On Aug 30, 2013, at 3:23 PM, Matt matt.mailingli...@gmail.com wrote:
I am seeing tons of junk getting through claiming to be from the USPS
about a missed delivery package. Anyone else seeing this?
Yes. I've got some decent rules for killing off the FedEx and RPS variants as
well. I'd
On Aug 29, 2013, at 6:41 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200
Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:
Hi,
I'm getting loads of fake LinkedIn invites, most of which
-Original Message-
From: RGB Camera [mailto:zauschne...@gmail.com]
Sent: Thursday, March 24, 2011 4:34 PM
To: users@spamassassin.apache.org
Subject: Re: URIBL_RHS_DOB false positives?
Yes, we set the pointage to 0.01 until whatever is broken gets fixed.
We normally score that
On Jun 27, 2010, at 8:22 PM, bongomania o...@usa.net wrote:
My email server, squirrelmail, has spamassassin already installed. To
configure, it says to enter the score above which emails should be
quarantined.
Generally, 5 indicates spam. As a few false positives do occur at those
Please excuse the top-post. This truly brain-damaged mua does not allow me to
edit the body.
Easiest way to disable whitelists is:
grep -E score\ RCVD.+-
/var/lib/spamassassin/updates_spamassassin_org/50_scores.cf | cut -d\ -f1-3
/etc/mail/spamassassin/no-whitelists.cf
Sent with Good
On Dec 19, 2009, at 8:42 PM, jida...@jidanni.org
jida...@jidanni.org wrote:
Regarding sa-update,
EXIT CODES
This would then not stop Makefiles that call it, nor would one need to
do case $? in 0|1)...; esac.
But it would break scripts that check for a 0 and then run sa-compile
on the
On Dec 16, 2009, at 8:13 AM, Bowie Bailey bowie_bai...@buc.com
wrote:
Christian Brel wrote:
The point comes back to this and it has *not* been answered sensibly;
WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE SCORING RULE
THAT
FAVOURS A COMMERCIAL BULK MAILER. Namely the negative
On Dec 16, 2009, at 9:42 PM, David B Funk dbf...@engineering.uiowa.edu
wrote:
On Wed, 16 Dec 2009, Marc Perkel wrote:
I don't know if anyone still remembers this but this is what I had
for
my first computer back on 1979.
I miss my Ohio Scientific C3. I had a Tektrinix 4027 terminal
On Dec 7, 2009, at 12:12 PM, R-Elists list...@abbacomm.net wrote:
in the post there was mention of
- added or updated many rules; incomplete list in no particular order:
vbounce, lotsa_money, muchmoney, image spam, fill_this_form,
FreeMail...snipped
Q1)is there a location that shows the
On Dec 6, 2009, at 12:02 AM, Benny Pedersen m...@junc.org wrote:
i think it could be added to freemail.pm to test if sender domain
have spf or dkim and if no spf and or no dkim consider it as a
freemail domain ?
Sorry, but SPF and DKIM simply don't have the saturation required for
On Dec 6, 2009, at 12:56 PM, Marc Perkel m...@perkel.com wrote:
Benny Pedersen wrote:
i think it could be added to freemail.pm to test if sender domain
have spf or dkim and if no spf and or no dkim consider it as a
freemail domain ?
I don't see the relationship that SPF has to
On Dec 5, 2009, at 4:20 AM, Per Jessen p...@computer.org wrote:
Charles Gregory wrote:
On Fri, 4 Dec 2009, Per Jessen wrote:
The other side of the argument is - why does any legitimate company
need to employ a service such as Habeas/Returnpath/whatever?
Any legitimate drug company that
The textcat plugin does a fair job. It's part of the default build,
but not enabled by default.
On Dec 5, 2009, at 10:03 AM, Marc Perkel m...@perkel.com wrote:
Are there any rules to determine what language a message is in?
On Tue, 2009-11-24 at 09:22 -0800, R-Elists wrote:
didnt anyone think that the emailBL project was good enough in adding an
extra factor of protection to continue development?
I'm using it with a locally sourced set of bad actors. Unfortunately,
I don't believe I'm allow to share the data.
On 11/12/09 9:42 PM ,
luis.daniel.lu...@gmail.com wrote:
Again me, Well, in the security scope i use a principle that states that you
souldnt use a lower layer solution to fix a higher one. So SPAM is a Layer 7
problem that is used to fixed with a Layer 3 solution (RBL).
So, worms like
On Tue, 2009-10-27 at 18:52 -0400, Adam Katz wrote:
McDonald, Dan wrote:
I run sa-update and sa-compile from a cron job at a regular interval.
gpg: WARNING: unsafe permissions on homedir
`/etc/mail/spamassassin/sa-update-keys'
[8641] info: generic: base extraction
I run sa-update and sa-compile from a cron job at a regular interval.
At seemingly random times, it simply fails to run. All I get in the
cron log is:
gpg: WARNING: unsafe permissions on homedir
`/etc/mail/spamassassin/sa-update-keys'
[8641] info: generic: base
On Fri, 2009-10-23 at 03:34 -0700, Marc Perkel wrote:
Does SA support host name based black/white lists?
like whitelist_rcvd_from ?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
signature.asc
Description: This is a digitally signed message part
On Fri, 2009-10-23 at 13:02 +0200, klop...@gmx.de wrote:
Hi,
I use Spamassassin 3.2.5 with CentOS
On October 20 I startet an update with this commands:
sa-update --channel updates.spamassassin.org
When I start now the update, the date of the folder and file
in
On Thu, 2009-10-22 at 01:42 -0700, Karolis wrote:
Hi,
I have two mail servers one with domain aaa.com, second bbb.com. Both have
spamassassin installed. Most distribution lists on aaa.com routes emails to
bbb.com. So email gets checked twice.
Adding whitelist_to aaa.com in bbb
On Wed, 2009-10-21 at 17:40 +0200, Lars Ebeling wrote:
Why aren't mail from United Parcel Service scanned?
The last 24 hours have i got about 20 of them and none scanned.
check the size of the messages, see if the embedded images make it
larger than your cutoff...
But a pastebin example
On Tue, 2009-10-20 at 14:23 +, Luis campo wrote:
Dear Sirs,
I have the problem that many SPAM emails being filtered to the mail
box users, who might that be?
what would be the problem that keeps coming in much spam our users,
and that he could do to catch any mail that has no
Lately, a few 419 scams have been slipping through to me, written in
French - I get two or three a week. It's sort of amusing to me, but
wondered if anyone is collecting them to write rules.
X-Spam-Status: No, score=4 tagged_above=-999 required=4.5
tests=[BOTNET_SOHO=-0.1, L_P0F_UNKN=0.8,
of some sort, but the
output of that command will reveal much to assist in troubleshooting...
McDonald, Dan wrote:
On Thu, 2009-01-22 at 06:14 -0800, prkr wrote:
Hi,
/var/lib/spamassassin/3.002005/updates_spamassassin_org.pre
;; query(5.2.3.updates.spamassassin.org, TXT)
[1237] dbg
On Tue, 2009-10-13 at 15:42 +0200, Matus UHLAR - fantomas wrote:
On søn 11 okt 2009 02:31:58 CEST, John Rudd wrote
On Sat, Oct 10, 2009 at 16:44, Warren Togami wtog...@redhat.com wrote:
Given that zen.spamhaus.org is a combination of XBL and PBL, this
data seems to confirm the good
We are getting a number of word docs with scams in them.
e.g.:
http://pastebin.com/m7e7efaac
Note that this message has been MUNGed by Outlook, so the html parts
have truly been Mashed Until No Good. As far as I can tell, the
following rules didn't hit in the original, pre-MUNGed message:
1.6
On Mon, 2009-10-05 at 09:32 -0700, Jefferson Davis wrote:
Keep getting similar obvious (to me) spam - tuning recommendations?
My threshold is torqued down to 3.5
AV:Sanesecurity.Junk.14595.UNOFFICIAL=6.1,
AE_DETAILS_WITH_EMAIL=2.5, AE_DETAILS_WITH_MONEY=2, BOTNET_SOHO=-0.1,
On Mon, 2009-10-05 at 20:17 +0200, Karsten Bräckelmann wrote:
On Mon, 2009-10-05 at 11:01 -0700, Jefferson Davis wrote:
Thanks for the tips and low-grade knuck-wrap. Investigating -
installed 20_sought, tweaked local.cf back to 5.0 per list
recommendation.
Just a minor nit, in case it
On Mon, 2009-10-05 at 22:00 +0200, Karsten Bräckelmann wrote:
On Mon, 2009-10-05 at 15:42 -0400, Thomas Mullins wrote:
We have been running Spamassassin for maybe eight years now. But, my
coworkers do not like OpenSource. So they have finally complained
enough that my boss is going to
On Mon, 2009-10-05 at 16:49 -0400, Thomas Mullins wrote:
I have no explanation,
I will pull out our BSD box, and I will let them connect the Exchange
box straight to the Net.
They probably just want to connect their iPhones to the exchange server
with Active-Sync, and couldn't be bothered
On Mon, 2009-09-28 at 15:50 -0700, Marc Perkel wrote:
This should be easy but I'm missing something. I have a RBL list (dnset)
for host testbl.junkemailfilter.com
:2:Test
.xx.host.example.com :4:
.host.example.com :3:
.example.com :9:
.com :6:
Works fine. But - I want to create an A
On Tue, 2009-09-29 at 08:19 +0200, to...@starbridge.org wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
to...@starbridge.org a écrit :
to...@starbridge.org a écrit :
Benny Pedersen a écrit :
On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote
I've tested with SA 3.2.5
On Sat, 2009-09-26 at 09:25 -0700, John Hardin wrote:
On Sat, 26 Sep 2009, Karsten Brckelmann wrote:
On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
Another note which I've seen here before: Drop the [.,] for the host
part of a uri rule. It's not a URI if it contains a comma, it'll
On Mon, 2009-09-28 at 16:52 -0400, Michael Scheidell wrote:
I sent this to our support group, but looks like there can be some
issues, and maybe a better way.
Wrong list - this is an amavisd question
while there cannot be a duplicate id:
(maddr id = 5) can't exist in partition_tag 23
On Fri, 2009-09-25 at 09:30 +0200, Guillaume Gelle wrote:
Dear all,
As usual, spammers improved and instead of receiving profiles|groups|
personnal.yahoo.com links, now, I'm being hit with
www.google.com/reader links.
(ie : A
On Fri, 2009-09-11 at 00:51 -0700, franc wrote:
Hello,
i just installed spamassassin 3.2.4 (running on Perl 5.8.8) with postfix
2.5.1 on a Ubuntu 8.04.
Now i want to use a personal blacklist an i put into
/etc/spamassassin/myblacklist.cf
That's an odd path name. I'm used to the config
On Fri, 2009-09-11 at 04:27 -0700, franc wrote:
rich...@buzzhost.co.uk wrote:
Yes, i restarted spamassassin, and now i found out, that amavis is handling
some configurations in 20-debian_defaults,
restarting spamassassin won't do any good. You need to restart amavisd.
Amavisd loads the
On Fri, 2009-09-11 at 04:47 -0700, franc wrote:
McDonald, Dan wrote:
estarting spamassassin won't do any good. You need to restart amavisd.
Amavisd loads the perl libraries and daemonizes itself instead of using
spamd.
Does this mean with amavis spamassassin is NOT used
On Fri, 2009-09-11 at 14:37 +0200, Matus UHLAR - fantomas wrote:
On 10.09.09 18:28, MySQL Student wrote:
I've seen this pattern in spam quite a bit lately:
href=http://EXAMPLE.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
On Fri, 2009-09-11 at 15:09 -0400, MySQL Student wrote:
Hi,
The 'doubleheadedrover' domain currently shows up in Razor(E8),
uribl_black, surbl_jp, and invaluement.
But it wasn't in all of those when he first started posting about it.
Yes, that's correct. Thanks for your help. That's
On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
Hi all,
I've seen this pattern in spam quite a bit lately:
href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
From: Matt Kettler [mailto:mkettler...@verizon.net]
This rule should detect 10 consecutive occurrences.
uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
Warning: I wrote this quickly without too much thought. It may have
bugs, but I'm short on time at the moment.
your variant would require
On Tue, 2009-09-08 at 18:24 +0100, Martin Gregorie wrote:
On Tue, 2009-09-08 at 18:54 +0200, Benny Pedersen wrote:
On Tue 08 Sep 2009 06:25:49 PM CEST, Mark Martinec wrote
Sure, if you want it to be be whitelisted.
tidy give me 95 warns on the html part :)
That's normal. The HTML
On Tue, 2009-08-25 at 07:21 -0500, Igor Chudov wrote:
On Mon, Aug 24, 2009 at 12:54:08PM -0700, Evan Platt wrote:
At 12:48 PM 8/24/2009, you wrote:
Lately I have been receiving quite a bit of spams that promote films
of the most indecent kind, involving persons of minor age. Examples
are
On Sat, 2009-08-22 at 00:24 +0200, mouss wrote:
Dan Schaefer a écrit :
Karsten Bräckelmann wrote:
On Fri, 2009-08-21 at 08:06 -0400, Dan Schaefer wrote:
That is incorrect. I put double spaces in the subject, because I knew
someone would bring that up. :-)
at a time where we
On Wed, 2009-08-05 at 10:34 -0600, LuKreme wrote:
On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:
Quoting LuKreme krem...@kreme.com:
On 3-Aug-2009, at 18:36, Dennis G German wrote:
If you use the lists as an RBL to reject at SMTP, you will end up
rejecting legitimate email.
On Tue, 2009-08-04 at 21:18 +0200, a...@exys.org wrote:
This assumption is wrong. You did receive a message from the From:
header address and the same originating
net-block in the past.
Should I disable AWL, or can i
unlearn it?
Apparently you previously (maybe not this week)
+0530, ganesh payelkar wrote:
Will it work if i put below entry
in /etc/mail/spamassassin/local.cf
yes.
On Thu, Jul 30, 2009 at 5:43 PM, McDonald, Dan
dan.mcdon...@austinenergy.com wrote:
On Thu, 2009-07-30 at 17:36 +0530, ganesh payelkar
On Tue, 2009-07-28 at 06:16 -0700, John Rudd wrote:
Though ... it'd be nice if there was a direct RSS feed for the users
list. Hopefully Nabble isn't my only choice for an RSS feed :-}
(esp. since it posts 1 RSS message per email message, and only appears
to do periodic RSS updates, not more
On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:
http://pastebin.com/m2cbc0965
This is scoring way low. Coming in from Hotmail (I would love to
blacklist these but some people just insist on using it).
Scores a healthy 13 here. Mostly using custom rules.
X-Spam-Report:
Looks like the pilz spammers have finally ditched the letters+numbers format.
I'm now using this rule:
body__MED_OB
From: Robert [mailto:list...@abbacomm.net]
There are no doubt lots of ways, but how about:
egrep 'whitelist_from[^_]' local.cf | awk '{FS=@; print $2
TXT;}' | xargs dig | grep v=spf1
what is this supposed to do?
select all of your whitelist_from entries, parse out the domain part, dig the
On Wed, 2009-07-22 at 04:27 -0700, twofers wrote:
I'm writing rules for header Subject and have a rule question.
I want a rule that would hit on specific words, no matter what order
they were. Would a rule written like this rule below accomplish that?
No. That rule would match every subject
From: Dan Schaefer [mailto:d...@performanceadmin.com]
For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as
spam
I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be hitting
anything currently.
From: MySQL Student [mailto:mysqlstud...@gmail.com]
I'm having trouble catching spam that contains lotto/money schemes or
simply asks the user to email a particular address for a loan or
otherwise. Here's an example:
Please use pastebin.
It hit BAYES_99, but that's it. Are there any rules that
From: John Hardin [mailto:jhar...@impsec.org]
On Sun, 19 Jul 2009, Mike Wallace wrote:
I got one today that wasn't caught by your rule
Whose, mine or Dan's?
it had 22232 for the domain name inside of www and net and used bracket
dot bracket for the separator.
I just got a couple of those
From: McDonald, Dan [mailto:dan.mcdon...@austinenergy.com]
From: John Hardin [mailto:jhar...@impsec.org]
On Sun, 19 Jul 2009, Mike Wallace wrote:
I got one today that wasn't caught by your rule
Whose, mine or Dan's?
it had 22232 for the domain name inside of www and net and used bracket
dot
On Wed, 2009-07-15 at 01:53 +0200, Karsten Bräckelmann wrote:
On Tue, 2009-07-14 at 12:33 -0500, McDonald, Dan wrote:
On Tue, 2009-07-14 at 16:13 +0100, Steve wrote:
This is very pretty;
Can we change the header layout with SA to format it similar to this?
You can, I guess -- even
On Thu, 2009-07-16 at 09:11 -0400, Dan Schaefer wrote:
The rules should also proactively cover (dot) and {dot} as well as [dot]
and dot, and {dot, and /dot/, and ...
That's why I like using [[:punct:]], which includes ! ' # S % ' ( ) *
+ , - . / : ; = ? @ [ \ ] ^ _ { | } ~
I've simplified
On Fri, 2009-07-17 at 00:04 +0200, Michelle Konzack wrote:
Good Evening,
Am 2009-07-16 23:42:44, schrieb Karsten Bräckelmann:
On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
Is this rule available via updates.spamassassin.org sa-update channel?
Nope. It's living in a
On Tue, 2009-07-14 at 16:13 +0100, Steve wrote:
This is very pretty;
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.3379
Rule breakdown below
pts rule name description
--
On Tue, 2009-07-14 at 12:42 -0700, John Hardin wrote:
On Tue, 14 Jul 2009, neroxyr wrote:
tks cheking the local.cf i had a blacklist_from *...@*.*
i delete that line and put the whitelist_from *...@gmail.com
I restart spamassassin and sendmail service and it worked!!. But putting
On Tue, 2009-07-14 at 12:54 -0700, Bazooka Joe wrote:
any idea why this rule never works for domain1 or domain2 but only domain3
header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i
On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
Does not seem to work with;
www. meds .com
It shouldn't. The
On Mon, 2009-07-13 at 17:38 +0100, rich...@buzzhost.co.uk wrote:
On Mon, 2009-07-13 at 18:28 +0200, Matus UHLAR - fantomas wrote:
On 13.07.09 16:26, rich...@buzzhost.co.uk wrote:
Do the RFC's state that they need to?
yes, RFC4954 in section 7 does
Where - I don't see it say it needs
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
MD They are using underscores, which are a [:punct:], but don't
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
MD The rules I posted last night catch those. They switched from
MD underscores to commas this morning, and my rules still catch them.
I still wonder, though, if we shouldn't
On Thu, 2009-07-09 at 19:42 -0700, Evan Platt wrote:
As the headers of every message state:
list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org
I tried that when I went on vacation last month. My ack bounced after
three days, so it never unsubscribed me. I'm back from
On Fri, 2009-07-10 at 06:56 -0700, Evan Platt wrote:
So - you attempted to unsubscribe. You didn't reply to the
confirmation e-mail that was sent.
I did reply, but the ezlm software refused to accept the message. And
exchange is dumb enough that it didn't tell me that it failed for 3
days.
On Fri, 2009-07-10 at 17:11 +0200, Sim wrote:
/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
^
John,
Thanks a lot for rule update! It works fine. I can say it's nearly
perfect, because it missing
On Fri, 2009-07-10 at 11:39 -0400, Daniel Schaefer wrote:
McDonald, Dan wrote:
Since we're sharing rules for this recent Spam outbreak, here is my rule:
body DRUG_SITE /www(\.|\
)*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
You should avoid the use
From: fchan [mailto:fc...@molsci.org]
Don't tempt them, I already get enough spam not
only from these guys. Also they will flood the
network with smtp useless connections and unless
you have good network attack mitigation system so
you don't have a DDoS, don't tempt them.
Pretty soon they
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
MD They are using underscores, which are a [:punct:], but don't form
MD a \b break.
I'm becoming confused as to what they could possibly hope to
accomplish by that.
right now I think
I recently received a spam with a mailbox-list in the from: and senderd:
headers
From: Inversiones inversiones.fo...@live.com,
i...@lasinversionesforex.com
Sender: Inversiones inversiones.fo...@live.com,
i...@lasinversionesforex.com
Since I had not seen
Coming home for some minutes I saw, I am hit by 23.000 spams in my inbox
from today...
The rule:
bodyAE_MEDS35
/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describeAE_MEDS35 obfuscated domain seen in spam
score
On Wed, 2009-07-01 at 13:20 +0100, Adam Stephens wrote:
__SEEK_1R0JFS
I can confirm that removing that test and recompiling eliminates my
segfaults. running re2c 0.12.0
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
signature.asc
Description: This is a digitally
AOL is making it easier for spammers to come up with unique names to
avoid the freemail.pm plugin. They have a service called tunome.com
with about 150 domains that are freemail. I just received a lottery
spam that used two of the tunome.com aliases.
Guess I'd best make a list...
--
Daniel J
On Mon, 2009-06-22 at 13:15 +0300, Jari Fredriksson wrote:
Am 2009-06-22 10:52:54, schrieb Pawe?? T??cza:
This seems to compile:
body AE_MEDS35 /\(\s?w{2,4}\s(meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS35 obfuscated domain in message
scoreAE_MEDS35 3.0
I'd suggest
On Mon, 2009-06-22 at 14:37 +0200, Paweł Tęcza wrote:
McDonald, Dan pisze:
I'm considering a low-scoring rule like:
body AE_MEDS37
/\(\s?w{2,4}\s[:alpha:]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS37 rule to catch the next wave of spaced domains
score
On Fri, 2009-06-19 at 15:12 -0700, SM wrote:
At 22:59 18-06-2009, Chip M. wrote:
Here's a dump of the complete Countries routes of your samples
(frequency first, then square brackets around the IP immediately
outside your own network):
2 [France], Nigeria
Do you really get such emails
On Thu, 2009-06-18 at 18:01 -0400, MySQL Student wrote:
I'm also having a problem with one of my rules:
[32692] info: config: invalid expression for rule LOCAL_XPS: Subject
=~ /Free\ DELL\ XPS/i: syntax error
Here is the full rule:
meta LOCAL_XPSSubject =~ /Free\
On Tue, 2009-06-16 at 13:44 +0200, Matus UHLAR - fantomas wrote:
On Mon, 15 Jun 2009 09:29:13 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:
On 15.06.09 12:30, RW wrote:
Would you care to elaborate? You comment makes no sense to me.
the more people use DKIM/PGP, the less
On Tue, 2009-06-16 at 13:52 -0400, Charles Gregory wrote:
On Tue, 16 Jun 2009, RW wrote:
On Tue, 16 Jun 2009 12:03:43 -0500
Andy Dorman ador...@ironicdesign.com wrote:
##{ FS_TEEN_BAD
header FS_TEEN_BADSubject =~
/\b(?:teens?|girls?|boys?...
describe FS_TEEN_BADSubject says
On Wed, 2009-06-10 at 21:40 -0700, John Rudd wrote:
On Wed, Jun 10, 2009 at 21:11, Bill Landryb...@inetmsg.com wrote:
Jake Maul wrote:
Interesting that I'm just now running into this... I've been using
Botnet on this server for several months without issue.
Thanks for the link, shorter
On Mon, 2009-05-25 at 23:12 +0200, Rudy Gevaert wrote:
Hi Matus,
On Mon, May 25, 2009 at 10:48:25PM +0200, Matus UHLAR - fantomas wrote:
On 25.05.09 17:12, Rudy Gevaert wrote:
Is it possible to generate a rule that when it applies gives the message
that specific score? If so, how do I
On Tue, 2009-06-02 at 09:10 -0400, Jean-Paul Natola wrote:
Hi all,
Is there a rule to catch these messages with no body and a 550 bite word
attachment?
Yes, add the SaneSecurity clamav signatures.
codling.rtf: Sanesecurity.Spam.10307.UNOFFICIAL FOUND
Integration with spamassassin left as
On Mon, 2009-06-01 at 09:28 -0700, Rich Shepard wrote:
I'm running SA-3.2.5 on Slackware-12.2 and encountering false positives on
messages that have not before been seen as spam by SA. Specifically, the
daily postfix mail log summary report and the daily logwatch report are
marked at spam;
On Mon, 2009-06-01 at 11:26 -0700, Ernie Dunbar wrote:
We have a cron job that runs every day to update the spamassassin rules, but
there have been no new updates since March 30.
Correct. updates_spamassassin_org has not been updated since March 30.
I have seen updates on
On Wed, 2009-05-27 at 07:44 -0700, hateSpam wrote:
Dear All,
I have spamassassin 3.1.9
Running on...
[] Redhat linux version 6.0
[] Minix
[] OpenVMS
[] Sun/OS 2.0
[] Timex Sinclair ZX81
[] Windows NT 3.02B
[] Something else?
Installed using...
[] tarball install
[] CPAN
[] RPM
[]
-Original Message-
From: Henrik K [mailto:h...@hege.li]
Sent: Fri 22-May-09 23:06
To: users@spamassassin.apache.org
Subject: Re: Stats (was: The EmailBL test zone period has been extended toJuly
1st.)
On Fri, May 22, 2009 at 09:28:55PM +0200, Karsten Bräckelmann wrote:
The EmailBL
On Fri, 2009-05-22 at 10:56 +0200, Karsten Bräckelmann wrote:
On Fri, 2009-05-22 at 08:00 +0200, Mester wrote:
You did enable razor in the server-wide config, right? Not per-user
settings.
I have enabled razor this way:
I have this lines in my /etc/spamassassin/local.cf
#razor
On Fri, 2009-05-22 at 13:55 +0200, Mester wrote:
Check in the ~/.spamassassin/user_prefs file for the user that runs
amavisd-new. I know the Mandriva package has that set to 'use_razor2
0', so I always have to hunt it down and fix it.
I had no use_razor2 line in the
On Fri, 2009-05-22 at 14:14 +0200, Arvid Ephraim Picciani wrote:
Greetings.
I'm thinking of implementing:
- greylisting
very effective. I cut my incoming mail by about 80% when we put up
greylisting. I'm using sqlgrey.
- honeypots
- rejecting broken HELO at smtp time (such as
On Fri, 2009-05-22 at 12:07 +0200, Yet Another Ninja wrote:
FYI:
The EmailBL test zone period has been extended to July 1st.
Since it has been extended, I decided to go ahead and fire it up this
morning.
I'm mainly looking at overlap. It seems to be relatively distinct from
other tests that
I've got a couple of users getting 419 scams, and it looks like
20_advance_fee.cf has got most of the good stuff for finding these
nasties. Unfortunately, it's only matching one of the sub-tests
( __FRAUD_DBI ).
If I wanted to extend it a bit, how should I go about it? Maybe create:
meta
On Fri, 2009-05-15 at 12:15 -0700, John Hardin wrote:
On Fri, 15 May 2009, McDonald, Dan wrote:
Or would it be better to just overwrite ADVANCE_FEE_{2,3,4} with more
subtests?
The sought_fraud rules are dynamically generated from current 419 emails.
Were you aware of them? Granted
On Mon, 2009-05-11 at 19:36 -0700, John Hardin wrote:
On Tue, 12 May 2009, Ned Slider wrote:
Then you get phish where the From address is a bank domain, and the
envelope address is from a completely unrelated domain with a valid spf
record so even a simple From_Bank spf_pass isn't
On Fri, 2009-05-08 at 12:05 +0200, Benny Pedersen wrote:
On Thu, May 7, 2009 14:11, Matus UHLAR - fantomas wrote:
On 07.05.09 03:59, jida...@jidanni.org wrote:
Ah ha, you can use something like
header FROM_SAME_AS_TO ALL=~/\nFrom: ([^\n]+)\n.*To: \1/sm
add spf to your domain
But see
From: Ned Slider [mailto:n...@unixmail.co.uk]
I had one sneak through today which didn't hit any rules at all (it hits
a few DNSBLs now but not when I received it). It contained an inline png:
Any idea how to tackle these? I have the DSC png rule in place but
obviously that doesn't apply
From: Ned Slider [mailto:n...@unixmail.co.uk]
McDonald, Dan wrote:
From: Ned Slider [mailto:n...@unixmail.co.uk]
I had one sneak through today which didn't hit any rules at all (it hits
a few DNSBLs now but not when I received it). It contained an inline png:
meta AE_PNG_ATTACH
1 - 100 of 231 matches
Mail list logo