Re: Plugin for URL shorteners / redirects

2009-05-26 Thread John Hardin
:-) Sounds like a somewhat reasonable proposal to me. Better still, the tinyurl-esque services should vet the URLs people submit against SURBL... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key

Re: Email from myself to myself

2009-05-28 Thread John Hardin
On Thu, 28 May 2009, hateSpam wrote: I am getting email from myself to my self all Pills adverts and it is spam. Is there any way to solve the problem. I get about 6 every day. Did you happen to whitelist_from your own domain? -- John Hardin KA7OHZhttp://www.impsec.org

Re: Email from myself to myself

2009-05-28 Thread John Hardin
On Thu, 28 May 2009, Jim Knuth wrote: On 28.05.2009 at 15:33, John Hardin jhar...@impsec.org wrote: On Thu, 28 May 2009, hateSpam wrote: I am getting email from myself to my self all Pills adverts and it is spam. Is there any way to solve the problem. I get about 6 every day. Did you

Re: Email from myself to myself

2009-05-28 Thread John Hardin
(typically /etc/mail/spamassassin/*.cf) for lines containing whitelist_ If you have any that are whitelist_from *...@your.domain then that will cause problems. Thanks hateSpam John Hardin wrote: On Thu, 28 May 2009, hateSpam wrote: I am getting email from myself to my self all Pills adverts

Re: Barracuda Blacklist

2009-05-29 Thread John Hardin
is to register your domain and IPs at EmailReg.org. {etc.} It might be less confusing if that ad was presented *after* you've completed the traditional unlisting request... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk

Re: application/octet-stream Content-Type used to obfuscate terse .RTF spam

2009-05-31 Thread John Hardin
=~ /application\/octet-stream/i meta MIME_BINARY_ONLY (__CTYPE_MULTIPART_MXD __UNSPEC_BINARY_ATTACH !__ANY_TEXT_ATTACH) scoreMIME_BINARY_ONLY 2.00 describe MIME_BINARY_ONLY Unspecified binary body part but no text body parts -- John Hardin KA7OHZhttp://www.impsec.org

Re: application/octet-stream Content-Type used to obfuscate terse .RTF spam

2009-06-01 Thread John Hardin
On Mon, 1 Jun 2009, Bob Proulx wrote: However playing wack-a-mole with each new type isn't productive. Perhaps this following, completely untested, would be the better way to go. Just look for any multipart message that doesn't have any text parts. That actually sounds best to me. -- John

Re: Identifying Source of False Positives

2009-06-01 Thread John Hardin
message with all headers intact, we may be able to suggest more precisely. Please don't post messages to the list; post them on pastebin or a webserver you control, and send the URL to the list. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: sa-update not updating since March 30.

2009-06-01 Thread John Hardin
On Mon, 1 Jun 2009, Ernie Dunbar wrote: We have a cron job that runs every day to update the spamassassin rules, but there have been no new updates since March 30. That's because there haven't been any updates recently. There's no firm schedule for releases of updates. -- John Hardin

Re: sa-update not updating since March 30.

2009-06-01 Thread John Hardin
On Mon, 1 Jun 2009, Ernie Dunbar wrote: John Hardin wrote: On Mon, 1 Jun 2009, Ernie Dunbar wrote: We have a cron job that runs every day to update the spamassassin rules, but there have been no new updates since March 30. That's because there haven't been any updates recently. There's

Re: Identifying Source of False Positives

2009-06-01 Thread John Hardin
on how to proceed greatly appreciated. Primarily I'd suggest you exclude locally-generated emails from SA completely. If you'd post the Received: headers from such a message and the procmail stanza where you pass messages to SA for scoring I could suggest something. -- John Hardin KA7OHZ

Re: Identifying Source of False Positives

2009-06-01 Thread John Hardin
On Mon, 1 Jun 2009, Rich Shepard wrote: On Mon, 1 Jun 2009, John Hardin wrote: If these are system-generated messages, something is improperly training SA that they are spam. Do you use autolearn? John, No. Once a week or so I run sa-learn specifying spam on the spam-uncaught mbox file

Re: Identifying Source of False Positives

2009-06-01 Thread John Hardin
On Mon, 1 Jun 2009, Rich Shepard wrote: On Mon, 1 Jun 2009, John Hardin wrote: Have you kept your spam and ham corpora? I'm not sure. The spam comes from the spam-uncaught file which is cleared each time it's run. Pity. If you're manually training it's a very good idea to retain your

Re: word doc spam

2009-06-02 Thread John Hardin
On Tue, 2 Jun 2009, Jean-Paul Natola wrote: Is there a rule to catch these messages with no body and a 550 byte word attachment? Can you post a sample somewhere for us? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk

Re: word doc spam

2009-06-02 Thread John Hardin
On Tue, 2 Jun 2009, Dave Walker wrote: John Hardin wrote: On Tue, 2 Jun 2009, Jean-Paul Natola wrote: Is there a rule to catch these messages with no body and a 550 byte word attachment? Can you post a sample somewhere for us? Hi, I assume he means the recent surge in rtf attachment

RE: word doc spam

2009-06-02 Thread John Hardin
On Tue, 2 Jun 2009, Jean-Paul Natola wrote: ftp://ftp.fcimail.org/IT/SA_Sample/message.txt Yep, the rules below will hit on that message. -Original Message- From: John Hardin [mailto:jhar...@impsec.org] Sent: Tuesday, June 02, 2009 11:18 AM To: SpamAssassin Users List Subject: Re

Re: word doc spam

2009-06-02 Thread John Hardin
email. Score accordingly. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: SpamAssassin error Interrupted system call

2009-06-02 Thread John Hardin
): Interrupted system call At that point, is spamd still running? If it is not, is there anything in the log indicating why spamd died? Does restarting spamd make it start working again? Does it die again after a few minutes? -- John Hardin KA7OHZhttp://www.impsec.org

Re: how to know what blacklists i'm checking against

2009-06-03 Thread John Hardin
that you have access to that's not served by the MTA you're troubleshooting. The error message they are seeing will be helpful in figuring out what is going on. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
the spamd system have? Has spamassassin _ever_ worked reliably for you? In other words, is this the first time you've used SA 3.2.5 and it's always had this problem, or was SA 3.2.5 working well for a long time and then it started failing? -- John Hardin KA7OHZhttp

Re: was failsafe option, old hardware

2009-06-03 Thread John Hardin
On Wed, 3 Jun 2009, Jari Fredriksson wrote: Hah. The CPU does not even have a cooler on it! All there is PSU fan. Such a machine can not waste energy, at least it does not generate heat.. I'd think that in Finland that would be a drawback rather than a benefit... :) -- John Hardin

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
failing? We have recently installed S.A OK. This means it may not have been installed correctly. I am not familiar with qmail or simscan. Perhaps someone else on the list will offer some advice. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- North

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
processes. Are you using any DNSBLs to reduce load within qmail at SMTP time, before the messages get passed off to SA for scoring? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
3 It's a bad idea to blindly reduce that. All of the base rules are assigned scores with the assumption that spam is at 5 points. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79

Re: FW: SpamAssassin error Interrupted system call

2009-06-03 Thread John Hardin
? Especially if it's all on the same box with only 1GB of RAM? That box is beginning to sound memory starved. I bet it's hitting swap. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C

Re: FCrDNS and localhost

2009-06-03 Thread John Hardin
other record type. It resolves locally without using DNS; see your /etc/hosts file. Similarly, 1.0.0.127.in-addr.arpa. has no PTR record indicating it should be called localhost. I think what Matus was saying is: 181.188.252.222.in-addr.arpa - localhost - 127.0.0.1 = FAIL. -- John Hardin KA7OHZ

Re: FCrDNS and localhost

2009-06-04 Thread John Hardin
On Thu, 4 Jun 2009, Adam Katz wrote: John Hardin wrote: I think what Matus was saying is: 181.188.252.222.in-addr.arpa - localhost - 127.0.0.1 = FAIL. And what I'm saying is that the second step of that: localhost - 127.0.0.1 doesn't work since localhost has no A record. So that data comes

Re: FCrDNS and localhost

2009-06-04 Thread John Hardin
On Thu, 4 Jun 2009, Adam Katz wrote: John Hardin wrote: So that data comes from /etc/hosts. How does that materially affect the FCrDNS sanity test? By definition, FCrDNS uses DNS lookups. Unless you're using dnsmasq, the entries in /etc/hosts are ignored during DNS lookups. Unless I'm

Re: FW: SpamAssassin error Interrupted system call

2009-06-04 Thread John Hardin
On Thu, 4 Jun 2009, Karsten Bräckelmann wrote: (a) Do you scan *all* messages, regardless of their size? Don't do that, but skip scanning for messages larger than about 500 kByte. If I remember his spamc options correctly, it was limited to 200kB. -- John Hardin KA7OHZ

Re: how to know what blacklists i'm checking against

2009-06-04 Thread John Hardin
On Fri, 5 Jun 2009, Lists wrote: John Hardin wrote: On Wed, 3 Jun 2009, Lists wrote: I am trying to trouble shoot why a particular server cannot send into our email system. There is no reference in the logs to this server ever trying to connect. Are users of that system getting

Re: FW: SpamAssassin error Interrupted system call

2009-06-04 Thread John Hardin
On Thu, 4 Jun 2009, Luis campo wrote: yes, we have configured the SA to 20 children Try setting it to 5. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507

Re: New slew of spams

2009-06-05 Thread John Hardin
On Fri, 5 Jun 2009, Jeremy Morton wrote: I've suddenly started getting a new slew of spams that are making their way through my SpamAssassin filter. Here's an example of one: http://pastebin.com/m586e296c Look for the MIME_NO_TEXT ruleset I posted a few days ago. -- John Hardin KA7OHZ

Re: word doc spam

2009-06-05 Thread John Hardin
On Tue, 2 Jun 2009, Yet Another Ninja wrote: On 6/2/2009 7:55 PM, John Hardin wrote: Oh, sorry, I got that backwards checking for _not_ PHP... Never mind those last rules. The mailer is going to be easy to change (even randomly) in a spam tool. I'd suggest that it's not valid to check

MIME_NO_TEXT

2009-06-05 Thread John Hardin
All: Sorry that the last iteration of the MIME_NO_TEXT rules (see the word doc spam message I just resent) didn't get sent to the list - it should have gone to the list but I didn't notice the discussion had gone off-list. -- John Hardin KA7OHZhttp://www.impsec.org

Re: check message body/subject for spam?

2009-06-06 Thread John Hardin
want to run it using a config that's customized to fake mail (i.e. with scores adjusted to reduce the effect of header tests like does the sending hostname look evil?, but it's absolutely technically doable. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar

Re: [sa] New slew of spams

2009-06-08 Thread John Hardin
. Is there any way you can upgrade to 3.2.5? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: [sa] New slew of spams

2009-06-08 Thread John Hardin
to SA! Many thanks. Don't hold your breath. I'm still new to this, there may be a lot of delay that I'm not aware of before those new rules get added to the 3.2.5 base. John Hardin wrote: Does hostmonster run sa-update at all? So if I understand correctly: currently there is no standard

Re: New slew of spams

2009-06-08 Thread John Hardin
-hosting environment. You don't want to risk someone malicious adding a denial-of-service rule. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: Private whitelisting

2009-06-08 Thread John Hardin
listings) I know how to aggregate the data, just want a clue offered as to how to call them from SA. Two ways: (1) Set up an internal DNS zone and do a negative-scoring DNSBL lookup, or (2) Do it at the MTA level and bypass SA for those IPs completely. -- John Hardin KA7OHZ

Re: New slew of spams

2009-06-10 Thread John Hardin
-administered hosted VM in order to get full control of SA? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: BOTNET timeouts?

2009-06-11 Thread John Hardin
. Is it truly *that* onerous to produce a 0.9 tarball that includes the patch, either as a standalone file or applied to the sources? As a plus, that would create a dist file with a newer date to reassure people that it's still an active development project. -- John Hardin KA7OHZ

Re: BOTNET timeouts?

2009-06-13 Thread John Hardin
indicator of what the quality of your contributions to list discussions will be, go back to lurking. Please. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread John Hardin
On Sun, 14 Jun 2009, Res wrote: It's the weekend and I was bored :) This list does not exist to provide you amusement. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C

Re: Botnet spam not being caught

2009-06-14 Thread John Hardin
be: header MSGIDIP Message-Id =~ /\...@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/ Refine that just a tiny bit: header MSGIDIP Message-Id =~ /\...@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/ -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: spamd crashing alot

2009-06-14 Thread John Hardin
? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Individual

Re: spamd crashing alot

2009-06-14 Thread John Hardin
see any error messages it generates when it crashes. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread John Hardin
On Mon, 15 Jun 2009, Res wrote: On Sat, 13 Jun 2009, John Hardin wrote: On Sun, 14 Jun 2009, Res wrote: It's the weekend and I was bored :) This list does not exist to provide you amusement. Last time I looked, Justin ran this list, not you. That's true. Fair enough, comment

Re: Suggested Change For FS_TEEN_BAD

2009-06-16 Thread John Hardin
On Tue, 16 Jun 2009, McDonald, Dan wrote: /\b(?:teens?|girls?|boys?... doesn't the first ?: negate that whole part of the test? No, that means don't capture the match, not this is optional. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread John Hardin
://www.nerdnetworks.org/spam/spam5 http://www.nerdnetworks.org/spam/spam6 Have you tried the Sought-Fraud ruleset? How about the SARE fraud ruleset? I use both and, with bayes, get only rare leakers - mostly very short ones. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-17 Thread John Hardin
upgrade to 3.2.5? Have you ever run sa-update? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-18 Thread John Hardin
. That said, I'm getting really poor scores on those from my 3.2.5 testbed (which does not have a trained bayes), so upgrading might not help much... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key

Re: Spoofed Email

2009-06-18 Thread John Hardin
from the internet, but I am not a postfix guru. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
them will help to. Are they actually in the message? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote: On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote: body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/ I've just noticed missing 'i' switch for your rule regexp. Is it a bug or a feature? :) That depends

Re: New www.medsXX.net spam

2009-06-20 Thread John Hardin
On Sat, 20 Jun 2009, Jeremy Morton wrote: John Hardin wrote: D'oh, /me checks pastebins from first message... Also, body rules match cleaned-up text with runs of spaces collapsed, so you don't need to use + or {1,...} Try this: /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s

Re: A difficult one to weed out?

2009-06-21 Thread John Hardin
reject list. Benny Pedersen wrote: On Sun, June 21, 2009 12:04, Jeremy Morton wrote: http://pastebin.com/m3b9629b6 http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174

Re: New www.medsXX.net spam

2009-06-21 Thread John Hardin
On Sun, 2009-06-21 at 23:21 +0200, mouss wrote: John Hardin wrote: /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/ you can replace meds by (meds|shop) to catch the www shop95 net variants. body URI_OBFU_MEDSHOP /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/ -- John

Re: 552 spam score (11.3) exceeded threshold

2009-06-22 Thread John Hardin
a bad idea to pass SA list email through SA... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: A difficult one to weed out?

2009-06-22 Thread John Hardin
On Mon, 22 Jun 2009, Jeremy Morton wrote: John Hardin wrote: On Sun, 21 Jun 2009, Jeremy Morton wrote: My SpamAssassin apparently isn't checking this blocklist; how do I get it to? Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org, which includes the cbl feed

Re: SORBS bites the dust

2009-06-22 Thread John Hardin
On Mon, 22 Jun 2009, Jeremy Morton wrote: All together now, 3... 2... 1... WOOHOOO!!! EXPN? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-22 Thread John Hardin
that net back onto the previous line. Is there an existing SA function to normalize HTML content before doing matches? Yeah. body rules. untested: body OBFU_URI_WWDD_2 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i -- John Hardin KA7OHZhttp

Re: Titter invite spam

2009-06-22 Thread John Hardin
On Mon, 22 Jun 2009, Cerebus wrote: The zip file contains a file with the name: document.pdf .exe (note the long run of spaces) My security sanitizer would quarantine that. http://www.impsec.org/email-tools/procmail-security.html -- John

Re: Titter invite spam

2009-06-23 Thread John Hardin
On Tue, 23 Jun 2009, Kenneth Porter wrote: --On Monday, June 22, 2009 5:59 PM -0700 John Hardin jhar...@impsec.org wrote: On Mon, 22 Jun 2009, Cerebus wrote: The zip file contains a file with the name: document.pdf .exe (note the long

Re: BAYES_99 score lint

2009-06-23 Thread John Hardin
too much about it. Try running a real message through SA with debugging turned on and see what it says: spamassassin -L -t --debug area=all,rules spam.msg > result 2>&1 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar

Re: SA on Windows XP + POP to desktop client?

2009-06-23 Thread John Hardin
?cn=vmwarecc=wwwst=1adv=0bn_uf=VMware_Site_appliances_dirbn_if=VMware_Site_appliances_dirq=spamassassin -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

cas...@snigelpost.org bounces?

2009-06-25 Thread John Hardin
Is anybody else getting bounces on mail they send to the list from cas...@snigelpost.org? If so, can we get him unsubscribed? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79

Re: cas...@snigelpost.org bounces?

2009-06-25 Thread John Hardin
On Thu, 25 Jun 2009, Benny Pedersen wrote: On Thu, June 25, 2009 19:09, John Hardin wrote: Is anybody else getting bounces on mail they send to the list from cas...@snigelpost.org? If so, can we get him unsubscribed? here i have seen 25 of this bouncers, i have added his sender ip

Re: Apache.org spam??

2009-06-25 Thread John Hardin
point out that I've had legitimate reason in the past to resend messages to the SA list. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin
for the latest incarnation of that spam, it means www. pill22. com. {sung to the tune of Peter Gabriel's Kiss That Frog} Whack that mole! /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i -- John Hardin KA7OHZhttp://www.impsec.org

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin
On Fri, 26 Jun 2009, Paweł Tęcza wrote: On 2009-06-26, Fri at 14:15 -0700, John Hardin wrote: On Fri, 26 Jun 2009, Paweł Tęcza wrote: On 2009-06-23, Tue at 09:39 +0200, Paweł Tęcza wrote: body OBFU_URI_WWDD_2 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread John Hardin
. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- False

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-28 Thread John Hardin
/trunk/sandbox/jhardin/20_fillform.cf -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin
. Do you really want to use the whole bunch of SA's URI tests against sentences like: ... looking at the www peter got an impression of ... (- www.peter.got?) TLDs are limited and prevent FPs of that particular nature. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin
On Tue, 30 Jun 2009, John Wilcock wrote: On 30/06/2009 17:16, John Hardin wrote: ... looking at the www peter got an impression of ... (- www.peter.got?) TLDs are limited and prevent FPs of that particular nature. Sure, but there are lots of ccTLDs that could be confused

Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin
server is full of it) of DNS checks but ZEN does not work... If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174

Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin
On Wed, 1 Jul 2009, Michelle Konzack wrote: On 2009-06-30 14:08:33, John Hardin wrote: If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? In Debian, the network related scans are activated and I do not know, why

Re: X-Mailer: domain

2009-06-30 Thread John Hardin
a loose X-Mailer-looks-like-a-domain-name rule. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: X-Mailer: domain

2009-06-30 Thread John Hardin
On Wed, 1 Jul 2009, Karsten Bräckelmann wrote: On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote: On Wed, 1 Jul 2009, Benny Pedersen wrote: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check

Re: AE_MEDS35 does not more work...

2009-07-02 Thread John Hardin
harness is different but I verified that the RE is the same. Can you post the original raw message to a pastebin, please? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4

RE: constantcontact.com

2009-07-03 Thread John Hardin
a 5xx that says I will never accept any mail from you. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: good Spamassassin Summary report

2009-07-03 Thread John Hardin
-- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- USMC Rules

Re: AE_MEDS35 does not more work...

2009-07-05 Thread John Hardin
;) Now I catch also www. ca35. net. spam. www. c3. net. flood should be caught in the future too. It would probably be a good idea to extend it in the other direction a bit as well... \w{1,15}\d{1,10} -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Spam gathering contact details

2009-07-05 Thread John Hardin
. I announced it on the list last week: http://www.nabble.com/forum/ViewPost.jtp?post=24248244framed=y -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76

Re: Spam gathering contact details

2009-07-05 Thread John Hardin
On Sun, 5 Jul 2009, John Hardin wrote: On Sun, 5 Jul 2009, MySQL Student wrote: Hi, I'm receiving a lot of spam that I can't catch containing fields where the recipient is supposed to enter their contact details, like this: Full Legal Name : Address : City : State : Zip code

Re: Spam gathering contact details

2009-07-05 Thread John Hardin
with. Also consider meta-ing (FILL_THIS_FORM_LONG || FILL_THIS_FORM_ML) with other rules rather than simply increasing _LONG directly. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79

Re: SA scores zero... sometimes

2009-07-06 Thread John Hardin
a bug and attach the message as evidence. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: SA scores zero... sometimes

2009-07-06 Thread John Hardin
carriage return in the following received line: Received: from outbound-mail-324.bluehost.com (outbound-mail-324.bluehost.com [67.222.55.5]) d'oh! Never mind the bugzilla recommendation. Where'd my eyedrops go...? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar

Re: SA scores zero... sometimes

2009-07-06 Thread John Hardin
://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: SA scores zero... sometimes

2009-07-06 Thread John Hardin
installation. So perhaps I just need to tweak some rules. Could you add a procmail rule near the top to log the X-Spam-Status header? That will make troubleshooting easier. :0 * ^\/X-Spam-Status: .* { LOG=$MATCH } -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin

Re: regex anchor for start of line in body

2009-07-06 Thread John Hardin
to for body rules: body ALL_BODY /.+/ You also need a m flag. :) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: [sa] regex anchor for start of line in body

2009-07-07 Thread John Hardin
troubleshooting rule I suggested for test use. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: [sa] regex anchor for start of line in body

2009-07-07 Thread John Hardin
inserting line breaks would be a trivial way to avoid many SA rules. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Re: ending rule score result

2009-07-07 Thread John Hardin
text inline or at the end, so that it reads like a conversation. That's been Best Practice for decades. google top posting considered harmful. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key

Re: URI-DNSBL problem with spamassassin 3.2.5

2009-07-07 Thread John Hardin
On Tue, 7 Jul 2009, Mark Martinec wrote: It is not the DNS query that is a problem here. Eddy: What happens when you run the test using -L (no network tests)? Does it still take as long? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org

Re: Perl Error: CHARSETS_LIKELY_TO_FP_AS_CAPS on SA

2009-07-08 Thread John Hardin
On Wed, 8 Jul 2009, Terry Carmen wrote: SpamAssassin version 3.1.9 That's *way* old. Is there any chance you can upgrade to 3.2.5? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79

Re: Perl Error: CHARSETS_LIKELY_TO_FP_AS_CAPS on SA

2009-07-08 Thread John Hardin
with the configuration. Well, if the problem _does_ migrate, you're more likely to get help troubleshooting it running 3.2.5 than you are running 3.1.9... :) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key

Re: Perl Error: CHARSETS_LIKELY_TO_FP_AS_CAPS on SA

2009-07-08 Thread John Hardin
time; you can't mix CPAN and distro packages and tarball, things will get confused. I suspect that's what happened here. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4

Re: Am I fscking up my bayes db?

2009-07-09 Thread John Hardin
} { if (act == copy) { print } } ' $f temp.txt mv temp.txt $f done ...wouldn't that mangle wrapped X-Spam headers? -- John Hardin KA7OHZ

Re: Perl Error: CHARSETS_LIKELY_TO_FP_AS_CAPS on SA

2009-07-09 Thread John Hardin
dependencies and I believe that's exactly what happened. That comment only applies to SA itself, not the various CPAN libraries (e.g. Net::DNS) that it depends on. I personally have not had problems using CPAN to install non-SA modules with a distro-installed SA package. -- John Hardin KA7OHZ
