Wouldn't it be more efficient to write all the single-letter matches
like (?:s|z)? as [sz]? or does it end up not making a difference
when the regex is actually processed?
--
Kelson Vibber
SpeedGate Communications www.speed.net
), in which case BAYES_99 will be scored at 0.
--
Kelson Vibber
SpeedGate Communications www.speed.net
does check URLs as well. It's one of the signature
types. Type 8, I think.
--
Kelson Vibber
SpeedGate Communications www.speed.net
the list and not a question or comment.
--
Kelson Vibber
SpeedGate Communications www.speed.net
, you won't hear back from them. If not,
and they start sending you spam, they have no business contacting an
address that you used to UNsubscribe.) Wait.
The bottom line: be patient. It may take several weeks for them to
bite, but once they do, they won't let go.
--
Kelson Vibber
SpeedGate
further classifications.
--
Kelson Vibber
SpeedGate Communications www.speed.net
that need to be split up.
--
Kelson Vibber
SpeedGate Communications www.speed.net
-pass/
--
Kelson Vibber
SpeedGate Communications www.speed.net
false positives through whitelisting.
It was nice to see a sender that had learned to not make that mistake.
--
Kelson Vibber
SpeedGate Communications www.speed.net
. Please do
not enter any personal or financial information into this website.
So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.
*blink* *blink*
Great. Now *that's* encouraging.
--
Kelson Vibber
SpeedGate Communications www.speed.net
to a mix of real and bogus addresses. It could be
worth blocking them from hitting any real addresses after they've hit a
couple of spamtraps.
--
Kelson Vibber
SpeedGate Communications www.speed.net
mouss wrote:
Kelson wrote:
Rob Sterenborg wrote:
SM wrote:
The spam content shouldn't even be getting through as the recipient
address is invalid.
Unless you don't know who your recipients are, which may be the case
when operating a mailrelay. (I'm not saying that such situation is
optimal
efficient than the
other. They're looking at different data.
--
Kelson Vibber
SpeedGate Communications www.speed.net
with them.
MIMEDefang, also. And you can set up procmail rules to delete or
redirect mail based on the headers that SpamAssassin adds.
--
Kelson Vibber
SpeedGate Communications www.speed.net
that get hit
repeatedly and temporarily activating them, or even turning on a
catch-all for 20 seconds or so, to capture some of the messages and see
whether you're dealing with a botnet or backscatter.
--
Kelson Vibber
SpeedGate Communications www.speed.net
to an IP-based whitelist
because the unauthenticated header proved unreliable.
They changed their business model YEARS ago.
--
Kelson Vibber
SpeedGate Communications www.speed.net
in their email signatures.
We do still score blogspot URIs --- but we only add 1 point for it.
Scoring at 5 would block legit mail.
--
Kelson Vibber
SpeedGate Communications www.speed.net
MX so that it can still query that
information if/when the primary is unavailable.
Looking through the MIMEDefang mailing list archives is left as an
exercise for the reader.
--
Kelson Vibber
SpeedGate Communications www.speed.net
.
http://mimedefang.org/node.php?id=64
--
Kelson Vibber
SpeedGate Communications www.speed.net
header __SUBOFFICE Subject =~/\boffice\b/i
--
Kelson Vibber
SpeedGate Communications www.speed.net
you put the zeroed-out scores in
your local config dir (i.e. /etc/mail/spamassassin or the like) so that
they won't be overwritten the next time you upgrade and/or run sa-update.
--
Kelson Vibber
SpeedGate Communications www.speed.net
anything about spam from an authorized source? The problem
*being discussed* is spam with a forged sender address, causing bounce
notices to go to an innocent third party.
--
Kelson Vibber
SpeedGate Communications www.speed.net
listed IP
addresses (which is already in the default rule, RCVD_IN_DSBL).
--
Kelson Vibber
SpeedGate Communications www.speed.net
Rick Macdougall wrote:
I'm an ISP and we use 5 to mark and 10 to reject at smtp time (not
bounce, smtp reject 551).
Same here. Dropping below 5 would cause way too many false positives.
--
Kelson Vibber
SpeedGate Communications www.speed.net
a disconnect here.
I assume everyone here has heard the joke about the difference between
theory and practice?
--
Kelson Vibber
SpeedGate Communications www.speed.net
this helps.
--
Kelson Vibber
SpeedGate Communications www.speed.net
.
--
Kelson Vibber
SpeedGate Communications www.speed.net
/chech.html
Let's remember that these essays are matters of individual opinion, not
statements of indisputable truth handed down from on high.
--
Kelson Vibber
SpeedGate Communications www.speed.net
it regularly for web
browsing. I just set up email on my copy of Opera 9.5 (the latest
release), and hit Compose to see what would happen.
The text you're seeing is the default signature.
--
Kelson Vibber
SpeedGate Communications www.speed.net
company, we need to add it to the list because it isn't a free email
service?
I don't think that's going to save much effort.
--
Kelson Vibber
SpeedGate Communications www.speed.net
server has been down for a few days.
--
Kelson Vibber
SpeedGate Communications www.speed.net
on the server.
--
Kelson Vibber
SpeedGate Communications www.speed.net
, but you have no control over how long it'll
really take for them to try again.
--
Kelson Vibber
SpeedGate Communications www.speed.net
be (assuming you haven't done these already):
Run sa-update
Turn on Razor2 and Bayes
Grab the sare_specific ruleset
Run sa-learn on the messages.
--
Kelson Vibber
SpeedGate Communications www.speed.net
frequently, and I
know there are programs that will work with Postfix and other mail
servers that will do the same kind of thing.
We've used MIMEDefang www.mimedefang.org quite successfully for
several years, and I'd definitely recommend it.
--
Kelson Vibber
SpeedGate Communications
Logan Shaw wrote:
For what it's worth, I haven't added my own rules (yet), but
I believe those are done in a separate place, so the fact that
one set is substituted for another shouldn't cause problems.
Yes, local rules go in their own directory, usually /etc/mail/spamassassin
--
Kelson
John D. Hardin wrote:
On Tue, 27 Jun 2006, Kelson wrote:
Until something
comes along that (a) handles all the formatting that people want to be
able to do, including adding silly backgrounds, changing the font or
color for no reason,
Why in the world do we need to support/encourage
This line from the article:
Image spam can also tax e-mail systems because each message is about
7.5 times larger than regular spam, Sprosts said.
...reminds me of an old(ish) saying I once read:
A picture had better be worth a thousand words -- it takes up a lot
more disk space!
--
Kelson
of your trusted networks area.
check_uridnsbl* tests look up the domain names in URLs that appear in the
body of the message -- in other words, they look at links.
P.S. in the future, please start a new thread instead of replying to an
old one with a completely different topic.
--
Kelson Vibber
to be supported for several years, unlike Red Hat 9,
which lost official support two years ago and will likely lose the
unofficial support from Fedora Legacy within the next 6 months to a year.
--
Kelson Vibber
SpeedGate Communications www.speed.net
Loren Wilton wrote:
If this web form isn't high volume, you could format the form input as a
mail message and pipe it to spamassassin, then check the result.
Also, if the web form is written in Perl, you could access the
SpamAssassin Perl modules directly.
--
Kelson Vibber
SpeedGate
of
$country. The body is just the 2-line signature applied by the free
email provider.
--
Kelson Vibber
SpeedGate Communications www.speed.net
a las dos y media. is Spanish, it only
cares whether it's seen the words Necesito, ir, casa, etc. more
often in ham or in spam.
--
Kelson Vibber
SpeedGate Communications www.speed.net
appropriately and thoroughly. In fact the scammer's end was quite
cathartic.
So this story would fall under the category of Science fiction that you
wish would be fact, right?
--
Kelson Vibber
SpeedGate Communications www.speed.net
on it will (a) throw this warning and (b) assume a
value of false for that condition.
--
Kelson Vibber
SpeedGate Communications www.speed.net
Evan Platt wrote:
I'm getting hammered with short spams. Basically one line, a URI, then
about 2 more lines.
...
Any rules that would help these?
Enable network tests. URIBL rules were basically invented for this type
of spam, and they tend to work quite well.
--
Kelson Vibber
SpeedGate
Yeah. A link to a blank hostname. *That's* gonna work.
More quotes at http://tinyurl.com/prv8z if anyone's interested.
--
Kelson Vibber
SpeedGate Communications www.speed.net
in perspective, there are plenty of people who would
say the exact same thing, except substituting US for UN and George
W. Bush for Kofi Annan. Even the comparison to Palpatine.
Now, back on the subject of actually fighting spam...
--
Kelson Vibber
SpeedGate Communications www.speed.net
it to a keystroke logger and
capture the password that way.
--
Kelson Vibber
SpeedGate Communications www.speed.net
for both incoming and outgoing
mail, it's a bit trickier. You have to set up your system to either not
run SpamAssassin on submitted mail, or run SA with a different config.
--
Kelson Vibber
SpeedGate Communications www.speed.net
I received a stock spam this morning. The randomly generated sender
name was, and I kid you not...
Bagle variant
Somehow, that wouldn't surprise me at all!
--
Kelson Vibber
SpeedGate Communications www.speed.net
there somewhere...
--
Kelson Vibber
SpeedGate Communications www.speed.net
Mathias Homann wrote:
Kelson Vibber schrieb:
Simple answer: don't whitelist your own address. Some spammers will do this
deliberately, hoping it will get them past filters.
I understood as much, but how exactly do I do that, in terms of mysql-stored
spamassassin user
preferences? If I use
Daryl C. W. O'Shea wrote:
Actually spelled correctly but I picked the wrong synonym. So it was a
case of synonymitis. (Yeah, I admit I am prone to neologisms.)
{^_-}
Nope. righting isn't a synonym for writing. :p
Homophonitis, perhaps?
--
Kelson Vibber
SpeedGate Communications
through zombies, the spammer isn't
using their own CPU time, they're using some random person's home CPU.
They can send the same amount of spam in the same amount of time *and*
add the hashcash signatures just by using a bigger botnet.
--
Kelson Vibber
SpeedGate Communications www.speed.net
decoder wrote:
This would slow spammers down by a factor of 10-100 or more per
compromised machine (depending on whether the messages sent are sent
individually or to many users at once).
So they get a bigger botnet. There's no shortage of compromised
machines out there.
--
Kelson Vibber
at spamassassin.apache.org
--
Kelson Vibber
SpeedGate Communications www.speed.net
jdow wrote:
Somebody who wrote the rule had a sense of humor, I suspect.
...
2.6 ALL_NATURAL BODY: Spam is 100% natural?!
I wonder if it dates back to the time of the original PURE_PROFIT rule,
which was described as something like, Profit is dirty, not pure
--
Kelson Vibber
SpeedGate
the outside or other untrusted mail.
* Dialup/Dynamic IP RBLs misfiring for properly relayed mail.
* Dialup/Dynamic IP RBLs not catching direct-delivered mail.
* whitelist_from_rcvd fails to match.
* SPF tests misfiring (failing when they should pass and vice versa)
--
Kelson Vibber
SpeedGate
structure but no content in either
part. Scored an easy 6.1, and not without justification, as no legit
mailer would deliberately send this sort of message. (Accidentally, on
the other hand...)
I've been meaning to report the error to them.
--
Kelson Vibber
SpeedGate Communications www.speed.net
from one installation method to another, you should
completely uninstall the older version first.
--
Kelson Vibber
SpeedGate Communications www.speed.net
is:
score NAME_OF_RULE 0
--
Kelson Vibber
SpeedGate Communications www.speed.net
a native mail client (because
generally speaking, it doesn't), but that it does email more
*conveniently*. Zero install, minimal configuration, virtually infinite
portability, and you can let someone else worry about your backups.
--
Kelson Vibber
SpeedGate Communications www.speed.net
!
--
Kelson Vibber
SpeedGate Communications www.speed.net
conditions, and exposing the mail server to potential
malware, there are plenty of URLs which perform actions that the user
might want to have some say in, such as:
- Unsubscribe links
- Web bugs
- Survey results
- Moderation decisions (click URL A to accept, URL B to reject)
and so on.
--
Kelson
. The link could be to a
redirect script, or to a download script that provides a
content-disposition header:
http://server/path/to/evil/but/innocuous/looking/file
--
Kelson Vibber
SpeedGate Communications www.speed.net
, such that the server will execute the EXE and output
HTML, not offer the EXE for download.
.com will, of course, be a challenge.
--
Kelson Vibber
SpeedGate Communications www.speed.net
duplicates.
--
Kelson Vibber
SpeedGate Communications www.speed.net
to consider moving to something a bit
more...well, supported than Red Hat 9. Even Fedora Legacy is dropping
it at the end of the year. Centos 3 www.centos.org is a good bet,
since it's based on RHEL 3, which is based on RH9, and will continue to
get security updates through 2010.)
--
Kelson Vibber
)
1.7 MSGID_DOLLARS Message-Id has pattern used in spam
1.9 RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
--
Kelson Vibber
SpeedGate Communications www.speed.net
-in function, action_replace_with_url, which
does exactly what you want.
--
Kelson Vibber
SpeedGate Communications www.speed.net
/spamassassin/FuzzyOcrPlugin
Drawback: it needs lots of CPU and extra time per message (more
precisely, per message with attached images). YMMV.
--
Kelson Vibber
SpeedGate Communications www.speed.net
attack.
--
Kelson Vibber
SpeedGate Communications www.speed.net
38,500 pixels?
--
Kelson Vibber
SpeedGate Communications www.speed.net
anyway, *after* verifying it.
--
Kelson Vibber
SpeedGate Communications www.speed.net
made to local.cf, none of them had
anything to do with RDJ.
--
Kelson Vibber
SpeedGate Communications www.speed.net
,
or /etc/sysconfig/rulesdujour depending on what fits best with your
system layout.
--
Kelson Vibber
SpeedGate Communications www.speed.net
Giampaolo Tomassoni wrote:
Any suggestion to spread a spamtrap e-mail address?
Subscribe it to some mailing lists. Make a few posts, preferably using
the address in your signature. Unsubscribe it. Then wait for spammers
to crawl the list archives.
--
Kelson Vibber
SpeedGate
your money (at least, not directly) --
they're phishers trying to get your eBay login and password.
--
Kelson Vibber
SpeedGate Communications www.speed.net
to gracefully handle these conditions, and
no one seems to have picked it up to patch it.
--
Kelson Vibber
SpeedGate Communications www.speed.net
on how you use it.
--
Kelson Vibber
SpeedGate Communications www.speed.net
.
--
Kelson Vibber
SpeedGate Communications www.speed.net
thoroughly. They just made sure that the city, state and zip code
matched. Strangely, they had a lot of users living in Beverly Hills, 90210.
--
Kelson Vibber
SpeedGate Communications www.speed.net
generally, I don't think it's our place to decide what users can
and can't do without among email that they've actually requested. False
positives are one thing. *Deliberately* blocking something on the
grounds that it's not necessary? That's something else.
--
Kelson Vibber
SpeedGate
your programs or
manually search through 20 levels of RPM hell just to install one program.
--
Kelson Vibber
SpeedGate Communications www.speed.net
Mike Woods wrote:
The ultimate windows security accessory, A pair of scissors to cut the
power cable :D
A truly shocking idea!
--
Kelson Vibber
SpeedGate Communications www.speed.net
Jon D. Slater wrote:
What rule set do you suggest for the spoof Paypal and eBay spam (and
assorted fake links to assorted banks and credit unions).
70_sare_spoof will catch some of them.
--
Kelson Vibber
SpeedGate Communications www.speed.net
. Last I remember
reading, he said he was looking into another way to do it.
--
Kelson Vibber
SpeedGate Communications www.speed.net
, score sets are:
0 - no bayes, no network
1 - no bayes, network
2 - bayes, no network
3 - bayes, network
This does mean that the score used for autolearn isn't quite the same as
just taking the real score and subtracting/adding the bayes score.
--
Kelson Vibber
SpeedGate Communications www.speed.net
of spam that
simulates real mail more effectively, or that manages to get
auto-learned in the initial SA process (if you have auto-learn enabled).
--
Kelson Vibber
SpeedGate Communications www.speed.net
Razor, DCC, and Bayes have been catching these handily here, with
occasional header tests. They've all hit in the 5.5-10 range.
I think this is the next stage of the So-and-so wrote: spams, which
would explain where my Bayes DB got the data.
--
Kelson Vibber
SpeedGate Communications
list is more likely to be able to answer your question.
--
Kelson Vibber
SpeedGate Communications www.speed.net
, and those haven't been run through SA in the first place.
I've concluded the subject line is a trap. They make it so consistent
that it just begs to be targeted, then they change it to another
consistent rule just to yank our chains and keep us busy.
--
Kelson Vibber
SpeedGate Communications
. Also, keep in
mind that sa-update puts new rules in /var/lib/spamassassin rather than
/usr/share/spamassassin.
For now, I'd suggest uninstalling the spamassassin RPM and any dependent
RPMs, wiping /usr/share/spamassassin, and reinstalling the RPM using yum.
--
Kelson Vibber
SpeedGate
is the email address itself.
--
Kelson Vibber
SpeedGate Communications www.speed.net
using action_bounce as the command to reject a message, and the
log info matches that.
AFAIK it hasn't been renamed for the same reason that SpamAssassin's
auto-whitelist hasn't been renamed.
--
Kelson Vibber
SpeedGate Communications www.speed.net
Matthias Haegele wrote:
iirc: local.cf would be a good place since it overwrites other rules
(which might get updated and your changes overwritten) ...
I think he meant where to submit it as a suggested change to the actual
ruleset...
--
Kelson Vibber
SpeedGate Communications www.speed.net
.
--
Kelson Vibber
SpeedGate Communications www.speed.net
at the phrase, Make it huge with
nanotechnology. Part of it is the huge/nano contrast, but make it
huge sounds more typical of another category of spam entirely...)
--
Kelson Vibber
SpeedGate Communications www.speed.net
to a certain
recipient and from .
--
Kelson Vibber
SpeedGate Communications www.speed.net