On Tue, 17 Jun 2008, John Hardin wrote:
There is your problem right there. Bayes will not start classifying
messages until you have taught at least 100 each of ham and spam.
Make that 200. D'oh!
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED
it is interfering with authenticated external connections, then
you need to ask the qmail list why that is happening. Authenticated
connections should *not* be affected by the blacklists you use.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic
On Tue, 2008-06-17 at 21:28 -0500, Chris wrote:
On Tuesday 17 June 2008 10:29 am, John Hardin wrote:
On Tue, 17 Jun 2008, ram wrote:
2.8 L_NOTVALID_GMAIL L_NOTVALID_GMAIL
What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ?
They're related to DKIM. Google
mail client can probably support a rule that will move
tagged messages to a different folder, or delete them.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
On Wed, 2008-06-18 at 07:45 -0700, almaren wrote:
John Hardin wrote:
Tell us what does delivery (e.g. procmail) in your environment and
someone may be able to tell you how to configure delivery of spammy
messages to a spam folder.
I'm running qmail as MTA and courier-imap
\])
by arran\.svcolo\.com (/
score XX -5
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 2008-06-19 at 20:54 -0700, John Hardin wrote:
header XX Received =~ /from \S+\.svcolo\.com (\S+ \[10\.\d\.\d\.\d\]) by
arran\.svcolo\.com (/
score XX -5
Oops. Need some plusses in there...
/from \S+\.svcolo\.com (\S+ \[10\.\d+\.\d+\.\d+\]) by arran\.svcolo\.com
(/
--
John
On Fri, 20 Jun 2008, mouss wrote:
John Hardin wrote:
On Thu, 2008-06-19 at 20:54 -0700, John Hardin wrote:
header XX Received =~ /from \S+\.svcolo\.com (\S+ \[10\.\d\.\d\.\d\])
by arran\.svcolo\.com (/
score XX -5
Oops. Need some plusses in there...
/from \S+\.svcolo\.com (\S
to 6.2? All of the stock rules
are tuned for 5.0, increasing the required score will increase your FN
rate.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
On Fri, 20 Jun 2008, Jo Rhett wrote:
On Jun 19, 2008, at 9:21 PM, John Hardin wrote:
/from \S+\.svcolo\.com (\S+ \[10\.\d+\.\d+\.\d+\]) by arran\.svcolo\.com (/
You actually need some backslashes too, but I figured it out. Thanks.
D'oh!
See my other note about trusted_hosts breaking all
On Fri, 20 Jun 2008, Jo Rhett wrote:
On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
10.x is (supposedly) not routable on the public internet. If you see 10.x
(or other RFC-1918) traffic coming in from the world, your ISP is broken.
You don't run packet sniffers on your hosts much, do you
On Mon, 23 Jun 2008, McDonald, Dan wrote:
But I'm not convinced that twiddling with fake MX records will reduce
your spam level any.
Cue Mr. Perkel... :)
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL
that Justin can probably help you with.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
happening, why worry?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
should set JM_SOUGHT_3_ADJ to -1.8 if you want to get a net score of 2.2
for SOUGHT ruleset #3.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
On Tue, 24 Jun 2008, Theo Van Dinter wrote:
Has anyone thought to ask JM to make sure that 3 rules are always generated,
even if the third one is empty ala:
meta JM_SOUGHT_3 0
thereby skipping all of the kluging suggestions to work around it?
No. Kludging is fun.
--
John Hardin KA7OHZ
administrative stuff to their
systems.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 26 Jun 2008, Florian Lindner wrote:
On 26.06.2008 at 18:26, John Hardin wrote:
On Thu, 26 Jun 2008, Florian Lindner wrote:
Hello,
I use (honestly: I plan) the following procedure to filter my spam using
SA:
All mails are piped through spamc. (emails for my family and me
family I want to leave it as it is.
Fair enough.
Can I use two different bayes DBs? One for my family without training (just
the auto train functions) and one for me that is trained?
...that I don't know. Others may be able to comment.
--
John Hardin KA7OHZhttp
On Fri, 27 Jun 2008, Jason Marshall wrote:
Is there a way to determine how far along in the initial 200-spam+200-ham
training a given user is? Everyone has their own Bayes databases.
Have that user run sa-learn --dump magic
--
John Hardin KA7OHZhttp://www.impsec.org
is invoked.
Another alternative if you're using sendmail is to use milter-regex to
look for that IP in a Received: header and reject the message with a 550
at SMTP time.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk
think it would be harder to add other offending IPs in
the future.
Not at all ...
You can even drop the IP with a route command.
Do: route add -host ip reject
Not if the IP address you want to block is several MTA relay hops
removed from you.
--
John Hardin KA7OHZ
this check against whois, but that's likely to
be considered abusive. Look under here:
http://www.impsec.org/~jhardin/antispam/
I'm not currently maintaining it, and the evil registrar list is stale
and certainly not comprehensive.
--
John Hardin KA7OHZhttp
from.
But it may tell you something useful about URIs within the message.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Wed, 2 Jul 2008, Marc Perkel wrote:
John Hardin wrote:
On Wed, 2 Jul 2008, Marc Perkel wrote:
Is there an easy way to detect the registrar of a domain through DNS?
For example - can I easily figure out if an email I'm processing is
hosted by GoDaddy or Tucows?
Registrar
name
doesn't get infected with a spambot?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 2008-07-03 at 05:59 +0300, Henrik K wrote:
On Wed, Jul 02, 2008 at 12:08:43PM -0700, John Hardin wrote:
On Wed, 2 Jul 2008, Marc Perkel wrote:
Again - it's not to figure out where spam comes from. It's figuring out
where non-spam comes from. I think there are registrars out
On Mon, 2008-07-07 at 07:58 +, Tobias Eichner wrote:
From John Hardin:
Wild-ass guess: do you have autolearn enabled, and a reboot script that
clears the Bayes database?
Yes, autolearn is enabled, but I just did the standard installation via
CPAN... not sure if this included
and the message is not already
BAYES_00 or the score is high and the message is not already BAYES_99.
However, this would be cloning users' mail (even if only temporarily),
and you should obtain their consent before doing this.
--
John Hardin KA7OHZhttp://www.impsec.org
not getting picked up.
Are you sure you're checking the correct config file?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
I'm editing.
That's the sitewide config file, though, and the debug output explicitly
says [EMAIL PROTECTED] is not in user's
WHITELIST_FROM_SPF.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key
. That won't require all users
to use IMAP, with the resulting storage requirements on the server.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
a look in http://www.impsec.org/~jhardin/antispam/
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Mon, 22 Feb 2010, RW wrote:
Why does T_FROM_MISSPACED score 0.0, when its score isn't defined?
Rounding. The actual defined score is 0.01, so it rounds down when
reported.
X-Spam-Report:
...
* 0.0 T_FROM_MISSPACED From: missing whitespace
--
John Hardin KA7OHZ
On Mon, 22 Feb 2010, RW wrote:
On Mon, 22 Feb 2010 08:05:10 -0800 (PST)
John Hardin jhar...@impsec.org wrote:
On Mon, 22 Feb 2010, RW wrote:
Why does T_FROM_MISSPACED score 0.0, when its score isn't defined?
Rounding. The actual defined score is 0.01, so it rounds down when
reported
On Mon, 22 Feb 2010, RW wrote:
I'm aware of __* rules, but I'd not noticed T_* rules before. And
looking back through my spam I don't see any hits until a couple of
weeks ago, so presumably something has changed.
Wait, you're seeing this in a live SA install?
--
John Hardin KA7OHZ
On Mon, 22 Feb 2010, Art Greenberg wrote:
On Mon, 22 Feb 2010, John Hardin wrote:
On Mon, 22 Feb 2010, RW wrote:
I'm aware of __* rules, but I'd not noticed T_* rules before. And
looking back through my spam I don't see any hits until a couple of
weeks ago, so presumably something
On Wed, 24 Feb 2010, Chip M. wrote:
Note that an IP-based exception must be made for Paypal (the From
domain is always different for user transactions).
I'd wager whitelist_auth is a better way to do that.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
On Wed, 24 Feb 2010, Dennis B. Hopp wrote:
I guess it doesn't really matter since the message was actually hitting
another rule (T_LOTS_OF_MONEY) that I somehow missed.
It also hits some of the testing ADVANCE_FEE_NEW rules. I hope to bring
those live soon...
--
John Hardin KA7OHZ
On Thu, 25 Feb 2010, ram wrote:
http://pastebin.com/6c9sEEn9
I still see a lot of junk mail coming with different characters; I do not
even read them clearly.
How can I stop those kinds of emails?
Reject languages you can't read at SMTP time?
--
John Hardin KA7OHZhttp
On Thu, 25 Feb 2010, Dennis B. Hopp wrote:
What is the HK_MUCHMONEY rule that you have? Is that part of the base
SA installation?
It's a sandbox rule that got promoted. I'm working on a set of money rules
that will supersede it.
--
John Hardin KA7OHZhttp
On Thu, 25 Feb 2010, Jason Bertoch wrote:
On 2/25/2010 6:26 PM, Karsten Bräckelmann wrote:
Please, guys, let it go. If you *know* this ain't the right place,
stop it.
+1
+1
Please take it to alt.advocacy.spf.headdesk.headdesk.headdesk
--
John Hardin KA7OHZhttp
it tiresome, bothersome, pointless, or all of
the above. ...
/out
The forward issue is definitely an annoyance. But SPF has a problem in
that as the supporters admit, it doesn't block spam, ...
Followups-To: alt.advocacy.spf.headdesk.headdesk.headdesk.headdesk.headdesk
--
John Hardin KA7OHZ
On Sat, 27 Feb 2010, Michael Dilworth wrote:
<style>
garbage...
</style>
If you're looking for nonsense STYLE content, take a look in my sandbox.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key
respectfully suggest this may no longer be a reasonable
position, at least for plain text and HTML attachments...
Please correct me if I've misunderstood.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key
On Mon, 1 Mar 2010, Benny Pedersen wrote:
On Mon 01 Mar 2010 02:37:37 CET, John Hardin wrote
I've suggested this before, but the current position appears to be if the
MUA doesn't display it automatically, why should we scan it?
same goes for just enter this url when the sender was tired
well in a meta rule with certain buzz phrases from
the text portions of the e-mail.
...or look into the TextExtract plugin as Benny suggested.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key
||
OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH)
describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
endif
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C
On Tue, 2 Mar 2010, John Hardin wrote:
Would you be willing to test this and see how well it does in practice?
{grumble} reply-to {grumble}
Sorry for spamming the list with this, it was meant just for Chip.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
}/\..(?!/);
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Mon, 8 Mar 2010, Ned Slider wrote:
John Hardin wrote:
On Mon, 8 Mar 2010, Ned Slider wrote:
So I've refined the rule to specifically exclude hitting on the sequence
../. which stops the rule triggering on multiple relative paths.
uriLOCAL_URI_HIDDEN_DIR/(?!.{6
scheduled at a time when your inbound email volume is low.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
you post the original headers.
It looks like a simple matter of a very short spam with a URI that wasn't
broadly recognized as bad the first time you saw it. Train your bayes with
it, and consider adding greylisting to give the URIBLs a chance to get
updated with new spam domains.
--
John
On Wed, 10 Mar 2010, Stephen Carville wrote:
On Wed, Mar 10, 2010 at 9:14 AM, John Hardin jhar...@impsec.org wrote:
It looks like a simple matter of a very short spam with a URI that
wasn't broadly recognized as bad the first time you saw it. Train your
bayes with it, and consider adding
On Mon, 8 Mar 2010, Ned Slider wrote:
John Hardin wrote:
On Mon, 8 Mar 2010, Ned Slider wrote:
So I've refined the rule to specifically exclude hitting on the
sequence ../. which stops the rule triggering on multiple relative
paths.
uriLOCAL_URI_HIDDEN_DIR/(?!.{6
options won't work.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
who have authenticated against your MTA. Please check the list
archives and the Wiki.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
On Tue, 16 Mar 2010, Ron wrote:
On 3/16/2010 12:51 AM, John Hardin wrote:
Are you authenticating your users in any way? There are ways to
whitelist users who have authenticated against your MTA. Please check
the list archives and the Wiki.
yes i am using vchkpw to auth users. are you
in the
first place.
regards
Ron
On 3/16/2010 11:16 PM, John Hardin wrote:
On Tue, 16 Mar 2010, Ron wrote:
On 3/16/2010 12:51 AM, John Hardin wrote:
Are you authenticating your users in any way? There are ways to
whitelist users who have authenticated against your MTA. Please check
On Tue, 16 Mar 2010, John Hardin wrote:
header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by
mail\.pinoyonthego\.net/
Watch the line wrap on that...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174
72_active.cf.
I'll look into it.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 18 Mar 2010, John Hardin wrote:
On Fri, 19 Mar 2010, Mark Martinec wrote:
On Thursday March 18 2010 23:18:56 Justin Mason wrote:
that's CPU-bound, no system calls = regexp matching. body, rawbody
or full rules.
Yes, it's terrible, takes 4 minutes here (SA 3.3, perl 5.10.1
Save another version of your rules encoded in windows-1251?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Thu, 18 Mar 2010, John Hardin wrote:
On Thu, 18 Mar 2010, John Hardin wrote:
On Fri, 19 Mar 2010, Mark Martinec wrote:
The offending rule is FILL_THIS_FORM_LONG from 72_active.cf.
I'll look into it.
Fix is in local masscheck testing.
Fix committed.
--
John Hardin KA7OHZ
out, rpm -e {fileglob} doesn't work because the
fileglob returns filenames, _not_ package names.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
to
whitelist them and offset legitimate results like those above.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
.
What else hit on that message?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Mon, 22 Mar 2010, Jason Bertoch wrote:
On 2010/03/22 12:26 PM, John Hardin wrote:
On Mon, 22 Mar 2010, Jason Bertoch wrote:
Should FREEMAIL_REPLY really be looking in attachments
Sure. Just looking at the presence of freemail domains, there's nothing
to distinguish the mail you got
the mail from
a suspicious IP address is legitimate and wanted.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
On Mon, 22 Mar 2010, weirdbeardmt wrote:
What else can I try?
Running it on a *NIX box like God intended?
GDR... :)
To be serious, have you considered setting up a Linux VM that is dedicated
to hosting spamd?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
On Mon, 22 Mar 2010, weirdbeardmt wrote:
John Hardin wrote:
To be serious, have you considered setting up a Linux VM that is
dedicated to hosting spamd?
If only it was that simple. SA is actually required as a component of a
bigger system which actually has NO business being near a Windows
- and 12 hours of bayes data
isn't that many rows.
My first response to those symptoms as a DBA is to ask, is there a missing
(or disabled) index? It sounds like full table scans rather than proper
indexed lookups.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
received.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
and then. Ahh but the learning db might be an issue
oh well just a thought.
A second VM hosting the bayes DB on MYSQL or Postgres. That way you can
drop-in upgrade the SA vm without destabilizing the bayes DB VM.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
of bots.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
a user is actually waiting on.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
sufficiently
restricted that unlimited globs can't affect SA's performance?
URIs are already restricted to the URI itself so you don't need to worry.
You might want to do them anyway for consistency's sake, and to help
develop the habit.
--
John Hardin KA7OHZhttp
for the IP spaces
you trust and add some negative points.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
deliver the message unscanned, or return it to the queue to
try again later.
I have to ask, is your mail really so time-critical that you're not
willing to wait two minutes for spamd to do its job?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
On Tue, 6 Apr 2010, Ned Slider wrote:
uri LOCAL_URI_BITLY m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY contains bit.ly link
bit.ly is a legitimate URL-shortening service. Are you sure you want to
penalize them?
--
John Hardin KA7OHZ
On Tue, 6 Apr 2010, Ned Slider wrote:
John Hardin wrote:
On Tue, 6 Apr 2010, Ned Slider wrote:
uri LOCAL_URI_BITLY m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY contains bit.ly link
bit.ly is a legitimate URL-shortening service. Are you sure you want
...
I'll throw it in the sandbox and see what likely combinations present
themselves. It'll take a couple of days.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Watch
On Thu, 8 Apr 2010, ram wrote:
On Thu, Apr 8, 2010 at 12:27 AM, John Hardin jhar...@impsec.org wrote:
On Wed, 7 Apr 2010, ram wrote:
I need to create a separate user for this like s...@domain.com, is this
correct?
No, you don't _need_ a special user in your domain to catch spam
...?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
of the mail server? If they are connecting to the
_public_ IP address then the fact that they are using a VPN is probably
irrelevant as traffic isn't traversing the VPN.
I suspect this is a VPN configuration issue, not a SA issue.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin
On Tue, 13 Apr 2010, Christer Boräng wrote:
__TO_EQ_FROM_1 and _2 in 72_matching.cf triggers on emails where To:
isn't the same as From: in certain conditions.
Thanks, I'll take a look at those.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
the last character of the addr-spec. If that character exists
in the last of the two headers, the rule will match.
Fix committed.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79
On Wed, 14 Apr 2010, Jari Fredriksson wrote:
Please do not post spammy mail to the list (it poisons our Bayes with
spammy tokens with hammy score).
If you're running SA list emails through SA you deserve what you get. :)
--
John Hardin KA7OHZhttp://www.impsec.org
. All messages from the SA list should be hammy.
A mailing list about spam detection shouldn't discuss actual samples of
spam to detect?
The primary reason for posting samples to pastebin et al. is to prevent
the mangling that sending them through the mail will inevitably cause.
--
John Hardin
On Fri, 16 Apr 2010, Benny Pedersen wrote:
On Wed 14 Apr 2010 23:28:38 CEST, John Hardin wrote
Please do not post spammy mail to the list (it poisons our Bayes with
spammy tokens with hammy score).
If you're running SA list emails through SA you deserve what you get. :)
for sa 3.3.2
On Sat, 17 Apr 2010, Alex wrote:
I'm hoping someone can help me with a rule to catch URI spam variation
from freemail domains:
http://pastebin.com/SkrKykYj
You might want to look into the old Chickenpox rule.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar
that Chicken pox has recently are primarily due to
non-English languages. If your mail stream includes non-English text, you
might look into the FP rate and consider a meta with the charset or some
other language indicator to reduce the score for it on non-English
messages.
--
John Hardin KA7OHZ
On Sat, 17 Apr 2010, Benny Pedersen wrote:
meta SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
if one of the corpus maintainers like to add it into their rule set, then
please do, John ?
Checked into my sandbox as __SPF_FULL_PASS
It should appear on ruleqa in a couple of days.
--
John Hardin
dependice, why care ?
You're kidding, right, Benny?
Why care that the ISP providing my IP addresses can't be bothered to
properly manage it?
Are you saying that freemail services or ISP-provided mail accounts are
all anyone needs?
--
John Hardin KA7OHZhttp
is generating.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
publishing valid SPF records for their sources and thus
whitelisting themselves to you?
Whitelisting on SPF Pass + specific trusted domains is reasonable, and
the place to do that is in your MTA.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
is reasonable, and
the place to do that is in your MTA.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
?
MIME_BASE64_BLANKS - verify that your body parts are being encoded into
base64 properly.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
legitimate mailer daemon
notifications as ham so that it will learn the difference.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79