Am 10.01.2015 um 15:23 schrieb Steve:
I have a domain for which (for historic reasons) I want a catch-all rule
to accept email. Until recently, Spamassassin has done a great job of
separating the ham from the spam. Recently, I've been receiving a large
number of spam emails which have been
From: Steve spamassassin_st...@shic.co.uk
Date: Sat, 10 Jan 2015 14:23:36 +
I have a domain for which (for historic reasons) I want a catch-all rule
to accept email. Until recently, Spamassassin has done a great job of
separating the ham from the spam. Recently, I've
On 10/01/2015 14:35, Jeff Mincy wrote:
use blacklist_to bogus_us...@mydomain.com ... This will lead to hits on
USER_IN_BLACKLIST_TO
That works perfectly to blacklist 'completely bogus' To addresses.
Many thanks.
On 10/01/2015 14:36, Reindl Harald wrote:
it can work like below by let add
On Sat, 2015-01-10 at 15:36 +0100, Reindl Harald wrote:
headerCUST_LESS_SPAM_TO X-Local-Envelope-To =~
/^(\h\.reindl\@thelounge\.net\|\UnwantedRubbish\@mydomain\.com\)$/i
score CUST_LESS_SPAM_TO 4.0
describe CUST_LESS_SPAM_TO Custom Scoring
That is pretty much what I'd do,
Steve skrev den 2015-01-10 15:23:
If I were to have a list of a few dozen email addresses of the form:
bogus_us...@mydomain.com
onlyspample...@mydomain.com
...
unwantedrubb...@mydomain.com
blacklist_from *@mydomain.com
blacklist_to *@mydomain.com
unblacklist_to
Am 10.01.2015 um 17:39 schrieb Martin Gregorie:
On Sat, 2015-01-10 at 15:36 +0100, Reindl Harald wrote:
headerCUST_LESS_SPAM_TO X-Local-Envelope-To =~
/^(\h\.reindl\@thelounge\.net\|\UnwantedRubbish\@mydomain\.com\)$/i
score CUST_LESS_SPAM_TO 4.0
describe CUST_LESS_SPAM_TO Custom
Am 10.01.2015 um 18:14 schrieb Steve:
On 10/01/2015 14:35, Jeff Mincy wrote:
use blacklist_to bogus_us...@mydomain.com ... This will lead to hits
on USER_IN_BLACKLIST_TO
That works perfectly to blacklist 'completely bogus' To addresses.
Many thanks.
On 10/01/2015 14:36, Reindl Harald wrote:
Ran these against my corpus. Here are the worst performers (lots in
common with RW's complaints):
*SPAM% HAM%S/O NAME*
0.013 0.153 0.080 __RULEGEN_PHISH_BLR6YY
0.006 0.286 0.022 __RULEGEN_PHISH_0ATBRI
0.008 0.334 0.023 __RULEGEN_PHISH_L3I0Z5
0.002 0.300 0.006
On 01/09/2015 01:23 AM, Adam Katz wrote:
Ran these against my corpus. Here are the worst performers (lots in
common with RW's complaints):
*SPAM% HAM%S/O NAME*
0.013 0.153 0.080 __RULEGEN_PHISH_BLR6YY
0.006 0.286 0.022 __RULEGEN_PHISH_0ATBRI
0.008 0.334 0.023
On Sat, 20 Dec 2014 12:35:04 +0100
Axb wrote:
On 12/18/2014 06:27 PM, RW wrote:
Unless there's a bug, the fact that those disclaimer phrases got
through suggests that these rules are either intended to be very
much more aggressive than the SOUGHT rules, or the ham corpus
isn't good
On 12/18/2014 06:27 PM, RW wrote:
On Tue, 16 Dec 2014 13:10:05 +0100
Axb wrote:
https://sourceforge.net/projects/sare/files/
replaces any older version.
leech while it lasts
adjust scores if needed..
There are some rules that shouldn't be there. (I only tested a few that
looked the
On Tue, 16 Dec 2014 13:10:05 +0100
Axb wrote:
https://sourceforge.net/projects/sare/files/
replaces any older version.
leech while it lasts
adjust scores if needed..
There are some rules that shouldn't be there. (I only tested a few that
looked the most dubious)
The first is a
On Thu, 18 Dec 2014, RW wrote:
Unless there's a bug, the fact that those disclaimer phrases got through
suggests that these rules are either intended to be very much more
aggressive than the SOUGHT rules, or the ham corpus isn't good enough.
Probably the latter.
--
John Hardin KA7OHZ
On 2014.12.16 07.10, Axb wrote:
https://sourceforge.net/projects/sare/files/
thanks for this. it's particularly timely for us, as we've just
recently been pretty badly phished.
is there a method which can be used to measure/report on the efficacy of
these particular rules?
-ben
On 12/17/2014 04:08 PM, btb wrote:
On 2014.12.16 07.10, Axb wrote:
https://sourceforge.net/projects/sare/files/
thanks for this. it's particularly timely for us, as we've just
recently been pretty badly phished.
is there a method which can be used to measure/report on the efficacy of
these
On Wed, 10 Sep 2014, Philip Prindeville wrote:
I ask because I’m trying to address this comment:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060#c10
This might be better on the dev list.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
On 2014-08-23 11:59, Jeff wrote:
I recently started getting hammered by spam and nearly all of the spam
emails have one thing in common. The return-path header contains the
email address that the spam is being sent to.
Below is a sample header:
...
Return-Path:
On Sat, 2014-08-23 at 14:59 -0400, Jeff wrote:
I recently started getting hammered by spam and nearly all of the spam
emails have one thing in common. The return-path header contains the
email address that the spam is being sent to.
Below is a sample header:
...
Return-Path:
On Mon, Aug 11, 2014 at 5:46 PM, Karsten Bräckelmann guent...@rudersport.de
wrote:
On Mon, 2014-08-11 at 15:48 -0400, Karl Johnson wrote:
Is there any rule to score an email with only 1 URL and very few text?
It could trigger only text formatted email because they usually aren't
in HTML.
On Tue, 2014-08-12 at 11:42 -0400, Karl Johnson wrote:
Thanks for the rule Karsten. I've already searched the archive to find
this kind of rule and found few topic but I haven't been able to make
it works yet. I will try this one and see how it goes.
Searching is much easier, if you know some
11.08.2014, 22:48, Karl Johnson kirjoitti:
Hello all,
I've recently installed Spamassassin (v3.3.1) + Amavis on a SMTP MTA
server which is only used for outgoing email. I had to install SA to
deal with compromised accounts that are used to send spam. It works
pretty good for now however spam
On Mon, 2014-08-11 at 15:48 -0400, Karl Johnson wrote:
Is there any rule to score an email with only 1 URL and very few text?
It could trigger only text formatted email because they usually aren't
in HTML.
Identify very short (raw)bodies.
rawbody __RB_GT_200 /^.{201}/s
meta
On Mon, 2014-08-11 at 22:57 +0300, Jari Fredriksson wrote:
* 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
* and suggests discarding the rest
This is a corner case. I got it tagged, but probably just because I
tested it later and URIBL has it now.
This particular spammer just re-did the format of their emails, probably to get
around the rules that we’re working on. Do they read the spamassassin-users
list? (I can tell it’s the same spammer, since the return address in Dundrum,
Ireland, is the same as some of the earlier ones, and the
On Aug 6, 2014, at 11:20 PM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:01 AM, Philip Prindeville wrote:
On Aug 6, 2014, at 1:23 PM, Paul Stead paul.st...@zeninternet.co.uk wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
uri_block_cidr will still defeat this, at least until he’s forced to switch
hosting providers.
On Aug 7, 2014, at 10:43 AM, Andy Balholm a...@balholm.com wrote:
This particular spammer just re-did the format of their emails, probably to
get around the rules that we’re working on. Do they
On 08/07/2014 06:55 PM, Philip Prindeville wrote:
On Aug 6, 2014, at 11:20 PM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:01 AM, Philip Prindeville wrote:
On Aug 6, 2014, at 1:23 PM, Paul Stead paul.st...@zeninternet.co.uk wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh
On Aug 7, 2014, at 11:00 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 06:55 PM, Philip Prindeville wrote:
On Aug 6, 2014, at 11:20 PM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:01 AM, Philip Prindeville wrote:
On Aug 6, 2014, at 1:23 PM, Paul Stead
-Original Message-
From: Philip Prindeville [mailto:philipp_s...@redfish-solutions.com]
Sent: 07 August 2014 06:01
To: Paul Stead
Cc: users@spamassassin.apache.org
Subject: Re: rule for repeated tracking numbers
On Aug 6, 2014, at 1:23 PM, Paul Stead paul.st...@zeninternet.co.uk
On 08/07/2014 07:06 PM, Philip Prindeville wrote:
On Aug 7, 2014, at 11:00 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 06:55 PM, Philip Prindeville wrote:
On Aug 6, 2014, at 11:20 PM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:01 AM, Philip Prindeville wrote:
On Aug 6, 2014,
On Aug 7, 2014, at 11:13 AM, emailitis.com i...@emailitis.com wrote:
-Original Message-
From: Philip Prindeville [mailto:philipp_s...@redfish-solutions.com]
Sent: 07 August 2014 06:01
To: Paul Stead
Cc: users@spamassassin.apache.org
Subject: Re: rule for repeated tracking numbers
On Aug 7, 2014, at 11:14 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:06 PM, Philip Prindeville wrote:
On Aug 7, 2014, at 11:00 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 06:55 PM, Philip Prindeville wrote:
On Aug 6, 2014, at 11:20 PM, Axb axb.li...@gmail.com wrote:
On
On Aug 7, 2014, at 10:28 AM, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
(1) putting that many domains on a single host is just begging for that host
to have a catastrophic failure (as opposed to putting that many domains on a
local (re)director which servers as a proxy, a
On Aug 7, 2014, at 11:28 AM, Philip Prindeville
philipp_s...@redfish-solutions.com wrote:
Okay, I thought you were saying that the posted configuration would block the
entire CIDR range. It won’t.
So they have a lot of VirtualHost definitions: a couple of comments on that.
(1)
On 08/07/2014 07:28 PM, Philip Prindeville wrote:
On Aug 7, 2014, at 11:14 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 07:06 PM, Philip Prindeville wrote:
On Aug 7, 2014, at 11:00 AM, Axb axb.li...@gmail.com wrote:
On 08/07/2014 06:55 PM, Philip Prindeville wrote:
On Aug 6, 2014,
I've been having a play with the two rules mentioned, this seems to work
for me:
header __LOC_DIGITS_FROM From:name =~ /\.\d{7,8}$/
body __LOC_DIGITS_CONFUSER / (\d){7,8} .{1,250} ([0-9a-f]{32})
.{1,250}[\g1|\g2].{1,250}[\g1|\g2]/
Joining these together in a meta rule seems to be picking up
--On Wednesday, August 06, 2014 4:37 PM +0100 Paul Stead
paul.st...@zeninternet.co.uk wrote:
I've been having a play with the two rules mentioned, this seems to work
for me:
header __LOC_DIGITS_FROM From:name =~ /\.\d{7,8}$/
body __LOC_DIGITS_CONFUSER / (\d){7,8} .{1,250} ([0-9a-f]{32})
06/08/14 16:28, Quanah Gibson-Mount wrote:
Would you be willing to share your full finalized ruleset? This spam is really
obnoxious.
Sure...
A little adjustment as I noticed the brackets around the first number match was
wrong:
header __LOC_DIGITS_FROM From:name =~ /\.\d{7,8}$/
body
I must put a disclaimer that this is possibly not the most efficient regex in
the world either - though I'm not sure what else could be done to refine it so
it still matches in the way we want. 250 character limit should help though?
Paul
On 06/08/14 18:32, Paul Stead wrote:
06/08/14 16:28,
--On Wednesday, August 06, 2014 7:32 PM +0100 Paul Stead
paul.st...@zeninternet.co.uk wrote:
06/08/14 16:28, Quanah Gibson-Mount wrote:
Would you be willing to share your full finalized ruleset? This spam is
really obnoxious.
Sure...
A little adjustment as I noticed the brackets around
On Wed, Aug 6, 2014 at 1:32 PM, Paul Stead paul.st...@zeninternet.co.uk
wrote:
06/08/14 16:28, Quanah Gibson-Mount wrote:
Would you be willing to share your full finalized ruleset? This spam is
really obnoxious.
Sure...
A little adjustment as I noticed the brackets around the first
On 8/6/2014 2:39 PM, Alex wrote:
On Wed, Aug 6, 2014 at 1:32 PM, Paul Stead
paul.st...@zeninternet.co.uk mailto:paul.st...@zeninternet.co.uk
wrote:
06/08/14 16:28, Quanah Gibson-Mount wrote:
Would you be willing to share your full finalized ruleset? This
spam is really
On 06/08/14 19:39, Alex wrote:
body __LOC_DIGITS_CONFUSER / (\d{7,8}) .{1,250} ([0-9a-f]{32})
.{1,250}[\g1|\g2] .{1,250}[\g1|\g2]/
This doesn't pass lint:
Oops! copy/pasta fail to the max - I noticed this didn't work previously
- the following is correct
body __LOC_DIGITS_CONFUSER /
On 06/08/14 19:50, Paul Stead wrote:
body __LOC_DIGITS_CONFUSER / (\d{7,8}) .{1,250} ([0-9a-f]{32})
.{1,250}[\g1].{1,250}\g2/
Hmmm.. line breakage... \s instead of spaces?
body __LOC_DIGITS_CONFUSER
/\s(\d{7,8})\s.{1,250}\s([0-9a-f]{32})\s.{1,250}\g1.{1,250}\g2/
Note that \g denotes a
On Tue, 5 Aug 2014, Andy Balholm wrote:
On Aug 5, 2014, at 11:16 AM, John Hardin jhar...@impsec.org wrote:
It can hit on embedded phone numbers, which are, strictly speaking, valid
hexadecimal strings...
I suspect it's hitting on all those dates as well, and needs some more
tightening.
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
http://pastebin.com/DYx1ap31
:)
--
Paul Stead
Systems Engineer
Zen Internet
On 08/06/2014 09:23 PM, Paul Stead wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
http://pastebin.com/DYx1ap31
a simple URI rule gets rid of this type without headbanging RE
On 08/06/2014 09:23 PM, Paul Stead wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
http://pastebin.com/DYx1ap31
btw.. you munged rcpt, but the spammer confirmed or listwashed you using
Assuming I didn't change those too :)
Guess what the MD5 of redac...@example.commailto:redac...@example.com is?
On 06/08/14 21:03, Axb wrote:
btw.. you munged rcpt, but the spammer confirmed or listwashed you using the
unmunged Msg-ID and the num code in the From: (which is also a nice trait)
On 08/06/2014 10:17 PM, Paul Stead wrote:
Assuming I didn't change those too :)
Guess what the MD5 of redac...@example.commailto:redac...@example.com is?
On 06/08/14 21:03, Axb wrote:
btw.. you munged rcpt, but the spammer confirmed or listwashed you using
the unmunged Msg-ID and the num code
On Aug 6, 2014, at 12:00 PM, John Hardin jhar...@impsec.org wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/DWiTYmPN is my complete collection of 24 spams with this
pattern received this week. Collect them all!
On 06/08/14 21:03, Axb wrote:
the unmunged Msg-ID and the num code in the From: (which is also a nice trait)
.-)
How would you test for such a trait? Where the same num code appears throughout
the email in specific places? I guess this is plugin territory?
--
Paul Stead
Systems Engineer
Zen
On 08/06/2014 10:34 PM, Paul Stead wrote:
On 06/08/14 21:03, Axb wrote:
the unmunged Msg-ID and the num code in the From: (which is also a nice
trait) .-)
How would you test for such a trait? Where the same num code appears
throughout the email in specific places? I guess this is plugin
On 08/06/2014 10:32 PM, Andy Balholm wrote:
On Aug 6, 2014, at 12:00 PM, John Hardin jhar...@impsec.org wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/DWiTYmPN is my complete collection of 24 spams with this
pattern received this week. Collect them all!
You're
On Aug 6, 2014, at 2:00 PM, Axb axb.li...@gmail.com wrote:
Suggest you use a local DNS resolver instead of some third party which is
getting in your way.
Good idea. I installed unbound, and configured it to not use Google’s
nameservers (which were the ones that were blocked). Now uribl
On Wed, 6 Aug 2014, Paul Stead wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http: //pastebin.com/yHiT2s3t
http: //pastebin.com/DpxpJhtA
http: //pastebin.com/DYx1ap31
:)
Thanks.
They've substantially reduced the number of repetitions since
On Aug 6, 2014, at 1:23 PM, Paul Stead paul.st...@zeninternet.co.uk wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
http://pastebin.com/DYx1ap31
:)
Uh… the hostname in all of these
On 08/07/2014 07:01 AM, Philip Prindeville wrote:
On Aug 6, 2014, at 1:23 PM, Paul Stead paul.st...@zeninternet.co.uk wrote:
On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?
http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
On 8/5/2014 1:08 PM, Andy Balholm wrote:
The last few days, I’ve been getting a lot of spams that have a similar
pattern. They are plain-text messages, and each one ends with a paragraph from
a restaurant review (apparently to confuse bayesian filters), with some numbers
inserted. There is an
On Tue, 5 Aug 2014, Andy Balholm wrote:
The last few days, I’ve been getting a lot of spams that have a similar
pattern. They are plain-text messages, and each one ends with a paragraph from
a restaurant review (apparently to confuse bayesian filters), with some numbers
inserted. There is an
On Aug 5, 2014, at 10:31 AM, John Hardin jhar...@impsec.org wrote:
There's already a rule for this sort of thing in the sandbox.
http://ruleqa.spamassassin.org/20140804-r1615505-n/HEXHASH_WORD/detail
How do I find the actual rule that the page is about?
On Tue, 5 Aug 2014, Andy Balholm wrote:
On Aug 5, 2014, at 10:31 AM, John Hardin jhar...@impsec.org wrote:
There's already a rule for this sort of thing in the sandbox.
http://ruleqa.spamassassin.org/20140804-r1615505-n/HEXHASH_WORD/detail
How do I find the actual rule that the page is
On Aug 5, 2014, at 10:48 AM, John Hardin jhar...@impsec.org wrote:
Unfortunately the masscheck pages' links to SVN got broken in the recent
rebuild.
That rule lives here:
https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?view=log
It should be
On Tue, 5 Aug 2014, Andy Balholm wrote:
On Aug 5, 2014, at 10:48 AM, John Hardin jhar...@impsec.org wrote:
Unfortunately the masscheck pages' links to SVN got broken in the recent
rebuild.
That rule lives here:
On Aug 5, 2014, at 11:16 AM, John Hardin jhar...@impsec.org wrote:
It can hit on embedded phone numbers, which are, strictly speaking, valid
hexadecimal strings...
I suspect it's hitting on all those dates as well, and needs some more
tightening.
In the spams I’m looking at, all the hex
On 8/5/2014 1:48 PM, John Hardin wrote:
On Tue, 5 Aug 2014, Andy Balholm wrote:
On Aug 5, 2014, at 10:31 AM, John Hardin jhar...@impsec.org wrote:
There's already a rule for this sort of thing in the sandbox.
http://ruleqa.spamassassin.org/20140804-r1615505-n/HEXHASH_WORD/detail
How do I
On Tue, 5 Aug 2014, Kevin A. McGrail wrote:
On 8/5/2014 1:48 PM, John Hardin wrote:
On Tue, 5 Aug 2014, Andy Balholm wrote:
On Aug 5, 2014, at 10:31 AM, John Hardin jhar...@impsec.org wrote:
There's already a rule for this sort of thing in the sandbox.
On 5/28/2014 9:19 AM, Rejaine Monteiro wrote:
Hi
I need a rule to block spam contains
Subject or Body contains words 'or.*amento' or 'planilha' or 'urgente'
AND URI contains links to orcamento or panilha (php or pdf)
So, I doing this:
header __ORCAMENTO_H Subject =~
In fact, there was this error, even after fixing it still didn't work.
I believe that the problem was occurring because the message had a HMTL
attached and in turn had a link to the file. I decided to change and do
as follows:
header __ORCAMENTO_H Subject =~ /or.*amento|planilha|urgente/i
On 5/28/2014 11:14 AM, Martin Gregorie wrote:
On Wed, 2014-05-28 at 10:19 -0300, Rejaine Monteiro wrote:
So, I doing this:
header __ORCAMENTO_H Subject =~ /or.*amento|planilha|urgente/i
body __ORCAMENTO_B /or.*amento|planilha|urgente/i
uri __ORCAMENTO_U
On Wed, 28 May 2014, Rejaine Monteiro wrote:
So, I doing this:
header __ORCAMENTO_H Subject =~ /or.*amento|planilha|urgente/i
body __ORCAMENTO_B /or.*amento|planilha|urgente/i
...is redundant. The subject text is included in body rules.
--
John Hardin KA7OHZ
On 5/22/2014 9:04 AM, Tom Hendrikx wrote:
After checking the results of sa-update and doing some manual dns
queries, it seems that last rule updates were done more than a month
ago. This used to be an almost daily process, even when there were only
score changes due to masschecks.
Any specific
On 05/22/2014 03:36 PM, Kevin A. McGrail wrote:
On 5/22/2014 9:04 AM, Tom Hendrikx wrote:
After checking the results of sa-update and doing some manual dns
queries, it seems that last rule updates were done more than a month
ago. This used to be an almost daily process, even when there were
On Wed, 21 May 2014 08:42:21 -0300
M. Rodrigo Monteiro wrote:
Hi.
How to create a rule to tag e-mails from *@word.*.com.br?
This is what I tested:
header TEST From =~ /.*\@word\..*\.com\.br/i
Firstly using From:addr will just match the email address and not the
whole header
Secondly you
On Wed, 2014-05-21 at 08:42 -0300, M. Rodrigo Monteiro wrote:
How to create a rule to tag e-mails from *@word.*.com.br?
This is what I tested:
header TEST From =~ /.*\@word\..*\.com\.br/i
RW already pointed out important improvements. Besides that...
Your test rule does what you asked for.
On 1/16/2014 11:26 PM, Chip M. wrote:
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
customers.
One was from Marriott Rewards with
On 01/17/2014 04:17 PM, Kevin A. McGrail wrote:
On 1/16/2014 11:26 PM, Chip M. wrote:
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
On Fri, 17 Jan 2014, Axb wrote:
pillz with
List-Unsubscribe: mailto:unsubscribe-%rndhex:10-20%@%to_host%
Hrm. Botched spammer tokenizing.
I think that rule could be salvaged if you add a [^@\s]+% onto the end to
catch the closing % delimiter, which a valid % email address won't have...
On 01/16/2014 11:03 PM, Brian Bebeau wrote:
We're having a problem with the FH_RANDOM_SURE rule causing false positives.
It has a subrule __ALL_RANDOM, which is:
header __ALL_RANDOM ALL =~
/(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))/i
We have a user
On 1/16/2014 5:20 PM, Axb wrote:
On 01/16/2014 11:03 PM, Brian Bebeau wrote:
We're having a problem with the FH_RANDOM_SURE rule causing false
positives.
It has a subrule __ALL_RANDOM, which is:
header __ALL_RANDOM ALL =~
On 01/17/2014 12:16 AM, Kevin A. McGrail wrote:
On 1/16/2014 5:20 PM, Axb wrote:
On 01/16/2014 11:03 PM, Brian Bebeau wrote:
We're having a problem with the FH_RANDOM_SURE rule causing false
positives.
It has a subrule __ALL_RANDOM, which is:
header __ALL_RANDOM ALL =~
On 1/16/2014 6:20 PM, Axb wrote:
latest 72_scores.cf
score FH_RANDOM_SURE1.999 2.920 1.999 2.920
I'd say 0.5 pushes it very low. - can we agree on 1.5?
Is it hitting on anything in your corpora?
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
customers.
One was from Marriott Rewards with terse SA report:
score=0.9
Please keep mailing-list threads on-list. Do not reply personally.
On Sat, 2013-11-09 at 09:02 -0600, Sergio wrote:
Thank you for your kind answers.
Well, I am using cpanel with MailScanner and added this rule to my MCP
set of rules, that are the same as SpamAssassin, the score is because
On Fri, 8 Nov 2013 00:10:01 -0600
Sergio wrote:
Hi all,
I tried this rule to stop emails with an empty subject, but it didn't
work:
header SUBJECT_EMPTY SUBJECT =~ /^$/i
describe SUBJECT_EMPTY EMPTY SUBJECT
scoreSUBJECT_EMPTY 11
Any hint on what is wrong?
I pasted
On Fri, 2013-11-08 at 00:10 -0600, Sergio wrote:
I tried this rule to stop emails with an empty subject, but it didn't
work:
The rule is fine, though the score is a tiiiny bit excessive.
You'll have to elaborate on trying and doesn't work.
--
char
Kevin A. McGrail wrote
A rule that solely checks for a domain ending in a digit cannot have a
3.5 score. It's far too high.
I'm adding a score of 1.0 to the rulesrc which should add a ceiling of
1.0 to this for masschecks.
Kevin,
I fear this didn't really take hold, switched back or
On 7/15/2013 12:08 PM, Scott Witte wrote:
Kevin A. McGrail wrote
A rule that solely checks for a domain ending in a digit cannot have a
3.5 score. It's far too high.
I'm adding a score of 1.0 to the rulesrc which should add a ceiling of
1.0 to this for masschecks.
Kevin,
I fear this didn't
On 05/31/2013 05:51 PM, Andrew Talbot wrote:
Hey all -
I'm trying to set up a custom rule that scores HTML attachments.
The problem I'm running across is that using a rule like this one:
mimeheader HTML_ATTACH Content-Type =~ /^text\/html/i
Will flag all messages that come in as HTML (vs.
On Fri, 2013-05-31 at 11:51 -0400, Andrew Talbot wrote:
I'm trying to set up a custom rule that scores HTML attachments.
..snippage..
I found this :
header HTML_ATTACH_RULE_2 Content-Disposition =~
/^filename\=\[a-z]{2}\.html\/i
Don't anchor it to the start of the line, i.e. try this:
That didn't work :(
On Fri, May 31, 2013 at 12:40 PM, Martin Gregorie mar...@gregorie.orgwrote:
On Fri, 2013-05-31 at 11:51 -0400, Andrew Talbot wrote:
I'm trying to set up a custom rule that scores HTML attachments.
..snippage..
I found this :
header HTML_ATTACH_RULE_2
Didn't work with mime_header (or mimeheader) with either rule.
On Fri, May 31, 2013 at 12:23 PM, Axb axb.li...@gmail.com wrote:
On 05/31/2013 05:51 PM, Andrew Talbot wrote:
Hey all -
I'm trying to set up a custom rule that scores HTML attachments.
The problem I'm running across is that
On Fri, 31 May 2013 14:10:36 -0400
Andrew Talbot andrew.talbot.ownweb...@gmail.com wrote:
That didn't work :(
What didn't work? Oh... you top-posted.
Anyway... you might need a full rule, which can be expensive.
Something like:
full HTML_RULE
On Fri, 2013-05-31 at 14:10 -0400, Andrew Talbot wrote:
That didn't work :(
Can you post one or two examples of actual MIME attachment headers that
you're trying to get the rule to fire on?
Obvious question, but have you enabled the MIME header module?
I'm using MimeMagic and enabling it
That's what I was afraid of. We generally avoid those kinds of rules since
we are scanning millions of messages a day.
-Original Message-
From: David F. Skoll [mailto:d...@roaringpenguin.com]
Sent: Friday, May 31, 2013 2:22 PM
To: users@spamassassin.apache.org
Subject: Re: Rule
attached.
-Original Message-
From: Martin Gregorie [mailto:mar...@gregorie.org]
Sent: Friday, May 31, 2013 2:35 PM
To: users@spamassassin.apache.org
Subject: Re: Rule to scan for .html attachments?
On Fri, 2013-05-31 at 14:10 -0400, Andrew Talbot wrote:
That didn't work :(
Can you
On Fri, 31 May 2013 14:43:27 -0400
Andrew Talbot andrew.talbot.ownweb...@gmail.com wrote:
That's what I was afraid of. We generally avoid those kinds of rules
since we are scanning millions of messages a day.
Well, a few rules won't hurt. We peak at around 6 million messages/day,
though we
On Fri, 2013-05-31 at 14:45 -0400, Andrew Talbot wrote:
I need it to fire on any HTML attachment. The modules are enabled. I
can get it to pick up text/html, remember, but the problem is that it
detects messages sent as HTML when it's set up like that. It doesn't
detect plain-text messages,
@spamassassin.apache.org
Subject: Re: Rule to scan for .html attachments?
On Fri, 2013-05-31 at 14:10 -0400, Andrew Talbot wrote:
That didn't work :(
Can you post one or two examples of actual MIME attachment headers that
you're trying to get the rule to fire on?
Obvious question, but have you enabled the MIME header
On Fri, 2013-05-31 at 11:51 -0400, Andrew Talbot wrote:
header HTML_ATTACH_RULE_2
You will need a mimeheader [1] rule. A header rule matches the mail
headers only.
Content-Disposition =~ /^filename\=\[a-z]{2}\.html\/i
That is not matching an
201 - 300 of 928 matches
Mail list logo