RE: [SAtalk] paris hilton

2003-11-24 Thread ian douglas
Anyone have any good obfuscation rules for p4r1s h1|+0n spam? I'm getting a ton of these every day... http://sandgnat.com/cmos/cmos.jsp gave me a good result, but will not match a plus sign to substitute for a 't' character. -id --- This

RE: [SAtalk] paris hilton

2003-11-24 Thread ian douglas
Haven't seen the spam but one of these should work if your example text is always the same: No, it's different... started out being non-obfuscated, but has gradually gotten more and more l337. -id --- This SF.net email is sponsored by:

[SAtalk] rule help please

2003-11-20 Thread ian douglas
My rule definition: rawbody W98_UNSUBSCRIBE4 /prefer not to(?: ) see/i I want this to catch prefer not to see and prefer not tosee but the (?: ) doesn't seem to catch whether the space exists or not. Spam message contains: If you'd prefer not tosee subsequent offers: I searched through my

RE: [SAtalk] font color=#FFFFFF

2003-11-20 Thread ian douglas
Just my $0.02, but I'd make it this: color=(?\#?F[0-9A-F]F[0-9A-F]F[0-9A-F]?|?white FYI, you should also change color= to color(=|=3D) since I've had some spam slip through because the '=' is converted to =3D in the raw body. -id

RE: [SAtalk] rule help please

2003-11-20 Thread ian douglas
did you mean: rawbody W98_UNSUBSCRIBE4 /prefer not to(?: )?see/i Better yet: rawbody W98_UNSUBSCRIBE4 /prefer not to[ ]?see/i or even: rawbody W98_UNSUBSCRIBE4 /prefer not to ?see/i Ah, didn't know I needed a trailing ? after the set of parentheses, I thought the syntax was only

RE: [SAtalk] font color=#FFFFFF

2003-11-19 Thread ian douglas
describe MY_RBDY_INVSTXT MY: Invisible text color rawbody MY_RBDY_INVSTXT /font\s?.* color=(?\#?F[0-9A-F]?|?white?).*/i score MY_RBDY_INVSTXT 2.0 Just my $0.02, but I'd make it this: color=(?\#?F[0-9A-F]F[0-9A-F]F[0-9A-F]?|?white .. spammers will use more than just the

RE: [SAtalk] Tracking down thewizard.net forwarder

2003-11-19 Thread ian douglas
to 'pool.com' and/or 'thewizard.net' to solve the problem at the source? Yes. And without reply... I had to deal with this on a mailing list of thousands of users. My only recourse was to write a quick-n-dirty Perl script to run through the subscriber list and send everyone a very

RE: [SAtalk] Runtime problem SA 2.60 on RH 7.3

2003-11-14 Thread ian douglas
Anyway, I downloaded the sources, built it, and installed it with no problems. I rebuilt the Bayes db. When I started it (in debug mode) it logged this and then exited: My first install (2.55) was via CPAN, and upgraded (also via CPAN) to 2.60 on RedHat 7.3 and had zero problems. -id

[SAtalk] RE: upgrade source install to CPAN install

2003-11-13 Thread ian douglas
(sorry, my Email client got all funky on me this morning, yay Microsoft...) Anything that needs to be watched out for when upgrading from source install to CPAN? I usually do source, but figured I would try CPAN for SA, as it has worked great for other packages. I upgraded from a CPAN

RE: [SAtalk] Spam forward

2003-11-12 Thread ian douglas
err, i'm not sure how you setup your spamassasin but i have mailscanner going well cos it supports a virus scanner as well. I second that opinion. MailScanner/ClamAV/SA 2.60, and working great on a small-volume server: Spam/Mail Statistics; Total spamassassin rejected scanner

RE: [SAtalk] Spam forward

2003-11-12 Thread ian douglas
Now you've got me interested. how did you get those stats? I can't take credit for it. I turned on logging in SpamAssassin and MailScanner, and Mike Andrews on the list here submitted a script a few weeks ago that I tweaked a tiny bit although his worked fine on its own. My maillogs rotate on

RE: [SAtalk] Abused redirector URLs ?

2003-11-07 Thread ian douglas
since http://rd.yahoo.com/*http://taint.org works also Man, how hard would it be for Yahoo to look at an environment setting to determine which page referred the user's browser to this redirect, and NOT redirect if the previous page visited was not a Yahoo home page? Geez... Would stop this

RE: [SAtalk] stats script, by (fairly) popular demand - off-topic question

2003-11-07 Thread ian douglas
My new mailstats.pl script (matt's script with a few tweaks) is giving me some grief. My maillog files are named: maillog (for today) maillog.1.gz maillog.2.gz etc maillog.10.gz etc When Matt's script does the 'sort', it sorts it as: maillog maillog.1.gz maillog.10.gz maillog.11.gz

RE: [SAtalk] Delete spam mails

2003-11-07 Thread ian douglas
SpamAssassin drinking game: X sips for How can I get SpamAssassin to delete spams? X sips for Unsubscribe me please X sips for Subscribe me please X sips for Quit reading my e-mail! For every good, tested rule you create that works, everyone else takes X sips

RE: [SAtalk] stats script, by (fairly) popular demand - off-topic question

2003-11-07 Thread ian douglas
my @otherstuff = sort { (my $numa) = ($a =~ m/\.(\d+)\./); (my $numb) = ($b =~ m/\.(\d+)\./); $numa <=> $numb || $a cmp $b } @stuff; you rock, i owe ya a beer ;o) -id

RE: [SAtalk] SA threshold.. how high?

2003-11-05 Thread ian douglas
seem to catch something 'spamish' in just about any email now.. so my threshold of 5.5 just doesn't seem practical.. What threshold most of you use out there? My low threshold is 5.0, and my high was 8.0, but I found even with Bayes_90 set at 6.00, I still get a ton of spam scoring 7.4-7.8,

RE: [SAtalk] stats script, by (fairly) popular demand

2003-10-30 Thread Ian Douglas
my $s = grep /is spam/, @wholefile; # spam My log does have is spam in the log yet the script is returning 0's for me as well. Trying to hunt it down. I've even tried other strings from the MailScanner-generated logs from /var/log/maillog to no avail. -id

RE: [SAtalk] stats script, by (fairly) popular demand

2003-10-30 Thread Ian Douglas
You will need to adjust the search string to match your mail logs. Here's my maillog snippet: Oct 30 14:12:40 ns1 MailScanner[3201]: New Batch: Scanning 1 messages, 4214 bytes Oct 30 14:12:40 ns1 MailScanner[3201]: Archived message h9UMAPR07828 to mbox file /var/spool/MailScanner/archive Oct

RE: [SAtalk] stats script, by (fairly) popular demand

2003-10-30 Thread Ian Douglas
But the line that contains is spam doesn't seem to increment the counter. /shrug still looking at that myself. ... because I upgraded to SA 2.60 this week and set MailScanner to log spam messages via syslog, which wasn't in place for last week. (slapping self upside the head) For this week so

RE: [SAtalk] SpamAss is tagging my own emails

2003-10-27 Thread Ian Douglas
Rather than reducing the values of those scores, why don't you: 1) Have outgoing email not get checked by SA (what's the point of that anyway?) It keeps your own users in line by dumping any spam before they send it through your box. Great for trapping any open relay issues as well, I'd think.

RE: [SAtalk] IP Blocks to kill at the firewall?

2003-10-24 Thread Ian Douglas
http://www.stearns.org/sa-blacklist/sa-blacklist.current What's the best way to implement this? Add it on to the end of my MailScanner's pref's file for SA? -id

RE: [SAtalk] IP Blocks to kill at the firewall?

2003-10-24 Thread ian douglas
Am I the only one who's received a half dozen copies of this reply from Chris from the mailing list? Chris, is your mailer stuck in a loop or something? -id -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Trudeau Sent: Thursday, October 23,

[SAtalk] perhaps more of a mailscanner question?

2003-10-24 Thread ian douglas
Right now I have MailScanner configured to delete high scoring spam so it doesn't end up in my user's mailbox, but what about the 'bounce' option? I'd *really* like to find a way to spoof a 550 error or a 'user unknown' error that bounces back, just in case the people on the other end ARE

RE: [SAtalk] [RD] Domain has digits - test rules

2003-10-23 Thread Ian Douglas
My primary domain is w98.us, my other domain is wild98.com ... so effectively you'd cancel out my Email, correct? -id -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fred I-IS.COM Sent: Thursday, October 23, 2003 12:24 PM To: Spamassassin-Talk

RE: [SAtalk] How to update old version of SpamAssassin

2003-10-22 Thread ian douglas
Going from 2.5x to 2.6x should be pretty painless and just work.. the only problem cases I've seen are when people use spamd with -u root (2.60's spamd bails out if you try to force it to always run as root). If we're not using spamd, can a CPAN shell 'install' for SA upgrade without a

RE: [SAtalk] How BIG are 'auto-whitlist' files supposed to get?

2003-10-22 Thread Ian Douglas
If you allow shell access, you therefore effectively allow any user to meddle with any other user's SA prefs, AWL, and Bayes files if you do per-user Bayes as well. :/ Not an issue with chroot'd shell access though ;o) -id

RE: [SAtalk] [OT] What is next step?

2003-10-22 Thread Ian Douglas
Altho not thru SA, I created a set of programs that scan my qmail queue for doublebounces whatnot, scan the headers of normal messages and/or doublebounces log the IP addresses into a postgresql database. sendmail has an operative for double bounces to redirect those messages to another

RE: [SAtalk] How BIG are 'auto-whitlist' files supposed to get?

2003-10-21 Thread Ian Douglas
Charles Gregory wrote: When we first started using SA, I kept a casual eye on the personal files in .spamassassin, and did not see anything particularly problematic, but NOW I see auto-whitelist and 'bayes' files that are exceeding 1MB in size, each. Is this 'normal'? Any permission

RE: [SAtalk] Sendmail STMP NDR

2003-10-20 Thread Ian Douglas
We are having a problem with our backend server filling up the root mailbox with NDRs of users that are no longer with the company and I am trying to get my brain wrapped around the whole SMTP process. If the postmaster account is filling up with messages about trying to notify the original

RE: [SAtalk] infinite-monkeys

2003-10-18 Thread ian douglas
Spammers DDoS'd them off the net. Stop checking their DNSBL and tell others to stop using it too. monkeys.com is dead. Okay, thanks. -id

[SAtalk] infinite-monkeys

2003-10-17 Thread ian douglas
Anyone have any information on infinite-monkeys on how to contact them regarding getting removed from their systems? When I enable IM in my MailScanner setup for SpamAssassin, all outgoing mail from my servers gets kicked into la-la land - I scan all outgoing Email - because it's matching on

[SAtalk] Infinite-Monkeys

2003-09-15 Thread ian douglas
Hey folks. Left the list for a while but re-subscribed 'cause I have a question to ask: I have MailScanner running SA for me on 2 different servers and got everything working VERY well about two months ago. Within the last 3 weeks, both servers, which are secured and protected against open

[SAtalk] wow, this was a nice change

2003-08-14 Thread Ian Douglas
I currently have MailScanner set to archive all incoming messages to grab Email for sa-learn. In the archive, before MY SpamAssassin headers get added, I saw this message and had to chuckle: Received: from localhost [127.0.0.1] by quantum.paraphysics.com with SpamAssassin (2.55

RE: [SAtalk] user prefs file

2003-08-14 Thread Ian Douglas
I'm new to spamassassin. I'm using spamassassin and sendmail installed from redhat 9. I also have Mailscanner installed. It looks like spamassassin doesn't look at the users user_prefs file. Is there a way to configure spamassassin to look at the user_prefs file? The MailScanner.conf file

RE: [SAtalk] New dns tests to indicate spam?

2003-08-14 Thread Ian Douglas
This can be quickly pulled from a whois lookup. There's always the catch that the standard 'whois' lookup will only look for .com, .net and .edu domains. If you get a 2-letter domain like .us or .ca or .it, etc., you need to use a specialized whois tool. Anyone know of an any more global whois

[SAtalk] spam joke

2003-08-14 Thread Ian Douglas
Just got this from TopFive's Ruminations collection: I think spammers are starting to lose it. Just today I received an offer to lower my mortgage by three inches. - James Smarjesse Thought it was hilarious and wanted to share it with fellow spam-blocking enthusiasts! -id obligatory

RE: [SAtalk] stuff in white list getting tagged

2003-08-08 Thread Ian Douglas
I have some domain mail that is getting tagged as spam that is in my whitelist.cf. It almost appears the math is getting computed backwards. If something is getting an auto-whitelist adjustment shouldn't it be a negative number? Better yet, if something is in the whitelist shouldn't it get

[SAtalk] [RD] 0.00 rule values? why bother?

2003-07-31 Thread Ian Douglas
I just got two pieces of Email, and they had these SA headers: (this one wasn't spam, it was a mailing list with advertisements throughout) X-MailScanner-SpamCheck: not spam, SpamAssassin (score=5.1, required 6, CLICK_BELOW 0.00, CONSOLIDATE_DEBT 1.10, LOW_INTEREST 2.29, NO_FEE

[SAtalk] RE: [RD] 0.00 rule values? why bother?

2003-07-31 Thread Ian Douglas
(this one WAS spam, I've since trained and added rules for the content) X-MailScanner-SpamCheck: not spam, SpamAssassin (score=5.1, required 6, AWL 0.00, FROM_OFFERS 4.30, OFFERS_ETC 0.37) Here I suspect the average of emails from this address is nearly zero (or perhaps your AWL

RE: [SAtalk] those pesky small v*agra ads

2003-07-31 Thread ian douglas
H, maybe we should make some new rules that test the ratio of invisible text to visible text? But if the background is BLACK, white text is perfectly acceptable ... right? So defining visible vs invisible is your toughest chore. -id

[SAtalk] mis-calculation?

2003-07-31 Thread ian douglas
X-MailScanner-SpamCheck: spam, SpamAssassin (score=7.4, required 6, AWL 0.00, BAYES_30 -0.93, HTML_40_50 0.74, HTML_FONT_COLOR_BLUE 0.10, MIME_HTML_ONLY 0.10) 0.00 + -0.93 + 0.74 + 0.10 + 0.10 --- does NOT equal 7.4 ... I'm no math genius but my $2000 calculator here

RE: [SAtalk] G-a-p-p-y text

2003-07-31 Thread Ian Douglas
(Side question, what's a good gap class, \A or [-_*/\. ], or... ?) I see spaces, periods, tildes (~), and short comment markers a lot (!A) -id

[SAtalk] [RD] tiny comment 'gaps'

2003-07-30 Thread Ian Douglas
Hey all, Got a spam with a whole bunch of !A or !H or some other letter of the alphabet separating various 'catch' words/phrases. I'd like to do something like this: body COMMENT_GAPS_1 /\![A-Z]/i describe COMMENT_GAPS_1 !A !B etc score COMMENT_GAPS_1 0.1 body

RE: [SAtalk] [RD] rule discussion

2003-07-30 Thread Ian Douglas
hmm, eval tests for idiots, kinda sounds like loaded shotguns for idiots, should reduce the idiot count but is that really what is desired? :) Oh, I'd be quite happy with less idiots in the world ;o) Wait, was that out loud? -id

RE: [SAtalk] [RD] tiny comment 'gaps', --lint

2003-07-30 Thread Ian Douglas
But I purposely set one of my rules to awbody instead of rawbody and --lint didn't catch it. Which version of SA are you running? 2.55

RE: [SAtalk] Block an entire Network?

2003-07-28 Thread ian douglas
a friend blocked all mail from france as a joke once, cos he didn't like the french and didn't know anyone there cut down on spam by 95% I block a lot of Asia Pacific, some European countries, etc., at a firewall level on port 25 because I don't know anybody there either and the mail coming

RE: [SAtalk] bayes question

2003-07-26 Thread ian douglas
First, run spamassassin -tD sample-spam.txt.. look at the debug output. Is bayes even enabled? are there enough tokens? debug: Score set 0 chosen. debug: running in taint mode? no debug: using /usr/share/spamassassin for default rules dir debug: using /etc/mail/spamassassin for site rules dir

RE: [SAtalk] bayes question

2003-07-26 Thread ian douglas
debug: debug: Only 86 ham(s) in Bayes DB 200 There's your answer as to why Bayes isn't scoring for you. Gotcha, thanks. -id

RE: [SAtalk] spam funny

2003-07-25 Thread Ian Douglas
When I saw your title I was hoping for a chuckle. I have a friend that works at Hormel ...I'm sure I could get all kinds of Spam humor from her. (Hormel makes the meat they call SPAM) Likewise we can go on with more consonants: score MY_CONSONANT_4 0.15 score MY_CONSONANT_5 0.30

[SAtalk] bayes question

2003-07-25 Thread Ian Douglas
I've been putting sa-learn through the gears with many thousands of spam messages (gotta love web hosting 100+ domains most of which do nothing but collect spam /sigh). I'm curious how Bayes is *supposed* to be learning... I find that despite learning from hundreds of MB of spam that spam is

[SAtalk] sa-learn question

2003-07-24 Thread ian douglas
I've been lurking about reading up on training ham mailboxes but don't generally keep mail on my Linux servers... unless I start making aliases and extra mailboxes to keep copies on the server and filter it all by hand. Can sa-learn read Outlook mailboxes? Or does anyone have any