Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Amir Caspi
On Mar 5, 2018, at 11:13 PM, John Hardin wrote: > > *before* the @ sign. > > It may be perfectly valid to do that, but if it happens more often in spam > than in legitimate mail it is useful to us. I’m seeing a lot of spam lately with usernames like

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread John Hardin
On Tue, 6 Mar 2018, Benny Pedersen wrote: Pedro David Marco wrote on 2018-03-06 06:22: header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/ Sorry for spoiling the party, David, but I have seen many valid email addresses with two dots inside. users@spamassassin.apache.org :-)

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Bill Cole
On 5 Mar 2018, at 15:14, David Jones wrote: FYI This could be something for KAM.cf potentially... I have seen a few of these this morning that would be scoring just under the default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold. https://pastebin.com/r2eZJaef I am

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Benny Pedersen
Pedro David Marco wrote on 2018-03-06 06:22: header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/ Sorry for spoiling the party, David, but I have seen many valid email addresses with two dots inside. users@spamassassin.apache.org :-)

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Pedro David Marco
>header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/ Sorry for spoiling the party, David, but I have seen many valid email addresses with two dots inside. PedroD

Re: IADB whitelist - again

2018-03-05 Thread Dave Warren
On 2018-03-04 05:46, David Jones wrote: That's great.  It means you know what you are doing when you change the default threshold to less than 5.0.  In that case you need to change a lot of other scores down too including RCVD_IN_IADB_* and the KAM.cf rules probably score way too high for you

DecodeShortURLs database breaks with setuid spamd

2018-03-05 Thread Amir Caspi
Hi all, Just FYI, for those of you who use DecodeShortURLs.pm ... it appears that, if you are running in a per-user setup (i.e., running spamd as root such that it does a setuid when invoked from spamc, and/or allowing individual users to run spamassassin), then the short-URL cache

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: Hi, On Mon, Mar 5, 2018 at 5:59 PM, John Hardin wrote: On Mon, 5 Mar 2018, Alex wrote: To: =?utf-8?Q?DermotO=27reilly?= * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe 2.6 points for this is

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones
On 03/05/2018 05:46 PM, Alex wrote: Hi, On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote: FYI This could be something for KAM.cf potentially... I have seen a few of these this morning that would be scoring just under the default SA threshold of 5.0 and are just under my

Re: APOSTROPHE_TOCC score

2018-03-05 Thread Alex
Hi, On Mon, Mar 5, 2018 at 5:59 PM, John Hardin wrote: > On Mon, 5 Mar 2018, Alex wrote: > >> To: =?utf-8?Q?DermotO=27reilly?= >> * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe >> >> 2.6 points for this is just unreasonable. This

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Alex
Hi, On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote: > FYI This could be something for KAM.cf potentially... > > I have seen a few of these this morning that would be scoring just under the > default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold. > >

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: To: =?utf-8?Q?DermotO=27reilly?= * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe 2.6 points for this is just unreasonable. This was a completely legitimate email. Is such an address even deliverable? -- John Hardin

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread RW
On Mon, 5 Mar 2018 14:39:54 -0600 David Jones wrote: > On 03/05/2018 02:14 PM, David Jones wrote: > > FYI  This could be something for KAM.cf potentially... > > > > I have seen a few of these this morning that would be scoring just > > under the default SA threshold of 5.0 and are just under my

Re: APOSTROPHE_TOCC score

2018-03-05 Thread RW
On Mon, 5 Mar 2018 16:28:33 -0600 David Jones wrote: > On 03/05/2018 04:20 PM, John Hardin wrote: > > On Mon, 5 Mar 2018, Alex wrote: > > > >> 2.6 points for this is just unreasonable. This was a completely > >> legitimate email. > > > > What is the S/O in masscheck? > > > >

Re: APOSTROPHE_TOCC score

2018-03-05 Thread David Jones
On 03/05/2018 04:20 PM, John Hardin wrote: On Mon, 5 Mar 2018, Alex wrote: 2.6 points for this is just unreasonable. This was a completely legitimate email. What is the S/O in masscheck? http://ruleqa.spamassassin.org/20180304-r1825801-n/APOSTROPHE_TOCC/detail It's a high S/O in the

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: 2.6 points for this is just unreasonable. This was a completely legitimate email. What is the S/O in masscheck? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Benny Pedersen
David Jones wrote on 2018-03-05 21:39: https://pastebin.com/YMx8V1J7 They have some bayes-busting text in there. Maybe the URIBLs (IVM) will catch up to these and block them soon. SPF_HELO_PASS && SPF_PASS && !DMARC_PASS not spam ? note dmarc pass can be done with a spf pass

Re: APOSTROPHE_TOCC score

2018-03-05 Thread Alex
Hi, On Mon, Mar 5, 2018 at 4:48 PM, RW wrote: > On Mon, 5 Mar 2018 16:23:31 -0500 > Alex wrote: > >> Hi, >> >> I just received a false-positive because of the following address: >> >> To: "'i...@example.se'" >> >> Apparently the apostrophe is enough

Re: APOSTROPHE_TOCC score

2018-03-05 Thread RW
On Mon, 5 Mar 2018 16:23:31 -0500 Alex wrote: > Hi, > > I just received a false-positive because of the following address: > > To: "'i...@example.se'" > > Apparently the apostrophe is enough to warrant 2.5 points alone? Is > this intended to catch addresses like

APOSTROPHE_TOCC score

2018-03-05 Thread Alex
Hi, I just received a false-positive because of the following address: To: "'i...@example.se'" Apparently the apostrophe is enough to warrant 2.5 points alone? Is this intended to catch addresses like tom.o'rei...@example.com or more like my example above? That seems like an

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones
On 03/05/2018 02:14 PM, David Jones wrote: FYI  This could be something for KAM.cf potentially... I have seen a few of these this morning that would be scoring just under the default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold. https://pastebin.com/r2eZJaef I am

Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones
FYI This could be something for KAM.cf potentially... I have seen a few of these this morning that would be scoring just under the default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold. https://pastebin.com/r2eZJaef I am reporting these to Spamcop but new waves of

Re: IADB whitelist - again

2018-03-05 Thread Luis E. Muñoz
On 3 Mar 2018, at 3:54, Noel Butler wrote: On 03/03/2018 11:40, John Hardin wrote: On Sat, 3 Mar 2018, Noel Butler wrote: On 03/03/2018 04:40, John Hardin wrote: On Fri, 2 Mar 2018, Sebastian Arcus wrote: -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record [199.127.240.84

Re: Portable Executables that end in .gif/.jpg

2018-03-05 Thread Leandro
2018-03-05 11:12 GMT-03:00 Pedro David Marco : > >Hiding an executable with a .jpg extension doesn't sound like a very > >useful technique. The user would have to save the file, edit the file > >name and then run it. > > I have seen spam with instructions like this... and

Re: Portable Executables that end in .gif/.jpg

2018-03-05 Thread David Jones
On 03/05/2018 08:00 AM, RW wrote: On Sat, 3 Mar 2018 21:21:49 -0500 Alex wrote: Hi, I'm curious what people use to avoid malware executable being bypassed because their extensions are typically associated with file types that are not normally executable?

Re: Portable Executables that end in .gif/.jpg

2018-03-05 Thread Pedro David Marco
>Hiding an executable with a .jpg extension doesn't sound like a very >useful technique. The user would have to save the file, edit the file >name and then run it. I have seen spam with instructions like this...  and you can bet some user will follow them!  

Re: Portable Executables that end in .gif/.jpg

2018-03-05 Thread RW
On Sat, 3 Mar 2018 21:21:49 -0500 Alex wrote: > Hi, > > I'm curious what people use to avoid malware executable being bypassed > because their extensions are typically associated with file types that > are not normally executable? > > https://twitter.com/jepayneMSFT/status/969742842410094593 >