Re: Another form of obfuscation email.

2018-12-10 Thread John Hardin
corpus. Potentially we should set a fixed override score for it. I've tweaked a couple of other rules that this hit that were either testing-only or filtered out. It should score higher soon. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Spamassassin using remote rules definition source?

2018-12-10 Thread John Hardin
-update processing (will require managing DNS entries and generating SHA checksums for the rules file) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

Re: Understanding header ALL

2018-12-08 Thread John Hardin
that! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- 7 days until

Re: Bayes underperforming, HTML entities?

2018-12-07 Thread John Hardin
On Fri, 7 Dec 2018, Amir Caspi wrote: On Dec 6, 2018, at 12:14 PM, John Hardin wrote: Runaway backtracking that was killing masscheck for several people. Hrm, that is disconcerting. I'm not sure where any backtracking might be occurring... This sort of thing is risky, especially

Re: Bayes underperforming, HTML entities?

2018-12-06 Thread John Hardin
On Tue, 4 Dec 2018, Amir Caspi wrote: On Dec 1, 2018, at 10:31 AM, John Hardin wrote: On Thu, 29 Nov 2018, Amir Caspi wrote: A) Could you sandbox the proposed rule change (AC_HTML_ENTITY_BONANZA_NEW) and see how it performs, including possible FPs? Done. Any preliminary results

Re: Understanding header ALL

2018-12-06 Thread John Hardin
All headers together in one hit header __ALL_HEADERS_ALL ALL =~ /(?:.+$)+/sm -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-06 Thread John Hardin
On Wed, 5 Dec 2018, Grant Taylor wrote: On 12/5/18 5:43 PM, John Hardin wrote: Potentially, but it's hard to use something like that in regular rule REs. That sort of smarts would probably need to be in a plugin. Maybe (from my naive point of view) if not probably (from your more

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread John Hardin
On Wed, 5 Dec 2018, Grant Taylor wrote: On 12/05/2018 03:27 PM, John Hardin wrote: Take a look at replace_rules in the repo (both standard and sandboxes). Thank you for the reference. replace_rules look very intriguing. Link - Mail::SpamAssassin::Plugin::ReplaceTags - tags for SpamAssassin

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread John Hardin
On Wed, 5 Dec 2018, Bill Cole wrote: On 5 Dec 2018, at 16:45, John Hardin wrote: Those aren't zero-width, those are just standard Unicode obfuscations of regular ASCII text. Not precisely. In this case they seem to all be Cyrillic characters which happen to look like Latin characters

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread John Hardin
On Wed, 5 Dec 2018, Grant Taylor wrote: On 12/05/2018 02:45 PM, John Hardin wrote: I've added a "too many [ascii][unicode][ascii]" rule based on that but I suspect it will be pretty FP-prone and will be pretty large if we want to avoid whack-a-mole syndrome. For this, normali

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread John Hardin
d some of the new phrases from that to the bitcoin extort components. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread John Hardin
On Wed, 5 Dec 2018, Mark London wrote: The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe it needs updating? - Mark Will do, I don't have a zero response time as much as I wish I did... :) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar

Re: Bayes underperforming, HTML entities?

2018-12-04 Thread John Hardin
On Tue, 4 Dec 2018, Amir Caspi wrote: On Dec 1, 2018, at 10:31 AM, John Hardin wrote: On Thu, 29 Nov 2018, Amir Caspi wrote: A) Could you sandbox the proposed rule change (AC_HTML_ENTITY_BONANZA_NEW) and see how it performs, including possible FPs? Done. Any preliminary results

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread John Hardin
cy, but don't change anything else) it would help writing a rule that actually does match. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

Re: openssl 1.1.1 , FreeBSd 11.2 and spamassassin-3.4.2_2

2018-12-01 Thread John Hardin
of web server error messaging... How difficult would it be to detect that and include it in the logging? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

Re: Bayes underperforming, HTML entities?

2018-12-01 Thread John Hardin
On Thu, 29 Nov 2018, John Hardin wrote: On Thu, 29 Nov 2018, Amir Caspi wrote: On Nov 29, 2018, at 3:27 PM, John Hardin wrote: I'll see whether those can be incorporated into the existing UNICODE_OBFU_ZW rule (which of course will no longer actually be UNICODE :) ) Great. Maybe rename

Re: spoofing mail

2018-11-30 Thread John Hardin
to reject messages missing a Message-ID during the SMTP phase before it ever touches SA. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: Bayes underperforming, HTML entities?

2018-11-29 Thread John Hardin
On Thu, 29 Nov 2018, Amir Caspi wrote: On Nov 29, 2018, at 3:27 PM, John Hardin wrote: I'll see whether those can be incorporated into the existing UNICODE_OBFU_ZW rule (which of course will no longer actually be UNICODE :) ) Great. Maybe rename the rule. ;-) What are your thoughts

Re: Bayes underperforming, HTML entities?

2018-11-29 Thread John Hardin
those can be incorporated into the existing UNICODE_OBFU_ZW rule (which of course will no longer actually be UNICODE :) ) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F

Re: multiplying in rules

2018-11-23 Thread John Hardin
On Fri, 23 Nov 2018, RW wrote: On Fri, 23 Nov 2018 08:24:07 -0800 (PST) John Hardin wrote: On Fri, 23 Nov 2018, RW wrote: On Fri, 23 Nov 2018 09:49:34 +0100 Matus UHLAR - fantomas wrote: But as I said it's the decimal fractions that cause it to fail and the above rule doesn't need

Re: multiplying in rules

2018-11-23 Thread John Hardin
or all of the *components* of the meta). -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C

Re: multiplying in rules

2018-11-23 Thread John Hardin
se rules has "tflags multiple" set (unless with maxhits=1) Actually, that comment applies to *any* mathematical meta threshold logic involving "tflags multiple" rules. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org F

Re: : 9D character used in words to avoid detection

2018-11-21 Thread John Hardin
On Tue, 20 Nov 2018, RW wrote: On Mon, 19 Nov 2018 13:31:47 -0800 (PST) John Hardin wrote: On Mon, 19 Nov 2018, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious

Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-21 Thread John Hardin
On Wed, 21 Nov 2018, Rupert Gallagher wrote: On Wed, Nov 21, 2018 at 03:41, John Hardin wrote: On Tue, 20 Nov 2018, Rupert Gallagher wrote: The email address is an address, part of your personally identifiable data. I'm not disputing that. I write software that deals with PII in my day

Re: Lost mail during update

2018-11-21 Thread John Hardin
filtering tool with SA hooks such that this failure should be reported to *them*? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread John Hardin
l presence outside the US. On Tue, Nov 20, 2018 at 17:03, John Hardin wrote: On Tue, 20 Nov 2018, Rupert Gallagher wrote: Yes, if you are European, and might get some money as compensation. From a US political advocacy group which has no commercial presence in EU? How does GDPR apply in that

Re: multiplying in rules

2018-11-20 Thread John Hardin
do "> 2") -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D82

Re: multiplying in rules

2018-11-20 Thread John Hardin
? Multiply everything by 10: (__rulename * 4) ...etc... > 10 -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2

Re: : 9D character used in words to avoid detection

2018-11-20 Thread John Hardin
On Tue, 20 Nov 2018, RW wrote: On Mon, 19 Nov 2018 13:31:47 -0800 (PST) John Hardin wrote: On Mon, 19 Nov 2018, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious

Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-20 Thread John Hardin
as well. While I can just dump their mail, it offends my finely honed sense of propriety, justice and my all around good nature. Besides, it hoses me off. So, is there some "authority" to which I can report these a**holes? that might have an effect? -- John Hardin KA7OHZ

Re: : 9D character used in words to avoid detection

2018-11-19 Thread John Hardin
blackmail spam. ...probably for this reason. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re:: 9D character used in words to avoid detection

2018-11-17 Thread John Hardin
ip" M. --- {snip} -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: Forgery with SPF/DKIM/DMARC

2018-11-17 Thread John Hardin
On Sat, 17 Nov 2018, David Jones wrote: On 11/17/18 9:52 AM, John Hardin wrote: From: John D. Smith To: kdeu...@vianet.ca Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca> Couple of things: 1. Recent discussions on this mailing list showed me that the Message-ID should

Re: Forgery with SPF/DKIM/DMARC

2018-11-17 Thread John Hardin
don't cause a problem blocking a real invoice in the first month or two as you are tuning your rules and scores. Good suggestions. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D

Re: 9D character used in words to avoid detection.

2018-11-16 Thread John Hardin
... -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- From

Re: Bayes not learning, blacklist not filtering

2018-11-16 Thread John Hardin
, though. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: Bayes underperforming, HTML entities?

2018-11-15 Thread John Hardin
On Thu, 15 Nov 2018, Amir Caspi wrote: On Nov 15, 2018, at 2:36 PM, John Hardin wrote: It doesn't seem to have a very high score just yet... I'm still getting FNs with the rule hitting (due to those messages hitting BAYES_00/05). Manually train those messages as spam and that should

Re: Bayes underperforming, HTML entities?

2018-11-15 Thread John Hardin
On Thu, 15 Nov 2018, Amir Caspi wrote: On Nov 15, 2018, at 2:36 PM, John Hardin wrote: That and its resistance to FP avoidance. Despite the generality, I don't see a significant FP risk on the general unicode version. I don't see ANY legitimate reason why an email would hard-encode long

Re: Bayes not learning, blacklist not filtering

2018-11-15 Thread John Hardin
common answer to that question is: you're training to a different Bayes database than spamassassin is using during message processing. What is your glue - how is SA hooked into your MTA? What user is SA (typically spamd) running under? What user are you logged in as for training? -- John Hardin

Re: Bayes underperforming, HTML entities?

2018-11-15 Thread John Hardin
On Thu, 15 Nov 2018, Amir Caspi wrote: On Nov 10, 2018, at 11:30 AM, John Hardin wrote: The rawbody rules perform much better (unsurprising), and the ASCII-only one has a better raw S/O: It looks like HTML_ENTITY_ASCII has been rolled out -- did you decide against the more general

Re: URI_HEX fp

2018-11-12 Thread John Hardin
adecimal sequence It's not "is pure hex", it's "contains long hex". -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 13

Re: ALL_TRUSTED always shown in X-Spam-Status header

2018-11-11 Thread John Hardin
On Sun, 11 Nov 2018, John Hardin wrote: On Sat, 10 Nov 2018, listsb wrote: what am i misunderstanding? Is there some possibility that you're stripping external Received headers? (grasping at straws here) Heh. Ignore that. I have *got* to learn to catch up *before* replying to stuff

Re: ALL_TRUSTED always shown in X-Spam-Status header

2018-11-11 Thread John Hardin
On Sat, 10 Nov 2018, listsb wrote: On Nov 10, 2018, at 21.01, John Hardin wrote: On Sat, 10 Nov 2018, listsb wrote: i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following

Re: ALL_TRUSTED always shown in X-Spam-Status header

2018-11-10 Thread John Hardin
!= trusted_networks. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: Bayes underperforming, HTML entities?

2018-11-10 Thread John Hardin
On Fri, 9 Nov 2018, John Hardin wrote: On Fri, 9 Nov 2018, John Hardin wrote: On Fri, 9 Nov 2018, Amir Caspi wrote: I'd be interested to know if there's a performance difference between my two proposed rules. I suspect the second should run (slightly) faster. It looks that way - only

Re: Bayes underperforming, HTML entities?

2018-11-09 Thread John Hardin
On Fri, 9 Nov 2018, John Hardin wrote: On Fri, 9 Nov 2018, Amir Caspi wrote: I'd be interested to know if there's a performance difference between my two proposed rules. I suspect the second should run (slightly) faster. It looks that way - only .0001s difference on *some* messages. Re

Re: Bayes underperforming, HTML entities?

2018-11-09 Thread John Hardin
On Fri, 9 Nov 2018, Amir Caspi wrote: On Nov 9, 2018, at 8:49 AM, John Hardin wrote: rawbody HTML_ENC_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s*;\s*){10}/i I'll add that too so that we can compare the results. Per my reply a few minutes ago, I t

Re: Bayes underperforming, HTML entities?

2018-11-09 Thread John Hardin
s are <5 points. I think we have a winner. Thanks, Amir (and possibly RW)! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E

Re: Bayes underperforming, HTML entities?

2018-11-09 Thread John Hardin
On Thu, 8 Nov 2018, Bill Cole wrote: On 8 Nov 2018, at 21:55, John Hardin wrote: On Thu, 8 Nov 2018, Amir Caspi wrote: On Nov 8, 2018, at 7:41 PM, John Hardin wrote: Sure, but I'd also prefer to have a sample to test on before committing. I'll see if I can get the pastebin to work (i.e

Re: Bayes underperforming, HTML entities?

2018-11-08 Thread John Hardin
On Thu, 8 Nov 2018, Amir Caspi wrote: On Nov 8, 2018, at 7:55 PM, John Hardin wrote: I left it case-sensitive; is there some reason the entities cannot be coded as (e.g.) ? I kinda doubt it, so it should *probably* be case-insensitive to avoid trivial bypass. I think it should

Re: Bayes underperforming, HTML entities?

2018-11-08 Thread John Hardin
On Thu, 8 Nov 2018, Amir Caspi wrote: On Nov 8, 2018, at 7:41 PM, John Hardin wrote: Sure, but I'd also prefer to have a sample to test on before committing. I'll see if I can get the pastebin to work (i.e. fix the boundary) I can send you some new spamples via attachment, privately

Re: Bayes underperforming, HTML entities?

2018-11-08 Thread John Hardin
z0-9#]{2,};\s*){20} Either should work, I believe. Cheers. --- Amir -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B

ClamAV - low detection rates on malware attachments lately

2018-11-07 Thread John Hardin
behind like this? Are they suffering from resource shortages (e.g. in the feeds and evaluation teams)? Just curious. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411

Re: config files in spamasassin is unintended tlds :/

2018-11-04 Thread John Hardin
On Sun, 4 Nov 2018, John Hardin wrote: Why is your system doing that? ...never mind, explained in a later post. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411

Re: config files in spamasassin is unintended tlds :/

2018-11-04 Thread John Hardin
blocks my named now, i can't resolve any cf domains with it Why is your system doing that? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: config files in spamasassin is unintended tlds :/

2018-11-04 Thread John Hardin
be considered. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: spamd fails to remove bayes.lock file

2018-10-30 Thread John Hardin
On Tue, 30 Oct 2018, RW wrote: On Tue, 30 Oct 2018 17:27:18 +0200 Jari Fredriksson wrote: John Hardin kirjoitti 24.10.2018 kello 18.10: As was suggested earlier, disable auto-expiry and run a cron job to expire Bayes tokens. I seem to have auto expiry on, but have not seen any problems

Re: Evasion with Unicode format characters

2018-10-30 Thread John Hardin
roblem with this approach is the *presence* of such characters is a pretty strong spam sign. Potentially those tests could be moved to RAWBODY rules, though - I'll investigate that for the ZW rule. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impse

Re: spamd fails to remove bayes.lock file

2018-10-29 Thread John Hardin
On Mon, 29 Oct 2018, Emanuel Gonzalez wrote: Hi.!! the permits of the directory are correct: ll -d /.spamassassin/ drwxrwxr-x 2 nobody nobody 63 oct 29 08:54 /.spamassassin/ The parameter bayes_auto_learn is set to "0". The advice was for auto *expire*. -- John Har

Re: spamd fails to remove bayes.lock file

2018-10-24 Thread John Hardin
u have any idea how to solve it? As was suggested earlier, disable auto-expiry and run a cron job to expire Bayes tokens. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C

Re: spamd fails to remove bayes.lock file

2018-10-23 Thread John Hardin
bayes_learn_to_journal 1 bayes_auto_learn 0 you may need to set bayes_auto_expire 0 and do your expiry from cron using sa-learn This is best practice, yes. What are the permissions on the files themselves? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Extreme scores from FRNAME rules.

2018-10-22 Thread John Hardin
changes to reduce the overlap in the FRNAME rules. The reason they are scoring that high even with overlap is those are strong spam signs in the masscheck corpus. And: Bayes and TxRep did exactly what they are supposed to do here. -- John Hardin KA7OHZ http://www.impsec.org

Bitcoin spams

2018-10-21 Thread John Hardin
that. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If stress

Re: LiveJournal password breach

2018-10-20 Thread John Hardin
On Sat, 20 Oct 2018, Kevin A. McGrail wrote: John, check out haveibeenpwned.com and see if this breach is listed. Great site. LJ does not appear to be listed. On Sat, Oct 20, 2018, 13:54 John Hardin wrote: All: This isn't as far as I can tell getting publicity yet, but I just got

LiveJournal password breach

2018-10-20 Thread John Hardin
immediately. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: URI_WPADMIN fp

2018-10-19 Thread John Hardin
the possibility. Yup. It's only hitting 80 spams and one ham in the current masscheck corpora. If it *is* causing FPs, please report it here as such and I'll reduce the score limit. It was hitting more when it was first created. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin

Re: URI_WPADMIN fp

2018-10-19 Thread John Hardin
says possible phishing, but how would an end-user be in a position to create a public link that involves their WP admin directory in the first place? It's generally a sign of a hacked server. However, 3 points may be extreme given it's hitting only 0.0280% of spam -- John Hardin KA7OHZ

Re: Is fuzzyocr i.e. Image scanning

2018-10-17 Thread John Hardin
be done for attached .doc, .pdf files etc. ...which would be much more reliable than OCR. If it was a resource-allocation decision for pulling text from doc/pdf vs. updating OCR, I'd push for the former. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Is fuzzyocr i.e. Image scanning

2018-10-15 Thread John Hardin
technology and method. Thanks in advance. Regards Brent P.s. Here is a pastebin link of what I am seeing. https://pastebin.com/raw/gurvFrZw -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key:

Re: RBL

2018-10-10 Thread John Hardin
archives for Postfix and RBL, there have been discussions and good suggestions for weighted multi-RBL checks before. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411

Re: Scoring question

2018-10-08 Thread John Hardin
SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Mon, Oct 8, 2018 at 11:18 AM John Hardin wrote: On Mon, 8 Oct 2018, Chuck McManis wrote: I have been trying to tune scores to achieve better matches with spam that is getting through. And one test which shows up

Re: Scoring question

2018-10-08 Thread John Hardin
is *very* low in the masscheck corpora - 0.114 - 4% spam hits vs. 31% ham hits. You might want to be careful if you intend to treat that as a poison pill by itself... I'll take a look at whether its performance can be improved. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin

Re: Bitcoin update

2018-10-08 Thread John Hardin
angerous. "*" in a body rule opens you to DoS attacks. I recommend \W{0,10} instead of \W* to reduce that exposure. Also, it's a bit more efficient to not use capturing parens if you're not going to do anything with the match: /\b\W*(?:w\W*e\W*b\W*)?c\W*a\W*m\W*(?:e\W

Re: Bitcoin update

2018-10-06 Thread John Hardin
On Sat, 6 Oct 2018, Pedro David Marco wrote: On Saturday, October 6, 2018, 8:36:11 PM GMT+2, John Hardin wrote: The version of this in my sandbox doesn't have that weakness. I did some tuning compared to what Steve proposed. John, would it be possible for you to share with us those

Re: Bitcoin update

2018-10-06 Thread John Hardin
s appear to be going to the list multiple times (or is that just me?) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B

Re: Bitcoin update

2018-10-05 Thread John Hardin
On Fri, 5 Oct 2018, Zinski, Steve wrote: Yes, absolutely. OK, cleaned up a bit and checked in. We'll see what masscheck thinks... On 10/5/18, 1:42 PM, "John Hardin" wrote: On Fri, 5 Oct 2018, Zinski, Steve wrote: > Here's how I'm blocking bitcoin emails with Unico

Re: Bitcoin update

2018-10-05 Thread John Hardin
On Fri, 5 Oct 2018, sebast...@debianfan.de wrote: https://pastebin.com/TRD7FzRQ i have a sample here There doesn't appear to be any obfuscation (apart from the email address) in that message... -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org

Reporting gmail spam/fraud/phishing

2018-10-05 Thread John Hardin
" Bah. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: Bitcoin update

2018-10-05 Thread John Hardin
de glyph. It's not bitcoin-specific. With your permission I can add that to my sandbox and see how it does in masscheck. On 10/5/18, 10:54 AM, "John Hardin" wrote: On Fri, 5 Oct 2018, Pedro David Marco wrote: > >On Thursday, October 4, 2018, 9:08:10 PM GMT+2,

Re: Bitcoin update

2018-10-05 Thread John Hardin
x last night... Initial results aren't too promising. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B87

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread John Hardin
p a local, recursive, ***NON-FORWARDING*** DNS server for the use of SA (and likely their MTA). Searching for URIBL_BLOCKED in the mailing list archives will cover it in *excruciating* detail. It's a VFAQ. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@imp

Re: Unexpected error spotted by --lint check

2018-10-01 Thread John Hardin
+ __MG_LOT2 ) > 1.5 ) score MG_LOTTO 2.0 This rule has been around and working as expected for several years. Looks like the lint got broken, then, and needs to accept decimal numbers... -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaho

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-09-07 Thread John Hardin
On Fri, 7 Sep 2018, Matus UHLAR - fantomas wrote: For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is just what I need to prevent all rules from firing: I think you mean !ALL_TRUSTED, right? Will digest and comment on the rest in a bit. -- John Hardi

Cloudflare

2018-09-04 Thread John Hardin
If anyone here works for Cloudflare or has high-level personal contacts there, could you contact me offlist? Thanks! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-09-01 Thread John Hardin
On Sat, 1 Sep 2018, RW wrote: On Fri, 31 Aug 2018 16:16:43 -0700 (PDT) John Hardin wrote: On Fri, 31 Aug 2018, John Hardin wrote: None of the masscheck corpora that hit __HDR_ORDER_FTSDMC also hit ALL_TRUSTED (or at least the portion is so small it falls off the bottom of the report) so

Re: Non-ascii subjects with images

2018-09-01 Thread John Hardin
her wrote: > > > > Do you have an SA rule for it? > > Do you have any sample, Rupert? Of course I do. Would you care to show us? Antony. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.o

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
On Fri, 31 Aug 2018, John Hardin wrote: None of the masscheck corpora that hit __HDR_ORDER_FTSDMC also hit ALL_TRUSTED (or at least the portion is so small it falls off the bottom of the report) so I don't feel too worried about adding either !ALL_TRUSTED or __ANY_EXTERNAL (or potentially

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
On Fri, 31 Aug 2018, John Hardin wrote: On Fri, 31 Aug 2018, Matus UHLAR - fantomas wrote: On Thu, 30 Aug 2018, Matus UHLAR - fantomas wrote: That further causes hitting HDR_ORDER_FTSDMCXX_DIRECT and HDR_ORDER_FTSDMCXX_NORDNS in cases where client uses the mail client on local network

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-31 Thread John Hardin
(which may be quite common in some organizations). On 30.08.18 16:57, John Hardin wrote: Are you experiencing this yourself, so that you can do some testing? Yes. Thanks! If you do have a repro env, can you check whether that internal network is listed as such in the SA config? Would you

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-30 Thread John Hardin
http://spamassassin.1065346.n5.nabble.com/Problem-with-new-rules-td152105.html I'd say the problems aren't. That's because the ESP was relaying mail and not reporting *any* details of the internal handoff, so it looked to the recipient like the MSA was a mail client. rDNS wasn't an issue the

Re: __HDR_ORDER_FTSDMCXXXX hitting windows live mail (and outlook express)

2018-08-30 Thread John Hardin
ers give the rest a bad name. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B

Re: More XPS phish phun

2018-08-19 Thread John Hardin
s/36B649E7-77A2-20FE-FC19-80636F6E6148.odttf 266980 Defl:N 107750 60% 01-01-1980 00:00 3e418bc1 Resources/71CF76BB-7E19-70D9-3161-0E48B6763460.odttf -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impse

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread John Hardin
On Fri, 17 Aug 2018, Chris wrote: On Fri, 2018-08-17 at 14:46 -0700, John Hardin wrote: On Fri, 17 Aug 2018, Chris wrote: Early on when SA-Compile was run I did manage to capture this: Running sa-compile (may take a long time) Unescaped left brace in regex is deprecated here

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread John Hardin
appear to be a stock rule. Do you know where it came from? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B87

Re: Understanding ruleQA results

2018-08-17 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, RW wrote: On Tue, 14 Aug 2018 13:24:47 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, micah anderson wrote: I searched my pile of mail that I have from two ice ages ago, and I did find 6 messages

RE: False Positive

2018-08-17 Thread John Hardin
l can scan it. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ---

Re: Understanding ruleQA results

2018-08-15 Thread John Hardin
On Wed, 15 Aug 2018, RW wrote: On Tue, 14 Aug 2018 18:43:52 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, RW wrote: I don't know that this is particularly specific to mobile, lots of people send emails with an empty subject. It sounds like the main cause would be a signature

Re: Understanding ruleQA results

2018-08-15 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: OK, I can see about adding some mobile MUA exclusions. Any FP headers you can provide (directly) will be helpful. Go

Re: Understanding ruleQA results

2018-08-14 Thread John Hardin
On Tue, 14 Aug 2018, RW wrote: On Tue, 14 Aug 2018 13:24:47 -0700 (PDT) John Hardin wrote: On Tue, 14 Aug 2018, micah anderson wrote: I searched my pile of mail that I have from two ice ages ago, and I did find 6 messages that were hits of this rule, one of them was spam, five of them

Re: Understanding ruleQA results

2018-08-14 Thread John Hardin
On Tue, 14 Aug 2018, micah anderson wrote: John Hardin writes: On Tue, 14 Aug 2018, micah anderson wrote: but how can I tell how many messages are part of the corpus? As RW said, hover over the percentages. Thanks. Also, the percentages seem very low: 1.5192% Spam, and .0005% Ham
