Re: Leaning toothpick syndrom (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kevin A. McGrail
As a note, I sometimes make my rules harder to read on purpose to dissuade bad actors from trying to unwind them. On Wed, Aug 11, 2021, 11:21 Kenneth Porter wrote: > On 8/11/2021 8:05 AM, Kenneth Porter wrote: > > > > BTW, does SA permit use of Perl-style regex delimiters to avoid > > leaning

Leaning toothpick syndrom (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kenneth Porter
On 8/11/2021 8:05 AM, Kenneth Porter wrote: BTW, does SA permit use of Perl-style regex delimiters to avoid leaning toothpick syndrome? https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome Answering my own question, I see it used in this rule: uri    __IMGUR_IMG

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Kenneth Porter
On 8/11/2021 7:39 AM, Jared Hall wrote: *Maybe* a little more refinement could prevent it picking  up .hidden folders that have a BAD_TLD name. /[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i The CVS/Kodak uri would still fail on this pattern,

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Jared Hall
Kenneth Porter wrote: uri  __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i I have a client whose NVR writes its archived video spools to a .cam folder on their server.  Heaven forbid ".well-known" ever becomes a TLD :)

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
--On Wednesday, August 11, 2021 12:29 AM -0400 "Kevin A. McGrail" wrote: Hi Kenneth, the ruleset is designed for a system scoring over 5.0. Did the rule from the cell provider cause an fp? Is your threshold higher than 5.0? I use the stock threshold of 5.0. I'm using the ruleset via the

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kevin A. McGrail
Hi Kenneth, the ruleset is designed for a system scoring over 5.0. Did the rule from the cell provider cause an fp? Is your threshold higher than 5.0? There is a way to report problems listed in the file but feel free to contact me off list and I'll tell you how to send me a sample. Regards,

KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
My cellular supplier has a weekly bag of goodies (coupons, schwag) and last week's included a free photo refrigerator magnet from CVS. So I signed up a CVS/Kodak account to put in my order. Like most such offers, they start sending me marketing mail, and the first one hit

KAM_SOMETLD_ARE_BAD_TLD false positive

2021-04-12 Thread Bob Proulx
I was surprised to see KAM_SOMETLD_ARE_BAD_TLD hit as a false positive. The file was a DNS domain transfer file that someone emailed as part of a security bug report. To trigger the false positive include the following. In the real world case this was in a dns zone file that was sent

Re: BIGNUM_EMAILS false positive

2021-02-26 Thread John Hardin
On Fri, 26 Feb 2021, Matus UHLAR - fantomas wrote: Hello, it seems that BIGNUM_EMAILS on signatures containing e-mail address after telephone number like: Mobil: +421 904 000 111 e-mail: addr...@example.com Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==> got

BIGNUM_EMAILS false positive

2021-02-26 Thread Matus UHLAR - fantomas
Hello, it seems that BIGNUM_EMAILS on signatures containing e-mail address after telephone number like: Mobil: +421 904 000 111 e-mail: addr...@example.com Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==> got hit: "000 111 e-mail" -- Matus UHLAR - fantomas,

Re: __DOS_DIRECT_TO_MX false positive

2020-02-04 Thread premax
John Hardin wrote > The problem is that there are no Received headers internal to his domain, > and that makes it look like a MUA is directly contacting your MTA to send > an email - hence, "DIRECT_TO_MX". > > If you can, advise the sender to not remove all the Received headers from > their

Re: __DOS_DIRECT_TO_MX false positive

2020-02-02 Thread RW
On Sat, 1 Feb 2020 17:38:52 +0100 Matus UHLAR - fantomas wrote: > >On Thu, 30 Jan 2020 15:37:47 -0800 (PST) > >John Hardin wrote: > >> That a given rule hits on some ham does not make the rule a FP. > >> This rule is working as designed. > > On 31.01.20 15:09, RW wrote: > >DOS_OUTLOOK_TO_MX

Re: __DOS_DIRECT_TO_MX false positive

2020-02-01 Thread Matus UHLAR - fantomas
On Thu, 30 Jan 2020 15:37:47 -0800 (PST) John Hardin wrote: That a given rule hits on some ham does not make the rule a FP. This rule is working as designed. On 31.01.20 15:09, RW wrote: DOS_OUTLOOK_TO_MX is defined in 72_active.cf, but its score is in 50_scores.cf, set 10 years ago. Is that

Re: __DOS_DIRECT_TO_MX false positive

2020-01-31 Thread RW
On Thu, 30 Jan 2020 15:37:47 -0800 (PST) John Hardin wrote: > That a given rule hits on some ham does not make the rule a FP. This > rule is working as designed. DOS_OUTLOOK_TO_MX is defined in 72_active.cf, but its score is in 50_scores.cf, set 10 years ago. Is that supposed to happen?

Re: __DOS_DIRECT_TO_MX false positive

2020-01-30 Thread Kevin A. McGrail
On 1/30/2020 6:37 PM, John Hardin wrote: > The problem is that there are no Received headers internal to his > domain, and that makes it look like a MUA is directly contacting your > MTA to send an email - hence, "DIRECT_TO_MX". > > If you can, advise the sender to not remove all the Received

Re: __DOS_DIRECT_TO_MX false positive

2020-01-30 Thread John Hardin
On Thu, 30 Jan 2020, premax wrote: Hello there, The sender is using Outlook and his own mail server. Mail comes to my server and scores against DOS_OUTLOOK_TO_MX, because of __DOS_DIRECT_TO_MX false positive. I've been looking into message headers for hours and see nothing strange over

__DOS_DIRECT_TO_MX false positive

2020-01-30 Thread premax
Hello there, The sender is using Outlook and his own mail server. Mail comes to my server and scores against DOS_OUTLOOK_TO_MX, because of __DOS_DIRECT_TO_MX false positive. I've been looking into message headers for hours and see nothing strange over there. 'Received' header are present. Why

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri
On 23/01/20 18:56, RW wrote: I'm curious as to what's actually going on here. If I use dig ns fluent.ltd.uk @ some caches give the 2 servers supplied by Nominet, others give the 3 servers from dns[1-3].fluent.ltd.uk (an extra round-trip). If I look on Google's 8.8.8.8 I get a random result

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread RW
On Thu, 23 Jan 2020 13:48:58 + RW wrote: > These two are supplied by the ltd.uk nameservers, but if you do an NS > lookup on one of these you get a third server, dns3.fluent.ltd.uk with > the IP address 195.78.94.20. I'm curious as to what's actually going on here. If I use dig ns

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Henrik K
On Thu, Jan 23, 2020 at 05:01:20PM +0100, Benny Pedersen wrote: > RW skrev den 2020-01-23 16:51: > > >I opened bug 7242 for that in 2015 - I thought it had been fixed years > >ago. It looks like it narrowly missed 3.4.2. > > i remember it was that it did 2 lockups for the same ips, and it could

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Benny Pedersen
RW skrev den 2020-01-23 16:51: I opened bug 7242 for that in 2015 - I thought it had been fixed years ago. It looks like it narrowly missed 3.4.2. i remember it was that it did 2 lockups for the same ips, and it could not be resolved to one since it was not same data that is tested, there

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread RW
On Thu, 23 Jan 2020 14:31:01 + Riccardo Alfieri wrote: > >>* 0.1 URIBL_SBL_A Contains URL's A record listed in the > >> Spamhaus SBL > > I'm not seeing this at present. > > I guess it's because you are running 3.4.3+. On previous versions it > would hit because, as stated in

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri
On 23/01/20 14:48, RW wrote: On Thu, 23 Jan 2020 13:06:01 + Jonathan Gilpin wrote: Hi, It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL lookup: * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL I'm not seeing this at present. I

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Robert Braver
Hello Riccardo, On Thursday, January 23, 2020, 7:53:18 AM, Riccardo Alfieri wrote: RA> if you would care to forward me offlist a complete sample that triggers RA> the FPs I'll be happy to investigate FWIW, these very messages to the SA list this morning mentioning this domain triggered for me

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri
Hello Jonathan, if you would care to forward me offlist a complete sample that triggers the FPs I'll be happy to investigate On 23/01/20 14:51, Jonathan Gilpin wrote: Our local resolver is 195.78.94.4 and this was verified by another SpamAssassin user who has their own resolver on another

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Jonathan Gilpin
found anyone using spamassassin that is not getting the same result Jonathan > On 23 Jan 2020, at 13:46, Dominic Raferd wrote: > > > > On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin <mailto:jonat...@fluent.ltd.uk>> wrote: > Hi, > > It seems that SpamAsass

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread RW
On Thu, 23 Jan 2020 13:06:01 + Jonathan Gilpin wrote: > Hi, > > It seems that SpamAssassin is giving out a false positive on a > Spamhaus SBL lookup: > > * 0.1 URIBL_SBL_A Contains URL's A record listed in the > Spamhaus SBL I'm not seeing this at present. >

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Dominic Raferd
On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin wrote: > Hi, > > It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL > lookup: > > * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL > * blocklist > * [URIs: fluent.lt

URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Jonathan Gilpin
Hi, It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL lookup: * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL * blocklist * [URIs: fluent.ltd.uk] * 2.1 URIBL_SBL Contains an URL's NS IP listed

Re: possible FORGED_GMAIL_RCVD false positive

2019-09-19 Thread Matus UHLAR - fantomas
On Wed, 18 Sep 2019 12:29:43 +0200 Matus UHLAR - fantomas wrote: > I have received following spam: > > https://pastebin.com/SkvkVWik > > This hits FORGED_GMAIL_RCVD although the message came from google mail > servers. > > According to HeaderEval.pm, message apparently misses >

Re: possible FORGED_GMAIL_RCVD false positive

2019-09-19 Thread Giovanni Bechis
On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote: > On Wed, 18 Sep 2019 12:29:43 +0200 > Matus UHLAR - fantomas wrote: > > > Hello, > > > > I have received following spam: > > > > https://pastebin.com/SkvkVWik > > > > This hits FORGED_GMAIL_RCVD although the message came from google mail > >

Re: possible FORGED_GMAIL_RCVD false positive

2019-09-18 Thread RW
On Wed, 18 Sep 2019 12:29:43 +0200 Matus UHLAR - fantomas wrote: > Hello, > > I have received following spam: > > https://pastebin.com/SkvkVWik > > This hits FORGED_GMAIL_RCVD although the message came from google mail > servers. > > According to HeaderEval.pm, message apparently misses >

possible FORGED_GMAIL_RCVD false positive

2019-09-18 Thread Matus UHLAR - fantomas
Hello, I have received following spam: https://pastebin.com/SkvkVWik This hits FORGED_GMAIL_RCVD although the message came from google mail servers. According to HeaderEval.pm, message apparently misses X-Google-Smtp-Source header is there any reason to expect that header in mail from gmail?

URI_PHISH false positive

2019-07-31 Thread Ken Olum
The attached innocuous message confirming a dentist appointment triggered URI_PHISH because of __EMAIL_PHISH because of __UPGR_MAILBOX ("If you would like to update your email preferences...") and __TVD_PH_BODY_ACCOUNTS_POST (consecutive links to "Confirm Appointment" and "Access My Account").

RE: False Positive

2018-08-17 Thread John Hardin
Ok, your headers sample finally showed up. On Thu, 16 Aug 2018, Michael D. Maus Jr. wrote: I have attached the full header from the recipient to this email in a .txt file as well as the msg from the source computer. None of these headers are from base SpamAssassin: X-CMAE-Verdict: spam

Re: stackexchange.com in URIBL (false positive?)

2018-07-29 Thread John Hardin
On Sun, 29 Jul 2018, Daniele Duca wrote: On 29/07/2018 09:53, Yves Goergen wrote: No I can't because it's a locked system. I'd need an account for that. And I'm not going to register just for saving another admin's system. So either stackexchange admins repair their entry themselves, or the

Re: stackexchange.com in URIBL (false positive?)

2018-07-29 Thread Daniele Duca
On 29/07/2018 09:53, Yves Goergen wrote: No I can't because it's a locked system. I'd need an account for that. And I'm not going to register just for saving another admin's system. So either stackexchange admins repair their entry themselves, or the blacklist operator needs a review. -Yves

Re: stackexchange.com in URIBL (false positive?)

2018-07-29 Thread Yves Goergen
No I can't because it's a locked system. I'd need an account for that. And I'm not going to register just for saving another admin's system. So either stackexchange admins repair their entry themselves, or the blacklist operator needs a review. -Yves

Re: stackexchange.com in URIBL (false positive?) *** Spam 5.7

2018-07-29 Thread Yves Goergen
Oh I can surely change anything I want. But I don't want to weaken my spam filter. It's weak enough already. Spam is getting more and more through. It got to the point where I have to reconsider my complete mail receiving strategy with subaddresses, filters and a set of inbox subfolders to

Re: stackexchange.com in URIBL (false positive?)

2018-07-29 Thread Yves Goergen
Yes, I have changed the value of this rule long ago. It seemed to be better. I may have to turn it down a little. And I am the admin myself but I'm no expert in spam fighting. Especially what the reason or source of that blacklisting is. I just see the rule matched and I consider that wrong

Re: stackexchange.com in URIBL (false positive?)

2018-07-28 Thread RW
On Sat, 28 Jul 2018 21:20:49 +0200 Yves Goergen wrote: > Hello, > > I've received a notification e-mail from stackexchange.com > (stackoverflow.com) with a high spam score. It has this line in its > report: > >5.7 URIBL_BLACKContains an URL listed in the URIBL > blacklist

Re: stackexchange.com in URIBL (false positive?)

2018-07-28 Thread Dave Wreski
  5.7 URIBL_BLACK    Contains an URL listed in the URIBL blacklist [URIs: stackexchange.com] I guess that's not supposed to be like that. I can't change anything at it, just for information for somebody in the position to fix that. It is indeed

stackexchange.com in URIBL (false positive?)

2018-07-28 Thread Yves Goergen
Hello, I've received a notification e-mail from stackexchange.com (stackoverflow.com) with a high spam score. It has this line in its report: 5.7 URIBL_BLACKContains an URL listed in the URIBL blacklist [URIs: stackexchange.com] I guess that's not

RCVD_IN_PBL false-positive

2018-07-13 Thread Olivier Coutu
We got a few hits on RCVD_IN_PBL for the IP 24.137.53.2 that do not appear to be listed on spamhaus. I tried dig 2.53.137.24.zen.spamhaus.org on that same server and got no results, and even then SA kept hitting that rule. My understanding of /eval:check_rbl('zen-lastexternal',

Re: (was: FORGED_HOTMAIL_RCVD2 false positive) Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.

2018-02-01 Thread Marcin Mirosław
W dniu 30.01.2018 o 14:51, Kevin A. McGrail pisze: > On 1/30/2018 4:11 AM, Marcin Mirosław wrote: >> Can error pasted below be related to this commit? > > Yes, without a doubt the same bug. Hi! I'm answering with one email, thanks for your answers and now sa-update works fine. Have a nice day

Re: (was: FORGED_HOTMAIL_RCVD2 false positive) Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.

2018-01-30 Thread Kevin A. McGrail
On 1/30/2018 4:11 AM, Marcin Mirosław wrote: Can error pasted below be related to this commit? Yes, without a doubt the same bug.

Re: (was: FORGED_HOTMAIL_RCVD2 false positive) Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.

2018-01-30 Thread Giovanni Bechis
On 01/30/18 10:11, Marcin Mirosław wrote: > W dniu 29.01.2018 o 08:26, Giovanni Bechis pisze: >> On 01/29/18 06:00, Alex wrote: >>> Hi, >>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers for valid hotmail messages... (SA 3.4.1) This small change

Re: (was: FORGED_HOTMAIL_RCVD2 false positive) Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.

2018-01-30 Thread Marcin Mirosław
W dniu 29.01.2018 o 08:26, Giovanni Bechis pisze: > On 01/29/18 06:00, Alex wrote: >> Hi, >> >>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') >>> triggers for valid hotmail messages... (SA 3.4.1) >>> >>> This small change solves the problem but i do not know whether it is

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-29 Thread Pedro David Marco
Thanks/ Grazie mile Giovanni... PedroD On Monday, January 29, 2018, 8:27:01 AM GMT+1, Giovanni Bechis wrote: On 01/29/18 06:00, Alex wrote: > Hi, > >> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') >> triggers for valid hotmail

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-28 Thread Giovanni Bechis
On 01/29/18 06:00, Alex wrote: > Hi, > >> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') >> triggers for valid hotmail messages... (SA 3.4.1) >> >> This small change solves the problem but i do not know whether it is the >> correct way...maybe "hotmail" string should

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-28 Thread Alex
Hi, > FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') > triggers for valid hotmail messages... (SA 3.4.1) > > This small change solves the problem but i do not know whether it is the > correct way...maybe "hotmail" string should be changed widely to >

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-17 Thread Giovanni Bechis
On 01/17/18 19:29, David Jones wrote: > On 01/17/2018 11:59 AM, Giovanni Bechis wrote: >> On 01/17/18 07:14, Pedro David Marco wrote: >>> Hi, >>> >>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') >>> triggers for valid hotmail messages...  (SA 3.4.1) >>> >>> This small

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-17 Thread David Jones
On 01/17/2018 11:59 AM, Giovanni Bechis wrote: On 01/17/18 07:14, Pedro David Marco wrote: Hi, FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers for valid hotmail messages...  (SA 3.4.1) This small change solves the problem but i do not know whether it is the

Re: FORGED_HOTMAIL_RCVD2 false positive

2018-01-17 Thread Giovanni Bechis
On 01/17/18 07:14, Pedro David Marco wrote: > Hi, > > FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') > triggers for valid hotmail messages...  (SA 3.4.1) > > This small change solves the problem but i do not know whether it is the > correct way...    maybe "hotmail"

FORGED_HOTMAIL_RCVD2 false positive

2018-01-16 Thread Pedro David Marco
Hi, FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers for valid hotmail messages...  (SA 3.4.1) This small change solves the problem but i do not know whether it is the correct way...    maybe "hotmail" string should be changed widely to "outlook|hotmail"...

Re: HTML (was Re: Sender needs help with false positive)

2017-08-08 Thread Benny Pedersen
Dianne Skoll skrev den 2017-08-08 20:09: On Tue, 08 Aug 2017 20:01:52 +0200 Benny Pedersen wrote: why does the OP need to tell sendgrid his users passwords ? That is indeed a very good question. :) +1 It's not as if this is some sort of mass-mailing or marketing-oriented

Re: HTML (was Re: Sender needs help with false positive)

2017-08-08 Thread Dianne Skoll
On Tue, 08 Aug 2017 20:01:52 +0200 Benny Pedersen wrote: > why does the OP need to tell sendgrid his users passwords ? That is indeed a very good question. :) It's not as if this is some sort of mass-mailing or marketing-oriented email that needs to be tracked. Regards, Dianne.

Re: HTML (was Re: Sender needs help with false positive)

2017-08-08 Thread Benny Pedersen
Dianne Skoll skrev den 2017-08-08 15:05: On Tue, 8 Aug 2017 08:00:04 -0500 David Jones wrote: I absolutely agree but it's possible that this part is out of his control. Sendgrid might be receiving a plain text email from the normal source and adding HTML to get that image in

RE: Sender needs help with false positive

2017-08-08 Thread Jacek Osuchowski
Skoll [mailto:d...@roaringpenguin.com] Sent: Tuesday, August 08, 2017 8:43 AM To: users@spamassassin.apache.org Subject: Re: Sender needs help with false positive On Tue, 8 Aug 2017 07:36:01 -0500 David Jones <djo...@ena.com> wrote: > The origin of the email and the path it takes ma

HTML (was Re: Sender needs help with false positive)

2017-08-08 Thread Dianne Skoll
On Tue, 8 Aug 2017 08:00:04 -0500 David Jones wrote: > I absolutely agree but it's possible that this part is out of his > control. Sendgrid might be receiving a plain text email from the > normal source and adding HTML to get that image in there for > tracking. If you can't

Re: Sender needs help with false positive

2017-08-08 Thread David Jones
On 08/08/2017 07:43 AM, Dianne Skoll wrote: On Tue, 8 Aug 2017 07:36:01 -0500 David Jones wrote: The origin of the email and the path it takes makes a big difference in how it's filtered. Sure, but doing a plain-text message with no HTML will immediately knock 2.2 points off

Re: Sender needs help with false positive

2017-08-08 Thread Dianne Skoll
On Tue, 8 Aug 2017 07:36:01 -0500 David Jones wrote: > The origin of the email and the path it takes makes a big difference > in how it's filtered. Sure, but doing a plain-text message with no HTML will immediately knock 2.2 points off the score. That's a pretty cheap and easy

Re: Sender needs help with false positive

2017-08-08 Thread David Jones
On 08/07/2017 07:36 PM, Jacek Osuchowski wrote: David, Thanks a lot. I will try to modify the email text to have more 'meat on the bone'. I am just surprised email with no links, no ads, no attempts to sell anything can be interpreted as a spam. That img in the email is a tag from SendGrid

Re: Sender needs help with false positive

2017-08-08 Thread Benny Pedersen
Required score -20 on inbound scanning to protect outbound spam? Op MSG was dkim signed and valid au, why was it not ADD to whitelist auth, maybe i was sleeping :(

Re: Sender needs help with false positive

2017-08-08 Thread Rupert Gallagher
Avoid marketing mass-mailers when sending administrative messages. Sent from ProtonMail Mobile On Tue, Aug 8, 2017 at 12:56 AM, Jacek Osuchowski wrote: > We use emails to allow users to reset their passwords to our website. We send > very brief emails containing the reset

Re: Sender needs help with false positive

2017-08-07 Thread John Hardin
On Tue, 8 Aug 2017, Benny Pedersen wrote: Jacek Osuchowski skrev den 2017-08-08 00:56: I understand you trying to provide great software to fight email spam stop using bad amavisd.conf, ask for help on amavisd maillist since your issue is not spamassassin if you like to get a better

Re: Sender needs help with false positive

2017-08-07 Thread Karsten Bräckelmann
On Mon, 2017-08-07 at 19:15 -0400, Alex wrote: > > version=3.4.0 > > Version 3.4.0 is like ten years old. I also don't recall BAYES_999 > being available in that version, so one thing or the other is not > correct. Minor nitpick: 3.4.0 was released in Feb 2014, slightly less than 10 years ago.

RE: Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
Message- From: David B Funk [mailto:dbf...@engineering.uiowa.edu] Sent: Monday, August 07, 2017 7:54 PM To: users@spamassassin.apache.org Subject: Re: Sender needs help with false positive On Mon, 7 Aug 2017, David Jones wrote: [snip..] > This IP is listed on SORBS and Spamhaus ZEN wh

RE: Sender needs help with false positive

2017-08-07 Thread David B Funk
On Mon, 7 Aug 2017, Jacek Osuchowski wrote: This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam

Re: Sender needs help with false positive

2017-08-07 Thread David B Funk
On Mon, 7 Aug 2017, David Jones wrote: [snip..] This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin. http://multirbl.valli.org/lookup/68.192.71.191.html That's his PC which is the MSA. As it's the

Re: Sender needs help with false positive

2017-08-07 Thread Dianne Skoll
On Mon, 7 Aug 2017 19:28:04 -0400 "Jacek Osuchowski" wrote: > This is an email I sent to IsNotSpam.com. They list the whole thing > when testing for spam. I am getting a lot of complaints from our > customers that our emails are not received. Our domain is not > blacklisted

Re: Sender needs help with false positive

2017-08-07 Thread Benny Pedersen
Jacek Osuchowski skrev den 2017-08-08 00:56: I understand you trying to provide great software to fight email spam stop using bad amavisd.conf, ask for help on amavisd maillist since your issue is not spamassassin if you like to get a better life use spampd instead of amavisd, amavisd is

Re: Sender needs help with false positive

2017-08-07 Thread David Jones
Mailing list Subject: Re: Sender needs help with false positive Hi, On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski <ja...@osuchowski.net> wrote: We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example b

Password reset strategies (was Re: Sender needs help with false positive)

2017-08-07 Thread Dianne Skoll
[Just replying to one aspect of the original message.] On Mon, 7 Aug 2017 18:26:00 -0500 David Jones wrote: > First, it's a bad idea for a number of reasons to send passwords via > email. Most modern "lost password" mail loops use a unique URL that > expires after a short

Re: Sender needs help with false positive

2017-08-07 Thread David B Funk
On Mon, 7 Aug 2017, Alex wrote: Hi, On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote: We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between : Your password to access

Re: Sender needs help with false positive

2017-08-07 Thread David Jones
On 08/07/2017 05:56 PM, Jacek Osuchowski wrote: We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between : Your password to access your account is: S]U3bC7k Upon successful login you may change your

RE: Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
with false positive Hi, On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski <ja...@osuchowski.net> wrote: > We use emails to allow users to reset their passwords to our website. > We send very brief emails containing the reset password. Example between >>>>: > >>>>&g

Re: Sender needs help with false positive

2017-08-07 Thread Alex
Hi, On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote: > We use emails to allow users to reset their passwords to our website. We > send very brief emails containing the reset password. Example between : > >> > Your password to access your account is: > >

Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between : > Your password to access your account is: S]U3bC7k Upon successful login you may change your password by going to Modify Account /

Re: FROM_WORDY rule is a false-positive

2016-10-07 Thread John Hardin
On Fri, 7 Oct 2016, Yves Goergen wrote: Hello, I received a message from a friend today and it was rated this, among others: 2.5 FROM_WORDY From address looks like a sentence I have no idea what the author of this rule considers a sentence, but that line looks like it always

Re: FROM_WORDY rule is a false-positive

2016-10-07 Thread Antony Stone
On Friday 07 October 2016 at 18:24:27, Yves Goergen wrote: > Hello, > > I received a message from a friend today and it was rated this, among > others: > > 2.5 FROM_WORDY From address looks like a sentence > > I have no idea what the author of this rule considers a sentence, but >

FROM_WORDY rule is a false-positive

2016-10-07 Thread Yves Goergen
Hello, I received a message from a friend today and it was rated this, among others: > 2.5 FROM_WORDY From address looks like a sentence I have no idea what the author of this rule considers a sentence, but that line looks like it always looked, with the well-known legitimate

Re: URI_OBFU_WWW false-positive

2016-03-04 Thread John Hardin
On Fri, 4 Mar 2016, Alex wrote: Hi, Is there something that can be done to improve this rule? ran body rule URI_OBFU_WWW ==> got hit: "www..facebook.com" 2.45 points, putting it over the edge in a number of messages where the sender accidentally typed it wrong in their signature, is just

URI_OBFU_WWW false-positive

2016-03-04 Thread Alex
Hi, Is there something that can be done to improve this rule? ran body rule URI_OBFU_WWW ==> got hit: "www..facebook.com" 2.45 points, putting it over the edge in a number of messages where the sender accidentally typed it wrong in their signature, is just too much. thanks, alex

Re: BODY_URI_ONLY: False-Positive

2015-07-18 Thread Reindl Harald
Am 12.07.2015 um 16:38 schrieb RW: On Sun, 12 Jul 2015 16:22:09 +0200 Reindl Harald wrote: What I don't get is where the URI is. i guess the mailaddress Reply to: @*** That'll be it on the other hand that one did not hit it while save the message as eml and pass it

Re: BODY_URI_ONLY: False-Positive

2015-07-12 Thread RW
On Sun, 12 Jul 2015 13:35:53 +0200 Reindl Harald wrote: BODY_URI_ONLY Message body is only a URI in one line of text or for an image i guess one problem is the text/html instead text/plain but anyways that mailbody hardly qualifies for BODY_URI_ONLY I just spotted a bug in that rule

BODY_URI_ONLY: False-Positive

2015-07-12 Thread Reindl Harald
BODY_URI_ONLY Message body is only a URI in one line of text or for an image i guess one problem is the text/html instead text/plain but anyways that mailbody hardly qualifies for BODY_URI_ONLY _ Content-Type: text/html;

Re: BODY_URI_ONLY: False-Positive

2015-07-12 Thread RW
On Sun, 12 Jul 2015 16:22:09 +0200 Reindl Harald wrote: What I don't get is where the URI is. i guess the mailaddress Reply to: @*** That'll be it.

Re: BODY_URI_ONLY: False-Positive

2015-07-12 Thread Reindl Harald
Am 12.07.2015 um 16:19 schrieb RW: On Sun, 12 Jul 2015 13:35:53 +0200 Reindl Harald wrote: BODY_URI_ONLY Message body is only a URI in one line of text or for an image i guess one problem is the text/html instead text/plain but anyways that mailbody hardly qualifies for BODY_URI_ONLY I

SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Dharma Monie
Anyone experienced SA rule URIBL (spammhaus/local.cf) score false positive? — uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.orghttp://sbl-xbl.spamhaus.org. TXT body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL’) — All of a sudden, it scores 40-50% false positive, latest 2-3 days. All summin

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Axb
On 12/19/2014 11:55 AM, Dharma Monie wrote: Anyone experienced SA rule URIBL (spammhaus/local.cf) score false positive? — uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.orghttp://sbl-xbl.spamhaus.org. TXT body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL’) — All of a sudden, it scores 40-50

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Dharma Monie
on this is most welcome. // Dharma Monie <dha...@dharmacode.se> On 19 Dec 2014, at 12:01, Axb <axb.li...@gmail.com> wrote: On 12/19/2014 11:55 AM, Dharma Monie wrote: Anyone experienced SA rule URIBL (spammhaus/local.cf) score false positive? — uridnsbl

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Axb
hit that lookup? // Dharma Monie <dha...@dharmacode.se> On 19 Dec 2014, at 12:01, Axb <axb.li...@gmail.com> wrote: On 12/19/2014 11:55 AM, Dharma Monie wrote: Anyone experienced SA rule URIBL (spammhaus/local.cf) score false positive? — uridnsbl URIBL_SBLXBL sbl

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Matus UHLAR - fantomas
On 12/19/2014 12:28 PM, Dharma Monie wrote: The rule is shipped with SA by default, regarding if it’s enabled by default - checking against that exact uribl - I’m afraid I can’t provide you with a satisfying answer there, as I was not the initial admin configuring “this” file. On 19.12.14

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread RW
On Fri, 19 Dec 2014 14:12:47 +0100 Matus UHLAR - fantomas wrote: On 12/19/2014 12:28 PM, Dharma Monie wrote: The rule is shipped with SA by default, regarding if it's enabled by default - checking against that exact uribl - I'm afraid I can't provide you with a satisfying answer there, as I

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Jose Borges Ferreira
URIBL (spammhaus/local.cf) score false positive? — uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL’) — All of a sudden, it scores 40-50% false positive, latest 2-3 days. All summin' up to now - users missing a whole lot of mail

Re: possible false positive with FORGED_YAHOO_RCVD?

2014-12-09 Thread listsb-spamassassin
On Nov 30, 2014, at 15.42, Benny Pedersen m...@junc.eu wrote: On 30. nov. 2014 21.12.06 listsb-spamassas...@bitrate.net wrote: http://dpaste.com/3XTYV0V.txt Is trusted_networks and internal_networks correct both for ipv4 and ipv6 ? Does it match settings in amavisd ? Both sa and

possible false positive with FORGED_YAHOO_RCVD?

2014-11-30 Thread listsb-spamassassin
for other reasons, doesn't seem to be the culprit here [in my cursory look at check_for_forged_yahoo_received_headers, i didn't see any references to dkim]? was this a false positive, or am i ignorant? http://dpaste.com/3XTYV0V.txt -ben

Re: possible false positive with FORGED_YAHOO_RCVD?

2014-11-30 Thread Benny Pedersen
On 30. nov. 2014 21.12.06 listsb-spamassas...@bitrate.net wrote: http://dpaste.com/3XTYV0V.txt Is trusted_networks and internal_networks correct both for ipv4 and ipv6 ? Does it match settings in amavisd ? Both sa and amavisd need to know ALL your own ips including all non routeble :)

SpamAssassin false positive bayes with attachments

2014-10-06 Thread jdime abuse
I have been seeing some issues with bayes detection from base64 strings within attachments causing false positives. Example: Oct 6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264 Oct 6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127 Oct 6 09:02:14.374 [15869]
