On Mon, June 17, 2013 11:48 am, John Hardin wrote:
Well, that's a much harder problem. STYLE tags have a specified format,
and content not matching that format is (fairly) easy to detect. Comments
are freeform text - gibberish has the same meaning there that it does in
regular body text.
On Tue, June 18, 2013 1:01 pm, Martin Gregorie wrote:
The main thing I notice is that there are only two Received: headers,
and no envelope-From so IMO you're hoping for too much from the
header-related SA rules simply because there's very little for SA to get
its teeth into.
Well, I'm not
On Tue, June 18, 2013 4:36 pm, RW wrote:
One thing to watch out for is that a mailbox may contain hidden deleted
mail that remains there until the mail client compacts/expunges the
mailbox. For that reason I prefer explicit training folders rather than
folders where misclassified mails have
Another, nearly identical example I saw today, but which used trailing
slashes (/ or //) instead of parentheses.
http://pastebin.com/6XRwcjm3
Enjoy. =)
--- Amir
On Wed, June 19, 2013 2:11 pm, ceph...@3phase.com wrote:
Hi John,
See the
On Wed, June 19, 2013 2:33 pm, Axb wrote:
imo, it makes little sense to write rules to catch these hashbusters. As
If the rule is sufficiently broad, it will catch them. If the rule is so
strict that it catches only one trailing slash or something, then yes, it
makes little sense... but I think
On Aug 11, 2013, at 9:10 AM, Benny Pedersen m...@junc.eu wrote:
i created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML , but even without
this rules its spam
It is NOW, it was not when it was originally processed, as you can see from the
SA headers included in the pastebin. If you read
On Dec 28, 2013, at 9:08 PM, John Hardin jhar...@impsec.org wrote:
Yes, I definitely noticed that. As you can see from the spample (link
below), none of the above rules are hitting properly; the To: line is a
bare email, not properly angle-bracketed. Or, if any of the rules are
hitting, the
On Jan 29, 2014, at 9:53 AM, Andy Jezierski ajezier...@stepan.com wrote:
I've been noticing a lot of spam getting through with the same traits, a
bunch of random words within brackets. They all seem to come after the
/body or the /html tag. Anyone much more knowledgeable than me care to
On Jan 30, 2014, at 10:28 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
If you want to share the complete rule, I can throw it into my sandbox and
see what masscheck thinks as well.
The complete rule would be something like this, assuming Andy implemented it as
I wrote it:
rawbody
On Jan 30, 2014, at 11:25 AM, John Hardin jhar...@impsec.org wrote:
I'd suggest writing it as a subrule first, to see how well it performs
against the masscheck corpora. If it does well by itself (good hits, high
S/O), then a meta can be added to expose it for scoring. If it hits a lot but
Don't know if you noticed but his email earlier today included a link to a txt
file with the list of IPs. Free. Just DL if you want. No sale, no money.
I don't see commercial pressure here when he gave it away already.
(I don't know the guy and don't plan to use the list, but just wanted to
On Feb 11, 2014, at 10:25 AM, Andy Jezierski ajezier...@stepan.com wrote:
They don't really hit on any rules
A number of image spams have certain template formats and I've written custom
rules to catch many... however, I've been hesitant to release those rules
publicly since spammers
On Feb 12, 2014, at 1:15 PM, John Hardin jhar...@impsec.org wrote:
Bayes.
Well, yes and no. Bayes isn't very good about detecting this kind of thing per
se because it's full of random crap... in fact, they specifically pull text
from innocuous things like web reviews, movie reviews, news
On Feb 14, 2014, at 11:00 AM, Adam Katz antis...@khopis.com wrote:
Given the nature of the content, I'd go the other direction and not require
the word boundary. This removes the wildcard, though it doesn't short
circuit as quickly, so one could debate which version is more efficient.
body
On Feb 14, 2014, at 11:53 AM, Adam Katz antis...@khopis.com wrote:
some of your sample's strings had an extra character on the end.
To be clear, that wasn't my sample; I am not the originator of this thread.
This version of the rule is more expensive, but is safer to score higher
(maybe
On Feb 14, 2014, at 1:04 PM, Adam Katz antis...@khopis.com wrote:
Noo, don't do that. (?:\s*\w+)+ is a ReDoS bomb (and you have it ten
times!) which will destroy your
Whoops, you're very right. Removing the + after the \w (that is, turning it to
(?:\s*\w)+ ) should match the same
On Feb 17, 2014, at 7:36 AM, Axb axb.li...@gmail.com wrote:
could we agree to set the ceilings on lower safer scores?
In the interest of full disclosure, these rules are being tested because of me
(or at my suggestion anyway). I set them up locally based on discussion on this
very list
On Feb 18, 2014, at 3:58 PM, John Hardin jhar...@impsec.org wrote:
Is there some reason the Bayes scores can't/shouldn't be static?
Indeed, I am wondering why Bayes would be auto-scored at all. By definition,
Bayes high scores should match only on spam, low scores should match only on
ham.
On Feb 20, 2014, at 10:15 AM, Axb axb.li...@gmail.com wrote:
What kind of traffic are you dealing with? personal, corporate? ISPish?
How many domains/users/msgs/day?
This is mostly personal email with a little bit of corporate. In this
instance, it is for a single domain with 3 users and
On Feb 20, 2014, at 10:34 AM, Axb axb.li...@gmail.com wrote:
I hope you're running SA 3.4 so:
I am still on 3.3.2 because nobody has yet packaged 3.4 for CentOS 5.x, from
what I can tell. I have the package from the rpmforge-extras repo, and 3.3.2
is still the most current version there (and
On Feb 20, 2014, at 11:21 AM, Kris Deugau kdeu...@vianet.ca wrote:
Have you tried learning one specific FN, then reprocessing that message
to see what Bayes score it gets? IME it will usually shift from
BAYES_00 to at least BAYES_40 in most cases, even with a large sitewide
DB with far more
On Feb 25, 2014, at 2:32 PM, John Hardin jhar...@impsec.org wrote:
perl modules named X::Y are typically in perl-X-Y.noarch.
perl-Mail-SPF-Query.noarch *may* satisfy Mail::SPF.
perl-Mail-SPF is available from rpmforge-extras, which must be manually enabled
(do a yum list available
On Feb 26, 2014, at 5:49 PM, Jeff Mincy j...@delphioutpost.com wrote:
Can't you do something like this using a look ahead regexp?
(?=[A-Z0-9]{30,})(?:[A-Z]*[0-9]){10,}
According to regexpal.com, that matches the OP's example. The lookahead works
properly in this case, since trying to use
On Mar 17, 2014, at 12:12 AM, Thomas Harold thomas-li...@nybeta.com wrote:
Well, for simplicity, RPMForge is probably the easiest, even if it
doesn't have the latest versions. Latest CentOS6 x64 version is 3.3.1.
rpmforge-extras has v3.3.2. Atomic also has it. Nobody has 3.4 yet.
--- Amir
On Mar 17, 2014, at 7:54 AM, Axb axb.li...@gmail.com wrote:
What's the benefit from installing from RPM?
In my case, it is a necessity; my server runs a control panel for virtual hosts
and distributes the software to each host based on the rpms installed.
If I install from source I would
On May 22, 2014, at 6:44 PM, John Hardin jhar...@impsec.org wrote:
You might want to do this:
rawbody MANY_BLANK_LINES /(?:(?:br)?\r?\n){9}/mi
AC_BR_BONANZA should cover the HTML case. It could be easily extended to match
standard LF or CR per above. (In my case I am matching something
On May 28, 2014, at 12:16 PM, Joe Quinn jqu...@pccc.com wrote:
It could be worth discussing again. Perhaps you could write a proof of
concept and see what other use cases it has?
In prior discussions, I think I mentioned it would be useful for spam
templates... some templates embed a hash
On Jun 9, 2014, at 4:25 PM, John Hardin jhar...@impsec.org wrote:
On Mon, 9 Jun 2014, Philip Prindeville wrote:
On Jun 9, 2014, at 7:11 PM, David B Funk dbf...@engineering.uiowa.edu wrote:
Just beware of FPs, I've seen some ugly URLs from things like airline
reservation confirmations. (spammers are getting better at stealing
features from legit messages to protect their garbage).
FWIW, I haven't had a
On Jul 2, 2014, at 12:58 PM, David F. Skoll d...@roaringpenguin.com wrote:
I don't think so. Any MUA that tried to convert #x0435; to a
Unicode character in a text/plain part with implicit US-ASCII charset
and 7bit content transfer encoding is broken. An MUA should display
exactly #x0435; in
On Jul 24, 2014, at 4:08 PM, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
In text/plain with CTE of ‘7bit’ or ‘8bit’ it’s meaningless to use Unicode
HTML entity encodings. It’s obviously not HTML.
If you want Unicode in text/plain, it should be in base64 or
On Jul 25, 2014, at 4:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:
You should look at the patch on bug 7068
(https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7068)
Yes, but this is within the code itself. I was referring to how to do this in
a local.cf, for example...
Amir
On Sep 3, 2014, at 2:01 PM, John Hardin jhar...@impsec.org wrote:
Did that hit any of the existing phish rules? They may need some attention...
Similar phishing just received, spample here:
http://pastebin.com/UEmb035j
It did not hit any phishing rules. In fact, because it was only BAYES_50,
Hi all,
One of my spammy URI template rules is, for some reason, not hitting
any more. Spample here:
http://pastebin.com/jy6WZhWW
In my local.cf sandbox I have the following:
uri __AC_STOPRANDDOM_URI1
On Sep 8, 2014, at 12:06 PM, Axb axb.li...@gmail.com wrote:
imo, an URI rule shouldn't have a boundary delimiter
I normally have one to signify the end of the URI, as this is intended to
reduce FPs (just in case some legitimate email might match this but have
something after the domain).
On Sep 8, 2014, at 4:09 PM, Karsten Bräckelmann guent...@rudersport.de wrote:
Pulled the sample from pastebin and fed to spamassassin -D with your
custom rule added as additional configuration. That rule hits.
It does not hit on mine, and I think I've figured out why. I'm using SA 3.3.2
with
On Sep 8, 2014, at 6:59 PM, Karsten Bräckelmann guent...@rudersport.de wrote:
It also should be possible to simply replace that Perl module
with the current trunk version.
It seems like this is doable, and I just tried it... a test run on the previous
spample now hits my template. Hopefully
On Sep 8, 2014, at 7:17 PM, Alex Regan mysqlstud...@gmail.com wrote:
Please use plain-text rather than HTML. In particular with that really
bad indentation format of quoting.
It doesn't seem possible with gmail directly any longer, so I've set up
thunderbird for this. Maybe it is, but not
On Sep 8, 2014, at 7:45 PM, Karsten Bräckelmann guent...@rudersport.de wrote:
Opinions? Discussion in here, or should I move this to dev?
Given that TLDs can and do change on a timescale more frequent than many people
update their version of SA (myself included), I would vote for a method
On Sep 10, 2014, at 7:47 AM, Axb axb.li...@gmail.com wrote:
For several months I've been using
bayes_auto_learn_threshold_nonspam -1.0
Any reason you chose -1.0 rather than something a bit closer to 0, like -0.5 or
-0.2? Most of my low-scoring spam is pretty close to 0, so I'm just
On Sep 25, 2014, at 8:51 AM, John Hardin jhar...@impsec.org wrote:
You *did* keep your initial Bayes training corpora, right?
Does it matter if you keep the initial corpora, or just that you train on known
corpora, even if they are fluid?
--- Amir
thumbed via iPhone
On Sep 25, 2014, at 10:35 AM, Axb axb.li...@gmail.com wrote:
imo, fresh spam is the best spam.
I've got plenty...
Nowadays, we tend to reject most good fodder with all kinds of methods at
SMTP level and what's left is often hardly enough to keep a bayes DB well fed.
In my case, spam is
On Sep 30, 2014, at 11:11 AM, John Hardin jhar...@impsec.org wrote:
How are you training your Bayes database?
How much have you trained it? It requires a certain minimum amount of both
spam *and* ham before it starts evaluating messages.
I have a significantly trained DB and I get the same
On Oct 1, 2014, at 3:17 PM, Axb axb.li...@gmail.com wrote:
have you tried -L forget before -L spam ?
I thought the documentation said that if a message had previously been learned
as ham, that learning it as spam would auto-forget it beforehand. Similarly
for spam-ham training. Is the
On Oct 2, 2014, at 9:19 AM, Amir Caspi ceph...@3phase.com wrote:
On Oct 1, 2014, at 3:17 PM, Axb axb.li...@gmail.com wrote:
have you tried -L forget before -L spam ?
I thought the documentation said that if a message had previously been
learned as ham, that learning it as spam would auto
On Oct 8, 2014, at 4:23 PM, Duane Hill duih...@gmail.com wrote:
No.is a way of chaining commands together. Your cron says run
sa-update and then restart spamd. In other words, when sa-update
finishes running, regardless if there was an update applied or not,
restart spamd.
Looks like I'm late to the party. :-)
--- Amir
thumbed via iPhone
On Oct 8, 2014, at 4:46 PM, Amir Caspi ceph...@3phase.com wrote:
On Oct 8, 2014, at 4:23 PM, Duane Hill duih...@gmail.com wrote:
No.is a way of chaining commands together. Your cron says run
sa-update
On Feb 16, 2015, at 1:01 PM, RW rwmailli...@googlemail.com wrote:
IIWY I'd look into rescoring the BAYES_* rules.
I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total
score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the
other rules are
Hi all,
Over the last week I've seen a significant uptick in FN spam to my users.
We're getting tens of FNs per day per user, whereas a few weeks ago it was just
a few FNs per day per user. We're getting BAYES_99/999 on many of these, but
no other major markers are hitting (razor, pyzor,
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
I'm happy to look at a recent sample and throw it through my system to see
what it hits but overall, I've been seeing the exact opposite.
Hmmm. Well, like I said, maybe we're just first on the list and are getting
all
On Jan 9, 2015, at 12:47 PM, Benny Pedersen m...@junc.eu wrote:
keep your problem then
[...]
hopefully you know you problem now to not ask about more help here
Can I make a personal request to all on the list? PLEASE keep it civil and
professional, and stop all these pissing contests. The
On Jan 8, 2015, at 11:04 AM, Benny Pedersen m...@junc.eu wrote:
no need to sorry, its just me that hate to see more and more systems runs on
autopilot and just want to have it fixed by doing nothing on the maintainer
side of view,
Perl is maintained on the CentOS side, they backport a
I am running 3.4.0 on CentOS 5.11 with perl 5.8.8 with no issues whatsoever.
--- Amir
thumbed via iPhone
On Jan 8, 2015, at 8:51 AM, Eric Broch ebr...@whitehorsetc.com wrote:
List,
I read through the release announcements for Spamassassin 3.4.0 (I'm
currently running 3.3.2) and noticed it
On Jan 8, 2015, at 11:52 AM, Benny Pedersen m...@junc.eu wrote:
so you tested what happend if all plugins is disabled ?
Ah, no, I did not do that. I saw no need since I actually want to use the
plugins... =) So no, I guess I did not quite address your concern.
--- Amir
On Mar 30, 2015, at 9:49 AM, Kris Deugau kdeu...@vianet.ca wrote:
Seconded; this is exactly what we've been finding. Invaluement is a
great complement to Spamhaus for a fraction of the cost.
Definitely something to add to my nice to have list for the future. Sadly,
as I mentioned earlier,
Hi,
I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the
full email address in To:, not just the user part... is that right? I've been
getting a bunch of spam (some of which ends up as FNs) with just the username
portion of To: in the Subject line. This is almost
On Apr 1, 2015, at 8:08 AM, Bowie Bailey bowie_bai...@buc.com wrote:
The way it's written, it will only hit if the Subject header follows the To
header.
I thought John modified the rule to fix that, about a year ago... did that not
get implemented in production?
--- Amir
thumbed via iPhone
On Feb 21, 2015, at 6:48 PM, Dave Pooser dave...@pooserville.com wrote:
I'm not a moderator or anything, but this kind of personal attack is
neither necessary nor appropriate here, IMO.
Indeed, it seems like just a few weeks ago that I asked people to be more
professional, since some of us
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
I see no network checks here... do you use network checks?
On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:
Are you using network tests? These are scoring pretty high for me.
I presume you're
On Mar 27, 2015, at 1:20 PM, Axb axb.li...@gmail.com wrote:
These three samples are very different in the sense that #1 is a hacked
site, #2 #3 are the regular snowshoe.
Of course, I picked three different samples on purpose. But, I have hundreds
that replicate these.
What I miss in your
On Mar 27, 2015, at 1:33 PM, Axb axb.li...@gmail.com wrote:
Are you using Mailscanner? if yes then it's you munging URIS so they breaking
lookups on any hash type as in
Yes, I am using MailScanner. Some URIs are munged, others are not. For
example, you can see in that very pastebin you
On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote:
Apologies if this is an overly obvious answer, but are you using any
greylisting? This would (potentially) move your user away from the
wavefront of a spam's distribution, and give it a better chance of
triggering the network-based tests.
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
I'm happy to look at a recent sample and throw it through my system to see
what it hits but overall, I've been seeing the exact opposite.
So, one of my users has been getting dozens (sometimes nearly 100) FNs per DAY
On Mar 27, 2015, at 12:20 PM, Axb axb.li...@gmail.com wrote:
- Please post missed spam samples in pastebin.com - do not post samples to
mailing lists
Of course, I would never post it to the list. I will put up a few in pastebin
but there are so many of them, and there are a few different
On Mar 27, 2015, at 12:22 PM, Reindl Harald h.rei...@thelounge.net wrote:
we have currently 577 different subjects and subject-parts scored , i don't
want to publish them because i'd like the spammers don't change to new ones
:-)
Sadly, that doesn't help me. I don't have time to compile
On Mar 27, 2015, at 2:09 PM, Axb axb.li...@gmail.com wrote:
As an AV product I'd recommend Sophos AND ESETS/Nod32.
I'll look into Sophos, I'm not entirely sure if I can deploy it on my system or
not. We have to use RPMs that can be distributed to the virtual hosts, etc...
I'll definitely
On Mar 27, 2015, at 3:34 PM, Richard Doyle lists...@islandnetworks.com wrote:
All of these were From: domains created today.
Shouldn't they have been picked up by DOB? Or do I need to manually enable
some DOB plugin in SA? (If so, please let me know how...) When I ran the third
spample
On Mar 27, 2015, at 5:12 PM, Axb axb.li...@gmail.com wrote:
DOB isn't realtime/zero hour.
That kind of defeats the point, isn't it? I mean, if you wait too long, it's
no longer DOB, it's few-DOB...
I would have imagined that a DOB server would operate in a caching mode where
the first query
On Mar 27, 2015, at 6:19 PM, RW rwmailli...@googlemail.com wrote:
There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are
last-external only
Interesting. I wonder why I see those XBL/PBL hits, then. Maybe Zen timed out
on those queries from sendmail... or something. Either way I
Going back to this:
On Apr 1, 2015, at 7:47 AM, Bowie Bailey bowie_bai...@buc.com wrote:
That might be reasonable for most email addresses, but there are quite a few
people who have a usable name or nickname as the user part of their email.
(j...@example.com). It would not make sense to
On Apr 1, 2015, at 3:03 PM, Kevin Miller kevin.mil...@juneau.org wrote:
You can reject on RDNS (or lack thereof) in sendmail depending on the
version. Search for require_rdns.
Thanks, I'll look into it. Sadly I don't think I have time to manually
whitelist misconfigured servers, since I
On Apr 1, 2015, at 2:26 PM, Kevin Miller kevin.mil...@juneau.org wrote:
I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did
that, almost instantly the spam dropped dramatically.
[...]
There was some discussion in this group about blocking on DNS providers about
a
On Jun 9, 2015, at 12:29 PM, John Hardin jhar...@impsec.org wrote:
(2) Check the HELO the other guy sends and reject if it's not a FQDN (i.e.
it's not got any periods at all). This probably shouldn't be done on mail
originating locally, but for mail coming in from the Internet the other MTA
On Jun 9, 2015, at 12:51 PM, RW rwmailli...@googlemail.com wrote:
Bogofilter is pretty easy to use without a plugin. Typically it's just
a matter of piping your mail through bogofilter -e -p
In general the most efficient way to score-in an external filter is to
run it separately and have SA
On Jun 10, 2015, at 12:32 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
FEATURE(`block_bad_helo')
define(`confALLOW_BOGUS_HELO', `False')
Argh, unfortunately, that feature is only on sendmail 8.14 and higher, which
means RHEL/CentOS 6 or higher. For those of us running RHEL/CentOS 5,
On Jun 19, 2015, at 6:02 PM, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
Given how many vulnerabilities CentOS 5 has, why would you want to keep
running that?
Because, while I wish I could upgrade ... various circumstances prevent that
right now.
It is fully patched, FWIW.
On Jun 29, 2015, at 10:30 AM, Kris Deugau kdeu...@vianet.ca wrote:
Ben wrote:
Second, I'm becoming less and less of a buyer on the whole report it to
the ISP malarky. It's starting to become a bit of a 1990's way of doing
it. I increasingly find myself wondering whether ISPs actually
On Oct 21, 2015, at 7:34 PM, Kevin A. McGrail wrote:
> I want to run the samples you provided and see if I can duplicate the issue
> but it definitely sounds odd.
I've got four more of them, if you want. (Includes a reply to one of the
spamples, a separate two-message
On Nov 9, 2015, at 10:20 AM, Benny Pedersen wrote:
>
> and it was the only rule that hitted ?
>
> think again
A score of 6 is a poison pill for a threshold of 5 unless there are significant
negative-score rules that hit. If an email is otherwise "neutral" (Bayes 50, no
On Nov 9, 2015, at 10:09 AM, John Hardin wrote:
>
> score URI_MALWARE_CWALL 6.000
Is your threshold higher than 5? Otherwise this is a poison pill for a
"potential" hit.
--- Amir
thumbed via iPhone
Hi,
I didn't realize this until now but it looks like, for at least the
last 6 months or so, a few emails from users@spamassassin have been dropped
into my spam folder due to what I perceive to be a bug in the
HEADER_HOST_IN_BLACKLIST rule. Specifically, I've got some
On Oct 19, 2015, at 1:16 PM, RW wrote:
>
> IIWY I wouldn't try to rescore the blacklisted URIs. I'd create a
> separate list for the TLDs
Why? It might avoid this issue but IMHO the second rule is a bug, so that's a
band-aid rather than a solution. I don't want a
On Oct 19, 2015, at 1:16 PM, RW wrote:
> body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
> header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
>
> These appear to be the same thing. The first call is just a shorthand
> form for the
On Sep 28, 2015, at 1:53 PM, John Hardin wrote:
> Is greylisting an acceptable option in your environment?
Probably not. I've got some users who would not accept it. I'm thinking of
implementing it anyway, but right now, not a viable option.
> Also: both of those samples
Hi all,
So, one of my users has been getting dozens of spams per day lately,
that have been getting BAYES_999 but not triggering any other point rules. All
of these spams have forge warnings in the Received header, and it seems like it
might be worth adding a low-scoring "may be
On Sep 28, 2015, at 1:34 PM, Axb wrote:
> you may need to start looking at a local RBL and start blocking IP ranges
>
> been blocking snowshoe from Baraka Streaming Technologies Inc 38.113.188.0/22
> since 2014-06-18 - no complaints - ymmv
Will look into it, but that
On Sep 28, 2015, at 10:17 PM, David B Funk wrote:
> By itself not a strong spam sign, but good for metas.
FWIW, I added this as a rule with 0.2 points. "Unfortunately," my user's
snowshoe hits today have all been hitting RDNS_NONE instead of this rule, so I
On Sep 28, 2015, at 3:55 PM, RW wrote:
>
> YMMV but I find that in deep received headers "may be forged" is a
> slight ham indicator. That's why I suggested limiting the match to the
> MX server's received header.
In that case it likely couldn't be a distributed
> On Sep 8, 2016, at 10:05 AM, apache.org+spamassas...@daniel-rudolf.de wrote:
>
> As you can see, SA will increase the score by 0.5 when the From: and
> Return-Path: headers don't match ("ne" for "not equal").
This particular rule will FP for most mailing list emails... including this
one.
Hi all,
So, I've been trying to tweak my setup and noticed that VERY few of my
emails are being autolearned as spam, even when their spam threshold is far
above the autolearn threshold. The threshold is set to 12; I just saw a spam
with score >25 not being autolearned.
Are
On Feb 23, 2018, at 11:47 PM, David B Funk wrote:
> It could have 20 points from a whole bunch of body rules but if it only hit 2
> points via header rules it still will not auto-learn.
Gotcha. The spam in question that triggered this hit a lot of rules, but hard
> On Feb 21, 2018, at 9:57 AM, Dianne Skoll wrote:
>
> That's why you only want to do it for URLs that are
> absolutely known to be shortened URLs. You have to keep a list of
> known URL-shorteners.
On that note -- regardless of what OTHER HW/SW solutions might do,
> On Feb 21, 2018, at 12:45 PM, Dianne Skoll wrote:
>
> Someone earlier posted a link to https://github.com/smfreegard/DecodeShortURLs
Oops, I missed that... must have thought it was just about decoding and not
about SA. Thanks for clarifying!
--- Amir
> On Feb 16, 2018, at 4:41 PM, John Hardin wrote:
>
> Not necessarily safe. If your MTA receives a message without a Message-ID, it
> is supposed to generate one. And if it does so, it will probably do so using
> your (recipient) domain...
Wouldn't this also FP on messages
> On Feb 26, 2018, at 11:00 AM, Kevin A. McGrail
> wrote:
>
>> DecodeShortURLs has been on my list of must-have plugins for years, so
>> I was a little surprised it took so long for someone to mention it
>> in this thread.
> Yeah, my firm is going to look at
On Aug 1, 2018, at 6:09 PM, John Hardin wrote:
> Recommendation: download the spamassassin-3.4.1-12 (or later) SRPM from
> Fedora and try building an RPM from it in a Centos 6 dev environment. That's
> what I did for Centos 7 and it works jes' fine.
Kevin Fenzi maintains an SA repo for
On Mar 6, 2018, at 5:19 PM, RW wrote:
>
> Or probably more commonly when running the spamassassin perl script as
> an ordinary user for test purposes.
Right, if the DB is owned by that user, then they would see the rule fire with
spamassassin and might assume it's
> On Apr 15, 2018, at 12:39 PM, Computer Bob wrote:
>
> I still am a bit puzzled how bayes db gets handled when using virtual users
> and domains. I see no trace of bayes or .spamassassin files in any of the
> virtual locations or in the sql databases.
If you want
On Apr 16, 2018, at 11:15 AM, RW wrote:
>
> You seem to be confusing unix and virtual users.
Sorry, I was confusing "virtual hosting" with "virtual users." Oops.
Ignore me!
--- Amir
On Apr 25, 2018, at 8:57 AM, Paul R. Ganci wrote:
>
> Sorry I should have mentioned that. I was aware of that issue. As you can see
> spamd is running as root in this case and the spamassassin tests were also
> done as root.
spamd running as root doesn't run as root; it