Number of rules

2009-07-30 Thread Dennis B. Hopp
I'm using maia-mailguard with spamassassin 3.2.5. For the most part it seems to be working ok but I feel like too many messages are hitting BAYES_00 (roughly 3.7% of all messages) and BAYES_99 is only hitting about 1.7%. I have bayes autolearn on with ham being learned at -1.0 and spam

Re: Number of rules

2009-07-30 Thread Dennis B. Hopp
Quoting RW rwmailli...@googlemail.com: Bear in mind that autolearning uses its own version of the score that excludes whitelisting and Bayes, which means that very little ham will reach the -1 threshold unless you've added your own site-specific rules for identifying it. Yeah I knew that.

Re: Cant Post Message

2009-07-31 Thread Dennis B. Hopp
Quoting twofers twof...@yahoo.com: I have a post I have tried several times over the last week to post to this forum and it never seems to get posted. I don't understand why? There is nothing exotic about it, just text, a question and email header info I pasted. Any idea what's up?

Re: Number of rules

2009-07-31 Thread Dennis B. Hopp
Quoting LuKreme krem...@kreme.com: On Jul 30, 2009, at 18:12, Dennis B. Hopp dh...@coreps.com wrote: Yeah I knew that. I have a few negative scoring rules but not many (outside of what might be in the misc rules sets I have). What is a good threshold for ham then? 5.0 is the score SA

Re: Number of rules

2009-07-31 Thread Dennis B. Hopp
Quoting RW rwmailli...@googlemail.com: On Fri, 31 Jul 2009 03:55:48 +0200 Karsten Bräckelmann guent...@rudersport.de wrote: The default of 0.1. It's a default for a reason. But that *really* is not your problem. Your problem is with learning spam, not learning even more ham. Just as you

Re: Number of rules

2009-07-31 Thread Dennis B. Hopp
Quoting John Hardin jhar...@impsec.org: On Fri, 31 Jul 2009, Dennis B. Hopp wrote: I cleared my maia statistics a couple of days ago. Since then BAYES_00 has triggered 4510 times, BAYES_99 2366 times and BAYES_50 1568 (all the other BAYES_XX are less than 1000 times). Do they all add

Re: Number of rules

2009-07-31 Thread Dennis B. Hopp
Quoting Karsten Bräckelmann guent...@rudersport.de: On Fri, 2009-07-31 at 06:07 -0700, John Hardin wrote: On Fri, 31 Jul 2009, Dennis B. Hopp wrote: I cleared my maia statistics a couple of days ago. Since then BAYES_00 has triggered 4510 times, BAYES_99 2366 times and BAYES_50 1568

Re: Number of rules

2009-07-31 Thread Dennis B. Hopp
Quoting Karsten Bräckelmann guent...@rudersport.de: If I'm reading that correctly less than 50% of mail is actually being filtered (seems like it should be higher than that). Those stats Actually, the numbers you gave for the last couple days are even lower. About one third, 15k out of 45k do

Re: mail slipping through

2009-08-19 Thread Dennis B. Hopp
Quoting Gary Smith gary.sm...@holdstead.com: I've been having a pretty good hit rate on spam until recently (about two weeks). Two types of email have been coming through at a good rate. I'm receiving at least four per hour from the domains included below. I've also been training

Bogus Dollar Amounts

2010-02-24 Thread Dennis B. Hopp
I have been seeing a few spam mails slip past that talk about being able to get bogus dollar amounts. What I mean by that is it will give a large value in the e-mail but where there should be a comma it puts a period. I put an example of one of these messages at:

Re: Bogus Dollar Amounts

2010-02-24 Thread Dennis B. Hopp
Nevermind...it was also hitting T_LOTS_OF_MONEY and once I expired old bayes tokens it no longer hit BAYES_00. Now I just have to figure out what's up with my bayes db. --Dennis Quoting Dennis B. Hopp dh...@coreps.com: I have been seeing a few spam mails slip past that talk about being

Re: Bogus Dollar Amounts

2010-02-24 Thread Dennis B. Hopp
It is common in many parts of the world to use a period instead of a comma as a digit group separator, and vice-versa for the decimal separator. http://en.wikipedia.org/wiki/Thousands_separator#Digit_grouping I knew it was common in other parts of the world, but for some reason was

Re: Bogus Dollar Amounts

2010-02-25 Thread Dennis B. Hopp
Quoting Kai Schaetzl mailli...@conactive.com: Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600: Obviously I have something going on with my bayes, but that's a separate issue Indeed. But it's an important issue. If it is that biased for other spam as well you are better off

Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp
We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers (hotmail, yahoo, etc.) and so they get passed through our spam filters.

Re: Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp
On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote: On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote: Obviously we just have to tell the clients that they need to deal with the various e-mail providers, but is there an effective way that I can filter these messages out

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
1) Spammers rotate sender addresses and hijacked account info more often than most of us change our underwear. An account *may* get reused; chances are it'll be months before it does, and the spammers will have rotated through hundreds or thousands of others - both phish-cracked and

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
It's not conditional, just using a meta rule and negating the Reply-to test in the meta: describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address header __FORGED_HM1 From =~ /\...@hotmail\.com/i header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i meta

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
I don't think the accounts were hijacked: the headers showed that the messages the OP posted were not sent from the domain hosting the mail accounts. It looked to me as if somebody has sold on lists of valid hotmail etc. accounts. I smell an inside job, or at least some careful

Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp
...and I suppose the same would apply to social networks. I don't use either, so am somewhat clueless about what goodies are available if you can access their accounts. I have some free e-mail accounts that I use as throw away accounts. When a site just HAS to have a valid e-mail so you can

Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address header __FORGED_HM1 From =~ /\...@hotmail\.com/i header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i meta FORGED_HOTMAIL (__FORGED_HM1 && !__FORGED_HM2) score FORGED_HOTMAIL 5.0 and write cookie

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
The problem with this is that the !__FORGED_YH2 matches when there is *NO* Reply-To header at all! You need something like this: header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2) (remove the negation from the meta)

Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp
On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote: The problem with this is that the !__FORGED_YH2 matches when there is *NO* Reply-To header at all! You need something like this: header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i meta FORGED_YAHOO

Re: My First Spam Mail Today

2010-03-12 Thread Dennis B. Hopp
My headers look like: X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on mail.iamghost.com X-Spam-Level: * X-Spam-Status: No, score=1.0 required=6.3 tests=EXTRA_MPART_TYPE,HTML_MESSAGE autolearn=no version=3.3.0 * The message scored a 1.0 (score=1.0) but the

Re: Upgrading to SpamAssassin 3.3

2010-03-17 Thread Dennis B. Hopp
On Wed, 2010-03-17 at 11:35 -0400, Kaleb Hosie wrote: Hello, I'm running SA 3.2.5 on CentOS 5.4 and I've noticed that a newer major release has been released. The server is currently in production so I'm a bit leery to upgrade. Do you feel that it is worth the upgrade to 3.3? Is there

KHOP_RCVD_TRUST

2010-03-26 Thread Dennis B. Hopp
I received the following e-mail http://pastebin.com/JXr9buxi It had a total score of 4.973 (blocked at 5). Among other rules it hit: KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001 So is the KHOP_RCVD_TRUST score too low? Should I possibly consider making that -0.75 or

Re: KHOP_RCVD_TRUST

2010-03-26 Thread Dennis B. Hopp
On Fri, 2010-03-26 at 11:35 -0400, Michael Scheidell wrote: On 3/26/10 10:41 AM, Dennis B. Hopp wrote: I received the following e-mail http://pastebin.com/JXr9buxi It had a total score of 4.973 (blocked at 5). Among other rules it hit: KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED

AWL

2010-04-09 Thread Dennis B. Hopp
I have AWL enabled and it seems to be ok with helping out legitimate senders that occasionally send a spammy type message, but lately I have seen an increase where AWL is adding a negative score to a very blatant spam. So my questions are, do people feel AWL is worth having enabled? Is there

Re: AWL

2010-04-09 Thread Dennis B. Hopp
Not that I'm aware of. Is the AWL score enough to prevent the messages from being marked as spam, or are you seeing the negative AWL score on messages that are marked as spam? It is normal for AWL to give negative scores to spam from time to time, but for the most part, it should not be

Re: Quarantine Management

2010-04-10 Thread Dennis B. Hopp
Quoting Alex mysqlstud...@gmail.com: Hi, Just wondering what other tools are out there that people like. I use postfix as my MTA right now, but am not completely opposed to using something else if necessary to use a specific quarantine system. Amavisd-new works well with postfix maia

Re: multiple instances

2010-04-16 Thread Dennis B. Hopp
On Fri, 2010-04-16 at 10:08 -0700, Gary Smith wrote: I have a need to run several different instances of SA on a single box (in development). In production, we have 3 different SA environments (with 2+ servers each) that have different rule sets and specific routing rules determine which

Re: Auto Learn Spam

2010-04-28 Thread Dennis B. Hopp
On Wed, 2010-04-28 at 11:53 -0400, Carlos Mennens wrote: I noticed when reviewing headers today that there was a section for 'autolearn=no' and was wondering what exactly does this mean and wouldn't autolearn be a good thing? I use Amavisd-new which calls out to SpamAssassin modules but I

Re: Auto Learn Spam

2010-04-28 Thread Dennis B. Hopp
On Wed, 2010-04-28 at 12:38 -0400, Carlos Mennens wrote: I checked /etc/mail/spamassassin/local.cf just now and found only the following: required_hits 5 report_safe 0 rewrite_header Subject [SPAM] However I don't know if Amavisd-new is looking at local.cf because I show parameters