Re: MISSING_SUBJECT

2018-06-17 Thread John Hardin
test for the MIME type and is intended for use in metas. ENCRYPTED_MESSAGE is what score to apply to that, potentially with FP (or in this case spam) avoidance filters. Generally those are added by seeing what else hits in the masscheck results. -- John Hardin KA7OHZ

Re: MISSING_SUBJECT

2018-06-13 Thread John Hardin
hitting MISSING_SUBJECT is spam - how much of mails hitting MISSING_SUBJECT is ham. if the percentage is very different in these two cases, the rule gets high positive (or negative) score. S/O = .826 http://ruleqa.spamassassin.org/20180613-r1833448-n/MISSING_SUBJECT/detail -- John Hardin KA7OHZ

Re: MISSING_SUBJECT

2018-06-13 Thread John Hardin
to be a text body part. What was the MIME type of that part?
-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: More outlook phish

2018-06-09 Thread John Hardin
sing To: header >Remember that e-mail is mail after all. The To: header may not exist in Outlook if all recipients were in BCC and the original To: is company internal... Pedro Sigh. MSFT can't even get "To: Undisclosed Recipients" correct. -- John Hardin KA7OHZht

Re: More outlook phish

2018-06-08 Thread John Hardin
. Thanks!

Re: More outlook phish

2018-06-08 Thread John Hardin
incomplete coverage if it's not possible to express it correctly in both directions. See for example __SUBJ_HAS_FROM_1 in my sandbox.

Re: List From and Reply-To

2018-05-31 Thread John Hardin
failing.

Re: Garbage string emails

2018-05-31 Thread John Hardin
On Thu, 31 May 2018, Palvelin Postmaster wrote: On 31 May 2018, at 17:39, John Hardin wrote: On Thu, 31 May 2018, Palvelin Postmaster wrote: What’s the purpose of emails like this? Potentially: delivery probes. That sounds like a very plausible theory. Either

Re: Garbage string emails

2018-05-31 Thread John Hardin
On Thu, 31 May 2018, Palvelin Postmaster wrote: What’s the purpose of emails like this? Potentially: delivery probes.

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-28 Thread John Hardin
On Mon, 28 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 23:59, John Hardin <jhar...@impsec.org> wrote: On Sun, 27 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 21:43, John Hardin <jhar...@impsec.org> wrote: # Use Redis for Bayes backend bayes_

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
On Sun, 27 May 2018, Palvelin Postmaster wrote: On 27 May 2018, at 21:43, John Hardin <jhar...@impsec.org> wrote: # Use Redis for Bayes backend bayes_store_module Mail::SpamAssassin::BayesStore::Redis bayes_sql_dsn server=127.0.0.1:6379,database=0 f

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
On Sun, 27 May 2018, Reio Remma wrote: On 27.05.2018 21:43, John Hardin wrote: On Sun, 27 May 2018, Palvelin Postmaster wrote: Can anyone offer suggestions as to why I get these invalid argument warnings when I run spamassassin --lint --debug: warn: plugin: eval failed: bayes: Redis failed

Re: Invalid argumenty warning when trying to use Bayes with Redis

2018-05-27 Thread John Hardin
ollows the common format and uses semicolon as a delimiter. Try: server=127.0.0.1:6379;database=0

Re: What rule am I missing?

2018-05-20 Thread John Hardin
eserver and do not focus only on the "caching" part.

Re: Invoice phish

2018-05-16 Thread John Hardin
that "https://euphqobeofnetwork . com/example.survey/question/login.php" ) Perhaps a "login.php" link should inherently be worth a point. Perhaps more if received from O365?

Re: training bayes database

2018-05-10 Thread John Hardin
Don't forget to *turn off forwarding*. and to /etc/resolv.conf nameserver 127.0.0.1 I cannot believe that is not the default. I always assumed my dns was working correctly.

Re: Invoice phish

2018-05-09 Thread John Hardin
he "Subject:" part... Does your test message have an inline attachment? Are you sure it's properly-formed?

Re: training bayes database

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Reio Remma wrote: On 9 May 2018, at 18:33, John Hardin <jhar...@impsec.org> wrote: Also: On Wed, 9 May 2018, Matthew Broadhead wrote: your message has X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2 Setting the threshold higher will result in mor

Re: training bayes database

2018-05-09 Thread John Hardin
that the threshold is set to 5.0 Is there some specific reason you set the threshold higher than 5.0?

Re: training bayes database

2018-05-09 Thread John Hardin
aining corpus You may be able to recruit some clueful, responsible users to help with the training, but make sure you review what they submit unless you *really* trust their judgement. On 08/05/18 21:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-rel

Re: Invoice phish

2018-05-08 Thread John Hardin
ce" + no actual attachments? A download URL ain't an attachment...

Re: training bayes database

2018-05-08 Thread John Hardin
On Tue, 8 May 2018, Reio Remma wrote: On 08.05.2018 22:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-release-7-4.1708.el7.centos.x86_64, spamassassin-3.4.0-2.el7.x86_64, amavisd-new-2.11.0-3.el7.noarch /etc/mail/spamassassin/local.cf: required_hits

Re: training bayes database

2018-05-08 Thread John Hardin
the rails for some reason. If you're not auto-learning, auto-expire is not needed. If you *are*, it's recommended to expire from a scheduled job rather than take the hit from spamd.

Re: OFF-TOPIC: Re: Just to lighten your day?

2018-05-02 Thread John Hardin
final ultimate termination... As in "I'm not dead yet!" from Spamalot? :) Or maybe "He's still moving towards the keyboard! LART him again!" It is, after all, supposedly from IT... Regrads (dammti...), Dianne.

Re: Just to lighten your day?

2018-05-02 Thread John Hardin
Email Administrator All Right Reversed 2018.(c)" - Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link. You need your humor detector recalibrated.

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-29 Thread John Hardin
On Sun, 29 Apr 2018, Sebastian Arcus wrote: On 27/04/18 16:22, John Hardin wrote: On Fri, 27 Apr 2018, Sebastian Arcus wrote: On 27/04/18 10:49, Sebastian Arcus wrote: I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com in the body of emails: Apr 27 10:45:39.330 [32173

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
der FROM_NAME_PREFIX_ATSIGN From:name =~ /^\@/

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
On Fri, 27 Apr 2018, Joëlle Pfeffer wrote: Hi David, Thank you for your answer. I don't think I have to escape the @ character. You do. It is recognized without being escaped since when my rule is : From:name =~ /@.b/i The period is changing the interpretation of the @ sign. -- John

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
On Fri, 27 Apr 2018, David B Funk wrote: (note the trailing 'i' makes the regex be case-insensitive so /\@A/i doesn't make sense). ...it makes precisely as much sense as /\@a/i does... :)

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
n: (Global symbol "@I" requires explicit package name (did you forget to declare "my @I"?) at /home/jhardin/develop/spamassassin/testing/test.cf, rule __FROM_NAME_TEST, line 1.) Try this: header REGLE_HF002 From:name =~ /\@A/i -- John Hardin KA7OHZ

Re: regexp dealing with display name don't work

2018-04-27 Thread John Hardin
but if my rule is header REGLE_HF002 From:name =~ /@.b/i e-mails containing From: "@Ab" < jopfef...@free.fr > or From: "@ABc" < jopfef...@free.fr > are blocked Are you specifically looking for a From: name that has an @-sign in it? Please provide a complete exa

Re: dropping other's email(s) as a "best practice" for hosted email?

2018-04-27 Thread John Hardin
(though notifying them isn't guaranteed if there are problems delivering to them...). If a given user wants emails to be dropped at the border I echo the request that you stop misusing the term "dropped" when you mean "rejected". -- John Hardin KA7OHZ

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin
t; got hit: "https://mybill.dhl.com; my{mumble}.mumble.com is targeted. I'll think about that one; the rule isn't scored highly and I could see that helping out to detect DHL phishing.

Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin
xception to this rule - as many legitimate emails containing invoice attachments in pdf include the above url in the body. Fixed.

Re: regexp dealing with display name don't work

2018-04-26 Thread John Hardin
. Is it possible that your RE and the actual header display name you want to match differ in case?

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
On Fri, 20 Apr 2018, Bill Cole wrote: On 20 Apr 2018, at 14:50 (-0400), John Hardin wrote: Given your findings, I kinda suspect *all* of the tflags=multiple rules are misbehaving from time to time under 3.3.1 - the compiled code may be getting into an infinite loop somehow if the number

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
rule exceeds some value - I note there were 17 hits on "your business" there. In any case, here without Rule2XBody I am able to operate until I can get 3.4.x deployed. Please let us know whether that improves your *overall* memory/cpu hogging and timeout problems. -- Jo

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
n Centos7 SA 3.4.0-2 bundled SA rpm, it works correctly. Yeah, because 3.4.x implements maxhits. So, should I disable the __GENERATE_LEADS family for < 3.4.0? I suspect it would be prudent, but I am surprised the other tflags=multiple rules aren't also problematic in the same manner...

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread John Hardin
s? Are the SA 3.3.1 sources different between the C6 and C7 packages? Upgrade is my option, clearly. Thanks, Chris

Re: spamc --reporttype= not working and curious log message.

2018-04-20 Thread John Hardin
^ spamc/libspamc.c: In function 'libspamc_log': spamc/libspamc.c:2239:9: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result] (void) write (2, buf, len); ^ make[1]: Leaving dir

Re: SpamAssassin 3.4.2.

2018-04-17 Thread John Hardin
suspect (3) is not practical unless we get some volunteers who are strongly familiar with the various distros and are willing to do package management. Any others?

Re: SpamAssassin 3.4.2.

2018-04-17 Thread John Hardin
update. :) RHEL 7 / CentOS 7 core is still on SA 3.4.0 - I had to manually roll my own SA 3.4.1 RPMs from Fedora SRPMs. Anybody here from RH that can commit to packaging SA 3.4.2 for a RHEL 7 core update or explain why it's behind?

Re: Differing scores on spamassassin checks

2018-04-17 Thread John Hardin
On Tue, 17 Apr 2018, John Hardin wrote: On Tue, 17 Apr 2018, Computer Bob wrote: In this way, any user can move a mail to their .SpamLearn folder and it will get learned. It is a very bad idea to do that without review unless you *strongly* trust the judgement and responsibility of your

Re: Differing scores on spamassassin checks

2018-04-17 Thread John Hardin
raining, and (2) you can easily rebuild Bayes from scratch if it goes off the rails.

Re: Differing scores on spamassassin checks

2018-04-16 Thread John Hardin
On Mon, 16 Apr 2018, Computer Bob wrote: Why should sa-learn not be run as root ? That's a general safe practice. Do as little as root as you possibly can. Why risk a root crack from an unknown bug in sa-learn that somebody has discovered and figured out how to exploit via email? -- John

Re: Differing scores on spamassassin checks

2018-04-15 Thread John Hardin
On Sun, 15 Apr 2018, John Hardin wrote: On Sun, 15 Apr 2018, Matus UHLAR - fantomas wrote: On 15.04.18 11:55, Computer Bob wrote: Here is a root scan:  https://pastebin.com/qdXMRzKb X-Spam-Status: Yes, score=10.2 required=4.0 tests=HTML_MESSAGE, RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK

Re: Differing scores on spamassassin checks

2018-04-15 Thread John Hardin
root's database is being trained. Define a shared Bayes database that all users can read and use that.

Re: Google redirect with url shortener and undisclosed-recips

2018-04-14 Thread John Hardin
the google redirect URI, perhaps because it's in data-saferedirecturl= rather than href= ... Do we need to make the SA HTML parser aware of data-saferedirecturl= ? That appears to be a gmail-ism that SA *should* probably be aware of, if it can be used to hide spam signs. -- John Hardin KA7OHZ

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
anywhere locally. That's in SVN (the SA source code).

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, Giovanni Bechis wrote: On 04/13/18 09:06, Sebastian Arcus wrote: But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
On Fri, 13 Apr 2018, John Hardin wrote: On Fri, 13 Apr 2018, Giovanni Bechis wrote: On 04/13/18 09:06, Sebastian Arcus wrote: Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the above rule: Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin
it's commented out or not present, then the masscheck process can assign however high a score it likes based on the rule's performance against the masscheck corpora. I'll take a look at that rule, I don't remember offhand what I intended it for.

Re: Google redirect with url shortener and undisclosed-recips

2018-04-12 Thread John Hardin
it to my sandbox.

Re: [OT] Re: Check for valid MX of sender and rspamd testing

2018-04-10 Thread John Hardin
Sebastian Arcus wrote: >> Hence why I have to have a local whitelist and skip verification for >> all MX's of the form *.outlook.com (which include Microsoft cloud >> hosted domains) Sigmonster agree... -- John Hardin KA7OHZ

Re: how to remove T_RP_MATCHES_RCVD

2018-04-07 Thread John Hardin
On Fri, 6 Apr 2018, Matus UHLAR - fantomas wrote: It's also useless duplicate of __RP_MATCHES_RCVD header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() Cleaned that up. -- John Hardin KA7OHZ

Re: how to remove T_RP_MATCHES_RCVD

2018-04-06 Thread John Hardin
of anyone will try pushing any of these to SA. On 05.04.18 09:32, John Hardin wrote: The best way to disable it without breaking any meta-rules that may be using it is to set its score to 0.001 in your local config file. meta rules are supposed to use __RP_MATCHES_RCVD - this is what

Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin
be due to its use as a suppressor in some metas, but absent the full spam we can't check for that. Thanks, On 04/05/2018 09:32 AM, John Hardin wrote: On Thu, 5 Apr 2018, Motty Cruz wrote: Hello, T_RP_MATCHES_RCVD  this rule is allowing spammy emails past through. Is there a way to disable

Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin
for you?

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread John Hardin
surprised the Dr Oz rule hit *that*. I'll review it.

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-03 Thread John Hardin
On Tue, 3 Apr 2018, RW wrote: On Mon, 2 Apr 2018 11:33:27 -0700 (PDT) John Hardin wrote: On Mon, 2 Apr 2018, Amir Caspi wrote: many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. So require a minimum length

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-02 Thread John Hardin
\1[-._]\2[-._]\3\@/ Potentially lots of backtracking there, though. Fortunately the string is not apt to be very long.

Re: BODY custom rule not working if text and html parts are different?

2018-04-02 Thread John Hardin
--debug area=all,rules,rules-all < $MSG )

Re: BODY custom rule not working if text and html parts are different?

2018-04-01 Thread John Hardin
On Sun, 1 Apr 2018, John Hardin wrote: On Sun, 1 Apr 2018, Matus UHLAR - fantomas wrote: On 01.04.18 05:47, Pedro David Marco wrote: This is a problem i see often... what if the URL is only in the TEXT part and not in the HTML? many email applications show those URLs as clickable

Re: BODY custom rule not working if text and html parts are different?

2018-04-01 Thread John Hardin
they are not... in this case, body rule matches, but uri does not. I think there are heuristics to pull (non-obfuscated) URIs out of body text.

Re: BODY custom rule not working if text and html parts are different?

2018-03-31 Thread John Hardin
probably be using a "uri" rule. There are heuristics to pull those out of the body text, as well out of HTML tags.

Re: Lots of money, score of 0??

2018-03-29 Thread John Hardin
seen other types too, e.g. https://example.com/?f=a37688909bc4f6 £20 M voucher *that* is a bit unexpected...

Re: Lots of money, score of 0??

2018-03-27 Thread John Hardin
think it's justified in the default rules.

Re: Dealing with links to malicious documents

2018-03-13 Thread John Hardin
On Tue, 13 Mar 2018, Bill Cole wrote: On 13 Mar 2018, at 14:21 (-0400), John Hardin wrote: d) Don't accept emails from outside your organization that link to hosted documents. The document needs to be attached, so that it can be scanned. Unfortunately this is not feasible if you're

Re: Dealing with links to malicious documents

2018-03-13 Thread John Hardin
On Tue, 13 Mar 2018, Alex wrote: Hi, On Tue, Mar 13, 2018 at 2:21 PM, John Hardin <jhar...@impsec.org> wrote: On Tue, 13 Mar 2018, Olivier Coutu wrote: In the last few months, we have seen an increase of generic emails (e.g. regarding unpaid invoices) being sent with links to in

Re: Dealing with links to malicious documents

2018-03-13 Thread John Hardin
web access, then add such URLs to that proxy's blocklist until the contents can be scanned, or so that the proxy does the redirect-through-AV automatically (not sure if that will work, though).

Re: APOSTROPHE_TOCC score

2018-03-06 Thread John Hardin
On Tue, 6 Mar 2018, David Jones wrote: On 03/06/2018 12:54 PM, John Hardin wrote: On Tue, 6 Mar 2018, RW wrote: On Tue, 6 Mar 2018 08:47:35 -0800 (PST) John Hardin wrote: On Tue, 6 Mar 2018, David Jones wrote: In this case these were really bad spam so the APOSTROPHE_TOCC is just riding

Re: APOSTROPHE_TOCC score

2018-03-06 Thread John Hardin
On Tue, 6 Mar 2018, RW wrote: On Tue, 6 Mar 2018 08:47:35 -0800 (PST) John Hardin wrote: On Tue, 6 Mar 2018, David Jones wrote: In this case these were really bad spam so the APOSTROPHE_TOCC is just riding on the back of other rules, BLs, and high Bayes scores. What I generally look

Re: APOSTROPHE_TOCC score

2018-03-06 Thread John Hardin
On Tue, 6 Mar 2018, David Jones wrote: On 03/05/2018 06:57 PM, John Hardin wrote: On Mon, 5 Mar 2018, Alex wrote: Hi, On Mon, Mar 5, 2018 at 5:59 PM, John Hardin <jhar...@impsec.org> wrote: On Mon, 5 Mar 2018, Alex wrote: To: =?utf-8?Q?DermotO=27reilly?= <Sean.O'rei...@ex

Re: Spam from compromised accounts scoring just under block threshold

2018-03-06 Thread John Hardin
On Mon, 5 Mar 2018, Amir Caspi wrote: On Mar 5, 2018, at 11:13 PM, John Hardin <jhar...@impsec.org> wrote: *before* the @ sign. It may be perfectly valid to do that, but if it happens more often in spam than in legitimate mail it is useful to us. I’m seeing a lot of spam

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread John Hardin
:-) *before* the @ sign. It may be perfectly valid to do that, but if it happens more often in spam than in legitimate mail it is useful to us.

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: Hi, On Mon, Mar 5, 2018 at 5:59 PM, John Hardin <jhar...@impsec.org> wrote: On Mon, 5 Mar 2018, Alex wrote: To: =?utf-8?Q?DermotO=27reilly?= <Sean.O'rei...@example.com> * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: To: =?utf-8?Q?DermotO=27reilly?= <Sean.O'rei...@example.com> * 2.6 APOSTROPHE_TOCC To or CC address contains an apostrophe 2.6 points for this is just unreasonable. This was a completely legitimate email. Is such an address even deliverable? -- John

Re: APOSTROPHE_TOCC score

2018-03-05 Thread John Hardin
On Mon, 5 Mar 2018, Alex wrote: 2.6 points for this is just unreasonable. This was a completely legitimate email. What is the S/O in masscheck?

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-03 Thread John Hardin
is probably a waste of time, just score 5.0 and be done with it. +1

Re: IADB whitelist - again

2018-03-02 Thread John Hardin
On Sat, 3 Mar 2018, Noel Butler wrote: On 03/03/2018 04:40, John Hardin wrote: On Fri, 2 Mar 2018, Sebastian Arcus wrote: -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record [199.127.240.84 listed in iadb.isipp.com] -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes

Re: IADB whitelist - again

2018-03-02 Thread John Hardin
companies to stuff my Inbox full of junk. -0.6 points makes the difference? Perhaps the default scores need to be reviewed, but simply having the rules isn't problematic.

Re: Can't Get Removed From List

2018-03-01 Thread John Hardin
at all* if javascript is disabled for that site? That's what I hate about the web these days, there's too much crap surrounding the useful content.

Re: IADB whitelist - again

2018-03-01 Thread John Hardin
than "we confirmed you actually want to receive our garbage" ("double opt-in"). The scores appear hardcoded (50_scores.cf) vs. from masscheck (72_scores.cf) so they may be *very* stale.

Re: ENCRYPTED_MESSAGE rule

2018-02-22 Thread John Hardin
On Thu, 22 Feb 2018, David Jones wrote: On 02/22/2018 04:40 PM, John Hardin wrote: On Thu, 22 Feb 2018, David Jones wrote: On 02/22/2018 03:49 PM, John Hardin wrote: On Thu, 22 Feb 2018, David Jones wrote: My SA filters just received 45 unsolicited junk emails from Office 365 that hit

Re: ENCRYPTED_MESSAGE rule

2018-02-22 Thread John Hardin
On Thu, 22 Feb 2018, David Jones wrote: On 02/22/2018 03:49 PM, John Hardin wrote: On Thu, 22 Feb 2018, David Jones wrote: My SA filters just received 45 unsolicited junk emails from Office 365 that hit ENCRYPTED_MESSAGE which subtracted a point.  Looking at 72_active.cf, the description

Re: ENCRYPTED_MESSAGE rule

2018-02-22 Thread John Hardin
L_BULK_SIG to score 2.88. ...e.g. ENCRYPTED_MESSAGE && (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG) as bulk encrypted mail seems unlikely ...or possibly ENCRYPTED_MESSAGE && FREEMAIL_FROM

Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin
On Mon, 19 Feb 2018, Alex wrote: Hi, On Mon, Feb 19, 2018 at 3:20 PM, John Hardin <jhar...@impsec.org> wrote: On Mon, 19 Feb 2018, Rupert Gallagher wrote: Whatever you do, just do not ask others to blacklist Alibaba Are those getting hits on SPOOFED_FREEM_REPTO_CHN? Perhaps jus

Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin
On Mon, 19 Feb 2018, Kenneth Porter wrote: On 2/19/2018 12:20 PM, John Hardin wrote: Are those getting hits on SPOOFED_FREEM_REPTO_CHN? No, not seeing that one. After enough training I eventually see it land in Bayes. The RBLs are starting to flag it. X-Spam-Status: Yes, score=5.7

Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin
On Mon, 19 Feb 2018, Rupert Gallagher wrote: Whatever you do, just do not ask others to blacklist Alibaba Are those getting hits on SPOOFED_FREEM_REPTO_CHN? Perhaps just bump the score for that locally?

Re: problem with spamassassin for WIndows

2018-02-17 Thread John Hardin
ore any rules. If you added that "ifplugin" block to your config file, what exactly were you trying to achieve with that block?

Re: From:name spoofing

2018-02-16 Thread John Hardin
d{8,13}\.201[78]\d{5,11}\@\1>/m and the message-id and the boundary. I am doing this since May last year. Not necessarily safe. If your MTA receives a message without a Message-ID, it is supposed to generate one. And if it does so, it will probably do so using your (recipient) domain...

Re: URIBL_BLOCKED

2018-02-14 Thread John Hardin
a local NON-FORWARDING resolver. If you set up a local resolver and it just forwards requests to your ISP's DNS servers, you have not materially changed the problem.

RE: Train SA with e-mails 100% proven spams and next time it should be marked as spam

2018-02-13 Thread John Hardin
o train that as ham.

Re: Train SA with e-mails 100% proven spams and next time it should be marked as spam

2018-02-13 Thread John Hardin
On Tue, 13 Feb 2018, David Jones wrote: Properly training your Bayes and increasing the score for BAYES_80, BAYES_95, and BAYES_99 and BAYES_999 is the best bet on this one.

Re: Train SA with e-mails 100% proven spams and next time it should be marked as spam

2018-02-13 Thread John Hardin
*no* BAYES hits at all (not even BAYES_50) suggests your SA is *not* using the database whose statistics you reported above. First: verify which Bayes database your SA install is using, and that it is the one you're training into and getting those stats from. -- John Hardin KA7OHZ

Re: prevent spamassassin from repeating previous tests

2018-02-06 Thread John Hardin
nal result.

Re: Matching To in Subject

2018-02-05 Thread John Hardin
enough signs on their own. I'm also thinking the From with just the domain is a variation of what we saw a few weeks ago with the attempt to confuse the sender.

Re: Tone of emails with subject: 'hey'

2018-02-05 Thread John Hardin
nabled and are you training it?

Re: Body rules hit on Subject

2018-02-03 Thread John Hardin
ength() if you can, though.

Re: Body rules hit on Subject

2018-02-02 Thread John Hardin
to add a tflag to disable this behavior. Globally, or per-rule?
