Lost mail during update

2018-11-20 Thread @lbutlr
While updating spamassassin, several emails were destructively lost because of 
the absence of spamc. To be fair, the date did get stuck unexpectedly asking 
for a confirmation, but still I’d like to avoid this happening again.

Nov 20 10:20:34 mail postfix/pipe[73448]: 42zsss3jHVzcfQ1: 
to=, orig_to=, relay=spam-filter, 
delay=0.63, delays=0.61/0/0/0.02, dsn=2.0.0, status=sent (delivered via 
spam-filter service (/usr/local/bin/spam-filter: line 23: /usr/local/bin/spamc: 
No such file or directory))
Nov 20 10:20:34 mail postfix/qmgr[85457]: 42zsss3jHVzcfQ1: removed

The result is a message that has a minimal set of headers and no content.

-- 
'There's Mr Dibbler.' 'What's he selling this time?' 'I don't think he's
trying to sell anything, Mr Poons.' 'It's that bad? Then we're probably
in lots of trouble.' --Reaper Man
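
The log above shows the pipe transport reporting `status=sent` even though `spamc` could not be executed, so Postfix removed the message from the queue. The following is an added example, not the poster's `/usr/local/bin/spam-filter` script: a wrapper, written in Python, that exits with `EX_TEMPFAIL` (75) whenever the filtered copy cannot be trusted, which makes pipe(8) defer the message instead of discarding it. The function names, the `sendmail` path and the `SENDER RECIPIENT...` argument layout are assumptions.

```python
#!/usr/bin/env python3
"""Fail-safe content-filter wrapper for a Postfix pipe(8) transport."""
import shutil
import subprocess
import sys

EX_TEMPFAIL = 75                     # sysexits.h: temporary failure, message is deferred
SPAMC = "/usr/local/bin/spamc"       # path as it appears in the log above
SENDMAIL = "/usr/sbin/sendmail"      # assumed re-injection command


def filter_message(message: bytes, spamc: str = SPAMC, timeout: int = 120):
    """Run the message through spamc and return (exit_status, filtered_bytes).

    Every condition under which the output cannot be trusted maps to
    EX_TEMPFAIL, so the original message stays in the Postfix queue.
    """
    if shutil.which(spamc) is None:          # binary missing, e.g. mid-upgrade
        return EX_TEMPFAIL, b""
    try:
        proc = subprocess.run([spamc], input=message,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return EX_TEMPFAIL, b""
    if proc.returncode != 0:                 # the filter itself reported an error
        return EX_TEMPFAIL, b""
    if not proc.stdout.strip():              # empty result: never deliver it
        return EX_TEMPFAIL, b""
    return 0, proc.stdout


def main(argv):
    # Assumed invocation from master.cf: wrapper SENDER RECIPIENT...
    if len(argv) < 3:
        return EX_TEMPFAIL
    sender, recipients = argv[1], argv[2:]
    status, filtered = filter_message(sys.stdin.buffer.read())
    if status != 0:
        return status
    try:
        inject = subprocess.run(
            [SENDMAIL, "-i", "-f", sender, "--", *recipients], input=filtered)
    except OSError:
        return EX_TEMPFAIL
    return 0 if inject.returncode == 0 else EX_TEMPFAIL


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this behaviour a missing `spamc` shows up in the Postfix log as `status=deferred`, and the queued mail is retried once the binary is back.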



Port Spamass-rules?

2018-11-20 Thread @lbutlr
When updating Spam Assassin today I noticed that the notes at the end of the 
port install still recommend installing mail/spamass-rules.

This should not be done, right?

-- 
Get in there you big furry oaf! I don't care what you smell!



Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, Rupert Gallagher wrote:

The email address is an address, part of your personally identifiable 
data.


I'm not disputing that. I write software that deals with PII in my day 
job.


If an identifiable entity in the US sends mass mail to European 
addresses, then they must have a representative in Europe and comply 
with the GDPR.


(1) how do you *force* someone in the US to have a representative in 
Europe?


(2) if they do no business in the EU, and do not have any presence in the 
EU (sending email to addresses in the EU is not "having a presence in the 
EU"), how are they subject to fines for violating the law in the EU?


If, for example, I - a private, non-commercial entity - hosted a mailing 
list on my private server (which I have done in the past), and someone in 
the EU subscribed and posted to that list and their email address was 
captured in the list archives, and they later unsubscribed and asked for 
their email address to be removed from the list archives, and I (for 
whatever reason) did not do so, *how* would an EU court levy fines against 
me?


The US is not a signatory to the GDPR as far as I am aware, and I have 
*no* legal presence outside the US.




On Tue, Nov 20, 2018 at 17:03, John Hardin  wrote:


On Tue, 20 Nov 2018, Rupert Gallagher wrote:


Yes, if you are European, and might get some money as compensation.


From a US political advocacy group which has no commercial presence in EU?
How does GDPR apply in that situation?


On Mon, Nov 19, 2018 at 04:19, Joe Acquisto-j4  wrote:


Gents,

I somehow became subscribed to a list, political in nature, in whose mail I 
have no interest. This is a legitimate AFAIK, US organization.

Thus far, several uses of their unsubscribe link had not provided relief. 
Direct email to the founder and operations manager seem to have been ignored as 
well.

While I can just dump their mail, it offends my finely honed sense of 
propriety, justice and my all around good nature. Besides, it hoses me off.

So, is there some "authority" to which I can report these a**holes? that might 
have an effect?


--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)


RE: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Benny Pedersen

On 21. november 2018 01.32.37 Kevin Miller 
My particular favorite fix is, if the mail list has a web preferences page, 
to go to there and edit the preferences then set the email address to 
postmaster@localhost.  Now it's their problem. 


If they test fqdn it will be your problem

:)


Re: whitelisting DCC messages

2018-11-20 Thread Alex
Hi,

> $ /var/lib/dcc/bin/dccproc -QCw whiteclnt < dcc-empty
> X-DCC--Metrics: mail01.example.com 1102; Body=0 Fuz1=0 Fuz2=many
> reported: 0   checksum  server
>  env_From: d41d8cd9 8f00b204 e9800998 ecf8427e
>  From: 7c09f5ba dd3f6a43 24f75466 afda2915
>    Message-ID: 145d9d01 f7b21152 a86b0141 1fd5c0f1
>  Received: 9d8accc4 f9eeba67 8dde18da fbe46c50
>  Body: 3de7141d 134f5fb4 0186aa32 545805ad   0
>  Fuz1: 104f1b8d 6fc72af7 ff2d1c1f 2a7c9f6d   0
>  Fuz2: ad6b5492 77db8305 4fddeebd fdb30168   many

I believe I figured it out. The "body" hash above must be for either
an empty text body or the "empty" quoted-printable HTML body. Adding
the following to /var/lib/dcc/whiteclnt appears to work.

ok hex fuz2 ad6b5492 77db8305 4fddeebd fdb30168
ok hex body 3de7141d 134f5fb4 0186aa32 545805ad


whitelisting DCC messages

2018-11-20 Thread Alex
Hi,
This is perhaps off-topic, but does anyone have any tips on how to
whitelist a message that hits DCC? I believe it's hitting DCC because
it has an empty body.

I've created digests for pyzor and razor, but DCC is much more involved.

I've tried to generate a checksum, but I don't know if this is right or
what to do with it next.

$ /var/lib/dcc/bin/dccproc -QCw whiteclnt < dcc-empty
X-DCC--Metrics: mail01.example.com 1102; Body=0 Fuz1=0 Fuz2=many
reported: 0   checksum  server
 env_From: d41d8cd9 8f00b204 e9800998 ecf8427e
 From: 7c09f5ba dd3f6a43 24f75466 afda2915
   Message-ID: 145d9d01 f7b21152 a86b0141 1fd5c0f1
 Received: 9d8accc4 f9eeba67 8dde18da fbe46c50
 Body: 3de7141d 134f5fb4 0186aa32 545805ad   0
 Fuz1: 104f1b8d 6fc72af7 ff2d1c1f 2a7c9f6d   0
 Fuz2: ad6b5492 77db8305 4fddeebd fdb30168   many

Is it possible to enable checksum logging in addition to what SA
reports when not running a dcc daemon?


RE: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Kevin Miller
No worries.  Someone with a similar issue will search for a solution someday, 
and have one at hand.  :-)

My particular favorite fix is, if the mail list has a web preferences page, to 
go to there and edit the preferences then set the email address to 
postmaster@localhost.  Now it's their problem. 

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: Joe Acquisto-j4 [mailto:j...@j4computers.com] 
Sent: Tuesday, November 20, 2018 10:43 AM
To: users@spamassassin.apache.org
Subject: Re: semi-OT - reporting an organization that ignores unsubscribe 
requests

>>> On 11/19/2018 at 4:35 PM, in message
, "Kevin A. McGrail"
 wrote:
> On 11/18/2018 10:19 PM, Joe Acquisto-j4 wrote:
>> So, is there some "authority" to which I can report these a**holes? that 
> might have an effect?
> I would say some blacklists might be interested.  I certainly list
> emails based on consent. 

Ever have one of those days where you wish you had never raised your hand in 
class?   Seems I may have maligned this unnamed organization.

For legacy reasons I have two email accounts with similar domains aggregated 
into one.   Short story, I was un-subscribing the wrong one.  

Still, they could, perhaps, have done a quick check against their subscriber 
list, instead of reporting it as successfully unsubscribed.

See, there is always a way to make it someone else's fault.

Sorry for the wasted time.





Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Anne P. Mitchell, Esq.



> The email address is an address, part of your personally identifiable data. 
> If an identifiable entity in the US sends mass mail to European addresses, 
> then they must have a representative in Europe and comply with the GDPR. 

I somehow missed that John is in the U.K., and actually re-reading his email 
suggests that he may be in Canada ("hoses me off" ;-) )...  John, if you are in 
Canada then this may fall under CASL, in which case you can report the email 
here:

http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00017.html

If you are, in fact, in the EU, then by all means I'd go the route of invoking 
GDPR.  Many (if not most..sigh) entities in the U.S. believe that they don't 
have to worry or care about GDPR..however the language in GDPR that says, in 
essence, "we will go after anybody anywhere in the world who violates GDPR" 
coupled with the private right of action suggests that you'd at least have a 
shot.  The reason that political spam is exempted in the U.S. is because of the 
1st Amendment..which of course does not apply outside the U.S.. ;-)

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
California Bar Association
Cal. Bar Cyberspace Law Committee
Colorado Cyber Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop





> 
> 
> On Tue, Nov 20, 2018 at 17:03, John Hardin  wrote:
>> On Tue, 20 Nov 2018, Rupert Gallagher wrote:
>> 
>> > Yes, if you are European, and might get some money as compensation.
>> 
>> From a US political advocacy group which has no commercial presence in EU?
>> How does GDPR apply in that situation?
>> 
>> > On Mon, Nov 19, 2018 at 04:19, Joe Acquisto-j4  
>> > wrote:
>> >
>> >> Gents,
>> >>
>> >> I somehow became subscribed to a list, political in nature, in whose mail 
>> >> I have no interest. This is a legitimate AFAIK, US organization.
>> >>
>> >> Thus far, several uses of their unsubscribe link had not provided relief. 
>> >> Direct email to the founder and operations manager seem to have been 
>> >> ignored as well.
>> >>
>> >> While I can just dump their mail, it offends my finely honed sense of 
>> >> propriety, justice and my all around good nature. Besides, it hoses me 
>> >> off.
>> >>
>> >> So, is there some "authority" to which I can report these a**holes? that 
>> >> might have an effect?
>> 
>> --
>> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
>> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>> ---
>> The world has enough Mouse Clicking System Engineers.
>> -- Dave Pooser
>> ---
>> 600 days since the first commercial re-flight of an orbital booster (SpaceX)
> 
> 



Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Rupert Gallagher
The email address is an address, part of your personally identifiable data. If 
an identifiable entity in the US sends mass mail to European addresses, then 
they must have a representative in Europe and comply with the GDPR.

On Tue, Nov 20, 2018 at 17:03, John Hardin  wrote:

> On Tue, 20 Nov 2018, Rupert Gallagher wrote:
>
>> Yes, if you are European, and might get some money as compensation.
>
> From a US political advocacy group which has no commercial presence in EU?
> How does GDPR apply in that situation?
>
>> On Mon, Nov 19, 2018 at 04:19, Joe Acquisto-j4  wrote:
>>
>>> Gents,
>>>
>>> I somehow became subscribed to a list, political in nature, in whose mail I 
>>> have no interest. This is a legitimate AFAIK, US organization.
>>>
>>> Thus far, several uses of their unsubscribe link had not provided relief. 
>>> Direct email to the founder and operations manager seem to have been 
>>> ignored as well.
>>>
>>> While I can just dump their mail, it offends my finely honed sense of 
>>> propriety, justice and my all around good nature. Besides, it hoses me off.
>>>
>>> So, is there some "authority" to which I can report these a**holes? that 
>>> might have an effect?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> The world has enough Mouse Clicking System Engineers.
> -- Dave Pooser
> ---
> 600 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Anne P. Mitchell, Esq.



> 
> Gents,  

Ahem.  ;-)


> 
> I somehow became subscribed to a list, political in nature, in whose mail I 
> have no interest.  This is a legitimate AFAIK, US organization.  
> 
> Thus far, several uses of their unsubscribe link had not provided relief.  
> Direct email to the founder and operations manager seem to have been ignored 
> as well.
> 
> While I can just dump their mail, it offends my finely honed sense of 
> propriety, justice and my all around good nature.  Besides, it hoses me off.
> 
> So, is there some "authority" to which I can report these a**holes? that 
> might have an effect?

Speaking as someone who actually wrote part of the U.S. anti-spam law (of which 
I'm the first to say that it is pathetic and anemic (except of course, the part 
that I wrote ;-) )...I can say categorically that political email is exempt 
from most Federal law relating to email, email marketing, etc.. 

But THAT said, a word to their provider can (and sometimes does) still have the 
desired (individual) effect, because providers care about their IP space 
reputation (more so than most political campaigns).

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
California Bar Association
Cal. Bar Cyberspace Law Committee
Colorado Cyber Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop






Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Rupert Gallagher
Spam is income for those who sell it, a cost for those who buy it, and a 
liability for those who receive it. Thousands of junk and weaponized messages 
try their luck while wasting our resources. It is not by accident that we have 
anti-spam laws. Our unpaid job is to reject spam efficiently. Sometimes you 
cannot reject it, because it is sent properly, by someone you can identify, and it 
falls within your legal reach. That's when you file a complaint to the 
ombudsman and cash in a small reward for the inconvenience. Laws are there for 
us, not against us.

On Tue, Nov 20, 2018 at 11:36, Martin Gregorie  wrote:

> On 18 Nov 2018, at 22:19, Joe Acquisto-j4 wrote:
>>
>> > Gents,
>> >
>> > I somehow became subscribed to a list, political in nature, in
>> > whose mail I have no interest. This is a legitimate AFAIK, US
>> > organization.
>> >
> I just auto-bin this stuff if their 'unsubscribe' link doesn't work.
> Emirates, the well-known airline, is the latest outfit to get this
> treatment here.
>
> However, given the recently mentioned US freedoms of political speech,
> why can't you simply exercise your freedoms by reflecting it back to
> the mailing list unseen but with a polite note added to the body in
> big caps saying something along the lines of:
>
> "I tried to unsubscribe from your list but that doesn't work, so here's
> your unwanted mail back. Kindly take me off your list".
>
> I don't see how that could be twisted into offensive speech, but it
> just might embarrass their mailadmin into taking you off the list.
>
> Martin

Re: multiplying in rules

2018-11-20 Thread RW
On Tue, 20 Nov 2018 13:14:54 -0800 (PST)
John Hardin wrote:

> On Tue, 20 Nov 2018, RW wrote:
> 
> > On Tue, 20 Nov 2018 13:36:52 -0500
> > micah anderson wrote:  
> >>
> >> How can I do it without the fractions?  
> >
> > meta LOCAL_EXCEEDED_PHISH   __MAILBOX + __LOCAL_EXCEEDED +
> > __LOCAL_STORAGE + __LOCAL_LIMIT >= 3  
> 

> though I would do "> 2"

A lot of people would, but IMO writing it as 

>=  

is clearer than

>  



Re: multiplying in rules

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, RW wrote:


On Tue, 20 Nov 2018 13:36:52 -0500
micah anderson wrote:


How can I do it without the fractions?


meta LOCAL_EXCEEDED_PHISH   __MAILBOX + __LOCAL_EXCEEDED + __LOCAL_STORAGE + __LOCAL_LIMIT >= 3


D'oh! That's actually the clearest solution (though I would do "> 2")

--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them. -- Jeffrey Snyder
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: multiplying in rules

2018-11-20 Thread RW
On Tue, 20 Nov 2018 13:36:52 -0500
micah anderson wrote:


> > But
> > as I said it's the decimal fractions that cause it to fail and the
> > above rule doesn't need to contain decimal fractions.  
> 
> How can I do it without the fractions?

meta LOCAL_EXCEEDED_PHISH   4*__MAILBOX + 4*__LOCAL_EXCEEDED + 4*__LOCAL_STORAGE + 4*__LOCAL_LIMIT > 10

or 


meta LOCAL_EXCEEDED_PHISH   __MAILBOX + __LOCAL_EXCEEDED + __LOCAL_STORAGE + __LOCAL_LIMIT >= 3


Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Kevin A. McGrail
On 11/20/2018 2:43 PM, Joe Acquisto-j4 wrote:
> Seems I may have maligned this unnamed organization.

Other than maligning their cosmic karma, not really sure asking about
how to gritch about them but not actually doing anything does any real
harm :-)

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Joe Acquisto-j4
>>> On 11/19/2018 at 4:35 PM, in message
, "Kevin A. McGrail"
 wrote:
> On 11/18/2018 10:19 PM, Joe Acquisto-j4 wrote:
>> So, is there some "authority" to which I can report these a**holes? that 
> might have an effect?
> I would say some blacklists might be interested.  I certainly list
> emails based on consent. 

Ever have one of those days where you wish you had never raised your hand in 
class?   Seems I may have maligned this unnamed organization.

For legacy reasons I have two email accounts with similar domains aggregated 
into one.   Short story, I was un-subscribing the wrong one.  

Still, they could, perhaps, have done a quick check against their subscriber 
list, instead of reporting it as successfully unsubscribed.

See, there is always a way to make it someone else's fault.

Sorry for the wasted time.





Re: 9D character used in words to avoid detection.

2018-11-20 Thread Kevin A. McGrail
Pedro, I just checked a spample I have and it hits on the rule.  Note, I do
not use normalize charset but just expanded the rule to allow for that
thanks to RW's post.

Regards,
KAM
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, Nov 18, 2018 at 1:40 PM Pedro David Marco 
wrote:

> Kevin,
>
> i think KAM_ZWNJ only triggers with "rawbody".  Actual KAM.cf uses
> "body"...
>
> does the SA body pre-processor removes nulls??
>
> ---
> PedroD
>
> On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail <
> kmcgr...@apache.org> wrote:
>
>
> Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please
> let me know if those help.
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
> On Fri, Nov 16, 2018 at 7:37 PM John Hardin  wrote:
>
> On Fri, 16 Nov 2018, Mark London wrote:
>
> > I just received a spam email with the 9D character placed inside of
> words,
> > that prevented my custom BODY rules from being hit.  I.e.:
> >
> > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr
> a=9Dlready
> > change=9Dd it.
> >
> > Is there a way to define BODY rules, so that they will be triggered?
> > Thanks.
>
> No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> my sandbox. It isn't performing well in masschecks so I expect this tactic
> isn't widespread (yet?)
>
> I suppose I should expose it as scored in case it becomes popular...
>
>
> --
>   John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>   jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>From the Liberty perspective, it doesn't matter if it's a
>jackboot or a Birkenstock smashing your face. -- Robb Allen
> ---
>   596 days since the first commercial re-flight of an orbital booster
> (SpaceX)
>
>


Re: multiplying in rules

2018-11-20 Thread micah anderson
"Bill Cole"  writes:

> On 20 Nov 2018, at 13:53, John Hardin wrote:
>
>> On Tue, 20 Nov 2018, micah anderson wrote:
> [...]
 What it does do is prevent compiled rules from being installed. But 
 as I
 said it's the decimal fractions that cause it to fail and the above
 rule doesn't need to contain decimal fractions.
>>>
>>> How can I do it without the fractions?
>>
>> Multiply everything by 10: (__rulename * 4) ...etc... > 10
>
> Or replace every decimal fraction with an integer division, so '0.4' 
> becomes '(4 / 10)'

oh, of course. I was thinking that these amounts contributed to the
score, but they do not. Thanks for wiping away the grime from my brain.


-- 
micah


Re: multiplying in rules

2018-11-20 Thread Bill Cole

On 20 Nov 2018, at 13:53, John Hardin wrote:


On Tue, 20 Nov 2018, micah anderson wrote:

[...]
What it does do is prevent compiled rules from being installed. But 
as I

said it's the decimal fractions that cause it to fail and the above
rule doesn't need to contain decimal fractions.


How can I do it without the fractions?


Multiply everything by 10: (__rulename * 4) ...etc... > 10


Or replace every decimal fraction with an integer division, so '0.4' 
becomes '(4 / 10)'


Re: multiplying in rules

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, micah anderson wrote:


RW  writes:


On Tue, 20 Nov 2018 12:53:18 -0500
micah anderson wrote:


RW  writes:


On Tue, 20 Nov 2018 12:38:24 -0500
micah anderson wrote:


I was doing multiplication in rules to add scores, like this:

meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 * __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT)) > 1)


but now when I run spamassassin --lint, I'm told things like this:

Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4


It's the decimal fractions.


What should I do to fix that?


It should be fixed in the next release.


ok, but until then, is the only option for me to disable these rules?
These are particularly important rules for stopping phishing attacks,
so I'd like to not disable them, but find some other kind of work
around!


I don't believe it prevents the rule from working.


It prevents sa-compile from running because spamassassin --lint fails.


What it does do is prevent compiled rules from being installed. But as I
said it's the decimal fractions that cause it to fail and the above
rule doesn't need to contain decimal fractions.


How can I do it without the fractions?


Multiply everything by 10: (__rulename * 4) ...etc... > 10


--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security and Absolute Safety are unattainable; beware
  those who would try to sell them to you, regardless of the cost,
  for they are trying to sell you your own slavery.
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: : 9D character used in words to avoid detection

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, RW wrote:


On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
John Hardin wrote:


On Mon, 19 Nov 2018, Joseph Brennan wrote:


Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt

In windows-1256, the presence of =9D between characters under
decimal-128 is suspicious, regardless of Bitcoin. It seems like a
simple rule but even rawbody does not check quoted-printable
patterns. Plugin maybe? Has this already been done and I've missed
it?


It's there, but performing poorly:

https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail



For this to work with 'normalize_charset 1', \x9d needs to be replaced
with (?:\x9d|\xe2\x80\x8c)


Thanks, I'll get that change checked in shortly.


--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security and Absolute Safety are unattainable; beware
  those who would try to sell them to you, regardless of the cost,
  for they are trying to sell you your own slavery.
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)
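
RW's point in the message above, shown as an added example that is not code from the thread or from SpamAssassin: in windows-1256 the byte 0x9D is the zero-width non-joiner U+200C, so once the body is normalized to UTF-8 the same filler appears as `\xe2\x80\x8c` and a pattern written only for `\x9d` stops matching. The two regular expressions are hypothetical illustrations (not the text of `__UNICODE_OBFU_ZW`), and charset normalization is modelled here as "decode the declared charset, re-encode as UTF-8".

```python
import quopri
import re

# Body line quoted in the thread (quoted-printable, charset windows-1256).
QP_SAMPLE = b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt"

# Hypothetical patterns: a filler sitting directly between two ASCII letters.
# Restricting the neighbours to ASCII leaves legitimate use of the joiner
# inside Arabic-script words alone.
RAW_ONLY = re.compile(rb"(?<=[A-Za-z])\x9d(?=[A-Za-z])")
RAW_OR_UTF8 = re.compile(rb"(?<=[A-Za-z])(?:\x9d|\xe2\x80\x8c)(?=[A-Za-z])")


def decode_qp(body: bytes) -> bytes:
    """Undo quoted-printable: the bytes seen without charset normalization."""
    return quopri.decodestring(body)


def normalize(raw: bytes, charset: str = "cp1256") -> bytes:
    """Model of charset normalization: declared charset in, UTF-8 bytes out."""
    return raw.decode(charset).encode("utf-8")


def hits(pattern, data: bytes) -> int:
    """Number of fillers the pattern finds between ASCII letters."""
    return len(pattern.findall(data))


def deobfuscate(utf8_body: bytes) -> str:
    """Drop zero-width non-joiners so word-based body rules see plain text."""
    return utf8_body.decode("utf-8").replace("\u200c", "")


def compare(qp_body: bytes) -> dict:
    """Hit counts for both patterns on the raw and the normalized body."""
    raw = decode_qp(qp_body)
    norm = normalize(raw)
    return {
        "raw_only/raw": hits(RAW_ONLY, raw),
        "raw_only/normalized": hits(RAW_ONLY, norm),
        "raw_or_utf8/raw": hits(RAW_OR_UTF8, raw),
        "raw_or_utf8/normalized": hits(RAW_OR_UTF8, norm),
        "plain_text": deobfuscate(norm),
    }


if __name__ == "__main__":
    for key, value in compare(QP_SAMPLE).items():
        print(f"{key:24} {value}")
```

The `\x9d`-only pattern finds nothing in the normalized body, while the alternation matches the same positions in both forms.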


Re: multiplying in rules

2018-11-20 Thread micah anderson
RW  writes:

> On Tue, 20 Nov 2018 12:53:18 -0500
> micah anderson wrote:
>
>> RW  writes:
>> 
>> > On Tue, 20 Nov 2018 12:38:24 -0500
>> > micah anderson wrote:
>> >  
>> >> I was doing multiplication in rules to add scores, like this:
>> >> 
>> >> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
>> >> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 *
>> >> __LOCAL_LIMIT))  
>> >> > 1)  
>> >> 
>> >> but now when I run spamassassin --lint, I'm told things like this:
>> >> 
>> >> Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4  
>> >
>> > It's the decimal fractions. 
>> >
>> >> What should I do to fix that?  
>> >
>> > It should be fixed in the next release.  
>> 
>> ok, but until then, is the only option for me to disable these rules?
>> These are particularly important rules for stopping phishing attacks,
>> so I'd like to not disable them, but find some other kind of work
>> around!
>
> I don't believe it prevents the rule from working.

It prevents sa-compile from running because spamassassin --lint fails.

> What it does do is prevent compiled rules from being installed. But as I
> said it's the decimal fractions that cause it to fail and the above
> rule doesn't need to contain decimal fractions.

How can I do it without the fractions?

I've applied the patch from the repo to make it work.
-- 
micah


Re: multiplying in rules

2018-11-20 Thread RW
On Tue, 20 Nov 2018 12:53:18 -0500
micah anderson wrote:

> RW  writes:
> 
> > On Tue, 20 Nov 2018 12:38:24 -0500
> > micah anderson wrote:
> >  
> >> I was doing multiplication in rules to add scores, like this:
> >> 
> >> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
> >> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 *
> >> __LOCAL_LIMIT))  
> >> > 1)  
> >> 
> >> but now when I run spamassassin --lint, I'm told things like this:
> >> 
> >> Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4  
> >
> > It's the decimal fractions. 
> >
> >> What should I do to fix that?  
> >
> > It should be fixed in the next release.  
> 
> ok, but until then, is the only option for me to disable these rules?
> These are particularly important rules for stopping phishing attacks,
> so I'd like to not disable them, but find some other kind of work
> around!

I don't believe it prevents the rule from working.

What it does do is prevent compiled rules from being installed. But as I
said it's the decimal fractions that cause it to fail and the above
rule doesn't need to contain decimal fractions.


Re: multiplying in rules

2018-11-20 Thread Henrik K


On Tue, Nov 20, 2018 at 12:53:18PM -0500, micah anderson wrote:
> RW  writes:
> 
> > On Tue, 20 Nov 2018 12:38:24 -0500
> > micah anderson wrote:
> >
> >> I was doing multiplication in rules to add scores, like this:
> >> 
> >> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
> >> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT))
> >> > 1)
> >> 
> >> but now when I run spamassassin --lint, I'm told things like this:
> >> 
> >> Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4
> >
> > It's the decimal fractions. 
> >  
> >> What should I do to fix that?
> >
> > It should be fixed in the next release.
> 
> ok, but until then, is the only option for me to disable these rules?
> These are particularly important rules for stopping phishing attacks, so
> I'd like to not disable them, but find some other kind of work around!

Patch it then, it's a trivial one line change.

http://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1842403=1842593=date_format=h



Re: multiplying in rules

2018-11-20 Thread micah anderson
RW  writes:

> On Tue, 20 Nov 2018 12:38:24 -0500
> micah anderson wrote:
>
>> I was doing multiplication in rules to add scores, like this:
>> 
>> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
>> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT))
>> > 1)
>> 
>> but now when I run spamassassin --lint, I'm told things like this:
>> 
>> Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4
>
> It's the decimal fractions. 
>  
>> What should I do to fix that?
>
> It should be fixed in the next release.

ok, but until then, is the only option for me to disable these rules?
These are particularly important rules for stopping phishing attacks, so
I'd like to not disable them, but find some other kind of work around!


-- 
micah


Re: multiplying in rules

2018-11-20 Thread RW
On Tue, 20 Nov 2018 12:38:24 -0500
micah anderson wrote:

> I was doing multiplication in rules to add scores, like this:
> 
> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT))
> > 1)
> 
> but now when I run spamassassin --lint, I'm told things like this:
> 
> Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4

It's the decimal fractions. 
 
> What should I do to fix that?

It should be fixed in the next release.


multiplying in rules

2018-11-20 Thread micah anderson


I was doing multiplication in rules to add scores, like this:

meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 * __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT)) > 1)

but now when I run spamassassin --lint, I'm told things like this:

Nov 20 09:34:42.096 [11146] warn: config: Strange rule token: 0.4

What should I do to fix that?

Thanks!

-- 
micah


Re: what is FromNameSpoof supposed to catch?

2018-11-20 Thread RW
On Tue, 20 Nov 2018 16:36:44 +0100
Matus UHLAR - fantomas wrote:

> wasn't FromNameSpoof supposed to catch this kind of mails?
> 
> From: "RB Techgum " 
> 
> when testing this with rules proposed in FromNameSpoof docs, none hit.

And it didn't work with:

  From: "" 

but it did work with:

  From: "robert.bx...@techgum.cz" 



Also I got a hit on __PLUGIN_FROMNAME_DIFFERENT with:

  From: "al...@mgff.co.uk" 

  From: "al...@mgff.co.uk" 

this is with  'fns_check 2' where:

 Check levels:

 0 - Strict checking of From:name != From:addr
 1 - Allow for different tlds
 2 - Allow for different aliases but same domain

So it looks like:

A.  No allowance is made for differing sub-domains.

B.  level 1 isn't implied by 2, so it's not possible to allow for both
different local-parts and TLDs


I think it needs some more work.

> because of
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7624
> I have applied following patch
> https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/FromNameSpoof.pm?r1=1842029=1842028=1842029=patch
> - hope it's not the culprit.

It didn't work with the unmodified version either.


Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, Rupert Gallagher wrote:


Yes, if you are European, and might get some money as compensation.


From a US political advocacy group which has no commercial presence in EU? 

How does GDPR apply in that situation?


On Mon, Nov 19, 2018 at 04:19, Joe Acquisto-j4  wrote:


Gents,

I somehow became subscribed to a list, political in nature, in whose mail I 
have no interest. This is a legitimate AFAIK, US organization.

Thus far, several uses of their unsubscribe link had not provided relief. 
Direct email to the founder and operations manager seem to have been ignored as 
well.

While I can just dump their mail, it offends my finely honed sense of 
propriety, justice and my all around good nature. Besides, it hoses me off.

So, is there some "authority" to which I can report these a**holes? that might 
have an effect?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
John Hardin wrote:

> On Mon, 19 Nov 2018, Joseph Brennan wrote:
> 
> > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> >
> > In windows-1256, the presence of =9D between characters under
> > decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> > simple rule but even rawbody does not check quoted-printable
> > patterns. Plugin maybe? Has this already been done and I've missed
> > it?  
> 
> It's there, but performing poorly:
> 
> https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail

 
For this to work with 'normalize_charset 1', \x9d needs to be replaced
with (?:\x9d|\xe2\x80\x8c)


what is FromNameSpoof supposed to catch?

2018-11-20 Thread Matus UHLAR - fantomas

wasn't FromNameSpoof supposed to catch this kind of mails?

From: "RB Techgum " 

when testing this with rules proposed in FromNameSpoof docs, none hit.

because of
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7624
I have applied following patch
https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/FromNameSpoof.pm?r1=1842029=1842028=1842029=patch
- hope it's not the culprit.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


FromNameSpoof usage examples and experience

2018-11-20 Thread Matus UHLAR - fantomas

Hello,

did anyone set up rules to use the FromNameSpoof plugin?

Do you have any experience with it?

Thanks.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 15:38:58 -0500
Joseph Brennan wrote:

> Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> 
> In windows-1256, the presence of =9D between characters under
> decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> simple rule but even rawbody does not check quoted-printable
> patterns. Plugin maybe? Has this already been done and I've missed it?

You don't need that, you can simply look for the decoded character in
the body. 
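
Both replies in this thread about the =9D filler turn on which bytes a body rule actually sees once the message has been decoded. The Python sketch below is an added example, not part of either post and not SpamAssassin code; it models charset normalization as a plain windows-1256 to UTF-8 conversion (an assumption), and all function and pattern names are hypothetical.

```python
import quopri
import re

# Constructed sample: the quoted-printable line quoted in the thread.
QP_LINE = b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt"

# Filler wedged between two ASCII letters. Lookarounds keep adjacent
# hits (o=9Du right after i=9Do) from swallowing each other's letters.
RAW_ONLY = re.compile(rb"(?<=[A-Za-z])\x9d(?=[A-Za-z])")
RAW_OR_UTF8 = re.compile(rb"(?<=[A-Za-z])(?:\x9d|\xe2\x80\x8c)(?=[A-Za-z])")


def decoded_body(qp: bytes) -> bytes:
    """Undo the quoted-printable transfer encoding; the charset is untouched."""
    return quopri.decodestring(qp)


def normalized_body(qp: bytes, charset: str = "cp1256") -> bytes:
    """Assumed model of normalization: decode the declared charset, emit UTF-8.

    In windows-1256 the byte 0x9D is U+200C (zero width non-joiner),
    which UTF-8 encodes as E2 80 8C.
    """
    return decoded_body(qp).decode(charset).encode("utf-8")


def hits(pattern: re.Pattern, body: bytes) -> int:
    """Count filler characters sitting between two ASCII letters."""
    return len(pattern.findall(body))


def report(qp: bytes = QP_LINE) -> dict:
    """Compare both patterns against both views of the same body."""
    raw, norm = decoded_body(qp), normalized_body(qp)
    return {
        "literal_=9D_in_decoded": b"=9D" in raw,
        "raw_only_on_decoded": hits(RAW_ONLY, raw),
        "raw_only_on_normalized": hits(RAW_ONLY, norm),
        "alternation_on_decoded": hits(RAW_OR_UTF8, raw),
        "alternation_on_normalized": hits(RAW_OR_UTF8, norm),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The literal text `=9D` never reaches the decoded body, the single-byte pattern goes blind once the body is UTF-8, and the alternation matches in both cases.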


Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread Martin Gregorie
On 18 Nov 2018, at 22:19, Joe Acquisto-j4 wrote:
> 
> > Gents,
> > 
> > I somehow became subscribed to a list, political in nature, in
> > whose mail I have no interest.  This is a legitimate AFAIK, US
> > organization.
> > 
I just auto-bin this stuff if their 'unsubscribe' link doesn't work.
Emirates, the well-known airline, is the latest outfit to get this
treatment here.

However, given the recently mentioned US freedoms of political speech,
why can't you simply exercise your freedoms by reflecting it back to
the mailing list unseen but with a polite note added to the body in
big caps saying something along the lines of: 

"I tried to unsubscribe from your list but that doesn't work, so here's
your unwanted mail back. Kindly take me off your list".

I don't see how that could be twisted into offensive speech, but it
just might embarrass their mailadmin into taking you off the list.


Martin