e old entries otherwise kept forever.
I also have some thoughts about discarding "hammers" at the end of that
document.
Any feedback on this would be welcome.
Dennis German
On 3/3/11 8:06 PM, Karsten Bräckelmann wrote:
On Fri, 2011-03-04 at 01:53 +0100, Mikael Syska wrote:
I get the following hits:
Content analysis details: (19.1 points, 5.0 required)
Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
Yes, I can tell this from the scores. :)
On 3/3/11 10:09 PM, Karsten Bräckelmann wrote:
On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:
Could we please make an official project statement that 3.2.x is
unsupported and people should really update to 3.3.x?
That s
Can someone comment on the low score assigned to the email located at
http://www.cccu.us/hundredThousand.txt
X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
MILLION_USD=1.528
Is my bayes "broken"?
On Oct 23, 2010, at 12:31 PM, Royce Williams wrote:
> On Sat, Oct 23, 2010 at 7:31 AM, Per Jessen wrote:
>> Royce Williams wrote:
>>
>>> On Fri, Oct 22, 2010 at 5:19 AM, Michael Scheidell
>>> wrote:
On 10/21/10 8:50 PM, dar...@chaosreigns.com wrote:
>
> I'd like to try collecting
Is there? should there be a rule for a header like:
To: undisclosed-recipients:;
On Oct 19, 2010, at 5:56 PM, Karsten Bräckelmann wrote:
> On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
>> On 19/10/10 22:34, Dennis German wrote:
>>> I am surprised this plain text spam did not trip for US$350,000
>>> sa 3.2.4
>
> Uhm, a generic amount o
I am surprised this plain text spam did not trip for US$350,000
sa 3.2.4
http://www.Real-World-Systems.com/mail/spam.un
There is at least one problem with my script, NOT spamassassin.
I did not expect the results to be in different order.
The grep -A14 'pts rule name' may not display all the errors.
Sorry 'bout that.
Dennis
.oo
grep X-Spam $1.oo
grep -A13 "pts rule name" $1.oo |grep -v "\-\-\-\-"
where user_prefs.rptonly contains
add_header all report _REPORT_
add_header all testscores _TESTSSCORES(,)_
I run the script multiple times and get unpredictable results regarding the
appearance of M
after
complaints of BLs and before HTML issues.
Has anyone seen this behavior?
Thank you,
Dennis German
Hello world, goodnight moon
On Sep 15, 2010, at 1:42 PM, RW wrote:
> On Wed, 15 Sep 2010 11:18:20 -0400
> Dennis German wrote:
>
>> On Aug 26, 2010, at 10:11 AM, Grant Peel wrote:
>> ...
>> ~/.spamassassin/bayes* files had grown to 1.5 GB
>>> I have put:
>>> use_bayes 0
>&g
t file,
entry by entry and
output to a new file. This will not copy deleted entries and the output will be
significantly smaller.
I don't know of any program, but if there is interest I might write one.
Dennis German
In the last several weeks I have been receiving a lot of spam with email
addresses of the form:
learningmadeeasy.???...@??.yourseemlost.net
learningmadeeasy.???...@??.hisoftenusing.net
learningmadeeasy.???...@??.wheatdrinkcontrol.net
learningmadeeasy....@??.actbookfelt.net
lea
eems to be "stuck" on SpamAssassin 3.2.4 (2008-01-01)
I requested they upgrade last year and they weren't interested.
I requested this last week and they are still evaluating it.
Thank you,
Dennis German
On Wed, 2010-04-28 at 12:38 -0400, Carlos Mennens wrote:
> I checked /etc/mail/spamassassin/local.cf just now and found only the
> following:
>
> required_hits 5
> report_safe 0
> rewrite_header Subject [SPAM]
>
> However I don't know if Amavisd-new is looking at local.cf because I
> show para
sts=[BAYES_50=0.8, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
> RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
> autolearn=no
>
This particular message scored a 2.808 so it's not high or low enough
for bayes to know which way it should learn the message.
--Dennis
ou are not worried about performance or memory you could give
each VM 128 MB of RAM and only be using 1 GB or so total...
--Dennis
rn from its mistakes as easily.
--Dennis
ke.
I use postfix as my MTA right now, but am not completely opposed to
using something else if necessary to use a specific quarantine system.
Thanks,
--Dennis
he AWL count is low (maybe
3 or 4).
--Dennis
led?
Is there a way to have the AWL rule only triggered if there is a minimum
number of messages seen by that sender?
--Dennis
On Fri, 2010-03-26 at 11:35 -0400, Michael Scheidell wrote:
>
> On 3/26/10 10:41 AM, Dennis B. Hopp wrote:
> > I received the following e-mail
> >
> > http://pastebin.com/JXr9buxi
> >
> > It had a total score of 4.973 (blocked at 5). Among other rules i
? Is there a way to report FP to KHOP?
Thanks,
--Dennis
able version of
maia-mailguard does not work correctly with 3.3.0. There is a patch in
the svn for maia that fixes the issue.
--Dennis
" which leads me to
believe you are using amavisd-new. Are both servers using
amavisd-new?
--Dennis
On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote:
>
> > The problem with this is that the !__FORGED_YH2 matches
> > when there is *NO* Reply-To header at all!
> >
> > You need something like this:
> >
> > header __FORGED_YH2 Reply-To =~ /\
oo.com and the reply-to does
not.
>
> However, keep in mind that the headers for *this* mailing list would
> trigger your rule. So you will also need to meta this with a rule that
> tests for yahoo mail server being the sending SMTP client
>
Good point. I didn't think about that..
--Dennis
iggered on a message with the following header
http://pastebin.com/qs18DpYn
My best guess is it is using the "In-Reply-To" header...is there a way
to differentiate "In-Reply-To" and "Reply-To" ?
Thanks,
--Dennis
> ...and I suppose the same would apply to social networks. I don't use
> either, so am somewhat clueless about what goodies are available if you
> can access their accounts.
>
I have some free e-mail accounts that I use as throw away accounts.
When a site just HAS to have a valid e-mail so you
his
address book (which is why many of my users got the same message).
Sadly, we have had this happen a couple of times with hotmail and yahoo
addresses.
What can I say, some of our clients aren't exactly the most tech savvy.
--Dennis
rule:
>
> describe FORGED_FROM Hotmail,Yahoo or Google with Japanese Reply-to
> header __FF1 From =~ /\@(hotmail|yahoo|gmail)\.com/i
> header __FF2 Reply-to =~ /\.jp/i
> meta FORGED_FROM (__FF1 && __FF2)
> score FORGED_FROM 5.0
Thanks Martin. This is actually far simpler than I was thinking it
would be.
--Dennis
on this class of spam... if you can get enough samples to
> build a complete enough set of phrase rules.
I'm going to look at what Martin suggested and compare it to what
samples I have.
Thanks,
--Dennis
On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote:
> On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
>
> > Obviously we just have to tell the clients that they need to deal with
> > the various e-mail providers, but is there an effective way that I can
> &g
hanks
--Dennis
Quoting Kai Schaetzl :
Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:
Obviously I have something going on with my bayes, but that's a
separate issue
Indeed. But it's an important issue. If it is that biased for other
spam as well
you are better off to not use
thinking that when referring to US Dollars it wouldn't be. Now
that I think about it I can understand why my original thought was
wrong.
I guess it doesn't really matter since the message was actually
hitting another rule (T_LOTS_OF_MONEY) that I somehow missed.
--Dennis
Nevermind...it was also hitting
T_LOTS_OF_MONEY
and once I expired old bayes tokens it no longer hit BAYES_00. Now I
just have to figure out what's up with my bayes db.
--Dennis
Quoting "Dennis B. Hopp" :
I have been seeing a few spam mails slip past that talk about being
a
issue
Thanks,
--Dennis
> m > .out in order to
see the X-Spam-report (which is Not included in ham !)
My userprefs is always available at
http://www.Real-World-Systems.com/mail/user_prefs.html
I have not manually trained bayes.
Thanks
John Hardin wrote:
On Tue, 25 Aug 2009, Dennis German w
sa-learn --dump magic
config: could not find site rules directory
0.000 0 3 0 non-token data: bayes db version
0.000 0 262297 0 non-token data: nspam
0.000 0 24621 0 non-token data: nham
0.000 0 142776
email with this content:
CONGRATULATION YOUR EMAIL ADDRESS HAS WON YOU THE 2010 FIFA WORLDCUP LOTTERY
OPEN THE ATTACHMENT AND VIEW THE PROFILE OF YOUR WINNING FUND, ALSO
CONTACT YOUR CLAIM AGENT
received these scores
X-Spam-testscores: BAYES_00=-2.599,HTML_MESSAGE=0.001,MISSING_HEADERS=5.
opy a message or two (with full headers) to pastebin so we
can have a look?
--Dennis
Is Backscatter.org <http://www.backscatterer.org/index.php> used by any
rules?
I looked but did not find any.
Dennis G German
Summary:
Problem:
Observing "scatter" from many different sites coming to vari...@mydomain.com.
These are NDRs (Non delivery Responses) to messages sent from
the forger or infected system :
59.184.51.13 aka triband-mum-59.184.51.13.mtnl.net.in
Is already blacklisted on many Realtime B
I have received many emails in the last hour which were undeliverable,
NOT sent by me.
It seems someone is forging usernames in my domain Real-World-Systems.com
as the "from:" and the "return-path:" .
Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
I have sent a message to ab...@mn
Quoting Karsten Bräckelmann :
If I'm reading that correctly less than 50% of mail is actually
being filtered (seems like it should be higher than that). Those stats
Actually, the numbers you gave for the "last couple days" are even
lower. About one third, <15k out of 45k do have a BAYES_xx hit
Quoting Karsten Bräckelmann :
On Fri, 2009-07-31 at 06:07 -0700, John Hardin wrote:
On Fri, 31 Jul 2009, Dennis B. Hopp wrote:
> I cleared my maia statistics a couple of days ago. Since then
BAYES_00 has
> triggered 4510 times, BAYES_99 2366 times and BAYES_50 1568 (all the
Quoting John Hardin :
On Fri, 31 Jul 2009, Dennis B. Hopp wrote:
I cleared my maia statistics a couple of days ago. Since then
BAYES_00 has triggered 4510 times, BAYES_99 2366 times and BAYES_50
1568 (all the other BAYES_XX are less than 1000 times).
Do they all add up to about 45,000
to make the auto learn a little better. I
thought maybe I just didn't have enough rules (both negative and
positive scoring) to trigger the auto learn often enough.
Thanks,
--Dennis
Quoting LuKreme :
On Jul 30, 2009, at 18:12, "Dennis B. Hopp" wrote:
Yeah I knew that. I have a few negative scoring rules but not many
(outside of what might be in the misc rules sets I have). What is
a good threshold for ham then?
5.0 is the score SA is designed for. I
Wes
Try putting the header on a site like www.pastebin.com and then put
the link in your e-mail rather than the actual header.
--Dennis
w negative scoring rules but not many
(outside of what might be in the misc rules sets I have). What is a
good threshold for ham then?
--Dennis
some of my problems.
Thanks,
--Dennis
How 'bout a link from HEAT ( Heuristic Email Address Tracking )
Matus UHLAR - fantomas wrote:
On Wednesday 27 May 2009 LuKreme wrote:
No, you are confused. This is common, lots of people are confused
about this. This is why many people think the name needs to be
changed to "Averaged Weigh
Do you see any x-Spam headers in the emails ?
Is this on a shared server (cPanel)?
hateSpam wrote:
I have spamassassin installed in my server but I have never had an email with
[SPAM] in the subject. I get lots of spam. I think it is not checking
properly.
anybody know how to solve the probl
Sahil Tandon wrote:
On Sun, 17 May 2009, Dennis German wrote:
Could someone discuss or add a wiki page about?
SPF_SOFTFAIL
http://www.openspf.org/RFC_4408#op-result-softfail
SPF_NEUTRAL
http://www.openspf.org/RFC_4408#op-result-neutral
Could someone discuss or add a wiki page about?
SPF_SOFTFAIL
SPF_NEUTRAL
am-Report:
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 12 FUZZY_OCR BODY: Mail contains an image with common spam text inside
* [Words found:]
["viagra" in 5 lines]
["profit" in 1 lines]
[(9 w
ccounts.
...of course the phishers are now sending out form URLs to
be completed:
http://jotform.com/form/91140758246
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
There are a group of rules that begin with TDV_ like
TVD_PH_SUBJ_ACCOUNTS_POST, TVD_QUAL_MEDS, TVD_RCVD_SINGLE
What does TDV stand for?
I have had
required_score 3.97
since 4/1/09 but spamassassin email says
X-Spam-Report:
...
Content analysis details: (18.4 points, 4.0 required)
also MISSING_DATE 3.0 should be 2.97 and
MISSING_MID 3.0 should be 2.97
I had these values several days ago!
Any i
> spamassassin --version
SpamAssassin version 3.2.4
> ls -l /var/lib/spamassassin
drwxr-xr-x 3 4096 Oct 16 18:27 compiled/3.002004 ...
The ONLY directory under /var/lib/spamassassin
is
compiled
and it does not contain any .cf files,
nor do any of the subdirectories
PS
Sorry
I believe this is another cPanel issue.
Attempting to run sa-update displays:
mkdir /etc/mail: Permission denied at /usr/bin/sa-update line 1226
How can I determine the last time sa-update was run?
> sa-update
mkdir /etc/mail: Permission denied at /usr/bin/sa-update line 1226
There is no /etc/mail directory available. (I believe the /etc directory I
can view is artificial)
I cannot make a mail directory.
I suspect this is another cPanel (shared host) problem.
Is there a way I can d
?
Thanks,
Dennis German
0) Michael, thanks
1) what are the various zero columns??
for example in 0.000 0 3 0 non-token data: bayes db version
2) Is this good? not too good? bad? trouble?
On Mar 16, 2009, at 14:03, Michael Scheidell wrote:
Is there a document regarding the interpretation o
Is there a document regarding the interpretation of
> sa-learn --dump magic
config: could not find site rules directory
0.000 0 3 0 non-token data: bayes db version
0.000 0 261451 0 non-token data: nspam
0.000 0 18530
Attempting to see how spamassassin would score a message
I tried
spamassassin < lottery.msg
[32179] warn: config: could not find site rules directory
check: no loaded plugin implements 'check_main': cannot scan! at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMs
Updated, Thought you all might be interested ( see updates)
My intention is to observe false negatives (i.e. spam seen as ham) and
increase the score of one or more of the tests in an effort to cause
additional spam to be detected.
I am using a hosting service where spamassassin configura
Is there a utility to display auto-whitelist ?
Modify entries? remove entries?
My intention is to observe false negatives ( i.e. spam seen as ham) and
increase the score of one or more of the tests in an effort to cause
additional spam to be detected.
I am using a hosting service where spamassassin configuration is
updatable by the cPanel system.
I can also modify ~/.
Yes, it has been a problem as there are so many domains used. However..I
took everyone's earlier suggestions, including training Bayes against FN
snowshoe spam and adding the Barracuda RBL (BRBL), and this appears to
almost completely take care of the problem!! So far I have been able to
rem
Everyone has given very helpful feedback! At present it definitely sounds
like I should tweak my rules and train my bayes. I will try taking steps
here and see how it goes.
Thank you all so very much!
> your BAYES is misfiring. The difference between BAYES_05 and BAYES_99 is 4.6
> so you could have score of 5.7 if you'd have well-trained BAYES.
Yes, that would be great. I will look at trying this. I do get tens of
thousands of e-mails a day through this system though so it is hard to do
manu
> Can you repost that with full headers?
Yes, I have to wait for more to come through though as I have gotten into
the habit of just deleting the FNs.
> No DNSBL hits on the URI domain?
No, the domains change too quickly, so I almost never get DNSBL hits for
these. I have DNSBL greylisting fro
> I've been using this rule to knock some of these down:
> [...]
> Highly unusual to have a url like that in ham...
> I'm running a meta to bump up the score...
Yes, I've actually been doing the very same thing (URI detection and metas,
and then string matching in the tail part of the e-mail) !
> Is this spam for snowshoes or some "spam term"?
"Like a snowshoe spreads the load of a traveler across a wide area of snow,
some spammers use many frequently-changing IP addresses and domains to
spread out the spam load in order to dilute recipient reputation metrics and
evade filters."
see ht
> why are those scores low? What gives them negative score?
> those rules have quite high score...
Here is an example (without my rules): http://pastebin.com/m4400a74d
The ones that get through are relatively short and simple, and many are very
"clean". This example is just one that focuses on
Hi, I'm getting hammered by snowshoe spam :-( I've added rules to try to
catch common formats of included URLs in the spam, but I'm wary of scoring
these rules too high because of the potential for false positives. It's
hard to come up with other rules as the spam e-mail content is so generic.
> How about:
>/:\/\/[^.\/]+\.[^\.\/]+\//
Hi John, sweet, this seems to work! Could you help me with how to add a
list of "com|net|info|biz|etc" before the closing "/", so it will match
against a list of known TLDs?
Many thanks, you are awesome :-)
.dh
Hi, I was hoping someone on this list could help me with a custom rule for
SpamAssassin. I'm not an expert at perl regexps at all, and spent a lot
of time trying to come up with a working match, all to no avail...
What I would like to match on is URLs that do _not_ start with a third level
do
ific users
who are being badly affected.
Usual caveats apply: I've no idea how difficult it would
be for you to install and I've never used it myself.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
Using Spamassassin 3.1.8. I haven't updated SA in about six months. Ran
SA-update -D using the default channel of updates.spamassassin.org, received
error "new version is 585884, skipped channel".
What exactly is going wrong here. Has the sa update default channel been
changed?
i think we all need to read the TMDA FAQ ! :-)
On 6/1/07, Rick Macdougall <[EMAIL PROTECTED]> wrote:
jdow wrote:
> From: "Rick Macdougall" <[EMAIL PROTECTED]>
>
>> Dennis Kavadas wrote:
>>> if i had never meet you before and if i asked you to kn
if i had never met you before and if i asked you to knock on my door before
barging in, would you believe that was too much to ask of you ?
On 6/1/07, jdow <[EMAIL PROTECTED]> wrote:
From: "Per Jessen" <[EMAIL PROTECTED]>
Dennis Kavadas wrote:
> guys, even tho
most, if not all spam have spoofed addresses headers that do not resolve to
a valid account on any host, that said, how is it a problem ?
On 5/31/07, Matt Kettler <[EMAIL PROTECTED]> wrote:
John Rudd wrote:
> Per Jessen wrote:
>> Dennis Kavadas wrote:
>>
>>> g
why ?
On 5/31/07, John Rudd <[EMAIL PROTECTED]> wrote:
Per Jessen wrote:
> Dennis Kavadas wrote:
>
>> guys, even though we use SA for tagging... the real short to long term
>> solution is TMDA
>
> I remember one of my friends saying just that - about 5 year
why isn't it useful in a business context ?
there sender gets a challenge once ! ...how is that a problem ?
On 5/31/07, Per Jessen <[EMAIL PROTECTED]> wrote:
Dennis Kavadas wrote:
> guys, even though we use SA for tagging... the real short to long term
> solution is TMDA
guys, even though we use SA for tagging... the real short to long term
solution is TMDA
just my 2c worth
On 5/31/07, jdow <[EMAIL PROTECTED]> wrote:
From: "John D. Hardin" <[EMAIL PROTECTED]>
> On Wed, 30 May 2007, John D. Hardin wrote:
>
>> Take a look at the spamassassin procmail ruleset a
he has just updated the download script on the main
site (www.sanesecurity.com). Blog additions are coming, but might
not make it until tomorrow.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
shows DCC hitting it, but that's
> about it. Doesn't help that Halifax don't publish SPF records.
In particular the Sanesecurity additions to ClamAV detect this as:
Html.Phishing.Bank.Sanesecurity.06030604
We've detected (and rejected) over 1300 copies of this particular
ph
I keep getting this error - Cant locate object method 'new' via package
"IO::Zlib" at /usr/bin/sa-update line 671 - when attempting to run sa-update.
It worked fine when I ran it about 10 months ago (I'm way behind).
Using SA version 3.1.3 on Fedora.
ith esmtpa (Exim 4.52)
> id 1HUjCF-0005Fo-62; Fri, 23 Mar 2007 12:48:43 +
So have a look at exim's wiki. This specific case is covered in:
http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0710
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
Doh, it's easier with some examples, didn't think of posting a link
until I saw another do it in the archives. (sorry for being a newbie :s)
http://www.hp23c.dk/~d/strangespam/
Notice how 3 of the lines stay exactly the same, while 2 are random.
Regards,
Dennis
l this, if not to try and confuse filters, or
something like that? It's probably nothing, just want make sure that we
know about this, just in case the bastards found a hole.
Regards,
Dennis Du Krøger