After turning on TxRep I get these lines in my /var/log/spamd.log file.
Wed Mar 16 08:21:55 2016 [16629] warn: Use of uninitialized value
$msgscore in addition (+) at /etc/spamassassin/TxRep.pm line 1414.
Wed Mar 16 08:21:55 2016 [16629] warn: Use of uninitialized value
$msgscore in
I've enabled outgoing white listing using the TxRep plugin. Is there a
way to find out if outbound emails are actually being white listed? A
log somewhere... a file being updated?
--
Phil
I've added TxRep to spamassassin and set in my local.cf. Following the
instructions:
http://truxoft.com/resources/txrep.htm
# TXTREP
use_txrep 1
Is there a way to test that it's actually working?
Phil
So lately I'm getting LOTS of emails coming directly through the filters
so most likely time to investigate how to create one.
The subject is always 'hey'
Subject: hey
Date: Mon, 29 Jan 2018 09:07:40 +0300
From: Darya
Message-ID: <8f35b00fb4e07d18ce82448ec9747...@112it4u.ro>
X-Mailer:
How do you load custom rules... is it as simple as dropping the .cf file
in the spamassassin directory and restart?
I'm looking at these: https://wiki.apache.org/spamassassin/CustomRulesets
Phil
Hi there,
Providers like Linode assign a single IPv6 address from a /64. I had to
request my own block of /64 to use on my server as my IP neighbors were
always getting the /64 blocked... since I've had my own I've been all
good. Before this my IPv6 IP was getting blocked daily because of
Morning List,
Lately I'm getting a bunch of emails that are showing up with two email
addresses in the From: field.
From: "Persons Name "
When you look in your mail client (Outlook, Thunderbird) it's showing
only "Persons Name "
Is there a way I can mark From: that has 2 email addresses
How do I white list this mailing list? For some reason all the messages
are now going to spam.
I upgraded from FC8 to FC9 recently, and spamassassin could no longer
find TVD.pm after I deprecated the old Perl install.
Where does TVD.pm currently live?
Thanks,
-Philip
was a conversation we had way back in 2006 about SA 3.1 and bug
4255. There was a TVD.pm in discussion, so I assume that's the plugin
in question.
It appears to have become HTTPSMismatch.pm, already included as a
standard plugin in SA 3.2 and beyond. :)
On Sun, May 31, 2009 at 2:03 PM, Philip
everyone else made their peace with this?
Thanks,
-Philip
, Perl 5.10.0, and
Sendmail 8.14.3)
Thanks,
-Philip
On 11/23/2009 12:10 PM, Michael Scheidell wrote:
Philip Prindeville wrote:
Hi.
I want to block all messages that I'm getting that have:
To: undisclosed recipients: ;
with no Cc: line.
I went round and round with this a while back.
SA 3.25 has a problem with perl null vs 0
On 11/23/2009 12:18 PM, Michael Scheidell wrote:
Philip Prindeville wrote:
but as you say, if it can't tell the difference between and undef,
then that's an issue.
use header ALL to check for a \nCC
(which could be blank)
or just use your MTA to reject it at SMTPtime
On 11/23/2009 05:11 PM, LuKreme wrote:
On Nov 23, 2009, at 12:05, Philip Prindeville
philipp_s...@redfish-solutions.com
wrote:
I want to block all messages that I'm getting that have:
To: undisclosed recipients: ;
with no Cc: line.
What's Cc: have to do
John Hardin wrote:
On Mon, 23 Nov 2009, LuKreme wrote:
On Nov 23, 2009, at 12:05, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
I want to block all messages that I'm getting that have:
To: undisclosed recipients: ;
undisclosed recipients is used for Bcc: mail
I used
John Hardin wrote:
On Fri, 27 Nov 2009, Philip A. Prindeville wrote:
header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
Just how do I go about figuring out what the To:raw value is (for
example)?
header __TO_RAW To:raw =~ /.+/
If you're analyzing something that may
On 11/30/2009 03:15 AM, Matus UHLAR - fantomas wrote:
On 27.11.09 14:04, Philip A. Prindeville wrote:
for the ruleset:
header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
just FYI, sendmail can be configured to do different things when To: is
missing
see how it goes, and I'll try to keep the list current.
Keep your fingers crossed.
-Philip
;
}
doesn't contain a terminating ';', i.e.:
eval require $thing; instead?
Thanks,
-Philip
On 01/30/2010 12:24 PM, Karsten Bräckelmann wrote:
On Sat, 2010-01-30 at 12:16 -0800, Philip A. Prindeville wrote:
I ran yum update on my FC11 machine a couple of days ago, and now I'm
getting nightly cron errors:
Would be nice and maybe even helpful to know, what command(s
On 02/01/2010 05:35 AM, Mark Martinec wrote:
On Saturday January 30 2010 21:16:01 Philip A. Prindeville wrote:
Also, how come the eval block:
unless (eval require $thing) {...}
doesn't contain a terminating ';', i.e.:
eval require $thing; instead?
It is not needed. It is an 'eval
Between the truly clueless administrator, and those that feign ignorance
to cover up their implicit approval of spammers...
What do you do in the case where someone is filtering deliveries to
their abuse mailbox? (Like 99% of mail sent there isn't going to
score positively...)
Sigh.
Steven Kurylo wrote:
Philip Prindeville wrote:
Between the truly clueless administrator, and those that feign
ignorance to cover up their implicit approval of spammers...
What do you do in the case where someone is filtering deliveries to
their abuse mailbox? (Like 99% of mail sent
John D. Hardin wrote:
On Mon, 5 Nov 2007, Steven Kurylo wrote:
Philip Prindeville wrote:
Between the truly clueless administrator, and those that feign
ignorance to cover up their implicit approval of spammers...
What do you do in the case where someone is filtering deliveries
. Others lack them
or don't enforce them.
When these countries put some teeth into the enforcement of their laws,
then they will stop being blacklisted.
-Philip
specious argument.
-Philip
, and then if it bounced, mail to the OrgTech mailbox
instead... because that's too much wasted time... So you To: the abuse
mailbox on the odd chance that it exists, and you Bcc: the noc mailbox
(or the hostmaster or whatever) as a fallback address.
-Philip
Thread-Index: AcfzukOHakkCi8HDRJ2nEhvQOY8RZgACopXw
References: [EMAIL PROTECTED]
From: John Doe [EMAIL PROTECTED]
To: Philip Prindeville [EMAIL PROTECTED]
X-OriginalArrivalTime: 10 Sep 2007 16:10:40.0158 (UTC)
FILETIME=[219FDBE0:01C7F3C5]
Could they have just *deleted* the Received: lines
, or copyright reform, etc) come
from Washington D.C. Perhaps in 50 years they'll finally have a handle
on it.
But I dared to hope...
-Philip
ones you're now using. ;-)
-Philip
Kim Hurlbutt wrote:
Wondering if you can point me in the right direction on how to make
our spam scores lower. How can I get information on how to make edits
to our pages to lower our scores? We currently use Kintera to send
our email newsletters. Please
.
What should I do? Just block their domain? I don't want to deal with their
misconfiguration issues.
-Philip
Received: from localhost (localhost)
by mail.redfish-solutions.com (8.14.1/8.14.1) id m1H2M5XP027602;
Sat, 16 Feb 2008 19:22:05 -0700
Date: Sat, 16 Feb 2008
Karsten Bräckelmann wrote:
Please, do not paste a gigantic blob of multipart MIME messages. Put it
up somewhere, raw, and simply provide a link.
On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
Anyway, I have no idea why I'm seeing some of these scores. URL matches
when
Matt Kettler wrote:
Philip Prindeville wrote:
Karsten Bräckelmann wrote:
Please, do not paste a gigantic blob of multipart MIME messages. Put it
up somewhere, raw, and simply provide a link.
On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
Anyway, I have no idea why I'm seeing
a protocol name (ftp:, http:, tftp:, etc.), a domain name, and a path
name (even if it's just slash).
Or at the very least, to score complete URL's higher than just domain
names alone.
-Philip
Matt Kettler wrote:
Philip Prindeville wrote:
Matt Kettler wrote:
Philip Prindeville wrote:
Depends on whether you equate bare domains with URL's, I suppose.
If MUA's equate them with URLs, spammers will use this, and
SpamAssassin will use it.
There is only so much braindeath in UA's
Matt Kettler wrote:
Philip Prindeville wrote:
Matt Kettler wrote:
Philip Prindeville wrote:
Matt Kettler wrote:
Philip Prindeville wrote:
Depends on whether you equate bare domains with URL's, I suppose.
If MUA's equate them with URLs, spammers will use this, and
SpamAssassin will use
Daryl C. W. O'Shea wrote:
Philip Prindeville wrote:
There is an RFC that defines what a URL looks like. A bare domain
doesn't cut it.
You want to forbid bare domains in email? Go ahead. You can forbid
anything you like.
I don't, and I doubt Matt wants to either.
But don't
?
How do you name him to the various RBL's?
I suppose I could sign up for spamcop.net... Which S/X/RBL would be most
effective in this case?
Thanks,
-Philip
Is there a blacklist of phone numbers?
A lot of diploma spam I get has totally different message bodies,
except they list the same phone number to call.
' they probably entered
the text and their HTML editor escaped it, not figuring it was
raw HTML being entered directly...
-Philip
to
document them.
-Philip
Screaming Eagle wrote:
I'm getting this type of spam:
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
X-Spam-Virus: No
X-Spam-Status: No, score=1.4 required=8.0 tests=BAYES_50,HTML_30_40,
HTML_MESSAGE autolearn=no version
. that at a minimum the host portions of the URL and the
label for the link would have to match...
If the sender REALLY needs to have the link reside somewhere else,
they could always have the published address send a Location: response
that redirects you to the eventual resting place.
-Philip
hosts a lot of the lists that I read...
-Philip
Michael Scheidell wrote:
-Original Message-
From: Philip Prindeville [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 24, 2006 2:10 PM
To: users@spamassassin.apache.org
Subject: On bichromatic GIF stock spam
I get a lot of spam that looks like:
http://pastebin.com/729105
on the alsa
required.
Loren
Yup. Exactly.
-Philip
John D. Hardin wrote:
On Sat, 24 Jun 2006, Philip Prindeville wrote:
the text and the images. The spammers send multipart/alternative
because they want the text/plain section to confuse the Bayes
filters, since they know it won't be rendered...
It seems to me that right
. Will need some additional conditions to make it more usable.
Loren
What Perl modules are there that can process (decode, perform certain
inspections and histogram analysis, etc) of GIF files?
I'd like to throw something together...
-Philip
Does SpamAssassin support SPF record checking?
Or is this something I have to patch into my incoming SMTP server?
What are the steps to whitelist email sent from (i.e. Postmaster
when bouncing mail) or [EMAIL PROTECTED]
Thanks,
-Philip
reject the message as it's being sent, then the sender is the spammer,
and he will know he is failing.
With any luck, he might even remove you from the list of addresses
that he will try to spam in the future.
-Philip
Well, I have the following issue. When I report abuse to [EMAIL PROTECTED],
they send me back an auto-generated email ticket with a broken Date: on
it (honestly, people, how hard is it to correctly format the date???).
They do this as for the sending address.
How does one go about writing a
Hmm Maybe if I post with a more obvious subject line
What is the notation for writing a whitelist_from or whitelist_from_rcvd
when the sender is ? (As in MAIL FROM: )
Thanks,
-Philip
Philip Prindeville wrote:
Well, I have the following issue. When I report abuse to [EMAIL
John D. Hardin wrote:
On Wed, 23 Aug 2006, Philip Prindeville wrote:
Hmm Maybe if I post with a more obvious subject line
What is the notation for writing a whitelist_from or
whitelist_from_rcvd when the sender is ? (As in MAIL FROM:
)
Are you sure you want to use
Matt Kettler wrote:
Philip Prindeville wrote:
Well, yes, especially since the IP address of the sender is reserved for
a machine that does ticketing and auto-replies exclusively (I was going
to use whitelist_from_rcvd and not just whitelist_from).
At that point, you should
Matt Kettler wrote:
Philip Prindeville wrote:
There's no way to whitelist just the empty address then? Rather than
everything?
-Philip
Not given the simple file-glob format of the whitelist commands. You'd
need a regular expression and negation.
You could do it with a rule
Matt Kettler wrote:
Philip Prindeville wrote:
Matt Kettler wrote:
Philip Prindeville wrote:
There's no way to whitelist just the empty address then? Rather than
everything?
-Philip
Not given the simple file-glob format of the whitelist
On 5/26/10 11:06 AM, Mikael Syska wrote:
Hi,
On Wed, May 26, 2010 at 6:59 PM, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
Anyone else seeing the following in their cron logs:
http: GEThttp://yerp.org:8080/rules/stage/330948267.tar.gz request failed:
500 Can't connect
On 10/29/10 9:18 AM, Michael Scheidell wrote:
On 10/29/10 12:11 PM, Mark Martinec wrote:
Sure, go ahead, can't hurt. The patch is now in the SA trunk.
Is it worth opening a ticket and putting it into the 3.3 branch too?
Mark
looks like Freebsd ports has an older version, so it should be
On 11/2/10 7:35 PM, Mark Martinec wrote:
One suggestion: currently it is not possible to store 0 and 1
as a data item associated with each net, because a 0 is treated
the same as undef and replaced by the key.
And the AF_NET6 argument to new() needs to be documented in a POD.
Thanks for your
On 11/7/10 9:19 PM, Philip Prindeville wrote:
Try the following patch. If it works for you, I'll rerelease as 1.19:
Actually, I released it as Net-Patricia-1.18_01
/Public/Bug/Display.html?id=32362
and represents a defect in Socket6. The work-around is to include Socket
before Socket6.
-Philip
On 11/8/10 5:58 PM, Mark Martinec wrote:
Philip,
Thanks for your off-list reply. Unfortunately I cannot
reply, as your mailer is refusing connections:
$ host -t mx redfish-solutions.com
redfish-solutions.com mail is handled by 10 mail.redfish-solutions.com.
$ telnet -s mail4.ijs.si
:21 PST
if (/ via HTTP$//^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) {
$ip = $1; $by = $2; goto enough;
}
(I note that HTTP$ seldom matches, by the way, since all of my examples have via
HTTP;date instead.)
Is it worth having an explicit rule for this?
Thanks,
-Philip
On 11/10/10 11:39 AM, John Williams wrote:
No on my server I have a hard requirement to run SELinux. I cannot turn that
off. I find that when I enable SA with SELinux turned on, my CPU rate
skyrockets eventually forcing my system to stop responding. I've seen this thread
several times
recourse if we need to).
I figured out that:
ird.yahoo.com = Ireland
tp2.yahoo.com = Taipei
sp2.yahoo.com = Spain
Anyone know what the entirety of domains are for Yahoo?
Thanks,
-Philip
detection system, that watches for bursty outbound traffic patterns,
like a sudden spike in outbound SMTP or HTTP connections to a wide spread of
addresses.
-Philip
It's been released for F13 and F14. And of course, it's upstream on CPAN.
It's the promotion of the development version 1.18_81 to production.
.
Is Aruba.it so poorly reputed?
g
I can't speak for their reputation, but when an entire ISP's CIDR blocks get
blacklisted (like we did with iWeb.ca) it's usually because they aren't very
responsive in dealing with issues when they occur and not proactive about
trying to prevent them.
-Philip
the '@' to a '.' as is the format still used in SOA
records.
Not just SOA records, but the MB records were supposed to use this as well.
They just never caught on.
-Philip
587 forces a
different rule than 25 does.
This can't be forged.
-Philip
On 2/7/11 1:28 AM, Matus UHLAR - fantomas wrote:
On Tue, 1 Feb 2011 09:49:36 -0500
Michael Scheidell michael.scheid...@secnap.com wrote:
because HELO doesn't match RDNS.
On 01.02.11 09:54, David F. Skoll wrote:
Rejecting on that basis would also cause tons of false-positives.
It's also
it would be ideal for doing
approximate matches.
http://search.cpan.org/~jhi/String-Approx-3.26/Approx.pm
-Philip
and there are no headers in it.
What am I misunderstanding or what have I overlooked?
Thanks.
Philip
Thanks, Karsten, for your explanation. That makes sense and I'll have to
see whether the lack of headers is going to cause problems going forwards
or if looking in syslog will suffice.
Regards
Philip
On 26 September 2013 16:33, Karsten Bräckelmann guent...@rudersport.de wrote:
On Thu, 2013
I'm trying to write a rule that gives some spamminess score to messages
received from any host that resolves to protection.outlook.com.
I tried to use _REMOTEHOSTNAME_ to do this, but I think I got the header syntax
wrong.
Can someone set me straight?
Thanks,
-Philip
On Oct 19, 2013, at 5:28 PM, Karsten Bräckelmann guent...@rudersport.de wrote:
On Fri, 2013-10-18 at 18:34 -0600, Philip Prindeville wrote:
I'm trying to write a rule that gives some spamminess score to messages
received from any host that resolves to protection.outlook.com.
I tried to use
,
whereas GIF images are routinely 4, 6, or 8 bits long.
Does anyone have a handle on what Perl modules to use for
dissecting GIF objects?
Thanks,
-Philip
-SpamAssassin-3.1.7-1.x86_64.rpm
error: Failed dependencies:
perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed)
spamassassin-3.1.5-1.x86_64
any ideas why this is happening and what the fix is?
-Philip
Jim Maul wrote:
Philip Prindeville wrote:
Hi.
I'm running FC3 on an AMD64 platform for my mail server,
and I had last installed SpamAssassin 3.1.5. Well, I grabbed the
tarball for 3.1.7, and did a rpmbuild -tb ... of the tarball.
Worked fine.
Then I tried to upgrade via RPM:
# rpm -v -U
and DNS_FROM_RFC_POST correspond to?
Where do I get the descriptions of these tests, why some sites get
tagged with them, etc?
-Philip
Matt Kettler wrote:
Philip Prindeville wrote:
I recently saw an email get bounced that was legitimately coming
from Microsoft:
Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com
(131.107.115.212) said helo smtp.microsoft.com
Nov 13 14:59:26 mail sendmail[21067
SM wrote:
At 18:56 13-11-2006, Philip Prindeville wrote:
I recently saw an email get bounced that was legitimately coming
from Microsoft:
[snip]
I've put into my spamassassin/sa-mimedefang.cf file:
whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
What am I
SM wrote:
At 11:49 14-11-2006, Philip Prindeville wrote:
The problem with this is that the DNS returns the response (of the multiple
PTR records) in no particular order, so looking up the rDNS can return
one of three different names...
# nslookup
set type=any
server ns4.msft.net
John D. Hardin wrote:
On Tue, 14 Nov 2006, Daryl C. W. O'Shea wrote:
Philip Prindeville wrote:
whitelist_from_rcvd [EMAIL PROTECTED] mail1.microsoft.com
whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
whitelist_from_rcvd [EMAIL PROTECTED] maila.microsoft.com
is out-of-date and requires a fix.
-Philip
Robert Nicholson wrote:
so what is the conclusion to this issue?
why when I set ok_locales to it then does it allow any Charset with
Windows in the name
to bypass that setting?
Why is it that is_charset_ok_for_locales written to give exceptions
sub
You'd think, wouldn't you
-Philip
Robert Nicholson wrote:
This is Japanese
# Japanese: Peter Evans writes: iso-2022-jp = rfc approved, rfc 1468,
created
# by Jun Murai in 1993 back when he didnt have white hair! rfc
approved.
# (rfc 2237) -- by M$.
'ja' = 'EUCJP
-rendering character, like the non-break space,
that says, glue these two together as a ligature. It would waste
a lot less of an already limited encoding space, too.
-Philip
I'll ask again... Can someone who handles a fair mix of
email content (i.e. not just western European languages)
do a triage (individually) of the rules below for ham versus
spam?
I'd suspect that very little genuine ham contains IBM852
or Unicode or CP12[0-8] these days.
Thanks,
-Philip
.
Excluding words with pounds and yen in the Subject line might be
a good thing, however...
-Philip
, specifying =?iso-8859-1?Q? is not necessary.
The test SUBJECT_EXCESS_QP seems to handle this (at least the Subject:
part). I'd like to crank it up to 3.5 or higher.
Any intuitive reasons why this wouldn't work? Are there any
valid mailers that are braindead?
Thanks,
-Philip
unknown correspondents would be more effective.
-Philip
.]
It just boggles my mind why anyone would go through that much trouble
to deliberately damage a header line, rather than just delete it.
Well, maybe they'll get a whiff of the errs of their ways in the
Hall of Spam Shame...
-Philip
Don't they? I thought the recommended retry time was 2 minutes,
doubling on each failure, and maxing out at 2 hours.
That's what sendmail does (unless its retry time has been explicitly
set to more than 2 hours, of course).
-Philip
Richard Frovarp wrote:
I don't think the RFCs specify any
Jonas Eckerman wrote:
Philip Prindeville wrote:
Received: (private information removed)
It just boggles my mind why anyone would go through that much trouble
to deliberately damage a header line, rather than just delete it.
The only reason I can think
ratware writer? Who on this list runs Exchange?
Why is this bouncing back to me, and not the envelope sender,
which was:
Return-Path: [EMAIL PROTECTED]
-Philip
---BeginMessage---
Subject of the message: Redundant QP encoding of Subject/From fields...
Recipient of the message: SpamAssassin
hear the New York Times isn't too picky about who they hire.
Someone could create an army of ghost writers and sit back and
collect the paychecks.
-Philip
Given that spammers read this list to figure out how to defeat us...
Why don't we just secure a copy of ratware and engineer a retro-virus
for it?
-Philip
Justin Mason wrote:
there was a very interesting project described in CEAS which did
just this -- engaged 419ers and other spammers