Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

2017-10-31 Thread Kevin Golding
On Mon, 30 Oct 2017 22:35:08 -, David Gessel wrote: 1) sa-learn seems really, really slow. Slow enough that spam sometimes comes in faster. This seems far slower than the benchmark results suggest is within the range of normal. I'm sure I'm doing

Re: Whitelisting amazon where no DKIM_VALID_AU exists

2017-08-30 Thread Kevin Golding
On Wed, 30 Aug 2017 19:54:19 +0100, David Jones wrote: That ab...@amazonaws.com address is on this page: https://aws.amazon.com/forms/report-abuse Surely you can forward as attachment or either paste in the original headers to provide them enough detail to track down their

Re: Identifiying PDF phish docs

2017-08-23 Thread Kevin Golding
On Wed, 23 Aug 2017 02:02:58 +0100, Alex wrote: John wrote: clamav? It's too slow to react, particularly when the PDFs are written specifically to reach a domain. Sometimes the PDF will never be detected by any of the antivirus scanners because of this.

Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Kevin Golding
On Thu, 10 Aug 2017 15:12:11 +0100, Felix Defrance wrote: In the first lines on log, you could see opendkim results are success. Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D:

Re: Mail::SpamAssassin::Plugin::EmailBL??

2017-07-27 Thread Kevin Golding
On Thu, 27 Jul 2017 08:28:06 +0100, hospice admin wrote: the above plugin doesn't seem to be distributed with the version of SpamAssassin I'm running: spamassassin --version SpamAssassin version 3.4.0 running on Perl version 5.16.3 Also, I can't find mention of

Re: Direct download link detection

2017-07-25 Thread Kevin Golding
On Mon, 24 Jul 2017 23:00:33 +0100, Alex wrote: Link to malicious file removed... Generally not a good idea to post direct links like that. What would be involved in following these links in SA to determine if they immediately download a file (other than a web

Re: "bout u" campaign

2017-07-17 Thread Kevin Golding
On Mon, 17 Jul 2017 18:38:24 +0100, David Jones wrote: It would be nice if there was a local tool that could be part of the SA project that would extend the masscheck processing and help build content and meta rules. As John's already mentioned, there is a surprising array

Re: No rule updates since 1/1/17

2017-01-21 Thread Kevin Golding
On Sat, 21 Jan 2017 19:08:39 -, Jari Fredriksson wrote: John Hardin wrote on 20.1.2017 22:38: Collecting spam after RBL filtering is much less helpful to masscheck. Ideally your spam corpus is from a totally unfiltered feed.

Re: No rule updates since 1/1/17

2017-01-21 Thread Kevin Golding
On Sat, 21 Jan 2017 16:35:12 -, David Jones wrote: I think the "barrier to entry" is too difficult for most. I would have to setup a new MX on a domain without MTA checks (DNS and RBL) then create a honeypot email address to attract spam if I didn't have established

Re: No rule updates since 1/1/17

2017-01-21 Thread Kevin Golding
On Fri, 20 Jan 2017 19:02:09 -, Tom Hendrikx wrote: I think I can say the same about my platform, but since this issue keeps popping up I just applied for an account just to find out if my contribution could help. I can't speculate so I'm just gonna try if it helps :)

Re: No rule updates since 1/1/17

2017-01-20 Thread Kevin Golding
On Fri, 20 Jan 2017 17:26:01 -, Bill Keenan wrote: What is the fix needed so /usr/bin/sa-update starts getting updates? I too have not received an update from updates.spamassassin.org since 1-Jan-17. Besides

Re: .info TLD gives 2.1?

2016-11-21 Thread Kevin Golding
On Mon, 21 Nov 2016 19:00:59 -, Alex wrote: The part I was unsure of was if those 2.1 points were warranted because I've only ever seen it in ham. Now I understand that it is. http://ruleqa.spamassassin.org/ is a very good source for understanding how rules get

Re: DKIM Score

2016-08-16 Thread Kevin Golding
On Tue, 16 Aug 2016 09:00:12 +0100, Merijn van den Kroonenberg wrote: Besides, can I change the lines as following? header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i header __DKIM_REQUIRED

Re: R: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Kevin Golding
On Tue, 09 Aug 2016 16:43:50 +0100, Nicola Piazzi wrote: WHITELIST_FROM_RCVD require to know mailserver name Take this example : whitelist_from_rcvd *@axkit.org sergeant.org We want to accept all domain axkit.org and we are sure that is not spoofing

Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Kevin Golding
On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote: Hi A lot of time we receive mail that are SPF NONE and have no DKIM It will be useful a little plugin that be able to give another chance to legitimate these emails A lot of servers use the same machine

Re: eval:check_uridnsbl to check subdomains

2016-08-05 Thread Kevin Golding
On Fri, 05 Aug 2016 19:17:16 +0100, robertboyl wrote: .com.br afaik is TLD nibo.com.br is a 2tld conteudo.nibo.com.br a 3tld Your counting is off: .br is a top level domain - ref: http://www.iana.org/domains/root/db .com.br is a 2nd level domain .nibo.com.br is a 3rd

Re: Advice: why one relay evaluated and not the other

2016-06-08 Thread Kevin Golding
On Wed, 08 Jun 2016 13:49:17 +0100, jimimaseye wrote: Regarding the range: the range belongs to our mail host provider who receive the emails then pass them amongst their own servers (doing their own tests no doubt). Plus they don't have just the one

Re: Advice: why one relay evaluated and not the other

2016-06-08 Thread Kevin Golding
On Wed, 08 Jun 2016 13:07:14 +0100, jimimaseye wrote: I did try adding the "internal_networks 195.26.90. " option to my LOCAL.CF before, and in fact I have just tried it again based on your advice, but it doesn't make any difference. Here are the

Re: Advice: why one relay evaluated and not the other

2016-06-08 Thread Kevin Golding
On Wed, 08 Jun 2016 07:22:19 +0100, jimimaseye wrote: 1, You can see that Spamassassin considered and evaluated the IP address 195.26.90.72 (as reported in its report). Now this is the SECOND received header in the list. And yet it doesn't evaluate

Re: malware campaign: javascript in ".tgz"

2016-04-21 Thread Kevin Golding
On Thu, 21 Apr 2016 14:33:01 +0100, Chip M. wrote: Starting about two hours ago, about 40% of my real-time honeypot spam is a new malware campaign. About a third are hitting "BAYES_00", with about 10% of all having negative SA scores. :( I've just checked 4 that

Re: def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
On Wed, 23 Mar 2016 17:21:32 -, John Hardin <jhar...@impsec.org> wrote: On Wed, 23 Mar 2016, Kevin Golding wrote: Even transcribing it for the list I used the new domain instead of the original rule. I was going to ask about that, but I figured it was just a typo so I

Re: def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
On Wed, 23 Mar 2016 16:33:16 -, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: On 23.03.16 16:06, Kevin Golding wrote: Well the whitelisting failure was the first debug I posted, to clarify. When using (only): def_whitelist_auth *@*.bbcmail.co.uk The debug is: Mar 23 11:17:

Re: def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
On Wed, 23 Mar 2016 15:38:33 -, RW <rwmailli...@googlemail.com> wrote: On Wed, 23 Mar 2016 14:36:08 - Kevin Golding wrote: On Wed, 23 Mar 2016 14:04:03 -, RW <rwmailli...@googlemail.com> wrote: > On Wed, 23 Mar 2016 13:45:29 - > Kevin Golding wrote: > &

Re: def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
On Wed, 23 Mar 2016 14:04:03 -, RW <rwmailli...@googlemail.com> wrote: On Wed, 23 Mar 2016 13:45:29 - Kevin Golding wrote: On Wed, 23 Mar 2016 12:30:43 -, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > On 23.03.16 11:56, Kevin Golding wrote: >> I can't f

Re: def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
On Wed, 23 Mar 2016 12:30:43 -, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: On 23.03.16 11:56, Kevin Golding wrote: I can't figure this one out so I'll throw it out. When receiving mail from the address b...@e.bbcmail.co.uk def_whitelist_auth *@*.bbcmail

def_whitelist_auth inconsistencies

2016-03-23 Thread Kevin Golding
I can't figure this one out so I'll throw it out. When receiving mail from the address b...@e.bbcmail.co.uk def_whitelist_auth *@*.bbcmail.co.uk # is not whitelisted whitelist_from_dkim *@*.bbcmail.co.uk # is whitelisted Now I thought this a bit odd since the docs say: Using whitelist_auth

Re: DOS_OUTLOOK_TO_MX and fp

2016-03-04 Thread Kevin Golding
On Sat, 05 Mar 2016 04:09:55 -, David B Funk wrote: On Fri, 4 Mar 2016, Alex wrote: I have a legitimate mail that received 2.8 points, making it spam, as a result of what appears to be a false positive with DOS_OUTLOOK_TO_MX http://pastebin.com/dbm2Q4k6

Re: txrep and bayes_sql_override_username

2016-02-25 Thread Kevin Golding
On Thu, 25 Feb 2016 16:47:05 -, bOnK wrote: I'm using bayes_sql_override_username. Mysql userpref: @example.com bayes_sql_override_username SomeName Table bayes_vars uses SomeName for all users @example.com, but txrep seems to ignore this

Re: TxRep Template Tags staying as tags

2015-12-31 Thread Kevin Golding
On Thu, 31 Dec 2015 13:52:45 -, Kevin A. McGrail <kmcgr...@pccc.com> wrote: On 12/30/2015 4:52 AM, Kevin Golding wrote: Simplest option is submitted: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7280 Agreed. It's a good pointer since I never paid attention to it

Re: TxRep Template Tags staying as tags

2015-12-30 Thread Kevin Golding
On Tue, 29 Dec 2015 17:17:38 -, Kevin A. McGrail <kmcgr...@pccc.com> wrote: On 12/29/2015 7:18 AM, Kevin Golding wrote: The big thing I've confirmed is the _Y part of the tag is redundant for me, since I see the following in debug: dbg: check: tagrun - tag TXREP_EMAIL_IP

Re: TxRep Template Tags staying as tags

2015-12-29 Thread Kevin Golding
On Mon, 28 Dec 2015 18:21:35 -, Kevin A. McGrail <kmcgr...@pccc.com> wrote: On 12/24/2015 10:04 AM, Kevin Golding wrote: I know I'm a bit weird but I like stuffing headers with all kinds of data like I'm stuffing a turkey for Christmas, but I've never been able to get anything s

TxRep Template Tags staying as tags

2015-12-24 Thread Kevin Golding
I know I'm a bit weird but I like stuffing headers with all kinds of data like I'm stuffing a turkey for Christmas, but I've never been able to get anything showing up for TxRep (it is referenced in _TESTSSCORES_ but none of the TxRep specific ones seem to convert). I feel I can't be the

Re: DNS lookups fail with SpamAssassin since Net::DNS 1.03

2015-12-16 Thread Kevin Golding
On Wed, 16 Dec 2015 16:13:03 -, Ian Eiloart wrote: On 16 Dec 2015, at 16:09, Reindl Harald wrote: On 16.12.2015 at 17:00, Ian Eiloart wrote: On 16 Dec 2015, at 15:30, Kevin A. McGrail wrote: Downgrade your netdns.

Re: Spamassassin SPF plugin headers

2015-11-18 Thread Kevin Golding
On Wed, 18 Nov 2015 14:37:38 -, Elod G wrote: The SPF plugin is already checking for the standard Received-SPF and Authentication-Results headers. Those headers are added by the SPF policy server and used by other milters. It is just the SA milter that is not finding

Re: spam with url redirects

2015-08-14 Thread Kevin Golding
- Original Message - From: michael reimer michael.rei...@falke.com To: users@spamassassin.apache.org Sent: Friday, 14 August, 2015 7:44:33 AM Subject: spam with url redirects X-Spam-Status: No, score=2.999 tagged_above=2 required=6.9 tests=[DATE_IN_PAST_96_XX=2.07,

Re: SOUGHT 2.0 ?

2014-11-13 Thread Kevin Golding
On Thu, 13 Nov 2014 02:17:54 -, Ian Zimmerman i...@buug.org wrote: On Sat, 01 Nov 2014 10:06:57 -, Kevin Golding k...@caomhin.org wrote: Kevin So anyone else want to raise their hands? It depends. Would I mind a bit of regular maintenance work? No, I wouldn't mind. Would I mind

Re: SOUGHT 2.0 ?

2014-11-01 Thread Kevin Golding
On Thu, 30 Oct 2014 20:10:22 -, Bob Proulx b...@proulx.com wrote: Axb wrote: It would be nice to be able to use this experience to replace the SOUGHT rules for everyone BUT: ... All very good, reasonable and understandable reasons. And those reasons also apply to me too. Insert all of

Re: Checking Rules

2010-02-22 Thread Kevin Golding
In article 4b827244.2060...@caos.uab.es, Personal Técnico tecni...@caos.uab.es writes Another question: is there any way for configuring SA for getting a detailed score of rules in a mail when X-Spam-Status: No. By default, SA does a detailed score when mail is marked as SPAM, but not in HAM

Re: Pipe characters in From and To's

2010-02-12 Thread Kevin Golding
In article 20100212103757.4dde0...@goof.off.knossos.net.nz, Spiro Harvey sp...@knossos.net.nz writes So I'm just wondering if others encounter this with enough regularity, and if so what your thoughts and advice are. I don't particularly want to add rules into sendmail, so SA is my avenue of

Re: Should I block Experian/Free Credit Report

2010-01-24 Thread Kevin Golding
In article 4b5b125e.2050...@perkel.com, Marc Perkel m...@perkel.com writes This is a tricky decision. What they Free Credit Report / Experian is doing is fraudulent. Although they aren't stealing the way phishers are, just because they aren't just as bad. In fact I suspect they rip off far

Re: FP on blacklist hostkarma

2009-12-11 Thread Kevin Golding
In article 4b226758.90...@perkel.com, Marc Perkel m...@perkel.com writes If you have any other domain names for me to list let me know. I'm always looking to expand my white lists. shop.marksandspencer.com is one I always see hitting black, and SPF_HELO_PASS so...

Re: All emails being tagged URIBL

2008-12-29 Thread Kevin Golding
In article a517d8b10812282155j346a44d6w571ad02dcef0...@mail.gmail.com, David Hasbrouck davidlhasbro...@gmail.com writes I am having an issue where all my emails are getting tagged with URIBL_RED/GREY/BLACK.  Emails that contain invalid domains in them are also getting tagged.

Re: sought rules updates

2008-12-12 Thread Kevin Golding
In article a64af57c-7838-455f-b529-669e95386...@kreme.com, LuKreme krem...@kreme.com writes The gpg installed on my FreeBSD does not have a man page (installed by ports for SA3.2.5, IIRC), just a --help which says the syntax is: Logically you have security/gnupg installed which means... %ls -l

Re: I'd like to get my blacklist/whitelist included in SA

2008-07-25 Thread Kevin Golding
In article [EMAIL PROTECTED], Marc Perkel [EMAIL PROTECTED] writes What kind of license do I need to provide to be SA compatible? I'd imagine the line anyone who uses our lists or our data either directly from us or indirectly through a third party grants us a license for us to use your data from

Re: Lots of scam messages getting through SA

2008-03-07 Thread Kevin Golding
In article [EMAIL PROTECTED], ram [EMAIL PROTECTED] writes But ultimately this boils down to end user education. Recipients must realize that no one from Africa is going to transfer all the millions of dollars in an unknown account , or there is nothing called as a national lottery in the united

Re: new google trick: docs

2008-02-27 Thread Kevin Golding
In article [EMAIL PROTECTED], Chip M. [EMAIL PROTECTED] writes A brief search shows this actually started at least a month ago: http://chris.pirillo.com/2007/01/16/google-docs-spam/ Erm, that's from 13 months ago :-) Kevin

Re: Time to make multi.uribl.org optional rather than default?

2008-02-20 Thread Kevin Golding
In article [EMAIL PROTECTED], Andy Dills [EMAIL PROTECTED] writes I must be stupid, I'm not able to invent an explanation that doesn't involve a profit motive. I think it's very safe to assume that URIBL is not profit making and never likely to be so. providing free service (in theory) to

Re: Russian and Chinese spam rulesets?

2007-03-06 Thread Kevin Golding
In article [EMAIL PROTECTED], Eray Aslan [EMAIL PROTECTED] writes Some Russian and Chinese spam (especially Russian) is making its way to our users inboxes. We do business with those 2 countries. Consequently, lots of legitimate emails go back and forth so that I cannot just bump up the score for

Minor FP on ham with logo - 5.173

2007-01-17 Thread Kevin Golding
I've had a few FPs on a legitimate mail from someone who apparently enjoys large fonts and a logo. I'm using network tests but not bayes and these are the stock rules being hit along with their scores from sa-update: EXTRA_MPART_TYPE 0.815 DK_POLICY_SIGNSOME 0.001 TVD_FW_GRAPHIC_ID1 2.100

Re: Breaking up the Bot army - we need a plan

2006-12-14 Thread Kevin Golding
In article [EMAIL PROTECTED], John Rudd [EMAIL PROTECTED] writes I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. Registrant: eBay Inc. 2145 Hamilton Avenue San Jose, CA 95125 US Domain name: EMAILEBAY.COM Registrar of Record: TUCOWS, INC. Record last updated

Re: Breaking up the Bot army - we need a plan

2006-12-14 Thread Kevin Golding
Someone, quite probably John Rudd, once wrote: Kevin Golding wrote: In article [EMAIL PROTECTED], John Rudd [EMAIL PROTECTED] writes I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. Registrant: eBay Inc. 2145 Hamilton Avenue San Jose, CA 95125 US Domain

Re: Easyjet e-mail scoring very high

2006-12-02 Thread Kevin Golding
In article [EMAIL PROTECTED], David B Funk [EMAIL PROTECTED] writes FYI, easyjet.com appears to have a valid SPF record, so whitelist_from_spf [EMAIL PROTECTED] should also work without the hassle of trying to stay ahead of mailserver changes. Unfortunately it looks like savvis.net wouldn't

Re: Percentage of email that is spam after filtering?

2006-11-28 Thread Kevin Golding
In article [EMAIL PROTECTED] , Kelly Jones [EMAIL PROTECTED] writes I know that most (90%+) email sent now is spam, but what are the numbers for people who use spam filtering? I realize it varies by user, sensitivity to false positives, tools used, etc, but do people who use spam filtering find

Re: ALL_TRUSTED creating a problem

2006-10-19 Thread Kevin Golding
Someone, quite probably Jo Rhett, once wrote: Kevin Golding wrote: FWIW I've run SpamAssassin on a bog-standard, normal, plain, old-fashioned FreeBSD box sitting in a rack with a public IP, no NAT, no patches, and no pixies or faeries. Auto-detection worked fine. Just for my reference Worked

Re: ALL_TRUSTED creating a problem

2006-10-18 Thread Kevin Golding
In article [EMAIL PROTECTED], Jo Rhett [EMAIL PROTECTED] writes These arguments are getting sillier and sillier. I'm asking why it doesn't work in a plain-jane do-nothing normal public box not behind a NAT. And every argument so far has been some strange configuration that is very

Re: How can I (we) get rid of this?

2006-08-22 Thread Kevin Golding
In article [EMAIL PROTECTED], DAve [EMAIL PROTECTED] writes I really don't want to install X on my mailgateways. It would have to be as good as URIBL and SURBL before I would consider that. Is there a way around the dependencies? The FreeBSD port shows the following, xorg-libraries-6.9.0,

Re: Mail from btinternet outlook express users tagged as FORGED_MUA_OUTLOOK

2006-06-30 Thread Kevin Golding
In article [EMAIL PROTECTED] c.ac.uk, brandon pearson (BITS) [EMAIL PROTECTED] writes SpamAssassin version 3.1.1 We are getting valid mail from outlook express users on btinternet tagged as FORGED_MUA_OUTLOOK. It looks to me like spamassassin does not identify the message-id as an outlook express

Re: Which Operating Systems Do You Use and Why?

2006-04-07 Thread Kevin Golding
In article [EMAIL PROTECTED], Mike Jackson [EMAIL PROTECTED] writes The question is does FreeBSD make binary package updates, or are security updates source-patch only. From what I've observed, the base OS updates are source-patch only, at least until the next full FreeBSD release. Anything

Re: V*I*A*

2005-06-16 Thread Kevin Golding
In article [EMAIL PROTECTED], [EMAIL PROTECTED] online.de writes I just received some spam built like V<span style=display: none> some words </span>I<span style=display: none> more text </span>I Is there any way to detect these? Working on the logic that display:none is highly unlikely to ever appear in

Re: German Spam followup

2005-05-17 Thread Kevin Golding
In article [EMAIL PROTECTED], Loren Wilton [EMAIL PROTECTED] writes Since I have legitimate users communicating all over the world, I am very interested in other rulesets that would block spam in languages besides English. Not sure how big of a problem this is - I know we get I believe there