he
number getting blocked, is still huge.
On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct. All the IP sources of this spam, don't a
valid reverse lookup of the IP address, to an IP name. That will
solve my problem. Than
Marc - You are correct. All the IP sources of this spam, don't a valid
reverse lookup of the IP address, to an IP name. That will solve my
problem. Thanks! - Mark
On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a lot of such
networks.
tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received. This didn't help. I'm curious if anyone is
noticing this spam. Thanks. - Mark
This takes a while (afaik months at least).
high spam,
which these spams have. So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received. This didn't help. I'm curious if anyone is
noticing this spam. Thanks. - Mark
z
Sorry, I didn't change the subject line when I posted this.
On 9/29/2023 12:41 PM, Mark London wrote:
Hi - Can anyone tell me why the following email header triggered
DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line?
Strangely, if I run spamassassin from the command line
On 9/29/2023 1:47 PM, Reindl Harald (gmail) wrote:
Am 29.09.23 um 19:37 schrieb Bill Cole:
Strangely, if I run spamassassin from the command line on the
message, DKIM_SIGNED is not triggered. SpamAssassin version 3.4.6
Oh. So you've let a piece of security software go most of year after
-Level header, as I have some customized
rules.) Thanks. - MARK
Received: from SRV-EXCHANGE.sdis58.local
(static-css-csd-160189.business.bouyguestelecom.com [176.162.160.1
89])
by simplerelay.pulsation.fr (Postfix) with ESMTPS id 644B1203A3E3;
Fri, 29 Sep 2023 04:56:31 +0200
Dropbox now has an invoice feature, that allows you to create a customized
invoice. So what this person did was to create an invoice that looks like it’s
coming from PayPal. Except for the fact that the From address shows it is
coming from Dropbox.
Months ago I saw a similar problem with
I’ve never seen a false positive with USER_IN_DEF_SPF_WL.
> On Mar 20, 2023, at 1:48 PM, Reindl Harald wrote:
>
>
>
>> Am 20.03.23 um 18:44 schrieb Mark London:
>> It seems like it too high a negative score.
>
> then adjust it in local.cf
>
> the poin
It seems like it too high a negative score.
On 3/20/2023 1:24 PM, Reindl Harald wrote:
Am 20.03.23 um 18:17 schrieb Mark London:
Can someone tell me why this paypal phishing email, managed to
trigger USER_IN_DEF_SPF_WL?
Or put it another way. Why wasn't it detected as a phishing email
Can someone tell me why this paypal phishing email, managed to trigger
USER_IN_DEF_SPF_WL?
Or put it another way. Why wasn't it detected as a phishing email? Thanks.
Received: from a39-208.smtp-out.amazonses.com
(a39-208.smtp-out.amazonses.com [54.240.39.208])
by PSFCMAIL.MIT.EDU
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my
email, because there is no List-Id. The email actually came from a
microsoft account. - Mark
header __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
header __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
header
. And they left the postal address of amazon, without the word
amazon.
I hate bogus spam that is so obviously bogus that it avoids filter
rules. :) - Mark
On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org wrote:
Subject:
Re: Maybe it's time to revive EvilNumbers?
From:
"Loren W
My site is getting a lot of spam that is getting past spamassassin.
Because it has a hone number to call, and rather than a link to login
using username and password. Mostly fake amazon purchases. They are
getting past a lot of URL block lists because of that. FWIW. - Mark
Hi - I receive email from spiceworks.com help desk, which are sent via
sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score,
which is 3.4 ? Thanks. - Mark
Terms and Conditions:
https://u2752257.ct.sendgrid.net/ls/click?upn
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
<https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/>
- Mark
Can we start a separate mailing list for people to discuss this issue elsewhere?
"As programmers, our day to day work doesn’t typically present us with
opportunities to take a stand against racism. Situations like this are
opportunities to be the change we want to see. When you get that
opportunity and you don’t act, or even worse, you defend the status quo."
That quote
n changing the names by many others. For example, I found:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
So this issue is nothing new, and the arguments on this issue, that have
been occurring on this mailing list, have already occurred.
- Mark
On 7/10/2020 7:18 PM, Marc Roos wrote
Spamassassin is not alone.
https://www.google.com/search?q=whitelist+blacklist=1C1CHBD_enUS893US893=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351=lnms=nws=X=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw=1008=5900
of __BITCOIN_ID needs to updated to include this
format. Thanks.
- Mark
uot;1" in it:
For sure figure 1 is convincing that nqR is a good organising
Maybe this rule needs tweaking? Thanks.
- Mark
were receiving, I'm surprised it didn't
show up sooner on the other RBLs.
Thanks. - Mark
Is PDS_TONAME_EQ_TOLOCAL_SHORT new? I see it hitting real emails here, but
hitting no spam emails. Thanks.
- Mark
Sent from my iPhone
I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS
is mostly hittng real emails at my site 1168 real emails versus 219 spam
mls. Luckily, the score is not high, to be making any difference.
FWIW. - Mark
test for short non-html emails that only have utf-8
characters and a single link at the bottom of the email.
Sent from my iPhone
> On Jul 2, 2019, at 8:42 AM, Kevin A. McGrail wrote:
>
> Mark, can you put a sample up on pastebin? That looks like ASCII hex but
> ending up with U
Hi - I'm trying to filter emails that have only special characters in
them. Like the text of the following email. Thanks. - Mark
- =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9C=E1=B4=87=E1=B4=8D=E1=B4=80=CA=9F=E1=
=B4=87s =E1=B4=9B=E1=B4=8F s=E1=B4=9C=E1=B4=84=E1=B4=8B =E1=B4=9B=CA=9C=E1=
=B4=87=C9
Does anyone have any rules that can catch this type of obfuscated spam?
https://pastebin.com/qi8dsREW
Thanks. - Mark
+\@psfc.mit.edu,/i
And that works. although I don't know why I need the \W*. But,
whatever! Never mind. - Mark
On 12/20/2018 12:30 PM, Mark London wrote:
Hi - What's the best rule to catch email with multiple addresses in the From:
line? I realize thatrfc2822allows it. But the only email we've ever
: \S+\@psfc.mit.edu,/i
It's still not triggered. Any ideas? Thanks. - Mark
, with a bitcoin address in it. :) - Mark
--
I've got a personal webpage that includes all types of products and
services
This email hit the new (to me) BITCOIN_PAY_ME rule. Never ending fun.
Begin forwarded message:
> From: "Broaddus Walther"
> Date: December 17, 2018 at 1:49:04 PM EST
> To: m...@psfc.mit.edu
> Subject: You should definitely go through this before something negative can
> happen 17.12.2018
Sorry, I cut off the full URL. It should have been:
https://pastebin.com/5ASMFahi
On 12/12/2018 12:16 PM, Mark London wrote:
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https
, that rule
is disabled (score = 0). Without that, the email would have gotten
through.
Rule T_MIXED_ES was triggered. But that rule has too many false
positives to be of any use (IMHO, from looking at my spam logs).
Thanks! - Mark
The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe
it needs updating? - Mark
On 12/5/2018 11:19 AM, Mark London wrote:
No longer just embedded =9D characters.
From: =?utf-8?B?bmlnaHRt0LByZQ==?=
To:
Subject: You are my victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME
No longer just embedded =9D characters.
From: =?utf-8?B?bmlnaHRt0LByZQ==?=
To:
Subject: You are my victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="a0d0993ce53319101c19af03d5311b0976b26b"
X-Scanned-By: MIMEDefang 2.79 on
limited right now, to a few (one?) spammer, who
is presently using it in their porn blackmail spam.
- Mark
Forwarded Message
Subject:[OFF-list] 9D character used in words to avoid detection
Date: Sat, 17 Nov 2018 15:42:08 -0600
From: Chip M.
To: Mark London
Mark, could you post a full spample to the SA list?
Thanks in advance!
"Ch
John & Kevin - Thanks for the rules! This tactic was used in a porn
blackmail spam. Considering that we are currently are receiving a
large amount of those types of spams, it might be possible that this
tactic might catch on. Or not! We'll see. - Mark
On 11/17/2018 8:23 AM, u
?
Thanks.
Mark
ond and say "No, I'm not
fine, and we can't talk". But I doubt that will resolve the issue. :)
I'm just curious if anyone else has encountered this. Thanks. - Mark
t;/
header BAD_2FROM_ALLALL =~ /From: \"[\S ]+\<\S+\@\S+\>" \<\S+\@\S+\>/
Here's the full header. Thanks. Mark
Received: from mail.wtf.net (mail.wtf.net [66.202.56.170])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id w8DCLlXe017269
for ; Thu, 13
On 6/28/2018 1:46 PM, users-digest-h...@spamassassin.apache.org wrote:
Subject:
Re: Using UTF-8 characters to avoid spam filter rules.
From:
RW
Date:
6/26/2018 12:12 PM
To:
users@spamassassin.apache.org
On Tue, 26 Jun 2018 00:33:11 -0400
Mark London wrote:
Hi - Some of the words
any rule I canu se, to detect messages that are mostly plain ASCII
characters, but are using enough UTF-8 characters, that obviously have
been put in to avoid spam rules? Thanks. - Mark
Forwarded Message
Subject:GKJ: [x...@mit.edu] 26.06.2018 03:39:27 You can easily ge
se letters? Thanks. - Mark
MIME-Version: 1.0
From: c...@nmlc.com
To: markrlon...@gmail.com
Date: Sun, 31 Dec 2017 18:42:25 CET
Subject: Never Pay For Covered Home Repairs Again-Best deal of the year,
Iimited-Time*Njvt
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
On 12/11/2017 10:59 AM, Reindl Harald wrote:
Am 11.12.2017 um 16:44 schrieb Mark London:
I'm getting a lot of flakey spam messages, that don't trigger any
significant spamassassin rules, even though it obviously looks really
bogus.
Here's an example. Any suggestions?
https://pastebin.com
address I tried stripping off all the forwarding headers, but it
doesn't trigger any RBLs
Thanks for any help.
- Mark
, and I've found
that to be useful. But for some reason, __HTML_IMG_ONLY does not
include HTML_IMAGE_ONLY_32. Is there any reason that this was left out?
- Mark
Sent from my iPhone
> On Nov 18, 2017, at 5:29 PM, RW <rwmailli...@googlemail.com> wrote:
>
> On Sat, 18 Nov 2017 15:46:16 -0500
> Mark London wrote:
>
>> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email
>> address like t
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email
address like this:
mqsjkeqgy...@sina.com
But it doesn't. Yet it does trigger on this:
dxn...@sina.com
Curious.
- Mark
not sure if all of these are currently in use, but:
txt.voice.google.com
mms.att.net
tmomail.net
vzwpix.com
vtext.com
On 10/24/17 10:09 AM, Marc Perkel wrote:
> Does anyone have a cell phone network list of host names where email
> from cell phones might be coming from? So far I have:
>
>
o trigger.
Can we get an official rule to test for invalid double addresses? Do I
need to open a ticket? - Mark
header __FROM_QUOTES From =~ /"/
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
meta__FROM_SPOOF__FROM_MAYBE_SPOOF &&am
Hi - Sorry if this has been discussed before. I'm seeing a lot of html
spam with a few links, followed by a line that just contains
yed for too long a time period.
Mark London
Natick, May
I'm not using dns forwarding.
Sent from my iPhone
> On Dec 6, 2016, at 5:13 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> get rid of dns forwarding and use dns servers with *real* recursion, that
> topic makes people sick after so many years
>
>> Am 06.12
. - Mark
This was a email message sent to my markrlon...@gmail.com account. Note
the hostname of markrlondon23474.seksizlex.co! - Mark
SrC="markrlondon23474.seksizlex.co/PFDWKUMKLVZ-NNHSLPKXP!uvobp/ralzgcsh~v/460142604-11776440226-8559896522279839070966966999minh9795dx9n/cazhla-db00zaabb/NZ
ail -f /var/log/amavisd-debug.log | egrep '(TxRep|auto-whitelist): '
Mark
On 6/8/2016 1:20 PM, John Hardin wrote:
On Wed, 8 Jun 2016, Mark London wrote:
Hi - We received an email with several large postscript attachments,
and the content type was "text/plain". This caused our spamassassin
server to use up 100% CPU, parsing the attachments as
I prevent this in the future? I know about the time limit
feature, but this doesn't prevent the server from running 100% of the
time, before the time limit is reached. Any suggestions? Thanks. - Mark
Content-Transfer-Encoding: base64
Content-Type: text/pl
two minutes.
Mark
Btw, the fix for:
"each on reference is experimental at ..."
"keys on reference is experimental at
/usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm"
is at Bug 7208:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7208
Mark
On 2015-12-18 16:29, Axb wrote:
On 12/18/2015 04:17 PM, Mark Martinec wrote:
On 2015-12-17 22:41, Axb wrote:
could you make a version using redirector_pattern so the redirected
target can be looked up via URIBL plugin?
Isn't this already the case? Redirect targets are added
to a list of URIs
On 2015-12-17 22:41, Axb wrote:
could you make a version using redirector_pattern so the redirected
target can be looked up via URIBL plugin?
Isn't this already the case? Redirect targets are added
to a list of URIs and are subject to same rules as
directly collected URIs.
Mark
baddomain
p2 doesn't pick up on baddomain.com
Any thoughts or have I stumbled upon a problem?
Two problems there, one is in your regexp, the other is in
the SpamAssassin logic of dealing with redirects.
The parameter of redirector_pattern is a regular expression,
dots and a question mark have a s
branch
( svn checkout http://svn.apache.org/repos/asf/spamassassin/branches/3.4
spamassassin-3.4 )
or downgrade Net::DNS to a pre-1.* version (i.e. 0.83).
Mark
ght by 1.03
affected SpamAssassin on two fronts, both are due to an
incompoatible API change in Net::DNS: different object class
expected by bgread (which affected a handful of other
Perl modules too), and a change in semantics of "retry" and
"retrans" options, which affected DKIM plugin.
Mark
yway, an ASN test would fail on mailing list mail by google senders.
A DKIM test would also likely but not necessarily fail in such mail,
depending how a mailing list is configured. For example this
SpamAssassin mailing list preserves DKIM signature validity just fine.
Mark
bgread
Reads the answer from a background query (see "bgsend").
The argument is an "IO::Socket" object returned by "bgsend".
To me, this is an incompatible documented change - not something
one would expect in an 1.02 -> 1.03 update.
Mark
35.
There is a CPAN ticket open for this:
https://rt.cpan.org/Public/Bug/Display.html?id=108745
Please stick to Net::DNS 1.02 until this is resolved.
Mark
oIP.dat and GeoIPv6.dat there.
Mark
spammer can't play.
It's not possible to emulate all different behaviours of
various mail reading programs. Still, in the case we have
it would make sense to try also the utf-16le, since this is
a default endianness in Windows.
Mark
UTF-16BE or UTF-16LE, and there is no BOM mark at the
beginning of each textual part, so endianness cannot be
determined. The RFC 2781 says that big-endian encoding
should be assumed in absence of BOM.
See https://en.wikipedia.org/wiki/UTF-16
In the provided message the actual endianness is LE, and
BOM is
flags to spamd:
spamd_enable="YES"
spamd_flags="-s local5"
spamd_command_args="-d -A [2a03:6000:::xxx] -u spamd -x -q -r
${pidfile}"
But after the update the line "spamd_command_args" seems to be ignored.
Put all command line options for spamd in spamd_flags.
Mark
de the patch.
Best regards,
Olivier
Not to forget the fix at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
which is also needed with Net::DNS 1.01 or later.
Already cherrypicked in the FreeBSD port of SpamAssassin:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
Mark
://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
Mark
=7208
fix in revision 1684653:
https://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URILocalBL.pm?r1=1684653=1684652=1684653
Mark
though a content filter.
Remove it and re-try the command-line spamassassin test in the message.
Mark
Received header field (which is perfectly valid
according to RFC 5321).
Mark
to time by SpamAssassin, or explicit expiration runs, e.g. from
a cron job. With these traditional back-ends the bayes_token_ttl
setting has no effect.
and has spawned a whole subculture of solutions and work-arounds
Indeed. These mostly pre-date the availability of a Redis back-end.
Mark
Jim Barber wrote:
From: Mark Martinec [mailto:mark.martinec...@ijs.si]
Are you using some third-party SpamAssasin plugin that relies on the
deprecated subroutine Mail::SpamAssassin::Util::uri_to_domain ?
I'm getting the same error:
May 15 12:34:41 smtp-syd mimedefang-multiplexor[30108
;
+use Mail::SpamAssassin::Util::RegistrarBoundaries; # deprecated
BEGIN {
===
Mark
of a warning (the 'Undefined subroutine').
Mark
independent issues).
Mark
, and passed to SpamAssassin for use in the DKIM
plugin.
Mark
to the general public.
The requirement for timing can be requested by a application using
the SpamAssassin library. Currently amavisd does turn it on and
the SpamAssassin timing report is included in the amavisd log,
but the spamd does not include the timing report in its log.
Mark
is obtained by calling Unix::Getrusage .
Mark
'
};
amavisd.conf:
$sa_debug = 1;
Is there a way to tighten that to just show TxRep debug messages?
The:
$sa_debug = 'TxRep';
is the equivalent of the above debug='TxRep'.
A comma-separated list of SpamAssassin debug facilities can
be provided and is passed to the 'debug' argument of SA.
Mark
On May 2, 2015 7:08:10 PM Mark Martinec wrote:
May 2 06:45:29 sunshine spamd[22293]: Use of uninitialized value
$hasStructureInfo in numeric eq (==) at (eval 46) line 5520.
This one seems to come from a module Geo::IP, called form a
SpamAssassin plugin URILocalBL.
[...] Try disabling
score should be 0.01
by default. Make sure the sa-update has provided an up-to-date
version of rules.
Mark
be some problem with assigning a score to
such test rule (the 1.0 is a default value if a score line
is missing).
An invalid or unverifiable DKIM signature is supposed to be
treated equivalent to a missing signature.
Mark
running SA just for personal email
on a machine pretty much dedicated to handling email so performance is
not a concern. Centos 6.6 64 bit, Intel E7300 2.66GHz with 4GB RAM and
500GB disk.
No idea. Try disabling loading of a plugin URILocalBL as a start
(in config file v341.pre).
Mark
this before, but I did check for any leftover PID files (none
exist). I also rebooted our system, to no avail.Going to attempt
downgrading to see if that fixes the bug.
spamd --debug
Mark
when spamd was starting, and the initial
failed
test would disable DNS queries permanently. The option is documented in
the Mail::SpamAssassin::Conf POD or man page.
Mark
party.
Btw, the same should apply to addresses ::/128 and ::1/128 .
Mark
In any case, I think that RCVD_ILLEGAL_IP should not be adding
score points if it sees an 0.0.0.0/8 address in a Received header field.
Mark
mostly on misconfigured or misguided sending mailers, not primarily
on spam.
Reindl Harald wrote:
my problem with that rule is that it hits practically no spam
but only ham and so it goes in the wrong direction entirely
Most likely.
Mark
Dianne Skoll wrote:
Mark Martinec mark.martinec...@ijs.si wrote:
I can only conclude that a rule like RCVD_ILLEGAL_IP will hit
mostly on misconfigured or misguided sending mailers, not primarily
on spam.
I disagree. Now that the Microsoft issue has been fixed, well over 95%
of the mail
John Hardin wrote:
I suggest that this rule should treat 0/8 as equivalent to 127/8.
That's essentially what it's reserved for, just local to the LAN vs.
local to the host.
I fully agree.
Mark
1 - 100 of 1055 matches
Mail list logo
