body rule only for txt or html?

2024-05-29 Thread Tobi
to search only in the text and/or html representation of a message? Cheers tobi

Re: SPF_FAIL

2020-11-11 Thread Tobi
> If I only had a ready-made list of those important domains. If you filter for customer domains then maybe (depending on the customer domain) adding the customer domain to spf checks is worth a look too. On 11/11/20 6:29 AM, Victor Sudakov wrote: > John Hardin wrote: >> >>> Moreover, after

Re: Spamssassin seems to append .com TLD to uri link domains found

2020-11-09 Thread Tobi
p for "ch.com" which seems to be a Chinese news page or something like that. It's hard to explain to a customer that a URI domain he did not use in the message led to a hit on blocklists lookup ;-) Cheers tobi

Re: Spamssassin seems to append .com TLD to uri link domains found

2020-11-08 Thread Tobi
(the expanded version) "ch.com" was checked on uribl lists. Cheers tobi On 11/7/20 8:04 PM, John Hardin wrote: > On Sat, 7 Nov 2020, RW wrote: > >> On Sat, 7 Nov 2020 10:05:21 -0800 (PST) >> John Hardin wrote: >> >>> On Sat, 7 Nov 2020, RW wrote:

Re: Spamssassin seems to append .com TLD to uri link domains found

2020-11-06 Thread Tobi
ah understand, should have better checked what SA really adds to domain list. So both versions are checked. Just bad luck if the expanded version of the uri domain (ex ch.com) has a blacklisting at uribl or spamhaus ;-) But that's another story Have a good weekend tobi On 11/6/20 5:42 PM, RW

Re: Spamssassin seems to append .com TLD to uri link domains found

2020-11-06 Thread Tobi
Sorry but that imho is a bug that should (better must) be fixed :-) Cheers tobi On 11/6/20 5:10 PM, RW wrote: > On Fri, 6 Nov 2020 15:40:31 +0100 > "Tobi wrote: > >> Hi list >> >> we currently see the following "issue" where SA does append .com TLD >&

Spamssassin seems to append .com TLD to uri link domains found

2020-11-06 Thread Tobi
me than "www" does not trigger that behavior. So ftp.ch gets correctly queried as ftp.ch and not ch.com We use SA 3.4.4 SpamAssassin Server version 3.4.4 running on Perl 5.16.3 with SSL support (IO::Socket::SSL 1.94) with zlib support (Compress::Zlib 2.061) Is that a bug or intended? Cheers tobi

Suggestion to FromNotReplyTo plugin in cwiki.apache.org

2020-02-17 Thread Tobi
' ); Cheers -- tobi

Re: LASTEXTERNALRDNS and LASTEXTERNALHELO not set in PerMsgStatus.pm ?

2019-11-28 Thread Tobi
Henrik, thanks a lot, can confirm your fix works in my tests :-) Cheers tobi On 28.11.19 at 11:09, Henrik K wrote: > > Fixed: > http://svn.apache.org/viewvc?view=revision=1870552 > > On Thu, Nov 28, 2019 at 11:29:19AM +0200, Henrik K wrote: >> >> Trunk has alr

Re: LASTEXTERNALRDNS and LASTEXTERNALHELO not set in PerMsgStatus.pm ?

2019-11-28 Thread Tobi
on that tags are run. Removing the lines from pm and debug shows that the tests are **not** run anymore. So I somewhat doubt that the set_tag "code is redundant and should be removed" :-) Using: SA 3.4.2 on centos7 / perl 5.16.3 Cheers tobi On 28.11.19 at 08:36, Henrik K wrote: > >

Re: shortcircuit on alread x-spam-flag: yes

2019-11-27 Thread Tobi
and not in any other filter software ;-) Cheers tobi On 27.11.19 at 18:30, Benny Pedersen wrote: > On 2019-11-27 17:56, Philipp Ewald wrote: > >> we only want to trust "X-Spam-Flag: YES" or why should someone >> (spammer, other mailserver with outgoing spamfil

Re: shortcircuit on alread x-spam-flag: yes

2019-11-27 Thread Tobi
remote. Cheers tobi On 27.11.19 at 17:56, Philipp Ewald wrote: > Hi Tobi, > > we only want to trust "X-Spam-Flag: YES" or why should someone (spammer, > other mailserver with outgoing spamfilter) set this Flag to Yes? > > but like RW wrote: >> If you wa

Re: shortcircuit on alread x-spam-flag: yes

2019-11-27 Thread Tobi
at all? Cheers tobi On 26.11.19 at 14:06, Philipp Ewald wrote: > Hi guys, > > i want to bypass scanning mail if mail has already X-Spam-Flag: YES set. > I found "clear_headers" in "/usr/share/spamassassin/10_default_prefs.cf". > > how can i override this setting?

Re: LASTEXTERNALRDNS and LASTEXTERNALHELO not set in PerMsgStatus.pm ?

2019-11-27 Thread Tobi
dns rule From my point of view it would be very nice to have these two tags set by default Cheers tobi On 27.11.19 at 16:18, Kevin A. McGrail wrote: > After a 10 minute or so study of the issue and comparing 3.4 and trunk, > it definitely looks like the code is missing. I am not 100%

LASTEXTERNALRDNS and LASTEXTERNALHELO not set in PerMsgStatus.pm ?

2019-11-27 Thread Tobi
tags? If no deeper reasons exist it would be nice to have those two tags set as default in PerMsgStatus.pm Cheers -- tobi

Re: List of available query templates?

2019-10-04 Thread Tobi
ote: >> On 4 Oct 2019, at 3:36, Tobi wrote: >> >>> Hi list >>> >>> is there any doc where one can find a list of supported DNS query >>> templates? >> >> What does that even mean??? >> >> SpamAssassin does many different sorts of

List of available query templates?

2019-10-04 Thread Tobi
Hi list is there any doc where one can find a list of supported DNS query templates? I mean except grep-ing through the whole source code? ;-) Cheers tobi

LOCALPART_IN_SUBJECT does not hit

2019-05-20 Thread Tobi
report as they contain customers personal details. -- tobi

Re: Bug or feature? ;-)

2019-03-26 Thread Tobi
Thanks for pointing it out. Sorry did not get it in first point. Changed the regex in the rule to expect the scheme too and now we get the expected hits again. Just one thing. Does this mean that email addresses found in body always have a scheme (mailto://) too? Thanks for your help and have a

Re: Bug or feature? ;-)

2019-03-25 Thread Tobi
On 25.03.19 at 15:18, Henrik K wrote: > On Mon, Mar 25, 2019 at 03:00:30PM +0100, Tobi wrote: > > You are matching "any uri" and expect it to be "reliable"? Perhaps consider > first what you are trying to accomplish. Your way will match mailto: and > st

Re: Bug or feature? ;-)

2019-03-25 Thread Tobi
aults to 1. But set it to 0 in local.cf does not change anything. URI is still taken from dkim header Cheers tobi On 25.03.19 at 13:25, Henrik K wrote: > On Mon, Mar 25, 2019 at 12:09:32PM +0100, Tobi wrote: >> Hello >> >> we're running spamassassin 3.4.2 and have the is

Re: Bayes underperforming, HTML entities?

2018-11-08 Thread Tobi
Hi I checked the first message on my SA and found multiple hits on __SCC_SHORT_WORDS rule which resulted in hits on the metas * 1.0 SCC_10_SHORT_WORD_LINES 10 lines with many short words * 1.0 SCC_5_SHORT_WORD_LINES 5 lines with many short words * 1.0

Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
eval:check_uridnsbl('URIBL_DOMAIN_FU') score URIBL_DOMAIN_FU 200 where domains will be listed after too many entries in fullhost table. Cheers tobi On 19.02.2018 at 16:14, Benny Pedersen wrote: > Tobi wrote on 2018-02-19 14:43: > >> no need for this as that case is c

Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
On 19.02.2018 at 14:25, Benny Pedersen wrote: > Tobi wrote on 2018-02-19 11:45: > add one more askdns to compensate on _URIDOMAINS_ > no need for this as that case is covered by sa urirhssub queries. I needed a way to perform www.sub.domain.tld AND domain.tld queries o

Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
On 19.02.2018 at 15:04, Benny Pedersen wrote: > > yep got it, so if you only use URIHOSTS how do you know it does not miss > in URIDOMAINS ? I do not only use URIHOSTS but also a rhs lookup for just the domain. So I have both bases covered :-)

Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
, but this seems to be the solution for me :-) Cheers tobi On 17.02.2018 at 12:52, Tobi wrote: > Hi Daniele (this time onlist, sorry for offlist I have a stupid mobile client > when it comes to replies to lists) > > thanks a lot for your reply. As I'm really not the perl coder I think I

Re: Is there a way to perform selective full uri rbl lookups?

2018-02-17 Thread Tobi
if one wants to perform rh lookups and fulluri lookups on the same uri found? Any chance that sa in future will support a urifullsub method to lookup fullhost of an uri? Cheers Tobi - Original Message - From: Daniele Duca <d...@staff.spin.it> Sent: 17.02.18 - 09:04 To: jahli...@

Re: URIBL_BLOCKED

2018-02-15 Thread Tobi
On 15.02.2018 at 02:35, @lbutlr wrote: > On 2018-02-14 (09:55 MST), Tobi <jahli...@gmx.ch> wrote: >> >> On 14.02.2018 at 17:16, @lbutlr wrote: >>> I can't imagine why i'd be over limit, my mail server is tiny. >> >> it's not the mailserver that g

Re: URIBL_BLOCKED

2018-02-14 Thread Tobi
hit the limits quite fast depending on how many other users use the same resolver for their uribl queries. I recommend to setup a local resolver (unbound or something similar) and use that resolver for your mailserver(s). Cheers tobi

Re: Pretty good spoof of AmEx

2018-01-23 Thread Tobi
Not 100% sure about 168.100.1.4 ip but the 168.100.1.3 ip is used by the official postfix mailinglist. Pretty sure they should not be removed from dnswl :-) - Original Message - From: David Jones Sent: 24.01.18 - 03:26 To: users@spamassassin.apache.org Subject:

AW: dns-blocklist aren't used but should be

2018-01-07 Thread Tobi
Use spamassassin -D Sent: 07.01.18 - 16:26 To: users@spamassassin.apache.org Subject: dns-blocklist aren't used but should be > Hi. > > For work I am investigating an issue where none of the dns blacklists > are used. > We are using the current spamassassin version and also current version

Re: Flakey spam email. How to filter?

2017-12-11 Thread Tobi
from what I see in my gmail mails) the first smtp received header without a private ip address is the one that hands off to gmail aka the one to feed to sa Cheers tobi - Original Message - From: David Jones <djo...@ena.com> Sent: 11.12.17 - 17:27 To: users@spamassassin.apac

Re: Scoring mails from "not mynetworks" but using my domain in the headers?

2017-11-27 Thread Tobi
ALL_TRUSTED should fire if msg is only transported via trusted hosts, so you can do && !ALL_TRUSTED But would it not be better to not accept such messages in first place and reject them on your border mta? On 27.11.2017 at 13:57, Ralf Hildebrandt wrote: > How can I distinguish my internal

How does spamassassin see multiple of the same headers?

2017-09-22 Thread Tobi
assin somehow concatenate the values of headers with the same name so the regexp does not match "/^clean$/i" anymore? Cheers tobi

Re: Header tests shown

2017-08-06 Thread Tobi
I currently add bayes token information and relay information as headers to each msg processed. Especially relay information can be helpful ex if you have a script that parses received headers. With such headers that's much more easy, just look for the first untrusted hop

Re: Random word spams and wiki spams

2017-07-08 Thread Tobi
defining own ones. Will do it this evening Cheers tobi - Original Message - From: Alex <mysqlstud...@gmail.com> Sent: 08.07.2017 - 05:05 To: jahli...@gmx.ch, SA Mailing list <users@spamassassin.apache.org> Subject: Re: Random word spams and wiki spams > Hi, > &g

Re: Random word spams and wiki spams

2017-07-08 Thread Tobi
> typo? Ups that's a c error :-) I score the HAS_LIST_UNSUB with 0.1 As I need this test to show up in sa headers for my dovecot sieve rules to act upon, therefore I cannot use __RULE. I'll check the built in rules to ensure that I do not reinvent the wheel :-) Cheers tobi - Origin

Re: Random word spams and wiki spams

2017-07-07 Thread Tobi
plugin: https://github.com/eilandert/Botnet.pm and with the built in rules MIME_BASE64_TEXT and FROM_EXCESS_BASE64. As well RCVD_DOUBLE_IP_SPAM hit on that sample Regards tobi

Re: updates.spamassassin.org gone?

2017-07-06 Thread Tobi
afaik updates.spamassassin.org does not need to be resolvable The two important records for updates exist and resolve: $dig mirrors.updates.spamassassin.org txt +short "http://spamassassin.apache.org/updates/MIRRORED.BY" $dig 0.4.3.updates.spamassassin.org txt +short "1799552" Am 06.07.2017 um

Re: Why both DNS lookup checks fire?

2017-06-01 Thread Tobi
Problem solved :-) After changing the urirhssub lines to urirhssub XXX_RCVD_MY_URIBL_DOMAIN multi.mydomain.tld. A 127.0.0.16 urirhssub XXX_RCVD_MY_URIBL_HOST multi.mydomain.tld. A 127.0.0.24 only the XXX_RCVD_MY_URIBL_DOMAIN check fires Regards tobi Am

Why both DNS lookup checks fire?

2017-06-01 Thread Tobi
: kelasalbaghdadi.com.multi.mydomain.tld. 6052 IN A 127.0.0.16 There is no mention of 127.0.0.24 which would be required for XXX_RCVD_MY_URIBL_HOST to fire. Any idea how to avoid that both checks fire up? Did I mess something up in config? Thanks for any idea on how to solve that tobi