BAYES_99 score

2012-10-22 Thread JP Kelly
Should I set the BAYES_99 score high enough to trigger as spam?
I get plenty of spam getting through which does not get caught because BAYES_99 
is the only rule which fires and it is not set to score at or above the 
threshold.

Re: Very spammy messages yield BAYES_00 (-1.9)

2012-08-15 Thread JP Kelly
Dumb question:
How can I set the autolearn thresholds?

On Aug 15, 2012, at 2:18 PM, John Hardin wrote:

> Setting the ham default threshold to -3 or even -5 seems prudent (_much_ 
> better than the current 0.1)
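Added example (not from the list post, and not SpamAssassin's code): a small model of the autolearn decision the thresholds above control, following the documented behaviour and defaults (bayes_auto_learn_threshold_nonspam 0.1, bayes_auto_learn_threshold_spam 12.0, Bayes and AWL hits excluded from the autolearn score, and at least 3 header and 3 body points required before a message is learned as spam). The hit lists are constructed, not the page's own messages. Run it to see why a message on which only a Bayes rule fired is learned as ham with the 0.1 default, which is the trap the negative threshold suggested above avoids.

```python
"""Model of SpamAssassin's autolearn decision (added example, not SA's code).
Defaults assumed: nonspam threshold 0.1, spam threshold 12.0."""
from dataclasses import dataclass

# Rules that are themselves products of learning are left out of the autolearn
# score; otherwise Bayes would simply confirm its own verdict.
LEARNED_RULES = {"BAYES_00", "BAYES_05", "BAYES_20", "BAYES_40", "BAYES_50",
                 "BAYES_60", "BAYES_80", "BAYES_95", "BAYES_99", "AWL"}

MIN_HEADER_POINTS = 3.0   # spam is only learned with >= 3 points from header rules
MIN_BODY_POINTS = 3.0     # ... and >= 3 points from body rules


@dataclass(frozen=True)
class Hit:
    name: str
    score: float
    area: str   # "header" or "body": which part of the message the rule tested


def autolearn_score(hits):
    """Total score with the learned rules (Bayes, AWL) removed."""
    return sum(h.score for h in hits if h.name not in LEARNED_RULES)


def area_points(hits, area):
    """Points from one area, again without the learned rules."""
    return sum(h.score for h in hits
               if h.area == area and h.name not in LEARNED_RULES)


def autolearn_decision(hits, ham_threshold=0.1, spam_threshold=12.0):
    """Return "ham", "spam" or "no", like the autolearn= value in X-Spam-Status."""
    score = autolearn_score(hits)
    if score < ham_threshold:
        return "ham"
    if score >= spam_threshold:
        if area_points(hits, "header") < MIN_HEADER_POINTS:
            return "no"
        if area_points(hits, "body") < MIN_BODY_POINTS:
            return "no"
        return "spam"
    return "no"   # inside the two thresholds: nothing is learned


# Constructed sample hit lists (scores in the style of the tables in this archive).
ONLY_BAYES = [Hit("BAYES_99", 3.5, "body")]
URIBL_AND_RBL = [
    Hit("URIBL_BLACK", 3.5, "body"), Hit("URIBL_AB_SURBL", 1.9, "body"),
    Hit("URIBL_WS_SURBL", 1.5, "body"), Hit("URIBL_JP_SURBL", 1.5, "body"),
    Hit("HTML_MESSAGE", 0.4, "body"), Hit("RCVD_IN_XBL", 4.1, "header"),
    Hit("RCVD_IN_PBL", 1.5, "header"), Hit("BAYES_99", 3.5, "body"),
]
HEADER_ONLY = [
    Hit("RCVD_IN_XBL", 4.1, "header"), Hit("RCVD_IN_PBL", 1.5, "header"),
    Hit("RCVD_IN_BL_SPAMCOP_NET", 3.0, "header"), Hit("RDNS_DYNAMIC", 1.5, "header"),
    Hit("HELO_DYNAMIC_IPADDR2", 2.5, "header"),
]

if __name__ == "__main__":
    # ONLY_BAYES has an autolearn score of 0.0: below 0.1, so learned as ham.
    # HEADER_ONLY clears 12.0 but has no body points, so it is not learned.
    for label, hits in [("only Bayes", ONLY_BAYES), ("URIBL+RBL", URIBL_AND_RBL),
                        ("header only", HEADER_ONLY)]:
        print(f"{label:12s} score={autolearn_score(hits):5.1f} "
              f"default={autolearn_decision(hits):4s} "
              f"ham_thr=-3.0 -> {autolearn_decision(hits, ham_threshold=-3.0)}")
```

The two thresholds are set in local.cf with `bayes_auto_learn_threshold_nonspam` and `bayes_auto_learn_threshold_spam`; the model takes them as parameters so the effect of the -3 suggested above can be checked before changing the live config.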



RCVD_IN_DNSWL_BLOCKED

2012-08-13 Thread JP Kelly
How can I disable the DNSWL rule/plugin or whatever. Not just give it a 
low/zero score but disable it completely.
I am tired of seeing RCVD_IN_DNSWL_BLOCKED in my headers.

Re: Large image spam

2012-06-07 Thread JP Kelly
Hmm...
can you explain further?

> sha256 checksum and add to local clamav (.hb?) file?


On May 29, 2012, at 12:47 PM, Michael Scheidell wrote:

> On 5/29/12 2:44 PM, JP Kelly wrote:
>> I've been getting a fair amount of spam which contains a large image which 
>> causes SA to bypass scanning due to the large file size.
>> Has anyone found a way to combat these types of spam?
>> JP Kelly
> sha256 checksum and add to local clamav (.hb?) file?
> 
> 
> -- 
> Michael Scheidell, CTO
> SECNAP Network Security Corporation



Large image spam

2012-05-29 Thread JP Kelly
I've been getting a fair amount of spam which contains a large image which 
causes SA to bypass scanning due to the large file size.
Has anyone found a way to combat these types of spam?
JP Kelly

Re: White text on white background

2012-02-17 Thread JP Kelly
I tried escaping both the # and the " but no joy.
jp

On Feb 16, 2012, at 10:44 PM, Benny Pedersen wrote:

> Den 2012-02-17 06:53, JP Kelly skrev:
>> No didn't work.
>> with --lint I got:
>> warn: config: invalid regexp for rule HTML_TEXT_WHITE_SHORT:
>> /style=\"color: missing or invalid delimiters
>  ^^
> 
>> 
>> On Feb 16, 2012, at 7:53 PM, Benny Pedersen wrote:
>> 
>>> Den 2012-02-17 02:12, JP Kelly skrev:
>>> 
>>>> How do I implement this?
>>> 
>>>>> rawbody   HTML_TEXT_WHITE_SHORT  /style="color#FFF;/
>  ^^
>>> 
>>> add it to local.cf or user_prefs, it's not tested here so it might not work 
>>> at all
>>> 
>>> it will score default 1.0 if no score is set
> 
> 
> rawbody   HTML_TEXT_WHITE_SHORT  /style=\"color#FFF;/
> describe  HTML_TEXT_WHITE_SHORT  rawbody: /style="color#FFF;/
> score HTML_TEXT_WHITE_SHORT 0.1
> 
> 
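Added example (not code from the thread): the white-text idea behind the rule quoted above, tested with Python's re, which takes the same regex syntax as a SpamAssassin rawbody rule. Note that the --lint output quoted above stops right at the `#`: in a .cf file an unescaped `#` starts a comment, so the rule body is cut off there and the closing delimiter goes missing; the config form needs `\#`. The pattern below generalizes the posted /style="color#FFF;/ to the CSS forms that occur in real HTML mail (a colon after "color", optional spaces, 3- or 6-digit hex, the keyword white) and skips "background-color"; the HTML snippets are constructed.

```python
"""Detect inline styles that paint text white (added example, not SA code)."""
import re

WHITE_TEXT = re.compile(
    r"""style\s*=\s*["']?        # start of an inline style attribute
        [^"'>]*?                 # other declarations, never past the quote
        (?<!-)color\s*:\s*       # the color property (not background-color)
        (?:\#(?:fff|ffffff)\b|white\b)""",   # '#' escaped: it is a comment in VERBOSE
    re.IGNORECASE | re.VERBOSE,
)


def hits_white_text(raw_html: str) -> bool:
    """True if the raw body carries an inline style that sets text colour to white."""
    return WHITE_TEXT.search(raw_html) is not None


# Constructed samples.
HIDDEN_WORDS = '<p style="color:#FFF;font-size:1px">cheap pills shipped today</p>'
HIDDEN_LONG = "<span style='font-family:Arial; color: #ffffff'>hashbuster words</span>"
VISIBLE = '<p style="color:#000;background:#fff">Hello</p>'
BG_ONLY = '<td style="background-color:#fff">ordinary table cell</td>'
NO_STYLE = "<p>plain paragraph</p>"

if __name__ == "__main__":
    for label, html in [("hidden", HIDDEN_WORDS), ("hidden long", HIDDEN_LONG),
                        ("visible", VISIBLE), ("bg only", BG_ONLY), ("no style", NO_STYLE)]:
        print(f"{label:12s} {'HIT' if hits_white_text(html) else '-':3s} {html}")
```

Keep the score low (the 0.1 in the quoted rule is sensible) until the pattern has been run over a corpus of known ham: newsletters legitimately set white text on coloured table cells, which this pattern also matches.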



Re: White text on white background

2012-02-16 Thread JP Kelly
No didn't work.
with --lint I got:
warn: config: invalid regexp for rule HTML_TEXT_WHITE_SHORT: /style=\"color: 
missing or invalid delimiters

On Feb 16, 2012, at 7:53 PM, Benny Pedersen wrote:

> Den 2012-02-17 02:12, JP Kelly skrev:
> 
>> How do I implement this?
> 
>>> rawbody   HTML_TEXT_WHITE_SHORT  /style="color#FFF;/
> 
> add it to local.cf or user_prefs, it's not tested here so it might not work at 
> all
> 
> it will score default 1.0 if no score is set



Re: White text on white background

2012-02-16 Thread JP Kelly
ok I'm a dummy.
How do I implement this?

On Feb 16, 2012, at 5:03 PM, John Hardin wrote:

> rawbody   HTML_TEXT_WHITE_SHORT  /style="color#FFF;/



Re: AWL scoring positive?

2011-03-06 Thread JP Kelly
I'm not familiar enough to tell if an address is forged or not.
Here is the scoring from one of the spam messages from autoconf...@amazon.com 
which I suspect tainted AWL:

Content analysis details:   (29.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: bestcomputerized.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: bestcomputerized.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: bestcomputerized.com]
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: bestcomputerized.com]
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.5 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 0.4 HTML_MESSAGE           BODY: HTML included in message
 1.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [95.134.111.12 listed in zen.spamhaus.org]
 4.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 3.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: bestcomputerized.com]
 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [URIs: bestcomputerized.com]
                            [Blocked - see <http://www.spamcop.net/bl.shtml?95.134.111.12>]
 1.5 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS

--- and the headers:

Received: (qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600
Received: from 12-111-134-95.pool.ukrtel.net (95.134.111.12)
  by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600
Received-SPF: unknown (mail.smallgod.net: domain at spf.smallgod.net does not 
designate permitted sender hosts)
Received: from mm-notify-out-209-84.amazon.com (mm-notify-out-209-84.amazon.com 
[72.21.209.84])
by server94.appriver.com with asmtp 
id 8064CA-0003F6-18;
for ; Sun, 22 Aug 2010 15:47:34 +0200
Date: Sun, 22 Aug 2010 15:47:34 +0200
From: "auto-conf...@amazon.com" 
To: 
Message-ID: 
<000d01cb41f8$31007700$6400a8c0.javamail.corre...@na-mm-relay.amazon.com>
Subject: Your Order with Amazon.com
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="=_Part_9404548_33090959.9063490075401"
Bounces-to: da5f1995b875ded4537402d6b10da455cf04fa500aa...@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0


 
On Mar 6, 2011, at 12:33 PM, Karsten Bräckelmann wrote:

> On Sun, 2011-03-06 at 11:39 -0800, JP Kelly wrote:
>> Yeah that sender's email address had been forged for a bunch of spam I
>> received.
> 
> Without reading the following paragraph, I'd immediately suspect a
> cracked account, not address forgery. The AWL is limited by address and
> originating net-block (default /16, configurable since 3.3), thus it is
> rather unlikely, spam with that address forged is sent from a nearby
> address...
> 
>> I used spamassassin --remove-addr-from-whitelist for that address 
>> Also I did not have internal_networks and trusted_networks lines in my
>> local.cf, which I added. Hopefully that will help. Thanks!
> 
> Bad internal and trusted networks settings would also explain this,
> though.
> 
> If those are missing a forwarding / relay system, that one will be
> considered the handing-over machine -- which renders most DNSBLs as well
> as a lot of rules useless. Plus, as far as AWL is concerned, the
> net-block constraint effectively is disabled.
> 
> 
> Kind of wonder though, why that Amazon outgoing SMTP cluster should be
> part of your internal network. Or, how a forged address ended up being
> sent through it...
> 
>>>> -4.0 RCVD_IN_DNSWL_MEDRBL: Sender listed at http://www.dnswl.org/, 
>>>> medium trust
>>>>  [72.21.212.35 listed in list.dnswl.org]
> 
> 



Re: AWL scoring positive?

2011-03-06 Thread JP Kelly
Yeah that sender's email address had been forged for a bunch of spam I received.
I used spamassassin --remove-addr-from-whitelist for that address 
Also I did not have internal_networks and trusted_networks lines in my 
local.cf, which I added.
Hopefully that will help.
Thanks!

On Mar 6, 2011, at 11:33 AM, Karsten Bräckelmann wrote:

> On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
>> I just found an incoming message which is ham but marked as spam.
>> It received a score of 14 because it is in the auto white-list.
>> Shouldn't it receive a negative score?
> 
> http://wiki.apache.org/spamassassin/AwlWrongWay
> 
> Despite its name, the AWL is a score averager, based on the sender's
> history (limited by net-block).
> 
> 
> Given the rather high AWL score, this sender previously scored even much
> higher. You (or the sender) didn't happen to use it for sending some
> "test spam", checking SA is working?
> 
> As a quick fix, I'd remove the AWL record for that address. Also see the
> spamassassin-run man-page.
> 
>  spamassassin --remove-addr-from-whitelist=u...@example.net
> 
> 
>> Content analysis details:   (7.1 points, 5.0 required)
>> 
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
>>                             trust
>>                             [72.21.212.35 listed in list.dnswl.org]
>> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>>                             [score: 0.]
>>   14 AWL                    AWL: From: address is in the auto white-list
> 
> 
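Added example (not SpamAssassin's code): a model of how the AWL arrives at the +14 in this thread, following the behaviour Karsten describes and the AWL documentation: the history is keyed on sender address plus originating network (a /16 for IPv4 by default), and every message receives (historical mean - current score) * factor, with the default auto_whitelist_factor of 0.5. The address, IPs and scores are constructed; two earlier spam runs averaging 21.4 followed by a ham message scoring -6.6 before AWL give exactly the +14 seen above.

```python
"""AWL score-averaging model (added example; not Mail::SpamAssassin::Plugin::AWL)."""
from collections import defaultdict
from ipaddress import IPv4Address


def awl_key(sender: str, ip: str, prefix: int = 16) -> str:
    """Lookup key: lower-cased address plus the leading octets of the /prefix
    block (assumes IPv4 and a prefix that is a multiple of 8, as /16 is)."""
    octets = IPv4Address(ip).packed[: prefix // 8]
    return f"{sender.lower()}|ip={'.'.join(str(o) for o in octets)}"


class AutoWhitelist:
    def __init__(self, factor: float = 0.5):
        self.factor = factor
        # key -> [message count, total of pre-AWL scores]
        self.history = defaultdict(lambda: [0, 0.0])

    def check(self, sender: str, ip: str, score: float) -> float:
        """Return the AWL delta for a message whose score before AWL is `score`,
        then record that score in the sender's history, as SA does on each scan."""
        entry = self.history[awl_key(sender, ip)]
        delta = 0.0
        if entry[0]:                      # no history yet -> no adjustment
            mean = entry[1] / entry[0]
            delta = (mean - score) * self.factor
        entry[0] += 1
        entry[1] += score
        return delta

    def remove(self, sender: str) -> int:
        """Drop every history entry for the address (what
        spamassassin --remove-addr-from-whitelist does). Returns entries removed."""
        victims = [k for k in self.history if k.startswith(sender.lower() + "|")]
        for k in victims:
            del self.history[k]
        return len(victims)


def thread_scenario():
    """Replay a history that reproduces the +14: two spam runs (mean 21.4),
    then a ham message scoring -6.6 before AWL.  Returns the five deltas."""
    awl = AutoWhitelist()
    deltas = [
        awl.check("notify@example.com", "192.0.2.10", 29.4),    # first sight: 0.0
        awl.check("notify@example.com", "192.0.2.77", 13.4),    # same /16: (29.4-13.4)*0.5 = 8.0
        awl.check("notify@example.com", "192.0.2.10", -6.6),    # ham: (21.4+6.6)*0.5 = 14.0
        awl.check("notify@example.com", "198.51.100.5", -6.6),  # other /16: separate history, 0.0
    ]
    awl.remove("notify@example.com")
    deltas.append(awl.check("notify@example.com", "192.0.2.10", -6.6))  # history gone: 0.0
    return deltas


if __name__ == "__main__":
    for d in thread_scenario():
        print(f"AWL delta {d:+.1f}")
```

The fourth message shows the net-block limit: the same address from a different /16 has its own history, which is why forged-address spam from unrelated networks normally does not taint the record, and why bad trusted_networks settings (which change which relay counts as the originating one) can.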



AWL scoring positive?

2011-03-06 Thread JP Kelly
I just found an incoming message which is ham but marked as spam.
It received a score of 14 because it is in the auto white-list.
Shouldn't it receive a negative score?

Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
                            trust
                            [72.21.212.35 listed in list.dnswl.org]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
  14 AWL                    AWL: From: address is in the auto white-list


Re: typo in 20_vbounce.cf?

2008-05-07 Thread JP Kelly

doh!
I guess if I read the subject line that would have helped.

On May 7, 2008, at 11:15 AM, JP Kelly wrote:


where is this line found?

On May 6, 2008, at 3:01 PM, Robert Müller wrote:


So for testing purposes I modified the line
old:
header __BOUNCE_FROM_DAEMON   From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i

to new:
header __BOUNCE_FROM_DAEMON   From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i






Re: typo in 20_vbounce.cf?

2008-05-07 Thread JP Kelly

where is this line found?

On May 6, 2008, at 3:01 PM, Robert Müller wrote:


So for testing purposes I modified the line
old:
header __BOUNCE_FROM_DAEMON   From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i

to new:
header __BOUNCE_FROM_DAEMON   From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
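Added example (not from the thread): the old and new __BOUNCE_FROM_DAEMON patterns from Robert's message, run through Python's re, which accepts the regex unchanged. The only difference is \S+ versus \S*: with \S+ there has to be at least one character between the daemon word and the '@', so a plain MAILER-DAEMON@ address never matches and the bounce goes unrecognised. The From: header values are constructed.

```python
"""Old versus new vbounce daemon pattern (added example, not 20_vbounce.cf)."""
import re

DAEMON_WORDS = (r"daemon|deamon|majordomo|postmaster|virus|scanner|devnull|"
                r"automated-response|SMTP.gateway|mailadmin|mailmaster|"
                r"surfcontrol|You_Got_Spammed")

# Old: \S+ demands one or more characters between the word and the '@'.
OLD_RULE = re.compile(r"(?:(?:" + DAEMON_WORDS + r")\S+\@|<>)", re.IGNORECASE)
# New: \S* also accepts the word directly followed by '@'.
NEW_RULE = re.compile(r"(?:(?:" + DAEMON_WORDS + r")\S*\@|<>)", re.IGNORECASE)


def compare(from_header: str):
    """(old rule matches, new rule matches) for one From: header value."""
    return (OLD_RULE.search(from_header) is not None,
            NEW_RULE.search(from_header) is not None)


# Constructed headers with the expected (old, new) outcome.
SAMPLES = {
    "Mail Delivery System <MAILER-DAEMON@mx.example.net>": (False, True),  # the typo's victim
    "postmaster-notify@example.org": (True, True),   # suffix between word and '@'
    "virus-scanner@example.com": (True, True),
    "<>": (True, True),                               # null envelope sender
    "Jane Doe <jane@example.com>": (False, False),
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        old, new = compare(header)
        flag = "ok " if (old, new) == expected else "BAD"
        print(f"{flag} old={old!s:5s} new={new!s:5s} {header}")
```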




Re: vbounce false positive on CommuniGate group message

2008-05-05 Thread JP Kelly

nevermind.
i replaced the subroutine in VBounce.pm with the modified one on
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5884
hopefully this will work.
thanks.
jp

On May 5, 2008, at 12:52 PM, JP Kelly wrote:

Pardon my ignorance, but can someone explain how to implement the  
fix for this?

JP Kelly

On May 2, 2008, at 9:37 AM, Jesse Stroik wrote:


Stefan,

Fantastic.  This works.  Thanks for pointing me in the right  
direction.


Best,
Jesse

Stefan Jakobs wrote:

On Friday 02 May 2008 17:24, Jesse Stroik wrote:

SA-Users,

I'm running spamassassin rules 648641 for 3.2.4 fetched by sa- 
update.
I've run into two issues with my current setup.  First, group  
messages

sent through my MTA (CommuniGate) are getting classified with
BOUNCE_MESSAGE by vbounce.  Below is one such message.

Secondly, even if the message is sent using our MTA, it is not
whitelisted properly by whitelist_bounce_relays.  My
whitelist_bounce_relays include both my domain as well as the A and
CNAME records.  A second message is also included below.

Can anyone shed some light on why the messages destined for  
groups are
being flagged as bounces and how I can fix the  
whitelist_bounce_relays

issue?  Email addresses have been stripped from the headers of each
message.

I'm not sure, but it looks like an already reported bug.
See: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5884

Best,
Jesse Stroik

Greetings
Stefan







Re: vbounce false positive on CommuniGate group message

2008-05-05 Thread JP Kelly
Pardon my ignorance, but can someone explain how to implement the fix  
for this?

JP Kelly

On May 2, 2008, at 9:37 AM, Jesse Stroik wrote:


Stefan,

Fantastic.  This works.  Thanks for pointing me in the right  
direction.


Best,
Jesse

Stefan Jakobs wrote:

On Friday 02 May 2008 17:24, Jesse Stroik wrote:

SA-Users,

I'm running spamassassin rules 648641 for 3.2.4 fetched by sa- 
update.
I've run into two issues with my current setup.  First, group  
messages

sent through my MTA (CommuniGate) are getting classified with
BOUNCE_MESSAGE by vbounce.  Below is one such message.

Secondly, even if the message is sent using our MTA, it is not
whitelisted properly by whitelist_bounce_relays.  My
whitelist_bounce_relays include both my domain as well as the A and
CNAME records.  A second message is also included below.

Can anyone shed some light on why the messages destined for groups  
are
being flagged as bounces and how I can fix the  
whitelist_bounce_relays

issue?  Email addresses have been stripped from the headers of each
message.

I'm not sure, but it looks like an already reported bug.
See: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5884

Best,
Jesse Stroik

Greetings
Stefan





vbounce

2008-04-01 Thread JP Kelly

yay i finally had the pleasure of getting joe jobbed!

so i am looking at vbounce. i think it is working but when i  
intentionally bounce to myself the by sending to a non existent  
address,  whitelist_bounce_relays does not seem to trigger. searching  
the archives i noticed that this may have been a bug but i did not see  
if it was fixed. any ideas?

jpk


blogspot, etc

2008-03-07 Thread JP Kelly
i keep getting spam with low scores from what seems to be the same or  
similar sources.
they all have a bunch of random words and a link to a throwaway domain  
(currently blogspot)

also they always seem to be from an address at yahoo.co.uk

anyone else having trouble with these?
any possible solutions?

3 samples below

--


From:   [EMAIL PROTECTED]
	Subject: 	Your login is "appositeness" Don.t wait to use it to the  
full!


Date:   March 6, 2008 6:09:38 PM PST

To: [EMAIL PROTECTED]
Reply-To:   [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>

Delivered-To:   [EMAIL PROTECTED]

Delivered-To:   [EMAIL PROTECTED]

	X-Spam-Checker-Version: 	SpamAssassin 3.2.4 (2008-01-01) on  
jpkvideo.net


X-Spam-Level:   *

	X-Spam-Status: 	No, score=1.6 required=5.0  
tests=BAYES_50,J_CHICKENPOX_31 autolearn=no version=3.2.4


Received:   (qmail 13659 invoked by uid 110); 6 Mar 2008 18:11:56 
-0800

	Received: 	(qmail 13639 invoked from network); 6 Mar 2008 18:11:56  
-0800


	Received: 	from n16.bullet.mail.mud.yahoo.com (68.142.201.239) by  
mail.jpkvideo.net with SMTP; 6 Mar 2008 18:11:55 -0800


	Received: 	from [68.142.200.221] by n16.bullet.mail.mud.yahoo.com  
with NNFMP; 07 Mar 2008 02:09:38 -


	Received: 	from [68.142.201.241] by t9.bullet.mud.yahoo.com with  
NNFMP; 07 Mar 2008 02:09:38 -


	Received: 	from [127.0.0.1] by omp402.mail.mud.yahoo.com with NNFMP;  
07 Mar 2008 02:09:38 -


	Received: 	(qmail 26278 invoked from network); 7 Mar 2008 02:09:38  
-


	Received: 	from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] 
 with login) by smtp125.plus.mail.sp1.yahoo.com with SMTP; 7 Mar 2008  
02:09:36 -


	Received-Spf: 	none (mail.jpkvideo.net: domain at yahoo.co.uk does  
not designate permitted sender hosts)


X-Yahoo-Newman-Id:  [EMAIL PROTECTED]

Message-Id: <[EMAIL PROTECTED]>

	Domainkey-Signature: 	a=rsa-sha1; q=dns; c=nofws; s=s1024;  
d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman- 
Property:From:To:Reply-To:Subject:MIME-Version:Content-Type:Content- 
transfer-encoding;  
b=r72Lvm83CCli7RJVyrFTSinZQs3r4hxvxYTg2axDjgeW52vbvZ2rGgjPfevPKj8Y9mI 
+iMhma7JqkxdOEHiBp2v9mdJvTUQhbeG7DUL4Gf1TdPDmlX3dAg/n1mA+P2vzlJUC/l 
+6zzdbBgaKsc51RqkOaV9IRGiM+3KQQYDpGJ8=  ;


	X-Ymail-Osg: 	 
bEtZRawVM1nFEgj.hKtpXqYXcIMPoCLk1BS.KEmOvKnbpZfzKr24AHznD706cuXVAvmy55o-


X-Yahoo-Newman-Property:ymail-5

Mime-Version:   1.0

Content-Type:   text/plain; charset=iso-8859-1

Content-Transfer-Encoding:  8bit

Buenos tardes!

Set about: http://marleneriggangt.blogspot.com

chronodeiktrinucleate cardiopneumatic loyalties guillotine
experimentist preluders exhibitionistskreighs

venisonlike stuffmicrocytosis infecting habited decoloring

precompensatecomparison

--

From:   [EMAIL PROTECTED]
Subject:Having fun with her honey pot! granulating

Date:   March 6, 2008 11:53:27 PM PST

To: [EMAIL PROTECTED]
Reply-To:   [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>

Delivered-To:   [EMAIL PROTECTED]

Delivered-To:   [EMAIL PROTECTED]

	X-Spam-Checker-Version: 	SpamAssassin 3.2.4 (2008-01-01) on  
jpkvideo.net


X-Spam-Level:   *

	X-Spam-Status: 	No, score=1.0 required=5.0 tests=BAYES_50  
autolearn=ham version=3.2.4


Received:   (qmail 13941 invoked by uid 110); 6 Mar 2008 23:55:39 
-0800

	Received: 	(qmail 13926 invoked from network); 6 Mar 2008 23:55:38  
-0800


	Received: 	from n20.bullet.mail.mud.yahoo.com (68.142.200.47) by  
mail.jpkvideo.net with SMTP; 6 Mar 2008 23:55:38 -0800


	Received: 	from [209.191.108.96] by n20.bullet.mail.mud.yahoo.com  
with NNFMP; 07 Mar 2008 07:53:27 -


	Received: 	from [68.142.201.64] by t3.bullet.mud.yahoo.com with  
NNFMP; 07 Mar 2008 07:53:27 -


rejudgedconcentrators lith
demastsdockers brougham

See everything yourself now at: http://rosemarypenneykf.blogspot.com

permutatevesicoabdominal corruptest
mullioningplutonomist townsboy
flagrantesalicylism putouts

	Received: 	from [127.0.0.1] by omp416.mail.mud.yahoo.com with NNFMP;  
07 Mar 2008 07:53:27 -


	Received: 	(qmail 55471 invoked from network); 7 Mar 2008 07:53:27  
-


	Received: 	from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] 
 with login) by smtp118.plus.mail.mud.yahoo.com with SMTP; 7 Mar 2008  
07:53:26 -


	Received-Spf: 	none (mail.jpkvideo.net: domain at yahoo.co.uk does  
not designate permitted sender hosts)


X-Yahoo-Newman-Id:  [EMAIL PROTECTED]

Message-Id: <[EMAIL PROTECTED]>

	Domainkey-Signature: 	a=rsa-sha1; q=dns; c=nofws; s=s1024;  
d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman- 
Property:From:To:Reply-To:Subject:MIME-Version:Content-Type:Content- 
transfer-encoding; b=G9N2e4iacXaZX2LJlH8JYMoRqZ9QSS4A6/iQiRKOiIfv+LvX 

Re: giberish

2008-03-03 Thread JP Kelly

thanks for the rule ,looks like a good one.
can you point me to jennifer's rules?
thanks.
jp


On Mar 3, 2008, at 2:56 PM, Loren Wilton wrote:

body  LW_WORDLIST_15P /(?:\b(?!(?:from|that|have|this|were|with)\b)[a-z]{4,12}\s+){15}/

describe LW_WORDLIST_15P  string of 15+ random words
score  LW_WORDLIST_15P  5

Ignoring the blogspot comments, something along the lines of the  
above rule will catch this sort of stuff.  It looks like there are  
only 13 random words in your case, so you would need to cut the  
number of words down, and the score down.


Some of Jennifer's rules would also catch this sort of thing, but I  
don't recall which rules.  She had some that checked for unusual  
letter sequences that can't happen in English.  That doesn't help if  
your main mail is Slovak, but if it is English it might be useful.


  Loren
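Added example (not Loren's code): his LW_WORDLIST_15P pattern, parameterised on the run length so the "only 13 random words" case he mentions can be checked directly. Python's re takes the pattern as written. The sample texts are constructed in the style of the quoted spam; the URL in the gibberish sample ends in a slash on purpose, because a word-like last label followed by a newline would otherwise count as one more word of the run.

```python
"""Run-of-random-words rule with adjustable length (added example, not Loren's rule file)."""
import re

STOP_WORDS = "from|that|have|this|were|with"   # the rule's negative lookahead


def wordlist_rule(n: int) -> re.Pattern:
    """n consecutive lower-case words of 4-12 letters, each followed by whitespace,
    none of them one of the stop words."""
    return re.compile(r"(?:\b(?!(?:" + STOP_WORDS + r")\b)[a-z]{4,12}\s+){" + str(n) + "}")


def matches_run(text: str, n: int) -> bool:
    return wordlist_rule(n).search(text) is not None


def longest_run(text: str, limit: int = 100) -> int:
    """Longest run the rule would accept, found by raising n until it stops matching."""
    n = 0
    while n < limit and matches_run(text, n + 1):
        n += 1
    return n


# Constructed samples.
GIBBERISH = ("Buenos tardes!\n\nSet about: http://example.invalid/\n\n"
             "trinucleate loyalties guillotine preluders kreighs venisonlike infecting "
             "habited decoloring comparison orchidist miamiforrad delightable\n")
PROSE = ("Hello, please find the attached agenda for the meeting next week "
         "and let me know if you have questions.\n")

if __name__ == "__main__":
    for label, text in [("gibberish", GIBBERISH), ("prose", PROSE)]:
        print(f"{label:10s} longest run = {longest_run(text):2d}  "
              f"15 words: {matches_run(text, 15)}  13 words: {matches_run(text, 13)}")
```

Real prose is broken up by short words ("the", "and", "for") and punctuation, so its runs stay short; that margin is what lets the count come down from 15 without hitting ordinary mail, but as Loren says the score should come down with it.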





giberish

2008-03-03 Thread JP Kelly
does anyone know of a rule that might catch this kind of spam which  
contains a lot of non words
a grammar checking rule or plugin would be nice too since many spams  
contain a lot of nonsense.


-- message --

From:   [EMAIL PROTECTED]
Subject:"nonzonal" Don.t hesitate to start surfing right now!

Date:   March 3, 2008 8:07:57 AM PST

To: [EMAIL PROTECTED]
Reply-To:   [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>

Delivered-To:   [EMAIL PROTECTED]

Delivered-To:   [EMAIL PROTECTED]

	X-Spam-Checker-Version: 	SpamAssassin 3.2.4 (2008-01-01) on  
jpkvideo.net


X-Spam-Level:   

	X-Spam-Status: 	No, score=0.0 required=5.0 tests=BAYES_50  
autolearn=ham version=3.2.4


Received:   (qmail 3615 invoked by uid 110); 3 Mar 2008 08:08:02 
-0800

Received:   (qmail 3526 invoked from network); 3 Mar 2008 08:07:58 
-0800

	Received: 	from n2.bullet.mail.re4.yahoo.com (206.190.56.21) by  
mail.jpkvideo.net with SMTP; 3 Mar 2008 08:07:57 -0800


	Received: 	from [68.142.237.88] by n2.bullet.re4.yahoo.com with  
NNFMP; 03 Mar 2008 16:07:57 -


	Received: 	from [66.196.97.156] by t4.bullet.re3.yahoo.com with  
NNFMP; 03 Mar 2008 16:07:57 -


	Received: 	from [127.0.0.1] by omp209.mail.re3.yahoo.com with NNFMP;  
03 Mar 2008 16:07:57 -


	Received: 	(qmail 90542 invoked from network); 3 Mar 2008 16:07:57  
-


	Received: 	from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] 
 with login) by smtp111.plus.mail.re1.yahoo.com with SMTP; 3 Mar 2008  
16:07:55 -


	Received-Spf: 	none (mail.jpkvideo.net: domain at yahoo.co.uk does  
not designate permitted sender hosts)


X-Yahoo-Newman-Id:  [EMAIL PROTECTED]

Message-Id: <[EMAIL PROTECTED]>

	Domainkey-Signature: 	a=rsa-sha1; q=dns; c=nofws; s=s1024;  
d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman- 
Property:From:To:Reply-To:Subject:MIME-Version:Content-Type:Content- 
transfer-encoding; b=Fci6v6cAn5jCWzYsTvVg1Ej/oa/ 
DJLQb5LDvE6fn3JyFSVkTMAQC4hfAx1H5nwnOm96ISbDeYSRaMHQVtMSJRbobR/ 
9lqmjcJZISS8Ud8AoUCPIB7l1/LJ2l/y5h7pDt2DY6K9gMpINWeKQVeT2s9sHrBeNU4/ 
x3EDVCbzakSb0=  ;


	X-Ymail-Osg: 	 
O92CgIUVM1nZIh3Uqs.nch7sKrHtE5hIfc2DwtUh9iZsCtqAYa_U22K79n_23Rn4I4TiCzs-


X-Yahoo-Newman-Property:ymail-5

Mime-Version:   1.0

Content-Type:   text/plain; charset=iso-8859-1

Content-Transfer-Encoding:  8bit



Howdy!

Go to get further directions: http://jennakilroytm.blogspot.com

misbrandingmegadyne delightable underbodice undergore
fica orchidist miamiforrad

commiserates denominablebronteum architectonically capsulogenous  
disfigured


unteemsimulated


Re: China TLD links

2008-03-01 Thread JP Kelly

thank you guenther!

On Feb 29, 2008, at 5:39 AM, Karsten Bräckelmann wrote:

While I understood this comment more generally, aiming at some rules  
to

catch the provided spample -- if you actually are after an RE to score
on China TLDs, here you go. That much should be easy:

uri  TLD_CHINA  m,https?://([-\w]+\.)+cn(/|$),

 guenther
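Added example (not guenther's code): his TLD_CHINA pattern applied the way a SpamAssassin uri rule applies it, to each URI extracted from the body rather than to the body as a whole. Python's re accepts the pattern unchanged (the m,..., form is just Perl's alternative delimiter for /.../). The body is constructed; the first link is the one from the yahoo.co.uk sample further down this page.

```python
"""uri rule TLD_CHINA applied per extracted URI (added example, not SA's URI extractor)."""
import re

# Minimal URI extraction: scheme-prefixed links only; trailing punctuation dropped.
# SpamAssassin's own extractor also picks up bare domains, which this does not.
URI_RE = re.compile(r"""https?://[^\s<>"']+""")
TLD_CHINA = re.compile(r"https?://([-\w]+\.)+cn(/|$)", re.IGNORECASE)


def extract_uris(body: str):
    return [u.rstrip(".,;:!?)") for u in URI_RE.findall(body)]


def tld_china_hits(body: str):
    """URIs in the body that the rule as posted would flag."""
    return [u for u in extract_uris(body) if TLD_CHINA.search(u)]


SAMPLE_BODY = (
    "jfft http://www.uastvideofs.cn chb wvr sq oo i.\n"
    "More: https://shop.example.com.cn/ and http://news.example.cnn.com/story.\n"
    "Also http://example.cn:8080/ (a port: not matched by the rule as posted) "
    "and http://cn.example.org/ (cn as a subdomain, not the TLD).\n"
)

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_BODY):
        print(f"{'HIT' if TLD_CHINA.search(uri) else '-':3s} {uri}")
```

The `(/|$)` tail is what keeps "example.cnn.com" from matching; it also means a .cn link with an explicit port or query string slips past, which is worth knowing before scoring the rule high.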




China TLD links

2008-02-28 Thread JP Kelly

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:


The main thing that stands out (to me) is the China TLD in the URL.
We block all those on sight (unless they're in the recipient's  
domain skip

list - so far, none of my users have any China TLDs in theirs).

Perhaps one of the regex gurus will whip you up a rule. :)




yahoo.co.uk

2008-02-27 Thread JP Kelly

everyday i get 2 or three of these coming through.
it seems like they could/should be caught but they often have very low  
scores.

they all have yahoo.co.uk in the from address

---example1---
---
headers
---
From:   [EMAIL PROTECTED]
Subject:dear tnv Schoolgirls q.

Date:   February 27, 2008 5:05:53 AM PST

To: [EMAIL PROTECTED]
Reply-To:   [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>

Delivered-To:   [EMAIL PROTECTED]

Delivered-To:   [EMAIL PROTECTED]

	X-Spam-Checker-Version: 	SpamAssassin 3.2.4 (2008-01-01) on  
jpkvideo.net


X-Spam-Level:   

	X-Spam-Status: 	No, score=4.9 required=5.0 tests=BAYES_50,  
RCVD_IN_BL_SPAMCOP_NET 
,SARE_SCHLGRL,TW_JF,TW_JK,TW_KD,TW_QW,TW_TN,TW_WP,TW_WV, TW_YW  
autolearn=no version=3.2.4


Received:   (qmail 32723 invoked by uid 110); 27 Feb 2008 04:53:05 
-0800

	Received: 	(qmail 32714 invoked from network); 27 Feb 2008 04:53:05  
-0800


	Received: 	from n2.bullet.mail.re4.yahoo.com (206.190.56.21) by  
mail.jpkvideo.net with SMTP; 27 Feb 2008 04:53:04 -0800


	Received: 	from [68.142.230.29] by n2.bullet.re4.yahoo.com with  
NNFMP; 27 Feb 2008 12:50:47 -


	Received: 	from [69.147.75.182] by t2.bullet.re2.yahoo.com with  
NNFMP; 27 Feb 2008 12:50:47 -


	Received: 	from [127.0.0.1] by omp103.mail.re1.yahoo.com with NNFMP;  
27 Feb 2008 12:50:47 -


	Received: 	(qmail 56157 invoked from network); 27 Feb 2008 12:50:47  
-


	Received: 	from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] 
 with login) by smtp108.plus.mail.re1.yahoo.com with SMTP; 27 Feb  
2008 12:50:46 -


	Received-Spf: 	none (mail.jpkvideo.net: domain at yahoo.co.uk does  
not designate permitted sender hosts)


X-Yahoo-Newman-Id:  [EMAIL PROTECTED]

Message-Id: <[EMAIL PROTECTED]>

	Domainkey-Signature: 	a=rsa-sha1; q=dns; c=nofws; s=s1024;  
d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman- 
Property:From:To:Reply-To:Subject:Date:MIME-Version:Content- 
type:Content-transfer-encoding; b=ZCQu4SyaoBJDYdMVj6lzxZMWp2rNH 
+Wt4gw3baN3qcGIudadCvR/ 
R4e5BViYvwywNh6x0WeKRTWJ8XXzzOonPMhv0NJ7dz1Wd84Epw3ZmcZMiR6swzoFcPcjnRckaVpYzLQoi 
/0ls8LR22X52aLL06XgduZEZEds5U72EYNYmMI=  ;


	X-Ymail-Osg: 	 
R1BUWHwVM1mOafE4j9EzDgzCnkd2r0k6r5y2xhxB6Q63z_kS48BZ8OmP83S_N5FKG8uFnXPaukheeCbN2uo0TnqdAYnIXaI0rtYpCqwAJepHpgTHKx6E5FLi 
.E5QiXXamQ--


X-Yahoo-Newman-Property:ymail-5

Mime-Version:   1.0

Content-Type:   text/plain; charset=windows-1251

Content-Transfer-Encoding:  8bit

---
body
---

r, top ywp j Whore jfft http://www.uastvideofs.cn chb wvr sq oo i. fa  
vmi h qwdcs elbjj.

das imoum x izo yw pkwh, wppi jkdq x yrop.

---example2---
---
headers
---

From:   [EMAIL PROTECTED]
Subject:sexual v Whore v.

Date:   February 26, 2008 2:06:24 PM PST

To: [EMAIL PROTECTED]
Reply-To:   [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>

Delivered-To:   [EMAIL PROTECTED]

Delivered-To:   [EMAIL PROTECTED]

	X-Spam-Checker-Version: 	SpamAssassin 3.2.4 (2008-01-01) on  
jpkvideo.net


X-Spam-Level:   

	X-Spam-Status: 	No, score=0.9 required=5.0  
tests=BAYES_50,TW_BD,TW_DJ,TW_DZ,  
TW_JB,TW_JF,TW_KJ,TW_QL,TW_QW,TW_SV,TW_WB,TW_WR,TW_ZQ autolearn=no  
version=3.2.4


Received:   (qmail 14144 invoked by uid 110); 26 Feb 2008 13:57:02 
-0800

	Received: 	(qmail 14118 invoked from network); 26 Feb 2008 13:57:01  
-0800


	Received: 	from n2d.bullet.mail.ac4.yahoo.com (76.13.13.86) by  
mail.jpkvideo.net with SMTP; 26 Feb 2008 13:57:01 -0800


	Received: 	from [76.13.13.26] by n2.bullet.mail.ac4.yahoo.com with  
NNFMP; 26 Feb 2008 13:55:07 -


	Received: 	from [68.142.194.243] by t3.bullet.mail.ac4.yahoo.com with  
NNFMP; 26 Feb 2008 21:57:00 -


	Received: 	from [68.142.237.88] by t1.bullet.mud.yahoo.com with  
NNFMP; 26 Feb 2008 21:57:00 -


	Received: 	from [66.196.97.153] by t4.bullet.re3.yahoo.com with  
NNFMP; 26 Feb 2008 21:56:59 -


	Received: 	from [127.0.0.1] by omp206.mail.re3.yahoo.com with NNFMP;  
26 Feb 2008 21:56:59 -


	Received: 	(qmail 13807 invoked from network); 26 Feb 2008 21:51:21  
-


	Received: 	from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] 
 with login) by smtp101.plus.mail.re1.yahoo.com with SMTP; 26 Feb  
2008 21:51:20 -


	Received-Spf: 	none (mail.jpkvideo.net: domain at yahoo.co.uk does  
not designate permitted sender hosts)


X-Yahoo-Newman-Id:  [EMAIL PROTECTED]

Message-Id: <[EMAIL PROTECTED]>

	Domainkey-Signature: 	a=rsa-sha1; q=dns; c=nofws; s=s1024;  
d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman- 
Property:From:To:Reply-To:Subject:Date:MIME-Version:Content- 
type:Content-transfer-encoding;  
b 
= 
x6Ax7P5tAakcsTqW

Re: google spams

2008-01-21 Thread JP Kelly


On Jan 21, 2008, at 9:26 AM, mouss wrote:


JP Kelly wrote:

Enough is enough!
SA has been working so well for me all these years I guess I am  
spoiled.
I woke up this morning and had 5 Google spams and one legit email  
and I've had it.


I noticed a somewhat lengthy discussion on the subject here.
I am not able to write my own rules or regex.
Is there a quick and dirty way to give these spams a higher score?
I am using SA 3.2.3 and these message typically score around 4.5.



show samples. Otherwise, it's hard to know that everybody is talking  
about the same spam.



here is a typical example:
--

headers:
--

From:   [EMAIL PROTECTED]
Subject:She'll Beg for More..
Date:   January 21, 2008 10:34:15 AM PST
To: [EMAIL PROTECTED]
Return-Path:<[EMAIL PROTECTED]>
Delivered-To:   [EMAIL PROTECTED]
Delivered-To:   [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on jpkvideo.net
X-Spam-Level:   
X-Spam-Status: 	No, score=4.5 required=5.0 tests=BAYES_99,MISSING_MID,  
RCVD_IN_PBL,RDNS_DYNAMIC autolearn=no version=3.2.3

Received:   (qmail 8030 invoked by uid 110); 21 Jan 2008 08:35:21 -0800
Received:   (qmail 7999 invoked from network); 21 Jan 2008 08:35:20 -0800
Received: 	from 190.75-207-15.dyn.dsl.cantv.net (HELO  
equipo05.cantv.net) (190.75.207.15) by smallgod.com with SMTP; 21 Jan  
2008 08:35:19 -0800
Received-Spf: 	none (smallgod.com: domain at bloggingstocks.com does  
not designate permitted sender hosts)

Content-Transfer-Encoding:  7bit

body:
--

Mon, 21 Jan 2008 17:34:15 -0100

http://google.com//search?hl=en&q=inurl:rhtawy.com%2BVPXL%2BMade%2BEasy&btnI=79547


google spams

2008-01-21 Thread JP Kelly

Enough is enough!
SA has been working so well for me all these years I guess I am spoiled.
I woke up this morning and had 5 Google spams and one legit email and  
I've had it.


I noticed a somewhat lengthy discussion on the subject here.
I am not able to write my own rules or regex.
Is there a quick and dirty way to give these spams a higher score?
I am using SA 3.2.3 and these message typically score around 4.5.

Thanks.
 


Re: Top spam hosters, how to decline email mentioning them

2007-10-21 Thread JP Kelly

this looks interesting to me as well
i am a little confused about how to use/install it

on the page you provided a link to it says under "USAGE" to "add the  
following to your local.cf file"


loadplugin Mail::SpamAssassin::Plugin::URICountry

uricountry  URICOUNTRY_XX   XX
header  URICOUNTRY_XX   eval:check_uricountry('URICOUNTRY_XX')
describeURICOUNTRY_XX   Contains a URI hosted in XX
tflags  URICOUNTRY_XX   net
score URICOUNTRY_XX 2.0

Where XX is replaced with the 2 character country code of your  
choice. (e.g. CN, KR, RO, RU, IN etc.)


that makes sense to me but after that it says "THE CODE" followed by  
a bunch of code.

i am unclear on what needs to be done with this code.

any light shed on this will be greatly appreciated.

jp kelly


On Oct 20, 2007, at 10:10 PM, Bill Landry wrote:


Take a look at the URICountry plugin:

http://wiki.apache.org/spamassassin/URICountryPlugin

That should do what you want.

Bill




plugins

2007-06-30 Thread JP Kelly

What is the best way to check what plugins SA is using?


Re: Stop delivery of mail with certain points

2007-03-02 Thread JP Kelly

I'd like to be able to say, if this message has over 5 points
don't deliver it at all.


With procmail installed you can do it.
http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam?highlight=%28delete%29%7C%28spam%29


here is a way to have all spam forward to another mailbox but the  
procmail script can be modified to trigger on a certain level of spam.

http://atomicrocketturtle.com/forum/viewtopic.php?t=1502


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-21 Thread JP Kelly


poof!


SpamAssassin and Horde (still)

2007-02-21 Thread JP Kelly
Ok, so since I am at the mercy of my hosting provider (Media Temple) to upgrade SA (we are at 3.0.6), I attempted to apply the patch in bugzilla to Received.pm.
It looks like the patch for SquirrelMail has already been applied, so I just added the lines for the 'Ignores Received header inserted by IMP' and 'Extend IMP-Patch to IMP and Horde3' patches.

Bug#:3236 http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3236

I'm pretty new at this bugzilla thing so I hope I am doing this right.
(I added the lines with the plus signs in front of them and deleted the plus signs.)

I restarted SA. Everything seems to be ok. Spawned Child process

But the Horde mail is still tagged as spam.
Is restarting SA enough to make the changes effective?

I am on CentOS with Plesk/Qmail

---this is from the log:
Feb 21 21:51:48 as spamd[32197]: processing message <[EMAIL PROTECTED]> for [EMAIL PROTECTED]:110.
Feb 21 21:51:49 as spamd[32197]: identified spam (6.0/5.0) for [EMAIL PROTECTED]:110 in 0.7 seconds, 876 bytes.
Feb 21 21:51:49 as spamd[32197]: result: Y  6 - AWL,BAYES_00,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR,NO_REAL_NAME scantime=0.7,size=876,mid=<[EMAIL PROTECTED]god.com>,bayes=5.55111512312578e-17,autolearn=no


--Here are the headers from the tagged email:
Content analysis details:   (6.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 2.5 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
 1.5 NO_REAL_NAME           From: does not include a real name
 2.5 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 0.1 AWL                    AWL: From: address is in the auto white-list



Received: (qmail 7369 invoked by uid 110); 21 Feb 2007 22:01:50 -0800
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 7345 invoked from network); 21 Feb 2007 22:01:45 -0800
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 21 Feb 2007 22:01:45 -0800
Received: from adsl-63-198-201-222.dsl.snfc21.pacbell.net
(adsl-63-198-201-222.dsl.snfc21.pacbell.net [63.198.201.222]) by
webmail.smallgod.com (Horde MIME library) with HTTP; Wed, 21 Feb 2007
22:01:45 -0800
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 21 Feb 2007 22:01:45 -0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ddd
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)


Funny thing is I am on a static IP, so I believe the DYNAMIC_DHCP rule shouldn't apply.

But then again maybe it has nothing to do with my IP.

Thanks for your help.
JP Kelly


On Feb 21, 2007, at 1:53 AM, Justin Mason wrote:



yeah, it should be all versions *since* 3.1.0 (note that the
original mail was sent 2 years ago).

If you have a more recent mail that falls foul of the rule, open
a bug in the bugzilla and *attach* a sample message that demonstrates
the problem.

--j.

JP Kelly writes:

Regarding the problem where mail from Horde gets hit with the
HELO_DYNAMIC_DHCP rule due to the sender's IP address.
See below...

Do you mean SA 3.1?


On Apr 14, 2005, at 3:08 PM, Justin Mason wrote:




check the bugzilla -- I'm pretty sure this is fixed for 3.1.0.

- --j.



This is the IP from the computer the user was using to send mail. Something
is very wrong here. Why does IMP 4.x take the user IP and send it as
HELO?? This does not happen with IMP 3.x. I guess I have two options: one, hack
the IMP code to send localhost in HELO, or make SpamAssassin ignore IMP headers.

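What the Received.pm patch discussed in this thread changes, shown as an added example in Python (not SpamAssassin's Perl and not the patch itself): when the Received chain is walked newest-first to find the most recent external relay, which is where the HELO_DYNAMIC_* rules look, a hop that a webmail front end recorded from the user's browser must be skipped, because its "from" is the user's client address and not an SMTP relay. The first chain below is copied from the headers quoted in the post above; the second chain, the trusted-domain suffix, the RFC 1918 internal-network list and the treatment of any "with HTTP" hop as a webmail submission are assumptions made for the example.

```python
import ipaddress
import re

# One Received hop: "from <helo> (<comment>) by <host> (<comment>) with <proto>; <date>"
_HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<from_info>[^)]*)\))?"      # "(rdns [ip])", "(ip)" or Exim's "(helo=name)"
    r"\s+by\s+(?P<by>[^\s;]+)"
    r"(?:\s+\((?P<by_info>[^)]*)\))?"        # e.g. "(Horde MIME library)"
    r"(?:\s+with\s+(?P<proto>[^\s;]+))?",
    re.I,
)
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")   # IPv4 only (assumption for the example)

# Loopback plus RFC 1918; in a real deployment this mirrors trusted_networks
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _extract_ip(text):
    m = _IP_RE.search(text or "")
    return m.group(0) if m else None


def parse_hop(line):
    """Parse one Received header into a dict, or None for hops carrying no relay info."""
    m = _HOP_RE.match(line.strip())
    if not m:
        return None                           # e.g. qmail's "(qmail NNN invoked by uid ...)"
    hop = m.groupdict()
    info = hop["from_info"] or ""
    helo_match = re.search(r"helo=([^\s)]+)", info, re.I)
    if helo_match:                            # Exim style: "from [ip] (helo=name)"
        hop["ip"] = _extract_ip(hop["helo"])
        hop["helo"] = helo_match.group(1)
    else:                                     # sendmail/qmail style: "from name (rdns [ip])"
        hop["ip"] = _extract_ip(info)
    return hop


def _is_internal(hop, trusted_suffixes):
    """Hops from loopback, private space or our own hosts are not external relays."""
    if hop["ip"]:
        try:
            addr = ipaddress.ip_address(hop["ip"])
            if any(addr in net for net in _INTERNAL_NETS):
                return True
        except ValueError:
            pass
    name = hop["helo"].lower()
    return name == "localhost" or name.endswith(tuple(trusted_suffixes))


def is_webmail_hop(hop):
    """A hop the webmail software recorded from the user's browser rather than an MTA."""
    proto = (hop["proto"] or "").upper()
    info = (hop["by_info"] or "").lower()
    return proto == "HTTP" or "horde" in info or "squirrelmail" in info or "imp" in info.split()


def last_external_relay(received, trusted_suffixes=("smallgod.com",), skip_webmail=True):
    """Walk newest-first; return the most recent real external relay, or None if there is none."""
    for line in received:
        hop = parse_hop(line)
        if hop is None or _is_internal(hop, trusted_suffixes):
            continue
        if skip_webmail and is_webmail_hop(hop):
            continue
        return hop
    return None


def external_helo(received, skip_webmail=True):
    """The HELO name the HELO_DYNAMIC_* style checks would be applied to (None = no relay)."""
    hop = last_external_relay(received, skip_webmail=skip_webmail)
    return hop["helo"] if hop else None


# Received headers copied from the Horde-submitted message quoted in the post, newest first
HORDE_CHAIN = [
    "(qmail 7369 invoked by uid 110); 21 Feb 2007 22:01:50 -0800",
    "(qmail 7345 invoked from network); 21 Feb 2007 22:01:45 -0800",
    "from localhost (127.0.0.1) by localhost with SMTP; 21 Feb 2007 22:01:45 -0800",
    "from adsl-63-198-201-222.dsl.snfc21.pacbell.net "
    "(adsl-63-198-201-222.dsl.snfc21.pacbell.net [63.198.201.222]) "
    "by webmail.smallgod.com (Horde MIME library) with HTTP; Wed, 21 Feb 2007 22:01:45 -0800",
]

# Constructed chain for ordinary inbound SMTP mail (192.0.2.0/24 is documentation address space)
SMTP_CHAIN = [
    "from localhost (127.0.0.1) by localhost with SMTP; 21 Feb 2007 22:01:45 -0800",
    "from [192.0.2.10] (helo=dhcp-10-2-0-192.example.net) by mail.smallgod.com "
    "with esmtp (Exim 4.60); Wed, 21 Feb 2007 22:01:40 -0800",
]

if __name__ == "__main__":
    print("Horde mail, webmail hop counted:", external_helo(HORDE_CHAIN, skip_webmail=False))
    print("Horde mail, webmail hop skipped:", external_helo(HORDE_CHAIN))
    print("SMTP mail:", external_helo(SMTP_CHAIN))
```

Without the skip, the Horde message's "external relay" is the user's ADSL client and its dynamic-looking hostname, which is exactly the six points the log above shows; with the skip there is no external relay at all, so the HELO rules have nothing to fire on, while genuine SMTP mail from a dynamic-looking host is still evaluated.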






Re: SpamAssassin and Horde

2007-02-20 Thread JP Kelly


Regarding the problem where mail from Horde gets hit with the HELO_DYNAMIC_DHCP rule due to the sender's IP address.

See below...

Do you mean SA 3.1?


On Apr 14, 2005, at 3:08 PM, Justin Mason wrote:




check the bugzilla -- I'm pretty sure this is fixed for 3.1.0.

- --j.



This is the IP from the computer the user was using to send mail. Something
is very wrong here. Why does IMP 4.x take the user IP and send it as
HELO?? This does not happen with IMP 3.x. I guess I have two options: one, hack
the IMP code to send localhost in HELO, or make SpamAssassin ignore IMP headers.




AOL X-Spam-Flag: NO

2006-05-28 Thread JP Kelly
AOL in their infinite wisdom has decided to add the header X-Spam-Flag: NO to their outgoing messages.
Due to the way I have SpamAssassin set up with exim this causes any message from AOL to be considered spam.
Is there a way to strip the X-Spam-Flag: NO on RCPT before any other processing is done?

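The general fix for the situation in this post is to treat every X-Spam-* header that arrives from outside as untrusted and remove it before the local scanner and delivery rules run. Here is that step as an added example in Python (not the poster's exim configuration and not SpamAssassin code): it deletes all foreign X-Spam-* headers from a parsed message and reports what it removed. The header prefix list and the sample message, with its placeholder AOL-like hostnames, are assumptions constructed for the example.

```python
import email
from email import policy

# Header name prefixes only our own scanner may set. Anything carrying them on arrival was added
# by a foreign system (or forged) and must not influence local decisions. Assumed prefix list;
# align it with the add_header lines in your local.cf.
UNTRUSTED_PREFIXES = ("x-spam-",)


def strip_foreign_spam_headers(msg):
    """Remove every X-Spam-* header present on arrival. Returns the removed names in order."""
    removed = []
    for name in dict.fromkeys(msg.keys()):        # de-duplicated, original order kept
        if name.lower().startswith(UNTRUSTED_PREFIXES):
            del msg[name]                         # deletes all occurrences of this header
            removed.append(name)
    return removed


def sanitize_raw(raw):
    """Parse raw message text, strip foreign X-Spam-* headers, return (removed_names, message)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = strip_foreign_spam_headers(msg)
    return removed, msg


# Constructed sample: inbound mail that arrives pre-stamped with a "clean" verdict, the way the
# post describes AOL's outgoing messages. Hostnames and addresses are placeholders.
SAMPLE_AOL = (
    "Received: from imo-m11.mx.aol.example (imo-m11.mx.aol.example [192.0.2.11]) "
    "by mail.example.net with esmtp; Sun, 28 May 2006 10:00:00 -0700\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Status: No, score=-5.0 required=5.0\n"
    "From: someone@aol.example\n"
    "To: jp@example.net\n"
    "Subject: hi\n"
    "\n"
    "message body\n"
)

if __name__ == "__main__":
    removed, msg = sanitize_raw(SAMPLE_AOL)
    print("removed:", removed)
    print("X-Spam-Flag now:", msg.get("X-Spam-Flag"))
    print("surviving headers:", list(msg.keys()))
```

The stripping has to happen before SpamAssassin adds its own headers and before any delivery rule tests them; otherwise the foreign verdict and the local one are indistinguishable to whatever reads the message next.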
re: your good crpdt

2006-05-19 Thread JP Kelly





re: your good crpdt

2006-05-19 Thread JP Kelly



SA not using SARE rules?

2005-12-15 Thread JP Kelly

It seems SA is not using the SARE rulesets for me?
I see no mention of SARE in any of my tagged spam.
I have been using rules_du_jour and downloading current rulesets.
Any ideas why SA would not be using SARE rulesets?


wrist watch spam getting old

2005-12-15 Thread JP Kelly
I am getting a lot of wrist watch spam with links to web pages which have malodorous scripts embedded in them.
A typical spam looks like this:

From:   [EMAIL PROTECTED]
Subject: FW: Because you deserve something special watch-jewelry
Date: December 12, 2005 7:41:01 AM PST
To:   [EMAIL PROTECTED]
Received: from exim by mail2.jpkvideo.net with spam-tagged (Exim 4.60) (envelope-from <[EMAIL PROTECTED]>) id IRHNZV-000DE1-3O for [EMAIL PROTECTED]; Wed, 14 Dec 2005 04:57:32 -0800
Received: from [69.59.174.108] (helo=mail.jpkvideo.net) by mail2.jpkvideo.net with esmtp (Exim 4.60) (envelope-from <[EMAIL PROTECTED]>) id IRHNZU-000DDX-PE; Wed, 14 Dec 2005 04:57:30 -0800
Received: from [59.40.216.127] (helo=phat.co.nz) by mail.jpkvideo.net with smtp (Exim 4.20) id IRHNZT-000B8V-J3; Wed, 14 Dec 2005 04:57:30 -0800

Message-Id: <[EMAIL PROTECTED]>
User-Agent: AspMail 4.0 4.03 (SMT470603F)
X-Accept-Language: en-us
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on crabtree
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_50,DATE_IN_PAST_24_48 autolearn=no version=3.0.4



Jai,

I am thinking you will love this.


Jagger

---Original Message---

From: Milissa [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 04, 2005 9:41 AM
To: Jagger
Subject:

Sweet Jagger,

Here is a excellent gift for you. I saw you looking at these  
excellent rep

lica watches and I know you love it.

It is not often that you ask for anything, but I have looked at  
these  rep

lica-watches, and I see why you want so much one. So get it. Don't worry
about safe mailing service. They have the tracking system.
http://in.geocities.com/johnie_keeley/

Pick up the gift box too.


With my most sincere love,

Rosaleen


received, as chief, a certain emerge shelter proportion of feather the
witch-doctor's returned to those behind. Tarzan could hear the words.  
The

scout was telling the order other members of the tribe that building the
Ivan coast was
eyes like stylist an Italian. Then too he is the oily most delightful
company possible





3.1 on cpan

2005-12-10 Thread JP Kelly

is SA 3.1 available through cpan yet?
If not will it be?


Re: no dbs present

2004-09-26 Thread JP Kelly
Yes I see that during regular spam scanning the bayes_db is working.
Thanks for all your effort!
SpamAssassin ROCKS!
On 25 Sep 2004, at 6:42 PM, Theo Van Dinter wrote:
That's the debug output from the initial "get everything going" internal message run.  Don't worry about it. :)
-
Jon-Paul Kelly
A11 SA TEX
[EMAIL PROTECTED]
web hosting
http://www.jpkvideo.net


no dbs present

2004-09-26 Thread JP Kelly
When starting spamd I get an error in the log:
spamd[1290]: debug: bayes: no dbs present, cannot tie DB R/O: /tmp/spamd-1290-init/.spamassassin/bayes_toks

I have tried rebuilding the bayes db with sa-learn --sync but I still get the error.

Any ideas?