Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread René Berber
Jo Rhett wrote: René Berber wrote: Jo Rhett wrote: René Berber wrote: If I change Received.pm, line 414, like this: # Sendmail, MDaemon, some webmail servers, and others - elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) { + elsif (/^from .*?(.*?authenticated.*?\).*?
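Review bot: the replacement `elsif` pattern, in the part visible here, no longer has the `(?:\]\)|\)\])` anchor that the removed line required before the parenthesised `authenticated` comment, so the match is no longer tied to the position right after the bracketed client address, and any parenthesised text containing "authenticated" later in the `from` clause can satisfy it. Since this match decides whether a relay is treated as authenticated, consider keeping the anchor and allowing an optional `(may be forged)` comment between the address and the `(authenticated ...)` comment instead of dropping it, and add a regression test with a Sendmail header of that shape. The opening parenthesis before `.*?authenticated` also appears unescaped in the added line where the removed line had `\(`; please check that against the actual patch.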

first received header forged

2006-12-05 Thread Alex Handle
Hi, recently I saw a lot of spam that didn't get caught by spamassassin. All the messages have in common that the first received header is forged. Here an example: Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8

Re: 5 digit probe spam?

2006-12-05 Thread Yet Another Ninja
On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets

Re: Scan Messages according to arrival

2006-12-05 Thread Anthony Peacock
Hi, leemansvg wrote: Hello, I don't know if anyone has come across this, but my Mailscanner/spamassassin/sendmail bunch seems to scan messages randomly. I noticed this because it once got behind on scanning mail and it started to scan the ones that came in immediately first. Is there a

Re: spam

2006-12-05 Thread John Andersen
On Monday 04 December 2006 15:35, Evan Platt wrote: How in the hell does one write a rule for this sh*? Maybe a rule if the message body is less than X characters? I mean unless you expect lots of legitimate mail that says Hello. Oh crap, there go all my test mails --

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread René Berber
Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it would be a match

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Jo Rhett
René Berber wrote: Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread René Berber
Jo Rhett wrote: René Berber wrote: Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread David B Funk
On Tue, 5 Dec 2006, Jo Rhett wrote: René Berber wrote: It's the same one I posted before: Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id

Re: 5 digit probe spam?

2006-12-05 Thread Nigel Frankcom
On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected

Re: 5 digit probe spam?

2006-12-05 Thread Yet Another Ninja
On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those

Re: 5 digit probe spam?

2006-12-05 Thread Nigel Frankcom
On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a

Re: first received header forged

2006-12-05 Thread Matthias Leisi
Alex Handle wrote: Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180 [..] Is there a way to write a custom

antispam recipe

2006-12-05 Thread beast
I've been using SA and other software for few years for antispam gateway. During first few months, the results were very good, most spam was rejected and finally SA examine the rest. However, after almost 2 years now, the spam rate received by user are high, so I think that I have to change

Re: 5 digit probe spam?

2006-12-05 Thread Yet Another Ninja
On 12/5/2006 11:26 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is

Re: check_illegal_chars

2006-12-05 Thread Jeremy Fairbrass
Thanks - however I don't know anything about Perl scripts, so unfortunately it doesn't help me! :) For example, within EvalTests.pm I can see what appear to be four variables: ($self, $header, $ratio, $count) The $header variable is pretty straightforward, but what's with $self, $ratio and

RE: RE: How to extract the Reverse DNS hostname by script means?

2006-12-05 Thread Leon Kolchinsky
It’s been discussed on Amavisd-new list. Look here for more info: http://marc.theaimsgroup.com/?t=116483411500019r=1w=2 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, November 30, 2006 4:40 PM To: לאון קולצ'ינסקי;

Spam from local users.

2006-12-05 Thread Shahzad Abid
Dear All Some emails from local users are getting MARKED as (S.P.A.M.) as shown in following log. === Dec 5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for [EMAIL PROTECTED]:510 in 1.9 seconds, 2862 bytes. Dec 5

RE: New spam

2006-12-05 Thread Leon Kolchinsky
Yes, these kinds of e-mails get caught by my FuzzyOcr. It's all in the scansets configuration and words in the dictionary. Some other image spam couldn't be read by FuzzyOcr, but this is the best tool for now, that I'm aware of. -Original Message- From: Ray Anderson [mailto:[EMAIL

Re: Spam from local users.

2006-12-05 Thread Anders Norrbring
Shahzad Abid wrote: Dear All Some emails from local users are getting MARKED as (S.P.A.M.) as shown in following log. === Dec 5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for [EMAIL PROTECTED]:510 in 1.9 seconds,

Re: antispam recipe

2006-12-05 Thread Martin Hepworth
beast wrote: I've been using SA and other software for few years for antispam gateway. During first few months, the results were very good, most spam was rejected and finally SA examine the rest. However, after almost 2 years now, the spam rate received by user are high, so I think that I

Re: How to examine a system and determine the mail delivery agent.

2006-12-05 Thread Mike Jackson
How would, where would a mail transfer agent tell you the mail delivery agent for the system at hand?... Just connect to port 25 and observe the banner. Not 100% foolproof, but most of them either identify themselves (Sendmail) or have a recognizable banner (Postfix, Qmail, Exchange).

multiple whitelist_rcvd_from

2006-12-05 Thread vertito
my whitelist_rcvd_from works with a pair of arguments. i was trying to get it working with multiple arguments for multiple virtual domains. anyone can share examples of it with 3 or more pairs of arguments? tnx

RE: Spam from local users.

2006-12-05 Thread Leon Kolchinsky
I think you should read this http://www200.pair.com/mecham/spam/bypassing.html -Original Message- From: Anders Norrbring [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 05, 2006 2:19 PM To: users@spamassassin.apache.org Subject: Re: Spam from local users. Shahzad Abid wrote: Dear All

Re: multiple whitelist_rcvd_from

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 02:06:09PM +0100, vertito wrote: my whitelist_rcvd_from works with a pair of arguments. i was trying to get it working with multiple arguments for multiple virtual domains. anyone can share examples of it with 3 or more pairs of arguments? you can't have more than two

SA TIMED OUT

2006-12-05 Thread Stefan Jakobs
Hello list, I use a mailrelay with postfix, amavisd-new 2.3.3 and Spamassassin 3.1.7. I get the following failure ca. 25 times a day: Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval

RE: rules_du_jour not working confusion?

2006-12-05 Thread Bowie Bailey
Bazooka Joe wrote: rules_du_jour seems to fail on lint. I am trying to figure that out now but I have a different question. Has channels replaced rules_du_jour? Should I be using something else to update my sare rules? thx -bazooka ps I am using SpamAssassin 3.1.4 pps below are

Re: SA TIMED OUT

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 04:06:17PM +0100, Stefan Jakobs wrote: Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm

NMake error

2006-12-05 Thread sasa
Hi, I have a problem with SA installation on Windows 2000 Server SP4, in particular: C:\Perl\bin\perl.exe version.h.pl version.h.pl: creating version.h copy config.h.win config.h copy spamc.h.win spamc.h C:\Perl\bin\perl.exe ..\build\preprocessor -Mvars -iMakefile.win -oMakefile cd .. NMAKE -f

RE: multiple whitelist_rcvd_from

2006-12-05 Thread vertito
nice. thanks! -Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 05, 2006 3:44 PM To: users@spamassassin.apache.org Subject: Re: multiple whitelist_rcvd_from On Tue, Dec 05, 2006 at 02:06:09PM +0100, vertito wrote: my whitelist_rcvd_from works

Re: first received header forged

2006-12-05 Thread Loren Wilton
recently I saw a lot of spam that didn't get caught by spamassassin. All the messages have in common that the first received header is forged. Here an example: Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for

Why did I get an error while I were installing spamassassin

2006-12-05 Thread Halid Faith
I want to use spamassassin3.1.7 on freebsd6.1 I get an error as below, # cd /usr/ports/dns/p5-Net-DNS # make === Building for p5-Net-DNS-0.59 Makefile out-of-date with respect to /usr/local/lib/perl5/5.8.8/mach/Config.pm Cleaning current config before rebuilding Makefile... make -f Makefile.old

Re: Why did I get an error while I were installing spamassassin

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 06:43:26PM +0200, Halid Faith wrote: # cd /usr/ports/dns/p5-Net-DNS What Should I do ? Ask the Net::DNS or ports guys? This has nothing to do with SpamAssassin. -- Randomly Selected Tagline: Decapitation cures headaches!

E-mailed addressed to numbered username

2006-12-05 Thread Rob Myroon
Hi, I get a lot of e-mail where the username contains only numbers. ex. [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] These users don't exist so postfix simply throws the e-mail away but I am curious if anyone knows why spammers bother to send all these e-mails? Are they checking to

Re: SA TIMED OUT

2006-12-05 Thread Stefan Jakobs
On Tuesday, 5 December 2006 16:12, Theo Van Dinter wrote: On Tue, Dec 05, 2006 at 04:06:17PM +0100, Stefan Jakobs wrote: Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval {...} called

spamstats incomplete

2006-12-05 Thread Jean-Paul Natola
Hi everyone, First and foremost, excuse the cross post for those that are on both lists, but I'm not sure if this is an SA issue or a BSD issue. Due to disk space issues I recently created a symlink for /var/log/exim in /usr/var2. Could the creation of the symlink be related to what my

Re: SA TIMED OUT

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 06:11:56PM +0100, Stefan Jakobs wrote: 71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)') Are you using NFS? If not, switch to flock. No, I don't use NFS. What do you mean with switch to flock?

RE: E-mailed addressed to numbered username

2006-12-05 Thread Giampaolo Tomassoni
From: Rob Myroon [mailto:[EMAIL PROTECTED] Hi, I get a lot of e-mail where the username contains only numbers. ex. [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] These users don't exist so postfix simply throws the e-mail away but I am curious if anyone knows why spammers

spamassassin --lint soft errors on SARE rules

2006-12-05 Thread Ken A
'spamassassin --lint' gives me some soft errors on some SARE rules (see below) Are these known, 'ignore for now' sorts of things due to SA 2.x and SA 3.x installs, or should I be doing something about this? Is there any way to adjust --lint to not show these ? Thanks, Ken A Pacific.Net

SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread Pauk Sa
Hi, Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0 Running make test PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e

Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread C. Bensend
Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0 You didn't build your own perl or anything, did you? I have installed 3.1.7 on OpenBSD

Re: rules_du_jour not working confusion?

2006-12-05 Thread Bazooka Joe
Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? -bazooka On 12/5/06, Bowie Bailey [EMAIL PROTECTED] wrote: Bazooka Joe wrote: rules_du_jour seems to fail on lint. I am trying to figure that out now but I have a different question. Has channels replaced

Need regexp tip

2006-12-05 Thread NFN Smith
I'm working on a series of rules to find obfuscated words in subject lines that have been misspelled by adding an extra character (often a repeated letter) to a word. For certain words, it seems to be appropriate to assume that if they're misspelled in that way, it's deliberate. I've got

Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread Pauk Sa
It is on OpenBSD 4.0-STABLE. I did not build perl and install it from the package. On 12/5/06, C. Bensend [EMAIL PROTECTED] wrote: Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version

RE: rules_du_jour not working confusion?

2006-12-05 Thread Bowie Bailey
Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel configuration. -- Bowie

RE: spamstats incomplete

2006-12-05 Thread Jean-Paul Natola
As you can see it's still reading from /var/log/maillog but data is not complete. File /var/log/maillog : from Dec 5 00:00:00 to Dec 5 11:33:44 Total number of emails processed by the spam filter : 0 Number of spams : n/a Number of clean messages:

Re: SA TIMED OUT

2006-12-05 Thread Stefan Jakobs
On Tuesday, 5 December 2006 18:16, Theo Van Dinter wrote: On Tue, Dec 05, 2006 at 06:11:56PM +0100, Stefan Jakobs wrote: 71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)') Are you using NFS? If not, switch to

Re: Need regexp tip

2006-12-05 Thread John D. Hardin
On Tue, 5 Dec 2006, NFN Smith wrote: I'm working on a series of rules to find obfuscated words /\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i I have a tool that does this (for double letters as well as other obfuscations) automatically.

RE: Need regexp tip

2006-12-05 Thread Bowie Bailey
NFN Smith wrote: I'm working on a series of rules to find obfuscated words in subject lines that have been misspelled by adding an extra character (often a repeated letter) to a word. For certain words, it seems to be appropriate to assume that if they're misspelled in that way, it's

Re: 5 digit probe spam?

2006-12-05 Thread Marc Perkel
Yet Another Ninja wrote: Just found a few ... sent directly from DULs. (there went my theory...) :-( I have a theory that spammers are either doing some sort of probe or sending out nonspam so that their headers are learned by bayes as good. I think it's either probes or bayes poison.

Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a

2006-12-05 Thread Jonas Eckerman
Don Saklad wrote: So many end users looking over the SpamAssassin headers on email haven't climbed the too steep learning curve for making the best use of the headers. Most end users (at least in Sweden) haven't got access to the MDA configuration, so the procmail stuff is of no use to them.

Re: Need regexp tip

2006-12-05 Thread NFN Smith
Bowie Bailey wrote: NFN Smith wrote: /\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i I'm getting hits on things like 'baddword' and 'badwoord', and even 'badworrd!', but I'm not getting a hit on 'badwordd' I've tried a number of variants, but still am not quite getting

Re: rules_du_jour not working confusion?

2006-12-05 Thread René Berber
Bowie Bailey wrote: Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel configuration. Are you sure? I'm using

Re: SA TIMED OUT

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 06:42:01PM +0100, Stefan Jakobs wrote: Here is another hint: Every day I execute the following command and force an expire of the Bayes DB: /usr/bin/sa-learn --dbpath /var/amavis/.spamassassin -p /var/amavis/.spamassassin/user_prefs -u vscan --force-expire In

Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 12:20:39PM -0500, Pauk Sa wrote: Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0 fwiw, it doesn't appear to be a major

Re: 5 digit probe spam?

2006-12-05 Thread Nigel Frankcom
On Tue, 05 Dec 2006 09:51:06 -0800, Marc Perkel [EMAIL PROTECTED] wrote: Yet Another Ninja wrote: Just found a few ... sent directly from DULs. (there went my theory...) :-( I have a theory that spammers are either doing some sort of probe or sending out nonspam so that their headers

Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread Pauk Sa
Yes, it fails only in test phase. I can do force install but, I would like to know is there any effect on the functioning of spamassassin? Thanks Pauk On 12/5/06, Theo Van Dinter [EMAIL PROTECTED] wrote: On Tue, Dec 05, 2006 at 12:20:39PM -0500, Pauk Sa wrote: Anybody can guide me how to

Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-05 Thread Chris Purves
Rick Mallett wrote: What's the proper way to submit material for the ham corpus? I have never done it myself, but I found this in the wiki: http://wiki.apache.org/spamassassin/UploadedCorpora -- Chris

Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-05 Thread Justin Mason
Nigel Frankcom writes: On Mon, 04 Dec 2006 16:12:01 -0500 (EST), Rick Mallett [EMAIL PROTECTED] wrote: What's the proper way to submit material for the ham corpus? I've got the entire newsletter that resulted in the Nigerian Scam FP I reported but I wasn't sure if it was appropriate to

Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 01:36:36PM -0500, Pauk Sa wrote: Yes, it fails only in test phase. I can do force install but, I would like to know is there any effect on the functioning of spamassassin? As I said, the error looked like it was the test, and not SA, so I wouldn't worry about it. --

Re: Why did I get an error while I were installing spamassassin

2006-12-05 Thread Ron Freidel
Hello, What I usually do when a perl port does not build is first to try perl -MCPAN -eshell then when in the shell install Digest::HMAC_MD5 or install Net::DNS One may also go to http://search.cpan.org then download the source for the modules, untar it, then make make install. On Tue, 5

user_prefs

2006-12-05 Thread Andrea Bencini
I installed postfix-2.2.8 amavisd-new-2.4.1 clamav-0.88.6 and spamassassin-3.1.3 I would like to use local Bayesian database for each user. Example For andrea user I created the directory /home/andrea/.spamassassin and with sa-learn (ham/spam) I created in that directory bayes_* with user

Re: user_prefs

2006-12-05 Thread Theo Van Dinter
On Tue, Dec 05, 2006 at 07:51:32PM +0100, Andrea Bencini wrote: I would test what I did. How can I do? Spamassassin should use andrea bayesian database for andrea e-mail and not sharing bayesian database (these are in /var/amavis/.spamassassin) If running SA in site-wide mode (such as using

Re: How to examine a system and determine the mail delivery agent.

2006-12-05 Thread Jonas Eckerman
Mike Jackson wrote: mail delivery agent for the system at hand?... Just connect to port 25 and observe the banner. That normally won't work. The banner normally only includes the mail *transfer* agent and not the mail *delivery* agent. Even though many MTAs have a builtin or bundled MDA,

Filtering capabilities, filtering features of RMAIL in EMACS

2006-12-05 Thread Don Saklad
For novice end users, neophytes, emphasis on novice, what filtering capabilities, what features are there?... for RMAIL in EMACS when novice end users begin to take note of the spamassassin headers appearing on messages?...

Re: HTML Source Rule

2006-12-05 Thread Richard Frovarp
Kenneth Porter wrote: On Thursday, November 30, 2006 5:01 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote: Kenneth Porter wrote: --On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote: I have a few legit messages that are scoring over 5.0 due to

Re: How is LOCAL_AUTH_RCVD used?

2006-12-05 Thread Daryl C. W. O'Shea
René Berber wrote: Daryl C. W. O'Shea wrote: René Berber wrote: I read all the page before asking, and I understand that it follows the trust path page. The fact is SA is not detecting the authentication, and there is nothing in that page that gives a clue as to why, it just mentions that

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
René Berber wrote: Daryl C. W. O'Shea wrote: [snip] Sendmail should be putting a (authenticated bits=0) line in its Received header when the user authenticates. SA will automatically use this to extend the trust path if the header above it is trusted. Let's start by saying two things: 1)

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/ Cool, I don't

RE: rules_du_jour not working confusion?

2006-12-05 Thread Bowie Bailey
René Berber wrote: Bowie Bailey wrote: Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
David B Funk wrote: On Tue, 5 Dec 2006, Jo Rhett wrote: In short, this may have been a deliberate choice to prevent a match on hosts with forged helo names. It would make sense. Jo you are mistaken. Sendmail adds the (may be forged) comment when the client's IP rDNS and DNS don't match, it

Re: 5 digit probe spam?

2006-12-05 Thread Vivek Khera
On Dec 5, 2006, at 1:38 AM, Evan Platt wrote: At 10:27 PM 12/4/2006, you wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? See the thread earlier today spam But there is no conclusion or discussion on what the point of

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Kelson
Jo Rhett wrote: Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name.

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread John Rudd
Daryl C. W. O'Shea wrote: John Rudd wrote: Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\]

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
John Rudd wrote: Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED]

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
John Rudd wrote: Daryl C. W. O'Shea wrote: Could you provide me with some sample headers so that I can add these? I can't add them without regression tests. SMTP-AUTH: Received: from [128.114.2.223] (account [EMAIL PROTECTED] HELO [128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro

Re: rules_du_jour not working confusion?

2006-12-05 Thread René Berber
Bowie Bailey wrote: René Berber wrote: [snip] Are you sure? I'm using both and I don't see any duplication of score hits. For instance, what is the SA equivalent to 70_sare_stocks.cf? By default, there is no duplication. sa-update will update only the stock rules. However, there have

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread John Rudd
Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread René Berber
Daryl C. W. O'Shea wrote: René Berber wrote: [snip] 1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to the original subject. It's solely a workaround, suggested by Dana from UW's CIS dept before there was any support at all for detecting authenticated relays,

Old spamd, new SpamAssassin

2006-12-05 Thread Dan Barker
I'm back after a couple years break. SpamAssassin 3.0.1 has been doing heroic work for us, even though I'm stuck on the windoze platform. I recently upgraded the mailserver (unfortunately, still windoze) and thought I should put on SpamAssassin 3.1.7. The upgrade worked a charm, except the

Re: Old spamd, new SpamAssassin

2006-12-05 Thread René Berber
Dan Barker wrote: I'm back after a couple years break. SpamAssassin 3.0.1 has been doing heroic work for us, even though I'm stuck on the windoze platform. I recently upgraded the mailserver (unfortunately, still windoze) and thought I should put on SpamAssassin 3.1.7. The upgrade worked a

RE: spam

2006-12-05 Thread Rosenbaum, Larry M.
Has anybody come up with a rule for these yet? I tried the following: body ORNL_B0RKEN1 /^\d{3,5}\n{1,3}$/s describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number score ORNL_B0RKEN1 1 This matches the spam message, but it also matches messages where the number is

RE: spam

2006-12-05 Thread Coffey, Neal
Rosenbaum, Larry M. wrote: This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. In all cases I got the same results. What am I missing? Try a compound rule. Look for the number, and then anything

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Jo Rhett
On Dec 5, 2006, at 2:02 AM, David B Funk wrote: Jo you are mistaken. Sendmail adds the (may be forged) comment when the client's IP rDNS and DNS don't match, it has -nothing- to do with the HELO name. RTFC(...code) If the hello is numeric or not a domain name, the may be

Re: rules_du_jour not working confusion?

2006-12-05 Thread Alan Munday
By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. One advantage RDJ seems to have is

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Jo Rhett
Jo Rhett wrote: Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Jo Rhett
While you are fixing bugs related to authentication, any chance you'll fix the SPF plugin to skip checks on authenticated delivery? Or have an option to enable this behavior? Or do you want a patch from me? It'll take me a lot longer than you, since I'll spend hours just tracing down the

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Mark Martinec
SMTP-AUTH: Received: from [128.114.2.223] (account [EMAIL PROTECTED] HELO [128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro SMTP 4.3.7) with ESMTPSA id 88402416 for [EMAIL PROTECTED]; Mon, 04 Dec 2006 13:15:07 -0800 Webmail: Received: from [128.114.2.223] (account [EMAIL PROTECTED])

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
Mark Martinec wrote: Not sure if the following one is relevant, but it just fell into my hands: Received: from 10.235.209.117 (SquirrelMail authenticated user sername) by xxx.ijs.si with HTTP; Tue, 5 Dec 2006 15:31:13 +0100 (CET) Thanks Mark. Anything with a with

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
Jo Rhett wrote: While you are fixing bugs related to authentication, any chance you'll fix the SPF plugin to skip checks on authenticated delivery? Or have an option to enable this behavior? Or do you want a patch from me? It'll take me a lot longer than you, since I'll spend hours just

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-05 Thread Daryl C. W. O'Shea
Jo Rhett wrote: On Dec 5, 2006, at 2:02 AM, David B Funk wrote: It still should not matter. So long as the client can authenticate to the server's satisfaction, SA should honor its decision regardless of how bogus the HELO or client's DNS entries look. That's your argument. That may not

Re: rules_du_jour not working confusion?

2006-12-05 Thread Daryl C. W. O'Shea
Alan Munday wrote: By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. One

SA, DCC rules du jour

2006-12-05 Thread Vernon Webb
Not sure if I'm posting to the right list for this or not but since SA is the one not co-operating I figured I'd try here first. I have the latest versions SA and DCC both installed on a Fedora Core 4 system and am trying to install rules du jour but it won't let me get past the lint test.

Re: spam

2006-12-05 Thread Alan Premselaar
Coffey, Neal wrote: Rosenbaum, Larry M. wrote: This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. In all cases I got the same results. What am I

Re: SA, DCC rules du jour

2006-12-05 Thread René Berber
Vernon Webb wrote: Not sure if I'm posting to the right list for this or not but since SA is the one not co-operating I figured I'd try here first. I have the latest versions SA and DCC both installed on a Fedora Core 4 system and am trying to install rules du jour but it won't let

Re: SA, DCC rules du jour

2006-12-05 Thread Vernon Webb
I commented out the line to the dccproc, but does that now disable dcc from running? Should I re-enable after install? Vernon Webb (201) 703-1232 web designs web hosting by comp-wiz.com, inc. Information in this transmission is privileged confidential. It is intended for the use of the

Email scoring way too high... what's wrong?

2006-12-05 Thread John Tice
I have a new client whose mail is scoring way high... several others on the same server, different domains, score in negative numbers. Mail sent through a mail script on this domain scores -1.0. I believe they're using verizon dsl, windows xp w/ outlook or outlook express. This is just

Re: Confused about white/black lists.

2006-12-05 Thread Steven W. Orr
On Monday, Dec 4th 2006 at 23:34 -0500, quoth Theo Van Dinter: =On Mon, Dec 04, 2006 at 10:12:26PM -0500, Steven W. Orr wrote: = I have some spam getting through that has USER_IN_WHITELIST. I go and look = and sher nuff, the From address is there in the email column of the awl = table. I don't

Re: Email scoring way too high... what's wrong?

2006-12-05 Thread up
He's hitting on 2 different DUL rules, because he's sending directly from his DSL IP to your S/A server. You need to whitelist his IP address, or otherwise have it bypass S/A scanning. On Tue, 5 Dec 2006, John Tice wrote: I have a new client whose mail is scoring way high... several others

Re: SA, DCC rules du jour

2006-12-05 Thread René Berber
Vernon Webb wrote: I commented out the line to the dccproc, but does that now disable dcc from running? Should I re-enable after install? Yes on both accounts, also enable the relevant part in v310.pre . -- René Berber
