Re: New rule for HTML spam, using comments?

2013-06-17 Thread Amir Caspi
On Mon, June 17, 2013 11:48 am, John Hardin wrote: Well, that's a much harder problem. STYLE tags have a specified format, and content not matching that format is (fairly) easy to detect. Comments are freeform text - gibberish has the same meaning there that it does in regular body text.

Re: New rule for HTML spam, using comments?

2013-06-18 Thread Amir Caspi
On Tue, June 18, 2013 1:01 pm, Martin Gregorie wrote: The main thing I notice is that there are only two Received: headers, and no envelope-From so IMO you're hoping for too much from the header-related SA rules simply because there's very little for SA to get its teeth into. Well, I'm not

Re: New rule for HTML spam, using comments?

2013-06-18 Thread Amir Caspi
On Tue, June 18, 2013 4:36 pm, RW wrote: One thing to watch out for is that a mailbox may contain hidden deleted mail that remains there until the mail client compacts/expunges the mailbox. For that reason I prefer explicit training folders rather than folders where misclassified mails have

Re: New rule for HTML spam, using comments?

2013-06-19 Thread Amir Caspi
Another, nearly identical example I saw today, but which used trailing slashes (/ or //) instead of parentheses. http://pastebin.com/6XRwcjm3 Enjoy. =) --- Amir On Wed, June 19, 2013 2:11 pm, ceph...@3phase.com wrote: Hi John, See the

Re: New rule for HTML spam, using comments?

2013-06-19 Thread Amir Caspi
On Wed, June 19, 2013 2:33 pm, Axb wrote: imo, it makes little sense to write rules to catch these hashbusters. As If the rule is sufficiently broad, it will catch them. If the rule is so strict that it catches only one trailing slash or something, then yes, it makes little sense... but I think

Re: New spam rule for specific content

2013-08-11 Thread Amir Caspi
On Aug 11, 2013, at 9:10 AM, Benny Pedersen m...@junc.eu wrote: i created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML , but even without these rules it's spam It is NOW, it was not when it was originally processed, as you can see from the SA headers included in the pastebin. If you read

Re: Email address in subject line

2014-01-13 Thread Amir Caspi
On Dec 28, 2013, at 9:08 PM, John Hardin jhar...@impsec.org wrote: Yes, I definitely noticed that. As you can see from the spample (link below), none of the above rules are hitting properly; the To: line is a bare email, not properly angle-bracketed. Or, if any of the rules are hitting, the

Re: Help with a regex to catch spam with gibberish html tags

2014-01-29 Thread Amir Caspi
On Jan 29, 2014, at 9:53 AM, Andy Jezierski ajezier...@stepan.com wrote: I've been noticing a lot of spam getting through with the same traits, a bunch of random words within brackets. They all seem to come after the /body or the /html tag. Anyone much more knowledgeable than me care to

Re: Help with a regex to catch spam with gibberish html tags

2014-01-30 Thread Amir Caspi
On Jan 30, 2014, at 10:28 AM, Kevin A. McGrail kmcgr...@pccc.com wrote: If you want to share the complete rule, I can throw it into my sandbox and see what masscheck thinks as well. The complete rule would be something like this, assuming Andy implemented it as I wrote it: rawbody

Re: Help with a regex to catch spam with gibberish html tags

2014-01-30 Thread Amir Caspi
On Jan 30, 2014, at 11:25 AM, John Hardin jhar...@impsec.org wrote: I'd suggest writing it as a subrule first, to see how well it performs against the masscheck corpora. If it does well by itself (good hits, high S/O), then a meta can be added to expose it for scoring. If it hits a lot but

Re: Who wants to trade data?

2014-02-06 Thread Amir Caspi
Don't know if you noticed but his email earlier today included a link to a txt file with the list if IPs. Free. Just DL if you want. No sale, no money. I don't see commercial pressure here when he gave it away already. (I don't know the guy and don't plan to use the list, but just wanted to

Re: Increase in Image Spam

2014-02-11 Thread Amir Caspi
On Feb 11, 2014, at 10:25 AM, Andy Jezierski ajezier...@stepan.com wrote: They don't really hit on any rules A number of image spams have certain template formats and I've written custom rules to catch many... however, I've been hesitant to release those rules publicly since spammers

Re: Spam Pattern

2014-02-12 Thread Amir Caspi
On Feb 12, 2014, at 1:15 PM, John Hardin jhar...@impsec.org wrote: Bayes. Well, yes and no. Bayes isn't very good about detecting this kind of thing per se because it's full of random crap... in fact, they specifically pull text from innocuous things like web reviews, movie reviews, news

Re: Spam Pattern

2014-02-14 Thread Amir Caspi
On Feb 14, 2014, at 11:00 AM, Adam Katz antis...@khopis.com wrote: Given the nature of the content, I'd go the other direction and not require the word boundary. This removes the wildcard, though it doesn't short circuit as quickly, so one could debate which version is more efficient. body

Re: Spam Pattern

2014-02-14 Thread Amir Caspi
On Feb 14, 2014, at 11:53 AM, Adam Katz antis...@khopis.com wrote: some of your sample's strings had an extra character on the end. To be clear, that wasn't my sample; I am not the originator of this thread. This version of the rule is more expensive, but is safer to score higher (maybe

Re: Spam Pattern

2014-02-14 Thread Amir Caspi
On Feb 14, 2014, at 1:04 PM, Adam Katz antis...@khopis.com wrote: Noo, don't do that. (?:\s*\w+)+ is a ReDoS bomb (and you have it ten times!) which will destroy your Whoops, you're very right. Removing the + after the \w (that is, turning it to (?:\s*\w)+ ) should match the same

Re: BAYES_999 of score 1.0 (default)

2014-02-17 Thread Amir Caspi
On Feb 17, 2014, at 7:36 AM, Axb axb.li...@gmail.com wrote: could we agree to set the ceilings on lower safer scores? In the interest of full disclosure, these rules are being tested because of me (or at my suggestion anyway). I set them up locally based on discussion on this very list

Re: BAYES_999 strange behavior

2014-02-18 Thread Amir Caspi
On Feb 18, 2014, at 3:58 PM, John Hardin jhar...@impsec.org wrote: Is there some reason the Bayes scores can't/shouldn't be static? Indeed, I am wondering why Bayes would be auto-scored at all. By definition, Bayes high scores should match only on spam, low scores should match only on ham.

Re: Increase in Image Spam

2014-02-20 Thread Amir Caspi
On Feb 20, 2014, at 10:15 AM, Axb axb.li...@gmail.com wrote: What kind of traffic are you dealing with? personal, corporate? ISPish? How many domains/users/msgs/day? This is mostly personal email with a little bit of corporate. In this instance, it is for a single domain with 3 users and

Re: Increase in Image Spam

2014-02-20 Thread Amir Caspi
On Feb 20, 2014, at 10:34 AM, Axb axb.li...@gmail.com wrote: I hope you're running SA 3.4 so: I am still on 3.3.2 because nobody has yet packaged 3.4 for CentOS 5.x, from what I can tell. I have the package from the rpmforge-extras repo, and 3.3.2 is still the most current version there (and

Re: Increase in Image Spam

2014-02-20 Thread Amir Caspi
On Feb 20, 2014, at 11:21 AM, Kris Deugau kdeu...@vianet.ca wrote: Have you tried learning one specific FN, then reprocessing that message to see what Bayes score it gets? IME it will usually shift from BAYES_00 to at least BAYES_40 in most cases, even with a large sitewide DB with far more

Re: Mail SPF Check

2014-02-25 Thread Amir Caspi
On Feb 25, 2014, at 2:32 PM, John Hardin jhar...@impsec.org wrote: perl modules named X::Y are typically in perl-X-Y.noarch. perl-Mail-SPF-Query.noarch *may* satisfy Mail::SPF. perl-Mail-SPF is available from rpmforge-extras, which must be manually enabled (do a yum list available

Re: help with regex

2014-02-26 Thread Amir Caspi
On Feb 26, 2014, at 5:49 PM, Jeff Mincy j...@delphioutpost.com wrote: Can't you do something like this using a look ahead regexp? (?=[A-Z0-9]{30,})(?:[A-Z]*[0-9]){10,} According to regexpal.com, that matches the OP's example. The lookahead works properly in this case, since trying to use

Re: CentOS/RHEL repo?

2014-03-17 Thread Amir Caspi
On Mar 17, 2014, at 12:12 AM, Thomas Harold thomas-li...@nybeta.com wrote: Well, for simplicity, RPMForge is probably the easiest, even if it doesn't have the latest versions. Latest CentOS6 x64 version is 3.3.1. rpmforge-extras has v3.3.2. Atomic also has it. Nobody has 3.4 yet. --- Amir

Re: CentOS/RHEL repo?

2014-03-17 Thread Amir Caspi
On Mar 17, 2014, at 7:54 AM, Axb axb.li...@gmail.com wrote: What's the benefit from installing from RPM? In my case, it is a necessity; my server runs a control panel for virtual hosts and distributes the software to each host based on the rpms installed. If I install from source I would

Re: Blank line rules

2014-05-22 Thread Amir Caspi
On May 22, 2014, at 6:44 PM, John Hardin jhar...@impsec.org wrote: You might want to do this: rawbody MANY_BLANK_LINES /(?:(?:br)?\r?\n){9}/mi AC_BR_BONANZA should cover the HTML case. It could be easily extended to match standard LF or CR per above. (In my case I am matching something

Re: Capture vs non-capture groups

2014-05-28 Thread Amir Caspi
On May 28, 2014, at 12:16 PM, Joe Quinn jqu...@pccc.com wrote: It could be worth discussing again. Perhaps you could write a proof of concept and see what other use cases it has? In prior discussions, I think I mentioned it would be useful for spam templates... some templates embed a hash

Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Amir Caspi
On Jun 9, 2014, at 4:25 PM, John Hardin jhar...@impsec.org wrote: On Mon, 9 Jun 2014, Philip Prindeville wrote:

Re: Can't keep up with spam from SolarVPS sites

2014-06-09 Thread Amir Caspi
On Jun 9, 2014, at 7:11 PM, David B Funk dbf...@engineering.uiowa.edu wrote: Just beware of FPs, I've seen some ugly URLs from things like airline reservation confirmations. (spammers are getting better at stealing features from legit messages to protect their garbage). FWIW, I haven't had a

Re: More text/plain questions

2014-07-02 Thread Amir Caspi
On Jul 2, 2014, at 12:58 PM, David F. Skoll d...@roaringpenguin.com wrote: I don't think so. Any MUA that tried to convert #x0435; to a Unicode character in a text/plain part with implicit US-ASCII charset and 7bit content transfer encoding is broken. An MUA should display exactly #x0435; in

Re: More text/plain questions

2014-07-25 Thread Amir Caspi
On Jul 24, 2014, at 4:08 PM, Philip Prindeville philipp_s...@redfish-solutions.com wrote: In text/plain with CTE of ‘7bit’ or ‘8bit’ it’s meaningless to use Unicode HTML entity encodings. It’s obviously not HTML. If you want Unicode in text/plain, it should be in base64 or

Re: More text/plain questions

2014-07-25 Thread Amir Caspi
On Jul 25, 2014, at 4:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote: You should look at the patch on bug 7068 (https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7068) Yes, but this is within the code itself. I was referring to how to do this in a local.cf, for example... Amir

Re: Re-2: Hacked Wordpress sites Cryptolocker

2014-09-03 Thread Amir Caspi
On Sep 3, 2014, at 2:01 PM, John Hardin jhar...@impsec.org wrote: Did that hit any of the existing phish rules? They may need some attention... Similar phishing just received, spample here: http://pastebin.com/UEmb035j It did not hit any phishing rules. In fact, because it was only BAYES_50,

Custom rule not hitting suddenly?

2014-09-08 Thread Amir Caspi
Hi all, One of my spammy URI template rules is, for some reason, not hitting any more. Spample here: http://pastebin.com/jy6WZhWW In my local.cf sandbox I have the following: uri __AC_STOPRANDDOM_URI1

Re: Custom rule not hitting suddenly?

2014-09-08 Thread Amir Caspi
On Sep 8, 2014, at 12:06 PM, Axb axb.li...@gmail.com wrote: imo, an URI rule shouldn't have a boundary delimiter I normally have one to signify the end of the URI, as this is intended to reduce FPs (just in case some legitimate email might match this but have something after the domain).

Re: Custom rule not hitting suddenly?

2014-09-08 Thread Amir Caspi
On Sep 8, 2014, at 4:09 PM, Karsten Bräckelmann guent...@rudersport.de wrote: Pulled the sample from pastebin and fed to spamassassin -D with your custom rule added as additional configuration. That rule hits. It does not hit on mine, and I think I've figured out why. I'm using SA 3.3.2 with

Re: Custom rule not hitting suddenly?

2014-09-08 Thread Amir Caspi
On Sep 8, 2014, at 6:59 PM, Karsten Bräckelmann guent...@rudersport.de wrote: It also should be possible to simply replace that Perl module with the current trunk version. It seems like this is doable, and I just tried it... a test run on the previous spample now hits my template. Hopefully

Re: Bayes autolearn questions

2014-09-08 Thread Amir Caspi
On Sep 8, 2014, at 7:17 PM, Alex Regan mysqlstud...@gmail.com wrote: Please use plain-text rather than HTML. In particular with that really bad indentation format of quoting. It doesn't seem possible with gmail directly any longer, so I've set up thunderbird for this. Maybe it is, but not

Re: Valid TLDs (was: Re: Custom rule not hitting suddenly?)

2014-09-08 Thread Amir Caspi
On Sep 8, 2014, at 7:45 PM, Karsten Bräckelmann guent...@rudersport.de wrote: Opinions? Discussion in here, or should I move this to dev? Given that TLDs can and do change on a timescale more frequent than many people update their version of SA (myself included), I would vote for a method

Re: bayes_auto_learn_threshold_nonspam

2014-09-10 Thread Amir Caspi
On Sep 10, 2014, at 7:47 AM, Axb axb.li...@gmail.com wrote: For several months I've been using bayes_auto_learn_threshold_nonspam -1.0 Any reason you chose -1.0 rather than something a bit closer to 0, like -0.5 or -0.2? Most of my low-scoring spam is pretty close to 0, so I'm just

Re: Spam messages autolearned as ham

2014-09-25 Thread Amir Caspi
On Sep 25, 2014, at 8:51 AM, John Hardin jhar...@impsec.org wrote: You *did* keep your initial Bayes training corpora, right? Does it matter if you keep the initial corpora, or just that you train on known corpora, even if they are fluid? --- Amir thumbed via iPhone

Re: Spam messages autolearned as ham

2014-09-25 Thread Amir Caspi
On Sep 25, 2014, at 10:35 AM, Axb axb.li...@gmail.com wrote: imo, fresh spam is the best spam. I've got plenty... Nowadays, we tend to reject most good fodder with all kinds of methods at SMTP level and what's left is often hardly enough to keep a bayes DB well fed. In my case, spam is

Re: many spam getting scored as BAYES_50 - 'unsure' or 'untrained'. What's broken, and how do I fix it?

2014-09-30 Thread Amir Caspi
On Sep 30, 2014, at 11:11 AM, John Hardin jhar...@impsec.org wrote: How are you training your Bayes database? How much have you trained it? It requires a certain minimum amount of both spam *and* ham before it starts evaluating messages. I have a significantly trained DB and I get the same

Re: is my bayes working properly?

2014-10-02 Thread Amir Caspi
On Oct 1, 2014, at 3:17 PM, Axb axb.li...@gmail.com wrote: have you tried -L forget before -L spam ? I thought the documentation said that if a message had previously been learned as ham, that learning it as spam would auto-forget it beforehand. Similarly for spam-ham training. Is the

Re: is my bayes working properly?

2014-10-02 Thread Amir Caspi
On Oct 2, 2014, at 9:19 AM, Amir Caspi ceph...@3phase.com wrote: On Oct 1, 2014, at 3:17 PM, Axb axb.li...@gmail.com wrote: have you tried -L forget before -L spam ? I thought the documentation said that if a message had previously been learned as ham, that learning it as spam would auto

Re: spamd does not start

2014-10-08 Thread Amir Caspi
On Oct 8, 2014, at 4:23 PM, Duane Hill duih...@gmail.com wrote: No.is a way of chaining commands together. Your cron says run sa-update and then restart spamd. In other words, when sa-update finishes running, regardless if there was an update applied or not, restart spamd.

Re: spamd does not start

2014-10-08 Thread Amir Caspi
Looks like I'm late to the party. :-) --- Amir thumbed via iPhone On Oct 8, 2014, at 4:46 PM, Amir Caspi ceph...@3phase.com wrote: On Oct 8, 2014, at 4:23 PM, Duane Hill duih...@gmail.com wrote: No.is a way of chaining commands together. Your cron says run sa-update

Re: Uptick in spam

2015-02-16 Thread Amir Caspi
On Feb 16, 2015, at 1:01 PM, RW rwmailli...@googlemail.com wrote: IIWY I'd look into rescoring the BAYES_* rules. I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the other rules are

Uptick in spam

2015-02-16 Thread Amir Caspi
Hi all, Over the last week I've seen a significant uptick in FN spam to my users. We're getting tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per user. We're getting BAYES_99/999 on many of these, but no other major markers are hitting (razor, pyzor,

Re: Uptick in spam

2015-02-16 Thread Amir Caspi
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote: I'm happy to look at a recent sample and throw it through my system to see what it hits but overall, I've been seeing the exact opposite. Hmmm. Well, like I said, maybe we're just first on the list and are getting all

Civility [WAS: Re: Can not disable checks against dnsbl.ahbl.org]

2015-01-09 Thread Amir Caspi
On Jan 9, 2015, at 12:47 PM, Benny Pedersen m...@junc.eu wrote: keep your problem then [...] hopefully you know your problem now to not ask about more help here Can I make a personal request to all on the list? PLEASE keep it civil and professional, and stop all these pissing contests. The

Re: 3.4.0

2015-01-08 Thread Amir Caspi
On Jan 8, 2015, at 11:04 AM, Benny Pedersen m...@junc.eu wrote: no need to be sorry, it's just me that hates to see more and more systems run on autopilot and just want to have it fixed by doing nothing on the maintainer side of view, Perl is maintained on the CentOS side, they backport a

Re: 3.4.0

2015-01-08 Thread Amir Caspi
I am running 3.4.0 on CentOS 5.11 with perl 5.8.8 with no issues whatsoever. --- Amir thumbed via iPhone On Jan 8, 2015, at 8:51 AM, Eric Broch ebr...@whitehorsetc.com wrote: List, I read through the release announcements for Spamassassin 3.4.0 (I'm currently running 3.3.2) and noticed it

Re: 3.4.0

2015-01-08 Thread Amir Caspi
On Jan 8, 2015, at 11:52 AM, Benny Pedersen m...@junc.eu wrote: so you tested what happened if all plugins are disabled ? Ah, no, I did not do that. I saw no need since I actually want to use the plugins... =) So no, I guess I did not quite address your concern. --- Amir

Re: Uptick in spam

2015-03-30 Thread Amir Caspi
On Mar 30, 2015, at 9:49 AM, Kris Deugau kdeu...@vianet.ca wrote: Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. Definitely something to add to my nice to have list for the future. Sadly, as I mentioned earlier,

TO_IN_SUBJ for username?

2015-03-31 Thread Amir Caspi
Hi, I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full email address in To:, not just the user part... is that right? I've been getting a bunch of spam (some of which ends up as FNs) with just the username portion of To: in the Subject line. This is almost

Re: TO_IN_SUBJ for username?

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 8:08 AM, Bowie Bailey bowie_bai...@buc.com wrote: The way it's written, it will only hit if the Subject header follows the To header. I thought John modified the rule to fix that, about a year ago... did that not get implemented in production? --- Amir thumbed via iPhone

Re: updated RegistrarBoundaries.pm

2015-02-21 Thread Amir Caspi
On Feb 21, 2015, at 6:48 PM, Dave Pooser dave...@pooserville.com wrote: I'm not a moderator or anything, but this kind of personal attack is neither necessary nor appropriate here, IMO. Indeed, it seems like just a few weeks ago that I asked people to be more professional, since some of us

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: I see no network checks here... do you use network checks? On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote: Are you using network tests? These are scoring pretty high for me. I presume you're

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:20 PM, Axb axb.li...@gmail.com wrote: These three samples are very different in the sense that #1 is a hacked site, #2 #3 are the regular snowshoe. Of course, I picked three different samples on purpose. But, I have hundreds that replicate these. What I miss in your

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:33 PM, Axb axb.li...@gmail.com wrote: Are you using Mailscanner? if yes then it's you munging URIs so they're breaking lookups on any hash type as in Yes, I am using MailScanner. Some URIs are munged, others are not. For example, you can see in that very pastebin you

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote: Apologies if this is an overly obvious answer, but are you using any greylisting? This would (potentially) move your user away from the wavefront of a spam's distribution, and give it a better chance of triggering the network-based tests.

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote: I'm happy to look at a recent sample and throw it through my system to see what it hits but overall, I've been seeing the exact opposite. So, one of my users has been getting dozens (sometimes nearly 100) FNs per DAY

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:20 PM, Axb axb.li...@gmail.com wrote: - Please post missed spam samples in pastebin.com - do not post samples to mailing lists Of course, I would never post it to the list. I will put up a few in pastebin but there are so many of them, and there are a few different

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:22 PM, Reindl Harald h.rei...@thelounge.net wrote: we have currently 577 different subjects and subject-parts scored , i don't want to publish them because i'd like the spammers don't change to new ones :-) Sadly, that doesn't help me. I don't have time to compile

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 2:09 PM, Axb axb.li...@gmail.com wrote: As an AV product I'd recommend Sophos AND ESETS/Nod32. I'll look into Sophos, I'm not entirely sure if I can deploy it on my system or not. We have to use RPMs that can be distributed to the virtual hosts, etc... I'll definitely

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 3:34 PM, Richard Doyle lists...@islandnetworks.com wrote: All of these were From: domains created today. Shouldn't they have been picked up by DOB? Or do I need to manually enable some DOB plugin in SA? (If so, please let me know how...) When I ran the third spample

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 5:12 PM, Axb axb.li...@gmail.com wrote: DOB isn't realtime/zero hour. That kind of defeats the point, doesn't it? I mean, if you wait too long, it's no longer DOB, it's few-DOB... I would have imagined that a DOB server would operate in a caching mode where the first query

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 6:19 PM, RW rwmailli...@googlemail.com wrote: There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are last-external only Interesting. I wonder why I see those XBL/PBL hits, then. Maybe Zen timed out on those queries from sendmail... or something. Either way I

Re: TO_IN_SUBJ for username?

2015-04-01 Thread Amir Caspi
Going back to this: On Apr 1, 2015, at 7:47 AM, Bowie Bailey bowie_bai...@buc.com wrote: That might be reasonable for most email addresses, but there are quite a few people who have a usable name or nickname as the user part of their email. (j...@example.com). It would not make sense to

Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 3:03 PM, Kevin Miller kevin.mil...@juneau.org wrote: You can reject on RDNS (or lack thereof) in sendmail depending on the version. Search for require_rdns. Thanks, I'll look into it. Sadly I don't think I have time to manually whitelist misconfigured servers, since I

Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 2:26 PM, Kevin Miller kevin.mil...@juneau.org wrote: I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did that, almost instantly the spam dropped dramatically. [...] There was some discussion in this group about blocking on DNS providers about a

Re: Must-Have Plugins?

2015-06-09 Thread Amir Caspi
On Jun 9, 2015, at 12:29 PM, John Hardin jhar...@impsec.org wrote: (2) Check the HELO the other guy sends and reject if it's not a FQDN (i.e. it's not got any periods at all). This probably shouldn't be done on mail originating locally, but for mail coming in from the Internet the other MTA

Re: Must-Have Plugins?

2015-06-09 Thread Amir Caspi
On Jun 9, 2015, at 12:51 PM, RW rwmailli...@googlemail.com wrote: Bogofilter is pretty easy to use without a plugin. Typically it's just a matter of piping your mail through bogofilter -e -p In general the most efficient way to score-in an external filter is to run it separately and have SA

Re: Must-Have Plugins?

2015-06-10 Thread Amir Caspi
On Jun 10, 2015, at 12:32 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: FEATURE(`block_bad_helo') define(`confALLOW_BOGUS_HELO', `False') Argh, unfortunately, that feature is only on sendmail 8.14 and higher, which means RHEL/CentOS 6 or higher. For those of us running RHEL/CentOS 5,

Re: Must-Have Plugins?

2015-06-19 Thread Amir Caspi
On Jun 19, 2015, at 6:02 PM, Philip Prindeville philipp_s...@redfish-solutions.com wrote: Given how many vulnerabilities CentOS 5 has, why would you want to keep running that? Because, while I wish I could upgrade ... various circumstances prevent that right now. It is fully patched, FWIW.

Re: Macs/Yosemite can no longer send abuse reports

2015-06-29 Thread Amir Caspi
On Jun 29, 2015, at 10:30 AM, Kris Deugau kdeu...@vianet.ca wrote: Ben wrote: Second, I'm becoming less and less of a buyer on the whole report it to the ISP malarkey. It's starting to become a bit of a 1990's way of doing it. I increasingly find myself wondering whether ISPs actually

Re: Misbehaving HEADER_HOST_IN_BLACKLIST? And no SPF on SA list host?

2015-10-21 Thread Amir Caspi
On Oct 21, 2015, at 7:34 PM, Kevin A. McGrail wrote: > I want to run the samples you provided and see if I can duplicate the issue > but it definitely sounds odd. I've got four more of them, if you want. (Includes a reply to one of the spamples, a separate two-message

Re: Malware URI rule

2015-11-09 Thread Amir Caspi
On Nov 9, 2015, at 10:20 AM, Benny Pedersen wrote: > > and it was the only rule that hit ? > > think again A score of 6 is a poison pill for a threshold of 5 unless there are significant negative-score rules that hit. If an email is otherwise "neutral" (Bayes 50, no

Re: Malware URI rule

2015-11-09 Thread Amir Caspi
On Nov 9, 2015, at 10:09 AM, John Hardin wrote: > > score URI_MALWARE_CWALL 6.000 Is your threshold higher than 5? Otherwise this is a poison pill for a "potential" hit. --- Amir thumbed via iPhone

Misbehaving HEADER_HOST_IN_BLACKLIST? And no SPF on SA list host?

2015-10-19 Thread Amir Caspi
Hi, I didn't realize this until now but it looks like, for at least the last 6 months or so, a few emails from users@spamassassin have been dropped into my spam folder due to what I perceive to be a bug in the HEADER_HOST_IN_BLACKLIST rule. Specifically, I've got some

Re: Misbehaving HEADER_HOST_IN_BLACKLIST? And no SPF on SA list host?

2015-10-19 Thread Amir Caspi
On Oct 19, 2015, at 1:16 PM, RW wrote: > > IIWY I wouldn't try to rescore the blacklisted URIs. I'd create a > separate list for the TLDs Why? It might avoid this issue but IMHO the second rule is a bug, so that's a band-aid rather than a solution. I don't want a

Re: Misbehaving HEADER_HOST_IN_BLACKLIST? And no SPF on SA list host?

2015-10-20 Thread Amir Caspi
On Oct 19, 2015, at 1:16 PM, RW wrote: > body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist() > header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK') > > These appear to be the same thing. The first call is just a shorthand > form for the

Re: Add "may be forged" minor rule?

2015-09-28 Thread Amir Caspi
On Sep 28, 2015, at 1:53 PM, John Hardin wrote: > Is greylisting an acceptable option in your environment? Probably not. I've got some users who would not accept it. I'm thinking of implementing it anyway, but right now, not a viable option. > Also: both of those samples

Add "may be forged" minor rule?

2015-09-28 Thread Amir Caspi
Hi all, So, one of my users has been getting dozens of spams per day lately, that have been getting BAYES_999 but not triggering any other point rules. All of these spams have forge warnings in the Received header, and it seems like it might be worth adding a low-scoring "may be

Re: Add "may be forged" minor rule?

2015-09-28 Thread Amir Caspi
On Sep 28, 2015, at 1:34 PM, Axb wrote: > you may need to start looking at a local RBL and start blocking IP ranges > > been blocking snowshoe from Baraka Streaming Technologies Inc 38.113.188.0/22 > since 2014-06-18 - no complaints - ymmv Will look into it, but that

Re: Add "may be forged" minor rule?

2015-09-29 Thread Amir Caspi
On Sep 28, 2015, at 10:17 PM, David B Funk wrote: > By itself not a strong spam sign, but good for metas. FWIW, I added this as a rule with 0.2 points. "Unfortunately," my user's snowshoe hits today have all been hitting RDNS_NONE instead of this rule, so I

Re: Add "may be forged" minor rule?

2015-09-28 Thread Amir Caspi
On Sep 28, 2015, at 3:55 PM, RW wrote: > > YMMV but I find that in deep received headers "may be forged" is a > slight ham indicator. That's why I suggested limiting the match to the > MX server's received header. In that case it likely couldn't be a distributed

Re: New Mail::SpamAssassin::Plugin::HeadersEqual plugin

2016-09-08 Thread Amir Caspi
> On Sep 8, 2016, at 10:05 AM, apache.org+spamassas...@daniel-rudolf.de wrote: > > As you can see, SA will increase the score by 0.5 when the From: and > Return-Path: headers don't match ("ne" for "not equal"). This particular rule will FP for most mailing list emails... including this one.

Bayes not auto-learning?

2018-02-23 Thread Amir Caspi
Hi all, So, I've been trying to tweak my setup and noticed that VERY few of my emails are being autolearned as spam, even when their spam threshold is far above the autolearn threshold. The threshold is set to 12; I just saw a spam with score >25 not being autolearned. Are

Re: Bayes not auto-learning?

2018-02-23 Thread Amir Caspi
On Feb 23, 2018, at 11:47 PM, David B Funk wrote: > It could have 20 points from a whole bunch of body rules but if it only hit 2 > points via header rules it still will not auto-learn. Gotcha. The spam in question that triggered this hit a lot of rules, but hard

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Amir Caspi
> On Feb 21, 2018, at 9:57 AM, Dianne Skoll wrote: > > That's why you only want to do it for URLs that are > absolutely known to be shortened URLs. You have to keep a list of > known URL-shorteners. On that note -- regardless of what OTHER HW/SW solutions might do,

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread Amir Caspi
> On Feb 21, 2018, at 12:45 PM, Dianne Skoll wrote: > > Someone earlier posted a link to https://github.com/smfreegard/DecodeShortURLs Oops, I missed that... must have thought it was just about decoding and not about SA. Thanks for clarifying! --- Amir

Re: From:name spoofing

2018-02-16 Thread Amir Caspi
> On Feb 16, 2018, at 4:41 PM, John Hardin wrote: > > Not necessarily safe. If your MTA receives a message without a Message-ID, it > is supposed to generate one. And if it does so, it will probably do so using > your (recipient) domain... Wouldn't this also FP on messages

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-26 Thread Amir Caspi
> On Feb 26, 2018, at 11:00 AM, Kevin A. McGrail > wrote: > >> DecodeShortURLs has been on my list of must-have plugins for years, so >> I was a little surprised it took so long for someone to mention it >> in this thread. > Yeah, my firm is going to look at

Re: Periodic error

2018-08-01 Thread Amir Caspi
On Aug 1, 2018, at 6:09 PM, John Hardin wrote: > Recommendation: download the spamassassin-3.4.1-12 (or later) SRPM from > Fedora and try building an RPM from it in a Centos 6 dev environment. That's > what I did for Centos 7 and it works jes' fine. Kevin Fenzi maintains an SA repo for

Re: DecodeShortURLs database breaks with setuid spamd

2018-03-06 Thread Amir Caspi
On Mar 6, 2018, at 5:19 PM, RW wrote: > > Or probably more commonly when running the spamassassin perl script as > an ordinary user for test purposes. Right, if the DB is owned by that user, then they would see the rule fire with spamassassin and might assume it's

Re: Differing scores on spamassassin checks

2018-04-16 Thread Amir Caspi
> On Apr 15, 2018, at 12:39 PM, Computer Bob wrote: > > I still am a bit puzzled how bayes db gets handled when using virtual users > and domains. I see no trace of bayes or .spamassassin files in any of the > virtual locations or in the sql databases. If you want

Re: Differing scores on spamassassin checks

2018-04-16 Thread Amir Caspi
On Apr 16, 2018, at 11:15 AM, RW wrote: > > You seem to be confusing unix and virtual users. Sorry, I was confusing "virtual hosting" with "virtual users." Oops. Ignore me! --- Amir

Re: Spamassassin and spamc do not use same rules

2018-04-25 Thread Amir Caspi
On Apr 25, 2018, at 8:57 AM, Paul R. Ganci wrote: > > Sorry I should have mentioned that. I was aware of that issue. As you can see > spamd is running as root in this case and the spamassassin tests were also > done as root. spamd running as root doesn't run as root; it