Re: Malformed spam email gets through.

2018-01-01 Thread Pedro David Marco
> Also, can anyone suggest a nicely written rule, that triggers when an html > tag's text contains both upper and lower case letters?  Thanks. - Mark Hi Mark and happy new year! For small tags a simple rule, ugly but very cheap, may work:  /Src|sRc|srC|.. and so on   number of

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. I have not seen such behavior in the past 20 years... Intentionally re-using another site's MIDs is so wrong that I'd happily

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 10:33 (-0500), David Jones wrote: On 01/01/2018 09:29 AM, Bill Cole wrote: On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. I have not seen such behavior in

Question about BAYES_999

2018-01-01 Thread David Jones
I just had a spam message hit BAYES_999 but not BAYES_99.  Based on BAYES_999 default score of 0.2, I thought that it was always supposed to complement the BAYES_99 rule and both would trigger when BAYES_999 hit. https://pastebin.com/QsVgXwdC If they are independent, then it would seem

Re: Malformed spam email gets through.

2018-01-01 Thread Matus UHLAR - fantomas
On 01/01/2018 01:30 PM, Alan Hodgson wrote: I've had good success junking anything with one of my domains in the message-id, where I know the mail isn't actually from someone in that domain. That's a pretty solid spam signature. are you sure it's not your mailservers adding Message-Id to the

Re: Question about BAYES_999

2018-01-01 Thread David Jones
On 01/01/2018 06:52 PM, David Jones wrote: On 01/01/2018 06:47 PM, Reindl Harald wrote: On 02.01.2018 at 01:18, David Jones wrote: I just had a spam message hit BAYES_999 but not BAYES_99.  Based on BAYES_999 default score of 0.2, I thought that it was always supposed to complement the

Re: Question about BAYES_999

2018-01-01 Thread David Jones
On 01/01/2018 06:47 PM, Reindl Harald wrote: On 02.01.2018 at 01:18, David Jones wrote: I just had a spam message hit BAYES_999 but not BAYES_99.  Based on BAYES_999 default score of 0.2, I thought that it was always supposed to complement the BAYES_99 rule and both would trigger when

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 12:47 (-0500), Matus UHLAR - fantomas wrote: On 1 Jan 2018, at 11:41 (-0500), Matus UHLAR - fantomas wrote: the gross format in RFCs 822, 2822 and 5322 describes message-id consisting of local and domain part, thus it must contain "@". On 01.01.18 12:17, Bill Cole wrote:

Re: Malformed spam email gets through.

2018-01-01 Thread Alan Hodgson
On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote: > On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: > > > I think some mail systems will keep the same message-ID per email  > > thread so your system must reject some replies. > > I have not seen such behavior in the past 20 years... > >

Re: Malformed spam email gets through.

2018-01-01 Thread David Jones
On 01/01/2018 01:30 PM, Alan Hodgson wrote: On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote: On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. I have not seen such

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 14:30 (-0500), Alan Hodgson wrote: On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote: [...] HOWEVER, the idea of enforcing any standard on MIDs beyond gross format  (e.g.: <[[:ascii:]]{3,996}>) on a system where the admin isn't the sole  user is ludicrous. I've had good

Re: Question about BAYES_999

2018-01-01 Thread David Jones
On 01/01/2018 07:08 PM, Reindl Harald wrote: On 02.01.2018 at 01:59, David Jones wrote: On 01/01/2018 06:52 PM, David Jones wrote: On 01/01/2018 06:47 PM, Reindl Harald wrote: On 02.01.2018 at 01:18, David Jones wrote: I just had a spam message hit BAYES_999 but not BAYES_99.  Based on

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 11:41 (-0500), Matus UHLAR - fantomas wrote: the gross format in RFCs 822, 2822 and 5322 describes message-id consisting of local and domain part, thus it must contain "@". No, it does not. Re-read the cited sections. From RFC5322, the ABNF definition: msg-id

Re: Malformed spam email gets through.

2018-01-01 Thread David Jones
On 01/01/2018 09:29 AM, Bill Cole wrote: On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. I have not seen such behavior in the past 20 years... Ok. I stand corrected then.

Re: Malformed spam email gets through.

2018-01-01 Thread Benny Pedersen
David Jones wrote on 2018-01-01 15:59: There is no way that most of us on this mailing list can be as strict or our customers would complain constantly about missing email. postfix adds rfc message-id on mails that don't follow rfcs, so first mta (postfix here) hides mua's fault not

Re: Malformed spam email gets through.

2018-01-01 Thread Bill Cole
On 1 Jan 2018, at 3:54 (-0500), Rupert Gallagher wrote: We reject anything whose mid does not include the fqdn or address literal of their sending server. We do this because the RFC says explicitly that the mid *MUST* have those features. This is a blatant falsehood. Relevant RFCs:

Re: Malformed spam email gets through.

2018-01-01 Thread David Jones
On 01/01/2018 09:33 AM, David Jones wrote: On 01/01/2018 09:29 AM, Bill Cole wrote: On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. I have not seen such behavior in the past

Re: Malformed spam email gets through.

2018-01-01 Thread David Jones
On 01/01/2018 02:54 AM, Rupert Gallagher wrote: We reject anything whose mid does not include the fqdn or address literal of their sending server. We do this because the RFC says explicitly that the mid *MUST* have those features. We write exceptions for those few senders who are legitimate

Re: Malformed spam email gets through.

2018-01-01 Thread Matus UHLAR - fantomas
On 1 Jan 2018, at 9:59 (-0500), David Jones wrote: I think some mail systems will keep the same message-ID per email thread so your system must reject some replies. On 01.01.18 10:29, Bill Cole wrote: I have not seen such behavior in the past 20 years... Intentionally re-using another

Re: Malformed spam email gets through.

2018-01-01 Thread @lbutlr
On 1 Jan 2018, at 09:41, Matus UHLAR - fantomas wrote: > the gross format in RFCs 822, 2822 and 5322 describes message-id consisting > of local and domain part, You are misreading the RFC. The Message-ID itself is a *should* and there is no MUST in any of the description of

Re: Malformed spam email gets through.

2018-01-01 Thread Rupert Gallagher
We reject anything whose mid does not include the fqdn or address literal of their sending server. We do this because the RFC says explicitly that the mid *MUST* have those features. We write exceptions for those few senders who are legitimate but have lazy and incompetent sysadmins. On Mon,

Re: Malformed spam email gets through.

2018-01-01 Thread Matus UHLAR - fantomas
On 1 Jan 2018, at 11:41 (-0500), Matus UHLAR - fantomas wrote: the gross format in RFCs 822, 2822 and 5322 describes message-id consisting of local and domain part, thus it must contain "@". On 01.01.18 12:17, Bill Cole wrote: No, it does not. Re-read the cited sections. From RFC5322, the ABNF