Re: Attachments with no Content-Type mime header

2017-08-16 Thread Pedro David Marco
Thanks Paul, but your plugin uses find_parts(), which makes it pointless if there is no Content-Type MIME header... PedroD
>The magic number or file signature can be helpful in determining the filetype:
>https://en.wikipedia.org/wiki/List_of_file_signatures
>I make use of

Re: Attachments with no Content-Type mime header

2017-08-16 Thread Pedro David Marco
Hi David... I agree with you... but some functions like find_parts() do not work if there are no Content-Type headers... making it impossible to analyze some attachments... I am writing a plugin to detect suspicious PDFs... Maybe there's a better way to analyze attachments than using

Attachments with no Content-Type mime header

2017-08-11 Thread Pedro David Marco
Hi everybody... When an email has a MIME part with no Content-Type header, is there any way to force SA to "guess" the format based on other criteria... file extension, for example? Example:
Content-Disposition: attachment; filename="details.pdf"
Content-Transfer-Encoding: base64
Thanks!

Re: Random word spams and wiki spams

2017-07-07 Thread Pedro David Marco
>Also, set up the KAM.cf rules and extra signatures for ClamAV from
>Sanesecurity. These often help with new spam campaigns. I can post
>which signature DBs I am using if that would be helpful.
>--
>Dave
Hi Dave... I have had problems in the past with the script to download Sanesecurity

Re: Exchange 2010 rewrite headers whimsically

2017-07-03 Thread Pedro David Marco
>Concur. We often use linux boxes in front of exchange boxes for any type of
>mail manipulation.
>I had to respond because I loved the term "Whimsical modification". I shall
>use that here out.
>BTW, for those interested, work continues on masscheck.
>I spent Friday restoring two

Re: Exchange 2010 rewrite headers whimsically

2017-07-03 Thread Pedro David Marco
>Yes, once the mail has been touched by exchange it's not useful anymore for
>writing spam rules. Not only are headers changed/removed/reordered, also
>the html body is rewritten.
>Also for testing and training the reordered received headers are very
>annoying.
Thanks Merijn.. how funny! let's party

Exchange 2010 rewrite headers whimsically

2017-07-03 Thread Pedro David Marco
Hi everybody! According to Microsoft https://technet.microsoft.com/en-us/library/aa996806(v=exchg.141).aspx Exchange 2010 only rewrites some headers BUT... I am seeing it modifying any header in a whimsical way... Headers starting with X- are deleted every other day, and today I am seeing

About Petya2 campaign

2017-06-27 Thread Pedro David Marco
Hi everybody... just bothering you to share this: We are detecting Petya2 inside attached PDFs... (not detected by many AV). Has anyone seen it in any MS Office attachment? Or maybe any .js dropper? Good hunting! ---PedroD

Re: Rule Update Servers Coming Back!

2017-05-15 Thread Pedro David Marco
Thanks a lot Kevin... Thanks a lot David --PedroD From: Kevin A. McGrail To: Spamassassin ; SpamAssassin Devel List Sent: Sunday, May 14, 2017 4:11 PM Subject: Rule Update Servers Coming Back!

Re: idn phishing

2017-04-30 Thread Pedro David Marco
>Actually xn--example.com doesn't decode to example.com because in the
>absence of a "-" separator "example" would be treated as encoded
>non-ascii characters.
>
>This means that it's impossible to encode an ASCII domain as an IDN
>because each decoded label has to encode back to the

Update suggestion for hotmail rule

2017-04-30 Thread Pedro David Marco
Hi, sorry if this was discussed before and I missed it, but the rule FORGED_HOTMAIL_RCVD2 triggers when a hotmail email does not come from hotmail or msn servers, but actually they often come from outlook.com. Regards, -PedroD

Re: List of legit mass mailers

2017-03-07 Thread Pedro David Marco
Of course, that would be very interesting! ---Pedro.
> Just wondering if anyone has - or is interested in - a list of legit mass mailing sources? There are many domains that remail/deliver for other domains that are 95%+ good email. And they are not perfect and sometimes they get scammed

Re: fake base64 encoding

2017-02-01 Thread Pedro David Marco
Correction: Some Outlook versions do show the email just as Thunderbird does.. so most users can see the email but SA...
From: Pedro David Marco <pedrod_ma...@yahoo.com> To: Kevin A. McGrail <kmcgr...@pccc.com>; SA Mailing List <users@spamassassin.apache.org> Sent:

Re: fake base64 encoding

2017-02-01 Thread Pedro David Marco
Thanks Kevin, I wrote a similar rule to detect it but with a higher score (3) since we are seeing a huge LinkedIn phishing campaign using this technique, which on purpose or by mistake is evading most SA rules... I agree that Thunderbird may be doing it wrong. Outlook seems to do it right.
>I

fake base64 encoding

2017-02-01 Thread Pedro David Marco
Hi! I have noticed that when an email contains these (wrong) headers:
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
as SMTP headers, not MIME headers, and the email body is not base64 encoded, email clients such as Thunderbird show the content correctly but SpamAssassin body

Re: Asynchronous plugin skeleton needed

2017-01-18 Thread Pedro David Marco
>You should be able to use the other asynchronous plugins as a reference
>as well.
Thanks... but I cannot find documentation about things like "register_async_rule_start()" for example... can anyone point me to where it is documented, please? Thanks! Pedro.

Asynchronous plugin skeleton needed

2017-01-18 Thread Pedro David Marco
Hi everybody... Is it possible to have an asynchronous plugin for something not DNS/RBL related? I would like to write a simple plugin to check some local databases (cannot use rbldnsd), which takes a long time, so making it asynchronous seems the best idea.. If possible, can anyone provide any skeleton,

relay not detected

2016-11-21 Thread Pedro David Marco
Hi, I have spam emails with a Received line like this:
Received: by 9-30-239-23.uocdn.net (Postfix) with ESMTPSA id 693A0C56B with  (unknown [158.69.130.12]) ; Sun, 20 Nov 2016 21:06:55 -0300
There is no Perl parsing code for lines like this in the Received.pm module, so the relay 158.69.130.12 is

Re: Doubt about compiled rules precedence

2016-11-10 Thread Pedro David Marco
Something like that must be it, John... I will check my scripts once more... Thanks!
>No problem, sometimes the obvious is overlooked.
>
>Perhaps the compile failed and SA is using the last good results?

Re: Doubt about compiled rules precedence

2016-11-10 Thread Pedro David Marco
>I'm assuming that you *are* recompiling the rules and restarting
>spamd/Amavis after you make changes to the rules?
Sure, forgot to mention, sorry...

Doubt about compiled rules precedence

2016-11-10 Thread Pedro David Marco
Hi! I have a doubt about compiled rules with sa-compile: precedence between a "rule" and its compiled version is automatic, so as long as the rule is not modified, the compiled rule will take precedence, am I right? I have noticed that sometimes (only sometimes) if I modify the rule, spamassassin

Re: Define new variables in local.cf

2016-11-10 Thread Pedro David Marco
Great! Thanks! Pedro.
From: RW <rwmailli...@googlemail.com> To: users@spamassassin.apache.org Sent: Tuesday, November 8, 2016 7:15 PM Subject: Re: Define new variables in local.cf
On Tue, 8 Nov 2016 04:39:55 + (UTC) Pedro David Marco wrote:
> Hi!
> When

Re: Define new variables in local.cf

2016-11-08 Thread Pedro David Marco
AM Subject: Re: Define new variables in local.cf
On 08.11.16 04:39, Pedro David Marco wrote:
>When you have the same string repeated many times in a .cf file, is it possible
>to use any kind of user-defined variable or constant to avoid repetition
>and make it easier to maintain? any

Define new variables in local.cf

2016-11-07 Thread Pedro David Marco
Hi! When you have the same string repeated many times in a .cf file, is it possible to use any kind of user-defined variable or constant to avoid repetition and make it easier to maintain? Thanks! -Pedro

Re: PYZOR_CHECK always have zero score, why?

2016-10-23 Thread Pedro David Marco
Thanks!
>The 'net' tflag exists to allow SA to know what tests to disable when it
>is told to run only local tests. That is usually done when messages are
>being checked well after their arrival, because network-dependent tests
>are generally dynamic. There are also places where policy or

Re: PYZOR_CHECK always have zero score, why?

2016-10-22 Thread Pedro David Marco
I have tested it in a new Debian box and as expected PYZOR_CHECK worked. So it is obvious that I have something odd in my Debian box. Thanks to all who helped me so kindly!! This takes me to an old question: how does SA know which are network rules and which are not? Because it does it right even if

Re: rule for text with accents

2016-10-21 Thread Pedro David Marco
>If you set "normalize_charset 1" you can just test UTF-8
Thanks a lot RW, fool me! It was in the docs and I skimmed through it.. please accept my apologies... thanks again and have a nice weekend! --Pedro.

rule for text with accents

2016-10-21 Thread Pedro David Marco
Hi! Can anyone, please, tell me what is the correct way to write a rule that matches text with accents when I do not know the encoding?? Shall I write a rule for utf-8, another one for iso-8859-1, etc.?? I hope not... Thanks! -Pedro

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
>Hmmm... Relevant context of those lines is lost with grep, but they
>confirm something odd is going on.
Bill, your remark is welcome; what lines/info should I pay attention to or even post here? Pedro

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
Thanks in any case Bill... Really appreciate all your help and time... Bill, John, Matus... Pedro From: Bill Cole <sausers-20150...@billmail.scconsult.com> To: "users@spamassassin.apache.org" <users@spamassassin.apache.org> Cc: Pedro David Marco <pedr

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
Thanks Bill... tested...
>1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>
>     tflags PYZOR_CHECK_2 net
>
>Does that change whether the rule is hit?
>
>2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>
>    score PYZOR_CHECK 0.001 1.985 0.001 1.392
>
>Does that quiet

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
>IIRC I've seen this warning on meta rule dependencies with a non-zero
>scores. Unless you have a better reason to think Pyzor isn't working, I
>'d just ignore it.
Well... you are right, in fact I have no problem in ignoring it, but I do not like to have unresolved issues in something that is

Re: PYZOR_CHECK always have zero score, why?

2016-10-19 Thread Pedro David Marco
ets score 0? I am stuck... -Pedro
From: Matus UHLAR - fantomas <uh...@fantomas.sk> To: users@spamassassin.apache.org Sent: Wednesday, October 19, 2016 9:42 AM Subject: Re: PYZOR_CHECK always have zero score, why?
On 19.10.16 04:28, Pedro David Marco wrote:
>i already d

Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
ssassin_org/regression_tests.cf" for included file; only 50_scores.cf contains the string PYZOR_CHECK --Pedro
From: John Hardin <jhar...@impsec.org> To: SA Mailing List <users@spamassassin.apache.org> Sent: Wednesday, October 19, 2016 6:41 AM Subject: Re: PYZOR_CHECK a

Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
-20150...@billmail.scconsult.com> To: SA Mailing List <users@spamassassin.apache.org> Sent: Wednesday, October 19, 2016 6:04 AM Subject: Re: PYZOR_CHECK always have zero score, why?
On 18 Oct 2016, at 23:22, Pedro David Marco wrote:
> So Pyzor seems to be OK!... the problem is somehow related to

PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
Hi! It seems the PYZOR_CHECK rule is not being used in my SA. I just installed SA and Pyzor on a Debian box and executed "pyzor discover". In Debian pyzor is enabled by default, so nothing to add in local.cf. The command "pyzor check < emailfile.eml" works ok. .. Now I try to test SA in debug mode like

Dealing with huge URLs and timeouts (possible evasion technique?)

2016-09-25 Thread Pedro David Marco
Hi, When SA 3.4.1 analyzes emails with large random URIs... like this:

Re: Plugin development help needed...

2016-09-10 Thread Pedro David Marco
.
From: Martin Gregorie <mar...@gregorie.org> To: users@spamassassin.apache.org Sent: Saturday, September 10, 2016 3:33 PM Subject: Re: Plugin development help needed...
On Sat, 2016-09-10 at 13:09 +, Pedro David Marco wrote:
> Hi there...
> i am not an expert OO devel

Plugin development help needed...

2016-09-10 Thread Pedro David Marco
Hi there... I am not an expert OO developer, so I am somehow flying blind here and need your help, please. Basically I want to write my own plugin, and I have some repeated calculations in each and every plugin method that I would like to reduce to just one, but I am not sure how to do it...

Re: trusted_networks question...

2016-09-10 Thread Pedro David Marco
? ---PedroD
From: Martin <ma...@ntlworld.com> To: users@spamassassin.apache.org Sent: Saturday, September 10, 2016 10:56 AM Subject: RE: trusted_networks question...
From: Pedro David Marco [mailto:pedrod_ma...@yahoo.com] Sent: Saturday, Septem

trusted_networks question...

2016-09-10 Thread Pedro David Marco
Hi there... I have this in my local.cf:
trusted_networks    88.2.890.3
When I run SA in debug mode I see this:
[17721] dbg: received-header: relay 88.2.890.3 trusted? no internal? no msa? no
There is no error or warning anywhere... is this normal? Thanks! ---PedroD

Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-10 Thread Pedro David Marco
I receive tons of ransomware from Google and MS Office365 IPs.. ---PedroD
From: Bowie Bailey To: users@spamassassin.apache.org Sent: Friday, September 9, 2016 3:35 PM Subject: Re: RCVD_IN_SORBS_SPAM and google IPs
On 9/9/2016 9:24 AM, li...@rhsoft.net

Re: Local mode with some URI checks. Possible??

2016-09-04 Thread Pedro David Marco
s-20150...@billmail.scconsult.com> To: "users@spamassassin.apache.org" <users@spamassassin.apache.org> Sent: Sunday, September 4, 2016 9:52 PM Subject: Re: Local mode with some URI checks. Possible??
> On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
> >

Re: Local mode with some URI checks. Possible??

2016-09-04 Thread Pedro David Marco
> To: "users@spamassassin.apache.org" <users@spamassassin.apache.org> Sent: Sunday, September 4, 2016 9:52 PM Subject: Re: Local mode with some URI checks. Possible??
On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
> there is a Flag to indicate when a rule is net related or not

Re: Local mode with some URI checks. Possible??

2016-09-04 Thread Pedro David Marco
users@spamassassin.apache.org Sent: Saturday, September 3, 2016 1:57 PM Subject: Re: Local mode with some URI checks. Possible??
On 03.09.16 09:32, Pedro David Marco wrote:
>Thanks Axb, I already did it, but I could not find any reasonable way to
>disable all network checks but one.

Re: Local mode with some URI checks. Possible??

2016-09-03 Thread Pedro David Marco
only mode.
From: Axb <axb.li...@gmail.com> To: users@spamassassin.apache.org Sent: Saturday, September 3, 2016 11:06 AM Subject: Re: Local mode with some URI checks. Possible??
On 09/03/2016 08:45 AM, Pedro David Marco wrote:
> Hi!
>
> I am using "Local tests only&qu

Local mode with some URI checks. Possible??

2016-09-03 Thread Pedro David Marco
Hi! I am using "Local tests only" mode of SA to prevent any network checks, but there is one URIBL I would like to use (as an exception).. is it possible to do this??? I have added this rule to local.cf:
urirhssub     URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK
