SA hooked into your MTA?
Look into that, and see if there's a way to tell the glue to skip SA
entirely if that header already exists.
--
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C
is that user's home directory?
Does the service startup script make any changes to the config files or
override the config on the spamd command line it runs?
Changing the folder on every startup implies that there's no way you'll
ever be able to train bayes... that seems *very* strange...
read the list and replies directly, and when
*that* is replied to it often ends up on-list, much to our recurring
dismay.
Regards,
Rick
On Wed, 6 Nov 2019, Mark London wrote:
Hi - We got several hours of spam from the IP address 103.136.41.36 in India.
Tarpit 'em.
On Tue, 22 Oct 2019, RW wrote:
If you are in a position to train manually, I think it's best to
turn-off auto-learning.
+1
Auto-learn is primarily for large sites with a diverse user base (e.g. an
ISP).
/CentOS 7, SA 3.4.0
is available from the base repo. SA 3.4.2 is available for Fedora, and
you can build it from the SRPM pretty easily for RHEL/CentOS 7 with no
modifications.
Agreed. This is what I do for my production MTA.
On Thu, 26 Sep 2019, Amir Caspi wrote:
On Sep 26, 2019, at 10:18 AM, John Hardin wrote:
Some of those are following a pattern I've recently noticed - fairly obviously
bogus spamvertising domain URLs with some .gov URLs thrown in as well. I'm
assuming that's an attempt to leverage naïve
?). It's
possible some of the DOTGOV combinations would work better in the Real
World than they currently are in masschecks...
to pastebin,
all headers must be present, and post the URL for that here)?
/sandbox/jhardin/20_shared_subrules.cf
Transmitting file data ..done
Committing transaction...
Committed revision 1867148.
he experts...
that tool so I didn't know that.
Apologies to Henrik as well.
ncluded in the hit. Try it with a double quote.
but it looks like they don't update their rules.
This is the crucial bit. Complain to them that their rules are extremely
stale and are generating bad analyses.
) to pastebin, and post
the URL for that here with a request we take a look.
If it *is* a legitimate FP, we may be able to tune the rule to avoid
doing that.
, you're going to want to include a match on your MTA name
in the header.
On Tue, 3 Sep 2019, Henrik K wrote:
On Mon, Sep 02, 2019 at 12:02:15PM -0700, John Hardin wrote:
On Sun, 1 Sep 2019, John Hardin wrote:
On Sun, 1 Sep 2019, RW wrote:
It's possible that the value in NORDNS_LOW_CONTRAST really comes from
__RDNS_NONE && !__NOT_SPOOFED
I've adde
on meta rules.
On Sun, 1 Sep 2019, John Hardin wrote:
On Sun, 1 Sep 2019, RW wrote:
It's possible that the value in NORDNS_LOW_CONTRAST really comes from
__RDNS_NONE && !__NOT_SPOOFED
I've added a test rule to explore that possibility. __NORDNS_SPOOFED
The masscheck performance is exactly
On Sun, 1 Sep 2019, RW wrote:
It's possible that the value in NORDNS_LOW_CONTRAST really comes from
__RDNS_NONE && !__NOT_SPOOFED
I've added a test rule to explore that possibility. __NORDNS_SPOOFED
be present at the
time of scanning.
in the way of configuration to combat this, e.g. by combining
language detection with other tags?
Or, should I look into writing my own plugin to do something similar?
On 28.08.19 07:48, John Hardin wrote:
Generally the approach is to add an exclusion for the specific valid
non-English word
On Thu, 29 Aug 2019, Samy Ascha wrote:
On 28 Aug 2019, at 16:48, John Hardin wrote:
On Wed, 28 Aug 2019, Samy Ascha wrote:
Today, I encountered, for the first time, an issue with scanning an email that
is composed in Spanish.
It is hitting a fuzzy match somewhere in the DRUGS_ERECTILE
or similar and post that URL here.)
As this is a body rule, feel free to mangle the headers as needed for
privacy, apart possibly from the Subject...
cept with FAR LESS collateral damage
than traditional blacklists.
Fearing consequences?
Heh. "Fearing consequences." I've said this for a long time and I still
believe it to be true: spammers will continue spamming until they start
*dying* for doing so.
+ __XFER_MONEY
+ __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON >
2) && !__THREAD_INDEX_GOOD
tely, I can't see enough of the original email, and would be
unlikely to have permission to supply it if I did.
Not a problem, noting the dupe is sufficient.
disabled.
What surprises me is how it got published with a score > 1 with an S/O of
0.29?
https://ruleqa.spamassassin.org/20190706-r1862645-n/PDS_NO_HELO_DNS/detail
72_scores.cf:score PDS_NO_HELO_DNS 0.001 1.294 0.001 1.294
only
weekly is causing problems with rules whose S/O profile has radically
changed.
by spamassassin. The
50,000 I mentioned is how many were NOT caught that way. I wonder how many
there really are!
spam sign along with the rest"...
I think there are also lists of domains that have been recently
registered. Which might help if the single use domains were recently
registered.
Having such a list would be very helpful for dealing with fast flux.
Day Old Bread et al.
On Sun, 30 Jun 2019, Sean Lynch wrote:
On June 30, 2019 11:20:33 AM PDT, John Hardin wrote:
...and if the same IP address is a regular abuser that never sends any
legitimate traffic, tarpit them:
http://www.impsec.org/~jhardin/antispam/spammer-firewall
I do like the idea of tarpitting
On Sun, 30 Jun 2019, Grant Taylor wrote:
On 6/30/19 12:05 PM, John Hardin wrote:
There's really no infrastructure for it. Somebody would have to hook into
the registrar data feeds to collect it and publish it in a usable form, and
nobody has done so that I am aware of.
Whois Domain Search
is a regular abuser that never sends any
legitimate traffic, tarpit them:
http://www.impsec.org/~jhardin/antispam/spammer-firewall
not be considered abusive.
Is there anybody in the SA user community who does have access to the raw
registrar feeds?
On Fri, 28 Jun 2019, Bill Cole wrote:
On 27 Jun 2019, at 14:12, Amir Caspi wrote:
On Jun 27, 2019, at 12:04 PM, John Hardin wrote:
There's still not enough of that to trigger a scored rule, though. It may
need some review of the masscheck results, and tuning.
OK, retuned.
FWIW
On Thu, 27 Jun 2019, John Hardin wrote:
On Thu, 27 Jun 2019, John Hardin wrote:
On Wed, 26 Jun 2019, Amir Caspi wrote:
Any idea why this spample didn't hit the ZWJ obfuscation rules?
They were looking for multiple obfuscations in a *single* word. I've
loosened that a bit.
There's still
On Thu, 27 Jun 2019, John Hardin wrote:
On Wed, 26 Jun 2019, Amir Caspi wrote:
Any idea why this spample didn't hit the ZWJ obfuscation rules?
They were looking for multiple obfuscations in a *single* word. I've loosened
that a bit.
There's still not enough of that to trigger a scored
On Wed, 26 Jun 2019, Amir Caspi wrote:
Any idea why this spample didn't hit the ZWJ obfuscation rules?
They were looking for multiple obfuscations in a *single* word. I've
loosened that a bit.
entity #x200B is being used to try to
sidestep Bayes detection of highly spammy words.
https://pastebin.com/kx0jVBtZ
I'll take a look. It's possible that there are some ZWJ the RE isn't
looking for.
RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz',
'zen.spamhaus.org.')
score RCVD_IN_rbl2spamhausz 3.5
On 25.06.19 07:52, John Hardin wrote:
I'll let others address SA issues with this, I just want to point out an
alternative:
Many sites consider Zen reliable enough
used "too deeply"...
On Sat, 22 Jun 2019, Chris Pollock wrote:
On Sat, 2019-06-22 at 10:29 -0700, John Hardin wrote:
On Sat, 22 Jun 2019, Chris Pollock wrote:
I'm not sure how to exactly word the problem so the subject is the
best
I can do for now. Whenever a cronjob is run a message is sent out
via
postfix to me
generally look like
english text.
As the message is being bounced by an ISP server, it's unlikely you will
be able to get trust defined. This is a hazard for using ISP mailboxes for
purposes like this.
On Tue, 18 Jun 2019, Paul Stead wrote:
On Tue, 18 Jun 2019 at 19:14, John Hardin wrote:
On Tue, 18 Jun 2019, Giovanni Bechis wrote:
On 6/17/19 9:14 PM, Amir Caspi wrote:
There is a div here with display:none, as well as font-size:0px. The
spample hits HTML_FONT_LOW_CONTRAST but does
on my sandbox
(https://ruleqa.spamassassin.org/20190617-r1861495-n/T_HIDDEN_WORD/detail)
I have just committed a more generic version.
You probably also want to add "tflags publish" if its performance is
acceptable to you.
into your MTA?
is there any way within that glue to recognize email originating locally
and skip scanning it entirely (vs. trying to configure SA to give it a
passing score)?
On Tue, 11 Jun 2019, John Hardin wrote:
On Tue, 11 Jun 2019, RW wrote:
On Tue, 11 Jun 2019 09:05:55 -0700 (PDT)
John Hardin wrote:
Think MSFT's annoying "smart quotes" converting a single typed
apostrophe within a word into a Unicode right single quote so that it
Looks Good.
I
sassin.org/20190612-r1861099-n/__BOGUS_MIME_VER_01/detail
https://ruleqa.spamassassin.org/20190612-r1861099-n/__BOGUS_MIME_VER_02/detail
I'll add a scored rule.
is trusted to
not forge header information.
not find it.
Any ideas?
How is SA glued into your MTA? Are there options there to *completely
skip* SA scanning for given submitting IP addresses?
On Tue, 11 Jun 2019, RW wrote:
On Tue, 11 Jun 2019 09:05:55 -0700 (PDT)
John Hardin wrote:
Think MSFT's annoying "smart quotes" converting a single typed
apostrophe within a word into a Unicode right single quote so that it
Looks Good.
I feel it's a valid issue, and the fix
On Tue, 11 Jun 2019, RW wrote:
On Mon, 10 Jun 2019 16:12:30 -0700 (PDT)
John Hardin wrote:
On Mon, 10 Jun 2019, Olivier Coutu wrote:
https://regex101.com/r/SUqMxn/1/
I understand that a single quote should be used when
writing /won't/, but it's probably not the first time __YOU_WON_01
hits
in certain text editors when there
are two apostrophes in the same sentence.
I would suggest a second negative lookahead to correct the issue.
Thanks, I'll try to get that in for tonight's masscheck.
own to (-1, Flamebait). -- Yu Suzuki
Chuckle
]
X-Spam-Relays-External, not Untrusted.
IP ranges in external Received headers.
On Thu, 6 Jun 2019, Kenneth Porter wrote:
I'm seeing a lot of fake DHL delivery notices using the shortener
smarturl.it. I suggest adding it to __URL_SHORTENER.
cc.uz and smarturl.it have been added.
it than that...
ed? Thanks for any enlightenment, RTFM.
This may help to figure it out in debug mode:
uri_detail __ALL_URI_DTL_TXT text =~ /.*/
tflags __ALL_URI_DTL_TXT multiple
You *should* be able to see exactly what is there - the HTML token or a
UTF-8 byte sequence.
rules update, you should be able to safely
remove the mitigation from your local config and no longer see ill effects
when such a message comes through.
to be several minutes off
from the core dumps and signal 11 errors.
Well, it doesn't appear to be sa-spamd related after all, but rather sa-learn.
...I thought I had commented on that based on your log entries, but I
can't find that message in my outbox. :(
On Thu, 30 May 2019, Yves Goergen wrote:
* There are 5 processes named "spamd child" with very high (100%) CPU usage
...
I have never seen this behaviour before. As it is now, the spam filter is
making my mail service very unreliable for incoming mail. What can I do to
fix that?
This will
understand the complex version that is
causing the hang. However, I have experimented with limiting some of the
ranges in it with no success.
I was able to beat it into submission. The corrected version should go out
in tonight's update, masscheck willing...
On Thu, 16 May 2019, John Hardin wrote:
On Thu, 16 May 2019, Amir Caspi wrote:
On Apr 26, 2019, at 4:51 PM, RW wrote:
header BOGUS_MIME_VERSION MIME-Version =~ /^(?!\s*1\.0).+/
it may be better to change that to
/^(?!.*\b1\.0\b).+/
to avoid punishing the form
Mime-Version
advice, filing a bug report
...for rules that generate runaway scan times. General complaints about
FPs should go to the list first.
as well as generally using pastebin or similar external method to
provide samples...
Definitely.
was that version also has runaway runtime
problems on certain gibberish styles. Reverting would be substituting one
failure mode for another.
I am working on it now. I have a partial fix already.
for HTML body parts.
There are a few things that might add enough points to push it over the
spam threshold; I notice for instance the List-Help and potentially
List-ID headers.
the message was
received. That shouldn't be *too* difficult to write (modulo what TZ your
MTA uses to add the local date).
on remote (untrusted) hosts.
On 23.05.19 14:09, John Hardin wrote:
Probably the latter. For an untrusted host, match on any HELO that does not
have a period.
in such case it should match X-Spam-Relays-Untrusted, not Received headers.
Right.
. For an untrusted host, match on any HELO that does
not have a period.
Is this the expected behaviour?
.
This would seem to be a pretty good poison pill, and although I imagine
you may not want poison pills within the primary ruleset,
They are generally not a great idea.
CVD Received =~ /.*/
tflags __ALL_RCVD multiple
Then you can look in the hits log and see exactly what the full header
strings are.
substantive analysis.
xclusion actually seems to be *improving*
the S/O of the more-generic variant.
I am not sure whether it's wise to have rule depending on test (T_) rule.
On 29.04.19 07:49, John Hardin wrote:
That is potentially a concern.
In this situation it would be better to make the second rule a
test (T_) rule.
That is potentially a concern.
In this situation it would be better to make the second rule a combination
of a subrule (used in the exclusion) and a scored rule (which at the
moment is performing too poorly to promote and publish).
On Fri, 26 Apr 2019, John Hardin wrote:
On Fri, 26 Apr 2019, Matus UHLAR - fantomas wrote:
Btw, sorry John for not answering your last question:
https://marc.info/?l=spamassassin-users&m=153633826515464&w=2
For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
is jus
&& !ALL_TRUSTED &&
!__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST &&
!__DOS_RELAYED_EXT
I see no reason to object to this.
__ALL_URI /.+/
tflags __ALL_URI multiple
that,
worry about whether or not the messages get correctly classified.
ote: if you're only looking for hitcount > 1, then do this to
avoid extra work finding matches that don't matter:
tflags __HAS_URI multiple maxhits=2
spamassassin -D against that message we found
Mar 25 11:53:01.005 [7527] dbg: rules: ran uri rule __HAS_URI ==>
got hit: "g"
Try this if you're debugging:
uri __ALL_URI /.+/
tflags __ALL_URI multiple
On Fri, 22 Mar 2019, Benny Pedersen wrote:
John Hardin skrev den 2019-03-22 22:23:
Instead of taking on the job of filtering email for all of your clients
(this, to me, will open up a can of worms), why not set a policy that port
25 is blocked by default and customers must request
for it to be
unblocked?
+1
On Thu, 21 Mar 2019, Martin Gregorie wrote:
On Thu, 2019-03-21 at 12:20 -0700, John Hardin wrote:
...wrong thread? :)
Unfortunately so. For some reason my mail reader's editor (I use
Evolution) locked up on my first attempt to reply and when I got it to
respond it again it sent the stupid
On Thu, 21 Mar 2019, Martin Gregorie wrote:
On Thu, 2019-03-21 at 09:23 -0700, John Hardin wrote:
On Thu, 21 Mar 2019, Savvas Karagiannidis wrote:
What should be considered is the message's language. All messages
that were
false positives had the following mime encoding (messages were
l be leveraged by spammers who are using
that obfuscation...
eqa.spamassassin.org/20190320-r1855888-n/NORDNS_LOW_CONTRAST/detail
Can you post a spample?
0 non-token data: nspam
0.000 0 51031938 0 non-token data: nham
I'd generally expect those numbers to be somewhat reversed as most people
get more spam than ham...
hat? Bayes
requires samples of both before it can make an evaluation.
Is there a way to whitelist all the email addresses in my inboxes?
Not automagically.
You'd have to extract the sender addresses from your inboxes and dedupe
them and format them in the manner SA expects.
the
face of 100% SMTP rejects of anything from that IP.
The term is "TCP Tarpit".
On Sat, 2 Mar 2019, Axb wrote:
On 3/2/19 7:35 PM, John Hardin wrote:
On Sat, 2 Mar 2019, John Schmerold wrote:
I subscribed to uribl's datafeed service and have read their usage
documentation on http://uribl.com/usage.shtml
I think I understand how it works, but I am confused by how things
just be using the data file URIBL provides
you; pointing it at a URIBL-hosted client domain would probably involve a
DNAME record in your local faux-master multi.uribl.com zone.
https://www.rfc-editor.org/rfc/rfc6672.txt
http://www.informit.com/articles/article.aspx?p=19798
in a rule that doesn't expect to be looking at a huge block
of base64 text...
What version of SA are you using?
Is the original message safe (from a privacy standpoint) to provide to
some SA devs to verify whether that's indeed the cause and see if there's
a failure mode we can fix?
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I checked.
Bummer.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
On Tue, 12 Feb 2019, Rupert Gallagher wrote
:
http://www.impsec.org/~jhardin/antispam/spammer-firewall
ferent message for the same email. Those who fill their emails with lots of
useless pics get the spam rating they deserve, so I intentionally count all
links.
I feel more than generous with 5+5 links, but if you want more, or less, you
can easily change to fit your local policy.
ks too.
Is there a rule which detects a certain amount of links inside an e-mail ?
hing similar. The rule could also be cancelled by __SUBJECT_EMPTY
Thanks for the report, I will fix that tonight.
.