On Mar 5, 2018, at 11:13 PM, John Hardin wrote:
>
> *before* the @ sign.
>
> It may be perfectly valid to do that, but if it happens more often in spam
> than in legitimate mail it is useful to us.
I’m seeing a lot of spam lately with usernames like
On Tue, 6 Mar 2018, Benny Pedersen wrote:
Pedro David Marco skrev den 2018-03-06 06:22:
header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
Sorry for spoiling the party, David, but i have seen many valid email
addresses with two dots inside.
users@spamassassin.apache.org
:-)
On 5 Mar 2018, at 15:14, David Jones wrote:
FYI This could be something for KAM.cf potentially...
I have seen a few of these this morning that would be scoring just
under the default SA threshold of 5.0 and are just under my
MailScanner 6.0 threshold.
https://pastebin.com/r2eZJaef
I am
Pedro David Marco skrev den 2018-03-06 06:22:
header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
Sorry for spoiling the party, David, but i have seen many valid email
addresses with two dots inside.
users@spamassassin.apache.org
:-)
>header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
Sorry for spoiling the party, David, but i have seen many valid email addresses
with two dots inside.
PedroD
On 2018-03-04 05:46, David Jones wrote:
That's great. It means you know what you are doing when you change the
default threshold to less than 5.0. In that case you need to change a
lot of other scores down too including RCVD_IN_IADB_* and the KAM.cf
rules probably score way too high for you
Hi all,
Just FYI, for those of you who use DecodeShortURLs.pm ... it appears
that, if you are running in a per-user setup (i.e., running spamd as root such
that it does a setuid when invoked from spamc, and/or allowing
individual users to run spamassassin), then the short-URL cache
On Mon, 5 Mar 2018, Alex wrote:
Hi,
On Mon, Mar 5, 2018 at 5:59 PM, John Hardin wrote:
On Mon, 5 Mar 2018, Alex wrote:
To: =?utf-8?Q?DermotO=27reilly?=
* 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe
2.6 points for this is
On 03/05/2018 05:46 PM, Alex wrote:
Hi,
On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote:
FYI This could be something for KAM.cf potentially...
I have seen a few of these this morning that would be scoring just under the
default SA threshold of 5.0 and are just under my
Hi,
On Mon, Mar 5, 2018 at 5:59 PM, John Hardin wrote:
> On Mon, 5 Mar 2018, Alex wrote:
>
>> To: =?utf-8?Q?DermotO=27reilly?=
>> * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe
>>
>> 2.6 points for this is just unreasonable. This
Hi,
On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote:
> FYI This could be something for KAM.cf potentially...
>
> I have seen a few of these this morning that would be scoring just under the
> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>
>
On Mon, 5 Mar 2018, Alex wrote:
To: =?utf-8?Q?DermotO=27reilly?=
* 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe
2.6 points for this is just unreasonable. This was a completely
legitimate email.
Is such an address even deliverable?
--
John Hardin
On Mon, 5 Mar 2018 14:39:54 -0600
David Jones wrote:
> On 03/05/2018 02:14 PM, David Jones wrote:
> > FYI This could be something for KAM.cf potentially...
> >
> > I have seen a few of these this morning that would be scoring just
> > under the default SA threshold of 5.0 and are just under my
On Mon, 5 Mar 2018 16:28:33 -0600
David Jones wrote:
> On 03/05/2018 04:20 PM, John Hardin wrote:
> > On Mon, 5 Mar 2018, Alex wrote:
> >
> >> 2.6 points for this is just unreasonable. This was a completely
> >> legitimate email.
> >
> > What is the S/O in masscheck?
> >
>
>
On 03/05/2018 04:20 PM, John Hardin wrote:
On Mon, 5 Mar 2018, Alex wrote:
2.6 points for this is just unreasonable. This was a completely
legitimate email.
What is the S/O in masscheck?
http://ruleqa.spamassassin.org/20180304-r1825801-n/APOSTROPHE_TOCC/detail
It's a high S/O in the
On Mon, 5 Mar 2018, Alex wrote:
2.6 points for this is just unreasonable. This was a completely
legitimate email.
What is the S/O in masscheck?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
David Jones skrev den 2018-03-05 21:39:
https://pastebin.com/YMx8V1J7
They have some bayes-busting text in there. Maybe the URIBLs (IVM)
will catch up to these and block them soon.
SPF_HELO_PASS && SPF_PASS && !DMARC_PASS
not spam ?
note dmarc pass can be done with a spf pass
Hi,
On Mon, Mar 5, 2018 at 4:48 PM, RW wrote:
> On Mon, 5 Mar 2018 16:23:31 -0500
> Alex wrote:
>
>> Hi,
>>
>> I just received a false-positive because of the following address:
>>
>> To: "'i...@example.se'"
>>
>> Apparently the apostrophe is enough
On Mon, 5 Mar 2018 16:23:31 -0500
Alex wrote:
> Hi,
>
> I just received a false-positive because of the following address:
>
> To: "'i...@example.se'"
>
> Apparently the apostrophe is enough to warrant 2.5 points alone? Is
> this intended to catch addresses like
Hi,
I just received a false-positive because of the following address:
To: "'i...@example.se'"
Apparently the apostrophe is enough to warrant 2.5 points alone? Is
this intended to catch addresses like tom.o'rei...@example.com or more
like my example above?
That seems like an
On 03/05/2018 02:14 PM, David Jones wrote:
FYI This could be something for KAM.cf potentially...
I have seen a few of these this morning that would be scoring just under
the default SA threshold of 5.0 and are just under my MailScanner 6.0
threshold.
https://pastebin.com/r2eZJaef
I am
FYI This could be something for KAM.cf potentially...
I have seen a few of these this morning that would be scoring just under
the default SA threshold of 5.0 and are just under my MailScanner 6.0
threshold.
https://pastebin.com/r2eZJaef
I am reporting these to Spamcop but new waves of
On 3 Mar 2018, at 3:54, Noel Butler wrote:
On 03/03/2018 11:40, John Hardin wrote:
On Sat, 3 Mar 2018, Noel Butler wrote:
On 03/03/2018 04:40, John Hardin wrote:
On Fri, 2 Mar 2018, Sebastian Arcus wrote:
-0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
[199.127.240.84
2018-03-05 11:12 GMT-03:00 Pedro David Marco :
> >Hiding an executable with a .jpg extension doesn't sound like a very
> >useful technique. The user would have to save the file, edit the file
> >name and then run it.
>
> I have seen spam with instructions like this... and
On 03/05/2018 08:00 AM, RW wrote:
On Sat, 3 Mar 2018 21:21:49 -0500
Alex wrote:
Hi,
I'm curious what people use to avoid malware executable being bypassed
because their extensions are typically associated with file types that
are not normally executable?
>Hiding an executable with a .jpg extension doesn't sound like a very
>useful technique. The user would have to save the file, edit the file
>name and then run it.
I have seen spam with instructions like this... and you can bet some user will
follow them!
On Sat, 3 Mar 2018 21:21:49 -0500
Alex wrote:
> Hi,
>
> I'm curious what people use to avoid malware executable being bypassed
> because their extensions are typically associated with file types that
> are not normally executable?
>
> https://twitter.com/jepayneMSFT/status/969742842410094593
>
27 matches
Mail list logo