Thanks Paul,
but your plugin uses find_parts() that turns it pointless if there is no
Content-Type mime header...
PedroD
>The magic number or file signature can be helpful in determining the
>filetype:
>https://en.wikipedia.org/wiki/List_of_file_signatures
>I make use of
Hi David...
I agree with you... but some functions like find_parts() do not work if there
are not Content-Type Headers... making impossible the analysis of some
attachments...
i am writing a plugin to detect suspicious PDFs...
Maybe there's a better way to analyze attachments than using
Hi everybody...
When an email has a MIME part with no Content-Type header, is there any way to
force SA "guess" the format based on other criteria... file extension, for
example?
Example:
Content-Disposition: attachment;
filename="details.pdf"
Content-Transfer-Encoding: base64
Thanks!
>Also, setup the KAM.cf rules and extra signatures for ClamAV from
>Sanesecurity. These often help with new spam campaigns. I can post
>which signature DBs I am using if that would be helpful.
>--
>Dave
Hi Dave...
i have had problems in the past with the script to download Sanesecurity
>Concur. We often use linux boxes in front of exchange boxes for any type of
>mail manipulation.
> had to respond because I loved the term "Whimsical modification". I shall
> use that here out.
>BTW, for those interested, work continues on masscheck.
> I spent Friday restoring two
>Yes, once the mail has been touched by exchange it's not useful anymore for
>writing spam rules. Not only headers are changed/removed/reordered also
>the html body is rewritten.
>Also for testing and training the reordered received headers are very
>annoying.
Thanks Merijn..
how funny! let's party
Hi everybody!
According to Microsoft
https://technet.microsoft.com/en-us/library/aa996806(v=exchg.141).aspx
Exchange 2010 only rewrites some headers BUT... i am seeing it modifying any
header in a whimsical way...
Headers starting by X- are deleted every other day, and today i am seeing
Hi everybody...
just bothering you to share this:
We are detecting Petya2 inside attached PDFs... (not detected by many AV)
has anyone seen it in any MS OFFICE attachment? or maybe any .js dropper?
good hunting!
---PedroD
Thanks a lot Kevin... Thanks a lot David
--PedroD
From: Kevin A. McGrail
To: Spamassassin ; SpamAssassin Devel List
Sent: Sunday, May 14, 2017 4:11 PM
Subject: Rule Update Servers Coming Back!
>Actually xn--example.com doesn't decode to example.com because in the
>absence of a "-" separator "example" would be treated as encoded
>non-ascii characters.
>
>This means that it's impossible to encode an ASCII domain as an IDN
>because each decoded label has to encode back to the
Hi,
sorry if discussed before and i missed it but,
the rule FORGED_HOTMAIL_RCVD2 triggers when a hotmail email does not come from
hotmail or msn servers, but actually they often come from outlook.com
regards,
-PedroD
of course that would be very interesting!
---Pedro.
Just wondering if anyone has - or is interested in - a list of legit
mass mailing sources?
There are many domains that remail/deliver for other domains that are
95%+ good email. And they are not perfect and sometimes they get scammed
Correction:
Some Outlook versions do show the email just as Thunderbird does.. so most
users can see the email but SA...
From: Pedro David Marco <pedrod_ma...@yahoo.com>
To: Kevin A. McGrail <kmcgr...@pccc.com>; SA Mailing List
<users@spamassassin.apache.org>
Sent:
Thanks Kevin,
I did a similar rule to detect it but with higher score (3) since we are seeing
a huge LinkedIn Phishing campaign using this technique, that on purpose or by
mistake is evading most SA rules...
I agree that Thunderbird may be doing it wrong. Outlook seems to do it right.
>I
Hi!
i have noticed that when an email contains these (wrong) headers:
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
as SMTP headers, not MIME headers, and the email body is not base64 encoded,
email clients as Thunderbird show the content correctly but SpamAssassin body
>You should be able to use the other asynchronous plugins as a reference
>as well.
Thanks... but i cannot find documentation about things like
"register_async_rule_start()" for example... can anyone point to me where is
it documented, please?
Thanks!
Pedro.
Hi everybody...
Is it possible to have an asynchronous plugin for something not DNS/RBL related?
I would like to write a simple plugin to check some local Databases (cannot use
rbldnsd) that takes long so making it asynchronous seems the best idea..
If possible, can anyone provide any skeleton,
Hi,
i have spam emails with a Received line like this:
Received: by 9-30-239-23.uocdn.net (Postfix) with ESMTPSA id 693A0C56B with
(unknown [158.69.130.12]) ; Sun, 20 Nov 2016 21:06:55 -0300
there is no parsing perl code for lines like this in Received.pm module so the
relay 158.69.130.12 is
Something like that must be John...
I will check my scripts once more...
Thanks!
>No problem, sometimes the obvious is overlooked.
>
>Perhaps the compile failed and SA is using the last good results?
>I'm assuming that you *are* recompiling the rules and restarting
>spamd/Amavis after you make changes to the rules?
sure, forgot to mention, sorry...
Hi!
I have a doubt about compiled rules with sa-compile:
Precedence between a "rule" and its compiled version is automatic so as long as
the rule is not modified, the compiled rule will take precedence, am i right? I
have noticed that sometimes (only sometimes) if i modify the rule, spamassassin
Great!
Thanks!
Pedro.
From: RW <rwmailli...@googlemail.com>
To: users@spamassassin.apache.org
Sent: Tuesday, November 8, 2016 7:15 PM
Subject: Re: Define new variables in local.cf
On Tue, 8 Nov 2016 04:39:55 + (UTC)
Pedro David Marco wrote:
> Hi!
> When
AM
Subject: Re: Define new variables in local.cf
On 08.11.16 04:39, Pedro David Marco wrote:
>When you have the same string repeated many times in a .cf file is it possible
> to use any kind of user-defined variable or constant to avoid repetition
> and make it easier to maintain?
any
Hi!
When you have the same string repeated many times in a .cf file is it possible to
use any kind of user-defined variable or constant to avoid repetition and make
it easier to maintain?
thanks!
-Pedro
Thanks!
>The 'net' tflag exists to allow SA to know what tests to disable when it
>is told to run only local tests. That is usually done when messages are
>being checked well after their arrival, because network-dependent tests
>are generally dynamic. There are also places where policy or
I have tested it in a new Debian box and as expected PYZOR_CHECK worked. So it
is obvious that i have something odd in my Debibox.
Thanks to all who helped me gently!!
This takes me to an old question: How does SA know which are network rules and
which are not? because it does it right even if
>If you set "normalize_charset 1" you can just test UTF-8
Thanks a lot RW
fool me! it was on the docs and i skimmed it through.. please accept my
apologies...
thanks again and have a nice weekend!
--Pedro.
Hi!
can anyone, please, tell me what is the correct way to write a rule that
matches text with accents when i do not know the encoding??
shall i write a rule for utf-8, another one for iso-8859-1, etc?? i hope no...
Thanks!
-Pedro
>Hmmm... Relevant context of those lines is lost with grep, but they
>confirm something odd is going on.
Bill, your remark is welcome, what lines/info should i pay attention to or
even post here?
Pedro
Thanks in any case Bill...
Really appreciate all your help and time... Bill, John, Matus...
Pedro
From: Bill Cole <sausers-20150...@billmail.scconsult.com>
To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
Cc: Pedro David Marco <pedr
Thanks Bill...
tested...
>1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>
>tflags PYZOR_CHECK_2 net
>
>Does that change whether the rule is hit?
>
>2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>
> score PYZOR_CHECK 0.001 1.985 0.001 1.392
>
>Does that quiet
>IIRC I've seen this warning on meta rule dependencies with a non-zero
>scores. Unless you have a better reason to think Pyzor isn't working,
>I'd just ignore it.
Well... you are right, in fact i have no problem in ignoring it, but i do not
like to have unresolved issues in something that is
ets score 0?
i am stuck...
-Pedro
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: users@spamassassin.apache.org
Sent: Wednesday, October 19, 2016 9:42 AM
Subject: Re: PYZOR_CHECK always have zero score, why?
On 19.10.16 04:28, Pedro David Marco wrote:
>i already d
ssassin_org/regression_tests.cf"
for included file
only 50_scores.cf contains string PYZOR_CHECK
--Pedro
From: John Hardin <jhar...@impsec.org>
To: SA Mailing List <users@spamassassin.apache.org>
Sent: Wednesday, October 19, 2016 6:41 AM
Subject: Re: PYZOR_CHECK a
-20150...@billmail.scconsult.com>
To: SA Mailing List <users@spamassassin.apache.org>
Sent: Wednesday, October 19, 2016 6:04 AM
Subject: Re: PYZOR_CHECK always have zero score, why?
On 18 Oct 2016, at 23:22, Pedro David Marco wrote:
> So Pyzor seems to be OK!... the problem is somehow related to
Hi!
It seems PYZOR_CHECK rule is not being used in my SA. Just installed SA and
Pyzor in a Debian and executed "pyzor discover." In Debian pyzor is enabled by
default so nothing to add in local.cf. Command "pyzor check < emailfile.eml"
works ok.
.. now i try to test SA in debug mode like
Hi,
When SA 3.4.1 analyzes emails with large random URIs... like this:
.
From: Martin Gregorie <mar...@gregorie.org>
To: users@spamassassin.apache.org
Sent: Saturday, September 10, 2016 3:33 PM
Subject: Re: Plugin development help needed...
On Sat, 2016-09-10 at 13:09 +, Pedro David Marco wrote:
> Hi there...
> i am not an expert OO devel
Hi there...
i am not an expert OO developer so i am somehow flying blind in here and need
your help please
Basically i want to write my own plugin and i have some repeated calculations
in each and every plugin method that i would like to reduce to just one, but i
am not sure on how to do it...
?
---PedroD
From: Martin <ma...@ntlworld.com>
To: users@spamassassin.apache.org
Sent: Saturday, September 10, 2016 10:56 AM
Subject: RE: trusted_networks question...
From: Pedro David Marco [mailto:pedrod_ma...@yahoo.com]
Sent: Saturday, Septem
Hi there...
i have this in my local.cf:
trusted_networks 88.2.890.3
when i run SA in debug mode i see this:
[17721] dbg: received-header: relay 88.2.890.3 trusted? no internal? no msa? no
there is no error or warns anywhere...
is this normal?
Thanks!
---PedroD
i receive tons of Ransomware from Google and MS Office365 IPs..
---PedroD
From: Bowie Bailey
To: users@spamassassin.apache.org
Sent: Friday, September 9, 2016 3:35 PM
Subject: Re: RCVD_IN_SORBS_SPAM and google IPs
On 9/9/2016 9:24 AM, li...@rhsoft.net
s-20150...@billmail.scconsult.com> To:
> "users@spamassassin.apache.org" <users@spamassassin.apache.org> Sent:
> Sunday, September 4, 2016 9:52 PM Subject: Re: Local mode with some
> URI checks. Possible??
>
> On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
>
>
>
To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
Sent: Sunday, September 4, 2016 9:52 PM
Subject: Re: Local mode with some URI checks. Possible??
On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
> there is a Flag to indicate when a rule is net related or not
users@spamassassin.apache.org
Sent: Saturday, September 3, 2016 1:57 PM
Subject: Re: Local mode with some URI checks. Possible??
On 03.09.16 09:32, Pedro David Marco wrote:
>Thanks Axb, I already did it, but i could not find any reasonable way to
>disable all networks checks but one.
only mode.
From: Axb <axb.li...@gmail.com>
To: users@spamassassin.apache.org
Sent: Saturday, September 3, 2016 11:06 AM
Subject: Re: Local mode with some URI checks. Possible??
On 09/03/2016 08:45 AM, Pedro David Marco wrote:
> Hi!
>
> I am using "Local tests only"
Hi!
I am using "Local tests only" mode of SA to prevent any network checks, but
there is one URIBL i would like to use (as an exception).. is it possible to do
this???
I have added this rule to local.cf:
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK