he corpora.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--
to explain to the board members I'm
helping out is... painful.
Very simply worded step by step instructions, with screenshots amended
with arrows, outlines, highlights and so forth as needed.
...the .sigmonster agrees.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin
tional hit. (If
you do that, avoid setting "ReplyTo: supp...@play.date", as that would
also take a reputation hit.)
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 --
that all that rule does, vs. hitting *specific* SendGrid accounts?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
, learning
as few mail as one should fix BAYES issues.
Move previously tagged SPAM into HAM folder and "relearn"?
Right. Train on misclassifications.
Also if there was a ham in your spam corpus review why it got
misclassified in the first place.
--
John Hardin KA7OHZ
uot;Missed SPAM"?, thinking along lines of keeping
BAYES "clean and sharp". So to speak.
Leave as is? Delete and re learn?
For a low volume home office user, I would simply NOT autolearn. Set up a
hambox and a spambox and manually feed them and train from them.
--
John Hardin
seen the email at this stage) or indeed doing something they do not want.
It doesn't sound like it will *visit* the link, just ask some service if
the like has a reputation.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgp
of Email into "Junk folders", for now I'ma change that score to
0.25
2.5 points by itself shouldn't be enough to quarantine/junk messages. What
else is spammy about those messages?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@
/<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136
% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)
I'll add a few of those to see how they do.
F'ing legit emailers that generate crap HTML {fume}
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jha
SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3
too much spams in hotmail
I'll put the subrules in my sandbox so they can be evaluated by masscheck.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8
ins:
It wouldn't be much of a loss, but it's not spam either.
How did they perform individually?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 --
list member, looking for help, I humbly submit
that he's not someone you want being the first interaction a new list member
has.
Sadly, we cannot control that.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar
headers would aid analysis.
Can you swap the numbers in the 4th column and see if that changes the
behavior?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
enders coming from specific IP
addresses, there's already built-in features for that. Look into
whitelist_from_rcvd, it may do exactly what you want.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.or
u also add:
USER_IN_WHITELIST 0
They are synonyms, might need to kill both explicitly.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
a more general
solution, but this might be quite useful.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
On Sat, 13 May 2023, Matus UHLAR - fantomas wrote:
But I was more interested if SA already has something like that?
It does not.
On Fri, 12 May 2023, Loren Wilton wrote:
Weren't there a whole set of "FUZZY" rules once?
On 12.05.23 20:01, John Hardin wrote:
There still are.
On Fri, 12 May 2023, Loren Wilton wrote:
But I was more interested if SA already has something like that?
It does not.
Weren't there a whole set of "FUZZY" rules once?
There still are.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@
On Fri, 12 May 2023, Matija Nalis wrote:
I wonder if someone has already done it, and something sufficiently
similar to be used to that purpose?
There are a lot of ReplaceTags rules in the base ruleset.
I don't know if offhand that works with header rules.
--
John Hardin KA7OHZ
: config: failed to parse line in (sql config) (line 9): use_pyzor\t0
info: config: not parsing, administrator setting: use_razor2\t0
info: config: failed to parse line in (sql config) (line 10): use_razor2\t0
... in SQL config? perhaps the lines are misplaced?
--
John Hardin KA7OHZ
or example commercial
accounts where you don't want a delay in receiving communications from
customers or potential customers. There are ways to tune it that may
mitigate these concerns somewhat.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@
i just report it
This bit:
WHERE short_url $1 = AND
...should probably be:
WHERE short_url = $1 AND
The basic expression syntax of SQL is the same as other (infix!)
languages..
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
trashed.
Poof, gone.
We don't sit watching our MUAs 24/7
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 12 Jan 2023, John Hardin wrote:
On Thu, 12 Jan 2023, Martin Gregorie wrote:
On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
Hello All,
I created this rule to check for email addresses matching a list to
get
added some negative value.
I also tried it with just domains so
. There are instructions for setting such
up for local blacklists, that works equally well for a local whitelist.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
to its external
address."
I think you're getting distracted by the word "resolve" there... This
sounds like a DNS issue.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E
l.org" IN {
type forward;
forward first;
forwarders { };
};
zone "multi.uribl.com" IN {
type forward;
forward first;
forwarders { };
};
...etc. for all DNSBL subdomains.
--
John Hardin KA7OHZh
blacklist
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
. "Go away and stop bothering us."
It's not the only place Google won't let you report problems from outside
their ecosystem either - you can't report spam coming through Google Groups
with the link in the messages without logging in to a Google account.
I gave up trying to report these,
block all page.link, whois says its hosted by google :/
go ahead..
There are legitimate sites using that domain.
I added it as a 2tld for URIBL, so please report such domains to URIBL.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
available that
would return much the same information, and that would give something
helpful to discuss with the site admin when trying to resolve the
situation.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pg
On Sat, 13 Aug 2022, joe a wrote:
Why waste your own system resources to help a scoundrel? Drop them and be
done.
I personally perfer to TCP tarpit repeat offenders.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
it, that is "headers misspelled" (not "headers missing")
MISSP = misspaced
and it is checking for any of the listed words at the start of a line,
followed by a colon, and NOT followed by a space.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
posting it here so you do not need to do this work. If you do
some random checks, you can see this looks weird[2]. Do as you
please with this info.
FYI, I'm rejecting them at the postfix level.
*cough* TCP Tarpit *cough*
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin
: oilers
Content-type: multipart/mixed; boundary="--=_1649731129-716331-86"
Obviously, the following bogus header names are present:
Minicomputers-Exhume
Malthus-Films
Parasitic-Homogeneity
Capitalizations-Grievously
Take a look at __RAND_HEADER and RAND_HEADER_MANY
--
ged by your provider and
if a more than a few of them are listed (particularly by multiple DNSBLs)
then your provider is probably problematic and you should look elsewhere.
[Ooo, look, the .sigmonster is listening...]
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
versal, either. It passed lint here or I wouldn't have
checked it in. It passed the masscheck lint or it wouldn't have been
published.
I've checked in a fix, there may be one more bad update tonight before it
goes out.
--
John Hardin KA7OHZhttp://www.
On Fri, 18 Feb 2022, da...@grmcompany.com wrote:
Dan:
The SA users mailing list is self-managed.
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@imps
delimiters from SA. I suspect there are at least hundreds of rules like that
in the release database. I have about a hundred local rules of my own that
use that.
Indeed.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
hat after observing multiple spams with random garbage after
the closing HTML tag in the HTML body part. Presumably it was an attempt
at Bayes poison, checksum avoidance, or some other filter evasion
technique.
I'll tighten it up.
--
John Hardin KA7OHZhttp://www.i
" rule type...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
/
Will update, thanks for the report.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
hat does have the downside
of accepting spam from them if their account gets hacked, for example.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E
correctness.
Isn't that exactly what we're discussing here? "Technical correctness"?
The way I generally put it is: SpamAssassin is not an RFC-compliance audit
tool.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pg
On Thu, 18 Nov 2021, Matt Corallo wrote:
On 11/18/21 16:49, John Hardin wrote:
On Thu, 18 Nov 2021, Matt Corallo wrote:
I followed up on the exim-users list on this - Exim *did* verify the
FcRDNS here and the above header line is what it generates by default for
FcRDNS. The RFC quote
that rule a bit to also look at the HELO and envelope From
address to see if they are from Shopify. Granted that's less reliable than
rDNS, but it's probably Good Enough.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
to be
considered spam.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Mon, 15 Nov 2021, Matt Corallo wrote:
Full headers follow, but it seems the shopify detection in the above isn't
quite correct;
Thanks for the report, will fix.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
On Mon, 15 Nov 2021, Philip Prindeville wrote:
On Nov 12, 2021, at 8:49 PM, John Hardin wrote:
On Fri, 12 Nov 2021, Philip Prindeville wrote:
I got the message, saved it to a flat file, and ran "spamassassin -t -D rules <
netdev.eml" and saw:
...
Nov 12 11:45:38.048 [3636
to the timeout message could display the name of the rule and
even how long it took to that point.
That's what I was thinking when I said "capture and log".
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pg
On Sat, 13 Nov 2021, Henrik K wrote:
On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wrote:
What would be helpful here would be logging of when a rule *starts*
evaluation. Normally that would be painful, but for tracking a runaway it
would be useful. Perhaps I can code up something
g to capture that and log
it on a timeout...
If you want to send me that message zipped up I can try it here with those
changes and see if it's a base rule running away.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org p
And what of the BIDI sequence that actually causes the problem?
All Of Unicode is not the problem.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
comparing that debug output from a bad
message to that of a message which doesn't hang SA.
There's also the HitFreqsRuleTiming plugin if you're running in a dev
environment and can let it scan for a potentially long time (until
completion).
--
John Hardin KA7OHZhttp://www.
On Sat, 23 Oct 2021, Benny Pedersen wrote:
On 2021-10-20 16:58, John Hardin wrote:
On Wed, 20 Oct 2021, Axb wrote:
On 10/19/21 8:06 PM, Jerry Malcolm wrote:
Where do I find a starter toks file?
You don't need a "starter" file.
Your Bayes starter is your training corpora,
doing now.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
At
.
On 25.09.21 13:19, John Hardin wrote:
Perhaps it needs a short-message exclusion?
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be glad to
try.
On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning
.
On 25.09.21 13:19, John Hardin wrote:
Perhaps it needs a short-message exclusion?
short messages with attachments. if you have an idea how, I'll be glad to
try.
I've done some masscheck review and tuning of it, added avoidance of hits
on very short messages.
--
John Hardin KA7OHZ
an FP in Pyzor.
RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)
Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.
Perhaps it needs a short-message exclusion?
--
John
n environment versus analyzed in a misconfigured and stale
theoretical environment), with all headers intact (<- this is important),
then we might be able to tell you why it ended up there.
Kind Regards
Lukas
-Original Message-
From: John Hardin
Sent: Thursday, August 12,
5 or more points).
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
[Aa]dvisor|[Cc]onsultant)/
Intentionally *not* case-insensitive.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
O, as it hits
100% of the spam hits.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--
eme and an
application/x-mso file. Which (in addition to the text/xml files) are used
by Microsoft Word to load the embedded Word document."
Would the presence of all three of those MIME types be a scorable
indicator?
--
John Hardin KA7OHZhttp:
*
helpful when you just can't figure out why the RE is failing.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
base rules:
FROM_STARTS_WITH_NUMS
__FROM_ALL_NUMS
__TO_ALL_NUMS
__FM_TO_ALL_NUMS
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Fri, 28 May 2021, Greg Troxel wrote:
John Hardin writes:
On Thu, 27 May 2021, Greg Troxel wrote:
The other problem on a small number of messages was
RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but
getting a message of 1-1.5 kB from an address in .edu is to me
On Fri, 28 May 2021, RW wrote:
There is a minor problem:
header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
allows a match on "by=" from the LE header, when it should just be on
helo/rdns.
D'oh! Fixed, thanks for catching that.
--
John Hardin KA7OHZ
to appear in legitimate mail. (In
my case it was a notification of air conditioning shutdown in a
particular building, and that's all there was to say.)
Score limit adjusted. Do you know whether it happened to hit ALL_TRUSTED?
I added an exclusion for that.
--
John Hardin KA7OHZ
On Wed, 26 May 2021, Douglas, Daniel wrote:
We need to detect it so that we can route emails with that header to a
different server.
SpamAssassin does scoring, not routing. Isn't it important that your *MTA*
be able to detect that header?
--
John Hardin KA7OHZhttp
listed on URIBL too:
http://lookup.uribl.com/?domain=libera.chat
Ot at least it is *now* , maybe it comes and goes for some reasons
...and now it's listed at https://admin.uribl.com/ as well.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
on URIBL
Is that not working correctly?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
.
So add "on local network".
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
eta rule regarding a from name mismatch, you
should be using the raw __PDS_FROM_2_EMAILS subrule, **not** the
FP-reduced scored rule PDS_FROM_2_EMAILS.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.or
out 2048?
A limit there it to prevent runaway matching and excessive scan times.
What if the "Delivered-To" header is more than 2048 characters away from
the salutation, which doesn't seem unlikely.
That is indeed a shortcoming with this approach. As Henrik says, it's a
klu
/^Deliver-To: (.*)/;
body __LOCAL_AWKWARD_INTRO /hi $first_part/i
How can I do this in my .cf file?
With a silly kludge, a full rule that matches the complete raw email with a
single regex.
We're discussing neater ways to do that on the dev list, it's something
that's been desired for a long time.
lve code changes to ExtractText
rather than just configuring an it to use external utility.
Caveat: I have never looked at the ExtractText plugin.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key:
o it being
quarantined, rejected or discarded.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
ll getting through.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
0.48 -1.00 MAILING_LIST_MULTI
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
blue
Is it worth a rule for evaluation in masscheck? Maybe. Not tonight,
though.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
y it works, then reducing the score to -1.0 or even
-0.5 sounds reasonable. There were a lot of "I did that too" comments back
then.
Maybe the way it works has changed since Marc died.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
On Mon, 26 Apr 2021, John Hardin wrote:
Thanks for your report. I've added some exclusions and resuced the score
limit.
"reduced". The coffee hasn't reached my fingertips yet.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@
e revised
Thanks for your report. I've added some exclusions and resuced the score
limit.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
'm looking for more ham
exclusions.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
On Sun, 25 Apr 2021, John Hardin wrote:
On Sun, 25 Apr 2021, Steve Dondley wrote:
On 2021-04-25 01:00 AM, John Hardin wrote:
On Sun, 25 Apr 2021, Steve Dondley wrote:
That rule has this line in the 72_active.cf file:
Look in 72_scores.cf and compare the modification dates on that file
On Sun, 25 Apr 2021, Steve Dondley wrote:
On 2021-04-25 01:00 AM, John Hardin wrote:
On Sun, 25 Apr 2021, Steve Dondley wrote:
That rule has this line in the 72_active.cf file:
Look in 72_scores.cf and compare the modification dates on that file.
The date is Jan 30, 2020. I'm running SA
0.999 0.837 0.999 0.837
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
a rule behaves against
multiple messages.
I'm not sure what you mean by "Local masscheck instance".
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/MassCheck
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pg
against a corpus rather than testing
against a few one-off spamples, then look into setting up a local
masscheck instance. You don't need to upload the results to SA, but it
will give you a good overview of how a rule behaves against multiple
messages.
--
John Hardin KA7OHZ
without being runaway.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Tue, 20 Apr 2021, mau...@gmx.ch wrote:
if header :contains "To" users@spamassassin.apache.org
<mailto:users@spamassassin.apache.org> {
This header might be a better check:
List-Id:
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jh
pty, i.e. all relays
are internal.
...so:
header ALL_INTERNAL X-Spam-Relays-External =~ /^$/
?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C A
{fume}
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Our
5 to 20%
Train your Bayes...
What is this?
0.0 GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
Is that local? If not, you might want to increase the score on that a bit.
Giovanni, is that something of yours that's not in your SA sandbox?
--
John Hardin KA7OHZh
process.
So I will re-configure my installation to use MariaDB.
You should also consider the Redis backend.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
On Mon, 12 Apr 2021, jwmi...@gmail.com wrote:
John Hardin writes:
> From: John Hardin
> Date: Mon, 12 Apr 2021 07:29:03 -0700 (PDT)
>
> On Sun, 11 Apr 2021, Loren Wilton wrote:
>
> >> 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> >>
BAYES_999 to Poison Pill status, as the
confidence is higher.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Tue, 6 Apr 2021, Kris Deugau wrote:
John Hardin wrote:
Can anybody explain to me the reason behind the blind "please send us a
quote for your product X" emails? I mean, I know they are somehow a
scam, but I can't figure it out how it's supposed to work when the target
isn't
1 - 100 of 3243 matches
Mail list logo