Re: Chickenpoxed subjects

2011-10-18 Thread Mynabbler
Adam Katz wrote: On Mon, 17 Oct 2011, Adam Katz wrote: Time for F-U-N I like DD and rockroll /var/spool/mail is full ... those examples don't get a hit with the rule I cooked up (since it needs three different odd characters), and besides, an MN_PUNCTUATION hits only scores in meta

RE: Why doesn't anything at all get these botnet spammers?

2011-10-18 Thread Jenny Lee
Date: Mon, 17 Oct 2011 19:10:28 -0400 From: dar...@chaosreigns.com To: users@spamassassin.apache.org Subject: Re: Why doesn't anything at all get these botnet spammers? On 10/15, Jenny Lee wrote: fwoicka odrp jbguybf etvwmbwm i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl

Re: SPOOFED_URL Re: antiphishing

2011-10-18 Thread Matus UHLAR - fantomas
On 14.10.11 18:07, dar...@chaosreigns.com wrote: Existing rule: rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^'\# ]{8,29}[^'\# :\/?=])[^>]{0,2048}>(?:[^<]{0,1024}(?!<\/a>)<[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w]{1,3}[^<]{5}/i How about this, to only check for a changed

URIBL lookup count

2011-10-18 Thread Martin Gregorie
I've just been thinking about URIBL lookups, etc and realising that I don't know how many of these an SA configuration does or how to estimate it. Is it correct to assume that every configured URIBL is sent a single lookup request for every message that SA scans? Martin

Bayes Poisoning

2011-10-18 Thread Daniel McDonald
One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Maybe something like rawbody OBFU_HTML_LONG_COMMENT /<!--.{1024,}?-->/ describe

Re: Chickenpoxed subjects

2011-10-18 Thread RW
On Tue, 18 Oct 2011 01:21:36 -0700 (PDT) Mynabbler wrote: Adam Katz wrote: On Mon, 17 Oct 2011, Adam Katz wrote: Time for F-U-N I like DD and rockroll /var/spool/mail is full ... those examples don't get a hit with the rule I cooked up (since it needs three different odd

Re: Bayes Poisoning

2011-10-18 Thread Bowie Bailey
On 10/18/2011 8:53 AM, Daniel McDonald wrote: One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Maybe something like Rawbody

Re: Bayes Poisoning

2011-10-18 Thread Joseph Brennan
Daniel McDonald dan.mcdon...@austinenergy.com wrote: rawbody OBFU_HTML_LONG_COMMENT /<!--.{1024,}?-->/ describe OBFU_HTML_LONG_COMMENT contains a ridiculously long html comment Tried with exactly that limit, 1 kb. TargetX, which is used by universities in recruiting, uses a long comment in

Re: SPOOFED_URL Re: antiphishing

2011-10-18 Thread darxus
=20111018-r1185533-nrule=%2Fspoofed_url
MSECS SPAM% HAM% S/O RANK SCORE NAME WHO/AGE
0 1.6825 1.0301 0.620 0.55 0.01 T_SPOOFED_URL
0 1.2441 0.9989 0.555 0.53 0.01 T_SPOOFED_URL_HOST
0 2.1419 7.9151 0.213 0.42 (n

Re: Rule to count freemail recipients?

2011-10-18 Thread Adam Katz
On 10/17/2011 08:42 PM, Tom wrote: I'm using a couple rules I found here that hits when there are 5-9 or 10+ recipients: header __COUNT_RCPTS ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/ tflags __COUNT_RCPTS multiple meta RCPTS_5_10 (__COUNT_RCPTS >= 5) score RCPTS_5_10 1.0 describe RCPTS_5_10

Re: Bayes Poisoning

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Hmm, wait -- Bayes and HTML

Re: URIBL lookup count

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 12:51 +0100, Martin Gregorie wrote: I've just been thinking about URIBL lookups, etc and realising that I don't know how many of these an SA configuration does or how to estimate it. Is it correct to assume that every configured URIBL is sent a single lookup request

Re: Bayes Poisoning

2011-10-18 Thread Daniel McDonald
On 10/18/11 12:12 PM, Karsten Bräckelmann guent...@rudersport.de wrote: On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find

Re: Chickenpoxed subjects

2011-10-18 Thread Mynabbler
RW-15 wrote: It would hit: Re: Did you pick-up the dry-cleaning? Nope. Scores just two (one ':' and a '?') and the rule needs three different odd characters. RW-15 wrote: I think it needs more work, maybe combine it with tests for lots of very short words or adjacent punctuation

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Mon, 2011-10-17 at 18:03 -0400, dar...@chaosreigns.com wrote: http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html Basically, free use only allows 100,000 queries per organization per day. If you're handling more than 100,000 emails a day,

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote: Basically, free use only allows 100,000 queries per organization per day. If you're handling more than 100,000 emails a day, That's a theoretical lower bound, and incorrect in real life. The DNS TTL appears to be 12 hours, and

Re: One-line URI body spam

2011-10-18 Thread David B Funk
On Tue, 18 Oct 2011, Alex wrote: Hi, I'm having difficulty with figuring out how to tag spam where the body is only one line with a URL in it. Here is an example: http://pastebin.com/Y9mX1DRV It would be more helpful if you provided several examples.  It would be easy enough to write a

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote: The DNS TTL appears to be 12 hours, and a good share of mail (definitely true for ham, only partly for spam) is received from a rather limited number of distinct SMTP servers, only. With a local, caching DNS server the number of

Re: One-line URI body spam

2011-10-18 Thread Noel Butler
On Tue, 2011-10-18 at 17:27 -0500, David B Funk wrote: So if you black-list those hosts you are generating FPs on any legit mails that link to those sites. Would you black-list google.com because somebody puts 'phish' forms in a google-docs spread-sheet and then Absolutely yes, size

Re: URIBL lookup count

2011-10-18 Thread Martin Gregorie
On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote: On Tue, 2011-10-18 at 12:51 +0100, Martin Gregorie wrote: I've just been thinking about URIBL lookups, etc and realising that I don't know how many of these an SA configuration does or how to estimate it. Is it correct to

Re: URIBL lookup count

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 23:52 +0100, Martin Gregorie wrote: On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote: [...] there is one DNS lookup per URI and DNSBL -- e.g. SURBL (multiple lists) or URIBL (multiple listings). OK, so the answer is not straightforward: thanks for

Re: URIBL lookup count

2011-10-18 Thread Karsten Bräckelmann
On Wed, 2011-10-19 at 01:29 +0200, Karsten Bräckelmann wrote: On Tue, 2011-10-18 at 23:52 +0100, Martin Gregorie wrote: On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote: wonder if it would be useful for SA to log the number of BL lookups it does: as it need only involve of

Re: One-line URI body spam

2011-10-18 Thread Walter Hurry
On Tue, 18 Oct 2011 17:27:17 -0500, David B Funk wrote: Would you black-list google.com Yes, happily.

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread David F. Skoll
On Tue, 18 Oct 2011 23:55:41 +0200 Karsten Bräckelmann guent...@rudersport.de wrote: The DNS TTL appears to be 12 hours, and a good share of mail (definitely true for ham, only partly for spam) is received from a rather limited number of distinct SMTP servers, only. With a local, caching DNS

Re: URIBL lookup count

2011-10-18 Thread Martin Gregorie
On Wed, 2011-10-19 at 01:29 +0200, Karsten Bräckelmann wrote: Keep in mind, the actual number of queries isn't relevant unless you're at least in the general ball-park of 100,000 messages a day. Indeed: I'm not remotely near that. It was just an idea that I thought might be useful provided it

Re: One-line URI body spam

2011-10-18 Thread Alex
Hi, I'm having difficulty with figuring out how to tag spam where the body is only one line with a URL in it. Here is an example: http://pastebin.com/Y9mX1DRV It would be more helpful if you provided several examples.  It would be easy enough to write a rule that matched just this example.

Re: Chickenpoxed subjects

2011-10-18 Thread RW
On Tue, 18 Oct 2011 13:07:21 -0700 (PDT) Mynabbler wrote: RW-15 wrote: It would hit: Re: Did you pick-up the dry-cleaning? Nope. Scores just two (one ':' and a '?') and the rule needs three different odd characters. OK the font I'm using makes ~ look very like a -, but the point

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 20:24 -0400, David F. Skoll wrote: On Tue, 18 Oct 2011 23:55:41 +0200, Karsten Bräckelmann wrote: The DNS TTL appears to be 12 hours, and a good share of mail (definitely true for ham, only partly for spam) is received from a rather limited number of distinct SMTP

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread David F. Skoll
On Wed, 19 Oct 2011 03:12:34 +0200 Karsten Bräckelmann guent...@rudersport.de wrote: That's true, though caching is much less effective than you may suppose. In real-life measurements on real mail servers, I found a very low cache hit rate for common DNS{B,W}Ls, on the order of only

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Karsten Bräckelmann
On Tue, 2011-10-18 at 21:55 -0400, David F. Skoll wrote: On Wed, 19 Oct 2011 03:12:34 +0200, Karsten Bräckelmann wrote: That's true, though caching is much less effective than you may suppose. In real-life measurements on real mail servers, I found a very low cache hit rate for common

Re: DNSWL.org enforcement of free usage limits

2011-10-18 Thread Benny Pedersen
On Tue, 18 Oct 2011 21:55:11 -0400, David F. Skoll wrote: X-CanIt-Geo: No geolocation information available for 192.168.10.23 bill me for that one :-) My original measurements and script are here: http://article.gmane.org/gmane.mail.spam.spamassassin.general/132047/match=cache bind can