Re: Disabling spamcop plugin

2016-04-06 Thread Jari Fredriksson
Ian Zimmerman wrote on 7.4.2016 5:38: Is there any way to disable the spamcop plugin for an individual user (i.e. from ~/.spamassassin/user_prefs) if the plugin is loaded by /etc/spamassassin/*.pre ? By comparison, I seem to be able to disable pyzor even if it is loaded, by writing

Disabling spamcop plugin

2016-04-06 Thread Ian Zimmerman
Is there any way to disable the spamcop plugin for an individual user (i.e. from ~/.spamassassin/user_prefs) if the plugin is loaded by /etc/spamassassin/*.pre ? By comparison, I seem to be able to disable pyzor even if it is loaded, by writing use_pyzor 0 in my user_prefs. -- Please *no*

MIME header false positives (was Rule to score word documents)

2016-04-06 Thread Cedric Knight
On 30/03/16 21:11, @lbutlr wrote: > On Wed Mar 30 2016 13:34:23 Alex said: >> >> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/ >> REJECT > >

Re: Macro virus fun

2016-04-06 Thread Alex
Hi, On Wed, Apr 6, 2016 at 12:14 PM, Matt Garretson wrote: > On 4/5/2016 8:40 PM, Alex wrote: >> These targeted macro viruses are killing us. I hoped someone would >> [...] >> What strategy are other people using to block zero-day macro viruses? > > I quarantine these

Re: Macro virus fun

2016-04-06 Thread Alex
Hi, On Wed, Apr 6, 2016 at 11:39 AM, John Hardin wrote: > On Wed, 6 Apr 2016, Alex wrote: > >> Yes, blocking all .doc files would be tough for us. However, maybe a >> rule that weights their existence them more heavily combined with >> something involving

Re: Macro virus fun

2016-04-06 Thread Matt Garretson
On 4/5/2016 8:40 PM, Alex wrote: > These targeted macro viruses are killing us. I hoped someone would > [...] > What strategy are other people using to block zero-day macro viruses? I quarantine these before they get to SA with some logic in mimedefang that combines the OLE2 result from clamav

Re: Macro virus fun

2016-04-06 Thread John Hardin
On Wed, 6 Apr 2016, Alex wrote: Yes, blocking all .doc files would be tough for us. However, maybe a rule that weights their existence them more heavily combined with something involving finance+money+invoices would be helpful. Would blocking with whitelist exceptions for expected sources

Re: Macro virus fun

2016-04-06 Thread Alex
Hi, On Wed, Apr 6, 2016 at 9:56 AM, Reindl Harald wrote: > On 06.04.2016 at 15:53, RW wrote: >> >> On Tue, 5 Apr 2016 20:40:20 -0400 >> Alex wrote: >> >>> These targeted macro viruses are killing us. I hoped someone would >>> like to take a shot at suggestions on how to

Re: DNS to mirror failed when running sa-update

2016-04-06 Thread RW
On Wed, 6 Apr 2016 15:48:03 +0200 Reindl Harald wrote: > On 06.04.2016 at 15:35, Yu Qian wrote: > > I tried to run sa-update to refresh rules, but the update > > channel(mirrors.updates.spamassassin.org > > ) is not found. > > > >Is there anyone

Re: Macro virus fun

2016-04-06 Thread Reindl Harald
On 06.04.2016 at 15:53, RW wrote: On Tue, 5 Apr 2016 20:40:20 -0400 Alex wrote: These targeted macro viruses are killing us. I hoped someone would like to take a shot at suggestions on how to stop these. http://pastebin.com/FTzbQcHb The Heuristics.OLE2.ContainsMacros rule is added by

Re: Macro virus fun

2016-04-06 Thread RW
On Tue, 5 Apr 2016 20:40:20 -0400 Alex wrote: > Hi all, > > These targeted macro viruses are killing us. I hoped someone would > like to take a shot at suggestions on how to stop these. > > http://pastebin.com/FTzbQcHb > > The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav, >

Re: DNS to mirror failed when running sa-update

2016-04-06 Thread Reindl Harald
On 06.04.2016 at 15:35, Yu Qian wrote: I tried to run sa-update to refresh rules, but the update channel(mirrors.updates.spamassassin.org ) is not found. Is there anyone can help me with this problem A screenshot for the error is

Re: Macro virus fun

2016-04-06 Thread Alex
Hi, On Wed, Apr 6, 2016 at 3:12 AM, wrote: > Alex wrote on 2016-04-06 02:40: > >> http://pastebin.com/FTzbQcHb >> >> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav, >> but it's apparently not something that spamassassin can manipulate > > change clamd to block

Re: DMARC auto-away rejects (updated)

2016-04-06 Thread A. Schulze
Alan Hodgson: I really believe that's incorrect. Relaxed alignment specifically means you can sign with a subdomain's key or use a subdomain for SPF. Read sections 3.1.2 and 10.4 of that same document, for instance. Alan, you're right! DMARC folks told me so, too. DMARC Relax alignment

Re: Macro virus fun

2016-04-06 Thread me
Alex wrote on 2016-04-06 02:40: http://pastebin.com/FTzbQcHb The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav, but it's apparently not something that spamassassin can manipulate change clamd to block this mail, or score this with higher score in amavisd, but blocking