Hi,
to read this in other words: while certain analysts (and definitely Microsoft
marketing)
claim that about 50 % of all servers is running windows, these figures tend to
say that
real mail servers (those that deliver the ham part of mail) rarely ever run XP
but that this OS is the best
Mark Martinec wrote:
The most interesting part in my view is not the IP distance, but the
type of OS, illustrated by the following table (derived from the same
data as fig2):
p0f OS guess    ham : spam
------------------------------
Windows-XP      0.7 % : 99.3 %
Windows-2000
Kai Schaetzl wrote:
I just saw that a normal Ebay outbid notice hit two high-score rules. One
is from sare-spoof and I already contacted the maintainer. But one is in
the default 3.1.1 ruleset and I think this rule should get completely
removed
to read this in other words: while certain analysts (and definitely
Microsoft marketing)
claim that about 50 % of all servers is running windows, these figures
tend to say that
real mail servers (those that deliver the ham part of mail) rarely ever
run XP
but that this OS is the best
David B Funk dbfunk at engineering.uiowa.edu writes:
Exactly so.
Usually you can find the related message by matching the time-stamp
from your maillog to your spamd log. You can also do some detective work,
eliminate maillog entries that have an incoming msgid (IE one from the
sending MTA)
Wolfgang, Loren,
real mail servers (those that deliver the ham part of mail) rarely ever
run XP but that this OS is the best candidate for creating a spam zombie
Not completely unreasonable. XP is targeted within MS as a personal or
very small company OS. The equivalent of a linux/unix
Mark Martinec wrote:
I guess Windows Server 2003 is reported as Windows 2000, but I don't know.
Certainly a couple of very large sites are seen as Windows 2000.
In the UNKNOWN category there must be a mix of Windows and Unix hosts,
not sure what is unusual about them.
Mark
Hmm... FWIW:
On Donnerstag, 13. April 2006 13:35 Mark Martinec wrote:
Agreed, this rule is completely inappropriate, it penalizes valid
encoding according to RFC 2047 and fires on any lengthier Subject
line in non-English language. It should disappear or have a
much reduced default score.
The problem
I see a fair amount of spam using TEXTAREA style=visibility: hidden to
hide bayes poison. Shouldn't a rule against that, or CSS-hidden text in
general, be worthwhile? I couldn't find any in the default 3.1.1 ruleset, nor
at SARE.
--
Magnus Holmgren
Magnus Holmgren wrote:
I see a fair amount of spam using TEXTAREA style=visibility: hidden to
hide bayes poison. Shouldn't a rule against that, or CSS-hidden text in
general, be worthwhile? I couldn't find any in the default 3.1.1 ruleset, nor
at SARE.
It certainly seems worth testing.
So, what exactly is bayes poison?
Best regards,
JD Smith
-Original Message-
From: Magnus Holmgren [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 13, 2006 8:58 AM
To: users@spamassassin.apache.org
Subject: TEXTAREA style=visibility: hidden
I see a fair amount of spam using TEXTAREA
JD Smith wrote:
So, what exactly is bayes poison?
Bayes poison is a collection of random words or text selections that
have nothing to do with the email subject and are only there in an
attempt to confuse the Bayes database. This doesn't really work the
way the spammers would like to think it
On Thu, Apr 13, 2006 at 01:35:19PM +0200, Mark Martinec wrote:
Agreed, this rule is completely inappropriate, it penalizes valid
encoding according to RFC 2047 and fires on any lengthier Subject
line in non-English language. It should disappear or have a
much reduced default score.
Says you.
http://ajax.apache.org/%7ejefft/ :
Bugzilla is moving to a new host, and is temporarily down while the
database synchs. Apologies for the inconvenience.
--j.
Bowie Bailey wrote:
JD Smith wrote:
So, what exactly is bayes poison?
Bayes poison is a collection of random words or text selections that
have nothing to do with the email subject and are only there in an
attempt to confuse the Bayes database. This doesn't really work the
way the
Matt Kettler wrote:
Magnus Holmgren wrote:
I see a fair amount of spam using TEXTAREA style=visibility: hidden to
hide bayes poison. Shouldn't a rule against that, or CSS-hidden text in
general, be worthwhile? I couldn't find any in the default 3.1.1 ruleset, nor
at SARE.
It
I have received several copies of a spam message that is in Russian (I think
it's Russian). I get maybe 1 or 2 a week. I wish I could block all Russian
messages, but we are a University and could easily have Russian students. I am
unable to read this message and therefore have no ideas on
On Thu, Apr 13, 2006 at 03:58:01PM +0200, Magnus Holmgren wrote:
I see a fair amount of spam using TEXTAREA style=visibility: hidden to
hide bayes poison. Shouldn't a rule against that, or CSS-hidden text in
general, be worthwhile? I couldn't find any in the default 3.1.1 ruleset, nor
at
I've been having some difficulty with the user_prefs and the whitelist_*
functions. I read the examples etc, and I believe these are correct,
but clearly certain email is still being tagged (see below). I wonder
if someone can help clarify what I'm doing wrong here.
First, here are the
Matthias Keller wrote:
Matt Kettler wrote:
Magnus Holmgren wrote:
I see a fair amount of spam using TEXTAREA style=visibility:
hidden to hide bayes poison. Shouldn't a rule against that, or
CSS-hidden text in general, be worthwhile? I couldn't find any in the
default 3.1.1 ruleset, nor at
Matt Kettler wrote:
Matthias Keller wrote:
Matt Kettler wrote:
Magnus Holmgren wrote:
I see a fair amount of spam using TEXTAREA style=visibility:
hidden to hide bayes poison. Shouldn't a rule against that, or
CSS-hidden text in general, be worthwhile? I couldn't find any in
Michael Monnerie wrote:
Sorry for x-posting, but that's a program useful to postfix and/or SA
users.
http://www.benzedrine.cx/relaydb.html
Does anybody use or know about this program with tarpitting? It sounds
very interesting, and for the author it seems to work, but I'd like to
know if
On Apr 13, 2006, at 12:12 AM, Loren Wilton wrote:
I'd like to venture the suggestion that the percentage of spam from XP
isn't
necessarily an indication of inherent bugginess. It is more an
indication
that it is an OS for Clueless Noobs who haven't a clue about
maintaining a
system,
On Donnerstag, 13. April 2006 18:15 mouss wrote:
pfff. just reading the two first paragraphs is enough to look
elsewhere. some people seem to redefine what a false positive is.
I didn't mean that, I meant the tarpitting approach. Of course you have
to set some (much) harder policy on which
Guys,
Any idea how this one got through?
body BRIAN_PHONE_NUMBERS
/2.0.6.9.8.4.2.3.2.7|2.0.6.3.3.3.0.0.5.1|2.0.6.9.8.4.0.1.0.6|3.3.8.3.5.7.9|2.0.6.3.3.8.6.0.6.1|2.0.6.2.0.2.2.0.3.3/
describe BRIAN_PHONE_NUMBERS Phone number or address pulled from spam
score BRIAN_PHONE_NUMBERS
Matthias Keller wrote:
In my opinion you shouldn't limit it to textareas as I've seen them on
DIVs and others too...
So to me, any visibility:hidden or display:none is suspect as I don't see
any legitimate use in emails
Hmm... The main uses I can think of for display:none and
Kelson wrote:
(3) Scripting that will show and hide sections in response to time or
user interaction.
...
#3 shouldn't even be a consideration, since HTML-capable email clients
should have scripting disabled for safety reasons.
s/Scripting/CSS :hover/ is perfectly reasonable, though:
On Thu, Apr 13, 2006 at 10:39:29AM -0600, wrote:
Any idea how this one got through?
body BRIAN_PHONE_NUMBERS
/2.0.6.9.8.4.2.3.2.7|2.0.6.3.3.3.0.0.5.1|2.0.6.9.8.4.0.1.0.6|3.3.8.3.5.7.9|2.0.6.3.3.8.6.0.6.1|2.0.6.2.0.2.2.0.3.3/
A Gen_uine Coll`ege Deg.ree in 2 weeks Cal_l us
Please start a new thread instead of replying to an unrelated message.
Thursday 13 April 2006 18:39 wrote:
Any idea how this one got through?
body BRIAN_PHONE_NUMBERS
/2.0.6.9.8.4.2.3.2.7|2.0.6.3.3.3.0.0.5.1|2.0.6.9.8.4.0.1.0.6|3.3.8.3.5.7.9|2.0.6.3.3.8.6.0.6.1|2.0.6.2.0.2.2.0.3.3/
Theo Van Dinter wrote:
On Thu, Apr 13, 2006 at 10:39:29AM -0600, wrote:
Any idea how this one got through?
body BRIAN_PHONE_NUMBERS
/2.0.6.9.8.4.2.3.2.7|2.0.6.3.3.3.0.0.5.1|2.0.6.9.8.4.0.1.0.6|3.3.8.3.5.7.9|2.0.6.3.3.8.6.0.6.1|2.0.6.2.0.2.2.0.3.3/
A Gen_uine Coll`ege Deg.ree
John Rudd wrote:
While I don't disagree with your assessment of XP systems, I have a
different hunch about why such a large percentage of the mail coming
from XP systems is spam, and a smaller percentage of mail coming from
the other systems is spam:
a) In general, XP systems are not
Good afternoon, Michael,
On Thu, 13 Apr 2006, Michael Monnerie wrote:
Hi, I just received some new bayes poison attempt. I never had one so
large, maybe that could start to be a bit of problem?
To the best of my knowledge, it isn't. Temporarily you get more
hapaxes (tokens seen just once)
On Thursday 13 April 2006 11:55, [EMAIL PROTECTED] wrote:
Theo Van Dinter wrote:
On Thu, Apr 13, 2006 at 10:39:29AM -0600, wrote:
Any idea how this one got through?
body BRIAN_PHONE_NUMBERS
/2.0.6.9.8.4.2.3.2.7|2.0.6.3.3.3.0.0.5.1|2.0.6.9.8.4.0.1.0.6|3.3.8.3.5.7
[EMAIL PROTECTED] wrote:
The spammer used the Yahoo! webmail infrastructure (probably via an
automated HTTP client) to send his spam.
I've been reporting spam with good DK signatures to the mail provider:
http://add.yahoo.com/fast/help/us/mail/cgi_spam
On Thu, Apr 13, 2006 at 09:45:13AM -0700, Kelson wrote:
Nope. No legit uses in email that I can think of.
Just because you can't think of a use doesn't mean people don't use them.
I see a lot of:
div ... style=...; visibility: hidden; ...
input ... style=display: none ...
div ...
On Thu, Apr 13, 2006 at 09:55:59AM -0700, [EMAIL PROTECTED] wrote:
2*0*6*984-2327
/2.?0.?6.?9.?8.?4.?2.?3.?2.?7|2.?0.?6.?3.?3.?3.?0.?0.?5.?1|2.?0.?6.?9.?8.?4.?0.?1.?0.?6|3.?3.?8.?3.?5.?7.?9|2.?0.?6.?3.?3.?8.?6.?0.?6.?1|2.?0.?6.?2.?0.?2.?2.?0.?3.?3/
Or, perhaps, better:
On Apr 13, 2006, at 9:56 AM, mouss wrote:
I am also seeing many legit mail triggering some SA rules (*_exess,
no_real_name, x_library, ...). When I see this, I check the rule, and
if I can't find a justification, I disable it.
I wouldn't do that.
Just because legitimate mail triggers
!Sure, the pattern doesn't match. . means there has to be some (any)
!character between the numbers. 984 has no characters between the
!numbers.
DOH!!!
Thanks. You're right...
Michael Monnerie wrote:
On Donnerstag, 13. April 2006 18:15 mouss wrote:
pfff. just reading the two first paragraphs is enough to look
elsewhere. some people seem to redefine what a false positive is.
I didn't mean that, I meant the tarpitting approach. Of course you have
to set some (much)
[EMAIL PROTECTED] wrote:
s/Scripting/CSS :hover/ is perfectly reasonable, though:
http://www.meyerweb.com/eric/css/edge/menus/demo.html
(doesn't work in IE 6, but works fine in Firefox, Safari, IE 7b2pr...)
D'oh!
I blame the coffee. There wasn't enough of it when I wrote my last post.
On
Mysql:
SHOW VARIABLES LIKE 'character%'
Variable_name             Value
character_set_client      utf8
character_set_connection  utf8
character_set_database    latin1
character_set_results     utf8
character_set_server      utf8
character_set_system      utf8
character_sets_dir        /usr/share/mysql/charsets/
mouss wrote:
I also understand that US guys may get less encoded subjects, but at least in
.fr, we have that all the time (because of our accented letters, and because
many companies still use software that predates mime). and if I find a
legitimate IP in a dnsbl used by SA, then I just
I want to use SA for a lot of users who don't have a home directory.
Their mails are in /var/mail. The spammed mails are sent to the
recipient in his file /var/mail/user with the addition of SA.
The bayes and auto-whitelist database will be common to anybody.
I use spamassassin 3.0.3
It's better with a subject :(
I want to use SA for a lot of users who don't have a home directory.
Their mails are in /var/mail. The spammed mails are sent to the
recipient in his file /var/mail/user with the addition of SA.
The bayes and auto-whitelist database will be common to
Matt Kettler wrote:
mouss wrote:
I also understand that US guys may get less encoded subjects, but at least in .fr, we have that all the time (because of our accented letters, and because many companies still use software that predates mime). and if I find a legitimate IP in a dnsbl used by SA,
Daniel Madaoui wrote:
snip
So I restart the spamd daemon with these options
/usr/local/bin/spamd -d -m10 -u spamassassin ( spamassassin is a user
with its directory /home/spamassassin/.spamassassin )
It tries to use the .spamassassin directory which belongs to root
(/root/.spamssassin/ )
On Thu, Apr 13, 2006 at 08:40:30PM +0200, Ruben Cardenal wrote:
header __ID1 /regexp1/
header __ID2 /regexp2/
header __ID3 /regexp3/
meta MYID ((__ID1 + __ID2 + __ID3) 1)
When a message triggers MYID, is there any way in the X-Spam-Report of
showing which individual parts of the
mouss wrote:
However, it is true that the vast majority of the corpus currently
comes from
folks who speak English (King's or Yankee) as a primary language, and
that's a
bit of a problem as it creates considerable bias in the rules.
And even us US folks do have encoding issues. After all,
On Apr 13, 2006, at 11:40 AM, mouss wrote:
Matt Kettler wrote:
And even us US folks do have encoding issues. After all, English is
not our
official language here in the US,
what do you mean here? what would be your official language?
The US doesn't have an official language.
By
Ruben Cardenal wrote:
Hi,
Let's say I have:
header __ID1 /regexp1/
header __ID2 /regexp2/
header __ID3 /regexp3/
meta MYID ((__ID1 + __ID2 + __ID3) 1)
score MYID 1
When a message triggers MYID, is there any way in the X-Spam-Report of
showing which individual parts of
On Donnerstag, 13. April 2006 19:05 Justin Mason wrote:
0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
0.0 DK_SIGNED Domain Keys: message has a signature
-0.0 DK_VERIFIED
Justin Mason wrote:
http://ajax.apache.org/%7ejefft/ :
Bugzilla is moving to a new host, and is temporarily down while the
database synchs. Apologies for the inconvenience.
--j.
Yay, it doesn't seem excruciatingly slow anymore.
On Thu, Apr 13, 2006 at 11:45:07PM +0200, Michael Monnerie wrote:
0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
0.0 DK_SIGNED Domain Keys: message has a signature
-0.0
Forrest Aldrich wrote:
I've been having some difficulty with the user_prefs and the whitelist_*
functions. I read the examples etc, and I believe these are correct,
but clearly certain email is still being tagged (see below). I wonder
if someone can help clarify what I'm doing wrong here.
Daryl C. W. O'Shea wrote:
Your whitelist entries don't match
[EMAIL PROTECTED].
This should work (note the *@):
whitelist_from_rcvd [EMAIL PROTECTED] hermes.apache.org
This would work, but would be trivially forged:
whitelist_from [EMAIL PROTECTED]
If you use the SPF plugin,
Fixed the problem. Backed up the bayes tables with sa-learn --backup, and save
the userpref and awl tables with mysqldump. Then deleted out the entire
database, set everything to utf8 in my.cnf, recreated the database and tables
using utf8 as the default character set. Then restored from
This appeared in my logs. Running 3.1.1 on Linux FC3 (x86_64) with
Sendmail 8.13.1 and Mimedefang 2.56:
Apr 13 16:57:05 mail sendmail[23371]: NOQUEUE: connect from
lists-outbound.sourceforge.net [66.35.250.225]
Apr 13 16:57:05 mail sendmail[23371]: k3DMv5s4023371: Milter
(mimdefang): init
Philip Prindeville wrote:
Apr 13 16:57:06 mail mimedefang-multiplexor[11341]: Slave 8 stderr:
Premature padding of base64 data at
snip
Any ideas? Didn't see any mention of it in previous postings...
Looks like someone screwed up their base-64 encoding. Base64 encodes into
quartets,
states like California where it could matter (reducing costs in govt
overhead by eliminating multiple languages and the requirement for
multilingual workers), the English as state language supporters are
afraid of what almost happened in Florida.
Considering that at last census a minority of
Loren Wilton wrote:
I predict that the US will be the first country in the 21st century to
abandon English as the national language, while almost all other countries
seem to be mandating that their citizens learn English.
Loren
The problem with the US is that we are linguistic idiots
On Thursday, April 13, 2006 10:32 PM -0600 Paul R. Ganci
[EMAIL PROTECTED] wrote:
Unfortunately I am still a linguistic idiot and only speak English ... a
Buffalo, NY version at that! My grandparents came over from Italy in
1920 and promptly stopped speaking Italian around my parents. It
61 matches