Re: some problem with spam
Hi, thanks, I will try this ruleset.

On 12.12.2023 at 14:59, Jimmy wrote:

These rules should match:

rawbody __DOUBLE_HTML /<\/a>\s*/
uri __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i

On Tue, Dec 12, 2023 at 8:44 PM natan wrote:

Hi
Thanks, but the link is random too, like:

https://paste.debian.net/1300874/

On 12.12.2023 at 12:21, Jimmy wrote:

uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID / wrote:

Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put eml with spam and train SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must train it again, like SA forgot what it learned

2) I have a problem with one type of spam, like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar, like base64 + html and png
All were signed by DKIM

And I had to work around it in the following way, but it is not a solution

rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207 Spam fake IQ password
score EMAIL_20231207 2

rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
score EMAIL_20231207_1 0.1
rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score EMAIL_20231207_ALL 2

Any idea?

--
--
--
Re: some problem with spam
These rules should match:

rawbody __DOUBLE_HTML /<\/a>\s*/
uri __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i

On Tue, Dec 12, 2023 at 8:44 PM natan wrote:

> Hi
> Thanks, but the link is random too, like:
>
> https://paste.debian.net/1300874/
>
> On 12.12.2023 at 12:21, Jimmy wrote:
>
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID /
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be
> a false positive. Since I don't have visibility into all headers, consider
> creating rules based on specific headers or other rules that match these.
> Append these rules to the meta-rule and boost the overall score accordingly.
>
> Jimmy
>
> On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
>
>> Hi
>> I have SpamAssassin version 3.4.6
>>
>> And I am trying to resolve two problems
>>
>> 1) I put eml with spam and train SA like:
>> sa-learn --spam /root/spamik/
>>
>> In /root/spamik/ there are 4 e-mails
>> Works great, but after 7 days I must train it again, like SA forgot what it
>> learned
>>
>> 2) I have a problem with one type of spam, like:
>> https://paste.debian.net/1300865/
>> because:
>> contents - random
>> from - random
>> IP - random
>>
>> The construction is only somewhat similar, like base64 + html and png
>> All were signed by DKIM
>>
>> And I had to work around it in the following way, but it is not a solution
>>
>> rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
>> describe EMAIL_20231207 Spam fake IQ password
>> score EMAIL_20231207 2
>>
>> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
>> score EMAIL_20231207_1 0.1
>> rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
>> meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
>> score EMAIL_20231207_ALL 2
>>
>> Any idea?
>>
>> --
>>
>
> --
>
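Added example (not part of the thread): a small Python harness that runs the two intact uri patterns quoted above against constructed URLs, to see what they match before a score is attached. The URLs and the helpers `long_link` and `meta_fires` are made up for the illustration; the `__IMG_SRC_CID` pattern is incomplete in the archive, so it is not modelled.

```python
import re

# Patterns copied from the uri rules in the thread; this Perl syntax is
# also valid for Python's re module.
URI_RULES = {
    "__ADB_CPN_LINK": re.compile(r"\.campaign\.adobe\.com\/r\/\?"),
    "__LONG_LINK_URL": re.compile(
        r"https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\/", re.IGNORECASE),
}

def uri_hits(uris):
    """Names of the uri sub-rules that match at least one URI of a message."""
    return {name for name, rx in URI_RULES.items()
            if any(rx.search(u) for u in uris)}

def meta_fires(required, hits):
    """Evaluate a meta rule that is a pure '&&' chain of sub-rule names."""
    return all(name in hits for name in required)

def long_link(n):
    """Constructed URL with exactly n characters between '://' and '.example/.xy/'."""
    return "https://" + "a" * n + ".example/.xy/"

# Constructed sample URIs (not taken from the pastes linked in the thread).
SAMPLES = {
    "adobe_redirect": ["https://t.example.campaign.adobe.com/r/?id=abc123"],
    "long_50": [long_link(50)],
    "long_49": [long_link(49)],
    "plain": ["https://www.example.org/index.html"],
}

if __name__ == "__main__":
    for label, uris in SAMPLES.items():
        hits = uri_hits(uris)
        # ADB_CPN_ABUSE also needs __IMG_SRC_CID, a rawbody rule that this
        # harness does not model, so the meta stays false on link hits alone.
        abuse = meta_fires(["__ADB_CPN_LINK", "__IMG_SRC_CID"], hits)
        print(f"{label:15} hits={sorted(hits)} ADB_CPN_ABUSE={abuse}")
```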
Re: some problem with spam
Hi
Thanks, but the link is random too, like:

https://paste.debian.net/1300874/

On 12.12.2023 at 12:21, Jimmy wrote:

uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID /

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be a false positive. Since I don't have visibility into all headers, consider creating rules based on specific headers or other rules that match these. Append these rules to the meta-rule and boost the overall score accordingly.

Jimmy

On Tue, Dec 12, 2023 at 5:53 PM natan wrote:

Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put eml with spam and train SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must train it again, like SA forgot what it learned

2) I have a problem with one type of spam, like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar, like base64 + html and png
All were signed by DKIM

And I had to work around it in the following way, but it is not a solution

rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207 Spam fake IQ password
score EMAIL_20231207 2

rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
score EMAIL_20231207_1 0.1
rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score EMAIL_20231207_ALL 2

Any idea?

--
--
Re: some problem with spam
uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID / wrote:

> Hi
> I have SpamAssassin version 3.4.6
>
> And I am trying to resolve two problems
>
> 1) I put eml with spam and train SA like:
> sa-learn --spam /root/spamik/
>
> In /root/spamik/ there are 4 e-mails
> Works great, but after 7 days I must train it again, like SA forgot what it
> learned
>
> 2) I have a problem with one type of spam, like:
> https://paste.debian.net/1300865/
> because:
> contents - random
> from - random
> IP - random
>
> The construction is only somewhat similar, like base64 + html and png
> All were signed by DKIM
>
> And I had to work around it in the following way, but it is not a solution
>
> rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> describe EMAIL_20231207 Spam fake IQ password
> score EMAIL_20231207 2
>
> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
> score EMAIL_20231207_1 0.1
> rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> score EMAIL_20231207_ALL 2
>
> Any idea?
>
> --
>
some problem with spam
Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put eml with spam and train SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must train it again, like SA forgot what it learned

2) I have a problem with one type of spam, like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar, like base64 + html and png
All were signed by DKIM

And I had to work around it in the following way, but it is not a solution

rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207 Spam fake IQ password
score EMAIL_20231207 2

rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
score EMAIL_20231207_1 0.1
rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score EMAIL_20231207_ALL 2

Any idea?

--
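Added example (not part of the thread): the meta rule above refers to IQ_EMAIL_20231207_1 and IQ_EMAIL_20231207_2, while the rawbody rules shown are named EMAIL_20231207_1 and EMAIL_20231207_2; unless rules with the IQ_ names exist elsewhere in the configuration, the meta cannot match. This Python sketch lists meta dependencies that a rule snippet does not define. The `EXTERNAL` set is an assumption (names taken to come from other rule files), and the two long regexes are shortened to `/.../` because only rule names matter here.

```python
import re

# Rule lines copied from the original post, long regexes shortened to /.../.
RULES = r"""
rawbody  EMAIL_20231207     /.../i
describe EMAIL_20231207     Spam fake IQ password
score    EMAIL_20231207     2
rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /.../
meta     EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score    EMAIL_20231207_ALL 2
"""

# Assumption: these two names are defined in other rule files on the system.
EXTERNAL = {"KAM_HTML_FONT_INVALID", "MIME_HTML_ONLY"}

# Keywords that define a rule name (a subset of SpamAssassin's rule types).
DEFINING = {"header", "body", "rawbody", "uri", "full", "meta"}
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def parse(text):
    """Return (defined rule names, {meta name: names its expression uses})."""
    defined, metas = set(), {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in DEFINING:
            continue
        kind, name, rest = parts
        defined.add(name)
        if kind == "meta":
            metas[name] = set(NAME.findall(rest))
    return defined, metas

def unresolved(text, external=frozenset()):
    """Meta dependencies defined neither in `text` nor in `external`."""
    defined, metas = parse(text)
    return {meta: sorted(deps - defined - external)
            for meta, deps in metas.items() if deps - defined - external}

if __name__ == "__main__":
    print(unresolved(RULES, EXTERNAL))
```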