Re: Freemail problem

2011-02-17 Thread Jeremy Fairbrass
Noel Butler noel.but...@ausics.net wrote in message news:1297993593.5473.74.camel@tardis... /Very Ancient/ On Thu, 2010-06-10 at 18:40 +0200, Jeremy Fairbrass wrote: Hi, I've noticed what seems to be unexpected behaviour with the Freemail plugin, which I'm hoping someone can shed some

Freemail problem

2010-06-10 Thread Jeremy Fairbrass
Hi, I've noticed what seems to be unexpected behaviour with the Freemail plugin, which I'm hoping someone can shed some light on. I'm using SpamAssassin 3.2.5, and the FreeMail.pm plugin v2.001 from http://sa.hege.li, along with the rules from the 20_freemail.cf file at the same location.

Re: Spamhaus DBL

2010-03-02 Thread Jeremy Fairbrass
ram r...@netcore.co.in wrote in message news:1267506187.16095.11.ca...@darkstar.netcore.co.in... http://www.spamhaus.org/dbl/ I think sa-folks would have this already in some URIBL rule. What are the scores you assign for a dbl positive hit ? I assume my current datafeed would already extend to

Re: iXhash plugin and lists - feedback wanted

2008-08-05 Thread Jeremy Fairbrass
Dirk Bonengel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi all, I'm the author of the iXhash plugin, a piece of code that computes a variety of 'fuzzy checksums' along the lines of the NiXSpam project (run by the German IT magazine iX). I also run two DNS zones

Re: Regex help

2008-06-16 Thread Jeremy Fairbrass
mouss [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Mike Cisar wrote: Hi All, Have been trying to write a regex for a custom rule to catch a particular spam that's been annoying the heck out of me. I've got about 6 body rules and have narrowed the problem down to the regex

Re: tflags multiple with mimeheader rules

2008-05-21 Thread Jeremy Fairbrass
Jeremy Fairbrass [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi all, Can the tflags multiple setting be used with mimeheader rules? Or only with header, body, rawbody, uri, and full tests? Also, where can I find some further info on how tflags multiple should be used - perhaps

tflags multiple with mimeheader rules

2008-05-14 Thread Jeremy Fairbrass
Hi all, Can the tflags multiple setting be used with mimeheader rules? Or only with header, body, rawbody, uri, and full tests? Also, where can I find some further info on how tflags multiple should be used - perhaps with an example or two? I can't find anything in the SpamAssassin wiki on

triplets.txt

2008-05-08 Thread Jeremy Fairbrass
Hi, could someone kindly tell me what the file triplets.txt is used for, and if I need to have it in my rules directory or not? Cheers, Jeremy

Re: Starting a URIBL - Howto? [OT]

2008-04-28 Thread Jeremy Fairbrass
Rob McEwen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Marc Perkel wrote: I was just wondering from those of you who have done it - how to start a URIBL. I'm guessing the process (simplified) is: 1) Mine messages for links 2) Subtract out anything matching a fairly large white

Re: googlemail.com is this a free mail domain

2008-04-24 Thread Jeremy Fairbrass
I think it's also used in Germany. The two domain names function identically, and I even think if someone sends a message to either [EMAIL PROTECTED] or [EMAIL PROTECTED], both will reach you - ie. you can use them interchangeably. But whether you can officially register for one or the other

Re: Need help with bobax rules

2008-04-17 Thread Jeremy Fairbrass
news:[EMAIL PROTECTED] for what it's worth, I just pushed Henry's version of Joe's rules into the 3.2.x sa-updates. --j. Jack Pepper writes: Quoting Jeremy Fairbrass [EMAIL PROTECTED]: Hi Jack, Any chance of sharing your rules for this?! Cheers, Jeremy Sure: score BOBAX_GEN_SPAM_2 1.800

Re: Need help with bobax rules

2008-04-16 Thread Jeremy Fairbrass
Hi Jack, Any chance of sharing your rules for this?! Cheers, Jeremy Jack Pepper [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] This info popped up on the emerging-Threats list. I have watched our mail servers and have confirmed that it works. The problem is that my attempts to

Re: MP3 Spam

2007-10-19 Thread Jeremy Fairbrass
No, MIMEHeader works fine with 3.1.x - Jeremy Justin Mason [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Martin.Hepworth writes: Hmm I'm still running 3.1.8.. I think you need 3.2.x for the MIMEHeader plugin. --j. Content analysis details: (7.4 points, 5.0

Re: RBL Rules Question

2007-08-03 Thread Jeremy Fairbrass
Try this (for replacing your three meta rules): meta RCVD_IN_LRBL_W (__RCVD_IN_LRBL_W && !__RCVD_IN_LRBL_B) describe RCVD_IN_LRBL_W Local RBL Whitelist tflags RCVD_IN_LRBL_W net score RCVD_IN_LRBL_W -7 meta

Re: A rule for empty body and pdf attachment??

2007-08-02 Thread Jeremy Fairbrass
Michael W Cocke [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment ? (I'm using the PDFinfo plugin now, but I don't really understand it) Thanks!

Re: Help with a multi-line mode rule

2007-07-16 Thread Jeremy Fairbrass
multiline mode to work in a rule - Jeremy Per Jessen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass wrote: Hi all, I hope someone can help me with a rule I'm trying to write. My understanding of the multi-line mode, with the /m switch at the end

Re: Help with a multi-line mode rule

2007-07-16 Thread Jeremy Fairbrass
Loren Wilton [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Right? If I test this rule using the Regex Coach tool at http://weitz.de/regex-coach/ (I'm on Windows), with the 'm' switch enabled, the rule works fine. But when I test it with SpamAssassin, it doesn't work and I

Help with a multi-line mode rule

2007-07-14 Thread Jeremy Fairbrass
Hi all, I hope someone can help me with a rule I'm trying to write. My understanding of the multi-line mode, with the /m switch at the end, is this: in this mode, the caret (^) and dollar ($) match before and after newlines in the string. Is that correct? I believe this is the correct method

Re: PDFInfo plugin with SA 3.1.7

2007-07-12 Thread Jeremy Fairbrass
I'm running PDFInfo 0.3 with SA 3.1.8 and it works fine for me - and I'm even running it on Windows! :) Cheers, Jeremy Suhas Ingale [EMAIL PROTECTED] wrote in message news:![EMAIL PROTECTED] Hello, I am trying to run PDFInfo plugin with SA 3.1.7. SA registers the plugin successfully

Re: New version of iXhash plugin available

2007-07-05 Thread Jeremy Fairbrass
Thanks Dirk! I have a question: two of the RBL zones have very similar names - nospam.login-solutions.de and nospam.login-solutions.ag. Do they belong to the same company, and what are the differences between them? Eg. do they both contain exactly the same data (hashes) as each other, or are

bayes_ignore_header for X-Spam values

2007-07-03 Thread Jeremy Fairbrass
Hi all, Can someone please advise me: is it good or bad to add bayes_ignore_header values in my local.cf file for the X-Spam headers that are added by SA? For example: bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Checker-Version

Re: Custom Rule to catch this

2007-03-08 Thread Jeremy Fairbrass
it's acceptable to just have [ ] without the \ inside. Although it doesn't do any harm having it in there either... Cheers, Jeremy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Thu, 8 Mar 2007, Jeremy Fairbrass wrote: I just tested those three rules below, and none of them

Re: Vbounce ruleset whitelist_bounce_relays

2007-02-19 Thread Jeremy Fairbrass
Hi Justin, What exactly is the fix, and where do I find it? I just installed the VBounce plugin on my server this weekend (for the first time), and have the same probs described here - ie. although I've added my server to whitelist_bounce_relays in local.cf, I'm not getting the

Bug with FAKE_HELO_MSN

2007-01-09 Thread Jeremy Fairbrass
Hi all, I'm not sure if this is a bug with the FAKE_HELO_MSN rule, or if I'm just overlooking something... I just received a legitimate email from MSN.com (to verify an email address for MSN Messenger). The email triggered the FAKE_HELO_MSN rule, but I can't see why. Here are the 3 Received

Re: check_illegal_chars

2006-12-05 Thread Jeremy Fairbrass
:46PM +0100, Jeremy Fairbrass wrote: Can someone please let me know exactly what illegal characters are being checked for with the eval:check_illegal_chars rules? Can I find a list of those characters somewhere? Also, what are the meanings of the variables that this rule takes? For example

check_illegal_chars

2006-11-30 Thread Jeremy Fairbrass
Hi all, Can someone please let me know exactly what illegal characters are being checked for with the eval:check_illegal_chars rules? Can I find a list of those characters somewhere? Also, what are the meanings of the variables that this rule takes? For example:

Re: Updated to SA 3.1.3 to get sa-update... But:

2006-11-29 Thread Jeremy Fairbrass
Why does your rule not work? It looks good to me, if you're trying to detect a subject consisting of (for example): hi it's John or something. Can you give some exact samples of subject lines you're trying to flag? If this string (hi it's ) is the only thing in those subject fields -

Re: RBL checks and -lastexternal

2006-11-24 Thread Jeremy Fairbrass
in trusted_networks. Any ideas? Cheers, Jeremy Matt Kettler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass wrote: Hi all, It says at http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options that when an IP address is added

Re: RBL checks and -lastexternal

2006-11-24 Thread Jeremy Fairbrass
PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass wrote: I want to block all emails that come from an IP in China (where the IP is the one connecting to me), *BUT* I want to exclude a particular server in China that is used by a friend who I trust, for example. How could I do

RBL checks and -lastexternal

2006-11-23 Thread Jeremy Fairbrass
Hi all, It says at http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options that when an IP address is added to a 'trusted_networks' entry (eg. in local.cf), DNS blacklist checks will never query for hosts on these networks. However, from what I can see

Re: name-in-subject spammers switch to images

2006-11-21 Thread Jeremy Fairbrass
Where exactly can I find the new RCVD_FORGED_WROTE2 rule you refer to? I have RCVD_FORGED_WROTE in my 80_additional.cf file, but I don't have any RCVD_FORGED_WROTE2 rule. And yes, I have run sa-update to get the latest updates available :) Cheers, Jeremy Tony Finch [EMAIL PROTECTED]

MIMEHeader question

2006-11-17 Thread Jeremy Fairbrass
Hi all, I have a question about the MIMEHeader plugin: if I have multiple mimeheader rules, are they all checked against the same part in a multipart message? So let me give an example: Let's say an email has 2 separate mime header sections (perhaps one is TXT and the other is HTML, or perhap

Re: MIMEHeader question

2006-11-17 Thread Jeremy Fairbrass
Justin Mason [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass writes: Hi all, I have a question about the MIMEHeader plugin: if I have multiple mimeheader rules, are they all checked against the same part in a multipart message? So let me give an example

Re: Add rbl list to spamassassin 3.0.4 ?

2006-11-16 Thread Jeremy Fairbrass
You can change the score line to this, if you simply want the score to be 3: score PRIVATE_RBL 3.0 Also, make sure that the file you create in your spamassassin directory, has the .cf file extension - ie. it should be: 99_Private_Rbl.cf rather than simply 99_Private_Rbl

Re: check_rbl and DNSBL lookups

2006-11-16 Thread Jeremy Fairbrass
A further question to this: if I want to disable one of those rules in 20_dnsbl_tests.cf, do I only need to give a score of 0 (in local.cf) to the rule with the check_rbl part, or do I need to give a score of 0 to each of the 'sub' rules? For example, there are three sections to the Spamhaus

Line wrapping

2006-10-30 Thread Jeremy Fairbrass
Hi all, I've noticed with SA 3.1.5 that the length of the lines in the X-Spam-Report header seems to have reduced, ie. the line length for each rule mentioned there is not as long as it used to be, and thus the lines are wrapping more often than before. Just in the X-Spam-Report only, the other

FORGED_HOTMAIL_RCVD bug??

2006-10-17 Thread Jeremy Fairbrass
G'day everyone, I received a legitimate email from Hotmail today, which (I believe) inappropriately triggered the FORGED_HOTMAIL_RCVD rule in my SpamAssassin (version 3.1.5). The email from Hotmail was actually a bounce-back to an email sent by one of my users to a Hotmail address - it was

Re: ZMI

2006-09-13 Thread Jeremy Fairbrass
AFAIK it's currently residing at http://zmi.at/x/70_zmi_german.cf - Jeremy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] what is the current home of the ZMI (german) ruleset? Wolfgang Hamann

Re: Why are most of my messages EMPTY_MESSAGE

2006-09-06 Thread Jeremy Fairbrass
I've had that problem in the past, and found that it was caused by an error with some other rule elsewhere (usually a custom rule I'd written myself which had a syntax error in it that I'd overlooked). I'd suggest doing a --lint check of your rules, see what it turns up. - Jeremy scottjf8

Re: Train from Outlook?

2006-08-24 Thread Jeremy Fairbrass
I use a nifty tool called OLSpamCop to achieve this functionality with my Outlook. OLSpamCop is an Outlook plugin, it adds a new toolbar to Outlook and basically allows you to select an email, hit either a spam or ham button on the toolbar, and OLSpamCop will forward the email to an address you've

Re: Any rules for URLs like this?

2006-08-18 Thread Jeremy Fairbrass
I'm not sure it's actually obfuscated though?? It seems to be a valid URL, I mean in terms of it existing in DNS as-is, and in terms of it working (click on it and it takes you to the spammer's site). I actually didn't know you could use [] characters in a domain name, but I guess you can - this

Re: Advanced regex question - backtracking vs. negative lookaheads

2006-04-26 Thread Jeremy Fairbrass
Good point, you're completely right! Thanks for pointing that out... :) Cheers, Jeremy John Rudd [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Apr 25, 2006, at 6:33 AM, Jeremy Fairbrass wrote: /style=[^]+color:blue/ span style=color:blue; font-size:small

Re: Advanced regex question - backtracking vs. negative lookaheads

2006-04-25 Thread Jeremy Fairbrass
Thanks guys for the clarifications! My understanding of how regex worked was the same as Bowie's, ie: - My understanding is that with [^"]+ the engine will scan from left to right until it finds a quote. Then, in the context of the previous regex, it will start backtracking to find a match

Advanced regex question - backtracking vs. negative lookaheads

2006-04-21 Thread Jeremy Fairbrass
Hi all, I wonder if one of you regex gurus might be able to give me some advice regarding the most efficient way of writing a particular rule. Let's say I want to use regex to search for the phrase color:blue within a span tag as in the example below (just a made-up example for the sake of

Re: Rawbody fooled by line breaks?

2006-04-12 Thread Jeremy Fairbrass
Hi Eric, Actually the full rules don't ignore HTML at all - they are able to search within HTML tags quite fine, and also take into account line breaks, because they are run before SA does any decoding of the email. I use a bunch of custom full rules for this exact purpose. From

Re: Best way to send spam for learning from OE and Outlook

2006-04-07 Thread Jeremy Fairbrass
I use Outlook 2003 and use a freeware Outlook toolbar called Outlook Spam Report Utility, available from http://www.olspamcop.org/download.shtml. It's designed to enable the easy forwarding of spam to SpamCop, but can easily be modified to forward spam or ham to your own mail server for

Using regex with bayes_ignore_header

2006-03-31 Thread Jeremy Fairbrass
Hi, can anyone tell me if it's allowed to use regex with bayes_ignore_header in local.cf? I've seen this done here and there by others but don't know if it's actually allowed or will cause things not to function properly. For example: bayes_ignore_header X-Spam-\S+ If this *is* allowed, are

3.1.x rulesets with 3.0.x

2006-03-27 Thread Jeremy Fairbrass
Hi all, Is it possible to use the SA 3.1.x rulesets (from http://spamassassin.apache.org/full/3.1.x/dist/rules/) on SA 3.0.4? In other words, simply downloading the .cf files from that URL and plonking them over the top of the existing 3.0.4 rulesets? Would that cause any problems? The

Re: 3.1.x rulesets with 3.0.x

2006-03-27 Thread Jeremy Fairbrass
Okay, thanks anyway for the advice! I'd upgrade in a flash but unfortunately I'm not able to - I'm using MDaemon v8 which has SA bundled in such a way that it can't be separately upgraded. Cheers, Jeremy Matt Kettler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass

Re: HTML spam not detected

2006-03-22 Thread Jeremy Fairbrass
Hi Emmanuel, I have a custom rule which works nicely for me to catch those spams that use this HTML trick. I'll send it to you offline as I've heard it's not wise to post rules to the list (coz the spammers then see them) :) Happy to send it to anyone else who asks too... Cheers, Jeremy

Re: HTML spam not detected

2006-03-22 Thread Jeremy Fairbrass
Was this one only in plain text, or did it include an HTML part as well? Can you give us the full body unaltered? Could be that it's using some other type of fancy HTML to make the text look like that. Cheers, Jeremy Emmanuel Lesouef [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Re: Question about whitelist_from_rcvd

2006-03-22 Thread Jeremy Fairbrass
The wildcard isn't needed, and I doubt it's allowed either. See the info and examples at http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options Specifically, the string at the end of whitelist_from_rcvd which refers to the reverse DNS of

Re: news spam

2006-03-21 Thread Jeremy Fairbrass
What's the difference? Your meta rule is fundamentally identical to Loren's rule, is it not?! Cheers, Jeremy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Loren Wilton wrote: header LW_NONEWS Subject =~ /^Re:\s.*\bnews$/i ... The .* should be safe in that regex since a

Re: rules for IP addresses without reverse DNS records?

2006-03-20 Thread Jeremy Fairbrass
Correct me if I'm wrong, but would a rule like the following one of mine not do the trick regardless of how the MTA writes the Received header, and be less prone (actually not prone at all) to spoofing? header JF_NO_PTR X-Spam-Relays-Untrusted =~ /^\[ ip=[^ ]* rdns= helo=/ describe

Re: Drug email keeps getting thru

2006-03-15 Thread Jeremy Fairbrass
Something's not right there - the URL mentioned in the spam (deolich-MANGLED.com without the -MANGLED bit) should have hit on both the SURBL.org and URIBL.com blacklists, yet I don't see hits for either in the tests that were flagged for this spam - you only have

Re: encoded spam that got thru

2006-03-13 Thread Jeremy Fairbrass
Hi Eric, The text there is encoded with base64, which is decoded into the proper text by the mail client. SpamAssassin will also decode it before running its rules against it, for body or rawbody rules, which means SpamAssassin will be able to filter it out whether the text was encoded with

Saving pseudoheaders

2006-03-12 Thread Jeremy Fairbrass
Hi all, Can anyone tell me if it's possible to make SA (3.0.x) save the X-Spam-Relays-Trusted and X-Spam-Relays-Untrusted pseudoheaders within the actual headers of each email, or at least somewhere else, so I can see what they say for each email received? Eg. perhaps there is some setting in

Re: more pharmacy woes

2006-03-10 Thread Jeremy Fairbrass
You could also easily filter based on the subject, if it's always something obvious like Parhamcy news, and perhaps on obvious misspellings like tabIet, abIets etc (note the i instead of l). And I don't think it would be too hard to create a special rule to search for a long string of individual

Re: GIF stock spams

2006-02-28 Thread Jeremy Fairbrass
Hi Loren, thanks for the feedback and suggestions! I didn't actually realise that the @ symbol had to be escaped - my bad! I'm learning as I go... What a pain that rawbody only does one line at a time; but at least now I know this for sure - previously I wasn't completely sure about that.

Re: GIF stock spams

2006-02-28 Thread Jeremy Fairbrass
Could you kindly explain to me about the @ character and why it needs to be escaped, or in what conditions it needs to be escaped? Eg. you seem to imply that it only needs to be escaped if followed by an alphabetic character. Is that the only rule or are there other occasions when it should be

Re: GIF stock spams

2006-02-28 Thread Jeremy Fairbrass
Okay I've rewritten the first line of the rule in a way I think is better (mind any line breaks)... full __JF_STOCKSPAM1a /- Original Message -[^\n]*\nFrom:[^\n]+\nTo:[EMAIL PROTECTED]@[^\n]+\nSent:[^\n]+\nSubject:[^\n]+\n{5,20}\w+/i I've exchanged the .* and .+ with [^\n]