:
>>>
>>> Look in 72_scores.cf and compare the modification dates on that file.
>>
>> The date is Jan 30, 2020. I'm running SA 3.4.4 (the version supplied by backports on my debian machine).
>
> Then sa-update is not running. Those scores are more than a year old. Fix that first.

...which you did. Ah, the hazards of answering as you read...

> The installs might be giving different scores for the same rule due to configuration differences - for example, one might have Bayes enabled and the other doesn't, or one might have network checks enabled and the other does not.

It sounds like this isn't the case as your scores are now the same.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Two different machines running same version of SA giving different scores for scores that are commented out
On Sun, 25 Apr 2021, Steve Dondley wrote:

> On 2021-04-25 01:00 AM, John Hardin wrote:
>> On Sun, 25 Apr 2021, Steve Dondley wrote:
>>> That rule has this line in the 72_active.cf file:
>>
>> Look in 72_scores.cf and compare the modification dates on that file.
>
> The date is Jan 30, 2020. I'm running SA 3.4.4 (the version supplied by backports on my debian machine).

Then sa-update is not running. Those scores are more than a year old. Fix that first.

The installs might be giving different scores for the same rule due to configuration differences - for example, one might have Bayes enabled and the other doesn't, or one might have network checks enabled and the other does not.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Two different machines running same version of SA giving different scores for scores that are commented out
On Sun, 25 Apr 2021, Steve Dondley wrote:

> I'm running the same version of SA on the same email on two different machines and getting different scores for some rules in the report:
>
> Machine A gives:
>   0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
> Machine B gives:
>   1.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
>
> On both machines, /usr/share/spamassassin/72_active.cf has this rule which is commented out:
> ...
> Machine A:
>   0.3 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII
> Machine B:
>   1.0 PP_MIME_FAKE_ASCII_TEXT BODY: MIME text/plain claims to be ASCII
>
> That rule has this line in the 72_active.cf file:

Look in 72_scores.cf and compare the modification dates on that file. Their scores as of today (saturday):

  72_scores.cf:score FSL_BULK_SIG 0.001 0.001 0.001 0.001
  72_scores.cf:score PP_MIME_FAKE_ASCII_TEXT 0.999 0.837 0.999 0.837

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Script or command for testing new rules to ensure new rules don't generate false positives/negatives?
On Sat, 24 Apr 2021, Steve Dondley wrote:

>> And if you want to test your rules against a corpus rather than testing against a few one-off spamples, then look into setting up a local masscheck instance. You don't need to upload the results to SA, but it will give you a good overview of how a rule behaves against multiple messages.
>
> I'm not sure what you mean by "Local masscheck instance".

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/MassCheck

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Script or command for testing new rules to ensure new rules don't generate false positives/negatives?
On Sat, 24 Apr 2021, Steve Dondley wrote:

> On 2021-04-23 05:41 PM, Martin Gregorie wrote:
>> On Fri, 2021-04-23 at 16:28 -0400, Steve Dondley wrote:
>>> I'm experimenting with writing a library of my own SA rules and scores.
>>
>> Treat this like any other code development project: use a rule development SA installation like I describe so you never develop rules using the live mail stream. This way your rules will be better written and tested and you'll cause fewer false positives in your live mail stream.
>
> Sounds like the best plan. Thanks for the advice.

And if you want to test your rules against a corpus rather than testing against a few one-off spamples, then look into setting up a local masscheck instance. You don't need to upload the results to SA, but it will give you a good overview of how a rule behaves against multiple messages.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Why single periods in regex in spamassassin rules?
On Fri, 23 Apr 2021, RW wrote:

> On Fri, 23 Apr 2021 13:52:40 -0500 (CDT)
> David B Funk wrote:
>> On Fri, 23 Apr 2021, Steve Dondley wrote:
>>> I'm looking at KAM.cf. There is this rule:
>>>
>>>   body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
>>>
>>> I'm wondering if there is a good reason why a single period is used instead of something like \s+ which would catch multiple spaces whereas a single period doesn't.
>>
>> Because '/indian.based.website/' will match 'indian-based_website' but \s will not.
>
> \W+ might be better though

Not unbounded it isn't. \W{1,5} might be better without being runaway.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
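What each separator variant from this exchange actually matches, as an added Python check (not the KAM rule and not SpamAssassin code) over constructed body fragments. Two things are worth seeing side by side: `_` is a word character, so `\W` in either form rejects 'indian-based_website' just as `\s` does and only the single `.` accepts it; and `\W{1,5}` drops anything separated by more than five non-word characters, which is the price of the bound John wants. The sample strings are made up for the example.

```python
"""Compare separator patterns for a SpamAssassin body rule such as __KAM_WEB2 against spacing variants."""
import re
from typing import Dict, List

# The separator alternatives discussed above, placed between the words of the phrase.
SEPARATORS = [".", r"\s+", r"\W+", r"\W{1,5}"]

# Constructed body fragments (not from real mail) standing in for 'indian based website'.
SAMPLES = [
    "indian based website",                # one space
    "indian  based   website",             # runs of spaces
    "indian-based_website",                # hyphen and underscore
    "indian - based - website",            # spaced punctuation
    "indian\tbased\twebsite",              # tabs
    "indian ------ based ------ website",  # eight-character separators
    "indianbasedwebsite",                  # no separator at all
]


def sa_body_regex(sep: str) -> "re.Pattern[str]":
    """Python equivalent of: body __RULE /indian<sep>based<sep>website/i"""
    return re.compile(r"indian%sbased%swebsite" % (sep, sep), re.IGNORECASE)


def hits(sep: str, samples: List[str] = SAMPLES) -> List[str]:
    """The samples the rule built with this separator would match."""
    return [s for s in samples if sa_body_regex(sep).search(s)]


def match_matrix(samples: List[str] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """separator -> sample -> matched, for all separators at once."""
    return {sep: {s: bool(sa_body_regex(sep).search(s)) for s in samples} for sep in SEPARATORS}


if __name__ == "__main__":
    for sep in SEPARATORS:
        print("%-8s %s" % (sep, [repr(s) for s in hits(sep)]))
```

If both the underscore case and a bound are wanted, an explicit class such as `[\s_-]{1,5}` in place of `\W{1,5}` covers the separators above while keeping the backtracking limit; masscheck is the place to find out whether the extra matches are spam or ham.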
Re: Spamassassin goes to folder spam
On Tue, 20 Apr 2021, mau...@gmx.ch wrote:

>   if header :contains "To" "users@spamassassin.apache.org" {

This header might be a better check:

  List-Id:

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: KAM_DMARC_REJECT on internal emails
On Mon, 19 Apr 2021, Bill Cole wrote:

> On 19 Apr 2021, at 11:05, Matus UHLAR - fantomas wrote:
>>>> On 19 Apr 2021, at 8:42, Simon Wilson wrote:
>>>>> Yes, my trusted_networks, internal_networks and msa_networks are all set correctly... I had a long discussion with this mailing list on the subject last year and got excellent help on resolving that! :)
>>>
>>> On 19.04.21 09:17, Bill Cole wrote:
>>>> Then the most direct tactic would be to modify KAM_DMARC_REJECT to not hit if ALL_TRUSTED is hit.
>>>
>>> On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
>>>> that would cause problems if you set up trusted_servers to any foreign server you trust not to fake headers.
>>
>> On 19.04.21 09:46, Bill Cole wrote:
>>> A valid point. That raises the question of why we don't have an ALL_INTERNAL rule.
>>
>> && __LAST_EXTERNAL_RELAY_NO_AUTH should do that.
>
> I don't think that works if X-Spam-Relays-External is empty, i.e. all relays are internal.

...so:

  header ALL_INTERNAL X-Spam-Relays-External =~ /^$/

?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Spoofed amazon order email
On Fri, 16 Apr 2021, RW wrote:

> On Fri, 16 Apr 2021 11:25:19 -0400
> Greg Troxel wrote:
>> Probably not for normals, score up MPART_ALT_DIFF because nobody should be sending mail with a text/plain part that is not semantically equivalent to the html.
>
> Unfortunately it's quite common.

+1 {fume}

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/