Re: Mismarked Ham

2009-10-15 Thread Matus UHLAR - fantomas
> On 14-Oct-2009, at 19:40, MySQL Student wrote: >> Which rule(s) is then incorrect? What is the right solution here? Is >> the only option to whitelist the user? On 14.10.09 19:54, LuKreme wrote: > What makes you think any of the rules are incorrect? A score of 6.1 is > not 100% (or even 99%, I

Re: Mismarked Ham

2009-10-15 Thread Matus UHLAR - fantomas
> > What makes you think any of the rules are incorrect? A score of 6.1 is not > > 100% (or even 99%, IIRC) spam. On 14.10.09 22:40, MySQL Student wrote: > Incorrect in that at least one of the rules fired when they should not > have, making the valid email to be marked as spam. Or maybe they did

Date in report safe page

2009-10-15 Thread Jari Fredriksson
It seems that SpamAssassin attaches the Date header from the original (attached) email when it creates the announcement email. Would it be better to create a new current Date for the "new" email? The idea here is to fix forged Date, as it often is. I sort my mail with Date, and hate when the spa

exclude domain from server-wide

2009-10-15 Thread Spamassassin List
Hi, How do I exclude a domain from a server-wide environment? regards

Re: exclude domain from server-wide

2009-10-15 Thread Robert Schetterer
Spamassassin List wrote: > Hi, > > How do I exclude a domain from a server-wide environment? > > regards > > > with magic words ? *g describe your mail spamassassin server setup ( cause there are thousand ways which it might be implemented at your side ), then you might get an answer -- Be

Re: dns query timed out while sa-update

2009-10-15 Thread wild_oscar
Karsten Bräckelmann-2 wrote: > > > A good first attempt would be, to ask the opendns DNS servers directly, > getting rid of the router in the picture. > > $ dig @208.67.222.222 5.2.3.updates.spamassassin.org txt > Yes, that one I had already tried and works. Also, using that opendns' ser

Re: SpamAssassin is not a filter

2009-10-15 Thread Ted Mittelstaedt
Kenneth Porter wrote: From : SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and

sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jason Haar
I just received what appeared to be a standard "certain north american country" pharma spam that went straight by rules I have that normally catch it. Within Thunderbird (and any other HTML-capable MUA) it's blatantly shouting its wares. Clever usage of SPANs appears to enable it to sneak straight

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jari Fredriksson
15.10.2009 18:38, Jason Haar wrote: I just received what appeared to be a standard "certain north american country" pharma spam that went straight by rules I have that normally catch it. Within Thunderbird (and any other HTML-capable MUA) it's blatantly shouting its wares. Clever usage of

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jason Haar
On 10/15/2009 09:44 AM, Jari Fredriksson wrote: > > Spam detection software, running on the system > "wellington.fredriksson.dy.fi", has > identified this incoming email as possible spam. The original message > ... I assume you are trying to imply that SA does catch it. Well it has been a while s

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin
On Thu, 15 Oct 2009, Jason Haar wrote: I just received what appeared to be a standard "certain north american country" pharma spam that went straight by rules I have that normally catch it. Within Thunderbird (and any other HTML-capable MUA) it's blatantly shouting its wares. Clever usage of SP

Re: SpamAssassin is not a filter

2009-10-15 Thread RW
On Wed, 14 Oct 2009 17:24:03 -0700 Kenneth Porter wrote: > So I suggest changing the wording of that paragraph to replace > "filter" with "classifier": I can't do any harm, but I doubt it would make much difference because not many people would read it and I think most ordinary users regard it a

RE: exclude domain from server-wide

2009-10-15 Thread Spamassassin List
>> How do I exclude a domain from a server-wide environment? >> >> > with magic words ? *g > > describe your mail spamassassin server setup ( cause there are > thousand ways which it might be implemented at your side ), then you > might get an answer I am running a qmail + simscan + spamassassi

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Rick Knight
John Hardin wrote: On Thu, 15 Oct 2009, Jason Haar wrote: I just received what appeared to be a standard "certain north american country" pharma spam that went straight by rules I have that normally catch it. Within Thunderbird (and any other HTML-capable MUA) it's blatantly shouting its wares.

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen
On Thu 15 Oct 2009 05:44:30 PM CEST, Jari Fredriksson wrote http://pastebin.com/m56d2db96 spruceclose dot com redirect listed in a number of bl now from equal replyto badrelay -- xpoint

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen
On Thu 15 Oct 2009 06:08:02 PM CEST, John Hardin wrote The spans do look suspicious, I'm putting a rule into my sandbox... wonder if google knows about a tilde r user in the server 2 tilde chars in the url double // tidy finds some errors in html -- xpoint

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin
On Thu, 15 Oct 2009, Rick Knight wrote: John Hardin wrote: 27. Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) 28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300 You might want to consider instituting a HELO-no-dots reject at S

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Rick Knight
John Hardin wrote: On Thu, 15 Oct 2009, Rick Knight wrote: John Hardin wrote: 27. Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) 28. by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300 You might want to consider instituting a

Re: [sa] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Charles Gregory
Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is still catching them. LOL The key to this trick is the spammer tries to insert 'invisible' text. Either very small font size, as in your example, or colors that match the background, or both, so that the intended wordin

Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Adam Katz
RW wrote: >> So I suggest changing the wording of that paragraph to replace >> "filter" with "classifier": > > I can't do any harm, but I doubt it would make much difference because > not many people would read it and I think most ordinary users regard > it as a fairly pedantic distinction anyway. >

Re: SpamAssassin is not a filter

2009-10-15 Thread LuKreme
On 15-Oct-2009, at 12:40, Adam Katz wrote: They've been very gracious to our community so far, Since they stopped trying to sue everyone? No wait, they didn't stop, they just lost their lawsuits. Yeah, not really seeing that 5 year legal battle with SpamArrest as gracious, myself. I suspec

Re: [sa] sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin
On Thu, 15 Oct 2009, Charles Gregory wrote: Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is still catching them. LOL None of the existing FLOAT rules caught these. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALah

Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Adam Katz
LuKreme wrote: > On 15-Oct-2009, at 12:40, Adam Katz wrote: >> They've been very gracious to our community so far, > > Since they stopped trying to sue everyone? > > No wait, they didn't stop, they just lost their lawsuits. > > Yeah, not really seeing that 5 year legal battle with SpamArrest as

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Matus UHLAR - fantomas
>>> What are you using to filter on HELO-no-dots? >> >> I'm using milter-regex. My sample config is here: >> >> http://www.impsec.org/~jhardin/antispam/ >> >> What is your MTA if it's not sendmail? It may have a similar >> capability built in. On 15.10.09 10:22, Rick Knight wrote: > I'm using Send

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Kurt Buff
On Thu, Oct 15, 2009 at 08:38, Jason Haar wrote: > I just received what appeared to be a standard "certain north american > country" pharma spam that went straight by rules I have that normally > catch it. Within Thunderbird (and any other HTML-capable MUA) it's > blatantly shouting its wares.  Cl

Re: SpamAssassin is not a filter

2009-10-15 Thread LuKreme
On 15-Oct-2009, at 13:21, Adam Katz wrote: LuKreme wrote: On 15-Oct-2009, at 12:40, Adam Katz wrote: They've been very gracious to our community so far, Since they stopped trying to sue everyone? No wait, they didn't stop, they just lost their lawsuits. Yeah, not really seeing that 5 year l

Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Adam Katz
2 if I trusted it. I like it, so I'm throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now: # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19 header MC_TAB_IN_FROM From:raw =~ /^\t/m describe MC_TAB_IN_FROM From: Contains a tab score MC_TAB_IN_FROM

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen
On Thu 15 Oct 2009 09:24:44 PM CEST, Matus UHLAR - fantomas wrote FEATURE(`block_bad_helo') in sendmail.mc if I remember sendmail, it needs to be added in sendmail.m4 and when saved, m4 sendmail.m4 will create sendmail.mc -- xpoint

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin
On Thu, 15 Oct 2009, Matus UHLAR - fantomas wrote: What are you using to filter on HELO-no-dots? I'm using milter-regex. My sample config is here: http://www.impsec.org/~jhardin/antispam/ What is your MTA if it's not sendmail? It may have a similar capability built in. On 15.10.09 10:22, Ric

Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen
On Thu 15 Oct 2009 09:43:52 PM CEST, Adam Katz wrote # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19 header MC_TAB_IN_FROM From:raw =~ /^\t/m describe MC_TAB_IN_FROM From: Contains a tab score MC_TAB_IN_FROM 0.6 # 20091015, considering bump to 1.2 also tab

Re: SpamAssassin is not a meat butcher

2009-10-15 Thread Adam Katz
LuKreme wrote: > SpamArrest WON THEIR TRADEMARK. And for that I am glad. Perhaps my personal stance was improperly gauged; I understand Hormel's stance and actions, though I wouldn't support their legal actions and I sided with SpamArrest's fair usage given Hormel's stated policies. I see nothin

Re: dns query timed out while sa-update

2009-10-15 Thread Matthias Leisi
wild_oscar wrote: > I might leave it at that. The problem that I've been scratching my head > about is why does it work when using the nameserver directly but not when > using the router's IP address, which is forwarding to the same address. > It might be a problem with the router, although it

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi, > With this: > >      Received: from public30108.xdsl.centertel.pl (HELO > marcin-8963fd6f) (79.163.117.156) > > my postfix setup would have simply dropped it on the floor at the > HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't > talk to it. Kurt, can you explain how y

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Adam Katz
Rick Knight wrote: > John, > > What are you using to filter on HELO-no-dots? I've looked at milter-regex, > but I can't get it to build on my slackware 12 system. That would be the __HELO_NO_DOMAIN rule, modified from vanilla 3.2.5 by updates.spamassassin.org to something less useful and then reverte

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme
On 15-Oct-2009, at 17:31, MySQL Student wrote: Hi, With this: Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) my postfix setup would have simply dropped it on the floor at the HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme
On 15-Oct-2009, at 17:31, MySQL Student wrote: Kurt, can you explain how you're doing it with postfix? Sorry, pasted the wrong thing in the previous email. smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme
On 15-Oct-2009, at 17:57, LuKreme wrote: smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit Oh, and for the record, on my mail server these two restrictions stop 50% of all attempted connections. That's 50%

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin
On Thu, 15 Oct 2009, LuKreme wrote: On 15-Oct-2009, at 17:57, LuKreme wrote: smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit Oh, and for the record, on my mail server these two restrictions stop 50% of all attempted connecti

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Chris
On Thu, 2009-10-15 at 09:38 -0600, Jason Haar wrote: > I just received what appeared to be a standard "certain north american > country" pharma spam that went straight by rules I have that normally > catch it. Within Thunderbird (and any other HTML-capable MUA) it's > blatantly shouting its wares.

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread d . hill
Quoting LuKreme : On 15-Oct-2009, at 17:31, MySQL Student wrote: Hi, With this: Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) my postfix setup would have simply dropped it on the floor at the HELO/EHLO. If it doesn't HELO with an FQDN and a proper

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Ned Slider
John Hardin wrote: On Thu, 15 Oct 2009, LuKreme wrote: On 15-Oct-2009, at 17:57, LuKreme wrote: smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit Oh, and for the record, on my mail server these two restrictions stop 50% of al

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi, > smtpd_helo_restrictions = permit_mynetworks, >        reject_invalid_helo_hostname, >        reject_non_fqdn_helo_hostname, >        permit I'm currently using reject_non_fqdn_sender and reject_non_fqdn_recipient. I wanted to be sure I should use the two helo restrictions you've listed abov

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Kurt Buff
Sure. Here's a snippet from main.cf: --begin snippet-- smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination check_r

Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Henrik K
On Thu, Oct 15, 2009 at 03:43:52PM -0400, Adam Katz wrote: > > # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19 > header MC_TAB_IN_FROM From:raw =~ /^\t/m > describe MC_TAB_IN_FROM From: Contains a tab > score MC_TAB_IN_FROM 0.6 # 20091015, cons

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Per Jessen
Rick Knight wrote: > What are you using to filter on HELO-no-dots? I've looked at milter-regex, > but I can't get it to build on my slackware 12 system. > In postfix, it's easily done with smtpd_helo_restrictions= check_helo_access=pcre:/etc/postfix/table Table would contain a line like this: /^[^

svn rules and viewvc

2009-10-15 Thread R-Elists
i used to be able to use wget to "easily" download rules from jhardin and other sandboxes now with this new viewvc, it is a total pain in the backside to do anything. how do we make it so it is easy to get the sandbox rules again? - rh

Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Per Jessen
Adam Katz wrote: > If you own a company trying to *trademark* something with the word > "Spam" in it (e.g. "SpamArrest"), that infringes upon their trademark. > If you own a company with a product with the word "Spam" in it and > you don't try to trademark it (e.g. SpamAssassin, SpamCop), they won

RE: exclude domain from server-wide

2009-10-15 Thread R-Elists
> > I am running a qmail + simscan + spamassassin + clamav on a > centos 5.3. > > Regards > s..a..l...@gmail, there are many ways to do it... you could try @example.com in your /var/qmail/control/badmailfrom might work... depending on some factors... you could smtp reject above a cer