On Mon, Apr 27, 2009 at 04:10:48PM -0400, Adam Katz wrote:
(note, I'm guessing at the appropriate mailing list for cross-post)
Dennis Davis wrote:
http://code.google.com/p/anti-phishing-email-reply/
is also useful as it attempts to detail the compromised accounts.
Just
On Tue, Apr 28, 2009 at 02:33, RW rwmailli...@googlemail.com wrote:
On Mon, 27 Apr 2009 18:04:36 +0100
Justin Mason j...@jmason.org wrote:
that's pretty much it. low FPs and a useful number of hits (ie. over
1% iirc).
Unfortunately, that doesn't necessarily mean that the rule is useful.
Dave Funk wrote:
Nah - I really don't like it that way; it doesn't really bring you any
benefit and is more likely to cause collisions if you do it that way.
Don't see how it can cause less DNS traffic either. At least using MD5
hashes your DNS query will only be 32 characters + blacklist zone
Henrik K wrote:
(note, I'm guessing at the appropriate mailing list for cross-post)
Dennis Davis wrote:
http://code.google.com/p/anti-phishing-email-reply/
is also useful as it attempts to detail the compromised accounts.
Just block/quarantine email for those accounts.
Interesting ... this
On Tue, Apr 28, 2009 at 10:31:42AM +0100, Mike Cardwell wrote:
Henrik K wrote:
This might sound a bit picky, but using backticks to call the date
command in a perl script is horrible. Try using the standard gmtime
function. Eg:
$date = gmtime().' (UTC)';
Rather than:
$date = `date
Henrik K wrote:
This might sound a bit picky, but using backticks to call the date
command in a perl script is horrible. Try using the standard gmtime
function. Eg:
$date = gmtime().' (UTC)';
Rather than:
$date = `date -u`; chomp($date);
/me too busy to man perlfunc
Let this thread
Hello,
I often receive see mail where X-Spam-Report header is longer than 80
characters. This causes mutt to re-wrap the header, which causes the header
be hardly readable. Since SA already wraps other headers, can we consider
that as a bug or does that have an reason/option to tune?
Examples
Henrik K wrote:
If someone wants to try it on their mail feed:
http://sa.hege.li/pra.cf
Don't mind the size, as optimized they only take millisecond or two to run.
Of course when if it starts getting 10x the size, DNS will start looking
attractive..
I have been publishing a sa-update
Justin Mason wrote:
On Mon, Apr 27, 2009 at 17:38, John Hardin jhar...@impsec.org wrote:
On Mon, 27 Apr 2009, Justin Mason wrote:
On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja sa-l...@alexb.ch wrote:
SARE had a nice system where you could submit a rule via email and got
the masscheck
On 4/28/2009 12:52 PM, Matt wrote:
Steve Freegard wrote:
Is it possible to get SVN access just to the sandboxes though? I'd be
happy to submit rules for testing. My membership of the -dev list was
after the PreflightByMail announcement and I would have definitely used
it had I been aware of
On Tue, Apr 28, 2009 at 10:51:33AM +0100, Matt wrote:
Henrik K wrote:
If someone wants to try it on their mail feed:
http://sa.hege.li/pra.cf
Don't mind the size, as optimized they only take millisecond or two to run.
Of course when if it starts getting 10x the size, DNS will start
Henrik K wrote:
This might sound a bit picky, but using backticks to call the date
command in a perl script is horrible. Try using the standard gmtime
function. Eg:
$date = gmtime().' (UTC)';
Rather than:
$date = `date -u`; chomp($date);
/me too busy to man perlfunc
Let this thread be
Steve Freegard wrote:
Is it possible to get SVN access just to the sandboxes though? I'd be
happy to submit rules for testing. My membership of the -dev list was
after the PreflightByMail announcement and I would have definitely used
it had I been aware of it.
Ditto on both counts.
On Tue, Apr 28, 2009 at 09:46:44AM +0100, Mike Cardwell wrote:
Henrik K wrote:
(note, I'm guessing at the appropriate mailing list for cross-post)
Dennis Davis wrote:
http://code.google.com/p/anti-phishing-email-reply/
is also useful as it attempts to detail the compromised accounts.
Just
On 22.04.09 13:39, Benny Pedersen wrote:
still running here as server and client
On 24.04.09 15:19, Matus UHLAR - fantomas wrote:
client only here. searching for PYZOR string in SA logs didn't find anything
for last two days (gotta re-check).
seems I will turn pyzor off
On Tue, 2009-04-28 at 12:21 +0200, Matus UHLAR wrote:
I often receive see mail where X-Spam-Report header is longer than 80
characters. This causes mutt to re-wrap the header, which causes the header
be hardly readable. Since SA already wraps other headers, can we consider
that as a bug or
John Hardin wrote:
I suppose I should ask, what do you mean by a spammer reversing the list?
I guess I meant that it makes it harder for the spammer if he/she gets a
copy of the list to casually look for addresses to avoid without doing
the extra work of encoding the address in the same way
On Sun, 2009-04-26 at 08:17 -0700, Bill Landry wrote:
dig sought.rules.yerp.org
finds no A record. Although yerp.org has an A record, the site
cannot be access via browser, at least not from here...
Yeah, there was another downtime, obviously fixed since.
However, just to clarify on
I was thinking that, particularly for people who trash messages over a
certain threshold and are worried about the SA overhead, a stop-
counting threshold might be a good idea.
So, for example, for my personal mail I could set stop_counting at
7.0, once a message hits 7.0 (with bayes) SA
On Tue, 28 Apr 2009 02:09:02 +0100
Steve Freegard st...@stevefreegard.com wrote:
Well in the case of an emailBL - the worst that can happen is that one
listed md5 collides with an innocent e-mail address. By adding in the
string length it reduces that possibility because both colliding
On Tue, 28 Apr 2009, LuKreme wrote:
I was thinking that, particularly for people who trash messages over a
certain threshold and are worried about the SA overhead, a stop-counting
threshold might be a good idea.
So, for example, for my personal mail I could set stop_counting at 7.0, once
On 28-Apr-2009, at 08:27, John ffitch wrote:
On Tue, 28 Apr 2009, LuKreme wrote:
I was thinking that, particularly for people who trash messages
over a certain threshold and are worried about the SA overhead, a
stop-counting threshold might be a good idea.
So, for example, for my personal
OK, working on my first cup of coffee this morning, so maybe this has
potential.
The way the AWL works is by keeping track of the origin of emails,
both the address and the server (the top line Received header?) that
send the email. So, lets say that I have a lot of email from
On 28.04.09 08:43, LuKreme wrote:
OK, working on my first cup of coffee this morning, so maybe this has
potential.
The way the AWL works is by keeping track of the origin of emails, both
the address and the server (the top line Received header?) that send the
email. So, lets say that I
Ben Winslow wrote:
If you're worried about spammers gaming the hash system
Most likely, they won't care. They'll happily pursue the low hanging
fruit. The only exception is if/when freemail ISPs started using such a
list to start investigating individual accounts for possible
termination. But,
From: LuKreme krem...@kreme.com
Date: Tue, 28 Apr 2009 08:43:46 -0600
OK, working on my first cup of coffee this morning, so maybe this has
potential.
The way the AWL works is by keeping track of the origin of emails,
both the address and the server (the top line
On Tue, 28 Apr 2009, Matt wrote:
Steve Freegard wrote:
Is it possible to get SVN access just to the sandboxes though? I'd be
happy to submit rules for testing.
Ditto
+1
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174
Rob McEwen wrote:
If you're worried about spammers gaming the hash system
Most likely, they won't care. They'll happily pursue the low hanging
fruit. The only exception is if/when freemail ISPs started using such a
list to start investigating individual accounts for possible
termination. But,
Hello Folks,
I am using Spamassassin 3.2.5 with Sendmail 8.14.1 in an installation
for office and offsite users. The initial setup was to have
Spamassassin to rewrite the subject so that the users could setup a
filter in Outlook. Problem is that some users are setup to have their
email
Hi guys,
I was just doing an update and compile and ran into this problem which is
new, as I never had trouble before. Error is token exceeds limit, as
below. Any help would be appreciated.
SA ~ # sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
--channel updates.spamassassin.org
SA
On Tue, 2009-04-28 at 11:07 -0500, Robert Ober wrote:
filter in Outlook. Problem is that some users are setup to have their
email forwarded to their cellphone/blackberry and the spam is in that
inbox. So I found some articles and decided to have the spam go to a
file. The following is
On 28-Apr-2009, at 08:56, Matus UHLAR - fantomas wrote:
We have more servers users send mail through. Users can't choose which
server will they connect.
That already happens now.
It can also happen when user switched ISP, mail provider, or the mail
provider changes IP address, DNS names or
On Tue, 2009-04-28 at 11:16 -0500, Gary wrote:
I was just doing an update and compile and ran into this problem which is
new, as I never had trouble before. Error is token exceeds limit, as
below. Any help would be appreciated.
What's your re2c version?
SA ~ # sa-update --gpgkey 6C6191E3
On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:
DROPPRIVS=yes
procmail is being run on behalf of the recipient.
Makes sense, any way to make sure the log is writeable other than to
put all the users in a group?
LOGFILE=/var/log/procmail.log
VERBOSE=yes
LOGABSTRACT=all
MAILDIR is not
On Tue, Apr 28, 2009 at 07:44:08PM +0200 or thereabouts, Karsten Bräckelmann
wrote:
On Tue, 2009-04-28 at 11:16 -0500, Gary wrote:
I was just doing an update and compile and ran into this problem which is
new, as I never had trouble before. Error is token exceeds limit, as
below. Any help
On Tue, 2009-04-28 at 13:32 -0500, Robert Ober wrote:
On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:
DROPPRIVS=yes
procmail is being run on behalf of the recipient.
Makes sense, any way to make sure the log is writeable other than to
put all the users in a group?
Ah, just answered
I was just doing an update and compile and ran into this problem which is
new, as I never had trouble before. Error is token exceeds limit, as
below. Any help would be appreciated.
What's your re2c version?
as below, you are correct, re2c.0.13.3
re2c: error: line 159, column
On 4/28/09 3:00 PM, Karsten Bräckelmann wrote:
On Tue, 2009-04-28 at 13:32 -0500, Robert Ober wrote:
On 4/28/09 11:34 AM, Karsten Bräckelmann wrote:
It was global and I want it to stay global. The old procmailrc is:
DROPPRIVS=yes
:0fw
| /usr/bin/spamc
No .procmailrc for the users. And
On Tue, 28 Apr 2009, Robert Ober wrote:
All I want to do now is have all the identified spam(X-Spam-Status: Yes
?) go to a global file instead of delivered to the users. The global
spam file will be readable by only myself and management. Company owned
systems, so no privacy implied nor
Ok, finally got re2c compiled. :) But now sa-compile doesn't seem to
output anything. I run:
/usr/local/bin/sa-compile --config-file=/etc/mail/spamassassin
--updatedir=/var/db/spamassassin/
But no rules are being generated anywhere (that I can find). A single
command-line example in the
2009/4/28 Robert Ober ro...@robob.com:
It was global and I want it to stay global. The old procmailrc is:
DROPPRIVS=yes
:0fw
| /usr/bin/spamc
That's a global config, but you're running it per-user due to the
DROPPRIVS line. fyi.
All I want to do now is have all the identified
On Tue, 28 Apr 2009 11:13:56 -0600
LuKreme krem...@kreme.com wrote:
On 28-Apr-2009, at 08:56, Matus UHLAR - fantomas wrote:
We have more servers users send mail through. Users can't choose
which server will they connect.
That already happens now.
I think his point is that that doesn't
I'm seeing a lot of mail with Viagra in the subject coming through, even
though there is the drugs rules file(20_drugs.cf) in the upgrades
directory(/var/lib/spamassassin/3.002004/updates_spamassassin_org).
Is there a simple way to see what rules files are being read?
Thanks,
-Adam
Never mind, it works. :) Just calling it without any parameters
has it default do The Right Thing™.
- Mark
From: Mark [mailto:ad...@asarian-host.net]
Sent: dinsdag 28 april 2009 23:24
To: users@spamassassin.apache.org
Subject: sa-compile command-line?
Ok, finally got re2c
On Tue, 2009-04-28 at 14:44 -0700, Adam Harrison wrote:
I’m seeing a lot of mail with Viagra in the subject coming through,
even though there is the drugs rules file(20_drugs.cf) in the upgrades
directory(/var/lib/spamassassin/3.002004/updates_spamassassin_org).
That doesn't necessarily
Has anyone else noticed these messages as a problem? I have had a few
complaints about messages getting through my spam filter involving
Physicians List in the USA or something like that usually talking about
dentists too. I made this to target it (someone on the list showed me how to
do things
This was actually rather simple to set up. I'll publish the code
(AGPL) that runs it in a bit (I need to clean it up to withstand the
heavy-handed criticism on this list ...). Note, I'm using ZoneEdit's
free NS mirroring, which has limited bandwidth. I'm willing to pay
their minimum threshold
On Tue, 2009-04-28 at 19:43 -0400, Casartello, Thomas wrote:
Has anyone else noticed these messages as a problem? I have had a few
complaints about messages getting through my spam filter involving
“Physicians List in the USA” or something like that usually talking
I have seen quite a few
On 28-Apr-2009, at 15:38, RW wrote:
It's based on the first routable IP address,
Well, that's a very silly thing for it to be looking at. It should be
looking at the LAST routable IP address outside of the trusted
network. Looking at the first routable address is completely worthless.
LuKreme wrote:
On 28-Apr-2009, at 15:38, RW wrote:
It's based on the first routable IP address,
Well, that's a very silly thing for it to be looking at. It should be
looking at the LAST routable IP address outside of the trusted
network. Looking at the first routable address is completely
Matt Kettler wrote:
LuKreme wrote:
On 28-Apr-2009, at 15:38, RW wrote:
It's based on the first routable IP address,
Well, that's a very silly thing for it to be looking at. It should be
looking at the LAST routable IP address outside of the trusted
network. Looking at the
On 28-Apr-2009, at 20:14, Matt Kettler wrote:
The AWL uses the LAST non-private..
This is, IMO, completely broken.
Yep, have to agree. This is seriously retarded.
--
I love as only I can, with all my heart
I've been looking at some of the spam emails I've received lately with
images attached and noticed that FuzzyOCR wasn't running against them.
The same seems to be true when I take these messages and run them with:
spamassassin -t img-email.eml
However if I run them through as follows, I
Andrew Bruce wrote:
I've been looking at some of the spam emails I've received lately with
images attached and noticed that FuzzyOCR wasn't running against them.
[snip]
However if I run them through as follows, I get FuzzyOCR showing up in
the results:
spamassassin -t -D img-email.eml
Andrew Bruce wrote:
I've been looking at some of the spam emails I've received lately with
images attached and noticed that FuzzyOCR wasn't running against them.
The same seems to be true when I take these messages and run them with:
spamassassin -t img-email.eml
However if I run