I’m seriously thinking about doing the same (block all emails that contain a
bitcoin address). I’ve had good luck with my custom rule that also tests for
Unicode obfuscation:
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2
> The trouble with this is that you would be adding 10 points to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.
Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for
Yes, absolutely.
On 10/5/18, 1:42 PM, "John Hardin" wrote:
On Fri, 5 Oct 2018, Zinski, Steve wrote:
> Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>
> body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
Here's how I'm blocking bitcoin emails with Unicode characters embedded:
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
body __BTC4
I see that a lot in sextortion emails. So far, I’ve seen the word “bitcoin”
encoded (obfuscated) the following ways:
bitc%D0%BEin
bit%D1%81oin
bit%D1%81%D0%BEin
And the word “wallet” as:
w%D0%B0ll%D0%B5t
These sextortion scammers are clever. So, instead of filtering on the word
“bitcoin”, I
Report to – supp...@bitly.com
On 9/12/17, 1:29 PM, "Benny Pedersen" wrote:
Chip M. skrev den 2017-09-12 15:28:
>
> Does anyone have a contact at BitLy? These would be trivially
> easy for them to block.
..@impsec.org> wrote:
On Tue, 31 Jan 2017, Zinski, Steve wrote:
> Here’s the “view source” of the message in question.
>
> http://pastebin.com/AnwkAf9t
>
> Again, it’s line 88 that I’m trying to match.
...let's try this again...
Here’s the “view source” of the message in question.
http://pastebin.com/AnwkAf9t
Again, it’s line 88 that I’m trying to match.
Thanks.
On 1/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote:
On Tue, 31 Jan 2017, Zinski, Steve wrote:
> I’m trying to
Hello, I have a problem that I hope someone can help me with.
I’m trying to write a custom rule to block a certain type of spam. When I view
the message source, the very last lines of the spam look like this:
http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu;>
Every
I’m seeing the same thing here, I’ve had to adjust that score lower. Also
seeing lots of RCVD_IN_SORBS_WEB false-positives.
On 9/8/16, 4:53 PM, "Shane Williams" wrote:
Hey all,
I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in
digging
We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m
running MIMEdefang and it’s configured to skip messages larger than 100KB (and
I hesitate to increase the limit due to performance issues). I read somewhere
that there’s a way to have MIMEdefang (or spamassassin) strip
A possibly better method is to block SMTP outbound from the ISP.
That's what we do here at the University of Richmond. Our firewall is
configured to block all outbound SMTP connections (except those of our
legitimate SMTP servers). This dramatically reduced the flow of spam
from our campus. We
I'm using your rule here with a low score and in addition:
rawbody INLINE_IMAGE2 /src\s*=\s*[']cid:image001\.gif/i
describe INLINE_IMAGE2 Inline Image image001.gif
score INLINE_IMAGE2 5.0
I know, I should have used a meta rule instead of duplicating the pattern.
Will work wonders
I use SpamCop to report my spam.
I use the SpamHaus RBL as a first line of defense then I use
SpamAssassin to catch the rest of the spam coming to my server.
Am I wasting my time? Should I just delete low-scoring spam and let the
honeypots harvest and report to the various RBLs, or should I keep
I stand corrected I was at SpamCop.com and not SpamCop.net
Yes, I'm sorry, I was referring to SpamCop.net.
Tried that, and it didn't work. Even with file permissions set to 777, I
was seeing these log entries:
Jul 25 12:36:10 vps spamd[28501]: locker: safe_lock: cannot create tmp
lockfile /.spamassassin/auto-whitelist.lock.vps.zinski.net.28501 for
/.spamassassin/auto-whitelist.lock: Permission denied
Well, guys, I think I resolved my problem. Since exim runs under the
nobody account (I could not get it to run as another user, believe me,
I tried!), I simply copied all of the bayes files from a known working
account to /.spamassassin and chown'ed them to nobody. Everything is
working great now.
I need some help trying to figure out why spamassassin scores the same
message differently.
I am using an ACL with exim4 to scan email during the actual smtp
connection (so I can reject spam before my server accepts it). It's
pretty straightforward. My ACL looks like this:
# Reject messages
+ forwarding + spamassassin
Your first scan is running as nobody (that's bad) but the second is
running as szinski. That would explain the BAYES_99. I'm not sure
about the FORGED_RCVD_HELO and HTML_50_60 though.
Zinski, Steve wrote:
I need some help trying to figure out why spamassassin scores