Re: Order of handling whitelist/blacklist

2024-03-28 Thread Philip Prindeville via users
> On Mar 28, 2024, at 12:18 PM, Matus UHLAR - fantomas > wrote: > >>> On 27.03.24 20:56, Philip Prindeville via users wrote: >>>> I have something that looks like: >>>> >>>> whitelist_from_rcvd v...@yandex.ru vger.kernel.org >>&g

Re: Order of handling whitelist/blacklist

2024-03-28 Thread Philip Prindeville via users
> On Mar 28, 2024, at 2:39 AM, Matus UHLAR - fantomas wrote: > > On 27.03.24 20:56, Philip Prindeville via users wrote: >> I have something that looks like: >> >> whitelist_from_rcvd v...@yandex.ru vger.kernel.org >> >> blacklist_from *@yandex.ru >

Order of handling whitelist/blacklist

2024-03-27 Thread Philip Prindeville via users
Hi. I have something that looks like: whitelist_from_rcvd v...@yandex.ru vger.kernel.org blacklist_from *@yandex.ru And I only ever seem to see the 2nd rule being hit, but not the first. What is the order of evaluation? Mail::SpamAssassin::Conf doesn't say that I

ATT RBL f---wits

2023-11-27 Thread Philip Prindeville
We're being blacklisted by att.net with the following message: (reason: 550 5.7.1 Connections not accepted from servers without a valid sender domain.flph840 Fix reverse DNS for 24.116.100.90) I don't know what the hell is up with these pinheads: philipp@ubuntu22:~$ dig -tmx

Re: DKIM absence

2023-05-02 Thread Philip Prindeville
> On May 2, 2023, at 9:37 AM, Thomas Johnson wrote: > > >> On May 2, 2023, at 8:27 AM, Philip Prindeville >> wrote: >> >> Is there a way to add scoring that says, "If the sending domain has DKIM >> records, but there's no DKIM signature o

DKIM absence

2023-05-02 Thread Philip Prindeville
Is there a way to add scoring that says, "If the sending domain has DKIM records, but there's no DKIM signature on this message, then attach a high score to it?" We seem to attach negative scores when DKIM is present and valid, but what about the opposite direction? If it's absent, but it

Re: Did the whitelist_from_rcvd semantics change?

2023-05-01 Thread Philip Prindeville
> On May 1, 2023, at 3:48 AM, Reindl Harald wrote: > > > > Am 30.04.23 um 20:54 schrieb Philip Prindeville: >>> On Apr 28, 2023, at 12:17 PM, Philip Prindeville >>> wrote: >>> >>> >>> >>>> On Apr 28, 2023, at 10:

Re: Did the whitelist_from_rcvd semantics change?

2023-04-30 Thread Philip Prindeville
> On Apr 28, 2023, at 12:17 PM, Philip Prindeville > wrote: > > > >> On Apr 28, 2023, at 10:24 AM, Reindl Harald wrote: >> >> >> >> Am 28.04.23 um 18:11 schrieb Philip Prindeville: >>>> On Apr 25, 2023, at 6:28 AM, Bill Cole &

Re: Did the whitelist_from_rcvd semantics change?

2023-04-28 Thread Philip Prindeville
> On Apr 28, 2023, at 10:24 AM, Reindl Harald wrote: > > > > Am 28.04.23 um 18:11 schrieb Philip Prindeville: >>> On Apr 25, 2023, at 6:28 AM, Bill Cole >>> wrote: >>> >>> On 2023-04-24 at 16:32:55 UTC-0400 (Mon, 24 Apr 2023 14:32:55 -0

Re: Did the whitelist_from_rcvd semantics change?

2023-04-28 Thread Philip Prindeville
> On Apr 25, 2023, at 6:28 AM, Bill Cole > wrote: > > On 2023-04-24 at 16:32:55 UTC-0400 (Mon, 24 Apr 2023 14:32:55 -0600) > Philip Prindeville > is rumored to have said: > >> I thought the matching included subdomains, and seem to remember that >> wor

Re: Did the whitelist_from_rcvd semantics change?

2023-04-24 Thread Philip Prindeville
Oh, and this is on Fedora, so I'm running 3.4.6... > On Apr 24, 2023, at 2:32 PM, Philip Prindeville > wrote: > > Hi, > > I have the following line: > > whitelist_from_rcvd *@ceipalmm.com mailgun.net > > And tried it on a message that had: > >

Did the whitelist_from_rcvd semantics change?

2023-04-24 Thread Philip Prindeville
Hi, I have the following line: whitelist_from_rcvd *@ceipalmm.com mailgun.net And tried it on a message that had: Return-Path: But it didn't get whitelisted. If I change the pattern above to "*@mg2.ceipalmm.com" it works. I thought the matching included subdomains, and seem to

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-23 Thread Philip Prindeville
> On May 11, 2022, at 1:53 AM, Henrik K wrote: > > On Wed, May 11, 2022 at 10:49:32AM +0300, Henrik K wrote: >> On Wed, May 11, 2022 at 10:44:05AM +0300, Henrik K wrote: >>> On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote: >>>> See my

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-13 Thread Philip Prindeville
> On May 11, 2022, at 9:24 AM, John Hardin wrote: > > On Tue, 10 May 2022, Philip Prindeville wrote: > >> Anyone have a rule to detect the following nonsense headers seen in this >> message I got? >> >> Return-Path: >> Received: from cp24

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-13 Thread Philip Prindeville
> On May 11, 2022, at 1:53 AM, Henrik K wrote: > > On Wed, May 11, 2022 at 10:49:32AM +0300, Henrik K wrote: >> On Wed, May 11, 2022 at 10:44:05AM +0300, Henrik K wrote: >>> On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote: >>>> See my

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-13 Thread Philip Prindeville
> On May 11, 2022, at 1:44 AM, Henrik K wrote: > > On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote: >> See my original message. >> >> I can't think of a single way to match each header, and then test for any of >> them not matching the

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-10 Thread Philip Prindeville
> On May 10, 2022, at 5:57 PM, Martin Gregorie wrote: > > On Tue, 2022-05-10 at 17:29 -0600, Philip Prindeville wrote: >> >> You're correct that they're different in every message received. >> > So write a rule that fires on any header name that *doesn't

Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-10 Thread Philip Prindeville
> On May 10, 2022, at 4:58 PM, Kevin A. McGrail wrote: > > On 5/10/2022 6:10 PM, Philip Prindeville wrote: >> Anyone have a rule to detect the following nonsense headers seen in this >> message I got? > > Interesting. Those look more like something that Bayesia

Rule to detect non-standard headers that aren't X- prefixed

2022-05-10 Thread Philip Prindeville
Anyone have a rule to detect the following nonsense headers seen in this message I got? Return-Path: Received: from cp24.deluxehosting.com (cp24.deluxehosting.com [207.55.244.13]) by mail (envelope-sender ) (MIMEDefang) with ESMTP id 23C2ch8H717309 for ; Mon, 11 Apr 2022

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-12-26 Thread Philip Prindeville
> On Nov 16, 2021, at 8:03 PM, Henrik K wrote: > > On Tue, Nov 16, 2021 at 01:08:16PM -0700, Philip Prindeville wrote: >> >> Or http.sh points to an NS that's offline... > > Your resolver should time out _way_ sooner than some minutes. > >>

Re: MIME_BASE64_TEXT only on us-ascii

2021-12-11 Thread Philip Prindeville
> On Nov 30, 2021, at 1:10 PM, Matija Nalis wrote: > > On Tue, Nov 30, 2021 at 12:03:15PM -0700, Philip Prindeville wrote: >>> On Nov 17, 2021, at 9:50 AM, Bill Cole >>> wrote: >>> SpamAssassin rules are not laws in any sense. They do not prescribe o

Re: MIME_BASE64_TEXT only on us-ascii

2021-11-30 Thread Philip Prindeville
> On Nov 17, 2021, at 9:50 AM, Bill Cole > wrote: > > SpamAssassin rules are not laws in any sense. They do not prescribe or > proscribe any action. They do not reflect any sort of moral or ethical > judgment. They do not express or define technical correctness. Isn't that exactly what

SPF_NONE scoring

2021-11-30 Thread Philip Prindeville
Hi, I'm looking at the 0.001 scoring for SPF_NONE and scratching my head. This was discussed a bit in early 2015, but maybe it needs revisiting with new perspective. Surely no one who cares about maintaining their reputation by protecting themselves against spoofing would fail to provide SPF

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-16 Thread Philip Prindeville
> On Nov 16, 2021, at 3:30 AM, Martin Gregorie wrote: > > On Mon, 2021-11-15 at 17:12 -0700, Philip Prindeville wrote: >> >> >>> On Nov 15, 2021, at 5:06 PM, Greg Troxel wrote: >>> >>> >>> Philip Prindeville writes: >&g

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-16 Thread Philip Prindeville
> On Nov 15, 2021, at 11:12 PM, Henrik K wrote: > > On Mon, Nov 15, 2021 at 04:25:55PM -0700, Philip Prindeville wrote: >> >> >>> On Nov 12, 2021, at 10:35 PM, Henrik K wrote: >>> >>> On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wr

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-16 Thread Philip Prindeville
Replies... some duplication of conversation on "mimedefang". > On Nov 15, 2021, at 10:34 PM, Bill Cole > wrote: > > On 2021-11-15 at 18:08:20 UTC-0500 (Mon, 15 Nov 2021 16:08:20 -0700) > Philip Prindeville > is rumored to have said: > >>> On Nov

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-15 Thread Philip Prindeville
> On Nov 15, 2021, at 5:06 PM, Greg Troxel wrote: > > > Philip Prindeville writes: > >> Ah, the rule _eval_tests_type11_pri0_set1() took 4:20. >> >> Why can't I even find the rule? > > That looks very familiar. I was having timeouts, and saw that

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-15 Thread Philip Prindeville
> On Nov 12, 2021, at 10:35 PM, Henrik K wrote: > > On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wrote: >> >> What would be helpful here would be logging of when a rule *starts* >> evaluation. Normally that would be painful, but for tracking a runaway it >> would be useful. Perhaps

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-15 Thread Philip Prindeville
> On Nov 12, 2021, at 8:49 PM, John Hardin wrote: > > On Fri, 12 Nov 2021, Philip Prindeville wrote: > >> I got the message, saved it to a flat file, and ran "spamassassin -t -D >> rules < netdev.eml" and saw: >> >> ... >>

Re: spam from gmail.com

2021-11-12 Thread Philip Prindeville
> On Nov 9, 2021, at 6:49 AM, Jared Hall wrote: > > On 11/8/2021 11:36 PM, Peter wrote: >> It seems that people aren't taking google as seriously any more. > First came Freemail. Then came SpamAssassin. I DO think that people take > Google seriously. There are just so many ways to deal

Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-12 Thread Philip Prindeville
Hi, I got an email from net...@vger.kernel.org that was a lengthy (422K) regression test report from a patch someone had submitted. I got the message, saved it to a flat file, and ran "spamassassin -t -D rules < netdev.eml" and saw: ... Nov 12 11:45:38.048 [36367] dbg: rules: ran eval rule

Re: Seeing "razor2 had unknown error during get_server_info"

2021-08-14 Thread Philip Prindeville
Asked and answered: http://forum.centos-webpanel.com/index.php?topic=5505.0 Need to open outgoing port 2703 (TCP) for the mail server. > On Aug 14, 2021, at 12:37 PM, Philip Prindeville > wrote: > > Hi all, > > A few days ago, I started seeing this in my /var/log/maillog:

Seeing "razor2 had unknown error during get_server_info"

2021-08-14 Thread Philip Prindeville
Hi all, A few days ago, I started seeing this in my /var/log/maillog: Aug 14 12:15:07 mail mimedefang-multiplexor[141367]: 17EIF11E226383: Worker 4 stderr: razor2: razor2 check failed: Connection refused razor2: razor2 had unknown error during get_server_info at

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-26 Thread Philip Prindeville
Actually, the notion is much older than that… 12th or 13th century I believe. Students of universities (like Oxford or Sorbonne or Geneve) would get together, interview professors, and pay them directly. There was no “administration”. The professors marketed their knowledge and insight

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-24 Thread Philip Prindeville
Free Speech doesn’t require anyone to pay for your soap box or megaphone. But Spam is exactly that: having other people subsidize your speech through the theft of services. > On Nov 19, 2020, at 2:25 PM, Kevin A. McGrail wrote: > > Afternoon Everyone, > > So over the years, I have gotten a

Re: dbip-country-lite database

2020-11-19 Thread Philip Prindeville
> On Nov 15, 2020, at 11:48 AM, Dominic Raferd wrote: > > > > On Sun, 15 Nov 2020, 18:27 Philip Prindeville, > wrote: > Is anyone else using this database? > > I’ve been using it with xt_geoip and Mimedefang and Plugin::URILocalBL to > block countries

dbip-country-lite database

2020-11-15 Thread Philip Prindeville
Is anyone else using this database? I’ve been using it with xt_geoip and Mimedefang and Plugin::URILocalBL to block countries since Maxmind retired support for GeoIP on RHEL. But I keep running into cases where parts of the database are very obviously wrong. It’s showing about 50% of

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Philip Prindeville
> On Aug 21, 2020, at 1:28 PM, Rob McEwen wrote: > > ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for > Sendgrid-spams! > > ...a collection of a new TYPE of DNSBL, with the FIRST of these having a > focus on Sendgrid-sent spams. AND - there is a FREE version of

Re: SendGrid (Was: Re: Freshdesk (again))

2020-08-17 Thread Philip Prindeville
I just add an extra 5.0 points for coming from Sendgrid now so it goes straight to the Junk folder. Users can pull it out of there if they really want it. Sendgrid is becoming to ASP’s what OVH and Softlayer are to ISP's. > On Jun 27, 2020, at 3:56 AM, Niels Kobschätzki wrote: > > Sendgrid

Re: Freshdesk (again)

2020-08-17 Thread Philip Prindeville
> On Jul 7, 2020, at 3:16 AM, Raymond Dijkxhoorn > wrote: > > Hai! > it might help to add your complaint via ab...@sendgrid.com. > >>> I very much doubt it. Sendgrid's business is sending mail and they do not >>> care if that mail is spam or not. If enough servers block them they

Adding approximate matching (see also: another extortion email check)

2020-05-05 Thread Philip Prindeville
Hi, I’ve recently gotten emails (a lot of them, as it happened) with the following subject line: Subject: H¡gh level of r¡sk. Your account has been hacked. Change yøur passwørd. and I’ve seen other similar emails in the past using simple mechanical substitutions (Greek alpha for ‘a’, Cyrillic

Re: Two types of new spam

2020-01-11 Thread Philip Prindeville
> On Jan 4, 2020, at 11:57 AM, Bill Cole > wrote: > > On 3 Jan 2020, at 17:45, Philip Prindeville wrote: > [...] > >> One other question that occurs to me: why would we even need > http-equiv=“Content-Type” …> if we already have a Content-Type: header

Re: Two types of new spam

2020-01-03 Thread Philip Prindeville
> On Jan 3, 2020, at 3:45 PM, Philip Prindeville > wrote: > > > >> On Jan 2, 2020, at 4:08 PM, Philip Prindeville >> wrote: >> >> I’m getting the following Spam. >> >> http://www.redfish-solutions.com/misc/bluechew.eml >>

Re: Two types of new spam

2020-01-03 Thread Philip Prindeville
> On Jan 2, 2020, at 4:08 PM, Philip Prindeville > wrote: > > I’m getting the following Spam. > > http://www.redfish-solutions.com/misc/bluechew.eml > > And this is notable for having: > > > > GUID1 > GUID2 > GUID3 > GUID4 > … > One

Re: Two types of new spam

2020-01-03 Thread Philip Prindeville
> On Jan 3, 2020, at 11:34 AM, RW wrote: > > On Fri, 3 Jan 2020 10:09:21 -0800 (PST) > John Hardin wrote: > >> On Fri, 3 Jan 2020, Pedro David Marco wrote: >> >>> header __L_RECEIVED_SPF exists:Received-SPF >>> tflags __L_RECEIVED_SPF multiple maxhits=20 >>> >>> meta

Two types of new spam

2020-01-02 Thread Philip Prindeville
I’m getting the following Spam. http://www.redfish-solutions.com/misc/bluechew.eml And this is notable for having: GUID1 GUID2 GUID3 GUID4 … so it should be easy enough to detect. A GUID looks like: [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{3}-[0-9a-f]{3}-[0-9a-f]{12} The 2nd type of Spam I’m

Re: HeaderEval::check_header_count_range() not working correctly?

2019-11-03 Thread Philip Prindeville
Sigh… “downside”. > On Nov 3, 2019, at 2:32 PM, Philip Prindeville > wrote: > > What would be the downsize of having: > > my @hdrs = grep($uniq{$_}++, $pms->{msg}->get_header ($hdr)); > > instead and counting ALL instances of $hdr, not just the unique RHS

Re: HeaderEval::check_header_count_range() not working correctly?

2019-11-03 Thread Philip Prindeville
What would be the downsize of having: my @hdrs = grep($uniq{$_}++, $pms->{msg}->get_header ($hdr)); instead and counting ALL instances of $hdr, not just the unique RHS’s? > On Nov 3, 2019, at 1:51 PM, Philip Prindeville > wrote: > > Hi. > > I’m lookin

HeaderEval::check_header_count_range() not working correctly?

2019-11-03 Thread Philip Prindeville
Hi. I’m looking at: # Return true if the count of $hdr headers are within the given range sub check_header_count_range { my ($self, $pms, $hdr, $min, $max) = @_; my %uniq = (); my @hdrs = grep(!$uniq{$_}++, $pms->{msg}->get_header ($hdr)); return (scalar @hdrs >= $min && scalar @hdrs <=

OT: Issues w/ hughes.net not accepting messages?

2019-03-03 Thread Philip Prindeville
Has anyone else started seeing something similar in the last 2-3 weeks? Running /var/spool/mqueue/x22LrU1S006228 (sequence 1 of 2) ... Connecting to mx.hughes.net. via esmtp... 220 mx.hughes.net ESMTP >>> EHLO mail.redfish-solutions.com 250-mx01.hughes.cmh.synacor.com says EHLO to

check_header_count_range() for MIME sections?

2018-10-29 Thread Philip Prindeville
Hi. I’d like to be able to detect duplicated header types in MIME sections. I think you all have been seeing them too. Is there an easy way to see if a message contains any MIME sections where particular headers occur more than once? Thanks, -Philip

Re: Email address as fullname in To: field

2017-11-10 Thread Philip Prindeville
. Or, conversely, they could simply not put any full name field in at all and just use the raw email address… It’s like someone made the conscious decision to choose the worst of both worlds… > On Jul 13, 2017, at 11:49 AM, Philip Prindeville > <philipp_s...@redfish-solutions.com> wro

Email address as fullname in To: field

2017-07-13 Thread Philip Prindeville
I’m getting more and more email as: To: “joeb...@example.com” anyone know why there’s an increase in this? Did Exchange recently get broken so that it’s not populating the Addressbook properly? I noticed that even legitimate promotional mailers (like 1800petmeds.com) are

Re: Relitigating TB's behavior because of "villainous" SpamAssassin... hiss!

2017-02-12 Thread Philip Prindeville
> On Feb 12, 2017, at 4:53 PM, Philip Prindeville > <philipp_s...@redfish-solutions.com> wrote: > > What an incredible waste of time: > > https://bugzilla.mozilla.org/show_bug.cgi?id=417942#c19 > > I actually think I might be dialoging with a highly arg

Relitigating TB's behavior because of "villainous" SpamAssassin... hiss!

2017-02-12 Thread Philip Prindeville
What an incredible waste of time: https://bugzilla.mozilla.org/show_bug.cgi?id=417942#c19 I actually think I might be dialoging with a highly argumentative variant of Eliza. In which case, it’s passed the Turing Test.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

2017-02-08 Thread Philip Prindeville
Having been through the process of authoring 2 RFC’s, perhaps I can shed some light on the process for you. All proposed standards started life as draft RFC’s (this was before the days of IDEA’s but after the days of IEN’s). If it were validated by the working group and passed up to the IAB

Re: Uninitialized values in URIDNSBL

2017-02-08 Thread Philip Prindeville
> On Feb 3, 2017, at 6:04 PM, Kevin A. McGrail wrote: > > Re: 3.4.2 SA release > > Imminent. I'd like to start a push for a release, prioritizing bugs, etc. > > I've stepped up to be the Release Manager and I'm coordinating things at work > so I can dedicated time to the

Re: Uninitialized values in URIDNSBL

2017-02-03 Thread Philip Prindeville
> On Feb 2, 2017, at 5:06 PM, Reindl Harald <h.rei...@thelounge.net> wrote: > > > > Am 02.02.2017 um 23:41 schrieb Martin Gregorie: >> On Thu, 2017-02-02 at 15:23 -0700, Philip Prindeville wrote: >>> Anyone else seeing this? >>> >> Yes - in

Uninitialized values in URIDNSBL

2017-02-02 Thread Philip Prindeville
Anyone else seeing this? Feb 2 08:10:23 mail mimedefang.pl[13017]: helo: mailman2.scl3.mozilla.com (63.245.214.181:3844) said "helo mail.mozilla.org" Feb 2 08:10:23 mail sendmail[14852]: v12FAHm7014852: from=, size=4727,

Re: Omitting leading whitespace on headers?

2015-12-29 Thread Philip Prindeville
On Dec 29, 2015, at 2:14 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: > On 12/29/2015 3:46 PM, Philip Prindeville wrote: >> On Dec 29, 2015, at 1:42 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: >> >>> On 12/29/2015 3:38 PM, Philip Prindeville wrote:

Re: Omitting leading whitespace on headers?

2015-12-29 Thread Philip Prindeville
On Dec 29, 2015, at 1:42 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: > On 12/29/2015 3:38 PM, Philip Prindeville wrote: >> Is there a reason that headers are left with leading spaces? >> >> I’ve noticed that I have to write rules as: >> >> Su

Re: Omitting leading whitespace on headers?

2015-12-29 Thread Philip Prindeville
On Dec 29, 2015, at 2:39 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: > On 12/29/2015 4:29 PM, Philip Prindeville wrote: >> On Dec 29, 2015, at 2:14 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: >> >>> On 12/29/2015 3:46 PM, Philip Prindeville wrote: >

Re: Omitting leading whitespace on headers?

2015-12-29 Thread Philip Prindeville
On Dec 29, 2015, at 3:15 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote: > On 12/29/2015 5:12 PM, Philip Prindeville wrote: >> I did recall that I used the patch here: >> >> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6360#c4 >> >> to be able to

Omitting leading whitespace on headers?

2015-12-29 Thread Philip Prindeville
Is there a reason that headers are left with leading spaces? I’ve noticed that I have to write rules as: Subject =~ /^ Great [Jj]ob [Oo]pportunity/ because of the leading space… Given the text of RFC-2822: NO-WS-CTL = %d1-8 / ; US-ASCII control characters

Re: any reason not to block every Softlayer allocation?

2015-10-06 Thread Philip Prindeville
On Oct 5, 2015, at 10:57 PM, Noel Butler wrote: > On 06/10/2015 12:39, Jo Rhett wrote: > >> Sorry, let me restate: I know consequences of blocking large >> providers. I’m asking if others have found the same to be true, or if >> there is any reason to give SoftLayer

Re: tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville
On Sep 29, 2015, at 10:09 AM, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote: > Can you use something like: > > header __L_X_NO_RELAY exists:X-No-Relay > tflags __L_X_NO_RELAY multiple Actually, that should probably be bounded to somet

tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville
Can you use something like: header __L_X_NO_RELAY exists:X-No-Relay tflags __L_X_NO_RELAY multiple meta MULTIPLE_X_NO_RELAY __L_X_NO_RELAY >= 8 describe MULTIPLE_X_NO_RELAY Saw an inordinate number of X-No-Relay: headers score MULTIPLE_X_NO_RELAY 10.0 I

Re: tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville
On Sep 29, 2015, at 10:44 AM, John Hardin <jhar...@impsec.org> wrote: > On Tue, 29 Sep 2015, Philip Prindeville wrote: > >> Can you use something like: >> >> header __L_X_NO_RELAY exists:X-No-Relay > > Are you seeing empty X-No-Rela

The word on messages w/ no Message-Id

2015-09-28 Thread Philip Prindeville
I’m getting a lot of messages from head-hunters, my wife’s auto dealership, etc. that look like they’re being generated by legitimate [sic] email campaigns, but they don’t have a message-id. Since the message-id needs to be universally unique, the general guidelines are that it be generated by

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Philip Prindeville
On Sep 24, 2015, at 4:12 AM, Reindl Harald <h.rei...@thelounge.net> wrote: > > > Am 23.09.2015 um 19:24 schrieb Philip Prindeville: >> Stating facts here, not giving an opinion. Not sure what’s up for debate. >>> >>> if it is empty it's <&g

Re: Test for empty EnvelopeFrom

2015-09-23 Thread Philip Prindeville
On Sep 22, 2015, at 12:58 PM, Reindl Harald <h.rei...@thelounge.net> wrote: > > > Am 22.09.2015 um 19:43 schrieb Philip Prindeville: >> I’m using SA with MdF on Linux (Fedora 22). >> >> MdF generates the header “Return-Path: ” for me, so that should &

Re: Test for empty EnvelopeFrom

2015-09-23 Thread Philip Prindeville
On Sep 23, 2015, at 6:35 AM, RW <rwmailli...@googlemail.com> wrote: > On Tue, 22 Sep 2015 11:43:18 -0600 > Philip Prindeville wrote: > >> Hi. >> >> I’m using SA with MdF on Linux (Fedora 22). >> >> MdF generates the header “Return-Path: ”

Test for empty EnvelopeFrom

2015-09-22 Thread Philip Prindeville
Hi. I’m using SA with MdF on Linux (Fedora 22). MdF generates the header “Return-Path: ” for me, so that should be available to me in the rules. To test this, I wrote a couple of rules: header __L_EMPTY_SENDER EnvelopeFrom:addr !~ /./ header __L_MATCH_SENDER EnvelopeFrom:addr

Re: Must-Have Plugins?

2015-06-23 Thread Philip Prindeville
On 06/19/2015 01:07 PM, Dianne Skoll wrote: On Fri, 19 Jun 2015 12:51:28 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote: [stuff] With this, we avoid ever accepting about 98% of the SPAM that we’d otherwise receive. Really? 98%? I find that surprising. We get quite

Re: Must-Have Plugins?

2015-06-19 Thread Philip Prindeville
On Jun 19, 2015, at 2:35 PM, David Jones djo...@ena.com wrote: But I’m on a LOT of high volume mailing lists (like mozilla-general and netdev) that get heavily spammed. Filtering mailing lists is a slightly different ballgame than filtering regular email. Some of the items listed

Re: Must-Have Plugins?

2015-06-19 Thread Philip Prindeville
On 06/10/2015 04:34 AM, Amir Caspi wrote: On Jun 10, 2015, at 12:32 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: FEATURE(`block_bad_helo') define(`confALLOW_BOGUS_HELO', `False') Argh, unfortunately, that feature is only on sendmail 8.14 and higher, which means RHEL/CentOS 6 or

Re: Must-Have Plugins?

2015-06-19 Thread Philip Prindeville
On Jun 19, 2015, at 3:28 PM, David Jones djo...@ena.com wrote: From: Philip Prindeville philipp_s...@redfish-solutions.com Sent: Friday, June 19, 2015 3:53 PM To: David Jones Cc: users@spamassassin.apache.org Subject: Re: Must-Have Plugins? On Jun 19, 2015, at 2:35 PM, David Jones djo

.science the new leper of TLD's?

2015-06-19 Thread Philip Prindeville
No offense to lepers, but is .science to be avoided? I’ve had email this week from about 17 different .science domain names, and 13 were blocked because of ZenBL and the rest turned out to be SPAM anyway. I’m thinking that I should just refuse connections from any host whose rDNS is .science…

Re: Must-Have Plugins?

2015-06-19 Thread Philip Prindeville
On Jun 19, 2015, at 1:01 PM, David Jones djo...@ena.com wrote: From: Philip Prindeville philipp_s...@redfish-solutions.com On Jun 9, 2015, at 12:29 PM, John Hardin jhar...@impsec.org wrote: On Tue, 9 Jun 2015, David Jones wrote: Some of the best and easiest things you can enable

Re: Must-Have Plugins?

2015-06-19 Thread Philip Prindeville
On Jun 9, 2015, at 12:29 PM, John Hardin jhar...@impsec.org wrote: On Tue, 9 Jun 2015, David Jones wrote: Some of the best and easiest things you can enable to block spam are outside of SpamAssassin at your MTA (sendmail, postfix, etc.). - Enable greylisting. This is just about the only

Re: Can SpamAssasin convert UTF8 into ISO-8859-1?

2015-05-20 Thread Philip Prindeville
On Apr 15, 2015, at 7:07 PM, @lbutlr krem...@kreme.com wrote: On Apr 13, 2015, at 09:03, John Hardin jhar...@impsec.org wrote: The proper place for that sort of thing would be the tool that does final delivery to the user's mailbox. There is no proper place for that. No, it’s not. But

Testing SPF DKIM configurations

2015-05-20 Thread Philip Prindeville
Anyone know of a site that you can send an email to in order to test your SPF and/or DKIM configuration? I’ve set it up but every once in a while I get back weird messages about being blocked from certain sites and I’m wondering if something is wrong at my end or are they just misconfigured at

Re: SOUGHT 2.0

2014-12-05 Thread Philip Prindeville
On Dec 4, 2014, at 2:41 PM, Axb axb.li...@gmail.com wrote: On 12/04/2014 10:30 PM, Bob Proulx wrote: Axb wrote: It's been more than a month since my first SOUGHT 2.0 msg. A few have shown interest but as there hasn't been the flood of enthusiasm and stuff getting done which I hoped for so

Re: Honeypot email addresses

2014-12-04 Thread Philip Prindeville
On 11/21/2014 09:49 AM, David F. Skoll wrote: On Fri, 21 Nov 2014 08:43:22 -0800 (PST) John Hardin jhar...@impsec.org wrote: On a public mailing list isn't a great place to discuss such tactics... I suspect spammers are dumb and will just vacuum up any address they can find. Also, the

Re: Honeypot email addresses

2014-12-04 Thread Philip Prindeville
On 12/04/2014 05:32 AM, Reindl Harald wrote: Am 03.12.2014 um 23:56 schrieb Philip Prindeville: On 11/21/2014 09:49 AM, David F. Skoll wrote: On Fri, 21 Nov 2014 08:43:22 -0800 (PST) John Hardin jhar...@impsec.org wrote: On a public mailing list isn't a great place to discuss such tactics

Re: Honeypot email addresses

2014-12-04 Thread Philip Prindeville
On Dec 4, 2014, at 2:30 PM, Dave Pooser dave...@pooserville.com wrote: On 12/4/14, 3:10 PM, Philip Prindeville philipp_s...@redfish-solutions.com wrote: Not necessarily. If I post to a list with this address, and wait 60 days, I can assume that 99.999% of email that comes back after

Re: Give a penalty to messages with non latin UTF-8 characters?

2014-10-20 Thread Philip Prindeville
On Oct 17, 2014, at 9:53 AM, Michael Opdenacker michael.opdenac...@free-electrons.com wrote: On 09/01/2014 01:39 AM, LuKreme wrote: On 31 Aug 2014, at 14:38 , Ian Zimmerman i...@buug.org wrote: Doesn't ok_languages and ok_locales do the job? It does for me. Not with UTF-8 encoding, that

.link TLD spammer haven?

2014-10-13 Thread Philip Prindeville
Every connection I’ve gotten from a hostname resolving to *.link or saying helo *.link has been spam (I block the connections with MIMEDefang). Has anyone actually seen a legitimate email from a host in the .link TLD? I’ve seen (last week alone): bgo.blc-onlineconsumer140.link

Re: Googlasi, blacklotus, etc.

2014-10-02 Thread Philip Prindeville
BTW, I finally picked up the phone and spoke to support at Blacklotus (the ARIN PoC for abuse there gives bogus info) and discussed this with them. They refused to believe that a site offering: * weight loss meds * miracle cures for diabetes * tax-deductible window upgrades * Victoria’s Secret

Local URL blocking based on NS records?

2014-10-02 Thread Philip Prindeville
The issue we’ve been having with Blacklotus (self-appointed champions of everyone’s right to be on the internet, no matter how shady, is the impression I got from speaking to their sales department a while ago) has one commonality. All of the domains that resolve to 192.3.186.4 are registered

Re: Local URL blocking based on NS records?

2014-10-02 Thread Philip Prindeville
On Oct 2, 2014, at 12:56 PM, Reindl Harald h.rei...@thelounge.net wrote: Am 02.10.2014 um 20:50 schrieb Philip Prindeville: The issue we’ve been having with Blacklotus (self-appointed champions of everyone’s right to be on the internet, no matter how shady, is the impression I got from

Re: Local URL blocking based on NS records?

2014-10-02 Thread Philip Prindeville
On Oct 2, 2014, at 1:42 PM, Axb axb.li...@gmail.com wrote: On 10/02/2014 08:50 PM, Philip Prindeville wrote: The issue we’ve been having with Blacklotus (self-appointed champions of everyone’s right to be on the internet, no matter how shady, is the impression I got from speaking

Re: Local URL blocking based on NS records?

2014-10-02 Thread Philip Prindeville
On Oct 2, 2014, at 1:57 PM, Reindl Harald h.rei...@thelounge.net wrote: Am 02.10.2014 um 21:39 schrieb Robert Schetterer: not exact what you want , but may help too http://www.postfix.org/postconf.5.html check_recipient_ns_access type:table Search the specified access(5) database for

Googlasi, blacklotus, etc.

2014-09-30 Thread Philip Prindeville
I’m seeing spams like: http://pastebin.com/XXQrNURW Notice: * the message is almost always text/plain single part; * the only Received: line is the local one, even though it was received on port 25; * the message id contains the string be2aaf2163fd72c9975ec76b00288831, which seems to be a

Re: Googlasi, blacklotus, etc.

2014-09-30 Thread Philip Prindeville
On Sep 30, 2014, at 11:41 AM, David Jones djo...@ena.com wrote: From: Philip Prindeville philipp_s...@redfish-solutions.com Sent: Tuesday, September 30, 2014 12:30 PM To: SpamAssassin Subject: Googlasi, blacklotus, etc. I’m seeing spams like

Rule priority

2014-09-10 Thread Philip Prindeville
Is there a good discussion on how rule priority works, and short-circuited evaluation, etc? I must be looking in the wrong places because I can’t find much. I found register_method_priority() in ::Plugin but I wasn’t sure if that’s all there is… It only seems to be called in

Re: A rule for Phil

2014-09-04 Thread Philip Prindeville
On Sep 3, 2014, at 7:36 PM, Karsten Bräckelmann guent...@rudersport.de wrote: header __KAM_PHIL1 To =~ /phil\@example\.com/i header __KAM_PHIL2 Subject =~ /(?:CV|Curriculum)/i Bonus points for using non-matching grouping. But major deduction of points for that entirely un-anchored
