with a huge identifying key on it, yet the
unsubscribe page still asks you to enter your email address...
--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Can anybody explain to me the reason behind the blind "please send us a
quote for your product X" emails? I mean, I know they are somehow a
scam, but I can't figure out how it's supposed to work when the
target isn't a business...
--
John Hardin KA7OHZ
On Sat, 3 Apr 2021, Amir Caspi wrote:
For what it's worth, using the Fedora package has been exceedingly
stable on my CentOS 7 system.
Another CentOS 7 user here. I've been using self-compiled Fedora Rawhide
SRPMs in production for years with no issues.
--
John Hardin KA7OHZ
, thanks for the report.
--
John Hardin KA7OHZ
On Mon, 29 Mar 2021, Loren Wilton wrote:
I'd call these headers a great spam sign.
Depending on their rarity... :)
Occasionally spammers will screw up and leave template replacement tokens
in their message bodies. Great spam sign, too rare to be useful in
practice.
--
John Hardin
ssage attachments. Why would a voicemail be
delivered in that format?
--
John Hardin KA7OHZ
rules now and cleaning up in a day or two is probably
a reasonable approach.
--
John Hardin KA7OHZ
link. All the changes are there.
--
John Hardin KA7OHZ
P_RNBL -> RCVD_IN_VALIDITY_RPBL
Please audit your local config for score overrides and meta rules
depending on the old names.
--
John Hardin KA7OHZ
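One way to do the audit asked for above, added here as an example (my code, not a SpamAssassin tool or anything from the thread): walk a local.cf-style file, report every `score`, `describe`, `tflags`, `priority` or `meta` line that still uses a retired rule name (including names buried inside a `meta` expression), and optionally rewrite them. The rename table and the sample config are constructed for the example; the only real new name on this page is RCVD_IN_VALIDITY_RPBL, so the old names below are placeholders and not the real retired names.

```python
import re
from typing import Dict, List, Tuple

# Rename table, assumed for the example: retired name -> current name.
# RCVD_IN_VALIDITY_RPBL is the one real new name on the page; the old names
# here are placeholders, not the real retired names.
RENAMED_RULES: Dict[str, str] = {
    "OLD_EXAMPLE_RNBL": "RCVD_IN_VALIDITY_RPBL",
    "OLD_EXAMPLE_SAFE": "NEW_EXAMPLE_SAFE",
}

# Directives whose first argument is a rule name. 'meta' is special: its
# expression can also name other rules.
NAME_DIRECTIVES = {"score", "describe", "tflags", "priority", "meta"}
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _directive_and_args(line: str) -> Tuple[str, List[str]]:
    """Return (directive, [name, rest]) for a config line, looking through a
    leading 'lang xx' prefix; ('', []) for blank or comment-only lines."""
    code = line.split("#", 1)[0].strip()
    parts = code.split(None, 2)
    if parts and parts[0].lower() == "lang" and len(parts) == 3:
        parts = parts[2].split(None, 2)
    if not parts:
        return "", []
    return parts[0].lower(), parts[1:]


def audit_config(text: str, renames: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """(line_no, directive, old_name, new_name) for every reference to a
    retired rule name."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        directive, args = _directive_and_args(line)
        if directive not in NAME_DIRECTIVES or not args:
            continue
        if args[0] in renames:
            findings.append((no, directive, args[0], renames[args[0]]))
        if directive == "meta" and len(args) == 2:
            # Operands of a meta expression may be retired names too.
            for tok in _TOKEN.findall(args[1]):
                if tok in renames:
                    findings.append((no, "meta-operand", tok, renames[tok]))
    return findings


def rename_in_config(text: str, renames: Dict[str, str]) -> str:
    """Rewrite retired names, whole tokens only, on lines of the directives
    above. Regex bodies of header/body/uri rules are never touched."""
    out = []
    for line in text.splitlines():
        directive, _ = _directive_and_args(line)
        if directive in NAME_DIRECTIVES:
            code, sep, comment = line.partition("#")
            code = _TOKEN.sub(lambda m: renames.get(m.group(0), m.group(0)), code)
            line = code + sep + comment
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed local.cf fragment for the example.
SAMPLE_LOCAL_CF = """\
# local overrides (constructed sample)
score OLD_EXAMPLE_RNBL 2.5
score URIBL_BLACK 3.0
meta MY_BAD_SENDER (OLD_EXAMPLE_RNBL && !OLD_EXAMPLE_SAFE)
describe MY_BAD_SENDER Listed and not on a safe list
header MY_AT_RULE From =~ /\\@example\\.com/i
"""

if __name__ == "__main__":
    for no, directive, old, new in audit_config(SAMPLE_LOCAL_CF, RENAMED_RULES):
        print(f"line {no}: {directive} still references {old} (now {new})")
```

Run `spamassassin --lint` after rewriting; a `meta` that still names a rule that no longer exists is exactly the kind of thing it will warn about.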
for a few weeks and see how it goes, but am interested in
comments on its usefulness?
It has pretty much been replaced by TxRep.
--
John Hardin KA7OHZ
it locally, and run the tests in the Testing section of
that Confluence page. If that works, point SpamAssassin at it as described
in the Using section of that Confluence page.
On 15 Mar 2021, at 1:29 am, John Hardin wrote:
On Sun, 14 Mar 2021, jwmi...@gmail.com wrote:
Peter West writes:
erver for SpamAssassin".
If that isn't enough to set you on the right path, search the mailing list
archives for "URIBL-BLOCKED" or "URIBL DNS" for previous discussions of
this topic. If that history isn't enough, feel free to ask for assistance.
--
John Hardin KA7OHZ
On Mon, 15 Mar 2021, Peter West wrote:
Well, that was simple. Thank you. What’s the default value of a rule? Does it
have one?
The default score for all rules is 1 point.
--
John Hardin KA7OHZ
would be a positive confirmation. I'm not sure offhand if BAYES_50 hits
when bayes is enabled but insufficiently trained...
--
John Hardin KA7OHZ
On Sun, 28 Feb 2021, RW wrote:
On Sun, 28 Feb 2021 07:42:42 -0800 (PST)
John Hardin wrote:
On Sun, 28 Feb 2021, Michael Grant wrote:
I've traced through the AskDNS plugin and it's definitely only
looking at the first response that gets returned in this case. I
also tried a regex submatch
that *is* useful - critical, in
fact - is being discarded.
Please open a bugzilla ticket for this.
--
John Hardin KA7OHZ
hit: "000 111 e-mail"
OK, I will see about tuning it. Thanks for the report.
--
John Hardin KA7OHZ
8 0
29 3
30 1
31 4
321659
33 50290
34 8
Interesting analysis, thanks. I'll tighten it up a bit based on that.
--
John Hardin KA7OHZ
==> got hit:
"http://fnord04.com/blah;
--
John Hardin KA7OHZ
On Thu, 25 Feb 2021, RW wrote:
On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
John Hardin wrote:
On Wed, 24 Feb 2021, Alan wrote:
After a little more research, a better regex for an obfuscated BTC
address is
/[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
It might be worth
On Thu, 25 Feb 2021, Jared Hall wrote:
On 2/24/2021 9:43 PM, John Hardin wrote:
The __XM_RANDOM header rule is intended to catch the specific condition of
the email, the scored XM_RANDOM meta is intended to add points for when
that condition indicates spam.
Ouch, I figured as much
MY_XM_RANDOM -1.154
Which, again, doesn't help anyone outside his company.
IMHO you shouldn't be scanning internal-only email anyway.
--
John Hardin KA7OHZ
with -, = and _ obfuscations, which I haven't
seen myself yet.
Thanks!
--
John Hardin KA7OHZ
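The following is an added example (my code, not the rules from the thread) that generalizes the obfuscated-address regex posted above: it accepts `=` and `_` as separators besides space and `-`, restricts the character class to the actual Base58 alphabet (the posted class also allows `0`, which never occurs in a legacy address), strips the separators out, and then verifies the Base58Check checksum so that spaced-out reference numbers and digit runs that happen to match the regex do not count as hits. The sample body is constructed; the one real address in it is the public Bitcoin genesis-block address.

```python
import hashlib
import re
from typing import List

# Base58 alphabet of legacy Bitcoin addresses: no 0, O, I or l.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Separators spammers put between address characters. The posted regex used
# space and '-'; '=' and '_' are added because the thread mentions them
# (assumed to be used the same way).
SEP = r"[ \-=_]"

# A leading 1 or 3 followed by 25-34 more Base58 characters, each preceded by
# one separator (26-35 characters total, the legacy address length range).
OBFUSCATED_BTC = re.compile(
    rf"(?<![{BASE58}])[13](?:{SEP}[{BASE58}]){{25,34}}(?![{BASE58}])"
)


def normalize(candidate: str) -> str:
    """Remove the separators from an obfuscated candidate."""
    return re.sub(SEP, "", candidate)


def base58check_ok(address: str) -> bool:
    """Decode a legacy address and verify its Base58Check checksum: the last
    4 bytes of the 25-byte payload must equal the first 4 bytes of
    SHA256(SHA256(version byte + 20-byte hash)). Spaced-out digit runs and
    corrupted addresses fail here even when they match the regex."""
    if not 26 <= len(address) <= 35 or any(c not in BASE58 for c in address):
        return False
    n = 0
    for c in address:
        n = n * 58 + BASE58.index(c)
    try:
        payload = n.to_bytes(25, "big")
    except OverflowError:
        return False
    # Each leading '1' encodes exactly one leading zero byte.
    if len(address) - len(address.lstrip("1")) != len(payload) - len(payload.lstrip(b"\x00")):
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()
    return digest[:4] == payload[21:]


def find_obfuscated_btc(text: str) -> List[str]:
    """Normalized, checksum-valid addresses hidden in a message body."""
    hits = []
    for m in OBFUSCATED_BTC.finditer(text):
        addr = normalize(m.group(0))
        if base58check_ok(addr):
            hits.append(addr)
    return hits


# Constructed sample body: the public genesis-block address spaced out the way
# extortion spam does it, a one-character corruption of it, and a spaced-out
# reference number that only looks like an address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_BODY = (
    "Send 0.5 BTC to " + " ".join(GENESIS) + " within 48 hours.\n"
    "Wallet: " + "-".join(GENESIS[:-1] + "b") + "\n"
    "Ref: " + " ".join("123456789" * 3 + "1") + "\n"
)

if __name__ == "__main__":
    print(find_obfuscated_btc(SAMPLE_BODY))
```

All three candidates in the sample match the regex; only the genuine address survives the checksum. A SpamAssassin rule cannot do the checksum step itself, which is why the regex alone is kept conservative and scored low; a plugin or a post-filter could.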
e spamples to improve them. Feel free to zip up any
bitcoin extortion spams you get and send them to me by private email at
any time.
--
John Hardin KA7OHZ
for their internal mail, but not to anyone else they send mail
to.
I am adding an exception for that.
--
John Hardin KA7OHZ
; the problem? Since this is the name of our company are there
any chances to keep it without catching the rule?
The chances are very good now that you've reported the FP. I will add an
exception. It will take a day or two to be published.
Thank you!
--
John Hardin KA7OHZ
from
address)
Are you using the abusive sendgrid user plugin or my download-based rule
generator?
--
John Hardin KA7OHZ
On Tue, 23 Feb 2021, Dan Malm wrote:
On 2021-02-23 16:29, John Hardin wrote:
On Tue, 23 Feb 2021, Dan Malm wrote:
On 2021-02-19 16:13, John Hardin wrote:
On Fri, 19 Feb 2021, Dan Malm wrote:
I have a system that received mail from a webmail product that adds a
X-Originating-IP header
On Tue, 23 Feb 2021, Dan Malm wrote:
On 2021-02-19 16:13, John Hardin wrote:
On Fri, 19 Feb 2021, Dan Malm wrote:
I have a system that received mail from a webmail product that adds a
X-Originating-IP header with the IP of the webmail user.
Since Spamassassin for some reason considers
On Mon, 22 Feb 2021, RW wrote:
On Sun, 21 Feb 2021 16:32:01 -0800 (PST)
John Hardin wrote:
On Sun, 21 Feb 2021, John Hardin wrote:
On Sun, 21 Feb 2021, Dominic Raferd wrote:
Michael's suggestion is interesting. There is a github project
allowing Levenshtein numbers to be calculated
On Sun, 21 Feb 2021, John Hardin wrote:
On Sun, 21 Feb 2021, Dominic Raferd wrote:
On 21/02/2021 20:09, Benny Pedersen wrote:
On 2021-02-21 19:44, Dominic Raferd wrote:
Presumably interfacefm.com has been hacked, but not to the extent that
they can intercept incoming replies.
I stand
Levenshtein numbers so most of the heavy lifting is already done.
--
John Hardin KA7OHZ
the
RDNS_NONE rule (only IP is added in the header) which I currently have
set to 0 due to this.
Could you post a sample of the headers from such? Obfuscate as you like,
I'm just wondering about the order in which they appear.
--
John Hardin KA7OHZ
On Fri, 19 Feb 2021, Giovanni Bechis wrote:
On 2/19/21 1:09 AM, John Hardin wrote:
On Thu, 18 Feb 2021, Giovanni Bechis wrote:
On 2/18/21 6:37 PM, Ricky Boone wrote:
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.
https://www.google.com/url?sa
here - there's also a google.com/url
redir rule in my sandbox, and they may be overlapping.
--
John Hardin KA7OHZ
, examples could just be pasted into the body of your
post (as you did) or in a .txt attachment.
--
John Hardin KA7OHZ
On Tue, 16 Feb 2021, Ricky Boone wrote:
On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
If they don't perform well in masscheck you can always grab them out of my
sandbox for your local rules.
Masscheck results:
https
On Sun, 14 Feb 2021, Ricky Boone wrote:
On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
How often do you see (over)stock and space obfuscated?
So far, 4 times and once, respectively
OK, I added FUZZY_OVERSTOCK as well, we'll see what happens.
If they don't perform well in masscheck
to be fairly common.
How often do you see (over)stock and space obfuscated?
--
John Hardin KA7OHZ
t an embedded PNG
graphic. An interesting solution to the problem of rich text portability.
...for certain values of "interesting". I hate images of text - you can't
copy the text and do useful things with it.
--
John Hardin KA7OHZ
sendgrid.net envelope
senders :(
Try the script generator I posted, it isn't domain-specific.
--
John Hardin KA7OHZ
to / can't use the plugin.
https://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh
--
John Hardin KA7OHZ
with the URLs encoded in Morse.
I see two ways to block this: 1) MUAs should ignore code in HTML. 2) A
malware scanner like ClamAV should watch for this kind of stuff.
You're missing the simplest one: double extensions like that are hostile
and should be rejected.
--
John Hardin KA7OHZ
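An added example of the simplest check mentioned above (my code, not from the thread): reject an attachment whose name ends in an executable extension preceded by a document-like decoy extension. The extension sets are a constructed policy for the example, not a list from the page; the whitespace-padding case (`report.pdf      .exe`) is handled because the padding is what pushes the real extension out of view in a MUA.

```python
import re
from typing import Optional

# Constructed policy for the example: extensions that execute when opened on a
# typical desktop, and the decoy document extensions spammers put in front of
# them so the name reads as a harmless file ("invoice.pdf.exe").
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "ps1", "msi"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
              "txt", "htm", "html", "zip", "wav", "mp3"}

# filename="..." or filename=... parameter of a Content-Disposition value.
_FILENAME_PARAM = re.compile(r'filename\*?=\s*"?([^";]+)"?', re.I)


def attachment_filename(content_disposition: str) -> Optional[str]:
    """Pull the filename out of a Content-Disposition header value. RFC 2231
    encoded names (filename*=) are returned undecoded."""
    m = _FILENAME_PARAM.search(content_disposition)
    return m.group(1).strip() if m else None


def hostile_double_extension(filename: str) -> bool:
    """True when the name ends in an executable extension and the component
    before it is a decoy document extension, ignoring whitespace padding."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 3:            # needs at least name, decoy, executable
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "report.pdf      .exe", "voicemail.wav.js",
                 "archive.tar.gz", "setup.exe"):
        print(f"{name!r}: {'reject' if hostile_double_extension(name) else 'pass'}")
```

Whether a bare `setup.exe` is allowed is a separate policy decision; this check only targets the decoy pattern, which has no legitimate use.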
HS_HEADER_1509,
line 1.
Make sure that if you have rules containing @sometext, the @ is escaped:
\@sometext
\@g
\@mail
...etc
--
John Hardin KA7OHZ
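An added example (not part of the thread) that finds the problem described above in a rules file: in a Perl regex, `@word` is read as an array variable and interpolated, so `@gmail` in a rule body is not the literal text. The checker flags a `@` only when it is unescaped (an even number of backslashes before it) and followed by something that can start a Perl array name, and it leaves `[^@]` or a trailing `@` alone. The rule names and the rules themselves are constructed for the example.

```python
import re
from typing import List, Tuple

# Rule types whose last argument is a Perl regex.
REGEX_RULE_TYPES = {"header", "body", "rawbody", "uri", "full"}

# 'header NAME Header-Name =~ /pattern/flags', 'body NAME /pattern/flags', etc.
# The delimiter is assumed to be '/', the usual case in published rules.
_RULE = re.compile(
    r"^(?P<type>\w+)\s+(?P<name>\S+)\s+(?:.*?=~\s*)?/(?P<pattern>.*)/(?P<flags>[a-z]*)\s*$"
)

# A '@' that Perl would interpolate: preceded by an even number of backslashes
# (so the '@' itself is not escaped) and followed by something that can start
# an array name. '[^@]' and a trailing '@' are left alone.
_UNESCAPED_AT = re.compile(r"(?<!\\)(?:\\\\)*(@)(?=[A-Za-z_{$:])")


def unescaped_ats(pattern: str) -> List[int]:
    """Offsets of '@' characters Perl would interpolate in this regex body."""
    return [m.start(1) for m in _UNESCAPED_AT.finditer(pattern)]


def escape_ats(pattern: str) -> str:
    """Escape those '@' characters so they match literally."""
    return _UNESCAPED_AT.sub(lambda m: m.group(0)[:-1] + r"\@", pattern)


def lint_rules(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, rule_name, corrected_line) for each regex rule that contains
    an interpolating '@'."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _RULE.match(line.strip())
        if not m or m.group("type").lower() not in REGEX_RULE_TYPES:
            continue
        pattern = m.group("pattern")
        if unescaped_ats(pattern):
            problems.append((no, m.group("name"), line.replace(pattern, escape_ats(pattern), 1)))
    return problems


# Constructed rules for the example; the names are made up.
SAMPLE_RULES = r"""header   LOCAL_FREEMAIL_AT   From =~ /@gmail\.com>?$/i
header   LOCAL_FREEMAIL_OK   From =~ /\@gmail\.com>?$/i
body     LOCAL_MENTIONS_LIST /\bjoin us @mail(?:list)?\b/i
uri      LOCAL_USERINFO_URI  /^https?:\/\/[^\/@]+@/
header   LOCAL_NO_REGEX      exists:X-Originating-IP
"""

if __name__ == "__main__":
    for no, name, fixed in lint_rules(SAMPLE_RULES):
        print(f"line {no} ({name}): {fixed}")
```

Only the first and third rules are reported; the `@` inside the character class and the one at the end of the `uri` rule are not interpolated and are left as they are.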
On Tue, 2 Feb 2021, John Hardin wrote:
On Tue, 2 Feb 2021, RW wrote:
On Tue, 2 Feb 2021 10:47:49 +0100
Valentijn Sessink wrote:
On-list: the only thing in the last QR-code phishing mail I received
that actually makes it a phishing mail is the following part:
<=
DEFANGED_IMG alt=3D"
3D"184">
So the QR code is remote. If you fetch it could look like the recipient
read the email, encouraging more spam to that account.
Not if they are retrieving it by bouncing off DDG (or Gargle, or Imgur,
or...)
--
John Hardin KA7OHZ
On Tue, 2 Feb 2021, Valentijn Sessink wrote:
On 02-02-2021 03:37, Kevin A. McGrail wrote:
Nothing I'm aware of. Contact me off-list if you have any spamples.
I have. I hope it passes your filter :-)
I'd appreciate a spample too.
--
John Hardin KA7OHZ
On Sat, 30 Jan 2021, RW wrote:
On Sat, 30 Jan 2021 14:41:42 -0800 (PST) John Hardin wrote:
I'd also like to know how to submit these MTAs for inclusion in one
of the Spamhaus DNSBLs.
I don't think there's an existing Spamhaus list that's relevant.
SBL has listed open relays in the past
, then I add the MTA that send the backscatter to my MTA's "access
denied" list with a message about the backscatter.
I'd also like to know how to submit these MTAs for inclusion in one of the
Spamhaus DNSBLs.
--
John Hardin KA7OHZ
es: [...] To: y...@gushi.org"
PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?
--
John Hardin KA7OHZ
On Wed, 27 Jan 2021, Matus UHLAR - fantomas wrote:
On Wed, 27 Jan 2021, Benny Pedersen wrote:
http://multirbl.valli.org/lookup/2a01%3A4f9%3Ac010%3A567c%3A%3A1.html
I don't know how to handle this :=)
On 26.01.21 17:43, John Hardin wrote:
Only one lists it:
https://matrix.spfbl.net/en
On Wed, 27 Jan 2021, Benny Pedersen wrote:
Have you opened an infra ticket?
no, can i do this ?
You need an Apache account. I have one ready to go, I was just waiting for
your answer. ...created.
https://issues.apache.org/jira/browse/INFRA-21351
--
John Hardin KA7OHZ
?
but forward to infra so its solved
Yeah, it seems SPFBL will ignore contact from anyone other than the domain
admin, so it will have to be infra that contacts them.
Have you opened an infra ticket?
--
John Hardin KA7OHZ
.
Are you using Amavis by any chance? Try restarting that.
--
John Hardin KA7OHZ
edited headers of one such message in
private email I'll test exclusions for it. Note: any changes you make to
that will potentially interfere with the accuracy of the exclusion.
Thanks!
--
John Hardin KA7OHZ
In short: it tries to match a sequence of 5 characters.
don't match <ab..
match something like :a::a
match something like :aa:a
match something l
etter-punct in the message subject.
Spammers have used punctuation to obfuscate "trigger words" in subjects,
like:
:B:U:Y: :Y:O:U:R: :C:H:E:A:P: :V:I:A:G:R:A: :H:E:R:E: :T:O:D:A:Y:
in an attempt to bypass naïve text matching filters. These rules are
intended to detect that.
--
John Hardin KA7OHZ
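The regex of the rule itself is not on this page, so the following added example (mine, not the SpamAssassin rule) shows the other half of the job: reverse the obfuscation and check whether the recovered words are the trigger words the punctuation was meant to hide from a naive text match. A token counts as interleaved when at least two of its letters are each followed by punctuation, which leaves ordinary `Re:`, `3/4` and `10:30` alone; a single dotted acronym such as `U.S.A.` is not treated as evidence on its own. The trigger-word list is a constructed stand-in.

```python
import re
from typing import List, Tuple

# A token is "interleaved" when at least two of its letters are each followed
# by punctuation (":B:U:Y:", "V.I.A.G.R.A", "c*h*e*a*p"). Ordinary subject
# tokens such as "Re:", "3/4" or "10:30" do not qualify.
_INTERLEAVED = re.compile(r"[^\w\s]*(?:\w[^\w\s]+){2,}\w?[^\w\s]*")

# Constructed trigger-word list for the example.
TRIGGER_WORDS = {"viagra", "cheap", "buy"}

# The subject from the thread.
SPAM_SUBJECT = ":B:U:Y: :Y:O:U:R: :C:H:E:A:P: :V:I:A:G:R:A: :H:E:R:E: :T:O:D:A:Y:"


def deobfuscate_subject(subject: str) -> Tuple[str, int]:
    """Return (subject with interleaved punctuation removed, number of tokens
    that were de-obfuscated). Tokens that are not interleaved are kept as-is so
    legitimate punctuation survives."""
    words, hits = [], 0
    for tok in subject.split():
        if _INTERLEAVED.fullmatch(tok):
            words.append(re.sub(r"[^\w\s]", "", tok))
            hits += 1
        else:
            words.append(tok)
    return " ".join(words), hits


def obfuscated_trigger_words(subject: str) -> List[str]:
    """Trigger words that only become visible after de-obfuscation. Requires at
    least two interleaved tokens so one dotted acronym does not count."""
    plain, hits = deobfuscate_subject(subject)
    if hits < 2:
        return []
    return sorted(w for w in set(re.findall(r"\w+", plain.lower())) if w in TRIGGER_WORDS)


if __name__ == "__main__":
    print(deobfuscate_subject(SPAM_SUBJECT))
    print(obfuscated_trigger_words(SPAM_SUBJECT))
```

In a SpamAssassin deployment the same idea is usually split in two: a cheap letter-punct rule like the one described above scores the obfuscation pattern itself, and the Bayes classifier or a body rule handles the words once a plugin or the MTA has normalized them.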
On Wed, 6 Jan 2021, Giovanni Bechis wrote:
On 1/6/21 2:40 PM, RW wrote:
On Tue, 5 Jan 2021 10:14:45 -0800 (PST)
John Hardin wrote:
On Tue, 5 Jan 2021, Dave Funk wrote:
On Tue, 5 Jan 2021, John Hardin wrote:
subjprefix FROM_ME [From Me]
Does this work if you're using a milter
On Tue, 5 Jan 2021, Dave Funk wrote:
On Tue, 5 Jan 2021, John Hardin wrote:
On Tue, 5 Jan 2021, Giovanni Bechis wrote:
On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
I'm pretty sure SA only allows setting the subject tag by language, not
based on rule hits.
Starting from
On Tue, 5 Jan 2021, Giovanni Bechis wrote:
On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
I'm pretty sure SA only allows setting the subject tag by language, not
based on rule hits.
Starting from 3.4.3 you can add a prefix to the email subject like that:
header FROM_ME
using?
I'm pretty sure SA only allows setting the subject tag by language, not
based on rule hits. You may be able to modify the subject in the MTA/glue
at the same point you do the extra delivery.
--
John Hardin KA7OHZ
On Mon, 28 Dec 2020, RW wrote:
On Sun, 27 Dec 2020 10:17:15 -0800 (PST)
John Hardin wrote:
To catch those you'd need to check for the address in a Received:
header, assuming your MTA adds the envelope recipient to the
Received: header it generates.
You might do:
header ABUSED_PLUS
he-de.apache.org
[95.216.194.37])
by ga.impsec.org (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027977
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=FAIL)
for ; Sun, 27 Dec 2020 11:35:11 -0600
You might do:
header ABUSED_PLUS Received =~ /\bfor
/i
--
John Hardin KA7OHZ
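The rule quoted above is truncated on this page, so the following is an added example of the idea behind it rather than the rule itself (my code, not from the thread): parse the Received headers, take the `for <address>;` clause only from the header written by your own MTA (the `by` host you trust; clauses written by earlier hops are under the sender's control), and report plus-addressed envelope recipients that do not appear in To: or Cc:. That reading of what ABUSED_PLUS is meant to catch is an assumption, and the header sample is constructed.

```python
import re
from typing import List, NamedTuple, Optional


class EnvelopeHit(NamedTuple):
    by_host: str
    recipient: str
    plus_tag: Optional[str]


# 'for <addr>;' or 'for addr;' clause, and the 'by host' clause, of a Received header.
_FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?\s*;", re.I)
_BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def unfold_headers(raw: str) -> List[str]:
    """Join folded header lines: a continuation line starts with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_headers(raw: str) -> List[str]:
    return [h.split(":", 1)[1].strip() for h in unfold_headers(raw)
            if h.lower().startswith("received:")]


def envelope_recipients(raw: str, trusted_by: str) -> List[EnvelopeHit]:
    """Recipients recorded in the 'for' clause of Received headers written by
    our own MTA (by_host == trusted_by). Clauses written by earlier hops are
    under the sender's control and are ignored."""
    hits = []
    for hdr in received_headers(raw):
        by, fr = _BY_CLAUSE.search(hdr), _FOR_CLAUSE.search(hdr)
        if not by or not fr or by.group(1).lower() != trusted_by.lower():
            continue
        local = fr.group(1).split("@", 1)[0]
        tag = local.split("+", 1)[1] if "+" in local else None
        hits.append(EnvelopeHit(by.group(1), fr.group(1), tag))
    return hits


def abused_plus(raw: str, trusted_by: str) -> List[str]:
    """Plus-addressed envelope recipients that the visible To:/Cc: headers do
    not show; my reading of what ABUSED_PLUS is meant to catch (assumption)."""
    visible = " ".join(h for h in unfold_headers(raw)
                       if h.lower().startswith(("to:", "cc:"))).lower()
    return [h.recipient for h in envelope_recipients(raw, trusted_by)
            if h.plus_tag and h.recipient.lower() not in visible]


# Constructed headers: our MTA (mail.example.net) recorded the plus-addressed
# envelope recipient; the sender's relay recorded something else entirely.
SAMPLE_HEADERS = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mail.example.net (8.14.7/8.14.7) with ESMTP id 0ABCDEF123456\n"
    "\tfor <alice+shop2020@example.net>; Sun, 27 Dec 2020 11:35:11 -0600\n"
    "Received: from relay.attacker.example (relay.attacker.example [203.0.113.5])\n"
    "\tby mx.example.org with ESMTP\n"
    "\tfor <alice@example.net>; Sun, 27 Dec 2020 11:35:09 -0600\n"
    "From: \"Deals\" <deals@attacker.example>\n"
    "To: undisclosed-recipients:;\n"
    "Subject: constructed sample\n"
)

if __name__ == "__main__":
    print(abused_plus(SAMPLE_HEADERS, "mail.example.net"))
```

The equivalent SpamAssassin header rule runs against all Received headers concatenated, so anchoring it on your own MTA's `by` hostname, as this code does with `trusted_by`, is what keeps a forged upstream `for` clause from triggering it.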
y
maintaining all the rules.
--
John Hardin KA7OHZ
-
On Wed, 23 Dec 2020, Grant Taylor wrote:
On 12/23/20 9:55 PM, John Hardin wrote:
Did you see my mention of this earlier?
Yes, I did see it.
That's a bit more invasive of a change than I was hoping to do for this task.
I had been waiting to reply to your earlier message to test some things
On Wed, 23 Dec 2020, Grant Taylor wrote:
On 12/23/20 2:15 PM, John Hardin wrote:
spamass-milter has a -u flag for a username to pass to SA. If these are
single-recipient messages that may be enough to reliably tie into per-user
config to disable the RBL check.
It seems as if spamass-milter
On Wed, 23 Dec 2020, Grant Taylor wrote:
That's all considerably more complicated than I'm comfortable with at the
moment.
Did you see my mention of this earlier?
https://milter-manager.osdn.jp/reference/introduction.html
--
John Hardin KA7OHZ
On Wed, 23 Dec 2020, Richard Ozer wrote:
In the headers of every message from the mailing list:
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
--
John Hardin KA7OHZ
, last
released in September 2019.
That last option sounds to me like the first one you should explore.
--
John Hardin KA7OHZ
On Wed, 23 Dec 2020, Axb wrote:
I misunderstood.. domain wise they are distinct users.
Server_wise, they share servers except yahoo.co.jp which runs their own
Ok. Thanks!
--
John Hardin KA7OHZ
asn't as
simple as yours, though - perhaps I'm allowing for too many
syntactically-valid cases to try to avoid trivial avoidance by spam?
Of course that is a pretty heavy rule
It would be lighter if you didn't look for the tag closing. Is there a
reason you care about the closing f
On Thu, 17 Dec 2020, John Hardin wrote:
On Thu, 17 Dec 2020, @lbutlr wrote:
On 16 Dec 2020, at 23:21, Loren Wilton wrote:
I just got a batch of spams containing
Interesting. I remember in the early days of html spam there were various
rules to tag messages as spam when they had content
On Mon, 21 Dec 2020, Axb wrote:
On 12/21/20 7:19 PM, John Hardin wrote:
Quick question for anyone who knows:
Are the email addresses in the various domains in the yahoo family (e.g.
yahoo.com, yahoo.com.hk, yahoo.com.my, yahoo.com.sg, yahoo.com.vn,
yahoo.co.jp, yahoo.co.nz, yahoo.co.th
doesn't matter)?
Or is a mailbox/account separate and distinct from
?
--
John Hardin KA7OHZ
a subscription for an alternate address,
for example "john@host.domain", just add a hyphen and your
address (with '=' instead of '@') after the command word:
Many thanks for your help.
On 2020-12-20 15:26, John Hardin wrote:
On Sat, 19 Dec 2020, Alan wrote:
The reason for asking is that I w
a given set, easy. Characteristics about that string? complicated. A
rule like that might potentially hit on legitimate (for values of
"legitimate") tracking analysis URIs or caching URIs, unless there is some
kind of uncommon pattern to it that you can discern and look for in the
away.
213.171.44.75 550 5.7.1 Open relay - email worms - go away.
--
John Hardin KA7OHZ
that specific form of "invisible text".
--
John Hardin KA7OHZ
he IPs all seem to be Google's (within
CIDR 209.85.128.0/17). I'm going to add a couple of points scoring to
anything from trix.bounces.google.com.
I'll add a rule for that to my sandbox and we'll see what happens.
--
John Hardin KA7OHZ
On Fri, 11 Dec 2020, Benoit Branciard wrote:
Le 10/12/2020 à 17:08, John Hardin a écrit :
...okay, I found the problem. None of my tests had a username with a
period. Fixing.
Good !
I cherry-picked your regex fix from
https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin
:
header __PDS_FROM_2_EMAILS From =~
/(?:\W|^)([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
The "(?!\1)" is intended to prevent that.
...okay, I found the problem. None of my tests had a username with a
period. Fixing.
--
John Hardin KA7OHZ
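An added example (my own Python transcription and fix, not the committed rule): the regex as cherry-picked above, the false positive it produces on a dotted local part, and a tightened leading boundary that avoids it. The cause is that `(?:\W|^)` also matches the `.` inside `first.last`, so the capture can start at `last@example.com` and the `(?!\1)` lookahead then sees a different string inside the angle brackets. The possessive `\w\w++` is written `\w{2,}` here because the class that follows, `[^\n\w<]`, cannot take a word character, so backtracking into the TLD can never succeed anyway. Whether this is the fix that was committed is not stated on the page; the sample From: values are constructed.

```python
import re

# Python transcription of the posted rule (possessive \w\w++ written as \w{2,}).
POSTED = re.compile(
    r"(?:\W|^)([\w+.-]+@[\w.-]+\.\w{2,})(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*@", re.I
)

# Same rule with the leading boundary tightened (my fix, an assumption about
# what was committed): the character before the first address must not itself
# be an address character, so the capture cannot start inside "first.last".
FIXED = re.compile(
    r"(?:[^\w+.-]|^)([\w+.-]+@[\w.-]+\.\w{2,})(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*@", re.I
)


def from_has_two_emails(from_value: str, rule: "re.Pattern[str]" = FIXED) -> bool:
    """True when the From: value shows one address in the display name and a
    different one in the angle brackets."""
    return rule.search(from_value) is not None


# Constructed From: header values.
SAME = '"first.last@example.com" <first.last@example.com>'   # the reported FP
SPOOF = '"ceo@example.com" <mallory@attacker.example>'        # what the rule is for
PLAIN = "Bob Example <bob@example.com>"


def compare_rules(value: str) -> dict:
    return {"posted": from_has_two_emails(value, POSTED), "fixed": from_has_two_emails(value, FIXED)}


if __name__ == "__main__":
    for label, value in (("same", SAME), ("spoof", SPOOF), ("plain", PLAIN)):
        print(label, compare_rules(value))
```

Note that `(?!\1)` only checks that the bracketed address does not *start with* the displayed one, so `"bob@example.com" <bob@example.com.attacker.example>` is still missed by both versions; a proper parse of the header and a full-string comparison is the complete check.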
-only combos in the masscheck corpus.
I've added some new rules for masscheck eval based on it.
--
John Hardin KA7OHZ
On Tue, 8 Dec 2020, Loren Wilton wrote:
That probably should have hit at least one scored base rule:
https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
Nope. I think my rules are up to date, but maybe not.
Feel free to pastebin it and I'll take a look.
--
John Hardin KA7OHZ
:
https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
--
John Hardin KA7OHZ
that.
Based on the sample that was posted, it looks to me like abuse of a
web-based feedback form - post a spammy feedback using the email address
of your victim and you spam the victim via the confirmation (and the
domain hosting the feedback form at the same time).
--
John Hardin KA7OHZ
be handy, but data
collection and maintenance seems problematic. I don't think one currently
exists.
--
John Hardin KA7OHZ
On Fri, 20 Nov 2020, AJ Weber wrote:
I think you should keep politics out of this.
+1
*PLEASE*
--
John Hardin KA7OHZ
On Thu, 12 Nov 2020, Darrell Budic wrote:
On Nov 12, 2020, at 12:31 PM, John Hardin wrote:
I'd have to see a spample to tell whether that would hit your particular case,
though. Can you upload an example to pastebin for us?
Sure, it’s at https://paste.centos.org/view/045312a7
The line
On Thu, 12 Nov 2020, Darrell Budic wrote:
On Nov 12, 2020, at 11:54 AM, John Hardin wrote:
On Thu, 12 Nov 2020, Darrell Budic wrote:
Got a few of these 411 google form spams recently and was wondering why they
weren’t getting caught by SA. Looks like the Return-Path: is triggering
ELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
--
John Hardin KA7OHZ
merica.com
whitelist_auth *@*.bankofamerica.com
blacklist_from *@*.bankofamerica.com
--
John Hardin KA7OHZ
On Sat, 7 Nov 2020, RW wrote:
On Sat, 7 Nov 2020 10:05:21 -0800 (PST)
John Hardin wrote:
On Sat, 7 Nov 2020, RW wrote:
On Fri, 6 Nov 2020 16:10:18 +
RW wrote:
However, I can't get an up-to-date Firefox to add .com, so the
feature may already be obsolete.
I take that back, it does
On Sat, 7 Nov 2020, RW wrote:
On Fri, 6 Nov 2020 16:10:18 +
RW wrote:
However, I can't get an up-to-date Firefox to add .com, so the feature
may already be obsolete.
I take that back, it does.
What does it do for the example at hand, http://www.ch ?
--
John Hardin KA7OHZ
;-)
But that's another story
Have a good weekend
I followed this thread; it was mentioned that it was Firefox that tries to help
with useful domain names?
But I lost how this went over to a bug in SpamAssassin?
The bug was to implement the same (mis)behavior in SA URI parsing.
--
John Hardin KA7OHZ
d probably be a
good idea. By default, for all domains, not so much.
--
John Hardin KA7OHZ
On Thu, 5 Nov 2020, Axb wrote:
On 11/5/20 4:31 AM, John Hardin wrote:
On Thu, 5 Nov 2020, RW wrote:
On Wed, 04 Nov 2020 18:48:48 -0500
Bill Cole wrote:
On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
* 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
no X-MimeOLE
In addition
quests to ISP's nameservers" part...
For small environments like this, the DNS resolver that you use for SA
needs to do all the queries itself rather than passing them off to be
aggregated by the ISP's nameservers, and hit the DNSBL free use limits due
to that aggregation.
Thanks all!
--
the exception.
AXB - any comments??
--
John Hardin KA7OHZ
longer than a word or two.
--
John Hardin KA7OHZ
gt;]{0,99}>[^<]{500}'si
(Caveat: not tested, just off-the-cuff. There's room for improvement in
the style spec as well.)
--
John Hardin KA7OHZ