Re: EMERGENCY RULE: porntube redirect
I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran spamassassin --lint and got: That's the wrong way round, seriously. Do not restart SA after changes, unless --lint comes out clean. guenther -- char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: EMERGENCY RULE: porntube redirect
On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote: I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran spamassassin --lint and got: That's the wrong way round, seriously. Do not restart SA after changes, unless --lint comes out clean. guenther Hmm, I've always understood that SA needs to be restarted to get any new rules added read, though you may be right, sa-update runs a --lint before stopping and starting SA. -- Chris KeyID 0xE372A7DA98E6705C pgpsdm5Wf5rh5.pgp Description: PGP signature
Re: EMERGENCY RULE: porntube redirect
On Fri, 2008-06-20 at 17:53 -0500, Chris wrote: On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote: That's the wrong way round, seriously. Do not restart SA after changes, unless --lint comes out clean. Hmm, I've always understood that SA needs to be restarted to get any new rules added read, though you may be right, sa-update runs a --lint before stopping and starting SA. Yes, this is true when using spamd, or any other daemonized third party tool using the SA API directly, like amavis. This is *not* true, when calling 'spamassassin' directly, which you do for linting. In this case a new SA process is being started, reading all config files from disk, entirely unrelated to a possibly running spamd. So, while your daemonized spamd is running, you can edit the cf files without harming the precious, busy spamd, lint your changes, and even test them using 'spamassassin'. Only when you're happy with your changes, restart the daemon to make it pick up the freshly changed (and hopefully linted ;) rules. guenther -- char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
EMERGENCY RULE: porntube redirect
Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect scoreGMD_R_DOT_HTML 3.5 Note: making it an uri rule doesn't hit them all. enjoy
Re: EMERGENCY RULE: porntube redirect
On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote: Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect scoreGMD_R_DOT_HTML 3.5 Note: making it an uri rule doesn't hit them all. enjoy It and video.exe are Storm. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: EMERGENCY RULE: porntube redirect
Jeff Chan writes: On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote: Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect scoreGMD_R_DOT_HTML 3.5 Note: making it an uri rule doesn't hit them all. if you can find a case where the uri rule doesn't match but the rawbody does, and the URL works, please open a bug! enjoy It and video.exe are Storm. yeah, I was thinking it looked familiar. BAD_ENC_HEADER hits them all btw, on the Subject line's encoding. and there's some interesting regularity in the Message-ID: Message-id: Q0150625piByoZfn/[EMAIL PROTECTED] Message-id: N7556814WYcmtrMl/[EMAIL PROTECTED] Message-id: P5195955SYbtbcft/[EMAIL PROTECTED] Message-id: P2384398XFKSgzjs/[EMAIL PROTECTED] also, odd spaces: Date: Thu, 19 Jun 2008 17:04:32 +0200 Date: Thu, 19 Jun 2008 18:03:54 +0300 Date: Thu, 19 Jun 2008 17:03:49 +0200 Date: Thu, 19 Jun 2008 10:02:50 -0500 --j.
Re: EMERGENCY RULE: porntube redirect
Hi! Message-id: Q0150625piByoZfn/[EMAIL PROTECTED] Message-id: N7556814WYcmtrMl/[EMAIL PROTECTED] Message-id: P5195955SYbtbcft/[EMAIL PROTECTED] Message-id: P2384398XFKSgzjs/[EMAIL PROTECTED] also, odd spaces: Date: Thu, 19 Jun 2008 17:04:32 +0200 Date: Thu, 19 Jun 2008 18:03:54 +0300 Date: Thu, 19 Jun 2008 17:03:49 +0200 Date: Thu, 19 Jun 2008 10:02:50 -0500 Yups... hits SPACED_DATE also ;) Bye, Raymond.
Re: EMERGENCY RULE: porntube redirect
On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote: Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect score GMD_R_DOT_HTML 3.5 Note: making it an uri rule doesn't hit them all. enjoy I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran spamassassin --lint and got: [EMAIL PROTECTED] ~]$ spamassassin --lint [25034] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: score GMD_R_DOT_HTML 3.5 [25034] warn: config: warning: description exists for non-existent rule GMD_R_DOT_HTML [25034] warn: lint: 2 issues detected, please rerun with debug enabled for more information I know it can't be that hard to c/p a rule, though it seems I either messed something up or SA didn't like the rule. -- Chris KeyID 0xE372A7DA98E6705C pgp2gZfCUVttl.pgp Description: PGP signature
Re: EMERGENCY RULE: porntube redirect
Chris [EMAIL PROTECTED] wrote: On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote: Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect scoreGMD_R_DOT_HTML 3.5 Note: making it an uri rule doesn't hit them all. enjoy I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran spamassassin --lint and got: [...] I know it can't be that hard to c/p a rule, though it seems I either messed something up or SA didn't like the rule. I think something went awry with your whitespace during the cutpaste. Try editing the local.cf in vim, delete what appear to be spaces in the GMD rules, re-insert them, and then --lint again. -- Sahil Tandon [EMAIL PROTECTED]
Re: EMERGENCY RULE: porntube redirect
On Thursday 19 June 2008 7:50 pm, Sahil Tandon wrote: Chris [EMAIL PROTECTED] wrote: On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote: Guys, you're being hit with hacked web site URIs showing up in a heavy spam flood. I see Uribl.com got most of them, but in case: rawbody GMD_R_DOT_HTML /\/r\.html$/ describe GMD_R_DOT_HTML Possible hacked site with porntube redirect score GMD_R_DOT_HTML 3.5 I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran spamassassin --lint and got: I know it can't be that hard to c/p a rule, though it seems I either messed something up or SA didn't like the rule. I think something went awry with your whitespace during the cutpaste. Try editing the local.cf in vim, delete what appear to be spaces in the GMD rules, re-insert them, and then --lint again. That did the trick, I should have learned from prior experience and typed it in manually in the first place. Thanks Chris -- Chris KeyID 0xE372A7DA98E6705C pgpe3pN3wFhas.pgp Description: PGP signature