Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 16:17 (-0500), Chip wrote: Do you mean don't whitelist_auth *@example.com *unless* they have published spf/dkim? I can't speak to Dave's meaning (although I value it...) but in fact whitelist_auth directives only have any effect if the domain has published SPF or DKIM

Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 20:02 (-0500), jdow wrote: After your first time being a victim of cyberstalking you'll soon enough wish your "from" line was as generic as mine. People who put their full name in the From: line haven't been mugged yet. I spent a year learning about this 1985-1986. I

Re: From name containing a spoofed email address

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 10:20 (-0500), Rupert Gallagher wrote: > Empty Message You're repeating yourself... -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: From name containing a spoofed email address

2018-01-19 Thread jdow
After your first time being a victim of cyberstalking you'll soon enough wish your "from" line was as generic as mine. People who put their full name in the From: line haven't been mugged yet. I spent a year learning about this 1985-1986. As a byproduct of this habit of mine, when I see a "To:

Re: From name containing a spoofed email address

2018-01-19 Thread David Jones
On 01/19/2018 03:17 PM, Chip wrote: Okay, trying to understand. You say: whitelist_auth *@*.chase.com whitelist_auth serv...@paypal.com This would trust emails from any subdomain under chase.com and serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules. Okay, got that.

Re: From name containing a spoofed email address

2018-01-19 Thread Chip
Okay, trying to understand. You say: whitelist_auth *@*.chase.com whitelist_auth serv...@paypal.com This would trust emails from any subdomain under chase.com and serv...@paypal.com that hit SPF_PASS or DKIM_VALID_AU rules. Okay, got that. But I'm confused when you further

Re: From name containing a spoofed email address

2018-01-19 Thread David Jones
On 01/19/2018 02:21 PM, Jeffs Chips wrote: I would be very interested in knowing what features in SA  flag spoofed email addresses.  Knowing the methods used or plugins available to detect spoofed emails is integral to the project I'm working on. That is the million dollar question. If we

Apache SpamAssassin Looking for Student Developers and Project Ideas for Google Summer of Code 2018

2018-01-19 Thread Sidney Markowitz
On behalf of the Apache SpamAssassin PMC, we are supporting the Google Summer of Code for 2018. GSOC is a global program focused on bringing more student developers into open source software development. Students work with an open source organization on a 3 month programming project during their

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
I would be very interested in knowing what features in SA flag spoofed email addresses. Knowing the methods used or plugins available to detect spoofed emails is integral to the project I'm working on. __ "Perhaps sleep did not evolve. Perhaps it was the thing from which

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
Thanks! FYI for some reason Gmail is classifying these emails as spam. __ "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged.” -- Matthew Walker, Sleep Scientist On Jan 19, 2018 3:11 PM, "John Hardin" wrote: > On Fri, 19

Re: From name containing a spoofed email address

2018-01-19 Thread John Hardin
On Fri, 19 Jan 2018, AJ Weber wrote: False Positive i.e. SA incorrectly classifying a message as SPAM. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C

Re: From name containing a spoofed email address

2018-01-19 Thread AJ Weber
False Positive On 1/19/2018 2:55 PM, Jeffs Chips wrote: I am trying to follow this interesting thread - can someone tell me what "FP" means? __  "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged.” -- Matthew Walker, Sleep Scientist On

Re: From name containing a spoofed email address

2018-01-19 Thread Jeffs Chips
I am trying to follow this interesting thread - can someone tell me what "FP" means? __ "Perhaps sleep did not evolve. Perhaps it was the thing from which wakefulness emerged.” -- Matthew Walker, Sleep Scientist On Jan 19, 2018 12:02 AM, "Pedro David Marco"

Re: From name containing a spoofed email address

2018-01-19 Thread Paul Stead
I too have a plugin written I've been using for a short while from the last time this was brought up, I too would like to get some spamples of spoofed From:name emails. There are a few FP situations, I get around these by seeing what the difference in between the length of the found email

Re: From name containing a spoofed email address

2018-01-19 Thread shanew
I've got a basic plugin written for this now, but I'd like to do a little more testing before I make it widely available. If you have mail samples (ham or spam) with an "@" character in the name part of the From field that you're willing to share, let me know. BTW, I've already run into some

Re: catching a dot in the number of a rule

2018-01-19 Thread David Jones
On 01/19/2018 09:31 AM, Robert Boyl wrote: Hi, masters! I know [1-9]{1,5} spreadsheets catches something like 23244 spreadsheets What about 23.244 spreadsheets? How to make the rule consider a dot in the number? Thank you! Rob https://regex101.com/ \d{1,2}\.?\d{1,5} -- David Jones

catching a dot in the number of a rule

2018-01-19 Thread Robert Boyl
Hi, masters! I know [1-9]{1,5} spreadsheets catches something like 23244 spreadsheets What about 23.244 spreadsheets? How to make the rule consider a dot in the number? Thank you! Rob

Re: New rule --- From:name domain mismatches From:addr domain

2018-01-19 Thread Rupert Gallagher
Also copy and paste in a reply does not work. Crapware... Sent from ProtonMail Mobile On Fri, Jan 19, 2018 at 16:18, Rupert Gallagher wrote: > It turns out that PM does not forward e-mails. > > Sent from ProtonMail Mobile > > On Fri, Jan 19, 2018 at 16:16, Reindl Harald

Re: From name containing a spoofed email address

2018-01-19 Thread Rupert Gallagher
Empty Message

Re: New rule --- From:name domain mismatches From:addr domain

2018-01-19 Thread Rupert Gallagher
It turns out that PM does not forward e-mails. Sent from ProtonMail Mobile On Fri, Jan 19, 2018 at 16:16, Reindl Harald wrote: > On 19.01.2018 at 16:14, Rupert Gallagher wrote: > Empty Message how many of > them are expected? what idiotic MUA does that?

Fwd: New rule --- From:name domain mismatches From:addr domain

2018-01-19 Thread Rupert Gallagher
Empty Message

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Hi Dianne, Good to hear from you. I need the dkim/spf lookup features of SpamAssassin. procmail will filter and dump into folders but AFAIK does not do any kind of spf or dkim verification. There are stand-alone scripts that can do that but using those is above my pay grade unless someone

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Dianne Skoll
On Thu, 18 Jan 2018 16:01:13 -0500 Chip wrote: > I'm tied to a Cpanel/WHM VPS which can't be changed. That's a problem. It's like having someone require you to play Hungarian Rhapsody while wearing mittens. I mean sure... maybe it's possible, but why would you try? Is

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread David Jones
On 01/19/2018 08:56 AM, Heiler Bemerguy wrote: On 19/01/2018 11:27, David Jones wrote: On 01/19/2018 08:12 AM, Heiler Bemerguy wrote: Hi guys, I'm new to the list so pardon any stupidity I may say.. lol I'm using SpamAssassin 3.4.1 with Postfix 3.1.6 on Debian 9.     ii  spamassassin

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread Heiler Bemerguy
On 19/01/2018 11:33, Bill Cole wrote: These show Bayes learning by the user debian-spamd. BUT: root@mailer:~# sa-learn --dump magic This checks the Bayes DB for the user root. root != debian-spamd You need to either run sa-learn as debian-spamd (possibly infeasible) or make root use

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
yes, everything you say is accurate and correct. We are not looking for perfection in the gathering of statistics, only ballpark. No one will ever open the bogus, phishing emails because the emails are not attached to a living person.  Once the statistic is collected the email is automatically

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread Heiler Bemerguy
On 19/01/2018 11:27, David Jones wrote: On 01/19/2018 08:12 AM, Heiler Bemerguy wrote: Hi guys, I'm new to the list so pardon any stupidity I may say.. lol I'm using SpamAssassin 3.4.1 with Postfix 3.1.6 on Debian 9.     ii  spamassassin *3.4.1-6+deb9u1 * all  Perl-based spam

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones
On 01/19/2018 08:30 AM, Chip wrote: Good question. Saying why I care about spf and dkim but not spam sounds contradictory, I know. The reason is because this project doesn't care if spam arrives, only if the spam or email (even authenticated properly email) is spoofed. How are you going to

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Thank you! I see that shortcircuit is already enabled in 320! I think you really hit on something. Thanks again! I knew there was a simple answer. On 01/19/2018 09:35 AM, David Jones wrote: > On 01/19/2018 08:24 AM, Chip wrote: >> OK, point taken - I should have mentioned earlier that *part* of

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones
On 01/19/2018 08:24 AM, Chip wrote: OK, point taken - I should have mentioned earlier that *part* of the reason to stick with SA is because it does spf and dkim checks. My mistake. Moving on now, David, good suggestions! Enlighten me about the Shortcircuit plugin please. How does one

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread Bill Cole
On 19 Jan 2018, at 9:12 (-0500), Heiler Bemerguy wrote: [...] I had cleared bayes database with --clear some days ago and had restarted spamassassin service. Today I saw some autolearning on mail.log, but all the "dump magic" values are still 0 see: **spamd: result: Y 8 -

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Good question. Saying why I care about spf and dkim but not spam sounds contradictory, I know. The reason is because this project doesn't care if spam arrives, only if the spam or email (even authenticated properly email) is spoofed.  We are doing checks on senders and the likelihood of a

Re: From name containing a spoofed email address

2018-01-19 Thread Rupert Gallagher
Empty Message

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread RW
On Fri, 19 Jan 2018 11:12:53 -0300 Heiler Bemerguy wrote: > > > I had cleared bayes database with --clear some days ago and had > restarted spamassassin service. Today I saw some autolearning on > mail.log, but all the "dump magic" values are still 0 > > > root@mailer:~# sa-learn --dump magic   

Re: Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread David Jones
On 01/19/2018 08:12 AM, Heiler Bemerguy wrote: Hi guys, I'm new to the list so pardon any stupidity I may say.. lol I'm using SpamAssassin 3.4.1 with Postfix 3.1.6 on Debian 9. ii  spamassassin *3.4.1-6+deb9u1 * all  Perl-based spam filter using text analysis local.cf:

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
OK, point taken - I should have mentioned earlier that *part* of the reason to stick with SA is because it does spf and dkim checks. My mistake. Moving on now, David, good suggestions! Enlighten me about the Shortcircuit plugin please. How does one activate it or use it? The manual gives an

Re: Mail flagged as spam on command line getting passed through as ham

2018-01-19 Thread Bill Cole
On 18 Jan 2018, at 14:52 (-0500), Andy Howell wrote: Any ideas what I'm doing wrong? Your server and command line invocations are using different configurations. WHY that is happening is impossible to know without more information about how you're using SpamAssassin in your mail server.

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones
On 01/19/2018 08:07 AM, RW wrote: On Thu, 18 Jan 2018 18:49:52 -0500 Chip wrote: Very well stated.  Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures.  Based on fail or pass, or some combination in concert with the sender's email

Autolearn says it learned but dump magic stays at zero

2018-01-19 Thread Heiler Bemerguy
Hi guys, I'm new to the list so pardon any stupidity I may say.. lol I'm using SpamAssassin 3.4.1 with Postfix 3.1.6 on Debian 9. ii  spamassassin  3.4.1-6+deb9u1 all  Perl-based spam filter using text analysis

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread RW
On Thu, 18 Jan 2018 18:49:52 -0500 Chip wrote: > Very well stated.  Bravo! > > The end point here is to examine the email headers that specifically > refer to dkim and spf signatures.  Based on fail or pass, or some > combination in concert with the sender's email address, they get moved > into

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones
On 01/18/2018 05:49 PM, Chip wrote: Very well stated.  Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures.  Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders.

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Alex Woick
Chip wrote on 19.01.2018 at 00:49: The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. The right thing to do

Re: From name containing a spoofed email address

2018-01-19 Thread Antony Stone
On Friday 19 January 2018 at 07:40:07, Rupert Gallagher wrote: > See my post of 25/20/2017 to this list. My calendar doesn't go that far :( Antony. -- I wasn't sure about having a beard at first, but then it grew on me. Please reply to the