Hi all,
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
thx
The only rule it's triggering is the
RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
Can you post a sample somewhere for us?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk
On Tue, 2009-06-02 at 09:10 -0400, Jean-Paul Natola wrote:
Hi all,
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
Yes, add the SaneSecurity clamav signatures.
codling.rtf: Sanesecurity.Spam.10307.UNOFFICIAL FOUND
Integration with spamassassin left as
Correction they are rtf not doc
ftp://ftp.fcimail.org/IT/SA_Sample/shambling.rtf
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, June 02, 2009 9:47 AM
To: Jean-Paul Natola
Cc: users@spamassassin.apache.org
Subject: Re: word doc spam
On Tue, 2 Jun
April 29?
You started your narrative on 5/28 with an explicitly specified three week time
frame. On the 29th, I looked at four weeks of history, and the factual numbers
were lower. If that's where the discrepancy arose, then we may not really
disagree about anything of consequence.
No, I
On Tue, 2 Jun 2009, Dave Walker wrote:
John Hardin wrote:
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550 byte
word attachment?
Can you post a sample somewhere for us?
Hi,
I assume he means the recent surge in rtf attachment
On Mon, 1 Jun 2009, Bowie Bailey wrote:
Your biggest problems here are BAYES_99 and EMPTY_BODY. To fix the Bayes
problem, sa-learn some of these messages as ham. Make sure you are
learning as the right user...
Bowie,
I started doing this today. Each of the false positive messages was
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
ftp://ftp.fcimail.org/IT/SA_Sample/message.txt
Yep, the rules below will hit on that message.
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, June 02, 2009 11:18 AM
To: SpamAssassin Users List
Subject: Re:
How difficult would it be to let spamc control spamd's logging output on
a per-message basis?
My reason for asking is this: I maintain a body of spam that I use to
develop and regression test local rules and, during rule development,
use spamc to pass the test messages through my only copy of
I've been playing with FuzzyOcr and FacileOCR in spamassassin (current
trunk). Both plugins are built and installed, and test properly;
however, I'm not sure spamassassin is actually using them in routine
mail scanning. Basically, after 2-3 days running (ca 1000 spams) I've
yet to see a spamd
Just to be sure that I'm thinking the right way about the 'no text body
part' rule: If someone sends a 'normal' message, but elects to not type
any text into the body, there *will* still be a mime 'text' section, and
it will just be empty, right? So the 'no text body' would mean that the
decoder wrote:
after quite some time, I've decided to release another version of
FuzzyOcr...
snip
Where's the best place to provide feedback/bug reports for FuzzyOCR? Is
this list okay, or would you prefer folks open tickets on the website,
or something else?
Nels Lindquist
On Tue, 2 Jun 2009, Charles Gregory wrote:
Just to be sure that I'm thinking the right way about the 'no text body
part' rule: If someone sends a 'normal' message, but elects to not type
any text into the body, there *will* still be a mime 'text' section, and
it will just be empty, right?
I
On Tue, 2 Jun 2009, Rich Shepard wrote:
This morning not only was the mail log report and logwatch report falsely
flagged as spam, but so were several messages posted to the google group
mail list for an application I use. What is interesting to me is that every
one had a +2.5 score for
On Tue, 2 Jun 2009, John Hardin wrote:
Well, any tool that's composing MIME messages can choose to omit a text
body part if no text is available... (snip)
In practice, we're only seeing it in spams. There may be false positives in
some unusual situations, but it's not likely with legitimate
On 2-Jun-2009, at 07:10, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550
byte word
attachment?
I reject .doc attachments since they can carry macro virus payloads.
--
We will fight for Bovine Freedom and hold our large heads high
We will run free
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]: connect to spamd on 172.16.0.14
failed,
On Tue, 02 Jun 2009 12:19:50 -0400
David Ronis ro...@ronispc.chem.mcgill.ca wrote:
I've been playing with FuzzyOcr and FacileOCR in spamassassin (current
trunk). Both plugins are built and installed, and test properly;
however,
...
Doesn't look like the tests are being triggered. Anybody
Matus UHLAR - fantomas wrote:
http://puffin.net\software\spam\samples\0005_body.txt
Address Not Found
puffin.net\software\spam\samples\0005_body.txt could not be found.
Please check the name and try again.
Did nobody ever tell you that URL directories are separated by
slashes, not
I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
new spam senders above the Bayes-99 score.
My problem is that this feature seems extremely slow.
I'm now trying to use the ( --add-to-blacklist ) option and am finding that
this is, equally, slow.
I'm running it as:
I have two spamd hosts, and spamc calls them seemingly random or doing some
kind of load balance. -H option if I remember right.
Sometimes one of those is down when doing maintenance or something.
When spamc encounters connection refused it keeps retrying as told with
--connect-retries
But if
The various eval:check_rbl() selectors are:
-notfirsthop -firsttrusted -untrusted -untrusted
My understanding from the docs:
-notfirsthop examines all IPs except the originating one, useful for
ignoring the user's direct IP, which could be a hotel or dialup IP.
-firsttrusted examines the
If you were nearby, I'd give you a gig stick of RAM to solve your
problem. It's cheap these days.
On Tue, Jun 02, 2009 at 11:06:05PM +0300, Jari Fredriksson wrote:
I have two spamd hosts, and spamc calls them seemingly random or doing some
kind of load balance. -H option if I remember right.
If you were nearby, I'd give you a gig stick of RAM to
solve your problem. It's cheap these days.
I grabbed this 15 years old Pentium PRO machine from my cellar just for this
extra SpamAssassin process. I think EDO DRAM is not cheap, if at all available
these days. Old rig, but
ANTICOM-STINGER wrote:
On Fri, 2009-05-29 at 12:16 -0600, J.D. Falk wrote:
Rob McEwen wrote:
Additionally, I'd like to ask, other than being a superb cash-generating
machine, what good is a whitelist built upon pay-to-enter and NOT based
on editorial decisions made by non-biased e-mail
Actually, Richard, yes - I have management approval for what details I choose
to share with any given online community. I am also learning to count Jann
among my friends, and I'm sure he would *appropriately* acknowledge your
greeting.
If your participation is at all typical of this
On Tue, 2009-06-02 at 13:40 -0700, Bob O'Brien wrote:
Actually, Richard, yes - I have management approval for what details I
choose to share with any given online community. I am also learning
to count Jann among my friends, and I'm sure he would *appropriately*
acknowledge your greeting.
Bob O'Brien wrote:
Actually, Richard, yes - I have management approval for what details I choose
to share with any given online community. I am also learning to count Jann
among my friends, and I'm sure he would *appropriately* acknowledge your
greeting.
If your participation is at all
I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
new spam senders above the Bayes-99 score.
My problem is that this feature seems extremely slow.
I'm now trying to use the ( --add-to-blacklist ) option and am finding that
this is, equally, slow.
I'm running
Well, the first problem is that the AWL has no impact on Bayes.
They're totally independent.
Perhaps you want sa-learn ?
On Tue, Jun 2, 2009 at 2:32 PM, Larry Starr lar...@fullcompass.com wrote:
I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
new spam senders above
Larry Starr lar...@fullcompass.com wrote:
I have been using the AWL ( --add-addr-to-blacklist ) for some
time, to bump new spam senders above the Bayes-99 score.
Theo Van Dinter responded:
Well, the first problem is that the AWL has no impact on Bayes.
They're totally independent.
Perhaps
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]: connect to spamd on 172.16.0.14
On Tue, 2 Jun 2009, Luis campo wrote:
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]:
On Tue, 02 Jun 2009 16:26:08 -0400
Adam Katz antis...@khopis.com wrote:
-notfirsthop examines all IPs except the originating one, useful for
ignoring the user's direct IP, which could be a hotel or dialup IP.
You'd think, but in practice -lastexternal gets used. I'm not sure why.
My
I recently was checking on servers that were sending out spam and
found one of them had the hostname called localhost which I think
is an attempt to bypass SA. The IP address is 222.252.188.181 which
maps back to Vietnam.
Also I found that a large percentage of my spam comes from Brazil and
I
On Tue, 2009-06-02 at 17:01 -0700, fchan wrote:
I recently was checking on servers that were sending out spam and
found one of them had the hostname called localhost which I think
is an attempt to bypass SA. The IP address is 222.252.188.181 which
maps back to Vietnam.
Why would that be?
On Thu, 2009-05-28 at 20:14 +0200, Karsten Bräckelmann wrote:
On Thu, 2009-05-28 at 09:43 -0700, Marc Perkel wrote:
I'm looking for domains to whitelist that meet this criteria:
Speaking of which, how would you like me to report bad listings in the
Hostkarma whitelist?
I was kind of
Hi all,
System:
MailScanner 4.76.24
spamassassin 3.2.5
MTA - postfix
ClamAV 0.95.1
I am trying to troubleshoot why a particular server cannot send into
our email system.
There is no reference in the logs to this server ever trying to connect.
I have discovered they are on
On Tue, 2009-06-02 at 13:40 -0700, Bob O'Brien wrote:
Actually, Richard, yes - I have management approval for what details I choose
to share with any given online community.
Share? Oh Sorry Bob. I only had Barracuda down as digital thieves. Let
me see;
SPAM and 'VIRUS' (lol) 'FIREWALL'
BSMTPD
Jari Fredriksson wrote:
I have two spamd hosts, and spamc calls them seemingly random or
doing some kind of load balance. -H option if I remember right.
The documentation says that it just randomizes the ordering of the
addresses. So if luck is with you then you will split the load among
all of