On 11/10/2014 02:32 AM, Rich Wales wrote:
This *AXB_XRCVD_8B8* rule seems excessively broad to me. It seems it
could wrongly catch e-mail that was legitimately Amavis-scanned on its
way out by a server whose name just happened to be eight characters long.
I think a better rule would take advant
This *AXB_XRCVD_8B8* rule seems excessively broad to me. It seems it
could wrongly catch e-mail that was legitimately Amavis-scanned on its
way out by a server whose name just happened to be eight characters long.
I think a better rule would take advantage of other anomalies with these
fake heade
Hi,
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old
* [URIs: bestwestern.com]
I looked around for a place to report an FP, but also thought everyone
else should know about this, since it's so obviously incorrect.
Their whois looks like the record was updated on the
On 11/09/2014 11:51 PM, Dave Funk wrote:
On Sun, 9 Nov 2014, Axb wrote:
On 11/09/2014 09:51 PM, Alex Regan wrote:
Hi guys,
One of my user's hotel reservations almost got tagged incorrectly:
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: bestwester
On Sun, 9 Nov 2014, Axb wrote:
On 11/09/2014 09:51 PM, Alex Regan wrote:
Hi guys,
One of my user's hotel reservations almost got tagged incorrectly:
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: bestwestern.com]
I looked around for a place to rep
On 11/09/2014 11:20 PM, Axb wrote:
On 11/09/2014 09:51 PM, Alex Regan wrote:
Hi guys,
One of my user's hotel reservations almost got tagged incorrectly:
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: bestwestern.com]
I looked around for a place to
On 11/09/2014 09:51 PM, Alex Regan wrote:
Hi guys,
One of my user's hotel reservations almost got tagged incorrectly:
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: bestwestern.com]
I looked around for a place to report an FP, but also thought every
>Yeah they tried a similar trick with MailScanner years ago, basically don't
>trust someone else's mail to tell the truth as per usual
You are right about trust, but in this case we can detect fake amavis-headers
and score bigtime in a safe way. And from what I can tell from my logs it hits
Yeah they tried a similar trick with MailScanner years ago, basically don't
trust someone else's mail to tell the truth as per usual
On Sunday, 9 November 2014, Marieke Janssen wrote:
> >hitting like crazy and safe
>
> Confirmed, thank you.
>
> /MJ
>
>
--
--
Martin Hepworth, CISSP
Oxford, UK
>hitting like crazy and safe
Confirmed, thank you.
/MJ
Hi guys,
One of my user's hotel reservations almost got tagged incorrectly:
* 1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: bestwestern.com]
I looked around for a place to report an FP, but also thought everyone
else should know about this, since it's
On 11/09/2014 06:59 PM, Axb wrote:
On 11/09/2014 06:45 PM, Rich Wales wrote:
Hi. Recently, I've noticed that some spam arriving on my mail server
contains a "Received:" header line citing amavisd-new -- possibly an
attempt to trick spam filters into concluding the message has already
been scann
On 11/09/2014 06:45 PM, Rich Wales wrote:
Hi. Recently, I've noticed that some spam arriving on my mail server
contains a "Received:" header line citing amavisd-new -- possibly an
attempt to trick spam filters into concluding the message has already
been scanned and is presumably free of problem
Hi. Recently, I've noticed that some spam arriving on my mail server
contains a "Received:" header line citing amavisd-new -- possibly an
attempt to trick spam filters into concluding the message has already
been scanned and is presumably free of problems.
Here is an example of one of these -- t
On Sun, 9 Nov 2014, David B Funk wrote:
For NUMERIC_HTTP_ADDR the rule is: /^https?\:\/\/\d{7}/is
If that pattern were terminated like:
/^https?\:\/\/\d{7}(?::\d+)?(?:\/|$)/is
it should prevent the FPs (hopefully without destroying its effectiveness)
Oops, for that new formulation it would a
Recently I've seen a bunch of FPs on URI_HEX & NUMERIC_HTTP_ADDR thanks to some
URLs that look like:
https : // 4490379 . fls . doubleclick . net / activityi
(extra spaces my addition, remove to see actual URL)
These were embedded in some Amtrak ticket confirmation messages. Looking
at my logs,
On 11/09/2014 08:03 AM, Robert Schetterer wrote:
On 08.11.2014 at 21:11, Reindl Harald wrote:
slightly OT but don't know a better list - has somebody a larger list of
parking-only nameservers than below? sadly you find easily parking
companies but not the dedicated nameservers or a clear inform