How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
Hi - I created a FULL rule that works fine with html in plain text. However, if the html is base64 encoded, FULL rules don't appear to work. A RAWBODY rule doesn't work either, because it doesn't ignore line breaks. Any ideas? Thanks. - Mark

Re: How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
/s didn't appear to work for rawbody in version 3.1.8. But I just tried it on a different system running 3.2.5, and it works there. Sorry about posting my question before testing my problem on a newer version! - Mark Karsten Bräckelmann wrote: On Sun, 2010-02-28 at 12:00 -0500, Mark London

False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418 for [EMAIL PROTECTED]; Tue, 18 Oct 2005 18:07:52 -0400 Received: from

Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
-xx.dsl.pltn13.pacbell.net Why? Mark At 7:29 PM -0400 10/18/05, Matt Kettler wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id

Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Mark London wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418 for [EMAIL PROTECTED]; Tue, 18 Oct 2005 18

Re: Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Thanks for the info! Daryl C. W. O'Shea wrote: Mark London wrote: Mark London wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: This causes spamassassin to flag it with: HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR Received

Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
I use the body command to test for phrases. This was working great, until a spammer started to use double spacing in his email, and the phrases were split up by empty lines. Is there any way around this? I've tried everything, including using full and rawbody, but I still can't find a way to

Re: Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
Loren Wilton lwilton at earthlink.net writes: It might be impossible on full, if the message is encoded, since full will see the encoded text. It may or may not be impossible on body, depending on the version you are running and a handful of other things. Sometimes body gets broken up into

Re: What's does m{} do ?

2005-12-27 Thread Mark London
Sorry, I wasn't clear about my question, which is why is m{} used in that test rather than simply //, or are they identical? (There are only a couple of tests which use m{} in Spamassassin).

What's the difference between the T_SMF_FM_FORGED_REPLYTO rule and the FREEMAIL_FORGED_REPLYTO rule?

2014-09-09 Thread Mark London
The T_SMF_FM_FORGED_REPLYTO rule was recently added I think, and it looks identical to FREEMAIL_FORGED_REPLYTO. A mistake, or is there a reason for both? - Mark

Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London
that increases the spam scores, for emails from these and other domains, that are now popular with spammers. Mark London

Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London
On 9/29/2014 12:58 PM, Mark London wrote: On 9/29/2014 4:21 AM, users-digest-help@spamassassin.apache.org wrote: From: Lorenzo Thurman lore...@thethurmans.com Date: 9/26/2014 10:59 PM I’ve been using spamassassin for a number of years with excellent results. But, now over the last month or so

OFF TOPIC: A cartoon spam joke.

2014-11-20 Thread Mark London
OFF TOPIC: I was amazed to see this cartoon, since so many people probably won't get the joke! http://bizarro.com/comics/november-15-2014/ - Mark

Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London
Hi - We received an email with several large postscript attachments, and the content type was "text/plain". This caused our spamassassin server to use up 100% CPU, parsing the attachments as text. I temporarily disabled spam scanning to allow the message to go through. How can I prevent

Re: Re: Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London
On 6/8/2016 1:20 PM, John Hardin wrote: On Wed, 8 Jun 2016, Mark London wrote: Hi - We received an email with several large postscript attachments, and the content type was "text/plain". This caused our spamassassin server to use up 100% CPU, parsing the attachments as

Re: SpamAssassin does not scan consistently

2017-02-11 Thread Mark London
yed for too long a time period. Mark London Natick, May

Spam URLs based on my email address!

2016-09-29 Thread Mark London
This was an email message sent to my markrlon...@gmail.com account. Note the hostname of markrlondon23474.seksizlex.co! - Mark SrC="markrlondon23474.seksizlex.co/PFDWKUMKLVZ-NNHSLPKXP!uvobp/ralzgcsh~v/460142604-11776440226-8559896522279839070966966999minh9795dx9n/cazhla-db00zaabb/NZV~VJM"

Re: Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
I'm not using dns forwarding. Sent from my iPhone > On Dec 6, 2016, at 5:13 PM, Reindl Harald <h.rei...@thelounge.net> wrote: > > get rid of dns forwarding and use dns servers with *real* recursion, that > topic makes people sick after so many years > >> Am 06.12

Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
Hi - Around 7PM yesterday (US eastern time), I started seeing URIBL_BLOCKED, and it didn't go away after midnight. I tried switching to one of our other local name servers, and that didn't help. I've been using this service for many years. Do you know if their policy has changed? Thanks.

Spam with tons of lines with garbage characters, preceded by

2017-07-19 Thread Mark London
Hi - Sorry if this has been discussed before. I'm seeing a lot of html spam with a few links, followed by a line that just contains

Re: FROM header with two email addresses

2017-10-16 Thread Mark London
Hi - I received a spam message with the following double From address: From: struth...@psfc.mit.edu, "Lorraine M." But neither of the 2 previously suggested rules were triggered by it. I'm sure a simple modification to the rules will cause it to trigger. Can

Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread Mark London
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email address like this: mqsjkeqgy...@sina.com But it doesn't. Yet it does trigger on this: dxn...@sina.com Curious. - Mark

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Mark London
Sent from my iPhone > On Nov 18, 2017, at 5:29 PM, RW <rwmailli...@googlemail.com> wrote: > > On Sat, 18 Nov 2017 15:46:16 -0500 > Mark London wrote: > >> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email >> address like t

Flakey spam email. How to filter?

2017-12-11 Thread Mark London
I'm getting a lot of flakey spam messages, that don't trigger any significant spamassassin rules, even though it obviously looks really bogus. Here's an example. Any suggestions? https://pastebin.com/bZUt0ThS These spams are being sent to my gmail account, and then forwarded to my work

Re: Flakey spam email. How to filter?

2017-12-11 Thread Mark London
On 12/11/2017 10:59 AM, Reindl Harald wrote: Am 11.12.2017 um 16:44 schrieb Mark London: I'm getting a lot of flakey spam messages, that don't trigger any significant spamassassin rules, even though it obviously looks really bogus. Here's an example. Any suggestions? https://pastebin.com

Re: Re: HTML_IMAGE_ONLY_* generating too many FP's

2017-12-06 Thread Mark London
On 12/5/2017 5:28 AM, Sebastian Arcus wrote: On 02/12/17 18:45, David Jones wrote: On 12/02/2017 11:22 AM, Sebastian Arcus wrote: On 02/12/17 13:06, Matus UHLAR - fantomas wrote: On 12/01/2017 11:17 AM, Sebastian Arcus wrote: -0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

Using UTF-8 characters to avoid spam filter rules.

2018-06-25 Thread Mark London
Hi - Some of the words in the spam email below, are using UTF-8 characters, to avoid spam detection. I.e. the phrase "bitcoin wallet address", are not the simple ASCII characters that they appear to be. View the source of my email, to understand what I'm talking about. Is there any rule I

Malformed spam email gets through.

2017-12-31 Thread Mark London
Hi - I previously mentioned that I was getting emails with hand created html tags, that had both uppercase and lowercase letters. I created a crude rawbody rule to test for them. It worked, until the spammer accidentally added the line "Content-Transfer-Encoding: base64", even though the body

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread Mark London
On 6/28/2018 1:46 PM, users-digest-h...@spamassassin.apache.org wrote: Subject: Re: Using UTF-8 characters to avoid spam filter rules. From: RW Date: 6/26/2018 12:12 PM To: users@spamassassin.apache.org On Tue, 26 Jun 2018 00:33:11 -0400 Mark London wrote: Hi - Some of the words

Small talk.

2018-10-24 Thread Mark London
I started getting very short emails, such as "How are you?" or "please. can we talk please?" Ok, maybe the latter one is a bit suspicious. But in any event, has anyone encountered "small talk" spam emails like this before? I have this big desire to respond and say "No, I'm not fine, and

Re: Another form of obfuscation email.

2018-12-12 Thread Mark London
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote: On 10 Dec 2018, at 14:13, RW wrote: On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote: Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated. https

Re: Another form of obfuscation email.

2018-12-12 Thread Mark London
Sorry, I cut off the full URL. It should have been: https://pastebin.com/5ASMFahi On 12/12/2018 12:16 PM, Mark London wrote: On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote: On 10 Dec 2018, at 14:13, RW wrote: On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote

Another form of obfuscation email.

2018-12-10 Thread Mark London
Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated. https://pastebin.com/VURwmrrF I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why the message got a high spam rating. By default though, that

BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-17 Thread Mark London
This email hit the new (to me) BITCOIN_PAY_ME rule. Never ending fun.  Begin forwarded message: > From: "Broaddus Walther" > Date: December 17, 2018 at 1:49:04 PM EST > To: m...@psfc.mit.edu > Subject: You should definitely go through this before something negative can > happen 17.12.2018

Re: BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-18 Thread Mark London
However, I think the BITCOIN_PAY_ME rule needs a bit of fine tuning, to catch other emails. Like the one below, which escaped triggering the rule. A constant battle between spam rules, and bad English grammar. Maybe I should say the hell with it, and simply block any email sent to me, with

How to block email with multiple addresses in From:

2018-12-20 Thread Mark London
Hi - What's the best rule to catch email with multiple addresses in the From: line? I realize that rfc2822 allows it. But the only email we've ever received with multiple addresses, were spam, and even GMAIL.COM doesn't allow it: <<< 550-5.7.1 Messages with multiple addresses in From: <<< 550

Re: How to block email with multiple addresses in From: IGNORE ME.

2018-12-20 Thread Mark London
+\@psfc.mit.edu,/i And that works, although I don't know why I need the \W*. But, whatever! Never mind. - Mark On 12/20/2018 12:30 PM, Mark London wrote: Hi - What's the best rule to catch email with multiple addresses in the From: line? I realize that rfc2822 allows it. But the only email we've ever

No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London
No longer just embedded =9D characters. From: =?utf-8?B?bmlnaHRt0LByZQ==?= To: Subject: You are my victim. Date: Tue, 4 Dec 2018 15:56:36 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="a0d0993ce53319101c19af03d5311b0976b26b" X-Scanned-By: MIMEDefang 2.79 on

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London
The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe it needs updating? - Mark On 12/5/2018 11:19 AM, Mark London wrote: No longer just embedded =9D characters. From: =?utf-8?B?bmlnaHRt0LByZQ==?= To: Subject: You are my victim. Date: Tue, 4 Dec 2018 15:56:36 -0800 MIME

Re:: 9D character used in words to avoid detection

2018-11-19 Thread Mark London
On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote: I ran it as-is, and it scored poorly. After I manually de-borked the headers, and retested, it hit SA's "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests. OBFU_BITCOIN was hit because the =9D

9D character used in words to avoid detection.

2018-11-16 Thread Mark London
I just received a spam email with the 9D character placed inside of words, that prevented my custom BODY rules from being hit. I.e.: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready change=9Dd it. Is there a way to define BODY rules, so that they will be triggered?

Re:: 9D character used in words to avoid detection

2018-11-17 Thread Mark London
Forwarded Message Subject:[OFF-list] 9D character used in words to avoid detection Date: Sat, 17 Nov 2018 15:42:08 -0600 From: Chip M. To: Mark London Mark, could you post a full spample to the SA list? Thanks in advance! "Ch

Re: 9D character used in words to avoid detection.

2018-11-17 Thread Mark London
ttps://www.linkedin.com/in/kmcgrail - 703.798.0171 On Fri, Nov 16, 2018 at 7:37 PM John Hardin <mailto:jhar...@impsec.org>> wrote: On Fri, 16 Nov 2018, Mark London wrote: > I just received a spam email with the 9D character placed inside of words, > that prevented my cus

How to test for this suspicious From address?

2018-09-13 Thread Mark London
Hi - I'm getting spam with From that contain 2 different From addresses, that I would like to try and detect: From: " x " I created a crude rule that was properly being triggered when I manually ran spamassassin on the email itself. But when it arrives (via Mimedefang), the rule is

Another form of obfuscation email.

2019-01-26 Thread Mark London
Does anyone have any rules that can catch this type of obfuscated spam? https://pastebin.com/qi8dsREW Thanks. - Mark

PDS_NO_HELO_DNS is not helpful at all.

2019-07-10 Thread Mark London
I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS is mostly hitting real emails at my site: 1168 real emails versus 219 spam mls. Luckily, the score is not high, to be making any difference. FWIW. - Mark

Re: How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
3.798.0171 > > >> On Tue, Jul 2, 2019 at 8:17 AM Mark London wrote: >> Hi - I'm trying to filter emails that have only special characters in >> them. Like the text of the following email. Thanks. - Mark >> >> - =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9C=E1=B4=87

How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
Hi - I'm trying to filter emails that have only special characters in them. Like the text of the following email. Thanks. - Mark - =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9C=E1=B4=87=E1=B4=8D=E1=B4=80=CA=9F=E1= =B4=87s =E1=B4=9B=E1=B4=8F s=E1=B4=9C=E1=B4=84=E1=B4=8B =E1=B4=9B=CA=9C=E1=

Bombard by spam source in India that wasn't in any RBL used by spamassassin.

2019-11-06 Thread Mark London
Hi - We got several hours of spam from the IP address 103.136.41.36 in India. When I did a Multi-RBL check, the ip address was in the following databases: bl.emailbasura.org dnsbl.sorbs.net dns.spfbl.net spam.spamrats.com truncate.gbudb.net I think sorbs.net is a paid for service. At

Is PDS_TONAME_EQ_TOLOCAL_SHORT new?

2019-10-30 Thread Mark London
Is PDS_TONAME_EQ_TOLOCAL_SHORT new? I see it hitting real emails here, but hitting no spam emails. Thanks. - Mark Sent from my iPhone

False positives due to __BITCOIN_ID

2019-12-03 Thread Mark London
It seems to me that the rule for detecting a BITCOIN in an email, is incorrect. See below: body __BITCOIN_ID /\b(?Why is there a \s in this rule? I didn't think that a BITCOIN id has a space. This rule is triggered, on a simple line like this, because of the fact that the line has a

__BITCOIN_ID doesn't test for SegWit addresses that start with bc1

2020-03-13 Thread Mark London
Hi - I just got a BITCOIN blackmail spam that avoided detection, because it used a SegWit bitcoin address, that starts with a bc1: bc1q0q7u8a7735za93um20yk5ynphdnpvenj0k0ufn This format is explained here: https://changelly.com/blog/bitcoin-addresses-types-and-meaning/ I guess the definition

Why is SENDGRID_REDIR score so high?

2020-09-15 Thread Mark London
Hi - I receive email from spiceworks.com help desk, which are sent via sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score, which is 3.4 ? Thanks. - Mark Terms and Conditions:

Sendgrid Under Siege from Hacked Accounts

2020-08-29 Thread Mark London
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/ - Mark

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK

2020-07-14 Thread Mark London
Can we start a separate mailing list for people to discuss this issue elsewhere?

Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London
The proposed name changes were proposed for many years in the software community.   For example in 2014, Drupal opted to use "primary/replica" instead, and Django followed suit the same year with "leader/follower".    In 2018, there apparently was a renewed interest in changing the names by

Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London
Spamassassin is not alone. https://www.google.com/search?q=whitelist+blacklist=1C1CHBD_enUS893US893=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351=lnms=nws=X=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw=1008=5900

Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-11 Thread Mark London
"As programmers, our day to day work doesn’t typically present us with opportunities to take a stand against racism. Situations like this are opportunities to be the change we want to see. When you get that opportunity and you don’t act, or even worse, you defend the status quo." That quote

Re: Maybe it's time to revive EvilNumbers?

2021-06-17 Thread Mark London
Loren - Unfortunately, the fake amazon shipment email that we received, doesn't contain the word Amazon in its From or Subject headers. Or even the word amazon in the text of the message! Just the Amazon logo. And they've removed all the URLs, so the links don't work at the bottom. And

Re: Maybe it's time to revive EvilNumbers?

2021-06-19 Thread Mark London
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my email, because there is no List-Id.   The email actually came from a microsoft account.  - Mark header  __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/ header  __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/ header 

Maybe it's time to revive EvilNumbers?

2021-06-15 Thread Mark London
My site is getting a lot of spam that is getting past spamassassin. Because it has a phone number to call, and rather than a link to login using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark

Re: Mysterious bogus DKIM hits (was: Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575)

2023-09-29 Thread Mark London
On 9/29/2023 1:47 PM, Reindl Harald (gmail) wrote: Am 29.09.23 um 19:37 schrieb Bill Cole: Strangely, if I run spamassassin from the command line on the message, DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6 Oh. So you've let a piece of security software go most of year after

Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London
Hi - Can anyone tell me why the following email header triggered DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? Strangely, if I run spamassassin from the command line on the message, DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6 (Note, I truncated the

Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London
Sorry, I didn't change the subject line when I posted this. On 9/29/2023 12:41 PM, Mark London wrote: Hi - Can anyone tell me why the following email header triggered DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? Strangely, if I run spamassassin from the command line

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Marc - You are correct. All the IP sources of this spam, don't have a valid reverse lookup of the IP address, to an IP name. That will solve my problem. Thanks! - Mark On 11/9/2023 12:38 PM, Marc wrote: Do you at least verify the reverse lookup? That already stops a lot of such networks.

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Mark London
he number getting blocked, is still huge. On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote: Am 10.11.23 um 08:40 schrieb Mark London: Marc - You are correct. All the IP sources of this spam, don't have a valid reverse lookup of the IP address, to an IP name. That will solve my problem. Than

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Unfortunately most of the ip addresses do have reverse lookups. On the other hand, I do see that some have common domains.   So I could use block by domain using sendmail. Heck, maybe I should just block the whole country.  :) On 11/9/2023 12:38 PM, Marc wrote: The spam is coming from many

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
I’ve never seen a false positive with USER_IN_DEF_SPF_WL. > On Mar 20, 2023, at 1:48 PM, Reindl Harald wrote: > >  > >> Am 20.03.23 um 18:44 schrieb Mark London: >> It seems like it too high a negative score. > > then adjust it in local.cf > > the poin

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
It seems like it's too high a negative score. On 3/20/2023 1:24 PM, Reindl Harald wrote: Am 20.03.23 um 18:17 schrieb Mark London: Can someone tell me why this paypal phishing email, managed to trigger USER_IN_DEF_SPF_WL? Or put it another way. Why wasn't it detected as a phishing email

Dropbox invoice phishing

2023-03-20 Thread Mark London
Dropbox now has an invoice feature, that allows you to create a customized invoice. So what this person did was to create an invoice that looks like it’s coming from PayPal. Except for the fact that the From address shows it is coming from Dropbox. Months ago I saw a similar problem with

Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
Can someone tell me why this paypal phishing email, managed to trigger USER_IN_DEF_SPF_WL? Or put it another way. Why wasn't it detected as a phishing email? Thanks. Received: from a39-208.smtp-out.amazonses.com (a39-208.smtp-out.amazonses.com [54.240.39.208]) by PSFCMAIL.MIT.EDU

Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
In the last couple of days, the number of "I RECORDED YOU" spams that my server has been receiving, has gone way up. Well over a thousand a day.  And the spam is only being sent to about 20 of my users.  We had been receiving these for the last month, but nothing at all like rate it's now