Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-06 Thread Kenneth Porter
On 12/6/2023 5:19 AM, Benny Pedersen wrote: can't procmail use X-Spam-Flag ? I think the reason I run it twice is that the mimedefang invocation doesn't have access to personal Bayes data. When it runs, it's not yet known what user(s) the mail is destined for.

Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-05 Thread Kenneth Porter
On 12/5/2023 10:57 PM, Benny Pedersen wrote: mimedefang does not use spamd, you only need either spamassassin only with spamd or mimedefang with spamassassin not running spamd It's a small server so I can afford to run SA twice, once at the MTA level through mimedefang (which can potentially

Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-05 Thread Kenneth Porter
After installing the package, I found I needed to manually restart spamd and also mimedefang with: # systemctl restart spamassassin # systemctl restart mimedefang After that I saw errors from my nightly sa-learn jobs about a missing HashCash module. I checked for a .rpmnew file in

Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-03 Thread Kenneth Porter
I want to relate my experience in packaging the latest RH RPM for CentOS 7: I first checked out the package sources from Fedora. This is the spec file and patches but not the SA tarballs. I already have a regular user for building packages and have run rpmdev-setuptree to create a packaging

Re: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...

2023-07-07 Thread Kenneth Porter
Check the systemd unit file. It should set the user the service runs as.

Re: DMARC Aggregate reports - false positives

2023-06-23 Thread Kenneth Porter
Mine don't get reported as spam. But I'm getting daily reports from mimecast.org that claim to be "Content-Type: application/gzip" but have file extension .zip. Examination finds that they're really PK zip files. So the script I use to process them tosses them as malformed. The source domain

Seeing big (>1MB) spam

2023-02-14 Thread Kenneth Porter
I started seeing some spam today in the 1-1.5 MB range. I was surprised to see obvious spam in my Inbox, but discovered it had no SA headers. It turned out that my procmailrc rule was only scanning messages smaller than 700k. I boosted it to 2MB: :0fw * < 200 | /usr/bin/spamc -s 200

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-20 Thread Kenneth Porter
On 12/19/2022 7:59 PM, Kenneth Porter wrote: https://bugzilla.redhat.com/show_bug.cgi?id=2154501 https://bodhi.fedoraproject.org/updates/FEDORA-2022-e341ba52a1 https://koji.fedoraproject.org/koji/buildinfo?buildID=2102188 It looks like the packaging fails before building anything because

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-20 Thread Kenneth Porter
On 12/19/2022 11:10 PM, Greg Troxel wrote: Actually, not really. Packages should be able to run out of the box, with no network fetching needed. The pkgsrc entry -- also updated to 4.0.0 -- fetches the release rules at package build time and includes them. But, it does build  I haven't yet

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-19 Thread Kenneth Porter
RPM status for Red Hat distros: https://bugzilla.redhat.com/show_bug.cgi?id=2154501 https://bodhi.fedoraproject.org/updates/FEDORA-2022-e341ba52a1 https://koji.fedoraproject.org/koji/buildinfo?buildID=2102188 It looks like the packaging fails before building anything because the filename in

Re: why are not all rules run all the time

2021-10-08 Thread Kenneth Porter
--On Friday, October 08, 2021 2:04 PM +0200 Thomas Seilund wrote: When you say a rule hits do you then mean that the rule contribute to the score? Can a rule hit and contribute with a value of zero to the score? Setting a rule's score to zero (eg. in local.cf) disables the rule. This is

Re: TLD rules catch non-domain data

2021-08-20 Thread Kenneth Porter
On 8/20/2021 1:53 PM, Greg Troxel wrote: I just had it falsely hit, in that it triggered on mail that was ham. There was a .club URL, but it was to a club website mentioned in mail that I actually agreed to get and that was on topic. So I would suggest that rules that do not show actual

Re: TLD rules catch non-domain data

2021-08-20 Thread Kenneth Porter
On 8/20/2021 6:23 AM, Matus UHLAR - fantomas wrote: it seems that some TLD rules catch strings that are not domains: *  2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs *  [URI: ups.mfr.date (date)] *  5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, *  .guru,

Re: Question about whitelisting of naadac.org

2021-08-11 Thread Kenneth Porter
--On Wednesday, August 11, 2021 8:57 PM + Lukasz Maik wrote: The company naadac.org is experiencing problems with their e-mails being marked as SPAM, when they are putting link to their domain www.naadac.org in the signature of their mails. Is it possible to

Leaning toothpick syndrome (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kenneth Porter
On 8/11/2021 8:05 AM, Kenneth Porter wrote: BTW, does SA permit use of Perl-style regex delimiters to avoid leaning toothpick syndrome? https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome Answering my own question, I see it used in this rule: uri    __IMGUR_IMG m,^https

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Kenneth Porter
On 8/11/2021 7:39 AM, Jared Hall wrote: *Maybe* a little more refinement could prevent it picking  up .hidden folders that have a BAD_TLD name. /[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i The CVS/Kodak uri would still fail on this pattern,

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
--On Wednesday, August 11, 2021 12:29 AM -0400 "Kevin A. McGrail" wrote: Hi Kenneth, the ruleset is designed for a system scoring over 5.0. Did the rule from the cell provider cause an fp? Is your threshold higher than 5.0? I use the stock threshold of 5.0. I'm using the ruleset via the

KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
My cellular supplier has a weekly bag of goodies (coupons, schwag) and last week's included a free photo refrigerator magnet from CVS. So I signed up a CVS/Kodak account to put in my order. Like most such offers, they start sending me marketing mail, and the first one hit

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" wrote: We use the olevbmacro detection added to SA. I would guess that's blocking the payload. I see the plugin in the distribution but it doesn't appear to be loaded by default and the

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall wrote: The Word document (without macros) loads an external encrypted Excel file It has macros. It tricks the user into enabling and running them by telling him to enable the document for editing and enabling "content" (ie. macros).

Re: Looking for a sample of the Microsoft zero day print nightmare

2021-07-03 Thread Kenneth Porter
On 7/2/2021 6:39 PM, Kevin A. McGrail wrote: Anyone know if this is delivered via email? I'm trying to make sure I block the payload if it is. I found a copy of the repo and see that it works by adding an evil printer driver to the remote server over an IP connection. So email is a vector

Re: sa-update error 3 no mirrors.sought.rules.yerp.org

2021-03-16 Thread Kenneth Porter
--On Sunday, March 14, 2021 1:23 PM +1000 Simon Wilson wrote: You've not stated your OS but on a RHEL/CentOS 7 box the correct way to remove is to go to /etc/mail/spamassassin/channel.d and delete sought.conf. RHEL bugzilla for the issue:

Re: URLs hidden in Morse code

2021-02-11 Thread Kenneth Porter
On 2/10/2021 11:30 AM, Bill Cole wrote: CONFIRMED: SeaMonkey v2.53.6 (latest version) DOES NOT execute JavaScript in email. I don't think the intent is to run it in the MUA. It's probably distributed as an attachment (ie. inline) to save to disk and be viewed outside the MUA in a normal

URLs hidden in Morse code

2021-02-09 Thread Kenneth Porter
I'm reminded of the recent post suggesting that SA parse QR codes to feed URLs to block lists. The email includes a web document pretending to be an Excel document (double extension

Backscatter to role addresses

2021-01-30 Thread Kenneth Porter
What do others do about backscatter to their role addresses? It seems spammers have recently discovered the role addresses noc, hostmaster, and webmaster for one of my business domains and are forging them as senders. As a result, I'm seeing lots of backscatter from various spam-detectors.

Fedora sa-update and systemd randomized timer

2020-12-31 Thread Kenneth Porter
With the discussion of the KAM channel and Fedora's sa-update script that uses directory-based channel configuration, I went snooping into their script and systemd units. It looks like sa-update.cron has a 2-hour random delay before it looks for updates. I'm thinking it would be nice to move

Re: Rule for plussed address

2020-12-27 Thread Kenneth Porter
--On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole wrote: You definitely want to escape that '+' and catch the recipient instead of sender: header RULENAME To:addr =~ /\+.+\@/ score RULENAME -1 That looks like what I want. Although since my server is hacked to accept a dot

Rule for plussed address

2020-12-26 Thread Kenneth Porter
I usually sign up for a web service using a "plussed" address like shiva+vendorn...@sewingwitch.com. (My server also recognizes a dot instead of a plus, to deal with broken websites that won't allow me to use a plus in my email address.) I use procmail rules on my server to filter messages

Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread Kenneth Porter
--On Tuesday, September 29, 2020 10:48 AM + Andy Smith wrote: Or consider using ASN plugin: With that hint, I found this interesting service: One could use this to, for example, create firewall rules to block connections from hostile ASNs.

Re: Moving Spam to Junk Folder

2020-09-03 Thread Kenneth Porter
--On Thursday, September 03, 2020 3:03 PM -0400 bobby wrote: I would prefer it to go into my Junk folder. How can I make this happen? That blog article shows how to do it with Dovecot's lmtp using its dovecot-pigeon rule system. But it can't put a message in a folder if it never gets it.

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Kenneth Porter
--On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote: Like most ISPs, they have a feedback loop to remove malicious users. I assume it is too slow, so a SendGrid account ID RBL would provide meaningful value. Would not Pyzor accomplish the same thing? Submit the SendGrid spam to

Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Kenneth Porter
--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin wrote: Fix committed. Where will this show up? I just got one with this tag: Another:

Re: update fail

2020-07-15 Thread Kenneth Porter
--On Wednesday, July 15, 2020 9:59 AM -0400 "Kevin A. McGrail" wrote: I'm sure someone has produced an RPM for CentOS 6 for 3.4.4 by now. I'm using John Hardin's recommendation from his 2020-02-07 post and it's working fine on CentOS 7: You can download the original (as well as later

Re: Spamassassin RPM for Centos 7

2020-02-07 Thread Kenneth Porter
--On Thursday, February 06, 2020 2:30 PM -0800 John Hardin wrote: The RPM is available here, assuming you trust me: http://www.impsec.org/~jhardin/antispam/centos7/ 3.4.4 is now available as well, I've been running it for about a day now and I don't see any problems - but my volume is

Facebook notifications sent from dynamic address

2019-10-05 Thread Kenneth Porter
(Nothing wrong with SA. Just an FYI about a popular service that abuses the Internet and SA catches it.) I noticed one of my notifications from Facebook today got tagged by SA. Here are the two that put it over: 3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2) 1.5

New URL shortener

2019-06-06 Thread Kenneth Porter
I'm seeing a lot of fake DHL delivery notices using the shortener smarturl.it. I suggest adding it to __URL_SHORTENER.

Re: recent update to __STYLE_GIBBERISH_1 leads to 100% CPU usage

2019-05-30 Thread Kenneth Porter
On 5/29/2019 6:12 AM, Karsten Bräckelmann wrote: I see this has been filed in bugzilla by now. For those looking for the bug report: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7707

Re: spamd child high CPU usage, connection reset

2019-05-30 Thread Kenneth Porter
On 5/29/2019 3:41 PM, Yves Goergen wrote: Hello, Today SpamAssassin started failing on my server system. I could observe the following: * There are 5 processes named "spamd child" with very high (100%) CPU usage This could be the style gibberish rule hanging. There's another thread here

Bad List-Id from SparkPost mailing service

2019-05-01 Thread Kenneth Porter
You may recall I have a local rule that flags badly-formatted List-Id headers as probable spam. It works quite well. However, I've seen a couple false positives recently from my bank and credit card companies. The Message-IDs make it clear that both are coming from SparkPost, which seems to be

Re: ClamAV - low detection rates on malware attachments lately

2018-11-08 Thread Kenneth Porter
--On Thursday, November 08, 2018 10:59 AM -0500 Kris Deugau wrote: https://sourceforge.net/projects/unofficial-sigs/ It's been in Debian for a while too. That upstream link is an old version; it was forked or taken over (not sure which) by extremeshok.com at

Re: ClamAV - low detection rates on malware attachments lately

2018-11-07 Thread Kenneth Porter
On 11/7/2018 1:24 PM, Kris Deugau wrote: I use a combination of adding local signatures (mainly hashes for "random-executable-inna-archive") and selected signatures from a number of third parties to the stock set in a "primary" Clam instance that's an absolute yes/no check, and using only

Re: config files in spamassassin is unintended tlds :/

2018-11-05 Thread Kenneth Porter
--On Monday, November 05, 2018 12:14 PM -0500 Bill Cole wrote: FWIW, BIND 9.x (since 9.4-ish) will parse and load a zone with such an A in it, but complains and does not serve the record: NXDOMAIN for a normal query, no hint of it in a zone transfer. BIND's check-names directive controls

Re: config files in spamassassin is unintended tlds :/

2018-11-04 Thread Kenneth Porter
--On Sunday, November 04, 2018 7:28 PM -0500 Bill Cole wrote: most of my examples of "Not A URI" were in fact turned into clickable links by some horrific MUA. If it's clickable, some user will click on it. If it's not, a malicious message may beg the user to copy and paste it into the

Re: Spamassassin 3.4.2 RPM for CentOS 6

2018-10-22 Thread Kenneth Porter
--On Monday, October 22, 2018 3:46 PM + Emanuel Gonzalez wrote: rpm for Centos 7??? If you're comfortable rebuilding a source RPM, see my thread on using the Fedora 29 SRPM on CentOS 7. If you've modified your sysconfig file, you'll need to remove the daemon switch to use it with that

Re: sa-compile after sa-update

2018-10-11 Thread Kenneth Porter
An RH bug was opened and closed on this in 2014: https://bugzilla.redhat.com/show_bug.cgi?id=1151565 I attached a patch to the bug for the latest sa-update.cron script from the 3.4.2 RPM to invoke sa-compile if the plugin is enabled and re2c is installed.

sa-compile after sa-update

2018-10-10 Thread Kenneth Porter
I'm experimenting with the Rule2XSBody plugin and I've figured out that I have to run sa-compile after sa-update to create the compiled versions of local rules. I don't see anything in either sa-update or the Red Hat-supplied sa-update.cron script invoked from cron (or a systemd timer) that

Using SpamAssassin 3.4.2 Fedora 29 package on CentOS 7

2018-10-10 Thread Kenneth Porter
I'm trying to update my CentOS 7 distro 3.4.0 package to the 3.4.2 source package in the Fedora 29 repo and wanted to alert others to possible issues. (Why is

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

2018-09-17 Thread Kenneth Porter
--On Monday, September 17, 2018 3:13 PM -0400 "Kevin A. McGrail" wrote: You can install the srpm and then in /usr/src/RedHat you get various files like tar files and patches with a spec file that says how to build it. That path would be if you were building as root, which is not

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

2018-09-16 Thread Kenneth Porter
On 9/16/2018 5:44 PM, Kevin A. McGrail wrote: Thanks for the post.  The bug is way out of line though. Earlier bug that should probably be the one tracked: https://bugzilla.redhat.com/show_bug.cgi?id=1629474

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

2018-09-16 Thread Kenneth Porter
Here's the Red Hat Bugzilla bug requesting a new package for Fedora/RHEL be issued ASAP: https://bugzilla.redhat.com/show_bug.cgi?id=1629491 Once the official package drops, you should be able to download the SRPM here:

Re: Malformed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 1:16 PM -0500 David Jones wrote: I agree. Whitelisting or subtracting points should be tied to domain authentication or IP reputation. Spammers are reading this email thread and are already crafting emails to match this rule. That's a

Re: Malformed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 8:58 PM +0200 Benny Pedersen wrote: corpus testing should show how bad it is if it is Indeed. The scores I gave are just what work well for me. They'd need to go through corpus testing to work for general release, and then sites could override the

Re: Malformed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 8:44 PM +0200 Benny Pedersen wrote: hallo, mimedefang does not use spamd MD compiles and runs its own copy of SA internally. I have spamd running for individuals to filter email after it's past the MTA.

Re: Malformed List-id

2018-05-03 Thread Kenneth Porter
--On Thursday, May 03, 2018 4:16 PM +0100 RW wrote: The '?' seems superfluous. Agreed. I removed it and restarted my SA services (spamd and mimedefang).

Re: Malformed List-id

2018-05-03 Thread Kenneth Porter
--On Thursday, May 03, 2018 3:28 AM +0200 Benny Pedersen wrote: List-Id: valid or invalid ? :=) Your message got this score: X-Spam-Status: No, score=-23.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,

Malformed List-id

2018-05-02 Thread Kenneth Porter
I'm having very good results with this rule. I'm scoring it at 5 with no false positives. The high negative score for a legitimate looking List-id will file it into my List/Unknown folder for new lists and for any spammers trying to abuse this, so it's not a problem for my personal filtering.

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter
On 2/19/2018 12:20 PM, John Hardin wrote: Are those getting hits on SPOOFED_FREEM_REPTO_CHN? No, not seeing that one. After enough training I eventually see it land in Bayes. The RBLs are starting to flag it. X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter
On 2/18/2018 5:09 PM, Antony Stone wrote: On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote: Question time! You receive spam with a reply-to your own address. What do you do? I take it that this is now a rather different question than the one you originally asked in this thread,

Re: Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
--On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote: It is not spam. You get it if you have an account with alibaba. Just configure it. These emails are addressed to many of my web-page-only addresses that I've never used to sign up for anything.

Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
Is there a blacklist for domains in the reply-to header? I've noticed a lot of spam with no URL and mutating From but the reply-to domain is always aliyun dot com. I want to add a site-wide blacklist for that.

Re: Malformed List-Id header

2018-02-16 Thread Kenneth Porter
On 2/16/2018 12:57 PM, Alex wrote: I think it's a mistake to whitelist (or even deduct significant points) based on a header that can be controlled by a spammer. We see tons of spam that has properly crafted MIDs. If you're using procmail, it sounds like this is on a personal account, so

Re: Malformed List-Id header

2018-02-16 Thread Kenneth Porter
I just put this into service. I'm white-listing mailing lists. Most go to their own folder via procmail filtering, and unrecognized ones go to the folder Lists/Unknown until I write a procmail rule. But this rule should catch lazy abusers. After a bit more experience I'll crank up the

Re: Malformed List-Id header

2018-02-13 Thread Kenneth Porter
On 2/4/2018 3:35 PM, Kenneth Porter wrote: I've noticed quite a bit of spam lately with a malformed List-Id header. Most notably, the angle brackets are missing, but the contents of the angle brackets when present often don't look like a domain. No dots, for example. <https://www.ietf.

Malformed List-Id header

2018-02-04 Thread Kenneth Porter
I've noticed quite a bit of spam lately with a malformed List-Id header. Most notably, the angle brackets are missing, but the contents of the angle brackets when present often don't look like a domain. No dots, for example.

Matching base64 subject

2013-08-28 Thread Kenneth Porter
I'm trying to use this set of rules to spot Chinese or Russian characters in the subject line: http://www.timk.de/it-blog/howto-find-chinese-or-russian-spam-encoded-in-utf-8-with-spamassassin/ To debug the rules, I've replaced the leading __ in sub-rules with T_. The rules don't seem to match

Re: Romance spam

2013-03-09 Thread Kenneth Porter
--On Thursday, March 07, 2013 11:26 PM +0100 Benny Pedersen m...@junc.eu wrote: only bayes hitting ?, and it autolearns ham ? Presumably the autolearn=ham applies to anything that doesn't get marked as spam. Once I move it to my Uncaught folder, it gets retrained that night as spam. But

Re: Romance spam

2013-03-06 Thread Kenneth Porter
--On Wednesday, March 06, 2013 3:35 PM +0100 Axb axb.li...@gmail.com wrote: aren't these the ones with the @yandex.ru dropbox in the body? Good catch. I just checked for that in my Uncaught folder (which I feed to Bayes each night) and the List-Id appears in most but not all that have that

Re: Romance spam

2013-03-06 Thread Kenneth Porter
--On Wednesday, March 06, 2013 9:27 AM -0500 Kevin A. McGrail kmcgr...@pccc.com wrote: I haven't seen any of this at all. Do you have an example on pastebin and I can look through my logs? Might be getting hammered by another rule/rbl/etc. Here's an example:

Romance spam

2013-02-21 Thread Kenneth Porter
I'm noticing the following header in recent romance spam that looks like it might be an easy pattern to match. It's an unsubscribe link with a mailto link with a hex digit username of up to 20 digits. This is from a grep of my Uncaught folder. List-Unsubscribe:

Re: blizzard (and others) faux messages

2010-06-29 Thread Kenneth Porter
--On Tuesday, June 29, 2010 11:17 AM +0200 Mark Martinec mark.martinec...@ijs.si wrote: What I want: 1) Message from blizzard that has no dkim gets scored +10 adsp_override blizzard.com custom_high I just checked some recent messages and found that auto-replies from the

Re: blizzard (and others) faux messages

2010-06-29 Thread Kenneth Porter
--On Tuesday, June 29, 2010 2:37 PM -0700 John Hardin jhar...@impsec.org wrote: So it sounds like they're not sending everything through the same system. Time to post a report about that in one of their game forums. (Which one? Suggestions? Bug Reports? Customer Support? I think the last one,

Novel indentation

2010-06-25 Thread Kenneth Porter
I'm getting some nonsense spams that contain a big block of text/plain and matching HTML part, and the text/plain part has an interesting indentation pattern: The first line is indented with a single space, and all subsequent lines start with 3 spaces: Debate Over Vaccines And Autism/ADD

Re: percentage off spam

2010-05-18 Thread Kenneth Porter
--On Tuesday, May 18, 2010 10:59 AM -0400 Charles Gregory cgreg...@hwcn.org wrote: I agree that full samples are needed. The % Subject alone is not enough. But I would expect there is something 'common' to the body that would combine in a meta rule for decent score with minimal fp... So throw

Re: Low-scoring discount ED spam

2010-05-05 Thread Kenneth Porter
--On Wednesday, May 05, 2010 11:29 AM +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: do you wipe bayes database often? If not, it's not needed to retrain on all messages, since they are not forgotten. I don't recall ever deleting the DB. It's my understanding that sa-learn remembers

Low-scoring discount ED spam

2010-05-03 Thread Kenneth Porter
I've been getting regular spam that advertises a percentage discount for ED in the subject line, and names the ED in the From line. It consistently fails to breach the 5.0 score line and keeps showing up in my regular Inbox. I think I have the latest code and rules. Am I suffering from the

Re: Low-scoring discount ED spam

2010-05-03 Thread Kenneth Porter
--On Tuesday, May 04, 2010 4:22 AM +0100 RW rwmailli...@googlemail.com wrote: Are you training BAYES? A lot of these are hitting BAYES_50 or even BAYES_00. I've been copying them into my Uncaught folder which is run with sa-learn --spam --mbox each night. I just noticed that my Uncaught

Re: Google feedproxy redirector abuse

2009-11-20 Thread Kenneth Porter
--On Monday, November 16, 2009 10:27 AM -0800 John Hardin jhar...@impsec.org wrote: meta MANY_GOOG_PROXY __FEEDPROXY 5 Got one with exactly 5 today. Looks like they're learning.

Google feedproxy redirector abuse

2009-11-16 Thread Kenneth Porter
I've been seeing pill spam with lots of identical URIs pointing at feedproxy.google.com over the last week or two. All the URI's seem to be this (leading http slash slash removed): feedproxy.google.com/~r/CraigslistHoustonAllForSale/WantedSearchquothealthquot/~3/3yX2enlGlyE/ I've no idea

SpamAssassin is not a filter

2009-10-14 Thread Kenneth Porter
From http://wiki.apache.org/spamassassin/: SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering

Subject keyword plugin?

2009-08-17 Thread Kenneth Porter
Is there a plugin that can read a text file of keywords, one per line, and build the equivalent Perl regex rule for keywords in the Subject line?

Geographical distance

2009-08-06 Thread Kenneth Porter
A recent thread on spam detection suggested that geographical distance from sender to recipient correlates with spam, and that spammers tend to cluster geographically. Are there any plugins that can calculate these distances? I suppose the output would be two rules (or two sets of rules, with

Using ASN plugin on internal SA scanner

2009-08-06 Thread Kenneth Porter
--On Thursday, August 06, 2009 2:53 PM -0400 Michael Scheidell scheid...@secnap.net wrote: enable the ASN plugin.. it will create bayes tokens. then train your system, any ASN that sends you mostly spam will hit bayes_50%? Is there a way to get the ASN plugin to report on other than the

Pet photo signatures

2009-08-05 Thread Kenneth Porter
This just seems like another good way to sneak spam through: http://myemailpets.com/ I love to share photos of my cat, but I don't want to choke up the email system with them, esp. if it enables spammers one more avenue to piggyback their crap on.

Re: large unicode email nails CPU

2009-08-04 Thread Kenneth Porter
--On Tuesday, August 04, 2009 2:17 PM +1200 Jason Haar jason.h...@trimble.co.nz wrote: strace shows spamd running around looking for unicore/lib/gc_sc files - which is related to unicode stuff. I don't know if that's the problem - but that's all I could find. This looks like a good candidate

Re: Any one interested in using a proper forum?

2009-07-30 Thread Kenneth Porter
On Thursday, July 30, 2009 2:01 PM -0700 ktn j_engl...@kawasaki-tn.com wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. Or you could use a news reader pointed at Gmane's news server and subscribe to the SA newsgroups. A web

Re: Titter invite spam

2009-06-23 Thread Kenneth Porter
--On Monday, June 22, 2009 5:59 PM -0700 John Hardin jhar...@impsec.org wrote: On Mon, 22 Jun 2009, Cerebus wrote: The zip file contains a file with the name: document.pdf .exe (note the long run of spaces) My security sanitizer would

Re: spam and carbon emissions

2009-04-16 Thread Kenneth Porter
--On Wednesday, April 15, 2009 4:22 PM +0100 Martin Hepworth max...@gmail.com wrote: Interesting article http://www.newscientist.com/article/dn16951-spam-tramples-environment-with-huge-carbon-footprint.html?DCMP=OTC-rss&nsref=online-news I wonder how they figure out the transmission costs are

Re: RFC's suck

2009-04-05 Thread Kenneth Porter
--On Saturday, April 04, 2009 9:11 PM +0100 Nix n...@esperi.org.uk wrote: I hasten to point out (a little late) that the talk itself was excellent and hilarious, but that you need excellent eyes or telepathy to grasp it all without the slides. Agreed. The presenter is very entertaining and

Re: RFC's suck

2009-04-02 Thread Kenneth Porter
On Thursday, April 02, 2009 12:13 PM -0600 LuKreme krem...@kreme.com wrote: You should be sending mail out through your ISP which should be accepting your outbound mail as from you since they know who you are. Once your ISP (with their correctly configured SASL enabled mailserver) passes it

Re: RFC's suck

2009-04-01 Thread Kenneth Porter
On Thursday, April 02, 2009 12:53 AM +0200 mouss mo...@ml.netoyen.net wrote: Spam is a social problem, and social problems can't be solved by technical means only. technology does certainly help, to some extent. One of the ways technology can help is by increasing the cost of spam. SA has

Re: RFC's suck

2009-03-31 Thread Kenneth Porter
--On Tuesday, March 31, 2009 3:03 AM -0600 LuKreme krem...@kreme.com wrote: Because the idea is to be able to simply retire the current SMTP and that will be a lot simpler if the new service is on a new port. It will also be much easier to justify. You're reminding me how long it's taking to

Pastebin for spam examples

2009-03-30 Thread Kenneth Porter
--On Saturday, March 28, 2009 3:32 PM -0700 RobertH robe...@abbacomm.net wrote: pastebin said the headers tripped the spam filter so i have to post this way... I've seen this complaint before. Perhaps SA or one of the other anti-spam websites could host a pastebin for spam examples, that

RFC's suck

2009-03-30 Thread Kenneth Porter
This video was recently posted to the MIMEDefang list, and illustrates how bad the RFC's for mail format are. No wonder SA has such trouble deciding what's spam and what's legitimate. NOTHING is legitimate, due to problems with the standards. (And this doesn't even discuss SMTP, just the format

Re: RFC's suck

2009-03-30 Thread Kenneth Porter
--On Monday, March 30, 2009 7:52 PM +0100 Rik hlug090...@buzzhost.co.uk wrote: The MAIL RFC's were conceived a long time ago and have had some changes. Sure - the mail system is not ideal - however, with no RFC's we would end up with closed, stupid proprietary systems that don't talk.

Re: RFC's suck

2009-03-30 Thread Kenneth Porter
On Monday, March 30, 2009 2:13 PM -0600 LuKreme krem...@kreme.com wrote: The changes (RFC2822) did not change enough. What is really needed is SoSMTP (Son of SMTP) defined for port 26. It would be 8bit compatible and would NOT be backward compatible with current SMTP. It would not have

Re: Pastebin for spam examples

2009-03-30 Thread Kenneth Porter
On Monday, March 30, 2009 10:15 PM +0200 Karsten Bräckelmann guent...@rudersport.de wrote: There's a reason, pastebins (just like URL shortener services) are implementing spam filtering and various other spam/bulk counter-measures. That's because they have been abused by spammers. Creating a

Re: Blacklisting Cyrillic

2009-03-27 Thread Kenneth Porter
--On Friday, March 27, 2009 3:30 AM +0100 Karsten Bräckelmann guent...@rudersport.de wrote: There aren't many. Can you read any but the western ones? Then add it. Oh, and yes, western includes all those language specific stuff like German, French, Finland, etc chars. What's needed for Asian

Re: New kind of spam

2009-03-26 Thread Kenneth Porter
On Thursday, March 26, 2009 8:10 AM -0700 John Hardin jhar...@impsec.org wrote: That too is unusual enough to be a good spam sign. There are also existing rules for high image-to-text ratios. I wonder if tag-to-text ratio is a good spam sign? Another possible advantage of having a

Blacklisting Cyrillic

2009-03-26 Thread Kenneth Porter
I'd like to score anything in Windows-1251 fairly high, as I don't expect to get anything legitimate in that charset. How can I read the charset declared in a Subject header, or in a MIME part, for matching in a rule? The only tools I see are ok_locales and CHARSET_FARAWAY, but those seem
