Using -t to test rule changes

2024-05-08 Thread Alex
Hi, I'm using the latest version of SA from trunk (although I don't think that matters) and trying to make adjustments to rules on a particular false-positive email that was quarantined by amavis so I can adjust the rules to prevent it from being quarantined. The problem is that amavis

Tips for improving bounce message deliverability?

2024-04-24 Thread Alex
Hi, I'm using SA 4.0.1 and amavisd with postfix. I've identified a few bounce messages in the quarantine because they weren't identified properly. Here's one: https://pastebin.com/RMNkcyhF For example, it matches on * 3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra,

Re: dcc on empty email

2024-04-10 Thread Alex
Hi, > I'm noticing DCC is triggering on emails with an empty body. I'd like to > create a hash that matches messages with an empty body and other simple > messages. > > What am I doing wrong? I've tried it with a zero-length file as well as > one with just a few characters. It looks like I don't

dcc on empty email

2024-04-10 Thread Alex
Hi, I'm noticing DCC is triggering on emails with an empty body. I'd like to create a hash that matches messages with an empty body and other simple messages. What am I doing wrong? I've tried it with a zero-length file as well as one with just a few characters. It looks like I don't understand

Re: QR code phish?

2024-02-04 Thread Alex
Hi, On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail wrote: > Hi Alex, we are definitely seeing them. There is code in trunk for this > with one of the plugins and rules in the KAM ruleset using the new > code. LMK if you need more info. > It looks like it's tied to the Ra

QR code phish?

2024-02-01 Thread Alex
Hi, I'm just wondering if there is any mechanism for detecting and blocking QR code emails? Would that require using image detection? Perhaps instead it's a database of known malicious QR codes? Has anyone even really seen any?

wellsfargo/google drive

2024-01-15 Thread Alex
Hi, Google Drive is being used to send links with malicious content. I know, shocking. But should Google Drive be in the DKIM WL? What more can be done to stop these? I have a few body filters, but these are just links sent using Google to PDFs with malicious links. https://pastebin.com/Qpj1drSa

Spreadsheet::Excel ?

2023-12-29 Thread Alex
Hi, Barracuda recently announced they've identified a vulnerability in the Spreadsheet::Excel library used by amavis in their appliances. I didn't realize they were still using amavis and open source (and presumably spamassassin?). https://www.barracuda.com/company/legal/esg-vulnerability I

Re: Too many dots?

2023-11-16 Thread Alex
s, so it also seemed somewhat punitive to award so many points and to be expected to offset them for a completely benign email. Thanks, Alex

Too many dots?

2023-11-16 Thread Alex
Hi, I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam. * 1.5 KAM_SENDGRID Sendgrid being exploited by scammers * 0.8 BAYES_50 BODY: Bayes

Re: sorbs :/

2023-10-07 Thread Alex
> https://www.irccloud.com/pastebin/XPl5OZ0y/sorbs.pl > > lets just test more dns fails, please fix qname, reduce zones that ends > in same nameserver ip > Yes, seeing that here, too, for months and months. Spamhaus also sucks real bad. 06-Oct-2023 13:57:12.880 resolver: loop detected resolving

DMARC and SA4

2023-09-26 Thread Alex
Hi, All the way back in 2016, RW posted these rules on pastebin for DMARC, before it was part of SA proper: https://pastebin.com/gr41CvCc Is this effectively what's been implemented in functions in the latest SA? The scores from the above are a lot more aggressive than what's currently in SA

Re: uninitialized value $result in string eq at AuthRes.pm line 302

2023-08-20 Thread Alex
Hi, > > Aug 19 23:02:27 xavier amavis[3615]: (03615-10) _WARN: Use of > uninitialized value $result in string eq at > /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > >292 sub check_authres_result { >293my ($self, $pms, $method, $wanted_result) = @_; >

uninitialized value $result in string eq at AuthRes.pm line 302

2023-08-19 Thread Alex
Hi, Just upgraded to fedora38, using the spamassassin included with it and have the following warning: Aug 19 23:02:27 xavier amavis[3615]: (03615-10) _WARN: Use of uninitialized value $result in string eq at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. 292 sub

unsubscore down?

2023-08-09 Thread Alex
Hi all, anyone else having problems with unsubscore? Aug 9 15:57:41 polaris postfix-126/dnsblog[3671494]: warning: dnsblog_query: lookup error for DNS query 154.51.76.80.ubl.unsubscore.com: Host or domain name not found. Name service error for name= 154.51.76.80.ubl.unsubscore.com type=A: Host

URL Time-of-Click Protection

2023-05-12 Thread Alex
Hi all, I'm curious what people think of URL rewriting or otherwise having some kind of idea of whether a URL could or should be scanned at some later time to determine if it's potentially malicious at the current time where it may not have been initially? Is anyone implementing that in open

Re: AuthRes plugin test rules

2023-03-18 Thread Alex
, $opts) = @_; 307 Any idea how to troubleshoot this? Thanks, Alex On Sun, Mar 12, 2023 at 11:41 AM Matus UHLAR - fantomas wrote: > >>>Matus UHLAR - fantomas skrev den 2023-03-12 10:15: > >>>>I have also commited patch to bug 6918 to handle "arc.chain=&quo

SHORT_WORD_LINES & KAM_LINEPADDING

2023-03-16 Thread Alex
Hi, I'm curious about the SHORT_WORD_LINES, KAM_LINEPADDING and HK_RANDOM rules. I received a legitimate email from a gmail sender that was pushed beyond 5.0 because of these rules. It hit both SCC_5_SHORT_WORD_LINES and SCC_10_SHORT_WORD_LINES, and because a score isn't explicitly set, the two

Re: ExtractText tuning

2023-03-06 Thread Alex
Hi, I have successfully set up ExtractText plugin with proposed settings (those > in pod/manual page) and here's a tip: > > - put extracttext.pm into /etc/spamassassin or similar directory >(extracttest settings aren't loaded from user_prefs) > > - tesseract takes too much time to process (at

Re: BAYES_00 BODY. Negative score?

2023-02-15 Thread Alex
Hi, > > However, many of tokens in even Forbes and WP newsletters may occur in > different spammy newsletters, so be careful when training even these. > This is exactly what I was thinking. When going through the quarantine, it's also very difficult to always not only identify which newsletters

Re: BAYES_00 BODY. Negative score?

2023-02-14 Thread Alex
Hi, >*-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% > >* [score: 0.] > > This indicates a mistrained database, which means you have trained too > many > spams or spam-like messages (commercial messages) as ham. > > Proper training of spams should help. Just keep your spam (and

FROM_GOV_SPOOF and Zix SPF softfail?

2023-01-18 Thread Alex
Hi, I received an email from ncua.gov sent through Zix that apparently was an SPF softfail. It also hit FROM_GOV_SPOOF. I wanted to see if the two were related, or what the reason was for this email hitting so many spam rules. meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (!

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Alex
Hi, > RBL checks for FQDN not just domains would be a good idea... > ... > > I assume you are not running SA4. That does this. (And the sharepoint > domain you have in your mail is listed on SURBL ) > Yes, I am running SA4 and have been for probably more than a year. What am I doing wrong

sharepoint phish routed through sharepointonline/outlook

2023-01-15 Thread Alex
Hi, X-Spam-Status: No, score=1.102 tagged_above=-200 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, LOC_FILE_SHARE_PHISH1=0.75,

Re: welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, On Fri, Dec 16, 2022 at 5:35 PM Marc wrote: > > The sender's SPF record includes the sending IP (40.107.96.128) in the > > secureserver.net entry, and SPF_PASS is hit. > > > > Without even checking anything I can already remember that this > secureserver.net is

welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, This GoDaddy/M365 quarantined email passes SPF, but despite now adding it to my welcomelist, it is still marked as spam. https://pastebin.com/VpPmgGN4 Only when I create a welcomelist_from_rcvd does it get delivered. The sender's SPF record includes the sending IP (40.107.96.128) in the

RBL timeouts

2022-12-02 Thread Alex
Hi, Is anyone (everyone?) also experiencing DNS timeouts with barracuda? 02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729

Re: Mial hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
On Mon, Nov 28, 2022 at 10:42 AM Kevin A. McGrail wrote: > What's the score on that short circuit Validity rule? > -2.0 RCVD_IN_VALIDITY_SAFE RBL: Sender in Validity Safe - Contact certificat...@validity.com [Return Path SenderScore Safe

Re: Mial hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
Hi, > Well, a short circuit rule kind of breaks things in the middle so I do not > think you should really spend too much time on rules that hit/didn't hit. > > I like validity but I don't think it justifies a short circuit, FYI. > Okay, it's been removed, but somehow the presence of that didn't

Re: Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* >> > rules >> > but these headers are clearly displayed. >> > >> > * 0.5 MISSING_MID Missing Message-Id: header >> > * 1.0 MISSING_FROM Missing From: header >> > * 1.8 MISSING_SUBJECT Missing Subject: header >> > *

Re: Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* > > rules > > but these headers are clearly displayed. > > > > * 0.5 MISSING_MID Missing Message-Id: header > > * 1.0 MISSING_FROM Missing From: header > > * 1.8 MISSING_SUBJECT Missing Subject: header > > * 1.4

Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, I have emails from wayfair and Dell that hit many of the MISSING_* rules but these headers are clearly displayed. * 0.5 MISSING_MID Missing Message-Id: header * 1.0 MISSING_FROM Missing From: header * 1.8 MISSING_SUBJECT Missing Subject: header * 1.4 MISSING_DATE Missing Date: header

Re: pyzor and failure to parse response

2022-11-20 Thread Alex
On Sun, Nov 20, 2022 at 12:54 PM Henrik K wrote: > On Sun, Nov 20, 2022 at 11:58:31AM -0500, Alex wrote: > > Hi, > > I'm using the latest SA from trunk and trying to get pyzor working. It > runs > > correctly to check a message from the command-line, but SA apparently

pyzor and failure to parse response

2022-11-20 Thread Alex
Hi, I'm using the latest SA from trunk and trying to get pyzor working. It runs correctly to check a message from the command-line, but SA apparently fails to properly parse the output? Nov 20 11:55:13.213 [2531397] dbg: pyzor: network tests on, attempting Pyzor Nov 20 11:55:15.756 [2531397] dbg:

Re: FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-19 Thread Alex
Hi, > Boring Stuff > We have some restrictions on the usage of our data. You can read all > about it here. > Yeah, turns out not so much. I'm working with Paul directly, thanks,

FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-17 Thread Alex
Hi, I just noticed I've apparently hit the regular limits of use for fmbla and dkimwl for my few domains and honeypots. I believe this is a service provided by Paul Stead - does anyone know if there's a "pro" version or how I might be able increase the permissible capacity allowed? Given it's

Re: PBL and rejects

2022-11-15 Thread Alex
Hi, > > >These aren't new netblocks for us from them, but it seems awfully weird > >that we would be operating on these IPs for 2+ years then all of the > sudden > >have them listed like they're dialup IPs. > > generic/dialup DNS names can help here. If they aren't dynamically > allocated, their

Re: PBL and rejects

2022-11-14 Thread Alex
Hi, > > > I'm hoping I can ask this question here. Somehow the PBL considered the > IP > > addresses given to us by our ISP (I can share this if needed) as > ineligible > > to send email, resulting in any recipient domain that checks the PBL to > > reject our email, > > AIUI, PBL is supposed to

PBL and rejects

2022-11-14 Thread Alex
Hi, I'm hoping I can ask this question here. Somehow the PBL considered the IP addresses given to us by our ISP (I can share this if needed) as ineligible to send email, resulting in any recipient domain that checks the PBL to reject our email, including every email sent to a Microsoft 365

Re: Gmail confidential mode

2022-10-16 Thread Alex
> > > > What do you know about "Gmail confidential mode" emails? I'm starting to > > see a few of these come in to users now, and not sure how to treat them. > > They are sent through gmail, but require a one-time passcode sent to the > > recipient, > > Did you actually look at them? What do they

Gmail confidential mode

2022-10-16 Thread Alex
Hi, What do you know about "Gmail confidential mode" emails? I'm starting to see a few of these come in to users now, and not sure how to treat them. They are sent through gmail, but require a one-time passcode sent to the recipient, so any potential threat is not transferred through the same

Re: Mail with image marked as spam

2022-09-26 Thread Alex
Hi, > * 1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg > > That rule is nowhere in the current standard rules or the KAM rules. > > If you don't like your custom local rules, only you can change them. > Ah, thanks. Usually my local rules are indicated as such, so I didn't even realize

Re: Mail with image marked as spam

2022-09-25 Thread Alex
On Sun, Sep 25, 2022 at 1:56 PM Matus UHLAR - fantomas wrote: > On 25.09.22 13:35, Alex wrote: > >I've asked variations of this question in the past, but I'm still not sure > >what to do about it. Should an email with just an image attachment, with > no > >subject and no

Mail with image marked as spam

2022-09-25 Thread Alex
Hi, I've asked variations of this question in the past, but I'm still not sure what to do about it. Should an email with just an image attachment, with no subject and no body be treated as spam? This is the circumstance where users are using email as a file transfer device. There seems to be one

Re: Matching on missing To field?

2022-07-20 Thread Alex
It does match on "ALL", but I think I need to be more specific than that, to avoid matching on "From:" or Return-Path or EnvelopeFrom./ Thanks, Alex

Matching on missing To field?

2022-07-20 Thread Alex
that shouldn't be. Can someone explain how this rule works and if something similar would apply to my situation? header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism Thanks, Alex

Re: Attachment policy

2022-06-28 Thread Alex
nts. Please keep us updated on the progress of the ExtractText plugin. Thanks, Alex

Attachment policy

2022-06-27 Thread Alex
Hi, I'm looking for input from people on how they handle attachments, and people using email as a file transfer service. One of our users must have posted to a job site recently, soliciting resumes from people internationally. This resulted in 100+ emails from random people who had never emailed

Re: DKIM fails on v4

2022-06-27 Thread Alex
Hi, >> At some point after that, and even until yesterday's version, DKIM > stopped > >> working. DMARC still passes with SPF, but there are no longer any > occurrences > >> of DKIM. > > > > I think Giovannis changes don't work when amavisd is passing > $suppl_attrib: > > > >

Re: DKIM fails on v4

2022-06-26 Thread Alex
> > Amavisd-new works fine here. Maybe $enable_dkim_verification or something > is different. > It's good to know you're using amavisd. It's very dependent upon the SA version you're using, though. It appears both DKIM and DMARC worked until the May 29th version from svn (1901385). At some

Re: DKIM fails on v4

2022-06-25 Thread Alex
://svn.apache.org/repos/asf/spamassassin/trunk Mail-SpamAssassin-4.0.0 On Sat, Jun 25, 2022 at 3:07 PM Alex wrote: > Hi, > I've been having problems with DMARC failing over the past few weeks using > the latest SA, even on sites I know have passed. It appears to have > coincided wi

DKIM fails on v4

2022-06-25 Thread Alex
Hi, I've been having problems with DMARC failing over the past few weeks using the latest SA, even on sites I know have passed. It appears to have coincided with an update to DMARC.pm related to timing. I just now happened to notice that maybe the problem is with DKIM, or there's a separate DKIM

Re: block emails with fake FROM

2022-06-24 Thread Alex
Hi, seems it did not catch this one: > > From: " Dr Perfect "@mail.gepesdaru.hu > > but still it's a leap forward > Is it designed to also identify From addresses that have no name component? From: l...@beroe-inc.com This is an invoice phish that isn't tagged. Ideas on how to block these

Re: DMARC fails for valid record?

2022-05-31 Thread Alex
Hi, > >> doesn't amavisd by any chance use old SA installation/libraries? > > On 30.05.22 15:12, Alex wrote: > >I don't think so - the current paths it uses are: > > > >/usr/share/spamassassin > >/var/lib/spamassassin/4.00/updates_spamassassin_org &

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > > > >> did you reload/restart amavis after installing new SA? > >> This header is added by amavis which uses SA libraries internally. > > On 30.05.22 09:50, Alex wrote: > >Yes, thanks. This has been ongoing for weeks. > > doesn't amavisd by any c

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > >X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5 > >tests=[BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1, > >DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1, > >FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, > >

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, On Sun, May 29, 2022 at 8:10 PM Kevin A. McGrail wrote: > There is also a rule update for priority levels. Did you install the > latest rules too? > Yes, sa-update runs every day. Last run was 00:29 this morning.

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, We have been DMARC issues so no, it is not you Are you running the latest > trunk right now? There have been a flurry of patches and some of them are > for this issue. > Yes, just downloaded, compiled, and installed the latest as of this moment and still seeing the same problems initially.

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, just wondering if anyone else has any ideas on how to solve this? Is everyone with any v4 having problems with DMARC now or is it something specific to my environment? On Thu, May 26, 2022 at 2:36 PM Alex wrote: > Hi, > > > On Thu, May 26, 2022 at 1:15 PM Bill Cole <

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, On Thu, May 26, 2022 at 1:15 PM Bill Cole < sausers-20150...@billmail.scconsult.com> wrote: > On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400) > Alex > is rumored to have said: > > [...] > > Ugh, and again we already have DKIM_AU and SPF_PA

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, >> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not. > >> > >> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might > be > >> relevant to this thread. > > according to: > >

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
On Thu, May 26, 2022 at 10:40 AM Alex wrote: > Hi, > > > > Any further thoughts on this? It appears removing the DMARC perl >> library >> > > has disabled any DMARC support altogether. >> > >> > disabling Mail::SpamAssassin::Plugin::DMARC s

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > Any further thoughts on this? It appears removing the DMARC perl library > > > has disabled any DMARC support altogether. > > > > disabling Mail::SpamAssassin::Plugin::DMARC should > > make KAM.cf revert to its simpler DMARC > > functionality > > > > note that it requires: > >

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > >I also haven't any references to DMARC whatsoever from any SA rules since > >it was uninstalled. > > >I otherwise have no way of telling if there should have been any hits, but > >I'd imagine there should have been at least one in 24-hours. > > > >It appears to have disabled DMARC

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
> > > > >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas > > >wrote: > >> have there been rejects often before? > > On 24.05.22 13:58, Alex wrote: > >I have hundreds of these over the last few days (week?), but they could go > >back

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
EJECT and DMARC_REJECT > >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC > >>> isn't available, but uses the library if it does. > >>> > >>> could you (temporarily) uninstall the > >>> perl-Mail-Dmarc-PurePerl-1.2021

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
On Mon, May 23, 2022 at 8:16 PM Alex wrote: > >> >> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed. >> >> ... and this is the perl library. >> >> I see you have both KAM_DMARC_REJECT and DMARC_REJECT >> - KAM_DMARC_REJECT has

Re: DMARC fails for valid record?

2022-05-23 Thread Alex
> > > > >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed. > > ... and this is the perl library. > > I see you have both KAM_DMARC_REJECT and DMARC_REJECT > - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC > isn't available, but uses the library if it

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
duction and we are working on edge cases from my end. > > Alex (OP), do you have Mail::DMARC installed? > May 22 15:12:59.482 [865542] dbg: plugin: loading Mail::SpamAssassin::Plugin::DMARC from @INC I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
? On Sun, May 22, 2022 at 11:10 AM Alex wrote: > Hi, is it possible the DMARC_REJECT problem still exists? > > https://pastebin.com/DCu9cq4t > > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature > * 0.1 DKIM_SIGNED Message has a DKIM or DK signatur

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
="UglVB1nr" $ spamassassin --version SpamAssassin version 4.0.0-r1900583 running on Perl version 5.34.1 On Wed, May 11, 2022 at 9:01 AM Alex wrote: > Hi, > > On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail > wrote: > >> I believe this is a bug and fixed in tru

Re: DMARC fails for valid record?

2022-05-11 Thread Alex
Hi, On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail wrote: > I believe this is a bug and fixed in trunk. > > On 5/10/2022 1:55 PM, Bill Cole wrote: > > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and > also DMARC_REJECT and/or KAM_DMARC_REJECT > This was from svn version

DMARC fails for valid record?

2022-05-09 Thread Alex
Hi, I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine. https://pastebin.com/0T4Gjn3v * 1.8 DMARC_REJECT DMARC reject policy * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message * and the domain has a

Re: SPF skipped for whitelisted relay domain

2022-05-09 Thread Alex
Hi, > this is question for policyd-spf and its configuration. > > >The problem here is that something appears to be preventing my > >welcomelist_auth entries from working properly, but I don't really > >understand how. > > I guess it's the whitelist in policyd-spf. Is it possible that it's

Re: SPF skipped for whitelisted relay domain

2022-05-09 Thread Alex
Hi, > >https://pastebin.com/TvTx6KzY > > X-Comment: SPF skipped for whitelisted relay domain - > client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com; > envelope-from=re...@support.meridianlink.com; receiver= > X-Greylist: whitelisted by SQLgrey-1.8.0 > > isn't it possible that it's

Re: SPF skipped for whitelisted relay domain

2022-05-07 Thread Alex
> >I'm trying to understand why some domains are not whitelisted even > >though they pass SPF and are in my local welcomelist_auth entries. I'm > >using policyd-spf with postfix, and it appears to be adding the > >following header: > > > >X-Comment: SPF skipped for whitelisted relay domain - >

SPF skipped for whitelisted relay domain

2022-05-05 Thread Alex
=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all" Thanks, Alex

Re: Untrustworthy TLDs and KAM

2022-05-01 Thread Alex
On Sun, May 1, 2022 at 9:47 PM Kevin A. McGrail wrote: > > Did it cause a fp with a score of 5.0 or higher? Yes. https://pastebin.com/AqezMHjQ Thanks!

Untrustworthy TLDs and KAM

2022-05-01 Thread Alex
Hi, Four points for a .online TLD with KAM rules * 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs * [URI: www.lci-mtc.online (online)] * 2.0 KAM_SOMETLD_ARE_BAD_TLD .bar, .buzz, .cam, .casa, .cfd, .club, * .date, .guru, .live, .online, .press, .pw, .quest, .rest, .sbs, * .shop,

Re: How to deal with bounce messages

2022-04-24 Thread Alex
Hi, > >> >https://pastebin.com/s032ndrA > >> > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but > >> > >> where did you get these from? > > On 22.04.22 10:02, Alex wrote: > >I just realized these are from

Re: How to deal with bounce messages

2022-04-22 Thread Alex
> >https://pastebin.com/s032ndrA > > > >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but > > where did you get these from? I just realized these are from my local rules, put together from a conversation many years ago, apparently from before SA had built-in DMARC support.

How to deal with bounce messages

2022-04-22 Thread Alex
defined it. The description says the BOUNCE_MESSAGE won't fire if this isn't defined, yet this rule was triggered. It's also somehow hitting BAYES_99 - do you train your bounce messages? Thanks, Alex

Microsoft to block Office VBA macros by default

2022-03-15 Thread Alex
Hi, I'm just curious if this announcement has changed anyone's thinking about how we should be handling docx/xlsx/etc attachments in email? This obviously doesn't prevent someone from emailing a document with a malicious macro, but is this going to provide sufficient protection once a potentially

DCC/pyzor questions

2022-03-14 Thread Alex
Hi, I'm seeing a lot of DCC/pyzor mail being marked as spam that shouldn't be, and want to see what can be done to prevent that. For example, many emails with just an image attachment and an empty body are hitting DCC. I thought I recalled a way to create a checksum of these empty messages and

Re: fuglu 1.0.1

2021-09-24 Thread Alex
ed in python - it's much easier to find python developers than perl developers these days. > But I doubt this mailing list is the best place to talk about fuglu. Yes, not strictly related, but I'm hoping it's closely related enough for someone to give me some pointers, given we're all using S

Re: freshworks and DKIM and KAM

2021-08-27 Thread Alex
Hi, > > I can't figure out why attempts at adding emails from the > > freshworks.com domain to the welcome list aren't successful. This is > > from a quarantined message on my amavis/SA/fedora system. > > > > I'm not sure why the entirety of freshworks.com would be blocked in > > the first place?

freshworks and DKIM and KAM

2021-08-27 Thread Alex
Hi, I can't figure out why attempts at adding emails from the freshworks.com domain to the welcome list aren't successful. This is from a quarantined message on my amavis/SA/fedora system. I'm not sure why the entirety of freshworks.com would be blocked in the first place? * 9.0

Re: Office phish

2021-07-01 Thread Alex
Hi, > >> I realize blocking all javascript is prone to error, > > What legitimate email uses javascript? > And more important: which email clients do actually process Javascript > that comes within an email? Thunderbird doesn't since 10 or 20 years > ago. I don't know of any other as well. This

Re: Office phish

2021-07-01 Thread Alex Woick
I realize blocking all javascript is prone to error, What legitimate email uses javascript? And more important: which email clients do actually process Javascript that comes within an email? Thunderbird doesn't since 10 or 20 years ago. I don't know of any other as well. This phish is

Re: Office phish

2021-07-01 Thread Alex
Hi, > > I modified the ExtractText plugin to also process HTML files > > > > extracttext_externalhtmlcat /usr/bin/cat {} > > extracttext_use htmlcat .htm .html > > > > Quite horrible hack, as the result should be _rendered_ text. Inserting raw > HTML for all body rules is probably

Re: Office phish

2021-06-30 Thread Alex
Hi, > SpamAssassin has plugins for PhishTank and OpenPhish. I would suggest > you submit the link to them. > You can also reach out to the domain provider, hosting provider(s) and > other companies involved. > > https://pastebin.com/JMSrY6KU We've got to do better than that. These O365 phishing

Office phish

2021-06-30 Thread Alex
Hi, Would anyone like to help me block this office phish? It includes an HTML file that presents an O365 login page: https://pastebin.com/JMSrY6KU More javascript in an HTML file.

adobe cloud malicious link

2021-06-04 Thread Alex
Hi, I received what appears to be a legitimate email from what looks like a compromised adobe account that itself contains no malicious links, but redirects to a malicious link once on the adobe site. https://pastebin.com/thp1Atah I don't suppose there's any protection against this, considering

Re: KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alex
Hi, > > I have an email that matched KAM_SENDGRID because it also matched > > SPF_HELO_NONE, despite it apparently being a legitimate sendgrid > > email. This is from SA trunk. I only meant it as a reference for the version of SA (and SPF.pm) that's being used, in case it was necessary. > >

KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alex
Hi, I have an email that matched KAM_SENDGRID because it also matched SPF_HELO_NONE, despite it apparently being a legitimate sendgrid email. This is from SA trunk. 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record

FROMNAME and PDS_FROM_2_EMAILS

2021-05-08 Thread Alex
Hi, I'm trying to understand the FROMNAME rules and a potential conflict with PDS_FROM_2_EMAILS. I understand FROMNAME_SPOOF is designed to catch differences like: From: "no-re...@amazon.com" but what other spoofs is the FromName.pm plugin designed to catch? And I would assume it would be

ExtractText and docx

2021-05-06 Thread Alex
Hi, I'm trying to use the latest ExtractText plugin, but the docx2txt program the plugin references is no longer available from http://docx2txt.sourceforge.net I've located a working replacement at https://github.com/ankushshah89/python-docx2txt/ (although it's written in python and I don't have

Re: More fake order spam

2021-04-28 Thread Alex
Hi, > >-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list > >manager > > I have disabled his rule some time ago. > Many spammers use mailing list or their signatures. Where is the score coming from for this rule? There isn't an explicit "score"

Re: OT: Re: Unsubscribe link at the bottom.

2021-04-07 Thread Alex Woick
John Hardin wrote on 06.04.2021 at 16:34: On Mon, 5 Apr 2021, Grant Taylor wrote: On 4/5/21 8:41 PM, Peter West wrote: I'd agree it's address verification, as with the Unsubscribe link at the bottom. I'm of the opinion that if I have any inkling of knowledge of the company sending the

Re: Problem with local.cf rules

2021-03-14 Thread Alex Woick
Peter West wrote on 14.03.2021 at 14:30: header CASINO From =~ /\bcasino\b/i score 100.0 === It's hitting the CASINO rule, but no matter what value I assign to the casino rules - 5, 20, 100, these messages always come through with a value of 4.1. It's as though some other rule is
