Re: SA bayes file db permission issue

2016-06-09 Thread Alan Hodgson
On Thursday 09 June 2016 16:26:26 Yu Qian wrote: > Yes, I am sure the path is correct, also, if the path is not correct, it > will show 'db not present'. > > I tried to write a small perl script to open the db file, it failed too. so > I think it maybe the file damaged during the mounting. but I

Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 08:05:59 PM Reindl Harald wrote: > in context of "DKIM and DMARC are the present and near future" how do > you imagine that to work if you have no clue who is sending on behalf of > yours? > Well you obviously have something emotionally invested in SPF. But anyways

Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 06:06:14 PM Reindl Harald wrote: > before Google is telling somebody something they should better learn > the difference between "~" and "-" in a SPF record to make gmail.com at > least on envelope-level spoofing protected > > a high percentage of spam here would

Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 04:36:14 PM Reindl Harald wrote: > > wait i tell you something (for you) new: DMARC and mailing-lists is an > awful topic - what do you think would have happened with your mail to the > list if your domain would enforce DMARC and my MX reject mails violating > the

Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 07:41:44 PM Reindl Harald wrote: > which people don't know this? > admins? > don't maintain services then! > > users? > > just use the SMTP server your mailprovider tells you and no other one > and for smtp-admins: just don't accept envelope senders for which you >

Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 08:59:51 PM RW wrote: > I'm assuming that you are using these rules: > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ > > > meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && > __DMARC_POLICY_REJECT > > __DMARC_POLICY_REJECT comes from

Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 09:34:56 PM RW wrote: > On Mon, 04 Apr 2016 13:18:54 -0700 > > Alan Hodgson wrote: > > On Monday, April 04, 2016 08:59:51 PM RW wrote: > > > I'm assuming that you are using these rules: > > > > > > https://blog.laussat.de/201

Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote: > really? > > I know DMARC as > "example.com may dkim sign with example.com. relax alignment will > match even for RFC5322.From sub.example.com" > > but you claim > "sub.example.com may dkim sign with sub.example.com a message with >

Re: Keyword Whitelist?

2017-01-11 Thread Alan Hodgson
On Wednesday 11 January 2017 14:31:15 John Hardin wrote: > That's more complex than needed. The message subject is automatically > included in body rules, so you only need __LOCAL_BODY_PRODUCTS. > Cool, I did not know that. txs.

Re: Matching To and Received addresses

2017-03-28 Thread Alan Hodgson
On Tuesday 28 March 2017 13:58:43 Alex wrote: > I'd like to be able to use the fact that the To address is not the > same as the address shown in the Received header in a meta of some > kind. > > How frequent would you think that would appear in ham alone? It's the > basis for a number of

Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
On Monday 06 March 2017 11:58:25 David B Funk wrote: > On Mon, 6 Mar 2017, Alan Hodgson wrote: > >> It seems it should be easy to setup “If mail claims to be From: > >> PayPal.com > >> and is not from PayPal, score +100” but it is not. > > > > This is

Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
> It seems it should be easy to setup “If mail claims to be From: PayPal.com > and is not from PayPal, score +100” but it is not. This is what DMARC is for. Run opendmarc as a milter and reject failures. Or score later on DMARC failure, even if just selectively for highly phished domains.

Re: Somewhat OT: DMARC and this list

2017-05-19 Thread Alan Hodgson
On Friday 19 May 2017 14:47:56 Dianne Skoll wrote: > On Fri, 19 May 2017 20:43:39 +0200 > > Benny Pedersen wrote: > > some maillists break DKIM, focus on that first, not last ! > > Thank you for not adding any value to the conversation. The > domain in question is not using

Re: Somewhat OT: DMARC and this list

2017-05-19 Thread Alan Hodgson
On Friday 19 May 2017 20:11:42 David Jones wrote: > >Urgg, I see that now. I looked at a few of David Jones' posts to this list > >and saw that they weren't DKIM signed, so I extrapolated that to a general > >assumption. > > They are DKIM signed so something must be stripping the headers. > Well,

Re: Today's Google Docs phish

2017-05-04 Thread Alan Hodgson
On Thursday 04 May 2017 17:07:31 John Hardin wrote: > I expect a basic accounts.google.com URI rule would be a good idea even if > a redirector pattern for this was added - is there any legitimate reason > for a "log in to your google account" URL to be in an email? > Not from anyone who isn't

Re: FROM header with two email addresses

2017-09-27 Thread Alan Hodgson
On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote: > This could also be an attempt to get a mailing list to work. > > There's a continuing problem with email list traffic getting bounced by > DKIM, and various work-arounds - the gist is that the mail has to come > from the list manager,

Re: TO_NO_BRKTS_DYNIP

2017-12-04 Thread Alan Hodgson
On Mon, 2017-12-04 at 15:20 -0500, Joseph Brennan wrote: > New rule: TO_NO_BRKTS_DYNIP > > Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is > 2.639, one gets an even 5.0 score just for sending from ec2-54-225- > 189-51.compute-1.amazonaws.com without < > around the To address. >

Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")

2018-04-26 Thread Alan Hodgson
On Thu, 2018-04-26 at 13:41 -0700, L A Walsh wrote: > To my way of thinking, dropping someone else's email, > telling the sender the email is being rejected for having > spam-like characteristics and telling the recipient nothing > seems like it might have legal liability for the > user

Re: From name containing a spoofed email address

2018-01-17 Thread Alan Hodgson
On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote: > Would a plugin need to be created (or an existing one enhanced) to > be able to detect this type of spoofed From header? > > From: "h...@hulumail.com !" > > https://pastebin.com/vVhGjC8H > > Does anyone else think

Re: Malformed spam email gets through.

2018-01-01 Thread Alan Hodgson
On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote: > On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: > > > I think some mail systems will keep the same message-ID per email > > thread so your system must reject some replies. > > I have not seen such behavior in the past 20 years... > >

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Alan Hodgson
On Thu, 2018-01-18 at 18:49 -0500, Chip wrote: > Very well stated.  Bravo! > > The end point here is to examine the email headers that specifically > refer to dkim and spf signatures.  Based on fail or pass, or some > combination in concert with the sender's email address, they get moved > into

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-18 Thread Alan Hodgson
On Sun, 2018-03-18 at 17:14 -0500, David Jones wrote: > I have Steve Freegard's DecodeShortURLs.pm installed but didn't get any > HAS_SHORT_URL hits on this one: > > https://pastebin.com/t85b0Bns Is it getting any hits? It definitely hits on that one in a test here. Note it needs Perl's

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote: > I don't think the multiple @ signs have worked in a very long time. So > I see no reason not to add score based on multiple @ signs. Or if there > is a legitimate use for it, it should be extremely rare and the false > positive rate

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote: > Yeah, I see all these same things. Better to test against From:addr > rather than the full From: Perhaps something like: > > From:addr =~ /\@[^\s]+\@/ > > Of course, there might still be legit cases of that kind of usage. > The

Re: Spamassassin using remote rules definition source?

2018-12-10 Thread Alan Hodgson
On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote: > I simply need to write custom rules to block certain mails, domain names. Do > I have to learn programming language for this? Is not it easy like create a > conf file and let Sa update rules from that source remotely via http? > > cron +

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Alan Hodgson
On Wed, 2018-12-05 at 00:17 +, David Jones wrote: > I think he meant that DKIM related to DMARC means the DKIM signature has > to align/match the From: header domain to pass which is DKIM_VALID_AU in SA. > > In the case of SPF, DMARC will pass if the envelope-from domain check > hits

Re: spoofing mail

2018-11-27 Thread Alan Hodgson
On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote: > Hi, I have a situation a little complicated, I have emails from > spammers that come with the name of one of my users, but the email > address is not from my domain, they send it from a valid domain, > which complies with spf, DKIM etc

Re: spoofing mail

2018-11-27 Thread Alan Hodgson
On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote: > On Tue, 27 Nov 2018 at 11:14, Alan Hodgson > () wrote: > > > Wow, that's hard to read. > > > > It was close to being tagged because of the Pakistan relay. Just > > add a few points for Word docs

Re: Custom rule to please the Mayor

2019-11-21 Thread Alan Hodgson
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote: > Good day, > I know I will incur some wrath for this but I have the Mayor breathing > down my neck. We stop nearly all spam now, but some does get through. > Mostly it has been mail from gmail and outlook servers that pass DKIM > and SPF. >

Re: base64 encoded subjects

2020-02-07 Thread Alan Hodgson
On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote: > I'm seeing a lot of spam with base64 encoded subjects: > > Subject: > =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?= > > Subject:

Re: help with simple test?

2020-01-15 Thread Alan Hodgson
On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote: > I'm hoping this is a relatively simple test... > I'm seeing emails "From Me, To Me", typically extortion types. I'm not > even seeing which of the SA tests are getting hit, because I have my > own email in my Whitelist. > Is there a way I can

Re: 1.6 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla

2020-09-23 Thread Alan Hodgson
On Wed, 2020-09-23 at 14:46 -0500, Jerry Malcolm wrote: > On 9/23/2020 2:33 PM, iulian stan wrote: > > Most of the time the IPs from AWS are already blacklisted and you > > cannot do anything. > > I'm curious why such a blanket statement. Why does AWS have such a bad > reputation? With

Re: SpamAssassin DKIM with Virtual Hosting

2020-09-24 Thread Alan Hodgson
> > > Or is there some criteria to determine which domain name > > should have the DKIM signature? Is there a penalty score if one or > > the other is missing? > > It doesn't make much difference, unless there's a whitelist involved. If you publish a DMARC record, DMARC requires that the

Re: to: header is not in my domain

2020-10-20 Thread Alan Hodgson
On Tue, 2020-10-20 at 20:38 +0100, Miki wrote: > Thanks for quick reply, but blacklist what? > The problem is I do not know this spammy domains. > I want to give a score when To: field is NOT in anyaddr...@mydomain.com Not tested, but something like this should work: header __LOCAL_TO_ME To =~

Re: KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alan Hodgson
On Thu, 2021-05-20 at 16:12 -0400, Alex wrote: > > X-Envelope-From: >     > > > Perhaps it's because Return-Path is null? > Return-Path: <> Return-Path is supposed to be where your MTA stores the envelope sender. That it doesn't match is probably a problem. And yes, SPF falls back to

Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 11:39 -0500, Bill Cole wrote: > > A customer has expressed mild dismay at the concept that a fine > research institution should be "punished for doing research." I'm > less attached to Princeton than my NJ-based customer and (having > worked in a NIH-funded lab) less

Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 10:55 -0800, Alan Hodgson wrote: > > I got a couple to an actual human who answered > ab...@princeton.edu. I can forward them privately. Let me rephrase that; I complained to ab...@princeton.edu and actually heard back from a human, to whom I have since se

Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 13:24 -0500, Charles Sprickman wrote: > Does anyone have a sample of one of their emails? > > I’m composing a brief nastygram and would like to get my eyes on > one before finishing up. > I got a couple to an actual human who answered ab...@princeton.edu. I can forward

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

2022-03-04 Thread Alan Hodgson
On Fri, 2022-03-04 at 13:01 +, Marc wrote: > Is anyone blocking already connections from outbound- > mail.sendgrid.net? Does that generate a lot of false positives? > PS. just posting this so it is on web archives and people searching > for sendgrid hopefully chose a better service. >

Re: DMARC fails for valid record?

2022-05-09 Thread Alan Hodgson
On Mon, 2022-05-09 at 14:35 -0400, Alex wrote: > Hi, > > I'm trying to understand why this email from a bank fails DMARC > when mxlookup says the DMARC record is just fine. > > https://pastebin.com/0T4Gjn3v > >  *  1.8 DMARC_REJECT DMARC reject policy >  *  6.0 KAM_DMARC_REJECT DKIM has Failed

Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Alan Hodgson
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote: > How do I stop this?  paypal.com is in the default DKIM whitelist! > That message really looks like it came from Paypal and then was forwarded by Microsoft to your server. Was it really a fake? That's a lot of headers to fake if so. If it