Jason Haar wrote:
Hi there
I just got a one-line piece of spam with a ipaddress-based URL.
Probably pointing at some auto infect your Windows PC app.
Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later
it had showed up in several RBLs and the score was pushed up to 4.9.
Am 2008-01-10 08:34:37, schrieb Marc Perkel:
Just a thought. I'm wondering if there are any clues the th received
lines that indicate the MTA that might be used for spam detection, or
rather ham detection. Do spammers ever use Exim, Qmail, Postfix?
- END OF REPLIED
Am 2008-01-10 08:34:37, schrieb Marc Perkel:
Just a thought. I'm wondering if there are any clues the th received
lines that indicate the MTA that might be used for spam detection, or
rather ham detection. Do spammers ever use Exim, Qmail, Postfix?
On 12.01.08 13:28, Michelle Konzack
On Wed, 16 Jan 2008, Matt Kettler wrote:
Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
Matt, yes this is correct, however in this particular case nonspam is
perhaps a bit broad. It's been my experience that these almost always
occur in mass marketing ham, not
The latest variant is gooogle.com, which is a legit alias for Google,
and appears to work with all the regular spammer trick parameters.
I've also seen two more google TLD variants.
- Chip
I'm looking for suggestions as to the best way to do this.
I've a catch-all mail strategy for a domain, and a number of users have
accounts - say - [EMAIL PROTECTED]; [EMAIL PROTECTED] etc. When engaging
with a new contact, or mailing list, a new email address is generated.
For example:
Steve wrote:
I'm looking for suggestions as to the best way to do this.
I've a catch-all mail strategy for a domain, and a number of users
have accounts - say - [EMAIL PROTECTED]; [EMAIL PROTECTED] etc. When
engaging with a new contact, or mailing list, a new email address is
generated.
Matt Kettler wrote:
Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
STATISTICS-set0.txt:OVERALLSPAM% HAM% S/ORANK SCORE
NAME
STATISTICS-set0.txt: 0.395 0.3920 0.40010.495 0.420.10
NORMAL_HTTP_TO_IP
Note the S/O of 0.42 means that 42%
The latest variant is gooogle.com, which is a legit alias for Google,
and appears to work with all the regular spammer trick parameters.
I've also seen two more google TLD variants.
And another variation this morning with 4 slashes instead of 2 between the
domain and 'search'
Cheers,
Mike
Am 2008-01-16 14:47:33, schrieb Matus UHLAR - fantomas:
why do you (not) use SpamAssassin at all?
Because it eat too much memory and procmail is arround 100 times faster?
And since I have to call fetchmail too, spamassassin is integrated in
the procmailrc
Thanks, Greetings and nice Day
Bowie Bailey wrote:
Catch-all setups always have this problem. You could use SA to figure
out which addresses are likely to be valid, but this means that you have
to accept the message and then call SA for EVERY one of these emails.
I'm aware of that... but the benefits outweigh the
Am 2008-01-16 14:47:33, schrieb Matus UHLAR - fantomas:
why do you (not) use SpamAssassin at all?
On 16.01.08 20:08, Michelle Konzack wrote:
Because it eat too much memory and procmail is arround 100 times faster?
so why are you asking procmail question in SA list? :)
Well, many MTA's are
Hi SA experts,
We have procmail filters that see emails before SA. They can:
1. whitelist emails direct to our Inbox,
2. send emails to direct to the bit bucket (/dev/null)
3. send emails to the Junk folder for review, or
4. leave them for processing by SA.
So SA never sees the emails in
Am 2008-01-16 20:16:34, schrieb Matus UHLAR - fantomas:
so why are you asking procmail question in SA list? :)
[X] I have not read the thread and jumped only in.
Thanks, Greetings and nice Day
Michelle Konzack
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
On Wed, 16 Jan 2008 [EMAIL PROTECTED] wrote:
So, all 3 categories include emails that SA has already seen and
presumably included in its Bayesian filters,
Only if you have autolearn enabled. Can we assume that you do from
this question? You didn't explicitly say.
and emails that it has
Valid email addresses have a well-known structure (i.e. [A-z.]*_NAME) so,
for example [EMAIL PROTECTED] is clearly a bogus address.
Off the top of my head you might be able to do something like (untested):
header__GOOD_NAMETo=~
/[A-Za-z]{1,30}_[A-Za-z\d\.]{2,40}\@(?i:domain\.com)/
Matt Kettler wrote:
Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
Chip M. wrote:
Matt, yes this is correct, however in this particular case nonspam is
perhaps a bit broad. It's been my experience that these almost always
occur in mass marketing ham, not
In my (limited) experience, nonspam IP-based URLs almost always have
paths after the IP address, whereas a *lot* of spam just points to the
IP address.
Does this match anyone else's experience?
I've never run a masscheck to see, it would be interesting. Trying to think
about what I've seen
Thanks guys,
Problem solved now, It was a program called watchdog in Plesk which was
the problem. Somehow it is not detecting the status of process and is
starting the process again and again.
Jai
On Jan 14, 2008 11:38 PM, Mike Jackson [EMAIL PROTECTED] wrote:
My server has 8GB of ram,
19 matches
Mail list logo