URIBL_RHS_DOB high hits

2014-10-06 Thread David Jones
Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?


Looks like every query is returning 127.0.0.2.



Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Reindl Harald


Am 06.10.2014 um 13:55 schrieb David Jones:

Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?
Looks like every query is returning 127.0.0.2.


yes - completely disabled the rule in local.cf





Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 7:56 AM, Reindl Harald wrote:


Am 06.10.2014 um 13:55 schrieb David Jones:

Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?
Looks like every query is returning 127.0.0.2.


yes - completely disabled the rule in local.cf

Concur that we are seeing something very odd as well, thanks David for 
the heads-up. I've reached out to the generic contact information at 
http://www.support-intelligence.com/contact/


If someone has a better contact, please see if you can find out what's 
going on.


regards,
KAM


Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Axb

On 10/06/2014 02:04 PM, Kevin A. McGrail wrote:

On 10/6/2014 7:56 AM, Reindl Harald wrote:


Am 06.10.2014 um 13:55 schrieb David Jones:

Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?
Looks like every query is returning 127.0.0.2.


yes - completely disabled the rule in local.cf


Concur that we are seeing something very odd as well, thanks David for
the heads-up. I've reached out to the generic contact information at
http://www.support-intelligence.com/contact/

If someone has a better contact, please see if you can find out what's
going on.


I attempted to contact Rick directly but msg bounced back...
(so much for ancient speed dial :(



SpamAssassin false positive bayes with attachments

2014-10-06 Thread jdime abuse
I have been seeing some issues with bayes detection from base64 strings
within attachments causing false positives.

Example:
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'z4f' = 0.68502147581
Oct  6 09:02:14.378 [15869] dbg: bayes: token '0vf' = 0.66604823748

Is there a solution to prevent triggering bayes from the base64 data in an
attachment? It was my impression that attachments should not trigger bayes
data, but it seems that it is parsing it as text rather than an attachment.

This is with SpamAssassin v3.3.

Thanks


Re: SpamAssassin false positive bayes with attachments

2014-10-06 Thread Benny Pedersen

On October 6, 2014 3:03:30 PM jdime abuse jdimeab...@gmail.com wrote:


I have been seeing some issues with bayes detection from base64 strings
within attachments causing false positives.


Train more data then, bayes needs more data to prevent it


Example:
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127
Oct  6 09:02:14.374 [15869] dbg: bayes: token 'z4f' = 0.68502147581
Oct  6 09:02:14.378 [15869] dbg: bayes: token '0vf' = 0.66604823748


Above is pretty normal for how bayes works


Is there a solution to prevent triggering bayes from the base64 data in an
attachment? It was my impression that attachments should not trigger bayes
data, but it seems that it is parsing it as text rather than an attachment.


Documentation is in

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::Bayes

If it's not documented, it's not supported


This is with SpamAssassin v3.3.


While 3.4 is now stable


Re: Many X- headers - possible spam sign?

2014-10-06 Thread Alex
Hi,

 Postfix header_checks:

 /^Received\-SPF/ IGNORE
 /^X\-Antispam/   IGNORE
 /^X\-Antivirus/  IGNORE
...

Can you explain how this helps someone using postfix?

Thanks,
Alex


Re: Many X- headers - possible spam sign?

2014-10-06 Thread Reindl Harald


Am 06.10.2014 um 16:03 schrieb Alex:

Postfix header_checks:

/^Received\-SPF/ IGNORE
/^X\-Antispam/   IGNORE
/^X\-Antivirus/  IGNORE

...

Can you explain how this helps someone using postfix?


headers from outside are meaningless and untrustworthy
i don't want to see a header suggesting a mail was scanned
not coming from my own MX

the only software which has added them is our own filters

header_checks = incoming mail
smtp_header_checks = outgoing mail






Re: Many X- headers - possible spam sign?

2014-10-06 Thread Benny Pedersen

On October 6, 2014 4:03:11 PM Alex mysqlstud...@gmail.com wrote:


 Postfix header_checks:

 /^Received\-SPF/ IGNORE
 /^X\-Antispam/   IGNORE
 /^X\-Antivirus/  IGNORE



Can you explain how this helps someone using postfix?


It helps nothing in postfix, but it might help on content filters. Be careful: 
removing headers that are DKIM signed is risky


Re: Help needed with possible DNS problems

2014-10-06 Thread Bowie Bailey

On 10/4/2014 4:38 PM, Yasir Assam wrote:

Thanks Reindl.

I haven't investigated ipv6 properly, but looking at my Hosting
provider's wiki and a few of my config files, it seems ipv6 is available
(I have been assigned an ipv6 subnet). I have something like this:
http://wiki.hetzner.de/index.php/Netzkonfiguration_Debian/en#Dedicated_Servers_3

I'd rather not turn ipv6 off, but I'll need to investigate further to
see why it isn't working (with bind9 at least).

Thanks for the tip about unbound.


If you don't want to disable ipv6 completely, you can disable it for 
bind by adding the -4 option to the /etc/sysconfig/named file and 
restarting named.


OPTIONS=-4

This tells bind to only talk on the ipv4 network.

--
Bowie


Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Axb

On 10/06/2014 01:55 PM, David Jones wrote:

Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?


Looks like every query is returning 127.0.0.2.




According to my last check, Rick has fixed the issue.


host  yahoo.com.dob.sibl.support-intelligence.net
Host yahoo.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)



Re: Many X- headers - possible spam sign?

2014-10-06 Thread Alex
Hi,

  Postfix header_checks:
 
  /^Received\-SPF/ IGNORE
  /^X\-Antispam/   IGNORE
  /^X\-Antivirus/  IGNORE

 Can you explain how this helps someone using postfix?


 It helps nothing in postfix, but it might help on content filters. Be careful:
 removing headers that are DKIM signed is risky

Okay, I think I understand. You're saying that, if not ignored,
postfix will strip these headers, making them inaccessible to
spamassassin for scoring. Correct?

Thanks,
Alex


Re: Many X- headers - possible spam sign?

2014-10-06 Thread Reindl Harald



Am 06.10.2014 um 18:04 schrieb Alex:

Postfix header_checks:

/^Received\-SPF/ IGNORE
/^X\-Antispam/   IGNORE
/^X\-Antivirus/  IGNORE



Can you explain how this helps someone using postfix?



It helps nothing in postfix, but it might help on content filters. Be careful:
removing headers that are DKIM signed is risky


Okay, I think I understand. You're saying that, if not ignored,
postfix will strip these headers, making them inaccessible to
spamassassin for scoring. Correct?


http://www.postfix.org/header_checks.5.html

that has nothing to do directly with SA

i just don't want to have headers suggesting that anything
outside my network pretends it has done spam-filtering or
virus scans; that happens here with SA and ClamAV and only
those results are worth anything





recent channel update woes

2014-10-06 Thread Eric Cunningham
Hello, has anyone else experienced a HUGE uptick in the number of 
rejected legitimate emails following an sa-update run over this past 
weekend (possibly yesterday, Oct 5)?  It looks like something caused our 
once-adequate-and-happy required_hits value of 7.0 to be way too 
restrictive suddenly blocking nearly every inbound email that wasn't 
previously whitelisted.  For the moment, I've had to raise required_hits 
to 25.0 to quell the torrent of rejected emails.  Any ideas, 
explanations or, more importantly, help to remedy this are appreciated. 
 Thank you.




Re: recent channel update woes

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 12:39 PM, Eric Cunningham wrote:
Hello, has anyone else experienced a HUGE uptick in the number of 
rejected legitimate emails following an sa-update run over this past 
weekend (possibly yesterday, Oct 5)?  It looks like something caused 
our once-adequate-and-happy required_hits value of 7.0 to be way too 
restrictive suddenly blocking nearly every inbound email that wasn't 
previously whitelisted.  For the moment, I've had to raise 
required_hits to 25.0 to quell the torrent of rejected emails.  Any 
ideas, explanations or, more importantly, help to remedy this are 
appreciated.  Thank you.

Did you see the RHS_URIBL_DOB issue?

Further, I would look at one specific email and find out why it got over 
the threshold.  Repeat for a few emails until a pattern or a lack of 
pattern emerges.


Making systemic statements without any individual data points just leads 
to chicken little scenarios.


regards,
KAM
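Kevin's advice to work through individual rejected messages until a pattern emerges, as an added example that is not part of the thread: it parses X-Spam-Status values, ranks the rules firing across the over-threshold messages and measures what zeroing the dominant rule would change. The sample headers, their rule names and scores are constructed, and the example assumes the header was generated with a template using _TESTSSCORES_ so each rule carries its score.

```python
import re
from collections import Counter

# Constructed X-Spam-Status values for five messages rejected at
# required_hits 7.0. They assume a header template using _TESTSSCORES_
# (rule=score, comma separated); rule names and scores are made up for
# the example and are not taken from the thread.
SAMPLE_STATUS = [
    "Yes, score=7.3 required=7.0 tests=BAYES_50=0.8,HTML_MESSAGE=0.1,MISSING_MID=1.4,URIBL_RHS_DOB=5.0",
    "Yes, score=7.2 required=7.0 tests=BAYES_50=0.8,HTML_MESSAGE=0.1,RDNS_NONE=1.3,URIBL_RHS_DOB=5.0",
    "Yes, score=13.7 required=7.0 tests=BAYES_99=3.5,BAYES_999=0.2,RCVD_IN_XBL=3.3,URIBL_BLACK=1.7,URIBL_RHS_DOB=5.0",
    "Yes, score=7.1 required=7.0 tests=DKIM_VALID=-0.1,HTML_MESSAGE=0.1,MIME_HTML_ONLY=0.7,MISSING_MID=1.4,URIBL_RHS_DOB=5.0",
    "Yes, score=8.4 required=7.0 tests=BAYES_99=3.5,BAYES_999=0.2,HTML_MESSAGE=0.1,RCVD_IN_XBL=3.3,RDNS_NONE=1.3",
]

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) required=(?P<required>-?[\d.]+)"
    r"(?: tests=(?P<tests>\S*))?"
)


def parse_status(value: str) -> dict:
    """Parse one X-Spam-Status value into verdict, score, required and a
    rule -> score map. Rules without a score (the default tests= format)
    are stored as None so they still count for frequency."""
    m = STATUS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {value!r}")
    rules = {}
    for item in filter(None, (m.group("tests") or "").split(",")):
        name, sep, score = item.partition("=")
        rules[name] = float(score) if sep else None
    return {"verdict": m.group("verdict"), "score": float(m.group("score")),
            "required": float(m.group("required")), "rules": rules}


def score_without(parsed: dict, rule: str) -> float:
    """Score the message would have had with `rule` zeroed in local.cf."""
    return parsed["score"] - (parsed["rules"].get(rule) or 0.0)


def triage(status_values) -> dict:
    """Rank rules by how often (then how heavily) they hit across the
    over-threshold messages, and count how many of those messages would
    fall back under required_hits if the top rule were zeroed."""
    over = [p for p in map(parse_status, status_values)
            if p["score"] >= p["required"]]
    hits, contrib = Counter(), Counter()
    for p in over:
        for rule, score in p["rules"].items():
            hits[rule] += 1
            contrib[rule] += score or 0.0
    # Frequency first, contributed score as tie-break: a 0.1 rule that fires
    # everywhere is noise, a 5.0 rule that fires everywhere is the pattern.
    ranked = sorted(hits, key=lambda r: (hits[r], contrib[r]), reverse=True)
    top = ranked[0] if ranked else None
    would_pass = sum(1 for p in over
                     if top and score_without(p, top) < p["required"])
    return {"over_threshold": len(over), "top_rule": top,
            "top_rule_hits": hits[top] if top else 0,
            "would_pass_without_top": would_pass,
            "ranking": [(r, hits[r], round(contrib[r], 3)) for r in ranked]}


if __name__ == "__main__":
    for line in triage(SAMPLE_STATUS)["ranking"]:
        print(*line)
```

On the constructed sample the ranking puts URIBL_RHS_DOB on top and shows that three of the five rejections would not have happened with that rule zeroed, which is the data point to bring to the list instead of a raised required_hits.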




Re: recent channel update woes

2014-10-06 Thread Eric Cunningham

On 10/06/2014 12:51 PM, Kevin A. McGrail wrote:

On 10/6/2014 12:39 PM, Eric Cunningham wrote:

Hello, has anyone else experienced a HUGE uptick in the number of
rejected legitimate emails following an sa-update run over this past
weekend (possibly yesterday, Oct 5)?  It looks like something caused
our once-adequate-and-happy required_hits value of 7.0 to be way too
restrictive suddenly blocking nearly every inbound email that wasn't
previously whitelisted.  For the moment, I've had to raise
required_hits to 25.0 to quell the torrent of rejected emails.  Any
ideas, explanations or, more importantly, help to remedy this are
appreciated.  Thank you.

Did you see the RHS_URIBL_DOB issue?

Further, I would look at one specific email and find out why it got over
the threshold.  Repeat for a few emails until a pattern or a lack of
pattern emerges.

Making systemic statements without any individual data points just leads
to chicken little scenarios.

regards,
KAM





No, I did not see anything about an RHS_URIBL_DOB issue.  Could you, as 
you say, offer some data points on this?




Re: URIBL_RHS_DOB high hits

2014-10-06 Thread David Jones
 On 10/06/2014 01:55 PM, David Jones wrote:
  Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?
 
 
  Looks like every query is returning 127.0.0.2.
 
 

 According to my last check, Rick has fixed the issue.

 host  yahoo.com.dob.sibl.support-intelligence.net
 Host yahoo.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

Still looks broken to me:

http://multirbl.valli.org/lookup/google.com.html

I tried a few domains and they all hit this DBL.






Re: recent channel update woes

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 1:00 PM, Eric Cunningham wrote:
No, I did not see anything about an RHS_URIBL_DOB issue.  Could you, 
as you say, offer some data points on this?

http://spamassassin.1065346.n5.nabble.com/URIBL-RHS-DOB-high-hits-td112138.html

And being discussed on users list right now...

Regards,
KAM


Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Axb

On 10/06/2014 07:01 PM, David Jones wrote:

Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?




host  google.com.dob.sibl.support-intelligence.net
Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

web tools sigh





Re: Many X- headers - possible spam sign?

2014-10-06 Thread Benny Pedersen

On October 6, 2014 6:04:54 PM Alex mysqlstud...@gmail.com wrote:


Okay, I think I understand. You're saying that, if not ignored,
postfix will strip these headers, making them inaccessible to
spamassassin for scoring. Correct?


No, ignore means don't pass to mailbox; think of it like postfix just lying to 
content filters that this header has never existed
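Benny's caveat about stripping DKIM-signed headers, turned into a check as an added example that is not from the thread or from Postfix: it applies the IGNORE patterns quoted above to a constructed message and reports any header that would be both dropped and listed in a DKIM-Signature h= tag. The sample message, its signer domain, the inclusion of X-Antispam in h= and the placeholder bh=/b= values are all assumptions.

```python
import email
import re

# Postfix header_checks IGNORE patterns from the thread (regexp table
# syntax, which is case-insensitive by default).
HEADER_CHECKS = [r"^Received\-SPF", r"^X\-Antispam", r"^X\-Antivirus"]

# Constructed sample message, not from the thread. The signer deliberately
# included X-Antispam in the signed header list (h=), which is the situation
# Benny warns about; bh= and b= are placeholders, not a real signature.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;
 h=From:To:Subject:Date:X-Antispam; bh=PLACEHOLDER; b=PLACEHOLDER
Received-SPF: pass (example.org: sender authorized)
X-Antispam: scanned-by-upstream
X-Antivirus: clean
From: alice@example.org
To: bob@example.net
Subject: report
Date: Mon, 06 Oct 2014 14:03:11 +0200

hello
"""


def signed_headers(raw: str) -> set:
    """Header names (lower-cased) covered by any DKIM-Signature h= tag."""
    msg = email.message_from_string(raw)
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = re.sub(r"\s+", "", str(sig))   # unfold and drop whitespace
        m = re.search(r"(?:^|;)h=([^;]*)", tags)
        if m:
            names.update(h.lower() for h in m.group(1).split(":") if h)
    return names


def ignored_headers(raw: str, patterns) -> set:
    """Header names Postfix would drop: each pattern is matched against the
    whole 'Name: value' header line, as header_checks does."""
    msg = email.message_from_string(raw)
    regexes = [re.compile(p, re.IGNORECASE) for p in patterns]
    dropped = set()
    for name, value in msg.items():
        line = f"{name}: {value}"
        if any(r.search(line) for r in regexes):
            dropped.add(name.lower())
    return dropped


def risky_ignores(raw: str, patterns) -> list:
    """IGNORE actions that would remove a DKIM-signed header and so break
    the signature for any verifier downstream (the risk Benny points out)."""
    return sorted(ignored_headers(raw, patterns) & signed_headers(raw))


if __name__ == "__main__":
    print("would drop:", sorted(ignored_headers(SAMPLE_MESSAGE, HEADER_CHECKS)))
    print("breaks DKIM:", risky_ignores(SAMPLE_MESSAGE, HEADER_CHECKS))
```

Running this over a sample of real inbound mail before enabling the table tells you whether any sender you care about signs the headers you are about to strip.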


Re: recent channel update woes

2014-10-06 Thread Benny Pedersen

On October 6, 2014 6:39:21 PM Eric Cunningham e...@whoi.edu wrote:


Hello, has anyone else experienced a HUGE uptick in the number of
rejected legitimate emails following an sa-update run over this past


And spamassassin only tags mail, it does not reject, so stop saying it's an SA 
issue when it's not


Re: recent channel update woes

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 1:11 PM, Jason Goldberg wrote:

How do I get removed from this stupid list.

I love being spammed by a list about spam which I did not sign up for.


Email users-h...@spamassassin.apache.org and the system will mail you 
instructions.


If you did not sign up for the list, that is very troublesome and we can 
ask infrastructure to research but I believe we have a confirmation 
email requirement to get on the list.


Regards,
KAM


Re: URIBL_RHS_DOB high hits

2014-10-06 Thread David Jones
 From: Axb axb.li...@gmail.com
 On 10/06/2014 07:01 PM, David Jones wrote:
  Anyone else seeing an unusually high hit count today for URIBL_RHS_DOB?
  
  
 host  google.com.dob.sibl.support-intelligence.net
 Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)

 web tools sigh

http://multirbl.valli.org/lookup/google.com.html

For the record, I normally use the dig command but I wanted to:
a) show everyone this excellent site if they don't know about it and
b) give everyone an easy way to test to see if this problem has been resolved
by checking throughout the day and in the future.

BTW, it's a very handy site to scrape the RBLs from.  I wrote a script to check
all of my servers using the public RBLs on that page.

It's also a nice site to show people that don't know what FCrDNS is and that it's
very important for a sending mail server to be correct.

Dave
RHCE




Re: recent channel update woes

2014-10-06 Thread Reindl Harald


Am 06.10.2014 um 19:22 schrieb Benny Pedersen:

On October 6, 2014 6:39:21 PM Eric Cunningham e...@whoi.edu wrote:


Hello, has anyone else experienced a HUGE uptick in the number of
rejected legitimate emails following an sa-update run over this past


And spammassin only tags mail, it does not reject, so stop saying it an
sa issue when its not


on a sane setup it is part of a milter and rejects above a specific 
level because it makes little sense to accept high score spam and only 
move it to a different folder


frankly 3 weeks ago we had about 3 junk attempts per day and now we 
have the same per week - guess why - because delays, postscreen and 
rejecting highscore spam instead of signing 250 OK to the bot client


X-Spam-Status: No, score=-106.2, tag-level=4.5, block-level=8.0





Re: recent channel update woes

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 1:23 PM, Kevin A. McGrail wrote:

On 10/6/2014 1:11 PM, Jason Goldberg wrote:

How do I get removed from this stupid list.

I love being spammed by a list about spam which I did not sign up for.


Email users-h...@spamassassin.apache.org and the system will mail you 
instructions.


If you did not sign up for the list, that is very troublesome and we 
can ask infrastructure to research but I believe we have a 
confirmation email requirement to get on the list. 
Obviously we take this very seriously as anti-spammers because the 
definition I follow for spam is it's about consent not content.  If you 
didn't consent to receive these emails, we have a major issue.


I've confirmed we have a confirmation email process in place that 
requires the subscribee to confirm the subscription request.  And I 
believe this has been in place for many years.  So if you did not 
subscribe to the list or confirm the subscription, you may need to check 
if your email address credentials have been compromised as that's the 
second most likely scenario for the cause beyond an administrator adding 
you directly.


Karsten, any thoughts other than if a list administrator added them 
directly?   Have infrastructure check the records for when and how the 
subscriber was added?  Open a ticket with Google?


Regards,
KAM


Re: URIBL_RHS_DOB high hits

2014-10-06 Thread Benny Pedersen

On October 6, 2014 7:28:02 PM David Jones djo...@ena.com wrote:


 host  google.com.dob.sibl.support-intelligence.net
 Host google.com.dob.sibl.support-intelligence.net not found: 3(NXDOMAIN)
 web tools sigh
http://multirbl.valli.org/lookup/google.com.html


http://multirbl.valli.org/lookup/goo.gl.html

Yes, it's google


Re: Local URL blocking based on NS records?

2014-10-06 Thread Ian Zimmerman
On Fri, 03 Oct 2014 00:08:49 +0200,
Axb axb.li...@gmail.com wrote:

Axb What's wrong with running rbldnsd?  It's the tool all BLs use for
Axb mirroring BL data. It's so stable and simple to use nothing can
Axb beat it.

From the website:

 There is no config file, rbldnsd accepts all configuration in command line.

A bit too simple, I'd say.  What about kernel argv limits?



Re: Local URL blocking based on NS records?

2014-10-06 Thread Axb

On 10/06/2014 07:47 PM, Ian Zimmerman wrote:

On Fri, 03 Oct 2014 00:08:49 +0200,
Axb axb.li...@gmail.com wrote:

Axb What's wrong with running rbldnsd?  It's the tool all BLs use for
Axb mirroring BL data. It's so stable and simple to use nothing can
Axb beat it.

 From the website:


There is no config file, rbldnsd accepts all configuration in command line.


A bit too simple, I'd say.  What about kernel argv limits?


What's wrong with simple?
Have you come across a caveat while running it?







Re: Local URL blocking based on NS records?

2014-10-06 Thread Reindl Harald



Am 06.10.2014 um 19:47 schrieb Ian Zimmerman:

On Fri, 03 Oct 2014 00:08:49 +0200,
Axb axb.li...@gmail.com wrote:

Axb What's wrong with running rbldnsd?  It's the tool all BLs use for
Axb mirroring BL data. It's so stable and simple to use nothing can
Axb beat it.

 From the website:


There is no config file, rbldnsd accepts all configuration in command line.


A bit too simple, I'd say.  What about kernel argv limits?


what has this to do with the kernel and how does it matter if you 
specify the few RBLs you have local in one line or 10?


it is that efficient *because* it is designed that simply

[root@localhost:~]$ cat /etc/sysconfig/rbldnsd
RBLDNSD=-f -n -r/var/lib/rbldnsd -c 60s -t 600:300:600 -e -v -a -q -4 
-b 127.0.0.1/1053 dnsbl.example.com:ip4set:dnsbl.example.com 
dnswl-aggregate.example.com:ip4set:dnswl-aggregate.example.com 
dnsbl-ix.example.com:ip4set:dnsbl-ix.example.com 
dnsbl-backscatterer.example.com:ip4set:dnsbl-backscatterer.example.com 
dnswl-whitelisted-org.example.com:ip4set:dnswl-whitelisted-org.example.com 
dnsbl-uce.example.com:ip4set:dnsbl-uce.example.com 
dnsbl-uce-2.example.com:ip4set:dnsbl-uce-2.example.com 
dnsbl-surriel.example.com:ip4set:dnsbl-surriel.example.com


[root@localhost:~]$ cat /etc/systemd/system/rbldnsd.service
[Unit]
Description=DNSBL/DNSWL Daemon
After=network.service systemd-networkd.service network-online.target
Before=unbound.service
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/rbldnsd
ExecStart=/usr/sbin/rbldnsd $RBLDNSD
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=always
RestartSec=1
PrivateTmp=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE 
CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_KILL

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
[Install]
WantedBy=multi-user.target





Re: Local URL blocking based on NS records?

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 1:47 PM, Ian Zimmerman wrote:

On Fri, 03 Oct 2014 00:08:49 +0200,
Axb axb.li...@gmail.com wrote:

Axb What's wrong with running rbldnsd?  It's the tool all BLs use for
Axb mirroring BL data. It's so stable and simple to use nothing can
Axb beat it.

From the website:


There is no config file, rbldnsd accepts all configuration in command line.

A bit too simple, I'd say.  What about kernel argv limits?


I'd say not to look for windmills to fight.

I know AXB runs rbldnsd.  I also know my firm runs it for at least 6 
public RBL mirrors and has never had an ARGV limitation.  Instead I've 
found it to be a straightforward package that has been historically rock 
solid with uptimes in the multiple years.


Try it and I hope you are pleasantly surprised.

regards,
KAM




Administrivia (was: Re: recent channel update woes)

2014-10-06 Thread Karsten Bräckelmann
On Mon, 2014-10-06 at 13:36 -0400, Kevin A. McGrail wrote:
 On 10/6/2014 1:23 PM, Kevin A. McGrail wrote:
  On 10/6/2014 1:11 PM, Jason Goldberg wrote:

   How do I get removed from this stupid list.
  
   I love being spammed by a list about spam which I did not sign up for.
 
  Email users-h...@spamassassin.apache.org and the system will mail you 
  instructions.
 
  If you did not sign up for the list, that is very troublesome and we 
  can ask infrastructure to research but I believe we have a 
  confirmation email requirement to get on the list. 

First of all: Jason's posts are stuck in moderation. The sender address
he uses is not the one he subscribed with.

Sidney and I (both list moderators) have been contacting Jason off-list
with detailed instructions how to find the subscribed address and
offering further help.


 Obviously we take this very seriously as anti-spammers because the 
 definition I follow for spam is it's about consent not content.  If you 
 didn't consent to receive these emails, we have a major issue.

The list server requires clear and active confirmation of the
subscription request by mail, validating both the address as well as
consent.


 I've confirmed we have a confirmation email process in place that 
 requires the subscribee to confirm the subscription request.  And I 
 believe this has been in place for many years.  So if you did not 
 subscribe to the list or confirm the subscription, you may need to check 
 if your email address credentials have been compromised as that's the 
 second most likely scenario for the cause beyond an administrator adding 
 you directly.
 
 Karsten, any thoughts other than if a list administrator added them 
 directly?   Have infrastructure check the records for when and how the 
 subscriber was added?  Open a ticket with Google?

He has not been added by a list administrator.

Without the subscribed address, there is absolutely nothing we can do. I
grepped the subscription list and transaction logs for parts of Jason's
name and company. The address in question is entirely different.


Just to give some answers. This issue should further be handled
off-list.





Re: SpamAssassin false positive bayes with attachments

2014-10-06 Thread Karsten Bräckelmann
On Mon, 2014-10-06 at 09:03 -0400, jdime abuse wrote:
 I have been seeing some issues with bayes detection from base64
 strings within attachments causing false positives.
 
 Example:
 Oct  6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264
 Oct  6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127
 Oct  6 09:02:14.374 [15869] dbg: bayes: token 'z4f' = 0.68502147581
 Oct  6 09:02:14.378 [15869] dbg: bayes: token '0vf' = 0.66604823748
 
 Is there a solution to prevent triggering bayes from the base64 data
 in an attachment? It was my impression that attachments should not
 trigger bayes data, but it seems that it is parsing it as text rather
 than an attachment.

Bayes tokens are basically taken from rendered, textual body parts (and
mail headers). Attachments are not tokenized.

Unless the message's MIME-structure is severely broken, these tokens
appear somewhere other than a base64 encoded attachment. Can you provide
a sample uploaded to a pastebin?





Re: SpamAssassin false positive bayes with attachments

2014-10-06 Thread David F. Skoll
On Mon, 06 Oct 2014 21:28:02 +0200
Karsten Bräckelmann guent...@rudersport.de wrote:

 Unless the message's MIME-structure is severely broken, these tokens
 appear somewhere other than a base64 encoded attachment.

Agreed, and a Qmail bounce message is a prime example of a message
whose MIME structure is severely broken.  I wonder if that's what
the OP is seeing?

Qmail's bounce message starts with:

Hi. This is the

and then (sometimes) includes the entire raw MIME message as a giant
glob of text.

http://cr.yp.to/proto/qsbmf.txt

We have custom code specifically to detect such messages and avoid
tokenizing them. :(

Regards,

David.


hacked sites by the dildo_du_jour

2014-10-06 Thread Axb

as SA update will take quite long till it publishes this:

uri      AXB_URI_HCKD_MUHMADEMAD /\/\/images\/jdownloads\/screenshots\/muhmademad\.png/
describe AXB_URI_HCKD_MUHMADEMAD dildo_du_jour
score    AXB_URI_HCKD_MUHMADEMAD 5.0

beware of MUA line break !!!

enjoy


Re: hacked sites by the dildo_du_jour

2014-10-06 Thread Reindl Harald


Am 06.10.2014 um 21:44 schrieb Axb:

as SA update will take quite long till it publishes this:

uri      AXB_URI_HCKD_MUHMADEMAD /\/\/images\/jdownloads\/screenshots\/muhmademad\.png/
describe AXB_URI_HCKD_MUHMADEMAD dildo_du_jour
score    AXB_URI_HCKD_MUHMADEMAD 5.0

beware of MUA line break !!!

enjoy


thank you!





Re: Administrivia

2014-10-06 Thread Kevin A. McGrail

On 10/6/2014 2:50 PM, Karsten Bräckelmann wrote:

Just to give some answers. This issue should further be handled
off-list.

Thanks for your $0.02. I hate being accused of spamming...


Re: hacked sites by the dildo_du_jour

2014-10-06 Thread Axb

On 10/06/2014 09:52 PM, Reindl Harald wrote:


Am 06.10.2014 um 21:44 schrieb Axb:

as SA update will take quite long till it publishes this:

uri      AXB_URI_HCKD_MUHMADEMAD /\/\/images\/jdownloads\/screenshots\/muhmademad\.png/
describe AXB_URI_HCKD_MUHMADEMAD dildo_du_jour
score    AXB_URI_HCKD_MUHMADEMAD 5.0

beware of MUA line break !!!

enjoy



this rule hits hacked sites

In case your domain is affected, here's the list:

(domains detected as from 2014-09-27)

http://pastebin.com/Pe8fa2Mi

(some may have been fixed)




Re: SpamAssassin false positive bayes with attachments

2014-10-06 Thread Joe Albertson
After reading your reply, I re-examined the message and found the cause was
an incorrect Content-Type:
~~~
Content-Type: text/plain; charset=windows-1250;
 name=pdfname.pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename=pdfname.pdf
~~~

So it was scanning the base64 as text and tokenizing it.

On Mon, Oct 6, 2014 at 3:28 PM, Karsten Bräckelmann guent...@rudersport.de
wrote:

 On Mon, 2014-10-06 at 09:03 -0400, jdime abuse wrote:
  I have been seeing some issues with bayes detection from base64
  strings within attachments causing false positives.
 
  Example:
  Oct  6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264
  Oct  6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127
  Oct  6 09:02:14.374 [15869] dbg: bayes: token 'z4f' = 0.68502147581
  Oct  6 09:02:14.378 [15869] dbg: bayes: token '0vf' = 0.66604823748
 
  Is there a solution to prevent triggering bayes from the base64 data
  in an attachment? It was my impression that attachments should not
  trigger bayes data, but it seems that it is parsing it as text rather
  than an attachment.

 Bayes tokens are basically taken from rendered, textual body parts (and
 mail headers). Attachments are not tokenized.

 Unless the message's MIME-structure is severely broken, these tokens
 appear somewhere other than a base64 encoded attachment. Can you provide
 a sample uploaded to a pastebin?




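The mislabelled part Joe found, reproduced as an added example (not code from the list or from SpamAssassin's Bayes plugin): it builds a message with a base64 blob declared as text/plain exactly as in the headers he quoted and decides per MIME part whether a tokenizer should see it, trusting the decoded bytes and the disposition rather than the Content-Type alone. The PDF-like bytes, addresses and boundary are constructed, and the magic-byte table and text-extension list are assumptions of the example.

```python
import base64
import email
from email import policy

# Constructed stand-in for the attachment Joe found: a small PDF-like blob
# (not a real document) sent as base64 but labelled text/plain. Building
# the base64 in code avoids hand-encoding mistakes.
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<</Type/Catalog>>\nendobj\n"

MAGIC = {  # leading bytes that identify common binary attachments (assumed table)
    b"%PDF-": "pdf", b"PK\x03\x04": "zip/office", b"\x7fELF": "elf",
    b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole/office",
}
TEXT_EXTENSIONS = {"txt", "csv", "log", "eml", "md"}


def build_sample() -> str:
    """Assemble the message with the mislabelled part as Joe quoted it."""
    b64 = base64.b64encode(FAKE_PDF).decode("ascii")
    return (
        "From: sender@example.com\nTo: abuse@example.net\nSubject: invoice\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/plain; charset=us-ascii\n\n"
        "Please find the document attached.\n"
        "--b1\nContent-Type: text/plain; charset=windows-1250;\n name=pdfname.pdf\n"
        "Content-Transfer-Encoding: base64\nContent-Disposition: attachment;\n"
        f" filename=pdfname.pdf\n\n{b64}\n--b1--\n"
    )


def binary_kind(data: bytes):
    """Return the detected binary type, or None if the bytes look like text."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if b"\x00" in data:
        return "nul-bytes"
    return None


def classify_parts(raw: str) -> list:
    """For each leaf part decide whether a Bayes-style tokenizer should see it.

    A text/* label alone is not trusted: a part whose decoded bytes carry a
    binary signature, or that is declared an attachment with a non-text
    filename, is treated as an attachment regardless of Content-Type.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    decisions = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part.get_payload(decode=True) or b""   # undoes the base64
        kind = binary_kind(payload)
        if not ctype.startswith("text/"):
            tokenize, reason = False, f"non-text type {ctype}"
        elif kind:
            tokenize, reason = False, f"binary content ({kind}) despite {ctype}"
        elif (part.get_content_disposition() == "attachment"
              and ext and ext not in TEXT_EXTENSIONS):
            tokenize, reason = False, f"attachment with non-text filename {filename}"
        else:
            tokenize, reason = True, "textual body part"
        decisions.append({"content_type": ctype, "filename": filename,
                          "tokenize": tokenize, "reason": reason})
    return decisions


if __name__ == "__main__":
    for d in classify_parts(build_sample()):
        print(d)
```

Tokens such as 'H4f' or 'wx2' in the debug output are the fingerprint of this case: three-character runs that only a base64 stream produces in a "text" part.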


Re: half-OT: please remove [spam]-markers from subjects

2014-10-06 Thread LuKreme
On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:
 
 Am 03.10.2014 um 19:34 schrieb LuKreme:
 [SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
 You are assuming, I think wrongly, that the [SPAM] tag is being used because 
 of a content filter and not simply a tag to identify the name of the list
 
 it is the *default* tag for a lot of commercial spamfilters
 if a message was detected as spam but not high enough to drop

Those are very stupid filters then. Let me guess, the shitpile that is 
Barracuda? Honestly, shitpile implies a much higher value than I believe 
Barracuda has, at least a shit pile can be used to fertilize.

 there is a reason why i had that sieve-filter and i saw
 that tagging over many years from a lot of other users
 not only the one with Barracuda Networks products

You should never filter on Subject. Period.




Re: half-OT: please remove [spam]-markers from subjects

2014-10-06 Thread John Hardin

On Mon, 6 Oct 2014, LuKreme wrote:


On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:


Am 03.10.2014 um 19:34 schrieb LuKreme:

[SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
You are assuming, I think wrongly, that the [SPAM] tag is being used because
of a content filter and not simply a tag to identify the name of the list


it is the *default* tag for a lot of commercial spamfilters
if a message was detected as spam but not high enough to drop


Those are very stupid filters then.


Huh?

How else would you suggest that a spam filter mark messages that are 
scored high enough to be spammy yet not high enough to be 
discarded/rejected, in a manner that will clearly convey that status to 
the end user?



Re: half-OT: please remove [spam]-markers from subjects

2014-10-06 Thread David Jones
 On Mon, 6 Oct 2014, LuKreme wrote:

  On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:
 
  Am 03.10.2014 um 19:34 schrieb LuKreme:
  [SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
  You are assuming, I think wrongly, that the [SPAM] tag is being used 
  because
  of a content filter and not simply a tag to identify the name of the list
 
  it is the *default* tag for a lot of commercial spamfilters
  if a message was detected as spam but not high enough to drop
 
  Those are very stupid filters then.

 Huh?

 How else would you suggest that a spam filter mark messages that are
 scored high enough to be spammy yet not high enough to be
 discarded/rejected, in a manner that will clearly convey that status to
 the end user?

I completely agree with LuKreme that you should never modify the subject to
indicate spam since users just reply back to the sender causing the sender to
think the reply is spam.  I filter for almost 100,000 mailboxes and I got tired
of explaining over and over when we tagged the subject.  Now I just set the
X-Spam-Status: Yes and hopefully the mail client will work with that and
move it to the Junk folder.  (Can't count on Outlook to do anything logical
though.  The Junk Mail Filter in Outlook seems to have a mind of its own
and it's not consistent.)
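
As an added example (not code from anyone in this thread), here is the client-side half of the approach described above: a small router that files mail on the X-Spam-Status header SpamAssassin adds and never reads or rewrites the Subject. The sample messages are constructed, and the header layout is assumed to be SpamAssassin's default, not the poster's actual configuration.

```python
import re
from email import message_from_bytes, policy

# Constructed samples in the default SpamAssassin header layout (an assumption
# about the shape of the poster's headers, not his actual configuration).
SAMPLE_SPAM = b"""From: sender@example.com
Subject: Quarterly report
X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_99,HTML_MESSAGE,
\tMISSING_MID autolearn=no autolearn_force=no version=3.4.0

body
"""
SAMPLE_HAM = b"""From: sender@example.com
Subject: Quarterly report
X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE autolearn=ham

body
"""

# "Yes, score=7.3 required=5.0 tests=A,B,C ..."; the tests list may have been
# folded across header lines, so whitespace around commas is tolerated.
_STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No)\s*,\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<req>-?\d+(?:\.\d+)?)"
    r"(?:\s+tests=(?P<tests>[A-Za-z0-9_]+(?:\s*,\s*[A-Za-z0-9_]+)*))?"
)

def parse_spam_status(value):
    """Parse an X-Spam-Status value. Returns None when the header is missing or
    malformed, so an unscanned message is never silently treated as ham."""
    if value is None:
        return None
    m = _STATUS_RE.match(" ".join(value.split()))  # unfold, collapse whitespace
    if not m:
        return None
    tests = [t.strip() for t in m.group("tests").split(",")] if m.group("tests") else []
    return {"spam": m.group("flag") == "Yes",
            "score": float(m.group("score")),
            "required": float(m.group("req")),
            "tests": tests}

def choose_folder(raw_message):
    """Route on the X-Spam-Status verdict alone; the Subject is never read or rewritten."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    status = parse_spam_status(msg["X-Spam-Status"])
    if status is None:
        return "INBOX"  # no usable verdict: deliver normally
    return "Junk" if status["spam"] else "INBOX"
```

Because the Subject is untouched, a user who replies to a filed message sends the original subject back, which is exactly the complaint the subject-tagging approach produces.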

Re: half-OT: please remove spam-markers from subjects

2014-10-06 Thread Reindl Harald


Am 07.10.2014 um 01:38 schrieb John Hardin:

On Mon, 6 Oct 2014, LuKreme wrote:


On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:


Am 03.10.2014 um 19:34 schrieb LuKreme:

[SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
You are assuming, I think wrongly, that the [SPAM] tag is being used because
of a content filter and not simply a tag to identify the name of the list


it is the *default* tag for a lot of commercial spamfilters
if a message was detected as spam but not high enough to drop


Those are very stupid filters then.


Huh?

How else would you suggest that a spam filter mark messages that are
scored high enough to be spammy yet not high enough to be
discarded/rejected, in a manner that will clearly convey that status to
the end user?


he just thinks everybody out there studies his mail headers or even has 
the knowledge to do so and writes perfect filters by the headers, while 
that assumption is naive - that said, restarting the thread once again 
after 3 days is questionable, to say it politely - if all people were 
that perfect they would not need the list


P.S.:
it was your Re: [SPAM] Re: False positive in rule: FUZZY_XPILL I 
referred to implicitly as I started that thread - maybe you can make clear 
that the [SPAM] part was not your personal prefix for the SA list, as 
LuKreme repeatedly pretends instead of just accepting the hint, and instead makes a stink





Re: half-OT: please remove [spam]-markers from subjects

2014-10-06 Thread Reindl Harald



Am 07.10.2014 um 01:48 schrieb David Jones:

On Mon, 6 Oct 2014, LuKreme wrote:



On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:


Am 03.10.2014 um 19:34 schrieb LuKreme:

[SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
You are assuming, I think wrongly, that the [SPAM] tag is being used because
of a content filter and not simply a tag to identify the name of the list


it is the *default* tag for a lot of commercial spamfilters
if a message was detected as spam but not high enough to drop


Those are very stupid filters then.



Huh?



How else would you suggest that a spam filter mark messages that are
scored high enough to be spammy yet not high enough to be
discarded/rejected, in a manner that will clearly convey that status to
the end user?


I completely agree with Lukreme that you should never modify the subject to
indicate spam since users just reply back to the sender causing the sender to
think the reply is spam


boah, and at least trying to avoid that was the point of my original post - 
so can we now agree that [SPAM] as part of the subject is not the best 
idea and continue to do other things?!




Re: half-OT: please remove spam-markers from subjects

2014-10-06 Thread John Hardin

On Tue, 7 Oct 2014, Reindl Harald wrote:


P.S.:
it was your Re: [SPAM] Re: False positive in rule: FUZZY_XPILL I referred 
to implicitly as I started that thread - maybe you can make clear that the 
[SPAM] part was not your personal prefix for the SA list, as LuKreme repeatedly 
pretends instead of just accepting the hint, and instead makes a stink


Apologies for that, I'm not in the habit of editing the subject line (or 
even looking closely at it) when I reply. I will try to develop that 
habit.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---
 858 days since the first successful private support mission to ISS (SpaceX)


Re: half-OT: please remove spam-markers from subjects

2014-10-06 Thread Reindl Harald


Am 07.10.2014 um 02:10 schrieb John Hardin:

On Tue, 7 Oct 2014, Reindl Harald wrote:


P.S.:
it was your Re: [SPAM] Re: False positive in rule: FUZZY_XPILL I
referred to implicitly as I started that thread - maybe you can make clear
that the [SPAM] part was not your personal prefix for the SA list, as
LuKreme repeatedly pretends instead of just accepting the hint, and instead makes a
stink


Apologies for that, I'm not in the habit of editing the subject line (or
even looking closely at it) when I reply. I will try to develop that habit


no reason to apologize, the only people who need to apologize are the 
ones pretending things without any need or knowledge of how spamfilters are 
set up for most users out there, and who even restart to do so days later 
after the thread was done


my intention was just a friendly reminder because I had that old filter 
from many years ago and I'm watching my junk folder anyway to pull out 
things to train bayes, so I just wondered why twice a SA-list message 
landed there and thought, uhm, for sure not the intention of the sender :-)
