FSL_BULK_SIG still active?
Hi, everyone

Pls... Is this still an active spamassassin test?

header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
meta FSL_BULK_SIG ((DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB)
describe FSL_BULK_SIG Bulk signature with no Unsubscribe

Had some odd false positive due to its high score of 1,35... It was a forgot password message... and it scored "Bulk signature with no Unsubscribe".

Seems strange as it depends on DCC, Razor, Pyzor, systems that I also see score wrongly.

Thanks.
Rob

Lots of money, score of 0??
Guys,

Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. IMHO it should score at least something, few people would write Million dollars in an email, why not add up score?

LOTS_OF_MONEY 0.00

See https://pastebin.com/dY6iFeYL

Thanks!
Rob

razor?
Hi, everyone

Just wondering, what's your thoughts on Razor? Haven't analysed big amount of emails yet, but I've had a few cases where it causes very strange false positives that make no sense, and adds a lot of points...

RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73

It says on their site "Detection is done with statistical and randomized signatures that efficiently spot mutating spam content."

For example those scores were for a totally legit email that had some screenshots embedded in the email...

Also, how to report FP?

Thanks.
Rob

catching a dot in the number of a rule
Hi, masters!

I know

[1-9]{1,5} spreadsheets

catches something like 23244 spreadsheets

What about 23.244 spreadsheets? How to make the rule consider a dot in the number?

Thank you!
Rob

Re: Ends with string
Hi!

Thanks! I didn't find this info in Writing rules tutorial.

I see

uri __KAM_SHORT /(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i

Seems a bit complicated. It would be to make this rule check that suffixes are at the end of URI.

uri __TEST_URLS /\b(\.vn|\.pl|\.my|\.lu|\.vn|\.ar)\b/i

I believe this does it, correct?

uri __TEST_URLS /\b(\.vn$|\.pl$|\.my$|\.lu$|\.vn$|\.ar$)\b/i

Thanks.
Rob

2017-09-08 14:03 GMT-03:00 Kevin A. McGrail <kevin.mcgr...@mcgrail.com>:

> On 9/8/2017 12:24 PM, Robert Boyl wrote:
>
>> Hello, everyone!
>>
>> Is there a way to create a Spamassassin rule that checks for a certain
>> URL suffix such as .ru but makes sure it has to be at the end of the URI?
>> Ends with string.
>>
>> Thanks!
>> Rob
>
> Yes, it's called an anchor and Shane Williams a long time ago gave me some
> advice on that I used in this rule:
>
> uri __KAM_SHORT /(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i
>
> Regards,
> KAM

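An added example, not part of the thread and not SpamAssassin code: the three patterns quoted above, run over constructed URIs to show what the `$` anchor changes. Python's `re` stands in for Perl matching here (the constructs used behave the same); the sample URIs, the `hits` helper and the `HOST_TLD` pattern are assumptions introduced for illustration.

```python
import re

# Patterns copied from the thread (bodies of SpamAssassin 'uri' rules, /i flag).
UNANCHORED = re.compile(r"\b(\.vn|\.pl|\.my|\.lu|\.vn|\.ar)\b", re.I)
END_ANCHORED = re.compile(r"\b(\.vn$|\.pl$|\.my$|\.lu$|\.vn$|\.ar$)\b", re.I)
KAM_SHORT = re.compile(
    r"(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com"
    r"|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)", re.I)

# Hypothetical variant, not from the thread: anchor the suffix to the end
# of the host part, so a path after the host does not defeat the match.
HOST_TLD = re.compile(
    r"^https?://[^/?#]+\.(?:vn|pl|my|lu|ar)(?::\d+)?(?:[/?#]|$)", re.I)

# Constructed sample URIs, as a 'uri' rule might see them (assumption:
# the scheme is present in the string being tested).
SAMPLES = [
    "http://example.vn",               # suffix is the end of the URI
    "http://example.vn/login.html",    # suffix ends the host, path follows
    "http://files.vn.example.com/a",   # suffix is only a subdomain label
    "http://example.com/report.pl",    # suffix is a file extension
    "http://bit.ly/abc123",            # shortener covered by __KAM_SHORT
]

def hits(pattern, uris=SAMPLES):
    """Return the URIs the pattern matches anywhere (rule-style search)."""
    return [u for u in uris if pattern.search(u)]

if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED),
                      ("end-anchored", END_ANCHORED),
                      ("host-anchored", HOST_TLD),
                      ("__KAM_SHORT", KAM_SHORT)]:
        print(f"{name:14} {hits(pat)}")
```

The `$` version matches only when the suffix is the last thing in the whole URI, so it skips `example.vn/login.html` and still fires on a `.pl` file extension; the host-anchored variant is one way to tie the suffix to the hostname instead.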
Ends with string
Hello, everyone!

Is there a way to create a Spamassassin rule that checks for a certain URL suffix such as .ru but makes sure it has to be at the end of the URI? Ends with string.

Thanks!
Rob

block attachments via plugin
Hi, guys

Recently I saw this.

http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/

My idea was to create a rule in the way mentioned in this site, such as, for example, certain attachment file type (such as HTML or ZIP) and a certain subject, score the message.

The rule works. But I found that it causes false positives for emails that have HTML in the body and not necessarily attached (internally, I guess it's the same, right?).

Example

--_000_2C3280CB5B1A584F8E4B3E0E263D843251617ACAMBXTB921Cvcarem_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Re: Possible ignore CRLF?
Hi,

Thanks for reply. Hehe, sorry :))

Rule

describe BRF_TEST123 test
body BRF_TEST123 /\bSe você não deseja mais receber nossos e-mails, cancele\b/i
score BRF_TEST123 0.1

See here the message that qmail can't catch due to a CRLF in middle of text (right after word "se") but icewarp can catch even with the CR LF. If I remove the CR LF my qmail catches it (SA).

http://pastebin.com/gyeDcA3H

Thanks
Rob

2016-08-26 10:50 GMT-03:00 Axb <axb.li...@gmail.com>:

> On 08/26/2016 03:46 PM, Robert Boyl wrote:
>
>> Hi, everyone!
>>
>> Just curious if anyone has had this issue before.
>>
>> We have a customer SA rule that catches certain text "se voce nao deseja
>> mais receber..."
>>
>> We have an icewarp mail server where our rule hits just fine, DESPITE a
>> CRLF after word "SE".
>>
>> See image showing that CRLF http://screenpresso.com/=e406e
>>
>> But our qmail with SA does not hit the rule due to the CRLF.
>>
>> I removed CRLF, re-fed the message as such http://screenpresso.com/=6Zqke
>>
>> Then I got the hit...
>>
>> So question is, is there a way to make SA ignore CRLF?
>>
>> Thanks!
>> Rob
>
> And where is the rule you created?
>
> can you pastebin the sample message?
> Tests on a screenshot don't work .-)
>
> Guys - screenshots are for grannies
> Use copy/paste & pastebin!!!

Possible ignore CRLF?
Hi, everyone!

Just curious if anyone has had this issue before.

We have a customer SA rule that catches certain text "se voce nao deseja mais receber..."

We have an icewarp mail server where our rule hits just fine, DESPITE a CRLF after word "SE".

See image showing that CRLF http://screenpresso.com/=e406e

But our qmail with SA does not hit the rule due to the CRLF.

I removed CRLF, re-fed the message as such http://screenpresso.com/=6Zqke

Then I got the hit...

So question is, is there a way to make SA ignore CRLF?

Thanks!
Rob

detect if html attachment without plugin
Hi, everyone

Quick question. We have a Spamassassin installation where the mail server's implementation doesn't permit any SA plugins, so I can't use Plugin::MIMEHeader or the such.

To be able to detect that an email has an HTML attachment, such as this message: http://pastebin.com/raw/TieFEiZi

I tried this, but it didn't work.

describe TEST_HTML
rawbody TEST_HTML /bContent-Type: text\/html\b/i
score TEST_HTML 0.1

Any ideas, how to achieve via rule that scans body (or header)? Tried both.

Thanks.
Rob

scan an HTML file, possible?
Hi, everyone

I have a very nice regex a friend passed me that catches those emails that have an HTML attached with a redirect html command to some malefic website.

He has some tool in Exim that scans text in attachments. But I wanted to use a spamassassin rule.

Is there some plugin/way in Spamassassin to scan text of an html attachment?

Thanks!
Rob

eval:check_uridnsbl to check subdomains
Hi, everyone

We are trying to query subdomains of a DNSBL in body of message, but learned that the default plugin we use, used by URIBL, caps off subdomains.

This is the rule we based ourselves on... it works fine, except for subdomains... it considers the domain part...

urirhssub URIBL_GREY multi.uribl.com. A 2
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 0.25

Explained here http://www.gossamer-threads.com/lists/spamassassin/users/194077

How can I make it work with subdomains also? Perhaps adapt the plugin? Or use some other plugin that is able to check subdomains and doesn't cap them off?

Thanks a lot,
Robert

Re: understanding HELO_DYNAMIC_IPADDR
Thanks a lot for your answer, sorry for confusion.

But why add such a high score of 3,24 just before the host that sent my server mail is webmail-201.76.63.163.ig.com.br ?

It's considered a dynamic IP? It isn't, it's IG's server sending mail to our server.

Can I ask Spamassassin folks to improve this?

Thanks

2016-05-01 11:06 GMT-03:00 RW <rwmailli...@googlemail.com>:

> On Sun, 1 May 2016 10:20:09 -0300
> Robert Boyl wrote:
>
> > Hi, everyone
> >
> > I've seen some discussion in Spamassassin's bugzilla about this
> > HELO_DYNAMIC_IPADDR rule, some unanswered over years.
> >
> > It says in description: # (require an alpha first, as legit
> > HELO'ing-as-IP-address is hit otherwise)
> >
> > Is it talking about the host that first appears, that sent the email
> > authenticated to his ISP or the host/ISP that delivers to our server?
>
> The latter.
>
> > This is the host that delivered mail to my ISP:
> >
> > Received: from webmail-201.76.63.163.ig.com.br (
> > webmail-201.76.63.163.ig.com.br [201.76.63.163]) by mx3.myisp.com with
> > ESMTP id rDrGtcYe1PdHDBfh; Wed, 06 Apr 2016 09:02:10 -0400 (EDT)
> > X-Barracuda-Envelope-From: some-sen...@ig.com.br
> >
> > I don't understand, since IMHO it shouldn't matter the host that sent
> > mail to its ISP, if it's dynamic or not. IMHO what should matter is
> > the ISP sending mail to our ISP and in that case, the host does NOT
> > start with a number.
>
> It's not about whether it starts with a number. The comment you quoted is
> "require an alpha first", and alpha means a letter.
>
> webmail-201.76.63.163.ig.com.br starts with a letter and contains an IP
> address.

Very low score for spam from b2blistappenders.com
Hi, everyone

Pls, do you get a good spam score on this? For us, no hits for spamassassin, etc.

I checked in test sites such as http://spamcheck.postmarkapp.com/ and also very low score. Strange, as it does seem to have spammy words, etc... no?

See: http://pastebin.com/EJH1eddN

Thanks!
Robert

Regex in case of spaces
Hi, everyone!

Sorry, lame with regex. How can I make a rule to catch:

Need to buy a product ?

And also catch "need to buy a product?"

Note the extra spacing. Tried this, didn't work:

describe TEST123 test
body TEST123 /\bNeed to buy products *\?\b/i
score TEST123 0.0

If possible, also make it catch if more than 1 question mark :)

Thanks!
Robert

Abused accounts
Hi, everyone

Please check http://pastebin.com/GUBqpyZ8

Interesting how some spams that abuse some legit account such as this one are hard to detect, how Spamassassin scores almost nothing although there are spammy words, etc. System caught DCC_CHECK 1.10.

Some other systems such as isnotspam.com caught some SA rule which doesn't exist anymore in latest SA... AXB_X_FF_SEZ_S=3.10.

Any ways to report such spams to spamassassin devels so they can try to create new rules? Any tips how to mark such mails as spam?

Thanks!
Robert