Re: Non-ascii subjects with images

2018-09-01 Thread John Hardin
her wrote: > > > > Do you have an SA rule for it? > > Do you have any sample, Rupert? Of course I do. Would you care to show us? Antony. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.o

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
On Fri, 31 Aug 2018, John Hardin wrote: None of the masscheck corpora that hit __HDR_ORDER_FTSDMC also hit ALL_TRUSTED (or at least the portion is so small it falls off the bottom of the report) so I don't feel too worried about adding either !ALL_TRUSTED or __ANY_EXTERNAL (or potentially

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
On Fri, 31 Aug 2018, John Hardin wrote: On Fri, 31 Aug 2018, Matus UHLAR - fantomas wrote: On Thu, 30 Aug 2018, Matus UHLAR - fantomas wrote: That further causes hitting HDR_ORDER_FTSDMCXX_DIRECT and HDR_ORDER_FTSDMCXX_NORDNS in cases where client uses the mail client on local network

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
(which may be quite common in some organizations). On 30.08.18 16:57, John Hardin wrote: Are you experiencing this yourself, so that you can do some testing? Yes. Thanks! If you do have a repro env, can you check whether that internal network is listed as such in the SA config? Would you

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-30 Thread John Hardin
http://spamassassin.1065346.n5.nabble.com/Problem-with-new-rules-td152105.html I'd say the problems aren't. That's because the ESP was relaying mail and not reporting *any* details of the internal handoff, so it looked to the recipient like the MSA was a mail client. rDNS wasn't an issue the

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-30 Thread John Hardin
ers give the rest a bad name.

Re: More XPS phish phun

2018-08-19 Thread John Hardin
s/36B649E7-77A2-20FE-FC19-80636F6E6148.odttf 266980 Defl:N 107750 60% 01-01-1980 00:00 3e418bc1 Resources/71CF76BB-7E19-70D9-3161-0E48B6763460.odttf

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread John Hardin
On Fri, 17 Aug 2018, Chris wrote: On Fri, 2018-08-17 at 14:46 -0700, John Hardin wrote: On Fri, 17 Aug 2018, Chris wrote: Early on when SA-Compile was run I did manage to capture this: Running sa-compile (may take a long time) Unescaped left brace in regex is deprecated here

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread John Hardin
appear to be a stock rule. Do you know where it came from?

Re: Understanding ruleQA results

2018-08-17 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, RW wrote: On Tue, 14 Aug 2018 13:24:47 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, micah anderson wrote: I searched my pile of mail that I have from two ice ages ago, and I did find 6 messages

RE: False Positive

2018-08-17 Thread John Hardin
l can scan it.

Re: Understanding ruleQA results

2018-08-15 Thread John Hardin
On Wed, 15 Aug 2018, RW wrote: On Tue, 14 Aug 2018 18:43:52 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, RW wrote: I don't know that this is particularly specific to mobile, lots of people send emails with an empty subject. It sounds like the main cause would be a signature

Re: Understanding ruleQA results

2018-08-15 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: OK, I can see about adding some mobile MUA exclusions. Any FP headers you can provide (directly) will be helpful. Go

Re: Understanding ruleQA results

2018-08-14 Thread John Hardin
On Tue, 14 Aug 2018, RW wrote: On Tue, 14 Aug 2018 13:24:47 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, micah anderson wrote: I searched my pile of mail that I have from two ice ages ago, and I did find 6 messages that were hits of this rule, one of them was spam, five of them

Re: Understanding ruleQA results

2018-08-14 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: but how can I tell how many messages are part of the corpus? As RW said, hover over the percentages. Thanks. Also, the percentages seem very low: 1.5192% Spam, and .0005% Ham

Re: Understanding ruleQA results

2018-08-14 Thread John Hardin
other rules. You also want to look at the score-map section when evaluating a rule. I don't care when a rule hits a lot of spam scoring 20+ points. I care a lot if it hits spams that score 1-4 points. Do you happen to be seeing FPs with this rule?

Re: Asynchronous checks with AsyncLoop for no DNS stuff

2018-08-05 Thread John Hardin
On Sun, 5 Aug 2018, RW wrote: On Sat, 4 Aug 2018 16:18:35 -0700 (PDT) John Hardin wrote: On Sat, 4 Aug 2018, RW wrote: On Sat, 4 Aug 2018 17:14:18 + (UTC) Pedro David Marco wrote: Async dns lookups work nice... but it would be great to run asynchronously checks for Atachments content

Re: Asynchronous checks with AsyncLoop for no DNS stuff

2018-08-04 Thread John Hardin
limited. Modulo multi-core hardware...

Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

2018-08-01 Thread John Hardin
On Wed, 1 Aug 2018, John Hardin wrote: On Wed, 1 Aug 2018, Alex wrote: Aug 1 19:31:42.962 [3586] dbg: rules: ran header rule __HELO_MISC_IP ==> got hit: "[ ip=50.203.126.142 rdns=50-203-126-142-static.hfc.comcastbusiness.net helo=50-203-126-142-static.hfc.comcastbusiness.net b

Re: __HELO_MISC_IP & __HELO_DYNAMIC_IPADDR2 fp

2018-08-01 Thread John Hardin
1 Aug 2018 22:22:37 + The full (sanitized) headers can be found here: https://pastebin.com/K6jqMgFg Ideas for what's going on here would be appreciated. I'll take a look.

Re: Periodic error

2018-08-01 Thread John Hardin
what I did for Centos 7 and it works jes' fine. ooo, it looks like they are up to -18; I know what I'm doing this weekend... :) https://dl.fedoraproject.org/pub/fedora/linux/releases/28/Everything/source/tree/Packages/s/spamassassin-3.4.1-18.fc28.src.rpm

Re: Problem with new rules

2018-07-29 Thread John Hardin
WLM-specific mitigations. I've not heard anything since. Does that mean the lower score limit is a sufficient mitigation?

Re: stackexchange.com in URIBL (false positive?)

2018-07-29 Thread John Hardin
, or the blacklist operator needs a review. -Yves A third option would be for you to use uridnsbl_skip_domain and don't bother anymore ;) As of right now URIBL does not report stackexchange.com as being listed.

Re: Problem with new rules

2018-07-25 Thread John Hardin
e mail) I will see what I can do to tune it.

Re: Best practice for learning submissions

2018-07-24 Thread John Hardin
On Tue, 24 Jul 2018, Nick Bright wrote: On 7/24/2018 9:58 AM, John Hardin wrote: However, unless you *really* trust the people who are providing training data, you don't train on the submissions without first reviewing them. Therefore, forwarding as an RFC-822 attachment isn't a deal-killer

Re: Best practice for learning submissions

2018-07-24 Thread John Hardin
suppose. I find such a solution is completely unacceptable. The problem with training unreviewed is: the quality of your corpus is only as good as your *least responsible* (and least malicious) user. Having a quality bayes requires a certain level of commitment and effort.

Re: Best practice for learning submissions

2018-07-24 Thread John Hardin
the submission and if you approve then save the attachment to the spam or ham training corpus (assuming your MUA allows you to do that).

Re: Replicating bayes in mariadb over multiple systems

2018-07-19 Thread John Hardin
of MariaDB you're using - the distribution (and version) you've installed this on - the replication setup you're using between the "master" and the "slaves" - whether or not you're using Autolearn (I don't want to make any assumptions)

Re: sa-learn - not able to get a byes lock

2018-07-19 Thread John Hardin
On Thu, 19 Jul 2018, Nick Bright wrote: On 7/19/2018 1:22 PM, John Hardin wrote: Do you happen to have autolearn enabled? If so, turn it off. In general, or just while trying to run sa-learn? I think there's consensus that you leave it disabled initially, and do manual training to a base

Re: sa-learn - not able to get a byes lock

2018-07-19 Thread John Hardin
have autolearn enabled and you're using flat files, you could learn into an offline database and when done copy the files over to the live instance (ideally by directory renaming to minimize the window).

Re: spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread John Hardin
On Tue, 17 Jul 2018, John Hardin wrote: On Tue, 18 Jul 2018, Chip M. wrote: Here's the SA test stats for 13 of this new morph: FORGED_MUA_MOZILLA 1 HTML_MESSAGE 13 HTML_MIME_NO_HTML_TAG 13 LOCALPART_IN_SUBJECT 13 MIME_BASE64_TEXT 9

Re: spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread John Hardin
1 RDNS_DYNAMIC 3 TVD_RCVD_SPACE_BRACKET 6 UNPARSEABLE_RELAY 6 How did the recent bitcoin rules do?

Re: spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread John Hardin
I get sufficient Ham stats, I'll report back. That will be difficult to look for but the format is consistent enough that a simpler comment rule might work.

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-29 Thread John Hardin
=78D8A052C380BCBFF284D754BEBE9730=1dc278553a2445bb88bcc9b73bf4ef85=57=1 ] @steve: could you pastebin a couple of sextortion spamples for me pls? Thanks.

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread John Hardin
in case those are common. I wouldn't know, I generally get lots of 419 fraud and photo retouching spams instead... :)

Re: Method of setting score for a custom rule to be the required_score ?

2018-06-26 Thread John Hardin
On Tue, 26 Jun 2018, J Doe wrote: On Jun 26, 2018, at 12:13 AM, John Hardin mailto:jhar...@impsec.org>> wrote: My thinking here is that if this rule ever passes, it should not add a small value to the score but push the score up to the value that required_score is set to. Th

Re: Method of setting score for a custom rule to be the required_score ?

2018-06-25 Thread John Hardin
re a way to achieve the same effect that is used by SA rule writers ? That's called a "poison pill rule", and generally you don't worry about hitting the required score exactly, you just set it to something large - like 10 or 100.

Re: MISSING_SUBJECT

2018-06-17 Thread John Hardin
test for the MIME type and is intended for use in metas. ENCRYPTED_MESSAGE is what score to apply to that, potentially with FP (or in this case spam) avoidance filters. Generally those are added by seeing what else hits in the masscheck results.

Re: MISSING_SUBJECT

2018-06-13 Thread John Hardin
hitting MISSING_SUBJECT is spam - how much of mails hitting MISSING_SUBJECT is ham. if the percentage is very different in these two cases, the rule gets high positive (or negative) score. S/O = .826 http://ruleqa.spamassassin.org/20180613-r1833448-n/MISSING_SUBJECT/detail

Re: MISSING_SUBJECT

2018-06-13 Thread John Hardin
to be a text body part. What was the MIME type of that part?

Re: More outlook phish

2018-06-09 Thread John Hardin
sing To: header >Remember that e-mail is mail after all. The To: header may not exist in Outlook if all recipients where in BCC and the original To: is company internal... Pedro Sigh. MSFT can't even get "To: Undisclosed Recipients" correct.

Re: More outlook phish

2018-06-08 Thread John Hardin
. Thanks!

Re: More outlook phish

2018-06-08 Thread John Hardin
incomplete coverage if it's not possible to express it correctly in both directions. See for example __SUBJ_HAS_FROM_1 in my sandbox.

Re: List From and Reply-To

2018-05-31 Thread John Hardin
failing.

Re: Garbage string emails

2018-05-31 Thread John Hardin
On Thu, 31 May 2018, Palvelin Postmaster wrote: On 31 May 2018, at 17:39, John Hardin wrote: On Thu, 31 May 2018, Palvelin Postmaster wrote: What’s the purpose of emails like this? Potentially: delivery probes. That sounds like a very plausible theory. Either

Re: Garbage string emails

2018-05-31 Thread John Hardin
On Thu, 31 May 2018, Palvelin Postmaster wrote: What’s the purpose of emails like this? Potentially: delivery probes.

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-28 Thread John Hardin
On Mon, 28 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 23:59, John Hardin <jhar...@impsec.org> wrote: On Sun, 27 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 21:43, John Hardin <jhar...@impsec.org> wrote: # Use Redis for Bayes backend bayes_

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
On Sun, 27 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 21:43, John Hardin <jhar...@impsec.org> wrote: # Use Redis for Bayes backend bayes_store_module Mail::SpamAssassin::BayesStore::Redis bayes_sql_dsn server=127.0.0.1:6379,database=0 f

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
On Sun, 27 May 2018, Reio Remma wrote: On 27.05.2018 21:43, John Hardin wrote: On Sun, 27 May 2018, Palvelin Postmaster wrote: Can anyone offer suggestions as to why I get these invalid argument warnings when I run spamassassin —lint —debug: warn: plugin: eval failed: bayes: Redis failed

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
ollows the common format and uses semicolon as a delimiter. Try: server=127.0.0.1:6379;database=0

Re: What rule am I missing?

2018-05-20 Thread John Hardin
eserver and do not focus only on the "caching" part.

Re: Invoice phish

2018-05-16 Thread John Hardin
that "https://euphqobeofnetwork . com/example.survey/question/login.php" ) Perhaps a "login.php" link should inherently be worth a point. Perhaps more if received from O365?

Re: training bayes database

2018-05-10 Thread John Hardin
Don't forget to *turn off forwarding*. and to /etc/resolv.conf nameserver 127.0.0.1 i cannot believe that is not the default. i always assumed my dns was working correctly.

Re: Invoice phish

2018-05-09 Thread John Hardin
he "Subject:" part... Does your test message have an inline attachment? Are you sure it's properly-formed?

Re: training bayes database

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Reio Remma wrote: On 9 May 2018, at 18:33, John Hardin <jhar...@impsec.org> wrote: Also: On Wed, 9 May 2018, Matthew Broadhead wrote: your message has X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2 Setting the threshold higher will result in mor

Re: training bayes database

2018-05-09 Thread John Hardin
that the threshold is set to 5.0 Is there some specific reason you set the threshold higher than 5.0?

Re: training bayes database

2018-05-09 Thread John Hardin
aining corpus You may be able to recruit some clueful, responsible users to help with the training, but make sure you review what they submit unless you *really* trust their judgement. On 08/05/18 21:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-rel

Re: Invoice phish

2018-05-08 Thread John Hardin
ce" + no actual attachments? A download URL ain't an attachment...

Re: training bayes database

2018-05-08 Thread John Hardin
On Tue, 8 May 2018, Reio Remma wrote: On 08.05.2018 22:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-release-7-4.1708.el7.centos.x86_64, spamassassin-3.4.0-2.el7.x86_64, amavisd-new-2.11.0-3.el7.noarch /etc/mail/spamassassin/local.cf: required_hits

Re: training bayes database

2018-05-08 Thread John Hardin
the rails for some reason. If you're not auto-learning, auto-expire is not needed. If you *are*, it's recommended to expire from a scheduled job rather than take the hit from spamd.

Re: OFF-TOPIC: Re: Just to lighten your day?

2018-05-02 Thread John Hardin
final ultimate termination... As in "I'm not dead yet!" from Spamalot? :) Or maybe "He's still moving towards the keyboard! LART him again!" It is, after all, supposedly from IT... Regrads (dammti...), Dianne.

Re: Just to lighten your day?

2018-05-02 Thread John Hardin
Email Administrator All Right Reversed 2018.(c)" - Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link. You need your humor detector recalibrated.

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-29 Thread John Hardin
On Sun, 29 Apr 2018, Sebastian Arcus wrote: On 27/04/18 16:22, John Hardin wrote: On Fri, 27 Apr 2018, Sebastian Arcus wrote: On 27/04/18 10:49, Sebastian Arcus wrote: I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com in the body of emails: Apr 27 10:45:39.330 [32173

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
der FROM_NAME_PREFIX_ATSIGN From:name =~ /^\@/

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
On Fri, 27 Apr 2018, Joëlle Pfeffer wrote: Hi David, Thank you for your answer. I don't think I have to escape the @ character. You do. It is recognized without being escaped since when my rule is : From:name =~ /@.b/i The period is changing the interpretation of the @ sign.

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
On Fri, 27 Apr 2018, David B Funk wrote: (note the trailing 'i' makes the regex be case-insensitive so /\@A/i doesn't make sense). ...it makes precisely as much sense as /\@a/i does... :)

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
n: (Global symbol "@I" requires explicit package name (did you forget to declare "my @I"?) at /home/jhardin/develop/spamassassin/testing/test.cf, rule __FROM_NAME_TEST, line 1.) Try this: header REGLE_HF002 From:name =~ /\@A/i

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
but if my rule is header REGLE_HF002 From:name =~ /@.b/i e-mails containing From: "@Ab" < jopfef...@free.fr > or From: "@ABc" < jopfef...@free.fr > are blocked Are you specifically looking for from name that has an @-sign in it? Please provide a complete exa

Re: dropping other's email(s) as a "best practice" for hosted email?

2018-04-27 Thread John Hardin
(though notifying them isn't guaranteed if there are problems delivering to them...). If a given user wants emails to be dropped at the border I echo the request that you stop misusing the term "dropped" when you mean "rejected".

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin
t; got hit: "https://mybill.dhl.com; my{mumble}.mumble.com is targeted. I'll think about that one; the rule isn't scored highly and I could see that helping out to detect DHL phishing.

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin
xception to this rule - as many legitimate emails containing invoice attachments in pdf include the above url in the body. Fixed.

Re: regexp dealing with display name don't work

2018-04-26 Thread John Hardin
. Is it possible that your RE and the actual header display name you want to match differ in case?

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
On Fri, 20 Apr 2018, Bill Cole wrote: On 20 Apr 2018, at 14:50 (-0400), John Hardin wrote: Given your findings, I kinda suspect *all* of the tflags=multiple rules are misbehaving from time to time under 3.3.1 - the compiled code may be getting into an infinite loop somehow if the number

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
rule exceeds some value - I note there were 17 hits on "your business" there. In any case, here without Rule2XBody I am able to operate until I can get 3.4.x deployed. Please let us know whether that improves your *overall* memory/cpu hogging and timeout problems.

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
n Centos7 SA 3.4.0-2 bundled SA rpm, it works correctly. Yeah, because 3.4.x implements maxhits. So, should I disable the __GENERATE_LEADS family for < 3.4.0? I suspect it would be prudent, but I am surprised the other tflags=multiple rules aren't also problematic in the same manner...

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
s? Are the SA 3.3.1 sources different between the C6 and C7 packages? Upgrade is my option, clearly. Thanks, Chris

Re: spamc --reporttype= not working and curious log message.

2018-04-20 Thread John Hardin
^ spamc/libspamc.c: In function 'libspamc_log': spamc/libspamc.c:2239:9: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result] (void) write (2, buf, len); ^ make[1]: Leaving dir

Re: SpamAssassin 3.4.2.

2018-04-17 Thread John Hardin
suspect (3) is not practical unless we get some volunteers who are strongly familiar with the various distros and are willing to do package management. Any others?

Re: SpamAssassin 3.4.2.

2018-04-17 Thread John Hardin
update. :) RHEL 7 / CentOS 7 core is still on SA 3.4.0 - I had to manually roll my own SA 3.4.1 RPMs from Fedora SRPMs. Anybody here from RH that can commit to packaging SA 3.4.2 for a RHEL 7 core update or explain why it's behind?

Re: Differing scores on spamassassin checks

2018-04-17 Thread John Hardin
On Tue, 17 Apr 2018, John Hardin wrote: On Tue, 17 Apr 2018, Computer Bob wrote: In this way, any user can move a mail to their .SpamLearn folder and it will get learned. It is a very bad idea to do that without review unless you *strongly* trust the judgement and responsibility of your

Re: Differing scores on spamassassin checks

2018-04-17 Thread John Hardin
raining, and (2) you can easily rebuild Bayes from scratch if it goes off the rails.

Re: Differing scores on spamassassin checks

2018-04-16 Thread John Hardin
On Mon, 16 Apr 2018, Computer Bob wrote: Why should sa-learn not be run as root ? That's a general safe practice. Do as little as root as you possibly can. Why risk a root crack from an unknown bug in sa-learn that somebody has discovered and figured out how to exploit via email?

Re: Differing scores on spamassassin checks

2018-04-15 Thread John Hardin
On Sun, 15 Apr 2018, John Hardin wrote: On Sun, 15 Apr 2018, Matus UHLAR - fantomas wrote: On 15.04.18 11:55, Computer Bob wrote: Here is a root scan:  https://pastebin.com/qdXMRzKb X-Spam-Status: Yes, score=10.2 required=4.0 tests=HTML_MESSAGE, RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK

Re: Differing scores on spamassassin checks

2018-04-15 Thread John Hardin
root's database is being trained. Define a shared Bayes database that all users can read and use that.

Re: Google redirect with url shortener and undisclosed-recips

2018-04-14 Thread John Hardin
the google redirect URI, perhaps because it's in data-saferedirecturl= rather than href= ... Do we need to make the SA HTML parser aware of data-saferedirecturl= ? That appears to be a gmail-ism that SA *should* probably be aware of, if it can be used to hide spam signs.

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
anywhere locally. That's in SVN (the SA source code).

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, Giovanni Bechis wrote: On 04/13/18 09:06, Sebastian Arcus wrote: But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, Giovanni Bechis wrote: On 04/13/18 09:06, Sebastian Arcus wrote: Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule: Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
it's commented out or not present, then the masscheck process can assign however high a score it likes based on the rule's performance against the masscheck corpora. I'll take a look at that rule, I don't remember offhand what I intended it for.

Re: Google redirect with url shortener and undisclosed-recips

2018-04-12 Thread John Hardin
it to my sandbox.

Re: [OT] Re: Check for valid MX of sender and rspamd testing

2018-04-10 Thread John Hardin
Sebastian Arcus > wrote: >> Hence why I have to have a local whitelist and skip verification for >> all MX's of the form *.outlook.com (which include Microsoft cloud >> hosted domains) Sigmonster agree...

Re: how to remove T_RP_MATCHES_RCVD

2018-04-07 Thread John Hardin
On Fri, 6 Apr 2018, Matus UHLAR - fantomas wrote: It's also useless duplicate of __RP_MATCHES_RCVD header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() Cleaned that up.

Re: how to remove T_RP_MATCHES_RCVD

2018-04-06 Thread John Hardin
of anyone will try pushing any of these to SA. On 05.04.18 09:32, John Hardin wrote: The best way to disable it without breaking any meta-rules that may be using it is to set its score to 0.001 in your local config file. meta rules are supposed to use __RP_MATCHES_RCVD - this is what

Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin
be due to its use as a suppressor in some metas, but absent the full spam we can't check for that. Thanks, On 04/05/2018 09:32 AM, John Hardin wrote: On Thu, 5 Apr 2018, Motty Cruz wrote: Hello, T_RP_MATCHES_RCVD  this rule is allowing spammy emails past through. Is there a way to disable

Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin
for you?

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread John Hardin
surprised the Dr Oz rule hit *that*. I'll review it.

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-03 Thread John Hardin
On Tue, 3 Apr 2018, RW wrote: On Mon, 2 Apr 2018 11:33:27 -0700 (PDT) John Hardin wrote: On Mon, 2 Apr 2018, Amir Caspi wrote: many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. So require a minimum length

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-02 Thread John Hardin
\1[-._]\2[-._]\3\@/ Potentially lots of backtracking there, though. Fortunately the string is not apt to be very long.

Re: BODY custom rule not working if text and html parts are different?

2018-04-02 Thread John Hardin
--debug area=all,rules,rules-all < $MSG )

Re: BODY custom rule not working if text and html parts are different?

2018-04-01 Thread John Hardin
On Sun, 1 Apr 2018, John Hardin wrote: On Sun, 1 Apr 2018, Matus UHLAR - fantomas wrote: On 01.04.18 05:47, Pedro David Marco wrote: This is a problem i see oftenly... what if the URL is only in the TEXT part  and not in the HTML?  many email aplications show those URLs as clickable
