Re: Whitelisting Sprint with no domain security

2017-12-06 Thread John Hardin
On Wed, 6 Dec 2017, Alex wrote: John wrote: What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, but adds 2.5 points to a basic email with just an image attachment. It's TVD_SPACE_RATIO plus some exclusions of hits on hammy rules. My point was, does it make sense for this rul

Re: Whitelisting Sprint with no domain security

2017-12-06 Thread Alex
Hi, >> What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, but >> adds 2.5 points to a basic email with just an image attachment. >> >> https://pastebin.com/cYtygBY9 >> >> I've tried: >> >> whitelist_from_rcvd *@pm.sprintpcs.com sprintpcs.com >> >> Ideas greatly appreciated. > > > Tr

Re: Whitelisting Sprint with no domain security

2017-12-06 Thread John Hardin
On Wed, 6 Dec 2017, Alex wrote: What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, but adds 2.5 points to a basic email with just an image attachment. It's TVD_SPACE_RATIO plus some exclusions of hits on hammy rules. -- John Hardin KA7OHZ http://www.impsec.o

Re: Whitelisting Sprint with no domain security

2017-12-06 Thread David B Funk
On Wed, 6 Dec 2017, Alex wrote: Hi, sprintpcs.com has no domain security and for some reason I can't whitelist them using whitelist_from_rcvd, or even whitelist_from just to make it even more simple. Can someone help me figure out what I'm doing wrong? Ideally I'd like to avoid whitelisting th

Whitelisting Sprint with no domain security

2017-12-06 Thread Alex
Hi, sprintpcs.com has no domain security and for some reason I can't whitelist them using whitelist_from_rcvd, or even whitelist_from just to make it even more simple. Can someone help me figure out what I'm doing wrong? Ideally I'd like to avoid whitelisting them, but many people using their cel

Re: Rule to detect mailsploit

2017-12-06 Thread Kevin A. McGrail
On 12/6/2017 10:00 AM, RW wrote: On Wed, 6 Dec 2017 06:29:01 -0500 Kevin A. McGrail wrote: I've added these rules to KAM.cf and would appreciate feedback. #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea #NUL header   __KAM_MAILSPLOIT1   From =~ /[\0]/ describe __KAM_MA

Re: Re: HTML_IMAGE_ONLY_* generating too many FP's

2017-12-06 Thread Mark London
On 12/5/2017 5:28 AM, Sebastian Arcus wrote: On 02/12/17 18:45, David Jones wrote: On 12/02/2017 11:22 AM, Sebastian Arcus wrote: On 02/12/17 13:06, Matus UHLAR - fantomas wrote: On 12/01/2017 11:17 AM, Sebastian Arcus wrote: -0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

Re: New From header tactics

2017-12-06 Thread David Jones
On 12/06/2017 08:53 AM, Alex wrote: Also, I know David's scores are different, but is it such a good idea to assign such a large negative value to all mail passing through google? In other words, isn't all mail from google going to pass senderscore90-100, automatically giving every mail from Goo

Re: Rule to detect mailsploit

2017-12-06 Thread micah
RW writes: > On Wed, 6 Dec 2017 06:29:01 -0500 > Kevin A. McGrail wrote: > >> I've added these rules to KAM.cf and would appreciate feedback. >> >> #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the >> idea #NUL >> header   __KAM_MAILSPLOIT1   From =~ /[\0]/ >> describe __KAM_MA

Off-Topic, any spamhaus people here?

2017-12-06 Thread Gary Smith
I know this is way off topic, but I'm trying to get ahold of any spamhaus.org support members.

Re: Rule to detect mailsploit

2017-12-06 Thread John Hardin
On Wed, 6 Dec 2017, Antony Stone wrote: On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote: On Wed, 6 Dec 2017, Kevin A. McGrail wrote: Something like this: header __KAM_MAILSPLOIT1 From =~ /[\0]/ describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/ind

Re: Rule to detect mailsploit

2017-12-06 Thread Antony Stone
On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote: > On Wed, 6 Dec 2017, Kevin A. McGrail wrote: > > > > Something like this: > > > > header __KAM_MAILSPLOIT1 From =~ /[\0]/ > > describe __KAM_MAILSPLOIT1 RFC2047 Exploit > > https://www.mailsploit.com/index > > > > And a p

Re: Rule to detect mailsploit

2017-12-06 Thread John Hardin
On Wed, 6 Dec 2017, Kevin A. McGrail wrote: On 12/6/2017 4:27 AM, Frido Otten wrote: Yesterday I saw this message that a bug in mailclients allow sender spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read about it. More information about it here: https://www.mailsploit.com/i

Re: Does This Look Right?

2017-12-06 Thread Gao
You can use fail2ban and enable postfix-sasl filter, then those IP will be banned after few knocks. Gao On 2017-12-04 11:17 PM, Colony.three wrote: Looks like it's doing what it's supposed to, but just checking... Dec  5 06:58:26 quantumn postfix/smtpd[51554]: lost connection after AUTH from

Re: New From header tactics

2017-12-06 Thread Benny Pedersen
David Jones wrote on 2017-12-06 15:28: I see plenty of legit email with an email address in the From:name so that would need to be a very low score or combined with other rules in a meta. yes misguided spammers win always I was pointing out the "cc:" in the From:name to try to hide the sen

Re: Rule to detect mailsploit

2017-12-06 Thread RW
On Wed, 6 Dec 2017 06:29:01 -0500 Kevin A. McGrail wrote: > I've added these rules to KAM.cf and would appreciate feedback. > > #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the > idea #NUL > header   __KAM_MAILSPLOIT1   From =~ /[\0]/ > describe __KAM_MAILSPLOIT1   RFC2047 Expl

Re: New From header tactics

2017-12-06 Thread Alex
Hi, On Wed, Dec 6, 2017 at 9:02 AM, Benny Pedersen wrote: > David Jones wrote on 2017-12-06 14:54: >> >> Interesting new From: header tactic: >> >> https://pastebin.com/9BhD8m9C >> >> I have reported this to SpamCop and Google's abuse. > > > if they ever listing > > untested: > > header __FROM_

Re: New From header tactics

2017-12-06 Thread Kevin A. McGrail
On 12/6/2017 9:33 AM, Kevin A. McGrail wrote: On 12/6/2017 9:28 AM, David Jones wrote: I see plenty of legit email with an email address in the From:name so that would need to be a very low score or combined with other rules in a meta. I was pointing out the "cc:" in the From:name to try to h

Re: New From header tactics

2017-12-06 Thread Kevin A. McGrail
On 12/6/2017 9:28 AM, David Jones wrote: I see plenty of legit email with an email address in the From:name so that would need to be a very low score or combined with other rules in a meta. I was pointing out the "cc:" in the From:name to try to hide the sender's email address at first glance

Re: New From header tactics

2017-12-06 Thread David Jones
On 12/06/2017 08:02 AM, Benny Pedersen wrote: David Jones wrote on 2017-12-06 14:54: Interesting new From: header tactic: https://pastebin.com/9BhD8m9C I have reported this to SpamCop and Google's abuse. if they ever listing untested: header __FROM_ILLEGAL_CHARS From:name =~ /[\@?|:?]?/i

Re: New From header tactics

2017-12-06 Thread Benny Pedersen
David Jones wrote on 2017-12-06 14:54: Interesting new From: header tactic: https://pastebin.com/9BhD8m9C I have reported this to SpamCop and Google's abuse. if they ever listing untested: header __FROM_ILLEGAL_CHARS From:name =~ /[\@?|:?]?/i could test it imho

New From header tactics

2017-12-06 Thread David Jones
Interesting new From: header tactic: https://pastebin.com/9BhD8m9C I have reported this to SpamCop and Google's abuse. -- David Jones

Re: Rule to detect mailsploit

2017-12-06 Thread Dianne Skoll
On Wed, 06 Dec 2017 14:37:28 +0100 Benny Pedersen wrote: > http://www.postfix.org/postconf.5.html#message_strip_characters That won't work because the doc says: Note 1: this feature does not recognize text that requires MIME decoding. It inspects raw message content, just like header_ch

Re: Rule to detect mailsploit

2017-12-06 Thread Benny Pedersen
Kevin A. McGrail wrote on 2017-12-06 14:24: Re: #5. There is an exploit in that From: Where an Email Address is used in the Name Field. There's been a lot of discussion about that type of email on list that it likely wouldn't apply to this group of rules. http://www.postfix.org/postconf.5.h

Re: Rule to detect mailsploit

2017-12-06 Thread Kevin A. McGrail
On 12/6/2017 8:06 AM, Ian wrote: All 14 variations from the MailSploit website apart from #5 triggered the rule.  This is expected as the From: in #5 is simply: From: "po...@whitehouse.gov" I.e. there doesn't seem to be an exploit in it ;) Thanks Ian.  I appreciate the testing. He's ap

Re: Rule to detect mailsploit

2017-12-06 Thread Ian
On 06/12/2017 11:29, Kevin A. McGrail wrote: I've added these rules to KAM.cf and would appreciate feedback. Hi, All 14 variations from the MailSploit website apart from #5 triggered the rule. This is expected as the From: in #5 is simply: From: "po...@whitehouse.gov" I.e. ther

Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-06 Thread RW
On Tue, 05 Dec 2017 21:03:07 -0500 Michael Grant wrote: > On 5 December 2017 18:40:15 GMT-05:00, Benny Pedersen > wrote: > >Michael Grant wrote on 2017-12-05 19:01: > > > >> loadplugin Mail::SpamAssassin::Plugin::HashBL HashBL.pm > > > >this line must not be in cf file but should be in pre f

Re: Rule to detect mailsploit

2017-12-06 Thread Kevin A. McGrail
I've added these rules to KAM.cf and would appreciate feedback. #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea #NUL header __KAM_MAILSPLOIT1 From =~ /[\0]/ describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index #\n Multiple in the From Head

Rule to detect mailsploit

2017-12-06 Thread Frido Otten
Hi all, Yesterday I saw this message that a bug in mail clients allows sender spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read about it. More information about it here: https://www.mailsploit.com/index I was thinking that there might be a possibility to detect this in spamassassi

Re: Rule to detect mailsploit

2017-12-06 Thread Kevin A. McGrail
On 12/6/2017 4:27 AM, Frido Otten wrote: Yesterday I saw this message that a bug in mail clients allows sender spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read about it. More information about it here: https://www.mailsploit.com/index I was thinking that there might be a possib

Re: Filter

2017-12-06 Thread Matus UHLAR - fantomas
On 04.12.17 21:04, Junk wrote: what i am asking is how do you manage actual IPs of the hosts providing services. you apparently mean, addresses of blacklists (below). What if at some point one of them or more are out of service? Do you monitor it so in case some stop providing the services yo