Re: more mainsleeze spam

2009-06-19 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-18 at 14:04 -0400, Michael Scheidell wrote: > main sleaze, as in spam from larger, established, 'legit' companies. I > am seeing a 20% increase in spam that doesn't trigger any of the zombie, > forged, gappy or dialup list rules. Neither are they triggering SARES > or SOUGHT ru

Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock
Adam Cécile (Le_Vert) wrote: Anthony Peacock wrote: [..] 0.9 RCVD_IN_PBLRBL: Received via a relay in Spamhaus PBL [62.57.252.74 listed in zen.spamhaus.org] 3.0 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL 2.0 RCVD_IN_JANET_DUL

Re: Debugging and scripting

2009-06-19 Thread Matus UHLAR - fantomas
On 18.06.09 19:14, MySQL Student wrote: > Hi Dan, I'm not Dan. This is a mailing list. Many people read it and many can respond to your mail. > > Do I need the backslashes to escape the spaces? > > > > no, although \s would be fine. > Okay, so either \s or nothing at all works just the same? the \

Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Anthony Peacock writes: > Adam Cécile (Le_Vert) wrote: >> Hello, >> >> Could you give us the line from your local.cf to enable such tests? >> >> Thanks in advance, > > Which tests? You quote the whole list, some are standard some are > additions. Hi Anthony, Please show us your addition tes

Re: more mainsleeze spam

2009-06-19 Thread Cedric Knight
Michael Scheidell wrote: > Main sleaze: as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some > with and some without knowledge and adherence to the US Federal CAN-SPAM > laws. > Maybe I am stuck in 1994 when (most) people respected the net. Maybe I > react badly when one of these main-sleaze e

RE: more mainsleeze spam

2009-06-19 Thread Randal, Phil
We're seeing increasing amounts of that here. I too think that it is sold-on "marketing lists". Some of the spams mention "partner organisations" in their excuse for spamming disclaimer at the bottom of the email. I once had an interesting email discussion with a spammer who'd bought a mailing

RE: more mainsleeze spam

2009-06-19 Thread Randal, Phil
Cedric Knight wrote: > (b) are from UK-based registered companies and ostensibly directed to > other businesses in the UK. Many are for worthless sales training > webinars - I don't know if they teach more people how to send lots of > spam email. An anonymous benefactor posts a useful monthly li

Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock
Hi, Paweł Tęcza wrote: Anthony Peacock writes: Adam Cécile (Le_Vert) wrote: Hello, Could you give us the line from your local.cf to enable such tests? Thanks in advance, Which tests? You quote the whole list, some are standard some are additions. Hi Anthony, Please show us your additi

Re: new spam using large images

2009-06-19 Thread Theo Van Dinter
On Fri, Jun 19, 2009 at 3:04 AM, Jason Haar wrote: > Speaking of image/rtf/word attachment spam; is there any work going on > to standardize this so that the textual output of such attachments could > be fed back into SA? That functionality already exists (has for almost 3 years, actually), but as

Re: Spoofed Email

2009-06-19 Thread Benny Pedersen
On Fri, June 19, 2009 04:09, David B Funk wrote: > The last 3 you can install using CPAN, Razor2 has to be explicitly fetched > installed and configured (but is worth it). never use CPAN directly on a host that uses RPM/DEB/PORTAGE/BSD; making a native RPM/DEB/PORTAGE/BSD from CPAN is the way to go, if

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread Benny Pedersen
On Fri, June 19, 2009 07:59, Chip M. wrote: > Always VERY good advice, particularly given the age difference. :) it should be noted that sa-update does not just fetch all new rules in newer sa versions, but it can be backported to have most rules if one wants to make the work with it -- xpoint

anything useful to do with a joe-jobed domain?

2009-06-19 Thread Arvid Picciani
Hi, I'm currently convincing my boss to throw away a domain that receives so much backscatter, it's useless to try filtering the legitimate mail. Could I do anything useful with it? Spamtrap won't work since 99.99% of mails are backscatter from "legitimate" hosts. Can't block those. Maybe a b

Re: New www.medsXX.net spam

2009-06-19 Thread Benny Pedersen
On Fri, June 19, 2009 11:24, Paweł Tęcza wrote: > Hello People, > http://pastebin.com/m5988eed are you sure you want email To: r...@uw.edu.pl from outside world? assume it's the envelope recipient, if not just ignore me :) check your aliases in mta > http://pastebin.com/m5835257 same here To

Re: anything useful to do with a joe-jobed domain?

2009-06-19 Thread Benny Pedersen
On Fri, June 19, 2009 13:32, Arvid Picciani wrote: > Maybe a backscatter list wants them? set MX to 127.0.0.1 problem resolved :) at least for you, wonder how many hosts are doing things they are not aware of in terms of spam problems created (we don't scan mails outgoing from our host is the worst cas

Re: new spam using large images

2009-06-19 Thread Karsten Bräckelmann
On Fri, 2009-06-19 at 13:04 +1200, Jason Haar wrote: > Hi there, just a FYI > > I just received this: http://pastebin.com/m54006b68 > > 420K in size - standard configuration of SA wouldn't have even run over > this message. [...] SA would have scanned it by default just fine. The default size li

Re: more mainsleeze spam

2009-06-19 Thread Michael Scheidell
Cedric Knight wrote: (1) Report to SpamCop and DCC/Pyzor. ditto, and better, since we use the commercial version of DCC, it also include a reputation score. DCC reputation score is really nice, since if the ip address does lots of spamming, you get a hit on it even if 'this' zero day sp

Re: anything useful to do with a joe-jobed domain?

2009-06-19 Thread rich...@buzzhost.co.uk
On Fri, 2009-06-19 at 13:32 +0200, Arvid Picciani wrote: > Hi, > I'm currently convincing my boss to throw away a domain that receives so > much backscatter, it's useless to try filtering the legitimate mail. > Could I do anything useful with it? > Spamtrap won't work since 99.99% of mails are ba

Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Anthony Peacock writes: > Hi, > > Paweł Tęcza wrote: >> Hi Anthony, >> >> Please show us your addition tests, of course :D > > Unless you are a UK Higher Education organisation you won't be able to > use RCVD_IN_JANET_DUL. What a pity. We are a Polish university :) > Other than that I think the

Re: Interesting phished domain name.

2009-06-19 Thread Chris
On Fri, 2009-06-19 at 00:28 +0200, Benny Pedersen wrote: > On Fri, June 19, 2009 00:22, Yet Another Ninja wrote: > > > w-crook.com.ar.multi.uribl.com has address 127.0.0.2 > > w-crook.com.ar.multi.surbl.org has address 127.0.0.46 > > it now makes sense with ttl in 300 sec :) > > but if I get time

Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock
Paweł Tęcza wrote: Anthony Peacock writes: Hi, Paweł Tęcza wrote: Hi Anthony, Please show us your addition tests, of course :D Unless you are a UK Higher Education organisation you won't be able to use RCVD_IN_JANET_DUL. What a pity. We are a Polish university :) Yes, but this is just an

Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
Benny Pedersen writes: > On Fri, June 19, 2009 11:24, Paweł Tęcza wrote: >> Hello People, > >> http://pastebin.com/m5988eed > > are you sure you want email To: r...@uw.edu.pl from outside world? > > assume it's the envelope recipient, if not just ignore me :) > > check your aliases in mta Hello

RE: new spam image with random body message

2009-06-19 Thread Randal, Phil
Anthony Peacock wrote: > Paweł Tęcza wrote: >> Anthony Peacock writes: >>> Hi, >>> >>> Paweł Tęcza wrote: >> Hi Anthony, Please show us your addition tests, of course :D >>> Unless you are a UK Higher Education organisation you won't be able >>> to use RCVD_IN_JANET_DUL. >> >> Wha

Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
Randal, Phil writes: > Paweł Tęcza wrote: >> What's the rule for deliberately misspelled words? >> >> My best regards, >> >> Pawel > > In this country, at least, "misspelled" belongs in that list of misspelt > words. > > Oh, don't we all love American English? *grin* Hi Phil, It's funny, is

Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Randal, Phil writes: > Anthony Peacock wrote: >> Paweł Tęcza wrote: >>> Anthony Peacock writes: Hi, Paweł Tęcza wrote: >>> > Hi Anthony, > > Please show us your addition tests, of course :D Unless you are a UK Higher Education organisation you won't be able to

Re: new spam using large images

2009-06-19 Thread Charles Gregory
On Fri, 19 Jun 2009, Jason Haar wrote: Hi there, just a FYI I just received this: http://pastebin.com/m54006b68 420K in size... H. Big question for developers: Does the performance 'burden' of a large e-mail come from the 'reading' of that mail into spamassassin and initial processing? Or

Re: new spam using large images

2009-06-19 Thread Theo Van Dinter
On Fri, Jun 19, 2009 at 4:42 PM, Charles Gregory wrote: > H. Big question for developers: Does the performance 'burden' of a large > e-mail come from the 'reading' of that mail into spamassassin and initial > processing? Or is the 'cost' of a large message only 'paid' when SA attempts > to run

Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

2009-06-19 Thread RW
On Fri, 19 Jun 2009 14:19:11 +0100 "Randal, Phil" wrote: > In this country, at least, "misspelled" belongs in that list of > misspelt words. It doesn't, either is fine. It's just that in British English they're both pronounced as misspelt. Misspelled is only an Americanism if it's pronounced

Re: Spoofed Email

2009-06-19 Thread Brandon Champion
I highly recommend using Postfix to prevent some of this from even getting through to SpamAssassin to begin with. This was the most helpful page for me. I've modified things to suit my own needs, of course. The results have been stellar. SpamAssassin barely does any work now. http://jimsun.linxn

Re: Spoofed Email

2009-06-19 Thread Jeff Drury
Has this caught spoofed mail? On an average day I successfully filter approx 10k junk mail messages, only about 5-10 make it through for the entire organization, of these our individual mail programs filter these as junk... I guess many would find this acceptable, but to me no spam is my target O

Re: Spoofed Email

2009-06-19 Thread Benny Pedersen
On Fri, June 19, 2009 18:18, Jeff Drury wrote: > I guess many would find this acceptable, but to me no spam is my target no, it won't stop users sending HTML and images to mailing lists, but it would be nice if it did :) -- xpoint

Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote: > > >> body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/ > > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug > or a feature? :) That depends. If the URIs are always lowercase in the spams, making the

Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote: > On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote: > > > > >> body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/ > > > > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug > > or a feature? :) > > Th

RE: new spam using large images

2009-06-19 Thread Rosenbaum, Larry M.
> From: felic...@kluge.net On Behalf Of Theo Van Dinter > > On Fri, Jun 19, 2009 at 3:04 AM, Jason Haar wrote: > > Speaking of image/rtf/word attachment spam; is there any work going on > > to standardize this so that the textual output of such attachments could > > be fed back into SA? > >

Re: Spoofed Email

2009-06-19 Thread David B Funk
On Fri, 19 Jun 2009, Benny Pedersen wrote: > On Fri, June 19, 2009 04:09, David B Funk wrote: > > The last 3 you can install using CPAN, Razor2 has to be explicitly fetched > > installed and configured (but is worth it). > > never use CPAN directly on a host that uses RPM/DEB/PORTAGE/BSD > > make a n

Re: new spam using large images

2009-06-19 Thread Theo Van Dinter
Once you have a part you can use the documented methods in Message::Node to access data (see "perldoc Mail::SpamAssassin::Message::Node"). You will probably want $p->decode() which returns a decoded (base64, quoted-printable) string of the part contents. On Fri, Jun 19, 2009 at 7:00 PM, Rosenbau

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread Charles Gregory
On Fri, 19 Jun 2009, Chip M. wrote: 3. use a country of origin/route plugin #3 is somewhat controversial, and if implemented must be done VERY carefully. I've been looking into country-based IP blocking and it seems to boil down to two choices: 1) A Spamassassin Plugin named 'relaycountry',

Re: new spam using large images

2009-06-19 Thread LuKreme
On 19 Jun, 2009, at 06:12 , Karsten Bräckelmann wrote: On Fri, 2009-06-19 at 13:04 +1200, Jason Haar wrote: Hi there, just a FYI I just received this: http://pastebin.com/m54006b68 420K in size - standard configuration of SA wouldn't have even run over this message. [...] SA would have sc

Re: Debugging and scripting

2009-06-19 Thread MySQL Student
Hi Matus (and list :-) > I'm not Dan. This is a mailing list. Many people read it and many can > respond to your mail. Yes, thanks, I had responded to him directly and probably didn't need to, but the reply-to must not be set to the list address? /spam sample/ will match the test anywhere on line

Re: Spoofed Email

2009-06-19 Thread Brandon Champion
Configuring postfix well is extremely effective. For all the time I've invested trying to minimize the spam that reaches my company's users, that single web page has helped greater than anything else I've done. Postfix should be your first line of defense. SpamAssassin is usually your second and

Re: new spam using large images

2009-06-19 Thread Karsten Bräckelmann
On Fri, 2009-06-19 at 13:57 -0600, LuKreme wrote: > On 19 Jun, 2009, at 06:12 , Karsten Bräckelmann wrote: > >> I just received this: http://pastebin.com/m54006b68 > >> > >> 420K in size - standard configuration of SA wouldn't have even run over > >> this message. [...] > > > > SA would have scann

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread omehegan
John Hardin wrote: > > That's not what I asked - are you _training_ as that user? That's often > the problem when bayes isn't behaving the way you expect. > > sa-update won't bring 3.2.1 up to 3.2.5; you're not getting the up-to-date > rules, which may catch those. > > That said, I'm gettin

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread omehegan
Chip M. wrote: > > Owen, particularly with 419/scam spams, it's VERY helpful if you > tell us more about your ham ecology. > > It would also be helpful if you told us about your FP pipeline. > For example: Do you have a corpus? Can you easily analyze > individual SA hits on ham, over an exten

Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
On Fri 2009-06-19 at 09:45 -0700, John Hardin writes: > On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote: > > On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote: > > > > > > >> body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/ > > > > > > I've just noticed "missing"

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread SM
At 22:59 18-06-2009, Chip M. wrote: Here's a dump of the complete Countries routes of your samples (frequency first, then square brackets around the IP immediately outside your own network): 2 [France], Nigeria Do you really get such emails from Nigeria? :-) Regards, -sm

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread McDonald, Dan
On Fri, 2009-06-19 at 15:12 -0700, SM wrote: > At 22:59 18-06-2009, Chip M. wrote: > >Here's a dump of the complete Countries routes of your samples > >(frequency first, then square brackets around the IP immediately > >outside your own network): > > 2 [France], Nigeria > > Do you really get such

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread SM
At 15:36 19-06-2009, McDonald, Dan wrote: Of course. Don't you? Although usually the Nigerians relay through Italy, and sometimes Hong Kong. I don't see any email of that type originating from Nigeria in terms of SMTP. Most of these emails originate from other countries. Blocking Italy or

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread RW
On Fri, 19 Jun 2009 16:30:29 -0700 SM wrote: > At 15:36 19-06-2009, McDonald, Dan wrote: > >Of course. Don't you? Although usually the Nigerians relay through > >Italy, and sometimes Hong Kong. > > I don't see any email of that type originating from Nigeria in terms > of SMTP. Most of these

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread RW
On 19 Jun 2009 05:59:50 - "Chip M." wrote: > I would NEVER block the Netherlands (it _IS_ one of the Geekiest > nations on the planet!), however it does have many freemailers who > are often compromised, so when it occurs in COMBINATION with an > "unlikely" nation like Mexico, it's worth cons

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread Benny Pedersen
On Sat, June 20, 2009 03:27, RW wrote: > It would be nice to automate this and keep track of real statistics, so > spammy routes could be auto-discovered. The AWL plugin already does this per /16; it can be changed to track /24 or /32 if one wants a bigger database :) -- xpoint

Re: new spam using large images

2009-06-19 Thread LuKreme
On 19 Jun, 2009, at 14:38 , Karsten Bräckelmann wrote: On Fri, 2009-06-19 at 13:57 -0600, LuKreme wrote: On 19 Jun, 2009, at 06:12 , Karsten Bräckelmann wrote: I just received this: http://pastebin.com/m54006b68 420K in size - standard configuration of SA wouldn't have even run over this

Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread SM
At 17:26 19-06-2009, RW wrote: The last hop into the internal network is rarely from Nigeria, but I find it turns up in X-Spam-Relay-Countries in about 9% of my own spam. Can you send me a sample of the email headers off-list? Regards, -sm