Re: false positive: KHOP_BIG_TO_CC

2013-10-02 Thread Daniel McDonald
On 10/2/13 6:30 AM, "Tony Finch" wrote: > We've had a report from a user about a false positive involving > KHOP_BIG_TO_CC which has a score of 3.4. This seems like an excessive > penalty for perfectly reasonable behaviour. I've also seen false positives on this. I was going to change it to 25

Re: Problems with BCCing from spammers

2013-08-15 Thread Daniel McDonald
On 8/15/13 11:53 AM, "Ted Mittelstaedt" wrote: > On 8/15/2013 12:14 AM, Axb wrote: >> On 08/15/2013 12:20 AM, Ted Mittelstaedt wrote: >> >>> I take it by the: >>> >>> a) lack of usable responses >>> b) responses NOT claiming this ISN'T a bug >> >> it is *not* a bug. It's not SA's task to spl

Re: spam problem Centos 6

2013-07-11 Thread Daniel McDonald
On 7/11/13 3:23 PM, "Dejan Doder" wrote: > Yes of course I have installed spamassassin Some of the spamassassin tuning parameters are amavisd specific, or overwritten by amavisd. In particular, the tag_level parameters in amavisd.conf are used to set threshold scores for including headers, marking

Re: PayPal spam filter?

2013-06-12 Thread Daniel McDonald
On 6/12/13 2:30 PM, "Juerg Reimann" wrote: > Hi there, > > Is there a filter to block PayPal phishing mails, i.e. everything that claims > to come from PayPal but is not? I believe Paypal is DKIM signed, so it shouldn't be hard to modify these rules for PayPal: header __L_ML1 Precedence

Re: Massive spamruns

2013-06-12 Thread Daniel McDonald
On 6/12/13 1:25 PM, "Alex" wrote: > > John Hardin wrote: >> As was suggested earlier: greylisting? > > I really don't think my users would tolerate the delay, so I've never > implemented it. They would have vendors calling them on the phone > complaining, not to mention users. From what I un

Re: Spam rule

2013-06-06 Thread Daniel McDonald
On 6/6/13 5:14 PM, "Wolfgang Zeikat" wrote: > Hi, > > In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote: > >>> with body or >>> subject contains 'lalalalala' AND url with PDF NOT contains >>> 'trusted.n

Re: Spam rule

2013-06-06 Thread Daniel McDonald
On 6/6/13 4:23 PM, "Rejaine Monteiro" wrote: >Hi list, > > How can I make a rule to do something like this: block messages For the pedantic, SpamAssassin doesn't block mail. It marks it. Whether you block mail that has been marked with some other process is up to you... > with body o

FP on SPOOF_COM2OTH (and potentially SPOOF_COM2COM)

2013-06-06 Thread Daniel McDonald
I had a recent FP message that hit both the SPOOF_COM2OTH and SPOOF_COM2COM rules. I don't think COM2OTH is appropriate: Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2OTH ==> got hit: "http://wwwMUNGEDcomtemp.livebooks." Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPO

Re: Calling spamassassin directly yields very different results than calling spamassassin via amavis-new

2013-04-16 Thread Daniel McDonald
On 4/16/13 2:59 PM, "Ben Johnson" wrote: >Are there any normal circumstances under which Bayes tests are not run? Yes, if USE_BAYES = 0 is included in the local.cf file. > > If not, are there circumstances under which Bayes tests are run but > their results are not included in the message he

Re: X-Relay-Countries on 3.3.2 vs 3.4

2013-03-05 Thread Daniel McDonald
On 3/5/13 2:15 PM, "Scott Ostrander" wrote: > >> From: Benny Pedersen [mailto:m...@junc.eu] >> >> Scott Ostrander skrev den 2013-03-05 20:22: >>> On system A (SA 3.4) I am getting RELAY_COUNTRY_XX Same email on >>> system B (SA 3.2.2) I get RELAY_COUNTRY_ES correctly resolved. >> >> ip2cc 2.1

Re: X-Relay-Countries

2013-02-18 Thread Daniel McDonald
On 2/16/13 8:10 AM, "Henrik K" wrote: > Well I updated http://mailfud.org/ip-country-fast/ for the last time.. > (no, you don't need the authorities gifs) > > There is no excuse not using SpamAssassin 3.4 with Geo::IP support (also > ipv6 works). Like the wiki says. 45 open bugs targeted for t

Re: X-Relay-Countries

2013-02-14 Thread Daniel McDonald
On 2/14/13 6:21 AM, "Ned Slider" wrote: > On 12/02/13 20:33, Daniel McDonald wrote: >> >> On 2/12/13 1:15 PM, "David F. Skoll" wrote: >> >>> >>> PS: Beware of penalizing other countries too much. My mail originates >>> fr

Re: X-Relay-Countries

2013-02-12 Thread Daniel McDonald
On 2/12/13 1:15 PM, "David F. Skoll" wrote: > On Tue, 12 Feb 2013 14:14:46 -0500 > "David F. Skoll" wrote: > >> header RELAY_NOT_US X-Relay-Countries =~ >> /\b(?:[A-TW-Z][A-Z]|[A-Z][A-RT-Z])\b/ > > Emm... should be > > header RELAY_NOT_US X-Relay-Countries =~ /\b(?:[A-TV-Z][A-Z]|[A-Z][A-RT

Re: X-Relay-Countries

2013-02-12 Thread Daniel McDonald
On 2/12/13 12:47 PM, "Daniel McDonald" wrote: > I've had a simple rule I use to see if mail is forwarded through a "foreign > country": > > header RELAY_NOT_US X-Relay-Countries =~ > /\b(?:[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}|\b/ Oops. I was fiddling with th

X-Relay-Countries

2013-02-12 Thread Daniel McDonald
I've had a simple rule I use to see if mail is forwarded through a "foreign country": header RELAY_NOT_US X-Relay-Countries =~ /\b(?:[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}|\b/ describe RELAY_NOT_US Relayed though any country other than the US score RELAY_NOT_US 0.01 I mo

Re: URIDNSBL: how to query certain lists only?

2013-01-04 Thread Daniel McDonald
On 1/4/13 8:38 AM, "Kris Deugau" wrote: > Alexandre Boyer wrote: >> Hi there, >> >> Why dont you perform those checks at the pre-data level, within postfix? > > Because you don't absolutely trust the DNSBL as a one-shot > "this-is-spam" test, but you want to use its data to influence the > spam

Re: latest rules

2012-09-22 Thread Daniel McDonald
On 9/22/12 3:31 PM, "James" wrote: > Great thanks. > > I am lowering the required score to 3. That is generally not a desirable practice. > If I still get spam, I will block everything and just use whitelisting. I see that you have bayes enabled. You should train your bayes every now and

Re: Spamassassin and SPF records with "+all"

2012-07-11 Thread Daniel McDonald
On 7/11/12 3:45 PM, "Martin Gregorie" wrote: > On Wed, 2012-07-11 at 21:34 +0200, Josef Karliak wrote: >> Good evening, >>within a few days we've spams from domains that has "+all" in the >> TXT spf record. >> > All SPF can do is check that the sender has a valid IP for that domain, > i.e.

Re: FILL_THIS_FORM_LONG usage

2012-05-18 Thread Daniel McDonald
On 5/18/12 9:20 AM, "dhanushka ranasinghe" wrote: > Hi. > > What sort of spams are blocked by the FILL_THIS_FORM_LONG rule The ones that say you won the lottery or had an inheritance or someone wants to hand you cash, so just fill out this form with your details (including bank routing numb

Re: updates

2012-04-12 Thread Daniel McDonald
On 4/12/12 6:22 AM, "Kevin A. McGrail" wrote: > Updates are not publishing because of a lack of corpora to test the rules > against. Sorry, known issue. Can you remind me how far below the threshold we are for corpora? If I hand qualify another couple of thousand hams or so would that be signi

Re: URIBL_DBL_REDIR

2011-12-28 Thread Daniel McDonald
I have such a meta (I've been querying URIBL_DBL for some time). Out of 140 hits on the meta, only about 14 pushed the spam over from flagged to quarantined this week. I checked through many of them and each sample looked like obnoxious spam. On 12/28/11 10:51 AM, "Ned Slider" wrote: > Hi Li

Re: DNSWL will be disabled by default as of tomorrow

2011-12-13 Thread Daniel McDonald
On 12/13/11 8:09 AM, "Martin Gregorie" wrote: > On Tue, 2011-12-13 at 13:52 +0100, Axb wrote: >> On 2011-12-13 13:44, Kevin A. McGrail wrote: If a list is down or unresponsive for any reason, discards requests or blanks their zone file, the test entry would fail and SA would know to

Re: DNSWL will be disabled by default as of tomorrow

2011-12-12 Thread Daniel McDonald
On 12/12/11 12:03 PM, "Jeremy McSpadden" wrote: > Thank you! I raised this question a few months ago and was in awe that it was > enabled by default. It has caused quite a few issues that i've seen around the > ML. They should return a different value than a negative score. Can I ask you a fa

Re: What is the best RBL list?

2011-11-28 Thread Daniel McDonald
On 11/28/11 12:55 PM, "dar...@chaosreigns.com" wrote: > On 11/28, Sergio wrote: >>in your opinion, what it will be the best RBL Anti Spam list that could >>not be left in a server, payed or free? > > All the best known RBLs are enabled in spamassassin by default. > > If there are be

Re: proper rule writing for N

2011-10-21 Thread Daniel McDonald
On 10/21/11 11:21 AM, "Bowie Bailey" wrote: > On 10/21/2011 12:16 PM, Bret Miller wrote: >> You could say >> header __LOCAL_MAILENGINE ALL =~ /mailengine.+\.com/I Indeterminate length matches are almost never good. How about something like: header __LOCAL_MAILENGINE ALL =~ /\bmailengine[[:

Re: Bayes Poisoning

2011-10-18 Thread Daniel McDonald
On 10/18/11 12:12 PM, "Karsten Bräckelmann" wrote: > On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: >> One of my users submitted a spam for analysis, and I was amazed at the >> efforts this troglodyte expended to poison bayes. >> Is it worth the

Bayes Poisoning

2011-10-18 Thread Daniel McDonald
One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Maybe something like Rawbody OBFU_HTML_LONG_COMMENT /\<--.{1024,}?--\>/ Describe OBFU_HTML_LONG_

Re: Blacklisting based on SPF

2011-10-10 Thread Daniel McDonald
On 10/10/11 9:00 AM, "Marc Perkel" wrote: > > > On 10/7/2011 12:50 AM, Benny Pedersen wrote: >> On 7 Oct 2011 00:28:49 -, John Levine wrote: >>> Nobody with any interest in delivering the mail that their users want. >>> The error rate is much, much too high. >> >> how ? >> > > All forwar

Re: Blacklisting based on SPF

2011-10-07 Thread Daniel McDonald
On 10/7/11 3:49 AM, "Julian Yap" wrote: > On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll > wrote: >> On 7 Oct 2011 00:28:49 - >> "John Levine" wrote: >> Does anyone blacklist based on SPF? >> >>> Nobody with any interest in delivering the mail that their users want. >>> The error

Re: "Your mailbox has exceeded..."

2011-10-03 Thread Daniel McDonald
On 10/1/11 2:04 AM, "Benny Pedersen" wrote: > On Fri, 30 Sep 2011 14:44:23 -0500, Daniel McDonald wrote: > >> Someone ran a beta ADDRBL back in 2009. I still have the code and >> run a >> couple of private EmailBL lists. > > cool want to share lis

Re: "Your mailbox has exceeded..."

2011-09-30 Thread Daniel McDonald
On 9/30/11 2:21 PM, "David F. Skoll" wrote: > On Fri, 30 Sep 2011 12:17:42 -0700 (PDT) > John Hardin wrote: > >> There'd need to be a plugin that would extract from, reply-to, and >> embedded email addresses, plus someone to host a DNS domain for >> checking them. Has anybody already done an

Re: Latest sa-update crashing sa-compile?

2011-08-15 Thread Daniel McDonald
On 8/15/11 9:15 AM, "Michael Scheidell" wrote: >On 8/15/11 10:13 AM, Michael Scheidell wrote: >> On 8/15/11 10:07 AM, Daniel McDonald wrote: >>> >>> >> mine too. running sa-update again(just now) picks up a new build. >> interes

Latest sa-update crashing sa-compile?

2011-08-15 Thread Daniel McDonald
I just noticed that my cron-job for sa-update/sa-compile has crashed over the weekend. Spamassassin lints fine, but sa-compile fails: Aug 15 08:59:42.970 [469] info: generic: base extraction starting. this can take a while... Aug 15 08:59:42.970 [469] info: generic: extracting from rules of type b

Re: anyone know anything about lashback?

2011-08-09 Thread Daniel McDonald
On 8/9/11 8:39 AM, "Michael Scheidell" wrote: > does anyone know about this rbl? > > I'm using it, but not overly impressed. $ grep RCVD_IN_LB /var/log/mail/info.log | grep No, | wc 828 20190 320863 $ grep RCVD_IN_LB /var/log/mail/info.log | grep Yes

Uuencoded message detected as UNWANTED_LANGUAGE_BODY

2011-08-04 Thread Daniel McDonald
We got a false positive recently of a message containing only a uuencoded attachment being detected as UNWANTED_LANGUAGE_BODY. The message doesn't have a Content-type: header or an Encoding: header. The message part has one blank line and then: begin 644 new_lp_report.csv M4D503U)41$%412Q-151%4D

Re: RP_MATCHES_RCVD

2011-07-28 Thread Daniel McDonald
On 7/28/11 11:47 AM, "John Hardin" wrote: > On Thu, 28 Jul 2011, Daniel McDonald wrote: > >> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the >> Invaluement rbls. Invaluement primarily targets snowshoe spammers. >> >> $ gre

Re: RP_MATCHES_RCVD

2011-07-28 Thread Daniel McDonald
On 7/28/11 9:48 AM, "Mike Grau" wrote: > On 07/28/2011 09:28 AM the voices made RW write: >> There seems to be a consensus that SPF and DKIM passes aren't worth >> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when >> it just a circumstantial version of what SPF does expli

Re: Stupid questions V 2.0

2011-06-27 Thread Daniel McDonald
On 6/27/11 1:53 AM, "spixx_" wrote: > > Thank you! This what was I was looking for! > > rawbody Not certain why you are using rawbody. I might suggest you use subtests and tflags multiple: E.g: body __GREEN_LIAISON1 /\b(?:proprietary|information|technology|renewables|alternative)\b/i d

Re: Regression in 3.3.2?

2011-06-25 Thread Daniel McDonald
On 6/25/11 10:23 AM, "Henrik K" wrote: > On Fri, Jun 24, 2011 at 03:17:28PM -0500, Daniel McDonald wrote: >> >> However, the webmail client is ignored in 3.3.2: >> Jun 24 14:37:29.686 [23089] dbg: received-header: ignored SquirrelMail >> injection: 41

Regression in 3.3.2?

2011-06-24 Thread Daniel McDonald
I just upgraded my production spam filter to 3.3.2, and came across an interesting false negative. The mail is an unremarkable 419 scam, that originated from a web-café in Nigeria or Mauritius, using an Italian ISP as the relay. I've seen a lot of these in the past, and have a rule to catch them

Re: FRT_SOMA: what does it mean?

2011-06-10 Thread Daniel McDonald
On 6/10/11 8:53 AM, "Alessandro Dentella" wrote: > Hi, > > I see some mail are hit by FRT_SOMA rule that I see is defined as: > > ##{ FRT_SOMA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags > > ifplugin Mail::SpamAssassin::Plugin::ReplaceTags^M > body FRT_SOMA / P2>\b

Re: Rule dependency problems with v3.3.2-r929478

2011-05-23 Thread Daniel McDonald
On 5/21/11 8:52 PM, "Alex" wrote: > Hi, > >>> I'm also using a few of John's rules, including the advance_fee, >>> fillform, and lotsa_money. I think some of his rules reference the >>> missing khop rules. >>> >>> When trying to lint the rules, I receive the following: >>> >>> ADVANCE_FEE_2

Re: RelayCountry Plugin

2011-05-20 Thread Daniel McDonald
On 5/20/11 4:58 PM, "RW" wrote: > > > BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country > port to update its database. I just noticed it's nearly two years old. > The scripts to update it are in the source tarball for IP-Country, in the dbmScripts subdirectory. I just

Re: RelayCountry Plugin

2011-05-20 Thread Daniel McDonald
On 5/19/11 7:55 PM, "Rapitharian" wrote: > > RW-15 > Can you help me some? I am not even a novice in writing/reading regular > expressions. > What is this doing? X-Relay-Countries=~ > /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/ Start at the beginning of the line. Match zero or more non-alpha c

Re: RelayCountry Plugin

2011-05-19 Thread Daniel McDonald
On 5/19/11 8:07 AM, "RW" wrote: > On Thu, 19 May 2011 08:15:00 +0200 > John Wilcock wrote: > >> Le 19/05/2011 04:46, John Hardin a écrit : >>> Sure. Well, not a _single_ rule, but you can achieve what you >>> want... > >>> header RELAYCOUNTRY_GOOD X-Relay-Countries=~/(?:US|CA|FR)/ >>> de

Re: EL5 and EL6 Packages of spamassassin-3.3.2-rc1

2011-05-17 Thread Daniel McDonald
On 5/16/11 11:57 PM, "Warren Togami Jr." wrote: > http://people.apache.org/~wtogami/rpm/3.3.2-rc1/ > I made test packages for EL5 and EL6. I began using both in production > just now with no apparent ill effects. We need more people to test this > and provide feedback. I've been running since

Re: whitelist

2011-04-18 Thread Daniel McDonald
On 4/18/11 1:44 PM, "Sergei" wrote: > Hello everybody, > > I can't figure out why even after I put an address into a whitelist > (whitelist_from), it's still marked as SPAM. Sorry if this is a common > question. Would be grateful for any suggestions. The simple suggestions: 1. Are you certain

Re: Hijacked email accounts

2011-04-04 Thread Daniel McDonald
On 4/4/11 11:03 AM, "David" wrote: > Hello, > > Yahoo doesn't do SPF, and hotmail is still ~all. > > The emails to which I refer were sent by email accounts stolen by > viruses on computers running Windows. > > The virus steals the password, and sends it to the spammer who then uses > the acc

Obfuscating advanced fee scams with html attachments?

2011-03-28 Thread Daniel McDonald
I just got a spam that scored relatively low (mostly due to DNSWL_MED). But it also contained an html attachment that would have scored significantly more had it been part of the main message. I put it at http://pastebin.com/vXF0vGVS When I run the complete message, I only get a few hits, mostly

Re: URIBL_RHS_DOB false positives?

2011-03-25 Thread Daniel McDonald
On 3/25/11 10:42 AM, "Alex" wrote: > Hi, > >>> But it seems like there is a reset in the URIBL_RHS_DOB database or >>> something. >>> >>> A lot of domains that are not new domains are now listed. >> >> It appears to be hitting on a lot of mail today: >> $ grep DOB /var/log/mail/info.log | cut

Re: __PILL_PRICE Problems

2011-03-21 Thread Daniel McDonald
On 3/21/11 8:28 AM, "John Hardin" wrote: > On Mon, 21 Mar 2011, Daniel McDonald wrote: > >> On 3/20/11 10:58 AM, "John Hardin" wrote: >> >>> On Sun, 20 Mar 2011, Matt Elson wrote: >>> >>>>> fails for me, loops, free

Re: Suspicious URL:Re: __PILL_PRICE Problems

2011-03-21 Thread Daniel McDonald
On 3/20/11 10:58 AM, "John Hardin" wrote: > On Sun, 20 Mar 2011, Matt Elson wrote: > >>> fails for me, loops, freebsd 7.3, intel, perl 5.12.3, SA 3.3.1, re2c >>> 001305 >>> >>> what rule should we comment out until this is fixed? >> >> Commenting out the following fixed it for me, so shoul

Re: new rules - where do i activate them?

2011-03-02 Thread Daniel McDonald
On 3/2/11 9:46 AM, "tr_ust" wrote: > > I'm sorry - there's only one line in the sample of how to write a uri rule. > > Are you saying that for each line I need to create a unique > "LOCAL_URI_EXAMPLE" line? In other words it should look more like this? Yes, although score is usually spelled w

Re: Need Volunteers for Ham Trap

2011-02-08 Thread Daniel McDonald
On 2/8/11 3:15 AM, "Warren Togami Jr." wrote: > I'm somewhat annoyed by the armchair quarterback negative comments on > this topic. (Not just you) didn't read the rest of this thread to > realize this particular concern is moot. Ditto. I don't really have time to participate in this activi

Re: Suspicious URL:Re: Suspicious URL:Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-19 Thread Daniel McDonald
On 1/19/11 2:35 PM, "John Hardin" wrote: > On Wed, 19 Jan 2011, Daniel McDonald wrote: > >> On 1/19/11 10:17 AM, "John Hardin" wrote: >> >>> On Wed, 19 Jan 2011, Lee Dilkie wrote: >>> >>>> Don't get me wrong, I li

Re: Suspicious URL:Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-19 Thread Daniel McDonald
On 1/19/11 10:17 AM, "John Hardin" wrote: > On Wed, 19 Jan 2011, Lee Dilkie wrote: > >> Don't get me wrong, I liked GL but there are a number of big ISPs that >> have quite long retry timeouts (for some reason, sympatico comes to >> mind) and it got to be too annoying. > > ...and when you encou

Re: mimeheader rule misfiring

2011-01-07 Thread Daniel McDonald
On 1/7/11 3:24 PM, "Kris Deugau" wrote: > Can anyone tell me how this rule: > > > mimeheader T_YOUR_ORDER_VIRUS_L Subject =~ /(?:Incoming|Information|Twitter)? ?(?:Message|Ticket)? \#\d+/ You have ? on the first three elements, which means zero-or-one instances.. So, since Incoming|Inf

Re: A new paradigm for DNS based lists

2010-12-29 Thread Daniel McDonald
On 12/29/10 11:33 AM, "Marc Perkel" wrote: > > > On 12/29/2010 9:24 AM, Matt wrote: >> So any email from hotmail.com, gmail.com, yahoo.com, etc. if there SPF >> or DKIM passes skip any further DNS tests? >> >> > > Yes - there's no point in doing DNS blacklist lookups on yahoo, hotmail, > an

Re: NJABL is dead?

2010-12-29 Thread Daniel McDonald
On 12/29/10 8:29 AM, "Jack L. Stone" wrote: > > Very comprehensive coverage. All of my net checks are done at the MTA level > (sendmail) and none in SA -- it's turned off. What is the benefit of > checking twice? Maybe I missed the benefit. The benefit lies in RBLs that have FP's. You may n

Re: Greylisting (was Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql))

2010-12-27 Thread Daniel McDonald
On 12/27/10 4:07 PM, "David F. Skoll" wrote: > On Mon, 27 Dec 2010 13:36:39 -0800 > Ted Mittelstaedt wrote: > >> The real question is, do you get viruses that would make it past SA? > > I can't answer that because we scan for viruses before SA. I would > guess yes. It would be more efficient

Re: DNSBL for email addresses?

2010-12-14 Thread Daniel McDonald
On 12/14/10 8:28 AM, "Marc Perkel" wrote: > Are there any DNSBLs out there based on email addresses? No. There was an experimental list for a while. > Since you can't > use an @ in a DNS lookup - how would you do DNSBL on email addresses? # This plugin creates rbl style DNS lookups for ema

Re: spam with different "Received" and "To" headers

2010-12-07 Thread Daniel McDonald
On 12/7/10 8:20 AM, "Florescu, Dan Alexandru" wrote: > Hi, > > In the last few days some spam messages have been able to elude the filters I > use. Upon checking the headers, it seems to be following the same pattern. > > I just earned $31 in a few hours at home on the computer! I went to -

Re: Not-so-much LOTS_OF_MONEY

2010-12-06 Thread Daniel McDonald
On 12/1/10 2:14 PM, "John Hardin" wrote: > On Wed, 1 Dec 2010, Daniel McDonald wrote: > >> >> >> >> On 12/1/10 1:28 PM, "John Hardin" wrote: >> >>> On Wed, 1 Dec 2010, Daniel McDonald wrote: >>> >>>>

Re: Not-so-much LOTS_OF_MONEY

2010-12-01 Thread Daniel McDonald
On 12/1/10 1:28 PM, "John Hardin" wrote: > On Wed, 1 Dec 2010, Daniel McDonald wrote: > >> Lately, I've been seeing spammers trying to convince you to click on a site >> to make hundreds or tens of Dollars, like: >> >> http://pastebin.com/MfG74WGW

Not-so-much LOTS_OF_MONEY

2010-12-01 Thread Daniel McDonald
Lately, I've been seeing spammers trying to convince you to click on a site to make hundreds or tens of Dollars, like: http://pastebin.com/MfG74WGW The mail client probably stripped out the more interesting headers before I got it from my customer, because it originally hit RELAY_RU, and I don't

Re: Question about a spam assassin rule

2010-11-19 Thread Daniel McDonald
On 11/19/10 2:51 PM, "Bowie Bailey" wrote: > rawbody FR_3TAG_3TAG > m'<[abcefghijklmnoqstuvwxz]{3}>'i > > It looks for an html tag containing exactly three characters followed by > a closing tag which also contains exactly three characters. But no instances of d,p,r or y. I'm sure that's a re

Re: email address forgery

2010-11-15 Thread Daniel McDonald
On 11/14/10 9:41 AM, "Marc Perkel" wrote: > > > On 11/11/2010 5:07 PM, Rob McEwen wrote: >> On 11/11/2010 7:41 PM, Noel Butler wrote: >>> Really? I don't use SPF in SA, only MTA, if that's the case, it is a >>> shame that SA also is behind the times. It was years ago SPF type was >>> ratified.

Re: Error Running 'sa-update'

2010-10-26 Thread Daniel McDonald
On 10/26/10 12:18 PM, "Carlos Mennens" wrote: > Today for the 1st time on my mail server I attempted to manually run > the 'sa-update' command in the shell and got the following: > > > [r...@mail ~]# sa-update > defined(%hash) is deprecated at > /usr/share/perl5/vendor_perl/Mail/SpamAssassin

Re: AW: Problems with SA-Plugin "URLRedirect"

2010-09-27 Thread Daniel McDonald
On 9/27/10 8:08 AM, "Hans-Werner Friedemann" wrote: > So, I've inserted the following line in my v312.pre: > > # URLRedirect > loadplugin Mail::SpamAssassin::Plugin::URLRedirect > /etc/mail/spamassassin/NotUsed/URLRedirect.pm > > > After spamassassin --lint I get: > > Sep 27 15:03:53.971 [10759

Re: Problems with SA-Plugin "URLRedirect"

2010-09-27 Thread Daniel McDonald
On 9/27/10 1:41 AM, "Hans-Werner Friedemann" wrote: > Hi @ all > > I have much problems by installing the SA-Plugin "URLRedirect". > I've moved the files URLRedirect.cf, URLRedirect.pm, URLRedirect.hostpath and > URLRedirect.subdomain in the directory where my local.cf is. > > If I restar

Re: sa-update 3.3 daily changes

2010-09-09 Thread Daniel McDonald
On 9/9/10 7:46 AM, "RW" wrote: > On Wed, 8 Sep 2010 16:02:10 -0700 (PDT) > John Hardin wrote: > >> On Wed, 8 Sep 2010, RW wrote: > >>> What's the reason for the age limit? >> >> The nature of spam (and, to a lesser degree, ham, barring major >> changes like the widespread adoption of HTML ema

Re: spam caught, now how to catch spammer

2010-09-07 Thread Daniel McDonald
On 9/5/10 8:46 PM, "Dennis German" wrote: > In the last several weeks I have been receiving a lot of spam with email > addresses of the form: > > learningmadeeasy.???...@??.yourseemlost.net > > accountingeducation.gpx...@oiteew.badpeoplepaper.net > > affordablelifeinsurance.aj...@wiogif

Re: After upgrade the SA to 3.3.1, Mail scanning stop working partially

2010-08-23 Thread Daniel McDonald
On 8/22/10 9:46 PM, "Suhag Desai" wrote: > After upgrade the SpamAssassin Server version to 3.3.1, my mail scanning stop > working partially. > This is a known bug. https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6419 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281

Re: two SA folders and sa-updates

2010-08-19 Thread Daniel McDonald
On 8/19/10 7:49 AM, "C. Bensend" wrote: > >> better - *don't even think of using them* - they are not being updated >> and never will. >> >> Anything worthy has already been migrated to SA mainstream and the few >> SARE survivors are also SA commiters so they'll commit to SA instead of >> SARE.

Re: Optional argument in regex

2010-08-16 Thread Daniel McDonald
On 8/16/10 6:00 AM, "Mynabbler" wrote: > > I think everybody and their dog made a ruleset regarding 'your email address > has won'. Something like: > > MN_YEAHRIGHT /\bYour (?:email|e-mail) (?:address|account) (?:has won|just > won you)\b/ > > How do you make the second argument optional? So i

Re: List of "banned" words/bounce to sender

2010-08-09 Thread Daniel McDonald
On 8/9/10 6:58 AM, "Martin Gregorie" wrote: > On Mon, 2010-08-09 at 14:17 +0300, Henrik K wrote: >> On Mon, Aug 09, 2010 at 11:38:50AM +0100, Martin Gregorie wrote: >>> On Thu, 2010-08-05 at 14:00 -0500, Matthew Kitchin (public/usenet) >>> wrote: Thanks. We are looking at roughly 70,000 name

Re: sa-compile has no effect (under Windows.......)

2010-08-02 Thread Daniel McDonald
On 8/2/10 7:53 AM, "Daniel Lemke" wrote: > > > Yet Another Ninja wrote: >> >> compiled rules only affects body & rawbody rules. >> Network tests won't be affected and are probably the reason for the lack >> of a massive difference. >> > > Good advice, I disabled all the other plugins and ran

Re: I need MORE SPAM - You get less spam

2010-07-20 Thread Daniel McDonald
On 7/20/10 8:53 AM, "Dave O'Neill" wrote: > On Mon, Jul 19, 2010 at 01:39:32PM -0700, John Hardin wrote: >> I'll say it again, Marc: you'd get better response from large sites if >> you offered source code for a small SMTP daemon that did the connection >> analysis you want and sent to you just t

72_active scores?

2010-07-07 Thread Daniel McDonald
Running spamAssassin 3.3.1, via amavisd-new, on Mandriva Enterprise Server 5.1, using scoreset 1 (no bayes, network tests enabled) I've been getting a significant number of spams that are hitting on a number of rules in 72_active.cf, for example: ADVANCE_FEE_3_NEW=0.001, ADVANCE_FEE_3_NEW_MONEY=0

Re: SA checking of authenticated users' messages

2010-07-07 Thread Daniel McDonald
On 7/7/10 4:45 PM, "Louis Guillaume" wrote: > On 6/10/10 11:27 AM, Greg Troxel wrote: > (spamass-milter doesn't tell SA about auth) ==> [ rbl checks run against authenticated user's IP address lack of ALL_TRUSTED for authenticated user's mail ] >

Re: Mail discarded

2010-06-25 Thread Daniel McDonald
On 6/25/10 4:24 AM, "Sasa" wrote: > Hi, from a few days much incomings mails are blocked and in log file I have > always 'discarded, UBE': That is the standard message from amavisd-new when the spamscore exceeds the discard threshold > but the domain 'email.it' (but I have this problem with

Re: does anyone know of (filtering-)software that would fiddle with Content-Type?

2010-06-02 Thread Daniel McDonald
On 6/2/10 9:42 AM, "Joseph Brennan" wrote: > > Per Jessen wrote: > >> I've received a virtually unreadable email - about 3Mb worth, containing >> text, html and a zip file. Nothing unusual about it, except that the >> Content-Type should have been "multipart/mixed" and specified a >> boundary

Re: Interesting link in spam message

2010-05-25 Thread Daniel McDonald
On 5/25/10 5:22 PM, "fchan" wrote: > I'm recently got some spam with link to bit.ly A fairly common url shortening service >if > this could be a compromise of Google or something. Nope, just someone abusing a link shortener. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281

Re: [OT] was SORBS

2010-04-30 Thread Daniel McDonald
On 4/30/10 8:22 AM, "Martin Gregorie" wrote: > On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote: >> First, I'd like to point out that not everyone has the option of >> changing ISP's. Believe it or not, there are many folks who have only >> one choice for high-speed internet access (myself inc

Re: Legitimate mail flagged as Spam

2010-04-23 Thread Daniel McDonald
On 4/23/10 7:53 AM, "PSuo" wrote: > > Hi, > > I have a problem with legimate mail getting flagged as spam. > The headers mark as following: > > X-Virus-Check-By: mailwash7.pair.com > X-Spam-Check-By: mailwash7.pair.com > X-Spam-Status: Yes, hits=8.7 required=4.0 > tests=BAD_ENC_HEADER,HEL

Re: How to configure spamassassin

2010-04-09 Thread Daniel McDonald
On 4/9/10 10:31 AM, "hateSpam" wrote: > > Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get > spamassassin working? Is there any other way to configure spamassassin with > postfix not installing additional software? Yes, there are hundreds of ways to integrate spamas

Re: CLAMAV < 0.95 to be disabled

2010-04-09 Thread Daniel McDonald
On 4/9/10 9:45 AM, "Charles Gregory" wrote: > > Realize this is OT, and that even the instigation is OT :) > But I'm hoping someone here just KNOWS 'rpm'. and can help... > (Or can point me to the best forum for a quick answer) > > While attempting to use rpm on RH9 to update to a newer set of

Re: Where is my error?

2010-04-05 Thread Daniel McDonald
On 4/5/10 6:53 AM, "Mark Martinec" wrote: > On Monday April 5 2010 13:01:40 Daniel McDonald wrote: >> I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a >> small problem when I ran lint: >> $ spamassassin --lint >> Apr 2 11:24:05.

Re: Where is my error?

2010-04-05 Thread Daniel McDonald
On 4/3/10 8:09 AM, "Alex" wrote: > Hi, > >> I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a small >> problem when I ran --lint: >> $ spamassassin --lint >> Apr  2 11:24:05.923 [22379] warn: plugin: failed to create instance of >> plugin Mail::SpamAssassin::Plugin::EmailBL.p

Where is my error?

2010-04-02 Thread Daniel McDonald
I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a small problem when I ran --lint: $ spamassassin --lint Apr 2 11:24:05.923 [22379] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::EmailBL.pm: Bareword "Mail::SpamAssassin::Plugin::EmailBL" not allow

.pn TLDs not recognized for util_rb_2tld?

2010-02-25 Thread Daniel McDonald
config: SpamAssassin failed to parse line, "co.at.pn" is not valid for "util_rb_2tld", skipping: util_rb_2tld co.at.pn config: SpamAssassin failed to parse line, "co.uk.pn" is not valid for "util_rb_2tld", skipping: util_rb_2tld co.uk.pn config: SpamAssassin failed to parse line, "com.au.pn" is not

Re: Rules for not passing SPF

2010-02-02 Thread Daniel McDonald
On 2/2/10 5:38 PM, "dar...@chaosreigns.com" wrote: > On 02/02, Marc Perkel wrote: >> Why would you want to catch domains without SPF as SPF has no >> relationship to detecting spam? > > SPF is entirely about spam. Sorry, but SPF is entirely about ham. We use SPF with vendors who want to ens

Re: Sought Rules Back?

2010-02-01 Thread Daniel McDonald
On 2/1/10 9:59 AM, "Jason Bertoch" wrote: > On 2/1/2010 10:58 AM, RW wrote: >> On Mon, 1 Feb 2010 16:30:04 +0100 >> Mark Martinec wrote: >> > Update returned sought rules 1/31/2010. Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fra

Re: Sought Rules Back?

2010-02-01 Thread Daniel McDonald
On 2/1/10 9:30 AM, "Mark Martinec" wrote: >>> Update returned sought rules 1/31/2010. >> >> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the >> following days, for the Sought Fraud sub-set. > > Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero > as per Justin's r

Re: That Future Bug

2010-01-19 Thread Daniel McDonald
On 1/19/10 9:19 AM, "Robert Ober" wrote: > Daniel McDonald wrote: >> >> On 1/19/10 9:02 AM, "Robert Ober" wrote: >> >> >>> Well, I have googled it and read lots of stuff and the problem >>> persists. I have a server

Re: That Future Bug

2010-01-19 Thread Daniel McDonald
On 1/19/10 9:02 AM, "Robert Ober" wrote: > Well, I have googled it and read lots of stuff and the problem > persists. I have a server on CentOS 5.3 with spamassassin-3.2.5-1.el5 > from that distribution. They have no newer according to yum. The > local.cf fix did not change anything after