As a note, I sometimes make my rules harder to read on purpose to dissuade
bad actors from trying to unwind them.
On Wed, Aug 11, 2021, 11:21 Kenneth Porter wrote:
> On 8/11/2021 8:05 AM, Kenneth Porter wrote:
> >
> > BTW, does SA permit use of Perl-style regex delimiters to avoid
> > leaning
On 8/11/2021 8:05 AM, Kenneth Porter wrote:
BTW, does SA permit use of Perl-style regex delimiters to avoid
leaning toothpick syndrome?
https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome
Answering my own question, I see it used in this rule:
uri __IMGUR_IMG
On 8/11/2021 7:39 AM, Jared Hall wrote:
*Maybe* a little more refinement could prevent it picking up .hidden
folders that have a BAD_TLD name.
/[A-Za-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i
The CVS/Kodak uri would still fail on this pattern,
Kenneth Porter wrote:
uri __KAM_SOMETLD_ARE_BAD_TLD_URI
/\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i
I have a client whose NVR writes its archived video spools to a .cam
folder on their server. Heaven forbid ".well-known" ever becomes a TLD :)
--On Wednesday, August 11, 2021 12:29 AM -0400 "Kevin A. McGrail"
wrote:
Hi Kenneth, the ruleset is designed for a system scoring over 5.0.
Did the rule from the cell provider cause an fp?
Is your threshold higher than 5.0?
I use the stock threshold of 5.0. I'm using the ruleset via the
Hi Kenneth, the ruleset is designed for a system scoring over 5.0.
Did the rule from the cell provider cause an fp?
Is your threshold higher than 5.0?
There is a way to report problems listed in the file but feel free to
contact me off list and I'll tell you how to send me a sample.
Regards,
My cellular supplier has a weekly bag of goodies (coupons, schwag) and last
week's included a free photo refrigerator magnet from CVS. So I signed up a
CVS/Kodak account to put in my order. Like most such offers, they start
sending me marketing mail, and the first one hit
I was surprised to see KAM_SOMETLD_ARE_BAD_TLD hit as a false
positive. The file was a DNS domain transfer file that someone
emailed as part of a security bug report.
To trigger the false positive include the following. In the real
world case this was in a dns zone file that was sent
On Fri, 26 Feb 2021, Matus UHLAR - fantomas wrote:
Hello,
it seems that BIGNUM_EMAILS on signatures containing e-mail address after
telephone number like:
Mobil: +421 904 000 111
e-mail: addr...@example.com
Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==>
got
Hello,
it seems that BIGNUM_EMAILS on signatures containing e-mail address after
telephone number like:
Mobil: +421 904 000 111
e-mail: addr...@example.com
Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==> got hit:
"000 111 e-mail"
--
Matus UHLAR - fantomas,
John Hardin wrote
> The problem is that there are no Received headers internal to his domain,
> and that makes it look like a MUA is directly contacting your MTA to send
> an email - hence, "DIRECT_TO_MX".
>
> If you can, advise the sender to not remove all the Received headers from
> their
On Sat, 1 Feb 2020 17:38:52 +0100
Matus UHLAR - fantomas wrote:
> >On Thu, 30 Jan 2020 15:37:47 -0800 (PST)
> >John Hardin wrote:
> >> That a given rule hits on some ham does not make the rule a FP.
> >> This rule is working as designed.
>
> On 31.01.20 15:09, RW wrote:
> >DOS_OUTLOOK_TO_MX
On Thu, 30 Jan 2020 15:37:47 -0800 (PST)
John Hardin wrote:
That a given rule hits on some ham does not make the rule a FP. This
rule is working as designed.
On 31.01.20 15:09, RW wrote:
DOS_OUTLOOK_TO_MX is defined in 72_active.cf, but its score is in
50_scores.cf, set 10 years ago. Is that
On Thu, 30 Jan 2020 15:37:47 -0800 (PST)
John Hardin wrote:
> That a given rule hits on some ham does not make the rule a FP. This
> rule is working as designed.
DOS_OUTLOOK_TO_MX is defined in 72_active.cf, but its score is in
50_scores.cf, set 10 years ago. Is that supposed to happen?
On 1/30/2020 6:37 PM, John Hardin wrote:
> The problem is that there are no Received headers internal to his
> domain, and that makes it look like a MUA is directly contacting your
> MTA to send an email - hence, "DIRECT_TO_MX".
>
> If you can, advise the sender to not remove all the Received
On Thu, 30 Jan 2020, premax wrote:
Hello there,
The sender is using Outlook and his own mail server. Mail comes to my
server and scores against DOS_OUTLOOK_TO_MX, because of
__DOS_DIRECT_TO_MX false positive. I've been looking into message
headers for hours and see nothing strange over
Hello there,
The sender is using Outlook and his own mail server. Mail comes to my server
and scores against DOS_OUTLOOK_TO_MX, because of __DOS_DIRECT_TO_MX false
positive. I've been looking into message headers for hours and see nothing
strange over there. 'Received' headers are present. Why
On 23/01/20 18:56, RW wrote:
I'm curious as to what's actually going on here. If I use
dig ns fluent.ltd.uk @
some caches give the 2 servers supplied by Nominet, others give the 3
servers from dns[1-3].fluent.ltd.uk (an extra round-trip).
If I look on Google's 8.8.8.8 I get a random result
On Thu, 23 Jan 2020 13:48:58 +
RW wrote:
> These two are supplied by the ltd.uk nameservers, but if you do an NS
> lookup on one of these you get a third server, dns3.fluent.ltd.uk with
> the IP address 195.78.94.20.
I'm curious as to what's actually going on here. If I use
dig ns
On Thu, Jan 23, 2020 at 05:01:20PM +0100, Benny Pedersen wrote:
> RW wrote on 2020-01-23 16:51:
>
> >I opened bug 7242 for that in 2015 - I thought it had been fixed years
> >ago. It looks like it narrowly missed 3.4.2.
>
> i remember it was that it did 2 lockups for the same ips, and it could
RW wrote on 2020-01-23 16:51:
I opened bug 7242 for that in 2015 - I thought it had been fixed years
ago. It looks like it narrowly missed 3.4.2.
i remember it was that it did 2 lockups for the same ips, and it could
not be resolved to one since it was not same data that is tested, there
On Thu, 23 Jan 2020 14:31:01 +
Riccardo Alfieri wrote:
> >>* 0.1 URIBL_SBL_A Contains URL's A record listed in the
> >> Spamhaus SBL
> > I'm not seeing this at present.
>
> I guess it's because you are running 3.4.3+. On previous versions it
> would hit because, as stated in
On 23/01/20 14:48, RW wrote:
On Thu, 23 Jan 2020 13:06:01 +
Jonathan Gilpin wrote:
Hi,
It seems that SpamAssassin is giving out a false positive on a
Spamhaus SBL lookup:
* 0.1 URIBL_SBL_A Contains URL's A record listed in the
Spamhaus SBL
I'm not seeing this at present.
I
Hello Riccardo,
On Thursday, January 23, 2020, 7:53:18 AM, Riccardo Alfieri wrote:
RA> if you would care to forward me offlist a complete sample that triggers
RA> the FPs I'll be happy to investigate
FWIW, these very messages to the SA list this morning mentioning this domain
triggered for me
Hello Jonathan,
if you would care to forward me offlist a complete sample that triggers
the FPs I'll be happy to investigate
On 23/01/20 14:51, Jonathan Gilpin wrote:
Our local resolver is 195.78.94.4 and this was verified by another
SpamAssassin user who has their own resolver on another
found
anyone using spamassassin that is not getting the same result
Jonathan
> On 23 Jan 2020, at 13:46, Dominic Raferd wrote:
>
>
>
> On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin <jonat...@fluent.ltd.uk> wrote:
> Hi,
>
> It seems that SpamAsass
On Thu, 23 Jan 2020 13:06:01 +
Jonathan Gilpin wrote:
> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a
> Spamhaus SBL lookup:
>
> * 0.1 URIBL_SBL_A Contains URL's A record listed in the
> Spamhaus SBL
I'm not seeing this at present.
>
On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin
wrote:
> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL
> lookup:
>
> * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
> * blocklist
> * [URIs: fluent.lt
Hi,
It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL
lookup:
* 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
* blocklist
* [URIs: fluent.ltd.uk]
* 2.1 URIBL_SBL Contains an URL's NS IP listed
On Wed, 18 Sep 2019 12:29:43 +0200
Matus UHLAR - fantomas wrote:
> I have received following spam:
>
> https://pastebin.com/SkvkVWik
>
> This hits FORGED_GMAIL_RCVD although the message came from google mail
> servers.
>
> According to HeaderEval.pm, message apparently misses
>
On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote:
> On Wed, 18 Sep 2019 12:29:43 +0200
> Matus UHLAR - fantomas wrote:
>
> > Hello,
> >
> > I have received following spam:
> >
> > https://pastebin.com/SkvkVWik
> >
> > This hits FORGED_GMAIL_RCVD although the message came from google mail
> >
On Wed, 18 Sep 2019 12:29:43 +0200
Matus UHLAR - fantomas wrote:
> Hello,
>
> I have received following spam:
>
> https://pastebin.com/SkvkVWik
>
> This hits FORGED_GMAIL_RCVD although the message came from google mail
> servers.
>
> According to HeaderEval.pm, message apparently misses
>
Hello,
I have received following spam:
https://pastebin.com/SkvkVWik
This hits FORGED_GMAIL_RCVD although the message came from google mail
servers.
According to HeaderEval.pm, message apparently misses X-Google-Smtp-Source
header
is there any reason to expect that header in mail from gmail?
The attached innocuous message confirming a dentist appointment
triggered URI_PHISH because of __EMAIL_PHISH because of __UPGR_MAILBOX
("If you would like to update your email preferences...") and
__TVD_PH_BODY_ACCOUNTS_POST (consecutive links to "Confirm
Appointment" and "Access My Account").
Ok, your headers sample finally showed up.
On Thu, 16 Aug 2018, Michael D. Maus Jr. wrote:
I have attached the full header from the recipient to this email in a
.txt file as well as the msg from the source computer.
None of these headers are from base SpamAssassin:
X-CMAE-Verdict: spam
On Sun, 29 Jul 2018, Daniele Duca wrote:
On 29/07/2018 09:53, Yves Goergen wrote:
No I can't because it's a locked system. I'd need an account for that. And
I'm not going to register just for saving another admin's system. So either
stackexchange admins repair their entry themselves, or the
On 29/07/2018 09:53, Yves Goergen wrote:
No I can't because it's a locked system. I'd need an account for that.
And I'm not going to register just for saving another admin's system.
So either stackexchange admins repair their entry themselves, or the
blacklist operator needs a review.
-Yves
No I can't because it's a locked system. I'd need an account for that.
And I'm not going to register just for saving another admin's system. So
either stackexchange admins repair their entry themselves, or the
blacklist operator needs a review.
-Yves
Oh I can surely change anything I want. But I don't want to weaken my
spam filter. It's weak enough already. Spam is getting more and more
through. It got to the point where I have to reconsider my complete mail
receiving strategy with subaddresses, filters and a set of inbox
subfolders to
Yes, I have changed the value of this rule long ago. It seemed to be
better. I may have to turn it down a little.
And I am the admin myself but I'm no expert in spam fighting. Especially
what the reason or source of that blacklisting is. I just see the rule
matched and I consider that wrong
On Sat, 28 Jul 2018 21:20:49 +0200
Yves Goergen wrote:
> Hello,
>
> I've received a notification e-mail from stackexchange.com
> (stackoverflow.com) with a high spam score. It has this line in its
> report:
>
> 5.7 URIBL_BLACK Contains an URL listed in the URIBL
> blacklist
5.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: stackexchange.com]
I guess that's not supposed to be like that. I can't change anything at
it, just for information for somebody in the position to fix that.
It is indeed
Hello,
I've received a notification e-mail from stackexchange.com
(stackoverflow.com) with a high spam score. It has this line in its report:
5.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: stackexchange.com]
I guess that's not
We got a few hits on RCVD_IN_PBL for the IP 24.137.53.2 that do not
appear to be listed on spamhaus. I tried
dig 2.53.137.24.zen.spamhaus.org
on that same server and got no results, and even then SA kept hitting
that rule. My understanding of /eval:check_rbl('zen-lastexternal',
On 30.01.2018 at 14:51, Kevin A. McGrail wrote:
> On 1/30/2018 4:11 AM, Marcin Mirosław wrote:
>> Can error pasted below be related to this commit?
>
> Yes, without a doubt the same bug.
Hi!
I'm answering with one email, thanks for your answers and now sa-update
works fine.
Have a nice day
On 1/30/2018 4:11 AM, Marcin Mirosław wrote:
Can error pasted below be related to this commit?
Yes, without a doubt the same bug.
On 01/30/18 10:11, Marcin Mirosław wrote:
> On 29.01.2018 at 08:26, Giovanni Bechis wrote:
>> On 01/29/18 06:00, Alex wrote:
>>> Hi,
>>>
FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
triggers for valid hotmail messages... (SA 3.4.1)
This small change
On 29.01.2018 at 08:26, Giovanni Bechis wrote:
> On 01/29/18 06:00, Alex wrote:
>> Hi,
>>
>>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>>> triggers for valid hotmail messages... (SA 3.4.1)
>>>
>>> This small change solves the problem but i do not know whether it is
Thanks/ Grazie mile Giovanni...
PedroD
On Monday, January 29, 2018, 8:27:01 AM GMT+1, Giovanni Bechis
wrote:
On 01/29/18 06:00, Alex wrote:
> Hi,
>
>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>> triggers for valid hotmail
On 01/29/18 06:00, Alex wrote:
> Hi,
>
>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>> triggers for valid hotmail messages... (SA 3.4.1)
>>
>> This small change solves the problem but i do not know whether it is the
>> correct way...maybe "hotmail" string should
Hi,
> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
> triggers for valid hotmail messages... (SA 3.4.1)
>
> This small change solves the problem but i do not know whether it is the
> correct way...maybe "hotmail" string should be changed widely to
>
On 01/17/18 19:29, David Jones wrote:
> On 01/17/2018 11:59 AM, Giovanni Bechis wrote:
>> On 01/17/18 07:14, Pedro David Marco wrote:
>>> Hi,
>>>
>>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>>> triggers for valid hotmail messages... (SA 3.4.1)
>>>
>>> This small
On 01/17/2018 11:59 AM, Giovanni Bechis wrote:
On 01/17/18 07:14, Pedro David Marco wrote:
Hi,
FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers
for valid hotmail messages... (SA 3.4.1)
This small change solves the problem but i do not know whether it is the
On 01/17/18 07:14, Pedro David Marco wrote:
> Hi,
>
> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
> triggers for valid hotmail messages... (SA 3.4.1)
>
> This small change solves the problem but i do not know whether it is the
> correct way... maybe "hotmail"
Hi,
FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers
for valid hotmail messages... (SA 3.4.1)
This small change solves the problem but i do not know whether it is the
correct way... maybe "hotmail" string should be changed widely to
"outlook|hotmail"...
Dianne Skoll wrote on 2017-08-08 20:09:
On Tue, 08 Aug 2017 20:01:52 +0200
Benny Pedersen wrote:
why does the OP need to tell sendgrid his users passwords ?
That is indeed a very good question. :)
+1
It's not as if this is some sort of mass-mailing or marketing-oriented
On Tue, 08 Aug 2017 20:01:52 +0200
Benny Pedersen wrote:
> why does the OP need to tell sendgrid his users passwords ?
That is indeed a very good question. :)
It's not as if this is some sort of mass-mailing or marketing-oriented
email that needs to be tracked.
Regards,
Dianne.
Dianne Skoll wrote on 2017-08-08 15:05:
On Tue, 8 Aug 2017 08:00:04 -0500
David Jones wrote:
I absolutely agree but it's possible that this part is out of his
control. Sendgrid might be receiving a plain text email from the
normal source and adding HTML to get that image in
Skoll [mailto:d...@roaringpenguin.com]
Sent: Tuesday, August 08, 2017 8:43 AM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive
On Tue, 8 Aug 2017 07:36:01 -0500
David Jones <djo...@ena.com> wrote:
> The origin of the email and the path it takes ma
On Tue, 8 Aug 2017 08:00:04 -0500
David Jones wrote:
> I absolutely agree but it's possible that this part is out of his
> control. Sendgrid might be receiving a plain text email from the
> normal source and adding HTML to get that image in there for
> tracking.
If you can't
On 08/08/2017 07:43 AM, Dianne Skoll wrote:
On Tue, 8 Aug 2017 07:36:01 -0500
David Jones wrote:
The origin of the email and the path it takes makes a big difference
in how it's filtered.
Sure, but doing a plain-text message with no HTML will immediately knock
2.2 points off
On Tue, 8 Aug 2017 07:36:01 -0500
David Jones wrote:
> The origin of the email and the path it takes makes a big difference
> in how it's filtered.
Sure, but doing a plain-text message with no HTML will immediately knock
2.2 points off the score. That's a pretty cheap and easy
On 08/07/2017 07:36 PM, Jacek Osuchowski wrote:
David,
Thanks a lot. I will try to modify the email text to have more 'meat on the
bone'. I am just surprised email with no links, no ads, no attempts to sell
anything can be interpreted as a spam.
That img in the email is a tag from SendGrid
Required score -20 on inbound scanning to protect outbound spam?
Op MSG was dkim signed and valid au, why was it not ADD to whitelist auth,
maybe i was sleeping :(
Avoid marketing mass-mailers when sending administrative messages.
Sent from ProtonMail Mobile
On Tue, Aug 8, 2017 at 12:56 AM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send
> very brief emails containing the reset
On Tue, 8 Aug 2017, Benny Pedersen wrote:
Jacek Osuchowski wrote on 2017-08-08 00:56:
I understand you trying to provide great software to fight email spam
stop using bad amavisd.conf, ask for help on amavisd maillist since your
issue is not spamassassin
if you like to get a better
On Mon, 2017-08-07 at 19:15 -0400, Alex wrote:
> > version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999
> being available in that version, so one thing or the other is not
> correct.
Minor nitpick: 3.4.0 was released in Feb 2014, slightly less than 10
years ago.
Message-
From: David B Funk [mailto:dbf...@engineering.uiowa.edu]
Sent: Monday, August 07, 2017 7:54 PM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive
On Mon, 7 Aug 2017, David Jones wrote:
[snip..]
> This IP is listed on SORBS and Spamhaus ZEN wh
On Mon, 7 Aug 2017, Jacek Osuchowski wrote:
This is an email I sent to IsNotSpam.com. They list the whole thing when
testing for spam. I am getting a lot of complains from our customers that our
emails are not received. Our domain is not blacklisted anywhere so I suspect it
is the spam
On Mon, 7 Aug 2017, David Jones wrote:
[snip..]
This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems
with delivery to many receiving mail filters, not just SpamAssassin.
http://multirbl.valli.org/lookup/68.192.71.191.html
That's his PC which is the MSA. As it's the
On Mon, 7 Aug 2017 19:28:04 -0400
"Jacek Osuchowski" wrote:
> This is an email I sent to IsNotSpam.com. They list the whole thing
> when testing for spam. I am getting a lot of complaints from our
> customers that our emails are not received. Our domain is not
> blacklisted
Jacek Osuchowski wrote on 2017-08-08 00:56:
I understand you trying to provide great software to fight email spam
stop using bad amavisd.conf, ask for help on amavisd maillist since your
issue is not spamassassin
if you like to get a better life use spampd instead of amavisd, amavisd
is
Mailing list
Subject: Re: Sender needs help with false positive
Hi,
On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski <ja...@osuchowski.net> wrote:
We use emails to allow users to reset their passwords to our website.
We send very brief emails containing the reset password. Example b
[Just replying to one aspect of the original message.]
On Mon, 7 Aug 2017 18:26:00 -0500
David Jones wrote:
> First, it's a bad idea for a number of reasons to send passwords via
> email. Most modern "lost password" mail loops use a unique URL that
> expires after a short
On Mon, 7 Aug 2017, Alex wrote:
Hi,
On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between :
Your password to access
On 08/07/2017 05:56 PM, Jacek Osuchowski wrote:
We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between :
Your password to access your account is:
S]U3bC7k
Upon successful login you may change your
with false positive
Hi,
On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski <ja...@osuchowski.net> wrote:
> We use emails to allow users to reset their passwords to our website.
> We send very brief emails containing the reset password. Example between >>>>:
>
>>>>&g
Hi,
On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We
> send very brief emails containing the reset password. Example between :
>
>>
> Your password to access your account is:
>
>
We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between :
>
Your password to access your account is:
S]U3bC7k
Upon successful login you may change your password by going to Modify
Account /
On Fri, 7 Oct 2016, Yves Goergen wrote:
Hello,
I received a message from a friend today and it was rated this, among others:
2.5 FROM_WORDY From address looks like a sentence
I have no idea what the author of this rule considers a sentence, but that
line looks like it always
On Friday 07 October 2016 at 18:24:27, Yves Goergen wrote:
> Hello,
>
> I received a message from a friend today and it was rated this, among
> others:
> > 2.5 FROM_WORDY From address looks like a sentence
>
> I have no idea what the author of this rule considers a sentence, but
>
Hello,
I received a message from a friend today and it was rated this, among
others:
> 2.5 FROM_WORDY From address looks like a sentence
I have no idea what the author of this rule considers a sentence, but
that line looks like it always looked, with the well-known legitimate
On Fri, 4 Mar 2016, Alex wrote:
Hi,
Is there something that can be done to improve this rule?
ran body rule URI_OBFU_WWW ==> got hit: "www..facebook.com"
2.45 points, putting it over the edge in a number of messages where
the sender accidentally typed it wrong in their signature, is just
Hi,
Is there something that can be done to improve this rule?
ran body rule URI_OBFU_WWW ==> got hit: "www..facebook.com"
2.45 points, putting it over the edge in a number of messages where
the sender accidentally typed it wrong in their signature, is just too
much.
thanks,
alex
On 12.07.2015 at 16:38, RW wrote:
On Sun, 12 Jul 2015 16:22:09 +0200
Reindl Harald wrote:
What I don't get is where the URI is.
i guess the mailaddress Reply to: @***
That'll be it
on the other hand that one did not hit it while save the message as eml
and pass it
On Sun, 12 Jul 2015 13:35:53 +0200
Reindl Harald wrote:
BODY_URI_ONLY
Message body is only a URI in one line of text or for an image
i guess one problem is the text/html instead text/plain but anyways
that mailbody hardly qualifies for BODY_URI_ONLY
I just spotted a bug in that rule
BODY_URI_ONLY
Message body is only a URI in one line of text or for an image
i guess one problem is the text/html instead text/plain but anyways that
mailbody hardly qualifies for BODY_URI_ONLY
_
Content-Type: text/html;
On Sun, 12 Jul 2015 16:22:09 +0200
Reindl Harald wrote:
What I don't get is where the URI is.
i guess the mailaddress Reply to: @***
That'll be it.
On 12.07.2015 at 16:19, RW wrote:
On Sun, 12 Jul 2015 13:35:53 +0200
Reindl Harald wrote:
BODY_URI_ONLY
Message body is only a URI in one line of text or for an image
i guess one problem is the text/html instead text/plain but anyways
that mailbody hardly qualifies for BODY_URI_ONLY
I
Anyone experienced SA rule URIBL (spamhaus/local.cf) score false positive?
—
uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
—
All of a sudden, it scores 40-50% false positive, latest 2-3 days. All summin
On 12/19/2014 11:55 AM, Dharma Monie wrote:
Anyone experienced SA rule URIBL (spamhaus/local.cf) score false positive?
—
uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
—
All of a sudden, it scores 40-50
on this is most welcome.
// Dharma Monie mailto:dha...@dharmacode.se
On 19 Dec 2014, at 12:01, Axb axb.li...@gmail.com
wrote:
On 12/19/2014 11:55 AM, Dharma Monie wrote:
Anyone experienced SA rule URIBL (spamhaus/local.cf) score false positive?
—
uridnsbl
hit that lookup?
// Dharma Monie mailto:dha...@dharmacode.se
On 19 Dec 2014, at 12:01, Axb axb.li...@gmail.com
wrote:
On 12/19/2014 11:55 AM, Dharma Monie wrote:
Anyone experienced SA rule URIBL (spamhaus/local.cf) score false positive?
—
uridnsbl URIBL_SBLXBL
sbl
On 12/19/2014 12:28 PM, Dharma Monie wrote:
The rule is shipped with SA by default,
regarding if it’s enabled by default - checking against that exact uribl - I’m
afraid I can’t provide you with
a satisfying answer there, as I was not the initial admin configuring “this”
file.
On 19.12.14
On Fri, 19 Dec 2014 14:12:47 +0100
Matus UHLAR - fantomas wrote:
On 12/19/2014 12:28 PM, Dharma Monie wrote:
The rule is shipped with SA by default,
regarding if it's enabled by default - checking against that exact
uribl - I'm afraid I can't provide you with a satisfying answer
there, as I
URIBL (spamhaus/local.cf) score false positive?
—
uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
—
All of a sudden, it scores 40-50% false positive, latest 2-3 days. All
summin' up to now - users missing a whole lot of mail
On Nov 30, 2014, at 15.42, Benny Pedersen m...@junc.eu wrote:
On 30. nov. 2014 21.12.06 listsb-spamassas...@bitrate.net wrote:
http://dpaste.com/3XTYV0V.txt
Is trusted_networks and internal_networks correct both for ipv4 and ipv6 ?
Does it match settings in amavisd ?
Both sa and
for other
reasons, doesn't seem to be the culprit here [in my cursory look at
check_for_forged_yahoo_received_headers, i didn't see any references to dkim]?
was this a false positive, or am i ignorant?
http://dpaste.com/3XTYV0V.txt
-ben
On 30. nov. 2014 21.12.06 listsb-spamassas...@bitrate.net wrote:
http://dpaste.com/3XTYV0V.txt
Is trusted_networks and internal_networks correct both for ipv4 and ipv6 ?
Does it match settings in amavisd ?
Both sa and amavisd need to know ALL your own ips including all non routeble :)
I have been seeing some issues with bayes detection from base64 strings
within attachments causing false positives.
Example:
Oct 6 09:02:14.374 [15869] dbg: bayes: token 'H4f' = 0.71186828264
Oct 6 09:02:14.374 [15869] dbg: bayes: token 'wx2' = 0.68644662127
Oct 6 09:02:14.374 [15869]