Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Anne P. Mitchell, Esq.
> > Maybe disable VALIDITY rule as well... They also have 10k limit in 30 days > window .. > > My understanding is that Validity returns a specific value (127.255.255.255) > for blocked queries. I kept going back and forth as to whether to jump in on this thread and point out that our own

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Bill Cole
On 2024-09-24 at 12:59:51 UTC-0400 (Tue, 24 Sep 2024 12:59:51 -0400) Jared Hall via users is rumored to have said: > On 9/24/2024 10:10 AM, Matus UHLAR - fantomas wrote: >> >> I understand this case as "abusers" instead of users. > One man's use is another man's abuse.  Limits are reached and Fal

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Jared Hall via users
On 9/24/2024 10:10 AM, Matus UHLAR - fantomas wrote: I understand this case as "abusers" instead of users. One man's use is another man's abuse.  Limits are reached and False Negatives are produced by DNSWL. Here's the actual use case: 1) Stefan's a web guy.  He hosts his stuff at ScalaHos

Apology (was Re: ATTENTION: DNSWL to be disabled by default.)

2024-09-24 Thread Bill Cole
On 2024-09-24 at 09:13:16 UTC-0400 (Tue, 24 Sep 2024 09:13:16 -0400) Bill Cole is rumored to have said: > On 2024-09-24 at 04:18:06 UTC-0400 (Tue, 24 Sep 2024 10:18:06 +0200) > Matthias Leisi > is rumored to have said: > (Quoting me) >>> >>> people who don't configure it correctly, in a way that

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Bill Cole
On 2024-09-24 at 05:09:50 UTC-0400 (Tue, 24 Sep 2024 11:09:50 +0200) Tom Bartel is rumored to have said: > I'm not sure if the 10,000 limit is possibly in reference to the Validity > allow list... > > https://knowledge.validity.com/s/articles/Accessing-Validity-reputation-data-through-DNS?languag

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Bill Cole
On 2024-09-24 at 10:10:24 UTC-0400 (Tue, 24 Sep 2024 16:10:24 +0200) Matus UHLAR - fantomas is rumored to have said: TL;DR: Rather than using an in-band signal of a special reply value to queries from blocked users, as do other DNS-Based List operators, DNSWL.org sends back a "li

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matus UHLAR - fantomas
TL;DR: Rather than using an in-band signal of a special reply value to queries from blocked users, as do other DNS-Based List operators, DNSWL.org sends back a "listed high" response to all queries. I was unaware On 2024-09-24 at 04:18:06 UTC-0400 (Tue, 24 Sep 2024 10:18:06 +0200) Matthias Le

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Bill Cole
On 2024-09-24 at 04:18:06 UTC-0400 (Tue, 24 Sep 2024 10:18:06 +0200) Matthias Leisi is rumored to have said: (Quoting me) people who don't configure it correctly, in a way that is *almost invisible.* The lower rate limit which they established in March of this year isn't inherently bad, it ju

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Tom Bartel
I'm not sure if the 10,000 limit is possibly in reference to the Validity allow list... https://knowledge.validity.com/s/articles/Accessing-Validity-reputation-data-through-DNS?language=en_US We recently added a registration gate - no fees for usage above 10,000 / 30 days, however registration of

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matthias Leisi
> > people who don't configure it correctly, in a way that is *almost invisible.* > The lower rate limit which they established in March of this year isn't > inherently bad, it just meant that enough people were hitting the limit that > someone bothered opened a bug about it. > There is none

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Peter Ajamian
On 24/09/24 05:02, Bill Cole wrote: Note that as of 2024-03-01 (as documented at the DNSWL link above) they have reduced the free limit to 10,000 queries per 30 days. A site feeding 350 messages/day to SpamAssassin will exceed that limit. That is small even for "personal" systems. I've hunted t

Re: Bayes in V4 compared to V3

2024-09-24 Thread Grega via users
probability is 60 to 80%1.50437127 29.131070.9 BAYES_80Bayes spam probability is 80 to 95%7.002661 0.426599.6 I only have BAYES_40 to BAYES_80 after clearing bayes DB and manually RE-learning on 2500 HAM and 2500 SPAM messages. So NO BAYES lower than

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-23 Thread Bill Cole
On 2024-09-23 at 13:08:17 UTC-0400 (Mon, 23 Sep 2024 17:08:17 +) Grega via users is rumored to have said: Maybe disable VALIDITY rule as well... They also have 10k limit in 30 days window .. My understanding is that Validity returns a specific value (127.255.255.255) for blocked queries

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-23 Thread Grega via users
Maybe disable VALIDITY rule as well... They also have 10k limit in 30 days window .. Regards,G From: Bill Cole Sent: Monday, September 23, 2024 19:03 To: SpamAssassin-Users Subject: ATTENTION: DNSWL to be disabled by default. Context: https://bz.apache.org/Sp

Re: mailspike dot net Minus 1?

2024-09-23 Thread joe a
On 9/21/2024 14:06:28, Reindl Harald (privat) wrote: Am 21.09.24 um 18:51 schrieb joe a: Noticed some obvious spam slipping in due in great part to this: * -1.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) *  [209.85.166.199 listed in wl.mailspike.net] Not a big deal for my low

Re: Disable validity rules

2024-09-23 Thread Bill Cole
On 2024-09-23 at 09:15:25 UTC-0400 (Mon, 23 Sep 2024 13:15:25 +) Grega via users is rumored to have said: Hi. Where can one disable this? One can disable any rule by adding a score line in local.cf for the rule with a score of 0, e.g.: score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED

Re: Disable validity rules

2024-09-23 Thread Grega via users
True. I have added it and will report back in few days... Regards,G From: Reindl Harald (privat) Sent: Monday, 23 September 2024 15:31 To: Grega; users@spamassassin.apache.org Subject: Re: Disable validity rules Am 23.09.24 um 15:23 schrieb Grega via

Re: Disable validity rules

2024-09-23 Thread Grega via users
: Re: Disable validity rules Am 23.09.24 um 15:15 schrieb Grega via users: > Where can one disable this? > > RCVD_IN_VALIDITY_CERTIFIED_BLOCKED ADMINISTRATOR NOTICE: The query to > Validity was blocked. See > https://knowledge.validity.com/hc/en-us/articles/20961730681243 for mor

Re: Bayes in V4 compared to V3

2024-09-23 Thread Grega via users
es to skip some? 4. Race condition (IDK I`m not coder) 5. Bayes behaves non consistent on BOTH installs I have it on From: John Hardin Sent: Friday, 13 September 2024 20:38 To: SpamAssassin-Users Subject: Re: Bayes in V4 compared to V3 On Fri, 13 Sep 2024,

Re: SPAM-DETECTOR Re: Tips on training bayes?

2024-09-19 Thread natan
W dniu 18.09.2024 o 16:29, Matus UHLAR - fantomas pisze: On 18.09.24 16:19, natan wrote: I was very disappointed with spamassassin 4.x because it started to grow /var/lib/amavis/tmp/ amavis should clean this itself. which amavis version do you have installed? did you tune it anyhow? amavisd-

Re: Use of uninitialized value $response[0]

2024-09-19 Thread Niamh Holding
Hello Bill, Tuesday, September 17, 2024, 7:15:49 PM, you wrote: BC> You should upgrade to 4.0.1. That error on that line indicates that you are running an obsolete 3.4.x version. As far as that goes I'm just waiting to hear what the host of our VM says about updating it, as CentOS7 went EOL

Re: Tips on training bayes?

2024-09-19 Thread Bill Cole
On 2024-09-17 at 16:29:52 UTC-0400 (Tue, 17 Sep 2024 16:29:52 -0400) Alex is rumored to have said: It is up to the user, ie you, what is and what is not spam. Well, yes, and no. Of course it's my own system and I can define these terms however I wish. I'm also familiar with the need to i

Re: Tips on training bayes?

2024-09-18 Thread Greg Troxel
Alex writes: > It's only these few types of messages that are very subjective and > experience from the broader open source community would be appreciated. > > If it has a legitimate unsubscribe link, does that make it ham? > > What criteria do you use to determine "spamminess/haminess of EVERY >

Re: Tips on training bayes?

2024-09-18 Thread Benny Pedersen
Jared Hall via users skrev den 2024-09-18 20:08: On Deb-based distros, you can add this in /etc/amavis/conf.d/50-user under the $max_servers parameter. also remember its safe to use tmpfs for tmp dir in amavisd no joke

Re: Tips on training bayes?

2024-09-18 Thread Jared Hall via users
On 9/18/2024 10:19 AM, natan wrote: Hi I was very disappointed with spamassassin 4.x because it started to grow /var/lib/amavis/tmp/ With SA 3.4.X - on average 100MB and it deletes on the fly With SA 4.X - on average 2-6GB and I had to do a quick fix: 59 23 * * * root find /var/lib/amavis/tmp/

Re: Tips on training bayes?

2024-09-18 Thread Benny Pedersen
natan wrote on 2024-09-18 16:36: On 18.09.2024 at 16:30, Reindl Harald (privat) wrote: who reply here ? :) don't blame SA when a blind man can see that your problem is on the Amavis side - why do one need Amavis to begin with when there is SA and spamass-milter yes yes everyone know

Re: Tips on training bayes?

2024-09-18 Thread natan
W dniu 18.09.2024 o 16:30, Reindl Harald (privat) pisze: Am 18.09.24 um 16:19 schrieb natan: Hi I was very disappointed with spamassassin 4.x because it started to grow /var/lib/amavis/tmp/ With SA 3.4.X - on average 100MB and it deletes on the fly With SA 4.X - on average 2-6GB and I had t

Re: Tips on training bayes?

2024-09-18 Thread Matus UHLAR - fantomas
On 18.09.24 16:19, natan wrote: I was very disappointed with spamassassin 4.x because it started to grow /var/lib/amavis/tmp/ amavis should clean this itself. which amavis version do you have installed? did you tune it anyhow? Did you enable and configure extracttext plugin? Because that one m

Re: Tips on training bayes?

2024-09-18 Thread natan
Hi I was very disappointed with spamassassin 4.x because it started to grow /var/lib/amavis/tmp/ With SA 3.4.X - on average 100MB and it deletes on the fly With SA 4.X - on average 2-6GB and I had to do a quick fix: 59 23 * * * root find /var/lib/amavis/tmp/ -mtime +0 -delete; W dniu 18.09.202

Re: Tips on training bayes?

2024-09-18 Thread Matus UHLAR - fantomas
On 18.09.24 13:42, Grega via users wrote: Right now in SA 4.0.1 bayes at least for me is really challenging to train and set up. I had good trained DB from past V3 install, and it behaved really odd. I trained it on new set of mails 3000 spam and 3000 ham (HAND PICKED mail it was PAIN) and I

Re: Tips on training bayes?

2024-09-18 Thread Grega via users
, that some mails aren`t even bayes scored at all. BAYES_XX is missing from headers entirely and I don`t know why... I`m kind of sorry that I upgraded to 4.0.1... Regards,G From: Alex Sent: Tuesday, 17 September 2024 22:29 To: SA Mailing list Subject: Re: Tips

RE: non-free Services

2024-09-18 Thread Simon Standley
We use invalument.com ... good for the stuff that often slips by. Your mileage may vary, etc. -Original Message- From: Philipp Ewald Sent: 18 September 2024 11:27 To: users@spamassassin.apache.org Subject: Re: non-free Services Hello, >The idea is that you can use those services

Good DNSBLs not in standard spamassassin (Was Re: non-free Services)

2024-09-18 Thread Andy Smith
Hi, On Wed, Sep 18, 2024 at 10:18:18AM +, Laurent S. wrote: > Some good RBL are not in standard spamassassin. Out of interest, which DNSBLs do you use/recommend that are not in standard spamassassin? Thanks, Andy

Re: non-free Services

2024-09-18 Thread Philipp Ewald
Hello, The idea is that you can use those services for free if you are a small user (spam filter for me and my dog) but if you start to look like a commercial service yourself, you need to pay your part. Yes we use commercial. We already paying SURBL because we got a information about limit

Re: non-free Services

2024-09-18 Thread Laurent S.
On 18.09.24 11:37, Philipp Ewald wrote: > Hello, > > I'm searching for all non-free commercial services in SpamAssassin. > > > ATM i found: > dns_query_restriction deny sorbs.net > dns_query_restriction deny bl.mailspike.net > dns_query_restriction deny wl.mailspike.net > Spamcop (ZEN) > > Does i

Re: non-free Services

2024-09-18 Thread Philipp Ewald
OK, thanks for that input. On 18.09.24 at 11:46, Marc wrote: I'm searching for all non-free commercial services in SpamAssassin. ATM i found: dns_query_restriction deny sorbs.net dns_query_restriction deny bl.mailspike.net dns_query_restriction deny wl.mailspike.net Spamcop (ZEN) Does i need to

RE: non-free Services

2024-09-18 Thread Marc
> > I'm searching for all non-free commercial services in SpamAssassin. > > > ATM i found: > dns_query_restriction deny sorbs.net > dns_query_restriction deny bl.mailspike.net > dns_query_restriction deny wl.mailspike.net > Spamcop (ZEN) > > Does i need to disable other services as well? > cant fi

Re: Use of uninitialized value $response[0]

2024-09-17 Thread Niamh Holding
Hello Bill, Tuesday, September 17, 2024, 7:15:49 PM, you wrote: BC> The likely root cause there is the lack of any reply from the Pyzor server, which is unlikely to be a per-user BC> condition. But another user logs this- procmail: Match on "< 512000" procmail: Locking "spamassassin.lock" pr

Re: Tips on training bayes?

2024-09-17 Thread Alex
> > > It is up to the user, ie you, what is and what is not spam. > Well, yes, and no. Of course it's my own system and I can define these terms however I wish. I'm also familiar with the need to investigate every message - perhaps I should have made that clear initially. It's only these few typ

Re: Use of uninitialized value $response[0]

2024-09-17 Thread Bill Cole
On 2024-09-17 at 13:10:13 UTC-0400 (Tue, 17 Sep 2024 18:10:13 +0100) Niamh Holding is rumored to have said: > Hello > > I'm seeing the following logged by Procmail in one and only one mailbox and > as far as I can see there is no difference in the Procmail recipe calling > Spamassassin in all t

Re: Tips on training bayes?

2024-09-17 Thread Benny Pedersen
Jared Hall via users skrev den 2024-09-17 08:15: On 9/16/2024 8:48 PM, Alex wrote: Hi, Now that I'm using SA4, and my bayes database is quite old, I'd like to retrain it with new ham and spam. I hoped someone had some pointers on some of the gray area and what you consider to be spam and ham.

Re: Tips on training bayes?

2024-09-16 Thread Jared Hall via users
On 9/16/2024 8:48 PM, Alex wrote: Hi, Now that I'm using SA4, and my bayes database is quite old, I'd like to retrain it with new ham and spam. I hoped someone had some pointers on some of the gray area and what you consider to be spam and ham. Are reliable newsletters, like those from, sa

Re: Bayes in V4 compared to V3

2024-09-13 Thread John Hardin
On Fri, 13 Sep 2024, Bill Cole wrote: Please send any replies to the list only. ...or to Harald only. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C

Re: Bayes in V4 compared to V3

2024-09-13 Thread Benny Pedersen
Grega via users skrev den 2024-09-13 16:16: Sorry guys if I replied to all, my intentions were not to spam :) top posters :) imho not impossible to request 3dr party list archives to make a password for users, never mind eggs came before chickens :=)

Re: Bayes in V4 compared to V3

2024-09-13 Thread Grega via users
Sorry guys if I replied to all, my intentions were not to spam :) From: Benny Pedersen Sent: Friday, 13 September 2024 15:13 To: users@spamassassin.apache.org Subject: Re: Bayes in V4 compared to V3 Bill Cole skrev den 2024-09-13 15:03: > Please send

Noise Around This List (was Re: Bayes in V4 compared to V3)

2024-09-13 Thread Bill Cole
On 2024-09-13 at 09:13:58 UTC-0400 (Fri, 13 Sep 2024 15:13:58 +0200) Benny Pedersen is rumored to have said: Bill Cole skrev den 2024-09-13 15:03: Please send any replies to the list only. unsubscribe listarchivers ? and make archived on apache.org with bugzilla login don't know if it wil

Re: Bayes in V4 compared to V3

2024-09-13 Thread Antony Stone
On Friday 13 September 2024 at 15:13:58, Benny Pedersen wrote: > Bill Cole skrev den 2024-09-13 15:03: > > Please send any replies to the list only. > > unsubscribe listarchivers ? > and make archived on apache.org with bugzilla login > don't know if it will help or not, but chicken and egg I do

Re: Bayes in V4 compared to V3

2024-09-13 Thread Benny Pedersen
Bill Cole skrev den 2024-09-13 15:03: Please send any replies to the list only. unsubscribe listarchivers ? and make archived on apache.org with bugzilla login don't know if it will help or not, but chicken and egg

Re: Bayes in V4 compared to V3

2024-09-13 Thread Bill Cole
9-13 at 05:00:17 UTC-0400 (Fri, 13 Sep 2024 09:00:17 +) Grega is rumored to have said: Do you have V3 or V4 SA? From: Reindl Harald (privat) Sent: Friday, 13 September 2024 10:57 To: Grega; Bill Cole; Grega via users Subject: Re: Bayes in V4 compared to V3

Re: Bayes in V4 compared to V3

2024-09-13 Thread Grega via users
Do you have V3 or V4 SA? From: Reindl Harald (privat) Sent: Friday, 13 September 2024 10:57 To: Grega; Bill Cole; Grega via users Subject: Re: Bayes in V4 compared to V3 autolearn was always a blackbox that below are the stats for the current month and that

Re: Bayes in V4 compared to V3

2024-09-13 Thread Grega via users
September 2024 10:22 To: Grega; Bill Cole; Grega via users Subject: Re: Bayes in V4 compared to V3 Am 13.09.24 um 06:53 schrieb Grega via users: > And I`m reconfiguring autolearn to -4 for HAM and 12 for SPAM to really > auto-train on correct mails... this is even more nonsense than autolearn

Re: Bayes in V4 compared to V3

2024-09-12 Thread Grega via users
September 2024 21:38 To: Grega via users Subject: Re: Bayes in V4 compared to V3 On 2024-09-12 at 14:05:11 UTC-0400 (Thu, 12 Sep 2024 18:05:11 +) Grega via users is rumored to have said: Hi. I have SA 4.0.1 configured it, all is good, except for bayes. It IS working, it IS learning b

Re: Bayes in V4 compared to V3

2024-09-12 Thread Bill Cole
their metrics. We also updated 'stopword' lists for various languages, removing tokens that are so common that they cannot help scoring in principle. So, no, you are not doing anything wrong. We may need to re-examine the default scores for the BAYES_* rules to adapt but that has no

Re: M365 phish with USER_IN_DKIM_WHITELIST

2024-08-30 Thread Alex
> > > I'm hoping someone can help me understand how what appears to be an > invoice > scam was passed through legitimate MS servers and > even USER_IN_DKIM_WHITELIST. > > USER_IN_DKIM_WHITELIST refers to an explicit (i.e site or user-specific) > welcomelist, so this you did to yourself... > Thanks

Re: M365 phish with USER_IN_DKIM_WHITELIST

2024-08-30 Thread Bill Cole
On 2024-08-30 at 13:35:02 UTC-0400 (Fri, 30 Aug 2024 13:35:02 -0400) Alex is rumored to have said: Hi, I'm hoping someone can help me understand how what appears to be an invoice scam was passed through legitimate MS servers and even USER_IN_DKIM_WHITELIST. USER_IN_DKIM_WHITELIST refers to

Re: QR phish missed

2024-08-19 Thread Alex
> > > dbg: extracttext: [3209409] (/usr/bin/zbarimg) finished: exit 1 > dbg: extracttext: [3209409] (/usr/bin/zbarimg) stderr output: execvp > failed, errno = 2 (No such file or directory) > warn: extracttext: error from /usr/bin/zbarimg, please verify > configuration: execvp failed, errno = 2 (No

Re: QR phish missed

2024-08-19 Thread Alex
Hi, > On Sat, Aug 17, 2024 at 12:14 PM wrote: > >> On 8/16/24 2:03 PM, Alex wrote: >> > The body was empty with a PDF attachment. It's too big for pastebin. >> > >> https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing >> < >> https://drive.google.com/file/d/1FzBgTKoB

Re: QR phish missed

2024-08-19 Thread Alex
Hi, On Sat, Aug 17, 2024 at 12:14 PM wrote: > On 8/16/24 2:03 PM, Alex wrote: > > The body was empty with a PDF attachment. It's too big for pastebin. > > > https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing > < > https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqj

Re: QR phish missed

2024-08-17 Thread giovanni
On 8/16/24 2:03 PM, Alex wrote: The body was empty with a PDF attachment. It's too big for pastebin. https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing Any success stories with s

Re: QR phish missed

2024-08-16 Thread Bill Cole
On 2024-08-16 at 08:03:05 UTC-0400 (Fri, 16 Aug 2024 08:03:05 -0400) Alex is rumored to have said: It says that SPF failed, but SPF_PASS was hit, presumably from our connection to Microsoft, not their connection to the spammer client: Correct. You can only check SPF on the first SMTP transact

Re: What is RP? many false negatives and dont respond to emails

2024-08-13 Thread Matus UHLAR - fantomas
On 13.08.24 15:18, Philipp Ewald wrote: Thanks, it was on hold. I will upgrade it. configuring (daily) rule updates could be enough. Of course, upgrading SpamAssassin is better than not upgrading it. On 13.08.24 13:17, Axb wrote: On 8/13/24 11:37, Philipp Ewald wrote: User getting Spams wit

Re: What is RP? many false negatives and dont respond to emails

2024-08-13 Thread Philipp Ewald
Thanks, it was on hold. I will upgrade it. On 13.08.24 13:17, Axb wrote: On 8/13/24 11:37, Philipp Ewald wrote: User getting Spams with Score -5 because of this... other experiences? does they answer e-mails? mine got not in weeks RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_RNBL=1.31, RCVD_I

Re: What is RP? many false negatives and dont respond to emails

2024-08-13 Thread Axb
On 8/13/24 11:37, Philipp Ewald wrote: User getting Spams with Score -5 because of this... other experiences? does they answer e-mails? mine got not in weeks     RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_RNBL=1.31, RCVD_IN_RP_SAFE=-2] many thanks Are you using an ancient SA version? Those ru

Re: Warning: Your Pyzor may be broken.

2024-08-07 Thread Sidney Markowitz
I've been in touch with a former developer of pyzor. Bottom line is that the company that had it was acquired, and pyzor is not being maintained by the new owners. I'm still trying to get a contact who might be able to pass on the maintenance ownership of the GitHub repository, but have yet to

Re: Questions about the operating platform

2024-08-07 Thread Benny Pedersen
tomoe skrev den 2024-08-07 10:17: I would like to install SpamAssassin on a newly built mail server. Does SpamAssassin work on Ubuntu 24.04LTS ? how do you install postfix ? :) spamassassin can be installed same way I look forward to Answer from you. sorry i just use gentoo, and freebsd,

Re: Questions about the operating platform

2024-08-07 Thread Sidney Markowitz
tomoe wrote on 7/08/24 8:17 pm: Dear Developers and members of the PMC My name is Tomoe. I would like to install SpamAssassin on a newly built mail server. Does SpamAssassin work on Ubuntu 24.04LTS ? I look forward to Answer from you. https://ubuntu.pkgs.org/24.04/ubuntu-main-amd64/spamassas

Re: DATE_IN_FUTURE_24_48 more often?

2024-07-26 Thread Matus UHLAR - fantomas
>> > > I think I am starting to see this more often. Today I was >> > > checking again every server to see if the ntp time is syncing >> > > properly. But don't notice anything weird, can't really believe >> > > this sending had a bad clock. Can anyone suggest what/where to >> > > look for?

RE: DATE_IN_FUTURE_24_48 more often?

2024-07-25 Thread Marc
> > >> > > I think I am starting to see this more often. Today I was checking > >> > > again every server to see if the ntp time is syncing properly. But > >> > > don't notice anything weird, can't really believe this sending had > a > >> > > bad clock. Can anyone suggest what/where to look for? >

Re: DATE_IN_FUTURE_24_48 more often?

2024-07-25 Thread Matus UHLAR - fantomas
> > I think I am starting to see this more often. Today I was checking > > again every server to see if the ntp time is syncing properly. But > > don't notice anything weird, can't really believe this sending had a > > bad clock. Can anyone suggest what/where to look for? > > > > > > DATE_IN_FUTUR

Re: uridnsbl_skip_domain question

2024-07-24 Thread Matus UHLAR - fantomas
Hello, I was hoping to fix this finally... On 5/17/24 3:17 PM, Matus UHLAR - fantomas wrote: I have configured exclusion for some common domains e.g. gov.sk in SA: uridnsbl_skip_domain [...] gov.sk slovensko.sk However it seems that that domain is still queried:  9826  68.951573    127.0.0.

RE: DATE_IN_FUTURE_24_48 more often?

2024-07-22 Thread Marc
> > > > > > I think I am starting to see this more often. Today I was checking > > > again every server to see if the ntp time is syncing properly. But > > > don't notice anything weird, can't really believe this sending had a > > > bad clock. Can anyone suggest what/where to look for? > > > > > >

Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-19 Thread Grant Taylor via users
On 7/19/24 5:34 AM, giova...@paclan.it wrote: do you intend to have a rule like this one ? header __TO_NAME To:name =~ /(?.*)/ body   DEAR_NAME /Dear %{TO_NAME}/ Once I'm dealing with versions of SpamAssassin that support such, yes. I'm currently caring for and feeding a small group o

Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-19 Thread giovanni
On 7/18/24 5:10 AM, Grant Taylor via users wrote: On 7/17/24 18:04, Matija Nalis wrote: I.e. would you consider it to be significantly less likely to be spam if it contained "Dear Elizabeth," while being addressed to "mark@domain" instead of to "elizabeth@domain" ? I've seen quite a bit of sp

RE: DATE_IN_FUTURE_24_48 more often?

2024-07-19 Thread Marc
> > > I think I am starting to see this more often. Today I was checking > > again every server to see if the ntp time is syncing properly. But > > don't notice anything weird, can't really believe this sending had a > > bad clock. Can anyone suggest what/where to look for? > > > > > > DATE_IN_FUT

Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Grant Taylor via users
On 7/18/24 15:58, Mark London wrote: I asked ChatGPT how to test for a "Dear 'username'".  After a bit of work, I got working code. Okay. ChatGPT knows perl. I question the value of "knows" as in knowledge of Perl. I already had a Perl file EvalTests.pm file with customized Perl eval func

Re: DATE_IN_FUTURE_24_48 more often?

2024-07-18 Thread Greg Troxel
Marc writes: > I think I am starting to see this more often. Today I was checking > again every server to see if the ntp time is syncing properly. But > don't notice anything weird, can't really believe this sending had a > bad clock. Can anyone suggest what/where to look for? > > > DATE_IN_FUTUR

Re: Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Mark London
I asked ChatGPT how to test for a "Dear 'username'". After a bit of work, I got working code. ChatGPT knows perl. I already had a Perl file EvalTests.pm file with customized Perl eval functions, so I threw it in there. Otherwise, you'll need to create your own file with the proper headers.

Re: Blocking Malformed "From" Headers

2024-07-18 Thread Bill Cole
On 2024-07-17 at 13:17:16 UTC-0400 (Wed, 17 Jul 2024 10:17:16 -0700) Kirk Ismay is rumored to have said: I have a spammer using a malformed From header, as follows: From: sha...@marketcrank.com The envelope from is: direcc...@delher.com.mx, and I've set up blocks for that address. Sendmail

Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Grant Taylor via users
On 7/17/24 18:04, Matija Nalis wrote: I.e. would you consider it to be significantly less likely to be spam if it contained "Dear Elizabeth," while being addressed to "mark@domain" instead of to "elizabeth@domain" ? I've seen quite a bit of spam that opens message bodies with: Where is

Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Matija Nalis
On Wed, Jul 17, 2024 at 04:45:16PM -0400, Mark London wrote: > Does anyone have a rule to detect "Dear xxx," in the body of the message, > where the "To:" address is xxx@domain? > > We've been getting phishing email sent to us with variations of that. Hi, > Dear, etc, followed by the username of t

Re: Blocking Malformed "From" Headers

2024-07-17 Thread Kirk Ismay
I am already using the no_default_msa, but the system does accept mail both as an MTA and MSA.  I am using DAEMON_OPTIONS to listen on port 465 etc, but even adding the M=C (no canonify) switch, the From: header rewriting still occurs. I've tested with another system using Postfix, and it does

Re: Blocking Malformed "From" Headers

2024-07-17 Thread Dave Funk
The SMTP protocol RFCs are pretty clear, anything in angle-brackets '<' & '>' take priority in defining an address field. So technically that's a legit local address and sendmail is doing default MSA processing on it (IE treating it as a bare username that needs the local hostname added). Is

Re: Finance spam

2024-07-16 Thread Alex
> this whole range of 185.3.229.x is on my dns blacklist and everything on > that is either rejected or marked. I can only suggest doing something > similar ;) > Very helpful. Thanks for sharing. > RCVD_IN_HOSTKARMA_W=-2.5 > change to -0.1 That does seem to be a bit heavy-handed. > and lastly i

Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Gerald Vogt
Hi, On 16.07.24 17:28, Thomas Barth via users wrote: today a mail has been banned (false positive). It says message contains x.com X-Quarantine-ID: X-Amavis-Alert: BANNED, message contains x.com I couldnt find x.com in the mail body itself, but the mail had a zipfile as an attachment. The

Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Benny Pedersen
Bill Cole skrev den 2024-07-16 19:00: asking to be sure That is NOT a SpamAssassin message, as SA does nothing so silly. It is clearly and strictly an Amavis issue. i know :)

Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Bill Cole
On 2024-07-16 at 11:55:50 UTC-0400 (Tue, 16 Jul 2024 17:55:50 +0200) Benny Pedersen is rumored to have said: Thomas Barth via users skrev den 2024-07-16 17:28: X-Quarantine-ID: X-Amavis-Alert: BANNED, message contains x.com Are there any further explanations for the banning of x.com? as

Re: Finance spam

2024-07-16 Thread Benny Pedersen
Alex skrev den 2024-07-16 15:00: Hi all, Does anyone have any further ideas on how to block "approved for funding" spam? https://pastebin.com/2rKiAEpt This one is another namecheap domain registered from Reykjavik. I can create body rules, but the language is very much in line with legitimate l

Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Benny Pedersen
Thomas Barth via users skrev den 2024-07-16 17:28: X-Quarantine-ID: X-Amavis-Alert: BANNED, message contains x.com Are there any further explanations for the banning of x.com? ask on amavis maillist are spamassassin using extractext ? asking to be sure

RE: Finance spam

2024-07-16 Thread Marc
this whole range of 185.3.229.x is on my dns blacklist and everything on that is either rejected or marked. I can only suggest doing something similar ;) 185.3.229.4 perfstat.hostex.lt. 185.3.229.5 post.alfa.lt. 185.3.229.6 185.3.229.7 185.3.229.8 185.3.229.9 185.3.22

Re: CC: address matches To: address

2024-07-14 Thread Benny Pedersen
Peter wrote on 2024-07-12 05:25: I have been getting spam from outlook.com (surprise) and a defining feature is that the same email address is used as the To: and CC: address. Is there a way for Spamassassin to detect that? i have a plugin, but not one i need anymore :) lets see if thay d

Re: CC: address matches To: address

2024-07-13 Thread John Hardin
On Fri, 12 Jul 2024, Peter wrote: Hi, I have been getting spam from outlook.com (surprise) and a defining feature is that the same email address is used as the To: and CC: address. Is there a way for Spamassassin to detect that? Thanks. There are rules for To equals From, they can be fairl

Re: Requesting help, sa-update, cron, gpg, unsafe ownership on homedir

2024-07-12 Thread Bill Cole
On 2024-07-12 at 10:51:08 UTC-0400 (Fri, 12 Jul 2024 10:51:08 -0400) Steve Charmer is rumored to have said: I have a cron job running as root, which calls sa-update it warns about unsafe ownership gpg: WARNING: unsafe ownership on homedir `

Re: namechep and DOB

2024-07-08 Thread Alex
On Mon, Jul 8, 2024 at 7:33 PM Matija Nalis wrote: > On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote: > > Are there RBLs available that can be used to determine registrar or date > of > > registration? I understand the limits of querying a registrar but thought > > there might be an RBL out

Re: namechep and DOB

2024-07-08 Thread Matija Nalis
On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote: > Are there RBLs available that can be used to determine registrar or date of > registration? I understand the limits of querying a registrar but thought > there might be an RBL out there with this info? https://spameatingmonkey.com/services l

Re: namechep and DOB

2024-07-08 Thread Alex
Hi, Alex - Check out the FROM_FMBLA_NEWDOM rules. Are you seeing any emails > hitting them? > Yes, got them, from here: https://github.com/fmbla/spamassassin/blob/master/FMBLA.cf Didn't hit. Jul 8 18:02:53.537 [4189153] dbg: dnseval: checking [sendersrv.com] / FROM_NEWDOMAIN_FMBLA / blfmbla /

Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails hitting them? In my case, URIBL_RHS_DOB is no longer working at all.   Is this still working? - Mark On 7/8/2024 5:13 PM, Alex wrote: Hi, I'm seeing emails from smartlendingclub dot com getting through that are clearl

Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 02:01 AEST, Benny Pedersen wrote: > Simon Wilson via users skrev den 2024-07-03 15:54: > > > header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass') > > header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from() > > keep scores of them neutral >

Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 01:11 AEST, Bill Cole wrote: > On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000) > Simon Wilson via users > is rumored to have said: > > > On 03.07.24 23:54, Simon Wilson via users wrote: > >> Simon Wilson via users skrev den 2024-07-03 14:56: > >>

Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas
On 03.07.24 23:54, Simon Wilson via users wrote: Simon Wilson via users skrev den 2024-07-03 14:56: Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting my upstream authres_trusted_authserv only? both works in paralel, so no need to disable, best results came from  bot

Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen
Simon Wilson via users skrev den 2024-07-03 07:48: whitelist_auth supp...@wasabi.com whitelist_auth *@mmemail.wasabi.com its more simple to set From: "Simon" in mua then both spf and dkim gives pass on same domain, note -d in dkim is not same domain, so you need a new dkim sign key for subd
