On 01/07/15 15:18, Marc Perkel wrote:
Is there any way to detect macros inside of word doc files as
attachments? Or linux command line utils to do so?
If you use ClamAV; you can enable the "OLE2BlockMacros yes" option and
then catch the 'Heuristics.OLE2.ContainsMacros' reported by ClamAV
(wh
On 19/06/15 16:57, Steve Freegard wrote:
spamd will already log the envfrom= line provided it has this
information passed through from whatever calls it. I send it over via a
X-Envelope-From: (see 'envelope_sender_header' in man
Mail::SpamAssassin::Conf).
Actually - I'm tal
On 19/06/15 15:50, Kevin A. McGrail wrote:
On 6/19/2015 10:43 AM, Reindl Harald wrote:
if you only have one user=sa-milter then you're screwed
and how does a "user=rcpt" give you any useful information to grep for
the sender of the mail in the case above?
We need to agree to disagree because
Hi Quanah,
On 22/04/15 02:52, [*] Quanah Gibson-Mount wrote:
--On Tuesday, April 14, 2015 11:05 PM +0100 Steve Freegard
wrote:
Just because *you* can't find any sense in it; others might be able to.
For example:
meta __FSL_ANY_BULK ((DCC_CHECK || RAZOR2_CHECK ||
PYZOR_
On 14/04/15 19:45, Reindl Harald wrote:
Am 14.04.2015 um 20:26 schrieb Kevin A. McGrail:
On 4/14/2015 2:16 PM, Reindl Harald wrote:
DCC isn't designed to tell you if a message is spam/not-spam. It's a
*BULK* indicator. e.g. have lots of people seen this message?
that is simply not true an
Quanah,
On 14/04/15 18:59, Quanah Gibson-Mount wrote:
I've noticed that DCC_CHECK is flagging on tons of items that are
clearly not spam. The most recent hit for me today was a release
announcement from the mariadb folks. Overall, it's a trend I'm
routinely seeing where it is flagging a lot o
On 26/03/15 22:23, Tom Hendrikx wrote:
Your single message was delivered by two different hosts, with a
single recipient in each.
This is actually very logical because the recipients don't share the
same MX hosts or IP addresses.
*nod* - I'd missed that fact when I glanced over this thread
On 26/03/15 13:47, Reindl Harald wrote:
that below was *one* message with two different recipients
X-Spam-Status: No, score=-10.1, tag-level=5.5, block-level=8.0
X-Spam-Status: No, score=-8.1, tag-level=5.5, block-level=8.0
I hate to piss on your parade, but your example here is totally flaw
Kevin,
On 26/03/15 11:18, Kevin A. McGrail wrote:
On 3/26/2015 7:09 AM, Reindl Harald wrote:
why in the world would a reject *before queue* trigger a backscatter
or bounce on my side?
To me, your recommend action makes you only worried about your tiny star
in the universe of mail servers and
On 18/03/15 21:46, Reindl Harald wrote:
Am 18.03.2015 um 22:29 schrieb David B Funk:
> Just have an internal mail-submission port that isn't routed thru SA
may not be possible if you have hundreds of domains without setting up an
internal DNS view just for a different MX
In general you don't want
On 15/08/14 18:54, Joe Quinn wrote:
On 8/15/2014 1:50 PM, David F. Skoll wrote:
On Fri, 15 Aug 2014 10:39:03 -0700 (PDT)
John Hardin wrote:
On Fri, 15 Aug 2014, David F. Skoll wrote:
SPF is so easy ("v=spf1 +all")
Doing *that* should be worth a point or two by itself.
Yes. I even through
On 19/12/13 15:50, Joe Quinn wrote:
According to this thread of five years ago, that RBL is not very well
maintained. I wonder if that's still the case?
(http://spamassassin.1065346.n5.nabble.com/New-Day-old-Bread-list-trick-td52989.html)
There also don't appear to be any alternative RBLs that
On 08/08/13 04:29, Thomas Harold wrote:
Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
Sure - I wro
On 01/05/13 19:40, Andrew Talbot wrote:
Hi, Steve -
Thanks for your response. Is that just for performance reasons?
Performance is one of the things that bayes_auto_learn_on_error 1 will
give you. It means that if the message was already considered spam by
Bayes, then the message won't be a
All good advice there from Axb; the only thing I'd add to that is:
bayes_auto_learn_on_error 1
Which prevents Bayes from over-training when the classifier already
agrees with what the autolearn is trying to train on.
Cheers,
Steve.
On 01/05/13 19:14, Axb wrote:
On 05/01/2013 08:01 PM, Andre
On 16/03/13 00:04, Christian Recktenwald wrote:
On Fri, Mar 15, 2013 at 02:39:17PM -0500, David B Funk wrote:
On Fri, 15 Mar 2013, Christian Recktenwald wrote:
On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
On 3/15/2013 9:17 AM, Tom K
On 12/02/13 18:47, Daniel McDonald wrote:
I’ve had a simple rule I use to see if mail is forwarded through a
“foreign country”:
header RELAY_NOT_US X-Relay-Countries =~
/\b(?:[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}|\b/
describe RELAY_NOT_US Relayed though any country other than the U
On 22/03/11 23:28, Lawrence @ Rogers wrote:
Something is definitely off. We use SA with MailScanner, and that rule
never hits anything (less than 1 or 2 messages in several thousand).
My guess would be that you aren't using MailScanner with Sendmail
whereas the original poster is.
I've been
Hi David,
On 08/02/11 15:57, David F. Skoll wrote:
Hi, Steve,
http://www.fsl.com/index.php/resources/whitepapers/99
Interesting. I think you should credit me for this:
"Once that has been proven then that â is exempted from further
greylisting for 40 days since it was last seen."
Our CanI
On 19/01/11 15:02, David F. Skoll wrote:
On Wed, 19 Jan 2011 09:56:47 -0500
Lee Dilkie wrote:
The second was that I've found that the other spam-catching filtering
is doing a much better job than it was years ago and turning off
greylisting didn't adversely affect the amount of spam that got
t
On 01/01/11 11:51, Warren Togami Jr. wrote:
I'll help you start the process with a Bugzilla ticket. I also hope
you could get it into some sort of public source control mechanism
soon so we can see the changes that go into it before inclusion in
upstream. I feel uncomfortable using something
On 01/01/11 12:02, Warren Togami Jr. wrote:
http://www.surbl.org/faqs#redirect
BTW, this page mentions SpamCopURI and urirhdbl as existing tools that
handle redirection to some degree. Have you confirmed that you are
not needlessly reinventing the wheel? It is entirely possible that
your de
Hi Warren,
On 01/01/11 09:17, Warren Togami Jr. wrote:
What is the status of this plugin?
As far as I'm concerned - I'm actively maintaining it and have been
using it in production on several sites; I've been planning to push out
an update as I've recently been contributed a massive list o
Hi All,
On 17/09/10 14:11, Steve Freegard wrote:
Hi All,
Recently I've been getting a bit of filter-bleed from a bunch of spams
injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foo
that upon closer inspection would have been rejected with a high score
if the real URL had
On 22/09/10 13:44, Michael Scheidell wrote:
one more: if # url_shortener_cache /tmp/DecodeShortURLs.sq3
you should not try to load SQLLite.pm.
ent host [79.98.90.156] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=79.98.90.156;
from= to=
proto=ESMTP helo=
Sep 22 08:38:40 sns
On 20/09/10 15:28, Bowie Bailey wrote:
You can get rid of the 'backslashitis' by using a different delimiter.
uri URI_BITLY_BLOCKED m~^http://bit\.ly/a/warning~i
You still need to escape the period, but since the tilde (~) is now the
delimiter rather than the slash, you don't need to escape
On 20/09/10 16:17, Michael Scheidell wrote:
On 9/20/10 8:15 AM, Steve Freegard wrote:
Caching; if desired it will now cache URLs to a SQLite database for
additional speed-up and to prevent DoS of the shortener services.
any anticipated write lock problems with this due to sqlite not handling
On 17/09/10 14:48, RW wrote:
I think it might be better to take the "blocked page" handling out of
the perl and turn it into an ordinary uri rule.
Yeah; really don't know why I did it like that in the first place.
I've just uploaded version 0.2 which does it this way instead and adds
the fo
On 17/09/10 14:33, Jari Fredriksson wrote:
It has a typo.
describe URIBL_SHORT...
The rule name is wrong, should be SHORT_URIBL
Didn't you --lint it? ;)
Doh! - fixed.
Regards,
Steve.
Hi All,
Recently I've been getting a bit of filter-bleed from a bunch of spams
injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foo
that upon closer inspection would have been rejected with a high score
if the real URL had been used.
To that end - it annoyed me enough to wr
On 08/09/10 16:10, Mike Bro wrote:
Thanks for your interest in this topic. The part of mail.log and the
qf file is at:
http://pastebin.com/0QzqLxs1
This particular example has been marked as spam, but the sender's
information didn't play a role in this classification.
Re: Joseph Brennan:
Why d
[ 3rd attempt to send this message; without it being rejected by
apache.org for being spam... ]
I picked two of those domains at random:
[r...@vm2 tmp]# host -t TXT trigasplumet.net.fresh.spameatingmonkey.net
trigasplumet.net.fresh.spameatingmonkey.net descriptive text "Domain
first seen 2010-
On 12/03/10 15:48, Ray Dzek wrote:
I just received the dreaded URIBL “You send us too many DNS queries”
notice. This is fine. We have been growing and I am sure our queries
have gone up. But when looking at their data feed service options the
first thing I noticed was that there is no fee structu
Marc Perkel wrote:
>
>
> John Hardin wrote:
>> On Fri, 9 Oct 2009, Marc Perkel wrote:
>>
>> It's essentially Perl logical expression syntax, and basic math
>> expression syntax if you want to count:
>>
>> meta NAME rule1 && (rule2a + rule2b + rule2c + rule2d > 2)
>
> When adding rules is it a
Tomasz Chmielewski wrote:
> Is it possible to count recipients with Spamassassin?
>
> Some of the spam I receive has multiple recipients in To: and/or CC:
> headers, i.e.:
>
> To: 1...@example.com, 2...@example.com, 3...@example.com
> CC: 1...@example.com, 2...@example.com, 3...@example.com
>
>
Matt Kettler wrote:
>>> It's no plugin I know of, but it's a feature we intentionally left out
>>> of SA for security reasons. So given that it's a really bad idea I'd
>>> guess barracuda did implement it themselves.
>>>
>>>
>> Are you forgetting URIBL_SBL?? That requires the A or NS records
Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
>> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>>
>>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>>
Please see my initial post on Pastebin:
http://pastebin.com/f6a83e9fb
>>> If it's true that al
rich...@buzzhost.co.uk wrote:
> On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
>> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
>>> Please see my initial post on Pastebin:
>>>
>>> http://pastebin.com/f6a83e9fb
>>>
>> If it's true that all those domains resolve to just a handful of IP
>> addre
Marc Perkel wrote:
> Does anyone have a list of all domains that provide short url redirection?
I'd start here: http://longurl.org/services
Cheers,
Steve.
Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 08:20 +0100, rich...@buzzhost.co.uk wrote:
>> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
>>> On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
>
Matthew Elson wrote:
> Justin Mason wrote:
>> hey Matt -- what version of re2c is installed?
>
> Knew I forgot something :P.
>
> re2c 0.13.2 was what was on all of the machines that had the issue -
> when I ran into the issue, the first thing I did was upgrade it to
> 0.13.5 on one of them; the
Michael Scheidell wrote:
> spam, with a url link in it that opens up a yahoo.com web mail page and
> asks for yahoo.com credentials.
>
> don't know how that can help spammer, unless spammer is looking to only
> get email from yahoo.com users.
>
> see line 119 (highlighted)
>
> http://pastebin.com
Paweł Tęcza wrote:
> Steve Freegard pisze:
>> Paweł Tęcza wrote:
>>> Also a lot of spams I received have good reverse IP address. We use
>>> greylisting for our mail system, but we still receive that spam.
>>>
>>> Maybe that IP address above
Steve Freegard wrote:
> Normally I wouldn't post these rules here; but I'm interested to see how
> long before this rule gets rendered useless by the botmaster that's
> sending these.
/me waves at the botmaster; that *was* fast - but you still suck
Paweł Tęcza wrote:
> Also a lot of spams I received have good reverse IP address. We use
> greylisting for our mail system, but we still receive that spam.
>
> Maybe that IP address above has been noted on popular RBL lists, but the
> spammers still use new infected machines, so they can leave RBL
Justin Mason wrote:
> http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM/detail
Would be interesting to see if the 5 ham hits really were ham or whether
they were accidentally misclassified and what the e-mail address was.
Cheers,
Steve.
Henrik K wrote:
> On Sat, May 16, 2009 at 08:25:58AM -0500, Chris wrote:
>> Started running the plug-in Thursday and though I don't get much spam a
>> day I am getting hits:
>>
>> Ham: 232
>> Spam: 113
>> (that's a total count since 3 May)
>>
>> EmailBL.cf:
>> Rule Name Score Ha
Michael Monnerie wrote:
> I generally like the idea. But this project is in the beginners phase,
> and a whole lot of people will want to wait until others report its
> benefits. After all, who wishes to put it in production and then maybe
> it causes a lot of FPs?
Duh:
score EMAILBL 0.001
*
Mike Cardwell wrote:
> Steve Freegard wrote:
>
>>>> A word of caution. Be very careful how you use the list. The
>>>> intended usage for the list is to prevent (or monitor) local users
>>>> from sending email to the listed addresses. The phisher
John Hardin wrote:
> On Wed, 29 Apr 2009, Jesse Thompson wrote:
>
>> A word of caution. Be very careful how you use the list. The
>> intended usage for the list is to prevent (or monitor) local users
>> from sending email to the listed addresses. The phishers frequently
>> use compromised end-u
John Hardin wrote:
>
> I suppose I should ask, what do you mean by a spammer "reversing the list"?
>
I guess I meant that it makes it harder for the spammer if he/she gets a
copy of the list to casually look for addresses to avoid without doing
the extra work of encoding the address in the same
Justin Mason wrote:
> On Mon, Apr 27, 2009 at 17:38, John Hardin wrote:
>> On Mon, 27 Apr 2009, Justin Mason wrote:
>>
>>> On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja wrote:
>>>
SARE had a nice system where you could submit a rule via email and got
the masscheck results via email.
John Hardin wrote:
> On Tue, 28 Apr 2009, Steve Freegard wrote:
>
>> To reduce the likelihood of collisions then it's better to add the input
>> string length at the end of the md5 like ClamAV does in its MD5 sigs
>> e.g.
>>
>> s...@laptop-smf:
Adam Katz wrote:
> Steve Freegard wrote:
>> I've been thinking about creating an emailBL to target dropboxes used
>> for 419 scams, phishing, russian penpals etc. as I have a reasonable way
>> to collect these in real-time and it would close a lot of doors on these
>
Adam Katz wrote:
> (note, I'm guessing at the appropriate mailing list for cross-post)
>
> Dennis Davis wrote:
>> http://code.google.com/p/anti-phishing-email-reply/
>>
>> is also useful as it attempts to detail the compromised accounts.
>> Just block/quarantine email for those accounts.
>
> Inte
Sahil Tandon wrote:
> On Sun, 25 Jan 2009, Chris wrote:
>
>> I just noticed this when manually testing a newly learned spam that was
>> receiving a less than 1 score. Had to use the kill command to stop the
>> process. Is ixhasn.net possibly down?
>
> s/ixhasn.net/ixhash.net/ :-) That host is
Marc Perkel wrote:
> I'm doing an experimental free MX backup service and wondering if it
> will get exploited. I'm wondering if I'm overlooking anything obvious?
> Here's the info on it:
>
> http://www.free-mx-backup.com
>
> The idea is that it detects if we are the secondary and not the primary
Sujit Acharyya-Choudhury wrote:
No I am talking about mails to our University with fake (or undesirable) address so
that some of our users can reply-to them with their identities, i.e. usernames
& passwords and thereby allowing the spammer to steal the identities.
What I meant that how can
ram wrote:
Is this news true ( spams down by 75% )
http://www.securecomputing.net.au/News/128340%2cspam-volumes-drop-75-percent-in-a-day.aspx
On my servers I haven't seen any big change
I've seen a drop on a number of servers that I manage.
The best illustration I've found is from Spamcop;
Loren Wilton wrote:
X-SpamFilter-By: BOX Solutions SpamTrap 1.1 with qID lBDNlb6m031347,
This message is to be blocked by code: bkndr63272
Subject: [Spam-Mail] We invite you to join us as a Silver PowerSeller!
(This message should be blocked: bkndr63272)
Shame they didn't just block it so I wo
Hi Wes,
Wes wrote:
On 11/29/07 2:23 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
wrote:
But to get hold of the timeout problems and the bad performing bayes db we
did what the spamassassin people suggest since quite some time:
- use global bayes instead bayes per user
- do not use auto_expire
Hi,
Yet Another Ninja wrote:
On 9/5/2007 5:27 PM, Marc Perkel wrote:
mouss wrote:
ram wrote:
I am using SA 3.2.3 and very few spam get thru
But I can still see some spam with urls because the the urls are not
yet
listed in uribls
I tried to do some analysis on my quarantine, I found atlea
yossim wrote:
Hi Steve,
Thanks for the info.
However the version of MailScanner that I use does not support this
attribute.
Is there other place where I can add this header.
No - you'll have to upgrade MailScanner if you want to be able to do
this (it isn't hard).
Kind regards,
Steve.
Matt Kettler wrote:
yossim wrote:
Hi forum, I am running MailScanner integrated with SA sendmail based.
I would like to add a new header to SA report, so the next stage of
spam filtering which is the trend micro will always forward the email
the outlook junk mail. The header is as follows: X-TM-
[ repost: obfuscating domains to avoid the apache.org SMTP filter... ]
Hi John,
John Rudd wrote:
I'm a prophet now!?
:-)
Hm. So, I'm sure I can figure this out eventually, but does anyone know
the right Net::DNS way to extract the TTL?
I could probably set it up as a value in Botnet.cf,
Per Jessen wrote:
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=
Justin's response is far better reading:
http://taint.org/2007/07/19/122638a.html
Kind regards,
Steve.
Hi Simon,
On Wed, 2005-11-02 at 11:11 +, Simon Hogg wrote:
> Folks, we've been using SpamAssassin as part of MailScanner for just
> over a year with no problems at all.
>
> However, output (plain ASCII text files of a few k in size) from our
> student admin system, which is mailed to users