Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-02 Thread John Hardin
On Mon, 2 Apr 2018, Amir Caspi wrote: many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part. So require a minimum length for the middle part: header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/ A meta

Re: Spam from compromised accounts scoring just under block threshold

2018-04-02 Thread Amir Caspi
On Mar 31, 2018, at 4:52 AM, Pedro David Marco wrote: > > Amir, can you provide any pastebin sample, please? I thought it was relatively self-explanatory, but I'm talking about names very much like the ones that Rich Wales included in his recent email (subject: "Spam

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-02 Thread Amir Caspi
On Apr 1, 2018, at 11:33 PM, Rich Wales wrote: > > I do realize some perfectly legitimate "From:" lines conform to this same > pattern, and the only way to really tell the difference may be via AI or a > real human brain. Not just "some" legitimate mail... a LOT of legitimate

Re: BODY custom rule not working if text and html parts are different?

2018-04-02 Thread John Hardin
On Mon, 2 Apr 2018, Pedro David Marco wrote: Yeah, just confirmed. A non-obfuscated URI in plain-text body part is recognized and extracted for uri rules. Thanks John... can you provide any pastebin sample please??... It's trivially easy to add a URI to the text body part of any test

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 14:58, RW wrote: On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote: On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT" It's an aggressive rule that finds

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 14:26, David Jones wrote: On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 13:35, Pedro David Marco wrote: Sebastian, can you run spamassassin -D -t &1 | grep got | grep FUZZY_XPILL and post the result, please? Hi Pedro. Please find the output below: Apr 2 15:45:59.961 [6928] dbg: rules: ran body rule FUZZY_XPILL ==> got hit: "xon, OX"

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread RW
On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote: > On 04/02/2018 07:18 AM, Sebastian Arcus wrote: > > Thank you - one example here: https://pastebin.com/UGStfCys It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT" It's an aggressive rule that finds anything that might be an

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread David Jones
On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: I have a

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Pedro David Marco
Sebastian,  can you run spamassassin -D -t &1 | grep got | grep  FUZZY_XPILL and post the result, please? PedroD

Re: This sucks

2018-04-02 Thread Matus UHLAR - fantomas
On 01.04.18 18:26, Michael Brunnbauer wrote: I'd like to start to improve things by getting DNS blacklist in Spamassassin to work again. I think it would improve things drastically. So let's look at my problem again: running my example spam through spamassassin gets it marked as spam while using

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: I have a client which handles a lot of hotel bookings as

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Kevin A. McGrail
Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: > I have a client which handles a lot of hotel bookings as part of their > work - and all hotel booking confirmations coming from Travelodge (a UK > hotel chain) hit FUZZY_XPILL. > > I've tried looking

FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
I have a client which handles a lot of hotel bookings as part of their work - and all hotel booking confirmations coming from Travelodge (a UK hotel chain) hit FUZZY_XPILL. I've tried looking at the regex of the rule, but can't quite get my head around what it is supposed to do, and can't

Re: This sucks

2018-04-02 Thread Michael Brunnbauer
Hello Bill, On Mon, Apr 02, 2018 at 02:33:08AM -0400, Bill Cole wrote: > So I guess I was right? I don't think so. > Is there a tree of Perl modules under /root? No. I actually just reproduced the problem with a completely empty /root: cd / mkdir root1 chmod go= root1 mv root root.old ; mv

Re: BODY custom rule not working if text and html parts are different?

2018-04-02 Thread Pedro David Marco
>Yeah, just confirmed. A non-obfuscated URI in plain-text body part is >recognized and extracted for uri rules. Thanks John... can you provide any pastebin sample please??... PedroD

Re: BODY custom rule not working if text and html parts are different?

2018-04-02 Thread Sebastian Arcus
On 01/04/18 19:18, John Hardin wrote: On Sun, 1 Apr 2018, John Hardin wrote: On Sun, 1 Apr 2018, Matus UHLAR - fantomas wrote: On 01.04.18 05:47, Pedro David Marco wrote: This is a problem I see often... what if the URL is only in the TEXT part and not in the HTML? many email

Re: Spam from addresses where full name mirrors left-hand side of address

2018-04-02 Thread Bill Cole
On 2 Apr 2018, at 1:33 (-0400), Rich Wales wrote: [I tried asking this question a couple of days ago, but I've seen no signs that it made it out to the list -- possibly because the sample e-mail addresses I included in my question might have caused it to be flagged as spam.  So here goes again,

Re: This sucks

2018-04-02 Thread Bill Cole
On 1 Apr 2018, at 21:09 (-0400), Michael Brunnbauer wrote: [...] Figuring out what spamd is using is less simple (and system-specific) but since you've been maintaining a system by hand for a long time I expect you'll be able to figure out how to do so safely. This does not sound very