Re: SA Concepts - plugin for email semantics

2016-05-25 Thread Merijn van den Kroonenberg
> > With David's help I have tracked down the problem(s). Version 0.02 is > up. Would be interested to hear your thoughts - even if just theoretical > about the effect on the Bayes DB. Just in theory, I am curious what part of the Bayes filter you hope to improve? I think you are not adding any *n

Re: SA Concepts - plugin for email semantics

2016-05-25 Thread Merijn van den Kroonenberg
or bayes? It would be interesting to see what a new bayes db would do which is ONLY trained with your concepts keywords. This would be a very small bayes db i guess. Curious if it could be effective in any way. > > Paul > > On 25/05/16 09:02, Merijn van den Kroonenberg wrote: >>&g

Re: Bayes filter marking everything as ham

2016-06-02 Thread Merijn van den Kroonenberg
>> On Thu, 2016-06-02 at 12:28 +0200, Matus UHLAR - fantomas wrote: >> > > Therefore I agree that there could be better way of noticing admins >> > > of a [URIBL_BLOCKED] issue. >> >> create and install a logwatch service that scans /var/log/maillog >> for lines containing "URIBL_BLOCKED" - this i
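
The log scan suggested above, as an added example that is not part of the thread: it walks spamd "result:" lines, counts how many scanned messages carried URIBL_BLOCKED, and says whether the admin should be told. It assumes the spamd log format in which the rules that fired appear as a comma-separated field after " - "; the sample log lines are constructed.

```python
"""Scan a mail log for URIBL_BLOCKED hits (added example, not from the thread).

Assumes spamd "result:" log lines, in which the rules that fired appear as a
comma-separated field after " - ". The sample below is constructed.
"""
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines.
SAMPLE_LOG = """\
Jun  2 10:01:03 mx1 spamd[1234]: spamd: result: Y 7 - BAYES_99,URIBL_BLOCKED,HTML_MESSAGE scantime=1.2,size=2048,user=alice
Jun  2 10:01:09 mx1 spamd[1234]: spamd: result: . 0 - DKIM_VALID,HTML_MESSAGE scantime=0.4,size=1024,user=bob
Jun  2 10:02:11 mx1 spamd[1234]: spamd: result: . 1 - URIBL_BLOCKED,HTML_MESSAGE scantime=0.9,size=4096,user=carol
Jun  2 10:03:00 mx1 postfix/smtpd[999]: connect from unknown[192.0.2.10]
"""

RESULT_RE = re.compile(r"spamd: result: [Y.] -?\d+ - (?P<rules>\S+)")

def summarise(log_text, marker="URIBL_BLOCKED"):
    """Count scanned messages and those whose rule list contains `marker`.

    Returns a dict with the totals plus a Counter of every rule seen, so the
    same pass can feed a daily report.
    """
    scanned = blocked = 0
    rules_seen = Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a spamd result line (e.g. postfix chatter)
        scanned += 1
        rules = [r for r in m.group("rules").split(",") if r and r != "-"]
        rules_seen.update(rules)
        if marker in rules:
            blocked += 1
    return {"scanned": scanned, "blocked": blocked, "rules": rules_seen}

def should_alert(summary):
    """URIBL_BLOCKED means the DNSBL refused the query from your resolver
    (public resolvers and high-volume sites exceed the free limit), so even
    a single hit is actionable: every message scanned lost those lookups."""
    return summary["blocked"] > 0

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['blocked']}/{s['scanned']} scanned messages hit URIBL_BLOCKED")
    if should_alert(s):
        print("ALERT: URI DNSBL lookups are being refused; check the resolver")
```

Run it once a day from cron (or as a logwatch service) against the previous day's log; the ratio is the useful number, since a handful of hits during a burst looks very different from every message being blocked.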

Re: Email with attachment caused 100% CPU usage.

2016-06-10 Thread Merijn van den Kroonenberg
> On 9 Jun 2016, at 0:53, Henrik K wrote: > >> Garbage text/plain is known problem.. > > text/html too. From GMail. > > Last week I had a *perfectly legitimate* message with a 151KB logical > single line of HTML (QP encoded of course) freeze up a server scaled for > 10k users. > [snip] Are there p

Re: Email with attachment caused 100% CPU usage.

2016-06-10 Thread Merijn van den Kroonenberg
> > > Am 10.06.2016 um 04:49 schrieb Bill Cole: >> On 9 Jun 2016, at 0:53, Henrik K wrote: >> >>> Garbage text/plain is known problem.. >> >> text/html too. From GMail. >> >> Last week I had a *perfectly legitimate* message with a 151KB logical >> single line of HTML (QP encoded of course) freeze u

Re: Which DNSBLs do you use?

2016-06-16 Thread Merijn van den Kroonenberg
> Agreed. > > We use sendmail, and check our DNSBLs there, it is much more efficient to > use them before we ever engage SA. It is extremely rare to find an IP that > lands on a reputable DNSBL and in those cases we can whitelist. Of course > most of our traffic is B2B, not sure how effective this

Re: DKIM and spoofing

2016-06-21 Thread Merijn van den Kroonenberg
> Hi, > > We've been having a problem with phishing attacks by spoofing the > MAILFROM and From address. [snip] > The message passes DKIM: > > -0.1 DKIM_VALID Message has at least one valid DKIM or DK > signature > 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not > n

Re: Protected Sky?

2016-06-29 Thread Merijn van den Kroonenberg
> On Tue, 28 Jun 2016 16:10:12 +0200 > Reindl Harald wrote: > >> Am 28.06.2016 um 16:00 schrieb RW: >> > On Mon, 27 Jun 2016 22:15:30 +0200 >> > Reindl Harald wrote: >> > >> >> Am 27.06.2016 um 21:27 schrieb Vincent Fox: >> >>> I saw a reference today in my MxToolbox report, to an RBL named >> >>>

Re: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Merijn van den Kroonenberg
> On Tue, 9 Aug 2016 08:45:54 + > Nicola Piazzi wrote: > >> whitelist_from_rcvd is intended to legitimate a single domain, >> specifying domain by domain >> >> I need something that tells me that checks all incoming email and says >> if the originating IP (or class C) is the same as the MX record >> >

Re: Spoofed Domain

2016-08-10 Thread Merijn van den Kroonenberg
> Hmm. Tagging the message is an option. Though I think I'd rather just > reject...that seems to make more sense. I'll need to do some research on > how to reject messages with a from and to domain of my domain that match > that are being sent from an external network. In theory, these messages > s

Re: DKIM Score

2016-08-15 Thread Merijn van den Kroonenberg
> Hi, > > How to set up to give a high score for a specific domain that cannot pass the DKIM test? > > For example: My own email domain is example.com > > Any incoming email from: example.com that does not pass the DKIM test: score 10.0 > describe __DKIM_REQUIRED Require a valid DKIM signature for these domains heade

RE: DKIM Score

2016-08-16 Thread Merijn van den Kroonenberg
> Besides, can I change the lines as following? > > header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i > . > . > > > As I have lots of domain to handle. You
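
The per-domain DKIM requirement discussed in this thread, as an added example that is not code from the thread: it builds one anchored regex for the whole domain list (rather than repeating `header __DKIM_REQUIRED` lines, which redefine the rule instead of OR-ing the patterns), evaluates the `__DKIM_REQUIRED && !DKIM_VALID_AU` combination in plain Python, and renders the equivalent SpamAssassin lines. The domain list is an assumption.

```python
"""Require DKIM for mail claiming to be from our own domains (added example).

Not code from the thread: it mirrors the logic of the rule being discussed
(a __DKIM_REQUIRED From:addr match combined with !DKIM_VALID_AU) and also
emits the SpamAssassin lines for it. The domain list is an assumption.
"""
import re

OUR_DOMAINS = ["example.com", "example.org", "example.nl"]  # assumed list

def build_from_domain_regex(domains, include_subdomains=False):
    """One anchored, case-insensitive alternation for all domains.

    Building it with re.escape avoids hand-typed mistakes such as a stray
    space inside the group, which would silently never match.
    """
    alts = "|".join(re.escape(d) for d in domains)
    labels = r"(?:[a-z0-9-]+\.)*" if include_subdomains else ""
    return re.compile(r"@" + labels + r"(?:" + alts + r")$", re.IGNORECASE)

def dkim_required_hit(from_addr, dkim_valid_au, domains=OUR_DOMAINS,
                      include_subdomains=False):
    """Equivalent of: meta DKIM_REQUIRED __DKIM_REQUIRED && !DKIM_VALID_AU

    dkim_valid_au is whether SpamAssassin's DKIM_VALID_AU fired, i.e. a valid
    signature whose d= aligns with the From: domain.
    """
    rx = build_from_domain_regex(domains, include_subdomains)
    return bool(rx.search(from_addr.strip())) and not dkim_valid_au

def render_sa_rules(domains=OUR_DOMAINS, score=10.0):
    """Render the equivalent SpamAssassin config as a single header rule."""
    alts = "|".join(d.replace(".", r"\.") for d in domains)
    return "\n".join([
        f"header   __DKIM_REQUIRED From:addr =~ /\\@(?:{alts})$/i",
        "meta     DKIM_REQUIRED __DKIM_REQUIRED && !DKIM_VALID_AU",
        "describe DKIM_REQUIRED From: claims one of our domains but lacks a valid aligned DKIM signature",
        f"score    DKIM_REQUIRED {score:.1f}",
    ])

if __name__ == "__main__":
    print(render_sa_rules())
    print(dkim_required_hit("ceo@example.com", dkim_valid_au=False))
```

Before scoring this at 10.0, check who legitimately sends as your domains from outside (ticket systems, newsletter providers, forwarders and mailing lists that rewrite bodies): every one of them must sign with a key under your domain, or this rule will reject your own mail.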

Re: SoughtRules

2016-08-30 Thread Merijn van den Kroonenberg
> On Mon, 29 Aug 2016, Anthony Hoppe wrote: > >> I just learned about the sought ruleset via >> https://wiki.apache.org/spamassassin/ImproveAccuracy. Is this ruleset >> still actively maintained? I'm considering implementing it in my >> environment, but want to make sure just in case. > > Sadly,

Re: SoughtRules

2016-08-30 Thread Merijn van den Kroonenberg
> > I now realize you asked about SOUGHT while I gave you a bit of SARE > history . > > SOUGHT rules were created by Justin Mason, SA's chief dev/inventor for > many years. > > They were also independent from the Apache SpamAssassin project and when > he moved on to a new job area, he opted to shu

Plugin development: Node get_header / _decode_header

2016-08-30 Thread Merijn van den Kroonenberg
Actually I am not sure if this is the correct list, as it's about plugin development.. (is that users or dev?) I have a plugin for detecting attachment file types. It uses the Mail::SpamAssassin::Message::Node get_header method for getting the content type header (and thus the attachment filename). H

new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-06 Thread Merijn van den Kroonenberg
Hello List, I decided to publish a SA Plugin we use over here. The Plugin will check if attachments with a certain file extension are present in the mail. This can be either directly attached or inside a zip archive. It only supports zip and no other archive types (yet). It's useful to create sco

Re: new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-07 Thread Merijn van den Kroonenberg
>> [snip] >> body HAS_VBS_FILES eval:attachmentpresent_file_count('vbs') >> describe HAS_VBS_FILES The e-mail has attached vbs files (or inside >> archives) >> score HAS_VBS_FILES 2.5 > > This looks very interesting. The scores you've specified seem to be > quite high, however. I'd probably make t
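
The check that the plugin announcement and the `attachmentpresent_file_count('vbs')` rule above describe, as an added example in plain Python and not the plugin's own code: it walks the MIME parts, collects attachment filenames, and lists the member names of zip attachments without decompressing anything. Only zip is handled and nested archives are not opened, matching what the announcement says the plugin supports; the sample message is constructed.

```python
"""Count attachments with a given extension, including inside zip archives.

Added example, not the plugin's own code: it reproduces the check described
for attachmentpresent_file_count('vbs') in plain Python. Only zip is handled,
nested archives are not opened, and the sample message is constructed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_ZIP_MEMBERS = 1000          # assumption: cap work on hostile archives
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def zip_member_names(payload):
    """Names from the zip central directory; nothing is decompressed, so a
    zip bomb costs no more than reading its directory, and the names are
    visible even when the members are password-protected."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [zi.filename for zi in zf.infolist()[:MAX_ZIP_MEMBERS]]
    except zipfile.BadZipFile:
        return []

def attachment_filenames(raw_msg):
    """All attachment filenames in the message, plus zip member names."""
    msg = message_from_bytes(raw_msg, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if not fname:
            continue
        names.append(fname)
        if fname.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            names.extend(zip_member_names(part.get_payload(decode=True) or b""))
    return names

def file_count(raw_msg, ext):
    """Equivalent of attachmentpresent_file_count(ext): case-insensitive."""
    suffix = "." + ext.lower().lstrip(".")
    return sum(1 for n in attachment_filenames(raw_msg) if n.lower().endswith(suffix))

def build_sample():
    """Constructed message: a zip holding invoice.vbs and readme.txt, plus a
    bare notes.VBS attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.vbs", 'MsgBox "hello"\r\n')
        zf.writestr("readme.txt", "nothing to see\r\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"WScript.Echo 1\r\n", maintype="application",
                       subtype="octet-stream", filename="notes.VBS")
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample()
    print("attachments:", attachment_filenames(sample))
    print("vbs files:", file_count(sample, "vbs"))
```

Two caveats a rule like HAS_VBS_FILES inherits from this approach: the extension comes from the attacker-controlled filename, so a `.vbs` renamed to `.txt` is invisible (pair it with content sniffing where that matters), and a zip inside a zip is not inspected unless you add recursion with a depth limit.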

Re: SPF PermError or TempError cannot hit

2017-01-19 Thread Merijn van den Kroonenberg
> I realized that the rules T_SPF_PERMERROR and T_SPF_TEMPERROR were never > hitting on my emails even though my Postfix log had multiple instances > of such errors, e.g. this timeout Hmm, that's weird, they hit just fine over here... > > 2017-01-16 14:03:35-0500 [postfix] 10111.5ms ip=173.37.142.

Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread Merijn van den Kroonenberg
> On Thu, 20 Apr 2017 10:41:21 -0400 > Lyle Evans wrote: > >> I have been getting false positives from Yahoo due to >> FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo >> about 3/31/17 >> >> The X-Mailer line reads: >> >> X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windo

Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-21 Thread Merijn van den Kroonenberg
> On Thu, 20 Apr 2017, Lyle Evans wrote: > >> At 01:00 PM 4/20/2017, John Hardin wrote: >>> On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote: >>> >>> > > On Thu, 20 Apr 2017 10:41:21 -0400 >>> > > Lyle Evans wrote: >>>

Re: Google Safe Browsing plugin?

2017-04-25 Thread Merijn van den Kroonenberg
> Hi everyone, > > I want to try and detect malicious uri in the body of emails better and > thought there might be something I could use, since I imagine google have > a good list of them. I found this link, but it fails to install. > > http://search.cpan.org/~danborn/Bundle-SafeBrowsing/lib/Bundl

Re: Google Safe Browsing plugin?

2017-04-25 Thread Merijn van den Kroonenberg
>> Hi everyone, >> >> I want to try and detect malicious uri in the body of emails better and >> thought there might be something I could use, since I imagine google >> have >> a good list of them. I found this link, but it fails to install. >> >> http://search.cpan.org/~danborn/Bundle-SafeBrowsing

Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Merijn van den Kroonenberg
> On Wed, 3 May 2017, Alex wrote: > >> Hi, >> >> If you haven't heard, there was a huge Google Docs phishing attack >> today. [snip] >> Have you received any of these? Have you done anything to prevent them >> next time or from being received this time? > > That target domain "g-docs . pro" was reg

DKIM_VALID EnvelopeFrom

2017-05-05 Thread Merijn van den Kroonenberg
Hi, I want to test in SA if the Envelope From domain is DKIM_VALID. I do some processing of SA maillogs and they contain the EnvelopeFrom address (and not the From address) and I would like to know if they are DKIM_VALID. Till now I have been using DKIM_VALID_AU, but this information is no good

Re: DKIM_VALID EnvelopeFrom

2017-05-05 Thread Merijn van den Kroonenberg
> Merijn van den Kroonenberg skrev den 2017-05-05 11:37: > >> I want to test in SA if the Envelope From domain is DKIM_VALID. > > you basically ask how to use sender-id :( No, I am not interested in sender-id, which is based on SPF. I merely want to know if the mail is DKIM sign

Re: DKIM_VALID EnvelopeFrom

2017-05-05 Thread Merijn van den Kroonenberg
> On 05.05.17 11:37, Merijn van den Kroonenberg wrote: >>I want to test in SA if the Envelope From domain is DKIM_VALID. > > the envelope from can't be DKIM-VALID. DKIM validated message content, > including some of its headers, not envelope from address. I know. I do n

Re: Spam eml hangs sa

2017-06-16 Thread Merijn van den Kroonenberg
> Hi Guys! > > I've noticed high cpu load in our mail server which was caused by a spam > message with some unusual content. > Example of a few bad rows. A message had ~11k similar rows > https://pastebin.com/syPx7kHk Maybe you can provide a full/complete sample mail so we can run the message oursel

Re: Errors since upgrading to 3.4.1: "meta test ... with a zero score"

2017-06-16 Thread Merijn van den Kroonenberg
> On Thu, 15 Jun 2017, Gerald Turner wrote: > >> spamd[32137]: rules: meta test FREEMAIL_FORGED_FROMDOMAIN has >> dependency 'HEADER_FROM_DIFFERENT_DOMAINS' with a zero score >> [snip] >> - Is there a bug with the project's sa-update channel / auto- >>mass-check setup? > > That's what it soun

Re: Exchange 2010 rewrite headers whimsically

2017-07-03 Thread Merijn van den Kroonenberg
> Hi everybody! > According to Microsoft > https://technet.microsoft.com/en-us/library/aa996806(v=exchg.141).aspx > Exchange 2010 only rewrites some headers BUT... I am seeing it > modifying any header in a whimsical way... > Headers starting by X- are deleted every other day, and today I am

Re: updates.spamassassin.org gone?

2017-07-06 Thread Merijn van den Kroonenberg
> Hi > > I get the same, who do we report it to? David, who works on these issues, will read it here; he follows the list. > > > Michael > > > On 06/07/17 09:06, Rainer Sokoll wrote: >> Hi, >> >> for at least the last 2 days, updates.spamassin.org does not resolve >> anymore: >> >> ~$ host updates.

Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Merijn van den Kroonenberg
> Hi Benny, > > As Michael pointed out and I emailed you off-list, yes, you are reading > the header incorrectly. > > Focusing on just the tests, you hit URIBL_BLOCKED. Here's the According to the headers he posted, it is not Benny who hit the URIBL_BLOCKED but indeed apache infra: X-Virus-Scann

Re: message/rfc822 to mbox script for use with sa-learn workflow

2017-08-15 Thread Merijn van den Kroonenberg
> I have a script that can take spam/ham messages forwarded as attachments > from > Outlook and turn them into rfc822 individual files. It allows external > users to send me Outlook spam/ham for review. I will in turn feed > sa-learn > with those messages once vetted. That part of the process is

Re: block phishing spam

2017-08-28 Thread Merijn van den Kroonenberg
> hi > > we are constantly getting spam which has the following in the body of the > email > > dear u...@domain.com > > where u...@domain.com is the mailto email id, i.e. our customer's email id > > is there a way to mark emails containing the mailto email id in the body > of the email as spam? > > n

Re: block phishing spam

2017-08-28 Thread Merijn van den Kroonenberg
> On 08/27/2017 10:24 PM, Rajesh M wrote: >> hi >> >> we are constantly getting spam which has the following in the body of >> the email >> >> dear u...@domain.com >> >> where u...@domain.com is the mailto email id, i.e. our customer's email id >> >> is there a way to mark emails containing the mailto
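
The check asked for in this thread, as an added example that is not code from the thread: flag a message whose salutation is the recipient's own address. It takes recipients from To:/Cc: (an assumption; at the MTA the envelope recipient is the better source) and only counts an address that directly follows a salutation, because signatures, password-reset mails and quoted replies legitimately contain the recipient's address elsewhere. The two messages are constructed.

```python
"""Flag mail whose salutation is the recipient's own address (added example).

Not code from the thread; it checks the pattern described ("dear
user@domain" where that is the recipient). Recipients are taken from To:/Cc:
(assumption: at the MTA you would use the envelope recipient instead), and
the messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses

SALUTATION_RE = r"\b(?:dear|hello|hi|attention)[\s:,]+"

def plain_text(msg):
    """Concatenate the text/plain bodies (HTML parts are ignored here)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_content())
    return "\n".join(chunks)

def recipient_addresses(msg):
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if "@" in addr}

def salutation_is_recipient(raw):
    """Return the recipient addresses that appear directly after a
    salutation; a bare mention elsewhere (signatures, reset links) is not
    counted, which keeps false positives down."""
    msg = message_from_string(raw, policy=policy.default)
    text = plain_text(msg)
    hits = []
    for addr in sorted(recipient_addresses(msg)):
        if re.search(SALUTATION_RE + re.escape(addr), text, re.IGNORECASE):
            hits.append(addr)
    return hits

# Constructed samples.
PHISH = """\
From: "Mail Admin" <admin@example.net>
To: bob@example.com
Subject: Mailbox quota
Content-Type: text/plain; charset=us-ascii

Dear bob@example.com,

Your mailbox is full. Click here to verify.
"""

HAM = """\
From: alice@example.org
To: Bob <bob@example.com>
Subject: lunch
Content-Type: text/plain; charset=us-ascii

Hi Bob, still on for lunch?

--
sent to bob@example.com by alice
"""

if __name__ == "__main__":
    print("phish:", salutation_is_recipient(PHISH))
    print("ham:  ", salutation_is_recipient(HAM))
```

In SpamAssassin terms this is a body rule that depends on the recipient, so it cannot be a static regex; it needs a plugin (or a per-user rule generated from the local address list), and it is a cheap signal rather than a verdict: combine it with the other phishing indicators rather than scoring it alone.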

Re: SA not receiving fixed FORGED_MUA_MOZILLA update?

2017-09-15 Thread Merijn van den Kroonenberg
> On 15/09/17 11:41, Kevin A. McGrail wrote: >> On 9/15/2017 6:11 AM, Sebastian Arcus wrote: >>> I am having problems with false positives for FORGED_MUA_MOZILLA for >>> Yahoo emails. I see this has been already dealt with here and pushed >>> to the 3.4 and trunk branches: >>> >>> https://bz.apache

Re: SA not receiving fixed FORGED_MUA_MOZILLA update?

2017-09-15 Thread Merijn van den Kroonenberg
> On 9/15/2017 6:54 AM, Sebastian Arcus wrote: >> Thank you for the reply. Does that mean that no new rules have been >> pushed to SA installations in the past 5 months - or only some rules >> get pushed through? > > The system has been "down" since March 15 in that everything is working > but we a

Re: getting help with SA sysadmin (was: SA not receiving fixed FORGED_MUA_MOZILLA update?)

2017-09-15 Thread Merijn van den Kroonenberg
> On 9/15/2017 7:43 AM, Merijn van den Kroonenberg wrote: >> It sounds a bit like you guys are hitting a wall? >> >> Could any help from the community get things going again? If so, what >> kind >> of skillset would be useful to tackle this thing? > > Yes, he

Re: getting help with SA sysadmin

2017-09-15 Thread Merijn van den Kroonenberg
> On Sep 15, 2017, at 9:46 AM, David Jones wrote: >> 3. I have narrowed down the problem to the general area of a perl >> Makefile which builds a custom garescorer.c file which does some >> statistical analysis to determine the best score for rules in the >> 72_scores.cf. These 72_scores.cf are e

Re: getting help with SA sysadmin

2017-09-18 Thread Merijn van den Kroonenberg
> On Sep 15, 2017, at 12:24 PM, David Jones wrote: >> You kinda have to work backwards through the scripts to find what is >> generating the scores-set0 file and turning it into 72_scores.cf. I am >> grep'ing through the work dir on the SA server now but it contains a lot >> of files. I need to

Re: Writing rules to parse Kaspersky-headers

2017-09-26 Thread Merijn van den Kroonenberg
>> at third, the last rule should be rewritten, the {2} does not do what you >> apparently mean it does: >> >> header KLMSSPAM_90 X-KLMS-AntiSpam-Rate =~ /^(?:9[0-9]|100)$/ >> >> should do what you expect. > > Unfortunately not... > > Same behaviour. Nothing changes... maybe you can prov

Re: MSBL Email Blocklist (EBL) SA usage query

2017-10-16 Thread Merijn van den Kroonenberg
> On 10/16/2017 10:04 AM, John Hardin wrote: >> On Mon, 16 Oct 2017, David Jones wrote: >> >>> I guess this means I am getting more pressure to fix the nightly >>> masscheck process that has been holding up any rule updates or new >>> versions of SA code. I have been thinking about a "band-aid" opt

Re: FROM header with two email addresses

2017-10-24 Thread Merijn van den Kroonenberg
> Hello all, I was the original poster of this topic but was away for a > couple of days. > I find it amazing to see the number of suggestions and ideas that have > come up here. > > However none of the constructions matched "my" From: lines of the form > > From: "Firstname Lastname@" sendern...@re

Re: Bank fraud phish

2017-10-25 Thread Merijn van den Kroonenberg
> Hi all, I'm wondering if someone has some ideas to handle bank fraud > phishing emails, and in particular this one: > > https://pastebin.com/wxFtKK16 > > It doesn't hit bayes99 because we haven't seen one before, and txrep > subtracts points. It also doesn't hit any blacklists. > > Ideas for bloc

Re: New rule --- From:name domain mismatches From:addr domain

2017-10-25 Thread Merijn van den Kroonenberg
> > This may not be representative but I found that the rest of of the FPs > could have been avoided with > > && (FREEMAIL_FROM || !DKIM_VALID_AU) > > the spam rarely hits DKIM_VALID_AU unless it's freemail. Actually a decent portion of spam is sent with DKIM_VALID_AU, either from spammer owned
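
The rule this thread is about, as an added example that is not code from the thread: it pulls a domain-looking token out of the From: display name, compares it with the From: address domain, and applies the false-positive terms quoted in the reply (`FREEMAIL_FROM || !DKIM_VALID_AU`) with those two SpamAssassin results passed in as booleans. The domain token pattern is a deliberately loose heuristic, and the headers are constructed.

```python
"""From: display name carrying a domain that differs from From: addr (added example).

Not code from the thread. It implements the mismatch check the rule is about
and the FP-limiting terms quoted in the reply (FREEMAIL_FROM || !DKIM_VALID_AU),
taking those two SpamAssassin results as booleans. Headers below are constructed.
"""
import re
from email.utils import parseaddr

# Loose "looks like a domain" token; "Dr.Who" would also match, so treat this
# as a heuristic, like the rule under discussion.
DOMAIN_TOKEN_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,24}(?![\w-])",
                             re.IGNORECASE)

def name_domain_mismatch(from_header):
    """True if the display name contains a domain that is neither the addr
    domain nor related to it as parent/subdomain; None when the name has no
    domain-like token or the header carries no address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    addr_domain = addr.rsplit("@", 1)[1].lower()
    name_domains = {m.group(0).lower() for m in DOMAIN_TOKEN_RE.finditer(name)}
    if not name_domains:
        return None

    def related(a, b):
        return a == b or a.endswith("." + b) or b.endswith("." + a)

    return any(not related(d, addr_domain) for d in name_domains)

def rule_hit(from_header, freemail_from, dkim_valid_au):
    """meta-style: mismatch && (FREEMAIL_FROM || !DKIM_VALID_AU)."""
    return bool(name_domain_mismatch(from_header)) and (freemail_from or not dkim_valid_au)

if __name__ == "__main__":
    # Constructed headers.
    for hdr in ['"ceo@bank.example" <random@freemail.example>',
                '"Alice Example" <alice@example.com>',
                '"alerts@bank.example" <noreply@mail.bank.example>']:
        print(hdr, "->", name_domain_mismatch(hdr))
```

The reply above makes the point that spammers do send with DKIM_VALID_AU from domains they own, which is exactly why the `!DKIM_VALID_AU` term only trims false positives and cannot carry the rule: a valid aligned signature proves the sender controls the address domain, not that the name in front of it is honest.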

Re: Ruleset updates via nightly masscheck status

2017-10-27 Thread Merijn van den Kroonenberg
>> >> Please provide feedback in the next 48 hours -- positive or negative so >> I know we are good to enable DNS updates again on Sunday. >> > > After installing these rules, I'm seeing one warning in my log during > spamassassin reload: > > Oct 27 09:48:24 myhostname spamd[16256]: rules: failed

Re: Rule updates?

2017-11-06 Thread Merijn van den Kroonenberg
> I saw some messages on the list indicating that rule updates were going > to resume starting about a week ago. I haven't heard anything since and > still have not seen any updates. What is the current status? It's a work in progress, there was some feedback and some changes which had to be ma