Re: BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-18 Thread Zinski, Steve
I’m seriously thinking about doing the same (block all emails that contain a bitcoin address). I’ve had good luck with my custom rule that also tests for Unicode obfuscation: body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ body __BTC2

Re: Bitcoin update

2018-10-07 Thread Zinski, Steve
> The trouble with this is that you would be adding 10 points to anything > with a bitcoin address whether anything's obfuscated or not. If you want > to avoid this take a look at the FUZZY_* rules. Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for

Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Yes, absolutely. On 10/5/18, 1:42 PM, "John Hardin" wrote: On Fri, 5 Oct 2018, Zinski, Steve wrote: > Here's how I'm blocking bitcoin emails with Unicode characters embedded: > > body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/

Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Here's how I'm blocking bitcoin emails with Unicode characters embedded: body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i body __BTC3 /\b\W*b\W*t\W*c\W*\b/i body __BTC4

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread Zinski, Steve
I see that a lot in sextortion emails. So far, I’ve seen the word “bitcoin” encoded (obfuscated) the following ways: bitc%D0%BEin bit%D1%81oin bit%D1%81%D0%BEin And the word “wallet” as: w%D0%B0ll%D0%B5t These sextortion scammers are clever. So, instead of filtering on the word “bitcoin”, I

Re: new campaign: bitly & appengine.google

2017-09-12 Thread Zinski, Steve
Report to – supp...@bitly.com On 9/12/17, 1:29 PM, "Benny Pedersen" wrote: Chip M. wrote on 2017-09-12 15:28: > > Does anyone have a contact at BitLy? These would be trivially > easy for them to block.

Re: Custom rule problem

2017-01-31 Thread Zinski, Steve
..@impsec.org> wrote: On Tue, 31 Jan 2017, Zinski, Steve wrote: > Here’s the “view source” of the message in question. > > http://pastebin.com/AnwkAf9t > > Again, it’s line 88 that I’m trying to match. ...let's try this again...

Re: Custom rule problem

2017-01-31 Thread Zinski, Steve
Here’s the “view source” of the message in question. http://pastebin.com/AnwkAf9t Again, it’s line 88 that I’m trying to match. Thanks. On 1/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote: On Tue, 31 Jan 2017, Zinski, Steve wrote: > I’m trying to

Custom rule problem

2017-01-31 Thread Zinski, Steve
Hello, I have a problem that I hope someone can help me with. I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this: http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu;> Every

Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-08 Thread Zinski, Steve
I’m seeing the same thing here, I’ve had to adjust that score lower. Also seeing lots of RCVD_IN_SORBS_WEB false-positives. On 9/8/16, 4:53 PM, "Shane Williams" wrote: Hey all, I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in digging

Large spam

2015-07-15 Thread Zinski, Steve
We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip

RE: What changes would you make to stop spam? - United Nations Paper

2006-08-02 Thread Zinski, Steve
A possibly better method is to block SMTP outbound from the ISP. That's what we do here at the University of Richmond. Our firewall is configured to block all outbound SMTP connections (except those of our legitimate SMTP servers). This dramatically reduced the flow of spam from our campus. We

RE: Image spams getting thru

2006-08-02 Thread Zinski, Steve
I'm using your rule here with a low score and in addition: rawbody INLINE_IMAGE2 /src\s*=\s*[']cid:image001\.gif/i describe INLINE_IMAGE2 Inline Image image001.gif score INLINE_IMAGE2 5.0 I know, I should have used a meta rule instead of duplicating the pattern. Will work wonders

Am I wasting my time with SpamCop?

2006-08-02 Thread Zinski, Steve
I use SpamCop to report my spam. I use the SpamHaus RBL as a first line of defense then I use SpamAssassin to catch the rest of the spam coming to my server. Am I wasting my time? Should I just delete low-scoring spam and let the honeypots harvest and report to the various RBLs, or should I keep

RE: Am I wasting my time with SpamCop?

2006-08-02 Thread Zinski, Steve
I stand corrected. I was at SpamCop.com and not SpamCop.net. Yes, I'm sorry, I was referring to SpamCop.net.

RE: exim4 + forwarding + spamassassin

2006-07-28 Thread Zinski, Steve
Tried that, and it didn't work. Even with file permissions set to 777, I was seeing these log entries: Jul 25 12:36:10 vps spamd[28501]: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.vps.zinski.net.28501 for /.spamassassin/auto-whitelist.lock: Permission denied

RE: exim4 + forwarding + spamassassin

2006-07-27 Thread Zinski, Steve
Well, guys, I think I resolved my problem. Since exim runs under the nobody account (I could not get it to run as another user, believe me, I tried!), I simply copied all of the bayes files from a known working account to /.spamassassin and chown'ed them to nobody. Everything is working great now

exim4 + forwarding + spamassassin

2006-07-26 Thread Zinski, Steve
I need some help trying to figure out why spamassassin scores the same message differently. I am using an ACL with exim4 to scan email during the actual smtp connection (so I can reject spam before my server accepts it). It's pretty straightforward. My ACL looks like this: # Reject messages

RE: exim4 + forwarding + spamassassin

2006-07-26 Thread Zinski, Steve
+ forwarding + spamassassin Your first scan is running as nobody (that's bad) but the second is running as szinski. That would explain the BAYES_99. I'm not sure about the FORGED_RCVD_HELO and HTML_50_60 though. Zinski, Steve wrote: I need some help trying to figure out why spamassassin scores