Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote: For some seconds I have gotten this spam, which has passed my spamassassin but was hit by a separated ZEN rule in procmail: Return-Path: soria.h.steven...@gmail.com X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on

Re: RulesDuJour

2009-06-30 Thread Matt Kettler
Anshul Chauhan wrote: we have to copy KAM.cf to /usr/share/spamassassin only for its integration with spamassassin or something else is to be done I'm using spamassassin-3.2.5-1.el4.rf on Centos4.7 Any add-on rules should be placed in the same directory as your local.cf (i.e.:

Re: New type of spam... (very curious)

2009-06-30 Thread Matus UHLAR - fantomas
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote: For some seconds I have gotten this spam, which has passed my spamassassin but was hit by a separated ZEN rule in procmail: Return-Path: soria.h.steven...@gmail.com X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on

Re: RulesDuJour

2009-06-30 Thread Matus UHLAR - fantomas
Anshul Chauhan wrote: we have to copy KAM.cf to /usr/share/spamassassin only for its integration with spamassassin or something else is to be done I'm using spamassassin-3.2.5-1.el4.rf on Centos4.7 On 30.06.09 02:11, Matt Kettler wrote: Any add-on rules should be placed in the same

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Jason Haar wrote: All this talk about trying to catch urls that contain spaces/etc got me thinking: why isn't this a standard SA feature? i.e. if SA sees www(whitespace|comma|period)-combo(therest), then rewrite it as the url and process. How would you distinguish between ... go to WWW

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
... go to WWW EVIL ORG for new meds ... and ... digging through the WWW HE SAW this link ... Both IMO should be caught and given a positive score. I've never seen legitimate mail containing URLs written this way. And what about URLs that don't start with WWW, like http://

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie wrote: ... go to WWW EVIL ORG for new meds ... and ... digging through the WWW HE SAW this link ... Both IMO should be caught and given a positive score. I've never seen legitimate mail containing URLs written this way. Maybe I was not clear: The last one is NOT a URL.

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 12:30:14, Jan P. Kessler wrote: How would you distinguish between ... go to WWW EVIL ORG for new meds ... and ... digging through the WWW HE SAW this link ... to prevent SA trying to look up www.he.saw? Is SAW a valid TOPLEVEL domain? SA could use a list of

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 11:58:20, Martin Gregorie wrote: http:// meds spammer org That should be scored positive too, for the same reason. And in my org this should not happen... my.org is a valid domain FOR SALE. Thanks, Greetings and nice Day/Evening Michelle Konzack

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Michelle Konzack wrote: Is SAW a valid TOPLEVEL domain? SA could use a list of valid TLDs. Ok, let's change that (do not forget that there's more than .com) the www seems to become the primary source of information these days (-www.seems.to?) And I think we agree that it would

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Yet Another Ninja
On 6/30/2009 1:18 PM, Michelle Konzack wrote: On 2009-06-30 12:30:14, Jan P. Kessler wrote: How would you distinguish between ... go to WWW EVIL ORG for new meds ... and ... digging through the WWW HE SAW this link ... to prevent SA trying to look up www.he.saw? Is SAW a valid

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
On Tue, 2009-06-30 at 13:14 +0200, Jan P. Kessler wrote: Martin Gregorie wrote: ... go to WWW EVIL ORG for new meds ... and ... digging through the WWW HE SAW this link ... Both IMO should be caught and given a positive score. I've never seen legitimate mail containing URLs

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie wrote: What makes you think I'm using URI tests or that any of these would be recognised as a URI? My tests are simple body tests with {1,n} limits on repetitions to keep things under control. So you want obfuscated urls to be recognised as urls but not treated as urls?

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
So you want obfuscated urls to be recognised as urls but not treated as urls? Of course. It's spam. If this is just for a few own pcre body rules, I'd suggest you handle those de-obfuscations in your rules. Guess what I'm doing. You can also publish your own plugin, if you think that it

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin
On Tue, 30 Jun 2009, Jan P. Kessler wrote: Martin Gregorie wrote: ... digging through the WWW HE SAW this link ... Both IMO should be caught and given a positive score. I've never seen legitimate mail containing URLs written this way. Maybe I was not clear: The last one is NOT a URL.

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Wilcock
On 30/06/2009 17:16, John Hardin wrote: ... looking at the www peter got an impression of ... (- www.peter.got?) TLDs are limited and prevent FPs of that particular nature. Sure, but there are lots of ccTLDs that could be confused with English words, never mind other languages.

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Mike Cardwell
John Wilcock wrote: ... looking at the www peter got an impression of ... (- www.peter.got?) TLDs are limited and prevent FPs of that particular nature. Sure, but there are lots of ccTLDs that could be confused with English words, never mind other languages. Do you really want

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin
On Tue, 30 Jun 2009, John Wilcock wrote: On 30/06/2009 17:16, John Hardin wrote: ... looking at the www peter got an impression of ... (- www.peter.got?) TLDs are limited and prevent FPs of that particular nature. Sure, but there are lots of ccTLDs that could be confused with

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 13:50:09, Yet Another Ninja wrote: See RegistrarBoundaries.pm in SA source and http://www.rulesemporium.com/rules/90_2tld.cf I know this list, but these are only domains where you can get a 3rd-level domain like on free.fr as http://tamay.dogan.free.fr/ which was

Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Tue, 30 Jun 2009 09:10:36 +0200 Matus UHLAR - fantomas uh...@fantomas.sk wrote: On 30.06.09 07:06, rich...@buzzhost.co.uk wrote: Are you saying that ZEN caught it after SA processed it? Why are you not using ZEN in SA or at the SMTP stage? She apparently does not have control over

Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 04:33:57, Benny Pedersen wrote: what IP? [michelle.konz...@michelle1:~] host 224.118.146.174.zen.spamhaus.org 224.118.146.174.zen.spamhaus.org has address 127.0.0.11 Thanks, Greetings and nice Day/Evening Michelle Konzack System Administrator Tamay Dogan Network

Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 07:06:37, rich...@buzzhost.co.uk wrote: Are you saying that ZEN caught it after SA processed it? Why are you not using ZEN in SA or at the SMTP stage? Because it does not work... My mail server does tons (the syslog of my DNS server is full of it) of DNS checks but ZEN does

SA report header added to ham mail

2009-06-30 Thread John Horne
Hello, Using SA 3.2.5 I read in the Mail::SpamAssassin::Conf man page that: report_safe ( 0 | 1 | 2 ) (default: 1) ... If this option is set to 0, incoming spam is only modified by adding some X-Spam- headers and no changes will be made to the body. In

Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin
On Tue, 30 Jun 2009, Michelle Konzack wrote: On 2009-06-30 07:06:37, rich...@buzzhost.co.uk wrote: Are you saying that ZEN caught it after SA processed it? Why are you not using ZEN in SA or at the SMTP stage? Because it does not work... My mail server does tons (the syslog of my DNS

Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 21:57 +0100, John Horne wrote: I am currently reconfiguring SA, and have set report_safe to 0. Our 'required' score is 8, and I have also configured: clear_report_template report Score=_SCORE_ tests=_TESTS_ autolearn=_AUTOLEARN_ The report option does not

Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 14:08:33, John Hardin wrote: If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? In Debian, the network related scans are activated and I do not know why ZEN is never executed. If you know more

X-Mailer: domain

2009-06-30 Thread Mike Cardwell
Hi, I've started seeing spam email containing an X-Mailer header which is the domain name of the From header. E.g.: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check for this? -- Mike Cardwell - IT Consultant

Re: SA report header added to ham mail

2009-06-30 Thread Mark Martinec
X-spam-report: Score=-6.9 tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham That is not a standard SA header. Actually, there's quite a lot fishy about that. First of all, SA is incapable of adding it -- all SA generated headers start with X-Spam- (note the uppercase S,

Re: X-Mailer: domain

2009-06-30 Thread Benny Pedersen
On Wed, July 1, 2009 01:23, Mike Cardwell wrote: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check for this? impossible without a plugin, would be faster to reject sender in MTA -- xpoint

Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin
On Wed, 1 Jul 2009, Michelle Konzack wrote: On 2009-06-30 14:08:33, John Hardin wrote: If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? In Debian, the network related scans are activated and I do not know why

Re: X-Mailer: domain

2009-06-30 Thread John Hardin
On Wed, 1 Jul 2009, Benny Pedersen wrote: On Wed, July 1, 2009 01:23, Mike Cardwell wrote: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check for this? impossible without a plugin ...unless you just do a

Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 00:23 +0100, Mike Cardwell wrote: I've started seeing spam email containing an X-Mailer header which is the domain name of the From header. Eg: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com The *first* question should be, how are

Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote: On Wed, 1 Jul 2009, Benny Pedersen wrote: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check for this? impossible without a plugin Meep. Wrong!

Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 01:26 +0200, Mark Martinec wrote: X-spam-report: Score=-6.9 tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham That is not a standard SA header. Actually, there's quite a lot fishy about that. First of all, SA is incapable of adding it -- all

Re: X-Mailer: domain

2009-06-30 Thread John Hardin
On Wed, 1 Jul 2009, Karsten Bräckelmann wrote: On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote: On Wed, 1 Jul 2009, Benny Pedersen wrote: From: Compare and Cover Life i...@3009943.webguide103.com X-Mailer: webguide103.com How would I construct a spamassassin rule to check for this?

Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Wed, 1 Jul 2009 01:15:56 +0200 Michelle Konzack linux4miche...@tamay-dogan.net wrote: On 2009-06-30 14:08:33, John Hardin wrote: If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? In Debian, the network related

Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
Both of you. ;) Mea culpa. I _never_ think of header ALL rules. See my RATWARE_OUTLOOK rule. ;) Reminds me of an important bit I meant to add, but forgot. It's pretty important to properly anchor matches and limit wildcard matching with multi-line REs -- otherwise they can easily bog down

Re: SA report header added to ham mail

2009-06-30 Thread LuKreme
On 30-Jun-2009, at 14:57, John Horne wrote: I am currently reconfiguring SA, and have set report_safe to 0. Our 'required' score is 8, and I have also configured: Raising the required score is clearly a mistake. Setting report safe to 0 is generally user-hostile. Setting it to one is the

Re: www.shopXX.net

2009-06-30 Thread LuKreme
On 29-Jun-2009, at 10:53, Kevin Parris wrote: It is folly to underestimate the stupidity and/or gullibility of humans. Just because the link won't work as-is in the message does NOT mean people out there won't retype it, corrected, into their browser address box. It is my opinion that if

Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 18:36 -0600, LuKreme wrote: On 30-Jun-2009, at 14:57, John Horne wrote: I am currently reconfiguring SA, and have set report_safe to 0. Our 'required' score is 8, and I have also configured: Raising the required score is clearly a mistake. Setting report safe to 0

Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote: On 2009-06-30 14:08:33, John Hardin wrote: If zen worked to catch the message in procmail, how does it not work on your MTA? Or did we misinterpret your original post? In Debian, the network related scans are activated and I