Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

I don't have the specifics at hand but I created a rule that places a heavy score (like 2.0) on anything that matches existing sex and bitcoin rules. These messages usually match a bunch of other signals and that rule pushes the score over my delete-on-sight threshold (8.0). On 2023-11-10

Re: FP on KAM_SOMETLD_ARE_BAD_TLD

On 2023-04-12 20:42, Greg Troxel wrote: Alan writes: A lovely message from a reputable sender with a penchant for fancy email formatting has CSS rules expressed in JSON, presumably so it can adjust for the mail client or some such. A segment contains the text: "items":[{"ty

FP on KAM_SOMETLD_ARE_BAD_TLD

A lovely message from a reputable sender with a penchant for fancy email formatting has CSS rules expressed in JSON, presumably so it can adjust for the mail client or some such. A segment contains the text: "items":[{"type":"Input.Date","id":"date"}]} The KAM_SOMETLD_ARE_BAD_TLD rule is

Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote: > How do I stop this?  paypal.com is in the default DKIM whitelist! > That message really looks like it came from Paypal and then was forwarded by Microsoft to your server. Was it really a fake? That's a lot of headers to fake if so. If it

Re: DMARC fails for valid record?

On Mon, 2022-05-09 at 14:35 -0400, Alex wrote: > Hi, > > I'm trying to understand why this email from a bank fails DMARC > when mxlookup says the DMARC record is just fine. > > https://pastebin.com/0T4Gjn3v > >  *  1.8 DMARC_REJECT DMARC reject policy >  *  6.0 KAM_DMARC_REJECT DKIM has Failed

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

FWIW at least I've found them to be responsive to abuse reports, unlike Amazon SES. On 2022-03-04 08:01, Marc wrote: Is anyone blocking already connections from outbound-mail.sendgrid.net? Does that generate a lot of false positives? PS. just posting this so it is on web archives and people

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

On Fri, 2022-03-04 at 13:01 +, Marc wrote: > Is anyone blocking already connections from outbound- > mail.sendgrid.net? Does that generate a lot of false positives? > PS. just posting this so it is on web archives and people searching > for sendgrid hopefully chose a better service. >

False "bad domain" positive

Here's a lovely edge case... I've got someone who posted text from MS Office into an email (wish I could ban that). The text contained a numbered list. The fourth list item started with "Date & Time". The 4 and following period were in a span element with a margin to separate it from the text

Re: Do these domains merit blocking?

On Wed, 2021-12-15 at 10:55 -0800, Alan Hodgson wrote: > > I got a couple to an actual human who answered > ab...@princeton.edu. I can forward them privately. Let me rephrase that; I complained to ab...@princeton.edu and actually heard back from a human, to whom I have since se

Re: Do these domains merit blocking?

On Wed, 2021-12-15 at 13:24 -0500, Charles Sprickman wrote: > Does anyone have a sample of one of their emails? > > I’m composing a brief nastygram and would like to get my eyes on > one before finishing up. > I got a couple to an actual human who answered ab...@princeton.edu. I can forward

Re: Do these domains merit blocking?

On Wed, 2021-12-15 at 11:39 -0500, Bill Cole wrote: > > A customer has expressed mild dismay at the concept that a fine > research institution should be "punished for doing research." I'm > less attached to Princeton than my NJ-based customer and (having > worked in a NIH-funded lab) less

Re: Fw: spam from gmail.com

This is why I flood their abuse box with reports: problem comes back. Eventually some brain cell will realize that it's not doing much for their brand. Moments later it will become an Important Issue, because brand is everything these days. On 2021-11-09 08:49, Jared Hall wrote: On 11/8/2021

Re: Fw: spam from gmail.com

A real spike lately, too. Send messages with full headers to ab...@gmail.com. It might be a bit bucket since I've never heard anything back, but it can't hurt. On 2021-11-08 13:27, Rupert Gallagher wrote: Spammers are using gmail.com. Congratulations to Google for their fine work...

Re: Does anyone know what generates these email headers?

The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are: - A contact form with poor security and the option to send a copy to the "commenter". Hackers find these and flood them. - A completely compromised

Re: Score for certain spam

On 2021-08-17 18:53, Greg Troxel wrote: Alan <> writes: I manage email for a couple of hundred domains, so a fair bit of stuff that arrives to my inbox are spam complaints (they're supposed to open tickets or use the support mailbox but... users). I flag anything over 5.0 a

Re: Score for certain spam

I manage email for a couple of hundred domains, so a fair bit of stuff that arrives to my inbox are spam complaints (they're supposed to open tickets or use the support mailbox but... users). I flag anything over 5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to the bit

Re: Lint failing

ot;Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 1489. ) channel: lint check of update failed, channel failed Update failed, exiting with code 4 -Alan On 7/29/2021 1:36 PM, Kevin A. McGrail wrote: Fixes are likely done and just waiting on masscheck, etc. to publish rules.  If it isn'

Re: Lint failing

Thanks.  For me, there's no update package for my distribution. And still working on general upgrade testing here. -Alan On 7/29/2021 1:36 PM, Kevin A. McGrail wrote: Fixes are likely done and just waiting on masscheck, etc. to publish rules.  If it isn't fixed by Monday, please let us know

Lint failing

Starting yesterday, my SA 3.3.1 running on CentOS started throwing lint errors, as below.  Is there a fix for this? Thanks in advance. -Alan $ sudo /usr/bin/sa-update -vvv Update available for channel updates.spamassassin.org rules: failed to run URI_HOST_IN_BLOCKLIST test, skipping

Discord used to share malware

Not sure if this is news or not but it's the first time I've seen this. I got a fake "here's the invoice" message with a link to a Excel Macro file from https://cdn.discordapp.com/attachments/{redacted}.xlsm This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only trigger of

Re: Maybe it's time to revive EvilNumbers?

On 2021-06-15 19:44, Loren Wilton wrote: My site is getting a lot of spam that is getting past spamassassin. Because it has a hone number to call, and rather than a link to login using username and password. Mostly fake amazon purchases.   They are getting past a lot of URL block lists because

Re: KAM_SENDGRID and SPF_HELO_NONE

On Thu, 2021-05-20 at 16:12 -0400, Alex wrote: > > X-Envelope-From: >     > > > Perhaps it's because Return-Path is null? > Return-Path: <> Return-Path is supposed to be where your MTA stores the envelope sender. That it doesn't match is probably a problem. And yes, SPF falls back to

Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

On 2021-04-26 10:07, Bill Cole wrote: [...] It is probably worth digging into the cPanel exim.conf editor (I don't recall what they call it, but it's there somewhere at the WHM level...) to kill the header. You may want to look through the deployed exim.conf to make sure that it's not

Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

On 2021-04-25 19:31, Bill Cole wrote: On 25 Apr 2021, at 18:40, Alan wrote: We run cPanel servers and scan every outbound message with SA in order to reduce the amount of garbage that comes through website contact forms. That's good. However, in a default cPanel configuration

Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

We run cPanel servers and scan every outbound message with SA in order to reduce the amount of garbage that comes through website contact forms. However, in a default cPanel configuration, HAS_X_OUTGOING_SPAM_STAT scores a whopping 2.3. I'm not sure what the distribution default is but that's

Re: Are X-MC-xxx headers legit?

On 2021-03-29 12:11, John Hardin wrote: On Mon, 29 Mar 2021, Loren Wilton wrote: I'd call these headers a great spam sign. Depending on their rarity... :) Occasionally spammers will screw up and leave template replacement tokens in their message bodies. Great spam sign, too rare to be

Re: Rules for a recent flood of BTC/webcam spam

On 2021-02-25 10:54, John Hardin wrote: On Thu, 25 Feb 2021, RW wrote: On Wed, 24 Feb 2021 18:37:42 -0800 (PST) John Hardin wrote: On Wed, 24 Feb 2021, Alan wrote: After a little more research, a better regex for an obfuscated BTC address is /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32

Re: Rules for a recent flood of BTC/webcam spam

On 2021-02-24 17:52, I wrote: I've seen a recent flood of "I hacked your camera and caught you doing stuff" emails. I doubt they'll continue for a long time, but I made some rules to target them. Find them here https://pastebin.com/B5Q6emBU -- For SpamAsassin Users List After a little more

Rules for a recent flood of BTC/webcam spam

I've seen a recent flood of "I hacked your camera and caught you doing stuff" emails. I doubt they'll continue for a long time, but I made some rules to target them. Find them here https://pastebin.com/B5Q6emBU -- For SpamAsassin Users List

Re: PDS_URISHORTENER or __KAM_SHORT

On 2021-02-01 08:36, RW wrote: On Mon, 1 Feb 2021 13:23:58 + RW wrote: On Mon, 1 Feb 2021 00:28:12 -0500 Alan wrote: I'm working on a rule to up the spam score for messages that contain a large number (>=30) of Mailchimp CSS declarations and a link shortener, since all links in someth

PDS_URISHORTENER or __KAM_SHORT

I'm working on a rule to up the spam score for messages that contain a large number (>=30) of Mailchimp CSS declarations and a link shortener, since all links in something actually sent through Mailchimp are forced through their click tracking, this is turning out to be a decent indicator. In

Re: UNSUBSCRIBE

On 2020-12-23 16:33, Antony Stone wrote: On Wednesday 23 December 2020 at 22:29:50, Alan wrote: On 2020-12-23 16:22, Richard Ozer wrote: To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org <mailto:users-unsubscr...@netbeans.apache.org> For additional commands, e-mail: u

Re: UNSUBSCRIBE

On 2020-12-23 16:22, Richard Ozer wrote: To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional commands, e-mail: users-h...@netbeans.apache.org -- For SpamAsassin Users List

Re: A few noob questions

On 2020-12-20 21:11, John Hardin wrote: On Sun, 20 Dec 2020, Alan wrote: n.b.: you're not subscribed to the list from netbeans.5zc...@ambitonline.com but I pushed it through moderation. If you're going to post regularly from that address you should register it as an alternate. Oh nuts. I

Re: A few noob questions

Many thanks for your help. On 2020-12-20 15:26, John Hardin wrote: On Sat, 19 Dec 2020, Alan wrote: The reason for asking is that I want to use SpamAssassin to flag some things that are suspicious but only when other conditions are met for specific users. I'd like to have SA insert the rule

Re: A few noob questions

Thanks Bill. I know very little about Perl, so while I saw the reference to Mail::SpamAssassin::Conf without the "perldoc" in front of it, I had no clue what to do with that information. On 2020-12-20 00:18, Bill Cole wrote: On 19 Dec 2020, at 23:39, Alan wrote: Please

A few noob questions

Please forgive me if these are easy/common questions. I have done some searching and haven't found any clear answers. I'm running SpamAssassin 3.4.4 in a cPanel environment. 1. What is the smallest increment for a rule score? I see some indications that it's 0.1, others seem to say it is

Re: to: header is not in my domain

On Tue, 2020-10-20 at 20:38 +0100, Miki wrote: > Thanks for quick reply, but blacklist what? > The problem is I do not know this spammy domains. > I want to give a score when To: field is NOT in anyaddr...@mydomain.com Not tested, but something like this should work: header __LOCAL_TO_ME To =~

Re: SpamAssassin DKIM with Virtual Hosting

> > > Or is there some criteria to determine which domain name > > should have the DKIM signature? Is there a penalty score if one or > > the other is missing? > > It's doesn't make much difference, unless there's a whitelist involved. If you publish a DMARC record, DMARC requires that the

Re: 1.6 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla

On Wed, 2020-09-23 at 14:46 -0500, Jerry Malcolm wrote: > On 9/23/2020 2:33 PM, iulian stan wrote: > > Most of the time the IPs from AWS are already blacklisted and you > > cannot do anything. > > I'm curious why such a blanket statement. Why does AWS have such a bad > reputation? With

Re: base64 encoded subjects

On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote: > I'm seeing a lot of spam with base64 encoded subjects: > > Subject: > =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?= > > Subject:

Re: help with simple test?

On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote: > I'm hoping this is a relatively simple test... > I'm seeing emails "From Me, To Me", typically extortion types. I'm not > even seeing which of the SA tests are getting hit, because I have my > own email in my Whitelist. > Is there a way I can

Re: Custom rule to please the Mayor

On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote: > Good day, > I know I will incur some wrath for this but I have the Mayor breathing > down my neck. We stop nearly all spam now, but some does get through. > Mostly it has been mail from gmail and outlook servers that pass DKIM > and SPF. >

Re: Spamassassin using remote rules definition source?

On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote: > I simply need to write custom rules to block certain mails, domain names. Do > I have to learn programming language for this? Is not it easy like create a > conf file and let Sa update rules from that source remotely via http? > > cron +

Re: SpamSender with 2 @-signs in the address

On Wed, 2018-12-05 at 00:17 +, David Jones wrote: > I think he meant that DKIM related to DMARC means the DKIM signature has > to align/match the From: header domain to pass which is DKIM_VALID_AU in SA. > > In the case of SPF, DMARC will pass if the envelope-from domain check > hits

Re: SpamSender with 2 @-signs in the address

On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote: > Yeah, I see all these same things. Better to test against From:addr > rather than the full From: Perhaps something like: > > From:addr =~ /\@[^\s]+\@/ > > Of course, there might still be legit cases of that kind of usage. > The

Re: SpamSender with 2 @-signs in the address

On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote: > I don't think the multiple @ signs have worked in a very long time. So > I see no reason not to add score based on multiple @ signs. Or if there > is a legitimate use for it, it should be extremely rare and the false > positive rate

Re: spoofing mail

On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote: > El mar., 27 nov. 2018 a las 11:14, Alan Hodgson > () escribió: > > > Wow, that's hard to read. > > > > It was close to being tagged because of the Pakistan relay. Just > > add a few points for Word docs

Re: spoofing mail

On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote: > Hi , I have a situation a little complicated, I have emails from > spammers that come with the name of one of my users, but the email > address is not from my domain , they send it from a valid domain, > which complies with spf, DKIM etc

Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")

On Thu, 2018-04-26 at 13:41 -0700, L A Walsh wrote: > To my way of thinking, dropping someone else's email, > telling the sender the email is being rejected for having > spam-like characteristics and telling the recipient nothing > seems like it might have legal liability for the for the > user

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

On Sun, 2018-03-18 at 17:14 -0500, David Jones wrote: > I have Steve Freegard's DecodeShortURLs.pm installed but didn't get any > HAS_SHORT_URL hits on this one: > > https://pastebin.com/t85b0Bns Is it getting any hits? It definitely hits on that one in a test here. Note it needs Perl's

Re: Turn OFF SA spam filtering but keep ON header examination

On Thu, 2018-01-18 at 18:49 -0500, Chip wrote: > Very well stated.  Bravo! > > The end point here is to examine the email headers that specifically > refer to dkim and spf signatures.  Based on fail or pass, or some > combination in concert with the sender's email address, they get moved > into

Re: From name containing a spoofed email address

On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote: > Would a plugin need to be created (or an existing one enhanced) to > be  > able to detect this type of spoofed From header? > > From: "h...@hulumail.com !" > > https://pastebin.com/vVhGjC8H > > Does anyone else think

Re: Malformed spam email gets through.

On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote: > On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: > > > I think some mail systems will keep the same message-ID per email  > > thread so your system must reject some replies. > > I have not seen such behavior in the past 20 years... > >

Re: TO_NO_BRKTS_DYNIP

On Mon, 2017-12-04 at 15:20 -0500, Joseph Brennan wrote: > New rule: TO_NO_BRKTS_DYNIP > > Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is > 2.639, one gets an even 5.0 score just for sending from ec2-54-225- > 189-51.compute-1.amazonaws.com without < > around the To address. >

Re: FROM header with two email addresses

On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote: > This could also be an attempt to get a mailing list to work. > > There's a continuing problem with email list traffic getting bounced by > DKIM, and various work-arounds - the gist is that the mail has to come > from the list manager,

Re: Somewhat OT: DMARC and this list

On Friday 19 May 2017 20:11:42 David Jones wrote: > >Urgg, I see that now. I looked at a few of David Jones' posts to this list > >and saw that they weren't DKIM signed, so I extrapolated that to a general > >asumption. > > They are DKIM signed so something must be striping the headers. > Well,

Re: Somewhat OT: DMARC and this list

On Friday 19 May 2017 14:47:56 Dianne Skoll wrote: > On Fri, 19 May 2017 20:43:39 +0200 > > Benny Pedersen wrote: > > some maillists break DKIM, forkus on that first, not last ! > > Thank you for not adding any value to the conversation. The > domain in question is not using

Re: Today's Google Docs phish

On Thursday 04 May 2017 17:07:31 John Hardin wrote: > I expect a basic accounts.google.com URI rule would be a good idea even if > a redirector pattern for this was added - is there any legitimate reason > for a "log in to your google account" URL to be in an email? > Not from anyone who isn't

Re: Matching To and Received addresses

On Tuesday 28 March 2017 13:58:43 Alex wrote: > I'd like to be able to use the fact that the To address is not the > same as the address shown in the Received header in a meta of some > kind. > > How frequent would you think that would appear in ham alone? It's the > basis for a number of

Re: New whitelisting trick using from and spf

On Monday 06 March 2017 11:58:25 David B Funk wrote: > On Mon, 6 Mar 2017, Alan Hodgson wrote: > >> It seems it should be easy to setup “If mail claims to be From: > >> PayPal.com > >> and is not from PayPal, score +100” but it is not. > > > > This is

Re: New whitelisting trick using from and spf

> It seems it should be easy to setup “If mail claims to be From: PayPal.com > and is not from PayPal, score +100” but it is not. This is what DMARC is for. Run opendmarc as a milter and reject failures. Or score later on DMARC failure, even if just selectively for highly phished domains.

Re: Keyword Whitelist?

On Wednesday 11 January 2017 14:31:15 John Hardin wrote: > That's more complex than needed. The message subject is automatically > included in body rules, so you only need __LOCAL_BODY_PRODUCTS. > Cool, I did not know that. txs.

Re: SA bayes file db permission issue

On Thursday 09 June 2016 16:26:26 Yu Qian wrote: > Yes, I am sure the path is correct, also, if the path is not correct, it > will show 'db not present'. > > I tried to write a small perl script to open the db file, it failed too. so > I think it maybe the file damaged during the mounting. but I

Re: DMARC auto-away rejects

On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote: > really? > > I know DMARC as > "example.com may dkim sign with example.com. relax alignment will > match even for RFC5322.From sub.example.com" > > but you claim > "sub.example.com may dkim sign with sub.example.com a message with >

Re: DMARC auto-away rejects

On Monday, April 04, 2016 09:34:56 PM RW wrote: > On Mon, 04 Apr 2016 13:18:54 -0700 > > Alan Hodgson wrote: > > On Monday, April 04, 2016 08:59:51 PM RW wrote: > > > I'm assuming that you are using these rules: > > > > > > https://blog.laussat.de/201

Re: DMARC auto-away rejects

On Monday, April 04, 2016 08:59:51 PM RW wrote: > I'm assuming that you are using these rules: > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ > > > meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && > __DMARC_POLICY_REJECT > > __DMARC_POLICY_REJECT comes from

Re: how to fix this issue-spam

On Thursday, February 04, 2016 08:05:59 PM Reindl Harald wrote: > in context of "DKIM and DMARC are the present and near future" how do > you imaine that to work if you have no clue who is sending on behalf of > yours? > Well you obviously have something emotionally invested in SPF. But anyways

Re: how to fix this issue-spam

On Thursday, February 04, 2016 06:06:14 PM Reindl Harald wrote: > before Google ist telling somebody something they should better learn > the difference between "~" and "-" in a SPF record to make gmail.com at > least on envelope-level spoofing protected > > i high percentage of spam here would

Re: how to fix this issue-spam

On Thursday, February 04, 2016 04:36:14 PM Reindl Harald wrote: > > wait i tell you something (for you) new: DMARC and mailing-lists is a > awful topic - what do you think would have happened with you mail to the > list if your domain would enforce DMARC and my MX reject mails violating > the

Re: how to fix this issue-spam

On Thursday, February 04, 2016 07:41:44 PM Reindl Harald wrote: > which people don't know this? > admins? > don't maintain services then! > > users? > > just use the SMTP server your mailprovider tells you and no other one > and for smtp-admins: just don't accept enevlope senders for which you >

RE: How to find where email server has been blacklisted

That would be a very useful site, except that it shows the results as colour-coded icons, and I see the listed and not-listed icons as identical. -Original Message- From: Mikael Syska [mailto:mik...@syska.dk] Sent: 08 March 2010 01:56 To: users@spamassassin.apache.org Subject: Re: How

Re: A little help with a local.cf rule... please!

So my rule: # hotmail drug spam uri MY_HOTMAIL_SPAM m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i} describe MY_HOTMAIL_SPAM Druggy hotmail.com links score MY_HOTMAIL_SPAM 5.0 And running emails through it using -D, it does not hit it as far as I

Re: Dear Santa

On Sat, 19 Dec 2009 10:06:11 -0600 Dave Pooser dave...@pooserville.com wrote: share the code so that some of us could auto-generate rules based on our own ham/spam mailstreams, and then share those rules with you for possible SOUGHT inclusion? I think that's already done, though not well

Re: Eliminating russian spam

Thank you, John! Both how-to (http://sa-russian.narod.ru/no_russian.html) and the ruleset (http://sa-russian.narod.ru/files/20090916/99_no_russian_mail.cf) are updated.

Re: Cyrillic charsets normalization

But that would also prevent MUAs from correct rendering the contents, wouldn't it? 16.02.09, 10:48, Jeff Chan je...@surbl.org: On Sunday, February 15, 2009, 11:19:17 PM, Makoev Alan wrote: So my question is: Is it just due to developers' time shortage, or there are some reasons

Cyrillic charsets normalization

Here was recently a discussion on charset normalization feature (see e.g. http://markmail.org/message/hvdtbca6lm5tsjtm?q=list:org.apache.spamassassin.users+date:200901+page=42) I ran a simple check on results that Encode::Detect::Detector facility yields. I selected manually a set of 39 spam

Cyrillic charsets normalization

Here was recently a discussion on charset normalization feature (see e.g. http://markmail.org/message/hvdtbca6lm5tsjtm?q=list:org.apache.spamassassin.users+date:200901+page=42) I ran a simple check of results Encode::Detect::Detector facility yields. I selected manually a set of 39 spam messages

Re: FreeMail.pm

address has been maintained for a long time at http://www.oryx.com/spam/freemail/domains.txt Not sure how often they update, but I've been using their list for some years now. Alan

Re: Serious problem with scores file for todays rule update?

On Tue, 30 Dec 2008 09:55:52 + Justin Mason jma...@gmail.com wrote: Does the sa-compile step complete with an exit code of 0? If there are problems with re2c (which has happened in the past) it should exit with !=0. There were no errors visible in the output, but the script I was using

Serious problem with scores file for todays rule update?

Hey, all, I have a bunch of servers that picked up a rule update, 729912 this morning about 10am EST, at which point all hell broke loose---scores for everything but bayes dropped to almost nothing. Has anyone else experienced anything like this? Mike.

Re: Serious problem with scores file for todays rule update?

On Mon, 29 Dec 2008 23:21:48 + j...@jmason.org (Justin Mason) wrote: hmm. What do you have in /var/lib/spamassassin for the scores files? they should look like this: : 183...; ls -l /var/lib/spamassassin/3.002006/updates_spamassassin_org/50_scores.cf

MATCH_WORDS false positives

I've seen a few false positives that hit MATCH_WORDS_5. Can someone point me to this rule so I can try to determine what is causing the hit? George Butler Associates, Inc. Creating Remarkable Solutions for a Higher Quality of Life Alan Lehman, P.E. Electrical/Critical Facilities Group One

RE: MATCH_WORDS false positives

On Wed, Sep 24, 2008 at 01:52:27PM -0500, Alan Lehman wrote: I've seen a few false positives that hit MATCH_WORDS_5. Can someone point me to this rule so I can try to determine what is causing the hit? As far as I can see, there is no such rule in the standard or updates rulesets

RE: sare rule updates ?

feeds. Therefore, they are updated frequently. SEE: http://taint.org/2007/08/15/004348a.html Rob McEwen Thanks. This helps a lot! Alan

RE: sare rule updates ?

(besides me writing them myself)? George Butler Associates, Inc. Creating Remarkable Solutions for a Higher Quality of Life Alan Lehman, P.E. Electrical/Critical Facilities Group One Renner Ridge 9801 Renner Boulevard Lenexa, KS 66219-9745 T. 913.577.8829 M. 816.210.8785 F. 913.577.8264 [EMAIL

SA-3.2.4 overload

. Hardware: HP Proliant DL380 single CPU 2.4GHz, 4G RAM Thanks, Alan Lehman George Butler Associates, Inc. Creating Remarkable Solutions for a Higher Quality of Life Alan Lehman, P.E. Electrical/Critical Facilities Group One Renner Ridge 9801 Renner Boulevard Lenexa, KS 66219-9745 T

We need help with error messages

Hi, We use SPAM Assassin in Silverpop. We have been having a tough time with the messages and results after running SPAM A. Can someone help? We want a guide of definitions. The latest we got is 2.2 REMOVE_BEFORE_LINK BODY: Removal phrase right before a link Thanks, Alan D Morgan MTD

Re: BOTNET Exceptions for Today

On Tue, 21 Aug 2007 16:56:27 -0500 Andy Sutton [EMAIL PROTECTED] wrote: On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote: b) Botnet gets 0% false positives at one of my services (not just borked DNS == bad, as you're suggesting, but actual everything that triggered botnet was actually

Re: SUBJECT_ENCODED_TWICE really wrong?

with this combination. just my 2 yen worth. Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGMpHtE2gsBSKjZHQRAsfMAJwO8iqLnF/BpAw5tX/YOm/tsSGCVQCfaJHP JRPY+2PKlce6j0hKfKsoQ9Y= =BEbK -END PGP SIGNATURE-

DKIM

) but this has not fixed things. Is there another way I can re-install this plugins files? Thanks Alan

Re: DKIM

Mark. When I saw the lint fail I just started comparing file lists Too busy looking at a VoIP problem to think that the perl module had disappeared. Alan

Re: RelayCountry plugin doesn't add header

as listed on the ISO site. Alan #! /bin/bash echo start # shopt -s -o xtrace OUTPUT_FILE=Relay_Countries.cf OUTPUT_DIR=. #OUTPUT_DIR=/etc/mail/spamassassin # # Fields: # USE=1 # yes=1, no=0 CODE=2 # Country Code DESCRIPTION=3 # Description SCORE=4 # Score

Re: Spamassassin doesn't ding sender for saying HELO i-am-you

into the mail system to discover helo name and the associated IP? Then it can write a system specific rule. Alan

Re: rules_du_jour not working confusion?

information on using sa-update for SARE rules, there don't appear to be any references on how-to migrate to it from RDJ. The only other thing (AFAIK) that would hold someone from moving is that RDJ still covers some rule sets that are not available via sa-update. Alan

Re: rules_du_jour not working confusion?

on moving from RDJ to sa-update? Alan

Re: spam

followed by 1 to 3 \n characters *AND* there *ARE* alphabetical characters in the body. I'm guessing this isn't what you want. your meta should probably look like (!ORNL_B0RKEN1_BODYTEXT ORNL_B0RKEN1_SHORTNUM) (this is untested, but should work as expected) Alan -BEGIN PGP SIGNATURE- Version

Re: How to examine a system and determine the mail delivery agent.

easily is the heart of the matter. Don, to my knowledge, there is no way to determine the MDA (mail delivery agent) without having access to the mail server's configuration files. Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http

Re: Problem with spam from non-existant users of my domain.

. (or with something like MIMEDefang you could just reject on failed SPF if you chose to) hope this helps, Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFb8lfE2gsBSKjZHQRAqenAKDrcNu7h2l7xZFKC09CgQERto3OEwCgo1x

Score=x+5

pattern 0.5 SARE_HTML_MANY_BR05Tooo many br's! 0.7 AWLAWL: From: address is in the auto white-list I've not seen this before (in over 4 years) and could not see and answer from a quick search. Thanks Alan

  1   2   3   >