Re: some problem with spam
Hi
thenx i try in this ruleset
W dniu 12.12.2023 o 14:59, Jimmy pisze:
These rules should matched
rawbody __DOUBLE_HTML /<\/a>\s*/
uri __LONG_LINK_URL
/https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i
On Tue, Dec 12, 2023 at 8:44 PM natan wrote:
Hi
Thenx but link is random too like:
https://paste.debian.net/1300874/
W dniu 12.12.2023 o 12:21, Jimmy pisze:
uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID / wrote:
Hi
I have a SpamAssassin version 3.4.6
And I try resolv two problem
1)I put eml with spam and learn SA like:
sa-learn --spam /root/spamik/
In /root/spamik/ is 4 e-mail
Worsk great but after 7 day i must learn agin like SA forgot
what he learned
2)I have a problem with one type a spam like:
https://paste.debian.net/1300865/
beacuse:
contents - random
from - random
IP - random
The construction is only somewhat similar like base64 + html
and png
All wass signed by DKIM
And I had to work around it in the following way but it is
not a solution
rawbody EMAIL_20231207 /(necessary to delete the message
completely|email message and any attachments are
intended|automatically archived by Mimecast|sender and take
the steps necessary)/i
describe EMAIL_20231207 Spam fake IQ password
score EMAIL_20231207 2
rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
score EMAIL_20231207_1 0.1
rawbody EMAIL_20231207_2
/BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 &&
IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score EMAIL_20231207_ALL 2
Any idea ?
--
--
--
Re: some problem with spam
These rules should matched
rawbody __DOUBLE_HTML /<\/a>\s*/
uri __LONG_LINK_URL
/https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i
On Tue, Dec 12, 2023 at 8:44 PM natan wrote:
> Hi
> Thenx but link is random too like:
>
> https://paste.debian.net/1300874/
>
>
> W dniu 12.12.2023 o 12:21, Jimmy pisze:
>
>
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID /
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be
> false positive. Since I don't have visibility into all headers, consider
> create rules based on specific headers or other rule that match these.
> Append these rules to the meta-rule and boost the overall score accordingly.
>
> Jimmy
>
>
> On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
>
>> Hi
>> I have a SpamAssassin version 3.4.6
>>
>> And I try resolv two problem
>>
>> 1)I put eml with spam and learn SA like:
>> sa-learn --spam /root/spamik/
>>
>> In /root/spamik/ is 4 e-mail
>> Worsk great but after 7 day i must learn agin like SA forgot what he
>> learned
>>
>> 2)I have a problem with one type a spam like:
>> https://paste.debian.net/1300865/
>> beacuse:
>> contents - random
>> from - random
>> IP - random
>>
>> The construction is only somewhat similar like base64 + html and png
>> All wass signed by DKIM
>>
>> And I had to work around it in the following way but it is not a solution
>>
>> rawbody EMAIL_20231207/(necessary to delete the message
>> completely|email message and any attachments are intended|automatically
>> archived by Mimecast|sender and take the steps necessary)/i
>> describe EMAIL_20231207Spam fake IQ password
>> scoreEMAIL_202312072
>>
>> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
>> scoreEMAIL_20231207_1 0.1
>> rawbody EMAIL_20231207_2
>> /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
>> meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 &&
>> KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
>> scoreEMAIL_20231207_ALL 2
>>
>> Any idea ?
>>
>>
>>
>> --
>>
>
>
>
> --
>
Re: some problem with spam
Hi Thenx but link is random too like: https://paste.debian.net/1300874/ W dniu 12.12.2023 o 12:21, Jimmy pisze: uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/ rawbody __IMG_SRC_CID /Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be false positive. Since I don't have visibility into all headers, consider create rules based on specific headers or other rule that match these. Append these rules to the meta-rule and boost the overall score accordingly. Jimmy On Tue, Dec 12, 2023 at 5:53 PM natan wrote: Hi I have a SpamAssassin version 3.4.6 And I try resolv two problem 1)I put eml with spam and learn SA like: sa-learn --spam /root/spamik/ In /root/spamik/ is 4 e-mail Worsk great but after 7 day i must learn agin like SA forgot what he learned 2)I have a problem with one type a spam like: https://paste.debian.net/1300865/ beacuse: contents - random from - random IP - random The construction is only somewhat similar like base64 + html and png All wass signed by DKIM And I had to work around it in the following way but it is not a solution rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i describe EMAIL_20231207 Spam fake IQ password score EMAIL_20231207 2 rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/ score EMAIL_20231207_1 0.1 rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/ meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY score EMAIL_20231207_ALL 2 Any idea ? -- --
Re: some problem with spam
uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/ rawbody __IMG_SRC_CID / wrote: > Hi > I have a SpamAssassin version 3.4.6 > > And I try resolv two problem > > 1)I put eml with spam and learn SA like: > sa-learn --spam /root/spamik/ > > In /root/spamik/ is 4 e-mail > Worsk great but after 7 day i must learn agin like SA forgot what he > learned > > 2)I have a problem with one type a spam like: > https://paste.debian.net/1300865/ > beacuse: > contents - random > from - random > IP - random > > The construction is only somewhat similar like base64 + html and png > All wass signed by DKIM > > And I had to work around it in the following way but it is not a solution > > rawbody EMAIL_20231207/(necessary to delete the message > completely|email message and any attachments are intended|automatically > archived by Mimecast|sender and take the steps necessary)/i > describe EMAIL_20231207Spam fake IQ password > scoreEMAIL_202312072 > > rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/ > scoreEMAIL_20231207_1 0.1 > rawbody EMAIL_20231207_2 > /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/ > meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && > KAM_HTML_FONT_INVALID && MIME_HTML_ONLY > scoreEMAIL_20231207_ALL 2 > > Any idea ? > > > > -- >
some problem with spam
Hi I have a SpamAssassin version 3.4.6 And I try resolv two problem 1)I put eml with spam and learn SA like: sa-learn --spam /root/spamik/ In /root/spamik/ is 4 e-mail Worsk great but after 7 day i must learn agin like SA forgot what he learned 2)I have a problem with one type a spam like: https://paste.debian.net/1300865/ beacuse: contents - random from - random IP - random The construction is only somewhat similar like base64 + html and png All wass signed by DKIM And I had to work around it in the following way but it is not a solution rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i describe EMAIL_20231207 Spam fake IQ password score EMAIL_20231207 2 rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/ score EMAIL_20231207_1 0.1 rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/ meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY score EMAIL_20231207_ALL 2 Any idea ? --
