Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 17:02:09 -0700 (PDT) John Hardin jhar...@impsec.org wrote: I suggest that this rule should treat 0/8 as equivalent to 127/8. That's essentially what it's reserved for, just local to the LAN vs. local to the host. Does 0/8 really mean that? On at least one OS (Linux), the

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Tue, 21 Apr 2015 16:56:48 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: what if Microsoft starts using other IP range tested by RCVD_ILLEGAL_IP? Then it deserves what it gets. Market forces are intended to penalize companies that do stupid things and if we interfere in those market

RCVD_ILLEGAL_IP hit data

2015-04-21 Thread Dianne Skoll
Hi, The attached graph shows what we were seeing. Yellow rectangles denote weekends. It seems that the problem started on Friday, 17 April. Based on hits so far today, it appears that MSFT has stopped using 0.0.0.0/8 in Office 365. Regards, Dianne.

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 13:13:12 +0200 Benny Pedersen m...@junc.eu wrote: thanks for update, nice work Yes. I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all or even: v=spf1 exists:gmail.com -all Unfortunately, the SPF spec makes it tricky to chase down all

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:55:50 +0200 Reindl Harald h.rei...@thelounge.net wrote: and how does that care a SA setup? It probably doesn't seriously affect a default SA setup, but I have quite a few customers who (despite my warnings) knock off a couple of points on SPF pass for any domain. Also,

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:17:45 +0200 Reindl Harald h.rei...@thelounge.net wrote: v=spf1 exists:gmail.com -all makes no sense - the spammers don't own the domain in most cases and if they do then they just don't add a SPF policy to use it with infected clients Spammers often register and use

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald h.rei...@thelounge.net wrote: well, and how does SPF become part of the game in case of a throw-away domain as long as score SPF_NONE 0 - why in the world should a spammer add a TXT record to a throw-away domain? Ummm are you really that

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Wed, 22 Apr 2015 02:17:00 +0200 Mark Martinec mark.martinec...@ijs.si wrote: Received: from unknown (HELO localhost) (bsobolew...@stockton-house.com@236.139.213.194) by 76.172.150.91 with ESMTPA; Tue, 21 Apr 2015 11:41:10 -0800 so by a lucky coincidence a misparsed Received ends up

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Wed, 22 Apr 2015 00:47:56 +0200 Mark Martinec mark.martinec...@ijs.si wrote: I can only conclude that a rule like RCVD_ILLEGAL_IP will hit mostly on misconfigured or misguided sending mailers, not primarily on spam. I disagree. Now that the Microsoft issue has been fixed, well over 95% of

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 17:03:11 +0200 Reindl Harald h.rei...@thelounge.net wrote: besides that i am responsible for a single domain with currently 12000 users and the user number doesn't matter because it doesn't say anything about your insight it's pointless what spammers do and don't do OK. You

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 16:40:07 +0200 Reindl Harald h.rei...@thelounge.net wrote: WTF read the thread and context - i just stated I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all makes no sense for spammers, not more and not less It makes plenty of sense. We

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 16:20:41 +0100 Paul Stead paul.st...@zeninternet.co.uk wrote: I've had thoughts of an extension which calculates the number of IP addresses specified in an SPF record, then calculating the % of world-wide addresses this SPF declares... I don't seem to be able to bend the

FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
Hi, Not sure if this is still an issue in 3.4, but I'm seeing tons of FPs on RCVD_ILLEGAL_IP. Why? Because Microsoft (damn it to hell) has started using RESERVED IP ranges internally! Have a look: Received: from BLUPR10MB0835.namprd10.prod.outlook.com (0.163.216.13) by

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:59:19 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: I don't show it hitting on ham on my system though I trust DFS and AXB's experience in this matter. You might want to score it to 0 because I'm not going to raise a panic flag on a 1.3 score rule when Microsoft

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:20:35 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: Are you seeing it on a lot of emails? Over 25000 today; every single one of them from an ...outlook.com server. :( Regards, Dianne.

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:42:35 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: Weird. Any chance you know one of the senders and can ask them to email kmcgr...@pccc.com and raptorrevie...@pccc.com with a test? then you and I can compare tests hit, etc. Hmm... that'd be awkward because it's not

Weird empty messages

2015-05-08 Thread Dianne Skoll
Hi, We are seeing a trickle of weird empty messages. Here's a sample Sendmail log: May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100: from=ragland_rosell...@cttstone.com, size=18, class=0, nrcpts=1, msgid=8[10, proto=SMTP, daemon=MTA, relay=50-242-22-73-static.hfc.comcastbusiness.net

Re: Weird empty messages

2015-05-08 Thread Dianne Skoll
On Fri, 08 May 2015 13:14:56 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: Haven't seen any get through our spam filters, though and they typically score really high (40+). Yes, none have got through for us either... all scoring at least 15 or so. I'm just trying to figure out the motivation

DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Wed, 10 Jun 2015 13:56:49 + David Jones djo...@ena.com wrote: [One should run a caching DNS server on a mail server.] We are giving you solid advice based on real experiences where we ran into problems and worked around them. Just try to enable RBLs and see how it works for you. I'm

Re: DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Wed, 10 Jun 2015 14:56:40 + David Jones djo...@ena.com wrote: My point was that running a local caching server is the only way one can know exactly how the lookups are happening. Ah, true. I missed that point I guess. Regards, Dianne.

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 22:55:41 +0200 Reindl Harald h.rei...@thelounge.net wrote: the question is *how* is that de-listing managed and how do you manage i will take care in the future and if that's not true because de-listing is just a click how easy is it for spammers to not really care I

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 16:26:54 -0400 Jim Popovitch jim...@gmail.com wrote: On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll you should not have to pay for delisting one IP. and with BN you are NOT paying for a delisting. You are splitting hairs. Essentially, you are paying for delisting. We run

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 19:23:58 +0200 Reindl Harald h.rei...@thelounge.net wrote: spammers don't invest money, never Of course not. They pay using a stolen credit card. I don't approve of Barracuda's behaviour. If they're blocking /24s because of some bad machines, you should not have to pay

Re: Must-Have Plugins?

2015-06-19 Thread Dianne Skoll
On Fri, 19 Jun 2015 12:51:28 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote: [stuff] With this, we avoid ever accepting about 98% of the SPAM that we’d otherwise receive. Really? 98%? I find that surprising. We get quite a lot of spam from gmail, hotmail, yahoo etc. that

Re: Must-Have Plugins?

2015-06-23 Thread Dianne Skoll
On Tue, 23 Jun 2015 18:00:27 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote: I should have mentioned we also blacklist yahoo... and are thinking about blocking google, too. I see. If we did this, then yes, we'd probably stop a lot of spam (though nowhere near 98%) but we'd

Caching nameserver vs. resolver library (was Re: Must-Have Plugins?)

2015-06-11 Thread Dianne Skoll
[I have lost the attribution, but someone wrote:] That's not what I'm saying. It should not be necessary to run a full-blown DNS server for SA to do its queries. It should be possible to call a library and create a DNS context that has all of its own parameters and then use that in an

Re: DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Thu, 11 Jun 2015 01:00:45 +0200 Reindl Harald h.rei...@thelounge.net wrote: cache-min-ttl: 600 Even a 10-minute cache time buys you very little. My original analysis assumed a 15-minute TTL. Regards, Dianne.

Re: MailBlacklist.com Integration Testing Phase

2015-08-18 Thread Dianne Skoll
On Tue, 18 Aug 2015 10:48:54 +0100 MailBlacklist.com Management managem...@mailblacklist.com wrote: Regards, MailBlacklist.com Management. Really? That's your name? This sounds very fishy, sorry. Regards, Dianne.

Re: RBL format to blacklist email addresses?

2015-07-29 Thread Dianne Skoll
On Thu, 30 Jul 2015 01:56:08 +0200 Reindl Harald h.rei...@thelounge.net wrote: * no mailserver on this world treats the local part case-sensitive Well possibly, but that doesn't apply to all mail-handling software. Mail::SRS originally treated the local part case-sensitively, but it had to

Re: Return Path (TM) whitelists

2015-07-15 Thread Dianne Skoll
On Wed, 15 Jul 2015 15:23:44 -0700 Dave Warren da...@hireahit.com wrote: Huh? Last I looked, somewhere near 80% of my legitimate mail flow passes SPF. It wouldn't shock me if this has gone higher. That's not what we see. We see quite a lot of legitimate mail that either doesn't have SPF in

Re: phishing_reply_addresses list

2015-07-19 Thread Dianne Skoll
On Sat, 18 Jul 2015 20:36:21 -0400 Alex mysqlstud...@gmail.com wrote: Anyone know what happened to the phishing_reply_addresses list? It appears that the sourceforge site that was hosting it has been unreachable for a few days. As The Register saltily puts it, Sourceforge has experienced

Re: spf records and cnames

2015-10-21 Thread Dianne Skoll
On Thu, 22 Oct 2015 00:59:04 +0200 Reindl Harald wrote: > so *read* what i refer to and read it really > YOU SET THE SPF AS ANY OTHER RECORD TYPE FOR A CNAME IMPLICITLY BY DO > THAT FOR THE A-RECORD THE CNAME IS POINTING TO You don't need to yell. A CNAME does not

Re: SPF and blocking phishing attempts

2015-10-14 Thread Dianne Skoll
On Wed, 14 Oct 2015 17:51:23 -0400 Alex wrote: > I'd like to make sure incoming mail that appears to be "From:" one of > our internal users has indeed gone through one of the systems > specified in the SPF record, resulting in an SPF_PASS. Can't be done. SPF looks at

Simplicity (was Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains)

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 12:24:53 -0700 Larry Goldman wrote: > So, it is not possible to simplify the process of managing an email > server via an easy-to-use software user interface? I think if your goal is to simplify the process of managing an email server,

Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 13:04:36 -0700 Larry Goldman wrote: > Point me to the documentation of the SpamAssassin framework. Where > are rules documented? What are the current rules? Describe, in > detail, the new SA technology which fights abuse of new TLDs. man

Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 16:11:49 -0400 Dianne Skoll <d...@roaringpenguin.com> wrote: > Or if you want an online resource, > https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html D'oh, that's a link to an old version... sorry. http://spamassassin.apache.org/fu

Re: Simplicity (was Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains)

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 12:42:04 -0700 Larry Goldman wrote: > As a customer of CPanel, I was expecting the "competent someone else > who is supposed to simplify the process of managing an email server > for me" already to be working for CPanel. CPanel is just a

CPanel (was Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains)

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 12:48:58 -0700 Larry Goldman wrote: > SpamAssassin is a framework: a framework with seemingly no > documentation at all. I was considering downloading the source files > to see if the framework is documented there. Is that what it takes

Re: Return Path (TM) whitelists

2015-07-10 Thread Dianne Skoll
On Fri, 10 Jul 2015 17:34:06 +0200 Reindl Harald h.rei...@thelounge.net wrote: it's enough *once time* overlook the small letters besides some checkbox saying we give your data to our partners and so agree without intention while it's hard to impossible to realize the connection when weeks or

Re: Return Path (TM) whitelists

2015-07-10 Thread Dianne Skoll
On Fri, 10 Jul 2015 09:06:58 +0200 Matthias Leisi matth...@leisi.net wrote: For the record, this is the reason why dnswl.org http://dnswl.org/ does not charge for listings (and we don’t call it certification): it always leads to conflicts of interest. Yes, I trust dnswl.org. What we need is

Re: Return Path (TM) whitelists

2015-07-09 Thread Dianne Skoll
On Fri, 10 Jul 2015 07:58:39 +1000 Noel Butler noel.but...@ausics.net wrote: +1 I'll throw my +1 in on this also. Almost by definition, the kinds of organizations who buy into these certifications to get their mail delivered are unlikely to be the kinds of organizations I want to hear from.

Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 09 Sep 2015 09:23:44 +0200 Benny Pedersen wrote: > i would run "strings vbaProject.bin" and make clamav signature based > on it ClamAV is totally useless. Here's a trick: Macro viruses must define a subroutine called "Document_Open". So finding the string "Document_Open"

Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 9 Sep 2015 16:51:11 +0200 Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > On 09.09.15 10:44, Dianne Skoll wrote: > >ClamAV is totally useless. > Do you mean generally, or in this case? Generally, at least if you use the official signatures. And the unofficial ones

Re: The word on messages w/ no Message-Id

2015-09-28 Thread Dianne Skoll
On Mon, 28 Sep 2015 12:22:20 -0600 Philip Prindeville wrote: > I’m getting a lot of messages from head-hunters, my wife’s auto > dealership, etc. that look like they’re being generated by legitimate > [sic] email campaigns, but they don’t have a message-id.

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 12:21:33 + David Jones wrote: > I agree with Reindl. You can't block null senders or you break a lot > of legit emails. Well, if you run your own mail server, you can do whatever you like so long as you accept the consequences. I would say: A null

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 14:30:42 + David Jones wrote: > I agree with you and Reindl on this point too. I guess what I meant > to say is usually the hardest spam to block with a null sender is > backscatter from a normally trusted/good reputation mail server. Yes, that can be

Re: Resume / Doc Spam

2015-09-18 Thread Dianne Skoll
On Fri, 18 Sep 2015 21:51:59 +1000 Anthony Kamau wrote: > No courage needed. Simply install Sandboxie [0] (preferably in a VM) > and you can safely open any application inside the sandbox and see > what it invokes. Or use LibreOffice which has macros turned off by default,

Re: Rule Help

2015-09-25 Thread Dianne Skoll
On Fri, 25 Sep 2015 14:21:50 + Dave wrote: > I am trying to create a rule that scores TLD's in received headers if > they are not certain TLD's. What I have so far: Your logic is wrong. And you can do it all with one regex: header GC_TLD_COM Received

Re: Trying to understand how bayes works.

2015-12-11 Thread Dianne Skoll
On Fri, 11 Dec 2015 09:05:10 -0800 Marc Perkel wrote: > What I was thinking about doing was creating a string of tokens that > represented key features of the message. Then run that through a > program that created new tokens out of every possible combination of > 2

Re: Customized header (add_header) doesn't work

2015-12-17 Thread Dianne Skoll
On Thu, 17 Dec 2015 16:16:41 -0200 (BRST) Alfredo Saldanha wrote: > My second SA is a Zimbra server. > I use Zimbra SA only to drop the message in junk folder. > I don't want to clean at the Zimbra server, it is default behavior. You can use another milter such as

Re: Trying to understand how bayes works.

2015-12-10 Thread Dianne Skoll
On Thu, 10 Dec 2015 13:54:05 -0800 Marc Perkel wrote: > But what about combinations of tokens? I'm thinking that I'd like to > have something that says when it sees tokens X and Y and Z then > that's spam even though X,Y,Z might be in ham when not combined. The

Re: Trying to understand how bayes works.

2015-12-10 Thread Dianne Skoll
On Fri, 11 Dec 2015 03:31:56 +0100 Benny Pedersen wrote: > if z is scored as spam, and x and y is ham, then its ham basically > that's how bayes works, but a single mail might be lots of digest to > compare for this to say spam or not The thing is, the probability of token Y is not

Re: Word macros

2015-12-21 Thread Dianne Skoll
On Mon, 21 Dec 2015 21:02:21 -0500 Alex wrote: > Is mimedefang the de facto method for blocking Word macro files? I > haven't ever implemented it. Can it work with postfix/amavis? I don't know about de-facto, but it's what I use... hence my posting. If Amavis lets you

Re: SA Concepts - plugin for email semantics

2016-05-25 Thread Dianne Skoll
On Wed, 25 May 2016 15:07:37 +0100 Paul Stead wrote: > Consider the following 2 basic emails: > Mail 1: > Viagra > Mail 2: > V1agra Yes, except here's the problem. A drug company might legitimately talk about Viagra, so that wouldn't be a spam token. V1agra

Re: Problem with SPF plugin and MX2

2016-05-25 Thread Dianne Skoll
On Wed, 25 May 2016 10:17:19 -0500 (CDT) sha...@shanew.net wrote: > So, for those with more experience, what is the preferred way to run a > backup MX (or two or three, etc.) without losing or breaking the > benefit of spam filtering? For small installations, I find a backup MX is more trouble

Re: Problem with SPF plugin and MX2

2016-05-25 Thread Dianne Skoll
On Wed, 25 May 2016 13:05:57 +0200 Support SimpleRezo wrote: > We are expecting a problem when emails are coming from our MX2 with > the SPF plugin, because the SPF test is made on the last "Received" > IP and not the first one (as we can expect for a SPF test). > Does

Re: SA Concepts - plugin for email semantics

2016-05-25 Thread Dianne Skoll
On Wed, 25 May 2016 18:10:57 +0100 Paul Stead wrote: > > Yes, except here's the problem. A drug company might legitimately > > talk about Viagra, so that wouldn't be a spam token. V1agra almost > > certainly would be a spam token. Bayes can distinguish between

Re: SA Concepts - plugin for email semantics

2016-05-28 Thread Dianne Skoll
On Sat, 28 May 2016 14:53:15 -0700 (PDT) John Hardin wrote: > Based on that, do you have an opinion on the proposal to add two-word > (or configurable-length) combinations to Bayes? I have an opinion. :) Extending Bayes to look at multiple tokens is a *very* good idea.

Re: SA Concepts - plugin for email semantics

2016-05-30 Thread Dianne Skoll
On Mon, 30 May 2016 17:45:52 -0400 "Bill Cole" wrote: > So you could have 'sex' and 'meds' and 'watches' tallied up into > frequency counts that sum up natural (word) and synthetic (concept) > occurrences, not just as incompatible types of input

Re: SA Concepts - plugin for email semantics

2016-05-31 Thread Dianne Skoll
On Tue, 31 May 2016 21:23:11 +0100 Paul Stead wrote: > The implementation was undertaken from a personal interest - I asked > the question of what people thought of the implementation and the > impact to Bayes DB. I think what the "concepts" concept ends up doing

Re: SA Concepts - plugin for email semantics

2016-05-26 Thread Dianne Skoll
On Thu, 26 May 2016 12:20:35 +0200 Matus UHLAR - fantomas wrote: > you apparently mistook razor to DCC, the DCC is here to measure > bulkiness, but not (necessarily) spamminess. Yes, you are correct. Thanks for the clarification! And also, just to clarify another thing:

Re: how to write body rules to match 'tortured html' variations of text phrases?

2016-06-15 Thread Dianne Skoll
On Wed, 15 Jun 2016 13:40:25 -0700 (PDT) John Hardin wrote: > That's (more or less) "Quoted Printable" encoding. AFAIK, SpamAssassin "body" rules are applied after the Content-Transfer-Encoding: has been decoded. So the QP equal signs are a red herring. Regards, Dianne.

Re: I have developed a new method of blocking spam that's a game changer

2016-01-13 Thread Dianne Skoll
Well... You're light on details, but from the few clues you've given, is it possible you've (re-)invented a genetic algorithm for spam classification? http://ieeexplore.ieee.org/xpl/login.jsp?tp==5982390=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5982390

Re: I have developed a new method of blocking spam that's a game changer

2016-01-14 Thread Dianne Skoll
On Wed, 13 Jan 2016 18:01:09 -0800 Marc Perkel wrote: > When I reveal it I can explain the basic concept in about 2 > paragraphs. The core idea is amazingly simple. OK. What you need to do next is stop talking about it. :) If you disclose details, you risk

Catch rates (was Re: My new method for blocking spam - REVEALED!)

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 15:37:33 -0800 jdow wrote: > This observation invites a heretical question. Is nearly perfect spam > classification dangerous compared to merely 99.9%/0.1% accurate > classification? I think it's meaningless to talk about classifications better than

Re: Can your bayes do this?

2016-01-21 Thread Dianne Skoll
On Thu, 21 Jan 2016 12:11:15 + RW wrote: > "ambulatory care" -> only in ham ... > is that you have discarded the count information. And his assertion is not necessarily true, either. According to our statistics, we've seen "ambulatory care" in 1400 spams, but

Re: Can your bayes do this?

2016-01-21 Thread Dianne Skoll
On Wed, 20 Jan 2016 22:21:49 -0800 Marc Perkel wrote: > Here is a list of 5505874 words and phrases used in the subject line > of HAM and never seen in the subject line of SPAM > Here is a list of 3494938 words and phrases used in the subject line > of SPAM and

Re: More details on my evolution filter patent

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 11:24:52 -0800 Marc Perkel wrote: > Here's the details of how the filtering system is structured. This is > what I filed: I looked at your application. It seems to me your method is quite good at catching spams that are *already* easily caught

Re: My new method for blocking spam - example

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 11:46:39 -0800 Marc Perkel wrote: > Let me give you an example. Here's 2 subject lines. Easy to guess > which one is spam. But those are easy for Bayes also. Your filter (and Bayes) will have trouble with the short micro-spams with fairly

Re: My new method for blocking spam - REVEALED!

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 08:52:05 -0800 Marc Perkel wrote: > Suppose I get an email with the subject line "Let's get some lunch". > I know it's a good email because spammers never say "Let's go to > lunch". Really? You know that for a fact? > In fact there are an

Re: My new method for blocking spam - example

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 11:52:35 -0800 Marc Perkel wrote: > Again - Bayes compares what matches. My filter compares what doesn't > match. Your filter is exactly equivalent to Bayes if you do the following things: 1) Use combinations of up to four words as tokens,

Re: My new method for blocking spam - REVEALED!

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 11:35:33 -0800 Marc Perkel wrote: > Bayes is about matching. My Evolution filter is about NOT matching. > It's the *NOT matching* that makes it different. Unless you've described it wrong, it's not about not matching. It's about seeing if there

Re: The difference between my Evolution filter and Bayes is ...

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 12:01:59 -0800 Marc Perkel wrote: > Bayes compares the test message to what's in the Ham corpus and > what's in the Spam corpus and comes up with a number indicating it's > more like one or the other. As I mentioned earlier, your filter is

Re: My new method for blocking spam - REVEALED!

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 12:11:02 -0800 Marc Perkel wrote: > Again - it's not about matching as Bayes does. It's about not > matching. It's not about not matching. It's about a preprocessing step that discards tokens that don't have extreme probabilities. I think your

Re: My new method for blocking spam - REVEALED!

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 12:19:10 -0800 Marc Perkel wrote: > The way I know what spammers never use is I store what spammers do > use and see if it doesn't match. I've processed more than 100 million > spams and it's amazing how many common words and phrases that >

Re: My new method for blocking spam - REVEALED!

2016-01-20 Thread Dianne Skoll
On Wed, 20 Jan 2016 14:48:19 -0800 Marc Perkel wrote: > To be a little clearer. This new system isn't perfect. And its main > strength is identifying good email. It does catch a lot more spam for > sure but when people scream at me it's because I blocked something

Re: How does SpamAssassin processing languages other than English

2016-04-12 Thread Dianne Skoll
On Tue, 12 Apr 2016 13:41:51 -0400 Yu Qian wrote: > Yup, that's right, it becomes difficult if we want to support multiple > language in one spam detection solution. and it's true that there are > some best practice for single language. but didn't see too much >

Re: How does SpamAssassin processing languages other than English

2016-04-12 Thread Dianne Skoll
On Tue, 12 Apr 2016 17:00:21 -0400 Yu Qian wrote: > That's nice to hear SpamAssassin can look at word pairs, Sorry, maybe I wasn't clear... I was talking about our own Bayes engine. AFAIK, the SpamAssassin Bayes engine only looks at single words. Regards, Dianne.

Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote: > Thanks for the response. I'm in the spam filtering business and I'm > wondering what I can use (from the command line?) to detect if a PDF > has any kind of script attached that would be executable. that way I >

Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:27:18 -0800 (PST) John Hardin <jhar...@impsec.org> wrote: [Dianne Skoll] > > However, many legitimate PDF files contain Javascript snippets. > > Blocking solely on that basis will lead to many FPs. > I'd argue the "legitimate" part of th

Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 15:00:55 + David Jones <djo...@ena.com> wrote: > >From: Dianne Skoll <d...@roaringpenguin.com> > >ClamAV is basically useless. > ClamAV helps a little with the unofficial signatures. The operative word here is "a little".

Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote: > What do you suggest to fight these spams? ClamAV is basically useless. We do it the hard way. We list the contents of attached archives (using "lsar") and have filename-extension rules that block .js inside .zip

Re: SA cannot block messages with attached zip

2016-05-20 Thread Dianne Skoll
On Fri, 20 May 2016 17:47:09 -0500 (CDT) David B Funk wrote: > > We do it the hard way. We list the contents of attached archives > > (using "lsar") and have filename-extension rules that block .js > > inside .zip files. While this can lead to some FPs, which we

Re: SA cannot block messages with attached zip

2016-05-21 Thread Dianne Skoll
On Sat, 21 May 2016 12:28:48 -0400 "Bill Cole" <sausers-20150...@billmail.scconsult.com> wrote: > On 20 May 2016, at 7:07, Dianne Skoll wrote: > > Sorry for the non-easy answer. Doing it properly requires a > > non-trivial amount of coding. > I do not recall d

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-17 Thread Dianne Skoll
On Tue, 17 May 2016 17:14:37 +0200 Reindl Harald wrote: > NOBODY is talking about BLACKLIST short TTL > it's all about de-listing when you got blacklisted for good reasons IMO, the TTL is a completely irrelevant factor when considering whether or not to blacklist an IP.

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-17 Thread Dianne Skoll
On Tue, 17 May 2016 18:50:29 +0200 Reindl Harald wrote: > >> NOBODY is talking about BLACKLIST short TTL > >> it's all about de-listing when you got blacklisted for good reasons > > IMO, the TTL is a completely irrelevant factor when considering > > whether or not to

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-17 Thread Dianne Skoll
On Tue, 17 May 2016 21:42:15 +0200 Reindl Harald wrote: > discuss that with the people of SORBS Aren't we just a ray of fucking sunshine? Luckily, I have http://search.cpan.org/~dskoll/Mail-ThreadKiller/ to help me out. Regards, Dianne.

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-15 Thread Dianne Skoll
On Sun, 15 May 2016 18:08:31 +0200 Matus UHLAR - fantomas wrote: > >That seems a little aggressive, IMO. > I don't think so. If you have a mail server, you don't change its DNS > records very often. Maybe, but the TTL on the DNS records has nothing to do with whether or not

Re: TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-16 Thread Dianne Skoll
On Mon, 16 May 2016 09:12:54 +0200 Matus UHLAR - fantomas wrote: > short ttl's are more likely on abusers' DNS. good for refusing > delisting. I would love to see data on the correlation. I think it's pretty mild. A few random tests on consumer cable IPs reveals TTLs for

TTL on DNS records (was Re: understanding HELO_DYNAMIC_IPADDR)

2016-05-15 Thread Dianne Skoll
On Sun, 15 May 2016 13:25:34 +0200 Matus UHLAR - fantomas wrote: > Note that the TTL is 3600 for both reverse and forward records. > There are blacklists that won't delist your IP if your TTL is this > short, e.g. sorbs requires at least 14400. What, really? What's the

Re: malware campaign: javascript in ".tgz"

2016-04-21 Thread Dianne Skoll
Hi, Yes, we are seeing tons of these. We look inside various archive files for filenames and we quarantine .js files by default, so we didn't suffer any 0-day problems, and now I see that Sanesecurity is picking most of these up. Regards, Dianne.

Re: Using Postfix and Postgrey - not scanning after hold

2016-07-29 Thread Dianne Skoll
On Fri, 29 Jul 2016 21:13:56 +0200 Robert Schetterer wrote: > so i.e. measure mails tagged as spam by spamassassin > with pure greylisting setup running before tagging, perhaps for one > week, then stop greylisting, do the same with pure postscreen setup, > compare results, this way

Re: Using Postfix and Postgrey - not scanning after hold

2016-07-29 Thread Dianne Skoll
On Fri, 29 Jul 2016 22:21:04 +0200 Robert Schetterer wrote: > now compare with pure postscreen I don't use postfix or postscreen. All I'm showing is that greylisting stops a lot of mail, quite cheaply. And hardly anyone notices it. This is a production system filtering email

Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-07-29 Thread Dianne Skoll
On Fri, 29 Jul 2016 22:39:15 +0200 Robert Schetterer wrote: > > I don't use postfix or postscreen. > hm.. that does not fit the subject.. why did you involve yourself? I am sorry. I should have changed the thread subject. > you may get that quite better, i see > a lot of

Re: Using Postfix and Postgrey - not scanning after hold

2016-07-29 Thread Dianne Skoll
On Fri, 29 Jul 2016 08:35:46 -0700 (PDT) John Hardin wrote: > Greylisting means *you don't see the content at all during the > delay*. You tell the sending MTA to try again later when they first > connect and send the MAIL FROM and RCPT TO. If you implement the > delay

Re: detect if html attachment without plugin

2016-08-04 Thread Dianne Skoll
On Thu, 4 Aug 2016 09:53:32 -0300 Robert Boyl wrote: > Quick question. We have a Spamassassin installation where the mail > server's implementation doesn't permit any SA plugins, so I can't use > Plugin::MIMEHeader or the such. Umm... really? I think the correct answer to

Re: Catching well directed spear phishing messages

2016-06-28 Thread Dianne Skoll
About the only way to combat these sorts of things is to have proper financial processes in place. In other words, have checks to ensure that no-one can initiate a wire transfer without a vendor invoice, etc. Common sense stuff... but it's so easy to slip and you only have to slip once. :(

Technical solution (was Re: Childish actions of Harald Reindl)

2016-08-05 Thread Dianne Skoll
On Thu, 4 Aug 2016 16:53:18 -0500 Ryan Coleman wrote: > Can we please have him removed from the mailing list so that every > time I send a reply to the list they are not immediately bounced back > to me by his server? I also don't like people who Cc me and a list that I'm

Re: Reply-To Munging Considered Harmful (was Re: Childish actions of Harald Reindl)

2016-08-05 Thread Dianne Skoll
On Fri, 05 Aug 2016 11:44:16 +0200 Bernd Petrovitsch wrote: > Somewhat current "evolution" can do this without > installing/configuring anything. Claws Mail also. It seems to respect the List-Post: header. It'll be a cold day in Hell before MSFT acknowledges that

Re: Using Postfix and Postgrey - not scanning after hold

2016-07-29 Thread Dianne Skoll
On Fri, 29 Jul 2016 18:34:30 +0200 Matus UHLAR - fantomas wrote: > what do you use? DCC? No, we have our own code. > >1) If our customer has whitelisted a sender, but the whitelisted > >sender is in the From: header and not the envelope, we want the > >ability to skip