Re: Recommendations for ASF SA Implementation

2015-03-17 Thread Reindl Harald
Am 17.03.2015 um 22:16 schrieb Kevin A. McGrail: So I'd like any input you might have, on or off list. Here's some questions I believe will help guide things: Q1 - What is the best glue for SA for Postfix that does the following: - can implement clamav before SA call postfix does that out-o

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-16 Thread Reindl Harald
Am 16.03.2015 um 19:24 schrieb Robert Schetterer: Am 16.03.2015 um 18:33 schrieb Reindl Harald: Am 16.03.2015 um 18:19 schrieb Matus UHLAR - fantomas: On 16.03.15 00:59, Jude DaShiell wrote: I have been getting large spam messages for several years on one of my accounts. Since spamassassin

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-16 Thread Reindl Harald
Am 16.03.2015 um 18:19 schrieb Matus UHLAR - fantomas: On 16.03.15 00:59, Jude DaShiell wrote: I have been getting large spam messages for several years on one of my accounts. Since spamassassin cannot handle them, my only recourse are procmail recipes. spamassassin CAN handle them. I have

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-16 Thread Reindl Harald
Am 16.03.2015 um 03:43 schrieb Dave Warren: On 2015-03-15 17:26, Reindl Harald wrote: Am 16.03.2015 um 01:23 schrieb Dave Warren: On 2015-03-15 15:01, Reindl Harald wrote: surely, only 5% of incoming spam attempts make it to spamassassin / clamav here, but you need to keep in mind the

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 16.03.2015 um 01:23 schrieb Dave Warren: On 2015-03-15 15:01, Reindl Harald wrote: surely, only 5% of incoming spam attempts make it to spamassassin / clamav here, but you need to keep in mind the amount of your regular ham messages in your mailflow which unconditionally touch the content

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 22:19 schrieb Robert Schetterer: hypothetical... spam tagging by spamassassin is "expensive" by design so it should be the last step in a long chain of different "antispam" features mostly i.e postscreen, clamav-milter, greylisting, rbl filtering, spf dkim dmarc checks surel

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 21:12 schrieb Axb: On 03/15/2015 09:00 PM, Reindl Harald wrote: that could be even a sloppy implementation just truncate after XX bytes and analyze the remaining piece to keep that part simple and fast - at the end it would improve the result with as less as possible overhead

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 20:35 schrieb Axb: On 03/15/2015 08:22 PM, Reindl Harald wrote: Am 15.03.2015 um 19:50 schrieb Martin Gregorie: On Sun, 2015-03-15 at 19:23 +0100, Reindl Harald wrote: Am 15.03.2015 um 19:15 schrieb Axb: true but if the glue (spamass-milter) would truncate the message it

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 19:50 schrieb Martin Gregorie: On Sun, 2015-03-15 at 19:23 +0100, Reindl Harald wrote: Am 15.03.2015 um 19:15 schrieb Axb: true but if the glue (spamass-milter) would truncate the message it passes to spamc it would get back that truncated message with the added headers

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 19:15 schrieb Axb: On 03/15/2015 07:09 PM, Reindl Harald wrote: Am 15.03.2015 um 19:03 schrieb Axb: On 03/15/2015 06:49 PM, Robert Schetterer wrote: Am 15.03.2015 um 18:32 schrieb Robert Schetterer: tagging is allowed, rejecting is nice but not a must have if you like

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 19:03 schrieb Axb: On 03/15/2015 06:49 PM, Robert Schetterer wrote: Am 15.03.2015 um 18:32 schrieb Robert Schetterer: tagging is allowed, rejecting is nice but not a must have if you like reject try working in milter chaining with milter-manager http://milter-manager.sourcef

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 15.03.2015 um 17:24 schrieb Robert Schetterer: Am 15.03.2015 um 12:05 schrieb Reindl Harald: Am 14.03.2015 um 20:17 schrieb Robert Schetterer: Am 14.03.2015 um 18:11 schrieb Reindl Harald: nobody but talks about cut content we talk about how to pass only a part to spamassassin instead

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-15 Thread Reindl Harald
Am 14.03.2015 um 20:17 schrieb Robert Schetterer: Am 14.03.2015 um 18:11 schrieb Reindl Harald: nobody but talks about cut content we talk about how to pass only a part to spamassassin instead skip large messages entirely which in many case would be enough to detect a message as spam because

Re: Which milter do you prefer?

2015-03-14 Thread Reindl Harald
Am 14.03.2015 um 18:27 schrieb Kevin A. McGrail: On 3/14/2015 12:08 PM, Reindl Harald wrote: how do you truncate messages for the scan? I use MD and pass the load average for the box to the milter. From there, depending on the load average, I chop large messages to be smaller and send them

Re: Handling very large messages (was Re: Which milter do you prefer?)

2015-03-14 Thread Reindl Harald
Am 14.03.2015 um 18:01 schrieb Robert Schetterer: Am 14.03.2015 um 17:55 schrieb David F. Skoll: On Sat, 14 Mar 2015 17:08:50 +0100 Reindl Harald wrote: Am 14.03.2015 um 17:00 schrieb Kevin A. McGrail: On 3/14/2015 1:14 AM, David B Funk wrote: truncating a large message and only passing

Re: Which milter do you prefer?

2015-03-14 Thread Reindl Harald
Am 14.03.2015 um 17:00 schrieb Kevin A. McGrail: On 3/14/2015 1:14 AM, David B Funk wrote: truncating a large message and only passing the first N-KB to SA. As that involves munging MIME headers it has to be done inside the milter. I just truncate the message hard and it generally works bett

Re: Which milter do you prefer?

2015-03-14 Thread Reindl Harald
Am 14.03.2015 um 14:08 schrieb sha...@shanew.net: On Fri, 13 Mar 2015, David B Funk wrote: Looking at the source for spamass-milter it looks like they're taking the "-p socket" argument and passing it directly to smfi_setconn so you should be able to give an INET socket address if you use the

Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald
ore SA are rejected with way higher scores tagging between 5.5 and 7.9 and per day there are 10-15 messages tagged the rest has a BAYES_00 and/or is backed by DNSWL scoring On 12 March 2015 at 12:10, Reindl Harald wrote: please don't top post Am 12.03.2015 um 13:06 schrieb Sujit Acharyya-choud

Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 23:06 schrieb Rick Hantz (TirNanOg): In my user_prefs file, I have: (see resulting header below) whitelist_from mailto:*@sailthru.com whitelist_from mailto:*@e.washingtonpost.com Do I also need whitelist_from mailto:*@*.sailthru.com ? Return-path: i guess all that "mai

Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 21:23 schrieb @lbutlr: On Mar 12, 2015, at 2:07 PM, @lbutlr wrote: But it was NOT a junk mail from yahoo, it was a message from my brother’s yahoo account that said only “Kill it”. > Just in case I am misinterpreting something here…. Mar 11 22:28:33 mail postfix/smtpd[793

Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 19:23 schrieb Rick Hantz (TirNanOg): My mail is hosted on Lunarpages.com on my own domain. I train SpamAssassin frequently. However, I get hundreds of spam messages daily (500-700). This is an old public account that I need to maintain, otherwise I’d delete it. After a while

Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald
of forwardings from different mail services all having their own spamfilter and at the end of the day it turns out they are indeed spam -Original Message----- From: Reindl Harald [mailto:h.rei...@thelounge.net] Sent: 12 March 2015 11:51 To: users@spamassassin.apache.org Subject: Re: is spama

Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 12:40 schrieb Sujit Acharyya-choudhury: We are using MessageLabs for our most of our inward mails. However, we also get mails from other places as well. In order to get rid of spam, we have installed the latest version of spamassassin, which is set to reject any mail at smtp

Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 05:52 schrieb @lbutlr: On 11 Mar 2015, at 22:45 , @lbutlr wrote: $ grep 3l2cbk5MbNzJMhn /var/log/maillog Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242] Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk

Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald
Am 12.03.2015 um 05:45 schrieb @lbutlr: $ grep 3l2cbk5MbNzJMhn /var/log/maillog Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242] Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: message-id=<2c89470b-6522-413d-813b

Re: Improve spam hit rate

2015-03-12 Thread Reindl Harald
Am 10.03.2015 um 18:29 schrieb Lorenzo Thurman: I have these messages in a paste: http://pastebin.com/jNQfRerx. They were received about 1 1/2 hours apart. After I received the first one, I ran sudo sa-learn --spam /path/to/mail/folder against it and then sudo sa-learn --sync. spamassassin reported

Re: bayes expire

2015-03-11 Thread Reindl Harald
Am 11.03.2015 um 19:53 schrieb @lbutlr: Non-token data: last expire time delta and last expire reduction count are currently 0. What is the time before these fields might start to see data? 0.000 0 3 0 non-token data: bayes db version 0.000 0 2928

Re: questions about the internal bayes-storage

2015-03-11 Thread Reindl Harald
Am 11.03.2015 um 13:25 schrieb Reindl Harald: Am 11.03.2015 um 13:20 schrieb RW: On Wed, 11 Mar 2015 12:49:55 +0100 Reindl Harald wrote: "sa-learn --backup" looks like the tokens are stored as CRC32 which (in case if i am right) brings the question which software / library / impl

Re: questions about the internal bayes-storage

2015-03-11 Thread Reindl Harald
Am 11.03.2015 um 13:20 schrieb RW: On Wed, 11 Mar 2015 12:49:55 +0100 Reindl Harald wrote: "sa-learn --backup" looks like the tokens are stored as CRC32 which (in case if i am right) brings the question which software / library / implementation does the checksums It's trun

questions about the internal bayes-storage

2015-03-11 Thread Reindl Harald
"sa-learn --backup" looks like the tokens are stored as CRC32 which (in case if i am right) brings the question which software / library / implementation does the checksums i recently faced that message after upgrade to MariaDB 10 150311 8:38:01 [Note] InnoDB: Using CPU crc32 instructions loo

Re: Chain content filters in Postfix

2015-03-10 Thread Reindl Harald
Am 10.03.2015 um 23:39 schrieb Roger Walters: Hello, I have my Postfix configured so smtp is filtered by SpamAssassin: smtp inet n - - - - smtpd -o content_filter=spamassassin spamassassin unix - n n - - pipe user

Re: spamc --full don't work

2015-03-10 Thread Reindl Harald
wrote: On 3/5/2015 1:01 PM, Reindl Harald wrote: according to spamc --help "-R" and "--full" is the same in fact in case of a ham-message only -R works as expected --full behaves identical to --full-spam -r, --full-spam Print full report for messages identified as spam.

Re: Bogus day old domains from RRPPROXY.NET

2015-03-10 Thread Reindl Harald
Am 10.03.2015 um 23:01 schrieb Kevin Miller: -Original Message- From: Kevin A. McGrail [mailto:kmcgr...@pccc.com] Sent: Tuesday, March 10, 2015 1:31 PM To: Kevin Miller; users@spamassassin.apache.org Subject: Re: Bogus day old domains from RRPPROXY.NET On 2/19/2015 2:50 PM, Kevin Mille

Re: crm114 usage

2015-03-09 Thread Reindl Harald
Am 09.03.2015 um 22:57 schrieb Quanah Gibson-Mount: --On Monday, March 09, 2015 11:04 PM +0100 Axb wrote: On 03/09/2015 08:00 PM, Quanah Gibson-Mount wrote: Is anyone using crm114 still these days for scoring with in SpamAssassin? If so, does it seem to be an additional effective tool in h

Re: spamc --full don't work

2015-03-05 Thread Reindl Harald
Am 05.03.2015 um 22:24 schrieb Kevin A. McGrail: On 3/5/2015 4:20 PM, Reindl Harald wrote: my problem is that it don't output anything while -R does and in case of spam it would - so '--full; behaves *identical* to -r instead to -R I've already agreed there is an issue i kn

Re: spamc --full don't work

2015-03-05 Thread Reindl Harald
Am 05.03.2015 um 21:34 schrieb RW: On Thu, 05 Mar 2015 14:08:14 -0500 Kevin A. McGrail wrote: On 3/5/2015 1:01 PM, Reindl Harald wrote: according to spamc --help "-R" and "--full" is the same in fact in case of a ham-message only -R works as expected --full behaves iden

spamc --full don't work

2015-03-05 Thread Reindl Harald
according to spamc --help "-R" and "--full" is the same in fact in case of a ham-message only -R works as expected --full behaves identical to --full-spam -r, --full-spam Print full report for messages identified as spam. -R, --full Print full report for all messages.

Re: disable all tests except bayes

2015-03-05 Thread Reindl Harald
Am 05.03.2015 um 15:25 schrieb users@spamassassin.apache.org: Am 05.03.2015 15:18, schrieb Reindl Harald: and *how* to disable a plugin? Just comment them out in the *.pre files in your config directory that's it - thanks! the service i started with systemd as unprivileged user wi

Re: disable all tests except bayes

2015-03-05 Thread Reindl Harald
from @INC Mär 5 15:13:34.550 [6626] dbg: plugin: loading Mail::SpamAssassin::Plugin::AskDNS from @INC On 5 March 2015 at 14:38, Reindl Harald wrote: is there a way to disable *all* tests except bayes without list a bazillion "score TEST 0"? the idea is a separate spamd ins

disable all tests except bayes

2015-03-05 Thread Reindl Harald
is there a way to disable *all* tests except bayes without list a bazillion "score TEST 0"? the idea is a separate spamd instance with '--siteconfigpath=' for automated classification tests of the whole spam/ham corpus with "spamc -s 2000 --port=10029 < sample.eml", parse out the bayes res

Re: Bayes learning for legitimate users

2015-03-04 Thread Reindl Harald
Am 04.03.2015 um 19:57 schrieb Matus UHLAR - fantomas: On Wed, 04 Mar 2015 13:35:55 +0100 Filip Havlíček wrote: I would like to ask you, how can I *allow **only **legitimate* email addresses (existing users) for bayes learning? On 04.03.15 14:37, RW wrote: Why send them through SpamAssassin

Re: SA 3.3, Debian and *BL...

2015-03-04 Thread Reindl Harald
Am 04.03.2015 um 18:46 schrieb Marco Gaiarin: mar 4 18:26:15.655 [21702] dbg: dns: NS lookup of 172.0.0.1 using 127.0.0.1 failed, no results found ?! why try to resolve localhost with localhost? because any sane configured nameserver has to respond? https://www.ietf.org/rfc/rfc1912.txt Co

Re: Bayes learning for legitimate users

2015-03-04 Thread Reindl Harald
amassassin/ no idea what "bayes_vars" is Dne 4.3.2015 v 13:45 Reindl Harald napsal(a): Am 04.03.2015 um 13:35 schrieb Filip Havlíček: I would like to ask you, how can I *allow **only **legitimate* email addresses (existing users) for bayes learning? Table bayes_token grow up to

Re: Bayes learning for legitimate users

2015-03-04 Thread Reindl Harald
Am 04.03.2015 um 13:35 schrieb Filip Havlíček: I would like to ask you, how can I *allow **only **legitimate* email addresses (existing users) for bayes learning? Table bayes_token grow up to 0,5GB right now, because there are thousands of unknown email addresses like: a...@hotmail.com ablewi.

Re: DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received

2015-03-01 Thread Reindl Harald
Am 01.03.2015 um 14:23 schrieb Tom Hendrikx: On 01-03-15 14:13, Reindl Harald wrote: looks like the timezone is not considered properly DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received Received: Sun, 1 Mar 2015 13:49:40 +0100 (CET) Date: Sun, 01 Mar 2015 10:32:11 +0200 13:49

DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received

2015-03-01 Thread Reindl Harald
looks like the timezone is not considered properly DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received Received: Sun, 1 Mar 2015 13:49:40 +0100 (CET) Date: Sun, 01 Mar 2015 10:32:11 +0200

Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Reindl Harald
Am 28.02.2015 um 16:53 schrieb Ian Zimmerman: On Sat, 28 Feb 2015 13:37:29 +0100, Mark Martinec wrote: Ian> trusted_networks 198.1.2.3/32 Ian> [...lots snipped...] Ian> whitelist_from_rcvd *@wetransfer.com *.wetransfer.com Mark> It seems the: Mark> Received: (from itz@localhost) Mark> by mya

Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Reindl Harald
Am 27.02.2015 um 22:11 schrieb Ian Zimmerman: Header of test message, massaged for privacy, is here: http://pastebin.com/EV6g15aN I have this in user_prefs: trusted_networks 198.1.2.3/32 [...lots snipped...] whitelist_from_rcvd *@wetransfer.com *.wetransfer.com Why is the whitelist n

Re: Custom Rule

2015-02-26 Thread Reindl Harald
Am 26.02.2015 um 17:58 schrieb Peter Fraser: Hi All I am completely new to writing rules in Spamassassin and would love some help. I have a Domain called say domain.com and of course if anyone sends mail from outside the domain addressed as coming from u...@domain.com

Re: pyzor false positives?

2015-02-26 Thread Reindl Harald
Am 26.02.2015 um 14:01 schrieb Axb: On 02/26/2015 01:26 PM, Reindl Harald wrote: i just started to play with "pyzor" according to https://wiki.apache.org/spamassassin/UsingPyzor which seems to work fine in general *but* i recently got an offer with two lines text, a footer.logo

pyzor false positives?

2015-02-26 Thread Reindl Harald
Hi i just started to play with "pyzor" according to https://wiki.apache.org/spamassassin/UsingPyzor which seems to work fine in general *but* i recently got an offer with two lines text, a footer.logo and a PDF attachment as well as a twitter-notify flagged with PYZOR_CHECK which makes me w

Re: Lots of Polish spam

2015-02-25 Thread Reindl Harald
Am 25.02.2015 um 23:23 schrieb Yves Goergen: Am 25.02.2015 um 23:04 schrieb Dave Warren: I second this. Either go all the way, or don't do it, it's worse to leave users with a false sense of security. A mentality of "The virus scanner says it's safe, so it won't do any harm" is exceedingly dang

Re: Lots of Polish spam

2015-02-25 Thread Reindl Harald
Am 25.02.2015 um 23:15 schrieb Yves Goergen: Am 25.02.2015 um 20:42 schrieb Bill Cole: On 24 Feb 2015, at 17:06, Yves Goergen wrote: I can't block all archives with executable files in them. Then in all seriousness: why bother filtering email specifically for malware? Email is an inherently

Re: Forex spam from botnet

2015-02-25 Thread Reindl Harald
Am 25.02.2015 um 19:27 schrieb Benny Pedersen: On February 25, 2015 7:22:40 PM John Hardin wrote: That risks whack-a-mole. Are all of the spams referencing the same host, and is that host *not* already hitting URIBL_BLACK? i long time dropped uribl_black since so much spam is not listed, se

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 25.02.2015 um 00:56 schrieb Alex Regan: Sophos reports it as Troj/Tinba-O, like most others on virustotal.com ClamAV does not detect anything suspicious. I really thought clamav was much better. Can you recommend a antivirus other than Sophos that works well with Linux/Fedora? Sophos is a

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 23:39 schrieb LuKreme: On Feb 24, 2015, at 15:24, Axb wrote: *.pdf.zip is a dangerous one to block on sight - FP risk is huge Really? I've never seen a .pdf.zip that was legitimate and i sent hundreds which were by just right click on the pdf and chose "add to zip archiv

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 23:18 schrieb John Hardin: On Tue, 24 Feb 2015, Alex Regan wrote: Does anyone know/think it would be a good idea to add ".pdf.zip" to the mime types reject list? Has anyone seen a real example that wasn't a virus? Pretty much *any* double-extension filename is suspect on W

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 22:56 schrieb Yves Goergen: Last but not least, get your Bayes setup running and it will give you the extra edge. I once had Bayes enabled, but since it's an unattended server system, it can only learn from itself. And that had worked really bad in the past. So I disabled it c

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 23:06 schrieb Yves Goergen: Am 24.02.2015 um 22:42 schrieb Axb: ClamAV has become a framework... and atm, you can open a a bottle of bubbly if the official sigs actually detect anything. Oh great. Now that I've finally set up ClamAV on the server, it's useless? At least it c

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 22:49 schrieb Alex Regan: for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messa

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 19:15 schrieb Yves Goergen: Am 24.02.2015 um 19:02 schrieb Reindl Harald: RBL's long before the contentfilter! Do you mean to reject messages as soon as a single RBL triggers it? That's definitely not what I want to do! I've had way too much trouble with ot

Re: Lots of Polish spam

2015-02-24 Thread Reindl Harald
Am 24.02.2015 um 18:58 schrieb Yves Goergen: Am 24.02.2015 um 18:39 schrieb Jeremy McSpadden: Usually scores are 6 low 10 high. Are you running any RBLs ? I have the default settings plus the attached custom configuration. There are several RBLs among them RBL's long before the contentfilte

Re: Quick question about training...

2015-02-22 Thread Reindl Harald
Am 23.02.2015 um 00:11 schrieb RW: On Fri, 20 Feb 2015 21:36:38 +0100 Reindl Harald wrote: And I'd suggest the same for non-spam, train duplicative ham even if it happens to be similarly addressed to different users. More data is (nearly) always better for bayesian learning systems

Re: bayes eval error

2015-02-22 Thread Reindl Harald
Am 22.02.2015 um 22:31 schrieb @lbutlr: On 22 Feb 2015, at 07:56 , Reindl Harald wrote: Am 22.02.2015 um 15:49 schrieb @lbutlr: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create lockfile /home/kreme/.spamassassin/bayes.mutex: Permission denied (And yes, that is

Re: bayes eval error

2015-02-22 Thread Reindl Harald
Am 22.02.2015 um 15:49 schrieb @lbutlr: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create lockfile /home/kreme/.spamassassin/bayes.mutex: Permission denied (And yes, that is correct, the spamassassin files in user’s home are not world read/writ) disable autolearning an

Re: Uptick in spam (bayes stats script)

2015-02-22 Thread Reindl Harald
Am 22.02.2015 um 15:30 schrieb @lbutlr: On 21 Feb 2015, at 08:34 , LuKreme wrote: On Feb 18, 2015, at 6:20 AM, Reindl Harald wrote: That is a lot cleaner and more obvious, thank you for sharing I ran this just after log rotation and got div by zero errors, so here is a (nearly

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Reindl Harald
Am 22.02.2015 um 02:33 schrieb Nick Edwards: On 2/22/15, Benny Pedersen wrote: Axb skrev den 2015-02-21 12:09: DOH! - need more coffee... whisky free ? :-) when corresponding with reindl, you need whiskey, just to tolerate his rhetoric re-read the thread - that above had nothing to do

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Reindl Harald
Am 22.02.2015 um 02:48 schrieb Dave Pooser: On 2/21/15 7:31 PM, "Nick Edwards" wrote: Plenty appreciate your work, dont worry about $INDIVIDUAL, that $EXPLETIVE I'm not a moderator or anything, but this kind of personal attack is neither necessary nor appropriate here, IMO typical Nick Ed

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Reindl Harald
Am 21.02.2015 um 16:26 schrieb Axb: On 02/21/2015 04:04 PM, Jim Popovitch wrote: On Sat, Feb 21, 2015 at 9:35 AM, Axb wrote: Many moons ago, obviously before you started using SA, what you *now* consider "dynamic", was very static with less than than handfull of changes /release. There's s

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Reindl Harald
Am 21.02.2015 um 15:01 schrieb Axb: On 02/21/2015 02:57 PM, Reindl Harald wrote: Am 21.02.2015 um 11:17 schrieb Axb: I just updated "RegistrarBoundaries.pm" to reflect http://data.iana.org/TLD/tlds-alpha-by-domain.txt # Version 2015022100, Last Updated Sat Feb 21 07:07:01 2015

Re: Some tips email gateway

2015-02-21 Thread Reindl Harald
zen.spamhaus.org ? it makes exactly the same job, but halves number of queries On 17.02.15 22:16, Reindl Harald wrote: it contains more zenhaus lists and hence more false positives It includes only one more which is CSS. some time before it was only sbl-xbl+pbl, and I have forgot about CSS addition

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Reindl Harald
Am 21.02.2015 um 11:17 schrieb Axb: I just updated "RegistrarBoundaries.pm" to reflect http://data.iana.org/TLD/tlds-alpha-by-domain.txt # Version 2015022100, Last Updated Sat Feb 21 07:07:01 2015 UTC NOTE: This is not updated via sa-update, only with release updates this should really go to

Re: Quick question about training...

2015-02-20 Thread Reindl Harald
Am 20.02.2015 um 21:29 schrieb Dave Warren: On 2015-02-20 09:44, Bowie Bailey wrote: On 2/20/2015 12:35 PM, Kevin Miller wrote: When a fresh spam flood comes in, sometimes 50 or more of my users will get hit with the same message - just a different user in the To: line. When one trains the ba

Re: Quick question about training...

2015-02-20 Thread Reindl Harald
Am 20.02.2015 um 18:35 schrieb Kevin Miller: When a fresh spam flood comes in, sometimes 50 or more of my users will get hit with the same message - just a different user in the To: line. When one trains the bayes database, is there a significant difference between training on all 50+ or jus

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
68 the foxhole are classified with 'high' because they don't care if it is a virus at all, they unpack the archive and reject if there is a file with a blocked extension unconditional On 19.02.2015 15:46, Reindl Harald wrote: Am 19.02.2015 um 15:43 schrieb David F. Skoll: On Th

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
Am 19.02.2015 um 15:47 schrieb Dave Funk: On Thu, 19 Feb 2015, Reindl Harald wrote: well, that can you achieve directly on the MTA but that won't help in case of "emails containing MS office attachments with a Malicious VB script" cat /etc/postfix/mime_header_chec

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
Am 19.02.2015 um 15:43 schrieb David F. Skoll: On Thu, 19 Feb 2015 09:34:28 -0500 Alex Regan wrote: [David Skoll] spreadsheet with a macro virus in it. ClamAV is essentially useless at detecting viruses, so it's a real problem... any ideas? Useless? Are you using the third-party patterns?

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald
Am 19.02.2015 um 14:46 schrieb Chad M Stewart: I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|

duplicate rules? (AXB_HELO_HOME_UN,HELO_LH_HOME)

2015-02-18 Thread Reindl Harald
is it expected that both fire? i don't know the message but noticed it in the logs AXB_HELO_HOME_UN,HELO_LH_HOME

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Reindl Harald
Am 18.02.2015 um 20:00 schrieb David F. Skoll: On Wed, 18 Feb 2015 10:52:49 -0800 (PST) John Hardin wrote: Macros are not inherently evil. No, they're not, but AutoRun macros are guilty until proven otherwise, IMO. (And adding the ability for MS Office macros to execute external programs an

Re: Uptick in spam (bayes stats script)

2015-02-18 Thread Reindl Harald
Am 17.02.2015 um 15:23 schrieb Reindl Harald: Am 17.02.2015 um 15:19 schrieb LuKreme: On 16 Feb 2015, at 12:01 , Reindl Harald wrote: given that 24266 messages had BAYES_00 with a total number of 30401 delivered mails in the current month that training strategy seems to work well [root@mail

Re: Training new spamass-milter setup

2015-02-18 Thread Reindl Harald
Am 18.02.2015 um 11:41 schrieb @lbutlr: On 18 Feb 2015, at 02:06 , Reindl Harald wrote: Am 18.02.2015 um 05:50 schrieb @lbutlr: On 17 Feb 2015, at 15:46 , Reindl Harald wrote: because in a default milter-setup the one and only user is the user which SA and the milter service are running

Re: Training new spamass-milter setup

2015-02-18 Thread Reindl Harald
Am 18.02.2015 um 05:50 schrieb @lbutlr: On 17 Feb 2015, at 15:46 , Reindl Harald wrote: because in a default milter-setup the one and only user is the user which SA and the milter service are running as, hence my script which needs maybe small adjustments for your environment (--no-sync and

Re: Training new spamass-milter setup

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 23:37 schrieb LuKreme: On 17 Feb 2015, at 08:27 , Robert Schetterer wrote: Am 17.02.2015 um 16:13 schrieb LuKreme: OK, so I have spamass-milter running, but I need to train it. What is the proper way to do this? you dont train spamass-milter, you should train spamassassin

Re: Training new spamass-milter setup

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 23:37 schrieb LuKreme: On 17 Feb 2015, at 08:27 , Robert Schetterer wrote: Am 17.02.2015 um 16:13 schrieb LuKreme: OK, so I have spamass-milter running, but I need to train it. What is the proper way to do this? you dont train spamass-milter, you should train spamassassin

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 22:50 schrieb Axb: On 02/17/2015 10:44 PM, Martin Gregorie wrote: On Tue, 2015-02-17 at 13:38 -0600, ricky gutierrez wrote: this solution looks cool , I was thinking of putting another server with a specific account and through transport map from the gw send e-mail server to a

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 22:44 schrieb Martin Gregorie: On Tue, 2015-02-17 at 13:38 -0600, ricky gutierrez wrote: this solution looks cool , I was thinking of putting another server with a specific account and through transport map from the gw send e-mail server to another server with a specific accoun

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 22:04 schrieb Matus UHLAR - fantomas: 2015-02-17 13:06 GMT-06:00 Jeremy McSpadden : Are you using any RBLs with postfix ? On 17.02.15 13:25, ricky gutierrez wrote: Yes , only these two: reject_rbl_client pbl.spamhaus.org, reject_rbl_client sbl-xbl.spamhaus.org, why not rej

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 21:16 schrieb Antony Stone: On Tuesday 17 Feb 2015 at 20:05, ricky gutierrez wrote: 2015-02-17 13:44 GMT-06:00 Reindl Harald : where the account lives don't matter the only restriction is that "header_checks" BCC in Postfix 3.0 only works for "hea

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 21:05 schrieb ricky gutierrez: 2015-02-17 13:44 GMT-06:00 Reindl Harald : where the account lives don't matter the only restriction is that "header_checks" BCC in Postfix 3.0 only works for "header_checks" and *not* "smtp_header_checks",

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
lf is located don't matter, postfix just generates a BCC and sends it to that local or remote address but be sure you consider the legal implications! 2015-02-17 13:14 GMT-06:00 Reindl Harald : Am 17.02.2015 um 20:03 schrieb ricky gutierrez: Hi , I have mounted one gateway filterin

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 20:25 schrieb ricky gutierrez: 2015-02-17 13:06 GMT-06:00 Jeremy McSpadden : Are you using any RBLs with postfix ? Yes , only these two: reject_rbl_client pbl.spamhaus.org, reject_rbl_client sbl-xbl.spamhaus.org while my other answer solves the "how to get training messages

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 20:03 schrieb ricky gutierrez: Hi , I have mounted one gateway filtering me all spam in the business, I have to postfix + centos6.6 + amavisd-new 2.8 + clamav + spamassassin, currently captures 65% of spam the other 35 gets through, I want to improve the effectiveness making a

Re: Some tips email gateway

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 20:06 schrieb Jeremy McSpadden: Are you using any RBLs with postfix ? that was not the question the question was how to get spam/ham-samples for train bayes after all other filters and RBL's are running in a sane setup long before contentfilters see me response to that t

Re: Training new spamass-milter setup

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 16:13 schrieb LuKreme: OK, so I have spamass-milter running, but I need to train it. What is the proper way to do this? cat /var/lib/spamass-milter/training/learn.sh #!/usr/bin/bash # Home directory and name of the milter user SA_MILTER_HOME="/var/lib/spamass-milter" SA_MILTE

Re: Uptick in spam

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 15:19 schrieb LuKreme: On 16 Feb 2015, at 12:01 , Reindl Harald wrote: given that 24266 messages had BAYES_00 with a total number of 30401 delivered mails in the current month that training strategy seems to work well [root@mail-gw:~]$ bayes-stats.sh What is bayes

Re: train filter based on spam to ex-employees?

2015-02-17 Thread Reindl Harald
Am 17.02.2015 um 00:54 schrieb ttgh: @Antony, I particularly appreciated your response (and the spelling of your name). To clarify: I am not saying that all messages to ALL ex-staff are spam, only the messages to specific ex-staff. Also, this email server is acting as relay/filter for an inter

Re: train filter based on spam to ex-employees?

2015-02-16 Thread Reindl Harald
Am 16.02.2015 um 21:16 schrieb ttgh: i saw last week a mail to our previous front-office which left the company in 2007 and i know the sender in person - it was not spam, he just replied to a years old message for whatever reason Thank you, that's an excellent point. In your example, however

Re: Uptick in spam

2015-02-16 Thread Reindl Harald
Am 16.02.2015 um 21:10 schrieb Amir Caspi: On Feb 16, 2015, at 1:01 PM, RW wrote: IIWY I'd look into rescoring the BAYES_* rules. I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the o

Re: train filter based on spam to ex-employees?

2015-02-16 Thread Reindl Harald
Am 16.02.2015 um 20:53 schrieb ttgh: Also I still don't understand why everyone is so reticent to immediately black-list messages based on these 100% known-bad addressess. For instance, is it possible for a bulk spam message to trigger false positives? because we all may have long years expie
