Hi,
I am trying to get ifspamh working within my .qmail-user file but there is
obviously an error either with the vars set up within the ifspamh file or
somewhere else as the emails are just looping until I change the
.qmail-user file back.
I want to maybe try and run the ifspamh command from
Hi!
mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
Looks like they've changed from DSL to DSC! I have a few with DSC in today's
quarantine, but they were caught by BOTNET rules. Methinks it's time to update
the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even
Hello,
How to use spamassassin block *.png so that going to the quarantine?
100% of spam that gets to me a plain e-mail with attachment *.png
--
View this message in context:
http://www.nabble.com/spamassassin-block-*.png-tp23330686p23330686.html
Sent from the SpamAssassin - Users mailing list
On Fri, 1 May 2009, vibi wrote:
From: vibi ml...@go2.pl
To: users@spamassassin.apache.org
Date: Fri, 1 May 2009 02:56:34 -0700 (PDT)
Subject: spamassassin block *.png
How to use spamassassin block *.png so that going to the quarantine?
100% of spam that gets to me a plain e-mail with
The chance of a collision really is much smaller than I thought, even
including the birthday paradox. But rather than just say it's small and
ask you to take my word for it I'm providing a link. The Wikipedia page
for Birthday Attack has a chart that shows the probability of collision
for
I use FuzzyOCR and a large portion of spam is cleared to image.
But the news from *.png does not want to cut out :(
I made a record:
mimeheader GIF_ATTACHMENT Content-Type =~ /image\/gif;\s*(\n\s+)?name=/
mimeheader PNG_ATTACHMENT Content-Type =~ /image\/png;\s*(\n\s+)?name=/
How do I
Jeff Moss wrote:
This is not to suggest that I ever understood the part about using
half-length MD5.
No need. I'm using full-length hashes now, plus the SURBL/chmod style
IP addresses. I must have lost the email I was composing on the topic,
but it's fully propagated by now. I've attached my
On 5/1/2009 3:56 PM, Adam Katz wrote:
Jeff Moss wrote:
This is not to suggest that I ever understood the part about using
half-length MD5.
No need. I'm using full-length hashes now, plus the SURBL/chmod style
IP addresses. I must have lost the email I was composing on the topic,
but it's
Yet Another Ninja wrote:
This is not to suggest that I ever understood the part about using
half-length MD5.
No need. I'm using full-length hashes now, plus the SURBL/chmod style
IP addresses. I must have lost the email I was composing on the topic,
but it's fully propagated by now. I've
Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.
the whole
http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
file has 4518 entries, including vintage 2008
compared to the big_boyz my trap feed is quite small and I
On Thu, 30 Apr 2009, LuKreme wrote:
No, the sender's AWL HURTS new spam. If the score is -2 from the AWL
then -2 * -0.2 = 0.4
Ah. Missed the negative. Then this particular piece of the logic is good.
The odds of any AWL(perIP) other than the legit sender having a negative
average are
Uh, what do these 'ratware' rules trigger on?
How effective are they, and what are the chances of false positives?
- Charles
On Thu, 30 Apr 2009, LuKreme wrote:
(single lines)
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id:
Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.
the whole
http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
file has 4518 entries, including vintage 2008
compared to the big_boyz my trap feed is quite small and I
On Thu, 30 Apr 2009, LuKreme wrote:
A tip: the PNG takes up considerably more disk space (and thus
loading time) and you're not increasing any quality (since it was
originally lossy).
Actually, the PNGs load considerably faster for me as desktop images,
which is why I convert them.
I agree
On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
Hi all,
I just upgraded to 3.2.5 ran sa-update and I got this message with only
one
rule tripped
I'm putting a link to the message as well as the headers
If anyone can shed some light here, I would appreciate it.
I could be asking the same thing as Charles, if I am I apologize.
I installed the rules below, ran the headers.txt file through SA and the rules
did not trigger. Do I need to configure something else?
Thanks
Craig
Charles Gregory cgreg...@hwcn.org 5/1/2009 9:48 AM
Uh, what do these
Greetings all;
I have a script that runs daily against whatever I put in the spam folder, and
it is suddenly having a hard time.
The error:
bayes: unknown packing format for bayes db, please re-learn: 73 at
/usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
1883.
This
On 5/1/2009 4:52 PM, Jesse Thompson wrote:
Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.
the whole
http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
file has 4518 entries, including vintage 2008
compared to the
From: Charles Gregory cgreg...@hwcn.org
Date: Fri, 1 May 2009 10:48:00 -0400 (EDT)
Uh, what do these 'ratware' rules trigger on?
The rules trigger on spam with a particular Message-Id and boundary pattern.
How effective are they, and what are the chances of false positives?
For
I would say it's less someone poisoning your DB and more your DB
becoming corrupt. As it says, a pack format of dec(73) is not a valid
value. It's set by the BayesStore module itself, not influenced by
the token in question.
You can try to do a dump/verify/restore ... ala:
sa-learn --sync
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
bayes: unknown packing format for bayes db, please re-learn: 73 at
/usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
1883.
This seems to be repeated at about 3x for every spam I put in the spam folder.
Dave Funk wrote:
Bob Proulx wrote:
I was about to write the list and ask if there is a rule that could be
triggered when a message [contains] only an image part but no text parts.
There should already be rules for that exact format.
Which rules? I see no rule hits here.
I see that I can
On Fri, 2009-05-01 at 01:38 -0700, an anonymous Nabble wrote:
I am trying to get ifspamh working within my .qmail-user file but there is
obviously an error either with the vars set up within the ifspamh file or
somewhere else as the emails are just looping until I change the
.qmail-user file
On Fri, 1 May 2009, Raymond Dijkxhoorn wrote:
mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
Make that 4,5 since they also vary the size of the filenames...
You might also want to use \d instead of [0-9]. Bytes don't grow on
trees, y'know.
:)
--
John Hardin KA7OHZ
On Fri, 1 May 2009, Adam Katz wrote:
The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.
How would the phisher collect the password info from their target using a
forged sender address?
mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
It seems a wave of image spam is going out. Would it be reasonable to push
this rule (with suitable modifications for length, etc.) and/or the
ImageInfo version out as a base SA update so that the most people can
benefit?
On Fri, 1 May 2009, Yet Another Ninja wrote:
Only little drawback is how to centralize (or not) all this gold to make
it useful to more than me and my dog.
I (and I'm sure others) would be willing to feed phishing corpora from our
quarantines, so long as it's easy to do.
--
John Hardin
John Hardin wrote:
How would the phisher collect the password info from their target using
a forged sender address?
A web form.
Hello,
I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail into an IMAP folder. My
Hi Bob,
Am 2009-04-30 21:41:30, schrieb Bob Proulx:
I was about to write the list and ask if there is a rule that could be
triggered when a message no only an image part but no text parts. I
have no idea how to create it but that would be very useful for me and
this type of spam. As far as
On Fri, 1 May 2009, Adam Katz wrote:
John Hardin wrote:
How would the phisher collect the password info from their target using
a forged sender address?
A web form.
Hrm. Okay, I'll buy that. If you're going to spearfish a specific
organization then it would be reasonable to put the effort
At 10:23 AM 5/1/2009, you wrote:
I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail
On Fri, 1 May 2009, jason_quick wrote:
I have been trying to find a way to automatically move messages that
have been tagged as spam by SA to my virtual users' .Junk folder.
Strictly speaking that isn't the province of SA. SA is only a scoring
tool.
procmail-3.22-17.1
If procmail is
jason_quick wrote:
Hello,
I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail
On Fri, 1 May 2009, John Hardin wrote:
On Fri, 1 May 2009, jason_quick wrote:
I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder.
Strictly speaking that isn't the province of SA. SA is only a scoring tool.
John Hardin wrote:
mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
It seems a wave of image spam is going out. Would it be reasonable to
push this rule (with suitable modifications for length, etc.) and/or the
ImageInfo version out as a base SA update so that the most
On Fri, 2009-05-01 at 14:04 -0400, Adam Katz wrote:
mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body __PNG_240_400 eval:image_size_exact('png',240,400)
meta DSCL4DIG_PNG __DSCL4_PNG __PNG_240_400
describe DSCL4DIG_PNG Supposed digital camera photo is a PNG
John Hardin wrote:
On Fri, 1 May 2009, Adam Katz wrote:
The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.
On a related note: you also need to worry about the phishers
intentionally forging the
On 1-May-2009, at 08:48, Charles Gregory wrote:
Uh, what do these 'ratware' rules trigger on?
Spammish message IDs with spammish MIME boundary tags.
Message-ID: 000d01c9c74c$bc2f05d0$6400a...@venomousf
From: Shannon England venomo...@blackmanlawoffice.com
Subject: We hae the best alarm-clocks
On 1-May-2009, at 12:04, Adam Katz wrote:
mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body __PNG_240_400 eval:image_size_exact('png',240,400)
meta DSCL4DIG_PNG __DSCL4_PNG __PNG_240_400
describe DSCL4DIG_PNG Supposed digital camera photo is a PNG
Probably the
On 1-May-2009, at 11:23, jason_quick wrote:
I have been trying to find a way to automatically move messages that
have
been tagged as spam by SA to my virtual users' .Junk folder.
I use procmail to do this on the server.
I need this to
happen server-side because my users use IMAP, and most
jason_quick a écrit :
Hello,
I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail
On Friday 01 May 2009, Theo Van Dinter wrote:
I would say it's less someone poisoning your DB and more your DB
becoming corrupt. As it says, a pack format of dec(73) is not a valid
value. It's set by the BayesStore module itself, not influenced by
the token in question.
You can try to do a
On Fri, May 1, 2009 at 7:52 AM, Jesse Thompson
jesse.thomp...@doit.wisc.edu wrote:
Yet Another Ninja wrote:
I'm trying hard to convince myself this data is really useful.
I work for a Canadian provincial government, on a system with about
50,000 mailboxes. I scanned our outbound mail logs
On Friday 01 May 2009, Karsten Bräckelmann wrote:
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
bayes: unknown packing format for bayes db, please re-learn: 73 at
/usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
1883.
This seems to be repeated at about 3x
On Friday 01 May 2009, Theo Van Dinter wrote:
I would say it's less someone poisoning your DB and more your DB
becoming corrupt. As it says, a pack format of dec(73) is not a valid
value. It's set by the BayesStore module itself, not influenced by
the token in question.
You can try to do a
Mandy wrote:
I work for a Canadian provincial government, on a system with about
50,000 mailboxes. I scanned our outbound mail logs over the past 6
months with this data. There were 31 replies to Your webmail is
expired!! ! type messages in that period.
If we had been blocking
LuKreme wrote:
This is what I have in local.cf
(single lines)
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id:
([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
#
header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id:
On Fri, 1 May 2009, Ned Slider wrote:
Can you please explain the rationale behind your scoring. I've just
installed these 3 rules to test and so far either all 3 are being
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer
(less FP potential) than OUTLOOK_12 or OUTLOOK_16.
John Hardin wrote:
On Fri, 1 May 2009, Ned Slider wrote:
Can you please explain the rationale behind your scoring. I've just
installed these 3 rules to test and so far either all 3 are being
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer
(less FP potential) than