Re: SHTML file extension handling?

2024-03-12 Thread Raymond Dijkxhoorn via users
Hi! Loads of phishing is done that way. Having a shtml with a post command to whatever they want from you… usually banking/dhl … With kind regards, Raymond Dijkxhoorn > On 12 Mar 2024 at 20:37, Jared Hall via users > wrote the following: > > Is there a use case

Re: URIDNSBL full message checking

2023-02-06 Thread Raymond Dijkxhoorn via users
SURBL_MULTI_HDR Domain in email headers found in surbl multi And score accordingly. You could also check off reply-to/the from and so on separately. Have fun± Raymond Dijkxhoorn - SURBL

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Raymond Dijkxhoorn via users
Hi! Yes, I am running SA4 and have been for probably more than a year. What am I doing wrong that RBL checks wouldn't be checking the FQDN? Could be several reasons but will contact you offlist. uniabujaedung-my[.]sharepoint[.]com[.]multi[.]surbl[.]org has address 127.0.0.64 Meaning its

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Raymond Dijkxhoorn via users
Hello All, RBL checks for FQDN not just domains would be a good idea... >X-Spam-Status: No, score=1.102 tagged_above=-200 required=5 >tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, >DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,

Re: phishtank api usage from spamassassin ?

2022-08-25 Thread Raymond Dijkxhoorn via users
legit subdomains you definitely don’t want to block. With kind regards, Raymond Dijkxhoorn > On 26 Aug 2022 at 00:40, Benny Pedersen wrote the > following: > > Raymond Dijkxhoorn via users wrote on 2022-08-25 23:45: >> Benny, >> Sorry for the top p

Re: phishtank api usage from spamassassin ?

2022-08-25 Thread Raymond Dijkxhoorn via users
SURBL lookups will be done on the right level. With kind regards, Raymond Dijkxhoorn - SURBL > On 26 Aug 2022 at 02:47, Benny Pedersen wrote the > following: > > John Hardin wrote on 2022-08-26 02:32: >>> On Thu, 25 Aug 2022, Axb wrote: >>> On 8/25/

Re: phishtank api usage from spamassassin ?

2022-08-25 Thread Raymond Dijkxhoorn via users
for several of the datasources. With kind regards, Raymond Dijkxhoorn - SURBL > On 25 Aug 2022 at 23:27, Benny Pedersen wrote the > following: > > Axb wrote on 2022-08-25 17:48: >>> On 8/25/22 16:10, Benny Pedersen wrote: >>> https://phishtank.com/phi

Re: page.link spam

2021-11-02 Thread Raymond Dijkxhoorn
Hi! verified with spamassassin -D that this file is loaded. ...maybe because local.cf is parsed before URI rules are defined? There are over 500 page[.]link subdomains inside SURBL right now so if you run the latest code it's also having fixes to automatically lookup the subdomains of those.

Re: page.link spam

2021-10-31 Thread Raymond Dijkxhoorn
. (The mentioned page is also listed on SURBL) This has been ongoing for a few months now with page[.]link and not new unfortunately. If you see new ones (and not listed) feel free to send them over to me directly for listing. Thanks! Raymond Dijkxhoorn - SURBL

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Raymond Dijkxhoorn
, Raymond Dijkxhoorn > On 13 May 2021 at 00:12, Matthias Leisi wrote > the following: > > >> >> I would suggest to follow rfc’s. So return 127.0.0.1 for example. Or don’t >> answer at all. Deliberately giving ‘yes to any request’ is something I can >&

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Raymond Dijkxhoorn
Hi Benny, The operator of the specific rbl is doing this, on purpose. Can’t make it more clear than that. Dnssec would not add anything here. Thanks, Raymond Dijkxhoorn > On 13 May 2021 at 00:01, Benny Pedersen wrote the > following: > > On 2021-05-12 23:30, Raymon

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Raymond Dijkxhoorn
Hi Benny, It’s the authoritative nameserver giving that answer. With likely a view or acl response. So adding dnssec would not make much of a difference here. Thanks, Raymond Dijkxhoorn > On 12 May 2021 at 23:24, Benny Pedersen wrote the > following: > > On 2021

Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Raymond Dijkxhoorn
Hi! I would suggest to follow rfc’s. So return 127.0.0.1 for example. Or don’t answer at all. Deliberately giving ‘yes to any request’ is something I can understand you would do but it’s plain wrong. Thanks, Raymond Dijkxhoorn > Op 12 mei 2021 om 23:17 heeft Michael B Allen het volge

Re: DNS Blacklist wildcard query: distinguish IP v4/v6 to avoid false positives

2020-08-07 Thread Raymond Dijkxhoorn
Hi! I don't believe that use-case has been considered before. What does the rule you are using look like and I will double check? Not even sure why you want to add that with the asterisk there. Let's assume 2.0.0.0/24 is full of abusers and you decide to throw their whole /24

Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Raymond Dijkxhoorn
Hai! That isn't only Phishtank data... +1 and using that data in that particular way hardly scales to bigger setups data could be stored in DB_File just like GeoIP2, that saves ram imho Transferring the complete set over and over might now be the best way of doing the distribution of

Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Raymond Dijkxhoorn
Hai! I Tried GoogleSafeBrowsing but not helping much as it has very low detection ratio. is another reporting problem whatever that may mean if all phishes is reported to google then safebrowsing would be more useful FTR: GoogleSafeBrowsing is not free for all, anymore If i recall

Re: Freshdesk (again)

2020-07-07 Thread Raymond Dijkxhoorn
Ha! >We report abuse to many organisations, including, but not limited to companies like sendgrid. We are so tired of reporting abuse with no answer at all, that we stopped reporting problems time ago :-( as Marc Roos has said... we are not paid for it ! Understand completely.

RE: Freshdesk (again)

2020-07-07 Thread Raymond Dijkxhoorn
. We report abuse to many organisations, including, but not limited to companies like sendgrid. Raymond Dijkxhoorn - SURBL

Wildcarded lookups on SURBL

2020-07-07 Thread Raymond Dijkxhoorn
the system a lot i think. We list new abused subdomains daily and there should be no interaction on that with the users of the data IMHO. How could we get something like this into action? File a bug? Thanks! Raymond Dijkxhoorn - SURBL

Re: Freshdesk (again)

2020-07-07 Thread Raymond Dijkxhoorn
Hai! it might help to add your complaint via ab...@sendgrid.com. I very much doubt it. Sendgrid's business is sending mail and they do not care if that mail is spam or not. If enough servers block them they will go away. They do, however, apparently care about phishing - they did disable

Re: URI is counted two times

2020-03-28 Thread Raymond Dijkxhoorn
Hai! 1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist [URIs: techwrestle.com] 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist

Re: Coronavirus domains

2020-03-17 Thread Raymond Dijkxhoorn
Hai! Malwarepatrol has just released a list of 13,000+ domains related to coronavirus scams: https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.zip Anyone else have any rules or changes

Re: Coronavirus domains

2020-03-17 Thread Raymond Dijkxhoorn
utterly best to limit damage of people who try to exploit this as such. Thanks! Raymond Dijkxhoorn (SURBL)

Re: New URL shortener

2019-06-07 Thread Raymond Dijkxhoorn
was based on gudo from Karsten. SURBL maintains a separate list of shorteners. It has a little over 2040 entries... If that helps. Bye, Raymond Dijkxhoorn - SURBL

Re: Catching well directed spear phishing messages

2016-06-28 Thread Raymond Dijkxhoorn
Hai! I don't understand why they would match your spf record either. Are they sent out by an IP address you 'approved' ?? Thanks, Raymond Dijkxhoorn > On 28 Jun 2016 at 03:27, jdebert <jdeb...@garlic.com> wrote the > following: > > On Mon, 27 Jun 2016 18:41

Re: Phishtank and SpamAssassin

2015-08-11 Thread Raymond Dijkxhoorn
) that might be a good match for that problem but isn't available as a free product. More information can be requested offlist. Thanks, Raymond Dijkxhoorn, SURBL. On 11 Aug 2015 at 05:02, Sujit Acharyya-choudhury s.choudh...@bbk.ac.uk wrote the following: The URIBL_PH_SURBL

Re: KAM pccc URIBL questions

2013-10-07 Thread Raymond Dijkxhoorn
Hai! How about just cvent.com? I've uploaded the headers from one FP here: http://pastebin.com/UDuDcp4F How would another RBL handle a company that I have personally received evidence of spamming even if it causes FPs? Apparently none of the other RBLs consider it spam. Apparently other

Re: PreRBL with spamassasdon

2013-04-25 Thread Raymond Dijkxhoorn
Hai! Grin. Your MTA most likely supports RBL's. Thanks, Raymond Dijkxhoorn, Prolocation On 25 Apr 2013 at 21:09, Blason rock blaso...@gmail.com wrote the following: Hi folks, Curious to know if i can implement prerbl with SA? What i mean is with SA as soon as somebody

Re: PreRBL with spamassasdon

2013-04-25 Thread Raymond Dijkxhoorn
Hai! Since a couple of years they have something that's called google. :) The first hit on 'rbl and postfix' gives: http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html Thanks, Raymond Dijkxhoorn, Prolocation Op 25 apr. 2013 om 21:20 heeft Blason rock blaso

Re: [OT] RBLs

2012-02-01 Thread Raymond Dijkxhoorn
Hi! Just to follow up we have seen a huge decrease in the amount of SPAM received since we implemented the Invaluement RBLs. Overall spam volumes went down generally. So even without any RBL enabled you would notice this. Stats show this about anywhere. Just my 2 cents. Bye, Raymond.

Re: SURBL down ?

2011-12-19 Thread Raymond Dijkxhoorn
Hi! I am not able to lookup surbl In fact the domain surbl.org does not seem to exist at all. [root@pop2 bin]# dig surbl.org +short [root@pop2 bin]# I am sorry if this is old news .. I have no idea since when SURBL went down ? [raymond@noc ~]$ dig ns surbl.org ; DiG

Re: score based on a list of domains

2011-12-13 Thread Raymond Dijkxhoorn
Hi! Easiest way would be putting them inside a uribl. What's the reason to get on this list? Eg what policy? Thanks, Raymond Dijkxhoorn, Prolocation On 13 Dec 2011 at 08:54, Tom Kinghorn thomas.kingh...@gmail.com wrote the following: Good morning List. The nice guys

Re: TVD_SPACED_SUBJECT_WORD3

2011-02-18 Thread Raymond Dijkxhoorn
Hi! TVD_SPACED_SUBJECT_WORD3 is. http://spamassassin.apache.org/tests_3_2_x.html does not give a description. This rule bit me when sending a mail with the subject Re: MySQL. This rule can hit about anything. 72_active.cf:##{ TVD_SPACED_SUBJECT_WORD3 72_active.cf:header

Re: TVD_SPACED_SUBJECT_WORD3

2011-02-18 Thread Raymond Dijkxhoorn
Hi! TVD_SPACED_SUBJECT_WORD3 is. http://spamassassin.apache.org/tests_3_2_x.html does not give a This rule can hit about anything. As per the link I included I did see *what* the rule looks like. However, I would like to understand why it is there and what it is supposed to filter.

Re: TVD_SPACED_SUBJECT_WORD3

2011-02-18 Thread Raymond Dijkxhoorn
Hi! For the regexp challenged: This rule hits a subject with an optional Re: or Fw: followed by one word starting with at least one uppercase letter followed by at least one lowercase letter followed by at least one uppercase letter. It will not match if there are multiple words or any

Re: New plugin: DecodeShortURLs

2011-01-02 Thread Raymond Dijkxhoorn
Warren, It appears that under 1% of spam is abusing shortening redirectors.  ~40% of the shortening redirector spam has local-only spamassassin scores below the 5 point threshold.  We'll see next Saturday how it scores with all network rules. Could you please quote the old messages and not

Re: List of urls

2010-10-26 Thread Raymond Dijkxhoorn
Hi! Now i do like this : uri url_1 /www.domain1.com/ uri url_2 /www.domain2.com/ uri url_3 /www.domain3.com/ uri url_4 /www.domain4.com/ score url_1 10 score url_2 10 score url_3 10 score url_4 10 Isn't this a bit expensive? Report to SURBL or something and you get them added ;) (send a

Re: Blacklists Compared 17 October 2009

2010-04-07 Thread Raymond Dijkxhoorn
Hi! http://www.sdsc.edu/~jeff/spam/cbc.html It seems barracuda is still leading, but is that also everyone's experience? Can anyone provide details on how Jeff computed this information and is it as cut-and-dried as this makes it seem? IOW, barracuda, the free service, is better than all the

Re: Blacklists Compared 17 October 2009

2010-04-07 Thread Raymond Dijkxhoorn
Hi! Setup a blacklist blocking ANY ip and you are ranked #1 in this test. It's of no use at all IMHO. Yes, certainly, and I guess it was a loaded question of me to ask, because it was almost too obvious that I thought I was missing something. I don't think it's _completely_ useless though,

Re: The ninjas have left the building (was Re: [Sare-users] painting everybody in Taiwan with the same brush)

2010-01-31 Thread Raymond Dijkxhoorn
Hi! Also note that SARE Ninjas are long gone - see main page http://www.rulesemporium.com/. So nobody could fix those rules even if they thought it was a good idea (and at least some people are not convinced it is a bad idea); and even if the rules could be fixed, still at least half the world

Re: sa-update failing

2010-01-08 Thread Raymond Dijkxhoorn
Hi! Upgrade to SVN version this is an issue with RC1. It looks to me like one of the devs fixed the rule. I'm still running rc1, but the errors have disappeared. Ah okay perfect! Thanks, Raymond.

Re: Spamhaus and paid subscription

2010-01-07 Thread Raymond Dijkxhoorn
Hi! When I add this to override the URL SA uses, header RCVD_IN_PBL eval:check_rbl('pbl-lastexternal', 'subscriber_key.zen.dq.spamhaus.net.', '127.0.0.1[01]') I get this is my spam reporting, 0.9 RCVD_IN_PBLRBL: Received via a relay in Spamhaus PBL

Re: Spamhaus and paid subscription

2010-01-07 Thread Raymond Dijkxhoorn
Hi! Can't you do zone transfers? Then you can do away with the subscriber_key thing and have DNS resolve locally for spamhaus.org and not have to query their DNS servers. They sell datafeed and they sell queries, we bought queries. I do not believe they would think kindly on my trying a zone

Re: sa-update failing

2010-01-07 Thread Raymond Dijkxhoorn
Hi! config: failed to parse line, skipping, in /tmp/.spamassassin7365XWGL4Stmp/10_default_prefs.cf: clear_originating_ip_headers config: failed to parse line, skipping, in /tmp/.spamassassin7365XWGL4Stmp/10_default_prefs.cf: originating_ip_headers X-Yahoo-Post-IP X-Originating-IP

RE: [sa] Re: FH_DATE_PAST_20XX

2010-01-02 Thread Raymond Dijkxhoorn
Hi! somewhere in SA? should i enable special logging? or, should i check the MTA and it's assigns that deal with the header? The rule is probably also defined in some other file. Are you using 00_FVGT_File001.cf? If so check there. 00_FVGT_File001.cf is updated on the rulesemporium

Re: FP on blacklist hostkarma

2009-11-30 Thread Raymond Dijkxhoorn
Hi! I'm investigating it further but what appears is that the IP also failed to close the connection with a QUIT. OK, but it really is a legitimate mail server, so shouldn't be listed. So if you have a crappy connection towards your mailserver Marc you can get listed, that's rather funny,

Re: DNSBL Comparison 20091114

2009-11-15 Thread Raymond Dijkxhoorn
Hi! 27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL 19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK * 90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT 13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL * * It is clear that the two main blacklists are Spamhaus and BRBL. The Zen combination of Spamhaus zones is extremely

Re: Good reasons to dont use RBLs

2009-11-13 Thread Raymond Dijkxhoorn
Hi! Again me, Well, in the security scope i use a principle that states that you shouldn't use a lower layer solution to fix a higher one. So SPAM is a Layer 7 problem that is used to fixed with a Layer 3 solution (RBL). I'd like a brainstorm to convince that a RBL solution is not the best

Re: Good reasons to dont use RBLs

2009-11-13 Thread Raymond Dijkxhoorn
Hi! I reject the notion that spam is a L7 problem. It is more of a L8 problem... money. Warren Or L9, users. In the end :) Bye, Raymond.

Re: emails lost

2009-10-29 Thread Raymond Dijkxhoorn
Hi! Spamassassin doesn't delete mail. This is most likely an issue with the tools you use around it? MailScanner? Bye, Raymond. On Thu, 29 Oct 2009, Khaled Hussein wrote: Hi all, i am recently added saupdates.openprotect.com channel to my server but after that i am receiving complains from

Re: Constant Contact

2009-10-17 Thread Raymond Dijkxhoorn
Hi! One factor in scoring white list like mine is that different people have different definitions as to what is spam. And people have different values as to blocking spam at the expense of blocking good email. In my business if I block a good email it's worse than 100 spams getting through.

Re: .cn Oddity

2009-10-11 Thread Raymond Dijkxhoorn
Hi! 7263 T_CN_URL hits in 15517 spam corpus 7200 T_CN_8_URL hits in 15517 spam corpus Does this make any sense? This is funny. Could someone add this rule to the sandbox? I'm just curious. I have to admire one thing about spammers. They respond very rapidly to threats to their ability

Re: .cn Oddity

2009-10-11 Thread Raymond Dijkxhoorn
Hi! So I am quite aware of losing good rules. HOWEVER, as he found out WE keep the old rules and add new ones and his keyhole through which he could squeeze his spam decreased. It's still decreasing, although at a slower rate due to the relative inactivity of the SARE ninjas. Most Ninja's

Re: Harvested Fresh .cn URIBL

2009-10-07 Thread Raymond Dijkxhoorn
Hi Warren! It seems then the only way to feed a URIBL fresh .cn domains would be a spam trap. This proposed URIBL would be extremely easy to build on the infrastructure of existing trap-based DNSBL's like PSBL, HOSTKARMA or SEM. My own volume of spam is too small to do this. you haven't

Re: Harvested Fresh .cn URIBL

2009-10-07 Thread Raymond Dijkxhoorn
Hi! The other part of the problem is determining the age of a domain. The only way to do that absent a registrar feed is to do a whois query, which may or may not return the data you need, and which is considered abusive when automated and done often. It would be nice if Google could help

Re: Harvested Fresh .cn URIBL

2009-10-07 Thread Raymond Dijkxhoorn
Hi! How does that simplify the problem? The difficulty is in getting data about when a domain was created. I thought the problem was in getting data for recently created domains, not all domains. If it's a problem with all domains, this won't help at all. If you rely on whois data, and

Re: Hostkarma: to be or not to be in SA defaults

2009-09-30 Thread Raymond Dijkxhoorn
lists that are not up to the task yet). thanks for you time. Raymond Dijkxhoorn.

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn
Hi! No one has actually implemented the rules for my blacklists correctly. My lists support both IP and hostname lookups. The hostname assumes that you have forward confirmed the RDNS so that you eliminate those who might spoof. Most people copy/paste from your wiki, so if this is true ... i

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn
Hi! If that's so, then we probably want that in the spamassassin rule name. Your wiki page suggests JMF is the name. A number of people probably already configured their spamassassin using your suggested JMF rule names and they would need to be educated to remove it. How about these for

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn
Hi! header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1') describe RCVD_IN_JMF_W Sender listed in JMF-WHITE tflags RCVD_IN_JMF_W net nice score RCVD_IN_JMF_W -5 Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not only a

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn
Hi! Ouch, from your point of view it might be fine, but we see strange stuff with DNSWL already i certainly would not use this to shortcircuit things. What exactly is the strange stuff you see with DNSWL? Granted, I'm not processing millions of messages, only tens of thousands, but I'm not

Re: Understanding the hostKarma Lists

2009-09-29 Thread Raymond Dijkxhoorn
Hi! We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions

Re: Problems with high spam

2009-09-23 Thread Raymond Dijkxhoorn
Hi! Also consider the invaluement block lists, see http://dnsbl.invaluement.com/ A very, very good list that is usable for blocking. Not free, but very affordable. I don't like how involvement does their pricing structure, actually. Firstly, I don't feel comfortable telling a 3rd party how

Re: Hostkarma Blacklist Climbing the Charts

2009-07-10 Thread Raymond Dijkxhoorn
Hi! For what it's worth I'm now ahead of Barracuda on Jeff Makey's blacklist comparison chart. Not a scientific comparison but it's about all there is to compare blacklists. Now only abuseat.org and spamhaus have me beat. (apews doesn't count because they blacklist everything)

RE: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Raymond Dijkxhoorn
Hi! lets redefine how a url is in the first place ? www localhost localdomain www.localhost.localdomain one of them does not work :) spammers more or less just use the first one, so what ? It doesn't matter much if it works or not. Spam is not a message with urls that work. So it's ending

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Raymond Dijkxhoorn
Hi! Will users be ringing the helpdesk asking if the antispam system is broken when all this www space something dot ends up in their INBOX? Answer: you bet they do. in my webmail there is a SPAM and NOT SPAM link, so i dont have this problem If you have to press the 'SPAM' link you

Re: some URIBL accidentally listed .org?

2009-06-14 Thread Raymond Dijkxhoorn
Hi! http://log.perl.org/2009/06/email-issues-org-blocked-now-fixed.html anyone know what URIBL provider this was? Wouldn't we all have noticed if this would have been the case? Doesn't ring a bell here either, best to ask the guys who posted that? Bye, Raymond.

Re: New slew of spams

2009-06-05 Thread Raymond Dijkxhoorn
Hi! http://pastebin.com/m586e296c As you can see they tend to hit a couple of blacklists, but don't get a high enough score to be marked as spam. What do your SpamAssassin analyses give of this e-mail, and any tips as to how I can get these marked as spam? But; 93.5.36.134 listed in

Re: Possible FPs on FORGED_MUA_OUTLOOK

2009-05-22 Thread Raymond Dijkxhoorn
Hi! I'm seeing regular FPs against FORGED_MUA_OUTLOOK from one particular (legitimate) sender, and not really understanding the rule it's difficult to understand why or how to go about fixing it. Hmm, sounds familiar. we got so many that we set the score to 0.001 maybe a year ago.. I

Re: Possible FPs on FORGED_MUA_OUTLOOK

2009-05-22 Thread Raymond Dijkxhoorn
Hi! Hmm, sounds familiar. we got so many that we set the score to 0.001 maybe a year ago.. I think it's a combination of outlook xp and exchange 2003+ What i don't understand, i mean, i did the exact same thing. Why isn't it either removed from SA Update or downscored??? Because for many

Re: Possible FPs on FORGED_MUA_OUTLOOK

2009-05-22 Thread Raymond Dijkxhoorn
Hi! Honestly, I am sure I don't know /all/ he does for the community. To submit a bug of that type, you need to have access to samples, and per policy, he may not. He dumped it on others to provide the evidence, in Raymondish wording... but trust me, he's more that OK. Sorry for the

Re: DOB Lookup Timeouts

2009-05-06 Thread Raymond Dijkxhoorn
Hi! I wanted to ask if others were seeing timeouts with the DOB lookups within spamassassin. Also, it looks like their website http://www.support-intelligence.com/dob/ is timing out as well. Are others seeing this as well? I'm assuming most are zero'ing out the rule for the time being? We

Re: Almost no score

2009-05-01 Thread Raymond Dijkxhoorn
Hi! mimeheader DSL4DIG_PNG Content-Type =~ /name\=\DSL[0-9]{4}\.png\/ Looks like they've changed from DSL to DSC! I have a few with DSC in today's quarantine, but they were caught by BOTNET rules. Methinks its time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even

Re: Next Version of SA and New Rule Updates

2009-04-27 Thread Raymond Dijkxhoorn
Hi! Any Idea of when we will expect a new version of SA or new rule updates. We are getting hit pretty hard with Spam lately. Feel free to submit rules, don't just sit and wait. ;) Bye, Raymond.

Re: sa-compile

2009-04-16 Thread Raymond Dijkxhoorn
Hi! Normal sa-update sa-compile takes about 2 minutes here. If I add JM's sought rules it takes over 30 minutes. Here's another data point. With JM's sought and sought-fraud rules the compile takes less than 7 minutes on a server running an Intel Core 2 Duo running at 2.13 GHz. # time

Re: livejournal?

2009-04-10 Thread Raymond Dijkxhoorn
Hi! the presence of uridnsbl_skip_domain prevent it from being checked? And if so, how do I unskip that domain? no its just subdomain that might be blacklisted in url, and the domain is still whitelisted Spam including livejournal subdomains is just next episode after almost identical

Re: SA: TDV_ rules. T ? D? V? acronym ?

2009-04-08 Thread Raymond Dijkxhoorn
Hi! TVD_PH_SUBJ_ACCOUNTS_POST, TVD_QUAL_MEDS, TVD_RCVD_SINGLE What does TDV stand for? Theo Van Dinter Bye, Raymond.

Re: OpenDNS and Spamassassin

2009-04-03 Thread Raymond Dijkxhoorn
Hi! Personally I wouldn't use OpenDNS on a server (except maybe for squid). It's not a normal DNS server, it does things that are aimed at browsers like spelling correction, and redirecting failures to it's own web servers. The latter presumably breaks the NO_DNS_FOR_FROM test, and I wouldn't

Re: spam bots guessing mx???

2009-03-09 Thread Raymond Dijkxhoorn
Hi! Last week all worked as expected. The hundreds of spam droped to 0; until this weekend. Looking at the headers, mail is going directly to the mail.domain.tld even though it isn't listed as mx anywhere. Yeah, I've heard other stories of spam bots caching old MX records for months after

Re: Webmail spammers

2009-03-01 Thread Raymond Dijkxhoorn
Hi! We have some strong spam attacks done by combination of our webmail, viruses and open proxies. Situation is like this: Our outgoing SMTP server is open only for users from our IP addresses and is filtered for rest of the world. Our webmail interface is open to whole world as our users need

Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

2009-01-07 Thread Raymond Dijkxhoorn
Hi! Besides the DDOS issue, there's a privacy issue, which is messy with DNSBLs already. Nothing SA does should send network traffic to a place controlled by the mail sender. Checking a DNSBL for which there's some reason to believe they aren't underhanded is one thing, but fetching stuff

Re: Spam slipping through

2008-12-17 Thread Raymond Dijkxhoorn
Hi! steadyrelationships DOT com is currently blacklisted on ivmURI It was added to ivmURI at 12/16/2008, 6:31:03 PM EST (I think that time is before that spam arrived at your server, but double-check me on that) steadyrelationships .com is on SURBL lists: JP Bye, Raymond.

Re: remove SURBL rules

2008-12-16 Thread Raymond Dijkxhoorn
Hi! I would like to remove the SURBL lookups from our servers since they are no longer free (and their charges are unreasonable ) show links where this is stated or make a bug on it :) http://www.surbl.org/usage-policy.html So you have bigger message volume, this applies to many lists.

Re: SURBL Usage Policy change

2008-11-12 Thread Raymond Dijkxhoorn
Hi! Given this change in SURBL in policy and pricing, I would strongly suggest removing their rules from the SA rule base. Otherwise, you will likely get lots of complaints from users of systems that have embedded SA installs, or others who do not monitor this list. I can see many Barracuda

Re: URIBL_BLACK

2008-10-10 Thread Raymond Dijkxhoorn
Hi! I am very tempted to bump the score of it to 6.0 or higher, as it would drastically reduce spam, but I'd like to get any false positive feedback on doing that first. I haven't seen any so far, but I figure others must be doing this. meta URIBL_BLACK_ADJ (URIBL_BLACK) describe

Re: URIBL_BLACK

2008-10-10 Thread Raymond Dijkxhoorn
Hi! describe URIBL_BLACK_ADJ Meta: i trust uribl more :) score URIBL_BLACK_ADJ 1.5 that way you still benefit from score adjust on sa-rules Huh, why not simply: score URIBL_BLACK 6 Inside your local.cf? This is wasting CPU... ? also works, but when sa-rules change the score you did not

RE: dsbl.org down for good

2008-09-27 Thread Raymond Dijkxhoorn
Hi! So what is your point Raymond? That we are end users should find out every external subsystem call and document it and search for and get on lists that may or may not exist let alone email us if their baby fails and bites the dust? You expect the same from the other people on this dont

Re: dsbl.org down for good

2008-09-26 Thread Raymond Dijkxhoorn
Hi! If dsbl has been down for awhile, since around June, why hasn't it been removed from the configuration via sa-update before now? That's one of the purposes of sa-update. Yeah ... i would file a complaint with your local sales droid. ;) I guess since nobody bothered to open a ticket

RE: dsbl.org down for good

2008-09-26 Thread Raymond Dijkxhoorn
Hi! When people design and build a system(s) of any type, there should be checks and balances designed in that can check and see if sub parts of the systems (or called by the system(s)) are broken or disappeared or what have you so that allowances / changes can be made in a quicker, more

Re: Yum Failure with mirrors unavailable

2008-08-17 Thread Raymond Dijkxhoorn
Hi! unname -a results in : Linux .Domain.com 2.6.25.10-47.fc8 #1 SMP Mon Jul 7 18:31:41 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux When I tried to do so manually with the command : yum update I receive the follow error message: Determining fastest mirrors Could not retrieve mirrorlist

Re: Fwd: Attn: webmail Subscriber

2008-08-15 Thread Raymond Dijkxhoorn
Hi! maybe i'm misinterpreting the headers, but this message actually looks like it has been sent by this mailinglist. yeah, sorry about that. I accidentally moderated it through. I assume subscribers to the SpamAssassin users list know that it's spam, though ;) ROFL ... SA list, of all

Re: DNS Tests not always getting done

2008-07-20 Thread Raymond Dijkxhoorn
Hi! I was actually thinking the same thing about configuring SA to use a different resolver, but could not find such a configuration option. What is the generally approved way to disable individual RBL checks? I can easily disable all of them, but I haven't figured out how to disable

Re: DNS Tests not always getting done

2008-07-20 Thread Raymond Dijkxhoorn
Hi! But I want to stop the test from even being done at all. I guess I should have included more of the previous post. Sorry :( Just score the tests you want to disable 0. Same answer, just score them 0. Bye, Raymond.

Re: Being Buried In Returned Email - Need To Mark Certain IPs

2008-06-29 Thread Raymond Dijkxhoorn
Hi! i.e.: All the messages contain the following line somewhere within: Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193]) I can't figure out how to mark any messages that originally sourced from that IP so that that can be dropped by Procmail (that approach would appears to

Re: Being Buried In Returned Email - Need To Mark Certain IPs

2008-06-29 Thread Raymond Dijkxhoorn
Hi! And exactly why don't you block those on your MTA? Bit waste on CPU cycles like this... first process then, and then trash it anyway. Well, mostly because I don't have any idea how to do so at the MTA level and also I would think it would be harder to add other offending IPs in the

Re: Being Buried In Returned Email - Need To Mark Certain IPs

2008-06-29 Thread Raymond Dijkxhoorn
Hi! You can even drop the IP with a route command. Do: route add -host ip reject Not if the IP address you want to block is several MTA relay hops removed from you. Ok. I think i missed that ;) Bye, Raymond.

Re: EMERGENCY RULE: porntube redirect

2008-06-19 Thread Raymond Dijkxhoorn
Hi! Message-id: Q0150625piByoZfn/[EMAIL PROTECTED] Message-id: N7556814WYcmtrMl/[EMAIL PROTECTED] Message-id: P5195955SYbtbcft/[EMAIL PROTECTED] Message-id: P2384398XFKSgzjs/[EMAIL PROTECTED] also, odd spaces: Date: Thu, 19 Jun 2008 17:04:32 +0200 Date: Thu, 19 Jun 2008 18:03:54 +0300

Re: dsbl.org dying?

2008-05-21 Thread Raymond Dijkxhoorn
Hi! dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. We had errors in our monitoring system also due to this last night. The test point was invalid. (2.0.0.127). But i could not reach the site either so... Most likely Ian will respond to

Re: False Negatives

2008-04-16 Thread Raymond Dijkxhoorn
Hi! I'm running 3.2.4 with SARE, sought, and Botnet. We don't use bayes. Here are some samples of messages that have got through: http://pastebin.com/m16055c85 http://pastebin.com/m52635526 http://pastebin.com/m491c4882 http://pastebin.com/m7c1240f2 I get a HTTP/1.1 404 Not Found on all

Re: SARE stock

2008-03-29 Thread Raymond Dijkxhoorn
Hi! similar to ISBN) I just got an order confirmation from a music book store with a pretty high score Easy fix: In local.cf score SARE_PROLOSTOCK_SYM3 0 And we will update the rule also, in my local version of the rule i could not even find that string, so it might be a SARE update on
