***UNCHECKED*** Re: SpamAssassin 3.4.2. - err.h requirement

2018-09-19 Thread Groach

Thanks Kevin

Both of my installations had stopped updating since 11th September due 
to this.  Now the updates are working again.


From this:

11th Sep

20:00:26.57 Performing Spamassassin Update check...
Update available for channel updates.spamassassin.org: 1840397 -> 1840441
http: (lwp) GET http://spamassassin.apache.org/updates/MIRRORED.BY, 500 
SSL negotiation failed:

Update failed, exiting with code 4

to this:

20:00:35.98 Performing Spamassassin Update check...
Update available for channel updates.spamassassin.org: 1840397 -> 1841055
http: (lwp) GET http://spamassassin.apache.org/updates/MIRRORED.BY, 200 OK
http: (lwp) GET http://sa-update.verein-clean.net/1841055.tar.gz, 200 OK
http: (lwp) GET http://sa-update.verein-clean.net/1841055.tar.gz.sha1, 200 OK
Update was available, and was downloaded and installed successfully

I'm sure many others would have been suffering too.

Thanks again.



On 18/09/2018 18:24, Kevin A. McGrail wrote:
Thanks.  Had to add the path but now 
http://spamassassin.apache.org/updates/MIRRORED.BY is exempted from 
SSL redirection.  This will help with older clients.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Tue, Sep 18, 2018 at 8:22 AM Henrik K wrote:



On Tue, Sep 18, 2018 at 07:41:09AM -0400, Kevin A. McGrail wrote:
> Hi Bill, I think it might be an older wget or LWP or what not that can't
> deal with MIRRORED.BY being https.  Michael from linuxmagic also
> reported a similar issue.
>
> Can anyone help with a .htaccess that exempts the MIRRORED.BY?
>
> Current lines:
>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} 80

Add here
RewriteCond %{REQUEST_URI} !^/MIRRORED\.BY$

> RewriteRule ^(.*)$ https://spamassassin.apache.org/$1 [R,L]





Re: Non-ascii subjects with images

2018-09-04 Thread Groach
I receive emails containing these emojis in subjects regularly. I often found 
them annoying and common in spam and wondered about catching them just as the 
original poster requested.  But then I looked further and see them often used 
in genuine emails also.  Famously Twitter uses these emojis as do some sites 
such as the easyJet airline and photo printing sites such as Bonusprint. 

So perhaps catching them might help but only when used in conjunction with 
other filters. 

Or will they? If another filter is needed to determine whether an emoji in a 
subject is *part* of a spam message (as opposed to being honestly used in a 
genuine email) then perhaps they are no good at all. (Like checking if a 
message has a full stop as well as some spam markers).

[Entered by mobile. Excuse my spelling.] 


On 4 September 2018 08:51:52 BST, Pedro David Marco wrote:
>
>On Monday, September 3, 2018, 6:52:25 PM GMT+2, Antony Stone wrote:
>>It still sounds like a strange way of identifying spam to me:
>>1. surely there are far stronger indicators in the Received headers
>>and/or the body itself
>>2. people are going to be using glyphs such as this more and more
>>commonly in non-spam emails
>>There may be an argument for "every little helps", but that sounds
>>like something better left to Bayes to me.
>
>Basically I agree with you Antony but as you stated, "every little
>detail" counts... so why not have a brainstorm to dig out emoji
>detection...
>PedroD
>


Re: Line breaks in X-Spam-Report

2018-07-27 Thread Groach
https://github.com/hmailserver/hmailserver/issues/115

(Fyi Your question put to the hmailserver forum would have answered this for 
you.) 



On 27 July 2018 10:08:22 BST, Admin wrote:
>OK. That explains why I've seen it that way in some examples online.
>I'm running hmailserver. Thanks.
>
>
>From: Reindl Harald
>Sent: Friday, July 27, 2018 4:33 AM
>To: users@spamassassin.apache.org; ad...@123.dynu.com
>Subject: Re: Line breaks in X-Spam-Report
>
>> they are there
>>
>> let me guess you use dbmail?
>> blame gmime at message reconstruct time
>>
>> On 27.07.2018 at 00:44, Admin wrote:
>>> Hello. I was wondering if there is a setting to force line breaks in
>>> X-Spam-Report. It’s kind of a trivial issue, but it would be so much
>>> easier to read. Like below as an example (that I manually altered).
>>> Many thanks.
>>


Re: problem with spamassassin for WIndows

2018-02-18 Thread Groach
Keysteal, you will get your help for that on the hmailserver forum (where you 
are following the guide from).

This mailing list is strictly spamassassin and not for the bespoke configuration 
you are trying with MySQL.

(And we have already seen that some Linux snobs will refuse you your right to 
use an OS different to theirs and ask for help). 

Do not pursue this particular question on here. 

On 18 February 2018 16:23:22 GMT+00:00, Gianluca Furnarotto 
<keyst...@libero.it> wrote:
>Thanks Groach, and all the guys who answered me. This was very helpful.
>Next step for me is using MySQL to store learning spam. I followed a
>guide, but when I start sa-learn I get a strange Windows error: "The
>program can't start because libmysql__.dll is missing from your
>computer. Try reinstalling the program to fix this problem"
>I found the .dll inside a Perl folder, and I tried copying it everywhere,
>but nothing has changed.
>
>--  
>Gianluca Furnarotto  
>
>From: Groach
><groachmail-stopspammin...@yahoo.com>(mailto:groachmail-stopspammin...@yahoo.com)
>Reply-To: Groach
><groachmail-stopspammin...@yahoo.com>(mailto:groachmail-stopspammin...@yahoo.com)
>Date: 18 February 2018 at 11:57:44
>To: users@spamassassin.apache.org
><users@spamassassin.apache.org>(mailto:users@spamassassin.apache.org)
>Subject: Re: problem with spamassassin for WIndows
>
>> Gianluca
>>
>> 1, Your .PRE files are (by default) in:
>>
>> %ProgramFiles(x86)%\JAM Software\SpamAssassin for Windows\etc\spamassassin
>>
>> You will find the 'AutoLearnThreshold' plugin you need in v310.pre.
>> You will find the BAYES and SHORTCIRCUIT plugins you need in v320.pre
>> (they may already be enabled - but if not just remove the #)
>>
>> Then remove the loading of them from your Local.cf.
>>
>> 2,
>> To make them useful, your LOCAL.CF should read something like:
>>
>> (Example)
>>
>> > ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
>> >
>> > # default: strongly-whitelisted mails are *really* whitelisted now, if the
>> > # shortcircuiting plugin is active, causing early exit to save CPU load.
>> > # Uncomment to turn this on
>> > #
>> > shortcircuit USER_IN_WHITELIST on
>> > shortcircuit USER_IN_DEF_WHITELIST on
>> >
>> > endif # Mail::SpamAssassin::Plugin::Shortcircuit
>>
>>  
>> On 18/02/2018 01:21, John Hardin wrote:
>> > On Sun, 18 Feb 2018, Gianluca Furnarotto wrote:
>> >
>> > > I’ve done these modifications in local.cf:
>> > >
>> > > # ifplugin
>> > >
>> > > loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
>> > > loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
>> > > loadplugin Mail::SpamAssassin::Plugin::Bayes
>> > >
>> > > #ok_languages en it
>> > >
>> > > ok_locales en
>> > >
>> > > # endif
>> > >
>> > > And the command spamassassin --lint doesn’t show any errors. Tomorrow
>> > > I will continue the debugging. It seems it doesn’t agree with
>> > > ifplugin-endif and also ok_languages
>> >
>> > Three points:
>> >
>> > (1) the syntax for "ifplugin" is:
>> >
>> > ifplugin Mail::SpamAssassin::Plugin::whatever
>> >
>> > It's a test to see whether that plugin is loaded, so that you can
>> > write plugin-dependent rules without generating lint errors when the
>> > plugin isn't loaded.
>> >
>> > (2) "ifplugin" only accepts one plugin name.
>> >
>> > (3) "loadplugin" commands should be in your v340.pre file, so that
>> > they get loaded before any rules.
>> >
>> >
>> > If you added that "ifplugin" block to your config file, what
>> > exactly were you trying to achieve with that block?
>> >
>> >
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: problem with spamassassin for WIndows

2018-02-18 Thread Groach

Gianluca

1,  Your .PRE files are (by default) in:

%ProgramFiles(x86)%\JAM Software\SpamAssassin for Windows\etc\spamassassin

You will find the 'AutoLearnThreshold' plugin you need in v310.pre.
You will find the BAYES and SHORTCIRCUIT plugins you need in v320.pre
(they may already be enabled - but if not just remove the #)


Then remove the loading of them from your Local.cf.

2,
To make them useful, your LOCAL.CF should read something like:

(Example)

   ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

   # default: strongly-whitelisted mails are *really* whitelisted now, if the
   # shortcircuiting plugin is active, causing early exit to save CPU load.
   # Uncomment to turn this on
   #
   shortcircuit USER_IN_WHITELIST on
   shortcircuit USER_IN_DEF_WHITELIST on

   endif # Mail::SpamAssassin::Plugin::Shortcircuit





On 18/02/2018 01:21, John Hardin wrote:

On Sun, 18 Feb 2018, Gianluca Furnarotto wrote:


I’ve done these modifications in local.cf:

#  ifplugin

loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::Bayes

#ok_languages en it

ok_locales en

#   endif

And the command spamassassin --lint doesn’t show any errors. Tomorrow I 
will continue the debugging. It seems it doesn’t agree with ifplugin-endif 
and also ok_languages


Three points:

(1) the syntax for "ifplugin" is:

ifplugin Mail::SpamAssassin::Plugin::whatever

It's a test to see whether that plugin is loaded, so that you can 
write plugin-dependent rules without generating lint errors when the 
plugin isn't loaded.


(2) "ifplugin" only accepts one plugin name.

(3) "loadplugin" commands should be in your v340.pre file, so that 
they get loaded before any rules.



If you added that "ifplugin" block to your config file, what exactly 
were you trying to achieve with that block?







Re: problem with spamassassin for WIndows

2018-02-15 Thread Groach
Thanks for your non-contribution again, Harald. On point as ever.  Hope you 
feel better now that you have again broadcast your irrelevant thoughts. (Your 
opinion of Windows servers does not represent the world nor does it help the 
poster with his problem).

(Did I say "on point"? Oops, it seems I can talk sh1t too).

Helpful responses only please, team. 

On 15 February 2018 22:22:01 GMT+00:00, Reindl Harald <h.rei...@thelounge.net> 
wrote:
>nobody seriously cares about windows if it comes to servers - it's that
>easy - period
>
>On 15.02.2018 at 23:17, Groach wrote:
>> I originally guided Gianluca to this list for help because as a user
>> I know that the JAM port of spamassassin makes an almost identical
>> function of the software which, as you know, operates mainly on these
>> plug-ins. Everything you do in Linux you also do in the Windows
>> version. I also know that as a user I personally don't have the problem
>> he is reporting. This problem he has is with a plug-in. (Perl is not
>> platform specific usually).
>>
>> Every time I had a problem in the past and reported it to JAM support
>> for help, it was ALWAYS due to something (bugs) existing in base
>> spamassassin and not platform specific.
>>
>> Therefore I ask the readers to consider this report generally and
>> ignore the platform it is run on.
>>
>> Can anyone offer more help please.
>>
>> On 15 February 2018 21:37:05 GMT+00:00, "Kevin A. McGrail"
>>

Re: problem with spamassassin for WIndows

2018-02-15 Thread Groach
I originally guided Gianluca to this list for help because as a user I know 
that the JAM port of spamassassin makes an almost identical function of the 
software which, as you know, operates mainly on these plug-ins. Everything you 
do in Linux you also do in the Windows version.  I also know that as a user I 
personally don't have the problem he is reporting.  This problem he has is with 
a plug-in. (Perl is not platform specific usually).

Every time I had a problem in the past and reported it to JAM support for help, 
it was ALWAYS due to something (bugs) existing in base spamassassin and not 
platform specific. 

Therefore I ask the readers to consider this report generally and ignore the 
platform it is run on. 

Can anyone offer more help please.

On 15 February 2018 21:37:05 GMT+00:00, "Kevin A. McGrail" 
 wrote:
>On 2/15/2018 3:33 PM, Gianluca Furnarotto wrote:
>> I am trying to use Bayes with spamassassin, now it seems to have stopped
>> learning, and when I use a command such as "sa-learn --dump magic",
>> "sa-learn --sync", or other sa-learn commands, it shows this error:
>> "Use of uninitialized value $_[1] in hash element at
>> Mail/SpamAssassin/Conf/Parser.pm line 571."
>>
>> Line 571 is this:
>> " } "
>> inside these lines.
>> " elsif ($type == $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST) {
>> $cmd->{code} = \_addrlist_value;
>> }" <--- line 571
>>
>> I'm not a Perl programmer, so I need help to understand what is
>> wrong.
>> Thanks.
>>
>> p.s.: this is the JAM Software Spamassassin version for Windows
>>
>You should likely ask JAM Software if they don't respond on list.
>
>
>Regards,
>KAM


Re: Email filtering theory and the definition of spam

2018-02-11 Thread Groach

On 12/02/2018 06:54, Rupert Gallagher wrote:
A "standard" "obsoleted" by a "proposed standard" or a "draft 
standard" is nonsense. A standard is obsoleted by a new standard, not 
a draft or a proposal. RFC 821-822 are still the standard, until their 
obsoleting drafts and proposals become the new standard, and 
are clearly identified as such.


Sent from ProtonMail Mobile




As ever, though, whilst technically correct by definition, things are 
not so black and white (humans tend to wander off the binary path that 
logic tends to define and takes a short cut until a new path appears):


https://tools.ietf.org/html/rfc7127#page-2

   Initially it was intended that most IETF technical specifications
   would progress through a series of maturity stages starting with
   Proposed Standard, then progressing to Draft Standard, then finally
   to Internet Standard (see Section 6 of RFC 2026).  For a number of
   reasons this progression is not common.  Many Proposed Standards are
   actually deployed on the Internet and used extensively, as stable
   protocols.  This proves the point that the community often deems it
   unnecessary to upgrade a specification to Internet Standard.  Actual
   practice has been that full progression through the sequence of
   standards levels is typically quite rare, and most popular IETF
   protocols remain at Proposed Standard.



(Not sure why you guys are still discussing RFCs, though, my definition 
of Spam (as in the thread title) is what I choose to define it for my 
business or personal likes - I don't need any RFC telling me what I find 
annoying or unwanted or will be binned/filtered).




Re: Mailsploit

2017-12-13 Thread Groach


Noted.  In fact, after looking through it in the short term I personally 
have opted to just take the MAILSPLOIT rules section. Should be pretty 
static I think.



On 13/12/2017 22:24, sha...@shanew.net wrote:

Note that after enabling KAM.cf, you'll want to watch more closely for
false positives and possibly adjust scores as necessary.  I think it's
a great addition to the default rules, but it's primarily tuned to
Kevin's environment (though he's open to improvements) and some of the
rules/scores may not be appropriate for your environment.





Re: Mailsploit

2017-12-13 Thread Groach



On 13/12/2017 21:38, Reindl Harald wrote:



On 13.12.2017 at 21:59, Groach wrote:

Are there any suggestions on a rule or procedure to implement that will
help defend against the MAILSPLOIT type of spoofing?
See https://marc.info/?l=spamassassin-users=151265708616825=2 and follow-ups?


Thanks for that.

I followed the thread you mentioned:  I see that 'Kevin' says he has 
a rule in his personal KAM.cf and that there isn't anything published 
in base spamassassin scores.  (Or am I missing something)?


So how does one:

a,  obtain KAM.cf  or
b,  decipher the mechanism to which Kevin uses in order we can apply 
similar in our own local.cf


and where is the problem? copy the few lines to local.cf

header    __KAM_MAILSPLOIT1 From =~ /[\0]/
describe  __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index

header    __KAM_MAILSPLOIT2 From =~ /[\n]/
describe  __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index

tflags    __KAM_MAILSPLOIT2 multiple maxhits=2
meta      KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe  KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com

score     KAM_MAILSPLOIT 6.0


No problem.  Of course I can do that but wanted to ask for other methods 
too in case there was a more reliable way to check and update when Kevin 
updates his rules (to benefit from his other offerings).


Re: Mailsploit

2017-12-13 Thread Groach


On 13/12/2017 20:48, Antony Stone wrote:

On Wednesday 13 December 2017 at 21:41:04, Groach wrote:


Are there any suggestions on a rule or procedure to implement that will
help defend against the MAILSPLOIT type of spoofing?

See https://marc.info/?l=spamassassin-users=151265708616825=2 and follow-ups?


Thanks for that.

I followed the thread you mentioned:  I see that 'Kevin' says he has a 
rule in his personal KAM.cf and that there isn't anything published in 
base spamassassin scores.  (Or am I missing something)?


So how does one:

a,  obtain KAM.cf  or
b,  decipher the mechanism to which Kevin uses in order we can apply 
similar in our own local.cf


(All help appreciated)


Mailsploit

2017-12-13 Thread Groach
Are there any suggestions on a rule or procedure to implement that will 
help defend against the MAILSPLOIT type of spoofing?


Full details of it here: https://www.mailsploit.com/index

I was thinking if there is a way to have a rule that checks for encoding 
in the FROM header.  OR better, maybe it could be expanded to only react 
if the decoded FROM header translates to a domain that is not a match to 
the domain in the raw data


eg (from the mailsploit webpage example)

=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

translates to 'FROM: po...@whitehouse.com' even though the raw line 
clearly says "@mailsploit.com".


Sadly, it is obvious to most that the translating of the encoded from 
data is dependent on the email client but Mozilla (Thunderbird) refuses 
to acknowledge this and claims it to be the responsibility of the server 
(as stated in the info web page). Therefore a rule in spamassassin that 
can independently see these attempts of tom-foolery and stop it at 
server level would remove the risk of the email clients being fooled.


(p.s  I performed the test from the webpage to my server and email 
client and confirm that Thunderbird does get fooled by the exploit).

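Added example, not code from the thread or from KAM.cf: a Python check that decodes the RFC 2047 encoded-words in a From header, reports the NUL or newline that the two __KAM_MAILSPLOIT header rules quoted earlier in this thread look for, and also does the domain comparison proposed in the original post (the address a client would display versus the raw addr-spec the MTA routes on). The From value is a constructed copy of the mailsploit.com example above; the function and variable names are my own.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Constructed From value copied from the mailsploit.com example quoted in the
# thread: base64 "potus@whitehouse.gov", a Q-encoded NUL (=00), the same
# address again, and finally the real addr-spec domain.
MAILSPLOIT_FROM = (
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?="
    "=?utf-8?Q?=00?="
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?="
    "@mailsploit.com"
)


def decode_encoded_words(header):
    """Decode every encoded-word in a header value, keeping the surrounding text.

    Unlike a mail client, control characters produced by the decoding
    (NUL, CR, LF) are kept so the caller can inspect them.
    """
    def _one(match):
        charset, encoding, payload = match.groups()
        if encoding in "bB":
            raw = base64.b64decode(payload)
        else:
            # Q encoding: '_' stands for a space and =XX is a hex-encoded byte
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        try:
            return raw.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: fall back to a 1:1 mapping
            return raw.decode("latin-1")

    return ENCODED_WORD.sub(_one, header)


def domain_of(text):
    """Domain of the first addr-spec-looking token in text, lower-cased, or None."""
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", text)
    return m.group(1).lower() if m else None


def mailsploit_findings(from_header):
    """Indicators a server-side rule can check without trusting the client's rendering."""
    decoded = decode_encoded_words(from_header)
    # What the MTA actually routes on: the raw addr-spec with encoded-words removed.
    raw_only = ENCODED_WORD.sub("", from_header)
    raw_domains = re.findall(r"@([\w-]+(?:\.[\w-]+)+)", raw_only)
    real_domain = raw_domains[-1].lower() if raw_domains else None
    # What a client that stops at the NUL would show the user.
    shown_domain = domain_of(decoded)
    return {
        # these two are what the __KAM_MAILSPLOIT1/2 header rules match on
        "nul_in_decoded": "\x00" in decoded,
        "newline_in_decoded": "\r" in decoded or "\n" in decoded,
        "shown_domain": shown_domain,
        "real_domain": real_domain,
        # the extra check proposed in the original post
        "domain_mismatch": (
            shown_domain is not None
            and real_domain is not None
            and shown_domain != real_domain
        ),
    }


def is_suspicious(from_header):
    f = mailsploit_findings(from_header)
    return f["nul_in_decoded"] or f["newline_in_decoded"] or f["domain_mismatch"]
```

A legitimate non-ASCII display name such as `=?utf-8?Q?Caf=C3=A9_Team?= <team@example.com>` decodes cleanly and is not flagged, while a display name that decodes to an address at a different domain is flagged even without a NUL.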


Re: freshdesk.com and spamassassin mailing list

2017-10-21 Thread Groach

I'm concerned they have done it deliberately to harvest email addresses.



On 21/10/2017 19:20, Kevin A. McGrail wrote:

On 10/21/2017 11:57 AM, Bill Cole wrote:
It would be a good idea to figure out what subscribed address is 
causing these and unsubscribe that address (and ban it) from the list. 


Agreed.  I'm just saying it's not time to raise the panic flag :-)





freshdesk.com and spamassassin mailing list

2017-10-21 Thread Groach
Yesterday I replied to the spamassassin mailinglist (I actually replied 
twice - with 2 different sender addresses by mistake).


Can anyone tell me why I then received 2x emails from 'freshdesk.com' 
claiming to have created an account for those two addresses (see quote 
below)?


I've written to this list before and never had such nonsense and want to 
know why my email addresses have ended up with this organisation.


What's going on?

Help and info welcome.

Thanks



---  begin quote text  ---

Date: Fri, 20 Oct 2017 18:07:46 + (UTC)

From: Catch all <catch...@freshdesk.com>
Reply-To: Catch all <catch...@freshdesk.com>

Subject: Activate your account at Freshdesk Support Portal

Hello Groach,

A new account has been created for you in our Freshdesk Support Portal.

To get started with using our Support Portal, you will have to activate 
your account.


Activation lets you participate in our Forums, browse our Knowledge Base 
and view and respond to your tickets.

__

Activate your account by clicking on the link below.

https://support.freshdesk.com/register/.
__

If the above URL doesn’t work, copy and paste it into your browser.


In case you are stuck, please write to us for assistance and one of our 
agents would be happy to help.


Regards,

Freshdesk Support

--- end text  ---


Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

2017-10-20 Thread Groach
 Here you go:  
https://www.google.co.uk/search?q=what+is+esq+after+a+lawyer%27s+name

On 20 October 2017 18:44:15 BST, Antony Stone 
 wrote:
>On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
>
>> Anne P. Mitchell,
>> Attorney at Law
>
>I'm intrigued as to what the "Esq." in your From address indicates?
>
>Please feel free to reply offlist if appropriate.
>
>Thanks,
>
>
>Antony.
>
>-- 
>90% of networking problems are routing problems.
>9 of the remaining 10% are routing problems in the other direction.
>The remaining 1% might be something else, but check the routing anyway.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

2017-10-20 Thread Groach
Usually Esquire is a title used in American law.

 (I'm sure Google has more details.)

On 20 October 2017 18:44:15 BST, Antony Stone 
 wrote:
>On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
>
>> Anne P. Mitchell,
>> Attorney at Law
>
>I'm intrigued as to what the "Esq." in your From address indicates?
>
>Please feel free to reply offlist if appropriate.
>
>Thanks,
>
>
>Antony.
>
>-- 
>90% of networking problems are routing problems.
>9 of the remaining 10% are routing problems in the other direction.
>The remaining 1% might be something else, but check the routing anyway.


Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2017-09-26 Thread Groach


On 26/09/2017 20:08, David Jones wrote:
There is the possibility that Hotmail doesn't like our IP address 
because it is a consumer/ADSL/end-user IP - although I've removed it 
from the Spamhaus PBL database. I guess Hotmail must be using an 
internal database


I would put money on this being the cause.  If you are on a domestic 
line then you have no chance of being seen and accepted by Hotmail 
without problems.  (I'm surprised some of the other big players don't 
cause you problems too).


Also, Hotmail uses Symantec as part of their spam checking: 
http://ipremoval.sms.symantec.com/lookup/ FYI check your IP on that.


Re: Yahoo - Can't figure out a server is down?

2017-03-05 Thread Groach

For info: http://nolisting.org/



On 05/03/2017 14:41, Matus UHLAR - fantomas wrote:


Oops, seems I mistook nolisting with other MX-related anti-spam technique
postscreen (and many others) uses.


Re: Yahoo - Can't figure out a server is down?

2017-03-05 Thread Groach

On 05/03/2017 14:15, Matus UHLAR - fantomas wrote:

does the mx0 has highest preference (lowest priority)?

If not, there's little point in using it - nolisting is supposed to catch
spambots trying to connect to your backup MXes, not to primaries. 


No, it's not.  Nolisting is to catch spambots that are firing off and 
cannot wait or handle the idea of MX sequences properly due to their 
'fire-and-forget' attitude.  Most genuine mail servers would try the 
highest preference (lowest priority) first and if not available/timeout, 
drop to the next highest (a backup MX) and so on.  Spambots don't want to 
wait for the timeout of the first attempt to then look up and try the 
next on the list and instead just bail out (time isn't on their 
side).  Occasionally there might be one that simply tries the last on 
the list (the idea that it is a backup MX and often with less 
protection) - and that's why it's a good idea to put a dummy MX also in 
this position (just like the first one).


I suspect the OP understands this and this is why he has it set as 
such.  The problem (if it exists) that Yahoo is not following protocol 
to retry the next MX on the list is genuine and is one of the reasons 
why some would say implementing Nolisting is dangerous (as in the risk 
of genuine mail servers not configured and performing correctly and 
simply returning mail back to sender).  I must say I am VERY surprised 
to find it is Yahoo though - and especially that it seems to be only 
some of their servers.  I doubt they know they have the problem and 
perhaps it should be reported to them.
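As an added illustration that is not part of the thread: a small Python model of how a compliant sender walks an MX list (lowest preference value first, ties randomised, per RFC 5321 section 5.1) against the two bot behaviours described above. The MX set is constructed, modelled on the thread's setup with a dummy at the most-preferred position and, as suggested above, a second dummy at the end; host names and function names are mine.

```python
import random

# Constructed MX set (deliberately unsorted, as a resolver may return it):
# mx0 and mx3 are dummies whose IPs accept no connection, mx1 and mx2 are real.
MX_RECORDS = [
    ("mx1.example.com", 20),
    ("mx0.example.com", 10),  # dummy: nothing listens there
    ("mx3.example.com", 40),  # dummy: nothing listens there
    ("mx2.example.com", 30),
]
# Hosts that would actually complete a TCP/SMTP connection.
LISTENING = {"mx1.example.com", "mx2.example.com"}


def mx_try_order(records, rng=None):
    """Order MX hosts as a compliant MTA does: the lowest preference value is
    tried first, and hosts with equal preference are tried in random order."""
    if rng is None:
        rng = random.Random(0)  # fixed seed so the demo is reproducible
    shuffled = list(records)
    rng.shuffle(shuffled)  # randomise ties; the stable sort keeps that order
    return [host for host, _pref in sorted(shuffled, key=lambda rec: rec[1])]


def attempt_delivery(records, listening, strategy):
    """Return the host that accepted the mail, or None if delivery failed.

    strategy: 'compliant'   walk the whole MX list until one answers
              'first-only'  fire-and-forget bot: one try at the top MX, then give up
              'last-only'   'backup MX is softer' bot: one try at the bottom MX
    """
    order = mx_try_order(records)
    if strategy == "compliant":
        candidates = order
    elif strategy == "first-only":
        candidates = order[:1]
    elif strategy == "last-only":
        candidates = order[-1:]
    else:
        raise ValueError("unknown strategy: %s" % strategy)
    for host in candidates:
        if host in listening:  # stands in for a successful connect
            return host
    return None
```

The same model also shows the risk raised above: a sender that stops after the first MX, whatever its reason, never reaches the real servers.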


Re: Yahoo - Can't figure out a server is down?

2017-03-05 Thread Groach

It's called "NOLISTING" - but does it work?

An experiment was carried out on a small throughput server.  Here is the 
conclusion: https://www.hmailserver.com/forum/viewtopic.php?p=185262#p185262


(You'll be surprised).


On 05/03/2017 06:32, Rob Gunther wrote:
We have run our servers with a decoy, our MX records have been like 
this for 10+ years:


mx0.example.com 
mx1.example.com 
mx2.example.com 

mx1 & mx2 are real servers.  mx0 is nothing, it points to an IP 
address that is controlled by us but there is no server.


The concept being that some spammers attempt that server, get nothing 
and don't bother trying any other server.


This has been fine for a decade.


Re: New type of monstrosity

2017-02-09 Thread Groach

https://imgs.xkcd.com/comics/duty_calls.png

Come on chaps and chapesses.  Nothing is going to be concluded between 
you two.  And having the last word doesn't make one better than the 
others (and it still doesn't make you right).


Just agree that neither of you is going to convince the other or leave 
them happy.


Life is short and this is silly.


On 09/02/2017 15:26, Dianne Skoll wrote:

Ruga  wrote:


RFC-822 is the e-mail standard, without "group addresses". What we do
complies with the standard.

You are wrong.  Wrong, wrong, wrong, wrong.

Take a look at RFC-822: https://www.ietf.org/rfc/rfc0822.txt

Go to Section 6. ADDRESS SPECIFICATION.  Look at Section 6.1.

Here's a copy/paste:

     address     =  mailbox                      ; one addressee
                 /  group                        ; named list

     group       =  phrase ":" [#mailbox] ";"


Oh look!  The group address specification!  In RFC 822!  Amazing!

Ruga, my dear fellow, (or lady... I can't tell), stop digging yourself
in deeper.

Regards,

Dianne.




Re: T_DKIM_INVALID from yahoo.com

2016-12-24 Thread Groach
I have just done a test and do not get the same results as you.  My 
yahoo incoming emails pass ok:



Return-Path: stopspammin...@yahoo.net
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mailserver
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=3.0 tests=BAYES_50,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_MOSTLY,

RCVD_IN_DNSWL_NONE,RCVD_IN_HOSTKARMA_YE,RCVD_IN_MSPIKE_H2,TVD_SPACE_RATIO
shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:
*  0.0 RCVD_IN_HOSTKARMA_YE RBL: HostKarma: relay in yellow list 
(varies)
*  [212.82.97.159 listed in hostkarma.junkemailfilter.net]
*  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail 
provider
*  (groachmail-stopspammingme[at]yahoo.net)
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
*  [212.82.97.159 listed in wl.mailspike.co]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, 
no
*  trust
*  [212.82.97.159 listed in list.dnswl.org]
*  0.4 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
*  [score: 0.4608]
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from 
author's
*   domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
*  0.0 TVD_SPACE_RATIO No description available.
*
Received: from nm38-vm9.bullet.mail.ir2.yahoo.net 
(nm38-vm9.bullet.mail.ir2.yahoo.net [212.82.97.159])
by mydomain.net with ESMTP
; Sat, 24 Dec 2016 16:25:16 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.net; s=s2048; 
t=1482596721; bh=ATY/rpmzVtt0ixEE+qh8r6sPMhEpXyjNG2QGr7N0zAY=; 
h=To:From:Subject:Date:From:Subject; 
b=Wt2qUdnnO1CE7zTLuVlVvOdNKn6mIhHd+P+mbrstu2RW0VTlAa2mUDoDDRn65t/a1V/zytTWzT9xmT+xe0TY3xx0blesGJtUuz5F/CwEJD4Jj2w9kcqGXs21ys77kLUmW1GmIEU0623eRUk/vvNF0FrnjQ9NLL/vc/ykDEMkJOy5ePscDRVlhmkYtvNIeX7dzWK4oBGbopKnDSZxrKKW/5qFud+OHQmGL3l0ebJ4JYZqzyM+7260GbpOnPsmr6/PovZksZx7ni7Qmfyqm95Eh6R7E1k2uMKg7zxgla0UDV/vhCsvICsd/bk0NBogn4Sedw8zsx2VWyiYZkuUDVOSRA==
Received: from [212.82.98.56] by nm38.bullet.mail.ir2.yahoo.net with NNFMP; 24 
Dec 2016 16:25:21 -

This might explain it: 
http://spamassassin.1065346.n5.nabble.com/I-m-getting-T-DKIM-INVALID-from-gmail-td109464.html 
(And you are not the first: 
https://www.google.co.uk/search?q=T_DKIM_INVALID)




On 24/12/2016 16:05, Ian Zimmerman wrote:

All mail I get from yahoo customers [1] scores on T_DKIM_INVALID, and
always has.  Why?

Maybe I can prepare a spample, but it will take some work to find a
privacy friendly specimen, since it obviously can't be altered.

[1] same for hotmail, while other big domains get DKIM_VALID.





Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach


On 20/09/2016 20:31, RW wrote:

On Tue, 20 Sep 2016 18:56:47 +0100
Groach wrote:


This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your
spamassassin ETC directory, and uncomment the countries you wish to
block.  Full details in the post.
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

It's not a plugin, it's just a list of dns rules based on
zz.countries.nerd.dk.

Sorry, the word 'plugin' was incorrectly used.  I did mean it as the 
completed NERD.CF file containing the predefined rules.



Is the RelayCountry plugin not usable on Windows for some reason?


Windows spamassassin is more-or-less no different from the Linux version 
(3.4.2) so I'm sure it can use it, yes.  (I don't know about this plugin 
myself.  Got details?)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach




On 20/09/2016 11:53, Thomas Barth wrote:

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject 
all mails as spam not sent from my country or another second country, 
but accept whitelisted mailing list addresses. Any chance to use 
geoiplookup for this? I want to exclude Spammer Countries e.g. China, 
Taiwan, India, etc...





On 20/09/2016 18:56, Groach wrote:

This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your 
spamassassin ETC directory, and uncomment the countries you wish to 
block.  Full details in the post. 
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500





It seems others have taken this approach as a proven effective solution 
too: http://vdhout.nl/2015/07/block-email-from-foreign-countries






Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach

This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your 
spamassassin ETC directory, and uncomment the countries you wish to 
block.  Full details in the post. 
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500



On 20/09/2016 11:53, Thomas Barth wrote:

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject 
all mails as spam not sent from my country or another second country, 
but accept whitelisted mailing list addresses. Any chance to use 
geoiplookup for this? I want to exclude Spammer Countries e.g. China, 
Taiwan, India, etc...




Re: sa-update errors

2016-08-31 Thread Groach


On 31/08/2016 10:32, Axb wrote:

I get no errors with  spamassassin --lint

Nor me.  All ok.


Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread Groach



On 19/08/2016 11:58, Axb wrote:

Question:

Does it also support adding 3rd party (native Perl) plugins?
or are you tied to the precomplied collection delivered by JAM?

Jam's product runs with Perl, so any Perl plugins provided for 
SpamAssassin should work on the Windows versions too.  FYI: if you have 
a Windows environment available, why not download the free version 
(http://www.jam-software.com/spamassassin/download.shtml), install it and 
take a look around.  (The free version is SA as we know it, without Jam's 
'special' tailoring that the paying users get.)



Many subscribers just don't have the patience and *instead of just 
ignoring the thread*, display a tendency to preach or worse, overwhelm 
the beginner with info they can't process.


Yeah, and that's the problem.  "Instead of ignoring the thread" they feel 
it necessary to waste their, and everyone else's, time with non-relevant 
and sometimes hostile drivel.  People should just turn off, have a 
drink, take 5 or unsubscribe if they don't like what they read.  Not 
everyone will have the same opinion and no one has THE only opinion in 
the world.


Back to topic


Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread Groach


FYI

I and many others use Jam's Windows port of SpamAssassin.  It is exactly 
the same as the Linux version in what it can and can't do. Users can 
modify it with plugins, rules, scoring overrides etc. just the same as you 
do on Linux.  Spamd, spamc, spamassassin... all the same.  The only 
things that are different are (obviously) program paths and how you refer 
to them (but as a Windows user you would come to know that and learn your 
way around it when reading Linux-orientated manuals).


On 18/08/2016 20:10, Jerry Malcolm wrote:
Thanks for the quick response.  I'll try to reply with what I know.  
But I purchased a package "SpamAssassin In A Box" from JAM Software.  
I ran the installer, and that's it.  I'm sorry that I don't know 
more.  But I don't know much about the inner workings. I was just 
hoping it would work.


Spamassassin doesn't 'just work' *sufficiently* straight after install.  
You will need to tweak (turn off and turn on) things to make it optimum.


As a purchaser of Jam's paid product, you can contact Jam support 
directly and they will help advise you on what you need to do to "get it 
working".  They have been useful to me and others.


(You will also get more direct help instead of having to endure the 
constant incessant bickering and sniping and the _"I'm right, he's 
wrong"_ chest-beating that this mailing list tends to be populated 
with, especially between the users who assume that those who are asking 
questions for help because they lack knowledge don't have 
the right to ask the basics because they are not knowledgeable enough.)


Re: disable X-originating-ip check

2016-07-22 Thread Groach

wong fook loong wrote:

hi all

is there any way to disable checking the X-Originating-IP in
spamassassin?

Why do you want to do that?


Looks like someone just trying to have a cheeky joke and broadcasting a 
naughty name to me.  (An old joke.  Is he really that good as a lover?)


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Groach
Correction: Sorry I was wrong.  Our accountant uses ".accountants"  (I 
just checked).


When I first read the list of TLDs being blocked by default my first 
thought was "Yeah, quite right too".  I've never liked the idea of these 
new TLDs since they were introduced and think they would only ever be 
used for non-genuine use, as genuine businesses would never use them.  
(That's why I was surprised our accountant chose to move to one.)


But that said, in fairness, all of the spam we do receive, from what I 
can tell, is already handled and dealt with by the usual DNSBLs, SURBLs 
and SpamAssassin (with SPF and DKIM checking encompassed).  I've never 
had to use/block these TLDs and, in fact, I can't actually say that I 
have ever seen one, genuine or otherwise (other than our accountant of 
course).






On 09/07/2016 17:15, jaso...@mail-central.com wrote:

On Sat, Jul 9, 2016, at 07:52 AM, Groach wrote:

Our accountants are actually using '.account' TLD and they are a very reputable 
business. A surprise when they changed to it, maybe, but change to it they did.

My stats provide all the 'evidence' I need.  So far, it seems I'm not auto-blocking 
"*.account" ...

And, like I said, "YMMV".

Personally, I find that holding people to account for their actions & decisions 
in 'email-land' is a pretty good strategy.  That includes 'reputable businesses' 
choosing to move  into a 'bad neighborhood', particularly if they haven't done 
their homework first.

SA plus SPF/DKIM/DMARC, and a good set of DNSBLs helps immensely.  Add to that some 
"This is obviously a sewer" heuristic decisions about TLDs, and my spam 
leak-thru rate is minuscule.

Then again, I can choose to do that, as I'm not an ISP providing freemail with 
more holes than a colander to the unwashed ...




Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Groach
Our accountants are actually using '.account' TLD and they are a very reputable 
business. A surprise when they changed to it, maybe, but change to it they did.

On 9 July 2016 16:32:51 CEST, jaso...@mail-central.com wrote:
>
>
>On Sat, Jul 9, 2016, at 07:14 AM, Chip M. wrote:
>> Thanks for all the lists and references, everyone! :)
>
>Fwiw, atm I block all of the following TLDs
>
>   accountant, accountants, adult, aero, agency, apartments, app, asia,
>associates, audio, baby, bargains, bid, bike, bingo, blog, boutique,
>builders, business, cab, cafe, cam, camera, camp, capital, cards, care,
>careers, cash, casino, catering, center, charity, chat, cheap, church,
>city, claims, cleaning, click, clinic, clothing, club, coach, codes,
>coffee, community, company, computer, condos, construction,
>contractors, cool, country, coupons, credit, creditcard, cricket,
>cruises, date, dating, deals, delivery, dental, diamonds, digital,
>direct, directory, discount, dog, domains, dot, download, email,
>energy, engineering, enterprises, equipment, estate, events, exchange,
>expert, exposed, express, fail, faith, farm, finance, financial, fish,
>fitness, flights, florist, football, foundation, fund, furniture, fyi,
>gallery, game, games, gifts, glass, gmbh, gold, golf, gq, graphics,
>gratis, gripe, group, guide, guru, healthcare, hockey, holdings,
>holiday, host, hotel, house, immo, industries, institute, insure,
>international, investments, jewelry, kim, kitchen, la, land, lease,
>legal, lgbt, life, lighting, limited, limo, link, loan, loans, ltd,
>maison, management, marketing, mba, media, memorial, men, mobi, money,
>movie, museum, music, network, news, ninja, online, partners, parts,
>party, photography, photos, pictures, pizza, place, plumbing, plus,
>porn, pro, productions, properties, pw, racing, realestate, recipes,
>reise, reisen, rentals, repair, report, restaurant, review, rocks,
>rodeo, rugby, run, salon, sarl, school, schule, science, search,
>services, sexy, shoes, shop, shop, shopping, show, singles, soccer,
>solar, solutions, space, sport, stream, style, sucks, supplies, supply,
>support, surgery, systems, tax, taxi, team, tech, technology, tennis,
>theater, tienda, tips, tires, today, tools, top, tours, town, toys,
>trade, training, tv, uno, vacations, ventures, viajes, villas, vin,
>vision, voyage, watch, webcam, website, win, wine, work, works, world,
>wtf, xxx, xyz, zip
>
>That list is auto-generated.  Any & all TLDs that have sent > 100
>messages within the last year *AND* have a spam/reject rate >= 99% get
>blocked by TLD, never get past by mail server's 'edge', and don't
>impose any further load on my server.
>
>Afaict, I've *never* seen a legitimate &/or opted-in email from any of
>them.
>
>Couldn't be happier!
>
>YMMV.


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Groach


On 03/07/2016 23:29, Reindl Harald wrote:
sorry, but when I see Benny after 5 years experience on several lists 
I just have enough, mouth wide often but technical still a noob

http://geekologie.com/2011/08/08/mad-on-the-internet-cut.jpg


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Groach



On 03/07/2016 22:43, Sidney Markowitz wrote:

whitelist_from *@pm.sprintpcs.com

does not work.. Why?

It's because the mail has a Resent-From which overrides any other from type
header.

 From the documentation Mail::SpamAssassin::Conf

"The headers checked for whitelist addresses are as follows: if Resent-From is
set, use that; otherwise check all addresses taken from the following set of
headers:

 Envelope-Sender
 Resent-Sender
 X-Envelope-From
 From

In addition, the ``envelope sender'' data, taken from the SMTP envelope data
where this is available, is looked up."

  Sidney


And look: not a single impolite, bad-mannered, offensive expletive 
or swear word in sight.


What a pleasant surprise, to see an answer that ISN'T accusing, 
squabbling or swearing at someone.  (Sometimes I forget this is a 
PUBLIC mailing list I am watching.  It just gets embarrassing.)
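The documented selection rule quoted above is easy to misread until you see it run. The following is an added Python example (not code from the thread or from SpamAssassin itself) that reproduces the header selection described in the Mail::SpamAssassin::Conf excerpt: if Resent-From is present it is used on its own, otherwise the fallback headers are searched; the glob matching for `whitelist_from` is a simplified stand-in for SA's own, and the choice to add the SMTP envelope sender only to the fallback set is an assumption about the documented behaviour. The two messages are constructed, not real mail.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Header set quoted from Mail::SpamAssassin::Conf in the answer above; the
# "Resent-From wins" rule follows that text.
FALLBACK_HEADERS = ("Envelope-Sender", "Resent-Sender", "X-Envelope-From", "From")


def whitelist_candidates(msg, envelope_sender=None):
    """Addresses that a whitelist_from pattern would be compared against.

    If Resent-From is present it is used on its own; otherwise every address
    in the fallback headers plus the SMTP envelope sender is collected.
    (Assumption: the envelope sender joins only the fallback set.)
    """
    resent = msg.get_all("Resent-From")
    if resent:
        return [addr for _, addr in getaddresses(resent) if addr]
    found = []
    for header in FALLBACK_HEADERS:
        found += [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]
    if envelope_sender:
        found.append(envelope_sender)
    return found


def glob_to_regex(pattern):
    """Translate a whitelist_from glob ('*' and '?' wildcards) into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def is_whitelisted(raw_message, patterns, envelope_sender=None):
    """True when any candidate address matches any whitelist_from pattern."""
    msg = message_from_string(raw_message)
    regexes = [glob_to_regex(p) for p in patterns]
    return any(rx.match(addr)
               for addr in whitelist_candidates(msg, envelope_sender)
               for rx in regexes)


# Constructed messages (not from the thread) illustrating the Resent-From effect.
FORWARDED = (
    "From: Someone <someone@pm.sprintpcs.com>\n"
    "Resent-From: forwarder@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)
DIRECT = (
    "From: Someone <someone@pm.sprintpcs.com>\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED), ("direct", DIRECT)):
        print(name, is_whitelisted(raw, ["*@pm.sprintpcs.com"]))
```

Run it and the forwarded copy is not whitelisted even though its From: matches the pattern, because the Resent-From address is the only one considered; the direct copy is. That is exactly the situation the question describes.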


Re: Spamassassin default SHORT_URI list obsolete/outdated

2016-07-01 Thread Groach


On 01/07/2016 09:56, Axb wrote:


I then informed him that SA already has a URL_SHORTENER checking rule 
found in 72_ACTIVE.CF.  I was currently using this as a META rule thus:

meta MY_URI_URLSHORT __URL_SHORTENER  # defined in 72_active.cf


ATM it seems there is no such rule - pls verify the name after running 
sa-update


As quoted, it is "__URL_SHORTENER".

The entry reads as follows:

uri __URL_SHORTENER /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/


and is used in other META rules such as MONEY_FRAUD_5 (you see it is 
preceded with "__").



URL shorteners aren't bad per se so it makes little sense to waste 
cycles processing a long list which may or not be abused. Many of 
these sites won't be around in 6 months, some  have zero abuse some 
may even be NXDOMAIN


You can see from 72_ACTIVE that the idea of using a URL shortener isn't 
bad by itself and that SA rules do use it in conjunction with other 
'more likely' positive matching (such as MONEY_FRAUD_5).


Such rules are best maintained/provided by interested third parties 
which may or may not commit to keep them up to date.
SA devs don't really have the time to chase sites/domains, and to load 
the default rule set with extra bloat doesn't sound very wise.


Why not make this YOUR project?


Ok, well, I will leave it as HIS project ;-)  (the guy who has already 
applied his research to provide this SURBL lookup).  He also has stated 
that many of these sites come and go (as you imply).


Thanks
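The point of the exchange is that a `__`-prefixed rule such as `__URL_SHORTENER` scores nothing on its own and only contributes through a meta rule that combines it with a stronger signal. The following is an added Python example (not code from the thread or from SpamAssassin) that evaluates that combination: it parses a tiny subset of SA rule syntax (`uri`, `body`, `meta`, `score` lines), applies the thread's `uri __URL_SHORTENER` rule and the poster's `meta MY_URI_URLSHORT` to constructed message bodies, and adds a constructed `__DEMO_MONEY` sub-rule plus a second meta to show how a shortener hit becomes meaningful only alongside another indicator. Assumptions: metas reference only rules defined earlier in the file, an unscored non-`__` rule scores 1.0, and the URI extraction regex is a simplification of SA's own.

```python
import re

# Rule lines: the uri rule is quoted from the thread (72_active.cf) and the first
# meta is the post's own; __DEMO_MONEY, the second meta and the score lines are
# constructed for this demo and are not SA stock rules.
RULES = r"""
uri __URL_SHORTENER /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/
meta MY_URI_URLSHORT __URL_SHORTENER
score MY_URI_URLSHORT 0.5
body __DEMO_MONEY /\bwire transfer\b/i
meta DEMO_SHORT_PLUS_MONEY (__URL_SHORTENER && __DEMO_MONEY)
score DEMO_SHORT_PLUS_MONEY 2.0
"""

URI_RX = re.compile(r"https?://[^\s<>\"']+")          # simplified URI extraction
TOKEN_RX = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9_]+")  # meta expression tokens


def parse_rules(text):
    """Read a minimal subset of SA rule syntax: uri, body, meta and score lines."""
    rules = {"uri": {}, "body": {}, "meta": {}, "score": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind in ("uri", "body"):
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip())
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rules[kind][name] = re.compile(m.group(1), flags)
        elif kind == "meta":
            rules["meta"][name] = rest.strip()
        elif kind == "score":
            rules["score"][name] = float(rest)
    return rules


def eval_meta(expr, hits):
    """Evaluate a meta expression of rule names, !, &&, || and parentheses."""
    toks = TOKEN_RX.findall(expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            right = parse_and()
            value = value or right
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            take()  # consume the closing parenthesis
            return value
        return hits.get(tok, False)  # unknown names count as misses

    return parse_or()


def scan(body, rules):
    """Return (hits, total score); __-prefixed rules can hit but never add score."""
    hits = {}
    uris = URI_RX.findall(body)
    for name, rx in rules["uri"].items():
        hits[name] = any(rx.search(u) for u in uris)
    for name, rx in rules["body"].items():
        hits[name] = bool(rx.search(body))
    for name, expr in rules["meta"].items():   # file order: metas reference earlier rules
        hits[name] = eval_meta(expr, hits)
    score = 0.0
    for name, hit in hits.items():
        if hit and not name.startswith("__"):
            score += rules["score"].get(name, 1.0)  # 1.0 is SA's default for an unscored rule
    return hits, score


# Constructed sample bodies (not real mail).
PHISH = "Claim your prize: http://bit.ly/x7q then send a wire transfer today"
NEWSLETTER = "Read this month's issue: http://bit.ly/abc"
INVOICE = "Please send a wire transfer to https://example.com/pay"

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for body in (PHISH, NEWSLETTER, INVOICE):
        print(scan(body, parsed))
```

The newsletter body trips `__URL_SHORTENER` but only collects the 0.5 the poster assigned to the stand-alone meta, while the body that pairs the shortener with the money wording picks up the second meta as well; the invoice body hits `__DEMO_MONEY` alone and scores nothing, which is the behaviour the `__` prefix is for.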


Re: Catching well directed spear phishing messages

2016-06-28 Thread Groach

On 28/06/2016 16:13, David Jones wrote:

David Jones wrote on 29/06/16 12:46 AM:

No, technology can help. The IT department sets up the mail client
that the CEO uses when out of the office so that it sends mail using
the company mail server with SSL/TLS and user authentication. Or it
uses the company's ISP's mail server. Or send domain mail using GMail
for business. There are a number of choices that are as easy for the
CEO to use as any personal email method is, but will restrict email
sent from the company domain to being sent through one of a known set
of mail servers. Then the company's receiving mail server blocks any
mail that pretends to be from a company domain sender address that
was not sent through one of the known valid mail servers. That can be
a local SpamAssassin rule or something run even earlier in the
process.

You are right that social engineering can't be stopped by technology.
The company should have procedures in place that provide the
flexibility that CEO seems to need but will still prevent the fraud
even in the face of successful social engineering. But there is no
reason the mail setup has to allow spoofed headers From the company
domain.


Am I missing something here:

An email comes in from the CEO of the business - seemingly from the 
company, and has a Spam score of 7.5



Content analysis details:   (7.5 points, 5.5 required)

 pts rule name  description
 -- 
--

 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 0.1 HK_RANDOM_FROM From username looks random
-0.1 CUST_DNSWL_5_ORG_NTRBL: list.dnswl.org (No Trust)
[173.201.193.64 listed in list.dnswl.org]
-0.1 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3)
[173.201.193.64 listed in wl.mailspike.net]
 0.0 HTML_MESSAGE   BODY: HTML included in message
 1.5 BAYES_50   BODY: Bayes spam probability is 40 to 60%
[score: 0.5000]
 0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 
chars

-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
[173.201.193.64 listed in 
score.senderscore.com]

-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)


Content analysis details:   (13.9 points, 5.5 required)



How many INTERNAL EMAILS will have a score of 7.5???  Or even 3?  Or 1?

In fact, if it came in through the INTERNAL_NETWORK IP range then it 
wouldn't even be scanned (seen as trusted).  So any email coming "from 
the CEO" that has a SPAM score is definitely dodgy!


How hard can it be to say "if FROM = 'a company address' and a SPAM 
SCORE EXISTS then treat with rubber gloves"?


So ensure all company emails are put through the company email servers 
and set the INTERNAL_NETWORK parameters.


What's wrong with this?
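The check proposed in this post (company-domain sender, but the message did not arrive through the company's own relays) can be expressed directly against the Received chain. The following is an added Python example, not code from the thread or from SpamAssassin: it walks the Received headers from the newest hop inward, treats the first IP outside the configured trusted networks as the point where the message entered, and flags a From: in the company domain that entered from outside. The trusted range (192.0.2.0/24), the company domain (example.com) and the three messages are all constructed; the bracketed-IPv4 extraction is a simplification of SA's Received parsing.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trusted range (RFC 5737 documentation addresses), standing in for
# what the post calls the INTERNAL_NETWORK / trusted_networks setting.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
COMPANY_DOMAIN = "example.com"  # constructed; the thread never names the company

# First bracketed IPv4 literal in a Received header (simplified parser).
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(msg):
    """IPs of the sending host in each Received header, most recent first."""
    ips = []
    for header in msg.get_all("Received", []):
        m = IP_IN_RECEIVED.search(header.replace("\n", " "))
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def first_untrusted_relay(msg):
    """Walk the chain from the newest hop inward; the first IP outside the
    trusted networks is where the message actually entered. None means every
    hop was trusted, which is what SA's ALL_TRUSTED rule expresses."""
    for ip in relay_ips(msg):
        if not is_trusted(ip):
            return ip
    return None


def spoofed_internal_sender(raw_message):
    """True when From: claims the company domain but the mail entered from outside."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + COMPANY_DOMAIN):
        return False
    return first_untrusted_relay(msg) is not None


# Constructed messages (not real mail). Received headers are newest-first.
SPOOFED = (
    "Received: from mx.example.com (mx.example.com [192.0.2.10])\n"
    "\tby mail.example.com with ESMTP; Tue, 28 Jun 2016 10:00:00 +0000\n"
    "Received: from unknown (HELO example.com) [198.51.100.7]\n"
    "\tby mx.example.com with SMTP; Tue, 28 Jun 2016 09:59:58 +0000\n"
    "From: The CEO <ceo@example.com>\n"
    "Subject: Urgent request\n"
    "\n"
    "Please handle this today.\n"
)
INTERNAL = (
    "Received: from laptop.example.com (laptop.example.com [192.0.2.55])\n"
    "\tby mail.example.com with ESMTPSA; Tue, 28 Jun 2016 10:00:00 +0000\n"
    "From: The CEO <ceo@example.com>\n"
    "Subject: Board minutes\n"
    "\n"
    "Attached.\n"
)
VENDOR = (
    "Received: from mail.supplier.example (mail.supplier.example [198.51.100.7])\n"
    "\tby mx.example.com with ESMTP; Tue, 28 Jun 2016 10:00:00 +0000\n"
    "From: Accounts <billing@supplier.example>\n"
    "Subject: Invoice\n"
    "\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("vendor", VENDOR)):
        print(name, spoofed_internal_sender(raw))
```

Only the first message is flagged: its From: is in the company domain and the chain shows it was handed to the company's own MX by 198.51.100.7, outside the trusted range. The internal message never leaves the trusted range, and the vendor message is external but does not claim to be from the company, so neither triggers the check.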




Re: how to write body rules to match 'tortured html' variations of text phrases?

2016-06-15 Thread Groach


On 15/06/2016 22:42, Dianne Skoll wrote:

On Wed, 15 Jun 2016 13:40:25 -0700 (PDT)
John Hardin  wrote:


That's (more or less) "Quoted Printable" encoding.

AFAIK, SpamAssassin "body" rules are applied after the
Content-Transfer-Encoding: has been decoded.  So the QP equal signs
are a red herring.

Regards,

Dianne.

Yes, I thought that too.

I have written my own rules occasionally and being a total novice I just 
set about it using trial and error without understanding all this 
encoding stuff.  And in so doing I found that 'line-wrapped' words 
(delimited with the equals sign) are deciphered and applied to the rule 
accordingly.


Here is a real example:

body __MY_PHISH_CIRCUMVENT_ATTEMPT3 /((?!account)(\xD0\xB0|a)(\xD1\x81|c){2}(\xD0\xBE|o)u(\xD5\xB8|n)t|(?!customer)(\xE1\xB4\x84|c)u(\xD1\x95|S)t(\xD0\xBE|o)mer|(?!verif(y|i))ver(\xD1\x96|i)f((\xD1\x83|y)|(\xD1\x96|i)))/i

(effectively looking for sneaky encrypted characters that look like real 
letters to make words such as "account", "customer" and 
"verify"/"verifi" - definitely phishing and dodgy if this exists).


And this is REAL body text from an email:

-- SNIP ---
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

.
.
.
rgb(102,102,1=
02); PADDING-BOTTOM: 15px; PADDING-TOP: 15px; PADDING-LEFT: 0px; 
PADDING-RIG=
HT: 0px" width=3D471 align=3Dleft>Hetica, s=

ans-serif">de...@mycompany.com- =D0=85=D0=B5=D1=81=
ur=D1=96t=D1=83 m=D0=B5=D0=B0=D1=95ur=D0=B5=D1=95 h=D0=B0=D1=95 b=D0=B5=D0=
=B5n =D0=B0=D1=80=D1=80=D3=8F=D1=96=D0=B5d t=D0=BE =D1=83=D0=BEur =D0=B0=D1=
=81=D1=81=D0=BEu=D5=B8t.
-


I can tell you that the very last word/sequence of characters:

=D0=B0=D1=
=81=D1=81=D0=BEu=D5=B8t


gets caught despite being separated and line-wrapped with an equals sign 
(FYI they look like "ассоuոt." - account).
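Dianne's point and the observation above can be checked end to end: decode the quoted-printable layer first, then run the rule over the decoded bytes. The following is an added Python example, not code from the thread or from SpamAssassin. It embeds the QP fragment quoted in the post as its sample input, reproduces the post's `__MY_PHISH_CIRCUMVENT_ATTEMPT3` regex as a byte pattern, and shows that the regex finds nothing in the raw QP text but matches the look-alike "account" once the soft line breaks and `=XX` escapes are undone. It assumes the decoded body is still raw UTF-8 octets (which is what the `\xD0\xB0`-style escapes in the rule imply) and uses Python's `re` rather than Perl's engine.

```python
import quopri
import re

# Sample input: the quoted-printable fragment from the post above, embedded
# here verbatim (the address is already obfuscated in the post).
QP_BODY = (
    b"de...@mycompany.com- =D0=85=D0=B5=D1=81=\n"
    b"ur=D1=96t=D1=83 m=D0=B5=D0=B0=D1=95ur=D0=B5=D1=95 h=D0=B0=D1=95 b=D0=B5=D0=\n"
    b"=B5n =D0=B0=D1=80=D1=80=D3=8F=D1=96=D0=B5d t=D0=BE =D1=83=D0=BEur =D0=B0=D1=\n"
    b"=81=D1=81=D0=BEu=D5=B8t.\n"
)

# The post's rule body as a bytes regex: each \xD0\xB0-style escape matches the
# UTF-8 octets of a Cyrillic/Armenian look-alike letter; the negative lookaheads
# keep the plain ASCII words "account", "customer" and "verify" from matching.
HOMOGLYPH_RULE = re.compile(
    rb"((?!account)(\xD0\xB0|a)(\xD1\x81|c){2}(\xD0\xBE|o)u(\xD5\xB8|n)t"
    rb"|(?!customer)(\xE1\xB4\x84|c)u(\xD1\x95|S)t(\xD0\xBE|o)mer"
    rb"|(?!verif(y|i))ver(\xD1\x96|i)f((\xD1\x83|y)|(\xD1\x96|i)))",
    re.IGNORECASE,
)


def decode_qp_body(raw):
    """Undo Content-Transfer-Encoding: quoted-printable, joining soft line breaks."""
    return quopri.decodestring(raw)


def find_homoglyph_words(decoded):
    """Each matched look-alike word, decoded to text for display."""
    return [m.group(0).decode("utf-8") for m in HOMOGLYPH_RULE.finditer(decoded)]


def hits_raw_vs_decoded(raw):
    """(matches against the raw QP text, matches after decoding)."""
    raw_hits = sum(1 for _ in HOMOGLYPH_RULE.finditer(raw))
    decoded_hits = len(find_homoglyph_words(decode_qp_body(raw)))
    return raw_hits, decoded_hits


if __name__ == "__main__":
    decoded = decode_qp_body(QP_BODY)
    print(decoded.decode("utf-8").strip())
    print("raw/decoded hits:", hits_raw_vs_decoded(QP_BODY))
    print("matched:", find_homoglyph_words(decoded))
    print("plain ASCII:", find_homoglyph_words(b"your account balance"))
```

The raw text yields zero hits because the `=XX` escapes never form the byte sequences the rule looks for; after decoding, the final word matches, while the ASCII word "account" is left alone by the lookahead. A body that mixes one substituted letter into an otherwise ASCII word (for example `acc\xd0\xbeunt`) still matches, which is the case the rule's per-letter alternations exist for.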





Re: Where to find DETAIL for spamassassin default RULES

2016-06-13 Thread Groach


On 12/06/2016 21:14, Bill Cole wrote:
but can you explain why the world needs yet another new mail server 
implementation?


As an example of why I ask this, consider that Microsoft rewrote the 
SMTP implementation in Exchange 2013 and did it wrong,


A question and answer all in one.  I like it.

(P.S. no one ever said anything about my project being a NEW mail server)


Re: Where to find DETAIL for spamassassin default RULES

2016-06-12 Thread Groach


On 12/06/2016 21:14, Bill Cole wrote:


I was not at all confused, but sometimes when people are Wrong On The 
Internet in special ways I cannot resist the urge to respond with a 
paraphrased geek meme...


Look up Jamie Zawinski's famous "2 problems" quote regarding regular 
expressions. It is a perfect fit for the application of regular 
expressions to address validation



It is actually for another software project (a mail server)


Please don't take this as derogatory, because I DO NOT mean it to be, 
but can you explain why the world needs yet another new mail server 
implementation?


As an example of why I ask this, consider that Microsoft rewrote the 
SMTP implementation in Exchange 2013 and did it wrong, breaking 
multi-recipient message handling. I guess they had some reason, but 
the point is that new code means new bugs, even when you have an 
elaborate QA organization in place to prevent that.



that, being a mail server, must ensure email addresses are valid.


Not really. It needs to make sure that it never generates invalid 
addresses and it probably should check addresses in its inputs for 
types of invalidity that your later code will assume not to be 
present, but those are both far from a need to validate addresses 
perfectly (or even near-perfectly) to the RFC specification. Having a 
logical set of addresses that you'd never generate but will still 
blindly and harmlessly work with, some of which may not fit the RFC 
specs, is a NON-PROBLEM.


Even if you wanted to draw a RFC-perfect boundary between valid and 
invalid addresses, complex regular expressions are a poor tool for 
that because the logic of REs doesn't align to that of the ABNF used in 
RFCs. A single regular expression CANNOT precisely match the whole 
RFC822/2822/5322 address space. The closest approximation in Perl RE 
is huge, indecipherable, and machine-generated. It also cannot deal 
with nested comments, a valid albeit pathological address structure 
under the ABNF definition. In POSIX RE the problems are MUCH worse.


On the other hand, you COULD use very simple REs to serially and 
recursively decompose addresses into the constructs defined by the 
ABNF spec, using the same logic as the spec to validate addresses. 
This is not as interesting a "problem" as writing the One True RFC822 
RE, but it is a fairly trivial coding exercise and would run more 
efficiently than a single RE with the benefit of being more readable 
and debuggable.


I quoted the regexp in context of showing my point about how 
'squiggly' they can be and that I am able to read them... to a 
point. (I was proud because 'googling' around for a regex email 
address validator string shows some VERY suspicious and 
extortionately, seemingly unnecessarily, long offerings. So I had a go 
myself).


And just like a hilariously long list of predecessors, came up with a 
RE which fails to precisely reproduce the ABNF definition of a valid 
address for message headers. This is why you now have 2 problems:


1. The one you invented of needing to precisely validate email 
addresses to a RFC specification that is not a perfect match for the 
addressing supported by any coherent package of production-grade mail 
software.


2. A regular expression that is absurdly complex which you incorrectly 
believe solves (1) while in fact it does not. It is maybe good enough, 
but maybe not. It's an untestable approximation of its design goal, 
which is an intrinsic problem for software.





...AND relax!


Re: Where to find DETAIL for spamassassin default RULES

2016-06-11 Thread Groach

On 11/06/2016 05:09, Bill Cole wrote:
So, you thought validating email addresses was a problem demanding a 
solution? And you "solved" it with a regular expression?


Congratulations on now having 2 problems. They should be very happy 
together.


The regex I quoted was out of context to the problem and completely 
unrelated (sorry if you feel so confused with that).  It is actually for 
another software project (a mail server) that, being a mail server, must 
ensure email addresses are valid.  I quoted the regexp in context of 
showing my point about how 'squiggly' they can be and that I am able to 
read them... to a point. (I was proud because 'googling' around for a 
regex email address validator string shows some VERY suspicious and 
extortionately, seemingly unnecessarily, long offerings. So I had a go 
myself).