RE: New rules..

2015-11-03 Thread John Hardin

On Tue, 3 Nov 2015, Richard Mealing wrote:


From: John Hardin [mailto:jhar...@impsec.org]


So, to generalize the pattern: *your* (the recipient) domain is
(somewhere) in the username part of the From email address?


Hi John - Yup!

From address is - fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
It's not actually that, but similar. We are seeing this quite a bit and


This sounds like a fairly minor variation of the __TO_EQ_FROM and 
__PDS_TO_EQ_FROM_NAME rules in my sandbox.


Catching the case where the From header is after the To or (if your 
Received headers include the recipient address) Received header(s) is 
fairly simple, but if the From header is first that's a lot more difficult 
- there's no clear way to know *how much* of the From address to capture 
to match to the recipient domain.


Can you post the full headers from such a message to pastebin? (...or, if 
you would want to keep the email addresses private, zip one up and send it 
to me rather than mangling it - you'd be mangling stuff the rule's looking 
for.)



I wondered if anyone else was. I guess not?


I haven't noticed such, but my email volume isn't that large.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If you are "fighting for social justice," then you are defining
  yourself as someone who considers regular old everyday
  *equal* justice to be something you don't want.   -- GOF at TSM
---
 8 days until Veterans Day
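
The generalized pattern discussed in the message above (the recipient's domain appearing in the username part of the From address), as an added example that is not part of the original post and is not a SpamAssassin rule. It parses the headers, so the order of From, To and Received does not matter; the function names, the `rcpt.example` / `bulk.example` sample domains and the treatment of a leading `=` (VERP-style `user=domain` encoding) as benign are assumptions made here.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# "for <user@domain>" clause that some MTAs record in Received headers.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;@]+@[^\s<>;@]+)>?", re.I)


def recipient_domains(msg):
    """Collect recipient domains from To, Cc and any Received 'for' clause."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for received in msg.get_all("Received", []):
        addrs.extend(RECEIVED_FOR.findall(received))
    domains = {a.rpartition("@")[2].lower().rstrip(".") for a in addrs if "@" in a}
    domains.discard("")
    return domains


def embedded_recipient_domains(raw_message):
    """Return the recipient domains found inside the From address's local part."""
    msg = message_from_string(raw_message)
    domains = recipient_domains(msg)
    hits = set()
    for _, addr in getaddresses(msg.get_all("From", [])):
        local, at, _ = addr.rpartition("@")
        if not at:
            continue
        for dom in domains:
            # Match whole labels only, so "notrcpt.example" does not count.
            # A leading "=" is VERP-style recipient encoding (user=domain)
            # and is treated as benign here (assumption, not from the thread).
            pattern = r"(?<![a-z0-9=-])" + re.escape(dom) + r"(?![a-z0-9-])"
            if re.search(pattern, local.lower()):
                hits.add(dom)
    return sorted(hits)


# Constructed sample messages (not real mail).
SPAM_FROM_FIRST = (
    "From: rcpt.example.12056010.bob.jones885@vmta27.bulk.example\n"
    "To: rich@rcpt.example\n"
    "Subject: constructed sample\n\nbody\n"
)
SPAM_TO_FIRST = (
    "To: rich@rcpt.example\n"
    'From: "Bob Jones" <rcpt.example.12056010.bob.jones885@vmta27.bulk.example>\n'
    "Subject: constructed sample\n\nbody\n"
)
# Recipient only visible in the Received header, as with Bcc'd mail.
SPAM_RCPT_IN_RECEIVED = (
    "Received: from vmta27.bulk.example by mx.rcpt.example with ESMTP\n"
    "\tfor <rich@rcpt.example>; Tue, 3 Nov 2015 17:00:00 +0000\n"
    "From: rcpt.example.12056010.bob.jones885@vmta27.bulk.example\n"
    "To: undisclosed-recipients:;\n\nbody\n"
)
HAM = "From: bob.jones@bulk.example\nTo: rich@rcpt.example\n\nbody\n"
VERP = (
    "From: list-bounces+rich=rcpt.example@lists.example\n"
    "To: rich@rcpt.example\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("SPAM_FROM_FIRST", "SPAM_TO_FIRST", "SPAM_RCPT_IN_RECEIVED", "HAM", "VERP"):
        print(name, embedded_recipient_domains(globals()[name]))
```
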


RE: New rules..

2015-11-03 Thread Richard Mealing


-Original Message-
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: 03 November 2015 17:18
To: users@spamassassin.apache.org
Subject: RE: New rules..

On Tue, 3 Nov 2015, Richard Mealing wrote:

> So I'm looking for something that would block this -
>
> fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
>
> I was thinking of just creating a rule to sort this out with something 
> like - ^fastnet\.co\.uk.\d+..*@
>
> header FROM_IS_FAKE_FASTNET From =~ /^fastnet\.co\.uk.\d+..*@/i
> score FROM_IS_FAKE_FASTNET 1.0
> describe FROM_IS_FAKE_FASTNET from contains fastnet.co.uk_something_@
>
> But I wondered if there was a better way to do it. Would this work do 
> you think? Obviously this would only catch the items on my own domain, 
> so it's not a brilliant solution. I was wondering if anyone wrote 
> something better.

So, to generalize the pattern: *your* (the recipient) domain is
(somewhere) in the username part of the From email address?


Hi John - Yup!
From address is - fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
It's not actually that, but similar. We are seeing this quite a bit and I 
wondered if anyone else was. I guess not? 

Thanks,
Rich


RE: New rules..

2015-11-03 Thread John Hardin

On Tue, 3 Nov 2015, Richard Mealing wrote:


So I'm looking for something that would block this -

fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...

I was thinking of just creating a rule to sort this out with something like - 
^fastnet\.co\.uk.\d+..*@

header FROM_IS_FAKE_FASTNET From =~ /^fastnet\.co\.uk.\d+..*@/i
score FROM_IS_FAKE_FASTNET 1.0
describe FROM_IS_FAKE_FASTNET from contains fastnet.co.uk_something_@

But I wondered if there was a better way to do it. Would this work do 
you think? Obviously this would only catch the items on my own domain, 
so it's not a brilliant solution. I was wondering if anyone wrote 
something better.


So, to generalize the pattern: *your* (the recipient) domain is 
(somewhere) in the username part of the From email address?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where are my space habitats? Where is my flying car?
  It's 2010 and all I got from the SF books of my youth
  is the lousy dystopian government.  -- perlhaqr
---
 8 days until Veterans Day


RE: New rules..

2015-11-03 Thread Richard Mealing



From: Joe Quinn [mailto:jqu...@pccc.com]
Sent: 02 November 2015 17:13
To: users@spamassassin.apache.org
Subject: Re: New rules..

On 11/2/2015 12:00 PM, Richard Mealing wrote:
Hi there,

Would this be the best list to talk about new rules for spamassassin?
I'm new here..

Thanks,
Rich
This would be an excellent place, yes. The more technical discussion for things 
like bugs in eval rules will generally happen in dev@ but there can be some 
overlap.



So I'm looking for something that would block this -

fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...

I was thinking of just creating a rule to sort this out with something like - 
^fastnet\.co\.uk.\d+..*@

header FROM_IS_FAKE_FASTNET From =~ /^fastnet\.co\.uk.\d+..*@/i
score FROM_IS_FAKE_FASTNET 1.0
describe FROM_IS_FAKE_FASTNET from contains fastnet.co.uk_something_@

But I wondered if there was a better way to do it. Would this work do you 
think? Obviously this would only catch the items on my own domain, so it's not 
a brilliant solution. I was wondering if anyone wrote something better.

Thanks,
Rich


Re: New rules..

2015-11-02 Thread John Hardin

On Mon, 2 Nov 2015, Joe Quinn wrote:


On 11/2/2015 12:00 PM, Richard Mealing wrote:


 Would this be the best list to talk about new rules for spamassassin?


This would be an excellent place, yes.


Additionally: make sure you take a look at the rules sandboxes in SVN. 
There may already be a rule there for what you want, it just may not be 
performing well enough against the masscheck corpora to be promoted and 
published.


   http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Drugs will always be around. Politicians are therefore making an
  active decision to distribute them through violent gangs. --twitter
---
 9 days until Veterans Day


Re: New rules..

2015-11-02 Thread Joe Quinn

On 11/2/2015 12:00 PM, Richard Mealing wrote:


Hi there,

Would this be the best list to talk about new rules for spamassassin?

I'm new here..

Thanks,

Rich

This would be an excellent place, yes. The more technical discussion for 
things like bugs in eval rules will generally happen in dev@ but there 
can be some overlap.


Re: New rules..

2015-11-02 Thread Kevin A. McGrail

On 11/2/2015 12:00 PM, Richard Mealing wrote:


Hi there,

Would this be the best list to talk about new rules for spamassassin?

I’m new here..

Thanks,

Rich

Sure though if you are writing rules and want feedback, dev@ might be a 
better list!


Re: new rules - where do i activate them?

2011-03-04 Thread tr_ust

Well, it's finally working!  Thanks again everyone.  It was probably a
combination of things, but after I got the rules working it wasn't scanning
the emails because of an LDAP attribute and settings that needed to be put
in for SA to work with Sun Messaging.  Again, Thank you.
-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31068232.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-03 Thread Karsten Bräckelmann
On Thu, 2011-03-03 at 09:55 -0800, an anonymous Nabble user wrote:
> > Even worse, you outright ignored my post explaining this. Despite the
> > fact, you actually replied to it. And quoted it in full below.
> 
> Quite the opposite, I took your advice - even though it might look to you as
> if I didn't.

OK, my apologies then.

However, I still believe disabled network tests is your main issue, and
should be fixed. That will help tremendously.

> 1) I uploaded an email to the server to test.  Not what I was doing before.  
> 2) You said not to use the -L option and I didn't.  
> 3) turn skip_rbl_checks 1 ... I tried looking for this option and couldn't
> find the file that had this option.  
> 4) I made sure DNS was available using the -D option.  
> 
> Those were all your suggestions that I followed and totally opposite of what
> you thought.  As for #3, I just couldn't find, and when I tested it and saw
> the rules come up I thought I was in the right track.

You can use the following to find your site-config directory. That's
where your site-wide settings are.

  spamassassin -D --lint 2>&1 | grep "site rules"


> > Also, I seriously doubt you tested your rules "with a real email" as you
> > said. Notice the NO_RELAYS rule hit for an example. The sample was
> > either severely damaged, or a very bad copy-n-paste from a source that
> > just does not resemble a raw mail.
> 
> Like I said I uploaded an email file.  I don't know if that counts as a real
> email...

What is an "email file", and how did you "upload" it? What you need for
testing is a raw email, including all headers. How you get that depends
on your server and storage backend. And/or your MUA. However, if it is a
real spam you received, NO_RELAYS must not trigger.


> > That just is not how SA works. It does not reject spam. It does not
> > block it, dump it, or otherwise prevent mail from "going through".
> 
> I'm not saying it should block it (i didn't make this clear), but the
> Subject line isn't changing.  From what I've read, it should change the
> subject line to SPAM*, but it's not doing that.  It doesn't seem
> like SA is scanning the mail.  I've already looked at the sun messaging logs
> and there's no indication of SA scanning the emails.
[...]
> Again, I'm not ignoring your suggestions or anyone else's.  I'm extremely
> new to SA and to Sun/Oracle messaging services.  I'm trying to understand
> and researching...

So all this might also depend on that Sun/Oracle messaging services.
Ultimately, *how* is SA being called?

I don't know, cause I don't know that server. But similar to Amavis, it
might have configuration of its own, actually overriding the vanilla SA
configuration.

Again, enabling network tests should be your main goal for now. With
real incoming spam, you then should see rules fire like RCVD_IN_*,
URIBL_BACK and SURBL_*.


> It may be easy and obvious to you, but I'm here because
> i'm starting from scratch.  I probably know less than a percent of what you
> know about SA.  I'm trying to learn and get advice.  If my newbie behavior
> annoys or frustrate you, I apologize, but as much as I appreciate that you
> are helping, but a little understanding of how new I am to this would be
> greatly appreciated.  And if I still annoy or frustrate you, just ignore my
> post, helping is voluntary.

Crucial first point: Outline your OS, mail system, and how SA gets
called.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: new rules - where do i activate them?

2011-03-03 Thread Martin Gregorie
On Thu, 2011-03-03 at 09:55 -0800, tr_ust wrote:

> I've already looked at the sun messaging logs
> and there's no indication of SA scanning the emails.
> 
On my Linux system spamd logs summaries of each scan to /var/log/maillog
by default. Spamassassin doesn't seem to do this.


Martin




Re: new rules - where do i activate them?

2011-03-03 Thread John Hardin

On Thu, 3 Mar 2011, tr_ust wrote:


Also, I seriously doubt you tested your rules "with a real email" as you
said. Notice the NO_RELAYS rule hit for an example. The sample was
either severely damaged, or a very bad copy-n-paste from a source that
just does not resemble a raw mail.


Like I said I uploaded an email file.  I don't know if that counts as a real
email...


It might, it might not, depending on how it was produced. Exporting a 
message from many email clients may not produce a correct RFC-2822-format 
file with all headers intact.


The canonical request we have when asked to help someone troubleshoot 
something is this: Please post the entire message, with _all_ headers 
intact, to something like pastebin.com or a plain text file on a website 
you host and send the URL for it to the list, so that we can see exactly 
when SA is being asked to analyze. Please _do not_ send the message itself 
to the list.


Being this is a spam, there shouldn't be anything sensitive present, but 
if you want to obscure private email addresses or hosts, the best way to 
do that is to change the domain name to "example.com" and make no other 
changes. Specifically, don't mangle email address, host names or IP 
addresses so that they don't look like email addresses or host names or IP 
addresses, as doing that will affect SA's analysis.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say "I don't want the government to do X", do not
  automatically assume that means I don't want X to happen.
---
 10 days until Albert Einstein's 132nd Birthday


Re: new rules - where do i activate them?

2011-03-03 Thread tr_ust


>You are *still* running with network tests disabled. Again, there's
>almost certainly no need for these custom rules and playing whack-a-mole
>with new URIs, if you enable network tests. URIBL and SURBL will do a
>better job at catching them early than you ever could do on your own.

It's not "whack-a-mole", I'm getting the list of URIs from
http://aper.svn.sourceforge.net/, some of these sites are not listed in the
uribl list.

>Even worse, you outright ignored my post explaining this. Despite the
>fact, you actually replied to it. And quoted it in full below.

Quite the opposite, I took your advice - even though it might look to you as
if I didn't.  
1) I uploaded an email to the server to test.  Not what I was doing before.  
2) You said not to use the -L option and I didn't.  
3) turn skip_rbl_checks 1 ... I tried looking for this option and couldn't
find the file that had this option.  
4) I made sure DNS was available using the -D option.  

Those were all your suggestions that I followed and totally opposite of what
you thought.  As for #3, I just couldn't find, and when I tested it and saw
the rules come up I thought I was in the right track.

>Also, I seriously doubt you tested your rules "with a real email" as you
>said. Notice the NO_RELAYS rule hit for an example. The sample was
>either severely damaged, or a very bad copy-n-paste from a source that
>just does not resemble a raw mail.

Like I said I uploaded an email file.  I don't know if that counts as a real
email...

> I told you before to read some basic docs.

I have read some docs - but they weren't helping with what I was trying to
do.  That's why I'm here hoping someone could help.

>That just is not how SA works. It does not reject spam. It does not
>block it, dump it, or otherwise prevent mail from "going through".

I'm not saying it should block it (I didn't make this clear), but the
Subject line isn't changing.  From what I've read, it should change the
subject line to SPAM*, but it's not doing that.  It doesn't seem
like SA is scanning the mail.  I've already looked at the sun messaging logs
and there's no indication of SA scanning the emails.


Useless full-quote snipped. Please go back in the thread and read my
explanation again, carefully.

> I'm new to this forum, I hit reply and that's what it gave me. 


>If you want us to help, you should stop ignoring our advice. It might
>surprise you, but there may be better solutions to your obvious problem.
>Better than maintaining a list of bad uri rules on your own...

Again, I'm not ignoring your suggestions or anyone else's.  I'm extremely
new to SA and to Sun/Oracle messaging services.  I'm trying to understand
and researching...It may be easy and obvious to you, but I'm here because
I'm starting from scratch.  I probably know less than a percent of what you
know about SA.  I'm trying to learn and get advice.  If my newbie behavior
annoys or frustrates you, I apologize, but as much as I appreciate that you
are helping, but a little understanding of how new I am to this would be
greatly appreciated.  And if I still annoy or frustrate you, just ignore my
post, helping is voluntary.




-- 
char
*t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
}}}




-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31061099.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-03 Thread Karsten Bräckelmann
On Thu, 2011-03-03 at 07:59 -0800, an anonymous Nabble user wrote:
> For the first time I finally feel like I'm getting closer to getting this
> thing to work - THANKS EVERYONE FOR ALL THE HELP! I did a test with a real
> email this time that included a blocked uri and it actually scored it!

Congrats. So you managed to write some correct uri rules based on this
already rather extensive thread. However...

You are *still* running with network tests disabled. Again, there's
almost certainly no need for these custom rules and playing whack-a-mole
with new URIs, if you enable network tests. URIBL and SURBL will do a
better job at catching them early than you ever could do on your own.

Even worse, you outright ignored my post explaining this. Despite the
fact, you actually replied to it. And quoted it in full below.


Also, I seriously doubt you tested your rules "with a real email" as you
said. Notice the NO_RELAYS rule hit for an example. The sample was
either severely damaged, or a very bad copy-n-paste from a source that
just does not resemble a raw mail.


> -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
>  0.9 MISSING_HEADERS        Missing To: header
>   20 LOCAL_URI_EXAMPLE_13   URI: LOCAL_URI_EXAMPLE_13

> I'm not there just yet though...is there a spamassassin log file?  Although
> it looks to be working from the test, I just sent the same message that was
> scanned from an outside email and it went through.

I told you before to read some basic docs.

That just is not how SA works. It does not reject spam. It does not
block it, dump it, or otherwise prevent mail from "going through".

SA classifies mail. Any action whatsoever based on this assessment (the
overall score and binary ham/spam classification) is the duty of other
tools in your mail processing chain. They need to take action, and do
whatever you tell 'em to do with spam.


Useless full-quote snipped. Please go back in the thread and read my
explanation again, carefully.

If you want us to help, you should stop ignoring our advice. It might
surprise you, but there may be better solutions to your obvious problem.
Better than maintaining a list of bad uri rules on your own...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: new rules - where do i activate them?

2011-03-03 Thread tr_ust

For the first time I finally feel like I'm getting closer to getting this
thing to work - THANKS EVERYONE FOR ALL THE HELP! I did a test with a real
email this time that included a blocked uri and it actually scored it!

Content analysis details:   (24.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.9 MISSING_HEADERS        Missing To: header
  20 LOCAL_URI_EXAMPLE_13   URI: LOCAL_URI_EXAMPLE_13
 0.5 NULL_IN_BODY           FULL: Message has NUL (ASCII 0) byte in message
 0.6 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_SUBJECT        Missing Subject: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 2.7 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822
                            headers


I'm not there just yet though...is there a spamassassin log file?  Although
it looks to be working from the test, I just sent the same message that was
scanned from an outside email and it went through.





Karsten Bräckelmann-2 wrote:
> 
> On Wed, 2011-03-02 at 13:59 -0800, an anonymous Nabble user wrote:
>> Thanks Martin, for your help and time.  As you can see, I'm really new to
>> SA. 
>> I do see that the rules are there from the install and the the DNS module
>> is
>> there.  However, when I send a test email it doesn't score for the bl
>> uri. 
>> I created a test message that the only thing it has is 9hz.com, which is
>> a
>> bl site, and this is how it scores it.
> 
>>  0.9 MISSING_HEADERS        Missing To: header
> 
> From your scores I can tell you are using SA 3.3.x, and score-set 0.
> That is, both Bayes AND network tests disabled. You will need to enable
> network tests. Or rather, not disable them, since they are enabled by
> default.
> 
> Hint: The option 'skip_rbl_checks 1' does NOT enable them, despite the
> positive 1 argument.
> 
> Likewise, make sure skip_uribl_checks is not set to 1, either. And do
> not use the -L, --local option with 'spamassassin' (for ad-hoc testing)
> or 'spamd', since this explicitly disables network tests.
> 
> Also, do make sure DNS works on that machine. That is, specifically the
> first nameserver entry in /etc/resolv.conf must work.
> 
> The -D debug output will tell you if DNS is available, though not with
> the --lint option, which disables network tests. Feed it a mail instead.
> 
> 
>> No points for the uri rule.
> 
> User support is all about being psychic -- or crystal balls. ;)
> 
> (More serious, this is the classic of not just answering a particular
> user question, but to understand -- and have the user articulate --
> their actual issue, not what they think might solve it...)
> 
>> >>> On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
>> 
>>  Point being, this domain and likely most (if not all) others in the
>> list
>>  you're basing off, are listed in URI DNSBLs. This particular one is
>>  listed in URIBL and SURBL JP and PH. With network test enabled, SA
>> will
>>  score them high already.
>> 
>>  So what is the point in this static, and likely huge, list of uri
>>  rules?
> 
> -- 
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31059962.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-02 Thread Karsten Bräckelmann
On Wed, 2011-03-02 at 13:59 -0800, an anonymous Nabble user wrote:
> Thanks Martin, for your help and time.  As you can see, I'm really new to SA. 
> I do see that the rules are there from the install and the DNS module is
> there.  However, when I send a test email it doesn't score for the bl uri. 
> I created a test message that the only thing it has is 9hz.com, which is a
> bl site, and this is how it scores it.

>  0.9 MISSING_HEADERS        Missing To: header

From your scores I can tell you are using SA 3.3.x, and score-set 0.
That is, both Bayes AND network tests disabled. You will need to enable
network tests. Or rather, not disable them, since they are enabled by
default.

Hint: The option 'skip_rbl_checks 1' does NOT enable them, despite the
positive 1 argument.

Likewise, make sure skip_uribl_checks is not set to 1, either. And do
not use the -L, --local option with 'spamassassin' (for ad-hoc testing)
or 'spamd', since this explicitly disables network tests.

Also, do make sure DNS works on that machine. That is, specifically the
first nameserver entry in /etc/resolv.conf must work.

The -D debug output will tell you if DNS is available, though not with
the --lint option, which disables network tests. Feed it a mail instead.


> No points for the uri rule.

User support is all about being psychic -- or crystal balls. ;)

(More serious, this is the classic of not just answering a particular
user question, but to understand -- and have the user articulate --
their actual issue, not what they think might solve it...)

> >>> On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
> 
>  Point being, this domain and likely most (if not all) others in the list
>  you're basing off, are listed in URI DNSBLs. This particular one is
>  listed in URIBL and SURBL JP and PH. With network test enabled, SA will
>  score them high already.
> 
>  So what is the point in this static, and likely huge, list of uri
>  rules?

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
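
The checklist in the message above (skip_rbl_checks, skip_uribl_checks, -L/--local, and --lint), as an added example that is not part of the original post and not SpamAssassin's own code. It assumes plain `name value` configuration lines where a later line overrides an earlier one; the function names and sample configuration text are constructed for illustration.

```python
import shlex

# Settings named in the message above; a value of 1 turns the checks OFF.
SKIP_SETTINGS = ("skip_rbl_checks", "skip_uribl_checks")
# Command-line options the message says disable network tests.
LOCAL_ONLY_OPTIONS = ("-L", "--local", "--lint")


def effective_skip_settings(cf_text):
    """Return the final value of each skip_* setting found in the config text."""
    values = {}
    for line in cf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) == 2 and fields[0] in SKIP_SETTINGS:
            values[fields[0]] = fields[1]        # later lines override earlier
    return values


def network_test_blockers(cf_text, command_line):
    """List everything in config and invocation that disables network tests."""
    blockers = [
        ("config", name)
        for name, value in effective_skip_settings(cf_text).items()
        if value == "1"
    ]
    # Only exact option tokens are recognised; argv[0] is the program name.
    for arg in shlex.split(command_line)[1:]:
        if arg in LOCAL_ONLY_OPTIONS:
            blockers.append(("option", arg))
    return blockers


# Constructed configuration text (not from the thread).
BROKEN_CF = (
    "# constructed local.cf\n"
    "required_score 5.0\n"
    "skip_rbl_checks 1    # misread as 'enable'\n"
    "skip_uribl_checks 0\n"
)
FIXED_CF = "skip_rbl_checks 1\nskip_rbl_checks 0\n"

if __name__ == "__main__":
    print(network_test_blockers(BROKEN_CF, "spamassassin -D -L"))
    print(network_test_blockers(FIXED_CF, "spamd -d -c"))
    print(network_test_blockers("", "spamassassin -D --lint"))
```
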



Re: new rules - where do i activate them?

2011-03-02 Thread John Hardin

On Wed, 2 Mar 2011, tr_ust wrote:


Thanks Martin, for your help and time.  As you can see, I'm really new to SA.
I do see that the rules are there from the install and the DNS module is
there.  However, when I send a test email it doesn't score for the bl uri.
I created a test message that the only thing it has is 9hz.com, which is a
bl site, and this is how it scores it.

Content analysis details:   (6.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.9 MISSING_HEADERS        Missing To: header
 0.6 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_SUBJECT        Missing Subject: header
 2.2 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
-0.0 NO_RECEIVED            Informational: message has no Received headers
 2.7 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822
                            headers



No points for the uri rule.


Your test message appears poorly-formed.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 11 days until Albert Einstein's 132nd Birthday


Re: new rules - where do i activate them?

2011-03-02 Thread tr_ust

Thanks Martin, for your help and time.  As you can see, I'm really new to SA. 
I do see that the rules are there from the install and the DNS module is
there.  However, when I send a test email it doesn't score for the bl uri. 
I created a test message that the only thing it has is 9hz.com, which is a
bl site, and this is how it scores it.

Content analysis details:   (6.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.9 MISSING_HEADERS        Missing To: header
 0.6 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_SUBJECT        Missing Subject: header
 2.2 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
-0.0 NO_RECEIVED            Informational: message has no Received headers
 2.7 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822
                            headers



No points for the uri rule.




Martin Hepworth-2 wrote:
> 
> Those rules are already in the default spamassassin install, just make
> sure you've got the perl dns modules installed and theyll run
> automatically
> 
> Martin.
> 
> Run "spamassassin -D -lint" and you'll see if u have the perl modules
> etc installed
> 
> On Wednesday, 2 March 2011, tr_ust  wrote:
>>
>> All you had to do is add these lines to a cf file?
>>
>> urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
>> body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
>> describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
>> tflags          URIBL_BLACK  net
>> score           URIBL_BLACK  3.0
>>
>> urirhssub       URIBL_GREY  multi.uribl.com.        A   4
>> body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
>> describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
>> tflags          URIBL_GREY  net
>> score           URIBL_GREY  0.25
>>
>>
>>
>>
>> RGB Camera wrote:
>>>
>>> I can't comment about the particular URIs mentioned in this
>>> discussion, but we do run some URI rules that are redundant with URIBL
>>> listings.
>>>
>>> The reason we do this is because URIBL listings will sometimes
>>> time-out and be removed.  So we will list some domain names in our
>>> rules in case they are dropped by URIBL et al later.
>>>
>>>
>>>
>>> On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
>>>>
>>>> Point being, this domain and likely most (if not all) others in the list
>>>> you're basing off, are listed in URI DNSBLs. This particular one is
>>>> listed in URIBL and SURBL JP and PH. With network test enabled, SA will
>>>> score them high already.
>>>>
>>>> So what is the point in this static, and likely huge, list of uri
>>>> rules?
>>>>
>>>>
>>>
>>>
>>
>> --
>> View this message in context:
>> http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31053506.html
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>>
>>
> 
> -- 
> -- 
> Martin Hepworth
> Oxford, UK
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31054217.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-02 Thread Martin Hepworth
Those rules are already in the default spamassassin install, just make
sure you've got the perl dns modules installed and they'll run
automatically

Martin.

Run "spamassassin -D --lint" and you'll see if u have the perl modules
etc installed

On Wednesday, 2 March 2011, tr_ust  wrote:
>
> All you had to do is add these lines to a cf file?
>
> urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
> body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
> tflags          URIBL_BLACK  net
> score           URIBL_BLACK  3.0
>
> urirhssub       URIBL_GREY  multi.uribl.com.        A   4
> body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
> tflags          URIBL_GREY  net
> score           URIBL_GREY  0.25
>
>
>
>
> RGB Camera wrote:
>>
>> I can't comment about the particular URIs mentioned in this
>> discussion, but we do run some URI rules that are redundant with URIBL
>> listings.
>>
>> The reason we do this is because URIBL listings will sometimes
>> time-out and be removed.  So we will list some domain names in our
>> rules in case they are dropped by URIBL et al later.
>>
>>
>>
>> On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
>>>
>>> Point being, this domain and likely most (if not all) others in the list
>>> you're basing off, are listed in URI DNSBLs. This particular one is
>>> listed in URIBL and SURBL JP and PH. With network test enabled, SA will
>>> score them high already.
>>>
>>> So what is the point in this static, and likely huge, list of uri rules?
>>>
>>>
>>
>>
>
> --
> View this message in context: 
> http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31053506.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>

-- 
-- 
Martin Hepworth
Oxford, UK


Re: new rules - where do i activate them?

2011-03-02 Thread tr_ust

All you had to do is add these lines to a cf file?

urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  3.0

urirhssub       URIBL_GREY  multi.uribl.com.        A   4
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  0.25




RGB Camera wrote:
> 
> I can't comment about the particular URIs mentioned in this
> discussion, but we do run some URI rules that are redundant with URIBL
> listings.
> 
> The reason we do this is because URIBL listings will sometimes
> time-out and be removed.  So we will list some domain names in our
> rules in case they are dropped by URIBL et al later.
> 
> 
> 
> On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
>>
>> Point being, this domain and likely most (if not all) others in the list
>> you're basing off, are listed in URI DNSBLs. This particular one is
>> listed in URIBL and SURBL JP and PH. With network test enabled, SA will
>> score them high already.
>>
>> So what is the point in this static, and likely huge, list of uri rules?
>>
>>
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31053506.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-02 Thread RGB Camera
I can't comment about the particular URIs mentioned in this
discussion, but we do run some URI rules that are redundant with URIBL
listings.

The reason we do this is because URIBL listings will sometimes
time-out and be removed.  So we will list some domain names in our
rules in case they are dropped by URIBL et al later.



On 3/2/2011 8:49 AM, Karsten Bräckelmann wrote:
>
> Point being, this domain and likely most (if not all) others in the list
> you're basing off, are listed in URI DNSBLs. This particular one is
> listed in URIBL and SURBL JP and PH. With network test enabled, SA will
> score them high already.
>
> So what is the point in this static, and likely huge, list of uri rules?
>
>


Re: new rules - where do i activate them?

2011-03-02 Thread Karsten Bräckelmann
On Wed, 2011-03-02 at 07:46 -0800, an anonymous Nabble user wrote:
> I'm sorry - there's only one line in the sample of how to write a uri rule.

I strongly suggest to read the SA docs, at the very least some intro
style rule writing guide. Depending solely on a brief third-party usage
example without any knowledge about SA rules is unlikely to work out.

> Are you saying that for each line I need to create a unique
> "LOCAL_URI_EXAMPLE" line?  In other words it should look more like this?

If I were to guess, I'd say that rule name is an *example* and not
meant to be used literally...

> uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE_1 20

As others already have answered -- yes, the rule names must be unique.
Also, lint checking your custom rules would be very advisable.


However, maybe this whole exercise was futile anyway. What do you really
want to accomplish?

Point being, this domain and likely most (if not all) others in the list
you're basing off, are listed in URI DNSBLs. This particular one is
listed in URIBL and SURBL JP and PH. With network test enabled, SA will
score them high already.

So what is the point in this static, and likely huge, list of uri rules?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: new rules - where do i activate them?

2011-03-02 Thread Bowie Bailey
On 3/2/2011 11:43 AM, John Hardin wrote:
> On Wed, 2 Mar 2011, Bowie Bailey wrote:
>
>> On 3/2/2011 11:16 AM, Jeff Mincy wrote:
>>> Also, the rules could be combined into a single rule (untested) using
>>> regexp (?:index|nana|ontokoros|tbt|webadmin)
>>>
>>> uri LOCAL_URI_EXAMPLE
>>> /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/
>>
>> Or, if you want to catch any of the forms, you could use this:
>>
>> uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1.html/
>>
>> (also escaped the period, as that means "any character" in a Perl regex)
>
> ...almost...
>
>   uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1\.html/

Ok, so I missed a period

Already corrected in my last post.  :)

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-02 Thread Bowie Bailey
On 3/2/2011 11:32 AM, Bowie Bailey wrote:
> On 3/2/2011 11:16 AM, Jeff Mincy wrote:
>> Also, the rules could be combined into a single rule (untested) using
>> regexp (?:index|nana|ontokoros|tbt|webadmin)
>>
>> uri LOCAL_URI_EXAMPLE 
>> /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/
> Or, if you want to catch any of the forms, you could use this:
>
> uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1.html/
>
> (also escaped the period, as that means "any character" in a Perl regex)

Also, you can avoid all the extra backslashes by quoting the regex a bit
differently:

uri LOCAL_URI_EXAMPLE m'zynetsw\.com/forms/use/.*/form1\.html'

Now the only things that need quoting are the periods.

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-02 Thread John Hardin

On Wed, 2 Mar 2011, Bowie Bailey wrote:

> On 3/2/2011 11:16 AM, Jeff Mincy wrote:
>> Also, the rules could be combined into a single rule (untested) using
>> regexp (?:index|nana|ontokoros|tbt|webadmin)
>>
>> uri LOCAL_URI_EXAMPLE
>> /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/
>
> Or, if you want to catch any of the forms, you could use this:
>
> uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1.html/
>
> (also escaped the period, as that means "any character" in a Perl regex)

...almost...

  uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1\.html/



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Phobias should not be the basis for laws.
---
 11 days until Albert Einstein's 132nd Birthday


Re: new rules - where do i activate them?

2011-03-02 Thread Bowie Bailey
On 3/2/2011 11:16 AM, Jeff Mincy wrote:
> Also, the rules could be combined into a single rule (untested) using
> regexp (?:index|nana|ontokoros|tbt|webadmin)
>
> uri LOCAL_URI_EXAMPLE 
> /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/

Or, if you want to catch any of the forms, you could use this:

uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/.*\/form1.html/

(also escaped the period, as that means "any character" in a Perl regex)

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-02 Thread Martin Gregorie
On Wed, 2011-03-02 at 07:46 -0800, tr_ust wrote:
> I'm sorry - there's only one line in the sample of how to write a uri rule.
> 
> Are you saying that for each line I need to create a unique
> "LOCAL_URI_EXAMPLE" line?  In other words it should look more like this?
> 
> uri LOCAL_URI_EXAMPLE /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE 20
> 
> uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE_1 20
> 
> uri LOCAL_URI_EXAMPLE_2 /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE_2 20
> 
> Would that be correct?
> 
Short answer, yes.

Reason: every rule needs a unique name.

Longer answers: 

(a) You can combine rules by using a more complex regular expression
    (aka regex):

   describe MULTI_MATCH  Example rule to match several URIs
   uri      MULTI_MATCH  /(03ysl.1ab.com|03ysl.5zz.com|03ysl.9ml.com)/
   score    MULTI_MATCH  20

   and if the regex extends over more than one line you can use
   meta-rules to OR them together.

(b) I use a number of large regexes (25 terms on average, min 2 terms,
max over 200 terms) and wrote a script, portmanteau, that assembles
a rule from a file containing a list of terms. It's a bash script
wrapper round an awk/gawk script.

If that sounds useful, you can find the portmanteau script here:
http://www.libelle-systems.com/free/

You don't need to know Perl to write good Spamassassin rules but you do
need to be able to read and create Perl regular expressions.


Martin

 

> 
> Karsten Bräckelmann-2 wrote:
> > 
> > On Tue, 2011-03-01 at 13:11 -0500, Bowie Bailey wrote:
> >> On 3/1/2011 12:39 PM, tr_ust wrote:
> >> > Thanks...I could really use the help!  
> > 
> > [...]
> >> > uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
> >> > score LOCAL_URI_EXAMPLE 20
> >> > uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
> >> > score LOCAL_URI_EXAMPLE 20
> >> > uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
> >> > score LOCAL_URI_EXAMPLE 20
> >> >
> >> > I'm using the per user option right now for spamassassin, so I test it by
> >> > sending the user an email with one of these links...and it's still going
> >> > through.
> >> 
> >> You are aware that these rules are specifying that there MUST be a slash
> >> after .com in order to match, right?
> >> 
> >> Other than that, I don't see any obvious problem.  Send an example email
> >> through your system and put the resulting email (with headers) into a
> >> pastebin so I can look at it.
> > 
> > Uhm... There is only ONE rule. Repeatedly overwriting the previous rule
> > definition. Last one is defined, everything prior to that is effectively
> > non-existent.
> > 
> > Does that count as obvious problem? ;)
> > 
> > 
> > -- 
> > char
> > *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> > main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i > c<<=1:
> > (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> > }}}
> > 
> > 
> > 
> 
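
Points (a) and (b) above, as an added Python example (not the portmanteau script and not code from any poster): it assembles one scored rule from a list of terms, escaping each term, splitting long lists into `__`-prefixed sub-rules and OR-ing them with a `meta` rule. The function name, the `per_rule` limit and the sample terms are assumptions made for illustration; the `m'...'` quoting is the form Bowie Bailey shows elsewhere in this thread.

```python
import re


def build_uri_rules(name, terms, score, per_rule=25,
                    describe="Matches a locally listed URI"):
    """Return (sub_rules, config_text).

    sub_rules is a list of (sub-rule name, regex) pairs; config_text is the
    block to paste into a .cf file. Every term is treated as a literal
    string, so '.' in a hostname can only match a real period.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
        raise ValueError(f"bad rule name: {name!r}")
    cleaned = sorted({t.strip() for t in terms if t.strip()})  # dedupe
    if not cleaned:
        raise ValueError("no terms supplied")
    for term in cleaned:
        # m'...' is used as the delimiter, so a quote would end the regex.
        if "'" in term or any(ch.isspace() for ch in term):
            raise ValueError(f"term not usable in a uri rule: {term!r}")

    sub_rules = []
    for index, start in enumerate(range(0, len(cleaned), per_rule)):
        chunk = cleaned[start:start + per_rule]
        alternation = "|".join(re.escape(term) for term in chunk)
        # Names starting with "__" are unscored sub-rules; only the meta
        # rule below carries a score, and each name is used exactly once.
        sub_rules.append((f"__{name}_{index:02d}", f"(?:{alternation})"))

    lines = [f"uri      {sub}  m'{regex}'" for sub, regex in sub_rules]
    any_hit = " || ".join(sub for sub, _ in sub_rules)
    lines.append(f"meta     {name}  ({any_hit})")
    lines.append(f"describe {name}  {describe}")
    lines.append(f"score    {name}  {score}")
    return sub_rules, "\n".join(lines) + "\n"


# Constructed sample terms (one duplicate on purpose).
SAMPLE_TERMS = [
    "03ysl.1ab.com",
    "03ysl.5zz.com",
    "03ysl.9ml.com",
    "03ysl.1ab.com",
    "zynetsw.com/forms/use/",
]

if __name__ == "__main__":
    _, text = build_uri_rules("MULTI_MATCH", SAMPLE_TERMS, 20, per_rule=2)
    print(text, end="")
```

Run the generated file through `spamassassin --lint` before putting it in the site rules directory.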




Re: new rules - where do i activate them?

2011-03-02 Thread Jeff Mincy
   From: John Hardin 
   Date: Wed, 2 Mar 2011 07:50:38 -0800 (PST)
   
   On Wed, 2 Mar 2011, tr_ust wrote:
   
   
   > This is what my rules look like now:
   >
   > uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/index\/form1.html/
   > score LOCAL_URI_EXAMPLE 200
   > uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/nana\/form1.html/
   > score LOCAL_URI_EXAMPLE 100
   > uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/ontokoros\/form1.html/
   > score LOCAL_URI_EXAMPLE 100
   > uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/tbt\/form1.html/
   > score LOCAL_URI_EXAMPLE 200
   > uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/webadmin\/form1.html/
   > score LOCAL_URI_EXAMPLE 200
   >
   > I took out the last "/" as you suggested...thanks.
   
   You may also want to escape the periods so they are literal matches rather 
   than "match any single character":
   
  uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/webadmin\/form1\.html/
   
   Also, you only have one rule there. Every time you put in another "uri 
   LOCAL_URI_EXAMPLE" you overwrite the previous definition. Change the name 
   of each rule, for example by appending _00 _01 _02, etc.
   
Also, the rules could be combined into a single rule (untested) using
regexp (?:index|nana|ontokoros|tbt|webadmin)

uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/


-jeff


Re: new rules - where do i activate them?

2011-03-02 Thread Daniel McDonald
On 3/2/11 9:46 AM, "tr_ust"  wrote:

> 
> I'm sorry - there's only one line in the sample of how to write a uri rule.
> 
> Are you saying that for each line I need to create a unique
> "LOCAL_URI_EXAMPLE" line?  In other words it should look more like this?

Yes, although score is usually spelled with a leading "s"...
 
> uri LOCAL_URI_EXAMPLE /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE 20
> 
> uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE_1 20
> 
> uri LOCAL_URI_EXAMPLE_2 /03ysl.9hz.com/
> core LOCAL_URI_EXAMPLE_2 20

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: new rules - where do i activate them?

2011-03-02 Thread John Hardin

On Wed, 2 Mar 2011, tr_ust wrote:

> This is what my rules look like now:
>
> uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/index\/form1.html/
> score LOCAL_URI_EXAMPLE 200
> uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/nana\/form1.html/
> score LOCAL_URI_EXAMPLE 100
> uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/ontokoros\/form1.html/
> score LOCAL_URI_EXAMPLE 100
> uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/tbt\/form1.html/
> score LOCAL_URI_EXAMPLE 200
> uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/webadmin\/form1.html/
> score LOCAL_URI_EXAMPLE 200
>
> I took out the last "/" as you suggested...thanks.

You may also want to escape the periods so they are literal matches rather
than "match any single character":

  uri LOCAL_URI_EXAMPLE /zynetsw\.com\/forms\/use\/webadmin\/form1\.html/

Also, you only have one rule there. Every time you put in another "uri
LOCAL_URI_EXAMPLE" you overwrite the previous definition. Change the name
of each rule, for example by appending _00 _01 _02, etc.

> There's nothing in the header of the emails that indicates it went
> through spamassassin - is there a way to use a spamassassin command to
> test out the rules?

Yes:

  spamassassin -L -t < your_test_message

More info can be obtained by doing something like:

  spamassassin -L -t --debug area=rules < your_test_message

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 11 days until Albert Einstein's 132nd Birthday
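
The three problems raised in this message and the replies around it (a rule name reused so that only the last definition survives, periods left unescaped, and `core` typed for `score`) can be checked mechanically before a test message is ever sent. The following Python sketch is an added example, not code from any poster or from SpamAssassin: it recognises only the directives seen in this thread, uses Python's `re` as a stand-in for Perl regexes, and its sample config is constructed from the rules quoted above.

```python
import difflib
import re

# Constructed sample, modelled on the rules posted in this thread.
SAMPLE_CF = r"""
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/index\/form1.html/
score LOCAL_URI_EXAMPLE 200
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/nana\/form1.html/
score LOCAL_URI_EXAMPLE 100
uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE_1 20
uri LOCAL_URI_EXAMPLE_2 m'zynetsw\.com/forms/use/.*/form1\.html'
score LOCAL_URI_EXAMPLE_2 20
"""

# Assumption: only the directives that appear in this thread are recognised.
REGEX_TESTS = {"uri", "body"}
KNOWN = REGEX_TESTS | {"score", "describe", "tflags", "urirhssub"}


def parse(cf_text):
    """Yield (line number, directive, rule name, remainder) per config line."""
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 2) + ["", ""]
            yield lineno, parts[0], parts[1], parts[2]


def regex_body(arg):
    """Return the pattern inside /re/ or m<delim>re<delim>, else None."""
    arg = arg.strip()
    if arg.startswith("m") and len(arg) > 2:
        arg = arg[1:]
    if not arg or arg[0].isalnum() or arg[0].isspace():
        return None  # e.g. eval:check_uridnsbl(...), not a regex
    closer = {"{": "}", "(": ")", "[": "]", "<": ">"}.get(arg[0], arg[0])
    i = 1
    while i < len(arg):
        if arg[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if arg[i] == closer:
            return arg[1:i]
        i += 1
    return None


def bare_dots(pattern):
    """Offsets of '.' that is unescaped, outside [...] and not quantified.

    Heuristic: '.*' or '.+' is taken as a deliberate wildcard; a lone '.'
    in a hostname or file name was almost certainly meant literally.
    """
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = pattern[i + 1:i + 2]
            if not nxt or nxt not in "*+?{":
                hits.append(i)
        i += 1
    return hits


def lint(cf_text):
    """Return a list of (line number, code, message) findings."""
    findings, defined = [], {}
    for lineno, keyword, name, rest in parse(cf_text):
        if keyword not in KNOWN:
            guess = difflib.get_close_matches(keyword, sorted(KNOWN), n=1)
            hint = f" (did you mean '{guess[0]}'?)" if guess else ""
            findings.append((lineno, "unknown-directive", f"'{keyword}'{hint}"))
        elif keyword in REGEX_TESTS:
            if name in defined:
                findings.append((lineno, "redefined",
                                 f"{name} overwrites line {defined[name]}"))
            defined[name] = lineno
            pattern = regex_body(rest)
            if pattern and bare_dots(pattern):
                findings.append((lineno, "bare-dot",
                                 f"{name}: unescaped '.' matches any character"))
    return findings


def hits(cf_text, url):
    """Names of uri rules that fire on url when the last definition wins."""
    rules = {}
    for _, keyword, name, rest in parse(cf_text):
        pattern = regex_body(rest) if keyword == "uri" else None
        if pattern:
            rules[name] = re.compile(pattern)  # later definition replaces earlier
    return sorted(n for n, rx in rules.items() if rx.search(url))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CF):
        print(*finding)
```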


Re: new rules - where do i activate them?

2011-03-02 Thread tr_ust

I'm sorry - there's only one line in the sample of how to write a uri rule.

Are you saying that for each line I need to create a unique
"LOCAL_URI_EXAMPLE" line?  In other words it should look more like this?

uri LOCAL_URI_EXAMPLE /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE 20

uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE_1 20

uri LOCAL_URI_EXAMPLE_2 /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE_2 20

Would that be correct?


Karsten Bräckelmann-2 wrote:
> 
> On Tue, 2011-03-01 at 13:11 -0500, Bowie Bailey wrote:
>> On 3/1/2011 12:39 PM, tr_ust wrote:
>> > Thanks...I could really use the help!  
> 
> [...]
>> > uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
>> > score LOCAL_URI_EXAMPLE 20
>> > uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
>> > score LOCAL_URI_EXAMPLE 20
>> > uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
>> > score LOCAL_URI_EXAMPLE 20
>> >
>> > I'm using the per user option right now for spamassassin, so I test it by
>> > sending the user an email with one of these links...and it's still going
>> > through.
>> 
>> You are aware that these rules are specifying that there MUST be a slash
>> after .com in order to match, right?
>> 
>> Other than that, I don't see any obvious problem.  Send an example email
>> through your system and put the resulting email (with headers) into a
>> pastebin so I can look at it.
> 
> Uhm... There is only ONE rule. Repeatedly overwriting the previous rule
> definition. Last one is defined, everything prior to that is effectively
> non-existent.
> 
> Does that count as obvious problem? ;)
> 
> 
> -- 
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31050552.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-02 Thread tr_ust

This is what my rules look like now:

uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/index\/form1.html/
score LOCAL_URI_EXAMPLE 200
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/nana\/form1.html/
score LOCAL_URI_EXAMPLE 100
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/ontokoros\/form1.html/
score LOCAL_URI_EXAMPLE 100
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/tbt\/form1.html/
score LOCAL_URI_EXAMPLE 200
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/webadmin\/form1.html/
score LOCAL_URI_EXAMPLE 200

I took out the last "/" as you suggested...thanks.


There's nothing in the header of the emails that indicates it went through
spamassassin - is there a way to use a spamassassin command to test out the
rules?

Thanks again for your help.




Bowie Bailey wrote:
> 
> On 3/1/2011 12:39 PM, tr_ust wrote:
>> Thanks...I could really use the help!  
>>
>> basically - I'm getting the list of phishing links of aper
>> (https://aper.svn.sourceforge.net/svnroot/aper/) and creating a rule for
>> it. 
>>
>> Here's a snippet of my rule -
>>
>> uri LOCAL_URI_EXAMPLE /-la2u.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>> uri LOCAL_URI_EXAMPLE /0-vgj.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>> uri LOCAL_URI_EXAMPLE /007vt.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>> uri LOCAL_URI_EXAMPLE /02khw.9hz.com\//
>> score LOCAL_URI_EXAMPLE 10
>> uri LOCAL_URI_EXAMPLE /03l6c.9hz.com\//
>> score LOCAL_URI_EXAMPLE 50
>> uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>> uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>> uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
>> score LOCAL_URI_EXAMPLE 20
>>
>>
>> I'm using the per user option right now for spamassassin, so I test it by
>> sending the user an email with one of these links...and it's still going
>> through.
> 
> You are aware that these rules are specifying that there MUST be a slash
> after .com in order to match, right?
> 
> Other than that, I don't see any obvious problem.  Send an example email
> through your system and put the resulting email (with headers) into a
> pastebin so I can look at it.
> 
> -- 
> Bowie
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31050515.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-01 Thread Bowie Bailey
On 3/1/2011 1:36 PM, Karsten Bräckelmann wrote:
> On Tue, 2011-03-01 at 13:11 -0500, Bowie Bailey wrote:
>> On 3/1/2011 12:39 PM, tr_ust wrote:
>>> Thanks...I could really use the help!  
> [...]
>>> uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
>>> score LOCAL_URI_EXAMPLE 20
>>> uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
>>> score LOCAL_URI_EXAMPLE 20
>>> uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
>>> score LOCAL_URI_EXAMPLE 20
>>>
>>> I'm using the per user option right now for spamassassin, so I test it by
>>> sending the user an email with one of these links...and it's still going
>>> through.
>> You are aware that these rules are specifying that there MUST be a slash
>> after .com in order to match, right?
>>
>> Other than that, I don't see any obvious problem.  Send an example email
>> through your system and put the resulting email (with headers) into a
>> pastebin so I can look at it.
> Uhm... There is only ONE rule. Repeatedly overwriting the previous rule
> definition. Last one is defined, everything prior to that is effectively
> non-existent.
>
> Does that count as obvious problem? ;)

Yea, that counts.  :)

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-01 Thread Karsten Bräckelmann
On Tue, 2011-03-01 at 13:11 -0500, Bowie Bailey wrote:
> On 3/1/2011 12:39 PM, tr_ust wrote:
> > Thanks...I could really use the help!  

[...]
> > uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
> > score LOCAL_URI_EXAMPLE 20
> > uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
> > score LOCAL_URI_EXAMPLE 20
> > uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
> > score LOCAL_URI_EXAMPLE 20
> >
> > I'm using the per user option right now for spamassassin, so I test it by
> > sending the user an email with one of these links...and it's still going
> > through.
> 
> You are aware that these rules are specifying that there MUST be a slash
> after .com in order to match, right?
> 
> Other than that, I don't see any obvious problem.  Send an example email
> through your system and put the resulting email (with headers) into a
> pastebin so I can look at it.

Uhm... There is only ONE rule. Repeatedly overwriting the previous rule
definition. Last one is defined, everything prior to that is effectively
non-existent.

Does that count as obvious problem? ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: new rules - where do i activate them?

2011-03-01 Thread Bowie Bailey
On 3/1/2011 12:39 PM, tr_ust wrote:
> Thanks...I could really use the help!  
>
> basically - I'm getting the list of phishing links of aper
> (https://aper.svn.sourceforge.net/svnroot/aper/) and creating a rule for it. 
>
> Here's a snippet of my rule -
>
> uri LOCAL_URI_EXAMPLE /-la2u.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
> uri LOCAL_URI_EXAMPLE /0-vgj.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
> uri LOCAL_URI_EXAMPLE /007vt.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
> uri LOCAL_URI_EXAMPLE /02khw.9hz.com\//
> score LOCAL_URI_EXAMPLE 10
> uri LOCAL_URI_EXAMPLE /03l6c.9hz.com\//
> score LOCAL_URI_EXAMPLE 50
> uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
> uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
> uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
> score LOCAL_URI_EXAMPLE 20
>
>
> I'm using the per user option right now for spamassassin, so I test it by
> sending the user an email with one of these links...and it's still going
> through.

You are aware that these rules are specifying that there MUST be a slash
after .com in order to match, right?

Other than that, I don't see any obvious problem.  Send an example email
through your system and put the resulting email (with headers) into a
pastebin so I can look at it.

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-01 Thread tr_ust

Thanks...I could really use the help!  

basically - I'm getting the list of phishing links of aper
(https://aper.svn.sourceforge.net/svnroot/aper/) and creating a rule for it. 

Here's a snippet of my rule -

uri LOCAL_URI_EXAMPLE /-la2u.9hz.com\//
score LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE /0-vgj.9hz.com\//
score LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE /007vt.9hz.com\//
score LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE /02khw.9hz.com\//
score LOCAL_URI_EXAMPLE 10
uri LOCAL_URI_EXAMPLE /03l6c.9hz.com\//
score LOCAL_URI_EXAMPLE 50
uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\//
score LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE /040jk.9hz.com\//
score LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\//
score LOCAL_URI_EXAMPLE 20


I'm using the per user option right now for spamassassin, so I test it by
sending the user an email with one of these links...and it's still going
through.

Thanks for any input you may have.



Bowie Bailey wrote:
> 
> On 3/1/2011 11:02 AM, tr_ust wrote:
>> thanks I found the directory and placed the file there...it's not working but
>> at least I'm putting it in the right place.
> 
> Show us the rule.  We can help you debug it.
> 
> -- 
> Bowie
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31042476.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-03-01 Thread Benny Pedersen
On Tue, 1 Mar 2011 08:02:23 -0800 (PST), tr_ust wrote:
> thanks I found the directory and placed the file there...it's not working
> but at least I'm putting it in the right place.

foo.cf works
foo won't load

make sure you named it something that ends in .cf

00_something.cf loads before 99_something.cf

don't place loadplugin in a cf file

custom plugins that are NOT part of standard spamassassin can use
00_something.pre for the dependencies of plugins, just don't add standard
plugins there




Re: new rules - where do i activate them?

2011-03-01 Thread Bowie Bailey
On 3/1/2011 11:02 AM, tr_ust wrote:
> thanks I found the directory and placed the file there...it's not working but
> at least I'm putting it in the right place.

Show us the rule.  We can help you debug it.

-- 
Bowie


Re: new rules - where do i activate them?

2011-03-01 Thread tr_ust

thanks I found the directory and placed the file there...it's not working but
at least I'm putting it in the right place.


Bowie Bailey wrote:
> 
> On 2/24/2011 5:04 PM, tr_ust wrote:
>> Hi Everyone, sorry I'm a super Newbie on Spamassassin...my stupid question is
>> this:
>>
>> I've created a rule for a blocked URIs - where do I tell spamassassin to use
>> that rule?  The only thing I see in the documentation is to not put the cf
>> file in a certain directory because it will be overwritten during an
>> upgrade.  
>>
>> I'm using this on a Solaris 10, with Sun Messaging.  I installed SA using
>> the blastwave repository.
> 
> I don't know exactly where Solaris puts the local rules.  Generally,
> they will be in either /etc/spamassassin or /etc/mail/spamassassin. 
> Find the local.cf file and put your rules in there.
> 
> You should be able to find it with this command:
> 
> spamassassin -D config --lint 2>&1 | grep "site rules"
> 
> -- 
> Bowie
> 
> 

-- 
View this message in context: 
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31040457.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: new rules - where do i activate them?

2011-02-24 Thread Martin Gregorie
On Thu, 2011-02-24 at 14:04 -0800, tr_ust wrote:
> I've created a rule for a blocked URIs - where do I tell spamassassin to use
> that rule?  The only thing I see in the documentation is to not put the cf
> file in a certain directory because it will be overwritten during an
> upgrade.  
> 
Put it in the same directory as local.cf - usually this
is /etc/mail/spamassassin but Solaris may use a different location.


Martin




Re: new rules - where do i activate them?

2011-02-24 Thread Bowie Bailey
On 2/24/2011 5:04 PM, tr_ust wrote:
> Hi Everyone, sorry I'm a super Newbie on Spamassassin...my stupid question is
> this:
>
> I've created a rule for a blocked URIs - where do I tell spamassassin to use
> that rule?  The only thing I see in the documentation is to not put the cf
> file in a certain directory because it will be overwritten during an
> upgrade.  
>
> I'm using this on a Solaris 10, with Sun Messaging.  I installed SA using
> the blastwave repository.

I don't know exactly where Solaris puts the local rules.  Generally,
they will be in either /etc/spamassassin or /etc/mail/spamassassin. 
Find the local.cf file and put your rules in there.

You should be able to find it with this command:

spamassassin -D config --lint 2>&1 | grep "site rules"

-- 
Bowie


Re: new rules - where do i activate them?

2011-02-24 Thread Leveau Stanislas

Hi


You create a file.cf with your rules and you place it in spamassassin folder

and restart spamassassin

Regards



Hi Everyone, sorry I'm a super Newbie on Spamassassin...my stupid question is
this:

I've created a rule for a blocked URIs - where do I tell spamassassin to use
that rule?  The only thing I see in the documentation is to not put the cf
file in a certain directory because it will be overwritten during an
upgrade.

I'm using this on a Solaris 10, with Sun Messaging.  I installed SA using
the blastwave repository.

Thanks for any help.


--
View this message in context:   
http://old.nabble.com/new-rules---where-do-i-activate-them--tp31008400p31008400.html

Sent from the SpamAssassin - Users mailing list archive at Nabble.com.








Re: new rules for stock spam?

2005-11-11 Thread Bill Randle

> Bill Randle wrote:
>> Does anyone have any rules to squash the recent spate of stock alert
>> spam that I've been seeing? The messages are coming from multiple
>> sources, although some can be traced back to IPs belonging to
>> kornet.net. There are no URLs in the message body. Bayes is probably
>> the best bet, but on my global db it's scoring only BAYES_50.
>>
>> The last batch had scores like this:
>>
>>  X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
>> tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
>>  X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
>> tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
>>  X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50,
>> FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE
>>
>
> The FSR_MASKED_FINANCIAL rule (from here
> http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well
> trained bayes takes care of most stock spams. You could expand the rule
> to include pr*fit, auth*rity and l*w. Also see the
> 72_sare_bml_post25x.cf rule from SARE.
>
> Also since you have a lot of these spams, use them to train the bayes db.

Thanks for the pointer to FSR_MASKED_FINANCIAL. I do use
72_sare_bml_post25x.cf, but it doesn't seem to hit very many of them.

-Bill



-- 



Re: new rules for stock spam?

2005-11-11 Thread Dhawal Doshy

Bill Randle wrote:
> Does anyone have any rules to squash the recent spate of stock alert
> spam that I've been seeing? The messages are coming from multiple
> sources, although some can be traced back to IPs belonging to
> kornet.net. There are no URLs in the message body. Bayes is probably
> the best bet, but on my global db it's scoring only BAYES_50.
>
> The last batch had scores like this:
>
>  X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
> tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
>  X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
> tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
>  X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50,
> FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE


The FSR_MASKED_FINANCIAL rule (from here 
http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well 
trained bayes takes care of most stock spams. You could expand the rule 
to include pr*fit, auth*rity and l*w. Also see the 
72_sare_bml_post25x.cf rule from SARE.


Also since you have a lot of these spams, use them to train the bayes db.

- dhawal


Re: New rules

2005-02-03 Thread Robert Menschel
Hello Matthew,

Tuesday, December 7, 2004, 7:32:22 AM, you wrote:

MN> Hello,

MN> I've recently installed SA 3.0.1, and found some junk was
MN> getting through with scores too low for my liking, especially before the
MN> URLs made it into SURBL. I've put together a few rules to match some
MN> of these that you might find interesting.

My mass-check results on your rules:

Section 3 -- Frequencies Log
(First numeric frequencies, followed by percentage frequencies)

OVERALL    SPAM     HAM     S/O    RANK   SCORE  NAME
  95120   59679   35441   0.627    0.00    0.00  (all messages)
   2231    2231       0   1.000    1.00    0.50  UOLCC_ROLEX_SUB1
   3331    3330       1   0.999    0.90    0.50  UOLCC_ROLEX_BODY1
    470     470       0   1.000    0.86    2.00  UOLCC_WATCH_BODY
     19      19       0   1.000    0.45    1.50  UOLCC_ROLEX_BODY2
      0       0       0   0.500    0.31    3.50  UOLCC_HTM_HTML_URL
      0       0       0   0.500    0.31    1.50  UOLCC_ROLEX_SUB2
     66      37      29   0.431    0.10    0.10  UOLCC_CAPWORD_TEST
    136      51      85   0.263    0.00    2.00  UOLCC_BBONE

OVERALL%    SPAM%     HAM%     S/O    RANK   SCORE  NAME
   95120    59679    35441   0.627    0.00    0.00  (all messages)
 100.000  62.7407  37.2593   0.627    0.00    0.00  (all messages as %)
   2.345   3.7383       0.   1.000    1.00    0.50  UOLCC_ROLEX_SUB1
   3.502   5.5799   0.0028   0.999    0.90    0.50  UOLCC_ROLEX_BODY1
   0.494   0.7875       0.   1.000    0.86    2.00  UOLCC_WATCH_BODY
   0.020   0.0318       0.   1.000    0.45    1.50  UOLCC_ROLEX_BODY2
   0.000       0.       0.   0.500    0.31    3.50  UOLCC_HTM_HTML_URL
   0.000       0.       0.   0.500    0.31    1.50  UOLCC_ROLEX_SUB2
   0.069   0.0620   0.0818   0.431    0.10    0.10  UOLCC_CAPWORD_TEST
   0.143   0.0855   0.2398   0.263    0.00    2.00  UOLCC_BBONE

The single words Rolex in subject and/or body are the best hitters,
but then nobody in my domains discusses buying Rolex watches as
birthday or anniversary presents.

Bob Menschel





Re: New rules

2004-12-08 Thread Loren Wilton
> Getting off topic here, but the all caps is probably a holdover from
> the old SABRE airline reservation system which used a 6-bit codeset
> to reduce the transmission time on their (at the time) slow data links.

Actually it was because the SABRE machines also used a 5-bit code set (and
still largely do).  (Assuming of course SABRE was the Sperry rather than IBM
reservation system; I forget which was which.)

Loren



Re: New rules

2004-12-08 Thread Alex Broens
Matthew Newton wrote:
> On Wed, Dec 08, 2004 at 02:22:07PM +0100, Alex Broens wrote:
> > Matthew Newton wrote:
> > > I've recently installed SA 3.0.1, and found some junk was
> > > getting through with scores too low for my liking, especially before the
> > > URLs made it into SURBL. I've put together a few rules to match some
> > > of these that you might find interesting.
> > >
> > > They are:
> > >
> > > Finally, a string of words (more than 15 here) that all begin with a
> > > capital letter, and no punctuation (I'm only testing this one at the
> > > moment, hence the low score):
> > >
> > > body  UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
> > > describe  UOLCC_CAPWORD_TEST String of words that all begin with caps letter
> > > score UOLCC_CAPWORD_TEST 0.1
> > >
> > > Hope these are of use to someone. If anyone can show me that they are
> > > likely to pick up false positives, I'd be most grateful.
> >
> > This will likely trigger on several airline ticket confirmation messages
> > which, for some unknown highly scientific reason, are always sent all caps.
>
> Do they send out e-mails with Each Word Starting With A Capital Letter
> with no punctuation between 15 words and all words longer than 3
> letters?
>
> I would expect perhaps everything in capitals, but not the above?

Yep... all in capitals, not starting only.
goofed it.

Alex



Re: New rules

2004-12-08 Thread Bill Randle
On Wed, 2004-12-08 at 05:22, Alex Broens wrote:
> Matthew Newton wrote:
> > Hello,
> > 
> > I've recently installed SA 3.0.1, and found some junk was
> > getting through with scores too low for my liking, especially before the
> > URLs made it into SURBL. I've put together a few rules to match some
> > of these that you might find interesting.
> > 
> > They are:
> > 
> > Finally, a string of words (more than 15 here) that all begin with a
> > capital letter, and no punctuation (I'm only testing this one at the
> > moment, hence the low score):
> > 
> > body  UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
> > describe  UOLCC_CAPWORD_TEST String of words that all begin with caps letter
> > score UOLCC_CAPWORD_TEST 0.1
> > 
> > 
> > Hope these are of use to someone. If anyone can show me that they are
> > likely to pick up false positives, I'd be most grateful.
> 
> This will likely trigger on several airline ticket confirmation messages 
> which, for some unknown highly scientific reason, are always sent all caps.

Getting off topic here, but the all caps is probably a holdover from 
the old SABRE airline reservation system which used a 6-bit codeset
to reduce the transmission time on their (at the time) slow data links.

-Bill




Re: New rules

2004-12-08 Thread Matthew Newton
On Wed, Dec 08, 2004 at 02:22:07PM +0100, Alex Broens wrote:
> Matthew Newton wrote:
> >
> >I've recently installed SA 3.0.1, and found some junk was
> >getting through with scores too low for my liking, especially before the
> >URLs made it into SURBL. I've put together a few rules to match some
> >of these that you might find interesting.
> >
> >They are:
> >
> >Finally, a string of words (more than 15 here) that all begin with a
> >capital letter, and no punctuation (I'm only testing this one at the
> >moment, hence the low score):
> >
> >body  UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
> >describe  UOLCC_CAPWORD_TEST String of words that all begin with caps 
> >letter
> >score UOLCC_CAPWORD_TEST 0.1
> >
> >
> >Hope these are of use to someone. If anyone can show me that they are
> >likely to pick up false positives, I'd be most grateful.
> 
> This will likely trigger on several airline ticket confirmation messages 
> which, for some unknown highly scientific reason, are always sent all caps.

Do they send out e-mails with Each Word Starting With A Capital Letter
with no punctuation between 15 words and all words longer than 3
letters? 

I would expect perhaps everything in capitals, but not the above?

Thanks

Matthew


-- 
Matthew Newton <[EMAIL PROTECTED]>

UNIX Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
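
The question argued in this thread (title-case runs versus all-caps text) can be settled by running the rule's pattern over sample text. This is an added example, not part of any poster's message: Python's `re` stands in for SpamAssassin's Perl regex engine, the helper names are hypothetical, and every sample string is constructed.

```python
import re

# The body rule quoted in the thread. Perl's /s modifier only changes what "."
# matches, and this pattern contains no ".", so no flag is needed here.
CAPWORD = re.compile(r"([A-Z][a-z]{3,}\s{1,2}){15,}")

# Same word definition without the {15,} floor, to measure how close a text gets.
RUN = re.compile(r"(?:[A-Z][a-z]{3,}\s{1,2})+")

def hits(text):
    """True if UOLCC_CAPWORD_TEST's pattern matches anywhere in text."""
    return CAPWORD.search(text) is not None

def longest_capword_run(text):
    """Largest number of consecutive words the rule would count."""
    return max((len(m.group().split()) for m in RUN.finditer(text)), default=0)

NAMES = ["Alice", "Brian", "Carol", "David", "Emily", "Frank", "Grace", "Henry",
         "Irene", "James", "Karen", "Louis", "Maria", "Nigel", "Olive", "Peter"]

# Constructed samples, one per case raised in the thread.
SAMPLES = {
    # 16 capitalised words of 4+ letters, no punctuation: the rule's target.
    "title_case": "Great Offer Today Only Best Price Rolex Watch Replica "
                  "Cheap Fast Ship Free Gift Order Online now",
    # All-caps text in the style of a ticket confirmation: no lowercase
    # letters, so [a-z]{3,} can never match.
    "all_caps": "YOUR FLIGHT CONFIRMATION NUMBER FOR THE TRIP FROM LONDON "
                "TO BOSTON ON DECEMBER EIGHTH IS ENCLOSED BELOW ",
    # One three-letter word ("For") splits the run into 6 and 10 words.
    "short_word": "Great Offer Today Only Best Price For Rolex Watch Replica "
                  "Cheap Fast Ship Free Gift Order Online now",
    # A legitimate list of first names, one per line: \s also matches the
    # newlines, so this ham-like text reaches the threshold.
    "name_list": "\n".join(NAMES) + "\n",
}

def report():
    """Map each sample name to (rule hit?, longest run of counted words)."""
    return {k: (hits(v), longest_capword_run(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (hit, run) in report().items():
        print(f"{name:11s} hit={hit!s:5s} longest_run={run}")
```

All-caps text cannot trigger the rule, while a plain list of capitalised names can, which is the kind of ham hit the low test score of 0.1 leaves room for.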


Re: New rules

2004-12-08 Thread Alex Broens
Matthew Newton wrote:
> Hello,
>
> I've recently installed SA 3.0.1, and found some junk was
> getting through with scores too low for my liking, especially before the
> URLs made it into SURBL. I've put together a few rules to match some
> of these that you might find interesting.
>
> They are:
>
> Finally, a string of words (more than 15 here) that all begin with a
> capital letter, and no punctuation (I'm only testing this one at the
> moment, hence the low score):
>
> body  UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
> describe  UOLCC_CAPWORD_TEST String of words that all begin with caps letter
> score UOLCC_CAPWORD_TEST 0.1
>
> Hope these are of use to someone. If anyone can show me that they are
> likely to pick up false positives, I'd be most grateful.

This will likely trigger on several airline ticket confirmation messages
which, for some unknown highly scientific reason, are always sent all caps.

Alex


Re: New Rules

2004-09-13 Thread Matt Kettler
At 06:43 PM 9/13/2004, Thompson´s Mail wrote:
> Do you know where I can download new rules for SpamAssassin? I
> would like a simple URL, where I can use a wget command, or something like this.

For the primary ruleset, the only practical means to update is full-version
upgrade. It's not possible or practical to simply refresh the ruleset with
a new version.

http://wiki.apache.org/spamassassin/VirusScannerTypeUpdates

However, several people do publish add-on rulesets for SA:

http://wiki.apache.org/spamassassin/CustomRulesets

So if you want to add rules for specific problems, those can be of help.