Thanks Kevin,
I did a similar rule to detect it but with a higher score (3) since we are seeing
a huge LinkedIn phishing campaign using this technique, that on purpose or by
mistake is evading most SA rules...
I agree that Thunderbird may be doing it wrong. Outlook seems to do it right.
Correction:
Some Outlook versions do show the email just as Thunderbird does.. so most
users can see the email but SA...
From: Pedro David Marco <pedrod_ma...@yahoo.com>
To: Kevin A. McGrail <kmcgr...@pccc.com>; SA Mailing List
<users@spamassassin.apache.org>
Sent:
Hi!
i have noticed that when an email contains these (wrong) headers:
Content-Type: text/html; charset="utf-8"Content-Transfer-Encoding: base64
as SMTP headers, not MIME headers, and the email body is not base64 encoded,
email clients such as Thunderbird show the content correctly but SpamAssassin body
Hi everybody...
Is it possible to have an asynchronous plugin for something not DNS/RBL related?
I would like to write a simple plugin to check some local Databases (cannot use
rbldnsd) that takes long so making it asynchronous seems the best idea..
If possible, can anyone provide any skeleton,
>You should be able to use the other asynchronous plugins as a reference
>as well.
Thanks... but i cannot find documentation about things like
"register_async_rule_start()" for example... can anyone point me to where it
is documented, please?
Thanks! Pedro.
Hi!
I am using "Local tests only" mode of SA to prevent any network checks, but
there is one URIBL i would like to use (as an exception).. is it possible to do
this???
I have added this rule to local.cf:
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK
users@spamassassin.apache.org
Sent: Saturday, September 3, 2016 1:57 PM
Subject: Re: Local mode with some URI checks. Possible??
On 03.09.16 09:32, Pedro David Marco wrote:
>Thanks Axb, I already did it, but i could not find any reasonable way to
>disable all network checks but one.
>
To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
Sent: Sunday, September 4, 2016 9:52 PM
Subject: Re: Local mode with some URI checks. Possible??
On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
> there is a Flag to indicate when a rule is net related or not
s-20150...@billmail.scconsult.com> To:
> "users@spamassassin.apache.org" <users@spamassassin.apache.org> Sent:
> Sunday, September 4, 2016 9:52 PM Subject: Re: Local mode with some
> URI checks. Possible??
>
> On 3 Sep 2016, at 5:32, Pedro David Marco wrote:
>
>
only mode.
From: Axb <axb.li...@gmail.com>
To: users@spamassassin.apache.org
Sent: Saturday, September 3, 2016 11:06 AM
Subject: Re: Local mode with some URI checks. Possible??
On 09/03/2016 08:45 AM, Pedro David Marco wrote:
> Hi!
>
> I am using "Local tests only"
From: Martin Gregorie <mar...@gregorie.org>
To: users@spamassassin.apache.org
Sent: Saturday, September 10, 2016 3:33 PM
Subject: Re: Plugin development help needed...
On Sat, 2016-09-10 at 13:09 +, Pedro David Marco wrote:
> Hi there...
> i am not an expert OO devel
---PedroD
From: Martin <ma...@ntlworld.com>
To: users@spamassassin.apache.org
Sent: Saturday, September 10, 2016 10:56 AM
Subject: RE: trusted_networks question...
From: Pedro David Marco [mailto:pedrod_ma...@yahoo.com]
Sent: Saturday, Septem
Hi there...
i am not an expert OO developer so i am somehow flying blind in here and need
your help please
Basically i want to write my own plugin and i have some repeated calculations
in each and every plugin method that i would like to reduce to just one, but i
am not sure on how to do it...
i receive tons of Ransomware from Google and MS Office365 IPs..
---PedroD
From: Bowie Bailey
To: users@spamassassin.apache.org
Sent: Friday, September 9, 2016 3:35 PM
Subject: Re: RCVD_IN_SORBS_SPAM and google IPs
On 9/9/2016 9:24 AM, li...@rhsoft.net
Hi there...
i have this in my local.cf:
trusted_networks 88.2.890.3
when i run SA in debug mode i see this:
[17721] dbg: received-header: relay 88.2.890.3 trusted? no internal? no msa? no
there is no error or warns anywhere...
is this normal?
Thanks!
---PedroD
Hi,
When SA 3.4.1 analyzes emails with large random URIs... like this:
AM
Subject: Re: Define new variables in local.cf
On 08.11.16 04:39, Pedro David Marco wrote:
>When you have the same string repeated many times in a .cf file is it possible
> to use any kind of user-defined variable or constant to avoid repetition
> and make it easier to maintain?
any
Hi!
When you have the same string repeated many times in a .cf file is it possible to
use any kind of user-defined variable or constant to avoid repetition and make
it easier to maintain?
thanks!
-Pedro
Something like that must be John...
I will check my scripts once more...
Thanks!
>No problem, sometimes the obvious is overlooked.
>
>Perhaps the compile failed and SA is using the last good results?
>I'm assuming that you *are* recompiling the rules and restarting
>spamd/Amavis after you make changes to the rules?
sure, forgot to mention, sorry...
Great!
Thanks!
Pedro.
From: RW <rwmailli...@googlemail.com>
To: users@spamassassin.apache.org
Sent: Tuesday, November 8, 2016 7:15 PM
Subject: Re: Define new variables in local.cf
On Tue, 8 Nov 2016 04:39:55 + (UTC)
Pedro David Marco wrote:
> Hi!
> When
Hi!
I have a doubt about compiled rules with sa-compile:
Precedence between a "rule" and its compiled version is automatic so as long as
the rule is not modified, the compiled rule will take precedence, am i right? I
have noticed that sometimes (only sometimes) if i modify the rule, spamassassin
-20150...@billmail.scconsult.com>
To: SA Mailing List <users@spamassassin.apache.org>
Sent: Wednesday, October 19, 2016 6:04 AM
Subject: Re: PYZOR_CHECK always have zero score, why?
On 18 Oct 2016, at 23:22, Pedro David Marco wrote:
> So Pyzor seems to be OK!... the problem is somehow related to
Hi!
It seems the PYZOR_CHECK rule is not being used in my SA. Just installed SA and
Pyzor in a Debian and executed "pyzor discover". In Debian pyzor is enabled by
default so nothing to add in local.cf. Command "pyzor check < emailfile.eml"
works ok.
.. now i try to test SA in debug mode like
ssassin_org/regression_tests.cf"
for included file
only 50_scores.cf contains string PYZOR_CHECK
--Pedro
From: John Hardin <jhar...@impsec.org>
To: SA Mailing List <users@spamassassin.apache.org>
Sent: Wednesday, October 19, 2016 6:41 AM
Subject: Re: PYZOR_CHECK a
ets score 0?
i am stuck...
-Pedro
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: users@spamassassin.apache.org
Sent: Wednesday, October 19, 2016 9:42 AM
Subject: Re: PYZOR_CHECK always have zero score, why?
On 19.10.16 04:28, Pedro David Marco wrote:
>i already d
>Hmmm... Relevant context of those lines is lost with grep, but they
>confirm something odd is going on.
Bill, your remark is welcome, what lines/info should i pay attention to or
even post here?
Pedro
Thanks in any case Bill...
Really appreciate all your help and time... Bill, John, Matus...
Pedro
From: Bill Cole <sausers-20150...@billmail.scconsult.com>
To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
Cc: Pedro David Marco <pedr
Thanks Bill...
tested...
>1. Add to local.cf, along with the other PYZOR_CHECK_2 lines you had:
>
>tflags PYZOR_CHECK_2 net
>
>Does that change whether the rule is hit?
>
>2. Change the PYZOR_CHECK score line in 50_scores.cf to:
>
> score PYZOR_CHECK 0.001 1.985 0.001 1.392
>
>Does that quiet
I have tested it in a new Debian box and as expected PYZOR_CHECK worked. So it
is obvious that i have something odd in my Debian box.
Thanks to all who helped me gently!!
This takes me to an old question: How does SA know which are network rules and
which are not? because it does it right even if
Thanks!
>The 'net' tflag exists to allow SA to know what tests to disable when it
>is told to run only local tests. That is usually done when messages are
>being checked well after their arrival, because network-dependent tests
>are generally dynamic. There are also places where policy or
Hi!
can anyone, please, tell me what is the correct way to write a rule that
matches text with accents when i do not know the encoding??
shall i write a rule for utf-8, another one for iso-8859-1, etc?? i hope not...
Thanks!
-Pedro
>If you set "normalize_charset 1" you can just test UTF-8
Thanks a lot RW
fool me! it was in the docs and i skimmed through it.. please accept my
apologies...
thanks again and have a nice weekend!
--Pedro.
>IIRC I've seen this warning on meta rule dependencies with non-zero
>scores. Unless you have a better reason to think Pyzor isn't working,
>I'd just ignore it.
Well... you are right, in fact i have no problem in ignoring it, but i do not
like to have unresolved issues in something that is
Hi,
i have spam emails with a Received line like this:
Received: by 9-30-239-23.uocdn.net (Postfix) with ESMTPSA id 693A0C56B with
(unknown [158.69.130.12]) ; Sun, 20 Nov 2016 21:06:55 -0300
there is no parsing perl code for lines like this in Received.pm module so the
relay 158.69.130.12 is
of course that would be very interesting!
---Pedro.
Just wondering if anyone has - or is interested in - a list of legit
mass mailing sources?
There are many domains that remail/deliver for other domains that are
95%+ good email. And they are not perfect and sometimes they get scammed
Hi everybody...
When an email has a MIME part with no Content-Type header, is there any way to
force SA "guess" the format based on other criteria... file extension, for
example?
Example:
Content-Disposition: attachment;
filename="details.pdf"
Content-Transfer-Encoding: base64
Thanks!
PedroD
From: Paul Stead <paul.st...@zeninternet.co.uk>
To: Pedro David Marco <pedrod_ma...@yahoo.com>;
"users@spamassassin.apache.org" <users@spamassassin.apache.org>
Sent: Thursday, August 17, 2017 1:17 AM
Subject: Re: Attachments with
>Also, setup the KAM.cf rules and extra signatures for ClamAV from
>Sanesecurity. These often help with new spam campaigns. I can post
>which signature DBs I am using if that would be helpful.
>--
>Dave
Hi Dave...
i have had problems in the past with the script to download Sanesecurity
>Concur. We often use linux boxes in front of exchange boxes for any type of
>mail manipulation.
> had to respond because I loved the term "Whimsical modification". I shall
> use that here out.
>BTW, for those interested, work continues on masscheck.
> I spent Friday restoring two
Hi everybody!
According to Microsoft
https://technet.microsoft.com/en-us/library/aa996806(v=exchg.141).aspx
Exchange 2010 only rewrites some headers BUT... i am seeing it modifying any
header in a whimsical way...
Headers starting by X- are deleted every other day, and today i am seeing
>Yes, once the mail has been touched by exchange it's not useful anymore for
>writing spam rules. Not only are headers changed/removed/reordered, also
>the html body is rewritten.
>Also for testing and training the reordered received headers are very
>annoying.
Thanks Merijn..
how funny! let's party
Hi,
sorry if discussed before and i missed it but,
the rule FORGED_HOTMAIL_RCVD2 triggers when a hotmail email does not come from
hotmail or msn servers, but actually they often come from outlook.com
regards,
-PedroD
>Actually xn--example.com doesn't decode to example.com because in the
>absence of a "-" separator "example" would be treated as encoded
>non-ascii characters.
>
>This means that it's impossible to encode an ASCII domain as an IDN
>because each decoded label has to encode back to the
Thanks Paul,
but your plugin uses find_parts() that turns it pointless if there is no
Content-Type mime header...
PedroD
>The magic number or file signature can be helpful in determining the
>filetype:
>https://en.wikipedia.org/wiki/List_of_file_signatures
>I make use of
Hi David...
I agree with you... but some functions like find_parts() do not work if there
are no Content-Type headers... making the analysis of some attachments
impossible...
i am writing a plugin to detect suspicious PDFs...
Maybe there's a better way to analyze attachments than using
Thanks a lot Kevin... Thanks a lot David
--PedroD
From: Kevin A. McGrail
To: Spamassassin ; SpamAssassin Devel List
Sent: Sunday, May 14, 2017 4:11 PM
Subject: Rule Update Servers Coming Back!
Hi everybody...
just bothering you to share this:
We are detecting Petya2 inside attached PDFs... (not detected by many AV)
has anyone seen it into any MS OFFICE attachment? or maybe any .js dropper?
good hunting!
---PedroD
Alex, not the answer you are looking for, but have you tried with quotemeta ???
maybe escaping all the text may help...
-PedroD
>maybe they are processing mail and will exit after it's done...
Thanks Fantomas, this is what i would expect and it seems what happens...
spamd children get the SIGNAL and act accordingly, but for some reason, sometimes
they IGNORE the SIGNAL... :-(
--PedroD
Hello everybody...
For some time i have been noticing that when spamd is restarted or reloaded because
there are new rules, not all child processes are correctly restarted or reloaded
and they remain working with the old file set (and hence old rules). It looks
like an orphan children issue... So when
It has just happened now again... :-(
There are 2 spamd child processes in 'S' state...
i run spamc -R
I understand there may be many blocking situations... but SIGNALS are for
that! the process must attend the signal sooner or later... even if it has to
wait until the end of the blocking situation...
Yes, the blocking situation may unfortunately last for ever, but this is not
the case since
>Well, F. W. Nietzsche never had kids
But almost never so many people have had the same father... :-p
Now serious: Maybe you can add some more rules to deduce it may be a german
email and score the RANDOM accordingly...
---PedroD.
Hi Gary,
Try this.. (you are wrongly anchoring with ^)
header HS_BAD_DOMAIN From =~
/\.(top|study|click|party|link|stream|info|trade|bid|xxx)$/i
describe HS_BAD_DOMAIN Contains one of the bad domains that commonly spams
score HS_BAD_DOMAIN 0.1 0.1 0.1 0.1
Pedro
Hi!
Is anybody scoring emails coming via sendgrid.net ??? i get tons of spam
relayed through them !!
Thanks!
Pedro
> Of course that should be:
>
> describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(? score SCC_MIME_BOGUSCT1 2
>Hmmm... For some reason I do not understand, the anchor doesn't work,
>so:
Bill the negative lookbehind does not
>Hi Pedro, yes but I do not have the ability to share it but I've bcc'd someone
>who does to see if they can mail it to the list.
>Since the rule I made target effectively all of the mailsploit exploits and
>it's already public, it should be safe. But I don't know if he used domains
>he
>The tests are not working because of aws send limits. Unlikely to work.
>Regards,
>KAM
You are right Kevin... fool me..
is there any pastebin sample???
PedroD
You can get tests here...
https://www.mailsploit.com/index#demo
---PedroD.
Mark you are right: mix of upper and lower letters + huge div height (500px) +
HTML email with no HTML tag + suspicious URLs + suspicious (to me) mailer (i
cannot find much in google about moonray mailer)...
i wish SA had a rule to test only the HTML tags... (rawbody - body)... maybe
this
>Perhaps a smaller step that would be useful would be to have the parser
>require the second-level domain name have > 1 character.
>How often would we see a valid registered domain name like "x.info" for
>example?
maybe the best way to know whether it is a URI or not is to ask the DNS...
wow... depending on your geolocation, the phishing text changes and, at least
in Spanish, it is totally correct!!
sometimes i have to take my hat off...
-PedroD
AJ,
i cannot see anything with sense... is the pastebin correct?
-PedroD
Out of curiosity...
"account is deactivated due to inactive,"
is this correct in english? shouldn't it be "inactivity"?
Pedro
>For the most part, I agree, but the client here has also contracted
>with Wombat and they managed to detect this email as "Probably Phish".
>We're missing something with spamassassin.
Any security system, Antiviruses, Sandboxes, etc... that can be tested in
advance can be bypassed... it is
ber 24, 2017 11:12 PM
Subject: Re: Bank fraud phish
On Tue, 24 Oct 2017, Pedro David Marco wrote:
> Out of curiosity...
>
> "account is deactivated due to inactive,"
>
> is this correct in english? shouldn't it be "inactivity"?
It isn't good English,
Probably it would be a good idea to have a list of potential "phishing-able"
important companies... just as there is one for freemailers..
very greedy, i know... :-)
---Pedro
Hi everybody...
is there any way to avoid duplicated matches when tflag is set to "multiple"?
Thanks!
---Pedro
This is getting worse
it seems that some spamd children keep some data structures from one scan to the
next and results are mangled over time what a "funny" mess!!! :-(
I have found that this only happens in Debian versions under 8.8, Debian 8.8
and 9.x seem to work nicely.
is there anyone from Greece in the list, please?
i need some help about some greek emails..
Thanks..
--PedroD
>> Define two classes of recipients:
>> class A == all users who want everything
>> class B == all users who want "standard" filtering
Be aware of Class A users... once they click on where they should not, then as
if by magic it was your fault and the s--t hits the fan... (of course
David Jones wrote:
>It's not only compromised well-established accounts. Based on the odd
>domain names I have seen, I am pretty sure that Microsoft allows trials
>of O365 so spammers are signing up and blasting out junk/phishing emails
>until they are discovered. These spammers can spoof
I agree with David Jones that DKIM is helpful in here BUT i often see MS
switching the order of headers whimsically...
Pedro
>On Saturday, June 9, 2018, 11:05:51 PM GMT+2, Grant Taylor wrote:
>>I don't think the order of the headers matters as long as the contents
>>of the header aren't changed.
Grant, you are right, please excuse me... i have checked some samples and O365
DKIM DOES NOT sign Receiveds
>On Saturday, June 9, 2018, 8:03:31 AM GMT+2, Rupert Gallagher
wrote:
>On Fri, Jun 8, 2018 at 23:05, David Jones wrote:
> 2.2 MISSING_HEADERS Missing To: header
>The following is all one needs.
>5.0 MISSING_HEADERS Missing To: header
>Remember that e-mail is mail after
>On Thursday, May 31, 2018, 6:24:06 PM GMT+2, Reindl Harald
> wrote:
>>Am 31.05.2018 um 18:17 schrieb Pedro David Marco:
> No not discard they are botnet commands!!
>
>and why would you not want to discard / reject them then?
>WTF!
:-DD of course! So
No not discard they are botnet commands!!
-Pedro
Reviewing May reports i see a huge spam increment in mid-May that lasted 5 days
approx...
Has someone noticed this as well? maybe a new active bot-net?
Pedro
>Do you have any examples? I have had a quiet past 2 weeks with almost
>zero reports of junk by my users. So either my rules are currently
>tuned well to block the current spam/phishing campaigns or something. I
>assumed a botnet had been take down. I usually have to deal with a few
>Can you provide a concrete example of *why* you would want to set "tflags
>multiple" in the first place if you do not want duplicate/multiple
>matches for that rule?
Actually multiple counts the sum of matches in text and html parts. So a value
of 2 (for example) means either that a match is
>The rsync script uses SSH access from the master to the slaves with a
>passphraseless key so it's very simple to rsync and even run commands on
>the slaves to restart SA/MailScanner/Clamd when a change is detected on
>the slaves. Disclaimer, a passphraseless SSH key can be risky so make
... there are also "one time links", that vanish once visited/downloaded.
PedroD
Out of curiosity... how is SUBRL in terms of false positives?? is it a worthy
IOC DDBB??
Thanks.
---PedroD
Hi,
What is, in your opinion, the maximum URL acceptable length?
I am not speaking about RFCs or defacto browsers limits, etc i am just
asking you for personal opinions, please...
Many browsers do not bookmark over 300 octets (approx), and do not show in the
address bar over 2500 octets (approx).
Hi,
FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:') triggers
for valid hotmail messages... (SA 3.4.1)
This small change solves the problem but i do not know whether it is the
correct way... maybe the "hotmail" string should be changed widely to
"outlook|hotmail"...
Do not forget that accounts in valid servers are often hacked...
---PedroD
Thanks / Grazie mille Giovanni...
PedroD
On Monday, January 29, 2018, 8:27:01 AM GMT+1, Giovanni Bechis
wrote:
On 01/29/18 06:00, Alex wrote:
> Hi,
>
>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>> triggers for valid hotmail
Is there any "relatively easy" way to add a new IP found in a non-standard
header to the IP checks (e.g. DNSRBL)??? is a plugin the only way?
Thanks.
--PedroD
>Are you using the --round-robin option in spamd? If so try running
>without it.
>A long time ago the child management code was substantially updated,
>but the legacy code with left in and accessed through that option.
Thanks a lot RW... i am not using --round-robin option... but i have
> Also, can anyone suggest a nicely written rule, that triggers when an html
> tag's text contains both upper and lower case letters? Thanks. - Mark
Hi Mark and happy new year!
For small tags a simple rule, ugly but very cheap, may work:
/Src|sRc|srC|.. and so on, number of
Async dns lookups work nicely... but it would be great to run asynchronous
checks for attachment content for example..
On Saturday, August 4, 2018, 3:41:24 PM GMT+2, Benny Pedersen
wrote:
Pedro David Marco skrev den 2018-08-04 11:15:
> I would like to run asynchronous checks
I would like to run asynchronous checks via AsyncLoop... does anyone know of
any plugin, or sort of code, or framework that uses AsyncLoop for no DNS
related checks?
Thanks...
PedroD
XPS is a ZIP compressed document format. I may be wrong but is
any serious software/company using .XPS for invoices? to me, PDF is the de facto
standard for invoices...
maybe you can score the mix of .XPS + "due invoice" text
-PedroD
>On Tuesday, August 7, 2018, 8:10:08 PM
Not exactly a SA question but...
i am planning to run my own RBL with a nameserver, that when queried for an IP
that is not in its database, does some calculations with that IP and replies
accordingly (caching the results)...
Please, does anyone know of any nameserver that can do that? To my
On Tuesday, July 24, 2018, 12:07:52 AM GMT+2, David B Funk
wrote:
>What kind of 'calculations with that IP' ?
Thanks Dave... calculations are complex and done with an external script that
reads some files, parsing them...
-PedroD
>On Tuesday, July 24, 2018, 1:38:59 AM GMT+2, Nick Bright
wrote:
>So I ask: what is the best practice for learning submissions when using
>site-wide bayes?
Nick, do all your users use the same MUA? There are some user level "plug-ins"
that may be configured to send out the sample to
On Tuesday, July 24, 2018, 6:50:13 AM GMT+2, Bill Cole
wrote:
> Learning ham is harder
Totally agree Bill, unless you use Microsoft techniques...: send everything to
the spam folder and if moved to the inbox by the user then... it is ham!
-PedroD
On Tuesday, July 24, 2018, 12:04:57 AM GMT+2, Kris Deugau
wrote:
>IIRC PowerDNS can be set up to run Lua code fragments of some kind on DNS
>requests.
Thanks! i did not know it. i have checked it and Lua cannot exec
external commands to get a possible "answer"...
> To
On Wednesday, July 18, 2018, 6:58:54 AM GMT+2, Bill Cole
wrote:
>> 3. Pure numeric TLDs appear to be non existent (so far!)
>I expect that this will hold true for a long time.
Bill, do not speak loud! truth is stranger than fiction :-(
---PedroD