Randal, Phil wrote:
We got a bunch of these slip through as low-scoring.
This rule helps - score as you see fit:
header SPAMMER_HERE Subject =~ /here \:\)$/
describe SPAMMER_HERE Spammer here
score SPAMMER_HERE 4
Phil
Thanks Phil!
That simple rule pushes these mails
Got some spams with apparently a single letter per gif, like
a ransom note, with different color backgrounds, capitalization,
fonts, etc., *per letter*. Is this new?
http://www.surbl.org/evidence/single-letter-gif-spam.png
(rendered, somewhat redacted)
(I'm not going to bother posting the me
* On 07/11/06 20:23 -0500, Matt Kettler wrote:
| Odhiambo Washington wrote:
| > Hi,
| >
| > I have been watching one of my servers running 3.1.7 for several days.
| >
| >
|
| > I have used rulesdujour sparingly, with the following rules:
| >
| > TRUSTED_RULESETS="
| > TRIPWIRE
| > ANT
* On 07/11/06 13:19 -0800, Evan Platt wrote:
| At 12:58 PM 11/7/2006, you wrote:
| >It would appear that NDR are not reaching my users, just because of this
| >behaviour.
|
| Why? SpamAssassin isn't deleting messages, so what else is?
Well, I have told my MTA to reject mail that scores above 7, s
Matt Kettler wrote:
> In general I'd take a look at the sizes of the rule files themselves..
> Look for ones that are significantly larger than 128k or so.
Of those, there are only a few:
-rw-r--r-- 1 root root 384645 Oct 30 2005 70_sare_header.cf
-rw-r--r-- 1 root root 158513 Oct 1 2005 70_sare_o
So today is it possible to simply do a head test and if it indicates
unwanted
language or whatever to not scan the body?
If by "today" you mean using the currently unreleased trunk code, yes.
Is there anything that short circuits body tests once a head test proves
positive for certain types
This might be a better suited question for the DCC list but thought I'd
give a try here.
I am calling DCC via SA and using the default (out of the box) DCC
servers.
SpamAssassin version 3.1.5 DCC 1.3.42
I am seeing this error more and more frequently in my logs and am wondering
if it is j
Garry Glendown wrote:
> Hi,
>
> after fixing some lint errors that had gone unnoticed for some time, our
> MailScanner/SA filter server has started bogging under the daily flood
> of mail (~100k mails per day) - a load that had not done anything to the
> box before ... As the only change had been f
Looks like this phisher is tracking visits to his page:
/* SiteCatalyst code version: H.5.
Copyright 1997-2006 Omniture, Inc.
More info available at http://www.omniture.com */
var s_account="paypalglobal"
var s=s_gi(s_account)
s.visitorNamespace="paypal"
s.trackDownloadLinks=true
s.linkDownloadFi
Odhiambo Washington wrote:
> Hi,
>
> I have been watching one of my servers running 3.1.7 for several days.
>
>
> I have used rulesdujour sparingly, with the following rules:
>
> TRUSTED_RULESETS="
> TRIPWIRE
> ANTIDRUG
>
It's not part of your problem, but: Do NOT use antidrug with
This might be a better suited question for the DCC list but thought
I'd give a try here.
I am calling DCC via SA and using the default (out of the box) DCC servers.
SpamAssassin version 3.1.5 DCC 1.3.42
I am seeing this error more and more frequently in my logs and am
wondering if it is jus
On Thu, November 2, 2006 20:22, Mark wrote:
> The rest of the invalid HELOs are just non-FQDNSs (like "HELO friend"), or
> IP addresses (not inside braces, like an address literal).
could be a spammer that call his computer "friend" since Microsoft have a
habit of denying . in the computer name
At 12:58 PM 11/7/2006, you wrote:
It would appear that NDR are not reaching my users, just because of this
behaviour.
Why? SpamAssassin isn't deleting messages, so what else is?
Another thing I have noted is the fact that even legit mail is being
scored highly as spam, but it is the scores th
Hi,
I have been watching one of my servers running 3.1.7 for several days.
With just the default install and a simplistic local.cf, this server is
scoring messages so highly that I have gotten suspicious.
I decided to deinstall and reinstall everything, even blew away all
bayes data!
I especia
Jean-Paul Natola wrote:
> Ok I found the rule,
>
> Now I just got a little more confused
>
> Does SA read and score from
>
> /var/lib/spamassassin/3.001007/updates_spamassassin_org
>
> As well as from
>
> /usr/local/etc/mail/spamassassin ?- this is where I have added
> custom rules in the past
Hi,
after fixing some lint errors that had gone unnoticed for some time, our
MailScanner/SA filter server has started bogging under the daily flood
of mail (~100k mails per day) - a load that had not done anything to the
box before ... As the only change had been fixing the lint error,
followed by
On Tue, Nov 07, 2006 at 03:20:40PM -0500, Jean-Paul Natola wrote:
> Does SA read and score from
> /var/lib/spamassassin/3.001007/updates_spamassassin_org
> As well as from
> /usr/local/etc/mail/spamassassin ?- this is where I have added custom rules
> in the past.
It'll read from both of those.
Ok I found the rule,
Now I just got a little more confused
Does SA read and score from
/var/lib/spamassassin/3.001007/updates_spamassassin_org
As well as from
/usr/local/etc/mail/spamassassin ?- this is where I have added custom rules
in the past.
And I do use sa-update
Thanks for your t
So today is it possible to simply do a head test and if it indicates unwanted
language or whatever to not scan the body?
Is there anything that short circuits body tests once a head test proves
positive for certain types of tests?
Quoting Justin Mason <[EMAIL PROTECTED]>:
>
> Robert Nicholson w
I'm also getting a lot of variations on this spam trying to promote some junk stock. Every time a different name is in the subject like "Demetrius here :)" or "Mabel here :)" and of course the "From:" is different. RAZOR and DCC catch most of them but some slip through.
One even managed to t
On Tue, Nov 07, 2006 at 01:38:56PM -0500, Jean-Paul Natola wrote:
> I want to know where this rule lives and where the scoring is so that I may
> change it
>
> 0.0 ADVANCE_FEE_1 Appears to be advance fee fraud
Same as all the other default rules, either the default rules directory
(ty
Hi all,
I'm sure this is pretty basic for the more experienced *nix /*bsd admins here
, but I'm not yet one.
I want to know where this rule lives and where the scoring is so that I may
change it
0.0 ADVANCE_FEE_1 Appears to be advance fee fraud
I just upgraded to 3.1.7
TIA
Brian S. Meehan wrote:
> Bowie,
> I implemented your changes and now I'm seeing BAYES scores on all
> messages, whether it is 00 or 99.
> 1) changed courierd "defaultdelivery" to be cleaner
> 2) added the xfilter line to the top of maildroprc above the sorting
> rules 3) added the exception to the
Bowie,
I implemented your changes and now I'm seeing BAYES scores on all
messages, whether it is 00 or 99.
1) changed courierd "defaultdelivery" to be cleaner
2) added the xfilter line to the top of maildroprc above the sorting rules
3) added the exception to the bottom of maildroprc below the sort
Razor, DCC, and Bayes have been catching these handily here, with
occasional header tests. They've all hit in the 5.5-10 range.
I think this is the next stage of the "So-and-so wrote:" spams, which
would explain where my Bayes DB got the data.
--
Kelson Vibber
SpeedGate Communications
John Rudd wrote:
I had a similar problem. I don't divert unknown addresses to salearn,
but if I don't fish a message out of my spam folder within X days, it
gets automatically sent to sa-learn and awl.
Then, last week, I started seeing BAYES_00 on messages that would have
otherwise been scor
sheryle Stafford wrote:
> started getting interrupted and I was sent some version of the following
> with them:
>
> Our UCE (spam) detectors have been triggered by a message you received:-
> From: [EMAIL PROTECTED]
> Subject: SAMHSA Report: Cost/Coverage Limits Primary Barrier to MH
> Treatment
Mike Kenny wrote:
On 11/7/06, Derek Harding <[EMAIL PROTECTED]> wrote:
Gary W. Smith wrote:
>
> Was the SA group listed by spamcop last month? I just now received
> this for messages from October 26th.
>
Who cares?
> <[EMAIL PROTECTED]>:
>
> 209.209.82.24 does not like recipient.
>
> Remot
Anders Norrbring wrote:
James Lay wrote:
On Tue, 07 Nov 2006 14:51:01 +0100
Anders Norrbring <[EMAIL PROTECTED]> wrote:
I don't get any points or hits on the following mail (source code)
[8<]
I don't even see any SpamAssassin headers on this thing saying one way
or the other... did this
> >I have it working fine, here is the idea:
> >1. Most of the documentation is out of date! One needs do absolutely
> >nothing.
>
> Not true. It may function, but if you do nothing razor has to try and
> discover the servers for every message. This creates unnecessary traffic
> and processing p
Martin Hepworth wrote:
Anders Norrbring wrote:
Anders
here's my analysis
Content analysis details: (12.0 points, 5.0 required)
pts rule name description
--
--
0.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
Brian S. Meehan wrote:
> Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3)
> The /usr/lib/courier/etc/courierd file has the following line:
> DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
FYI, a cleaner way to do this is:
DEFAULTDELIVERY="| /usr/lib/co
Brian S. Meehan wrote:
Jim,
I have it set so that I'm using /usr/bin/spamassassin now. Thanks for that
info.
Here is the relevant message header from an email that was not caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
mail.meehanontheweb.com
X-Spam-Level: ***
X-Spam-Sta
James Lay wrote:
On Tue, 07 Nov 2006 14:51:01 +0100
Anders Norrbring <[EMAIL PROTECTED]> wrote:
I don't get any points or hits on the following mail (source code)
[8<]
I don't even see any SpamAssassin headers on this thing saying one way
or the other... did this actually get piped throug
Jim,
I have it set so that I'm using /usr/bin/spamassassin now. Thanks for that
info.
Here is the relevant message header from an email that was not caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
mail.meehanontheweb.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 requir
Rose, Bobby wrote:
I believe the correct process here is that the moderators of the SA
listserver investigate why the listserver got listed on Spamcop. If it
is a case where there are addresses to spamtraps in the list, then maybe
the list needs to send out opt-in verification messages to wee
Thanks for the info. I like your answers much better than the rest of
the insults I have received. I'm not sure how or why I put spamcop in
my blocklist. I was sure that I didn't some time ago. It will be
removed.
With all due respect to the many of the people on this list, when did
everyone on
On Tuesday 07 November 2006 17:24, Gary V wrote:
> > >Installed it off Debian Sid.
> > >How do I get SA to make use of it?
> >
> >Thanks for all the helpful responses.
> >
> >I have it working fine, here is the idea:
> >1. Most of the documentation is out of date! One needs do absolutely
> >nothing
Brian S. Meehan wrote:
Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3)
The /usr/lib/courier/etc/courierd file has the following line:
DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
I had tried it with 'spamc' but there was no difference. When I tried it
w
Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3)
The /usr/lib/courier/etc/courierd file has the following line:
DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
I had tried it with 'spamc' but there was no difference. When I tried it
with /usr/bin/spamd I get
Title: RE: mail bounce warning for the list
Alright, I'll reply to this.
I outright block using RBLs, and spamcop is one of them. Here's the deal:
Senders get a response of the message being blocked! It is also logged.
The amount of legit mail annually blocked can be counted on two hand
On Tue, Nov 07, 2006 at 10:14:38AM -0500, Matt Kettler wrote:
> http://razor.sourceforge.net/docs/faq.php
>
> But I agree it might be worth mentioning in the SA docs for razor.
FWIW: http://wiki.apache.org/spamassassin/UsingRazor
Already has pointers about firewall ports, license issues, etc.
-
>Installed it off Debian Sid.
>How do I get SA to make use of it?
Thanks for all the helpful responses.
I have it working fine, here is the idea:
1. Most of the documentation is out of date! One needs do absolutely
nothing.
Not true. It may function, but if you do nothing razor has to try an
David Baron wrote:
>> Installed it off Debian Sid.
>> How do I get SA to make use of it?
>>
>
> Thanks for all the helpful responses.
>
> I have it working fine, here is the idea:
> 1. Most of the documentation is out of date! One needs do absolutely nothing.
> SA tests for and will use Razor,
>Installed it off Debian Sid.
>How do I get SA to make use of it?
Thanks for all the helpful responses.
I have it working fine, here is the idea:
1. Most of the documentation is out of date! One needs do absolutely nothing.
SA tests for and will use Razor, Pyzor, etc., if they be installed.
2. A
We got a bunch of these slip through as low-scoring.
This rule helps - score as you see fit:
header SPAMMER_HERE Subject =~ /here \:\)$/
describe SPAMMER_HERE Spammer here
score SPAMMER_HERE 4
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
>
Ya for some reason Spamassassin didn't even look at it.
Robert
Peace he would say instead of goodbyepeace my brother.
-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 8:59 AM
To: Anders Norrbring
Cc: users@spamassassin.apache.or
> From: Rose, Bobby [mailto:[EMAIL PROTECTED]
> So what you're saying is that the rule that people running listservers should
> maintain valid
> recipients who want to receive messages from the list shouldn't be followed
> just because it's
> a list about an antispam product?
I would say, just b
On Tue, 07 Nov 2006 14:51:01 +0100
Anders Norrbring <[EMAIL PROTECTED]> wrote:
> I don't get any points or hits on the following mail (source code)
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from mail.the-server.net (192.168.222.210 [192.168.222.210])
> by iris (Cyrus v2.1.15) with LM
Anders Norrbring wrote:
Anders
here's my analysis
Content analysis details: (12.0 points, 5.0 required)
pts rule name description
--
--
0.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
0.9 HOST_EQ_D_D_D_DB
I don't get any points or hits on the following mail (source code)
Return-Path: <[EMAIL PROTECTED]>
Received: from mail.the-server.net (192.168.222.210 [192.168.222.210])
by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100
X-Sieve: CMU Sieve 2.2
Received: from amavis.the-se
Rose, Bobby wrote:
So what you're saying is that the rule that people running listservers
should maintain valid recipients who want to receive messages from the
list shouldn't be followed just because it's a list about an antispam
product? The last time I checked, the most common reason for sp
Hi :)
My setup is Postfix-SpamAssassin-Amavis. I noticed this behavior:
If I receive spam messages to unknown users at my site, for example:
[EMAIL PROTECTED] <- Mail is sent to quarantine
if I send a regular email to [EMAIL PROTECTED] I receive the
postfix warning of "unknown user". So...
Is
On Tue, 07-11-2006 at 15:37 +0200, Mike Kenny wrote:
>
> I copy the files while spamd is running and restart it
> after the copy.
> I run also sa-learn --sync in the slave server.
>
>
> Do you run sa-learn --sync on the master?
>
In
I copy the files while spamd is running and restart it after the copy. I run also sa-learn --sync in the slave server.
Do you run sa-learn --sync on the master? I ask because I was under the impression that this just synchronized the journal with the database. As you have copied everything ac
jdow wrote:
>
>
> Did you run "sa-learn" as the same user that is active when the email
> is being scanned coming in?
>
Yes, the same user.
jdow wrote:
>
> You do not give enough headers to diagnose the problem. WHAT spam
> rules hit, for example? That email may be going down in flames for
So what you're saying is that the rule that people running
listservers should maintain valid recipients who want to receive messages from
the list shouldn't be followed just because it's a list about an antispam
product? The last time I checked, the most common reason for spamcop lists
is d
On Tue, 07-11-2006 at 14:28 +0200, Johann Spies wrote:
> On Tue, Nov 07, 2006 at 11:22:31AM +0100, Angel L. Mateo wrote:
> > I am running site-wide bayes, not individual bayes databases.
>
> I am also interested in the answer to your question. Do you stop spamd
> when copying the files
segassem pu skram ylno AS
segassem pu skram ylno AS
segassem pu skram ylno AS
segassem pu skram ylno AS
segassem pu skram ylno AS...
Yep - stupid question as I can see :) - am on the right track now.
Thanks!!
On 11/7/06, Theo Van Dinter <[EMAIL PROTECTED]> wrote:
On Tue, Nov 07, 2006 at 03:2
On Tue, Nov 07, 2006 at 11:22:31AM +0100, Angel L. Mateo wrote:
> I am running site-wide bayes, not individual bayes databases.
I am also interested in the answer to your question. Do you stop spamd
when copying the files or restart it after you have done so?
We have three mail servers an
Hi,
I couldn't find any other address to send this.
It seems that ML address is blacklisted.
> Remote host said: 553 5.3.0 <[EMAIL PROTECTED]>... Spam blocked
> see: http://spamcop.net/bl.shtml?140.211.11.2
> Giving up on 212.179.113.183.
See below for full transcript.
Best,
--
Arthur Sherm
Gary W. Smith writes:
> Was the SA group listed by spamcop last month? I just now received this
> for messages from October 26th.
Yes. Turn off use of bl.spamcop.net, it's FP'ing on about 25%
of mail last time I checked, including ASF mail.
--j.
> <[EMAIL PROTECTED]>:
> 209.209.82.24 does not
Matt Kettler writes:
> Adam Katz wrote:
> > Theo Van Dinter wrote:
> >
> >> http://wiki.apache.org/spamassassin/HowScoresAreAssigned
> >>
> >
> > Thanks, that's what I was looking for.
> >
> >
> >> The short version is that as far as SA and the perceptron (that which
> >> generates the
On Tue, 07-11-2006 at 00:58 -0900, John Andersen wrote:
> On Tuesday 07 November 2006 00:33, Angel L. Mateo wrote:
> > so one of them classified it as spam and the other not. The only
> > difference I've found is that the master hit the BAYES_60 and the slave
> > the BAYES_80.
> >
> >
On Tuesday 07 November 2006 00:33, Angel L. Mateo wrote:
> so one of them classified it as spam and the other not. The only
> difference I've found is that the master hit the BAYES_60 and the slave
> the BAYES_80.
>
> Why this different score? am I synchronizing my servers the right
>
On Monday 06 November 2006 22:02, sheryle Stafford wrote:
> The message to you has been detected as spam based on either its contents
> or the mail server which sent the message to us, or both.
Even if the content didn't change dramatically, the SOURCE of the enews
may have been reported to one o
On Monday 06 November 2006 21:50, John Rudd wrote:
> And, I have in fact seen misses that had VERY low bayes scores (BAYES_00).
With no more info about the content of said misses it would be hard to say
your bayes was poisoned.
It would be even harder to see how spam would poison bayes to MISS t
It seems to me that your work company runs its own e-mail server with its own
copy of spamassassin. I suggest to contact the network and IT staff at work and
explain them the problem: they can whitelist messages coming from [EMAIL
PROTECTED]
Giampaolo
> I sure hope you guys can help me out her
Hello,
We have two incoming email servers for our organization. We are running
spamassassin in these servers (debian sarge + postfix 2.1.5 +
spamassassin 3.1.0a). To synchronize spamassassin's database and journal
we copy the /var/lib/amavis/.spamassassin of one server (let's call it
the ma
> Anyone dumb enough to block outright on the spamcop BL deserves whatever
> they don't get.
Yeah! Score it, don't pretend it to be God.
Giampaolo
>
> Derek
>
On 11/7/06, Derek Harding <[EMAIL PROTECTED]> wrote:
Gary W. Smith wrote:
>
> Was the SA group listed by spamcop last month? I just now received
> this for messages from October 26th.
>
Who cares?
> <[EMAIL PROTECTED]>:
>
> 209.209.82.24 does not like recipient.
>
> Remote host said: 554 5.7.1 Service unav
71 matches