Hi Scott
>
> On Fri, 23 Jan 2004 12:30:13 -0500, Chris Santerre
> <[EMAIL PROTECTED]> writes:
>
> > I received a report of an FP in bigevil. The domain was
> > playaudiomessage.com. A quick google shows tons of hits in
> > news.admin.net-abuse.sightings. It had been my hope the bigevil
> > would
My bad. I just posted a change to body rule with the set, but it has to
be rawbody. I realized this as soon as I hit send. (oops) Now... I
dont know if rawbody looks at the headers... ?? If that doesn't fix
it, I wouldn't know how to miss that. Maybe someone else will know.
Jennifer
>
> Lo
Hi Matthew,
>
> Looks like Backhair is triggering on my X-Face header. At least that's
the
> only thing I can see that might be it. See the following email (BH ==
> BackHair):
I changed the rule from full to body. Could you dl and test the current
set to see if it misses now? It should, being t
>
> Hey guys.
>
> How can I change the points of the rules included in spamassassin?
> I'm trying to increase the points from the HTML_IMAGE_ONLY_02 BODY
rule.
>
> Thanks in advance,
>
> Thorsten Schacht
You can override default scores in your local.cf
score HTML_IMAGE_ONLY_02 4.0
(restart
Hi Erik
i assume you sent this over the weekend when the file was bad. I sent one
this weekend that just showed up on the list this morning! If that isn't
the case, grab the new version from my site. I believe it's 1.14.
http://www.emtinc.net/spamhammers.htm
Jennifer
> Hi Jennifer,
>
> When
Sorry for any problems this caused you guys. I had the wrong version on
my server when I linted that change. ...Fixed now. Thanks for letting
me know, Arpi.
Jennifer
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference
I have a strange request. I was wondering if some of you who speak a
language other than English, or if you know someone who does, could
write me (offlist) an email full of contractions in that language. Also
please tell me what the language is. :) It would be very helpful. Say
whatever you li
Added another more obscure tag. Thanks Kelson. Version 1.3
Jennifer
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anahe
> > this change more clear. I left Popcorn on there for now, but like I
> > said, if you use Backhair version 1.1 (just posted it) you no longer
> > (sniff sniff...) need Popcorn...
>
> So if I grab Jennifer's backhair I don't need any popcorn? There must
> be some hidden meaning there.
As hair
my
file. Try downloading again and see if you still get errors.
>
>
> Thanks,
> Jason
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jennifer
> Wheeler
> Sent: Wednesday, January 21, 2004 11:10 AM
>
Jason
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jennifer
> Wheeler
> Sent: Wednesday, January 21, 2004 9:40 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Popcorn & Backhair have been combined into 1 Set
&
OY! That set had the original testing scores. Fixed now. Sorry
Haste = Bad
> said, if you use Backhair version 1.1 (just posted it) you no longer
>
> http://www.emtinc.net/spamhammers.htm
>
> Jennifer <-- 44 on new Backhair set ;) ...oooh the urge to say
it!
> B..(cough cough) (cough coug
Hello spam peeps
Well I was going to hold off posting this until I had the time to edit
the page explaining the Rule Sets, but I got a spam this morning, tagged
only by this updated Backhair Set. I was irked enough (thinking these
spams might be getting through on other machines) that I will go ah
> Hi,
>
> > Correct. The only set going through frequent revisions right now is
> > "Chickenpox". I think I'm about to post a revision on
Backhair/Popcorn,
> > but that will be the first change in months. Still, they will not
go
>
> i've found a major problem with blachhair set today: it catch
(Didn't mean to go offlist with my reply. Here it is again)
> On Sat, 17 Jan 2004, Jonathan Nichols wrote:
> > rules_du_jour is kind of neat, but I hope it's not going to drive up
> > Chris & Jennifer's bandwidth bills or som 'em over a quota. :P
>
> A thought, and a suggestion:
>
> Thought: So
> Link in sig, it's late and I'm tired. If you don't know where to find
them
> by now, you must be under a rock (Or a Colts Fan ;) Go Pats!
...okaynow that hurt! We'll talk tomorrow.
J.
---
The SF.Net email is sponsored by EclipseCon
>
> rules_du_jour is kind of neat, but I hope it's not going to drive up
> Chris & Jennifer's bandwidth bills or som 'em over a quota. :P
>
> Would it be possible to add a mirror or two? I've got a fairly empty
T1
> that could help out..
I think mine _should_ be okay, especially if it's staggere
Hi Jennifer! ...a link would be _helpful_!
Thanks!
http://www.emtinc.net/spamhammers.htm
apologies,
Jennifer
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
> Sent: Thursday, January 15, 2004 8:55 PM
Adam has gone through the set and 'graded my paper'.
- the "'" was missing in rules ending in {2}
- added "d" to higher up rules ending in {1} (proper names...doh)
- he pointed out some extraneous 'code'
- on an earlier edit (not announced) he explained the need for speed
using ?: in the capturing
the sets per request. I
set them all to 1.0 even though they've gone through several edits thus
far. Sorry for the confusion.
Jennifer
Woo... do a grep for sorry will ya! I'll shhsh
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROT
Oy... I'm having a really bad day. :) either you will get three of
these update notices, or the good people who moderate will see that I
keep posting from the wrong account and pull those. Third time is a
charm, and I've changed my default email. Sincere apologies!!
Newest Chickenpox vaccinat
Edited Chickenpox Set is now available. Please read the notes on the
site before using the set! I love the set, but I have them scored
higher than you might like. I would set the scores lower to test and
then score them per your tastes/spam threshold. If you would like to
wait for testing resul
http://www.emtinc.net/spamhammers.htm
i'll probably have an update to the chickenpox set by the end of the week.
and i see someone already pointed you to chris' site. There is also the
wiki, i believe there is a link from rulesemporium.
jennifer
> On Wed, 7 Jan 2004, Kurt Buff wrote:
>
>> Seve
I got several of those in December, but none recently. None of them
were tagged. I probably wrote a simple rule for it. Seems I remember
something about ev2 in the headers??
Jennifer
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of C
> On 12/31/03, Casper Gasper wrote:
> >
> >Things like, '4 consonants in a row are not an English word'.
>
> Shortstop? Matchstick? :)
>
> Seriously, though, looking for patterns is an interesting idea. For
> instance, English simply does not allow you to begin a word with "vt"
or
> "bs". Loo
; From: Brian Sneddon [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 12:14 PM
> To: 'Jennifer Wheeler'; 'Chris Santerre'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Rule to block Paris Hilton spam
>
> Wont that \n at the end of th
Eureka! :) believe this works, yes?? At least I think this is what
you are going for? Sorry for the wrap.
rawbody hilton_b64
/(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk
NvbWUgY2hlY2sgb3V0|\n)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b
I added several filename extensions and fixed oversights in 3 rules.
Thanks Scott for the input!
http://www.emtinc.net/includes/chickenpox.cf
Jennifer
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or ju
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Bob George
> Sent: Monday, December 29, 2003 4:20 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: False positives
>
> John Beamon <[EMAIL PROTECTED]> wrote:
> > [...] (I particularly
> > btw 42??? what did you mean by that. that was very
> > creepy to see,
> > because i've tried to convince my brother from an early
> age, that the
> > number 42 *haunts* me and turns up *everywhere*! that'll
> either be a
> > very good year for me, or that's the year i'll buy the farm
Hello there Rubin
>
> The ruleset name _was_ her idea 8^)
>
> I can see that my post could seem a little odd taken out of
> context, so let me clarify: Jenn's Backhair *ruleset* will
> help with the bogus html tags. I know nothing about Jenn's
> backhair. I must confess that I do, however, oc
Hi Barry,
This will also snag a few of those if you want to use them. You could
write them to hit the body as well if you wanted, i just use a subject
rule for now.
describe J_PARISobfu paris
header J_PARISSubject =~
/[EMAIL PROTECTED]|1\!][sz5\$](? -Original Message-
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Evan Platt
> Sent: Tuesday, December 23, 2003 6:26 PM
> To: Rubin Bennett
> Cc: SpamAssassin
> Subject: RE: [SAtalk] sa-learn from Exchange 2000
>
>
> --On Tuesday, December 23, 2003 5:56 PM -050
king the set, in essence, additive. (though maybe not in the
common meaning of the word "additive" in the world of programming...i'm
not a programmer so I could be talking out of my bum here)
More below...
>
> From: "Jennifer Wheeler" <[EMAIL PROT
Hi Sam,
>
> Probably haven't look hard enough, but has anyone
> used a rule to detect (real or pseudo) HTML tags
> embedded in text. Ostensibly they're there to
> throw off bayes and other pattern matchers.
>
> I just put up:
>
> rawbody TAG_IN_TEXT /[a-zA-Z0-9]+\<\/*[a-zA-Z0-9]*\>[a-zA-Z0-
Helloo.
FP Notice.
FP forwarded to me this morning on an ebay "Bid Confirmed" notice.
BigEvilList_133 contains "pics.ebaystatic.com" which is in the source of
the "bid confirmed" emails from ebay auctions. It pushed it to 8.34; we
tag at 7.0. Other custom rules contributed 0.7 to the score, d
Helleau all
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of mikea
> Sent: Wednesday, December 03, 2003 8:14 PM
> To: 'SA List'
> Subject: Re: [SAtalk] BIG HUGE EVIL RULE NEWS
>
> On Wed, Dec 03, 2003 at 07:17:28PM -0500, Rick Macdo
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Chris Santerre
> Sent: Wednesday, December 03, 2003 1:08 PM
> To: Spamassassin-Talk (E-mail)
> Subject: [SAtalk] Bigevil domain hat-check help
>
> I've got a domain listed in Bigevil tha
> You could always lower the score. Only 178 to change :)
> (Hey that is nothing compared to how many times I had to hit ' | ,
DELETE,
> END ' because I was in a hurry to get done!)
Hi Chris,
You should grab multiedit. Rockage. You can do your edits with little
macros.
Jennifer
>
> --Chris Sa
HI there
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Chris Thielen
> Sent: Wednesday, December 03, 2003 12:26 PM
> To: Spamassassin-Talk
> Cc: Idan Lerer
> Subject: Re: [SAtalk] Spammer with dot in the mail from header
>
> Idan Ler
Chris Santerre. I genuflect! Thanks for the effort. I must
decline the hockey game; I live in the middle of basketball country and
would have to make quite a pilgrimage to get to a game of any caliber.
Would you settle for my switching from cokes to hot chocolates with
coffee mate for a week
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of McWhirter,Julia
> Sent: Wednesday, November 26, 2003 9:46 AM
> To: Gilson, Larry; Marvin Raab
> Cc: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] New to Spamassassin
>
> Yes so I found out,
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony
Bunce
Sent: Tuesday, November 25, 2003 1:23 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Ideas
I have been seeing lots of spam like this getting through recently
Anyone have any ideas how to reduce thi
Hi Ian
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of ian douglas
> Sent: Monday, November 24, 2003 8:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] paris hilton
>
> > Haven't seen the spam but one of these should work if your
Backhair set modification similar to the last popcorn update. (a
waxing??) More flexible in the hidden tag to include more garbage.
http://spamhammers.nxtek.net
Jennifer
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in L
> On 11 Nov 2003, at 13:52, Jennifer Wheeler wrote:
>> Popcorn Only - http://spamhammers.nxtek.net/popcorn.cf
>> Backhair Only - http://spamhammers.nxtek.net/backhair.cf
>> Weeds Only - http://spamhammers.nxtek.net/weeds.cf
>
> Why "Popcorn", "Backhair&
er 11, 2003 4:14 PM
> To: Jennifer Wheeler
> Cc: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] [RD] Updated Corn
>
>
> > > > http://spamhammers.nxtek.net
> > >
> > > How are those files organized on that site? I couldn't find a link
to
&g
Hi Guenther,
> > Fresh popcorn if you would like some. I had one come through today
> > (which I actually had anticipated, just had to figure out how to
write
> > the rule.) If you use this set, I'd update. It catches quite a lot
more
> > in the tag.
>
> Thanks for the update. :)
My Pleasure!
Hi Rajdeep,
> I have successfully installed the SA. but I am not able to filer the
> content. Any stuff which I want to filter in there in the rules
directory
> but not getting filter. What I have to do with this?
> For e.g I have to filter the vulgar stuff. But it does not filterit.
My
> local.c
>I scored them super high in a fit of rage.
...that makes me smile. I can picture you leaning back in your chair,
watching the next one come through with a score of 790, laughing
maniacally and flutter kicking your feet in the air. :)
/My dog is very promiscuous\./
...while enigmatic, this co
Hi Scott
I was going to post a change, but you beat me out of the gates. Last
night the topiary king showed me a way to do that pruning. If you would
like, you can write those this way.
/\&\#(?:0*(?:65|97)|x0*[46]1);/i
I made the changes on the site if you want to grab them
http://spamhammers.
Hi Jeremy
http://spamhammers.nxtek.net
The rules are also on Chris Santerre's site along with many other goodies.
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
in the popcorn link
Jennifer
> Hi,
>
> Is there anyway to have spamassasin check for this kind of HTML garbage.
> If
ngamabobber.
Jennifer
>
> -Chris
>
> Jennifer Wheeler said:
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>> [mailto:spamassassin-
>>> [EMAIL PROTECTED] On Behalf Of Chris Thielen
>>> Sent: Thursday, Octo
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Chris Thielen
> Sent: Thursday, October 30, 2003 4:22 PM
> To: Spamassassin-Talk
> Subject: RE: [SAtalk] [RD] Open source is Naughty!!!
>
> I figure now might be a decent time to mention
Someone suggested a range to me awhile back when I asked about this,
sorry I cant give props to whoever it was.
/\bp[e3]n[\xCC-\xCF\xEC-\xEF][sz52]\b/i
Jennifer
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Martin Radford
> Sent:
> Do you really want to match punctuation and whitespace,
> because both of those will match [^aeiouy]?
Nope he doesn't... that was my big bad. Wasn't thinking. Thx
Jennifer
---
This SF.net email is sponsored by: SF.net Giveback Program.
> Yes, this would be possible.
>
> describe MY_RBDY_EXSV_TAGMY: Excessive HTML Tags
> rawbody MY_RBDY_EXSV_TAG/<[bi]><\/[bi]>/i
> scoreMY_RBDY_EXSV_TAG4.0
>
> Backhair did not hit because the number of characters within the tag
is
> fewer than 6. Creating rules to match fewer
Hi Larry
> I have had some very good success with a rawbody and subject test
which
> looks for
>
> 4 or more consonants
> followed by 1 or 2 vowels
> followed by 3 or more consonants or digits
>
> This is the match:
>
/[0-9bcdfghjklmnpqrstvwxz]{4,}[aeiouy]{1,2}[0-9bcdfghjklmnpqrstvwxz]{3,}
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sorry for the OT personal comment (sort of), but that *has* to be the
best email address I've ever seen! Thanks for the smile.
Jennifer
---
This SF.net email is sponsored by: SF.net Giveba
I just noticed something else Chris :) ...sorry! I believe you have
the rules on your site as they stood before Keith took out the garbage.
They still work as you have them... so don't panic! I used them that
way for about a month. The Tidied up version are still on
http://spamhammers.nxtek.n
Mike S
> -Original Message-
> From: Jennifer Wheeler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2003 11:45 AM
> To: 'Larry Gilson'; [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds
>
>
> Ok, now I am in the light. I
Ok, now I am in the light. I think we are looking at this test from
different perspectives.
This is what I'm replying to here...
>"My original goal was to shorten the tests into fewer tests but I think
I >found a way to shorten the tests into one test - bonus. :)"
I am not in favor of reducing
Congrats! :) ...I'm thinking now he wishes he hadn't written you the
Love Letter. Your EEEee-vil rules are strong!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Santerre
Sent: Tuesday, October 14, 2003 2:01 PM
To: Spamassassin-Talk (E-
Yes :) http://spamhammers.nxtek.net
They will be here until Chris does his site update, and then you can
find them on his Rule Emporium site.
Jennifer
-Original Message-
From: Terry Shows [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 11:59 AM
To: Jennifer Wheeler
How much bandwidth / month does it average??
Jennifer
>I don't have ftp running on the server. I was actually going to see if
>anyone wanted to mirror my site, or just the files. I think
distributing >the lists to another site is a good idea. Any takers for
mirroring?
--Chris
> -Original Me
I'm glad you like. :) I'm still a little taken aback by them. They've
been almost too good to be true. I'm working on a couple rules to fill
the holes. I've already noticed a few changes they've made to their
technique (to no avail so far), and they seem to be working as I told
Larry. I'll le
Hi Keith,
Au contraire. That is exactly it. That explanation was beautiful! ( I
long for your brain. :) ) Thank you for taking the time to make that so
clear!
The rules actually work, but I suspected they were filled with garbage.
Thanks for cleaning them up! I'll put your shorn version on
I don't mind at all that you're scrutinizing the rules :) i would love
it if someone wants to improve them.
>> Each of the words use \w{#}? So if you have \w{5}? You would be saying
either 0 or 5 occurrences of [a-zA-Z0-9_].
>From what I understand, placing a ? after {n} does not mean match 0 o
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Robert Wagner
Sent: Thursday, October 09, 2003 9:15 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Catching Lots of Remarks in HTML Messages
We seem to be getting more messages like:
GIRLS THAT RE
Chris S. is going to be posting these on his site when he gets time, and
I believe he was also waiting on my tweaks. I have tweaked to the best
of my ability, which is scarce. :) I will post these now since there
was some discussion on catching tidal waves of hidden tags obscuring
known spam wor
Summoning the hermit out of her cave huh? ;) yeah I'll give a hand.
-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 9:40 AM
To: 'VonEssen, John'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Phrases I have modified
I have some notes o
Wednesday, September 17, 2003 11:35 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Help Unblacklisting RBL
Nope -- it's got nothing to do with SpamAssassin at all, so no amount of
whitelisting it in SA will help you. You need to whitelist it in the
software that's
>> what am i doing wrong here? I am trying to unblacklist an address
>> getting tagged by Infinite-Monkeys.
***
>1. "unblacklist_from" is used to de-blacklist a SpamAssassin blacklist
> (which is defined using the "blacklist_from" option)
I understand this now. Thank you.
>2. If you don'
I completely agree with your opinion about the open proxy biz. I'll see
if we can get them to take care of that on their end. In the meantime,
I've been asked to get these particular emails through to us without a
spam tag :) I'm just having trouble accomplishing that. (and have had
to fight to
what am i doing wrong here? I am trying to unblacklist an address
getting tagged by Infinite-Monkeys.
using spamassassin 2.55
i put the following line in /etc/mail/spamassassin/local.cf with all my
other rules and whitelisted addresses (all work fine) but this will not
work...
unblacklist_from
this is exactly what I was looking for. Thank you for pointing me in
the right direction! However, I'm still unable to make it work. When
you pointed out the hex representation to me, it turned on the light and
now I know I can paste those characters in multi edit and look at it in
hex mode if I
Thanks for the suggestion David, but we can't allow only English. We're
running this on a server with international clients. Guess I should
have mentioned that. :)
-Original Message-
Subject: Re: [SAtalk] Hebrew "i" ?? male organ spam
>
> And "í" is the only character that won't work
tist [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 11:53 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Hebrew "i" ?? male organ spam
On Tue, 29 Jul 2003, Jennifer Wheeler wrote:
> Has anyone made a rule using what appears to be a Hebrew letter &q
Has anyone made a rule using what appears to be a Hebrew letter "I"?
"í"
I wanted to add it to my "male organ" rule, but spamassassin doesn't
seem to recognize it. I did a search in the /spamassassin/languages
file and didn't see "í" in there. i would have thought it would have
been with
0 he.is
79 matches
Mail list logo
