Re: Macro virus fun

2016-04-07 Thread Matt Garretson
On 4/6/2016 3:23 PM, Alex wrote:
> Can you tell us more about the OLE2 result, and how you obtained it
> from clamav, in hopes I could do something similar with amavis?
IIRC, all you have to do is make sure your clamd.conf includes these two settings:
    ScanOLE2 yes
    OLE2BlockMacros yes

Re: Macro virus fun

2016-04-06 Thread Matt Garretson
On 4/5/2016 8:40 PM, Alex wrote:
> These targeted macro viruses are killing us. I hoped someone would
> [...]
> What strategy are other people using to block zero-day macro viruses?
I quarantine these before they get to SA with some logic in mimedefang that combines the OLE2 result from clamav

Re: My new method for blocking spam - example

2016-01-20 Thread Matt Garretson
I am not an expert but it does seem like the main novel thing is how (and how many) multi-word tokens are generated. I have been using multi-word tokens with bogofilter for years and it does help. Of course bogofilter only uses adjacent words -- perhaps OP's way of combining words could

Re: Rules Needed to verify bank fraud

2012-08-24 Thread Matt Garretson
In my experience, banks and financial institutions tend to be among the worst offenders against sane bulk mailing practices. SPF or DKIM will be broken or inconsistently applied, and sender/relay domains seem to vary with the weather. I think it will be tough to nail down all the valid domains a

Re: [Q] Adjusting Rule Scores - Which file?

2011-02-17 Thread Matt Garretson
On 2/17/2011 10:51 AM, J4K wrote:
> How could I list the default?
Something like this might get you started:
    grep -R RDNS_DYNAMIC /var/lib/spamassassin/* | grep -i score

Re: facebook phishing, SPF_PASS

2010-11-19 Thread Matt Garretson
On 11/19/2010 3:13 PM, Michael Scheidell wrote:
> Thought you would be interested, a facebook phishing email (yes, it is, ) with SPF_PASS (reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)
Hi, SPF CAN BE YOUR FRIEND HERE:
    header LOCAL_FROM_FBM from =~ /\...@facebookmail\.com/i

Re: facebook phishing, SPF_PASS

2010-11-19 Thread Matt Garretson
On 11/19/2010 4:22 PM, Michael Scheidell wrote:
> On 11/19/10 4:17 PM, Matt Garretson wrote:
>> whitelist_from_spf *...@facebookmail.com
> ah, not if you have dns issues. if you have dns issues, spf and/or dkim will fail and legit email will not pass!
True, perhaps, but a *lot* of things

Re: facebook phishing, SPF_PASS

2010-11-19 Thread Matt Garretson
On 11/19/2010 5:03 PM, Michael Scheidell wrote:
> with SPF, it could be the sender's dns servers, or if they use includes, the dns servers for that side, so, it's dangerous to add +50 points, say, and then use spf/dkim or auth to whitelist.
You do have a valid point, but I'm not too worried

Re: Match returned message headers on any NDR

2010-04-14 Thread Matt Garretson
On 4/14/2010 2:23 PM, Kris Deugau wrote:
> I'm looking for a way to match on that original-message content - after all, that's the real spam payload; the rest of the message is perfectly legitimate.
Despite conventional wisdom to the contrary, I have been training Bayes on bounces (both spam

Re: FREEMAIL_ENVFROM_END_DIGIT score

2010-03-30 Thread Matt Garretson
On 3/29/2010 3:31 PM, Michael Scheidell wrote:
> WAY too many gmail and hotmail and yahoo accounts out there, and they HAVE TO END IN DIGITS. So, FREEMAIL_ENVFROM_END_DIGIT is redundant with FREEMAIL.
Agreed. My data point FWIW: since yesterday, FREEMAIL_ENVFROM_END_DIGIT here has hit on 2304

Re: Pathological messages causing long scan times

2010-03-18 Thread Matt Garretson
On 3/18/2010 5:15 PM, Kris Deugau wrote:
> Here's one pretty much guaranteed to peg a CPU core for ~130 seconds (or more): http://pastebin.com/2ssy2YEk
Interesting. I see the same thing as you on that message. There's a two-minute gap between these two debug lines: rules: ran body rule

Re: Pathological messages causing long scan times

2010-03-18 Thread Matt Garretson
On 3/18/2010 5:56 PM, Matt Garretson wrote:
> On 3/18/2010 5:15 PM, Kris Deugau wrote:
>> Here's one pretty much guaranteed to peg a CPU core for ~130 seconds (or
>> http://pastebin.com/2ssy2YEk
> Interesting. I see the same thing as you on that message. There's a two-minute gap between these two

Re: Pathological messages causing long scan times

2010-03-18 Thread Matt Garretson
On 3/18/2010 6:06 PM, Matt Garretson wrote:
> It looks like a dns call (or two?) for URI-A took 120 seconds to return. Is that a mere coincidence, or could that be causing a spin of some sort?
FWIW, strace shows spamassassin doing this about twice a second (with varying arguments) during the two

Re: Newest spammer trick - non-blank subject lines?

2010-02-11 Thread Matt Garretson
On 2/11/2010 8:08 AM, Per Jessen wrote:
> The only minor issue I see is that a lot of people don't understand NDRs (or can't be bothered to try to).
True. Also, a lot of mail relays mangle NDRs beyond usability.

Re: Spam from compromised web mails

2009-12-15 Thread Matt Garretson
On 12/15/2009 9:31 AM, The Doctor wrote:
> On Tue, Dec 15, 2009 at 12:55:00PM +0530, Rajkumar S wrote:
>> Occasionally I receive mail from compromised web mails asking user name and password from my users. The source IPs are usually clean (as they are legitimate mail servers) and do not catch any

Re: Spam from compromised web mails

2009-12-15 Thread Matt Garretson
On 12/15/2009 10:37 AM, Yet Another Ninja wrote:
> even using site wide, autolearning will help your detection a LOT. Don't underestimate it...
Heartily agreed. Site-wide bayes here (single database for 2000+ users) catches 40% of the spam here. It could certainly catch more, but the first

OT: Re: NOT really about Unhindered Pharma Spam

2009-11-30 Thread Matt Garretson
Chris Owen wrote:
> Why anyone replies to this guy about anything is beyond me. Adding him to a kill file doesn't do much good when you still see the other half of the argument.
+1 If you must feed the trolls, please at least don't quote them.

Re: HABEAS_ACCREDITED SPAMMER

2009-11-24 Thread Matt Garretson
Daniel J McDonald wrote:
> Although these don't all appear to be business related, very few would be marked as spam without the HABEAS_ACCREDITED bonus. First, the suspicious ones:
> [snip]
FWIW, a good number of those in your list I'm pretty sure are legit opt-in newsletters (term used

Re: HABEAS_ACCREDITED SPAMMER

2009-11-24 Thread Matt Garretson
Matt Garretson wrote:
> FWIW, a good number of those in your list I'm pretty sure are legit opt-in newsletters (term used loosely... they mainly consist of ads and special offers). Sure, they're
Followup to myself: I have no opinion on the HABEAS issue, but a couple years ago I decided

Re: there goes the uri scripts..

2009-11-02 Thread Matt Garretson
Bernd Petrovitsch wrote:
> Think about domain names which (ab)use IDN to generate a very similar text strings (read: glyphs) (especially with the default font in our beloved monopoly-OS) to serious ones.
Good point. It will be fun when grandma loses her glasses and clicks on a link to

Re: Looking for list of bank domains

2009-03-30 Thread Matt Garretson
Marc Perkel wrote:
> I'd like to get a more complete list of banks or bank like institutions and sites where hackers are trying to steal passwords to log into people's accounts. Here's my small list. Like to get more. I might set
What about webmail sites that people phish for? And social

Re: Using SpamAssassin for just the Bayesian filtering?

2009-03-24 Thread Matt Garretson
Randy J. Ray wrote:
> filtering on other content, filtering that isn't the same as spam-testing. In a nutshell, we currently use the bogofilter application to classify messages, and invoke it with different word-list files to represent different filtering requirements. But this isn't going

Re: system response message backlash from spam messages

2009-02-12 Thread Matt Garretson
Ned Slider wrote:
> how much faith do you place in a mail admin deploying SPF _AND_ bouncing messages on SPF failure when they can't even address the issue that their servers are responsible for the backscatter problem
I think that you may be assuming too much about the way other people

Re: Regular expression help

2009-01-21 Thread Matt Garretson
John Hardin wrote:
> On Wed, 21 Jan 2009, rje...@vzw.blackberry.net wrote:
> Didn't we already do this?
Hopefully it's just an old message that was stuck in a blackberry queue somewhere. :)

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Matt Garretson
Is there any way that a more distributed method of delivering updates could be more resistant to DDOS attacks? E.g. trackerless bittorrents (DHT), or something along those lines? Just wondering in general

Re: Rule to catch PO#

2008-12-04 Thread Matt Garretson
This thread is getting ridiculous. Just use
    Subject =~ /po.*\d+/i
To avoid losing millions of dollars, surely they can put up with a couple of porn and impotence spams. :-)

Re: Rule to catch PO#

2008-12-02 Thread Matt Garretson
Ray Jette wrote:
> PO random #s
> POrandom #s
> PO# random #s
> PO#random #s
> PO # random #s
> PO #random #s
Try:
    Subject =~ /PO ?\#? ?\d+/i
If you don't need case insensitivity, remove the trailing 'i'.

Re: UPS / FedEx spam with virus attached

2008-08-20 Thread Matt Garretson
Bob Pierce wrote:
> Of course the zip attachment contains a virus, and ClamAV does not seem to be catching that either.
At my site, ClamAV has been catching them as Email.Trojan.GZC for some time. You might want to check your ClamAV patterns and/or config. For newer ones that Clam doesn't yet

Re: VBounce ruleset

2008-05-14 Thread Matt Garretson
Aaron Bennett wrote:
> production environment -- do you see them working with the default scores, or have you tweaked them at all?
I've set up a meta rule which adds more to the score if either ANY_BOUNCE_MESSAGE or VBOUNCE_MESSAGE hit. I also have custom rules that try to decrease the score

clear_headers does not remove X-Spam-Report

2004-09-24 Thread Matt Garretson
With SA 3.0, using clear_headers in local.cf does not prevent the X-Spam-Report: header from being inserted into spam messages. Is this a bug or a feature? Below is my local.cf.
    ### +++
    required_score 8.0
    clear_headers
    report_safe 0
    use_dcc 0
    use_pyzor 0
    use_razor2 0
    dns_available yes