Check out 20_freemail_domains.cf that is part of SpamAssassin. It contains
all the known "freemail" services, so you could work on the assumption that
if it's not one of these, it's "private"
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation L
0 0 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000
am? Is that a
"statistics thing", or has something gone wrong with my Bayes?
Thanks
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
ill 3.4.0? Is it
true there were some bugfixes fixed since that corrected some scoring
issues? Pretty sure we'd all like to be running the "current" release
--
ia with perfect DNS and SPF records for new
domains. Where's DOB when you need it ;-)
--
s still a good concept. Perhaps what we need is a URL RBL - maybe
lowercase-and-base64 dodgy URLs and then make a RBL that points to them?
--
: shouldn't "-L spam"/"-L ham" always make SA re-train
the bayes more explicitly? Or is that really not possible with a single
email message? (ie it's a statistics thing). Just trying to understand
the backend :-)
--
ore
information
That second-to-last line is all that "-D" generated, so it's not much
help. Any ideas? This is CentOS-6/64bit with
redis-2.6.16-2.el6.art.x86_64. It all seems to be working, but I'm of
course worried this is pointing to something that is broken
--
dropped into an IMAP folder. Still - no excuse for such
heinous behaviour.
--
while we're having a grizzle...
how about the Outlook/MAPI "feature" where if you copy/move an Exchange
mail message onto an IMAP folder, what arrives can barely be described
as a legitimate mail message: it has no "Received:" headers, and it's
To/From lines cons
pe. Bit of a stretch in terms of
WAN latency but it seems to be working really well. I love doing a
"spamc -L spam" against one SA server and then immediately re-scanning
the same message by a different one and seeing the BAYES_99 light up :-)
So far, sooooo good!
--
wrote:
>>> > > seems http://data.iana.org/TLD/tlds-alpha-by-domain.txt has changed a
>>> > > bit...
--
a copr
> for el5/el6:
> http://copr.fedoraproject.org/coprs/kevin/spamassassin-el/ Feedback
> welcome on those packages/repo (Please send directly to me, don't file
> Fedora bugs on it). Hopefully folks find them useful. Thanks, kevin
--
No - I don't use amavis. That's why I said "spamc" :-)
On 14/03/14 10:50, John Hardin wrote:
> On Fri, 14 Mar 2014, Jason Haar wrote:
>
>> Just yesterday I manually pushed a piece of spam through spamc and
>> spamassassin and got a different score too. It e
ls.
>
> That's similar to the behavior they're seeing. Much lower URIBL hits
> than when running SA from the command line on the test MX, and the log
> shows problems with pyzor (though the excerpt I saw didn't mention a
> traceback, it just said "no output").
>
- network outages shouldn't cause the Bayes
data to become useless to SA - good
>
> A full network breakdown (or server down) would cause SpamAssassin
> to log warnings for each mail message, but will move on anyway,
> just without Bayes checks.
Yep - that's fine. I thin
twork outages (which will happen) cause
corruption that could impact the others? (eg what if spamd is trying to
upload 3 records to redis and only the first two go through)
Thanks
--
their actual websites and/or applications can reference
LDAP data without having to talk to what Microsoft thinks passes for an
LDAP server (eg try to figure out all the groups a user is a member of,
in a multi-forest AD spread across 5 continents - and do it in <1sec -
go on, I dare ya ;-)
--
all: change /service/smtpd/run to call tcpserver with "-h" instead
of "-H", restart it, and it will then do the required DNS lookups.
--
IN_INVITE || __TRMB_LINKEDIN_FROM) && __TRMB_LINKEDIN_BODY)
describe TRMB_LINKEDIN_SPAM Linkedin invite email with non-linkedin sender
score TRMB_LINKEDIN_SPAM 7.1
--
On 26/08/13 20:16, Benny Pedersen wrote:
> Jason Haar skrev den :
>
>> Anyone see anything fundamentally wrong with that? It seems so obvious,
>> I'm thinking I've overlooked something :-)
>
> using domain names in iptables ?
>
> dnswl is based on ips, freem
ist freemail
score UNDO_DNSWL_WHITELIST 2.0
Anyone see anything fundamentally wrong with that? It seems so obvious,
I'm thinking I've overlooked something :-)
--
)
BTW, there is "textcat" support in SA, but it is very old and is for
supporting picking up pre-unicode charsets - which is probably not what
you need
--
On 17/06/13 16:14, Benny Pedersen wrote:
> Jason Haar skrev den 2013-06-17 00:48:
>
>> That's it - I'm removing SPF...
>
> hardfail is for mta, softfails is for spamassassin, if your mta accept
> hardfail spf, then you self ask for it
>
?? SA scores hardfails as
how much SPF
doesn't work
http://spamassassin.1065346.n5.nabble.com/default-score-for-SPF-HELO-FAIL-too-low-td13894.html
That's it - I'm removing SPF...
--
Yeah but notice "~all" is not "-all". ie they are saying that legitimate
Paypal email comes from those specific sources - except when it doesn't
I don't understand why "~all" exists at all. It's like a "checkbox"
security feature: "oh yeah
On 09/05/13 17:38, Benny Pedersen wrote:
>
> hope its not needed to do same with urls
>
We've received spam with non-.pw headers but .pw urls. I'm blocking (ie
scoring high) anything with .pw/ urls at the moment - it's so bad :-(
--
I agree. We've seen a huge increase in ".pw" email - 100% spam
I see one antispam vendor is telling its customers to just block
anything containing .pw references - I'm rapidly warming to the idea...
http://www.fortantispam.com/top-level-pw-domain-source-of-spam-outbreak
__MIME_BASE64 to indicate such a problem
http://pastebin.com/673Lbh4a
--
Have you enabled TextCat in v310.pre?
IMHO languages really can't be detected in SA. It has a TextCat plugin -
but that's too old and basically hasn't worked since Unicode was
invented (it relied on the old charset definitions)
ie these days, most non-ASCII email is in unicode and cannot be parse
d with SA-3.3.2, pastebin of email http://pastebin.com/mV2E4drU
--
.
> And antiword, the extractor for MS office that it is based on is
> limited for MS office 2003.
>
> Best regards,
>
> Olivier
>
--
Qmail-Scanner doesn't call SA as "spamc < file" - look to see how it is
called and then run that by hand - you need to compare apples with apples
hint: spamc -f -u email@address
--
"encourage" customers to
the Cloud - problem is most move to Google ;-)
--
you get spam referring to your own country banks.
However, it appears almost none of the NZ banks have heard of SPF. Of
the first three I could think of, only one had a SPF record - and it
looks like they've outsourced email too (I can't believe any financial
institution would outsource
(which helps ok_locales) so that it can then
dynamically change word boundary definitions/etc for rules. Yuck
Perhaps this should be just classified as a bug in perl and forgotten
about ;-) [does python,etc handle this any better?]
--
i.e. would the word boundary definition change under
different localization contexts? Doesn't help solve the problem for you,
but it certainly flags a potential issue with a tonne of the rules in SA...
--
braincells together and start monitoring the
referrers on their primary webpages (eg logos, terms and conditions) and
return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
phishing sites? The Referrer header would allow that instantly
They really don't give a damn
sandbox. I suspect that the form is
> really uncommon, though, perhaps just fat fingers by this one spammer,
> so I doubt they will do well in masscheck. We'll see...
>
--
06
Anyone know of anything better maintained?
Thanks!
--
I know what you mean - see if anyone can figure out what this one was
about! I think they're just screwing with us :-/
(I mean, do they seriously think people are going to reply "excuse me,
did you mean to send this to me?" and take it from there?)
http://pastebin.com/MCwFrP6C
--
a=0 ]
This is SA 3.3.2
--
as to pick up the originating IP? Rewriting that IP into a Received
header pushed the score up by 10 points due to the RBLs it's in
PS: pastebin.com picked both of these as SPAM - what are they doing
right that SA isn't? ;-)
--
ut of step with FF. Don't care if it's "right",
there's no need for any browser to accept crap like that :-(
It's probably "safe" to have a rule to score such urls - except when
they're http://0x12.0x12.com/ or the like!
--
's the case for the above-mentioned spam too. All the spam has
links to websites that are part of the same domain as the email -
running on webservers in the same subnets. :-(
--
ponse here would be to get the links into SURBLs asap,
and force users through AV proxies to stop the malware from downloading
(hmmm, our AV didn't stop this - owch!)
--
; Does anyone know if any mainstream email client can open such a
> file?
> I don't use Outlook, so maybe someone who does could zip up
> something benign, email it to themself, grab the network image,
> hack the CT filename as above, re-inject it, then try opening it.
> - "Chip"
>
>
--
s/Datafeed/tabid/95/Default.aspx>
> > http://www.spamhaustech.com<http://www.spamhaustech.com/registration/ma>
> >
> > P.S. If you are already a Spamhaus Datafeed client, thank you we
> truly appreciate your support! However, it would appear that one of
> your servers
This has been gone over before ( see "are there any alternatives to
textcat?")
Summary: textcat is old (doesn't support utf8), unsupported and doesn't
have a large corpus of language data to base decisions on.
--
an appropriate score for
*one* img link?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
On 02/11/2011 09:37 AM, Mark Martinec wrote:
> Yes, the security hole is entirely within the milter,
> independent of the MTA.
>
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???
--
ily
not invoke SA on locally-generated email - in fact that's the default
--
DNS domains in
ipv6-land as there are in ipv4-land - in the beginning, obviously)
I know SPF isn't perfect (we still don't do it ourselves), but ipv6 may
change the landscape so much that nothing short of draconian measures
may suffice.
--
suffer from. Yup, life will be tougher for domains - too bad.
--
quests from our DMZ mail
servers. Having User-Agent as a config setting would be useful to us
(this is really more of a general SA question than DecodeShortURL)
--
e
mailserver DNS name instead - that seems to fix that problem
ie
mx 0 mail1
mx 0 mail2
becomes
mx 0 mail
...and "mail" maps to the IPs of mail1 and mail2
--
er linux, "echo alias net-pf-10 off >>
/etc/modprobe.d/blacklist-ipv6.conf; depmod -a" and a reboot will
totally disable ipv6
Also, getting wireshark up first would allow you to check without
guessing. If you see bunches of lookups that timeout - that's
definitely your probl
ke a lot of things into account...
--
consuming and a losing battle
It's nasty :-(
--
hrase checks (they keep rewriting the sentences).
I was hoping others are seeing it too, and had come up with some magical
way of stopping it of course ;-)
--
se URLs are different too - all over the DNS
spectrum. Even Bayes doesn't seem to help - as all the sentences are
different I guess
I was really just expecting to hear "yeah, me too" responses. :-(
--
g.
There's really not much to chew on with these messages. How are others
dealing with them? Here's an example - it's already been picked up by
network tests - but it demonstrates the format
http://pastebin.com/W6wXq4RX
--
s part of email messages?
e.g "SA_RELAYCOUNTRY_US" for "US" would basically ensure hits on "us"
never gets merged in with the counters/whatever for
"X-Spam-Relay-Countries: US"
--
How much work would it be to create a rule that detects "unsubscribe"
links, and scores it up if it has the same URL as seen elsewhere in the
body? Real messages wouldn't do that...?
--
milar
problem with Greek spam earlier this year too. Not really a fault - my
comment is that the idea is sound - it's just a dead project (from the
sounds of it) and I wish it wasn't.
--
re is
any known alternative that is more capable?
The idea behind TextCat seems sound, but the only alternative I've found
is Google Translator - but sending your emails to it may not be an
option ;-)
--
Cat
enabled (didn't work for this email) - but I don't think it's used by
the charset stuff anyway?
http://pastebin.com/XyHU2krq
--
formatting.
Yesterday I had some Greek spam come in - UTF8 - didn't trigger for the
same reasons
--
Zealand ISP whose DNS
servers returned NXDOMAIN under load - causing email to bounce
Stupid, stupid, stupid
--
't open them - it has to save to disk :-(
Does *anyone* at M$ have a braincell? >:-(
--
om what we have seen, this is
> almost as big as Nov 2008 when McColo went offline.
>
Well at 5am NZDT (yup - 1600 UTC) we saw the same thing - although this
is on our US-based mail servers (our NZ servers did not see this).
Something has happened...
spam/day
--
p with a way to fight these? (I've actually added
all the phrases that occur in this image to FuzzyOCR - didn't help)
Thanks
--
ity - that could be
desirable too. It all depends on what you are trying to achieve of
course. Also UDP means forgery is a bigger risk - so IP-based checks are
less reliable.
--
a (in fact, the only
possible cached-caused data loss would be for duplicate queries from the
same SA instance)
--
to deal with anyway
whatever the network mechanism).
e.g. (token == "834ufg754")
spam.1.2.3.4.834ufg754.newrbl.com
ham.5.6.7.8.834ufg754.newrbl.com
ie only the dns logs that contain valid tokens are legitimate
--
aky
tricks it uses. I thought SA had an HTML parser that attempts to
remove some HTML tricks, and so was asking why SA was missing those. If
I edit that message and remove the SPAN-trick, suddenly text-rules
trigger all over the place.
Hopefully that makes more sense :-)
PS: L_TAB_IN_FROM is a ne
sneak straight by SA.
http://pastebin.com/m56d2db96
Is this something SA normally has components in place to catch/parse?
--
at.
Packaged products (commercial or otherwise) are in fact for most people.
SA is not for most people (directly).
--
to 5.0, but there were many SPAM emails so I
> decided to lower it to 3.0, which do you recommend?
>
Leave it at 5. That number isn't plucked out of the air. The SA
developers arrange their scoring system so that 5.0 is the tipping point
(based on their database (corpus) of spam and ham)
it was in, I don't trust
the result.
I'm afraid I'm not up to that level of testing yet - a bit early
methinks ;-)
--
clear it
shows limitations in perl's parsing power - so either we get gruntier
boxes - or increase the timeout. We've gone with the latter.
--
phase was of concern to me - but I think the RFCs state the
client has to wait around for either 10 or 20 minutes - either way it'd
be fine.
So yup - will do! :-)
Thanks
--
nvoke spamc and it just goes through the same problem again :-( It's
a pity spamd can't keep a small cache of checksum'ed previous messages
and their scores, so that if it sees the same message again within (say)
10-30 min, it just throws up the cached score?
Jason
On 09/08/2009
t scroll past the first couple of screens to
find the spam). Or a spamd-based "max-runtime" setting?
--
cons with ticks and crosses in them :-/)
Hopefully they will do a better job next time - I'd like to see the
results myself
--
On 08/05/2009 06:46 AM, Kenneth Porter wrote:
>
> This looks like a good candidate to open a Bugzilla for.
>
Done. Anyone else with any new details should add to the ticket
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6170
--
to
7 seconds per email to parse them. you running compiled rules?
Nope.
--
nk it's network related but rather CPU: basically these
emails nail SA and it's slow to finish for them?
Any ideas? Thanks!
--
s just the DNS names - argh!
Is there a way to do SURBL lookups of the IP instead of the FQDN?
--
mations?|contact the application desk)\W/i
meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS )
---
--
ot" ends up in their INBOX?
Answer: you bet they do.
--
'm assuming all
these "shop" urls this thread has been agonizing about are already in
RBLs of course...
--
ack onto the previous line.
Is there an existing SA function to "normalize" HTML content before
doing matches?
--
stolen PCs, they can just increase the
size of their email formats until antispam tools start to break.
Speaking of image/rtf/word attachment spam; is there any work going on
to standardize this so that the textual output of such attachments could
be fed back into SA?
--
ctive.cf that detects this. That's all Andy was talking about.
There's an existing rule and he proposed an update that would make it
more effective to do *what it is already designed to do*
--
xisting official rule:
FS_TEEN_BAD
(/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf)
I would add 'f**k' to the rule too...
--
t; to hang and for the server to hit the max-children setting. I had to
> disable Botnet to get things up and running reliably again.
>
Known bug with Botnet. See:
http://www.mail-archive.com/users@spamassassin.apache.org/msg53371.html
--
;
They actually do. When I was trying to test Jonas URLredirect plugin, it
was actually hard to get tinyurl.com to generate a link for some known
spam URLs. I suspect they are indeed doing SURBL lookups. Hope I didn't
end up blacklisting myself :-}
--
course, but why not?
Isn't it true that antispam systems want to check email for known bad
websites? As such that is defined as bad FQDN and bad URLs that would
redirect users to the bad FQDN (ie redirectors).
Just asking :-)
--
d still pass all the headers and some of the content... In
the case of this Chinese spam I'm getting, sending the first 500K ended
up with a score of 18 and no sign of broken "mime-iness" - so it looked
fine to me (sample size: 1)
--