pushing up text rendering

2024-02-21 Thread Pedro David Marco via users
Hi everybody... To my knowledge when SA renders the html part of the email, it just removes HTML tags and presents results. Ok so far. But what if there is invisible text inside HTML tags due to its css style? example to hide the word HOLA Hkkdelavaca OkkdelavacaLkkdelavaca A so rendered text is:

Re: Plugin for content modification

2024-02-19 Thread Pedro David Marco via users
Yea Mattus, thanks  i know it very well just wondering whether someone tried it before or not via plugins... Thanks again! Pedro. On Monday, February 19, 2024 at 01:42:46 PM GMT+1, Matus UHLAR - fantomas wrote: On 19.02.24 12:37, Pedro David Marco via users wrote: >Does any

Plugin for content modification

2024-02-19 Thread Pedro David Marco via users
Hi everybody... Does anyone know of a plugin for content modification? an example, i want to change the word 'sex'   for '---'    Thanks in advance, Pedro.

Re: Stealth HREF= (missed by SA)

2023-09-14 Thread Pedro David Marco via users
The same happens with other HTML tags... so, with Giovanni permission, i  tighten the nut 1 more turn   (limiting to 100 chars to prevent Regex Self-DOS) rawbody BADHREF /<(a|img|video)[^>]{0,100}\/(src|href)\=/ Pete. On Thursday, September 14, 2023 at 04:37:15 PM GMT+2, wrote:

Re: My apologies

2023-08-07 Thread Pedro David Marco via users
It is like a  man that goes to a bookstore and asks: "Do you have books on how to make friends, you fucking clerk?" :- Pedro. (Sorry for the ugly word) On Saturday, August 5, 2023 at 08:53:09 PM GMT+2, Kevin A. McGrail wrote: Reindl is the definition of something I learned decades

what is ncv.microsoft.com for?

2023-06-02 Thread Pedro David Marco via users
Hi all, We are receiving tons of Phishing pointing to ncv.microsoft.com/ I have found no MS documentation about what "ncv" is used for???  does anyone know it, please?  what is it? Pete.

Re: OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On

2023-03-23 Thread Pedro David Marco via users
With all respects, i agree with Bill... but suppose just Bill is wrong...  Kam rules are free and show really huge quality, what is wrong about gently ask for cooperation if used in a commercial way? KAM++ Pedro. On Tuesday, March 21, 2023 at 06:18:38 PM GMT+1, Bill Cole wrote: On

X_IBL: header

2023-02-20 Thread Pedro David Marco via users
Hi, sorry for the semi-offtopic but we are seeing emails with a header like this:    X-IBL: Fact3 Does anyone have any clue about it? Thanks, Pete.

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Pedro David Marco via users
RBL checks for FQDN not just domains would be a good idea... Pedro. >On Sunday, January 15, 2023 at 08:47:59 PM GMT+1, Alex wrote: >Hi, >X-Spam-Status: No, score=1.102 tagged_above=-200 required=5  >tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,  

Problems matching the last word in multi-OR Regex

2022-12-15 Thread Pedro David Marco via users
HI, Situation: i have 2 twin servers running exactly the same OS, and SA. (3.4.4) i have an email with the word 'dog' inside. i have this rule:      body    __ANIMALS    /cat|mouse|bird|dog/i Problem: Rule  __ANIMALS  hits in one server, but in the other one, does not! i have noticed that if i

Re: spamassassin sometimes suddenly ends scanning

2022-11-30 Thread Pedro David Marco via users
Is it very very common to find VPSs running on PC Motherboards, not server Mobos... so no ECC  It is also very common in VPSs  to overclock RAM, so stability is not its main virtue.. Ask them Greg, and demand details and proofs of real hw being used. Pedro. On Tuesday, November 29, 2022 at

Re: Hidden parts in anchors texts

2022-08-30 Thread Pedro David Marco via users
Thanks to all, it should be much easier and simple. Currently Permsgstatus contains both visible and invisible rendered html from the body, What in my modest opinion should be very useful would be to have the same when it comes to anchors from links. Regards, Pete. On Tuesday, August 30,

Hidden parts in anchors texts

2022-08-24 Thread Pedro David Marco via users
Hi, is there any way to make SA ignore hidden text in  anchors in URI checks?  (using uri_detail) just an example: https://fakeurl.com;>KeXXXep SA renders anchor_text  as:    KeXXXep but i would like it to  be:   Keep Thanks, Pete.

Re: shit from serverion

2022-06-30 Thread Pedro David Marco
>On Thursday, June 30, 2022, 09:12:59 AM GMT+2, Benoit Panizzon wrote: >>All my attempts to reach out to ab...@serverion.com or any other >contacts found on their website remained unreplied. When a company does that  they deserve to be sent to /dev/null --Pedro.

Re: shit from serverion

2022-06-29 Thread Pedro David Marco
On our side it is a huge list as well... does Serverion send anything clean? Pedro. On Wednesday, June 29, 2022, 04:02:05 PM GMT+2, Matus UHLAR - fantomas wrote: On 29.06.22 13:14, Marc wrote: >Today I decided to spend some time getting all the ip's[1] (these are all > /24 thus you

pay attention if you use unrar

2022-06-29 Thread Pedro David Marco
sorry for the semi off-topic but worth sharing... important unrar bug... https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/ Regards, Pedro.

Re: Spamhaus spurious positives - how does SpamAssassin check Spamhaus?

2022-05-09 Thread Pedro David Marco
To me it looks like a DNS cache times issue... Paul, what resolver are you using? is your server under heavy load when this happens? if it is Linux, run    netstat -suna    and check for any errors in the Udp area. In FreeBSD  netstat -sa Pedro. On Saturday, May 7, 2022, 06:36:43 PM

[no subject]

2022-04-28 Thread Pedro David Marco
Good question...  probably an interesting new feature for SA: dividing and deal with attached emails (and nested emails that look like a chat) in a one by one basis... Pete. >On Tuesday, April 26, 2022, 02:36:25 PM GMT+2, Matus UHLAR - fantomas wrote: >Hello, >is it possible to match

Semi off-topic: Problems with SpamRats

2022-01-14 Thread Pedro David Marco
Sorry for the semi-off-topic...  is there anybody in the list from SpamRats or with any contact in SpamRats, please? I am having issues with them and seems impossible to contact them... Thanks and sorry for bothering! ---Pete.

Emotet seems to be back...

2021-11-16 Thread Pedro David Marco
heads  up!!! Sorry for the semi off-topic...  but just in case this may help... Encrypted zip files with dangerous obfuscated macros inside calling our beloved powershell... Pedro

Re: spam from gmail.com

2021-11-09 Thread Pedro David Marco
The same with Microsoft365... A couple of weeks ago tons of M365 IP ranges got into their own RBLs...  good job!!!  Pedreter. >On Tuesday, November 9, 2021, 01:09:39 PM GMT+1, Peter wrote: > >This has been going on for a long time, Google is now one of my top spam >scources - I

Re: Identifying Amazon hosts...

2021-07-28 Thread Pedro David Marco
Hi Antony, please accept my apologies and excuse my lack of accuracy on asking. i have knowledge near zero on Amazon, AWS, SES, etc.. My belief is that there are public amazon smtp servers that can be used by their customers (SES) and servers you have for your own... Again, please everybody,

Identifying Amazon hosts...

2021-07-28 Thread Pedro David Marco
Hi! i have spam with this header: Received: from a48-115.smtp-out.amazonses.com (HELO a48-115.smtp-out.amazonses.com) (54.240.48.115) Is there any way, based on its fqdn, to know whether an Amazon smtp host is public or dedicated? Thanks! Pedreter.

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Pedro David Marco
>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail wrote: >If you can get me a spample, I'm sure I can tell you but in general we >block macros so that's all that's needed.  Likely the OLEVBMacro plugin >and KAM ruleset is blocking all of these already if you have the plugin

Re: Office phish

2021-07-06 Thread Pedro David Marco
On Monday, July 5, 2021, 11:45:42 PM GMT+2, RW wrote: >I'm not sure what you are referring to there. If you copy and paste a >web page into an HTML email, are you not just copying the formatting? Agree RW, but...  copy and paste from web source to MUA works! --Pedreter.

Re: Office phish

2021-07-05 Thread Pedro David Marco
>On Thursday, July 1, 2021, 05:03:50 PM GMT+2, RW wrote: > What legitimate email uses javascript? Pretty common! many people copy and paste from webs.. and of course these are important mails! :-( Pedreter

Re: adobe cloud malicious link

2021-06-09 Thread Pedro David Marco
Even worse, Adobe make injects several redirections and never offer the PDF so nothing to scan even if you follow the links Let's keep thinking on it... Pedro. On Saturday, June 5, 2021, 12:48:00 AM GMT+2, Alex wrote: >Hi, >I received what appears to be a legitimate email from

Re: Random results with AskDns

2021-03-02 Thread Pedro David Marco
. On Tuesday, March 2, 2021, 04:44:35 PM GMT+1, Benny Pedersen wrote: >On 2021-03-02 16:26, Pedro David Marco wrote:> Correct Kernel UD tuning >solves the problem!>in verbose this is ?

Re: Random results with AskDns

2021-03-02 Thread Pedro David Marco
Tried both and with/without cache... Pedreter... On Tuesday, March 2, 2021, 04:46:08 PM GMT+1, Matus UHLAR - fantomas wrote: On 02.03.21 15:26, Pedro David Marco wrote: >Just in case someone has this issue...   >Short version: >In heavy load environments, SA prod

Re: Random results with AskDns

2021-03-02 Thread Pedro David Marco
an answer and die on timeout. This not only affects final SA result, but performance. Correct Kernel UD tuning solves the problem! ---Pedreter. On Monday, March 1, 2021, 06:06:24 PM GMT+1, Pedro David Marco wrote: >Hi all,>When there are several hundreds of lookups, Askdns /

Random results with AskDns

2021-03-01 Thread Pedro David Marco
Hi all, When there are several hundreds of lookups, Askdns / Async abort many of them randomly even when 100% of queries got an answer. I use local dns cache but every run of SA produces different number of aborted remaining lookups.  If you dig manually from command line any aborted query,

Re: URLs hidden in Morse code

2021-02-12 Thread Pedro David Marco
On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole wrote: >Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.)  >brought back some support for JavaScript in mail, but as I understand >some of them do some defanging of scripts and the advancement of browser

Re: QR-decoding

2021-02-02 Thread Pedro David Marco
I already did that ... it collects URLs, Email boxes and  BTC wallets from QR (despite the full image is a QR code or the image 'contains' a QR) and injects them back into SA If there is interest in the community, maybe i can make it a standalone plugin and send it to Kevin for

Re: HEADS UP: SPAMCOP MIA

2021-01-31 Thread Pedro David Marco
spamcop seems back.. but... we need to be 100% sure that people behind it who should be - Pedreter On Sunday, January 31, 2021, 08:11:30 PM GMT+1, Axb wrote: On 1/31/21 8:04 PM, Bill Cole wrote: > On 31 Jan 2021, at 6:58, Axb wrote: > >> Happy Sunday !!! >> >> Cisco forgot to

Emotet today..

2021-01-13 Thread Pedro David Marco
Hi all... sorry for the semi off-topic... Today Emotet is being sent in an encrypted zip with the password embedded into an anti-ocr image.. watch out! -Pedrete

Understanding firebasestorage URLs...

2020-12-14 Thread Pedro David Marco
Hi ! i am trying to understand firebase URLs.. like this: https://firebasestorage.googleapis.com/v0/b/hust-28d4c.appspot.com/o/olgen%2Findex2ton.html?alt=media=35970e26-0fe8-44ad-ae93-d38929669e81#i...@susmuelas.com (handle carefully: real phishing)  is there any doc/info about it? fields

Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-21 Thread Pedro David Marco
Your freedom ends where my rights start.

Parsing Sendgrid links

2020-10-19 Thread Pedro David Marco
Does anyone know how to parse Sendgrid redirection links like this:

sa-compile time in SA 3.4.4

2020-10-02 Thread Pedro David Marco
Hi everybody... i have noticed a huge difference in compiling time between SA 3.4.2 and 3.4.4    (3.4.4 is much much faster) but i have not seen anything in the "what_is_new docs" about it... make it sense?? Thanks... ---Pedreter

Re: Announcement of the passing of Jari Fredriksson

2020-09-22 Thread Pedro David Marco
:-( sad news, Kevin... thanks for letting us know... Rest in peace, Jari...   -Pedreter On Monday, September 21, 2020, 06:13:11 PM GMT+2, Kevin A. McGrail wrote: Definitely.  For those who have inquired, that was supposed to read "I am sorry to announce that Jari Fredriksson

Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-17 Thread Pedro David Marco
>On Thursday, September 17, 2020, 12:44:52 PM GMT+2, Marc Roos wrote: >For what it is worth. I was always under the impression that most of >hose >companies that are using these networks known for 'harassing' >here just ignorant. I used to do business with the 'idiots' of

Re: Check HELO

2020-09-14 Thread Pedro David Marco
>On Monday, September 14, 2020, 05:23:13 PM GMT+2, John Hardin wrote: >I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings  >(e.g. no dots present) from the Internet. That catches a surprising > percentage of garbage up front. +1 -Pedreter

spamd childs keep working with previous configuration after reload or restart...

2020-09-14 Thread Pedro David Marco
Hi everybody! Sometimes sending HUP signal to the parent spamd daemon, or even restarting it,  do not cause a reload in all spam childs. normally (99% of times) all childs work with current config as expected but 1% of the times...some childs work with current config and some childs keep

Re: Freshdesk (again)

2020-08-18 Thread Pedro David Marco
If they only have some IPs addresses instead of millions of them, for sure they would care!! Pedro. >On Monday, August 17, 2020, 08:52:24 PM GMT+2, @lbutlr wrote: >On 17 Aug 2020, at 11:25, Philip Prindeville > wrote: > I’ve been calling out phishing from the same

Re: Detecting SendGrid shared IPs

2020-07-16 Thread Pedro David Marco
>On Thursday, July 16, 2020, 03:26:08 PM GMT+2, Riccardo Alfieri wrote: >Bumping a little the score for shared IPs? Could make sense.. Exactly... -Pedro

Detecting SendGrid shared IPs

2020-07-16 Thread Pedro David Marco
Is there any way to know whether a Sendgrid IP is shared or dedicated? Thanks in advance! Pedro

Re: Negative lookbehind in URIs?

2020-07-15 Thread Pedro David Marco
Bill, Shane... we do that with a plugin because exceptions must be considered...  for example to avoid false positives with rewritten URLs  (used by some companies) -Pedro.

Re: Negative lookbehind in URIs?

2020-07-15 Thread Pedro David Marco
Nice Loren nowadays with uri_detail this is easily solved with something like uri_detail          HTTPS_HTTP_MISMATCH     text =~ /^https:\/\//i     cleaned =~ /^http:\/\//i score                 HTTPS_HTTP_MISMATCH     0.5 describe        HTTPS_HTTP_MISMATCH     URL claims to use SSL but

Re: How to force the use of NON compiled rules

2020-07-14 Thread Pedro David Marco
Solved...  forget this please and sorry for bothering... i need to rest... --Pedro. >On Tuesday, July 14, 2020, 05:47:33 PM GMT+2, Pedro David Marco wrote: >Sometimes (not always) when non-compiled rules do not match compiled ones, >SA says:   >     dbg: zoo

How to force the use of NON compiled rules

2020-07-14 Thread Pedro David Marco
Sometimes (not always) when non-compiled rules do not match compiled ones, SA says: dbg: zoom:  skipping rule __PHISH_TEXT_SOLUC18i,  code differs in compiled ruleset  Is there a simple way to force the use of non-compiled rules over compiled ones when there is a mismatch?   Thanks!

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread Pedro David Marco
i already opened a voting process here Marc... LET's VOTE... Would you like to have Apache Spamassassin change "WhiteList" and "BlackList" terms due to racism sensibilities? -Pedro On Tuesday, July 14, 2020, 09:51:29 AM GMT+2, Marc Roos wrote: > I never said it was being done

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-11 Thread Pedro David Marco
Maybe Apache just need some more figures... Is there any black lady/gentleman in this list who feels offended for those terms? please raise your hand... LET's VOTE... Would you like to have Apache Spamassassin change "WhiteList" and "BlackList" terms due to racism sensibilities? | | | | | |

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Pedro David Marco
>On Friday, July 10, 2020, 10:10:20 AM GMT+2, Axb wrote: >so glad to read this... confirms my picture of you. >now back my pet project: rewrite Tom Sawyer OK... who starts??? :-) once Finished we can rewrite "El Quixote" as well... --Pedro

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Pedro David Marco
>On Friday, July 10, 2020, 12:26:59 PM GMT+2, Marc Roos wrote: >Hey Pedro, I don't know for sure, I do not want to create a new problem, >but this yahoo, was this word not used during the railroad building to >encourage and push slaves to work harder? Would you mind using different

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Pedro David Marco
Blacklist means "protection", so it is something positive... Whitelist is for something wrong you cannot solve...  so where is the problem?   this is like the change from SystemV to SystemD    please stop creating new problems! -Pedro

Re: Multiple regex on same URL

2020-07-07 Thread Pedro David Marco
>On Wednesday, July 8, 2020, 12:28:37 AM GMT+2, Martin Gregorie wrote: >>I didn't spot the requirement that the URIs must match: I read your >requirement as being that two matches from a group of URLs within a >defined set or with the same second level domain would do. My mistake.

Re: Multiple regex on same URL

2020-07-07 Thread Pedro David Marco
>On Tuesday, July 7, 2020, 11:56:22 PM GMT+2, Martin Gregorie wrote: > That should be easy enough to do with a metarule: >uri  __SUBRULE1 /(URL alternateslist1)/ >uri  __SUBRULE1 /(URL alternateslist2)/ >meta  MYMETARULE (__SUBRULE1 && __SUBRULE2) >score MYMETARULE 6.0 .>..or

Re: Multiple regex on same URL

2020-07-07 Thread Pedro David Marco
>On Tuesday, July 7, 2020, 03:16:34 PM GMT+2, Henrik K wrote: >Also newer SpamAssassin already has URIDetail plugin which can also do what >you want: >  uri_detail SYMBOLIC_TEST_NAME key1 =~ /value1/  key2 !~ /value2/ ... if it uses the same key more than once, then uri_detail joins

Re: Multiple regex on same URL

2020-07-07 Thread Pedro David Marco
>On Tuesday, July 7, 2020, 01:05:36 PM GMT+2, Henrik K wrote: >What examply do you mean by checking multiple regex on the "same" URL?  Give >an example.  Most likely it's already possible without any changes. for example..  checking if an URL matches Regex1  BUT does NOT matches

Re: Freshdesk (again)

2020-07-07 Thread Pedro David Marco
>On Tuesday, July 7, 2020, 11:24:10 AM GMT+2, Raymond Dijkxhoorn wrote: >Hello Marc, >I hear you. And dont worry about that ;) rather have a clean inbox and so do >more people. >We report abuse to many organisations, including, but not limited to company's >like sendgrid. >Raymond

Multiple regex on same URL

2020-07-07 Thread Pedro David Marco
I have written a small simple patch (tested in SA 3.4.2 so far, sorry) to be able to check up to three regex expressions on the "same" URL. It seems to work well but... any crazy (with all respects) volunteer for checks.. tests... etc? Disclaimer: I am not a super Perl developer, so the code may

Re: google as biggest botnet, no kidding

2020-05-13 Thread Pedro David Marco
>On Wednesday, May 13, 2020, 10:27:15 AM GMT+2, Matus UHLAR - fantomas wrote: >maybe there are some pieces of anti-malware SW that check websites .>..and maybe they need to be payed for So they know those website are dangerous and even so they allow them??? >maybe you should use the

Re: HTTP checks on sending IP

2020-05-13 Thread Pedro David Marco
Thanks a lot Dominic -Pedro On Wednesday, May 13, 2020, 07:58:56 AM GMT+2, Dominic Raferd wrote: On Wed, 13 May 2020 at 06:27, Pedro David Marco wrote: > > Not a long time ago, there was an very interesting thread post about the idea > of reverse > check of

HTTP checks on sending IP

2020-05-12 Thread Pedro David Marco
Not a long time ago, there was an very interesting thread post about the idea of reverse check of the website content of sending IP... To my remember even a "spamassassiner" wrote a plugin for that. Honouring my terrible (lack of) brain, i cannot find those posts.  Please can anyone help me to

Re: google as biggest botnet, no kidding

2020-05-12 Thread Pedro David Marco
>On Tuesday, May 12, 2020, 02:16:52 PM GMT+2, micah anderson wrote: >We receive a *huge* amount of phishing attempts from firebasestorage. My >regular routine is to wake up, and report these to google safebrowsing, >but it doesn't seem to have much of an effect. >There *are* occasional,

Re: Spoofed From: names

2020-04-11 Thread Pedro David Marco
To my remember, (as Grant, i need  my caffeine truck as well)  there are some MS Outlook CVEs related to the way MS Outlook shows the "From:"  information, to the extent of showing just some "piece" of it... So this kind of "From:"  may have significant impact on unpatched computers...

Rules order to save processing time

2020-02-19 Thread Pedro David Marco
I have a very heavy regex rules set that only make sense if a very simple regex triggers... i think it would be a good idea to have some kind of TFLAG, for example: tflags    depends_on    to indicate that a rule must run ONLY if a previous one was positive what do you think??

Re: Bayes files LOCK

2020-02-14 Thread Pedro David Marco
On Friday, February 14, 2020, 7:46:18 PM GMT+1, John Hardin wrote: >> I was looking at it in a bit more detail and it looks like there isn't >> a reader-writer lock,  just write locks for the toks and seen >> files. As scans defer their writes through the journal they are >> lockless.

Re: Bayes files LOCK

2020-02-14 Thread Pedro David Marco
>On Friday, February 14, 2020, 1:17:29 PM GMT+1, RW > wrote: >That would defeat the object of having a journal file.>>Even if you are right, >it doesn't really explain anything because it>applies to everyone using  >BDB/DBM/SDBM. >>IIWY I'd be looking at what's different for you. I basically

Re: Bayes files LOCK

2020-02-13 Thread Pedro David Marco
>On 13.02.20 12:30, RW wrote: >>Bayes doesn't write on scans (unless it does an opportunistic sync or >expiry): > >doesn't it record token access times to journal? i think SA always does an EXclusive lock despite the parameters, probably because of that, Fantomas I will try with SDBM...

Re: Bayes files LOCK

2020-02-12 Thread Pedro David Marco
. On Wednesday, February 12, 2020, 7:32:42 PM GMT+1, Matus UHLAR - fantomas wrote: On 12.02.20 18:03, Pedro David Marco wrote: >i am getting  errors from Bayes because it is not able to lock Bayes files...  >Error log is:  >  bayes: cannot open bayes databases /etc/spamassassin/bayes/bayes_*

Bayes files LOCK

2020-02-12 Thread Pedro David Marco
Hi.. i am getting  errors from Bayes because it is not able to lock Bayes files...  Error log is:    bayes: cannot open bayes databases /etc/spamassassin/bayes/bayes_* R/W: lock failed: Interrupted system call  SA tries to lock bayes files always in "EXclusive mode", hence when a sa takes too

Re: Two types of new spam

2020-01-03 Thread Pedro David Marco
Hi Philipe... try this: full __L_RECEIVED_SPF      /^Received-SPF: \w/m tflags __L_RECEIVED_SPF      multiple maxhits=11 meta L_RECEIVED_SPF        (__L_RECEIVED_SPF >= 10) describe L_RECEIVED_SPF        Crazy numbers of Received-SFP headers score L_RECEIVED_SPF        4 -Pedro.

Re: SpamAssassin 18th anniversary article

2019-10-28 Thread Pedro David Marco
Thanks Dave, nice read and congratulations to all the SA Team  thanks for such a wonderful piece of "sky" thanks for your time...thanks for your patience..thanks for listening...thanks for your support.. ¡Gracias! Grazie! Danke! Merci! Obrigado!... (Dave... a birthday is not a

Solved: Subject not always included as first line of body

2019-10-07 Thread Pedro David Marco
+2, Pedro David Marco wrote: Hi! In SA 3.4.2 I have noticed a slight score difference between consecutive SA executions. Digging out, i have discovered that in plugin methods that use $body from the third argument, like in this example: sub pdf_is_empty_body {       my ($self, $pms, $body

Subject not always included as first line of body

2019-10-04 Thread Pedro David Marco
Hi! In SA 3.4.2 I have noticed a slight score difference between consecutive SA executions. Digging out, i have discovered that in plugin methods that use $body from the third argument, like in this example: sub pdf_is_empty_body {       my ($self, $pms, $body, $min) = @_; the subject is not

Re: announcement about invaluement (or more like a tease?)

2019-08-26 Thread Pedro David Marco
Best wishes Rob... On Monday, August 26, 2019, 3:24:18 AM GMT+2, Rob McEwen wrote: announcement about invaluement (or more like a tease?) https://www.linkedin.com/feed/update/urn:li:activity:6571558988201148416/ -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032

plugin that runs only if specific rule has triggered before...

2019-06-06 Thread Pedro David Marco
Hi all... i want to write a plugin that only triggers if a specific rule has triggered before. can anyone, please, point to me to any already existing perl code than can help me or i can reuse? Thanks! P.

Re: Quick header check question and anchors

2019-05-17 Thread Pedro David Marco
Thanks a lot, John, Bill, RW...  i now see it water clear... On Thursday, May 16, 2019, 10:59:19 PM GMT+2, RW wrote: On Thu, 16 May 2019 13:31:27 + (UTC) Pedro David Marco wrote: > Hi! > I have a Received like this: > > Received: from pafkiet.edu.pk (email.pa

Quick header check question and anchors

2019-05-16 Thread Pedro David Marco
Hi! I have a Received like this: Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90])    by I want a rule to match the beginning of a Received: A rule like this works ok: header    MY_RULE    Received =~  /.*from pafkiet.edu.pk/  and in debug mode it shows: MY_RULE

Re: Rule for non-DKIM-signed messages

2019-05-10 Thread Pedro David Marco
Hi Kurt, On the contrary, most spam i see is valid DKIM signed...   tons of hacked sites... tons of emails from free trials of big-cheeses... Nevertheless... meta    NO_DKIM_SIGNED    ! DKIM_SIGNED score   NO_DKIM_SIGNED        2 describe  NO_DKIM_SIGNED        Email does not have

Re: Freshclam Safebrowsing enabled for SA

2019-04-24 Thread Pedro David Marco
Sorry, my mistake.. excuse me! i meant: The difference between both versions is just "time": latest URLs updates take up from hours to some days to go from the "good" DB to the public DB Pedro.

Re: Freshclam Safebrowsing enabled for SA

2019-04-24 Thread Pedro David Marco
I have played long with this and IMMO do not put your expectations too high... Google has two versions of the SafeBrowsing DB. The public one: the one you can download with the Google API and used by Clam as stated by Kevin, and a second one, used by Chrome and some security vendors (i guess by

Re: White text + white background

2019-03-21 Thread Pedro David Marco
>On Thursday, March 21, 2019, 1:16:31 PM GMT+1, Martin Gregorie wrote: >When I've seen white text used, its been set via a tag, i.e,  > .. text .. >or > .. text .. > >Its easy enough to match either in a body rule. Thanks Martin, the problem is that i want to detect

White text + white background

2019-03-21 Thread Pedro David Marco
Hi... Any idea about how to detect white text over white background in HTML? Thanks. -PedroD

Scoring HTTPS to HTTP

2019-03-12 Thread Pedro David Marco
Hi everybody... may i ask your opinion about how strong you score links that  use HTTPS in the anchor but really go to HTTP ... I would love to score them heavily but I am finding them very often in newsletters and notifications from big manufacturers (among HTML errors, MIME errors, etc.

Semioff-topic: DoS mitigation technique mentioned in SA-list

2019-03-11 Thread Pedro David Marco
Hi all, Not a long time ago someone in the list mentioned an interesting antiDos mitigation technique consisting in "playing" with attackers TCP windows sizes... (as far as i remember)... but i cannot find the post with the name of the technique :-( Please, if someone remembers the name of the

Re: Semi Off-topic: VFEMail destroyed

2019-02-16 Thread Pedro David Marco
how backups and off-site backups can help if the hacker is an insider? an angry-sysadmin-employee for example? :-( with full-knowledge of the backup system. PedroD 

Re: Semi Off-topic: VFEMail destroyed

2019-02-14 Thread Pedro David Marco
>On Thursday, February 14, 2019, 5:37:57 PM GMT+1, Kevin A. McGrail wrote: >I agree... in any case, facts like this are sad...  :-( >I blame the hackers so I haven't posted about this when all the articles came >out because you don't blame the victim.  Now that a little time

Re: Semi Off-topic: VFEMail destroyed

2019-02-14 Thread Pedro David Marco
>https://thehackernews.com/2019/02/vfemail-cyber-attack.html >Looks like a compromised IP from legit provider.  >94.155.49.9 >daticum.com >cooolbox.bg I agree... in any case, facts like this are sad...  :-(

Semi Off-topic: VFEMail destroyed

2019-02-13 Thread Pedro David Marco
FYI https://thehackernews.com/2019/02/vfemail-cyber-attack.html?utm_source=feedburner_medium=feed_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.1926.ca0ao0c4uu.16rq -PedroD

Re: Huge spam increase

2019-01-22 Thread Pedro David Marco
Sure, i agree Reindl, thanks..  i just was asking whether this sudden increase has been seen as well in other places...  too sudden!!  PedroD On Tuesday, January 22, 2019, 6:18:01 PM GMT+1, Reindl Harald wrote: Am 22.01.19 um 18:12 schrieb Pedro David Marco: >

Huge spam increase

2019-01-22 Thread Pedro David Marco
Out of curiosity... we are noticing a huge spam increase (x10) from the last 2 days... maybe any reactivated botnet??? is someone noticing it as well? -PedroD

Re: UTF8 character in [] doesn't match

2018-12-24 Thread Pedro David Marco
On Monday, December 24, 2018, 9:49:11 AM GMT+1, Henrik K wrote: >... so for general file portability this would be even better: > >(?:[a\xe1]|\xc3\xa1) I fully agree with Henrik, but would add a small detail... in some cases i have found problems using BODY to locate special chars  (most

Re: New bitcoin ransom message today

2018-12-13 Thread Pedro David Marco
BUF... this is getting beyond a joke  There are people paying to many of the BTC wallets of the scammers, hence accommodating its veracity... :-( -PedroD

SCAM Bitcoins

2018-12-10 Thread Pedro David Marco
FYI Our "friends" of the SCAM_PORNO_BTC campaign are sending scams with wrong wallets ID, hence the __BITCOIN_ID  rule does not trigger...   Be aware of this if you have METAs depending on that rule. PedroD

Re: Understanding header ALL

2018-12-08 Thread Pedro David Marco
$BillCole++ ;   # :-) Thanks Bill.. that was my concern and what i was suspecting... --Pedro.D On Saturday, December 8, 2018, 3:59:12 AM GMT+1, Bill Cole wrote: On 6 Dec 2018, at 15:25, Pedro David Marco wrote: >  Thanks Bill and John... > Your words make sense to me. It

Re: Understanding header ALL

2018-12-06 Thread Pedro David Marco
en wrote: Pedro David Marco skrev den 2018-12-06 21:25: > header        TESTRULE2        ALL  =~  /From=.*pedro.* > To=.*pedro.*/ism > This is a mystery...  :-? header TESTRULE (From|To) =~ /\.*pedro\.*/ism dont know if it works, just my silly thinking right now

Re: Understanding header ALL

2018-12-06 Thread Pedro David Marco
t it works like a charm if i try a rule like this:    header        TESTRULE2 ALL  =~   /From=.*pedro.*  To=.*pedro.*/ism  This is a mystery...  :-? Thanks to all... ---PedroD On Thursday, December 6, 2018, 8:32:46 PM GMT+1, Bill Cole wrote: On 6 Dec 2018, at 13:36, Pedro David M

Re: Understanding header ALL

2018-12-06 Thread Pedro David Marco
Thanks a lot Bill.. i already considered the "multiple" flag and it did not work either...   i mean... the rule works but i only see the first line in Debug mode... Pedrod On Thursday, December 6, 2018, 7:21:46 PM GMT+1, Bill Cole wrote: On 6 Dec 2018, at 12:52, P
