config change for pyzor_path and dcc_path?

2006-05-18 Thread Andy Spiegl
After upgrading spamassassin 3.1.0a-2 -> 3.1.1-1  (Debian Packages)
I get the following lint errors:

 SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for 
"pyzor_path", skipping: pyzor_path /usr/bin/pyzor
 SpamAssassin failed to parse line, "/usr/bin/dccproc" is not valid for 
"dcc_path", skipping: dcc_path /usr/bin/dccproc

I've got these two lines in my local.cf:
 pyzor_path /usr/bin/pyzor
 dcc_path /usr/bin/dccproc

If that's not valid, what is?
I can't find anything about this in the docs.

Thanks,
 Andy.

-- 
 "security is an exercise in applied paranoia"   -- Unknown


RE: config change for pyzor_path and dcc_path?

2006-05-18 Thread Sietse van Zanen
Pyzor and DCC are separate tools, they are not included in SA.
 
Do you have them installed? If not, disable the lines in your config. Or 
install them.
 
DCC can be found at:
http://www.rhyolite.com/anti-spam/dcc/
 
Pyzor at:
http://pyzor.sourceforge.net
 
-Sietse



From: Andy Spiegl [mailto:[EMAIL PROTECTED]
Sent: Thu 18-May-06 9:53
To: users@spamassassin.apache.org
Subject: config change for pyzor_path and dcc_path?



After upgrading spamassassin 3.1.0a-2 -> 3.1.1-1  (Debian Packages)
I get the following lint errors:

 SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for 
"pyzor_path", skipping: pyzor_path /usr/bin/pyzor
 SpamAssassin failed to parse line, "/usr/bin/dccproc" is not valid for 
"dcc_path", skipping: dcc_path /usr/bin/dccproc

I've got these two lines in my local.cf:
 pyzor_path /usr/bin/pyzor
 dcc_path /usr/bin/dccproc

If that's not valid, what is?
I can't find anything about this in the docs.

Thanks,
 Andy.

--
 "security is an exercise in applied paranoia"   -- Unknown




Re: config change for pyzor_path and dcc_path?

2006-05-18 Thread Andy Spiegl
> Do you have them installed?
Ups, you are right.  They weren't installed on that machine.

Thanks,
 Andy.

-- 
 Politics: Poli=Many, Tics=Blood sucking parasites


RE: config change for pyzor_path and dcc_path?

2006-05-18 Thread Sietse van Zanen
> Thanks,
>  Andy.
>
> --
>  Politics: Poli=Many, Tics=Blood sucking parasites

.. That is a daring (but true) statement for somebody from Germ-many. 
:-p


RE: Re[2]: problem with using SARE rules, names longer than 22 chars

2006-05-18 Thread James E. Pratt
 

-Original Message-
From: Robert Menschel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 18, 2006 12:22 AM
To: James E. Pratt
Cc: users@spamassassin.apache.org
Subject: Re[2]: problem with using SARE rules, names longer than 22
chars

Hello James,

Wednesday, May 17, 2006, 6:09:51 AM, you wrote:

JEP> I had the same problem with sa 3.04

JEP> Anyhow, i solved it by changing the trusted ruleset entry
JEP> "SARE_HEADER_0" to "SARE_HEADER_X31" as advised on
rulesemporium.com,
JEP> and all works fine now.

Either you misread the web page, or we really weren't clear about
that.

If you use any of the HEADER rules at all, you should be using
HEADER0.  HEADER0 is designed to hit spam and only spam -- never hit
any ham (a single ham hit removes the rule from that file).

Header X31 contains those rules which have been incorporated into SA
3.1.x; if you're on 3.0, then you ALSO want header X31, but you should
not be removing Header0.

The invalid (overly long) rule name lint error has been fixed.

Bob Menschel





Thanks Bob - I didn't actually remove the ruleset file 0 itself, so I
understood that part ok - I just took it out of rules_du_jour config
file (because of the errors) - I'll add it back and try again now - (I'm
upgrading/replacing the relay with a new install of SA latest soon,
so)

Also,,, HUGE Thanks to all of you SARE Ninjas!! :)


Regards,
Jamie


A lot of these going around

2006-05-18 Thread David Baron
May 18 11:50:22 d_baron spamc[5797]: connect(AF_INET) to spamd at 127.0.0.1 
failed, retrying (#1 of 3): Connection refused

Seems harmless though annoying.
Fix?


Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel
URI based black lists have been extremely effective in identifying spam. 
I propose another kind of black list. A list of email addresses embedded 
in the message body as replies to nigerian type spam and other spam 
where you are instructed to reply to the email address in the message body.


One thing about all spam is that the spammer wants you to do something. 
And it's what the spammer wants you to do that is the key to identifying 
spam. Most spam wants you to click on a link. So the URI black lists 
work well because it catches the sites that spammers link to.


But - a lot of spam - like nigerian spam - wants you to reply to an 
email address in the message body in order to do what the spammer wants. 
So if there were a blacklist of email addresses that spammers use as the 
place to reply then that would cut into the remaining spam 
significantly. If we can block email based on a real time list of email 
addresses within the body a whole new class of spam can be blocked with 
very high accuracy.


Who likes this idea?



RE: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Dallas L. Engelken
> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 18, 2006 9:24 AM
> To: SpamAssassin Users
> Subject: Proposal: First URI black list, how about email 
> address black lists?
> 
> URI based black lists have been extremely effective in 
> identifying spam. 
> I propose another kind of black list. A list of email 
> addresses embedded in the message body as replies to nigerian 
> type spam and other spam where you are instructed to reply to 
> the email address in the message body.
> 
> One thing about all spam is that the spammer wants you to do 
> something. 
> And it's what the spammer wants you to do that is the key to 
> identifying spam. Most spam wants you to click on a link. So 
> the URI black lists work well because it catches the sites 
> that spammers link to.
> 
> But - a lot of spam - like nigerian spam - wants you to reply 
> to an email address in the message body in order to do what 
> the spammer wants. 
> So if there were a blacklist of email addresses that spammers 
> use as the place to reply then that would cut into the 
> remaining spam significantly. If we can block email based on 
> a real time list of email addresses within the body a whole 
> new class of spam can be blocked with very high accuracy.
> 
> Who likes this idea?
> 

This has been discussed many times, even on this list.  I'd recommend
searching the archives and reading the thread on it first.  The only
problem I have with it is that it would be very manual, and address
rotation per msg would be very easy to defeat this.

Dallas


Re: Filtering windows-1252 charset

2006-05-18 Thread Philip Prindeville
Jonathan Armitage wrote:

>I see some spam with "windows-1252" or other unwanted character sets at 
>the start of the subject. I reject them via an Exim ACL, so SA doesn't 
>even have to scan them.
>  
>

Which brings up the subject...  How legitimate is email sent as
windows-1252?

I see absolutely no reason to send it, since it offers no advantage over
iso-8859-1
or utf-8, and the RFC's are pretty clear about using the "smallest"
encoding that
will fit a message, i.e. usascii => iso-8859-1 => utf-8 (in that order).

Further, if you're in the Unix world (or more broadly, not in the
Windows world),
why would you want to use vendor-specific encodings for no reason other than
they're the broken defaults Microsoft chose to use?

-Philip



Re: Delete spam or move to a folder?

2006-05-18 Thread Steven Dickenson
> Couldn't find a thread like this hence this new one. Just wondering
> what strategy people are using when it comes to dealing with email
> that gets enough points to be considered as spam. Eg. being deleted
> and quarantined, or delivered and quarantined etc.
>
> I'm using store and deliver - is that the general concept out there
> with everyone?


At work we reject any mail tagged as spam (5 points +) during the  
SMTP session.  This has the benefit of sending notification to the  
true sender rather than having my server try to deliver an NDR after  
the fact.  I haven't had a report of a false positive from any of my  
users in the last year.  Still get some false negatives (mostly  
419'er stuff), but overall my users are happy.  This set up obviously  
won't work for all organizations, but as a school we find our user  
base and email content to be rather homogenous.


At home, since I'm using fetchmail, I sort all mail tagged as spam  
into a subfolder of each user's Maildir.


Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
http://www.mrchuckles.net




Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel

Dallas L. Engelken wrote:
> The only
> problem I have with it is that it would be very manual, and address
> rotation per msg would be very easy to defeat this.
>
> Dallas

Even if they used a lot of email addresses in the body they would all 
have to be good addresses that got the response back to the sender. So 
there would be a lot of spam for each one. This information could be 
used by YAHOO and GOOGLE and others to shut down spammers accounts.




Re: Delete spam or move to a folder?

2006-05-18 Thread Marc Perkel



Steven Dickenson wrote:
> Couldn't find a thread like this hence this new one. Just wondering
> what strategy people are using when it comes to dealing with email
> that gets enough points to be considered as spam. Eg. being deleted
> and quarantined, or delivered and quarantined etc.
>
> I'm using store and deliver - is that the general concept out there
> with everyone?

I have 4 different things I do with spam depending on the spam.

If the spam scores from 5-15 points I add a header tag and pass it on. 
If the user is on my system and has a folder named spam-low I deliver it 
there.


If the spam scores 15-30 points I generate a bounce message and 
blackhole the spam. If the user has a spam-high folder they get a copy 
in there.


If the score is over 30 points I blackhole the spam, no bounce message. 
If the user has a spam-veryhigh folder they get a copy there.


If I can ID the spam at SMTP time I just DENY it and the user never sees it.



Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread jdow

From: "Marc Perkel" <[EMAIL PROTECTED]>

> URI based black lists have been extremely effective in identifying spam.
> I propose another kind of black list. A list of email addresses embedded
> in the message body as replies to nigerian type spam and other spam
> where you are instructed to reply to the email address in the message body.
>
> One thing about all spam is that the spammer wants you to do something.
> And it's what the spammer wants you to do that is the key to identifying
> spam. Most spam wants you to click on a link. So the URI black lists
> work well because it catches the sites that spammers link to.
>
> But - a lot of spam - like nigerian spam - wants you to reply to an
> email address in the message body in order to do what the spammer wants.
> So if there were a blacklist of email addresses that spammers use as the
> place to reply then that would cut into the remaining spam
> significantly. If we can block email based on a real time list of email
> addresses within the body a whole new class of spam can be blocked with
> very high accuracy.


Well, Blue had something of an idea. It was simply carried too far.

As you observe every spam email contains at least one URL that is
important. It should be possible to cull the one URLs that are
important to the spammer from a list of other URLs. (A list of known
good sites would help this.) Then you use a tool that mimics browser
behavior to connect to each of these sites. If the spammer gets
paid by detected traffic on the actual advertisers web site then
this will generate a lot of spurious income for the spammer and
"detected fraud". This should pretty much cut off the spammer's
income source, except for the vertical market spammers like Leo.

Instead of freezing them out pull Google Click Fraud on them.

{^_^}


Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread jdow

From: "Dallas L. Engelken" <[EMAIL PROTECTED]>

> > -Original Message-
> > From: Marc Perkel [mailto:[EMAIL PROTECTED]
> >
> > URI based black lists have been extremely effective in
> > identifying spam.
> > I propose another kind of black list. A list of email
> > addresses embedded in the message body as replies to nigerian
> > type spam and other spam where you are instructed to reply to
> > the email address in the message body.
> >
> > One thing about all spam is that the spammer wants you to do
> > something.
> > And it's what the spammer wants you to do that is the key to
> > identifying spam. Most spam wants you to click on a link. So
> > the URI black lists work well because it catches the sites
> > that spammers link to.
> >
> > But - a lot of spam - like nigerian spam - wants you to reply
> > to an email address in the message body in order to do what
> > the spammer wants.
> > So if there were a blacklist of email addresses that spammers
> > use as the place to reply then that would cut into the
> > remaining spam significantly. If we can block email based on
> > a real time list of email addresses within the body a whole
> > new class of spam can be blocked with very high accuracy.
> >
> > Who likes this idea?
>
> This has been discussed many times, even on this list.  I'd recommend
> searching the archives and reading the thread on it first.  The only
> problem I have with it is that it would be very manual, and address
> rotation per msg would be very easy to defeat this.
>
> Dallas
<> Directly answering his question - it is not infrequent these
days for the "answer" site to be part of a botnet, I understand. So a
blacklist would have to be bigevil.cf in size and then some.

It'd be easier to simply click fraud the sites until the vendors who
commission the spam catch on and turn off the money up front.
{^_^}


Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
> > problem I have with it is that it would be very manual, and address
> > rotation per msg would be very easy to defeat this.

I'm in favor of this because, despite what Dallas said,

(1) Many who are really serious about quality filtering could get much use out 
of this before it even "hits the radar". It might take years for such a list to 
be used by enough ISPs and spam filter providers for this to attract attention. 
For one, this wouldn't be something for which you could take a standard mail 
software package and type in a server address (as can be done for RBL-based 
blocking)... this has to be custom programed and implemented.

(2) If the spammer resorted to use setting up multiple free e-mail accounts, at 
least that is more work for the spammer... this also increases the chance that 
they'd just prefer to be blocked by 20% of the spam filters on that one e-mail 
address and just pursue the 80% that isn't catching them with that one account 
rather than setting up multiple accounts.

(3) For those who did set up multiple accounts... couldn't this potentially 
trigger "red flags" which might provide an additional tool for the free mail 
providers to catch these guys early in the process and wouldn't they be all 
the more frustrated if/when we started quickly listing ALL of their multiple 
accounts.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Why Different?

2006-05-18 Thread Benjamin Adams
My client messages at a different score than on the server

On my client:
X-Spam-Status: No, hits=4.984 tagged_above=-999 required=5 tests=DIET_1,
 HTML_40_50, HTML_MESSAGE, UNPARSEABLE_RELAY, UPPERCASE_25_50

On The server:
spamassassin -t < 4391.

Content analysis details:   (14.6 points, 5.0 required)

 pts rule name              description
 -- --
 0.5 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
 3.5 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [222.52.10.129 listed in combined.njabl.org]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: aboummile.com]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: aboummile.com]
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase

local.cf
bayes_auto_learn        1
bayes_file_mode         0777
bayes_path              /var/mail/spamassassin/bayes
bayes_auto_expire       1
# Safe Reporting
report_safe             1
use_dcc                 0
dcc_timeout             10
use_razor2              0
use_pyzor               1
rewrite_header Subject SPAM
# Rewrite the Subject
skip_rbl_checks         0
# Use Bayesian Filtering
use_bayes               1
use_bayes_rules         1
bayes_learn_during_report 1
# OK locals
ok_locales en

I give it a config location with spamd

I'm trying to figure out why the server would display something different than the messages coming in.

Any ideas?
-Ben

Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
jdow said:
>It'd be easier to simply click fraud the sites until the vendors who
>commission the spam catch on and turn off the money up front.

I think you've misunderstood Marc's proposal. He is talking about identity 
theft schemes via Nigeria "419" scams where there is only an e-mail address in 
the body of the message.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel



jdow wrote:
> From: "Dallas L. Engelken" <[EMAIL PROTECTED]>
>
> > Dallas
> <> Directly answering his question - it is not infrequent these
> days for the "answer" site to be part of a botnet, I understand. So a
> blacklist would have to be bigevil.cf in size and then some.
>
> It'd be easier to simply click fraud the sites until the vendors who
> commission the spam catch on and turn off the money up front.
> {^_^}



OK - you guys are missing part of the idea. The idea is that there is 
some central database that is maintained for lookups sort of like razor 
and pyzor or spamcop, or the URI lists, etc. and you make a call to the 
central database to see if the email address in question is listed in 
it. If it is, then you have a spammer.




Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Marc Perkel






Rob McEwen (PowerView Systems) wrote:
> > problem I have with it is that it would be very manual, and address
> > rotation per msg would be very easy to defeat this.
>
> I'm in favor of this because, despite what Dallas said,
>
> (1) Many who are really serious about quality filtering could get much use out
> of this before it even "hits the radar". It might take years for such a list to
> be used by enough ISPs and spam filter providers for this to attract attention.
> For one, this wouldn't be something for which you could take a standard mail
> software package and type in a server address (as can be done for RBL-based
> blocking)... this has to be custom programed and implemented.
>
> (2) If the spammer resorted to use setting up multiple free e-mail accounts, at
> least that is more work for the spammer... this also increases the chance that
> they'd just prefer to be blocked by 20% of the spam filters on that one e-mail
> address and just pursue the 80% that isn't catching them with that one account
> rather than setting up multiple accounts.
>
> (3) For those who did set up multiple accounts... couldn't this potentially
> trigger "red flags" which might provide an additional tool for the free mail
> providers to catch these guys early in the process and wouldn't they be all
> the more frustrated if/when we started quickly listing ALL of their multiple
> accounts.
>
> Rob McEwen
> PowerView Systems
> [EMAIL PROTECTED]

I'm not sure it would take years. If someone created a centralized
database and SA had a rule to talk to it then it would be just part of
SA and ISPs would automatically adopt it as part of the standard SA
package.



  

  





Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel






Rob McEwen (PowerView Systems) wrote:
> jdow said:
> > It'd be easier to simply click fraud the sites until the vendors who
> > commission the spam catch on and turn off the money up front.
>
> I think you've misunderstood Marc's proposal. He is talking about identity
> theft schemes via Nigeria "419" scams where there is only an e-mail address in
> the body of the message.


  

Yes Rob, that's exactly it. Just like the URIBL catches spam that links
to spam sites the email address would catch email addresses used as the
reply address to 419 scams. That would leave only the stock market
scams as yet to be solved. :)





RE: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Dallas L. Engelken
> -Original Message-
> From: Dallas L. Engelken [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 18, 2006 9:34 AM
> To: SpamAssassin Users
> Subject: RE: Proposal: First URI black list, how about email 
> address black lists?
> 
> > -Original Message-
> > From: Marc Perkel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 18, 2006 9:24 AM
> > To: SpamAssassin Users
> > Subject: Proposal: First URI black list, how about email 
> address black 
> > lists?
> > 
> > URI based black lists have been extremely effective in identifying 
> > spam.
> > I propose another kind of black list. A list of email addresses 
> > embedded in the message body as replies to nigerian type spam and 
> > other spam where you are instructed to reply to the email 
> address in 
> > the message body.
> > 
> > One thing about all spam is that the spammer wants you to do 
> > something.
> > And it's what the spammer wants you to do that is the key to 
> > identifying spam. Most spam wants you to click on a link. 
> So the URI 
> > black lists work well because it catches the sites that 
> spammers link 
> > to.
> > 
> > But - a lot of spam - like nigerian spam - wants you to reply to an 
> > email address in the message body in order to do what the spammer 
> > wants.
> > So if there were a blacklist of email addresses that 
> spammers use as 
> > the place to reply then that would cut into the remaining spam 
> > significantly. If we can block email based on a real time list of 
> > email addresses within the body a whole new class of spam can be 
> > blocked with very high accuracy.
> > 
> > Who likes this idea?
> > 
> 
> This has been discussed many times, even on this list.  I'd 
> recommend searching the archives and reading the thread on it 
> first.  The only problem I have with it is that it would be 
> very manual, and address rotation per msg would be very easy 
> to defeat this.
> 

Well, the only thread on sa-users I found about this was from Dec 2005.
http://www.nabble.com/A-thought-about-phone-numbers-and-URIBLs-t716464.html

We had a thread on uribl staff list about this last July which we
cross-posted to sare where loren brought up some good points.   After a
good discussion on it, it dropped off the radar as something that would
take too much time and have very little impact.

If anyone plans to move forward with this, I'd be willing to share our
threads on it.

Dallas


Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread qqqq
I agree this is a great idea.  If Dallas and Chris don't desire to host the 
infrastructure for
something like this, I can help out in terms of a Master or slave server.





RE: Filtering windows-1252 charset

2006-05-18 Thread Bret Miller
> Which brings up the subject...  How legitimate is email sent as
> windows-1252?
>
> I see absolutely no reason to send it, since it offers no
> advantage over
> iso-8859-1
> or utf-8, and the RFC's are pretty clear about using the "smallest"
> encoding that
> will fit a message, i.e. usascii => iso-8859-1 => utf-8 (in
> that order).
>
> Further, if you're in the Unix world (or more broadly, not in the
> Windows world),
> why would you want to use vendor-specific encodings for no
> reason other than
> they're the broken defaults Microsoft chose to use?

I don't think sending a specific character set is a choice most users make. I
have 84 messages in my inbox with windows-1252 character set. A lot of
those are personal messages sent by friends that are clueless as far as
their computers are concerned. So, unless you can get Microsoft to
configure their clients so they don't send that character set by
default, or unless you don't have any friends with Windows, you might
research it a bit more before you block.

Bret





Re: Filtering windows-1252 charset

2006-05-18 Thread Craig McLean
Philip Prindeville wrote:
> Jonathan Armitage wrote:
> 
>> I see some spam with "windows-1252" or other unwanted character sets at 
>> the start of the subject. I reject them via an Exim ACL, so SA doesn't 
>> even have to scan them.
>>  
>>
> 
> Which brings up the subject...  How legitimate is email sent as
> windows-1252?

I have a bunch of stuff from paypal and ebay, and much more, which
include this charset.
I'm not attempting to answer the philosophical question, just the
statistical one.

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Why Different?

2006-05-18 Thread Ninja Dude

Benjamin Adams wrote:
> On my client:
> X-Spam-Status:  No, hits=4.984 tagged_above=-999 required=5 tests=DIET_1,
> HTML_40_50, HTML_MESSAGE, UNPARSEABLE_RELAY, UPPERCASE_25_50

...

> On The server:

...

> 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
> [score: 1.]
> 1.9 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP
> [222.52.10.129 listed in combined.njabl.org]
> 1.6 URIBL_SBL  Contains an URL listed in the SBL blocklist
> [URIs: aboummile.com]
> 3.0 URIBL_BLACK  Contains an URL listed in the URIBL blacklist
> [URIs: aboummile.com]


As a guess, I'd say that your client (do you mean your actual mail 
client, or do you mean something that adds this header as the message 
arrives?) isn't running Bayes or network tests, but your server is.


If you're running SA through amavisd-new, check the config there and 
make sure it's not set to run only local tests.  That should bring in 
3.5 points from RCVD_IN_NJABL_DUL and URIBL_SBL.


Also, see if Amavisd-new has problems with rules added from sa-update. 
I'm not familiar with Amavisd, but MIMEDefang had to add support for 
those rules.  IIRC, URIBL_BLACK isn't in the base distribution yet, but 
is in the sa-update set.
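
The comparison suggested in the reply above, as an added example that is not part of the original thread or of SpamAssassin: it diffs the rule names in the client's X-Spam-Status header against the server's report and groups the rules only the server fired. Grouping rules by name prefix, and all function names, are assumptions made for this example.

```python
import re

# Sample input constructed from the two reports quoted in this thread.
CLIENT_HEADER = (
    "X-Spam-Status: No, hits=4.984 tagged_above=-999 required=5 tests=DIET_1,\n"
    " HTML_40_50, HTML_MESSAGE, UNPARSEABLE_RELAY, UPPERCASE_25_50"
)
SERVER_REPORT = """\
 0.5 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
 3.5 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [222.52.10.129 listed in combined.njabl.org]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: aboummile.com]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: aboummile.com]
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
"""

# Assumption for this example: a rule's family is recognised by its name prefix.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_FROM_", "RAZOR2_", "PYZOR_", "DCC_")


def header_tests(header):
    """Return the rule names listed after tests= in an X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = re.search(r"\btests=([A-Z0-9_,\s]+)", unfolded)
    if not m:  # e.g. tests=none
        return set()
    return set(re.findall(r"[A-Z][A-Z0-9_]*", m.group(1)))


def report_scores(report):
    """Return {rule: score} from the rows of a 'Content analysis details' table."""
    scores = {}
    for line in report.splitlines():
        # Rows start with a score and a rule name; "[...]" detail lines do not.
        m = re.match(r"\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s", line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores


def family(rule):
    """Classify a rule as bayes, network or local by its name prefix."""
    if rule.startswith("BAYES_"):
        return "bayes"
    if rule.startswith(NETWORK_PREFIXES):
        return "network"
    return "local"


def compare(header, report):
    """Show which rules fired on only one side, grouped by family."""
    client = header_tests(header)
    server = report_scores(report)
    server_only = {"bayes": {}, "network": {}, "local": {}}
    for rule, score in server.items():
        if rule not in client:
            server_only[family(rule)][rule] = score
    points = sum(s for group in server_only.values() for s in group.values())
    return {
        "client_only": sorted(client - set(server)),
        "server_only": server_only,
        "server_only_points": round(points, 1),
    }


if __name__ == "__main__":
    result = compare(CLIENT_HEADER, SERVER_REPORT)
    print("fired only on the client:", result["client_only"])
    for name, rules in result["server_only"].items():
        print(f"fired only on the server ({name}):", rules)
    print("points from server-only rules:", result["server_only_points"])
```

An empty "local" group alongside populated "bayes" and "network" groups points at the scanning path skipping Bayes and network tests rather than at a rule-file difference.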


RE: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Chris Santerre
> -Original Message-
> From: Marc Perkel [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 18, 2006 11:09 AM
> To: jdow
> Cc: users@spamassassin.apache.org
> Subject: Re: Proposal: First URI black list, how about email address
> black lists?
> 
> 
> 
> 
> jdow wrote:
> > From: "Dallas L. Engelken" <[EMAIL PROTECTED]>
> >
> > Dallas
> > <> Directly answering his question - it is not 
> infrequent these
> > days for the "answer" site to be part of a botnet, I 
> understand. So a
> > blacklist would have to be bigevil.cf in size and then some.
> >
> > It'd be easier to simply click fraud the sites until the vendors who
> > commission the spam catch on and turn off the money up front.
> > {^_^}
> >
> 
> OK - you guys are missing part of the idea. The idea is that there is 
> some central database that is maintained for lookups sort of 
> like razor 
> and pyzor or spamcop, or the URI lists, etc. and you make a 
> call to the 
> central database to see if the email address in question is listed in 
> it. If it is, then you have a spammer.


We have a hard enough time with tons of new domains in URIBL. Those cost money and IMHO a bit more steps to go thru to setup than an email address. I can't imagine trying to keep up with it. They would expire within hours. 

It's a good thought, and like Dallas has said, it's been talked about. But sooo much work. 


Also LOL @ jdow. "bigevil" is now an adjective ;) 


--Chris





LOCAL_RCVD

2006-05-18 Thread Shelley Waltz
Spamassassin 2.63-1/amavisd-new-20030616-p8

I am trying to configure spamassassin such that any email originating
from my domain is not spam tagged.  I have tried in local.cf

both these syntaxes.

header LOCAL_RCVD Received =~ /.*\(\S+\.myhost\.mydom\.edu\s+\[.*\]\)/
header LOCAL_RCVD Received =~ /\S+\.myhost\.mydom\.edu\s+\(.*\[.*\]\)/


In each case only one rule will work for one particular received from
header.  I have these two styles(one from mozilla, and one from webmail)

Received: from [192.168.1.10] (myhost.mydom.edu [192.168.1.10])

Received: from webmail.mydom.edu (localhost.localdomain [127.0.0.1])

Is there a rule which will work for both, or is there a simpler way to
achieve this result, ie, to not filter locally originating mail?




Shelley Waltz



Re: LOCAL_RCVD

2006-05-18 Thread Justin Mason

Shelley Waltz writes:
> Spamassassin 2.63-1/amavisd-new-20030616-p8
> 
> I am trying to configure spamassassin such that any email originating
> from my domain is not spam tagged.  I have tried in local.cf
> 
> both these syntaxes.
> 
> header LOCAL_RCVD Received =~ /.*\(\S+\.myhost\.mydom\.edu\s+\[.*\]\)/
> header LOCAL_RCVD Received =~ /\S+\.myhost\.mydom\.edu\s+\(.*\[.*\]\)/
> 
> 
> In each case only one rule will work for one particular received from
> header.  I have these two styles(one from mozilla, and one from webmail)
> 
> Received: from [192.168.1.10] (myhost.mydom.edu [192.168.1.10])
> 
> Received: from webmail.mydom.edu (localhost.localdomain [127.0.0.1])
> 
> Is there a rule which will work for both, or is there a simpler way to
> achieve this result, ie, to not filter locally originating mail?

use trusted_networks; this is what ALL_TRUSTED is for.

--j.


SA 3.1.0, postfix and amavis-new questions

2006-05-18 Thread Gene Hendrickson
I have SA 3.1.0 with postfix and amavis-new.  When I look in the logs I see
both SA and amavis scanning email for spam.  They get wildly different
scores.  Are they both supposed to be scanning?  Also, is there any way I
can have SA scores written to the header instead of amavis?  Thanks.

Gene




Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel
Chris Santerre wrote:
> We have a hard enough time with tons of new domains
> in URIBL. Those cost money and IMHO a bit more steps to go thru to
> setup than an email address. I can't imagine trying to keep up with it.
> They would expire within hours.
  

Remember we're not talking about the From address but the address
within the message that they want you to reply to. That address isn't
going to expire very fast because that's how the spammer gets the
money. I would say however that these email addresses could be expired
over a few weeks perhaps.

I also think that these lists could be used for a check of outgoing
email to see if people (suckers) are responding and to perhaps
intercept the email and warn the sender that they are replying to a
known scammer. Just a thought.
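
The lookup proposed in this message and in the earlier "central database" reply, as an added example that is not part of the original thread or of SpamAssassin: addresses found in a message body are checked against a list of reported reply addresses, entries age out, and outgoing recipients are checked against the same list. The in-memory list stands in for the central database; the 21-day expiry, the class and function names and the example.* addresses are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
TTL = timedelta(days=21)  # assumption: "a few weeks"

# Constructed sample messages (reserved example.* domains).
INBOUND = """\
From: "Barrister J. Doe" <random123@example.org>
To: victim@example.com
Subject: URGENT BUSINESS PROPOSAL

Kindly send your full names to my private email: Claims.Agent@example.net.
"""
OUTBOUND = """\
From: victim@example.com
To: <claims.agent@example.net>
Subject: Re: URGENT BUSINESS PROPOSAL

Here are my details.
"""


def normalize(addr):
    """Case-fold and trim so one mailbox maps to one list key."""
    return addr.strip().strip("<>.,;:").lower()


class ReplyAddressList:
    """Stand-in for the central database: address -> time last reported."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self._last_seen = {}

    def report(self, addr, when):
        self._last_seen[normalize(addr)] = when

    def is_listed(self, addr, now):
        seen = self._last_seen.get(normalize(addr))
        return seen is not None and now - seen <= self.ttl


def body_text(msg):
    """Concatenate decoded text parts; header addresses are deliberately ignored."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        except LookupError:  # unknown charset label
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def body_addresses(raw):
    """Addresses the body asks the reader to reply to (not the From header)."""
    msg = message_from_string(raw)
    return sorted({normalize(a) for a in ADDR_RE.findall(body_text(msg))})


def check_inbound(raw, bl, now):
    """Listed addresses found in the body of an incoming message."""
    return [a for a in body_addresses(raw) if bl.is_listed(a, now)]


def check_outbound(raw, bl, now):
    """Listed recipients of an outgoing message, so the sender can be warned."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({normalize(a) for _, a in rcpts if bl.is_listed(a, now)})


def demo():
    bl = ReplyAddressList()
    bl.report("claims.agent@example.net", datetime(2006, 5, 1))
    now = datetime(2006, 5, 18)
    return (
        check_inbound(INBOUND, bl, now),                     # listed body address
        check_outbound(OUTBOUND, bl, now),                   # user replying to it
        check_inbound(INBOUND, bl, datetime(2006, 6, 15)),   # entry has expired
    )


if __name__ == "__main__":
    print(demo())
```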





Re: A lot of these going around

2006-05-18 Thread Matt Kettler
David Baron wrote:
> May 18 11:50:22 d_baron spamc[5797]: connect(AF_INET) to spamd at 127.0.0.1 
> failed, retrying (#1 of 3): Connection refused
> 
> Seems harmless though annoying.
> Fix?

Is spamd running?



Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
It could actually be a benefit if/when the e-mail address account was 
terminated because this could keep the overall size of the list smaller. I 
wonder if there is some automated way to check this getting in trouble for 
spamming or abusing the free hosting service?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread qqqq
> Remember we're not talking about the From address but the address within
> the message that they want you to reply to. That address isn't going to
> expire very fast because that's how the spammer gets the money. I would say
> however that these email addresses could be expired over a few weeks perhaps.
>
> I also think that these lists could be used for a check of outgoing email to
> see if people (suckers) are responding and to perhaps intercept the email and
> warn the sender that they are replying to a known scammer. Just a thought.

Here's a good example:

Hello Good Fellows,
I know it's hard to find a true real and honest money making on the net
because I had alsoexperienced and onced tired of always started some
new opportunities until i met this one of its kind online business that catches
my interest and attention.

Coz' I can even say "Your Search Is Over !" So stop searching and give
this a try.
Just Email Me at
[EMAIL PROTECTED]
Put "" Register me for a free Membership"" in the subject,
Be sure to include:
1. First name:
2. Last name:
3. Email Address:
4. Country:
That's All there is to it.
We Will confirm your position and send you a special report as soon as
possible, and also Your free membership ID#.
My best regards,

Pablito Ed Tabar
[EMAIL PROTECTED]
Note: p.s. This is one time email. If you wish to remove. Kindly email to :
[EMAIL PROTECTED]
with the subject of your email "Remove Me"



Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Marc Perkel



Rob McEwen (PowerView Systems) wrote:
> It could actually be a benefit if/when the e-mail address account was
> terminated because this could keep the overall size of the list smaller. I
> wonder if there is some automated way to check this getting in trouble for
> spamming or abusing the free hosting service?
>
> Rob McEwen
> PowerView Systems
> [EMAIL PROTECTED]


I'm just going to throw this out there having not thought this through 
but if the spammer moves on to a different account then complaints 
against that email address will cease. I say that if an email address 
hasn't received a complaint in a few days then you can purge it. You 
don't want to purge it the moment the email account is closed because 
there may still be spam bots out there sending spam with that email 
address in it.


I also envision some sort of reporting to the ISP so they can quickly 
shut down the accounts.





Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Matt Kettler
Marc Perkel wrote:

> 
> I'm just going to throw this out there having not thought this through
> but if the spammer moves on to a different account then complaints
> against that email address will cease. I say that if an email address
> hasn't received a complaint in a few days then you can purge it. You
> don't want to purge it the moment the email account is closed because
> there may still be spam bots out there sending spam with that email
> address in it.
> 
> I also envision some sort of reporting to the ISP so they can quickly
> shut down the accounts.

You mean like spamcop?



Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Marc Perkel






Matt Kettler wrote:
> Marc Perkel wrote:
>> I'm just going to throw this out there having not thought this through
>> but if the spammer moves on to a different account then complaints
>> against that email address will cease. I say that if an email address
>> hasn't received a complaint in a few days then you can purge it. You
>> don't want to purge it the moment the email account is closed because
>> there may still be spam bots out there sending spam with that email
>> address in it.
>>
>> I also envision some sort of reporting to the ISP so they can quickly
>> shut down the accounts.
>
> You mean like spamcop?

Yes - like spamcop - but instead of spamcop just having a URI list they have a list of email addresses used as the reply address of 419 scammers.






Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Matt Kettler
Marc Perkel wrote:
> 
> 
> Matt Kettler wrote:
>> Marc Perkel wrote:
>>
>>   
>>> I'm just going to throw this out there having not thought this through
>>> but if the spammer moves on to a different account then complaints
>>> against that email address will cease. I say that if an email address
>>> hasn't received a complaint in a few days then you can purge it. You
>>> don't want to purge it the moment the email account is closed because
>>> there may still be spam bots out there sending spam with that email
>>> address in it.
>>>
>>> I also envision some sort of reporting to the ISP so they can quickly
>>> shut down the accounts.
>>> 
>>
>> You mean like spamcop?
>>   
> Yes - like spamcop - but instead of spamcop just having a URI list they have 
> a list of email addresses used as the reply address of 419 scammers.


Spamcop itself is not just URIs, that's the SURBL list based on spamcop data.

Spamcop, the whole system, does a lot of reporting. Generation of the URI list
is incidental to their generating reports that get sent to the ISPs of webhosts
that are spamvertized.



Re: A lot of these going around

2006-05-18 Thread David Baron
On Thursday 18 May 2006 20:40, Matt Kettler wrote:
> David Baron wrote:
> > May 18 11:50:22 d_baron spamc[5797]: connect(AF_INET) to spamd at
> > 127.0.0.1 failed, retrying (#1 of 3): Connection refused
> >
> > Seems harmless though annoying.
> > Fix?
>
> Is spamd running?

Of course.


RE: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Chris Santerre
> -Original Message-
> From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 18, 2006 1:48 PM
> To: users@spamassassin.apache.org
> Subject: Re: Proposal: First URI black list, how about email address
> blacklists?
> 
> 
> It could actually be a benefit if/when the e-mail address 
> account was terminated because this could keep the overall 
> size of the list smaller. I wonder if there is some automated 
> way to check this getting in trouble for spamming or abusing 
> the free hosting service?


And when the spammers use a joe jobbed email address, what will you do? How will you know if it really is a drop box, or someone's real email address being Joe Jobbed to mess up your list? Believe me, the spammer will feed false info to give your list a bad name. 

A URL can be checked. A private email account can't be. And if it's one thing spammers have a lot of, it's legit email addresses to joe job with. 

I'm honestly not trying to be a little black rain cloud. I just hope you look at all the possibilities. 


--Chris 





Re: A lot of these going around

2006-05-18 Thread Matt Kettler
David Baron wrote:
> On Thursday 18 May 2006 20:40, Matt Kettler wrote:
>> David Baron wrote:
>>> May 18 11:50:22 d_baron spamc[5797]: connect(AF_INET) to spamd at
>>> 127.0.0.1 failed, retrying (#1 of 3): Connection refused
>>>
>>> Seems harmless though annoying.
>>> Fix?
>> Is spamd running?
> 
> Of course.
> 

Is spamd configured to allow connections from 127.0.0.1?

(ie: what are you passing after the -A parameter to spamd?)




RE: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
> And when the spammers use a joe jobbed email address, what will you do? How
> will you know if it really is a drop box, or someones real email address
> being Joe Jobbed to mess up your list? Believe me, the spammer will feed
> false info to give your list a bad name. 

Chris, that is a really good point.

I have three answers:

(1) I'm hoping that being below the radar might prevent some of what you are 
talking about... at least a while. And I don't think that the nigeria spammers 
are the type of spammers who'd frequent this list, for example, as much as 
other spammers do, but I could be wrong about that.

(2) Messages caught by an e-mail based dnsbl probably shouldn't, by themselves, 
score high enough to cause a message to be outright blocked. In fact, I often 
catch these scam messages in my rules based filtering... only to find that, 
sometimes, they scored just below the threshold of being placed in the spam 
folder. A dnsbl service like this could put those particular messages "over the 
top" without harming a mislisted address, if used as I've described.

(3) Chances are, a single randomly picked e-mail address that was joe-jobbed 
would have just about 0% chance of showing up in a particular server that 
happened to use this service. Especially given the incredibly low percentage of 
servers which might potentially use this anytime in the next months or years.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
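
Marc Perkel's proposal in this thread (list the reply addresses found inside message bodies and age them out once complaints stop) and Rob McEwen's point (2) (a hit adds a modest score instead of blocking on its own) can be sketched as below. This is an added example, not code from any poster or from SpamAssassin; the class and function names, the 7-day quiet period, the 1.5 score, the 5.0 threshold and the sample messages are all assumptions.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class ReplyAddressList:
    """Reply/drop-box addresses, aged out by complaint activity (hypothetical)."""

    def __init__(self, quiet_days=7, hit_score=1.5):
        self.quiet = timedelta(days=quiet_days)  # assumed value for "a few days"
        self.hit_score = hit_score               # assumed, well below the threshold
        self.last_complaint = {}                 # address -> time of latest report

    def report(self, address, when):
        """Record a complaint; only the most recent one matters for expiry."""
        key = address.strip().lower()
        if key not in self.last_complaint or when > self.last_complaint[key]:
            self.last_complaint[key] = when

    def purge(self, now):
        """Drop entries with no complaint inside the quiet period.

        Expiry follows complaints, not account closure, because bots may
        keep sending mail that names an address after it has been shut down.
        """
        stale = sorted(a for a, seen in self.last_complaint.items()
                       if now - seen > self.quiet)
        for address in stale:
            del self.last_complaint[address]
        return stale

    def body_hits(self, raw_message, now):
        """Listed, still-active addresses found in text parts (headers ignored)."""
        msg = message_from_string(raw_message)
        text = "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_maintype() == "text")
        found = {a.lower() for a in EMAIL_RE.findall(text)}
        return sorted(a for a in found
                      if a in self.last_complaint
                      and now - self.last_complaint[a] <= self.quiet)

    def score(self, raw_message, now):
        """One fixed contribution per message, however many addresses hit."""
        return self.hit_score if self.body_hits(raw_message, now) else 0.0


def is_spam(other_rules_score, raw_message, addr_list, now, threshold=5.0):
    """Combine the list's contribution with the score from all other rules."""
    return other_rules_score + addr_list.score(raw_message, now) >= threshold


# Constructed sample data (documentation domains, not from the thread).
NOW = datetime(2006, 5, 18, 12, 0)
SCAM = ("From: Barrister <sender@example.org>\n"
        "Subject: Urgent\n\n"
        "Kindly reply to claims.desk@example.com with your details.\n")
LEGIT = ("From: Colleague <colleague@example.org>\n"
         "Subject: is this a scam?\n\n"
         "Someone asked me to write to claims.desk@example.com, should I?\n")


def build_list():
    bl = ReplyAddressList()
    bl.report("Claims.Desk@example.com", NOW - timedelta(days=2))
    bl.report("old.drop@example.net", NOW - timedelta(days=30))
    bl.report("sender@example.org", NOW - timedelta(days=1))  # only in From:
    return bl


if __name__ == "__main__":
    bl = build_list()
    print("purged:", bl.purge(NOW))
    print("hits:", bl.body_hits(SCAM, NOW))
    print("scam flagged:", is_spam(4.2, SCAM, bl, NOW))
    print("legit flagged:", is_spam(0.3, LEGIT, bl, NOW))
```

The legitimate message that merely mentions a listed address stays under the threshold, which is the behaviour point (2) relies on to limit the damage from a joe-jobbed listing.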


Re: Filtering windows-1252 charset

2006-05-18 Thread Kai Schaetzl
Philip Prindeville wrote on Thu, 18 May 2006 08:47:48 -0600:

> How legitimate is email sent as 
> windows-1252?

Very, because broken Windows clients use it.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Minimizing spamd's memory footprint

2006-05-18 Thread Michael Monnerie
On Donnerstag, 18. Mai 2006 01:31 Kai Schaetzl wrote:
> > That list would most definetly ... get your cat pregnant!
> Hm, quite powerful medicine then, hm? ;-)

Probably he shouldn't filter those DRUGS spam then and buy some of 
these. I'm sure some sell anti baby pills for cats. *g*

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: Delete spam or move to a folder?

2006-05-18 Thread Craig McLean
Will Nordmeyer wrote:

> Craig,
>
> How do you have procmail set up to deliver to the spam vs. likely spam
> folders?

Use the "X-Spam-Level" marker. Anything with < 10 stars and a
"X-Spam-Status" of "Yes" gets put in a 'likely-spam' folder. Anything
else goes to 'spam'.

C.
-- 
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Craig McLean
Dallas L. Engelken wrote:
> 
> Well, the only thread on sa-users I found about this was from Dec 2005.
> http://www.nabble.com/A-thought-about-phone-numbers-and-URIBLs-t716464.html
> 
> We had a thread on uribl staff list about this last July which we
> cross-posted to sare where loren brought up some good points.   After a
> good discussion on it, it dropped off the radar as something that would
> take too much time and have very little impact.
> 
> If anyone plans to move forward with this, I'd be willing to share our
> threads on it.
> 
> Dallas

Actually, after some off-list chat with Rob Skedgell I recently finished
a first attempt at a plugin for a dnsbl for phone numbers[1], having put
together a monstrous, by-country static ruleset based on international
dialing codes[2]. It's met with reasonable success here against 419 and
associated check-fraud spam using harvested data[3], but will need some
serious thought, testing, tweaking and infrastructure before it can be
used in production...

I'd be intrigued to read any other comments and discussion that have
happened...

Thanks,
C.

[1] http://fukka.co.uk/sa-rules/local/PhoneBL.pm
[2] http://fukka.co.uk/sa-rules/local/phone.cf
[3] http://fukka.co.uk/sa-rules/local/evilnumbers.db
-- 
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Marc Perkel
I believe that using email addresses that are embedded in 419 type spams 
as a spam fingerprint will be as effective against 419 type spam as 
URIBL is for identifying spam that has links in it.


All spam has one thing in common. Spam wants you to DO something. And 
what it wants you to do is either click on something or send an email 
somewhere. If we focus on identifying spam on what it wants us to do 
then we have the fingerprint.




URL-encoded hostnames in email links

2006-05-18 Thread John D. Hardin

Re:  http://isc.sans.org/diary.php?storyid=1342

(1) Are there any rules currently in SA or SARE that will trigger on
encoded characters in the hostname part of a URL?

(2) Does the URL extractor for SURBL checks properly deal with
URL-encoded hostnames?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like "Oh my God, this
  place is teeming with utter morons" to incorrect conclusions like
  "there's nothing of value here".    -- Al Petrofsky, in Y! SCOX
---



list of rules

2006-05-18 Thread Paul Matthews
Hi there,

I've just installed spam assassin and it's working okay, but some spam is
still getting in, I only have like 3 rules at the moment that I added in,
is there a list of pretty safe rules out there that I could just copy into
my local.cf SA file?




Re: list of rules

2006-05-18 Thread Matt Kettler
Paul Matthews wrote:
> Hi there,
> 
> I've just installed spam assassin and it's working okay, but some spam is
> still getting in, I only have like 3 rules at the moment that I added in,

Care to specify which ones?

> is there a list of pretty safe rules out there that I could just copy into
> my local.cf SA file?

Well, I usually don't copy rules into my local.cf, I copy whole rulefiles at a
time. (SA will parse all the .cf files in /etc/mail/spamassassin, not just
local.cf. So all you need to do is download the .cf files).

In general, I would suggest not adding on ANY rules to start with. Only use the
default set for a little bit, to get a feel for what works for you,


Also, make sure you've got Net::DNS installed. The SA default ruleset has a LOT
of very powerful rules that depend on DNS.

As for add-ons, I get good results from the following rulesets from SARE. After
running a bit with the default set, these would be good add-ons to start with.


70_sare_adult.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_html0.cf
70_sare_obfu0.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_stocks.cf
70_sare_uri0.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf

I strongly suggest not using sa-blacklist.cf or sa-blacklist-uri.cf unless you
have a LOT (more than 4GB) of ram. Both of these are SEVERE memory hogs.

I also make use of a modified version of the rules for uribl.com's add-on uribl:


urirhssub   URIBL_BLACK  multi.uribl.com.   A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  1.5

# note: grey is an informational rule. It OFTEN matches nonspam.
# in fact, it tends to match more nonspam than spam. (S/O's are
# in the 0.55-0.30 range)

urirhssub   URIBL_GREY  multi.uribl.com.   A   4
body        URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY  net
score       URIBL_GREY  0.001









Re: URL-encoded hostnames in email links

2006-05-18 Thread Matt Kettler
John D. Hardin wrote:
> Re:  http://isc.sans.org/diary.php?storyid=1342
> 
> (1) Are there any rules currently in SA or SARE that will trigger on
> encoded characters in the hostname part of a URL?
> 
> (2) Does the URL extractor for SURBL checks properly deal with
> URL-encoded hostnames?

Yes, SA in general deals with most forms of URI encoding.

The surbl checks are not confused by the use of ".%63%6f%6d" instead of ".com".
The general SA architecture decodes these long before the surbl rules see it.

I also don't understand why this is a new thing to the ISC handler's diary.
Spammers have been using that trick for a LOONG time. It's more common in
phishing than spam, but it's still common in both.


Re: REMOVE and Don't Send These Emails

2006-05-18 Thread Matt Kettler
Please cease and desist sending me automated backscatter in response to postings
regarding spamassassin-talk list.


Either unsubscribe yourself from the list, or stop generating backscatter.

Further backscatter will be reported to spamcop as such.




[EMAIL PROTECTED] wrote:
> You are emailing from or for a product we aren't interested in
> from any domain ending in hex coded .C0M
>  
> You are sending unsolicited and unwanted SPAM.
> 
> Cease and desist and remove all email addresses with the words
> ourfam or ourldsfamily from your databases.
> 
> Stop sending emails without a workable option to unsubscribe
> before we're forced to take legal action in accordance with
> US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B).
> 
> In accordance with the above laws, violation of our privacy with advertising
> or SPAM may result in a MINIMUM of $500 damages/incident, $1500 for repeats.
> 
>  
> 



[OT] Re: REMOVE and Don't Send These Emails

2006-05-18 Thread Rick Macdougall

Matt Kettler wrote:
> Please cease and desist sending me automated backscatter in response to postings
> regarding spamassassin-talk list.
>
> Either unsubscribe yourself from the list, or stop generating backscatter.
>
> Further backscatter will be reported to spamcop as such.
>
> [EMAIL PROTECTED] wrote:
>> You are emailing from or for a product we aren't interested in
>> from any domain ending in hex coded .C0M
>>
>> You are sending unsolicited and unwanted SPAM.
>>
>> Cease and desist and remove all email addresses with the words
>> ourfam or ourldsfamily from your databases.
>>
>> Stop sending emails without a workable option to unsubscribe
>> before we're forced to take legal action in accordance with
>> US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B).
>>
>> In accordance with the above laws, violation of our privacy with advertising
>> or SPAM may result in a MINIMUM of $500 damages/incident, $1500 for repeats.

Our LDS Family ?

Strange.


Re: [OT] Re: REMOVE and Don't Send These Emails

2006-05-18 Thread Evan Platt
On Thu, May 18, 2006 4:25 pm, Rick Macdougall wrote:
> Our LDS Family ?
>
> Strange.

LDS = Latter Day Saints (Mormons).



Re: [OT] Re: REMOVE and Don't Send These Emails

2006-05-18 Thread Rick Macdougall

Evan Platt wrote:
> On Thu, May 18, 2006 4:25 pm, Rick Macdougall wrote:
>> Our LDS Family ?
>>
>> Strange.
>
> LDS = Latter Day Saints (Mormons).

Ja, I know what it is, I just found the url strange.

*Shrug* but what do I know.




Re: Re: [OT] Re: REMOVE and Don't Send These Emails

2006-05-18 Thread Nigel Frankcom
Probably need a couple of extra wives to explain it to you ;-D

On Thu, 18 May 2006 19:30:56 -0400, Rick Macdougall
<[EMAIL PROTECTED]> wrote:

>Evan Platt wrote:
>> On Thu, May 18, 2006 4:25 pm, Rick Macdougall wrote:
>>> Our LDS Family ?
>>>
>>> Strange.
>> 
>> LDS = Latter Day Saints (Mormons).
>> 
>
>Ja, I know what it is, I just found the url strange.
>
>*Shrug* but what do I know.
>


Re: list of rules

2006-05-18 Thread Theo Van Dinter
On Thu, May 18, 2006 at 06:52:23PM -0400, Matt Kettler wrote:
> > is there a list of pretty safe rules out there that I could just copy into
> > my local.cf SA file?

Are you using sa-update?

> I also make use of a modified version of the rules for uribl.com's add-on 
> uribl:

Is there a reason to not just use the uribl.com rules that are already
included with the stock SA?

-- 
Randomly Generated Tagline:
"They were printing out the damn bible ... Jesus Christ!" - Matt




Re: list of rules

2006-05-18 Thread Paul Matthews
> Are you using sa-update?

I'm not sure, how do I know if I am, but I did a locate sa-update and I
came up with nothing so I have to guess that I'm not.

Although, I've found the website

http://www.sa-blacklist.stearns.org/sa-blacklist/

and I've added the following information into a script and set it to run as
a cron job once a week.

wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.cf
wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
wget http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf

Has anyone out there used this website? Is it any good? Does it work?




Re: list of rules

2006-05-18 Thread Matt Kettler
Paul Matthews wrote:
>> Are you using sa-update?
>> 
>
> i'm not sure, how do i know if i am, but i did a locate sa-update and i
> came up with nothing so i have to guess that i'm not.
>   

What version of SA are you using? If older than 3.1.1, consider
upgrading to the current version before adding on extra rulesets.
> Although, i've found the website
>
> http://www.sa-blacklist.stearns.org/sa-blacklist/
>
> and i've add the following information into a script and set it to run as
> a cron job once a week.
>
> wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.cf
> wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
> wget http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf
>
> Has anyone out there used this website? is it any good? does it work?
>   

DO NOT use the sa-blacklist rules. Either of them.

1) sa-blacklist is based on email addresses. This is not a very
effective tactic for fighting spam.

2) sa-blacklist is a nearly 2meg file, which will increase your spamd
size by about 100 megs per-instance. This massive memory increase will
grind most boxes to a halt.

3) sa-blacklist-uri is superseded by the URIBL test  URIBL_WS_SURBL.
This test is more accurate (it's a live query to DNS, thus rapidly
updated) and uses much less memory. However, it does require use of DNS.





Re: list of rules

2006-05-18 Thread Paul Matthews
> What version of SA are you using? If older than 3.1.1, consider
> upgrading to the current version before adding on extra rulesets.

I'm running RHEL4 with spamassassin-3.0.5-3.el4

I don't want to upgrade because I manage all my packages with redhat's
up2date program and a new version of SA hasn't been released with RHEL4
yet.

> 1) sa-blacklist is based on email addresses. This is not a very
> effective tactic for fighting spam.

Fair enough, removes file

> 2) sa-blacklist is a nearly 2meg file, which will increase your spamd
> size by about 100 megs per-instance. This massive memory increase will
> grind most boxes to a halt.

It's actually a 13 mg file and you're right, I did notice a big drop in
performance

> 3) sa-blacklist-uri is superseded by the URIBL test  URIBL_WS_SURBL.
> This test is more accurate (it's a live query to DNS, thus rapidly
> updated) and uses much less memory. However, it does require use of DNS.

I've removed all the files that I got from that website, but I'm still
looking for a self-updating solution for SA.

Any ideas?


-- 
Paul Matthews
Junior Network Technician | The Cathedral School
Ph  (07) 47222 194 |  Fax (07) 47222 111
PO Box 944 Aitkenvale Q 4814
E:  [EMAIL PROTECTED]
W: www.cathedral.qld.edu.au

Anglican coeducation | Day and Boarding | Early Childhood to Year 12
Educating for life-long success







Re[2]: Negative lookaround?

2006-05-18 Thread Robert Menschel
Hello Matt,

Wednesday, May 17, 2006, 4:04:39 PM, you wrote:

MK> Some of the shorter results are:

MK> body  SARE_OBFU_BACK_NUM     m'(?!BACK)\bb\d?a\d?c\d?k\b'i
MK> body  SARE_OBFU_SAVE_NUM     m'(?!save)\bs\d?a\d?v\d?e\b'i
MK> body  SARE_OBFU_SAVINGS_NUM  m'(?!savings)\bs\d?a\d?v\d?i\d?n\d?g\d?s\b'i
MK> body  SARE_OBFU_NUM_YOUR     m'(?!YOUR)\bY\d?O\d?U\d?R\b'i

MK> (why the author used m' instead of / is beyond me, as it serves no purpose in
MK> these rules..  but a lot of SARE rules have really weird style so I'll chalk it
MK> up to weird style.)

Many obfu rules need to test for letter substitutions, such as \/ for
V.  Those rules need a lot of quoting unless you use a construct like
m'regex' to eliminate that need.  After several passes of "gosh,
that's another one that needs quoting," I got into the habit of always
using m'regex' for any/all obfu rules.

Bob Menschel





Re: URL-encoded hostnames in email links

2006-05-18 Thread John D. Hardin
On Thu, 18 May 2006, Matt Kettler wrote:

> John D. Hardin wrote:
> > Re:  http://isc.sans.org/diary.php?storyid=1342
> > 
> > (1) Are there any rules currently in SA or SARE that will trigger on
> > encoded characters in the hostname part of a URL?
> > 
> > (2) Does the URL extractor for SURBL checks properly deal with
> > URL-encoded hostnames?
> 
> Yes, SA in general deals with most forms of URI encoding.
> 
> The surbl checks are not confused by the use of ".%63%6f%6d" instead of ".com".
> The general SA architecture decodes these long before the surbl rules see it.

Does encoding plain text ([A-Za-z0-9._]) in a URL add any points?

> I also don't understand why this is a new thing to the ISC
> handler's diary. Spammers have been using that trick for a
> LOONG time. It's more common in phishing than spam, but it's
> still common in both.



--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like "Oh my God, this
  place is teeming with utter morons" to incorrect conclusions like
  "there's nothing of value here".    -- Al Petrofsky, in Y! SCOX
---
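
Matt Kettler's point that an escaped hostname such as ".%63%6f%6d" is decoded before any SURBL lookup, and John Hardin's question about flagging encoded plain characters in the hostname, can both be illustrated with one normalisation step. This is an added Python sketch, not SpamAssassin's code; the function names, the sample body and the two-label lookup key are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample body. example.com / example.net are reserved
# documentation domains, not taken from the thread.
SAMPLE_BODY = (
    "Please verify your account at http://www.example%2e%63%6f%6d/login "
    "or visit http://shop.example.net/a%20b for details. "
    "Mirror: HTTP://WWW.EXAMPLE.%43%4F%4D:8080/x"
)

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
AUTHORITY_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# RFC 3986 "unreserved" characters: percent-encoding them is never required.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def raw_host(url):
    """Return the host exactly as written (escapes intact), or None."""
    m = AUTHORITY_RE.match(url)
    if not m:
        return None
    authority = m.group(1).rsplit("@", 1)[-1]  # drop any userinfo
    return authority.split(":", 1)[0]          # drop port; IPv6 literals out of scope


def decode_host(host):
    """Percent-decode once, lowercase, and strip a trailing root dot."""
    return unquote(host).lower().rstrip(".")


def needless_escapes(host):
    """Escapes in the host that decode to characters needing no encoding."""
    return [e for e in ESCAPE_RE.findall(host)
            if chr(int(e[1:], 16)) in UNRESERVED]


def lookup_key(host):
    """Assumption: the last two labels stand in for the registered domain.

    A real URI blocklist client also needs a list of two-level TLDs.
    """
    return ".".join(host.split(".")[-2:])


def analyze(body):
    """Normalise every http(s) URL host in the body and flag escaped hosts."""
    results = []
    for url in URL_RE.findall(body):
        written = raw_host(url)
        if not written:
            continue
        host = decode_host(written)
        results.append({
            "url": url,
            "raw_host": written,
            "host": host,
            "encoded_host": bool(ESCAPE_RE.search(written)),
            "needless": needless_escapes(written),
            "lookup_key": lookup_key(host),
        })
    return results


def lookup_keys(body):
    """Distinct keys that would be queried, identical for escaped and plain forms."""
    return {r["lookup_key"] for r in analyze(body)}


if __name__ == "__main__":
    for r in analyze(SAMPLE_BODY):
        print(r["raw_host"], "->", r["host"],
              "| flag:", r["encoded_host"], "| key:", r["lookup_key"])
```

Only the host is inspected, so the `%20` in the second URL's path does not raise the flag, while both escaped spellings of the first host collapse to the same lookup key as the plain form.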



Re: list of rules

2006-05-18 Thread Matt Kettler
Paul Matthews wrote:
>> What version of SA are you using? If older than 3.1.1, consider
>> upgrading to the current version before adding on extra rulesets.
>> 
>
> I'm running RHEL4 with spamassassin-3.0.5-3.el4
>
> I don't want to upgrade because I manage all my packages with redhat's
> up2date program and a new version of SA hasn't been released with RHEL4
> yet.
>

> I've removed all the files that I got from that website, but I'm still
> looking for a self-updating solution for SA.
>
> Any ideas?

Your best bet, given that you've tied yourself to the slow release
process that redhat uses, is to use RulesDuJour. However, this only
works for add-on rulesets. The updates to the stock ruleset only run
from sa-update, and that only works with 3.1.1 or higher.



RE: A lot of these going around

2006-05-18 Thread Sietse van Zanen
Or maybe some "rejecting connection due to high load" messages in your system 
logs?



From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 18-May-06 21:50
To: David Baron
Cc: users@spamassassin.apache.org
Subject: Re: A lot of these going around



David Baron wrote:
> On Thursday 18 May 2006 20:40, Matt Kettler wrote:
>> David Baron wrote:
>>> May 18 11:50:22 d_baron spamc[5797]: connect(AF_INET) to spamd at
>>> 127.0.0.1 failed, retrying (#1 of 3): Connection refused
>>>
>>> Seems harmless though annoying.
>>> Fix?
>> Is spamd running?
>
> Of course.
>

Is spamd configured to allow connections from 127.0.0.1?

(ie: what are you passing after the -A parameter to spamd?)






Autolearn=failed

2006-05-18 Thread Dennis Clark



Using FC5, SA 3.1.0, calling SA with spampd.
 
Every message that meets the autolearn threshold 
(spaminess>~30 <1) results in an autolearn=failed result.  
Checked permissions and made sure bayesian and whitelist were r/w for user 
mail.  Log shows locking errors on whitelist.  using  -D 
--lint reports all good.