Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Dominic Raferd
Here's mine, had it running as a regular cron job for a few days now. On Wed, 26 Aug 2020 at 04:08, Rob McEwen wrote: > On 8/25/2020 11:04 PM, John Hardin wrote: > > I just wrote something similar to generate a rule, in case for some > > reason you don't want to use a plugin. Let me know if ther

Re: dbip-country-lite database

2020-11-15 Thread Dominic Raferd
On Sun, 15 Nov 2020, 18:27 Philip Prindeville, < philipp_s...@redfish-solutions.com> wrote: > Is anyone else using this database? > > I’ve been using it with xt_geoip and Mimedefang and Plugin::URILocalBL to > block countries since Maxmind retired support for GeoIP on RHEL. > > But I keep running

Re: google and spam

2020-12-14 Thread Dominic Raferd
On 14/12/2020 11:01, Iulian Stan wrote: Hi all, First of all I am writing this email from Yahoo because from my own domain it seems it's not working because I have DMARC set up and apparently something (maybe ezml) is messing up with the headers. If you have any idea to whom should I address i

Re: Protection.Outlook.Com

2021-02-04 Thread Dominic Raferd
You can check the IP status by registering it at Microsoft’s Smart Network Data Service (you probably did this already). You might have to contact your VPS provider to get *them* to escalate any problem (as it is their IP space), and th

Catch subtly-different Reply-To domain

2021-02-19 Thread Dominic Raferd
Is there a rule to catch cases where the domain of the Reply-To header is a subtle variant on that in the To header. Take this (real) example from a phishing email sent yesterday: From: "Karen Howard" Reply-To: "Karen Howard" I realise that other elements of the address can be different with

Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd
On 21/02/2021 13:56, RW wrote: On Sun, 21 Feb 2021 11:28:51 +0100 Michael Storz wrote: On 2021-02-20 08:58, Dominic Raferd wrote: Is there a rule to catch cases where the domain of the Reply-To header is a subtle variant on that in the To header. Take this (real) example from a phishing

Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd
On 21/02/2021 16:20, Benny Pedersen wrote: On 2021-02-21 17:00, RW wrote: On Sun, 21 Feb 2021 14:04:20 + Dominic Raferd wrote: On 21/02/2021 13:56, RW wrote: >>> From: "Karen Howard" >>> Reply-To: "Karen Howard" Yes this mail passed DMARC

Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd
On 21/02/2021 17:37, RW wrote: On Sun, 21 Feb 2021 17:00:32 + Dominic Raferd wrote: On 21/02/2021 16:20, Benny Pedersen wrote: On 2021-02-21 17:00, RW wrote: On Sun, 21 Feb 2021 14:04:20 + Dominic Raferd wrote: On 21/02/2021 13:56, RW wrote: From: "Karen Howard"

Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd
On 21/02/2021 20:09, Benny Pedersen wrote: On 2021-02-21 19:44, Dominic Raferd wrote: Presumably interfacefm.com has been hacked, but not to the extent that they can intercept incoming replies. I stand corrected; but as they specify p=none, the mail must still pass. in what way should it

Re: Catch subtly-different Reply-To domain

2021-02-22 Thread Dominic Raferd
On 22/02/2021 15:05, RW wrote: On Sun, 21 Feb 2021 16:32:01 -0800 (PST) John Hardin wrote: On Sun, 21 Feb 2021, John Hardin wrote: On Sun, 21 Feb 2021, Dominic Raferd wrote: Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculate

Re: Catch subtly-different Reply-To domain

2021-02-23 Thread Dominic Raferd
On 22/02/2021 15:45, Dominic Raferd wrote: On 22/02/2021 15:05, RW wrote: On Sun, 21 Feb 2021, Dominic Raferd wrote: Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculated and used in SA, I will see if there is a way to apply it in

Re: OT: is sorbs.net sleeping ?

2021-04-09 Thread Dominic Raferd
On 09/04/2021 15:57, Rob McEwen wrote: On 4/9/2021 10:34 AM, Benny Pedersen wrote: above ip is not listed yet, with inho is sign of no maintain at all anymore So I noticed that this IP you mentioned is a heavily-listed IP

Re: pyzor

2021-04-21 Thread Dominic Raferd
On 21/04/2021 16:15, Steve Dondley wrote: On 2021-04-21 11:00 AM, Eric Broch wrote: Does anyone one have a solution to this: spamd[]: pyzor: check failed: internal error, python traceback seen in response I have this in my local.cf #pyzor use_pyzor 1 pyzor_path /usr/bin/pyzor I don't

Re: My 10 years old domain have a bad TLD

2021-05-03 Thread Dominic Raferd
On 03/05/2021 08:15, Denis Chenu wrote: Hi, I own and manage sondages.pro domain since more than 10 years now. Since some week now, my spamassassin score is lower than before. Seems some version give a -2 score. Maybe since a debian update. I never send any spam email. When looking at spam rec

Re: My 10 years old domain have a bad TLD

2021-05-05 Thread Dominic Raferd
On 05/05/2021 11:23, Antony Stone wrote: On Wednesday 05 May 2021 at 12:15:41, Denis Chenu wrote: Hi Dominic, On 03/05/2021 at 09:28, Dominic Raferd wrote: I have another personal rule which adds +6 for 'unusual' domains - including .pro - so your chance of getting an email thr

Re: spamass.sock - No such file or directory

2021-06-26 Thread Dominic Raferd
endmarc.sock > > > > systemctl restart spamass-milter spamassassin postfix > > > > postfix/smtpd[15586]: warning: connect to Milter service > unix:spamass/spamass.sock: Connection refused > > > > > > > > *Von:* Dominic Raferd > *Gesendet:* Samst

Re: spamass.sock - No such file or directory

2021-06-27 Thread Dominic Raferd
Try unix:/run/spamass/spamass.sock On Sun, 27 Jun 2021, 18:28 , wrote: > Still the same > > Jun 27 19:21:03 nmail postfix/smtps/smtpd[4946]: warning: connect to Milter > service unix:spamass/spamass.sock: No such file or directory > Jun 27 19:25:37 nmail postfix/smtps/smtpd[5552]: warning: c

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dominic Raferd
On 12/07/2021 07:40, Dave Funk wrote: On Sun, 11 Jul 2021, Kevin A. McGrail wrote: On 7/11/2021 5:11 PM, John Hardin wrote: "The other parts contain an application/vnd.ms-officetheme and an application/x-mso file. Which (in addition to the text/xml files) are used by Microsoft Word to load th

Managing long welcome_senders list

2021-12-02 Thread Dominic Raferd
I have a score-reducing algorithm for SA based on known 'good' senders. From a simple one-address-per-line file (which can easily be manually or automatically edited) is built a local_welcoming.cf file which is used by SA - with lines like this: score LOCAL_WELCOMING_4 -4 header LOCAL_WELCOMIN

Re: Managing long welcome_senders list

2021-12-03 Thread Dominic Raferd
On 02/12/2021 16:26, Martin Gregorie wrote: On Thu, 2021-12-02 at 13:42 +, Dominic Raferd wrote: I have a score-reducing algorithm for SA based on known 'good' senders.  From a simple one-address-per-line file (which can easily be manually or automatically edited)

Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Dominic Raferd
On 15/12/2021 20:00, Riccardo Alfieri wrote: We’d like to say a big “thank you” to all of you who have been testing the beta version of the Spamhaus Domain Blocklist (DBL) with hostnames. How are you getting on with it? Have you encountered issues? Are you noticing a reduction in false positives

Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Dominic Raferd
On 04/01/2022 13:51, Riccardo Alfieri wrote: On 04/01/22 13:38, Dominic Raferd wrote: reject_rhsbl_sender redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255] reject_rhsbl_reverse_client redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255] reject_rhsbl_helo redacted.dbl

Re: Regex error in most recent update

2022-02-18 Thread Dominic Raferd
On 18/02/2022 09:51, Bert Van de Poel wrote: Hi everyone, I just noticed we had two email servers complain last night after running sa-update about a regex problem: /etc/cron.daily/spamassassin: config: invalid regexp for __URI_TRY_3LD 'm,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|sa

Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-18 Thread Dominic Raferd
On Sat, 19 Feb 2022, 01:10 Cian, wrote: > I am also having a world of trouble getting my emails to Outlook users. > For reference, my work domain has one user (me). I have had the account > for about 9 months and I have not yet sent 100 emails. I typically send an > email to a single recipient,

Re: Whitelist or add negative values for score

2022-12-21 Thread Dominic Raferd
On 20/12/2022 23:59, Joey J wrote: Thanks to Bill and Matus for your responses. Basically, the client is talking about real money transactions, airplanes, paypal etc, but he is a legit sender with these often flagged topics. Sometimes the message goes through, but by the time you reply 2 or 3

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

2018-07-29 Thread Dominic Raferd
On Sun, 29 Jul 2018 at 18:33, RW wrote: > On Sun, 29 Jul 2018 12:28:08 +0200 > Antony Stone wrote: > > > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another > > email that's guaranteed to fail DMARC with a reject when posted > > through a mailing list, and consequently I didn't

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Dominic Raferd
On Fri, 17 Aug 2018 at 17:34, Chris wrote: > I noticed last night while updating to 18.04.1 that there were warnings > about SA Compile. I tried to copy to the clipboard however that > didn't work. I did manage to capture this: > > installed sa-compile package post-installation script subproc

Re: DNS and RBL problems

2018-09-15 Thread Dominic Raferd
On 15/09/2018 02:44, Alex wrote: On Fri, Sep 14, 2018 at 4:24 PM Daniel J. Luke wrote: On Sep 14, 2018, at 3:26 PM, Kevin A. McGrail wrote: On 9/14/2018 3:22 PM, Alex wrote: I wish it were that easy. /etc/resolv.conf is set up to use 127.0.0.1, which is bind configured as a my local cachi

Re: KAM_RAPTOR and other dependencies...

2018-10-24 Thread Dominic Raferd
On Tue, 23 Oct 2018 at 14:22, Kevin A. McGrail wrote: > It means I forgot to encapsulate that rule in a plugin check. Download > the latest KAM.cf and you'll be good. > > On Mon, Oct 22, 2018 at 4:40 PM Peter L. Berghold > wrote: > >> I've seen the following message and others similar: >> spamd

Re: Cannot install SpamAssassin on Ubuntu 18.04.1 (gpg not found?)

2018-10-25 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 15:16, RW wrote: > On Thu, 25 Oct 2018 16:07:02 +0200 > Matus UHLAR - fantomas wrote: > > > >On Thu, 25 Oct 2018 08:37:45 -0400 Alexander Lieflander wrote: > > >> As a side-note, it seems like the error message returned by dpkg > > >> (and thus SpamAssassin, I guess) is inc

Re: Version 3.4.2, Debian Stretch

2018-10-25 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 15:12, Vitali Quiering wrote: > sorry if this has been asked before. I am new to this list and couldn’t > find a solution I liked. :-) > Is there a spamassassin 3.4.2 package available for Debian Stretch? I need > the RelayCountryPlugin with GeoIP2. Only in sid and bu

Re: Version 3.4.2, Debian Stretch

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 21:16, Vitali Quiering wrote: > Is not compatible with debian stretch or just not available as a package? > Is it tested and considered stable? > > Regards, > Vitali > > On 25.10.2018 at 16:26, Dominic Raferd wrote: > > On Thu, 25 Oct 201

Re: KAM_RAPTOR and other dependencies...

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 22:44, Kevin A. McGrail wrote: > On 10/25/2018 1:07 AM, Dominic Raferd wrote: > > On Tue, 23 Oct 2018 at 14:22, Kevin A. McGrail > wrote: > >> It means I forgot to encapsulate that rule in a plugin check. Download >> the latest KAM.cf and y

Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 13:45, Robert Fitzpatrick wrote: > > We're having an issue with spam coming from the same company even though > SPF and DKIM is setup with DMARC to reject. Take this forwarded email > for instances > > > Original message > > From: User > > Date: 11/15/

Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 15:54, Robert Fitzpatrick wrote: > > Dominic Raferd wrote on 11/16/2018 8:50 AM> > > Please clarify what you mean by 'even though SPF and DKIM is setup > > with DMARC to reject'? I presume that 'company.com' does not have a >

Re: spoofing mail

2018-11-27 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 01:57, Rick Gutierrez wrote: > On Tue, 27 Nov 2018 at 16:22, David Jones () > wrote: > > > > > Can you send a copy of the original email lightly redacted via pastebin > > so I can run it through my filters to give some pointers? > > > > -- > > David Jones > > Hi Dav

Re: X-Relay-Countries not working

2018-11-27 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 06:15, Brent Clark wrote: > Thanks for replying > > I did as you asked, here is the pastebin > > https://pastebin.com/XqSXndpW > > I could not see anything like you describe (i.e "I've found that the > plugin will fallback to the 'fast' version ...") > > It looks like KR is

Re: X-Relay-Countries not working

2018-11-28 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 10:36, Brent Clark wrote: > Sorry if I can just add, maybe the documentation can be updated? > > https://wiki.apache.org/spamassassin/RelayCountryPlugin I think the documentation is fine, the example with the hat/circumflex has describe text 'First untrusted relay is...'.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 10:33, Mike Marynowski wrote: > For those of us who are not SA experts can you give an example of how to use your helpful new lookup facility (i.e. lines to add in local.cf)? Thanks

Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 13:04, RW wrote: > > On Wed, 13 Mar 2019 10:53:06 +0000 > Dominic Raferd wrote: > > > On Wed, 13 Mar 2019 at 10:33, Mike Marynowski > > wrote: > > > > > > > For those of us who are not SA experts can you give an example of ho

Re: No longer just embedded =9D characters in blackmail emails.

2019-03-20 Thread Dominic Raferd
On Wed, 20 Mar 2019 at 13:14, piecka wrote: > > Hello > > We've encountered a high false positive rate with MIXED_ES rule for emails > written in Czech language. Czech naturally uses all of the e,ě and é. > > The situation is similar for Slovak language, which includes e and é. > > It seems the sa

Re: amavisd 100% cpu load - 470 queued messages...

2019-06-28 Thread Dominic Raferd
On Fri, 28 Jun 2019 at 09:56, hg user wrote: > Messages reported by mailq decreased to about 370 and then, in a few > seconds, to 0... from 370 to 0 in a few seconds... > > > > On Fri, Jun 28, 2019 at 10:49 AM hg user wrote: > >> I'm not able to lower cpu usage of amavisd. >> 4 cpus are used 100

Re: How to block mails from unknown ip addresses?

2019-08-26 Thread Dominic Raferd
On Sun, 25 Aug 2019 at 20:16, wrote: > On 2019-08-25 20:54, Matus UHLAR - fantomas wrote: > > > I don't think you should download geoip postgres modules when what you > > really need is apparently more recent database. > > > > Debian SA package suggests installing libgeo-ip-perl which further >

Re: Something much BETTER that Setting Threshold

2019-09-27 Thread Dominic Raferd
On Sat, 28 Sep 2019 at 06:11, Ramon F Herrera wrote: > I was going to start a new thread about the following, but this is a good > point to interject. > What I need is simply to remove all traffic coming from the domains: icu, > info, etc. That simple step would go a long way to solving my SPAM

Re: SpamAssassin 18th anniversary article

2019-10-24 Thread Dominic Raferd
On Thu, 24 Oct 2019 at 16:29, Dave Wreski wrote: > Hi all, > > LinuxSecurity just posted an article on the history of SpamAssassin and > its recent 18th anniversary, some of the new features coming in v4, and > speaks with some of the lead developers. > > > https://linuxsecurity.com/features/feat

Re: DMARC_REJECT?

2019-11-13 Thread Dominic Raferd
On Thu, 14 Nov 2019 at 05:49, Bill Cole < sausers-20150...@billmail.scconsult.com> wrote: > On 14 Nov 2019, at 0:14, Amir Caspi wrote: > > > DMARC_REJECT > > Is not the name of any rule currently distributed by the Apache > SpamAssassin project... > This comes from an update to KAM.cf in the last

Re: DMARC_REJECT?

2019-11-15 Thread Dominic Raferd
On Fri, 15 Nov 2019 at 21:17, Kevin A. McGrail wrote: > Good idea. This is done. > > On 11/15/2019 11:49 AM, David Jones wrote: > > Perhaps it needs to be named KAM_DMARC_REJECT to make it obvious that it > > came from the KAM.cf and have a default score of 0.001? > I believe only the renaming

Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Dominic Raferd
On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin wrote: > Hi, > > It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL > lookup: > > * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL > * blocklist > * [URIs: fluent.ltd.uk] > * 2.1 URIBL_SBL Contai

Re: New Spamhaus zone and updates to the plugin

2020-04-30 Thread Dominic Raferd
On Thu, 30 Apr 2020 at 09:51, Riccardo Alfieri wrote: > Hello, > > I'm happy to announce to the SpamAssassin community that Spamhaus has > released an updated version of our plugin that solves minor issues and, > more importantly, adds support for a new dataset we just released. > > The new zone

Re: HTTP checks on sending IP

2020-05-12 Thread Dominic Raferd
On Wed, 13 May 2020 at 06:27, Pedro David Marco wrote: > > Not a long time ago, there was an very interesting thread post about the idea > of reverse > check of the website content of sending IP... > > To my remember even a "spamassassiner" wrote a plugin for that. > > Honouring my terrible (lack

Re: generate rule, wrong?

2020-05-22 Thread Dominic Raferd
On Fri, 22 May 2020 at 10:28, Maurizio Caloro wrote: > > Hello > After generating this rule rawbody, spam mail like this words still appear, > possible mistake from my syntax? > > >required_score 5 > >use_pyzor 1 > >use_razor2 1 > >rawbody BECAUSE_OPTIN > >/(geschiedene|sexuellen|beziehungen|sin

Re: dcc-servers.net seems to have gone away

2020-05-23 Thread Dominic Raferd
On Sat, 23 May 2020 at 09:55, hospice admin wrote: > > Hi Gang, > > Looks like DCC/Rhyolite has stopped working. First noticed problems around > 19:30 last night UK time. > > Problem seems to be that DNS for dcc-servers.net has gone away. Have checked > with the likes of mxtoolbox and intoDNS an

Re: handling spam from gmail.

2020-06-11 Thread Dominic Raferd
On Thu, 11 Jun 2020 at 09:20, Marc Roos wrote: > > > I am sick of this gmail spam. Does anyone know a solution where I can do > something like this: > > 1. received email from adcpni...@gmail.com > 2. system recognizes this email address has been 'whitelisted', continue > with 7. > 3. system reco