false positive: KHOP_BIG_TO_CC

2013-10-02 Thread Tony Finch
We've had a report from a user about a false positive involving KHOP_BIG_TO_CC which has a score of 3.4. This seems like an excessive penalty for perfectly reasonable behaviour.
header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,25},){10}/
describe KHOP_BIG_TO_CC Sent to 10+ recipients

sa-update 3.3 daily changes

2010-09-08 Thread Tony Finch
sa-update for version 3.3 is usually very quiet - last update 4 July; previous one 12 June. We have been getting daily updates since Saturday morning. Is this expected? Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR

Re: sa-update 3.3 daily changes

2010-09-08 Thread Tony Finch
On Wed, 8 Sep 2010, John Hardin wrote: It's expected and very welcome. It means the age-limited nightly masscheck corpora have once again gotten large enough that the score generator can safely publish updated rules and scores on a regular basis. Ah, good news :-) Tony. -- f.anthony.n.finch

Re: Extending XBL to all untrusted

2009-07-13 Thread Tony Finch
On Fri, 3 Jul 2009, RW wrote: I understand that Spamhaus doesn't recommend this, because dynamic IP addresses can be reassigned from a spambot to another user, but I added my own rule it does seem to work. In my mail it hits about 9% of my spam, with zero false-positives. You will get false

Re: Poisoned MX is a bad idea [Was: Email forwarding and RBL trouble]

2007-08-27 Thread Tony Finch
On Sun, 26 Aug 2007, Dave Pooser wrote: Except that I can verify addresses after checking blacklists, RDNS and other checks to make dictionary attacks harder on the spammers. It may be possible to put ACLs on VRFY in Exim, but I haven't looked into it. I don't believe dictionary attacks are a

Re: Poisoned MX is a bad idea [Was: Email forwarding and RBL trouble]

2007-08-26 Thread Tony Finch
On Sat, 25 Aug 2007, Dave Pooser wrote: So do you run your servers with VRFY enabled? Yes. If you are verifying addresses at RCPT time, which you must to avoid spam blowback, then there's no point disabling VRFY. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ IRISH SEA: SOUTHERLY,

Re: Add DNS checks at MTA

2007-04-12 Thread Tony Finch
On Thu, 12 Apr 2007, Suhas Ingale wrote: Following is my ACL list from exim conf. I want to add DNS checks for hosts so that connections from blacklisted IP addresses are blocked at MTA level. http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch40.html#SECTmorednslists Tony. --

RE: Add DNS checks at MTA

2007-04-12 Thread Tony Finch
On Thu, 12 Apr 2007, Suhas Ingale wrote: I followed those links but could not make it working. Exim started rejecting all the messages saying IP is listed in RBL. Where exactly should I add the deny dnslists? There's an example at

Re: per user scanning

2007-02-27 Thread Tony Finch
On Tue, 27 Feb 2007, #Ronan McGlue wrote: I am looking to move to per-user scanning, so I would need to change only one line of the above to spam = $local_part:true which will use the local part of the email address as the username. This won't work because there may be multiple

Re: per user scanning

2007-02-27 Thread Tony Finch
On Tue, 27 Feb 2007, #Ronan McGlue wrote: what information is available during the DATA_ACL eg to perform lookups on to get the username to use for SA? The only thing that Exim provides is the list of all recipients, $recipients (plural). What I would recommend that you do is use an ACL

Re: Techworld says spam shows 'sudden slide'?

2007-01-11 Thread Tony Finch
On Thu, 11 Jan 2007, Michael Scheidell wrote: I don't think I see any sudden drop, was the worlds #1 spammer in that hut in fluga that got bombed last night? I haven't seen any drop recently either. For my systems (daily legit volume 300,000 and spam 10x that) the spam peak was in the first

Re: Them spammers are getting smarter..

2006-11-22 Thread Tony Finch
On Tue, 21 Nov 2006, Evan Platt wrote: So used to be mail from Richard Smith, subject Me again Richard. Now they're using the last name, ie Me again Smith Their fake Received: line is still the same. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ BAILEY: CYCLONIC BECOMING

Re: A false positive...

2006-11-22 Thread Tony Finch
On Wed, 22 Nov 2006, Steve [Spamassasin] wrote:
2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
Date: Wed, 22 Nov 2006 09:03:16 GMT-07:00
Received: from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com

current stock scams are easy to spot

2006-11-10 Thread Tony Finch
They have a forged Received: line which has a by field containing the domain of the recipient address, a for field which matches the From: header, and an id field of the form XX-XX-XX (similar to Exim's queue IDs, though Exim IDs are always 1X-0X-XX). Received: from

Re: Well, that didn't take very bloody long

2006-11-10 Thread Tony Finch
On Fri, 10 Nov 2006, Steve Lake wrote: Ok, remember that Name Wrote: :) emails? They've completely changed. Now it's hi username instead. Joy, oh joy. Can anyone find any common elements in these emails because whoever this putz is, they're adapting a lot.

RE: Amazon / RFCI false positives

2006-11-05 Thread Tony Finch
On Sat, 4 Nov 2006, Michael Scheidell wrote: So? Build something better. It's open source. Don't use the RFCI scores, drop them, stop bitching about something YOU can change. Well, I've added a -2 for email from Amazon, but I thought other people might like a warning. No need to flame someone

Amazon / RFCI false positives

2006-11-03 Thread Tony Finch
Amazon.co.uk was listed by RFC-Ignorant at the start of this week, and it is now scoring more than 5: DNS_FROM_RFC_DSN 2.87, DNS_FROM_RFC_POST 1.44, FROM_EXCESS_BASE64 1.05. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ IRISH SEA: VARIABLE 3 OR LESS, BECOMING WESTERLY 4 OR 5 LATER.

Re: Amazon / RFCI false positives

2006-11-03 Thread Tony Finch
On Fri, 3 Nov 2006, Ralf Hildebrandt wrote: * Tony Finch [EMAIL PROTECTED]: Amazon.co.uk was listed by RFC-Ignorant at the start of this week, and it is now scoring more than 5: DNS_FROM_RFC_DSN 2.87, DNS_FROM_RFC_POST 1.44, FROM_EXCESS_BASE64 1.05. Amazon.co.uk is not listed: http

RE: Amazon / RFCI false positives

2006-11-03 Thread Tony Finch
On Fri, 3 Nov 2006, Michael Scheidell wrote: Not a false positive if their servers are broken. True from the RFCI point of view, but NOT true from the SpamAssassin point of view. These messages are wanted by their recipients so should not be scored as spam by SpamAssassin. Tony. --

Re: forged headers

2006-10-13 Thread Tony Finch
On Thu, 12 Oct 2006, alex wrote: just got a bunch of bounced mails that have my ip in the header, but I checked my mail logs and don't see any relaying. does that mean the header is forged? I've seen lots of this over the last couple of months. It seems to be related to malware activity,

Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-15 Thread Tony Finch
On Tue, 15 Aug 2006, Guy Waugh wrote: Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: SYSERR(root): localhost.fabulous.com. config error: mail loops back to me (MX problem?) Do people actively combat this somehow? Exim has a feature ignore_target_hosts which causes it to strip

Re: 0451.com

2006-08-08 Thread Tony Finch
On Mon, 7 Aug 2006, Hamish wrote: Yeah, Right... And Verisign never wildcarded domains either did they? Duh! right back at you. RFC 1123 section 2.1: The syntax of a legal Internet host name was specified in RFC-952 Hostname vs DomainName The domain name system itself doesn't have

RE: 0451.com

2006-08-07 Thread Tony Finch
On Mon, 7 Aug 2006, Sietse van Zanen wrote: Caring about 'legitimate' e-mail coming from these domains would be like caring about the 'legitimate' claims of Bush saying he is a true christian... All-numeric domains are popular in China because they are easier for people to deal with than

Re: 0451.com

2006-08-07 Thread Tony Finch
On Mon, 7 Aug 2006, Hamish Marson wrote: The RFCs actually state that a domain MUST start with a letter, and be any letter or digit or hyphen after. So according to the RFCs purely numeric domains are illegal. No! Wrong! Totally wrong! If they were illegal they would never have been

Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Tony Finch
The reason that message submission is done with SMTP is because of the number of SMTP extensions that the MUA will want to use, in particular DSNs, deliver-by, deliver-after, message tracking, and whatever else may be invented in the future. If you want to make message submission a part of IMAP

Re: SPF is now a standard: RFC4408

2006-05-15 Thread Tony Finch
On Mon, 15 May 2006, John Rudd wrote: Technically, that doesn't make it a standard. That means it's on the track to becoming a standard. It doesn't even mean that. There are many RFCs which are not standards-track, including this one which is experimental. Note that all the MARID RFCs have

false positive on FORGED_MUA_OUTLOOK (v.3.1)

2006-04-04 Thread Tony Finch
The following headers come from a legitimate message - I have obscured the sender's name, but that's all. The SlipStream SP Server seems to have appended the client username and IP address to the message-ID, causing the FP. See also:

Re: Exiscan + subject rewrite not working

2006-02-19 Thread Tony Finch
On Sun, 19 Feb 2006, Terry Miller wrote: I looked this up and can't see where I'm doing anything wrong, but the subject is not being rewritten. You should probably ask this question on the exim-users list. I suspect (but I am not certain) that exiscan doesn't support the message rewrite parts

Re: sender-valid SMTP callbacks (Re: Does tuxorama.com sound familiar to anyone?)

2005-12-22 Thread Tony Finch
Brian Leyton wrote: What it comes down to is that I have a Linux machine at the front-end, running MimeDefang, Spamassassin, etc., which passes everything it hasn't rejected on to an old Exchange Server. I can't turn off the bounce messages at the Exchange Server (for various stupid reasons

Re: I'm afraid I might have to report this list as a spam source

2005-12-22 Thread Tony Finch
On Wed, 21 Dec 2005, [EMAIL PROTECTED] wrote: You see, it does not allow me to unsubscribe. It's ezmlm, so you can just reject all messages from the list and it will unsubscribe you :-) Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4.

Re: Exim with Spamassassin and mimedefang

2005-05-19 Thread Tony Finch
On Wed, 18 May 2005, Jeffrey N. Miller wrote: I want to set up an SMTP relay filtering spam and viruses. The relay will relay the mail to my Exchange server. Are there well-documented HOWTOs on setting this up using Exim, SpamAssassin, MIMEDefang and a good virus scanning software? I see

Re: Observation on secondary MX

2005-05-03 Thread Tony Finch
On Mon, 2 May 2005, Justin Mason wrote: It might be worthwhile maintaining some kind of spammer tactics knowledge base, on the wiki maybe? There's http://www.jgc.org/tsc/ but it's more focussed on textual obfuscation than low-level tactics. Tony. -- f.a.n.finch [EMAIL PROTECTED]

Re: Webmail and IP rules

2005-03-03 Thread Tony Finch
On Wed, 2 Mar 2005, Justin Mason wrote: Shane Williams writes: I noticed the HELO_DYNAMIC_* thread and the conclusion that IMP adding a Received header may be a source of problems. I think the problem is being caused by IMP being too good at generating a Received header that looks like a

Re: HELO_DYNAMIC_IPADDR matches wrongly on hotmail

2005-01-31 Thread Tony Finch
On Mon, 31 Jan 2005, Ole Nomann Thomsen wrote: So I don't feel able to bugzilla this one - any takers? It isn't a bug in SpamAssassin. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ FAEROES: NORTHWEST 5 TO 7, OCCASIONALLY VARIABLE 3 OR 4 FOR A TIME. RAIN AT TIMES. MODERATE OR GOOD.

Re: HELO_DYNAMIC_IPADDR matches wrongly on hotmail

2005-01-31 Thread Tony Finch
On Fri, 28 Jan 2005, Matt Kettler wrote: The order and spacing of the items after the from keyword is wrong. The specification for Received: lines is in RFC 2821. A correctly formatted line would be something like Received: from hotmail.com (bay22-dav1.bay22.hotmail.com

Re: HELO_DYNAMIC_IPADDR matches wrongly on hotmail

2005-01-28 Thread Tony Finch
On Fri, 28 Jan 2005, Ole Nomann Thomsen wrote: Hi, it seems that HELO_DYNAMIC_IPADDR fires wrongly on this header: Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure Anti-Virus for Internet Mail

Re: HELO_DYNAMIC_IPADDR matches wrongly on hotmail

2005-01-28 Thread Tony Finch
Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; Wed, 19 Jan 2005 19:41:14 - F-Secure Anti-Virus for Internet Mail is

Re: FORGED_MUA_OUTLOOK false positives

2005-01-12 Thread Tony Finch
On Wed, 12 Jan 2005, Menno van Bennekom wrote: I noticed that FORGED_MUA_OUTLOOK falsely triggers with this hotmail-email that is sent from Outlook-Express via the http-hotmailserver. http://bugzilla.spamassassin.org/show_bug.cgi?id=4065 Tony. -- f.a.n.finch [EMAIL PROTECTED]

Re: FORGED_MUA_OUTLOOK false positives

2005-01-12 Thread Tony Finch
On Wed, 12 Jan 2005, Martin Hepworth wrote: you guys running that rule live at cam.ac.uk? I haven't actually finished testing it properly yet, because it has got muddled up in the upgrade to SA 3.0.2 which I keep forgetting to finish :-) Tony. -- f.a.n.finch [EMAIL PROTECTED]

Re: consensus on SPF

2004-12-16 Thread Tony Finch
On Wed, 15 Dec 2004, David B Funk wrote: On Wed, 15 Dec 2004, Christopher X. Candreva wrote: Deploy SPF, use the submission port to talk to your own mail server, problem solved. Although that allows you to support roaming users, SPF still breaks mail forwarding. It's usable as a

Re: consensus on SPF

2004-12-15 Thread Tony Finch
On Tue, 14 Dec 2004, Clarke Brunt wrote: it seems to me that a 'fail' result is a perfectly good reason to reject a message outright, which is what I do (without it even being passed to SpamAssassin). How many users do you have? Do none of them have vanity addresses? Tony. -- f.a.n.finch

HELO check suggestion

2004-12-07 Thread Tony Finch
If the top level domain of the HELO name exists (it has NS records or a SOA record) but the second and third (if present) level domains do not, the check triggers. You have to allow for missing top level domains because of private addresses, and you have to check both the 2LD and 3LD because some

Re: Preferred DNSBL

2004-09-28 Thread Tony Finch
On Tue, 28 Sep 2004, Kris Deugau wrote: I did this for a while, but somewhere along the line some of those unassigned netblocks got assigned. I didn't discover this until about 6 months after one corporate customer suddenly couldn't send mail to one of their suppliers. Fortunately I had