on it...
Be careful when you say "redirect". It may not look like a forwarded
RFC-822 attachment in that case, it might instead be "resent" by the (MUA
or MTA of the) user who originally received it and just look like a
regular message that went via a few e
rks on most often
correctly.
Any ideas?
Can you upload the message to someplace like pastebin so that we can look
at it? Otherwise we're just guessing.
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.
nchor the end with (?:/|$) - if it's a bare domain
the TLD will be at the end of the URI. If it's got a path part the domain
will be followed by a slash.
Thanks for bringing that up, fixed here too.
Dunno about __KAM_TINYDOMAIN
--
HEADER,
MIME_CHARSET_FARAWAY hits seem problematic here).
--
r is being warmed up. Please, everyone, just
stop now, before it's too late.
--
people, what do you propose
should be put into the To: header?
--
/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote:
On Tue, 31 Jan 2017, Zinski, Steve wrote:
> I’m trying to write a custom rule to block a certain type of spam. When I
view the message source, the very last lines of the spam look like this:
>
uri __ALL_URI /.*/
tflags __ALL_URI multiple
Then all the detected URIs appear in the rule hits debug output.
Post the full email on Pastebin or similar, we can't meaningfully comment
on what you provided beyond "uri *should* work for that".
--
authenticated senders?
Can you provide the full headers from such a message? It's possible that
the authentication information is (for some reason) being incorporated in
a manner that SA does not recognize.
Also post your trusted_networks and internal_networks settings.
--
On Sat, 21 Jan 2017, Kevin Golding wrote:
On Sat, 21 Jan 2017 19:08:39 -, Jari Fredriksson <ja...@iki.fi> wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John Hardin wrote on 20.1.2017 22:38:
> Collecting spam after RBL filtering is much less helpful to masscheck.
>
lack box, but pretty close. You
do, however, have to get all the bits working initially.
I like the idea of a VM image.
--
and rule scoring is thus biased against non-English languages to a
degree.
(however there are some honeypots in Europe feeding masscheck so that may
actually be less of a problem than I believe it is...)
--
technical RE tuning suggestions... :)
score LOCAL_WHITELIST_PRODUCTS -10
describe LOCAL_WHITELIST_PRODUCTS Message names one of my products
Reload spamassassin if you modified local.cf.
--
nabled.
--
know enough mails yet it will
state it in the log file.
Have you trained your Bayes filter accordingly or just enabled it and expect
it to start autolearning out of the box?
The sample hit BAYES_99 so he has done basic training.
--
. Particularly, the BAYES rules don't contribute to the
autolearning decision in order to avoid positive feedback loops.
--
decision that is self-reinforcing.
Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
-Original message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Thursday, 5 January
safely be automated, though I'd
agree once per minute is a bit excessive. The classification of messages
into the folders that are trained from is what needs manual supervision.
--
On Mon, 19 Dec 2016, Shao Miller wrote:
Regarding the following:
0.0 LOTS_OF_MONEY Huge... sums of money
Is this a Monty Python reference about huge tracts of land?
Of course.
--
der's DNS server, and the local MTA/SA DNS server not forward queries
to an upstream DNS server. Caching results is not related to that.
--
as ham.
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
/spamassassin start
- Michael
On 6/12/16 11:15, John Hardin wrote:
On Tue, 6 Dec 2016, Michael Heuberger wrote:
> Anyone?
If you shut down SA and run the /etc/init.d/spamassassin script to restart
it, how long does that take to complete?
Is there something like a rules recompile bu
On Mon, 5 Dec 2016, geoff.sa_users_161...@alphaworks.co.uk wrote:
On 05/12/2016 22:38, John Hardin wrote:
On Mon, 5 Dec 2016, geoff.sa_users_161...@alphaworks.co.uk wrote:
> OK, blindly following your suggestion yielded the following; does it
> tell you anything?
>
> Dec 5
ain it with at least 200 ham and 200 spam messages
before it can start analyzing messages.
Are you training at all?
Are you training the right Bayes database?
--
g how
it starts up.
Any clues welcome
--
pache.org/SpamAssassin/show_bug.cgi?id=7374)
disable html postings on maillist still left to do ? :=)
and output to this ticket of "spamassassin --lint -D 2>&1 >/tmp.txt"
so all installed plugins versions are known, in case it's already fixed
"I can repro on trunk" sugg
.
Please open a bug and attach that spample as a repro test case. I'm not
too familiar with that bit of the code so I don't have a fast fix.
--
to identify specific individual e-mails that generate this
diagnostic, but I've looked at them and can't see anything obviously
strange.
Any thoughts?
The RE at that line looks pretty firmly anchored...
Can you gzip up a sample that fails for you and send it to me?
--
5. CGI script parameters.
--
On Thu, 17 Nov 2016, Alex wrote:
We have a lot of users who use email to share photos. Empty body, 2M
JPG attachment, nothing in the subject.
Is the subject header missing entirely, or present but empty?
--
also a great way for a spammer to then sending image spam.
Indeed, though I haven't seen that type of spam for a long time and
IIRC they tended to carry obfuscatory text as well as the image
payload.
It's performing well in masscheck, so there is that type of spam out
there currently.
--
but don't put much in it, which seems more sensible.
Agreed. I hope iceportal/surgemail is open to doing the same.
--
authentication?
--
Given the S/O I can't understand why
it's being scored that high (ignoring the score limit!), or even being
published.
I've disabled it as masscheck still doesn't seem to be handling this rule
correctly.
--
. That should fix you when it goes out.
--
On Sat, 12 Nov 2016, Alex wrote:
Hi,
On Sat, Nov 12, 2016 at 12:07 PM, John Hardin <jhar...@impsec.org> wrote:
On Sat, 12 Nov 2016, Alex wrote:
Hi,
We have one user whose mail server consistently hits
URI_ONLY_MSGID_MALF for what appears to be a misconfigured Exchange
server:
Mess
could communicate this to the sender, and I will try, but
everyone knows how that goes. If it's warranted, I'll make a local
adjustment, but just wanted to make sure this was scored properly.
What is the total score his messages are getting? 2.7 points isn't a
poison pill score.
--
the last good results?
--
imes (only sometimes) if i modify the rule,
spamassassin keeps using the compiled version... does it make sense?
I'm assuming that you *are* recompiling the rules and restarting
spamd/Amavis after you make changes to the rules?
--
orrect it, and if necessary wipe and retrain the Bayes database from
scratch. Don't discard messages after you've trained from them.
--
members' email addresses?
They caused the problem in the first place, after all, with their
promiscuous creation of new TLDs.
(I kid (sorta))
--
that.
--
2) Put in crontab a line like this to run every 15 minutes :
# 0/15 * * * * /batch/postban.sh
--
)?)$/
meta TAGMATCH_TXREP_IP_HIGHSCORE __TXREP_IP_MEAN > 5.0
describe TAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large
score TAGMATCH_TXREP_IP_HIGHSCORE 0.1
(...this sort of thing might be really useful as a general purpose rule
type in base SA too...)
--
lag exists to allow SA to know what tests to disable when it is
told to run only local tests.
And which score set to use.
--
On Fri, 21 Oct 2016, Paul Stead wrote:
On 21/10/16 18:40, Paul Stead wrote:
On 21/10/16 16:22, John Hardin wrote:
> I was going to say: you can't write a rule based on the *current* AWL
> adjustment because that's calculated after all the rules have hit. But
> SA *could* potenti
content scanning and save time & cycles.
+1
--
ical average
that AWL uses...
I suggest you file a New Feature bug to expose a mechanism to use the
current AWL average (not the per-message adjustment) in a rule.
--
On Thu, 20 Oct 2016, Bowie Bailey wrote:
On 10/20/2016 12:55 PM, David B Funk wrote:
On Thu, 20 Oct 2016, John Hardin wrote:
> On Thu, 20 Oct 2016, Ian Zimmerman wrote:
>
> > On 2016-10-20 08:34, simplerezo wrote:
> >
> > > My understanding is that AWL is h
e affected if you do it
right.
ITYM -100 points. :)
Small but important detail... :)
--
) to pastebin?
--
throughout the full
system... and no more files contain that string.
Bizarre.
--
l GetResponse fixes their systems.
--
n what the current
base rules are providing
A recommendation for GetResponse: include the names of the rule hits in
that report. It won't have meaning to most nontechnical users, but if it
reaches the point you have reached it will really help the analysis.
--
is looking for
mangled "cialis" without considering word boundaries.
Were there any other problems reported? While that rule may hit, its score
is currently 0.001 so it would not cause your email to be classified as
spam.
--
ody you're trying to send, and if there are more
details about the spam analysis than just that one line, please post that
as well.
--
multiple attachments?
A "full" rule would probably support "multiple".
Most of the base rule types do (not, of course, meta).
--
" in MIMEHeader.pm
If it is not designed to work with it, would there be any workarounds to
detect multiple attachments?
perhaps:
rawbody __MIME_ATTACH_MULT /^Content-Disposition: /
tflags __MIME_ATTACH_MULT multiple maxhits=3
but that has obvious drawbacks.
--
ere are other spammy characteristics to the message as well.
What's the complete list of rules that hit?
--
On Mon, 3 Oct 2016, Axb wrote:
On 10/03/2016 09:03 PM, John Hardin wrote:
On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 07:46 PM, Alex wrote:
> > Hi,
> >
> > These are a real concern. If you receive any kind of real mail
> > volume,
> > you're
infected attachments
Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
PDFs (which I am starting to see).
--
be scanned as if they were body text.
--
information in a database of some sort since doing a search of a
large text file for every incoming email would probably be too slow.
That sounds like two-word Bayes to me... :)
--
ent them out to make the warning go away.
--
On Sun, 25 Sep 2016, Alex wrote:
On Sun, Sep 25, 2016 at 6:18 PM, John Hardin <jhar...@impsec.org> wrote:
BAYES_50? Are you training ham? :)
Yes :-) Does this hit bayes00 for you?
No, but if you were training things that looked like order confirmations
I'd expect that to have
tebin.com/3qw6jLZp
BAYES_50? Are you training ham? :)
--
; <customer.supp...@e.heritageparts.com>
dbg: rules: ran header rule __FROM_WORDY ==> got hit: "Customer.Support@"
It is causing those hams to be incorrectly classified as spam?
--
the masscheck performance,
score limit and possible exclusions.
--
On Fri, 23 Sep 2016, Greg Troxel wrote:
"Bill Cole" <sausers-20150...@billmail.scconsult.com> writes:
On 22 Sep 2016, at 23:24, John Hardin wrote:
As far as I understand it, dnsmasq cannot be used for local
recursion; it's purely a lightweight local DNS cache layer.
Yo
ay do both.
Why is the use of iteration the defining feature of
a recursive server and not the support for recursion.
Think "actual behavior", not "capability".
--
On Fri, 23 Sep 2016, RW wrote:
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT)
John Hardin wrote:
Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.
Focus on the "recursion" and "no forwarding"
On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
On 23.09.2016 at 05:24, John Hardin wrote:
On Thu, 22 Sep 2016, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> >
> > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't
> > g
age and tell it to not forward.
--
On Thu, 15 Sep 2016, John Hardin wrote:
On Wed, 15 Sep 2016, Chip M. wrote:
Sadly, I have more FP data for you. :(
Here's one specific example (just a single very long line from
one corpse):
background-image: url("data:image/svg+xml;charset=utf8,%3Csvg
width='104px' height=
etect either of those. At the
least, detecting javascript (much less hostile javascript) within a
data:image/svg+xml block probably would be really inefficient.
--
years back.
--
On Mon, 12 Sep 2016, Ian Zimmerman wrote:
On 2016-09-12 11:06, John Hardin wrote:
Consider greylisting.
This will depend on the OP business needs,
Right, which is why I said "consider".
--
On Mon, 12 Sep 2016, thomas cameron wrote:
On 09/12/2016 01:06 PM, John Hardin wrote:
On Mon, 12 Sep 2016, thomas cameron wrote:
Make sure you have a local recursing (**NOT** forwarding) DNS server
that your MTA and SA are configured to use. Reason: if you're forwarding
your MTA DNS requests
Harald on this list regarding weighted DNSBL scoring that you may
find useful. You'll have to search the archives to find those.
There are some other MTA-level checks you can perform, like greet pause
and HELO validation (e.g. reject if the HELO has no dots).
Consider greylisting.
--
On Thu, 8 Sep 2016, Chip M. wrote:
Last week, I sent John Hardin some spamples, and he very kindly
wrote & masschecked rules over the long weekend (Geek!). :)
He found a significant FP risk.
It's possible meta'ing with some of the conditions mentioned above would
reduce the
On Thu, 8 Sep 2016, Chip M. wrote:
On Sat, 3 Sep 2016, John Hardin wrote:
I've tweaked the FP avoidance a bit, maybe that will be enough
to get the S/O up high enough to publish it.
John, do you have any detailed info about the Ham hits?
It's possible to look up what rules hit those
to be more
lightweight than an actual EBNF syntax verifier :) , there are limits to
what can be done...
--
erform well
enough to publish depending on them.
--
On Mon, 5 Sep 2016, RW wrote:
On Sun, 4 Sep 2016 17:52:48 -0700 (PDT)
John Hardin wrote:
On Sun, 4 Sep 2016, RW wrote:
if you skip running sa-compile, the shared library is unaltered.
...thus the rules update has no effect?
If you've ever tested updates to local body rules without
On Sun, 4 Sep 2016, RW wrote:
if you skip running sa-compile, the shared library is unaltered.
...thus the rules update has no effect?
--
2012 (I read SANS too...):
https://svn.apache.org/viewvc?view=revision&revision=1378630
but it isn't performing well enough to be published:
http://ruleqa.spamassassin.org/20160902-r1758905-n/T_URI_DATA/detail
I've tweaked the FP avoidance a bit, maybe that will be enough to get the
S/O up high enough to pu
or amavis or whatever
is using the rules.
Question for others: if you're using compiled rules does the compiler need
to be run explicitly, or is that automatic?
--
/data:
data:text/html;base64
I'll see about getting those into the sandbox.
*** Do any of you HTML gurus have additional suggestions? :)
... a poison-pill rule for < script > tags in email HTML? (only slightly
tongue-in-cheek)
--
On Wed, 31 Aug 2016, li...@rhsoft.net wrote:
On 30.08.2016 at 22:03, John Hardin wrote:
On Tue, 30 Aug 2016, Joseph Brennan wrote:
> We've had errors the past 2 nights for all of the uridnsbl_skip_domain
> rules. It's just us?
It's been fixed, waiting for a new update to be gen
On Tue, 30 Aug 2016, Joseph Brennan wrote:
We've had errors the past 2 nights for all of the uridnsbl_skip_domain
rules. It's just us?
It's been fixed, waiting for a new update to be generated by masscheck.
--
it's been at least a couple of years since they were
regenerated.
--
On Fri, 26 Aug 2016, John Hardin wrote:
body __ALL_BODY /./
Oops.
body __ALL_BODY /.+/
{blush}
--
ight want to add this rule:
body __ALL_BODY /./
That would make it clear whether or not SA was breaking the paragraph at
that point.
--
ither
manual or other SA rules.
The restriction to probabilities 0 or 1 may mitigate the
robot-off-the-rails syndrome to a degree.
--
of "token".
...and it looks like we're venturing into the "SA Bayes multiple-word
token support" realm (as a surrogate).
--
On Thu, 18 Aug 2016, Jerry Malcolm wrote:
On 8/18/2016 12:16 PM, John Hardin wrote:
There are also potential DNS issues that may contribute. In addition to
describing your environment, perhaps you could post the X-Spam-Status
header from a couple of the low-scoring spams.
John
an example uncaught spam message. SA scored it
a 4.7. http://pastebin.com/T1CfVgP4
That's just the rendered body. We need to see all the message headers too.
--
it to recognize your particular email
traffic.
There are also potential DNS issues that may contribute. In addition to
describing your environment, perhaps you could post the X-Spam-Status
header from a couple of the low-scoring spams.
--
is an intelligence test. You just failed.
--
how I do it (among other things) with sendmail and milter-regex:
http://www.impsec.org/~jhardin/antispam/milter-regex.conf
--