Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
Thanks John...
this is the list:
Oct 19 06:58:33.422 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/50_scores.cf" for included file
Oct 19 06:58:33.437 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_adsp_override_dkim.cf" for included file
Oct 19 06:58:33.439 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_awl.cf" for included file
Oct 19 06:58:33.440 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_shortcircuit.cf" for included file
Oct 19 06:58:33.440 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_txrep.cf" for included file
Oct 19 06:58:33.441 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_whitelist.cf" for included file
Oct 19 06:58:33.442 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_whitelist_dkim.cf" for included file
Oct 19 06:58:33.445 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_whitelist_spf.cf" for included file
Oct 19 06:58:33.446 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/60_whitelist_subject.cf" for included file
Oct 19 06:58:33.447 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf" for included file
Oct 19 06:58:33.573 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf" for included file
Oct 19 06:58:33.577 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/73_sandbox_manual_scores.cf" for included file
Oct 19 06:58:33.577 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/local.cf" for included file
Oct 19 06:58:33.578 [28083] dbg: config: using "/var/lib/spamassassin/3.004001/updates_spamassassin_org/regression_tests.cf" for included file
only 50_scores.cf contains string PYZOR_CHECK
--Pedro


  From: John Hardin 
 To: SA Mailing List  
 Sent: Wednesday, October 19, 2016 6:41 AM
 Subject: Re: PYZOR_CHECK always have zero score, why?
   
On Wed, 19 Oct 2016, Pedro David Marco wrote:

> Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:

Run debug mode and look for the list of config files it's actually 
reading. What comes after the default 50_scores.cf?

> i have even looked for the string PYZOR_CHECK throughout the full 
> system... and no more files contain that string.

Bizarre.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
---
  301 days since the first successful real return to launch site (SpaceX)


   

Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread John Hardin

On Wed, 19 Oct 2016, Pedro David Marco wrote:


Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:


Run debug mode and look for the list of config files it's actually 
reading. What comes after the default 50_scores.cf?


i have even looked for the string PYZOR_CHECK throughout the full 
system... and no more files contain that string.


Bizarre.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
---
 301 days since the first successful real return to launch site (SpaceX)


Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
Thanks Bill..
i already did but still no clues...
Files in my Debian SA package (3.4.1) containing the string PYZOR_CHECK:
# for i in `dpkg -L spamassassin`; do grep -l PYZOR_CHECK $i 2>/dev/null ; done
/usr/share/spamassassin/30_text_fr.cf
/usr/share/spamassassin/30_text_pl.cf
/usr/share/spamassassin/25_pyzor.cf
/usr/share/spamassassin/50_scores.cf
/usr/share/spamassassin/30_text_pt_br.cf
/usr/share/spamassassin/20_net_tests.cf
/usr/share/spamassassin/30_text_nl.cf
/usr/share/spamassassin/30_text_de.cf
25_pyzor.cf contains:

 ifplugin Mail::SpamAssassin::Plugin::Pyzor
 full PYZOR_CHECK        eval:check_pyzor()
 describe PYZOR_CHECK    Listed in Pyzor (http://pyzor.sf.net/)
 tflags PYZOR_CHECK      net
 reuse  PYZOR_CHECK
 endif

and 50_scores.cf contains:
 ifplugin Mail::SpamAssassin::Plugin::Pyzor
 score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2
 endif # Mail::SpamAssassin::Plugin::Pyzor

i have even looked for the string PYZOR_CHECK throughout the full system... and 
no more files contain that string.
i have tried sa-compile of course but... is there maybe any cache i can delete 
manually? not to my knowledge but...
---Pedro.

  From: Bill Cole 
 To: SA Mailing List  
 Sent: Wednesday, October 19, 2016 6:04 AM
 Subject: Re: PYZOR_CHECK always have zero score, why?
   
On 18 Oct 2016, at 23:22, Pedro David Marco wrote:

> So Pyzor seems to be OK!... the problem is somehow related to 
> PYZOR_CHECK rule but why??? 

Some config file is being loaded that sets the score of PYZOR_CHECK to 
0. It is NOT 0 in the current default ruleset:

50_scores.cf:score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2

Examine the unfiltered debug output for what config files are actually 
being loaded. My suspicion is that this is some Debian modification.


   

Re: PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Bill Cole

On 18 Oct 2016, at 23:22, Pedro David Marco wrote:

So Pyzor seems to be OK!... the problem is somehow related to 
PYZOR_CHECK rule but why??? 


Some config file is being loaded that sets the score of PYZOR_CHECK to 
0. It is NOT 0 in the current default ruleset:


50_scores.cf:score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2

Examine the unfiltered debug output for what config files are actually 
being loaded. My suspicion is that this is some Debian modification.
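
The check suggested above (read the config load order from the debug output, then see which file last sets the score) can be scripted. This is an added example, not part of the thread or of SpamAssassin; the function names, the second file path and the override line are constructed, and `ifplugin` conditionals and relative `(n.nn)` scores are not evaluated.

```python
import re

# Debug line format as quoted in the thread's `spamassassin -D` output.
USING_RE = re.compile(r'dbg: config: using "([^"]+)" for included file')
# `score RULE v` or `score RULE v0 v1 v2 v3`, with an optional trailing comment.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+([^#]+)")
# Meaning of the four positions in a `score` line (score sets 0..3).
SCORE_SETS = ("no Bayes, no net", "no Bayes, net", "Bayes, no net", "Bayes, net")


def loaded_files(debug_output):
    """Config file paths in the order the debug output reports loading them."""
    return USING_RE.findall(debug_output)


def score_lines(text, rule):
    """Return [(line_no, [s0, s1, s2, s3])] for absolute score lines of `rule`."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SCORE_RE.match(line)
        if not m or m.group(1) != rule:
            continue
        try:
            values = [float(v) for v in m.group(2).split()]
        except ValueError:
            continue  # relative "(n.nn)" adjustments are out of scope here
        if len(values) == 1:
            values = values * 4  # a single value applies to all four score sets
        if len(values) == 4:
            found.append((line_no, values))
    return found


def trace_score(debug_output, rule, read_file):
    """Every definition of `rule`'s score, in load order: (path, line_no, values)."""
    history = []
    for path in loaded_files(debug_output):
        try:
            text = read_file(path)
        except (OSError, KeyError):
            continue  # unreadable or missing file: nothing to report
        history.extend((path, n, v) for n, v in score_lines(text, rule))
    return history


def effective(history):
    """The last definition wins; None when no loaded file scores the rule."""
    return history[-1][2] if history else None


def zero_sets(values):
    """Names of the score sets in which the rule is worth nothing."""
    return [name for name, v in zip(SCORE_SETS, values) if v == 0]


# --- constructed sample input ------------------------------------------------
STOCK = "/var/lib/spamassassin/3.004001/updates_spamassassin_org/50_scores.cf"
OVERRIDE = "/etc/spamassassin/99_example_override.cf"  # constructed path
SAMPLE_FILES = {
    STOCK: "ifplugin Mail::SpamAssassin::Plugin::Pyzor\n"
           "score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2\n"
           "endif\n",
    OVERRIDE: "# constructed override\nscore PYZOR_CHECK 0\n",
}
SAMPLE_DEBUG = (
    'Oct 19 06:58:33.422 [28083] dbg: config: using "%s" for included file\n'
    'Oct 19 06:58:33.600 [28083] dbg: config: using "%s" for included file\n'
    % (STOCK, OVERRIDE)
)


def read_sample(path):
    """Stand-in for reading from disk; use open(path).read() on a real system."""
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    for path, line_no, values in trace_score(SAMPLE_DEBUG, "PYZOR_CHECK", read_sample):
        print(f"{path}:{line_no} -> {values} (zero in: {zero_sets(values)})")
```

The stock line quoted in the thread is already zero in the two score sets without network tests, which `zero_sets` makes visible.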


PYZOR_CHECK always have zero score, why?

2016-10-18 Thread Pedro David Marco
Hi!

It seems PYZOR_CHECK rule is not being used in my SA. Just installed SA and 
Pyzor in a Debian and executed "pyzor discover". In Debian pyzor is enabled by 
default so nothing to add in local.cf. Command "pyzor check < emailfile.eml" 
works ok.
.. now i try to test SA in debug mode like this:
# spamassassin  -D  2>&1 http://pyzor.sf.net/) score         PYZOR_CHECK_2    2
Then it works perfectly and debug mode shows:
 Oct 19 05:09:03.691 [32318] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
 Oct 19 05:09:03.693 [32318] dbg: pyzor: network tests on, attempting Pyzor.
 Oct 19 05:09:04.830 [32318] dbg: util: executable for pyzor was found at /usr/bin/pyzor
 Oct 19 05:09:04.830 [32318] dbg: pyzor: pyzor is available: /usr/bin/pyzor
 Oct 19 05:09:04.831 [32318] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin32318YfxiqRtmp
 Oct 19 05:09:05.032 [32318] dbg: pyzor: [32321] finished successfully
 Oct 19 05:09:05.032 [32318] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 125 0
 Oct 19 05:09:05.032 [32318] dbg: check: tagrun - tag PYZOR is now ready, value: Reported 125 times.
 Oct 19 05:09:05.032 [32318] dbg: pyzor: listed: COUNT=125/5 WHITELIST=0
 Oct 19 05:09:05.033 [32318] dbg: rules: ran eval rule PYZOR_CHECK2 ==> got hit (1)
 Oct 19 05:09:06.184 [32318] info: rules: meta test DIGEST_MULTIPLE has dependency 'PYZOR_CHECK' with a zero score
So Pyzor seems to be OK!... the problem is somehow related to PYZOR_CHECK rule 
but why??? 
Any idea, please??
Thanks in Advance.
Pedro.



Re: How to create a URIBL

2016-10-18 Thread Alex
Hi,

> (2) the fact that the IP is in reverse order.

How do you then enter ranges? For example, one of the rbldnsd zone
examples I've seen have entries such as:

1.168.160.0-255

That does not look to be in reverse order, as the host octet is still last.

> foo.example.com:127.0.0.2:Blocked System
>
> in my experience, I haven't been able to get this to work unless I put a
> space just before the first colon, as follows
>
> foo.example.com :127.0.0.2:Blocked System

That was my exact problem that caused me to write this post. It was
frustrating that ip4set worked fine, but dnset always failed because
of that.

> But sometimes you don't need that and can simply use just the domain or IP
> on each line, since much of that can be accomplished with a single line
> at/near the top of the file, such as this one that I use for the invaluement
> URI list:
>
> :127.0.0.2:Blocked by ivmURI - see http://www.invaluement.com/lookup/?item=$

Yes, this is what I've settled on for now.

> of course, the most difficult part is not collecting spammy IPs and
> domains... that part is easy. The most difficult part is knowing when NOT to
> blacklist a domain--which would be a decoy domain found in a spam, that
> wasn't the actual "payload" for the spam and is instead an innocent
> bystander's domain -- and/or generally keeping FPs super low. THAT is the
> hard part.

Yeah, absolutely. That's a large part of what's been delaying my
progress with my honeypots. It's still in progress, but one thing I've
been doing is checking my entries against existing whitelists, and
other ways such as seeing how long they've been around, etc.

> But try this and blacklist:
>
> .blogspot.com
>
> ...and trigger massive FPs... when you should have listed:
>
> .somehorrificspammerfromhell.blogspot.com

Yes, exactly. I've just been doing specific hostnames.

I appreciate that this is slightly off-topic, but it's an extension of
SA. Thanks so much for your help. Your service is great, btw.


Re: How to create a URIBL

2016-10-18 Thread Rob McEwen

Alex,

here are some suggestions:

In your rbldnsd-formatted file, put a dot at the beginning, which serves 
as a wildcard.


So your three examples:

109 .73 .134 .241
51steel1 .org
amessofblues1 .com

(I added spaces here to evade spam filtering, but those spaces shouldn't 
actually be there)


would look like this:

.241 .134 .73 .109
.51steel1 .org
.amessofblues1 .com

(again, the extra spaces shouldn't be there)

NOTICE 2 things:

(1) The extra dot at the beginning
-and-
(2) the fact that the IP is in reverse order. The great part about 
rbldnsd is that a lookup on either


example.com
OR
www.example.com
OR
foo.bar.foo.example.com

ALL of those will get a "hit" when the rbldnsd file has

.example.com



When it comes to formatting the rbldnsd-formatted file, in addition to 
my suggestions above, it comes down to a choice... make it a simple list 
of the domains and (reverse-ordered) IPs? Or provide more information 
for each individual IP, such as a custom text response, as you did here:


foo.example.com:127.0.0.2:Blocked System

in my experience, I haven't been able to get this to work unless I put a 
space just before the first colon, as follows


foo.example.com :127.0.0.2:Blocked System

But sometimes you don't need that and can simply use just the domain or 
IP on each line, since much of that can be accomplished with a single 
line at/near the top of the file, such as this one that I use for the 
invaluement URI list:


:127.0.0.2:Blocked by ivmURI - see http://www.invaluement.com/lookup/?item=$

...which then causes all following lines of just domains and IPs... to 
use this line above as if it were on every single line. - and the "$" 
causes the actual listed item to show up in the SMTP text message. That 
"$" feature can be very informative and helpful!


of course, the most difficult part is not collecting spammy IPs and 
domains... that part is easy. The most difficult part is knowing when 
NOT to blacklist a domain--which would be a decoy domain found in a 
spam, that wasn't the actual "payload" for the spam and is instead an 
innocent bystander's domain -- and/or generally keeping FPs super low. 
THAT is the hard part.


There are other issues as to WHERE to divide the domain.

For example, if you listed

.foo.bar.foo.bar.foo.bar.foo.bar.example.com

... but foo.bar.foo.bar.foo.bar.foo.bar. was just decoy material added 
by the spammer... then...


foo.bar.example.com comes in and guess what? your lookup fails to find 
it. Yet all such variations would be listed if you had simply blacklisted:


.example.com
(again, with the dot in front)

But try this and blacklist:

.blogspot.com

...and trigger massive FPs... when you should have listed:

.somehorrificspammerfromhell.blogspot.com

so that either

www.somehorrificspammerfromhell.blogspot.com
OR
somehorrificspammerfromhell.blogspot.com
foo.bar.foo.bar.somehorrificspammerfromhell.blogspot.com

would ALL return listing, but

blogspot.com

...wouldn't.

So it also takes some work determining those boundaries. Some of those 
are simple domains... while others like blogspot.com or wordpress.com, 
are more "artificial" (but still critically important).



--
Rob McEwen
invaluement.com
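
The conversion described above (URI list to wildcard dnset entries, with IPs reversed and shared-hosting parents never listed bare) can be automated. This is an added example, not code from the thread or from rbldnsd; the function names are hypothetical, the sample URIs and the default line are the ones quoted in the thread, and hostnames are listed exactly as found, with no attempt to find registered-domain boundaries.

```python
import ipaddress
from urllib.parse import urlsplit

# Shared-hosting parents named in the post: never list these bare.
SHARED_HOSTS = {"blogspot.com", "wordpress.com"}

# Default-value line quoted in the thread; "$" expands to the listed item.
DEFAULT_LINE = ":127.0.0.2:Blocked System: http://example.com/bl?$"


def host_from_uri(uri):
    """Return the lower-cased host part of a URI, or None if it has none."""
    host = urlsplit(uri.strip()).hostname
    return host.rstrip(".") if host else None


def lookup_key(host):
    """Name as queried under the zone: IPv4 octets reversed, domains as-is."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return host
    return ".".join(reversed(str(ip).split(".")))


def dnset_entry(host):
    """Wildcard dnset entry for a host, or None when it must not be listed."""
    if host is None or ":" in host or host in SHARED_HOSTS:
        return None  # no host, IPv6 literal (not handled), or shared parent
    return "." + lookup_key(host)


def build_zone(uris, default_line=DEFAULT_LINE):
    """Default line first, then one de-duplicated wildcard entry per host."""
    entries = {dnset_entry(host_from_uri(u)) for u in uris}
    entries.discard(None)
    return [default_line] + sorted(entries)


def is_listed(host, zone_lines):
    """Mimic the wildcard match: '.example.com' hits the name and all subdomains."""
    entries = {line for line in zone_lines if line.startswith(".")}
    labels = lookup_key(host).split(".")
    return any("." + ".".join(labels[i:]) in entries for i in range(len(labels)))


# URIs quoted in the thread, plus the two blogspot cases from the post.
SAMPLE_URIS = [
    "http://109.73.134.241/dgq01px",
    "http://51steel1.org/s4b5ztgcx",
    "http://amessofblues1.com/m0dqfx",
    "http://somehorrificspammerfromhell.blogspot.com/",
    "http://blogspot.com/",
]
ZONE = build_zone(SAMPLE_URIS)

if __name__ == "__main__":
    print("\n".join(ZONE))
    for name in ("www.somehorrificspammerfromhell.blogspot.com", "blogspot.com"):
        print(name, "->", "listed" if is_listed(name, ZONE) else "not listed")
```

Because every entry relies on the default line, no per-entry `:value:text` suffix is written, which also sidesteps the space-before-colon problem mentioned in the post.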



Re: How to create a URIBL

2016-10-18 Thread Joe Quinn

On 10/18/2016 6:21 PM, Alex wrote:

Hi,

I've collected a bunch of URIs that I'd like to incorporate into my
rulebase. I know how to create a DNSBL, but I don't specifically know
how to create a URIBL. Can I use rbldnsd for this? Or would I have to
extract the IP or hostname from the URL, then also use a bunch of uri
rules? If so, is there a way of automating this, given a list of URIs?

For example, I have URIs like:

http://109.73.134.241/dgq01px
http://51steel1.org/s4b5ztgcx
http://amessofblues1.com/m0dqfx

I'm also then not sure which of uri* rule definition should be used.
I've used urirhsbl before for a local host blocklist, but now after
reading the man page again for the first time in a while, I'm not even
sure that's correct.

I'm also unclear about rbldnsd config for dnset, where hostnames would
be used. Here is my current command-line:

/usr/sbin/rbldnsd -n -srbldnsd.stats -r/var/lib/rbldnsd -f -n -b
66.123.123.106/53 uri.example.com:dnset:urilist

My urilist file looks like this:

:127.0.0.2:Blocked System: http://example.com/bl?$
$NS 1w uri.example.com
$SOA 1w uri.example.com admin.uri.example.com 0 2h 2h 1w 1h
@ A 66.123.123.106
@ MX 10 uri.example.com
@ TXT "example hostname blocklist"
25z5g623wpqpdwis.onion1.to:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.3lhjyx1.top:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.7jiff71.top:127.0.0.2:Blocked System, Last-Attack: 1476825181

Using the following (and variations, including dig +short) fail with NXDOMAIN
# host 25z5g623wpqpdwis.onion1.to.uri.example.com 66.123.123.106

Can someone show me an example zone file using the dnset option?

I'm guessing my first attempt at this message being received by the
list was due to the domain samples I've included, so they've been
modified.

Any ideas greatly appreciated.
Thanks,
Alex


rbldnsd is still suitable for this, as the DNS lookups are fundamentally 
just mapping strings to IPs. Getting too deep into it is outside SA's 
scope, but the only real difference between an IP rbl and a domain rbl 
is that IP rbls tend to reverse the IP so the most significant octet is 
the most significant subdomain.


On the rules side of things there's multiple different ways to write uri 
rules that match against a dns lookup. Some of them are looking for 
nxdomain vs anything else, some of them can look for particular IPs, 
etc. Just look for the existing RBL that's most similar to what you are 
looking to create.




How to create a URIBL

2016-10-18 Thread Alex
Hi,

I've collected a bunch of URIs that I'd like to incorporate into my
rulebase. I know how to create a DNSBL, but I don't specifically know
how to create a URIBL. Can I use rbldnsd for this? Or would I have to
extract the IP or hostname from the URL, then also use a bunch of uri
rules? If so, is there a way of automating this, given a list of URIs?

For example, I have URIs like:

http://109.73.134.241/dgq01px
http://51steel1.org/s4b5ztgcx
http://amessofblues1.com/m0dqfx

I'm also then not sure which of uri* rule definition should be used.
I've used urirhsbl before for a local host blocklist, but now after
reading the man page again for the first time in a while, I'm not even
sure that's correct.

I'm also unclear about rbldnsd config for dnset, where hostnames would
be used. Here is my current command-line:

/usr/sbin/rbldnsd -n -srbldnsd.stats -r/var/lib/rbldnsd -f -n -b
66.123.123.106/53 uri.example.com:dnset:urilist

My urilist file looks like this:

:127.0.0.2:Blocked System: http://example.com/bl?$
$NS 1w uri.example.com
$SOA 1w uri.example.com admin.uri.example.com 0 2h 2h 1w 1h
@ A 66.123.123.106
@ MX 10 uri.example.com
@ TXT "example hostname blocklist"
25z5g623wpqpdwis.onion1.to:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.3lhjyx1.top:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.7jiff71.top:127.0.0.2:Blocked System, Last-Attack: 1476825181

Using the following (and variations, including dig +short) fail with NXDOMAIN
# host 25z5g623wpqpdwis.onion1.to.uri.example.com 66.123.123.106

Can someone show me an example zone file using the dnset option?

I'm guessing my first attempt at this message being received by the
list was due to the domain samples I've included, so they've been
modified.

Any ideas greatly appreciated.
Thanks,
Alex


RE: Assistance needed

2016-10-18 Thread Sue Mey
Thank you!

Best Regards

Sue Mey


-Original Message-
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: 18 October 2016 06:36 PM
To: spamassassin-users 
Subject: Re: Assistance needed

On Tue, 18 Oct 2016, Kris Deugau wrote:

> Sue Mey wrote:
>
> dbg: rules: ran body rule FB_CIALIS_LEO3 ==> got hit: "Calm All is"
>
> (from "NW1826 All is Calm All is Bright")

Try:

"NW1826 All is Calm, All is Bright"

The comma will bypass that rule until GetResponse fixes their systems.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   Vista is at best mildly annoying and at worst makes you want to
   rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
  301 days since the first successful real return to launch site (SpaceX)



Re: Assistance needed

2016-10-18 Thread John Hardin

On Tue, 18 Oct 2016, Kris Deugau wrote:


Sue Mey wrote:

dbg: rules: ran body rule FB_CIALIS_LEO3 ==> got hit: "Calm All is"

(from "NW1826 All is Calm All is Bright")


Try:

"NW1826 All is Calm, All is Bright"

The comma will bypass that rule until GetResponse fixes their systems.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
 301 days since the first successful real return to launch site (SpaceX)


Re: Assistance needed

2016-10-18 Thread shanew

On Tue, 18 Oct 2016, Kris Deugau wrote:


I saved the message and dug up a copy of the FB_CIALIS_LEO3 rule RW
mentioned;  I note that as he said it's not part of the current live
rules, and in fact checking further it looks like it's been commented
out entirely in the rules development sandbox, so it's not even
considered for testing.

Running the saved message through SA with the rule pasted into a
temporary rules definition file, I found:

dbg: rules: ran body rule FB_CIALIS_LEO3 ==> got hit: "Calm All is"

(from "NW1826 All is Calm All is Bright")

which is probably a good example of why this rule is no longer present.


Ideally, I'd say you should ask GetResponse to remove that rule
entirely.  If they won't do that, it should at least be scored _way_
lower (less than 1 for sure, but more like 0.2 or 0.1).

If they won't (or can't) do that, then you may want to tell them that
you'll be looking for a new provider, because that tells me they
really don't know what they're doing (that they couldn't figure
this out for you isn't impressive either).

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


RE: Assistance needed

2016-10-18 Thread John Hardin

On Tue, 18 Oct 2016, Sue Mey wrote:

Spam score details (in lieu of printscreen). I tried GetResponse help 
first but they seem stumped as to the reason for this. In the meantime I 
am just stuck.


Spam Assassin results

description                                    points
BODY: Uses a mis-spelled version of cialis.      3.10


Absent the actual rule names, this is all stabbing in the dark...

(1) there is no rule with that description in the current base rule set 
provided by the SpamAssassin project.


(2) the base SA rules that do look for "cialis" obfuscation did not hit on 
the text you provided in my local testbed. Note, however, that what you 
provided is not a complete properly-formed email message so take that test 
with a grain of salt. But based on a visual inspection there doesn't 
appear to be anything in your message that the current base SA rules would 
consider misspelled "cialis".


If you're willing to privately mail me just the HTML content as a file, I 
can test that part a bit more thoroughly. The HTML in the sample you 
provided was not really usable because it was embedded in a bunch of MSFT 
HTML Email markup garbage that I wasn't willing to try to strip off.


(3) the base SA rules that do look for "cialis" obfuscation are all 
currently scored at 2.1 points or less.


So: you do need to work with GetResponse on this. It appears that one or 
more of the following are true, none of which we can help you with:


(1) they are using old rules, or an old version of SA that is no longer 
getting rule updates from the SA project


(2) they are using custom rules that are not part of the base rules 
currently provided by the SA project, or possibly are changing the 
descriptions of base rules


(3) they are setting local scores that are higher than what the current 
base rules are providing



A recommendation for GetResponse: include the names of the rule hits in 
that report. It won't have meaning to most nontechnical users, but if it 
reaches the point you have reached it will really help the analysis.




--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
 301 days since the first successful real return to launch site (SpaceX)


Re: Assistance needed

2016-10-18 Thread Kris Deugau
Sue Mey wrote:
> Here is a Printscreen of the Spam score:

Screenshots are generally frowned on since anyone who might do some
quick inspection and testing can't then copy-paste any relevant
fragments for local testing.  Also, attached images bulk up a message
quite a lot.

> Below is the body of my newsletter – with images (which have links to my
> site)
> 
> I have a ‘Special Offers’ section on my website and have been using
> those words and links for years without a problem. I do not use the word
> ‘specialist’ at all.
> 
> After reading about the word ‘specialist’ earlier today, I removed the
> words ‘Special Offers’ and replaced text with ‘this page’, although the
> link still contains the words ‘special offer’

I saved the message and dug up a copy of the FB_CIALIS_LEO3 rule RW
mentioned;  I note that as he said it's not part of the current live
rules, and in fact checking further it looks like it's been commented
out entirely in the rules development sandbox, so it's not even
considered for testing.

Running the saved message through SA with the rule pasted into a
temporary rules definition file, I found:

dbg: rules: ran body rule FB_CIALIS_LEO3 ==> got hit: "Calm All is"

(from "NW1826 All is Calm All is Bright")

which is probably a good example of why this rule is no longer present.

Sooner or later you get some very bizarre misfires due to trying
to create rules that match the very bizarre things spammers have done to
get their message past filters.

-kgd


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Joseph Brennan


--On October 18, 2016 at 02:06:38 -0400 Ruga  wrote:
> 
> >
 

... unless you're applying DMARC, which says the "From:" should instead
"align" with something other than the author of the message in some cases.

--Joseph Brennan







Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll
On Tue, 18 Oct 2016 02:06:38 -0400
Ruga  wrote:

> < does not belong to the author(s) of the message.>>

A Quoted-String phrase is NOT a mailbox.  It's just a quoted string
that is not subject to any further interpretation.

Regards,

Dianne.


Re: Assistance needed

2016-10-18 Thread Axb

On 10/18/2016 01:22 PM, RW wrote:

On Tue, 18 Oct 2016 09:17:31 +0200
Axb wrote:


Your report doesn't show which rule hit,


The rule description is for FB_CIALIS_LEO3. It's not in the current
rules set.



Thanks! Speaks for Getresponse's "Spam Assassin" thingie .-)



Re: Assistance needed

2016-10-18 Thread RW
On Tue, 18 Oct 2016 09:17:31 +0200
Axb wrote:

> Your report doesn't show which rule hit,

The rule description is for FB_CIALIS_LEO3. It's not in the current
rules set.


Re: The real spoofing issue

2016-10-18 Thread Ralph Seichter
On 18.10.16 00:52, Ruga wrote:

> https://tools.ietf.org/html/rfc5322#section-3.6.2

The header line

  From: "John Doe " 

does not violate the RFC section you linked. It may be unusual, and you
are of course free to personally (!) use it as a spam indicator, but it
is definitely RFC-compliant, so don't try to tell people otherwise.

-Ralph



Re: Assistance needed

2016-10-18 Thread Axb

On 10/18/2016 10:46 AM, Sue Mey wrote:

Wow.


why wow?


So sorry I bothered you guys.


You didn't bother anyone, otherwise you would have been ignored. 100%



-Original Message-
From: Axb [mailto:axb.li...@gmail.com]
Sent: 18 October 2016 09:35 AM
To: users@spamassassin.apache.org
Subject: Re: Assistance needed

On 10/18/2016 09:28 AM, Sue Mey wrote:

Spam score details (in lieu of printscreen). I tried GetResponse help
first but they seem stumped as to the reason for this. In the meantime
I am just stuck.


... so take your business somewhere else...
with staff which isn't stumped by the tools they use.


Spam Assassin results

description                                                points
Contains an URL listed in the URIBL greylist                 1.10
Sender domain is commonly abused freemail.                   0.00
No valid author signature, adsp_override is                  0.00
BODY: Uses a mis-spelled version of cialis.                  3.10
BODY: HTML has a low ratio of text to image area             0.80
BODY: HTML included in message                               0.00
Message has a DKIM or DK signature, not necessarily valid    0.10
Message has at least one valid DKIM or DK signature         -0.10
Whitelisted domain                                          -1.10
ADSP custom_med hit, and not from a mailing list             1.20

On 10/18/2016 09:08 AM, Sue Mey wrote:

Here is a Printscreen of the Spam score:

printscreen?  what happened to good old copy/paste?

Your report doesn't show which rule hit, which is pretty lame nor any
debug data to prove it's an up-to-date rule which is hitting.

As their paying user, suggest you ask GetResponse to help you get your
bulk thru as they have insight of the rules they use and can help you
debug.

I have a 'Special Offers' section on my website and have been using
those words and links for years without a problem. I do not use the
word 'specialist' at all.

After reading about the word 'specialist' earlier today, I removed
the words 'Special Offers' and replaced text with 'this page', although
the link still contains the words 'special offer'

"special offer" should not hit. The problem is the rule is looking
for mangled "cialis" without considering word boundaries.

Were there any other problems reported? While that rule may hit, its
score is currently 0.001 so it would not cause your email to be
classified as spam.

**

Below is the body of my newsletter - with images (which have links to
my site)

I have a 'Special Offers' section on my website and have been using
those words and links for years without a problem. I do not use the word
'specialist' at all.

After reading about the word 'specialist' earlier today, I removed
the words 'Special Offers' and replaced text with 'this page', although
the link still contains the words 'special offer'

<http://scrollsawartist.com/>

Note: The items shown are linked to the website - Click on either the
Description or the Image for it to open there.

Visit this category <http://www.scrollsawartist.com/special-offers/>
for my e-Magazines.

Check out my <https://www.youtube.com/channel/UCoDRQb85io0MoEyYmqrZfxA>
YouTube channel for scroll saw project videos.

A lighted plaque from Plaques & other - made by Bill Heitman.

NW1826 All is Calm All is Bright
<http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>
10.3" square $5.00

<http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>

Last year's House advent
<http://www.scrollsawartist.com/house-advent.html>
was popular, and several requests were received for another, with a
different roof design. The example was cut and painted by Carol H.

NW1825 Santa
<http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>
& sleigh House advent 16.5" x 13.5" $5.50

<http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>

Five sets of ornaments added to Christmas >Traditional ornaments. Adding
a backer is optional.

NW1832 Half moon 

RE: Assistance needed

2016-10-18 Thread Sue Mey
Wow.
So sorry I bothered you guys.


-Original Message-
From: Axb [mailto:axb.li...@gmail.com] 
Sent: 18 October 2016 09:35 AM
To: users@spamassassin.apache.org
Subject: Re: Assistance needed

On 10/18/2016 09:28 AM, Sue Mey wrote:
> Spam score details (in lieu of printscreen). I tried GetResponse help 
> first but they seem stumped as to the reason for this. In the meantime 
> I am just stuck.

... so take your business somewhere else...
with staff which isn't stumped by the tools they use.

> Spam Assassin results
>
> description                                                points
> Contains an URL listed in the URIBL greylist                 1.10
> Sender domain is commonly abused freemail.                   0.00
> No valid author signature, adsp_override is                  0.00
> BODY: Uses a mis-spelled version of cialis.                  3.10
> BODY: HTML has a low ratio of text to image area             0.80
> BODY: HTML included in message                               0.00
> Message has a DKIM or DK signature, not necessarily valid    0.10
> Message has at least one valid DKIM or DK signature         -0.10
> Whitelisted domain                                          -1.10
> ADSP custom_med hit, and not from a mailing list             1.20
>
> On 10/18/2016 09:08 AM, Sue Mey wrote:
>
>> Here is a Printscreen of the Spam score:
>
> printscreen?  what happened to good old copy/paste?
>
> Your report doesn't show which rule hit, which is pretty lame nor any 
> debug data to prove it's an up-to-date rule which is hitting.
>
> As their paying user, suggest you ask GetResponse to help you get your 
> bulk thru as they have insight of the rules they use and can help you 
> debug.
>
>>> I have a 'Special Offers' section on my website and have been using
>>> those words and links for years without a problem. I do not use the
>>> word 'specialist' at all.
>>>
>>> After reading about the word 'specialist' earlier today, I removed 
>>> the words 'Special Offers' and replaced text with 'this page', although
>>> the link still contains the words 'special offer'
>>
>> "special offer" should not hit. The problem is the rule is looking 
>> for mangled "cialis" without considering word boundaries.
>>
>> Were there any other problems reported? While that rule may hit, its 
>> score is currently 0.001 so it would not cause your email to be
>> classified as spam.
>>
>> **
>>
>> Below is the body of my newsletter - with images (which have links to 
>> my site)
>>
>> I have a 'Special Offers' section on my website and have been using 
>> those words and links for years without a problem. I do not use the word
>> 'specialist' at all.
>>
>> After reading about the word 'specialist' earlier today, I removed 
>> the words 'Special Offers' and replaced text with 'this page', although
>> the link still contains the words 'special offer'
>>
>> <http://scrollsawartist.com/>
>>
>> Note: The items shown are linked to the website - Click on either the
>> Description or the Image for it to open there.
>>
>> Visit this category <http://www.scrollsawartist.com/special-offers/>  for my
>
>> > pname=Y
>
>>
>> =Y=any_performed=Y=e-Magazine=
>> atch=pr
>
>>  oducts.search> e-Magazines.
>
>> Check out my  <
>> 
>> https://www.youtube.com/channel/UCoDRQb85io0MoEyYmqrZfxA>
>
>> YouTube channel for scroll saw project videos.
>
>>
>
>>
>
>>
>
>> A lighted plaque from Plaques
>
>> > s/plaqu
>
>>  es-and-other-projects/> & other - made by Bill Heitman.
>
>> NW1826 All is Calm All is Bright
>
>> < 
>> http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>
>> 10.3"
>
>> square $5.00
>
>>
>
>>
>
>>
>
>> < 
>> http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>
>
>>
>
>> 
>
>>
>
>>
>
>>
>
>> Last year's House advent <
>> 
>> http://www.scrollsawartist.com/house-advent.html>
>
>> was popular, and several requests were received for another, with a
>
>> different roof design. The example was cut and painted by Carol H.
>
>> NW1825 Santa
>
>> <
>> 
>> http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>
>> & sleigh
>
>> House advent 16.5" x 13.5" $5.50
>
>>
>
>> <
>> 
>> http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>
>
>>
>
>> 
>
>>
>
>>
>
>>

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll


On October 18, 2016 2:09:37 AM EDT, Ruga  wrote:
>RFC 2822 and 5322 are in the "Standards Track".
>RFC 822 is still the standard.

Interesting, but the example is still RFC-compliant, even with 822.

Regards, 

Dianne. 



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll


On October 18, 2016 2:27:09 AM EDT, Ruga  wrote:
>Yes, you can prefix a quoted string to the actual address. No, the
>quoted string is not part of the address.

Indeed.

>There are two approaches here: one is to defend the spammer's abuse of
>the standard (intended to trick the average Joe into believing they
>have received mail from someone else), and the other is to read the
>standard

I think you are the one with reading comprehension problems if you are still 
implying my example violates the standard.

Regards,

Dianne.



Re: Assistance needed

2016-10-18 Thread Axb

On 10/18/2016 09:28 AM, Sue Mey wrote:
> Spam score details (in lieu of printscreen). I tried GetResponse help
> first but they seem stumped as to the reason for this. In the
> meantime I am just stuck.

... so take your business somewhere else...
with staff which isn't stumped by the tools they use.

> Spam Assassin results
>
> description                                                points
> Contains an URL listed in the URIBL greylist                 1.10
> Sender domain is commonly abused freemail.                   0.00
> No valid author signature, adsp_override is                  0.00
> BODY: Uses a mis-spelled version of cialis.                  3.10
> BODY: HTML has a low ratio of text to image area             0.80
> BODY: HTML included in message                               0.00
> Message has a DKIM or DK signature, not necessarily valid    0.10
> Message has at least one valid DKIM or DK signature         -0.10
> Whitelisted domain                                          -1.10
> ADSP custom_med hit, and not from a mailing list             1.20
>
> On 10/18/2016 09:08 AM, Sue Mey wrote:
>
>> Here is a Printscreen of the Spam score:
>
> printscreen?  what happened to good old copy/paste?
>
> Your report doesn't show which rule hit, which is pretty lame nor any
> debug data to prove it's an up-to-date rule which is hitting.
>
> As their paying user, suggest you ask GetResponse to help you get your
> bulk thru as they have insight of the rules they use and can help you
> debug.
>
>>> I have a 'Special Offers' section on my website and have been using
>>> those words and links for years without a problem. I do not use the
>>> word 'specialist' at all.
>>>
>>> After reading about the word 'specialist' earlier today, I removed the
>>> words 'Special Offers' and replaced text with 'this page', although
>>> the link still contains the words 'special offer'
>>
>> "special offer" should not hit. The problem is the rule is looking for
>> mangled "cialis" without considering word boundaries.
>>
>> Were there any other problems reported? While that rule may hit, its score
>> is currently 0.001 so it would not cause your email to be classified as
>> spam.
>>
>> **
>>
>> Below is the body of my newsletter - with images (which have links to my
>> site)
>>
>> I have a 'Special Offers' section on my website and have been using those
>> words and links for years without a problem. I do not use the word
>> 'specialist' at all.
>>
>> After reading about the word 'specialist' earlier today, I removed the words
>> 'Special Offers' and replaced text with 'this page', although the link still
>> contains the words 'special offer'
>>
>> <http://scrollsawartist.com/>
>>
>> Note: The items shown are linked to the website - Click on either the
>> Description or the Image for it to open there.
>>
>> Visit this category <http://www.scrollsawartist.com/special-offers/> for my
>> e-Magazines.
>> Check out my <https://www.youtube.com/channel/UCoDRQb85io0MoEyYmqrZfxA>
>> YouTube channel for scroll saw project videos.
>>
>> A lighted plaque from Plaques & other - made by Bill Heitman.
>> NW1826 All is Calm All is Bright
>> <http://www.scrollsawartist.com/all-is-calm-all-is-bright.html> 10.3"
>> square $5.00
>>
>> <http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>
>>
>> Last year's House advent <http://www.scrollsawartist.com/house-advent.html>
>> was popular, and several requests were received for another, with a
>> different roof design. The example was cut and painted by Carol H.
>> NW1825 Santa <http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html> & sleigh
>> House advent 16.5" x 13.5" $5.50
>>
>> <http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>
>>
>> Five sets of ornaments added to Christmas
>>  >Traditional ornaments. Adding a backer is optional.
>> NW1832 Half moon ornaments #1
>> <http://www.scrollsawartist.com/half-moon-ornaments-1.html> - 5.6" x 4.8"
>> $5.00
>>
>> <http://www.scrollsawartist.com/half-moon-ornaments-1.html>

RE: Assistance needed

2016-10-18 Thread Sue Mey
Spam score details (in lieu of printscreen). I tried GetResponse help first but
they seem stumped as to the reason for this. In the meantime I am just stuck.

Spam Assassin results

description                                                points
Contains an URL listed in the URIBL greylist                 1.10
Sender domain is commonly abused freemail.                   0.00
No valid author signature, adsp_override is                  0.00
BODY: Uses a mis-spelled version of cialis.                  3.10
BODY: HTML has a low ratio of text to image area             0.80
BODY: HTML included in message                               0.00
Message has a DKIM or DK signature, not necessarily valid    0.10
Message has at least one valid DKIM or DK signature         -0.10
Whitelisted domain                                          -1.10
ADSP custom_med hit, and not from a mailing list             1.20

On 10/18/2016 09:08 AM, Sue Mey wrote:

> Here is a Printscreen of the Spam score:

printscreen?  what happened to good old copy/paste?

Your report doesn't show which rule hit, which is pretty lame nor any debug
data to prove it's an up-to-date rule which is hitting.

As their paying user, suggest you ask GetResponse to help you get your bulk thru
as they have insight of the rules they use and can help you debug.

>> I have a 'Special Offers' section on my website and have been using
>> those words and links for years without a problem. I do not use the
>> word 'specialist' at all.
>>
>> After reading about the word 'specialist' earlier today, I removed the
>> words 'Special Offers' and replaced text with 'this page', although
>> the link still contains the words 'special offer'
>
> "special offer" should not hit. The problem is the rule is looking for
> mangled "cialis" without considering word boundaries.
>
> Were there any other problems reported? While that rule may hit, its score
> is currently 0.001 so it would not cause your email to be classified as
> spam.
>
> **
>
> Below is the body of my newsletter - with images (which have links to my
> site)
>
> I have a 'Special Offers' section on my website and have been using those
> words and links for years without a problem. I do not use the word
> 'specialist' at all.
>
> After reading about the word 'specialist' earlier today, I removed the words
> 'Special Offers' and replaced text with 'this page', although the link still
> contains the words 'special offer'
>
> <http://scrollsawartist.com/>
>
> Note: The items shown are linked to the website - Click on either the
> Description or the Image for it to open there.
>
> Visit this category <http://www.scrollsawartist.com/special-offers/> for my
> e-Magazines.
> Check out my <https://www.youtube.com/channel/UCoDRQb85io0MoEyYmqrZfxA>
> YouTube channel for scroll saw project videos.
>
> A lighted plaque from Plaques & other - made by Bill Heitman.
> NW1826 All is Calm All is Bright
> <http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>  10.3"
> square $5.00
>
> <http://www.scrollsawartist.com/all-is-calm-all-is-bright.html>
>
> Last year's House advent <http://www.scrollsawartist.com/house-advent.html>
> was popular, and several requests were received for another, with a
> different roof design. The example was cut and painted by Carol H.
> NW1825 Santa
> <http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html> & sleigh
> House advent 16.5" x 13.5" $5.50
>
> <http://www.scrollsawartist.com/santa-and-sleigh-house-advent.html>
>
> Five sets of ornaments added to Christmas
>  >Traditional ornaments. Adding a backer is optional.
> NW1832 Half moon ornaments #1
> <http://www.scrollsawartist.com/half-moon-ornaments-1.html>  - 5.6" x 4.8"
> $5.00
>
> <http://www.scrollsawartist.com/half-moon-ornaments-1.html>
>
> NW1833 Half moon ornaments #2
> <

Re: Assistance needed

2016-10-18 Thread Axb

Also:
They score URIBL Grey 1.10
but SA's score is
score URIBL_GREY 0 1.084 0 0.424

"whitelisted domain" with that score isn't something default SA would do.

If they can't afford to support the report they show you, why should
volunteers do it? for free?


On 10/18/2016 09:17 AM, Axb wrote:

> On 10/18/2016 09:08 AM, Sue Mey wrote:
>
>> Here is a Printscreen of the Spam score:
>
> printscreen?  what happened to good old copy/paste?
>
> Your report doesn't show which rule hit, which is pretty lame nor any
> debug data to prove it's an up-to-date rule which is hitting.
>
> As their paying user, suggest you ask GetResponse to help you get your
> bulk thru as they have insight of the rules they use and can help you
> debug.
>
>>> I have a 'Special Offers' section on my website and have been using
>>> those words and links for years without a problem. I do not use the
>>> word 'specialist' at all.
>>>
>>> After reading about the word 'specialist' earlier today, I removed the
>>> words 'Special Offers' and replaced text with 'this page', although
>>> the link still contains the words 'special offer'
>>
>> "special offer" should not hit. The problem is the rule is looking for
>> mangled "cialis" without considering word boundaries.
>>
>> Were there any other problems reported? While that rule may hit, its
>> score is currently 0.001 so it would not cause your email to be
>> classified as spam.
>>
>> **
>>
>> Below is the body of my newsletter - with images (which have links to my
>> site)
>>
>> I have a 'Special Offers' section on my website and have been using those
>> words and links for years without a problem. I do not use the word
>> 'specialist' at all.
>>
>> After reading about the word 'specialist' earlier today, I removed the
>> words 'Special Offers' and replaced text with 'this page', although the
>> link still contains the words 'special offer'
>>
>> Note: The items shown are linked to the website - Click on either the
>> Description or the Image for it to open there.
>>
>> Visit this category for my e-Magazines.
>> Check out my YouTube channel for scroll saw project videos.
>>
>> A lighted plaque from Plaques & other - made by Bill Heitman.
>> NW1826 All is Calm All is Bright 10.3" square $5.00
>>
>> Last year's House advent
>> was popular, and several requests were received for another, with a
>> different roof design. The example was cut and painted by Carol H.
>> NW1825 Santa & sleigh
>> House advent 16.5" x 13.5" $5.50
>>
>> Five sets of ornaments added to Christmas
>>  >Traditional ornaments. Adding a backer is optional.
>> NW1832 Half moon ornaments #1 - 5.6" x 4.8" $5.00
>>
>> NW1833 Half moon ornaments #2 - 5.6" x 4.8" $5.00
>>
>> ~
>>
>> NW1834 Half moon ornaments #3 - 5.6" x 4.8" $5.00
>>
>> ~
>>
>> NW1835 Half moon ornaments #4 - 5.6" x 4.8" $5.00
>>
>> ~
>>
>> NW1836 Half moon ornaments #5 - 5.6" x 4.8" $5.00
>>
>> ~~
>>
>> Have you seen...
>> NW1604 Two Compound cut (3D) Large birdhouses and birds
>> - 6" and 6.7" tall. Use 2" x 2" wood, cut or sanded down to 1 7/8"
>> x 1 7/8" blanks $5.00
>> NW1642 Compound cut (3D) ornaments #15 - Set of
>> 12 stars, hearts, and teardrop ornament patterns. Use a 2" x 2" blank
>> $5.95
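
The word-boundary point raised in this thread ("specialist" tripping a rule that looks for mangled "cialis"), as an added Python example that is not part of any message and is not SpamAssassin's rule text. The fuzzy pattern, the names `UNANCHORED`, `WORD_B`, `ANCHORED` and `evaluate`, and every sample line are constructed for illustration.

```python
import re

# Constructed fuzzy matcher: one optional separator between letters and a few
# look-alike substitutions. It is NOT the text of any SpamAssassin rule.
SEP = r"[\s._*-]?"
LETTERS = ["c", "[i1!|]", "[a@4]", "[l1|]", "[i1!|]", "[s5$]"]
CORE = SEP.join(LETTERS)

# 1) No boundary handling: matches anywhere, including inside longer words
#    and across the gap between two ordinary words.
UNANCHORED = re.compile(CORE, re.IGNORECASE)

# 2) \b on both sides: removes the in-word hits, but \b only exists next to a
#    word character, so an obfuscated token ending in "$" is missed.
WORD_B = re.compile(r"\b(?:" + CORE + r")\b", re.IGNORECASE)

# 3) Explicit look-arounds: the match must not be glued to a letter or digit
#    on either side, whatever its own first and last characters are.
ANCHORED = re.compile(
    r"(?<![A-Za-z0-9])(?:" + CORE + r")(?![A-Za-z0-9])", re.IGNORECASE
)

# Constructed sample lines: (text, is_it_really_obfuscated)
SAMPLES = [
    ("I do not use the word specialist at all", False),
    ("See the special issue of my newsletter", False),
    ("Visit my Special Offers page", False),
    ("NW1826 All is Calm All is Bright", False),
    ("cheap c1al!s here", True),
    ("order c.i.a.l.i.s", True),
    ("C I A L I $ today", True),
]


def hits(pattern, text):
    """Return the substrings of text that the pattern matches."""
    return [m.group(0) for m in pattern.finditer(text)]


def evaluate(pattern):
    """Return (false_positives, misses) for a pattern over SAMPLES."""
    false_positives = [t for t, bad in SAMPLES if not bad and pattern.search(t)]
    misses = [t for t, bad in SAMPLES if bad and not pattern.search(t)]
    return false_positives, misses


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("\\b", WORD_B), ("look-around", ANCHORED)):
        fp, fn = evaluate(pat)
        print(f"{name:12} false positives={fp} misses={fn}")
```
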






Re: Assistance needed

2016-10-18 Thread Axb



On 10/18/2016 09:08 AM, Sue Mey wrote:

> Here is a Printscreen of the Spam score:

printscreen?  what happened to good old copy/paste?

Your report doesn't show which rule hit, which is pretty lame nor any
debug data to prove it's an up-to-date rule which is hitting.

As their paying user, suggest you ask GetResponse to help you get your
bulk thru as they have insight of the rules they use and can help you debug.

>> I have a 'Special Offers' section on my website and have been using
>> those words and links for years without a problem. I do not use the
>> word 'specialist' at all.
>>
>> After reading about the word 'specialist' earlier today, I removed the
>> words 'Special Offers' and replaced text with 'this page', although
>> the link still contains the words 'special offer'
>
> "special offer" should not hit. The problem is the rule is looking for
> mangled "cialis" without considering word boundaries.
>
> Were there any other problems reported? While that rule may hit, its score
> is currently 0.001 so it would not cause your email to be classified as
> spam.
>
> **
>
> Below is the body of my newsletter - with images (which have links to my
> site)
>
> I have a 'Special Offers' section on my website and have been using those
> words and links for years without a problem. I do not use the word
> 'specialist' at all.
>
> After reading about the word 'specialist' earlier today, I removed the words
> 'Special Offers' and replaced text with 'this page', although the link still
> contains the words 'special offer'
>
> Note: The items shown are linked to the website - Click on either the
> Description or the Image for it to open there.
>
> Visit this category for my e-Magazines.
> Check out my YouTube channel for scroll saw project videos.
>
> A lighted plaque from Plaques & other - made by Bill Heitman.
> NW1826 All is Calm All is Bright 10.3" square $5.00
>
> Last year's House advent
> was popular, and several requests were received for another, with a
> different roof design. The example was cut and painted by Carol H.
> NW1825 Santa & sleigh
> House advent 16.5" x 13.5" $5.50
>
> Five sets of ornaments added to Christmas
>  >Traditional ornaments. Adding a backer is optional.
> NW1832 Half moon ornaments #1 - 5.6" x 4.8" $5.00
>
> NW1833 Half moon ornaments #2 - 5.6" x 4.8" $5.00
>
> ~
>
> NW1834 Half moon ornaments #3 - 5.6" x 4.8" $5.00
>
> ~
>
> NW1835 Half moon ornaments #4 - 5.6" x 4.8" $5.00
>
> ~
>
> NW1836 Half moon ornaments #5 - 5.6" x 4.8" $5.00
>
> ~~
>
> Have you seen...
> NW1604 Two Compound cut (3D) Large birdhouses and birds
> - 6" and 6.7" tall. Use 2" x 2" wood, cut or sanded down to 1 7/8"
> x 1 7/8" blanks $5.00
> NW1642 Compound cut (3D) ornaments #15 - Set of
> 12 stars, hearts, and teardrop ornament patterns. Use a 2" x 2" blank $5.95
>
> NW1451 Large word candle - I am the light - 18" x 11" $7.95
>
> NW1453 Large word candle - I am the light #2

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Paul Stead

The following rules look for a From label which looks to have an email address 
looks for this type of spoofed address

The following would be valid, for example:

From: "p...@domain.com" 


http://ruleqa.spamassassin.org/20161017-r1765221-n/T_PDS_FROM_2_EMAILS/detail

http://ruleqa.spamassassin.org/20161017-r1765221-n/T_FROM_2_EMAILS/detail - 
similar to above with less metas

They both seem to hit more ham than spam on the Corpus


Paul

On 18/10/16 07:27, Ruga wrote:
Yes, you can prefix a quoted string to the actual address. No, the quoted 
string is not part of the address.

There are two approaches here: one is to defend the spammer's abuse of the 
standard (intended to trick the average Joe into believing they have received 
mail from someone else), and the other is to read the standard


On Tue, Oct 18, 2016 at 4:02 AM, Dianne Skoll 
<'d...@roaringpenguin.com'> wrote:
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:


rfc 822 (the actual standard):


Which as I mentioned is obsolete, but I'll play with you...


authentic = "From" ":" mailbox ; Single author / ...
mailbox = addr-spec ; simple address / phrase route-addr
addr-spec = local-part "@" domain


And you left out the BNF of "phrase", didn't you? Tsk tsk!

You can't pick and choose pieces of RFCs, you know. They come as a package
deal.

TL;DR, the header:

From: "Dianne Skoll " 


is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.

--
Paul Stead
Systems Engineer
Zen Internet


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
Yes, you can prefix a quoted string to the actual address. No, the quoted 
string is not part of the address.

There are two approaches here: one is to defend the spammer's abuse of the 
standard (intended to trick the average Joe into believing they have received 
mail from someone else), and the other is to read the standard


On Tue, Oct 18, 2016 at 4:02 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:

> rfc 822 (the actual standard):

Which as I mentioned is obsolete, but I'll play with you...

> authentic = "From" ":" mailbox ; Single author / ...
> mailbox = addr-spec ; simple address / phrase route-addr
> addr-spec = local-part "@" domain

And you left out the BNF of "phrase", didn't you? Tsk tsk!

You can't pick and choose pieces of RFCs, you know. They come as a package
deal.

TL;DR, the header:

From: "Dianne Skoll " 

is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
RFC 2822 and 5322 are in the "Standards Track".
RFC 822 is still the standard.


On Tue, Oct 18, 2016 at 2:52 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On October 17, 2016 7:11:29 PM EDT, Ruga  wrote:
>rfc 822 (the actual standard):

Are you serious? RFC 822 is decades obsolete, long since superseded by 2822 and 
then by 5322.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
<>


On Tue, Oct 18, 2016 at 1:25 AM, Paul Stead <'paul.st...@zeninternet.co.uk'> 
wrote:




On 17/10/16 23:52, Ruga wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2
from = "From:" mailbox-list CRLF
...
https://tools.ietf.org/html/rfc5322#section-3.4
...
---8<---
mailbox = name-addr / addr-spec
name-addr = [display-name] angle-addr
display-name = phrase
mailbox-list = (mailbox *("," mailbox)) / obs-mbox-list

Normally, a mailbox is composed of two parts: (1) an optional display name that
indicates the name of the recipient (which can be a person or a system) that
could be displayed to the user of a mail application, and (2) an addr-spec
address enclosed in angle brackets ("<" and ">"). There is an alternate simple
form of a mailbox where the addr-spec address appears alone, without the
recipient's name or the angle brackets. The Internet addr-spec address is
described in [section 3.4.1](https://tools.ietf.org/html/rfc5322#section-3.4.1).
--
Paul Stead
Systems Engineer
Zen Internet
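
The check that Paul Stead's rules describe, combined with the name-addr grammar quoted in this thread, as an added Python example (not SpamAssassin's rule code and not from any poster). It separates the harmless case, where the display name repeats the real address, from the case where the display name shows an address in another domain. `classify_from`, `ADDR_LIKE` and all header values are constructed for illustration.

```python
import re
from email.header import decode_header, make_header
from email.utils import getaddresses

# Loose matcher for something that looks like an address inside a display name.
ADDR_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def domain_of(addr):
    """Lower-cased domain part of an addr-spec ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_from(header_value):
    """Return one (verdict, shown_addr, real_addr) tuple for every
    address-like string found in a display name of a From header value."""
    results = []
    for raw_name, real in getaddresses([header_value]):
        # The display name is a phrase and may be RFC 2047 encoded; decode it
        # first so an encoded "@" (=40) cannot hide the shown address.
        name = str(make_header(decode_header(raw_name)))
        for shown in ADDR_LIKE.findall(name):
            if shown.lower() == real.lower():
                verdict = "same-address"       # redundant, typical of ham
            elif domain_of(shown) == domain_of(real):
                verdict = "same-domain"        # e.g. role address vs sender
            else:
                verdict = "different-domain"   # name claims another sender
            results.append((verdict, shown, real))
    return results


# Constructed header values; every one is syntactically valid per RFC 5322.
SAMPLES = [
    '"Dianne Example" <dianne@example.org>',
    '"paul@example.com" <paul@example.com>',
    '"helpdesk@example.com" <it-news@example.com>',
    '"ceo@bank.example" <bulk@mailer.example>',
    '=?utf-8?q?ceo=40bank.example?= <bulk@mailer.example>',
]


def suspicious(samples):
    """Header values whose display name shows an address in another domain."""
    return [
        value
        for value in samples
        if any(v == "different-domain" for v, _, _ in classify_from(value))
    ]


if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", classify_from(value))
```

Scoring only the `different-domain` verdict avoids the ham hits that a bare "display name contains an address" test produces on the second and third samples.
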