cored 99.99% likelihood of spam. The word
"Wopsle", for example, was a dead giveaway... that never appears in
our ham stream, but has appeared in 93 spams in our database.
Bayes poisoning, in our experience, is only occasionally effective.
Regards,
David.
Hi,
> Actually, that's a Snowshoe IP.
> Which, on balance, can be a good thing, slaying-wise. :)
You mean that it's more likely to be added to the SBL with the other
IPs in the same range sooner?
> Almost four years ago, I posted my approach to snowshoe slaying:
>
> http://mail-archives
Hi Alex!
Actually, that's a Snowshoe IP.
Which, on balance, can be a good thing, slaying-wise. :)
Almost four years ago, I posted my approach to snowshoe slaying:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e
It has cont
On Thu, 29 Nov 2012, Alex wrote:
I have an example of spam that I just can't reliably detect:
http://pastebin.com/YuuLuA1x
I was just wondering if there was something else that could be
triggered on in the header to catch these sooner? I'm assuming the
sending IP part of a botnet? I'm using v3
Hi,
I have an example of spam that I just can't reliably detect:
http://pastebin.com/YuuLuA1x
It's basically some HTML with a URL to an ad for "Lantern with 9 LED
bulbs". I've trained hundreds of these, and they still report
BAYES_50. I've just tested it now, a few hours after having first
recei
On 10/18/11 12:12 PM, "Karsten Bräckelmann" wrote:
> On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote:
>> One of my users submitted a spam for analysis, and I was amazed at the
>> efforts this troglodyte expended to poison bayes.
>> Is it worth the effort to try to find huge html comme
On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote:
> One of my users submitted a spam for analysis, and I was amazed at the
> efforts this troglodyte expended to poison bayes.
> Is it worth the effort to try to find huge html comments hiding junk
> like this?
Hmm, wait -- Bayes and HTML com
Daniel McDonald wrote:
Rawbody OBFU_HTML_LONG_COMMENT /\<--.{1024,}?--\>/
Describe OBFU_HTML_LONG_COMMENT contains a ridiculously long html comment
Tried with exactly that limit, 1 kb.
TargetX, which is used by universities in recruiting, uses a long comment
in its generated mail (I did no
ing and ending markers are part of the same comment.
Your example would be tripped up if there was a small comment at the
beginning of the message and another small comment at the end. It would
count characters between the beginning of the first comment and the end
of the second one.
As far as &q
One of my users submitted a spam for analysis, and I was amazed at the
efforts this troglodyte expended to poison bayes.
Is it worth the effort to try to find huge html comments hiding junk like
this?
Maybe something like
Rawbody OBFU_HTML_LONG_COMMENT /\<--.{1024,}?--\>/
Describe OBFU_HTML_LONG_
On Tue, 2010-02-23 at 09:28 -0500, Bowie Bailey wrote:
> Michael Scheidell wrote:
> > you can edit the tflags and add noautolearn
> Are these settings cumulative? The man page doesn't specify.
Nope. tflags is of type CONF_TYPE_HASH_KEY_VALUE, so there's exactly one
tflags value per rule name.
Michael Scheidell wrote:
> On 2/23/10 9:28 AM, Bowie Bailey wrote:
>> Michael Scheidell wrote:
>>
>>> On 2/23/10 9:03 AM, Jason Bertoch wrote:
>>>
Are there any internal checks that disable Bayes autolearn when these
artificial whitelist rules match? I'd disabled these rules in
>
On 2/23/2010 9:35 AM, Michael Scheidell wrote:
>
why not just do tflags RULENAME nice net noautolearn
(oh.. and to find them, grep '^tflags.*RCVD_IN' *.cf
some interesting ones. not sure why they rate a net nice:
Grepping for 'autolearn' turns up the built-in whitelist and blacklist
rules.
On 2/23/10 9:28 AM, Bowie Bailey wrote:
Michael Scheidell wrote:
On 2/23/10 9:03 AM, Jason Bertoch wrote:
Are there any internal checks that disable Bayes autolearn when these
artificial whitelist rules match? I'd disabled these rules in
versions prior to 3.3.0 but, with all the disc
On 2/23/2010 9:20 AM, Michael Scheidell wrote:
Unfortunately, I'm still seeing false positives and am concerned that
they are pushing the scores low enough to poison my Bayes database.
you can edit the tflags and add noautolearn
example:
72_active.cf:tflags RCVD_IN_RP_CERTIFIED net nice
Michael Scheidell wrote:
> On 2/23/10 9:03 AM, Jason Bertoch wrote:
>>
>> Are there any internal checks that disable Bayes autolearn when these
>> artificial whitelist rules match? I'd disabled these rules in
>> versions prior to 3.3.0 but, with all the discussion on the matter, I
>> thought I'd l
On 2/23/10 9:03 AM, Jason Bertoch wrote:
Are there any internal checks that disable Bayes autolearn when these
artificial whitelist rules match? I'd disabled these rules in
versions prior to 3.3.0 but, with all the discussion on the matter, I
thought I'd leave them in to see the "new and imp
Are there any internal checks that disable Bayes autolearn when these
artificial whitelist rules match? I'd disabled these rules in versions
prior to 3.3.0 but, with all the discussion on the matter, I thought I'd
leave them in to see the "new and improved" version. Unfortunately, I'm
still
Craig Carriere wrote:
Matt wrote:
First - use dummy MX records. Real mail retries. Botnet and most
spammers don't. It's easier for them to try to spam someone else than to
fight your filter. MX config is as follows:
dummy - 10
real - 20
real-backups - 30
dummy - 40
dummy - 50
dummy - 60
Matt wrote:
>> First - use dummy MX records. Real mail retries. Botnet and most
>> spammers don't. It's easier for them to try to spam someone else than to
>> fight your filter. MX config is as follows:
>>
>> dummy - 10
>> real - 20
>> real-backups - 30
>> dummy - 40
>> dummy - 50
>> dummy - 60
>
First - use dummy MX records. Real mail retries. Botnet and most
spammers don't. It's easier for them to try to spam someone else than to
fight your filter. MX config is as follows:
dummy - 10
real - 20
real-backups - 30
dummy - 40
dummy - 50
dummy - 60
Currently I have mail.mydomain.com as 10.
Marc Perkel wrote:
I'm seeing a lot of people saying that bayes isn't working like it
used to, that load levels are high, and that they are getting a lot of
image and botnet spam. There are a few simple tricks you can do to get
rid of 90% of it.
ah nice
can you tell me how to implant th
Marc Perkel wrote:
I'm seeing a lot of people saying that bayes isn't working like it
used to, that load levels are high, and that they are getting a lot of
image and botnet spam. There are a few simple tricks you can do to get
rid of 90% of it.
56th reinvention of the square wheel
You mi
I'm seeing a lot of people saying that bayes isn't working like it used
to, that load levels are high, and that they are getting a lot of image
and botnet spam. There are a few simple tricks you can do to get rid of
90% of it.
First - use dummy MX records. Real mail retries. Botnet and most
s
maillist wrote:
I see a few emails every-now-and-then about "bayes poisoning", and am
wondering what it means. From what I understand, it is some message
that gets learned (only through autolearn?) that has certain
characteristics that throw the bayes system off.
From what I
I've been having problems with bayes as of late with it marking nonspam
as spam and spam as nonspam. I think it's the damn gif file spam causing
it. Anyone else having this problem? Any solutions?
Peter Smith wrote:
> > > The messages are simply a random stream of words, with punctuation
> > > scattered in them. No HTML, no URLs being advertised, no excessive
> > > capitalisation, just meaningless text.
>
> I'm cautious about feeding these messages to sa-learn as spam, in
> case it has a ne
> Are you running net tests? It sounds like someone has a broken zombie net
> that is supposed to be sending out gif spams, but they forgot the images.
> Net tests would probably catch these easily.
Well I'm using the following:
score DCC_CHECK 1.0
score PYZOR_CHECK 1.0
score RAZOR_CHECK 1.0
scor
>> The messages are simply a random stream of words, with punctuation
>> scattered in them. No HTML, no URLs being advertised, no excessive
>> capitalisation, just meaningless text.
>
> Technically, then, it's not spam. Spam requires a commercial message
> of some sort. :)
Yeah, I think I said 'j
The best thing to do is probably throw the current database away and start
over. As you seem to have several users, you should have bayes working
again within a very few hours, or less.
You should delete the current database, reset the scores to normal (and
increase the bayes_99 score to somethin
, and are there any ways to avoid
bayes poisoning ?
Thanks
Ram
--
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
--
31 matches