On 09/03/17 13:26, Kevin A. McGrail wrote:
> On 3/9/2017 8:22 AM, Cedric Knight wrote:
>> I've reduced the score on my installation to 0.5. Would this kind of
>> thing be prevented by more people contributing to the mass checks? Or
>> could it be adjusted downwards as A
On 11/09/16 22:10, Alex wrote:
>> COMMIT/trunk/rules/50_scores.cf
>>
>> Committed revision 1760066.
>>
>> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> should show up after next SA update
>
> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
> hitting a lot more ham than spam here,
On 30/03/16 21:11, @lbutlr wrote:
> On Wed Mar 30 2016 13:34:23 Alex said:
>>
>> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/
>> REJECT
>
>
On 25/03/16 00:55, Alex wrote:
> Hi,
>
> First, I'm wondering why parking.ru isn't among the freemail domains?
Probably because the FreeMail plugin is designed to detect the
right-hand side of email addresses for providers like Gmail and AOL, and
parking.ru looks like a general-purpose web host.
On 18/03/16 08:39, Cedric Knight wrote:
> On 17/03/16 19:31, Chip M. wrote:
>> Starting about two hours ago, more than 80% of my real-time
>> honeypot spam is a new malware campaign.
>>
>> Full spample (with redacted/munged email addresses and
>> Message-ID):
On 17/03/16 19:31, Chip M. wrote:
> Starting about two hours ago, more than 80% of my real-time
> honeypot spam is a new malware campaign.
>
> Full spample (with redacted/munged email addresses and
> Message-ID):
> http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt
[snips]
> So far,
On 14/08/15 02:19, Alex wrote:
in the .cf file I added
blacklist_from *.review
blacklist_from *.work
blacklist_from *.date
I would use the following:
blacklist_uri_host review
blacklist_uri_host work
blacklist_uri_host date
you want both: a bad sender using the domain as well a URI
On 25/01/13 13:12, Cedric Knight wrote:
Does anyone have any more information on spameatingmonkey.net, which
doesn't seem to have been resolving since UTC today (20120125) ?
It looks like ns1.urmombl.com is down.
Spam Eating Monkey provides or provided RBL, RHSBL and iXhash of what
, and particularly RHSBLs of
domains less than 15 days old.
It probably only affects a few SA users, those who have included it
manually, and was removed from SA sandboxes last year.
--
All best wishes,
Cedric Knight
GreenNet
On 25/01/13 13:20, Tom Kinghorn wrote:
On 25/01/2013 15:12, Cedric Knight wrote:
Does anyone have any more information on spameatingmonkey.net, which
doesn't seem to have been resolving since UTC today (20120125) ?
It looks like ns1.urmombl.com is down.
Spam Eating Monkey provides
Enjoy the support case party!
https://twitter.com/#!/search/?q=DSBLsrc=typd
Axb
--
All best wishes,
Cedric Knight
On 30/12/10 19:15, Lawrence @ Rogers wrote:
Lately, I notice we are getting a fair amount (10-12 per day per client)
of spam coming from freemail users (FREEMAIL_FROM triggers). Usually the
Subject is non-existent or empty, and the message is always just an URL
I see a fair amount matching
On 15/12/10 00:43, RW wrote:
On Tue, 14 Dec 2010 15:52:28 -0800 (PST)
John Hardin jhar...@impsec.org wrote:
On Tue, 14 Dec 2010, Cedric Knight wrote:
So a hash is best,
Agreed.
and I'd suggest SHA1 over MD5.
Just out of curiosity, why? An MD5 hash is shorter than an SHA hash
On 14/12/10 14:28, Marc Perkel wrote:
Are there any DNSBLs out there based on email addresses? Since you can't
use an @ in a DNS lookup
Actually, you can use '@' in a lookup. You just can't use it in a hostname.
Or you could convert the '@' to a '.' as is the format still used in SOA
records.
There seem to be an abundance of DNSBLs out there nowadays. Here are
my observations on two, and an implementation question. The Good, the
Bad and the Ugly:
GBUdb.com's truncated list (http://www.gbudb.com/truncate/) went public
in May and seems to work very well, catching a lot of things
On 13/12/10 15:06, Karsten Bräckelmann wrote:
[...] is a recent project of Julian Haight, creator of Spam
Cop. SpamCop.
Assassin.
Oh no, did I type that? Dratted absent-minded fingers.
Apologies.
C
On 13/12/10 15:44, RW wrote:
On Mon, 13 Dec 2010 13:47:14 +
Cedric Knight ced...@gn.apc.org wrote:
...
header RCVD_IN_GBUDB_TRUNC eval:check_rbl('trunc-firsttrusted',
'truncate.gbudb.net.')
That should be -lastexternal - assuming that the list contains
a lot of dynamic addresses
|fixip|srvlist\.ukfast\.net)/i
--
All best wishes,
Cedric Knight
GreenNet
GreenNet supports and promotes groups and individuals working for
peace, human rights and the environment through the use of
information and communication technologies.
GreenNet, Development House, 56-64 Leonard Street
On 09/12/10 14:33, Randy Ramsdell wrote:
I have been receiving bounces to my yahoo account for email I did not
send. From the pastebin, you see the email did originate from the yahoo
servers but is not in my sent directory. This is an interesting case and
I cannot determine how this happened.
On 09/12/10 20:30, Karsten Bräckelmann wrote:
On Thu, 2010-12-09 at 20:18 +, Cedric Knight wrote:
I noticed some bad false positives on email sent from certain web
servers that haven't (yet) been properly configured. For example, a
trusted header line starting:
Ah, so
On 09/12/10 22:43, John Hardin wrote:
On Thu, 9 Dec 2010, Cedric Knight wrote:
It appears that a client can easily set up hosting using cPanel or
something without ever setting the rDNS or hostname to anything other
than the numeric default.
Is there anything in the headers that indicates
On 30/10/10 07:42, Henrik K wrote:
On Fri, Oct 29, 2010 at 10:02:56PM -0400, dar...@chaosreigns.com wrote:
I see there's a RDNS_NONE rule for when the sending IP address has no DNS
PTR (reverse DNS) record. But no rule for when that PTR record doesn't
have a matching A (forward DNS) record
On 25/10/10 04:21, Dennis German wrote:
Is there? should there be a rule for a header like:
To: undisclosed-recipients:;
There was a rule UNDISC_RECIPS in version 3.1, and it scored about 0.8
points. I don't know why it was removed; presumably it hit too much ham.
It used to go:
header
Hello
I'm trying to get some performance data on a customised ruleset using
the instructions at
http://wiki.apache.org/spamassassin/ProfilingRulesWithDprof
and have two problems.
Firstly, I'm not actually getting any *_body_test or *_head_test data in
tmon.out. Instead, after running dprofpp,
On 11/07/10 16:04, Karsten Bräckelmann wrote:
On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote:
[nothing but 3 spam samples attached]
Uhm, dude!? I hope that was an accidental address auto-completion. Do
NOT send spam samples to the list.
Grovelling apologies. It was Thunderbird
On 07/07/10 23:26, Greg Troxel wrote:
Louis Guillaume lo...@zabrico.com writes:
I just need to clarify one thing that's not clear to me in re-reading
our thread from the other day: Is there a work-around for this?
My users are getting restless. Every time their ISP changes their IP
address
Henrik K wrote:
On Tue, Aug 11, 2009 at 04:31:32AM +0100, RW wrote:
On Sun, 09 Aug 2009 11:33:29 +0100
Cedric Knight ced...@gn.apc.org wrote:
header FH_HELO_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+
...
header HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+
Possibly
Luis Daniel Lucio Quiroz wrote:
Le lundi 10 août 2009 19:15:15, Cedric Knight a écrit :
Stefan wrote:
[...]
You have to forward the message as an attachment and unpack it after
receiving. Have a look at:
https://po2.uni-stuttgart.de/~rusjako/sal-wrapper
Yes, I find this approach works well
Matus UHLAR - fantomas wrote:
On 09.08.09 11:33, Cedric Knight wrote:
I'm using Bayes and network tests, and have found a few rules with a
good ratio of ham to spam, but that score only 0.001 in the default
rules.
apparently there's no use for them alone and the score isn't 0 just
because
Stefan wrote:
Am Sonntag, 9. August 2009 07:36:54 schrieb Luis Daniel Lucio Quiroz:
Hi SAs,
Well, after reading this link
http://spamassassin.apache.org/full/3.2.x/doc/sa-learn.html I'm still
looking for an easy-way to let my mortal users to train our antispam. I
was thinking a mailbox
I'm using Bayes and network tests, and have found a few rules with a
good ratio of ham to spam, but that score only 0.001 in the default rules.
In some cases, it is presumably because they overlap with other rules or
are detected by remote tests, and so would score double because a
particular
a...@exys.org wrote:
Exactly. The point is that scores below 2 are never spam, so I avoid
greylisting. That's my whitelist (you usually need for greylisting) at
the same time, since I whitelist some hosts in SA.
Interesting set-up, although I don't think it would be suitable for a
high-volume
Chris wrote:
I decided last week to finally give the short circuit plug-in a try to
see how much it sped up detection. It's working great on spam:
but not so well with ham:
Aug 4 14:22:48 localhost spamd[1023]: spamd: result: . -10 -
neroxyr wrote:
I have configured our domain mail to forward messages to a gmail account.
I did a test sending an email from my gmail account to my domain mail; I
receive the message sent from my gmail account, but immediately this message
has to be sent to gmail.
Mail Delivery Subsystem
Chris Owen wrote:
On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:
To answer your next post, I don't use '\b' because the next 'trick'
coming
will likely be something looking like Xwww herenn comX... :)
At that point it can be dealt with.
Well, they're getting close. I'm seeing
neroxyr wrote:
Hope this is the log you wanted
http://www.nabble.com/file/p24471425/block.jpg
It's not possible to see from this whether the first log line that you
have highlighted is necessarily related to the second and third
highlights (the message IDs are different), but I'll assume they
schmero...@gmail.com wrote:
One of our client's websites gets hacked frequently - 1x per month -
usually with some kind of phishing scam.
I understand their first line of defense is to make sure security is
tight and systems are up to date, however, it seems to me that there
must be some
schmero...@gmail.com wrote:
So, if our client was google, the utility would search all files on the
site looking for domains. If it found microsoft.com within one of the
pages an email would be sent to the administrator who could delete the
page and look for other evidence of being hacked or
McDonald, Dan wrote:
I'm considering a low-scoring rule like:
body AE_MEDS37
/\(\s?w{2,4}\s[:alpha:]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS37 rule to catch the next wave of spaced domains
score AE_MEDS37 1.0
oops. Doesn't compile. should be:
body AE_MEDS37
Cedric Knight wrote:
full NONLINK_SHORT
/^Content-Type:\s*text([^\n]+\n){0,30}\n.{0,300}\b(?:H\s*T\s*T\s*P\s*[:;](?!http:)\W{0,10}|W\s{0,10}W\s{0,10}W\s{0,10}(?:[.,\'`]\s{0,10})(?!www\.)\s{0,10})[a-z0-9\-]{3,13}\s{0,10}(?:[.,\'`]\s{0,10})?(?:net|c\s{0,10}o\s{0,10}m|org)\b/msi
Jeremy Morton wrote:
OK, so I just got one of those www medsXX com spams, and even though it
hit my rule and got 2.0 added to it, it still didn't even get over 3
points. Looks like it was sent from quite a legit host. What rules do
other people get matching for this e-mail?
Michael Scheidell wrote:
Main sleaze: as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some
with and some without knowledge and adherence to the US Federal CAN-SPAM
laws.
Maybe I am stuck in 1994 when (most) people respected the net. Maybe I
react badly when one of these main-sleaze
Jeremy Morton wrote:
Recently I've been receiving some new image spams, subtly different
from the one this rule is designed to mark:
http://markmail.org/message/zio642mxs5p42kxa
... in that it actually does have a blank text MIME part.
Here's an example of one such spam:
Oliver Welter [EMAIL PROTECTED] wrote:
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
bl.spamcop.net [Blocked - see
http://www.spamcop.net/bl.shtml?82.113.121.16]
1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web
server
Hi
I've a possibly related enquiry to an old one below, and would be
grateful for advice or pointers.
We haven't actually *needed* Bayes thanks to greylisting, remote URI
lookups and lots of custom rules. While a few users are interested in
a filter they can manually train, most wouldn't