val:check_rbl_txt('spamcop-lastexternal',
'bl.spamcop.net.', '(?i:spamcop)')
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
've done wrong?
I think that's a mailscanner bug... There has been some discussion on
this list about this in the past...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
I notice that me.com (Apple's "mobile me") is now offering a "free 60
day trial" for their mail solution. About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains. Anyone seen anything similar?
--
Daniel
? You will need
to restart it to load the new rules
> The commands I used are:
[...]
> sa-update --channelfile sa-update-channels.txt --gpgkeyfile
> sa-update-keys.txt
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
at position.
As a one-liner, it is something that can be tacked on the end of a
script that calls sa-update (or in the middle, if you follow up your
sa-update with an sa-compile). Just watch out for the two spaces in the
cut command `cut -d\ -f1-3`
>I never would have thought of doing it that
R_RELAY received from a host that does a lot of
backscatter
score RCVD_IN_BACKSCATTER_RELAY 1.30
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
On Fri, 2009-12-18 at 12:53 +, Christian Brel wrote:
> On Fri, 18 Dec 2009 06:49:41 -0600
> Daniel J McDonald wrote:
>
> > On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
> > > On Fri, 18 Dec 2009 03:44:32 -0500
> > > "Daryl C. W. O'Shea
who really is in charge of this project?
>
It's been fixed. Don't you know how to use bugzilla?
http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
The new scores will come out in 3.3.0, RC1 is very soon...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
sc/%{name}/%{name}-%{version}%{beta}.tar.gz
Source1:
ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz.asc
>
> Kai
>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
> On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
> > I'd love to have the clamav unofficial signature families scored. I
> > have a fine guess as to how relevant they are, but it is just that - a
> > guess.
a score at random" is that the relative effectiveness
of the various lists isn't tested.
I'd love to have the clamav unofficial signature families scored. I
have a fine guess as to how relevant they are, but it is just that - a
guess. I'd hate to have to guess for everyone's w
artner organization. Or to any competitor. Or
even to yourself.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
about it, but I've not had any
false-positive reports, and I recall at least one false-negative
complaint where RCVD_IN_BACKSCATTER_RELAY had been triggered. (the total
score was only about 4.6, IIRC).
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
.messages.bitdefender.com
1 @bounce.cordblood.com
1 @blingo.pch.bounce.ed10.net
1 @b.email.onestopplus.com
1 @arbys.fbmta.com
1 @americangirl-email.com
1 @agoravip.com
1 @actionnetwork.org
1 @1800petmeds.com
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
n their website either.
Have you tried a razor-revoke?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
On Wed, 2009-10-21 at 18:59 +0200, Lars Ebeling wrote:
> I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.
>
> http://pastebin.com/m612529a7
>
> The interface is configured in master.cf
It's 42K, so check that you don't have a size limit.
When I scan it I get:
X-Spam-Report:
On Fri, 2009-10-16 at 16:25 -0400, Adam Katz wrote:
> My own proposal to fixing this is to bring back Blue Security's
> do-not-email list, which is to say a freely available index of secure
> hashes representing email addresses that have opted out of bulk email.
> (Recall that the controversial a
he most comfortable way for me to
communicate. SpamAssassin deals with raw mail, so it is expected that
users will be comfortable using mail.
[1]http://www.rhyolite.com/anti-spam/you-might-be.html
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
to
score AE_DETAILS_WITH_MONEY 2.0
score AE_DETAILS_WITH_EMAIL 2.5
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
> It's catching on :-)
this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...
How about:
body __MED_OB
/\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[
On Wed, 2009-07-22 at 18:05 -0400, MySQL Student wrote:
> > Please use pastebin.
>
> Yes, will do, thanks.
>
> >>It hit BAYES_99, but that's it. Are there any rules that pertain to
> >>'loan' or this type of mail that can somehow block these?
> >
> > FreeMail.pm and the SOUGHT_FRAUD rules.
>
> S
On Mon, 2009-03-30 at 14:23 -0400, RWS* wrote:
> >
> Thanks very much.
> Bad assumption (on my part too) !
> > spamassassin --version
>SpamAssassin version 3.2.4
> Gawk
>
> > ls -l /var/lib/spamassassin
> drwxr-xr-x 3 4096 Oct 16 18:27 compiled/3.002004 ...
> does not contain a
ce amavisd reload, and postfix flush.
> >
>
>
> why postfix flush? mail may be deferred for reasons unrelated to
> amavisd-new status. just let postfix do its job as usual.
Everything in the queue tempfails when amavisd-new is restarted, since
it can't reach the filter.
ork.
2. Create a rule like this:
header __OUR_DOMAIN_FROM From:addr =~ /\@example\.com$/i
header __OUR_DOMAIN_ENVELOPE EnvelopeFrom:addr =~ /\@example\.com$/i
meta OUR_DOMAIN (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL
describe OUR_DOMAIN claims to be from our domain but fails
dded.
I've been using this rule to knock some of these down:
uri AE_ASM /\/[[:alpha:]]{28,40}$/
describe AE_ASM long gibberish path used by ASM Marketing
score AE_ASM 1
Highly unusual to have a url like that in ham...
I'm running a
On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote:
> Rasmus Haslund wrote:
> >> After a loud outcry from our users from the increasing level of spam in
> >> their inboxes, I installed the Botnet Plugin.
> >>
> > Is this something that can be used with the SA in Icewarp Merak?
> >
>
> B
s google
> is letting me down a bit?
http://taint.org/2007/08/15/004348a.html
--
Daniel J McDonald <[EMAIL PROTECTED]>
nning perl 5.10
--
Daniel J McDonald - CCIE #2495, CISSP # 78281, CNX
ceived: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
>
> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
> matches 74.220.16.65.
>
> What am I missing?
74/8 was removed from the Bogon list in 2005, but maybe the recipient
hasn't updated
"__spf__.domain.tld" or something like that instead of the TXT
> record for "domain.tld" when checking SPF.
Could have, but underscores are not a legal character in domain names.
And now BIND 9.4 supports the SPF RR type, so we just have to wait a
decade or two until everyone still run
On Tue, 2008-10-14 at 18:17 +0200, Matus UHLAR - fantomas wrote:
> On 14.10.08 11:05, Daniel J McDonald wrote:
> > On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> > > On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > > >
> > >
On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> >
> > On 14.10.08 16:20, Martin Gregorie wrote:
> > > Why not change its name to __SPF_PASS and only use it in meta-rules?
> >
> > because that's SA rule, even if I chan
On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > On Mon, October 13, 2008 16:39, Henrik K wrote:
> >
> > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > Obviously you can't redefine SPF_PASS on the fly.
>
> On 13.10.08 21:08, Benny Pedersen wrote:
> > also that SPF_PASS was ne
On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
>
> On Mon, 22 Sep 2008, Daniel J McDonald wrote:
>
> > On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
> >> We're trying it today.
> >
>
> Hmm I signed up for this 1-2 days ago but never got
mail/info
27
The numbers might be slightly worse for zen, since I had a couple of
multiple-zen hits:
$ grep -c -P BRBL.+[PSX]BL.+[PSX]BL /var/log/mail/info
3
I'm currently scoring it a 1.00, if it really is accurate I would like
to increase it.
--
Daniel J McDonald, CCIE #2495, CISSP #78281,
rter has been in the 10-14 spams per minute
range I don't track the number of connections dropped by greylisting,
so that might be masking anything anomalous.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
be set to test
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
, RAZOR2_CHECK=0.5, RELAY_US=0.01,
SARE_EN_A_6XX_1=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
URIBL_BLACK=1.961, URIBL_JP_SURBL=2.857, URIBL_OB_SURBL=2.132],
autolearn=disabled, quarantine XTaDjzHYEhiO (spam-quarantine)
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
On Fri, 2007-12-07 at 08:38 -0500, Matt Kettler wrote:
> Stefan Jakobs wrote:
> > Let's assume you are running a mailrelay for a university and your users are
> > from different countries. Let's assume further on you have no Swedish people at
> > your university (and you get a lot of spam from S
","example.org",
"example.net" ); # list of all local domains
>
> Thanks in advance!
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.63.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.62.tar.gz
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
me
stuff over and over. Plus you are missing rules at certain points of
the cycle
> I know this is going to be a
> bit much for some folks on here to handle, but I had to get on with
> life at some point!
true, but you could just find the real problem (permissions) and fix
ey claim that they can
fix neither rDNS or set their SPF record, I might use amavisd-new's
soft-whitelisting to trim a couple of points, or I tell them to pound
sand. Usually I can convince people to fix one or the other.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
they would know... I'd suggest die-ing
instead.
>
> Possibly even have this as:
> warn_conffile_maxsize (speced in KB, default 1024)
>
> Users that want to use absurdly large files can just raise the number..
+1
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
On Tue, 2007-09-25 at 12:15 -0700, feral wrote:
>
> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?
>
> So I am posting response here:
>
> Daniel McDonald wrote:
>
>
> > basically, ensure it can resolve DNS. You can force it with
> >
> > dns_available yes
[
ally, ensure it can resolve DNS. You can force it with
dns_available yes
use_bayes_rules
If you want to turn bayes off:
use_bayes 0
or maybe:
use_bayes_rules 0 (if you want it to attempt to continue to update the
bayes database)
>
> thanks
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
ons
> - all other mails should be forwarded to another email address not on
> the same server
http://www.postfix.org/postconf.5.html#always_bcc
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
if they disappear
then
>
> guenther
>
>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
f ending will be read as a rules file.
If you are just a user, not a sysadmin, you may be able to create rules
in ~/.spamassassin/user_prefs, but that depends on a lot of variables
that your sysadmin will be able to tell you about.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Au
spamassassin v3.1.7 to v3.2.1 with the same
> command I saw the following messages:
>
> t/spamc_optCNot found: reported spam = Message
Bug 5510
>
> At the follow error I've stop all.
> Which is it the problem? Lack some library? Can You suggest how can
hort while after I send the email for the file to sync out
> to the server.
works like a champ for me:
[EMAIL PROTECTED] ~]$ sudo grep -o -P POSTCARD.*?= /var/log/mail/info |
sort | uniq -c
444 POSTCARD_01=
That's in just 2 hours...
Thanks!
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
Instead of
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
do:
> From: "Tech support" <[EMAIL PROTECTED]>
Then your message will only score 1.5, and it will be below the fellow's
ridiculously low scoring threshold.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
BL=0.509,
RCVD_IN_XBL=2.896, RDNS_DYNAMIC=0.1, UNWANTED_LANGUAGE_BODY=2.8],
autolearn=disabled
That's out of
[EMAIL PROTECTED] ~]$ sudo grep -o -P GMD_PDF.+?= /var/log/mail/info | sort
| uniq -c
684 GMD_PDF_BAD_FUZZY=
43 GMD_PDF_HORIZ=
67 GMD_PDF_STOX=
24 GMD_PDF_VERT=
-
n that sa-update
will use it...
>
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
they have not yet licensed it for the world, and I
only briefly thought about writing a plugin to call it.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 2.0
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
> I'm testing this idea now.
Of course, that's what the botnet plugin does.
But if you are looking for known ham sources, that's bonded sender or
some such. They at least have a financial incentive to not send spam.
For anyone else it's just a matter of when they get pwn3d
visd-new as a front-end filter,
discard/quarantine the trash, then deliver to MS Exchange for end users
to read.
And I've been catching actual customers and vendors right-and-left with
the botnet plugin. Too many false positives, even combining it with
p0f, for me to feel very good ab
On Wed, 2007-06-20 at 12:04 +0100, Peter Farrell wrote:
> Having problems re-installing SA.
> Blew away my previous installation cat'ing the .packlist to xargs rm.
> As root, start perl -MCPAN -e shell and 'install SpamAssassin'
> All of the errors in t/logs/* relate to either one of three things:
n character encodings used
> in messages? Basically I want to severely penalize non-Latin1 encodings.
In 3.1.x, just set ok_locales en
in 3.2.x, set ok_locales and also enable the Textcat plugin.
Details in
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#language_options
>
On Fri, 2007-06-15 at 15:27 -0700, Bill Landry wrote:
> Daniel J McDonald wrote the following on 6/15/2007 2:54 PM -0800:
> > On Fri, 2007-06-15 at 22:08 +0100, Randal, Phil wrote:
> >
> > And a few others... Might as well be completely consistent. Try this
> > pa
ent_udp=>0,
+ dnsrch=>0,
+ defnames=>0,
+ );
+ if ($query = $resolver->search($name, $type)) {
+ # found matches
my $name = "";
if ($query = $resolver->query($ip, 'PTR', 'IN')) {
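Review bot: the added lookup calls `$resolver->search($name, $type)` even though the constructor options in the same hunk set `dnsrch=>0` and `defnames=>0`, and the existing PTR lookup in the context lines uses `$resolver->query(...)`. With the search list switched off, using `query` (or `send`) for the new lookup as well would state the intent directly and keep the two lookups consistent.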
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
s ignored until trained by at least 100 messages.
> Will
> Spamassassin dump a message if it fits the "spam" characteristics from bayes?
Like everything else, it is a factor, but not always a deciding factor.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Tue, 2007-06-12 at 16:07 -0400, Rosenbaum, Larry M. wrote:
> > From: Duncan Hill [mailto:[EMAIL PROTECTED]
> >
> > On Tue, June 12, 2007 13:33, Justin Mason wrote:
> > > Daniel J McDonald writes:
> > >> So, you can't build the RPM as root.
> >
aemonized SpamAssassin (like spamd, or amavisd-new)
you will need to restart the daemon after running sa-update.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Tue, 2007-06-12 at 12:45 +0100, Justin Mason wrote:
> Daniel J McDonald writes:
> > On Mon, 2007-06-11 at 21:09 -0400, Rose, Bobby wrote:
> > > I'm seeing the same kind of messages mentioned after compiling from
> > > source on Redhat ES4 and running make test.
this same box just a couple of weeks ago, and didn't
see anything in the release notes, or the bugs that I read, telling me
that I would need to make major changes, so I'm flummoxed.
>
> -Original Message-
> From: Daniel J McDonald [mailto:[EMAIL PROTEC
.84%
okay.
make: *** [test_dynamic] Error 255
error: Bad exit status from /var/tmp/rpm-tmp.45769 (%check)
Any thoughts?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
luck Chris. If you know who it is, maybe we should send Vinnie & Luigi
> over to have a little talk with them?
Should we arm them with a RFC-2321 compatible RITA, and a confident
demeanor?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
ing?
Apparently a DDOS attack.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
On Wed, 2007-05-30 at 11:57 -0500, Daniel J McDonald wrote:
> On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
> > On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
> > > Ok, here's one that does fail:
> >
> > Based on your debug quoti
On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
> On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
> > Ok, here's one that does fail:
> > under 3.2.0:
> > [16543] dbg: uridnsbl: domain "theauthenticmemento.com" listed
>
XISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS
Debug says URIBL BLACK matched, and it is scored.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
When I run sa-compile, it breaks while trying to run make:
[EMAIL PROTECTED] ~]$ sudo sa-compile
[32101] info: generic: base extraction starting. this can take a while...
[32101] info: generic: extracting from rules of type body_0
100% [===] 36.75 rules/sec