Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Cedric Knight
On 09/03/17 13:26, Kevin A. McGrail wrote: > On 3/9/2017 8:22 AM, Cedric Knight wrote: >> I've reduced the score on my installation to 0.5. Would this kind of >> thing be prevented by more people contributing to the mass checks? Or >> could it be adjusted downwards as A

FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Cedric Knight
On 11/09/16 22:10, Alex wrote: >> COMMIT/trunk/rules/50_scores.cf >> >> Committed revision 1760066. >> >> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5 >> >> should show up after next SA update > > Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's > hitting a lot more ham than spam here,

MIME header false positives (was Rule to score word documents)

2016-04-06 Thread Cedric Knight
On 30/03/16 21:11, @lbutlr wrote: > On Wed Mar 30 2016 13:34:23 Alex said: >> >> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/ >> REJECT > >

Re: freemail spam

2016-03-25 Thread Cedric Knight
On 25/03/16 00:55, Alex wrote: > Hi, > > First, I'm wondering why parking.ru isn't among the freemail domains? Probably because the FreeMail plugin is designed to detect the right-hand side of email addresses for providers like Gmail and AOL, and parking.ru looks like a general-purpose web host.

Re: new(ish) malware: RTF with MIME payload

2016-03-20 Thread Cedric Knight
On 18/03/16 08:39, Cedric Knight wrote: > On 17/03/16 19:31, Chip M. wrote: >> Starting about two hours ago, more than 80% of my real-time >> honeypot spam is a new malware campaign. >> >> Full spample (with redacted/munged email addresses and >> Message-ID):

Re: new(ish) malware: RTF with MIME payload

2016-03-18 Thread Cedric Knight
On 17/03/16 19:31, Chip M. wrote: > Starting about two hours ago, more than 80% of my real-time > honeypot spam is a new malware campaign. > > Full spample (with redacted/munged email addresses and > Message-ID): > http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt [snips] > So far,

Re: PatioDeals@****** how to get high score

2015-08-15 Thread Cedric Knight
On 14/08/15 02:19, Alex wrote: in the .cf file I added blacklist_from *.review blacklist_from *.work blacklist_from *.date I would use the following: blacklist_uri_host review blacklist_uri_host work blacklist_uri_host date you want both: a bad sender using the domain as well as a URI

Re: spameatingmonkey.net down?

2013-01-27 Thread Cedric Knight
On 25/01/13 13:12, Cedric Knight wrote: Does anyone have any more information on spameatingmonkey.net, which doesn't seem to have been resolving since UTC today (20120125) ? It looks like ns1.urmombl.com is down. Spam Eating Monkey provides or provided RBL, RHSBL and iXhash of what

spameatingmonkey.net down?

2013-01-25 Thread Cedric Knight
, and particularly RHSBLs of domains less than 15 days old. It probably only affects a few SA users, those who have included it manually, and was removed from SA sandboxes last year. -- All best wishes, Cedric Knight GreenNet

Re: spameatingmonkey.net down?

2013-01-25 Thread Cedric Knight
On 25/01/13 13:20, Tom Kinghorn wrote: On 25/01/2013 15:12, Cedric Knight wrote: Does anyone have any more information on spameatingmonkey.net, which doesn't seem to have been resolving since UTC today (20120125) ? It looks like ns1.urmombl.com is down. Spam Eating Monkey provides

Re: HEADS UP: DBSL.org is returning positive replies

2012-08-10 Thread Cedric Knight
Enjoy the support case party! https://twitter.com/#!/search/?q=DSBLsrc=typd Axb -- All best wishes, Cedric Knight

Re: lots of freemail spam

2011-01-02 Thread Cedric Knight
On 30/12/10 19:15, Lawrence @ Rogers wrote: Lately, I notice we are getting a fair amount (10-12 per day per client) of spam coming from freemail users (FREEMAIL_FROM triggers). Usually the Subject is non-existent or empty, and the message is always just an URL I see a fair amount matching

Re: DNSBL for email addresses?

2010-12-16 Thread Cedric Knight
On 15/12/10 00:43, RW wrote: On Tue, 14 Dec 2010 15:52:28 -0800 (PST) John Hardin jhar...@impsec.org wrote: On Tue, 14 Dec 2010, Cedric Knight wrote: So a hash is best, Agreed. and I'd suggest SHA1 over MD5. Just out of curiosity, why? An MD5 hash is shorter than an SHA hash

Re: DNSBL for email addresses?

2010-12-14 Thread Cedric Knight
On 14/12/10 14:28, Marc Perkel wrote: Are there any DNSBLs out there based on email addresses? Since you can't use an @ in a DNS lookup Actually, you can use '@' in a lookup. You just can't use it in a hostname. Or you could convert the '@' to a '.' as is the format still used in SOA records.

Two newish RBLs; NXDOMAIN question

2010-12-13 Thread Cedric Knight
There seem to be an abundance of DNSBLs out there nowadays. Here are my observations on two, and an implementation question. The Good, the Bad and the Ugly: GBUdb.com's truncated list (http://www.gbudb.com/truncate/) went public in May and seems to work very well, catching a lot of things

Re: Two newish RBLs; NXDOMAIN question

2010-12-13 Thread Cedric Knight
On 13/12/10 15:06, Karsten Bräckelmann wrote: [...] is a recent project of Julian Haight, creator of Spam Cop. SpamCop. Assassin. Oh no, did I type that? Dratted absent-minded fingers. Apologies. C

Re: Two newish RBLs; NXDOMAIN question

2010-12-13 Thread Cedric Knight
On 13/12/10 15:44, RW wrote: On Mon, 13 Dec 2010 13:47:14 + Cedric Knight ced...@gn.apc.org wrote: ... header RCVD_IN_GBUDB_TRUNC eval:check_rbl('trunc-firsttrusted', 'truncate.gbudb.net.') That should be -lastexternal - assuming that the list contains a lot of dynamic addresses

HELO_DYNAMIC false positives on a UK web host

2010-12-09 Thread Cedric Knight
|fixip|srvlist\.ukfast\.net)/i -- All best wishes, Cedric Knight GreenNet GreenNet supports and promotes groups and individuals working for peace, human rights and the environment through the use of information and communication technologies. GreenNet, Development House, 56-64 Leonard Street

Re: Odd yahoo spam

2010-12-09 Thread Cedric Knight
On 09/12/10 14:33, Randy Ramsdell wrote: I have been receiving bounces to my yahoo account for email I did not send. From the pastebin, you see the email did originate from the yahoo servers but is not in my sent directory. This is an interesting case and I cannot determine how this happened.

Re: HELO_DYNAMIC false positives on a UK web host

2010-12-09 Thread Cedric Knight
On 09/12/10 20:30, Karsten Bräckelmann wrote: On Thu, 2010-12-09 at 20:18 +, Cedric Knight wrote: I noticed some bad false positives on email sent from certain web servers that haven't (yet) been properly configured. For example, a trusted header line starting: Ah, so

Re: HELO_DYNAMIC false positives on a UK web host

2010-12-09 Thread Cedric Knight
On 09/12/10 22:43, John Hardin wrote: On Thu, 9 Dec 2010, Cedric Knight wrote: It appears that a client can easily set up hosting using cPanel or something without ever setting the rDNS or hostname to anything other than the numeric default. Is there anything in the headers that indicates

Re: Full circle DNS test?

2010-10-30 Thread Cedric Knight
On 30/10/10 07:42, Henrik K wrote: On Fri, Oct 29, 2010 at 10:02:56PM -0400, dar...@chaosreigns.com wrote: I see there's a RDNS_NONE rule for when the sending IP address has no DNS PTR (reverse DNS) record. But no rule for when that PTR record doesn't have a matching A (forward DNS) record

Re: rule for To: undisclosed-recipients:;

2010-10-25 Thread Cedric Knight
On 25/10/10 04:21, Dennis German wrote: Is there? should there be a rule for a header like: To: undisclosed-recipients:; There was a rule UNDISC_RECIPS in version 3.1, and it scored about 0.8 points. I don't know why it was removed; presumably it hit too much ham. It used to go: header

Profiling rules with DProf problems

2010-10-24 Thread Cedric Knight
Hello I'm trying to get some performance data on a customised ruleset using the instructions at http://wiki.apache.org/spamassassin/ProfilingRulesWithDprof and have two problems. Firstly, I'm not actually getting any *_body_test or *_head_test data in tmon.out. Instead, after running dprofpp,

Re: Fwd: Indispensables pour vos vadrouilles…

2010-07-12 Thread Cedric Knight
On 11/07/10 16:04, Karsten Bräckelmann wrote: On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote: [nothing but 3 spam samples attached] Uhm, dude!? I hope that was an accidental address auto-completion. Do NOT send spam samples to the list. Grovelling apologies. It was Thunderbird

Re: SA checking of authenticated users' messages

2010-07-08 Thread Cedric Knight
On 07/07/10 23:26, Greg Troxel wrote: Louis Guillaume lo...@zabrico.com writes: I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? My users are getting restless. Every time their ISP changes their IP address

Re: 0.001 rules - why?

2009-08-11 Thread Cedric Knight
Henrik K wrote: On Tue, Aug 11, 2009 at 04:31:32AM +0100, RW wrote: On Sun, 09 Aug 2009 11:33:29 +0100 Cedric Knight ced...@gn.apc.org wrote: header FH_HELO_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ ... header HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ Possibly

Re: Mailbox for auto learning

2009-08-11 Thread Cedric Knight
Luis Daniel Lucio Quiroz wrote: Le lundi 10 août 2009 19:15:15, Cedric Knight a écrit : Stefan wrote: [...] You have to forward the message as an attachment and unpack it after receiving. Have a look at: https://po2.uni-stuttgart.de/~rusjako/sal-wrapper Yes, I find this approach works well

Re: 0.001 rules - why?

2009-08-10 Thread Cedric Knight
Matus UHLAR - fantomas wrote: On 09.08.09 11:33, Cedric Knight wrote: I'm using Bayes and network tests, and have found a few rules with a good ratio of ham to spam, but that score only 0.001 in the default rules. apparently there's no use for them alone and the score isn't 0 just because

Re: Mailbox for auto learning

2009-08-10 Thread Cedric Knight
Stefan wrote: Am Sonntag, 9. August 2009 07:36:54 schrieb Luis Daniel Lucio Quiroz: Hi SAs, Well, after reading this link http://spamassassin.apache.org/full/3.2.x/doc/sa-learn.html I'm still looking for an easy way to let my mortal users train our antispam. I was thinking a mailbox

0.001 rules - why?

2009-08-09 Thread Cedric Knight
I'm using Bayes and network tests, and have found a few rules with a good ratio of ham to spam, but that score only 0.001 in the default rules. In some cases, it is presumably because they overlap with other rules or are detected by remote tests, and so would score double because a particular

Re: Again AWL confusion

2009-08-05 Thread Cedric Knight
a...@exys.org wrote: exactly. The point is that scores below 2 are never spam, so I avoid greylisting. That's my whitelist (you usually need one for greylisting) at the same time, since I whitelist some hosts in SA. Interesting set-up, although I don't think it would be suitable for a high-volume

Re: Speeding up SC Ham

2009-08-04 Thread Cedric Knight
Chris wrote: I decided last week to finally give the short circuit plug-in a try to see how much it sped up detection. Its working great on spam: but not so well with ham: Aug 4 14:22:48 localhost spamd[1023]: spamd: result: . -10 -

Re: forward mails as spam

2009-07-14 Thread Cedric Knight
neroxyr wrote: I have configured our domain mail to forward messages to a gmail account. I did a test sending an email from my gmail account to my domain mail; I receive the message sent from my gmail account, but immediately this message has to be sent to gmail. Mail Delivery Subsystem

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Cedric Knight
Chris Owen wrote: On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote: To answer your next post, I don't use '\b' because the next 'trick' coming will likely be something looking like Xwww herenn comX... :) At that point it can be dealt with. Well, they're getting close. I'm seeing

Re: forward mails as spam

2009-07-13 Thread Cedric Knight
neroxyr wrote: Hope this is the log you wanted http://www.nabble.com/file/p24471425/block.jpg It's not possible to see from this whether the first log line that you have highlighted is necessarily related to the second and third highlights (the message IDs are different), but I'll assume they

Re: OT: Website protection

2009-07-11 Thread Cedric Knight
schmero...@gmail.com wrote: One of our client's websites gets hacked frequently - 1x per month - usually with some kind of phishing scam. I understand their first line of defense is to make sure security is tight and systems are up to date, however, it seems to me that there must be some

Re: OT: Website protection

2009-07-11 Thread Cedric Knight
schmero...@gmail.com wrote: So, if our client was google, the utility would search all files on the site looking for domains. If it found microsoft.com within one of the pages and email would be sent to the administrator who could delete the page and look for other evidence of being hacked or

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-22 Thread Cedric Knight
McDonald, Dan wrote: I'm considering a low-scoring rule like: body AE_MEDS37 /\(\s?w{2,4}\s[:alpha:]{4}\d{1,4}\s(?:net|com|org)\s?\)/ describe AE_MEDS37 rule to catch the next wave of spaced domains score AE_MEDS37 1.0 oops. Doesn't compile. should be: body AE_MEDS37

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-22 Thread Cedric Knight
Cedric Knight wrote: full NONLINK_SHORT /^Content-Type:\s*text([^\n]+\n){0,30}\n.{0,300}\b(?:H\s*T\s*T\s*P\s*[:;](?!http:)\W{0,10}|W\s{0,10}W\s{0,10}W\s{0,10}(?:[.,\'`]\s{0,10})(?!www\.)\s{0,10})[a-z0-9\-]{3,13}\s{0,10}(?:[.,\'`]\s{0,10})?(?:net|c\s{0,10}o\s{0,10}m|org)\b/msi

Re: A difficult one to weed out?

2009-06-21 Thread Cedric Knight
Jeremy Morton wrote: OK, so I just got one of those www medsXX com spams, and even though it hit my rule and got 2.0 added to it, it still didn't even get over 3 points. Looks like it was sent from quite a legit host. What rules do other people get matching for this e-mail?

Re: more mainsleeze spam

2009-06-19 Thread Cedric Knight
Michael Scheidell wrote: Main sleaze: as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some with and some without knowledge and adherence to the US Federal CAN-SPAM laws. Maybe I am stuck in 1994 when (most) people respected the net. Maybe I react badly when one of these main-sleaze

Re: New image spam

2009-05-24 Thread Cedric Knight
Jeremy Morton wrote: Recently I've been receiving some new image spams, subtly different from the one this rule is designed to mark: http://markmail.org/message/zio642mxs5p42kxa ... in that it actually does have a blank text MIME part. Here's an example of one such spam:

Re: Intermediate Relay checked against RBL

2008-11-21 Thread Cedric Knight, GreenNet
Oliver Welter [EMAIL PROTECTED] wrote: 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?82.113.121.16] 1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server

Re: Bayes - one database per user or one for everybody?

2007-10-24 Thread Cedric Knight, GreenNet
Hi I've a possibly related enquiry to an old one below, and would be grateful for advice or pointers. We haven't actually *needed* Bayes thanks to greylisting, remote URI lookups and lots of custom rules. While a few users are interested in a filter they can manually train, most wouldn't