On Wed, 10 Aug 2016, Benny Pedersen wrote:
On 2016-08-10 00:23, John Hardin wrote:
You could score a meta of SPF_FAIL + return-path in your domain as a
poison pill, but as others have said, these shouldn't make it all the
way to SA.
waste of time, mta stage should not accept local
on the internet side
that claims to be from my domain. Legit mail from my domain will only ever
come from the private side.
You could score a meta of SPF_FAIL + return-path in your domain as a
poison pill, but as others have said, these shouldn't make it all the way
to SA.
--
John Hardin KA7OHZ
of domain names, does digs to get those
domains' MX hosts, and writes whitelist_from_rcvd rules for them to a
local config file. Run that every night as part of your scheduled
sa-update script.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
most unsubscribe links are scripts with
variables!
Ruga doesn't say whether or not that is in combination with the
excessively-long paragraph hit.
On Aug 3, 2016, at 4:07 PM, Ruga <r...@protonmail.com> wrote:
An additional rule scores 1.0 for any uri to a php page,
--
John Hardin
low you to *NOT* stop at the first match.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Tue, 2 Aug 2016, Benny Pedersen wrote:
On 2016-08-02 20:00, John Hardin wrote:
Is there any way to use postscreen as a frontend filter for a sendmail
MTA?
content-filter works nicely in postfix, but that postscreen will not use
content-filter to help on its problem
postfix can use
sounds great.
Is there any way to use postscreen as a frontend filter for a sendmail
MTA?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
On Fri, 29 Jul 2016, Reindl Harald wrote:
On 29.07.2016 at 18:15, John Hardin wrote:
On Fri, 29 Jul 2016, Reindl Harald wrote:
> On 29.07.2016 at 03:30, Ryan Coleman wrote:
> > > On Jul 28, 2016, at 2:49 PM, Reindl Harald
> > <h.rei...@thelounge.net> > wro
with mockery and
abuse.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Fri, 29 Jul 2016, Dianne Skoll wrote:
On Fri, 29 Jul 2016 08:35:46 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:
Greylisting means *you don't see the content at all during the
delay*. You tell the sending MTA to try again later when they first
connect and send the MAIL FROM an
ly reduces its value. Potentially to
zero.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--
your mail to work right again,
in which case, nevermind.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
Fixing up. "
:0 fhw
| sed -e '1s/^/F/'
}
This should probably be before you attempt delivery to CaughtSpam,
otherwise you might be corrupting that folder.
sample header of a missed spam/false negative:
http://txt.do/5em14
To echo Reindl, it doesn't look like that message was scann
few spamples to something like
pastebin or a webserver you control and send the URLs to the list so that
we can see the complete raw messages.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E
" filter checks
that expect the first extension to actually be present (e.g. something
like /\.[a-z]{1,3}\.wsf$/ ).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411
On Wed, 6 Jul 2016, Paul Stead wrote:
On 06/07/16 16:16, John Hardin wrote:
Does that cache-min-ttl also affect NXDOMAIN? Is it possible to
configure different TTL for NXDOMAIN (relatively low) and positive
results (relatively high)?
For this cache-max-negative-ttl exists :)
:) It's
cache-min-ttl also affect NXDOMAIN? Is it possible to configure
different TTL for NXDOMAIN (relatively low) and positive results
(relatively high)?
If not, you might want to file a bug with unbound to ask them to make that
possible.
--
John Hardin KA7OHZ http://www.i
since djo...@ena.com was nowhere in the email
thread. Pretty dumb if you ask me.
Gotta keep from scaring the users with all that complex technical computer
language stuff...
{rolleyes}
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #1117
say
Here is the sample
1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
This, too.
A meta on "(x-sender not in our domain OR reply-to not in our domain) AND
FILL_THIS_FORM_FRAUD_PHISH" is what I'd recommend as a local rule.
--
John Hardin KA7OHZ
Just a FYI for everybody:
We finally got enough masscheck ham corpus to cross the minimum threshold,
a weekly rules update was produced.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key
uոt." - account).
This is a hugely common obfuscation technique.
Take a look at
https://svn.apache.org/viewvc/spamassassin/trunk/rules/25_replace.cf
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec
ted above.
There is something else in that sample that *may* be a somewhat useful
spam sign, the style name:
#hearthrugs-tablecloths-dishcovers-coalscuttles-a {
A long style name consisting of long dash-broken subwords *might* be
unusual enough for a while to give a point.
--
John Hardin KA7OHZ
on Mach, which is an offshoot of Unix?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
to a docker container, then sa-learn failed to read the DB.
the permission looks good, because the error just show "failed to open
bayes_toks"
Anyone know the potential problems?
Are you sure the path is correct?
Run sa-learn in debug mode to see where it's looking for the bayes DB.
r or other test)?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
should we
punish them by underscoring those rules?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
to masscheck please get in touch with Kevin
McGrail! Non-English ham is especially welcome. Even a little.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
On Thu, 2 Jun 2016, John Hardin wrote:
On Thu, 2 Jun 2016, Antony Stone wrote:
On Thursday 02 June 2016 at 13:16:57, Martin Gregorie wrote:
> On Thu, 2016-06-02 at 12:28 +0200, Matus UHLAR - fantomas wrote:
> > > Therefore I agree that there could be better way of not
a problem, to
bother doing this.
You get that if URIBL_BLOCKED hits on a ham and you look at the rule
descriptions on that message.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C
es by
definition untrusted content from the web in case of spammails
su -c "command" - username
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar.
This is the only reliable method.
3. Training with inbox as HAM
See earlier comments.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
hams to another folder that sa-learn actually trains from, but I
don't know whether you have privacy concerns with family members.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D
On Mon, 30 May 2016, Reindl Harald wrote:
On 30.05.2016 at 01:20, John Hardin wrote:
On Sun, 29 May 2016, Reindl Harald wrote:
> On 29.05.2016 at 23:38, John Hardin wrote:
> > On Thu, 26 May 2016, RW wrote:
> >
> > > I noticed that Bayes is picking-up on
On Sun, 29 May 2016, Reindl Harald wrote:
On 29.05.2016 at 23:38, John Hardin wrote:
On Thu, 26 May 2016, RW wrote:
> I noticed that Bayes is picking-up on very strong tokens from "eval" and
> "code" in headers like this:
>
>X-PHP-Originating-Script:
t's
never occurred in a single ham in my corpus.
It doesn't do too well in masscheck:
http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
The spams seem to be coming from exploited web-servers, and I'm
wondering if it might be a symptom of the expl
numerology.
Based on that, do you have an opinion on the proposal to add two-word (or
configurable-length) combinations to Bayes?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C
On Fri, 27 May 2016, Kris Deugau wrote:
SA on mail delivery, where you are (supposedly) guaranteed exactly one
recipient/"user", and you can use unique preferences on a per-user
basis.
And which, of course, multiplies the scanning load on multiple-recipient
messages.
--
John Har
transparently try to deliver the email to postmaster@, as you are
*supposed* to have an abuse@ address...)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
)'d code" part is in just over 2% of my spam, but it's
never occurred in a single ham in my corpus.
The spams seem to be coming from exploited web-servers, and I'm
wondering if it might be a symptom of the exploit
looks like worth a rule to add points
I've asked for samples and will add a
On Thu, 26 May 2016, Reindl Harald wrote:
On 13.05.2016 at 18:18, John Hardin wrote:
On Fri, 13 May 2016, RW wrote:
> On Fri, 13 May 2016 15:42:07 +0200
> Reindl Harald wrote:
>
> > WTF - Received: from daves-air.home ([1.125.7.92]) is another time a
> > D
On Tue, 17 May 2016, Marc Perkel wrote:
Is there any address that I can forward gmail spam to google for reporting?
Theoretically <gmail-ab...@google.com>
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -
to be triggered based on the "home" in the hostname?
What was the intention of this rule? To catch mail with "home" in the
HELO string?
A HELO that ends with ".home", regardless of the hostname. Your example
above should not have hit that rule.
--
John Hardin
. Apparently there's
been some discussion of this rule already :-)
Plus the update that just went out (1743621) doesn't score it at all, so
it will use the default of 1.0, and it's been disabled in the sandbox so
the next update will remove it entirely.
--
John Hardin KA7OHZ http
bmail-.*
I expect no ISP is going to use "webmail" for their dynamic IP pool.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 13
On Sat, 14 May 2016, Reindl Harald wrote:
On 14.05.2016 at 19:10, John Hardin wrote:
On Sat, 14 May 2016, Reindl Harald wrote:
> On 14.05.2016 at 04:50, John Hardin wrote:
> > On Sat, 14 May 2016, Reindl Harald wrote:
> > > Am 14.05.2016 um 04:04 schrieb John Hard
On Sat, 14 May 2016, Reindl Harald wrote:
On 14.05.2016 at 04:50, John Hardin wrote:
On Sat, 14 May 2016, Reindl Harald wrote:
> On 14.05.2016 at 04:04, John Hardin wrote:
> > How would a webservice be better? That would still be sending
> > customer
> > em
exit 23
http: (curl) GET http://sa-update.dnswl.org/1743481.tar.gz, FAILED, status:
exit 23
channel: could not find working mirror, channel failed
Update failed, exiting with code 4
...what happens when you try to download that file interactively?
--
John Hardin KA7OHZ http://
On Sat, 14 May 2016, Reindl Harald wrote:
On 14.05.2016 at 04:04, John Hardin wrote:
On Fri, 13 May 2016, Reindl Harald wrote:
> i can't rsync customer mails to a 3rd party
You don't have to. You run the masscheck locally and only upload the
rule hit results. I upload my corp
On Fri, 13 May 2016, Reindl Harald wrote:
On 13.05.2016 at 18:11, John Hardin wrote:
On Fri, 13 May 2016, Reindl Harald wrote:
> the problem is blowing out such rules with such scores at all with a
> non working auto-QA (non-working in: no correction for days as well as
>
report.
Please don't. The rule has been disabled.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
: SpamAssassin: No update available
Perhaps you could help with that by participating in masscheck. You seem
to get a lot of FPs on base rules; contributing masscheck results on your
ham would reduce those.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Thu, 12 May 2016, Kim Roar Foldøy Hauge wrote:
On Thu, 12 May 2016, John Hardin wrote:
> 2. Is anyone interested in my current rule set of about 120 rules that
> target norwegian spam.
One thing to be aware of is publishing rules *can* reduce their
effectiveness, as tha
read this list (at least the more-clueful ones do).
Here's a question for you in return: would you be willing to contribute to
SA masscheck? The SA masscheck system is often hurting for corpora, and
pretty much always has insufficient non-English ham.
--
John Hardin KA7OHZ
s rule apparently matches due to the envelope-from line above.
header __LOC_APPLE_RCVD Received =~ /apple\.com/
How can I get it to only match on the server name in that line?
Try matching on the external relays pseudo-header where that all gets
normalized.
--
John Hardin
On Wed, 4 May 2016, Ian Zimmerman wrote:
On 2016-05-04 08:13 -0700, John Hardin wrote:
alias sa-update='env http_proxy=http://myserver:myport/
https_proxy=http://myserver:myport/ sa-update'
Lose the "env"?
Why? Apart from using an extra process, this should work exactl
there.
Another way:
2- I set on my
alias sa-update='env http_proxy=http://myserver:myport/
https_proxy=http://myserver:myport/ sa-update'
Lose the "env"?
And nothing, any suggestion?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaho
LOCAL__H_from_sample ALL =~ /mail\.sample\.com/i
Post the headers from such a message so we have something to work from.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
arge portion of your userbase receiving them, and it's
not a well-known website, then it is probably safe to consider it spam.
What proportion of your user base would be technical enough to be
interested in security audit software?
It looks to me like Acton made a bad marketing decision.
--
.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Fri, 8 Apr 2016, Bowie Bailey wrote:
On 4/8/2016 11:09 AM, Reindl Harald wrote:
On 08.04.2016 at 17:05, John Hardin wrote:
> On Fri, 8 Apr 2016, Reindl Harald wrote:
>
> > /.*need to buy products.*\?.*/i
> >
> > .* = any chars independent how often
>
On Fri, 8 Apr 2016, Reindl Harald wrote:
On 08.04.2016 at 17:05, John Hardin wrote:
On Fri, 8 Apr 2016, Reindl Harald wrote:
> /.*need to buy products.*\?.*/i
>
> .* = any chars independent how often
Do NOT use ".*" in body or rawbody rules. That can lead to un
d "." where possible.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-
work for
you?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
r point
or two from this standards violation push them over the top, or are they
already obviously spammy?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
On Thu, 31 Mar 2016, RW wrote:
On Thu, 31 Mar 2016 08:12:10 -0700 (PDT)
John Hardin wrote:
I don't follow what you're saying, can you provide an example?
They have something like:
Content-Type: text; charset="utf-8"
rather than
Content-Type: text/plain; charset="utf-8&
On Thu, 31 Mar 2016, RW wrote:
On Wed, 30 Mar 2016 18:22:21 -0700 (PDT)
John Hardin wrote:
MIME_NO_TEXT is a *very* simple rule: "has a content-type:
multipart/* header in the main message headers" and "has no
content-type: text/* MIME header anywhere."
I've only 3 hits
On Thu, 31 Mar 2016, Bill Cole wrote:
On 30 Mar 2016, at 21:22, John Hardin wrote:
Not sure what you mean by "in the original message body" because it seems
having a CT:t/* header in the original message suppresses that rule in my
and David's testing.
randomly added into the
On Wed, 30 Mar 2016, Bill Cole wrote:
On 30 Mar 2016, at 11:20, John Hardin wrote:
On Tue, 29 Mar 2016, David B Funk wrote:
> Now my original message was a CT: text/plain. Maybe if the original
> message had no textural components at all it might fire as you
> describe bu
On Tue, 29 Mar 2016, David B Funk wrote:
On Tue, 29 Mar 2016, Bill Cole wrote:
On 29 Mar 2016, at 19:36, John Hardin wrote:
> Can you send me some samples?
Probably. Tomorrow. Afternoon. When I can spin up a bullshit VM (what
still uses sendmail with a default workingish con
On Tue, 29 Mar 2016, Bill Cole wrote:
On 29 Mar 2016, at 19:36, John Hardin wrote:
Can you send me some samples?
OR: if you can submit mail through a Sendmail instance, send mail to any bad
address anywhere on any machine running any MTA, all it has to do is say '5yz
blah blah we hate
make them.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
3
On Sat, 26 Mar 2016, Reindl Harald wrote:
On 26.03.2016 at 03:54, David B Funk wrote:
On Sat, 26 Mar 2016, Reindl Harald wrote:
> BODY_URI_ONLY Message body is only a URI in one line of text
>
> how can that hit the (anonymized) mail below?
> ___
>
>
On Wed, 23 Mar 2016, Kevin Golding wrote:
Even transcribing it for the list I used the new domain instead of the
original rule.
I was going to ask about that, but I figured it was just a typo so I
didn't.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar
On Tue, 15 Mar 2016, Ted Mittelstaedt wrote:
On 3/15/2016 6:26 PM, John Hardin wrote:
On Tue, 15 Mar 2016, Ted Mittelstaedt wrote:
> > we have scripts checking any samples against current bayes
> > classification and ignore them if they already have BAYES_99,
>
> Is t
nothing preventing you from learning messages
that scored BAYES_999 (or BAYES_00).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
the v1.03 David has came
from. David, if you'd care to email me your copy, I'll see about updating
the one I host.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
same rule hit 38.98% of all mail and 50.51% of all mail?
Speculation: 38.98 %OFMAIL = %OFSPAM * %SPAM, not %TOTAL
so: HTML_MESSAGE hit 87.85% of spam, and *that* was 39.98% of total
messages processed.
?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@i
ture, is just too
much.
I'll take a look.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E
On Thu, 3 Mar 2016, David B Funk wrote:
On Thu, 3 Mar 2016, John Hardin wrote:
On Thu, 3 Mar 2016, Dianne Skoll wrote:
> However, many legitimate PDF files contain Javascript snippets.
> Blocking solely on that basis will lead to many FPs.
I'd argue the "legit
On Thu, 3 Mar 2016, John Hardin wrote:
On Thu, 3 Mar 2016, Dianne Skoll wrote:
I had no idea Java could be embedded in PDF... are you sure that's even
possible?
No idea either, I was just including it because it was mentioned upthread,
and greater insanities have happened.
I'm
On Thu, 3 Mar 2016, Dianne Skoll wrote:
I had no idea Java could be embedded in PDF... are you sure that's even
possible?
No idea either, I was just including it because it was mentioned upthread,
and greater insanities have happened.
--
John Hardin KA7OHZ http
f that statement... :)
Sounds to me like it should be: block any PDF with javascript/flash/java
with whitelisted bypass.
What sane MTA accepts bare executable attachments from the Internet at
large any more? The same policy should apply to PDFs.
--
John Hardin KA7OHZ http:
just need
to vet the messages before feeding them to sa_learn (unless you really
trust a given user's judgement and honesty - the big problem is users
training messages from lists they actually did subscribe to as spam,
rather than unsubscribing).
--
John Hardin KA7OHZ http
On Mon, 29 Feb 2016, dar...@chaosreigns.com wrote:
20160228: Spam or ham is below threshold of 150,000:
http://ruleqa.spamassassin.org/?daterev=20160228
20160228: Spam: 108401, Ham: 191807
Masscheck is spam-starved again, rules updates will be spotty or
nonexistent this week.
--
John
On Fri, 26 Feb 2016, Axb wrote:
On 02/26/2016 07:07 PM, RW wrote:
On Fri, 26 Feb 2016 18:14:53 +0100
Axb wrote:
> On 02/26/2016 06:04 PM, John Hardin wrote:
> > On Fri, 26 Feb 2016, Reindl Harald wrote:
> >
> > > score VERY_LONG_REPTO_SHORT_MSG
On Fri, 26 Feb 2016, Antony Stone wrote:
On Friday 26 February 2016 at 18:14:53, Axb wrote:
On 02/26/2016 06:04 PM, John Hardin wrote:
On Fri, 26 Feb 2016, Reindl Harald wrote:
score VERY_LONG_REPTO_SHORT_MSG 3.999 3.999 3.999 3.999
header __VERY_LONG_REPTO Reply
On Fri, 26 Feb 2016, Axb wrote:
On 02/26/2016 06:04 PM, John Hardin wrote:
On Fri, 26 Feb 2016, Reindl Harald wrote:
> score VERY_LONG_REPTO_SHORT_MSG 3.999 3.999 3.999 3.999
> header __VERY_LONG_REPTO Reply-To =~ /[^\s\@]{20,}\@/
>
or 20 raised to much higher values
OK, set to 25 and limit 3.5
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 25 Feb 2016, RW wrote:
On Thu, 25 Feb 2016 13:58:03 -0800 (PST)
John Hardin wrote:
On Thu, 25 Feb 2016, Steve wrote:
b) Configure spamc -C report (run as any user) to initiate
training of the amavis bayes database (in ~amavis/.spamassassin) ?
That would probably be a code change
On Thu, 25 Feb 2016, Steve wrote:
Please keep the discussion on-list so others may help/benefit.
On 25/02/2016 01:14, John Hardin wrote:
The second one has autolearn=yes, so I would say that autolearn is
probably the cause of this behavior.
You're right... Manual training wasn't working
On Thu, 25 Feb 2016, Bill Cole wrote:
On 25 Feb 2016, at 11:42, John Hardin wrote:
On Thu, 25 Feb 2016, Bill Cole wrote:
> I haven't had much time for analysis of this yet and likely will not
> today , but last night's update is missing a number of 'describe' lines
&
in one standalone rule affected a
bunch of totally unrelated rules...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 25 Feb 2016, Reindl Harald wrote:
7.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: leslie-bib***b.org]
That, too. Steve, you might consider boosting your local score for
URIBL_BLACK. :)
--
John Hardin KA7OHZ
On Thu, 25 Feb 2016, Steve wrote:
On 24/02/2016 22:59, John Hardin wrote:
On Wed, 24 Feb 2016, Steve wrote:
> I've used spamassassin for many years - on Ubuntu, using amvisd - with
> great success. In recent months, I've been receiving several spam
> messages each day t
ning corpora, review it for misclassifications (FNs),
wipe and retrain.
If you *don't* have base training corpora, start building them.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C
think this is a valid issue, I think you should file a bug.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -
://pastebin.com/zKWUUQ0Q
google docs, yes, google drive, I don't think so.
Also, there would need to be examples in the masscheck corpus for them to
be published.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
al.cf" for
included file
Feb 16 20:16:26.746 [17171] dbg: config: read file
/var/lib/spamassassin/3.004000/updates_spamassassin_org/local.cf
Which caught my attention.
Oops! Forgot to cc the users - sorry for the duplicate
On Tue, Feb 16, 2016 at 5:06 PM, John Hardin <jhar...@impsec.org>
updates downloaded from the SA live rules maintenance process are
stored. Any changes you make there will *probably* be lost on the next
rules update.
Is that the *only* local.cf file that the debug output mentioned?
I'd much more expect the "real" local config file to be under /etc/
some
ssassin to query a database directly?
Did you try iptables to block/allow IPs?
If you're getting that much abuse from specific IPs and you're sure that
it's all spam, then set up a TCP tarpit.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaho