documentation (I can hardly believe there is
no such possibility in SA).
change:
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
to:
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
--
Daniel J
a mailscanner bug... There has been some discussion on
this list about this in the past...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
I notice that me.com (Apple's mobile me) is now offering a free 60
day trial for their mail solution. About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains. Anyone seen anything similar?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
will need
to restart it to load the new rules
The commands I used are:
[...]
sa-update --channelfile sa-update-channels.txt --gpgkeyfile sa-update-keys.txt
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
(or in the middle, if you follow up your
sa-update with an sa-compile). Just watch out for the two spaces in the
cut command `cut -d\  -f1-3`
I never would have thought of doing it that way.
cut is one of my favorite tools.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
RCVD_IN_BACKSCATTER_RELAY 1.30
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
fixed. Don't you know how to use bugzilla?
http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
The new scores will come out in 3.3.0, RC1 is very soon...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
On Fri, 2009-12-18 at 12:53 +, Christian Brel wrote:
On Fri, 18 Dec 2009 06:49:41 -0600
Daniel J McDonald dan.mcdon...@austinenergy.com wrote:
On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
On Fri, 18 Dec 2009 03:44:32 -0500
Daryl C. W. O'Shea spamassas...@dostech.ca
On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
I'd love to have the clamav unofficial signature families scored. I
have a fine guess as to how relevant they are, but it is just that - a
guess.
someone, somewhere is already
Source1:
ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz.asc
Kai
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
to yourself.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
effectiveness
of the various lists isn't tested.
I'd love to have the clamav unofficial signature families scored. I
have a fine guess as to how relevant they are, but it is just that - a
guess. I'd hate to have to guess for everyone's whitelist...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
RCVD_IN_BACKSCATTER_RELAY had been triggered. (the total
score was only about 4.6, IIRC).
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
@b.email.onestopplus.com
1 @arbys.fbmta.com
1 @americangirl-email.com
1 @agoravip.com
1 @actionnetwork.org
1 @1800petmeds.com
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
functionality.
Anyway, our customer isn't delisted from this CloudMark blacklist,
even though all of the RBL checkers on the Internet I can find claim
that their IP address isn't spamming. I cannot find any delist request
on their website either.
Have you tried a razor-revoke?
--
Daniel J
On Wed, 2009-10-21 at 18:59 +0200, Lars Ebeling wrote:
I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.
http://pastebin.com/m612529a7
The interface is configured in master.cf
It's 42K, so check that you don't have a size limit.
When I scan it I get:
X-Spam-Report:
On Fri, 2009-10-16 at 16:25 -0400, Adam Katz wrote:
My own proposal to fixing this is to bring back Blue Security's
do-not-email list, which is to say a freely available index of secure
hashes representing email addresses that have opted out of bulk email.
(Recall that the controversial
-be.html
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
AE_DETAILS_WITH_MONEY Has form and mentions much money
meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to
score AE_DETAILS_WITH_MONEY 2.0
score AE_DETAILS_WITH_EMAIL 2.5
--
Daniel J McDonald
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
It's catching on :-)
this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...
How about:
body __MED_OB
On Wed, 2009-07-22 at 18:05 -0400, MySQL Student wrote:
Please use pastebin.
Yes, will do, thanks.
It hit BAYES_99, but that's it. Are there any rules that pertain to
'loan' or this type of mail that can somehow block these?
FreeMail.pm and the SOUGHT_FRAUD rules.
Some time ago you
On Mon, 2009-03-30 at 14:23 -0400, RWS* wrote:
Thanks very much.
Bad assumption (on my part too) !
spamassassin --version
SpamAssassin version 3.2.4
Gawk
ls -l /var/lib/spamassassin
drwxr-xr-x 3 4096 Oct 16 18:27 compiled/3.002004 ...
does not contain any .cf
to
amavisd-new status. just let postfix do its job as usual.
Everything in the queue tempfails when amavisd-new is restarted, since
it can't reach the filter. There is less impact to the customers if I
do a flush immediately after reloading amavisd
--
Daniel J McDonald, CCIE #2495, CISSP
From:addr example.com
header __OUR_DOMAIN_ENVELOPE EnvelopeFrom:addr example.com
meta OUR_DOMAIN (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL
describe OUR_DOMAIN claims to be from our domain but fails SPF
score OUR_DOMAIN 2.5
--
Daniel J McDonald, CCIE #2495
of these down:
uri AE_ASM /\/[[:alpha:]]{28,40}$/
describe AE_ASM long gibberish path used by ASM Marketing
score AE_ASM 1
Highly unusual to have a url like that in ham...
I'm running a meta to bump up the score...
--
Daniel J McDonald, CCIE
On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote:
Rasmus Haslund wrote:
After a loud outcry from our users from the increasing level of spam in
their inboxes, I installed the Botnet Plugin.
Is this something that can be used with the SA in Icewarp Merak?
Because Rasmus
/004348a.html
--
Daniel J McDonald [EMAIL PROTECTED]
--
Daniel J McDonald - CCIE #2495, CISSP # 78281, CNX
cronus.intersessions.com) (74.220.16.65)
As far as I can tell 'cronus.intersessions.com' has reverse setup and it
matches 74.220.16.65.
What am I missing?
74/8 was removed from the Bogon list in 2005, but maybe the recipient
hasn't updated their bogon acl in bind...
--
Daniel J McDonald, CCIE #2495, CISSP
SPF.
Could have, but underscores are not a legal character in domain names.
And now BIND 9.4 supports the SPF RR type, so we just have to wait a
decade or two until everyone still running bind 4.0 has a chance to
upgrade ;-)
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http
might be slightly worse for zen, since I had a couple of
multiple-zen hits:
$ grep -c -P "BRBL.+[PSX]BL.+[PSX]BL" /var/log/mail/info
3
I'm currently scoring it a 1.00, if it really is accurate I would like
to increase it.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http
On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
On Mon, 22 Sep 2008, Daniel J McDonald wrote:
On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
We're trying it today.
Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail
from them? What is the RBL
I don't track the number of connections dropped by greylisting,
so that might be masking anything anomalous.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
to test
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
,
SARE_EN_A_6XX_1=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
URIBL_BLACK=1.961, URIBL_JP_SURBL=2.857, URIBL_OB_SURBL=2.132],
autolearn=disabled, quarantine XTaDjzHYEhiO (spam-quarantine)
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
On Fri, 2007-12-07 at 08:38 -0500, Matt Kettler wrote:
Stefan Jakobs wrote:
Let's assume you are running a mail relay for a university and your users are
from different countries. Let's further assume you have no Swedish people at
your university (and you get a lot of spam from Sweden).
local domains
Thanks in advance!
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
/modules/by-module/Mail/Mail-SpamAssassin-2.63.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.62.tar.gz
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
their SPF record, I might use amavisd-new's
soft-whitelisting to trim a couple of points, or I tell them to pound
sand. Usually I can convince people to fix one or the other.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
are missing rules at certain points of
the cycle
I know this is going to be a
bit much for some folks on here to handle, but I had to get on with
life at some point!
true, but you could just find the real problem (permissions) and fix it.
--
Daniel J McDonald, CCIE #2495, CISSP #78281
instead.
Possibly even have this as:
warn_conffile_maxsize (speced in KB, default 1024)
Users that want to use absurdly large files can just raise the number..
+1
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
should be forwarded to another email address not on
the same server
http://www.postfix.org/postconf.5.html#always_bcc
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
:
use_bayes_rules 0 (if you want it to attempt to continue to update the
bayes database)
thanks
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Tue, 2007-09-25 at 12:15 -0700, feral wrote:
Hmmm... deepest thread here w/ John Hardin somehow got
broken... nabble hiccup?
So I am posting response here:
Daniel McDonald wrote:
basically, ensure it can resolve DNS. You can force it with
dns_available yes
[...]
Where is
Corporate Server 4.0, perl 5.8.7,
called from amavisd-new 2.5.2) and still see zero scores from plugins
displayed:
Bug 5519. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5519
Ah, there it is. Guess we'll wait for 3.2.3 and see if they disappear
then
guenther
--
Daniel J
will be read as a rules file.
If you are just a user, not a sysadmin, you may be able to create rules
in ~/.spamassassin/user_prefs, but that depends on a lot of variables
that your sysadmin will be able to tell you about.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http
with the same
command I saw the following messages:
t/spamc_optCNot found: reported spam = Message
Bug 5510
At the following error I stopped everything.
What is the problem? Is some library missing? Can you suggest how I can
solve it?
Don't compile it as root.
--
Daniel J McDonald, CCIE
PROTECTED]
Then your message will only score 1.5, and it will be below the fellow's
ridiculously low scoring threshold.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
to the server.
works like a champ for me:
[EMAIL PROTECTED] ~]$ sudo grep -o -P "POSTCARD.*?=" /var/log/mail/info | sort | uniq -c
444 POSTCARD_01=
That's in just 2 hours...
Thanks!
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
, RDNS_DYNAMIC=0.1, UNWANTED_LANGUAGE_BODY=2.8],
autolearn=disabled
That's out of
[EMAIL PROTECTED] ~]$ sudo grep -o -P "GMD_PDF.+?=" /var/log/mail/info | sort | uniq -c
684 GMD_PDF_BAD_FUZZY=
43 GMD_PDF_HORIZ=
67 GMD_PDF_STOX=
24 GMD_PDF_VERT=
--
Daniel J McDonald, CCIE # 2495
created: 2006-08-10 expires: never usage:
E
[ unknown] (1). Daryl C. W. O'Shea [EMAIL PROTECTED]
So, it should be in my trustdb, but that doesn't mean that sa-update
will use it...
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
--
Daniel J McDonald, CCIE
(BOTNET_CLIENT+BOTNET_BADDNS
+BOTNET_NORDNS) 0
score BOTNET_OTHER 0.5
I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
it for the world, and I
only briefly thought about writing a plugin to call it.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
now.
Of course, that's what the botnet plugin does.
But if you are looking for known ham sources, that's bonded sender or
some such. They at least have a financial incentive to not send spam.
For anyone else it's just a matter of when they get pwn3d next.
--
Daniel J McDonald, CCIE # 2495, CISSP
for end users
to read.
And I've been catching actual customers and vendors right-and-left with
the botnet plugin. Too many false positives, even combining it with
p0f, for me to feel very good about it.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Wed, 2007-06-20 at 12:04 +0100, Peter Farrell wrote:
Having problems re-installing SA.
Blew away my previous installation cat'ing the .packlist to xargs rm.
As root, start perl -MCPAN -e shell and 'install SpamAssassin'
All of the errors in t/logs/* relate to either one of three things:
encodings.
In 3.1.x, just set ok_locales en
in 3.2.x, set ok_locales and also enable the Textcat plugin.
Details in
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#language_options
Mike
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http
= ;
if ($query = $resolver->query($ip, 'PTR', 'IN')) {
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Fri, 2007-06-15 at 15:27 -0700, Bill Landry wrote:
Daniel J McDonald wrote the following on 6/15/2007 2:54 PM -0800:
On Fri, 2007-06-15 at 22:08 +0100, Randal, Phil wrote:
And a few others... Might as well be completely consistent. Try this
patch:
--- Botnet.pm.orig 2007-06-15
trained by at least 100 messages.
Will
Spamassassin dump a message if it fits the spam characteristics from bayes?
Like everything else, it is a factor, but not always a deciding factor.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
, and didn't
see anything in the release notes, or the bugs that I read, telling me
that I would need to make major changes, so I'm flummoxed.
-Original Message-
From: Daniel J McDonald [mailto:[EMAIL PROTECTED]
Sent: Monday, June 11, 2007 6:35 PM
To: users@spamassassin.apache.org
On Tue, 2007-06-12 at 12:45 +0100, Justin Mason wrote:
Daniel J McDonald writes:
On Mon, 2007-06-11 at 21:09 -0400, Rose, Bobby wrote:
I'm seeing the same kind of messages mentioned after compiling from
source on Redhat ES4 and running make test.
I'm wondering if this is the reason
SpamAssassin (like spamd, or amavisd-new)
you will need to restart the daemon after running sa-update.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Tue, 2007-06-12 at 16:07 -0400, Rosenbaum, Larry M. wrote:
From: Duncan Hill [mailto:[EMAIL PROTECTED]
On Tue, June 12, 2007 13:33, Justin Mason wrote:
Daniel J McDonald writes:
So, you can't build the RPM as root.
Very interesting, but I ran into this problem on a Solaris
: *** [test_dynamic] Error 255
error: Bad exit status from /var/tmp/rpm-tmp.45769 (%check)
Any thoughts?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
attack.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
, and a confident
demeanor?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
,__SARE_HTML_HAS_DIV,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_P,__SARE_HTML_HAS_TITLE,__SARE_URI_ANY,__SARE_WHITE_BG_COLOR,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS
Debug says URIBL BLACK matched, and it is scored.
--
Daniel J
On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
Ok, here's one that does fail:
under 3.2.0:
[16543] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_RHS_URIBL_BLACK): 127.0.0.2
[...]
Under 3.1.8
On Wed, 2007-05-30 at 11:57 -0500, Daniel J McDonald wrote:
On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
Ok, here's one that does fail:
Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit
When I run sa-compile, it breaks while trying to run make:
[EMAIL PROTECTED] ~]$ sudo sa-compile
[32101] info: generic: base extraction starting. this can take a while...
[32101] info: generic: extracting from rules of type body_0
100% [===] 36.75 rules/sec