On Thursday, September 9, 2004, 3:11:44 PM, Jeff Chan wrote:
> On Thursday, September 9, 2004, 3:05:30 PM, Bill Landry wrote:
>> - Original Message -
>> From: "Ryan Thompson" <[EMAIL PROTECTED]>
>>> We need to find the correlation of IP addresses to hostnames. See
>>> http://whois.sc/ ; I
*** THIS IS A RELEASE CANDIDATE ONLY, NOT THE FINAL 3.0.0 RELEASE ***
SpamAssassin 3.0.0-rc4 is released! SpamAssassin 3.0.0 is a major update and
includes a number of new email and anti-spam technologies.
SpamAssassin is a mail filter which uses advanced statistical and
heuristic tests to ident
On Thursday, September 9, 2004, 6:22:39 PM, Scott wrote:
SAC> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre
SAC> <[EMAIL PROTECTED]> writes:
>> OK, this isn't the first time we've had this discussion, but Raymond
>> and I felt this should be made public again. He ran thru some tests
>> of 150
On Thursday, September 9, 2004, 3:57:46 PM, Ryan Thompson wrote:
> Jeff Chan wrote to Justin Mason:
>>> Yeah. I was referring to the proposal to lookup IP addresses for
>>> href hostnames directly (instead of looking up the NS'es.)
>>
>> Yep. Resolving domain names found in spam URIs is slow
>
I am new to SpamAssassin, which is why I am going to be asking
stupid questions;)
I have SpamAssassin on a gateway mail server (machine A) that
delivers to a qmail server (Machine B). I have both Mutt clients
(via Maildir/) and Outlook clients (via POP3) accessing the mail.
I thought that sa-le
On Thursday, September 9, 2004, 2:52:53 PM, Matt Kettler wrote:
> At 05:23 PM 9/9/2004, Chris Santerre wrote:
>>OOH yeah! I didn't know that! Are we sure this is actually what it
>>means and not just a miss-syntaxed paragraph? It actually resolves the IP
>>against the RBL lookup?
>>
>>If so
[ Whew! CC trimmed :-) ]
Jeff Chan wrote to Justin Mason:
Yeah. I was referring to the proposal to lookup IP addresses for
href hostnames directly (instead of looking up the NS'es.)
Yep. Resolving domain names found in spam URIs is slow
Aha. Key word = "domain names".
All the world's a host. Spam
On Thursday, September 9, 2004, 2:48:51 PM, System Dan Mahoney wrote:
> On Thu, 9 Sep 2004, Matt Kettler wrote:
> If it's blacklisting based on resolved ip, it should probably be noted
> that there are a couple of caveats:
> 1) Spammers can set up multiple ip addresses to an A record. Whatever
> -Original Message-
> From: Scott A Crosby [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 09, 2004 5:23 PM
>
> We should be a bit more careful than this --- require that a
> new URL has to resolve to the same IP address as, say, at
> least 3 other SURBL entries before be
On Thursday, September 9, 2004, 3:28:27 PM, Raymond Dijkxhoorn wrote:
>> Holy fsck guys! We have a good thing going here. We've put a
>> lot of work into it so far, and it's working pretty well. Let's
>> not tear apart the SURBL project, OK?
>>
>> Give me a chance to make some improvements in th
On Thursday, September 9, 2004, 3:22:39 PM, Scott Crosby wrote:
> On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <[EMAIL PROTECTED]> writes:
> How does this sound? Combine spamtraps with SURBL, using the IP as a
> hint to fully automatically add on the new domain. If a spamtrap email
> includes
Hi!
ADD THEM TO SBL. DO NOT ADD THEM TO SURBL.
kay!
Holy fsck guys! We have a good thing going here. We've put a
lot of work into it so far, and it's working pretty well. Let's
not tear apart the SURBL project, OK?
Give me a chance to make some improvements in the next version
of the data engin
On Thursday, September 9, 2004, 3:19:49 PM, Justin Mason wrote:
> Raymond Dijkxhoorn writes:
>> >> 1) Spammers can set up multiple ip addresses to an A record. Whatever
>> >> does the reporting should check all A records, from the top down. i.e.
>> >> query each NS multiple times to make sure it'
On Thu, 9 Sep 2004 16:56:33 -0400, Chris Santerre <[EMAIL PROTECTED]> writes:
> OK, this isn't the first time we've had this discussion, but Raymond
> and I felt this should be made public again. He ran thru some tests
> of 1500+ domains and found the following data. Looks like they maybe
> send f
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Raymond Dijkxhoorn writes:
> >> 1) Spammers can set up multiple ip addresses to an A record. Whatever
> >> does the reporting should check all A records, from the top down. i.e.
> >> query each NS multiple times to make sure it's not being round-rob
On Thursday, September 9, 2004, 2:26:37 PM, Chris Santerre wrote:
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, September 09, 2004 5:17 PM
>>To: Raymond Dijkxhoorn
>>Cc: Alex Broens;
>>[EMAIL PROTECTED]; SURBL
>>Discussion list (E-mail); Spamas
Hi!
Did you actually have a look at the data provided at the start of this
thread? Sure, it COULD be different, but somehow, it isn't.
Yes, I did. But I'm trying to think ahead of current practice, by what's
considered a GOOD practice to keep a site up, and what's bad. I'm not saying
they're
Jeff Chan wrote to Ryan Thompson:
On Thursday, September 9, 2004, 2:34:00 PM, Ryan Thompson wrote:
"Can't" is a curse word to a scientist. "Can't *yet*", on the other
hand, is usually a good motivator!
- Ryan
A good scientist has at least a working understanding of the
theoretical limits of knowled
On Thursday, September 9, 2004, 3:05:30 PM, Bill Landry wrote:
> - Original Message -
> From: "Ryan Thompson" <[EMAIL PROTECTED]>
>> We need to find the correlation of IP addresses to hostnames. See
>> http://whois.sc/ ; I can, with some help, duplicate what they're doing
>> in a way that
Hi!
1) Spammers can set up multiple ip addresses to an A record. Whatever
does the reporting should check all A records, from the top down. i.e.
query each NS multiple times to make sure it's not being round-robined or
reported differently from multiple DNS servers.
2) I can easily foresee spammer
On Thursday, September 9, 2004, 2:22:17 PM, Raymond Dijkxhoorn wrote:
>> 1) Those registers are going to feel some wrath soon from the antispam
>> community.
>> 2) We gonna mark the IP, you silly little monkeys!
>>
>> I think the code should be added into the SURBL code. It would need to be a
>> pat
Hi!
OK by auto include them I guess you were referring to domains,
not IPs. If so, that's what I'm proposing for the SC data.
Yes, we need to list the domains.
Very good idea. Ask Larry privately if you can feed SBL.
Let's see if he responds to my other mail first. He's rather busy lately I
notic
- Original Message -
From: "Ryan Thompson" <[EMAIL PROTECTED]>
> We need to find the correlation of IP addresses to hostnames. See
> http://whois.sc/ ; I can, with some help, duplicate what they're doing
> in a way that will help us fight spam.
Uh oh, whois.sc is listed in WS... :-o
Bi
Jeff Chan wrote to SURBL Discussion list and Spamassassin-Talk (E-mail):
.com is so large and rapidly changing as to be practically
unknowable. That's what I mean by "can't".
IIRC, .com is up to about 25M domains, and it's way, way higher than the
other gTLDs (and light years beyond ccTLDs).
By th
On Thu, 9 Sep 2004, Raymond Dijkxhoorn wrote:
Hi!
1) Spammers can set up multiple ip addresses to an A record. Whatever
does the reporting should check all A records, from the top down. i.e.
query each NS multiple times to make sure it's not being round-robined or
reported differently from mul
On Thursday, September 9, 2004, 2:49:39 PM, System Dan Mahoney wrote:
> On Thu, 9 Sep 2004, Jeff Chan wrote:
>> On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
>>> However, for all we know *so far*, 219.254.32.111 could be a HA cluster
>>> of a few dozen machines, and, while there
At 05:23 PM 9/9/2004, Chris Santerre wrote:
OOH yeah! I didn't know that! Are we sure this is actually what it
means and not just a miss-syntaxed paragraph? It actually resolves the IP
against the RBL lookup?
If sowell then...problem solved, and devs get a cookie :)
Actually, upon close
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dan Mahoney, System Admin writes:
> On Thu, 9 Sep 2004, Matt Kettler wrote:
>
> If it's blacklisting based on resolved ip, it should probably be noted
> that there are a couple of caveats:
>
> 1) Spammers can set up multiple ip addresses to an A re
On Thursday, September 9, 2004, 2:36:25 PM, Raymond Dijkxhoorn wrote:
>> Please do not include broad IPs in SURBLs. That goes against
>> the way we have designed them. If I find this happening, I will
>> take action to stop them. PLEASE DO NOT DO IT!!
> That was not my intention...
OK by auto
Hi!
1) Spammers can set up multiple ip addresses to an A record. Whatever does
the reporting should check all A records, from the top down. i.e. query each
NS multiple times to make sure it's not being round-robined or reported
differently from multiple DNS servers.
2) I can easily foresee spa
On Thursday, September 9, 2004, 2:23:56 PM, Chris Santerre wrote:
>>From: Matt Kettler [mailto:[EMAIL PROTECTED]
>>At 04:56 PM 9/9/2004, Chris Santerre wrote:
>>>So is there a way to use the IP info in a good way? Could SA
>>or SURBL do a
>>>quick ping of the URL and match against a URL? This wou
On Thu, 9 Sep 2004, Matt Kettler wrote:
If it's blacklisting based on resolved ip, it should probably be noted
that there are a couple of caveats:
1) Spammers can set up multiple ip addresses to an A record. Whatever
does the reporting should check all A records, from the top down. i.e.
query
On Thu, 9 Sep 2004, Jeff Chan wrote:
On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
However, for all we know *so far*, 219.254.32.111 could be a HA cluster
of a few dozen machines, and, while there may be 200 pill spammers on
that cluster, there may be 20,000 other legit sites.
W
On Thursday, September 9, 2004, 2:34:00 PM, Ryan Thompson wrote:
> "Can't" is a curse word to a scientist. "Can't *yet*", on the other
> hand, is usually a good motivator!
> - Ryan
A good scientist has at least a working understanding of the
theoretical limits of knowledge.
Jeff C.
On Thursday, September 9, 2004, 2:28:07 PM, Ryan Thompson wrote:
> However, for all we know *so far*, 219.254.32.111 could be a HA cluster
> of a few dozen machines, and, while there may be 200 pill spammers on
> that cluster, there may be 20,000 other legit sites.
> With our current data, we can'
Jeff Chan wrote:
On Wednesday, September 8, 2004, 7:30:48 AM, Marco Bovenkamp wrote:
I run my
own mailserver, with SA.
Most people don't.
That's why I *also* said 'I probably don't qualify as your typical 'home
user''
I agree with you that a provider should do the filtering and the clients
shoul
Hi!
Please do not include broad IPs in SURBLs. That goes against
the way we have designed them. If I find this happening, I will
take action to stop them. PLEASE DO NOT DO IT!!
That was not my intention...
If we can submit them for listing inside the SBL, fine, any submission
method available t
>-Original Message-
>From: Matt Kettler [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 5:18 PM
>To: Chris Santerre; SURBL Discussion list (E-mail)
>Cc: Spamassassin-Talk (E-mail)
>Subject: Re: Start an IP list to block?
>
>
>At 04:56 PM 9/9/2004, Chris Santerre wrote:
>>So
Jeff Chan wrote to Chris Santerre:
It is a question about the limits of knowledge. In our universe we
can't see the potential collateral damage from listing a shared host,
so we should not do it. From our point of view it's not knowable.
Sure the hosting company knows whether that's the case, but
>-Original Message-
>From: Jeff Chan [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 5:26 PM
>To: Chris Santerre
>Cc: SURBL Discussion list (E-mail); Spamassassin-Talk (E-mail)
>Subject: Re: Start an IP list to block?
>
>
>On Thursday, September 9, 2004, 1:56:33 PM, Chris Sa
On Thursday, September 9, 2004, 2:17:03 PM, Justin Mason wrote:
> Raymond Dijkxhoorn writes:
>> Hi!
>>
>> > Chris, Raymond ,
>> >
>> > I went thru a random few of these and they were listed at Spamhaus.
>> > Using spamhaus at SMTP level or SA doing RBL lookups would have caught and
>> > stoppe
On Thursday, September 9, 2004, 2:00:25 PM, Raymond Dijkxhoorn wrote:
>> OK, this isn't the first time we've had this discussion, but Raymond and I
>> felt this should be made public again. He ran thru some tests of 1500+
>> domains and found the following data. Looks like they maybe send from
>> z
Chris Santerre wrote to SURBL Discussion list (E-mail):
OK, this isn't the first time we've had this discussion, but Raymond
and I felt this should be made public again. He ran thru some tests of
1500+ domains and found the following data. Looks like they maybe send
from zombies, and never their ho
On Thursday, September 9, 2004, 1:56:33 PM, Chris Santerre wrote:
> OK, this isn't the first time we've had this discussion, but Raymond and I
> felt this should be made public again. He ran thru some tests of 1500+
> domains and found the following data. Looks like they maybe send from
> zombies,
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 5:17 PM
>To: Raymond Dijkxhoorn
>Cc: Alex Broens;
>[EMAIL PROTECTED]; SURBL
>Discussion list (E-mail); Spamassassin-Talk (E-mail)
>Subject: Re: Start an IP list to block?
>
>
>-
Hi!
1) Those registers are going to feel some wrath soon from the antispam
community.
2) We gonna mark the IP, you silly little monkeys!
I think the code should be added into the SURBL code. It would need to be a
patch for SA 3.0 as it is prbly too late for it to go in now. But it should
be simple t
On Thursday, September 9, 2004, 2:14:29 PM, Jeff Chan wrote:
> On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote:
>> Chris Santerre wrote:
>>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>>> quick ping of the URL and match against a URL? This would allow
Hi!
No, that won't work. The spams are sent in via trojans/proxies; only the
websites are static. SOME are blocked with DSBL and so but most of the
time they start a spamrun with a fresh set it seems.
So yes, they are inside spamhaus, but only the websites, didn't see mails
sent out from there (ye
>-Original Message-
>From: Jeff Chan [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 5:14 PM
>To: SpamAssassin Users; SURBL Discuss
>Subject: Re: Start an IP list to block?
>
>
>On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote:
>> Chris Santerre wrote:
>
>>> OK,
At 04:56 PM 9/9/2004, Chris Santerre wrote:
So is there a way to use the IP info in a good way? Could SA or SURBL do a
quick ping of the URL and match against a URL? This would allow us to simply
list 1 IP instead of all these domains.
Chris, SA 3.0 appears to already support checking DNS blacklist
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Raymond Dijkxhoorn writes:
> Hi!
>
> > Chris, Raymond ,
> >
> > I went thru a random few of these and they were listed at Spamhaus.
> > Using spamhaus at SMTP level or SA doing RBL lookups would have caught and
> > stopped them... Spamcop probabl
>-Original Message-
>From: Raymond Dijkxhoorn [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 5:10 PM
>To: Alex Broens
>Cc: [EMAIL PROTECTED]; SURBL
>Discussion list (E-mail); Spamassassin-Talk (E-mail)
>Subject: Re: Start an IP list to block?
>
>
>Hi!
>
>> Chris, Raymond ,
On Thursday, September 9, 2004, 2:05:28 PM, Alex Broens wrote:
> Chris Santerre wrote:
>> OK, this isn't the first time we've had this discussion, but Raymond and I
>> felt this should be made public again. He ran thru some tests of 1500+
>> domains and found the following data. Looks like they ma
Hi!
Chris, Raymond ,
I went thru a random few of these and they were listed at Spamhaus.
Using spamhaus at SMTP level or SA doing RBL lookups would have caught and
stopped them... Spamcop probably has quite a few of them listed as well
No, that won't work. The spams are sent in via trojans/pro
Chris Santerre wrote:
OK, this isn't the first time we've had this discussion, but Raymond and I
felt this should be made public again. He ran thru some tests of 1500+
domains and found the following data. Looks like they maybe send from
zombies, and never their hosts. IPs are similar across the bo
Hi!
OK, this isn't the first time we've had this discussion, but Raymond and I
felt this should be made public again. He ran thru some tests of 1500+
domains and found the following data. Looks like they maybe send from
zombies, and never their hosts. IPs are similar across the board.
219.254.32.1
OK, this isn't the first time we've had this discussion, but Raymond and I
felt this should be made public again. He ran thru some tests of 1500+
domains and found the following data. Looks like they maybe send from
zombies, and never their hosts. IPs are similar across the board.
So is there a w
I've had good results doing bayes learn_to_journal and then running a
rebuild every hour.
This runs quick, even with concurrent accesses.
Bayes gets updated quickly.
Bayes is only locked for a few seconds every hour, less than 3 seconds.
Ralf Hildebrandt said:
> * Justin Mason <[EMAIL PROTECTED]
Evan Platt wrote:
> Agreed. OoO is pointless. No point in it. I can't count how
> many times I
> post to a list, and get an e-mail back that "I am out of the office.
> Contact Joe @ XXX-XXX- in my absence. Until the OoO reply can be
> configured to not reply to spam, not reply to group mails,
At 07:50 AM 9/9/2004, you wrote:
If you are that concerned about what information is revealed in out of
office autoreplies, you should not be allowing OoO autoreplies externally
anyway. They pose a far greater security risk in terms of leaking
information that can be used in social engineering
>-Original Message-
>From: John Fleming [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 1:25 PM
>To: Spamassassin users
>Subject: Re: rules_du_jour
>
>
>Chris Thielen said:
>> Hi John
>>
>> On Wed, 2004-09-08 at 19:10 -0500, John Fleming wrote:
>>> I've been manually updatin
Thanks for the ideas, procmail will not help, as not all of my email
users are local,
I will look at mimedefang for this, although the other points mentioned
here do have a point, also defining global rules to ignore the spam
message for OoO message is too complicated for any email system I kno
Kevin Peuhkurinen wrote:
If you are that concerned about what information is revealed in out of
office autoreplies, you should not be allowing OoO autoreplies
externally anyway. They pose a far greater security risk in terms of
leaking information that can be used in social engineering attacks
Chris Thielen said:
> Hi John
>
> On Wed, 2004-09-08 at 19:10 -0500, John Fleming wrote:
>> I've been manually updating 8-9 rulesets every couple of months and,
>> with
>> Bayes, get great results. Now I'd like to use rules_du_jour.
>> rules_du_jour
>> is in /root/bin, and perms executable as sugg
Hi folks,
I've been getting the below error for any messages that spamassassin
processes:
Sep 9 13:44:40 bh spamd[71200]: razor2 check skipped: No such file or
directory IO::Socket::INET: Operation now in progress ...propagated at
/usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line
> -Original Message-
> From: Smart,Dan
> To: Chris Santerre; [EMAIL PROTECTED]
> Subject: RE: SARE_FRAUD vs SURBLs (Was: RE: Mass-check errors)
>
> I then did a
> Perl -d:Dprof /usr/bin/spamassassin < testfile And then ran
> the profiler as described on the Wiki.
> Dprofpp comp
Chris, I followed the process documented in ...
http://wiki.apache.org/spamassassin/ProfilingRulesWithDprof
I used the Dprof with SpamAssassin, as I couldn't get Dprof to work with
mass-check without a Segmentation Fault.
For testing, I create a Maildir with messages that took longer than 30
se
Hi John
On Wed, 2004-09-08 at 19:10 -0500, John Fleming wrote:
> I've been manually updating 8-9 rulesets every couple of months and, with
> Bayes, get great results. Now I'd like to use rules_du_jour. rules_du_jour
> is in /root/bin, and perms executable as suggested. I've also made the
> appr
Jeff Chan wrote:
SARE_FRAUD has rules to catch text patterns in messages. It does
not look for phishing URI domains and IP addresses. Therefore PH
and SARE_FRAUD are not equivalent, and you may want to keep using
the SARE rule, even if you are using PH in multi.surbl.org.
More importantly, many o
You could block them with your MTA (Postfix, Qmail etc).
> -Original Message-
> From: Rob Blomquist [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 09, 2004 12:08 AM
> To: users@spamassassin.apache.org
> Subject: Catching Windows executables as attachments
>
> I have currently tun
At 09:33 AM 9.9.2004 -0400, Theo Van Dinter wrote:
>On Wed, Sep 08, 2004 at 10:49:09PM -0700, Loren Wilton wrote:
>> However, it has been removed from 3.0. And while I agree with removing
>> binary attachments before scanning in SA, I consider that removing the
>> mime-part header that contained t
On Thu, 9 Sep 2004 11:37:19 -0400 (EDT)
"Jason Levine" <[EMAIL PROTECTED]> wrote:
> Michael, I did the Bayes --backup from DB and --restore to SQL, and
> it imported it all in as each specific user. That is to say:
>
> - there's a table, bayes_vars, that has a record for each user, and
> assigns
Michael, I did the Bayes --backup from DB and --restore to SQL, and it
imported it all in as each specific user. That is to say:
- there's a table, bayes_vars, that has a record for each user, and
assigns each user an id.
- the other three relevant tables (bayes_token, bayes_seen, and
bayes_expir
>-Original Message-
>From: Jeff Chan [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 3:07 AM
>To: [EMAIL PROTECTED]
>Subject: SARE_FRAUD vs SURBLs (Was: RE: Mass-check errors)
>
>
>On Wednesday, September 8, 2004, 7:12:26 AM, Smart,Dan Smart,Dan wrote:
>> What I found was th
If you are that concerned about what information is revealed in out of
office autoreplies, you should not be allowing OoO autoreplies
externally anyway. They pose a far greater security risk in terms of
leaking information that can be used in social engineering attacks than
the risk you are w
On Wed, 8 Sep 2004 22:07:53 -0700, you wrote:
>I have currently tuned my SARE spam filters, and am humming right along, I get
>one or 2 uncaught spams a day which is no big deal. But I would like to catch
>the virus emails that have Win exe, scr, bat, and the like for attachments,
>but I can't
On Thu, Sep 09, 2004 at 09:01:15AM -0500, Josh Trutwin wrote:
>
> My previous install used a global whitelist / bayes database for all
> accounts. That wasn't the best idea but it worked for a while. If
> you re-train with sa-learn does the AWL also get re-built?
>
Bayes and AWL have nothing t
Hi,
I have a question, and hope someone has a solution,
I run Spamassassin 2.63 site-wide with sendmail and spamass-milter.
When an email is marked as SPAM, the headers are added, and the subject
is changed, now let's assume some particular user has enabled "Out of the
office" , the "bounced" mess
On Wed, 8 Sep 2004 21:19:52 -0500
Michael Parker <[EMAIL PROTECTED]> wrote:
You with the SPF folks on spf.pobox.com?
> It imports as whatever user you run sa-learn as.
Yeah, I'm seeing this behavior. I hacked my qmail-scanner to pass in
the email address as the username to spamc for my vmailmgr
On Wed, Sep 08, 2004 at 10:49:09PM -0700, Loren Wilton wrote:
> However, it has been removed from 3.0. And while I agree with removing
> binary attachments before scanning in SA, I consider that removing the
> mime-part header that contained the type and name is a mistake. There have
> been any n
>-Original Message-
>From: Rob Blomquist [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 09, 2004 1:08 AM
>To: users@spamassassin.apache.org
>Subject: Catching Windows executables as attachments
>
>
>I have currently tuned my SARE spam filters, and am humming
>right along, I get
>o
> I have currently tuned my SARE spam filters, and am humming right
> along, I get
> one or 2 uncaught spams a day which is no big deal. But I would like
> to catch
> the virus emails that have Win exe, scr, bat, and the like for
> attachments,
> but I can't find a rule for them.
>
> Is there one?
Rob Blomquist wrote:
> I have currently tuned my SARE spam filters, and am humming right
> along, I get one or 2 uncaught spams a day which is no big deal. But
> I would like to catch the virus emails that have Win exe, scr, bat,
> and the like for attachments, but I can't find a rule for them.
MailScanner is another fine wrapper for SA and your favorite virus scanner. It
has rules to block attachments by filename and/or by file type as indicated by
the "magic" bytes at the beginning. This stops new virii before they are
recognized by AV programs. Even with hourly AV updates, we get
David,
Thank you! I'll go take a peek at the web site. CommuniGate is
all new to me, and any help is wonderful. I continually lobbied for using
sendmail, but was out voted...
Thanks again,
Mark
At 01:16 PM 9/8/2004, David Birnbaum wrote:
Mark,
We set up our own integration package; ho
* Jim Sabatke <[EMAIL PROTECTED]> [2004-09-09 03:14]:
> umm, you need the comment there. bash knows to look past it
> on the first line (and only the first line).
It's the kernel not the bash, that has to interpret the shebang line and
calls the interpreter/shell. For bash this is just a commen
From: "Christof Damian" <[EMAIL PROTECTED]>
> > On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > > In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a
> > > number (but by no means all) viruses, and can be useful for
> > > various things. However, it has been removed from 3.0.
> On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a
> > number (but by no means all) viruses, and can be useful for
> > various things. However, it has been removed from 3.0.
That is a shame, I use that at the moment to score+2
I have set up my MTA to reject mail with SA scores over 12. This will
distort the stats produced by mass-check cos all I get in is the "its
probably spam" mail; is it still OK to send in the mass-check results?
Chris
Use something like mimedefang. It blocks attachments you don't want and
will run clamav, SA etc on incoming mail.
Chris
On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > But I would like to catch
> > the virus emails that have Win exe, scr, bat, and the like for
> attachments,
> > but I can't
On Wednesday, September 8, 2004, 7:30:48 AM, Marco Bovenkamp wrote:
> I run my
> own mailserver, with SA.
Most people don't.
Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
On Wednesday, September 8, 2004, 7:12:26 AM, Smart,Dan Smart,Dan wrote:
> What I found was that the Textcat language rules was main time-sink,
> followed by the SARE_FRAUD ruleset. Since SURBL now has the PH list, I
> removed the FRAUD ruleset too.
Dan,
SARE_FRAUD has rules to catch text patterns
* Justin Mason <[EMAIL PROTECTED]>:
> perldoc Devel::DProf -- that's the perl profiler. but as you said,
> it now appears to be bayes -- it could be that if a scan is taking
> a *very* long time, what's actually taking place is a Bayes expiration
> run, which happens once every N days (typically)
> But I would like to catch
> the virus emails that have Win exe, scr, bat, and the like for
attachments,
> but I can't find a rule for them.
>
> Is there one? How can I catch them otherwise?
Sadly there really isn't one. People will tell you to simply use a more
appropriate tool for virus catchi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wednesday, 08 September 2004 15:03, Seyyed Mehdi Sheikhalishahi wrote:
> Hi
> I installed qmail and spamassassin on it. I don't know how to configure
> spamass to have a blacklist, whitelist ?
> How update spam database of spamass for new spammer?
> T
I have currently tuned my SARE spam filters, and am humming right along, I get
one or 2 uncaught spams a day which is no big deal. But I would like to catch
the virus emails that have Win exe, scr, bat, and the like for attachments,
but I can't find a rule for them.
Is there one? How can I cat
On Wed, Sep 08, 2004 at 05:47:03PM -0500, Josh Trutwin wrote:
> On Wed, 8 Sep 2004 16:04:00 -0500
> Michael Parker <[EMAIL PROTECTED]> wrote:
>
> > To migrate AWL data you can use the convert_awl_dbm_to_sql script in
> > the tools directory.
>
> Looks like I have it working though I think I'm goi
- Original Message -
From: "Jim Sabatke" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, September 08, 2004 8:12 PM
Subject: Re: rules_du_jour
> John Fleming wrote:
> > - Original Message -
> > From: "Jim Sabatke" <[EMAIL PROTECTED]>
>
> >>
> >>1. Did you change the first line of ru
- Original Message -
From: "Jim Sabatke" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, September 08, 2004 8:16 PM
Subject: Re: rules_du_jour
> John Fleming wrote:
> > P.S. If you know how to get my mail command back, I obviously would
like to
> > know that too! It used to be there, and I
Hello Obantec,
Wednesday, September 8, 2004, 7:58:20 AM, you wrote:
OS> Hi
OS> I have upgraded from 2.60 to 2.64 but the test
OS> spamassassin -t < sample-nonspam.txt > nonspam.out locks up.
OS> spamassassin -t < sample-spam.txt > spam.out works as expected.
OS> Any ideas?
OS> spamassassin -D