Re: Question about whitelisting of naadac.org

2021-08-11 Thread John Hardin

On Wed, 11 Aug 2021, Lukasz Maik wrote:


> Hi All,
>
> The company naadac.org is experiencing problems with their e-mails being
> marked as SPAM, when they are putting a link to their domain
> www.naadac.org in the signature of their mails.
>
> Is it possible to whitelist this domain/link in your SPAM filtering?
> Results from the mail-tester.com tool are available below:
>
> [cid:image001.png@01D78EFB.CD78CAE0]


0.644 points is not sufficient to mark a message as spam using the default 
scoring, and isn't worth hitting the panic button. If it's being marked as 
spam by some recipients, there are other reason(s). Is this analysis the 
only thing you are basing your analysis on?


As Kenneth said, contact Spamhaus regarding why that domain is listed.

In order to offer more advice, we would have to see the results from a 
site that is actually marking such a message as spam (i.e. where it's 
scoring 5 or more points).


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant. -- Jim Bacon
---
 Tomorrow: the 900th anniversary of the muslim Seljuq defeat at Didgori


Re: spamassassin 3.4.5 wide chars

2021-08-11 Thread Bill Cole
On 2021-08-11 at 22:03:24 UTC-0400 (Thu, 12 Aug 2021 04:03:24 +0200)
Benny Pedersen 
is rumored to have said:

> https://bugs.gentoo.org/807781
>
> is it solved in 3.4.6 ?

That's not a SA bug report. It's a Gentoo bug report.

Fix your rules.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Leaning toothpick syndrome (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kevin A. McGrail
As a note, I sometimes make my rules harder to read on purpose to dissuade
bad actors from trying to unwind them.

On Wed, Aug 11, 2021, 11:21 Kenneth Porter  wrote:

> On 8/11/2021 8:05 AM, Kenneth Porter wrote:
> >
> > BTW, does SA permit use of Perl-style regex delimiters to avoid
> > leaning toothpick syndrome?
> >
> > https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome
> >
> Answering my own question, I see it used in this rule:
>
> uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
>
> I see a dozen rules in the latest SA rule update using the m
> scheme to avoid having to escape slashes in a uri. The result is
> significantly more readable.
>
>
>


spamassassin 3.4.5 wide chars

2021-08-11 Thread Benny Pedersen



https://bugs.gentoo.org/807781

is it solved in 3.4.6 ?


Re: Question about whitelisting of naadac.org

2021-08-11 Thread Kenneth Porter
--On Wednesday, August 11, 2021 8:57 PM + Lukasz Maik 
 wrote:



> The company naadac.org is experiencing problems with their e-mails being
> marked as SPAM, when they are putting a link to their domain
> www.naadac.org in the signature of their mails. Is it possible to
> whitelist this domain/link in your SPAM filtering? Results from the
> mail-tester.com tool are available below:


You should copy/paste the text of the report, not a screen capture.

According to the image, your domain and/or its A record are in the SBL 
blocklist. So you need to find out why and go fix that.








Leaning toothpick syndrome (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kenneth Porter

On 8/11/2021 8:05 AM, Kenneth Porter wrote:


> BTW, does SA permit use of Perl-style regex delimiters to avoid
> leaning toothpick syndrome?
>
> https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome


Answering my own question, I see it used in this rule:

uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i


I see a dozen rules in the latest SA rule update using the m 
scheme to avoid having to escape slashes in a uri. The result is 
significantly more readable.





Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Kenneth Porter

On 8/11/2021 7:39 AM, Jared Hall wrote:


> *Maybe* a little more refinement could prevent it picking up .hidden
> folders that have a BAD_TLD name.
>
> /[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i



The CVS/Kodak uri would still fail on this pattern, as the BAD_TLD is 
the extension in the final path component.


My initial idea for fixing this in the negative pattern wouldn't work 
because a spammer could use https://example.badtld/example.badtld to 
sneak through.


Perhaps something like 
"//[^/]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|/)"i 
?


That might also need a matcher on the end for the optional port number.

BTW, does SA permit use of Perl-style regex delimiters to avoid leaning 
toothpick syndrome?


https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome




Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Jared Hall

Kenneth Porter wrote:


> uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i




I have a client whose NVR writes its archived video spools to a .cam 
folder on their server.  Heaven forbid ".well-known" ever becomes a TLD :)


*Maybe* a little more refinement could prevent it picking up .hidden
folders that have a BAD_TLD name.


/[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i 



$0.02,

-- Jared Hall
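
An added example, not part of any post in this thread: it runs the three patterns quoted above against constructed sample URIs to show which false positives each one keeps or removes. It uses Python's `re` rather than SpamAssassin's Perl engine (these patterns behave the same in both); the `host_port` variant and all sample URIs are assumptions made for illustration.

```python
import re

TLDS = r"(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)"

# Patterns as quoted in the thread, plus one labelled variant.
PATTERNS = {
    "original":  re.compile(r"\." + TLDS + r"($|\/)", re.I),
    "refined":   re.compile(r"[A-z0-9]+\." + TLDS + r"(\s|$|\/)", re.I),
    "host_only": re.compile(r"//[^/]+\." + TLDS + r"($|/)", re.I),
    # Assumption: one way to allow the optional port mentioned in the thread.
    "host_port": re.compile(r"//[^/]+\." + TLDS + r"(?::\d+)?($|/)", re.I),
}

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "https://spam.example.top/offer",                # listed TLD in the host
    "https://files.example.com/nvr/.cam/",           # hidden folder named like a TLD
    "https://files.example.com/nvr/_.cam/",          # "_" falls inside the A-z range
    "https://photos.example.com/prints/order.shop",  # TLD-like extension in the path
    "https://example.club/example.club",             # listed TLD in host and path
    "https://spam.example.top:8080/offer",           # listed TLD followed by a port
]

def hits(uri):
    """Return the names of the patterns that match this URI."""
    return [name for name, rx in PATTERNS.items() if rx.search(uri)]

def report():
    """Map every sample URI to the list of patterns that fire on it."""
    return {uri: hits(uri) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, names in report().items():
        print(f"{uri:46} {', '.join(names) or '-'}")
```

Only the host-anchored patterns ignore TLD-like names in the path, and only the port-aware variant fires when a port follows the host.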