Re: SA Rule Tester/Checker
On 2015-07-16 04:53, Kevin A. McGrail wrote:
> You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect.
>
> I also use mutt and a few macros such as one that runs spamassassin -t 2>&1 with a prompt for a keyword. Helpful for debugging.

Can you elaborate on the macros any? After searching, I'm still having a hard time understanding conventional SA rule checking/debugging methods. I've been going my own route so far, but I would like to have a basic understanding how most folks do it. I'm not finding much to get me started. (Guides on regression_tests.cf etc.)

Without knowing more at this point, do you think there may be some usefulness to a tool that responds to keystrokes/keyphrases in real time like satester/rubular do? That is why I found the Rubular site so handy for checking my regex patterns in the first place and was inspired to write satester. For example, as I bang out a new rule, I can vary the sample text very quickly to check the pattern. Add/change/delete a character here or there and see what happens instantly. But with satester just on a larger scale.

Sorry, not trying to spam my rule tool but just gain insight on where and if it is truly useful. Anyway, a link or two for (basic|convention|intended) rule checking might be enough to get me started and more familiar with regular methods of checking/debugging.

Allen
am -at- satester.com
Re: [Announce] SA-Plugins: RedisAWL, RuleTimingRedis
Markus,

* Benning, Markus :
> Hi Patrik,
>
> i just pushed Version 1.002 to github and CPAN:
>
> --
> The following new features have been added:
>
> - New option: timing_redis_password allows to specify a redis
>   password
>
> - New option: timing_redis_exclude_re excludes rules from timing
>   statistics. By default set to '^__' which will exclude all sub-rules
>
> - New option: timing_redis_database allows to select a non-default
>   database in redis. (redis SWITCH call)
>
> - New option: timing_redis_bulk_update will queue timing updates
>   before sending them to redis and execute them in a bulk via a
>   single call to a server-side script. By default this option is set
>   to 50 entries. Set to 0 to disable. Requires redis >= 2.6.0 and a
>   Redis perl >= 1.954 module.
> --
>
> I'm currently not using it on a system where the overhead is
> relevant for me, but
> i tried to reduce the number of redis command executed.
> I hope this will reduce the overhead significantly.

that's great news. Thanks!

> Feedback and test results welcome.

I will, as soon as I have something to share!

p@rick

> On 2015-07-15 23:22, Patrick Ben Koetter wrote:
> > Markus,
> >
> > are you planning to add 'password' and 'database ID' support for redis
> > connects to RuleTimingRedis?
> >
> > What's your experience regarding Timing overhead? My simple tests
> > on the
> > command line show about 1 second overhead when RuleTimingRedis is added:
> >
> > # Without RuleTimingRedis
> > mail# time spamassassin --lint
> >
> > real    0m1.975s
> > user    0m1.852s
> > sys     0m0.116s
> >
> > # Enable RuleTimingRedis
> > mail# vim /etc/mail/spamassassin/init.pre
> >
> > # With RuleTimingRedis
> > mail# time spamassassin --lint
> >
> > real    0m2.828s
> > user    0m2.128s
> > sys     0m0.392s
> >
> > p@rick
> >
> > * Benning, Markus :
> > > Hello,
> > >
> > > i want to announce the release of the SpamAssassin Plugins:
> > >
> > > RedisAWL - redis support for spamassassin AWL/TxRep
> > > RuleTimingRedis - collect SA rule timings in redis
> > >
> > > Both can be downloaded from CPAN or GitHub:
> > >
> > > https://metacpan.org/author/BENNING
> > >
> > > https://github.com/benningm
> > >
> > > Timings gathered with the RuleTimingRedis plugin can be used in
> > > collectd
> > > with the Collectd-Plugins-RedisClient module also available from CPAN.
> > >
> > > Markus
> > >
> > > --
> > > Markus Benning, https://markusbenning.de/
>
> --
> Markus Benning, https://markusbenning.de/

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, District Court Munich: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: [Announce] SA-Plugins: RedisAWL, RuleTimingRedis
Hi Patrik,

i just pushed Version 1.002 to github and CPAN:

--
The following new features have been added:

- New option: timing_redis_password allows to specify a redis password

- New option: timing_redis_exclude_re excludes rules from timing statistics. By default set to '^__' which will exclude all sub-rules

- New option: timing_redis_database allows to select a non-default database in redis. (redis SWITCH call)

- New option: timing_redis_bulk_update will queue timing updates before sending them to redis and execute them in a bulk via a single call to a server-side script. By default this option is set to 50 entries. Set to 0 to disable. Requires redis >= 2.6.0 and a Redis perl >= 1.954 module.
--

I'm currently not using it on a system where the overhead is relevant for me, but i tried to reduce the number of redis command executed. I hope this will reduce the overhead significantly.

Feedback and test results welcome.

Markus

On 2015-07-15 23:22, Patrick Ben Koetter wrote:
> Markus,
>
> are you planning to add 'password' and 'database ID' support for redis connects to RuleTimingRedis?
>
> What's your experience regarding Timing overhead? My simple tests on the command line show about 1 second overhead when RuleTimingRedis is added:
>
> # Without RuleTimingRedis
> mail# time spamassassin --lint
>
> real    0m1.975s
> user    0m1.852s
> sys     0m0.116s
>
> # Enable RuleTimingRedis
> mail# vim /etc/mail/spamassassin/init.pre
>
> # With RuleTimingRedis
> mail# time spamassassin --lint
>
> real    0m2.828s
> user    0m2.128s
> sys     0m0.392s
>
> p@rick
>
> * Benning, Markus :
> > Hello,
> >
> > i want to announce the release of the SpamAssassin Plugins:
> >
> > RedisAWL - redis support for spamassassin AWL/TxRep
> > RuleTimingRedis - collect SA rule timings in redis
> >
> > Both can be downloaded from CPAN or GitHub:
> >
> > https://metacpan.org/author/BENNING
> >
> > https://github.com/benningm
> >
> > Timings gathered with the RuleTimingRedis plugin can be used in collectd with the Collectd-Plugins-RedisClient module also available from CPAN.
> >
> > Markus
> >
> > --
> > Markus Benning, https://markusbenning.de/

--
Markus Benning, https://markusbenning.de/
Re: KAM.cf KAM_COUK
On Thu, 16 Jul 2015 11:20:33 +0200 Benny Pedersen wrote:

> sorry if that was not clear from my writing in the first place :(
>
> and i agree that co.uk is double tld, even if it same registra owned
> its silly

We've already been through this. It dates back to before any internet TLDs were registered, when all private companies connecting to the JANET network were allocated names under the UK.CO. hierarchy. The two systems co-existed for many years, so it made sense that names could be the same apart from case and endianness. What's so silly about that?

> the case in co.dk was also dropped, since no one would pay more for a
> dk domain

That wouldn't matter if it were not possible to buy .dk domains. Again we've already been through this, direct .uk domains were not available to the public before 2014.

A lot of countries have official hierarchical domains. Some allow domains directly on the ccTLD, some don't. Denmark is part of a cluster of European countries that have flat cc domains, it is not representative of the rest of the world.

Your particular reasons for penalizing .co.uk are irrational.
Re: Difficulty triggering SPF_FAIL
David B Funk wrote:
> Kind'a hard to add TXT records to the .in-addr.arpa zone. Maybe it's
> possible
> but I've never seen it.

It's entirely possible to put any type of record in a .in-addr.arpa zone. It doesn't often make much *sense*, but it's legal syntax; a DNS zone is a DNS zone.

-kgd, thinking about the .arpa zones we imported from a bought-out ISP that had MX records...
Re: SPF confusion
On 7/16/2015 4:04 AM, Reindl Harald wrote:
> On 15.07.2015 at 23:21, Bowie Bailey wrote:
> > I still don't understand the query for sr03a.SMTPNA11.rrdesp.com. That is a sending server parsed from one of the Received lines. What is the expected result of checking SPF on a mail server address?
>
> http://www.openspf.org/FAQ/Common_mistakes#helo

Hmmm... First time I've seen that. I'll have to look into it. Thanks.

--
Bowie
Re: SA Rule Tester/Checker
On 2015-07-16 07:32, Axb wrote:
> > header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
> > header __KAM_MULTIPLE_FROM From =~ /^./
> >
> > I think I get the first one (if anything exists in X-No-Relay) but I'll have to look deeper to understand why you would trigger on any From address. Anyway I'm having fun, learning a lot, and doing my customers a lot of good by developing rules. Thanks again for your tips and help.
>
> did you miss the next line?
>
> tflags __KAM_MULTIPLE_FROM multiple,maxhits=2

Understood. I just had a "what the heck is this?" moment. I'm a little excited by the new tool and I can't wait to dig into mutt and spamassassin -t today to see how they work by comparison. Yea, no more Rubular. heh.

Allen Marsalis
am -at- satester.com
Re: KAM.cf KAM_COUK
On Thu, 16 Jul 2015 07:38:31 -0400 Kevin A. McGrail wrote:

> On 7/16/2015 7:35 AM, RW wrote:
> > On Thu, 16 Jul 2015 05:02:33 -0400
> > Kevin A. McGrail wrote:
> >
> >> the co.uk appeared in spam and appeared to have cruddy
> >> registration security allowing an influx of throwaway domains
> >> likely paid through fraudulent means, etc.
> >
> > Spammers can't buy .co.uk domains directly from Nominet, they buy
> > them through the likes of eNom etc. Is there really any difference
> > to .com?
> >
> there is in my corpora which may not be indicative of others,
> especially those in the UK.

I meant in terms of "cruddy registration security allowing an influx of throwaway domains likely paid through fraudulent means, etc".

I suspect it's mainly because of price, and perhaps the namespace is a bit less mined-out.
Re: SA Rule Tester/Checker
On 7/16/2015 8:28 AM, a...@satester.com wrote:
> On 2015-07-16 04:53, Kevin A. McGrail wrote:
> > You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect.
> >
> > I also use mutt and a few macros such as one that runs spamassassin -t 2>&1 with a prompt for a keyword. Helpful for debugging.
>
> Thanks Kevin. I really appreciate your sharing. I will check these out today. I've used regex for years but I'm relatively new to SA rules.
>
> I did see something interesting this morning. I pasted KAM.cf in to satester figuring it might overload my script but it worked. However any sample text I type triggers these two rules of yours.
>
> header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
> header __KAM_MULTIPLE_FROM From =~ /^./
>
> I think I get the first one (if anything exists in X-No-Relay) but I'll have to look deeper to understand why you would trigger on any From address. Anyway I'm having fun, learning a lot, and doing my customers a lot of good by developing rules. Thanks again for your tips and help.

The X-No_relay is just a header existence check.

The second has this special

tflags __KAM_MULTIPLE_FROM multiple,maxhits=2

So it requires multiple hits, stops counting at two and is used for emails that have incorrectly put in two From headers.

Regards,
KAM
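The counting behaviour described in the reply above, as an added example (not part of any post in this thread and not SpamAssassin's own code). It is a simplified model that assumes each instance of a header is tested on its own; the sample messages are constructed.

```python
import re
from email import message_from_string

# Rule lines exactly as quoted in the thread (excerpt of KAM.cf).
RULES_CF = """\
header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
header __KAM_MULTIPLE_FROM From =~ /^./
tflags __KAM_MULTIPLE_FROM multiple,maxhits=2
"""

PERL_FLAGS = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}
HEADER_RULE = re.compile(r"header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")
TFLAGS_LINE = re.compile(r"tflags\s+(\S+)\s+(.+)$")


def parse_rules(cf_text):
    """Parse 'header NAME Hdr =~ /re/flags' and 'tflags NAME ...' lines."""
    rules, tflags = {}, {}
    for line in cf_text.splitlines():
        line = line.strip()
        m = HEADER_RULE.match(line)
        if m:
            name, header, pattern, flags = m.groups()
            bits = 0
            for f in flags:
                bits |= PERL_FLAGS[f]  # KeyError on a modifier this model lacks
            rules[name] = {"header": header, "regex": re.compile(pattern, bits),
                           "multiple": False, "maxhits": None}
            continue
        m = TFLAGS_LINE.match(line)
        if m:
            # The thread writes the flags comma-separated; accept spaces too.
            tflags[m.group(1)] = [f for f in re.split(r"[,\s]+", m.group(2)) if f]
    for name, flags in tflags.items():
        if name not in rules:
            continue
        for flag in flags:
            if flag == "multiple":
                rules[name]["multiple"] = True
            elif flag.startswith("maxhits="):
                rules[name]["maxhits"] = int(flag.split("=", 1)[1])
    return rules


def count_hits(rule, msg):
    """Hit count for one rule: 0 or 1 normally, a capped count with 'multiple'."""
    values = msg.get_all(rule["header"], [])
    if not rule["multiple"]:
        return 1 if any(rule["regex"].search(v) for v in values) else 0
    hits = 0
    for value in values:
        hits += sum(1 for _ in rule["regex"].finditer(value))
        if rule["maxhits"] and hits >= rule["maxhits"]:
            return rule["maxhits"]  # stop counting at the cap
    return hits


def evaluate(cf_text, raw_message):
    """Return {rule_name: hit_count} for one raw message."""
    msg = message_from_string(raw_message)
    return {name: count_hits(rule, msg)
            for name, rule in parse_rules(cf_text).items()}


# Constructed sample messages (not taken from the thread).
ONE_FROM = "From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\nbody\n"
TWO_FROM = ("From: alice@example.org\nFrom: mallory@example.com\n"
            "To: bob@example.net\n\nbody\n")
THREE_FROM = "From: a@example.org\n" + TWO_FROM
NO_RELAY = "X-No-Relay: yes\n" + ONE_FROM

if __name__ == "__main__":
    for label, raw in [("one From", ONE_FROM), ("two From", TWO_FROM),
                       ("three From", THREE_FROM), ("X-No-Relay set", NO_RELAY)]:
        print(label, evaluate(RULES_CF, raw))
```

A tester that reports any non-zero hit count will flag `__KAM_MULTIPLE_FROM` on every message with a From header; only a count of 2 separates the duplicate-From case from ordinary mail.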
Re: SA Rule Tester/Checker
On 16.07.2015 14:28, a...@satester.com wrote:
> On 2015-07-16 04:53, Kevin A. McGrail wrote:
> > You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect.
> >
> > I also use mutt and a few macros such as one that runs spamassassin -t 2>&1 with a prompt for a keyword. Helpful for debugging.
>
> Thanks Kevin. I really appreciate your sharing. I will check these out today. I've used regex for years but I'm relatively new to SA rules.
>
> I did see something interesting this morning. I pasted KAM.cf in to satester figuring it might overload my script but it worked. However any sample text I type triggers these two rules of yours.
>
> header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
> header __KAM_MULTIPLE_FROM From =~ /^./
>
> I think I get the first one (if anything exists in X-No-Relay) but I'll have to look deeper to understand why you would trigger on any From address. Anyway I'm having fun, learning a lot, and doing my customers a lot of good by developing rules. Thanks again for your tips and help.

did you miss the next line?

tflags __KAM_MULTIPLE_FROM multiple,maxhits=2
Re: SA Rule Tester/Checker
On 2015-07-16 04:53, Kevin A. McGrail wrote:
> You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect.
>
> I also use mutt and a few macros such as one that runs spamassassin -t 2>&1 with a prompt for a keyword. Helpful for debugging.

Thanks Kevin. I really appreciate your sharing. I will check these out today. I've used regex for years but I'm relatively new to SA rules.

I did see something interesting this morning. I pasted KAM.cf in to satester figuring it might overload my script but it worked. However any sample text I type triggers these two rules of yours.

header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
header __KAM_MULTIPLE_FROM From =~ /^./

I think I get the first one (if anything exists in X-No-Relay) but I'll have to look deeper to understand why you would trigger on any From address. Anyway I'm having fun, learning a lot, and doing my customers a lot of good by developing rules. Thanks again for your tips and help.

Allen Marsalis
am -at- satest.com
Re: KAM.cf KAM_COUK
On 7/16/2015 7:35 AM, RW wrote:
> On Thu, 16 Jul 2015 05:02:33 -0400 Kevin A. McGrail wrote:
> > the co.uk appeared in spam and appeared to have cruddy registration security allowing an influx of throwaway domains likely paid through fraudulent means, etc.
>
> Spammers can't buy .co.uk domains directly from Nominet, they buy them through the likes of eNom etc. Is there really any difference to .com?

there is in my corpora which may not be indicative of others, especially those in the UK.

Regards,
KAM
Re: KAM.cf KAM_COUK
On 16.07.2015 at 13:35, RW wrote:
> On Thu, 16 Jul 2015 05:02:33 -0400 Kevin A. McGrail wrote:
> > the co.uk appeared in spam and appeared to have cruddy registration security allowing an influx of throwaway domains likely paid through fraudulent means, etc.
>
> Spammers can't buy .co.uk domains directly from Nominet, they buy them through the likes of eNom etc. Is there really any difference to .com?

no there isn't and the repeating "this tld" in case of non-gtl's is just annoying - .co.uk is the same as .com and the same applies for co.at where not so long ago people proposed to block the whole domain and i was accused "so why are you working for co.at" by not understanding the difference of a registry / registrar and a company
Re: KAM.cf KAM_COUK
On Thu, 16 Jul 2015 05:02:33 -0400 Kevin A. McGrail wrote:

> the co.uk appeared in spam and appeared to have cruddy
> registration security allowing an influx of throwaway domains likely
> paid through fraudulent means, etc.

Spammers can't buy .co.uk domains directly from Nominet, they buy them through the likes of eNom etc. Is there really any difference to .com?
Re: Large spam
I don't know if someone can help me on a question about message components naming but if you can I think I know how to defeat this large spam. Before a message gets opened there is I'll call it a tag like make money fast you'll read and this is not on the Subject: line either. It was those tags I filtered on and managed to send lots of it to /dev/null. None of these filters would or could learn from it and eventually those fields started showing foreign characters too. I never did find out the name of that field otherwise I could have written procmail filters for all of it. I hope this helps someone.

On Wed, 15 Jul 2015, Ian Zimmerman wrote:

> Date: Wed, 15 Jul 2015 16:42:28
> From: Ian Zimmerman
> To: users@spamassassin.apache.org
> Subject: Re: Large spam
>
> On 2015-07-15 20:12 +, Zinski, Steve wrote:
> > We're starting to see a lot of spam in the 800KB to 1.2MB size range. I'm running MIMEdefang and it's configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there's a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!
>
> Yes, I see the same thing. I have no doubt at all that it is intentional, to defeat spamc size limit in particular.
>
> Moreover, mimedefang won't help because at least some of them are disguised as plain text messages. That is, the outermost message body is an entire MIME message, headers and all.
>
> --
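The disguise described in the quoted text above (a text/plain body that is itself a complete MIME message) can be detected and unwrapped before a size-limited scan. This is an added example, not code from any poster or from MIMEDefang or SpamAssassin; it uses only Python's standard email package, and the sample message is constructed.

```python
import base64
import email
import re

HEADER_LINE = re.compile(rb"^(?:[!-9;-~]+:|[ \t])")  # "Name:" or a folded line
MIME_HINTS = (b"mime-version:", b"content-type:")


def unwrap_embedded(msg, max_depth=3):
    """Return the MIME message hidden in a text/plain body, or msg itself."""
    for _ in range(max_depth):  # bounded, so nesting cannot loop forever
        if msg.is_multipart() or msg.get_content_type() != "text/plain":
            break
        body = (msg.get_payload(decode=True) or b"").replace(b"\r\n", b"\n")
        body = body.lstrip(b"\n")
        head, sep, _rest = body.partition(b"\n\n")
        lines = head.split(b"\n")
        looks_like_headers = bool(sep) and all(HEADER_LINE.match(l) for l in lines)
        has_mime = any(l.lower().startswith(MIME_HINTS) for l in lines)
        if not (looks_like_headers and has_mime):
            break
        msg = email.message_from_bytes(body)
    return msg


def text_for_scanning(raw_bytes):
    """Keep only the text parts, after unwrapping an embedded message."""
    outer = email.message_from_bytes(raw_bytes)
    inner = unwrap_embedded(outer)
    chunks = []
    for part in inner.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         "replace"))
        except LookupError:  # charset name unknown to Python
            chunks.append(payload.decode("utf-8", "replace"))
    return {"embedded": inner is not outer, "text": "\n".join(chunks),
            "raw_size": len(raw_bytes)}


def build_sample():
    """Constructed message: plain-text wrapper around a padded multipart."""
    padding = base64.encodebytes(b"\x00" * 700_000)  # roughly 950 KB encoded
    inner = (b'MIME-Version: 1.0\n'
             b'Content-Type: multipart/mixed; boundary="b1"\n\n'
             b'--b1\nContent-Type: text/plain; charset="us-ascii"\n\n'
             b'make money fast\n'
             b'--b1\nContent-Type: application/octet-stream\n'
             b'Content-Transfer-Encoding: base64\n\n' + padding +
             b'--b1--\n')
    outer = (b"From: sender@example.com\nTo: user@example.net\n"
             b"Subject: hello\nContent-Type: text/plain\n\n")
    return outer + inner


if __name__ == "__main__":
    result = text_for_scanning(build_sample())
    print(result["embedded"], result["raw_size"], repr(result["text"]))
```

The text handed to the scanner stays a few bytes long even though the raw message is far above a 100KB limit.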
Re: SA Rule Tester/Checker
On 7/15/2015 6:41 PM, a...@satester.com wrote:
> I started writing SA rules about a year ago. Although I am new to this list, I have been lurking for quite a while. I would like to thank Kevin McGrail and others for providing rules and tips that inspires me to write my own custom rules.
>
> Today I wrote a little tool that helps me test my SA rules. I was using Rubular.com to check one pattern at a time which was very tedious. With my new tool, I can paste my entire rule.cf file (or just one rule) and check against any test string to see which rules hit. (operates like a multi-line version of Rubular)
>
> I hope some of you find this tool useful. I wrote it because I couldn't find another one like it in google. If there is something better at testing SA rules like this, please let me know so I don't waste any further development efforts. If it is useful, ideas and suggestions will be heartily appreciated.
>
> www.satester.com
>
> It's a one page site created in one day, so it doesn't look like much right now. We might style it better later on. There is no database and we save nothing entered into the site. It ignores meta, score, and describe at this time (any line without regex in it) Simply paste in a rule and enter some sample text and it automatically highlights the hits.
>
> I notice a couple of bugs already. I've seen an odd rule hit on one of our span tags used for highlighting sample results. Also I need to add mimeheader to the list of lines that contain regex to be checked (along with header, body, rawbody, etc.)

Excellent idea Allen. I'm sure this will help a lot of people.

You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect.

I also use mutt and a few macros such as one that runs spamassassin -t 2>&1 with a prompt for a keyword. Helpful for debugging.

Regards,
KAM
AW: howto do re-scoring of rules with a custom channel?
Hello Kevin,

Thanks for your reply. Some tests commit your guess. It's the name. But it's not the name of the actual cf file, it's the name of the channel.

Our channel is "saInternalChannel" which means sa-update creates a cf file "saInternalChannel_mydoamin_com.cf" containing the include directives as well as the subfolder containing the actual rules files. "saInternalChannel" does not evaluate after "updates_spamassassin_org", so the regular SpamAssassin updates overwrite our rescoring.

It seems we need to rename our channel to make them being loaded after the regular SpamAssassin update files. (e.g. to "xsaInternalChannel")

Best regards,
Harald Binkle

From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
Sent: Thursday, 16 July 2015 11:27
To: Support SpamAssassin; users@spamassassin.apache.org
Subject: Re: howto do re-scoring of rules with a custom channel?

On 7/16/2015 5:21 AM, Support SpamAssassin wrote:
> Hi,
>
> We created our own internal channel to feed our SpamAssassin installations with some custom rules. Recently tried to re-score a SpamAssassin rule using the channel files, but it does not work.
>
> When the channel is updated it correctly downloads the "saInternalChannel_mydoamin_com.cf" containing the include directives as well as the subfolder containing cf files they point to. So the files seem to be at the right place, right beside the usual SpamAssassin update files.
>
> Starting spamd in debug mode also shows that the x_saInternal_rescores.cf file containing the re-score config is loaded. But it doesn't apply. If I copy the file to the site-rules folder (beside the local.cf) it works.
>
> What do I need to change/do for rescoring SpamAssassin rules in custom channel files?

My immediate guess is to rename one of the files with something like 99_ to control the order it's loaded in and see if the loading order gives the desired behavior.

regards,
KAM

JAM Software GmbH
Managing Director: Joachim Marder
Am Wissenschaftspark 26 * 54296 Trier * Germany
Phone: +49 (0)651-145 653 -0 * Fax: +49 (0)651-145 653 -29
Commercial register number HRB 4920 (AG Wittlich)
http://www.jam-software.com

JAM Software GmbH
Managing Director: Joachim Marder
Am Wissenschaftspark 26 * 54296 Trier * Germany
Tel: 0651-145 653 -0 * Fax: 0651-145 653 -29
Commercial register no. HRB 4920 (AG Wittlich)
http://www.jam-software.de
Re: AW: howto do re-scoring of rules with a custom channel?
On 7/16/2015 5:51 AM, Support SpamAssassin wrote:
> Hello Kevin,
>
> Thanks for your reply. Some tests commit your guess. It’s the name. But it’s not the name of the actual cf file, it’s the name of the channel.
>
> Our channel is “saInternalChannel” which means sa-update creates a cf file “saInternalChannel_mydoamin_com.cf” containing the include directives as well as the subfolder containing the actual rules files. “saInternalChannel” does not evaluate after “updates_spamassassin_org”, so the regular SpamAssassin updates overwrite our rescoring.
>
> It seems we need to rename our channel to make them being loaded after the regular SpamAssassin update files. (e.g. to “xsaInternalChannel”)

That makes sense, yes.

regards,
KAM
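The load-order effect worked out in this exchange, as an added example (not code from the posters or from sa-update). It assumes channel .cf files are read in plain sorted order of file name and that a later score line replaces an earlier one, as the thread concludes; EXAMPLE_RULE, OTHER_RULE, the score values and the renamed file name are constructed, and each channel is flattened to one text instead of following its include directives.

```python
import re

# "score RULE value" at the start of a line; only the first value is read.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)", re.M)


def load_order(cf_names):
    """Order in which the channel .cf files are read (assumed: plain sort)."""
    # Code-point order: 's' < 'u' < 'x', and upper case sorts before lower.
    return sorted(cf_names)


def score_history(channels):
    """Map rule -> [(file, score), ...] in load order; the last entry wins."""
    history = {}
    for name in load_order(channels):
        for rule, value in SCORE_LINE.findall(channels[name]):
            history.setdefault(rule, []).append((name, float(value)))
    return history


def shadowed_rescores(channels, custom_cf):
    """Rules scored in custom_cf whose score a later-loaded file replaces.

    Returns (rule, winning_file, winning_score) tuples.
    """
    shadowed = []
    for rule, entries in score_history(channels).items():
        files = [f for f, _ in entries]
        if custom_cf in files and files[-1] != custom_cf:
            shadowed.append((rule, entries[-1][0], entries[-1][1]))
    return shadowed


STOCK_CF = "updates_spamassassin_org.cf"
STOCK_TEXT = "score EXAMPLE_RULE 2.5\nscore OTHER_RULE 1.0\n"  # constructed
RESCORE_TEXT = "score EXAMPLE_RULE 0.1\n"                      # constructed

# Channel name as first used in the thread: sorts before the stock channel.
BEFORE = {"saInternalChannel_mydoamin_com.cf": RESCORE_TEXT,
          STOCK_CF: STOCK_TEXT}
# Channel renamed as proposed in the thread: sorts after the stock channel.
AFTER = {"xsaInternalChannel_mydoamin_com.cf": RESCORE_TEXT,
         STOCK_CF: STOCK_TEXT}

if __name__ == "__main__":
    print(load_order(BEFORE))
    print(shadowed_rescores(BEFORE, "saInternalChannel_mydoamin_com.cf"))
    print(load_order(AFTER))
    print(shadowed_rescores(AFTER, "xsaInternalChannel_mydoamin_com.cf"))
```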
Re: howto do re-scoring of rules with a custom channel?
On 7/16/2015 5:21 AM, Support SpamAssassin wrote:
> Hi,
>
> We created our own internal channel to feed our SpamAssassin installations with some custom rules. Recently tried to re-score a SpamAssassin rule using the channel files, but it does not work.
>
> When the channel is updated it correctly downloads the “saInternalChannel_mydoamin_com.cf” containing the include directives as well as the subfolder containing cf files they point to. So the files seem to be at the right place, right beside the usual SpamAssassin update files.
>
> Starting spamd in debug mode also shows that the x_saInternal_rescores.cf file containing the re-score config is loaded. But it doesn’t apply. If I copy the file to the site-rules folder (beside the local.cf) it works.
>
> What do I need to change/do for rescoring SpamAssassin rules in custom channel files?

My immediate guess is to rename one of the files with something like 99_ to control the order it's loaded in and see if the loading order gives the desired behavior.

regards,
KAM
Re: KAM.cf KAM_COUK
Reindl Harald wrote on 2015-07-16 11:23:
> because that is not maintainable in real life when you have more than 2 mailusers?

i am a BOFH as well

rsync
howto do re-scoring of rules with a custom channel?
Hi,

We created our own internal channel to feed our SpamAssassin installations with some custom rules. Recently tried to re-score a SpamAssassin rule using the channel files, but it does not work.

When the channel is updated it correctly downloads the "saInternalChannel_mydoamin_com.cf" containing the include directives as well as the subfolder containing cf files they point to. So the files seem to be at the right place, right beside the usual SpamAssassin update files.

Starting spamd in debug mode also shows that the x_saInternal_rescores.cf file containing the re-score config is loaded. But it doesn't apply. If I copy the file to the site-rules folder (beside the local.cf) it works.

What do I need to change/do for rescoring SpamAssassin rules in custom channel files?

Best regards,
Harald

JAM Software GmbH
Managing Director: Joachim Marder
Am Wissenschaftspark 26 * 54296 Trier * Germany
Phone: +49 (0)651-145 653 -0 * Fax: +49 (0)651-145 653 -29
Commercial register number HRB 4920 (AG Wittlich)
http://www.jam-software.com

JAM Software GmbH
Managing Director: Joachim Marder
Am Wissenschaftspark 26 * 54296 Trier * Germany
Tel: 0651-145 653 -0 * Fax: 0651-145 653 -29
Commercial register no. HRB 4920 (AG Wittlich)
http://www.jam-software.de
Re: KAM.cf KAM_COUK
On 16.07.2015 at 11:20, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2015-07-16 11:02:
> > * 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security.
> >
> > In the end, I'd recommend that you score the rule lower for your personal needs or if you have it causing FPs where it scores over a 5.0, let us know.
>
> admit it was me that did
>
> blacklist_uri_host co.uk # tld scoreing
>
> and later said
>
> whitelist_uri_host example.co.uk ¤ non spamming domain
>
> why did you not use that ?

because that is not maintainable in real life when you have more than 2 mailusers?
Re: KAM.cf KAM_COUK
Kevin A. McGrail wrote on 2015-07-16 11:02:
> * 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security.
>
> In the end, I'd recommend that you score the rule lower for your personal needs or if you have it causing FPs where it scores over a 5.0, let us know.

admit it was me that did

blacklist_uri_host co.uk # tld scoreing

and later said

whitelist_uri_host example.co.uk ¤ non spamming domain

why did you not use that ?

my gold is not to create a new rule, but to neutralize score on non spamming domains

sorry if that was not clear from my writing in the first place :(

and i agree that co.uk is double tld, even if it same registra owned its silly

the case in co.dk was also dropped, since no one would pay more for a dk domain

thanks for backup and that spamassassin is opensource :=)
Re: KAM.cf KAM_COUK
On 7/16/2015 3:45 AM, Axb wrote:
> On 16.07.2015 09:38, JK4 Soph wrote:
> > Morning everybody,
> >
> > I noticed this rule scoring co.uk domains higher, and was wondering why businesses in the UK with commercial UK domains are scored this way? Why don't we score .com in the same way?
> >
> > * 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security.
> >
> > I'll disable this rule because it scores my legitimate email flow a little higher, even if I've not seen a false positive, yet. My KAM.cf is dated from the May 12th.
>
> probably because the rule maintainer's local mailflow seldom sees legit UK biz traffic and doesn't risk FPs?

Actually, we see a lot of UK traffic and don't consider a 1.1 score that high.

As mentioned in the description, at the time the rule was implemented, the co.uk appeared in spam and appeared to have cruddy registration security allowing an influx of throwaway domains likely paid through fraudulent means, etc.

In the end, I'd recommend that you score the rule lower for your personal needs or if you have it causing FPs where it scores over a 5.0, let us know.

regards,
KAM
Re: SPF confusion
On 15.07.2015 at 23:21, Bowie Bailey wrote:
> I still don't understand the query for sr03a.SMTPNA11.rrdesp.com. That is a sending server parsed from one of the Received lines. What is the expected result of checking SPF on a mail server address?

http://www.openspf.org/FAQ/Common_mistakes#helo
Re: KAM.cf KAM_COUK
On 16.07.2015 09:38, JK4 Soph wrote:
> Morning everybody,
>
> I noticed this rule scoring co.uk domains higher, and was wondering why businesses in the UK with commercial UK domains are scored this way? Why don't we score .com in the same way?
>
> * 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security.
>
> I'll disable this rule because it scores my legitimate email flow a little higher, even if I've not seen a false positive, yet. My KAM.cf is dated from the May 12th.

probably because the rule maintainer's local mailflow seldom sees legit UK biz traffic and doesn't risk FPs?
KAM.cf KAM_COUK
Morning everybody,

I noticed this rule scoring co.uk domains higher, and was wondering why businesses in the UK with commercial UK domains are scored this way? Why don't we score .com in the same way?

* 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security.

I'll disable this rule because it scores my legitimate email flow a little higher, even if I've not seen a false positive, yet. My KAM.cf is dated from the May 12th.

Kind regards.
Sophie.