Re: Why single periods in regex in spamassassin rules?

On 4/23/21 2:52 PM, David B Funk wrote: On Fri, 23 Apr 2021, Steve Dondley wrote: I'm looking at KAM.cf. There is this rule: body    __KAM_WEB2  /INDIA based IT|indian.based.website|certified.it.company/i I'm wondering if there is a good reason why a singe period is used instead of somethi

Re: Very strange SA result!

On 12/3/2015 9:23 AM, Jari Fredriksson wrote: On 3.12.2015 16.11, Kevin A. McGrail wrote: You are using KAM.cf which isn't a project ruleset. Please report the issue and a spample at https://raptor.pccc.com/raptor.cgim?template=report_problem We can likely look at it quickly and adjust. Howev

Re: Trying to understand how bayes works.

On 12/11/2015 1:24 PM, Reindl Harald wrote: Am 11.12.2015 um 19:12 schrieb Axb: On 12/11/2015 06:51 PM, Reindl Harald wrote: well, how many of you trained chistmas spam this year while my bayes did know it from last year? I like my Bayes fresh like bread out of the oven, new guitar strings

Re: More on T_SPF_PERMERROR

On 12/14/2015 1:47 PM, Alex wrote: Hi, I'm seeing quite a few T_SPF_PERMERROR entries in my logs and not sure if it's a problem, or a misunderstanding, or perhaps I've just started to notice it more often since I started looking for it... I'm seeing T_SPF_PERMERROR entries in my logs for sites

Re: More on T_SPF_PERMERROR

On 12/15/2015 7:19 AM, Martin Gregorie wrote: On Mon, 2015-12-14 at 21:42 -0500, Alex wrote: Many times the domain actually has something wrong with SPF, but other times openspf.org/why and kittermans say there's nothing wrong with the domain. Other domains that fail, such as gmail.com and well

Re: Google redirects

On 12/17/2015 1:34 PM, Alex wrote: Hi, Can someone explain why spamassassin is allowing apparent google redirects? Cryptolocker :-( This one's blocked now. https://www.google.com/url?q=http://www.mediafire.com/download/izdqjzml6dz68t3/1Z4566W50325036.ups.doc_.wsf08137322366IlRiZxJtpLvPq78WySF33

Re: Google redirects

On 12/18/2015 11:32 AM, John Hardin wrote: On Fri, 18 Dec 2015, Mark Martinec wrote: On 2015-12-18 16:29, Axb wrote: On 12/18/2015 04:17 PM, Mark Martinec wrote: > On 2015-12-17 22:41, Axb wrote: > > could you make a version using redirector_pattern so the redirected > > target can be lo

Re: AWL ?

On 12/23/2015 10:53 AM, Olivier CALVANO wrote: Hi i have installed a new server on Centos with Postfix/Amavisd and SpamAssassin my problems, 90% of mail are tagged spam: X-Spam-Flag: YES X-Spam-Score: 22.876 X-Spam-Level: ** X-Spam-Status: Yes, score=22.876 required=5.0 t

Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

On 1/4/2016 3:39 PM, Quanah Gibson-Mount wrote: --On Monday, January 04, 2016 8:28 PM + Chris J wrote: Before I raise this on Bugzilla, I just want to run this past people as I'm quite happy that I've failed to configure something, but can't see what. In short, RBL blacklists haven't bee

Re: My new method for blocking spam - REVEALED!

On 1/20/2016 3:20 PM, Dianne Skoll wrote: On Wed, 20 Jan 2016 12:11:02 -0800 Marc Perkel wrote: Again - it's not about matching as Bayes does. It's about not matching. It's not about not matching. It's about a preprocessing step that discards tokens that don't have extreme probabilities. I

Re: Continuing - Re: How do I actually add these descriptions then...

On 3/7/2016 1:05 PM, RW wrote: On Mon, 7 Mar 2016 15:12:25 + Robert Chalmers wrote: I?ve added descriptions, grabbing the actual RULE name with awk, and creating the list that way. { a=$12; print "describe " a " Spam check applied."; } The result is like this. describe L

Re: Regex problem

On 3/28/2016 9:55 AM, RW wrote: Am I missing something? With the test message printf 'Subject: x 555$ x\n\n ' I get a match on "$ " and "$" with Subject =~ /\$ / Subject =~ /\$/ but no match with Subject =~ /\$\b/ There's no word boundary between the $ and the ' ' because th

Re: Regex problem

On 3/28/2016 11:59 AM, RW wrote: On Mon, 28 Mar 2016 09:58:23 -0400 Joe Quinn wrote: On 3/28/2016 9:55 AM, RW wrote: Subject =~ /\$\b/ There's no word boundary between the $ and the ' ' because they're both in \W. Thanks, I'd forgotten what the definition of a

Re: Anyone else just blocking the ".top" TLD?

On 3/28/2016 3:02 PM, Vincent Fox wrote: From:whoswho REJECT This is the one that really annoys me. KAM.cf has a 5.0-scored rule named exactly that, and there's an entire Wikipedia article on the subject! https://en.wikipedia.org/wiki/Who's_Who_scam. It really makes ICANN look like they do no

Re: How does SpamAssassin processing languages other than English

On 4/12/2016 1:16 PM, Reindl Harald wrote: Am 12.04.2016 um 18:44 schrieb Yu Qian: SpamAssassin used Bayes as classier, this is typical and efficient for English. But how does it processing languages like Asian language? Can anyone introduce that or anyone can show the code where SpamAssassin

Re: Is this spam?

On 4/18/2016 1:23 PM, Alex wrote: Hi all, I'm curious as to whether you think this email is spam? http://pastebin.com/bFVSgwnR It looks like your typical unsolicited "Buyers Guide" junk, but I've heard of actonsoftware before, and this email appears to have a legitimate unsubscribe link. It al

Re: Is this spam?

On 4/18/2016 10:52 PM, Alex wrote: Hi, I'm curious as to whether you think this email is spam? http://pastebin.com/bFVSgwnR It looks like your typical unsolicited "Buyers Guide" junk, but I've heard of actonsoftware before, and this email appears to have a legitimate unsubscribe link. It also

Re: understanding HELO_DYNAMIC_IPADDR

SA uses IP-in-name as a machine-decidable definition of a dynamic IP, since you can't really automate it otherwise. This heuristic holds in the vast majority of cases, and is effective against a huge class of spam that comes from public ISPs who don't block port 25. An ISP's customers are gene

Re: Reporting gmail spam to Google

On 5/18/2016 11:10 AM, Alarig Le Lay wrote: On Thu May 19 00:00:31 2016, Byung-Hee HWANG (황병희) wrote: As far as i know, they are doing those best to reduce spam by DMARC. DMARC is used to prevent incomming spam, not outgoing. Well to be more specific, DMARC allows forgeries to be aggressively

Re: Accidental Spam Forward

On 5/31/2016 12:06 PM, Anthony Hoppe wrote: All, I accidentally forwarded some spam to this list. Autocomplete got the best of me and I chose "spamassassin" instead of "spamcop" in the "TO" field of the message. I haven't received the message myself (not sure if I will), but wanted to apolo

Re: Bayes filter marking everything as ham

On 6/1/2016 3:06 AM, Reindl Harald wrote: Am 01.06.2016 um 02:38 schrieb David Jones: From: Reindl Harald Sent: Tuesday, May 31, 2016 6:27 PM To: users@spamassassin.apache.org Subject: Re: Bayes filter marking everything as ham Am 31.05.2016 um 23:58 schrieb Peter Carlson: May 30 09:0

Re: SPF_TEMPERROR now firing

On 6/5/2016 3:38 AM, Chalmers wrote: SPF_TEMPERROR now firing now scoring 1. Good. As I am still learning I now know something I didn't previously. Interesting responses here. It's worth noting that the rule may have a good S/O for you but it's still not a good idea to score it. Those rules only

Re: SA 3.4.1 on FC22/sendmail with a .procmailrc not triiggering spamc

On 6/8/2016 12:39 PM, Kris Deugau wrote: kud...@netzero.com wrote: We're running SA 3.4.1 with sendmail on Fedora Core 22. Every users has a .procmailrc upon creation of the user but we have some legacy users being inundated. If I just create a /etc/procmailrc will SA look at that first? Usua

Re: Email with attachment caused 100% CPU usage.

On 6/8/2016 1:20 PM, John Hardin wrote: On Wed, 8 Jun 2016, Mark London wrote: Hi - We received an email with several large postscript attachments, and the content type was "text/plain". This caused our spamassassin server to use up 100% CPU, parsing the attachments as text. I temporaril

Re: Where to find DETAIL for spamassassin default RULES

On 6/9/2016 7:55 AM, jimimaseye wrote: Once upon a time the include rules for spamassassin was published in its wiki (example here: http://spamassassin.apache.org/tests_3_3_x.html) which in turn gave a link to an 'explanation' detail of the individual rules. However, as you know, these wiki ages

Re: SPF should always hit?

On 6/9/2016 11:23 AM, Robert Fitzpatrick wrote: Excuse me if this is too lame a question, but I have the SPF plugin enabled and it hits a lot. Should SPF_ something hit on every message if the domain has an SPF record in DNS? Furthermore, a message found as Google phishing did not get a hit on

Re: How SA reactes to a bunch of garbage characters

On 6/14/2016 8:33 AM, Matus UHLAR - fantomas wrote: that is just what I would like to know: If OCR produces results good enough for BAYES and other rules. I don't think there's difference between bayes and other rules. It's also possible that BAYES would have better results with misread charact

Re: Catching well directed spear phishing messages

On 6/29/2016 11:12 AM, Dianne Skoll wrote: On Wed, 29 Jun 2016 15:04:04 + David Jones wrote: If everyone (really Microsoft) had some sense, they will start showing the full display name with the email address to help users see the incorrect domain and possibly help users notice the wrong ad

Re: Corpus of Spam/Ham headers(Source IP) for research

On 6/29/2016 11:50 AM, Shivram Krishnan wrote: Hello Antony, We will be getting headers from our University. The only reason why we want other list is that we are tailoring Blacklists for specific networks, to see how these blacklists perform. The idea being , your network may not be seeing t

Re: USER_IN_WHITELIST

On 7/6/2016 11:42 PM, Bill Cole wrote: On 6 Jul 2016, at 23:10, lorenzo wrote: [...] The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe: address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$ Very sneaky. I think I

Re: Spoofed Domain

That's a very good warning indeed! Perhaps blocking .doc files with a zip-like file structure is in order? I can't think of a legitimate reason to use the old extension on the new file format. On 8/10/2016 9:28 AM, Larry Starr wrote: On Tuesday, August 09, 2016 18:01:57 Rob McEwen wrote: > O

Re: Spoofed Domain

on ( I don't care if these are Macro enabled or not, there is no legitimate reason to rename them ). On Wednesday, August 10, 2016 09:31:21 Joe Quinn wrote: That's a very good warning indeed! Perhaps blocking .doc files with a zip-like file structure is in order? I can'

Re: google spamming ?

On 8/15/2016 8:01 AM, Benny Pedersen wrote: X-Spamd-Result: default: False [-10.25 / 15.00] WHITELIST_DMARC(-7.00)[google.com] WHITELIST_SPF_DKIM(-3.00)[google.com] SUSPICIOUS_RECIPS(1.50)[] CLAMAV_VIRUS_CLEAN(-2.00)[] DMARC_POLICY_ALLOW(-0.25)[google.com] MIME_GOOD(-0.10)[multipart/alterna

Re: google spamming ?

On 8/15/2016 8:37 AM, Benny Pedersen wrote: On 2016-08-15 14:21, Joe Quinn wrote: This is not the mailing list for rspamd or dnswl. How is SA involved in this issue? :( i give up ! Have you tried asking on either the rspamd or dnswl mailing lists?

Re: google spamming ?

On 8/15/2016 9:21 AM, Benny Pedersen wrote: On 2016-08-15 15:16, Joe Quinn wrote: Have you tried asking on either the rspamd or dnswl mailing lists? why should i waste my time with it ? i have reported spam to dnswl If you reported it already, why are you still asking how? how to report

Re: Fwd: Re: New domain blacklist options available.

On 8/18/2016 10:03 AM, Benny Pedersen wrote: no point in spamming freee maillists so ? Original Message Subject: Re: New domain blacklist options available. Date: 2016-08-18 15:46 From: "Benjamin E. Nichols" To: Benny Pedersen Because we dont work for free bonehead. To pu

Re: Fwd: Re: New domain blacklist options available.

message-- *From: *Joe Quinn *Date: *Thu, Aug 18, 2016 9:15 AM *To: *users@spamassassin.apache.org <mailto:users@spamassassin.apache.org>; *Cc: * *Subject:*Re: Fwd: Re: New domain blacklist options available. On 8/18/2016 10:03 AM, Benny Pedersen wrote:> no point in spamm

Re: Unsubscribe

On 8/18/2016 10:57 AM, Benjamin E. Nichols wrote: Benjamin E. Nichols http://www.squidblacklist.org 1-405-397-1360 Documentation on how to unsubscribe from the list can be found on apache.org or in the notification you received when you first subscribed.

Re: New Install - Tons of Spam Getting Through

On 8/18/2016 2:27 PM, Jerry Malcolm wrote: I haven't figured out a way to get Thunderbird to allow me to copy/paste the headers. But I did look at all of the headers. There are no headers in the email with names like you mentioned. There is only the X-Spam-Status header and X-Spam-Flag header

Re: Matching infinite sets

On 8/21/2016 5:55 PM, Sidney Markowitz wrote: Dianne Skoll wrote on 22/08/16 8:56 AM: And... why can't a set contain itself? It can't in standard modern set theory (ZFC), through the foundation axioms, also known as the axiom of regularity https://en.wikipedia.org/wiki/Axiom_of_regularity w

Re: Matching infinite sets

On 8/22/2016 8:54 AM, Michael Orlitzky wrote: On 08/21/2016 03:22 PM, Damian wrote: There is no such set B, as it would contain itself. The empty set contains itself. That's an easy mistake to make. The empty set is {}, the set that contains only the empty set is {{}}. Sets are discrete elemen

Re: Tuning recommendations?

On 9/13/2016 1:55 AM, John Hardin wrote: On Mon, 12 Sep 2016, thomas cameron wrote: Keep the tips coming, I appreciate learning from you! Here's another: there's some anecdotal evidence that publishing your own SPF record reduces the likelihood you'll be joe-jobbed. I'm not sure whether tha

Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

On 9/16/2016 12:59 PM, li...@rhsoft.net wrote: ... in case you have postscreen or something else which does proper rbl-scoring in front of the content-scanners it's no problem because only a small part of spam attempts are mahing it to SA may depend on the amount of ham which can be also mit

Re: How to reject mails with special message-id (Debian, Amavis, Spamassassin)

On 9/20/2016 9:46 AM, Thomas Barth wrote: Am 20.09.2016 um 15:27 schrieb Bowie Bailey: X-Spam-Status: Yes, score=14.009 tag=2 tag2=6.31 kill=6.31 tests=[HTML_MESSAGE=0.001, MESSAGEID_LOCAL=8, MIME_HTML_ONLY=1.105, PYZOR_CHECK=1.985, RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274]

Re: HTTPS_HTTP_MISMATCH and explanation

On 9/25/2016 9:25 PM, Sean Greenslade wrote: On Sun, Sep 25, 2016 at 07:57:37PM -0400, Alex wrote: I think the rule still has a use, perhaps in a meta or something. I believe (though don't quote me on this) that a zero-weight rule will still be checked if it's used as part of a metarule. --Sea

Re: HTTPS_HTTP_MISMATCH and explanation

On 9/26/2016 8:54 AM, RW wrote: Informational rules do that, but IIRC __RULES are simply a special case. Hmm, you're probably right on that point. I can't find anything in the source that behaves that way, but the documentation claims that's how it works and I also don't see anything to suppor

Re: Greymail and marketing junk

On 9/30/2016 5:35 AM, Robert Schetterer wrote: Am 30.09.2016 um 02:28 schrieb Alex: Hi all, Has anyone given any thought to special rules or methods designed to catch greymail? That is, mail that perhaps may be opt-in, but abusive, like marketing mailing lists or newsletters? This might includ

Re: Persistent phishing attacks with word/pdf macros

On 10/3/2016 4:30 PM, John Hardin wrote: On Mon, 3 Oct 2016, Axb wrote: On 10/03/2016 09:03 PM, John Hardin wrote: On Mon, 3 Oct 2016, Axb wrote: > On 10/03/2016 07:46 PM, Alex wrote: > > Hi, > > > > These are a real concern. If you receive any kind of real mail > > volume, > > you

Re: Persistent phishing attacks with word/pdf macros

On 10/4/2016 12:37 PM, Alex wrote: Hi Joe, do you recall more specifically the subject or location of this conversation regarding using perl and mimedefang to deal with word macros? I recall something from Feb 2015, but I don't know how to parlay that into something usable with amavis and perl..

Re: How to create a URIBL

On 10/18/2016 6:21 PM, Alex wrote: Hi, I've collected a bunch of URIs that I'd like to incorporate into my rulebase. I know how to create a DNSBL, but I don't specifically know how to create a URIBL. Can I use rbldnsd for this? Or would I have to extract the IP or hostname from the URL, then als

Re: uceprotect issue

On 11/2/2016 2:46 PM, Marc Stürmer wrote: Zitat von Marco : Sorry, I know this is not uceprotect list, but I don't know how to contact uceprotect, their contact form is unavailable. It seems the problem starts on 30 october. Did you have noticed too something about? UCE Protect has a very

Re: uceprotect issue

On 11/4/2016 11:03 AM, Dianne Skoll wrote: On Fri, 4 Nov 2016 12:23:16 +0100 Holger Schramm wrote: If you don't like them, don't use their services. It is really that easy. It's not that easy. If you provide email services to a large number of people and someone they are trying to correspond

Re: Bayes scoring and role accounts

On 11/21/2016 11:27 AM, Karl Denninger wrote: On 11/21/2016 10:12, Karl Denninger wrote: I'm using SpamAssassin on a system that uses Postfix for MTA and Dovecot for handling final delivery. Spamassassin is being called via Postfix through spamd with: # # Spam Assassin bayesian filter updat

Re: how to enable autolearn?

On 1/9/2017 6:01 PM, Linda Walsh wrote: John Hardin wrote: On Mon, 9 Jan 2017, L A Walsh wrote: I have: bayes_auto_learn_threshold_nonspam -5.0 bayes_auto_learn_threshold_spam 10.0 in my user_prefs. When I get a message though, I see autolearn being set to 'no': X-Spam-Status: Yes, sco

Re: Asynchronous plugin skeleton needed

On 1/18/2017 7:08 AM, Kiwi User wrote: On Wed, 2017-01-18 at 11:36 +, Pedro David Marco wrote: I would like to write a simple plugin to check some local Databases (cannot use rbldnsd) that takes long so making it asynchronous seems the best idea.. If possible, can anyone provide any skeleton

Re: Asynchronous plugin skeleton needed

On 1/19/2017 1:48 AM, Pedro David Marco wrote: >You should be able to use the other asynchronous plugins as a reference > >as well. Thanks... but i cannot find documentation about thinks like "register_async_rule_start()" for example... can anyone point to me where is it documented, please?

Re: Ignore third-party SA headers

On 1/23/2017 5:43 PM, Ruga wrote: spam that already includes SA headers is getting through without local SA filtering. Is it posible to tell the local SA to always add its own headers, possibly taking note of the existence of former SA headers while rewriting them out of the way? SA never sho

Re: Ignore third-party SA headers

On 1/25/2017 10:48 AM, Ruga wrote: SA runs as follows. master.cf, last line of section smtp: > -o content_filter=spamcheck spamcheck unix - n n - 10 pipe flags=Rq user=spamd argv=/usr/sbin/spamc --dest=127.0.0.1 --port=783 --filter-ret

Re: List of trusted senders

On 1/25/2017 11:03 AM, Benny Pedersen wrote: Kevin A. McGrail skrev den 2017-01-25 16:46: On 1/25/2017 9:10 AM, David Jones wrote: Could we build a tool like masscheck to help extend these entries for trusted senders that are known to maintain proper SPF, DKIM, DMARC with valid opt-out processi

Re: Custom rule problem

On 1/31/2017 3:22 PM, Zinski, Steve wrote: Sorry for the trouble, everyone… I had been forwarding the spam through my personal IMAP account (to test my rule) which was apparently blocking it. I forwarded it using my gmail account and my new rule fired. I feel like an idiot. Steve I suggest yo

Re: RFC compliance pedantry (was Re: New type of monstrosity)

On 2/8/2017 1:36 PM, Philip Prindeville wrote: Having been through the process of authoring 2 RFC’s, perhaps I can shed some light on the process for you. All proposed standards started life as draft RFC’s (this was before the days of IDEA’s but after the days of IEN’s). If it were validated

Re: Uninitialized values in URIDNSBL

On 2/8/2017 2:58 PM, Kevin A. McGrail wrote: On February 8, 2017 2:27:56 PM EST, Alex wrote: Hi, On Wed, Feb 8, 2017 at 2:08 PM, Kevin A. McGrail wrote: On 2/8/2017 1:22 PM, Philip Prindeville wrote: While we’re waiting for that, can I just grab Util.pm

Re: Custom rule not applied when running Postfix + SA

On 2/20/2017 6:54 AM, aquilinux wrote: Hi all, i noticed that a custom rule i created (in /etc/spamassassin/local.cf ) is not applied in the regular postfix + spamassassin flow but it is when i pipe the mail to spamc or spamassassin. 1) normal flow with postfix spamassassin

Re: List of legit mass mailers

On 3/8/2017 9:39 AM, @lbutlr wrote: On 2017-03-08 (07:23 MST), Ruga wrote: This is spamassassin... We are against mass mailers. That’s absurd. No one with any sense at all is against mass mailers. If you measure "mass mailer" by volume of distribution, apache.org easily qualifies.

Re: SpamAssassin score

On 3/20/2017 6:37 AM, Bernard wrote: Thanks for that information. After ~1750 messages having been digested, still no improvement: 0.000 0 3 0 non-token data: bayes db version 0.000 0 23 0 non-token data: nspam 0.000 0 1729

Re: Strange audio spam

On 5/5/2017 8:53 PM, do...@mail.com wrote: I received this very unusual email a few days ago. It (or another email), timed out my spamassassin check (which is a first). I'm including the full text of the spam below along with all of the headers. I'm interested if this mail is legit, or if it's

Re: EX_IOERR

On 5/28/2017 2:11 AM, Cecil Westerhof wrote: When executing: spamc -L spam It looks like EX_IOERR simply refers to the fact that some process exited with status 74. Restart spamd with the -D option so you get debugging output, and it should be easier to narrow it down to a specific cause.

Re: EX_IOERR

On 5/28/2017 10:59 AM, Cecil Westerhof wrote: On Sunday 28 May 2017 14:50 CEST, Joe Quinn wrote: On 5/28/2017 2:11 AM, Cecil Westerhof wrote: When executing: spamc -L spam It looks like EX_IOERR simply refers to the fact that some process exited with status 74. Restart spamd with the -D

Get count of URLs in message

The file 10_hasbase.cf has the following rule: uri __HAS_URI /./ Is there a similar rule anywhere (or a way to write one), which could match against emails containing many URIs? I have searched for "__HAS_.*_URIS" to see if the concept exists, and I cannot think of any combination of

Detecting very recently registered domain names

We are noticing a lot of spam coming from domains that are less than two months old. Is there a good way to detect this automatically? We've thought about whois, but do not want to get blocked for looking like we are harvesting information. Regards, JMQ

Re: Detecting very recently registered domain names

t. I might have to chalk this one up as "not worth the effort". :( On 12/19/2013 10:13 AM, Alex wrote: Hi, On Thu, Dec 19, 2013 at 10:02 AM, Joe Quinn wrote: Isn't that where Kevin works too? Couldn't you just walk down the hall and ask him? lol We are noticing a lot of spa

Automatically extracting AOL scomp attachments

We semi-frequently get notified of spam in the form of AOL's notorious abuse reports. The actual spam is an attachment of mime type message/rfc822, which we have to extract by hand to make them easier to organize. We would like to have a tool that operates on all of these messages in one keystr

Re: Automatically extracting AOL scomp attachments

Magnificent! Thanks for the quick reply. I will try this out when I get a chance. Do I have permission to copy your code below, with attribution of course? On 12/31/2013 10:57 AM, Kris Deugau wrote: Joe Quinn wrote: We semi-frequently get notified of spam in the form of AOL's noto

Re: Help with a regex to catch spam with gibberish html tags

On 1/29/2014 11:53 AM, Andy Jezierski wrote: I've been noticing a lot of spam getting through with the same traits, a bunch of random words within brackets. They all seem to come after the or the tag. Anyone much more knowledgeable than me care to assist with a rule to detect them? Thanks

Odd email pattern

I've attached a munged example of a strange pattern we've just started getting. It consists of BODY_8BITS, plus an empty text/plain, nearly empty text/html, and some other office attachment. Is there a good way to match for the empty plain and html parts? The __KAM_BODY_LENGTH_LT_XXX rules a

Re: Odd email pattern

On 2/10/2014 12:14 PM, Axb wrote: On 02/10/2014 05:16 PM, Joe Quinn wrote: I've attached a munged example of a strange pattern we've just started getting. It consists of BODY_8BITS, plus an empty text/plain, nearly empty text/html, and some other office attachment. Is there a g

Spam Pattern

This pattern has been showing up in a good 80% of spam I have looked at in the past month. Spammers take a few paragraphs out of a large body of text and put it at the end of their email. My favorite is one that had the scene where Daisy first meets Jay Gatsby. Sometimes they add some mungin

Re: Spam Pattern

On 2/12/2014 3:15 PM, John Hardin wrote: On Wed, 12 Feb 2014, Joe Quinn wrote: This pattern has been showing up in a good 80% of spam I have looked at in the past month. Spammers take a few paragraphs out of a large body of text and put it at the end of their email. My favorite is one that

Re: regex help

On 2/18/2014 12:22 PM, Marc Perkel wrote: Trying to do something complex and not sure how it's done. What I'm looking for is to combine 2 conditions in a single regular expression so that both have to be true for a match. Yes - I know I can make 2 SA rules and combine them but I bet there's a w

Re: bit.ly and Spamhaus DBL

On 3/5/2014 7:18 AM, Ben wrote: On 05/03/2014 05:47, Benny Pedersen wrote: On 2014-03-04 18:52, Ben wrote: Just for my reference, is there a way to affect the score rather than skip completely ? score FOO (1) (1) (1) (1) add one point to FOO rule it also works with negative scores that wi

Re: bit.ly and Spamhaus DBL

On 3/5/2014 9:57 AM, Neil Schwartzman wrote: On Mar 5, 2014, at 10:40 PM, Neil Schwartzman wrote: Yeah. An abused, and abusive redirector. They only deal with abuse Monday-Friday, 9:00-17:00.* They never break links, but put an interstitial in between the victim and the payload. Gee thanks.

Re: KAM_BODY_URIBL_PCCC and KAM_FROM_URIBL_PCCC

On 3/20/2014 4:25 PM, Kevin Miller wrote: KAM_BODY_URIBL_PCCC and KAM_FROM_URIBL_PCCC are clobbering a lot of legitimate mail. I'd like to drop the score. Can I just put score KAM_BODY_URIBL_PCCC1.0 score KAM_FROM_URIBL_PCCC1.0 in local.cf? Since KAM.cf changes frequen

Re: How the rules __TO_EQ_FROM_1 __TO_EQ_FROM_2 work?

On 3/27/2014 12:34 PM, Marcin Mirosław wrote: W dniu 24.02.2014 16:24, John Hardin pisze: Hi! On Mon, 24 Feb 2014, Marcin Mirosław wrote: Sorry for silly question. I'd like to know if mentioned rules catches all email address or only user part? It's not a silly question. All of the TO_EQ_FRO

Re: Capture vs non-capture groups

On 5/28/2014 12:46 PM, Kevin A. McGrail wrote: On 5/28/2014 12:44 PM, Arthur Glennie wrote: Specific to spamassassin, are capture groups ever useful, or should I always use non-capture groups? Eg. (lit) vs. (?:lit) I believe ?: will always be ever so slightly more efficient. He's asking if the

Re: Capture vs non-capture groups

On 5/28/2014 2:10 PM, Arthur Glennie wrote: [quote] The only place I've found backreferences useful is when writing a header rule that is looking for the same string in multiple headers. Other than that, captures are very rare. If SA had a way to capture a match from rule1 and use that in rule2 y

Re: Spam score range and distribution statistics?

On 6/9/2014 11:34 AM, Bowie Bailey wrote: On 6/9/2014 3:47 AM, Ben Stover wrote: As far as I found out SpamAssassin calculates the spam score and puts the value into the email header. What is the maximum range of the score? -10,,+10 or other? There are no limits on the score. The high

Spam Rule Slowness

We received a report that our published ruleset is slow on large emails (http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf) After doing our own profiling (using "Finding slow rules" under http://wiki.apache.org/spamassassin/FasterPerformance), we have not been able to reproduce anythin

Re: Spam Rule Slowness

On 6/12/2014 10:57 AM, Axb wrote: On 06/12/2014 03:11 PM, Joe Quinn wrote: We received a report that our published ruleset is slow on large emails (http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf) After doing our own profiling (using "Finding slow rules" under http://wiki.

Re: Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/... //r"

On 6/12/2014 10:27 PM, Tom Robinson wrote: Hi, Sorry to bother you with this. As referenced on the ApacheSpamAssassin Wiki for AutoWhiteList (https://wiki.apache.org/spamassassin/AutoWhitelist) I downloaded the Truxoft version of the sa-heatu utility (http://truxoft.com/resources/sa-heatu.v4.0

Re: sa-update NOT updating.

On 6/16/2014 9:42 AM, Dave Pooser wrote: On 5/30/14 11:11 AM, "Kevin A. McGrail" wrote: Good time for an update to the users list about the issue. The box that processed the updates at the ASF collo failed catastrophically during a power surge that took down some other boxes as ell. Unfortuna

No SPF/DKIM/DMARC rule

Something we have noticed is that Google blocks email from servers that use IPv6 but do not have an SPF record. Is there any value to implementing a similar rule for SA with a relatively small score? If your domain does not use SPF, DKIM, or DMARC, you're not even trying to prevent forgeries.

Re: No SPF/DKIM/DMARC rule

On 7/25/2014 1:18 PM, David F. Skoll wrote: On Fri, 25 Jul 2014 13:07:34 -0400 Joe Quinn wrote: Something we have noticed is that Google blocks email from servers that use IPv6 but do not have an SPF record. Really? We have not noticed that. We have a number of customers using us for

Re: duplicate key value violates unique constraint "awl_pkey"

On 7/30/2014 10:47 AM, Benny Pedersen wrote: On July 30, 2014 12:28:44 PM ML mail wrote: It looks like SpamAssassin tries to INSERT an entry (e-mail address) which already exists. Shouldn't SpamAssassin AWL code first check if an entry exists or not and use UPDATE instead of INSERT if an entr

Re: spamassassin at 100 percent CPU

On 7/31/2014 3:19 PM, Noah wrote: Hi there, what are some things to check with spamassassin commonly running at 100 percent? I used apt-get to reinstall of spamassassin 3.3.2-2ubuntu1 and no cure. nothing in the syslog that seems relevant. Ubuntu 12.04 Linux 3.15.4-x86_64 Cheers, It depen

Re: rule for repeated tracking numbers

On 8/5/2014 1:08 PM, Andy Balholm wrote: The last few days, I’ve been getting a lot of spams that have a similar pattern. They are plain-text messages, and each one ends with a paragraph from a restaurant review (apparently to confuse bayesian filters), with some numbers inserted. There is an

Re: spamassassin at 100 percent CPU

additional rules? Cheers, Noah On 7/31/14 12:27 PM, Joe Quinn wrote: On 7/31/2014 3:19 PM, Noah wrote: Hi there, what are some things to check with spamassassin commonly running at 100 percent? I used apt-get to reinstall of spamassassin 3.3.2-2ubuntu1 and no cure. nothing in the syslog

Re: FPs on KAM_BODY_URIBL_PCCC

On 8/13/2014 12:24 AM, Kevin A. McGrail wrote: Both of those are recent, I believe and both have reasons to blacklist. Reporting here is fine. Joe will look at moving them to our marketing list but in the end you might have to consider a custom score because we consider places with convicted sp

Re: Second step with SA

On 8/15/2014 10:14 AM, Bowie Bailey wrote: On 8/15/2014 7:05 AM, Timothy Murphy wrote: Having got SA working at last on my CentOS-7 home server, I'm thinking of improving its use for me (no-one else). It's finding about 65% of my spam, and I'd like to increase that to 80%. The best way to quic

Re: Bogus SPF +all (was Re: dnssec / dane)

On 8/15/2014 1:50 PM, David F. Skoll wrote: On Fri, 15 Aug 2014 10:39:03 -0700 (PDT) John Hardin wrote: On Fri, 15 Aug 2014, David F. Skoll wrote: SPF is so easy ("v=spf1 +all") Doing *that* should be worth a point or two by itself. Yes. I even through about implementing it, but there are

Re: KAM rules keep me giggling

On 8/20/2014 3:34 PM, Jari Fredriksson wrote: What poison pills are they ;) Someone suggested using kam and I'm happy now. I figure they are not with SA spirit that no one rule should make that happen but... yeah. One helluva rules! :) We're always curious how our rules work for other people

  1   2   >