Re: New fraud that seems to be slipping through

2004-08-27 Thread David B Funk
On Fri, 27 Aug 2004, Loren Wilton wrote: > > >> "I AM MR." > > >> > > >> I mean who the hell says that? > > And more to the point, all in uppercase, including the following word. > The KSR-33 died as a viable internet and mail terminal some years ago. > > Loren No, they just all got shipp

Re: Confused about Whitelist_From_RCVD

2004-08-12 Thread David B Funk
On Wed, 11 Aug 2004, LuKreme wrote: > On 10 Aug 2004, at 23:15, David B Funk wrote: > > On Tue, 10 Aug 2004, LuKreme wrote: > >> My mail server does double duty as my secondary MX, so the r-DNS for > >> 64.140.43.68 is ns2.covisp.net instead of mail.covisp.net. Is

Re: false positive with FORGED_OUTLOOK_TAGS and MIME_BASE64_TEXT

2004-08-11 Thread David B Funk
On Wed, 11 Aug 2004, Fred W. Bacon wrote: > We got a troubling false positive today. A message from a potential > business partner in Korea was marked as spam because the message matched > the rules FORGED_MUA_OUTLOOK, FORGED_OUTLOOK_TAGS and MIME_BASE64_TEXT. > > We're using spamassassin 2.63 ca

RE: Problem with Bayes.. SA 2.63

2004-08-11 Thread David B Funk
On Wed, 11 Aug 2004, Robert Leonard wrote: > I have the following in my local.cf, so I assume I am forcing the path.. > > **bayes_path /bayes/** (without the **'s of course) > > I added the line bayes_file_mode 777 to the local.cf and restarted SA.. But > the log still shows the same error after

Re: [SURBL-Discuss] RE: Pesky Pron Spam

2004-08-11 Thread David B Funk
On Wed, 11 Aug 2004, Steven Champeon wrote: > on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote: > > Look at these things they have in common. Need to look at rawbody code. > > > > alt=3d > > =2e(org|gif|htm) #split into 3 > > name=3dgenerator > > ==.HTM > > bgColor=3d > > face=3d > >

Re: Confused about Whitelist_From_RCVD

2004-08-11 Thread David B Funk
On Tue, 10 Aug 2004, LuKreme wrote: > On 10 Aug 2004, at 18:32, David B Funk wrote: > > It does have one limitation; the sending mail server needs to have > > a valid R-DNS listing. In this particular case it doesn't so you CANNOT > > use whitelist_from_recvd here. >

Re: Confused about Whitelist_From_RCVD

2004-08-11 Thread David B Funk
On Tue, 10 Aug 2004, Matt Kettler wrote: > At 03:53 AM 8/10/2004 -0700, Loren Wilton wrote: > >The second operand matches a received > >header, so I think it would be something along the lines of > > > > whitelist_from_recvd *lovefilm.com merlin.lovefilm.com > > > >Better check that in the wik

Re: Is this Blacklist format wrong?

2004-08-07 Thread David B Funk
On Fri, 6 Aug 2004, John Andersen wrote: > > yes. Must be > > > > blacklist_from [EMAIL PROTECTED] > > Ok, but as I mentioned, there is another node in there that > varies, sometimes @email.vikingrivercruises.com, sometimes > @mail.vikingrivercruises.com, etc. They keep changing it. > > So I gue

Re: Spamassassin with spamass-milter

2004-08-07 Thread David B Funk
On Sat, 7 Aug 2004, Brett Hales wrote: > I am trying to spamassassin working with spamass-milter (x86 Gentoo). I > included the following line in /etc/mail/sendmail.mc and rebuilt > sendmail.cf. This is what I used for RedHat and it worked. > > INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/s

Re: Spamassassin with spamass-milter

2004-08-07 Thread David B Funk
On Sat, 7 Aug 2004, Brett Hales wrote: > I am trying to spamassassin working with spamass-milter (x86 Gentoo). I > included the following line in /etc/mail/sendmail.mc and rebuilt > sendmail.cf. This is what I used for RedHat and it worked. > > INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/s

Re: Score discrepancy

2004-07-30 Thread David B Funk
On Thu, 29 Jul 2004, Ryan Thompson wrote: > > Hi all, > > It's rare for mail to slip through the cracks these days, but this one > really got my attention: > X-Spam-Virus-Status: Clean, ClamAV version devel-20040622, > clamav-milter version 0.72a on drizzle.sasknow.net > X-Spam-Status: No,

Re: SURBL DoS possible?

2004-07-29 Thread David B Funk
On Thu, 29 Jul 2004, Mariano Absatz wrote: > On Thu, 29 Jul 2004 09:24:31 -0500, Bob Apthorpe > <[EMAIL PROTECTED]> wrote: > > On Thu, 29 Jul 2004 10:40:44 -0300 Mariano Absatz <[EMAIL PROTECTED]> wrote: > > > > > I was wondering... > > [...] > > > What would happen if a spammer intentionally star

RE: Re[4]: Can't tune spamassassin to read User_Prefs

2004-07-28 Thread David B Funk
On Tue, 27 Jul 2004, Kang , Joseph S. wrote: > > Sorry, but i'm not using it with amavis-milter... SA is dedicately > > used with sendmail and spamass-milter... So amavis don't > > affect the Spamassassin... > > I see that now. > > > Please just tell me, what i have to do to turn on this feature?

RE: Yahoo forged rules on legit email

2004-07-23 Thread David B Funk
On Thu, 22 Jul 2004, Bret Miller wrote: > > Someone at my company received an order inquiry from someone whose > > return address was at a yahoo account, but they must have sent it from > > another account. The message was tagged by several "Forged Yahoo" > > rules and Faked HELO rules. Viewable

RE: SURBL tags Logwatch reports

2004-07-22 Thread David B Funk
On Wed, 21 Jul 2004, Kenneth Porter wrote: > --On Wednesday, July 21, 2004 10:23 AM -0400 Chris Santerre > <[EMAIL PROTECTED]> wrote: > > > Maybe have the log emails to an alias the doesn't get scanned? > > I realized that all mail from root should be automated stuff coming from > the box, never s

Re: Catching more phishers - Not Really a SURBL Case

2004-07-20 Thread David B Funk
On Mon, 19 Jul 2004, Albert Whale wrote: > OK so the message didn't trigger as SPAM. I need to figure out how to > detect the Phisher, and ALWAYS trigger the SPAM sensor. > > Perhaps it's not the SURBL Test. But as in the following example, the > first half of this http reference is not even cl

Re: Want to save hundreds on software? bdwc (fwd)

2004-07-16 Thread David B Funk
On Wed, 14 Jul 2004, Mike Burger wrote: > I'm not sure how this happened. > > As can be seen by the report in the headers, this hits a whole lot of > tests, but the score comes up as "nan" and ^X-SPAM-STATUS comes up as "no" > > This is running SA 2.63. Any ideas on how this scoring happened? Ye

RE: sa-learn

2004-07-07 Thread David B Funk
On Wed, 7 Jul 2004, Stephen Gray wrote: > The header of the mailbox says *mbx* and a conversion program I ran on it > identified it as mbox format so I'm not sure. It could of course be in some > intermediate format that only the imap daemon knows about. If the first line of the mailbox is just

RE: sa-learn

2004-07-07 Thread David B Funk
On Wed, 7 Jul 2004, Mike Burger wrote: > My experience has been that you need to use "<" to read in the mailbox > file: > > sa-learn --spam --mbox < mailbox_name No, you do not need that shell I/O redirector -if- the mailbox is in standard Unix 'mbox' format. The sa-learn switch '--mbox' declares

Re: spamd kills box

2004-07-01 Thread David B Funk
On Wed, 30 Jun 2004, Chris wrote: > Must be because the little message below took 43.6 secs to process, while > the norm now seems to be between 3.5 and 11 seconds. I still question > though why it seems to take so long to process a 'clean' message as opposed > to a 'spam' message, almost twice as

Re: blacklist brings system to halt

2004-06-30 Thread David B Funk
On Tue, 29 Jun 2004, Chris wrote: > Bill and others, I managed to cut my processing time down from an average of > 60 - 80 seconds to between 3 and 18 seconds by removing the large rule > files, disabling auto_learn. Were you doing auto_learn with or without journaling? auto_learn to journal shou

Re: German spam

2004-06-19 Thread David B Funk
On Fri, 18 Jun 2004, Thomas Kinghorn wrote: > Hi List. > > I have noticed a drastic increase in German spam being received. > > However, the source of the SPAM is from dynamically assigned IP address > space. Therefore, blocking the range is not an option. > Do you understand that these things ar

Re: Whitelist/Blacklist by IP Address?

2004-06-15 Thread David B Funk
On Mon, 14 Jun 2004, Jason Granat wrote: > Hmm, that looks like it could be useful. However, it doesn't allow me to > whitelist the entire from_rcvd domain. Unless I am reading it wrong. From > Mail::SpamAssassin::Conf: > >whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net >

RE: Flooded by spam in German

2004-06-11 Thread David B Funk
On Fri, 11 Jun 2004, Pierre Thomson wrote: > It absolutely WILL hit on ham. I gave Message-id =+ /qmail\@/ a score of 2.0 > which seems to help axe the German propaganda without generating FP's. > > So far today we have seen 19 emails hit the qmail@ rule, of which only two > triggered the other

Re: SA score rules for this

2004-06-10 Thread David B Funk
On Thu, 10 Jun 2004, Dimitrios wrote: > We get lots of spam which hit absolutely none of the SA score rules. > > They of course get marked as spam because they hit BAYES_99 and some > times, some of the RCVD_IN_... > > Are there any custom rules for this? Here is an example: > > -- CUT > >The hand

Re: Blocking all of China

2004-06-10 Thread David B Funk
On Thu, 10 Jun 2004, John Andersen wrote: > How, then, would sould someone running a Tax Accountancy in East > Midlands Texas suffer from blocking all of China? > > I have most of Korea blocked. I can't read a word of Korean. Not everything coming out of China/Korea is in Chinese/Korean. In th

Re: [OT] Interesting Data Points

2004-06-10 Thread David B Funk
On Tue, 8 Jun 2004, Jon Trulson wrote: > I think at least some of these spammers see that the secondary (at > least in my case) accepts a lot of their spam, so they assume "Ah ha! my > crap is getting through here!". Though in reality, once the secondary > tries to deliver it to the primary

Re: [OT, sorta] spam honeypot with SA & Sendmail

2004-06-09 Thread David B Funk
On Wed, 9 Jun 2004, Mike Jackson wrote: > > Sendmail's mailertable should invoke before the local mailer, so if that's > > the case, it could queue mail from the real instance of Sendmail for > > delivery when the real daemon is available, and real mail wouldn't get > > learned. But, your way is s

Re: Handling Identified ***SPAM***

2004-06-09 Thread David B Funk
On Wed, 9 Jun 2004, Tech wrote: > Ok. I get it... : -) > > I'm using SA, Spamass-milter and Sendmail and am > still trying to understand how the different pieces > work together. %-} > > I had a spamass-milter argument set to -r 10 which > would only reject mail with a score of 10 or greater > :-(

Re: [OT, sorta] spam honeypot with SA & Sendmail

2004-06-09 Thread David B Funk
On Wed, 9 Jun 2004, Fred wrote: > Mike Jackson wrote: > > Sorry for something that's off-topic, but this is the only list I > > read :) > > Setting up a secondary MX server means having a second box, not creating a > second instance on the same server. If you have a hardware failure or > someone

Re: X-UIDL in headers?

2004-06-09 Thread David B Funk
On Wed, 9 Jun 2004, Paolo Cravero as2594 wrote: > Hi. > I just received a spam of which I copy here a part of headers. It > slipped though a postfix+SA2.62 installation (basic SA with Bayes). > > > Most of the message text was in a embedded picture, and a lot of CSS. > > > What surprises me is the

Re: rewrite_subject

2004-06-08 Thread David B Funk
On Thu, 3 Jun 2004, Michael Jonsson wrote: > I'm using sendmail with spammilter... > > #sendmail.mc > MAILER(smtp)dnl > MAILER(procmail)dnl > INPUT_MAIL_FILTER(`spamassassin', > `S=local:/var/run/spammilter/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl > ##

Re: spam with -2.1 score!

2004-06-08 Thread David B Funk
On Tue, 8 Jun 2004, Dimitrios wrote: > I've attached a spam email which got -2.1 score. Quite amazing that > it also passed my baysian database and all tests!! > > Please take a look at it and let me know what you think. Why is that amazing? Based upon the training done at your site, your local B

Re: Interesting malware via eBay phish.

2004-06-08 Thread David B Funk
On Mon, 7 Jun 2004, Justin Mason wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > Actually, quite a lot of phishing attempt spams *do* link to websites > with serious malware payloads, and even sophisticated target-specific > trojans. I saw a dissection of one online somewhere -- it

Re: Huh?!?!

2004-06-08 Thread David B Funk
On Mon, 7 Jun 2004, Scott Rothgaber wrote: > Can someone explain this? Looks like at least half a dozen tests should > have hit it. Furthermore, if the score is 0.0, why wasn't it > autolearned? Thinking that maybe SA was just to busy at the time and > took a break, I ran it through manually. Same

Case InsEnsiTive uri detection?

2004-06-07 Thread David B Funk
The uri parser in PerMsgStatus.pm is case sensitive. IE it will recognize a uri like: http://bad-site.com/add/garbage.html but not: hTTp://bad-site.com/add/garbage.html Recently found a FN that contained add site references that looked like that. None of my uri rules fired, just editing the sp

Re: spamc-spamd vs spamassassin

2004-06-05 Thread David B Funk
On Sat, 5 Jun 2004, Jari Fredriksson wrote: > On Sat, June 5, 2004 3:13, Theo Van Dinter said: > > On Fri, Jun 04, 2004 at 04:00:58PM -0700, Patrick Morris wrote: > >> >Its my understanding that spamd is more than a wrapper. > >> >I understood it to be a C program that does the same thing > >> >as

Re: [sort of OT] Sendmail and RBLs

2004-06-04 Thread David B Funk
On Fri, 4 Jun 2004, Carl R. Friend wrote: >I'll second Jeff's comment here. RBLs as implemented in > Sendmail are a binary decision. Either we *accept* this message > or we *do not* (before we even get to the "MAIL FROM:" clause). That used to be the case. With newer sendmail implementation

Re: .spamassasign in outlook imap folders

2004-06-04 Thread David B Funk
On Thu, 3 Jun 2004, jdow wrote: > With imap-2001a-18 from RedHat 9 and OutLook the user can see every > file within their user directory. So there's not much to do about it. > The best shot might be to setup a "mail" directory in which all valid > mail folders live. Then pray. > > If somebody does

Re: Tiny Font

2004-06-04 Thread David B Funk
On Thu, 3 Jun 2004, Scott Rothgaber wrote: > SA caught this one with the new Bayes poison rule but it missed the tiny > font. I took a peek at 20_html_tests.cf but I'm Perl-impaired. :( Can > anyone suggest a way to catch this: > > Got this from a posting by Bob Menschel some time back: rawbo

Re: Mail with large attachments not being checked by SA

2004-06-03 Thread David B Funk
On Wed, 2 Jun 2004, Loren Wilton wrote: > It could probably try to separate the binary from the text and only process > the text, but apparently the devs don't consider this worthwhile. I suspect There is already a tool that will let you do just that, MIMEDefang. Use it to pick apart the message

Re: Explicit Email getting Through SA

2004-06-02 Thread David B Funk
On Wed, 2 Jun 2004, Duncan Hill wrote: > On Tuesday 01 June 2004 18:31, Spam Admin might have typed: > > > > What score does Bayes assign? > > > Have you told Bayes that these mails are spam? > > > > It's doubtful I'm using Bayes, as this is simply a "filter and forward" > > server to an internal

Re: [spa] Re: [spa] Re: URI tests

2004-06-02 Thread David B Funk
On Wed, 2 Jun 2004, Charles Gregory wrote: > On Tue, 1 Jun 2004, Loren Wilton wrote: > > >Yada, yada, text stuff > > Was there a line break in the url? I seem to remember that urls are not > > supposed to contain line breaks if possible, and there are some 2.63

Re: URI tests

2004-06-01 Thread David B Funk
On Tue, 1 Jun 2004, Charles Gregory wrote: > On Tue, 1 Jun 2004, David B Funk wrote: > > > > >uri LOC_DIETSITE /[0-9]{3,6}diet\.biz/i > > If the message was Quoted-Printable encoded with a bastardized variety > > of QP encoding that uses lower-case HEX character

Re: [spa] Re: URI tests

2004-06-01 Thread David B Funk
On Tue, 1 Jun 2004, Charles Gregory wrote: > On Tue, 1 Jun 2004, Matt Kettler wrote: > > >Yesterday I set up a test for a URI (in SA 2.60, procmail, RH9): > > >uri LOC_DIETSITE /[0-9]{3,6}diet\.biz/i > > >describe LOC_DIETSITE diet website > > >score LOC_DIETSITE2 > > >To put it anoth

Re: Using spamc with find...

2004-05-29 Thread David B Funk
On Fri, 28 May 2004, Joe Emenaker wrote: > David B Funk wrote: > > >Try: > > > >find . -type f -print | xargs -i echo "spamc -r < {}" | sh > > > > > Incidentally, "-print" is implied if you don't use "-exec" (a

Re: Using spamc with find...

2004-05-28 Thread David B Funk
On Fri, 28 May 2004, Paul Makepeace wrote: > On 2004-05-28 22:02:48 +0100, Sean Kennedy wrote: > > Hi folks, I was playing around the other day, and I came up with an > > interesting problem. > > > > What I wanted to do was to run a Maildir directory through spamc. I > > figured the best way to

Re: ? permissions lockfile

2004-05-24 Thread David B Funk
On Sun, 23 May 2004, Matt Kettler wrote: > If you're forcing a global bayes database in local.cf you must set up one > of two scenarios: > > The first scenario ensures everyone can read/write/delete and create files > in the directory and that it doesn't matter who owns them: > > 1) the

Re: One that keeps slipping through

2004-05-24 Thread David B Funk
On Mon, 24 May 2004, Vermyndax wrote: > Here's one that keeps slipping through daily. This one scored 2.5. > Perhaps one of the rules on rulesemporium should be updated for > "adipren"? Can you use network checks? The sending IP of that message hit 6 different DNSBLs. One of the hosts in a URL i

Re: All Messages BAYES_99

2004-05-21 Thread David B Funk
On Thu, 20 May 2004, Scott Rothgaber wrote: > Starting sometime this morning, all messages have been tagged as spam > because of BAYES_99. Any ideas about what would cause this? Try doing a "sa-learn --dump magic" to see the state of your Bayes meta-data. In particular, look at the 'oldest atime

Re: yahoo groups still getting tagged

2004-05-19 Thread David B Funk
On Tue, 18 May 2004, Pat Noordsij wrote: > I know that it has been discussed before and I did check the archives > but I guess I'm feeling very dense. I can't get yahoo groups through > without being flagged as spam. If someone has the "perfect" rule out > there could you share it with me (off g

RE: Found a way to avoid spamassassin! How to fix?

2004-05-14 Thread David B Funk
On Fri, 14 May 2004, Mark London wrote: > That won't work from our site, because we have people constantly > travelling to different networks, while still sending mail from > @psfc.mit.edu. > > I should be able to automate the process of adding usernames to a the > sendmail access list, at the sam

Re: Lint error

2004-05-13 Thread David B Funk
On Thu, 13 May 2004, Jim Knuth wrote: > Hello and good evening Matt, > > thanks for the email of 13.05.2004 at 20:48 > Matt Kettler wrote: > > > Offhand I can only think of two causes. A typo, or an ancient version of SA > > that doesn't support whitelist_from_rcvd. > > Failed to parse li

Re: Multiple MX servers using same Bayes DB

2004-05-11 Thread David B Funk
On Tue, 11 May 2004, D.J. Harbaugh wrote: > Fortunately, I don't plan on using autolearn. Since I'll be manually > adding the ham/spam, I shouldn't have any file locking problems since the > MX's will only be reading from the DB... forgot about that *small* detail :-) Um, you're overlooking one

Re: honeypots

2004-05-07 Thread David B Funk
On Thu, 6 May 2004, Jeff Chan wrote: > On Thursday, May 6, 2004, 9:39:09 PM, Robert Menschel wrote: > > I'm thinking that I should take that URI, cut and paste and modify it in > > my browser, and go to something like: > >> http://rmvs.com/r.asp?123456&[EMAIL PROTECTED]&H > > Note that I modified

Re: ALL_SPAM_TO

2004-05-06 Thread David B Funk
On Thu, 6 May 2004, Matt Kettler wrote: > At 11:49 AM 5/6/04 +0400, Sergey Smirnov wrote: > >Unfortunately I'm using SA with sendmail + spamass-milter. > >I can't use common procmail filter because I have to forward messages to > >M$ Exchange and store copy of message locally. > >It's easy for me

This list is censored

2004-05-06 Thread David B Funk
HELP! This list is being censored. Every attempt I've made to post a message about a new kind of virus/spam attack has been rejected by this list with an error: ... while talking to mail.apache.org.: >>> DATA <<< 553 Spam or junk mail threshold exceeded. See http://www.flame.org/qmail/spamjunk.h

Re: Opinions on SpamAssassin MIME_BASE64 scoring?

2004-05-06 Thread David B Funk
On Wed, 5 May 2004, OpenMacNews wrote: > 0.0 MIME_BASE64_NO_NAME RAW: base64 attachment does not have a file > name > 1.0 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding > > Can anyone comment as to whether it makes sense to simply score these rules > to "20-is

The French Connection Cyborged (spammers & viruses)

2004-05-01 Thread David B Funk
Hmm, I -knew- that there was a connection between the spate of new viruses and increasing flood of spam. I didn't know that there was evidence of payola & the mob, see: http://www.theregister.com/2004/04/30/spam_biz/ (But will they make a movie from it? ;) -- Dave Funk

blocking viruses (Re: Semi-OT: Viral social engineering at it's finest..)

2004-03-30 Thread David B Funk
On Tue, 30 Mar 2004, Tom Emerson wrote: > well, I wouldn't want to intentionally submit a virus to an e-mail reflector, > now would I? :) That said, here is the content of the message [sans nasty > attachment] for your enjoyment: > > ---the message > Return-Path: <[EMAIL PROTECTED]> >

Re: drk@w123.at: bounce "No such user"

2004-03-30 Thread David B Funk
On Mon, 29 Mar 2004, Alex Pleiner wrote: > Well, qmail does per default (i.e. without a patch) accept all messages > for the domains it handles and sends bounces for non-existent users. > While this generates extra load, it is not just dumb to do it this way. Ah, then qmail is a tool that spammer

RE: drk@w123.at: bounce "No such user"

2004-03-30 Thread David B Funk
On Mon, 29 Mar 2004, Darren Coleman wrote: > The problem is, SA can only assess the spammyness of an email AFTER the > headers have been received (i.e. From, To, etc) by which point it would > be impossible to return a true 550 error. > > Daz It would seem so but the SMTP protocol allows you to r

Re: Bayes changing files

2004-03-27 Thread David B Funk
On Fri, 26 Mar 2004, John Hardin wrote: > On Fri, 2004-03-26 at 13:54, mike wrote: > > Thanks. looks like that is working. > > > > Kris Deugau wrote: > > > > >bayes_file_mode 0777 > > > > > The bayes database files are neither directories nor executables; they > do not need execute permissions.

Re: Rules to count number of occurrences

2004-03-26 Thread David B Funk
On Fri, 26 Mar 2004, Al Danks wrote: > hbinc.com> writes: > > > 7 occurrences anywhere in the message: > > /(\b(best|most|more|((best|bett|bigg|larg|fast|quick)(er|est)))\b.*){7}/i > > > > > Matt, > > After a bit of testing I've discovered that the rule doesn't trip when there > is > a blank li

Re: Bigevil update with flavor.Adult. And info on tonight.

2004-03-26 Thread David B Funk
On Thu, 25 Mar 2004, Bill Randle wrote: > I would volunteer the ISP I manage to host a mirror if this is > implemented. We have plenty of bandwidth. > > -Bill Randle > SysAdmin > OutlawNet, Inc. > [EMAIL PROTECTED] Ditto. -- Dave Funk

RE: Max size checked

2004-03-26 Thread David B Funk
On Mon, 22 Mar 2004, Smart,Dan wrote: > PMJI, but... > > I've been wondering where the 250K number comes from, and if it is still a > valid max size? Is message size an indicator of spamminess? Only insofar as spam tends to be small (spammers go for quantity, not quality ;). Scanning large messa

RE: spamd stay-alive script?

2004-03-24 Thread David B Funk
On Wed, 24 Mar 2004, John Schneider wrote: > Hi Dave, > > >> high). We use sendmail and I've got it configured with rate > >> limit thresholds to defend spamd from mail-bomb attacks > >> (externally or internally generated ;). Reasonable rate > >> limiting has totally cured our SA from overload de

Re: spamd stay-alive script?

2004-03-22 Thread David B Funk
On Mon, 22 Mar 2004, Paolo Cravero as2594 wrote: > Hi. > An exceptionally high load of incoming messages has managed to crash > spamd (Postfix + SpamAssassin 2.62 on a dual Xeon 2G4). > > Is there a crontab script that monitors spamd health and in case > attempts a restart and/or warns a sysadmin?

Re: increased score for multiple blacklist hits

2004-03-22 Thread David B Funk
On Mon, 22 Mar 2004, Matt Kettler wrote: > At 03:49 PM 3/22/2004, Chris Barnes wrote: > >I am interested in creating a rule that would give extra points if a > >message appears in multiple blacklists (NABL, SORBS, etc). The idea is > >that if a message gets a hit in 3 of the BL, it is more likely

Re: OT - Easiest *nix to set up

2004-03-22 Thread David B Funk
On Mon, 22 Mar 2004, Chris Barnes wrote: > Grant Baxter <[EMAIL PROTECTED]> wrote: [snip..] > > I've used Windows only for the past twenty or so years. I've never > > touched any Unix variant, so I would like some recommendations for the > > easiest Unix variant to set up and get running as a mail

Re: Bigevil Nomination? (Was Re: (I) Can-Spam compliant)

2004-03-22 Thread David B Funk
On Sun, 21 Mar 2004, LuKreme wrote: > Well, I went ahead and clicked the remove link and immediately (within > 10 minutes) received several more spams from this outfit. I have > LARTed to their NSP and local-blacklisted the class C. I've got some unique e-mail addresses that I never use except f

Re: Max size checked

2004-03-22 Thread David B Funk
On Sat, 20 Mar 2004, Bob Apthorpe wrote: > On Sat, 20 Mar 2004 07:57:55 -0500 "Frank DeChellis" <[EMAIL PROTECTED]> > wrote: > > > We're using Exim 2.63. Is there an option I can enter in local.cf or > > somewhere else to limit the size of email Sa will check or tell it to only > > scan the fors

Re: Wells Fargo spam

2004-03-22 Thread David B Funk
On Sat, 20 Mar 2004, jdow wrote: > From: "Kenneth Porter" <[EMAIL PROTECTED]> > > > > Here's an interesting one. I don't recall having a Wells Fargo account, > and > > they sent this to one of my blacklist addresses, which I use when posting > > to newsgroups. > > I received one, too. It's a phish

Re: Would someone check these rules?

2004-03-20 Thread David B Funk
On Fri, 19 Mar 2004, Alton Danks wrote: > Hello, > > Would someone give these rules a run and see how much trouble they cause? > There might be some obvious overlap with existing, better, rulesets. If you > feel like pointing them out it would be great. One last thing, on the [snip..] > rawbody C

Re: YO DEVELOPERS! Efficiency idea

2004-03-17 Thread David B Funk
On Wed, 17 Mar 2004, Adam D. Lopresto wrote: > On Wed, 17 Mar 2004, Mat Bowen wrote: > > > What about only running the RBLs if the email is below the spam > > threshold? Most of my mail is classified as spam without running them > > so it seems unnecessary to spend time checking them only to push

Re: New rule set

2004-03-17 Thread David B Funk
On Wed, 17 Mar 2004, Bob Apthorpe wrote: > Hrm. Does it hurt to change > > /\w\whref=http:/i > > to > > /\w\whref="?https?:/i That would work but didn't seem necessary. I just tossed this together Q&D to hit the targeted spam. > > or even > > /\w\whref="?[a-z]{4,8}:/i As it is a rawbody,

New rule set

2004-03-17 Thread David B Funk
Would somebody please mass-check the following rule set and let me know if there's any collateral damage? I whipped them up to deal with a new flavor of spam that I'm seeing more of these days. rawbody L_FAKE_HREF /\w\whref=http:/i describe L_FAKE_HREF Faked href to hide spammer URLs score

Re: How to block brute force mail address scans?

2004-03-15 Thread David B Funk
On Mon, 15 Mar 2004, Greg Cirino - Cirelle Enterprises wrote: > An effective way is to send all bad addresses to the bit bucket > without a reject message. > > You won't be cleaning up their database either. If you can spare the bandwidth/CPU, accept it for what it is, free Bayes food. ;) I use a

Re: multiple relay dilutes score

2004-03-15 Thread David B Funk
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote: > We have several mail servers for our domain. We have spamassassin > running globally on each, tagging the mail before delivery. > > The problem is this: sometimes mail needs to go from one server to > another before delivery. And sometimes, even tho

Re: Milterfilter with SA?

2004-03-15 Thread David B Funk
On Mon, 15 Mar 2004, Jennifer Fountain wrote: > Has anyone had any success getting a milter filter type application to > work with SA? If so, which one and where can I find documentation? I > have been googling but haven't seen any that was revelent. > There are a variety of sendmail anti-spam m

RE: SA 4 Win 's gotta be bugged bad!

2004-03-15 Thread David B Funk
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote: > What's worse now is this: > [snip..] > I then changed HOT_NASTY2 to look like this: > > body HOT_NASTY2 Subject: > /\b(?=[dehklnswxy])(?:horny|nasty|hot|wild|young|horniest|nastiest|hottest|w > ildest|youngest|naughty|dirtiest|slutty|kinky|lusty|ext

Re: Habeas worthless?

2004-03-13 Thread David B Funk
On Fri, 12 Mar 2004, Mike Smith wrote: > I think I'm going to start applying positive scores to habeas. While I think > the underlying idea is good, I'll have to agree with the others. I have > NEVER received any personal mail with Habeas headers. OK, I did a quick survey of a couple hundred inbo

Re: URL Extractor?

2004-03-13 Thread David B Funk
On Fri, 12 Mar 2004, Kirk Ismay wrote: > Just so I don't have to reinvent the wheel, does anyone have a perl script > to extract all URL's from a mailbox/message? I'd like to automatically > generate a blacklist from spamtrap mailboxes and such. The desired output > would be similar to the BigEvi

Re: How did this one get through?

2004-03-12 Thread David B Funk
On Fri, 12 Mar 2004, Michael Weber wrote: > I am running a fairly stock 2.63 installation with Postfix, antidrug, > bigevil, chickenpox, weeds_2 rule sets. I would have thought that a > spam with the big-V spelled out, not even mispeled, would have been > flagged for sure. > > Here's some of the

Re: bayes scoring q

2004-03-11 Thread David B Funk
On Wed, 10 Mar 2004, Jeff Makey wrote: > Dave Funk wrote: > > 553 5.1.8 <[EMAIL PROTECTED]>... Domain of sender address [EMAIL > > PROTECTED] does not exist > > > >You do a DNS resolvability check on each message that somebody tries to > >hand you, which is dependent upon an arbitrary remote DN

Re: Habeas status?

2004-03-11 Thread David B Funk
On Wed, 10 Mar 2004, jdow wrote: > I am ready to run their score up positive 1 or so. On one hand Their > logic is faulty, I believe - unless they are spammers. I know very > few people who are able to manipulate headers in such a manner as > to insert the Habeas headers. Most of my correspondents

Re: Opinions About SPF

2004-03-11 Thread David B Funk
On Wed, 10 Mar 2004, Mark C. Langston wrote: > Mark has every clue about how to insert and correctly use a Reply-To: > header. Many MUAs, including many of those on mobile devices, don't > allow the user to insert said header. > > Many more end-users are completely unaware of the existence of thi

Re: bayes scoring q

2004-03-11 Thread David B Funk
On Wed, 10 Mar 2004, Glenn Little wrote: > I think the performance hit and reliance on an external > connection for every email processed was at least an > equal concern. > > In practice is that just not a problem? How about > a network timeout situation? How does that end up > working out? Sou

Re: OT: Quick BIND question..

2004-03-10 Thread David B Funk
On Wed, 10 Mar 2004, Jonathan Nichols wrote: > "query (cache) denied" > > Is there a channel that I can use to drop the "query (cache) denied" > messages into { null; }? They're annoying and filling up the logfiles. :( That's the "query" module logging to the "security" category. Unfortunately AFA

Re: Question.

2004-03-10 Thread David B Funk
On Wed, 10 Mar 2004, nevelsteen wrote: > I am currently working on a project that allows companies to send > invoices to their clients. I have spent ample time trying to reduce > the flags on my mail that mark it as spam. I would like > to inform about the following. > > For the moment I am using

Re: spamc exit codes

2004-03-10 Thread David B Funk
On Tue, 9 Mar 2004, Jason Borkowsky wrote: > >Run messages through a default spamc to a temp file, grab the spam > > score, and do with that what you want. Double-scanning is not the > > answer, especially if you've got a busy site. > > Actually, I tried exactly this, and then sent a "normal

Re: Opinions About SPF

2004-03-08 Thread David B Funk
On Mon, 8 Mar 2004, Mark C. Langston wrote: > On Mon, Mar 08, 2004 at 04:31:38PM -0600, David B Funk wrote: > > On Mon, 8 Mar 2004, Mark C. Langston wrote: > > > > > I wouldn't go so far as to call it "wonderful". It breaks mailing > > > lists; &g

Re: Opinions About SPF

2004-03-08 Thread David B Funk
On Mon, 8 Mar 2004, Mark C. Langston wrote: > I wouldn't go so far as to call it "wonderful". It breaks mailing > lists; No, decent list software sets the envelope-from address to point to itself (check out the headers for this one). The receiving SPF should be looking at the envelope-from not t

Re: They are getting harder to filter out...

2004-03-06 Thread David B Funk
On Fri, 5 Mar 2004, Loren Wilton wrote: > This puppy just made it through. Other than feeding it to Bayes (which I > have just done) and some misspellings of common drugz, there doesn't seem > to be a whole lot to go on here. [snip..] > > --=_NextPart_000_0017_42A8EEC1.D2772C42 > Content-Typ

RE: New grubby med spammer sneeking through

2004-03-06 Thread David B Funk
On Fri, 5 Mar 2004, Chris Santerre wrote: > I was the loudest voice screaming for this. SA devs opened a bug on it. > (Wish I could find it again!) Then I realised the 1 SERIOUS flaw with it. > > With a DNSRBL and email there is one sender to check. With URLs there is no > limit to how many one co

Re: Spam Statistics

2004-03-05 Thread David B Funk
On Fri, 5 Mar 2004, Jason Granat wrote: > Yeah, and here's the kicker. He personally has two separate email > accounts. One is published in every Thomas Register, trade journal, > phone book, etc... No brainer for spam there. It's also the one he > uses as his primary account. The other addre

Re: Why does bayes try for R/W tie when autolean=no?

2004-03-02 Thread David B Funk
On Mon, 1 Mar 2004, Jeff Makey wrote: > Regarding my patch, Theo Van Dinter wrote: > >you change the expiry algorithm from LRU to FIFO, which is > >very likely to cause checks to be less accurate. > > (For the acronym-impaired: those are Least Recently Used and > First In, First Out.) > > Does sa-

Re: How to Whitelist spamassassin-users ? (whitelist_to_rcvd concept for mailing lists)

2004-03-01 Thread David B Funk
On Mon, 1 Mar 2004, Bob George wrote: > Aha! You answered the question I had posted (with no replies :( ) on the topic > of spams to whitelisted lists getting high ham scores with AWL! I'd been > bitten > by spam to securityfocus lists, only to (finally) notice: > > def_whitelist_from_rcvd [EMAI

RE: Need a rule for random words & weird punctuation.

2004-03-01 Thread David B Funk
On Mon, 1 Mar 2004, Gary Smith wrote: > Just an odd note. I just got a bounce back from another person who > subscribes to the list with a full mailbox. If you need to sign up to > mailing lists you should try to use an account that won't generate ndr's for > the users. > > Just my $0.02. > >

Re: Need a rule for random words & weird punctuation.

2004-03-01 Thread David B Funk
On Mon, 1 Mar 2004, JC wrote: > One of the things I noticed about this was the punctuation. It's there, but > NOBODY I know puts a space BEFORE their punctuation. Um, watch out for FPs. When I speak a language called 'C' I often put spaces before punctuation. (or for that matter, emoticons. ;) -
