Re: WARNING: Microsoft has earned removal from SA default welcomelist

2024-04-12 Thread Jared Hall via users
On 4/12/2024 1:20 PM, Bill Cole wrote: In my opinion, this is an indication that the default welcomelist entries in the official SpamAssassin rules for '*@*.microsoft.com' are inappropriate. Note that there is an entry for '*@accountprotection.microsoft.com' which is still justified as far

Re: OT: Microsoft Breech

2024-03-18 Thread Jared Hall via users
rved an increase in the blocking of IPs belonging to Microsoft Corporation by the SpamCop blacklist since November 2023, with a notable spike in activity during February and March 2024. Yes, you are correct.  I see there is a spat between Microsoft and SpamHaus also.  Poor, poor Microsoft. T

OT: Microsoft Breech

2024-03-18 Thread Jared Hall via users
I've several customers whose accounts were used to send spam as a result of Microsoft's infrastructure breach. Curiously, NOBODY has received any breach notifications from Microsoft, despite personal information being compromised. What has anyone else experienced? Thanks, -- Jared Hall

Re: SHTML file extension handling?

2024-03-12 Thread Jared Hall via users
On 3/12/2024 4:04 PM, Benny Pedersen wrote: Jared Hall via users skrev den 2024-03-12 20:37: Is there a use case for emailing .shtml files, or can these just be simply discarded? i have seen .html attachment only reason i think its tried was to skip url testing in spamassassin might be same

SHTML file extension handling?

2024-03-12 Thread Jared Hall via users
Is there a use case for emailing .shtml files, or can these just be simply discarded? Thanks, -- Jared Hall

mimeheader multiple?

2024-02-01 Thread Jared Hall via users
Content-Transfer-Encoding: base64 I can hit on the Content-Disposition header regex fine, but tflags/multiple doesn't seem to work here.  I'm not sure if this is a problem (1) with the Mimeheader plugin, (2) working as designed, (3) or a fault in my system. Any suggestions? Thanks, -- Jared Hall

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Jared Hall via users
, SPF/DKIM/DMARC Auth-neutral will become the new "bad". I apologize this isn't strictly SA related, I am just hoping someone can give me advice or provide a link to follow on how to make this work. package: opendkim + access to your managed domain's DNS records. $0.02, -- Jared Hall

Re: Filtering emails from word-oliv...@somewhere.com

2023-10-06 Thread Jared Hall
u can read more information about this function here: https://metacpan.org/pod/Mail::SpamAssassin::Conf#CAPTURING-TAGS-USING-REGEX-NAMED-CAPTURE-GROUPS -- Jared Hall

Re: Correct way to allowlist an IP from DNSBL checks when it's not the final Received?

2023-09-30 Thread Jared Hall
ditions.  This actual comment in SA 3.4.2's DNSEval.pm module says it all: "# Very hacky stuff and direct rbl_evals usage for now, TODO rewrite everything" An upgrade is in order. -- Jared Hall

Re: Correct way to allowlist an IP from DNSBL checks when it's not the final Received?

2023-09-28 Thread Jared Hall
On 9/28/2023 8:39 AM, Andy Smith wrote: Hello, On Thu, Sep 28, 2023 at 06:48:54AM -0400, Jared Hall wrote: Do you mind if I redirect the below back onto the spamassassin list and respond to it there? Well I was going to do that, but fair enough! On Thu, Sep 28, 2023 at 12:02:47AM -0400

Re: Correct way to allowlist an IP from DNSBL checks when it's not the final Received?

2023-09-28 Thread Jared Hall
, Sep 28, 2023 at 12:02:47AM -0400, Jared Hall wrote: On 9/27/2023 5:42 PM, Andy Smith wrote: > Hi Jared, > > > Just under that paragraph I mentioned that the supplier hosts public > mailing lists where their employees and others use addresses that I > can't predict, so I think t

Re: spam_pid not found

2023-08-16 Thread Jared Hall
d --create-prefs --max-children 5 --helper-home-dir --syslog-socket=native CPAN will put stuff in the /usr/local/bin folder.  Compare /usr/sbin/spamd -V to /usr/local/bin/spamd -V Also, check the values in /etc/init.d/spamassassin -- Jared Hall

Re: kam channel excess spamscore gives false possitive on valid mail from microsoft store

2023-08-09 Thread Jared Hall
. KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9 Still, anything blocking MS Store is pretty egregious, especially since it's both Address and Body URL.  A score of 9 for each? -- Jared Hall

SA and UTF-8 Filename Attachments

2023-08-03 Thread Jared Hall
\xAEPayroll_stubs\.Htm)([";']?|$)/ The more native (raw) formatted rule works even without specifying "Content-Disposition:raw": mimeheader __JR_EXPLOIT_ATT_UTF        Content-Disposition =~ /(%C2%AEPayroll_stubs\.Htm)([";']?|$)/ How does SA handle UTF-8 filenames? -- Jared Hall

Re: Really hard-to-filter spam

2023-07-28 Thread Jared Hall
and Unicode::UTF8 modules (something like "instmodsh" option "l"). Just another great mystery; like Bigfoot, Pyramids, UFOs, Crop Circles, Plains of Nazca, and Microsoft Fax Server. -- Jared Hall

Re: Newb on sa-learn - didn't get what I expected as a response...

2023-07-07 Thread Jared Hall
message and EVERY time it said it examined a message it also said it "learned" 1 token. I believe the default format is Maildir.  You  mention a single file w/ multiple emails which suggests you might be running MBox format? If so, try the --mbox command line switch. -- Jared Hall

Re: Position of X-Spam headers

2023-07-04 Thread Jared Hall
at the top, but usually this is the responsibility of the Milter.  What Milter/content_filter are you using? -- Jared Hall

Re: ALL_TRUSTED is Always in Headers

2023-06-25 Thread Jared Hall
ixed since then.  I would upgrade SA to 3.4.6. -- Jared Hall

Re: DMARC Aggregate reports - false positives

2023-06-22 Thread Jared Hall
    (ENA_SUBJ_LONG_WORD && DKIM_VALID)     score   DMARC_OFFSET    -2.2 Yes, for sure, ALL Microsoft DMARC messages hit ENA_SUBJ_LONG_WORD. dokomo.ne.jp also hits (32 chars).  In the near-miss category, mail.ru comes in OK at 29 characters. -- Jared Hall

Re: DKIM absence

2023-05-03 Thread Jared Hall
as you wish.  But IMHO, it is probably not a good idea to go looking for trouble that doesn't exist. -- Jared Hall

Re: BAYES_00 BODY. Negative score?

2023-02-17 Thread Jared Hall
ive wildly different BAYES scores. Try rattling off another Gmail message, but this time switch the two Email addresses on the "To:" line around. Maybe a case where only the first Email address is looked at by SA? Thanks, Jared Hall

Re: BAYES_00 BODY. Negative score?

2023-02-16 Thread Jared Hall
erl/5.26.1/Mail /lib/Mail Or, if you have to be more specific (say, /lib/Mail exists already), something like: ln -s /usr/lib/perl5/vendor_perl/5.26.1/Mail/SpamAssassin /lib/Mail/SpamAssassin etc... --Jared Hall

Re: How is this phishing attack called?

2023-02-15 Thread Jared Hall
-- Jared Hall

Re: Looking for advice about limiting DNS queries

2023-01-08 Thread Jared Hall
On 1/8/2023 12:57 AM, Brian Conry wrote: ... Third, to expand on something I alluded to briefly, the emails in question are generated by a security appliance on our customer's network, in accordance with their security policy and posture. The warnings we're getting when our mail server

Re: Problems matching the last word in multi-OR Regex

2022-12-15 Thread Jared Hall
On 12/15/2022 7:03 AM, Pedro David Marco via users wrote: HI, Situation: i have 2 twin servers running exactly the same OS, and SA. (3.4.4) i have an email with the word 'dog' inside. i have this rule:   body    __ANIMALS /cat|mouse|bird|dog/i Problem: Rule  __ANIMALS  its in one server, but

ToCc Header operations

2022-11-26 Thread Jared Hall
SA: 3.4.6 The Header ToCc test doesn't seem to accept :name and :addr modifiers. Is that how this function operates? Thanks, -- Jared Hall

Re: subscribe to blacklist for domains

2022-08-14 Thread Jared Hall
On 8/14/2022 2:55 PM, John Hardin wrote: On Sat, 13 Aug 2022, joe a wrote: Why waste your own system resources to help a scoundrel?  Drop them and be done. I personally prefer to TCP tarpit repeat offenders. +1 -- Jared Hall

sa-update note

2022-04-21 Thread Jared Hall
/sa-update.verein-clean.net/1900065.tar.gz.sha256, FAILED, status: exit 22 -- Jared Hall

Re: Avoid processing upsteam trusted mail with X-Spam-Flag: YES?

2022-01-05 Thread Jared Hall
t possible to match on them. Maybe rewrite the Subject on the upstream server to something unique and trigger on that.  Beware that KAM rules (eg. KAM_MARKSPAM) might detect most "standard" methods of Subject rewriting and add more points to the message. $0.02, -- Jared Hall

Re: Rawheader or Rawsubject? Or how to match UTF-8 Emoji in Header.

2021-12-14 Thread Jared Hall
format by expressing the Emoji in its 3 hexadecimal bytes: header    PP001 Subject =~ /\xE2\x9C\x85 Dein Paket/ Regards, -- Jared Hall

Re: Fw: spam from gmail.com

2021-11-10 Thread Jared Hall
11 Pin Lo Chens on staff, and 5 guests by that name. Can you be more specific?" I just sat down and ordered breakfast when the "real" Pin Lo Chen found me. First thing he says is, "Why didn't you call me?" -- Jared Hall

Re: Fw: spam from gmail.com

2021-11-09 Thread Jared Hall
ITIZE USER INPUT. Instead, their careless attitude presents a security threat to us all. -- Jared Hall

Re: Unicode considered harmful again

2021-11-05 Thread Jared Hall
ecific, Jared.  Why that one?" she queried. I chuckled, "Because then I could hook up with any other character and make a great Emoji" Happy Friday, -- Jared Hall

Re: Unicode considered harmful again

2021-11-04 Thread Jared Hall
On 11/4/2021 10:44 AM, Bill Cole wrote: On 2021-11-04 at 08:45:02 UTC-0400 (Thu, 4 Nov 2021 08:45:02 -0400) Jared Hall is rumored to have said: [...] 2) Beware of using somebody else's source code :) That's the really significant warning... Agreed.  Does one need to write a paper

Re: https://metacpan.org/pod/Mail::DKIM

2021-10-12 Thread Jared Hall
Defang, or in your case, Fuglu). -- Jared Hall <https://metacpan.org/pod/Mail::DKIM::AuthorDomainPolicy>

Re: OT: Outsourced Email Spam Filtering/Security/AV?

2021-10-02 Thread Jared Hall
: https://www.pccc.com/ 2) AppRiver is well-known.  They emerged from MIME-Defang/Roaring Penguin: https://appriver.com/ Regards, -- Jared Hall

Re: SA/MAD Interfacing

2021-10-02 Thread Jared Hall
-- Jared Hall -Original Message----- From: Jared Hall Sent: Friday, 1 October 2021 06:51 To: users@spamassassin.apache.org Subject: SA/MAD Interfacing Considering that my Linode can't deep-learn anything or become any more intelligent than it already is, it seems reasonable tha

SA/MAD Interfacing

2021-09-30 Thread Jared Hall
-learning systems communicate with Email hosts? Thanks, -- Jared Hall

Re: Spamc - connection refused

2021-09-28 Thread Jared Hall
pamd --socketmode=0660" thanks 1) Make sure spamd is running: netstat -an 2) Make sure firewall rules allow the connection. -- Jared Hall

Re: Cloudflare Is Taking a Shot at Email Security

2021-09-27 Thread Jared Hall
On 9/27/2021 4:37 PM, Lucas Rolff wrote: So is FISA702. True that.  But that is a harder sell (to my clients). -- Jared Hall

Re: Cloudflare Is Taking a Shot at Email Security

2021-09-27 Thread Jared Hall
Even Cloudflare can only go so far with signature detection.  They do have the advantage of scale.  Others, like many here, have the advantage of responsiveness. Thanks, -- Jared Hall

Re: [OT] Re: fuglu 1.0.1

2021-09-25 Thread Jared Hall
e can talk about it on the MIMEDefang ml (https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org) or you can send me an email about it. Giovanni Thanks for the help.  Alex should be happy. :) -- Jared Hall

Re: fuglu 1.0.1

2021-09-25 Thread Jared Hall
what you want. Thanks, Alex Good Luck, -- Jared Hall

Re: Message-ID with IPv6 domain-literal

2021-09-24 Thread Jared Hall
a while() or a foreach() loop. :) -- Jared Hall

Re: FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Jared Hall
On 9/23/2021 10:07 PM, Kevin A. McGrail wrote: Jared, looks to me like an FP in Pyzor. No doubt.  The 4.608 points for a single aberration seems reasonable. -- Jared Hall

FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Jared Hall
&& !__RCD_RDNS_SMTP_MESSY DCC_CHECK = 0 RAZOR2_CHECK = 0 PYZOR_CHECK = 1 __FSL_HAS_LIST_UNSUB = 0 __UNSUB_LINK = 0 __RCVD_IN_DNSWL = 0 __JM_REACTOR_DATE = 0 __RCD_RDNS_SMTP_MESSY = 0 It does not appear that the actual rule matches the spirit of the rule. Thoughts? -- Jared Hall

Re: Disabling autolearn on given rule

2021-09-22 Thread Jared Hall
) becomes Cascading Garbage Out. Disable autolearn, wipe your Bayes store, and manually train from hand classified ham and spam. 1000% Correct, IMO.  If you must run Bayes, train it once and leave it be.  Repeat as needed. Regards, KAM -- Jared Hall

.sbs TLD abuse

2021-09-17 Thread Jared Hall
Be advised of spam from .sbs top-level-domains. FWIW, -- Jared Hall

Re: problems updating when using a cron job on debian 11

2021-09-03 Thread Jared Hall
on Ubuntu, /var/log/syslog and/or /var/log/kern.log on Debian. FWIW, -- Jared Hall

Re: More Norton Evil Numbers....

2021-09-03 Thread Jared Hall
Kevin, Thanks.  NBD.  Replied OL.

Re: More Norton Evil Numbers....

2021-09-02 Thread Jared Hall
Benny Pedersen wrote: is this now your newspaper to post all kind of evil numbers ?, if all rule set updates would be as well we all lose, do your good homework, but don't make ads out it here if its just me, sorry Yes, you are right.  There's too much traffic on this list.

More Norton Evil Numbers....

2021-09-02 Thread Jared Hall
More EvilNumbers from Maria Louise, one of Norton's GMail accounts. Lucky for me my record was credited and not my actual account :) Payment for renewal of service has been credited to your record. *Order Number : JSRT-002349* *Date: Sep 02, 2021* Details:-

Yet Another Nor-Ton EvilNumber

2021-09-01 Thread Jared Hall
with a PDF attachment called: "Norton Service Invoice PDF.pdf" The PDF listed the phone number, highlighted and bolded, four times in two slightly different variants: +1855 552 2963 1855 552 2963 Blimey, -- jared Hall

Address Oddities

2021-08-31 Thread Jared Hall
LFORMED=0.1 0.1. Seriously? Could we at least get a 0.1 for the CC address also? Aargh, -- Jared Hall

Re: Lint problem with KAM.cf

2021-08-31 Thread Jared Hall
ld've been modified to check versions and load the correct DecodeShortURLs.pm module.  Say, what does happen if two plugins register the same Eval rule?  Anybody know? 2) OTOH, what's the point of sa-update doing versioning if nobody uses it? -- Jared Hall

Re: spamassassin 3.4.5 wide chars

2021-08-12 Thread Jared Hall
after that. Another Thought, -- Jared Hall

Re: spamassassin 3.4.5 wide chars

2021-08-12 Thread Jared Hall
have a lot of Unicode sprinkled throughout; the SA normalize_charset conundrum. A Thought, -- Jared Hall

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Jared Hall
omes a TLD :) *Maybe* a little more refinement could prevent it picking  up .hidden folders that have a BAD_TLD name. /[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i $0.02, -- Jared Hall

CHAOS: v1.2.2: Of Documentation

2021-07-22 Thread Jared Hall
bout.  I adapted, made changes and came out better and wiser.  My respect for these people increased 100 fold. That's how I roll. But if you're going to sit on the sidelines and complain, I have bad news for you.  There's no shortage of stuff I can shove into /dev/null. $0.02, -- Jared Hall

Re: Matching on X-Spam headers doesn't get a hit

2021-07-22 Thread Jared Hall
gory =~ /(SPAM|PHISHING)/ X-AES-Category =~ /(SPAM|PHISHING)/ These are produced by something external with an obviously KNOWN pattern.  How many of those would you expect in a message?  That'd be another problem entirely.  SA syntax is PERLish-only and does its own internal sanity-checks and conversions. $0.02, -- Jared Hall

Re: CHAOS: v1.2.1 Released

2021-07-21 Thread Jared Hall
Henrik K wrote: On Tue, Jul 20, 2021 at 10:44:43PM -0400, Jared Hall wrote: I went out in the garage this morning and pulled out an old Dell PowerEdge that had CentOs 6 on it. Ever heard of virtual machines, or even perlbrew? :-) I've been swamped.  Didn't really have the time to fire up

Re: CHAOS: v1.2.1 Released

2021-07-20 Thread Jared Hall
ad CentOs 6 on it.  Unfortunately it didn't recognize the drives; SCSI RAID controller probably.  So please let me know if it works OK on PERL 5.16. Sincere Thanks, -- Jared Hall

Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Jared Hall
Could be worse, like 3.4.4 on Ubuntu. Surprisingly, CPAN update worked great and put everything in the right spots, symlinks and all! 9 out of 10 cavemen prefer Ubuntu with their Brontosaurus burgers. *Sigh* -- Jared Hall Sent from my T-Mobile 4G LTE Device Get Outlook for Android<ht

CHAOS: v1.2.1 Released

2021-07-19 Thread Jared Hall
elecom2k3/CHAOS/wiki/CHANGELOG#notes>Notes There are no configuration file changes needed in this release. Enjoy, -- Jared Hall

Re: FORGED_MUA_MOZILLA for horde-submitted mail

2021-07-16 Thread Jared Hall
using SeaMonkey for a few months now.   It never sent any User-Agent header until Monday.  Very Strange.  "Looks like I picked the wrong week to quit  sniffing glue". -- Jared Hall

Re: Another evil "order response" number

2021-07-14 Thread Jared Hall
Defender Firewall Protection +1, 888, 313, 1366 Thank you, kind Sir -- Jared Hall Sent from my 4G LTE Device Get Outlook for Android<https://aka.ms/AAb9ysg>

Re: FORGED_MUA_MOZILLA for horde-submitted mail

2021-07-13 Thread Jared Hall
a User-Agent field. It's not a Mozilla MSGID. Only question I'd have is on MSGID. $0.02, -- Jared Hall

Can't get enough of those EvilNumbers...

2021-07-12 Thread Jared Hall
:  USD 311.06 Order ID : AKSF-624F Payment Mode :Auto-Debit If you have any issues regarding this order, Connect with us: +1(867)768-0009. Thanks and Regards, +1(867)768-0009. FWIW, -- Jared Hall

Re: Email Phishing and Zloader: Redux

2021-07-12 Thread Jared Hall
t-Transfer-Encoding: quoted-printable (w/ my document anyway). I'm curious as to what HornetSecurity saw in their E-mail MIME header.  It DOES make a difference, at least regarding plugin scanning.  But a .doc file is a .doc file as far as Word is concerned. I put forth a query to them.  I'll le

Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Jared Hall
nut in New Jersey would've stopped the whole thing.  We'll never know.  We anti-spam folks are forced to sit on the bench, waiting for another billion dollars in damages. $0.02, -- Jared Hall

Re: number in sender name

2021-07-10 Thread Jared Hall
e CHAOS.pm module has an eval: from_no_vowels that may do the job as well.  Like most of the stuff in there it has internationalization so that vowels in other language character sets are taken into account. This looks at the From Name field. $0.02, -- Jared Hall

EvilNumbers: Revisited

2021-07-10 Thread Jared Hall
\)\s889\-3387)\b/i FWIW, -- Jared Hall

Re: Looking for a sample of the Microsoft zero day print nightmare

2021-07-08 Thread Jared Hall
ng threads on a computer. The status quo is not sustainable.  Just from a national/homeland security perspective it would be a noble project; perhaps worthy of your foundation - belly of the beast and all that. $0.02, -- Jared Hall

Re: Office phish

2021-07-02 Thread Jared Hall
dary="_c23d8b80-2b40-49d4-8897-08b0026dddfb_" I called my customer to see if they opened it as it was in their Junk mailbox.  They didn't recognize the sender so no, they didn't. Interesting, indeed. -- Jared Hall

Snowshoe Eploiter

2021-06-23 Thread Jared Hall
ways named "request.zip".  Probably IcedID or Konni malware. Just FYI, -- Jared Hall

CHAOS Module: While you were out...

2021-06-21 Thread Jared Hall
From the project page at: https://github.com/telecom2k3/CHAOS here's what's transpired since my last CHAOS module SA-User's post: Version 1.2.0 Date: June 21, 2021 * New Eval, check_reference_doms() controls how many @domain.tld references can appear in a Reference header. *

More EvilNumbers :)

2021-06-21 Thread Jared Hall
:Auto Wish to upgarde/ cancel the plan, Reach out us AT +1 (850) 254-0627 Regards, +1 (850) 254-0627 -- Jared Hall

EvilNumbers?

2021-06-19 Thread Jared Hall
+1\-866\-785\-0325)\b/i As per Loren and Martin, these rules are best used in a meta rule. Loren's rule is solid.  I had one message that did not contain the word "order" in the subject and one other that had "Order Status" in the From:Name field. I also use these in conjunction with FreeMail rules.  Good Luck. My $0.02, -- Jared Hall

Re: KAM_SENDGRID and SPF_HELO_NONE

2021-05-21 Thread Jared Hall
One thing is certain, if this matter is NOT addressed by the mail admins on this list, it WILL BE addressed by the US Department of Commerce. What started out as an interesting project has become a National Security risk. -- Jared Hall

Re: Detect Emoticons in Subject: CHAOS

2021-05-20 Thread Jared Hall
will also help you with Unicode Character spoofs, via its UniBabble rulesets: ᴀмαzσи ᴘ픯픦픪ё 혼픪픞혻홤혯 혾혶혴황홤혮혦혳 홎픢혳홫혪혤픢 Amαzoɴ Priⅿë   퐀퐦퐚퐳퐨퐧 퐍퐨퐭퐢퐜퐞 ... ... CHAOS will run on PERL 5.18 and later. -- Jared Hall

Re: How do I search and capture text for use in a rule?

2021-05-09 Thread Jared Hall
R_PART:", "Dear Esteemed $USER_PART", etc.) let me know. Thanks. -- Jared Hall

Re: OT: is sorbs.net sleeping ?

2021-04-10 Thread Jared Hall
e you guys at Invaluement tracking in that area?  I saw some esp stuff on Github. -- Jared Hall

Re: Using spamassassin modules from a git repo

2021-04-09 Thread Jared Hall
I do kind of like Tom Hendrikx idea of putting cloning the folder into somewhere in /usr/local/etc and putting a modified pre file in /etc/spamassassin/. But it's true it's not perfect. Yes.  Tom's idea is correctish; perhaps a more "true" solution for some. ZERO-TRUST.  SpamAssassin is

CHAOS v1.1.1

2021-04-07 Thread Jared Hall
/telecom2k3/CHAOS May your days be long and without bifurcation. -- Jared Hall

Re: Are X-MC-xxx headers legit?

2021-03-29 Thread Jared Hall
3:59:59 Looks like your Email is the zombie offspring of Scriptkiddie meets Spamkiddie :) Hope this helps! -- Jared Hall

CHAOS: Version 1.1.0

2021-03-26 Thread Jared Hall
/Messages rule. * New Admin Fraud messages added. -- Jared Hall

Re: Trouble with XM_RANDOM rule

2021-02-24 Thread Jared Hall
. Thank you, John.  "You do that voodoo that you do so well". -- Jared Hall

Re: Trouble with XM_RANDOM rule

2021-02-24 Thread Jared Hall
company!   ;) I see that JH and the SpamAssassin crew will address your problem. In the meantime, it won't hurt to add a local rule like: header    MY_XM_RANDOM X-Mailer =~ /Qboxmail Webmail/ score        MY_XM_RANDOM                -1.154 -- Jared Hall

Re: Homoglyph spam/phishing targeting popular brands

2021-02-17 Thread Jared Hall
On 2/16/2021 2:06 PM, RW wrote: That's not a bad idea, but if anyone is interested I'd suggest copying the character matching regexes into ordinary rules. Or better still into template tags, so that they can be reused in multiple rules. Agreed, RW.  Most of the stuff in there originated from

Re: Homoglyph spam/phishing targeting popular brands

2021-02-15 Thread Jared Hall
On 2/14/2021 9:58 PM, Ricky Boone wrote: On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote: On Sun, 14 Feb 2021, Ricky Boone wrote: What are the community's thoughts on handling spam/phishing that utilize homoglyphs to obfuscate the brands they're targeting? Are there any plugins that are

CHAOS Module Released

2021-02-10 Thread Jared Hall
Hope this is useful.  Good enough for Noobs, but interesting enough for Pros; a little module with a whole lot of 'tude! Standard boilerplate introduction: Mail::SpamAssassin::Plugin::CHAOS A self-scoring cornucopia of spam-fighting utilities Created by: Jared Hall Contact: https

Re: Protection.Outlook.Com

2021-02-04 Thread Jared Hall
On 2/4/2021 9:30 AM, Kevin A. McGrail wrote: On 2/4/2021 8:59 AM, Jared Hall wrote: I ported my physical server to a Linode instance and have been trying to get Microsoft to de-list my IP address from their blacklist for four weeks now; ticket SRX1517586366ID.  Four freakin' weeks. Does

Protection.Outlook.Com

2021-02-04 Thread Jared Hall
I ported my physical server to a Linode instance and have been trying to get Microsoft to de-list my IP address from their blacklist for four weeks now; ticket SRX1517586366ID.  Four freakin' weeks. Does anybody here have a better method to get removed from their blacklist? Thanks, Jared

Re: QR-decoding

2021-02-02 Thread Jared Hall
On 2/2/2021 11:34 AM, John Hardin wrote: On Tue, 2 Feb 2021, John Hardin wrote: On Tue, 2 Feb 2021, RW wrote: On Tue, 2 Feb 2021 10:47:49 +0100 Valentijn Sessink wrote: On-list: the only thing in the last QR-code phishing mail I received that actually makes it a phishing mail is the

Re: HEADS UP: SPAMCOP MIA

2021-01-31 Thread Jared Hall
On 1/31/2021 6:58 AM, Axb wrote: Happy Sunday !!! Cisco forgot to renew spamcop.net Registry Expiry Date: 2022-01-30T05:00:00Z Better disable till it's fixed score RCVD_IN_BL_SPAMCOP_NET 0 Stay safe! OK.  Thanks.

Re: results from lint

2021-01-26 Thread Jared Hall
On 1/26/2021 5:04 PM, Joe Acquisto-j4 wrote: running version 3.42. I added a rule in local.cf and restarted spamd. (systemctl restart spamd.service) It hit. Changed the score on it and an existing rule and did a restart and they it but neither score changed. Ran lint (spamassassin -D

URIBL_BLOCKED

2012-10-24 Thread Jared Hall
Anybody else getting this this morning?

Re: Help with blocking Chinese Spam

2012-03-13 Thread Jared Hall
strings. Regards, Jared Hall

Re: Lots of Chinese Spam with attachments

2011-08-06 Thread Jared Hall
or otherwise? Regards, Jared Hall
