On Thu, 3 Mar 2011, tr_ust wrote:

>> Also, I seriously doubt you tested your rules "with a real email" as you
>> said. Notice the NO_RELAYS rule hit for an example. The sample was
>> either severely damaged, or a very bad copy-n-paste from a source that
>> just does not resemble a raw mail.
>
> Like I said I uploaded an email file. I don't know if that counts as a real
> email...

It might, it might not, depending on how it was produced. Exporting a
message from many email clients may not produce a correct RFC-2822-format
file with all headers intact.

The canonical request we have when asked to help someone troubleshoot
something is this: Please post the entire message, with _all_ headers
intact, to something like pastebin.com or a plain text file on a website
you host and send the URL for it to the list, so that we can see exactly
what SA is being asked to analyze. Please _do not_ send the message itself
to the list.

Being this is a spam, there shouldn't be anything sensitive present, but
if you want to obscure private email addresses or hosts, the best way to
do that is to change the domain name to "example.com" and make no other
changes. Specifically, don't mangle email addresses, host names or IP
addresses so that they don't look like email addresses or host names or IP
addresses, as doing that will affect SA's analysis.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
10 days until Albert Einstein's 132nd Birthday
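
As an added illustration of the advice in this message (not code from the poster or from the SpamAssassin project), the Python sketch below checks that a file still looks like a raw RFC-2822 message and swaps only a private domain for example.com. The sample message, the domain `corp-internal.test` and the function names `check_raw` and `redact_domain` are constructed for this example.

```python
import re
from email import message_from_bytes
from email.policy import compat32

# Constructed sample (not from the thread): a raw message with headers intact.
SAMPLE = (
    b"Received: from mail.corp-internal.test (mail.corp-internal.test [192.0.2.10])\r\n"
    b"\tby mx.corp-internal.test with ESMTP id ABC123; Thu, 3 Mar 2011 10:00:00 -0800\r\n"
    b"From: Sender <someone@elsewhere.test>\r\n"
    b"To: alice@corp-internal.test\r\n"
    b"Subject: test\r\n"
    b"Date: Thu, 3 Mar 2011 10:00:00 -0800\r\n"
    b"Message-ID: <1@elsewhere.test>\r\n"
    b"\r\n"
    b"Body text, reply to alice@corp-internal.test\r\n"
)

def check_raw(raw: bytes) -> list:
    """Return reasons the data does not look like a raw message (empty list = OK)."""
    problems = []
    first_line = raw.split(b"\n", 1)[0]
    # A raw message starts with a header field (or an mbox "From " separator).
    if not re.match(rb"^(From |[!-9;-~]+:)", first_line):
        problems.append("first line is not a header field")
    msg = message_from_bytes(raw, policy=compat32)
    # Client exports and copy-paste often lose these; SA then has no relay data.
    if not msg.get_all("Received"):
        problems.append("no Received headers (consistent with a NO_RELAYS hit)")
    for name in ("From", "Date"):
        if msg.get(name) is None:
            problems.append("missing %s header" % name)
    return problems

def redact_domain(raw: bytes, private_domain: str) -> bytes:
    """Replace private_domain with example.com and change nothing else.

    Host labels, local parts and IP addresses are left alone, so addresses
    and host names still parse as addresses and host names.
    """
    pattern = re.compile(
        rb"(?<![A-Za-z0-9-])" + re.escape(private_domain.encode("ascii"))
        + rb"(?!\.?[A-Za-z0-9-])",
        re.IGNORECASE,
    )
    return pattern.sub(b"example.com", raw)

if __name__ == "__main__":
    cleaned = redact_domain(SAMPLE, "corp-internal.test")
    print(check_raw(cleaned) or "looks like a raw message")
    print(cleaned.decode("ascii"))
```
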