On Mon, 30 Mar 2015 23:41:21 +0200
Reindl Harald wrote:
> well, then you can't use recent MS Exchange as a MX and have to place
> a MTA in front which gets its user list via database, LDAP or
> whatever and is able to reject invalid RCPTs
Indeed.
Office 365 does not grant LDAP access. So the o
On Mon, 30 Mar 2015 21:47:10 +0200
Reindl Harald wrote:
> but i doubt that exchange doesn't know its valid rcpts and always
> backscatters with no way to disable that behavior - even in case of
> microsoft i doubt
Google specifically for Exchange 2013. AFAIK, it's impossible in
general to get
On Mon, 30 Mar 2015 21:34:02 +0200
Reindl Harald wrote:
> one reason are the genius MS Exchange setups with a spamfilter in
> front, set the spamfilter IP to "completely trusted" and by
> incompetence in that moment also disable the address verification
> from the spamfilter
Recipient verificatio
On Mon, 30 Mar 2015 20:07:56 +0100
RW wrote:
> AFAIK there is no blacklist that lists individual sender email
> addresses.
There's this one:
https://code.google.com/p/anti-phishing-email-reply/
but its contributors are usually quite competent and won't list a
joe-jobbed address.
Regards,
Da
On Thu, 26 Mar 2015 17:27:03 -0600
"@lbutlr" wrote:
> > ]]] If action is taken in the delivery process, with the result
> > that the ]]] message does not reach its goal, the e-mail is
> > "suppressed".
> > How does that not apply to a 5xx reject?
> Because a reject happens before the delivery p
On Thu, 26 Mar 2015 11:55:27 -0400
Michael Orlitzky wrote:
> If one of your customer domains has non-default settings, give them
> their own IP address and a separate MX record pointing to that
> address.
We filter more than 8000 domains. That is not feasible.
Regards,
David.
On Thu, 26 Mar 2015 10:12:22 -0500 (CDT)
Dave Funk wrote:
> If they are compatible you respond with a 250, if not with a 452 (or
> other 45* type reply).
We looked at doing this. There are some serious downsides:
1) Some senders (for example, mailing list tools) send to quite a number
of recip
I find this discussion intriguing. The German law cited earlier also
forbids you from changing data (original German word "verändert" ---
did I get that right?)
It seems to me this could make subject tagging illegal. In fact, a rigid
interpretation could make SMTP illegal since you add a Receive
On Thu, 26 Mar 2015 15:57:14 +0100
Robert Schetterer wrote:
> David, reject means your server doesn't take a mail, the sender
> mailserver may bounce it back, after some time, it's not your job to
> take care of that.
Yes, I'm pretty sure I understand the difference between reject and discard.
What
On Thu, 26 Mar 2015 15:45:07 +0100
Reindl Harald wrote:
> boah postfix responds with a "postfix/cleanup[21827]: 3lCS043tlCz1l:
> milter-reject: END-OF-MESSAGE" to the delivering client and the
> server on the other side generates a bounce containing the reject
> message
So then the sender think
On Thu, 26 Mar 2015 15:05:06 +0100
Reindl Harald wrote:
> * spamass-milter -r 8.0
> * messages above 8.0 are *rejected*
Silently? Or do you generate an NDR? I'm genuinely curious as to how you:
1) Accept mail for some recipients
2) Reject mail for others
3) Without generating backscatter
4
On Thu, 26 Mar 2015 14:54:07 +0100
Robert Schetterer wrote:
> Uff , why should i waste my time in telling you the untruth...
I took a look at the Heise article and Google Translate says:
]]] If action is taken in the delivery process, with the result that the
]]] message does not reach its goal
On Thu, 26 Mar 2015 14:53:26 +0100
Reindl Harald wrote:
> he is not allowed to silently throw away a letter, but if he can't
> deliver it it's sent back
"can't" deliver is different from "won't" deliver.
If you reject a message because you don't like its content, it's not
because you "can't" deli
On Thu, 26 Mar 2015 14:47:16 +0100
Reindl Harald wrote:
> i proved you that i can assign different scores to a single message
> with more than one recipient *per recipient*
Assigning scores is passive. What do you do with the scored messages?
If all your users are content to use tagging only, a
On Thu, 26 Mar 2015 14:39:52 +0100
Reindl Harald wrote:
> * you write a mail
> * your server gets a 5xx reject from the destination
> * your server generates a NDR and informs you
> * you write a mail
> * your server gets a 200 response
> * the destination silently discards
> you *really* don't see
On Thu, 26 Mar 2015 14:37:08 +0100
Reindl Harald wrote:
> i have to show nothing after for nearly a decade most german IT
> magazines had articles about that topic written by law experts
The only link I found written by a German law expert said that
it "may" apply to spam filtering if the r
On Thu, 26 Mar 2015 14:33:08 +0100
Reindl Harald wrote:
> boah - spamass-milter *rejects* above 8.0 points based on the header
What if one of the recipients is opted-out and has categorically stated
that he/she wants to receive every piece of email? Then you're
breaking German law.
> basically y
On Thu, 26 Mar 2015 14:29:01 +0100
Robert Schetterer wrote:
> As i wrote, there maybe exceptions, but in general
> you're not allowed to silently discard any mail (unless it's your own,
> or it's a virus)
Well, seeing as we have customers in the EU, I really would like to see
the text of the direc
Hi,
A followup:
1) has anyone been convicted under 303a StGB for suppressing email during
spam filtering?
2) How is rejecting with a 5xx code any less of a "suppression" of the
data than silently discarding with a 2xx code? In either case, the
recipient does not receive the mail. The fact that
On Thu, 26 Mar 2015 14:19:09 +0100
Reindl Harald wrote:
> > Is it? Could you perhaps point me to the EU directive stating this?
> > I'm sure there must be lots of qualifications
> in germany 2 years jail
It says: "Whoever unlawfully deletes, modifies, suppresses..."
You have to show that sile
On Thu, 26 Mar 2015 14:14:10 +0100
Reindl Harald wrote:
> > That is a non-solution. You are assuming all users have the same
> > criteria for what is or isn't spammy content.
> you stopped prematurely reading my response - WHY?
> look again at the "X-Spam-Status" header below
> a single mail sent
On Thu, 26 Mar 2015 14:02:19 +0100
Robert Schetterer wrote:
> Silent discard mail is mostly forbidden in the EU,
Is it? Could you perhaps point me to the EU directive stating this?
I'm sure there must be lots of qualifications.
Regards,
David.
On Thu, 26 Mar 2015 13:54:45 +0100
Reindl Harald wrote:
> > 1) Directed to multiple recipients...
> the content is the same, reject it or not
That is a non-solution. You are assuming all users have the same
criteria for what is or isn't spammy content.
> the same way you reject a mail with a
On Thu, 26 Mar 2015 12:09:58 +0100
Reindl Harald wrote:
> why in the world would a reject *before queue* trigger a backscatter
> or bounce on my side?
How do you do before-queue rejection of a message that is...
1) Directed to multiple recipients...
2) Some of which have different spam thresho
On Thu, 26 Mar 2015 11:36:36 +0100
Reindl Harald wrote:
> What makes you think you have the right to put a mail for a different
> person to /dev/null without reject it proper and so sender nor RCPT
> are aware?
People who sign up for our service do so knowing that we sometimes
silently discard s
On Thu, 26 Mar 2015 07:53:49 +0100
Reindl Harald wrote:
> accepted means your SMTP server responded with a 250 status code and
> not with a 4x temporary or 5x permanent error aka rejected the message
No. Accepted means delivered to the end-user's mailbox.
As an analogy: I do not believe the po
On Wed, 25 Mar 2015 16:08:34 -0600
"@lbutlr" wrote:
> There is a difference between ___block___ and ___silently discard___.
> Blocking is fine, silently discarding is just evil and should be
> illegal everywhere.
Nonsense.
Silently discarding is sometimes the only sensible thing to do. If
you
On Sun, 22 Mar 2015 12:44:26 -0400
Alex Regan wrote:
[...]
> So instead of trying to figure out the proper expiry period, you just
> start over completely every two weeks?
No, we use a two-week sliding window to construct our Bayes DB. We don't learn
for two weeks and then dump everything; ra
On Sat, 21 Mar 2015 20:51:49 +
RW wrote:
> The two calculations produce the same result when
> Ns2/Nh2 = (Ns2-Ns1)/(Nh2-Nh1)
> i.e. if spam and ham is being added in the same ratio that it occurs
> in the database.
Yup, that's correct; I got it wrong by extrapolating from a numerical
examp
On Sat, 21 Mar 2015 15:10:19 +
RW wrote:
> The only token probabilities that can be skewed by token expiry are
> those that get expired and are then subsequently relearned.
Yup. But they might turn out to be important.
> Even then when those tokens are relearned the probabilities will end
On Fri, 20 Mar 2015 17:09:29 -0400
"Kevin A. McGrail" wrote:
> And I've heard arguments for and against removing the poisoning
> information. YMMV.
I think it seldom pays to be too clever with Bayes. If (and this is a
big if) you have a large enough sample of mail, in our experience it's
bett
On Mon, 16 Mar 2015 10:51:59 -0400
"Bill Cole" wrote:
> Is the code for doing this shared anywhere or is it sharable? Please?
It's part of our commercial CanIt software. But I can post a
chunk of Perl that's roughly what we do.
We parse the message into a MIME::Entity. Then if we need to trun
On Sun, 15 Mar 2015 14:19:17 -0500 (CDT)
Dave Funk wrote:
> However that glue can be intelligent and contain business logic.
And getting back to the original topic... that is why my favorite
milter is MIMEDefang. :)
It does integrate with SpamAssassin, but it also lets you write your own
busine
On Sat, 14 Mar 2015 20:45:16 +0100
Robert Schetterer wrote:
> In the last ten years i saw a handful of these, but ok, perhaps
> different at your site.
Mostly they're spams with the payload in a PDF document, a Word
document or an image. Very occasionally, we see ones where the plain-text
is p
On Sat, 14 Mar 2015 20:17:27 +0100
Robert Schetterer wrote:
> Ok, but big spam mails are extremely rare, i wouldn't invest time in that
They are quite rare, but common enough IMO that our customers would be
annoyed if we didn't scan them.
Regards,
David.
On Sat, 14 Mar 2015 18:01:10 +0100
Robert Schetterer wrote:
> define oversize...,
It's configurable, obviously.
> cutting mail content may not be allowed in many countries,
Ummm... WTF? We cut what we pass to SpamAssassin. We don't actually
alter the original message. That is either accepted,
On Sat, 14 Mar 2015 17:08:50 +0100
Reindl Harald wrote:
> Am 14.03.2015 um 17:00 schrieb Kevin A. McGrail:
> > On 3/14/2015 1:14 AM, David B Funk wrote:
> >> truncating a large message and
> >> only passing the first N-KB to SA. As that involves munging MIME
> >> headers it has to be done inside
On Fri, 13 Mar 2015 17:35:34 -0500 (CDT)
sha...@shanew.net wrote:
> All this, of course, after searching high and low for a milter, proxy,
> or some other contraption that would allow me to "clone" a mail stream
> to a totally separate server without disrupting the original stream
> (like port spa
On Fri, 13 Mar 2015 16:41:33 -0500 (CDT)
Shane Williams wrote:
> What are your favorite (not spamass-milter) options for plugging
> spamassassin into a milter?
MIMEDefang because it gives you a whole filtering framework in Perl
in addition to integrating with SpamAssassin.
http://www.mimedefang
On Tue, 24 Feb 2015 23:06:02 +0100
Yves Goergen wrote:
> If the mail server now blocks all .exe in .zip without
> actually scanning the contents, they're going to complain.
At some point, you need to be firm and take care of your users'
security. We run a commercial filtering service and we
unc
On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan wrote:
[David Skoll]
> > spreadsheet with a macro virus in it. ClamAV is essentially
> > useless at detecting viruses, so it's a real problem... any ideas?
> Useless? Are you using the third-party patterns?
No, because when I tried some of them, th
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart wrote:
> I use amavis-new and block based on file type. My users should never
> get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zi
On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn wrote:
> On 2/18/2015 2:10 PM, Reindl Harald wrote:
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long the process was active - will give
> > it a try in an isolated VM to look what it does the n
On Wed, 18 Feb 2015 20:10:46 +0100
Reindl Harald wrote:
> it would be nice when SA adds a *low score* in case of documents
> containing macros - that may make the difference in a milter setup in
> combination with other rules and bayes to reject or not
Yeah, that's what we do. We add 3.7 poin
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin wrote:
> Macros are not inherently evil.
No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
and fetch content over the Internet *is* inherently
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell wrote:
> Another option might be to add a virus scanner to your pop/imap
> server, so mail is re-scanned before being sent to the client?
I wrote some Perl to try to detect MS Office documents with macros in
them. I'm not sure it's 100% successf
On Fri, 06 Feb 2015 01:48:53 +
Martin Gregorie wrote:
> ICL mainframes for me: 1900 initially, then 2903 (in NYC would you
> believe) and then 2966 medium range iron into the early 80. Even the
> '66s were using EDS200 and EDS640s.
Oooh, are we comparing greybeards? (I don't have a beard any
On Fri, 9 Jan 2015 10:15:13 +0100
MAYER Hans wrote:
> What is the sequence of processing data ?
> I assume the MTA ( I am using sendmail 8.15.1 ) is receiving the
> complete e-mail and afterwards mimedefang and spamassassin is
> processing the content.
No. The milter makes various callbacks dur
On Fri, 05 Dec 2014 12:15:10 -0500 (EST)
Derek Diget wrote:
> Been a long time since I dug into MIME details and MUA display
> formatting, but don't forget about "format=flowed" when it comes to
> Content-Type: Text/Plain and line wrapping. And/or,
> Content-transfer-encoding: quoted-printable
Since most mail clients that send HTML mail also send a text/plain part with
similar content, my filter looks for messages with the structure:
multipart/alternative
text/plain
text/html
and converts that little subtree to just:
text/plain
There is o
On Thu, 04 Dec 2014 23:40:39 +0100
Axb wrote:
> uri __URI_COSTCO /costco\.com/i
> uri __URI_PHPASKC /\.php\?c\=/
> meta AXB_URI_COSTCO_JJ (__URI_COSTCO && __URI_PHPASKC)
> score AXB_URI_COSTCO_JJ 10.0
I've seen variants purportedly from Kroger, Target and Best Buy.
We're ha
On Mon, 01 Dec 2014 08:51:26 -0800
Ted Mittelstaedt wrote:
> Locate will not show files that a user has set private (or root
> has set private like /usr/local/certs/machineprivatekey.key
On my system, updatedb lets you set a flag to permit that
(the "--require-visibility no" option.)
Regards,
On Mon, 01 Dec 2014 08:16:22 -0800
Ted Mittelstaedt wrote:
> I generally do this a few times a year:
> cd /
> find . -print > somename.txt
> That puts an entire listing of filenames in a file in
> the root dir. Then if I'm looking for something I can
> just grep in that file.
Why not just use
I will contribute one post to this thread.
http://marc.info/?l=spamassassin-users&m=14124117308&w=2
Just saying.
Regards,
David.
On Wed, 26 Nov 2014 14:10:04 +0100
Reindl Harald wrote:
> the unbound stats on our inbound MX saying the opposite
How much of those are DNSBL lookups against DNSBLs with short TTLs?
Regards,
David.
On Wed, 26 Nov 2014 07:53:20 +0100
Matthias Leisi wrote:
> Yes, such an approach might initially double the amount of queries
> and has an increased risk of not getting DNS responses, but on the
> other hand such "tree information" can be nicely cached with
> reasonably long TTLs, even for the fa
On Sat, 22 Nov 2014 13:15:29 +0100
Aban Dokht wrote:
> We also have honeypots with enabled IPv6 MX, but SPAM over IPv6 is
> very, very seldom.
We keep reputation reports from a large number of mailboxes and
they break down roughly as follows:
IPv4 mail: about 475 million reports of which 166 mi
On Fri, 21 Nov 2014 08:43:22 -0800 (PST)
John Hardin wrote:
> On a public mailing list isn't a great place to discuss such tactics...
I suspect spammers are dumb and will just vacuum up any address
they can find. Also, the scammers who sell CDs with millions of
email addresses on them are unlike
On Fri, 14 Nov 2014 18:24:05 +0100
Matus UHLAR - fantomas wrote:
> >I have an experimental botnet detector that looks for multiple
> >messages with similar subjects that come from many different
> >countries (as determined by geolocating the relay IP.)
> isn't this what DCC is about?
Similar id
On Fri, 14 Nov 2014 14:58:46 +0100
Reindl Harald wrote:
[David]
> > I don't agree with that contention. Botnet operators have so many
> > resources at their disposal that I doubt they care about or even
> > notice any sort of delaying or tarpitting.
[Harald]
> they don't because they have not m
On Fri, 14 Nov 2014 13:35:34 +0100
Reindl Harald wrote:
> *but* it makes a ton of troubles for large *legit* sending clusters
> which often after a 4xx reject handover that mail to a different node
> and so get again a 4xx
With very little loss of effectiveness, you can modify the algorithm
so
On Fri, 14 Nov 2014 07:45:49 -0500
Miles Fidelman wrote:
> From the point of view of someone who administers a lot of systems
> and mailing lists, I end up getting multiple copies of lots of
> messages. I've been thinking for a while about how to implement
> anti-spam rules based on receiving mu
On Fri, 14 Nov 2014 08:39:13 +0100
Matthias Leisi wrote:
> On Fri, Nov 14, 2014 at 6:35 AM, John Hardin
> wrote:
> > if you're in a business environment you may have an uphill battle
> > with managing expectations, to wit: email is *not* intended to be
> > instant messaging - and may run up aga
On Thu, 13 Nov 2014 15:08:40 -0500
Justin Edmands wrote:
> What if this list grows to 2 entries?
How are you calling SpamAssassin? Maybe you should build (for example)
a Berkeley DB of whitelisted addresses and simply skip SpamAssassin for
those ones, assuming the method you use to integrat
On Fri, 07 Nov 2014 18:03:32 +0100
Benny Pedersen wrote:
> What mua clients shows invalid mimetypes ?
Microsoft, thank you... if the attachment name ends in ".htm" or ".html" it
is treated as HTML regardless of MIME type.
Actually, most MUAs do this. There are an unbelievable number of MIME
ge
Hi,
I've seen a couple of hundred phishing emails come in that all had an
attachment of type "application/html" which is (of course) bogus.
I've put in a rule to block these and will see how it goes.
I've put an example up at http://pastebin.com/M3dRp4dD
with only slight editing to hide the actua
On Wed, 29 Oct 2014 01:31:51 +0100
Reindl Harald wrote:
> frankly in times of LMTP and Sieve there is hardly a need to use
> procmail - it is used because "i know it and it just works" - so why
> should somebody step in and maintain it while nobody is forced to use
> it
I use Email::Filter, no
On Tue, 28 Oct 2014 10:24:37 -0700
jdow wrote:
> > Sure, but that doesn't mean a consummate chef need fear them!
> Nonetheless one should keep bare knife switches away from said chef
> lest he forget that being a consummate expert in one field does not
> make him even barely competent in other
On Tue, 28 Oct 2014 13:28:19 +0100
"Andrzej A. Filip" wrote:
> > It may be a standard, but it's nowhere near as flexible as Perl. I
> > have very unusual filtering requirements (for example, rules that
> > change depending on time-of-day or depending on who has the support
> > pager that week) t
On Mon, 27 Oct 2014 23:50:20 -0700
Ian Zimmerman wrote:
> Or you could run dovecot and its sieve plugin. Sieve is a real
> standard (RFC 5228) which procmail never was.
It may be a standard, but it's nowhere near as flexible as Perl.
I have very unusual filtering requirements (for example, rule
On Mon, 27 Oct 2014 13:52:31 -0700
jdow wrote:
> Do the pertinent "we" have more important things to do? I suspect
> yes. I'd expect that the proper denizens for this list are not all
> that naive.
I dunno. This happens a couple of times a month and spawns threads
5-10 messages long each time.
So...
How hard would it be to have the mailing list quarantine a message
whose subject consists solely of the word "unsubscribe" ?
Do we have the technology? :)
Regards,
David.
On Thu, 23 Oct 2014 18:00:29 -0400
"Kevin A. McGrail" wrote:
> Procmail has some weird syntax
Procmail is also unmaintained abandonware, as far as I can tell.
If you use SpamAssassin, you probably like Perl, so I would recommend
Email::Filter instead. It's far more flexible than procmail and le
On Tue, 14 Oct 2014 16:10:52 +0200
Axb wrote:
> and to avoid further discussions of what header may pollute bayes or
> not, I've removed all header entries which are not directly related
> to AV/filter products.
I'm not sure I agree with being too clever about Bayes. Surely by its
very nature,
On Mon, 06 Oct 2014 21:28:02 +0200
Karsten Bräckelmann wrote:
> Unless the message's MIME-structure is severely broken, these tokens
> appear somewhere other than a base64 encoded attachment.
Agreed, and a Qmail bounce message is a prime example of a message
whose MIME structure is "severely bro
On Sat, 04 Oct 2014 13:59:54 +0200
Benny Pedersen wrote:
> On October 4, 2014 4:08:00 AM "David F. Skoll"
> wrote:
> > So it occurs to me that if
> > a mail comes in with a Return-Path: header that does not match
> > the envelope sender, that's anothe
On Fri, 03 Oct 2014 23:16:35 +0200
Axb wrote:
> interesting...
> welcome.aexp.com. 14400 IN TXT "v=... etc."
Yes, I know all that... none of these spams is actually getting
through.
I just thought the many X-* headers might be a new pattern.
Also, in this particular case, the
Sorry to follow up on myself, but...
> > depending on how many hops a mail takes
> > the number of such headers increases
Yes, so a refinement may be to make the threshold depend in some way
on the number of Received: headers too. This would clearly have to
be an eval() test.
Regards,
David.
On Fri, 03 Oct 2014 22:02:59 +0200
Reindl Harald wrote:
> hard to say in general, that are not so much X-Headers
> i have seen a lot of spam really tagged with such
> headers because some outgoing mailserver had indeed
> a spamfilter and the messages did not reach the block
> score and depending
Hi,
I've noticed a trend in which spammers put in a bunch of X- headers
purporting to show that a message is good. I've appended sample
headers (slightly obfuscated to hide recipient) below.
I wonder if a test for more than (say) 8 "X-*" headers in
an inbound mail would be a good spam indicator?
On Wed, 10 Sep 2014 10:59:16 -0300
"M. Rodrigo Monteiro" wrote:
> > Option 2 is to accept the message unfiltered, split it into
> > multiple copies, and remail each copy so it can be scanned
> > per-recipient.
> How can I do it?
It depends on the MTA you're using. If you use one that supports
On Wed, 10 Sep 2014 09:56:06 -0300
"M. Rodrigo Monteiro" wrote:
> My problem is that when an e-mail comes to multiple destinations and
> one of them is whitelisted, all these destinations become whitelisted
> too.
There are really only two ways to get around this, and neither one
is particularl
On Thu, 4 Sep 2014 11:02:27 -0700 (PDT)
George Johnson wrote:
> I'm getting another slew of these this morning, all with a variety of
> strange headers added apparently to foil spam filtering. All are
> getting through my spamassassin set up, which is usually nearly
> bulletproof. Typical headers
On Wed, 03 Sep 2014 16:49:48 -0400
"Kevin A. McGrail" wrote:
> One is CanIt by Roaring Penguin
> (http://www.roaringpenguin.com/products/canit-pro)
Much as I'd love to get customers on our hosted anti-spam service,
you should go with KAM's service if you want to benefit SpamAssassin most.
KAM i
On Wed, 03 Sep 2014 21:52:39 +0200
Axb wrote:
> oh.. a phish - not the usual hacked WP sites with only one link in
> them and maybe a line or two of trash I was thinking of...
Yes. It seems that hacked WP sites are a general-purpose tool being
used by phishers, malware distributors, weight-loss
On Wed, 3 Sep 2014 14:19:21 -0500 (CDT)
David B Funk wrote:
> Do you understand that the visible body size may be completely
> different from the MTA byte-count?
Yes. That message is substantially longer than 100 characters. Here's
the actual visible text with HTML stripped out:
On Wed, 03 Sep 2014 20:26:21 +0200
Axb wrote:
> try adding this to the meta (req SA 3.4)
Gah, I'm still running 3.3. I'm assuming that
check_body_length('100') fires on a message that is less than 100
characters. However, I'm seeing other types of spam hitting the rule
that are much larger. M
On Wed, 3 Sep 2014 18:02:31 +
"Spectrum CS" wrote:
> Would you be able to share your regexp? I'm struggling to update my
> regexp to catch the .php :)
Ah, this is what I have. (I've changed the rule names, but that shouldn't
matter.)
uri __RP_D_00069_1 /\/wp-content\/(?:plugins|them
On Wed, 3 Sep 2014 10:49:50 -0700 (PDT)
John Hardin wrote:
> On Wed, 3 Sep 2014, David F. Skoll wrote:
> > I think the FPs can be almost eliminated if we additionally insist
> > the URL contain ".php" somewhere after the /wp-*/ component.
> Right. That's wh
On Wed, 03 Sep 2014 19:36:00 +0200
Axb wrote:
> I've seen a rather large number of legit msgs including links to
> images in /wp-content/
I tested the rule. Lots of false-positives.
I think the FPs can be almost eliminated if we additionally insist the
URL contain ".php" somewhere after the /w
On Tue, 02 Sep 2014 13:32:26 -0700
Ted Mittelstaedt wrote:
> The point of blocking on DNS or IP based blocking is to issue
> that error 5xx because that is the ONLY thing that is going to
> cause the spammer to delist.
You are an optimist, aren't you?
> Because at that point they are
> now wast
On Fri, 15 Aug 2014 10:39:03 -0700 (PDT)
John Hardin wrote:
> On Fri, 15 Aug 2014, David F. Skoll wrote:
> > SPF is so easy ("v=spf1 +all")
> Doing *that* should be worth a point or two by itself.
Yes. I even thought about implementing it, but there are so many ways
to
On Fri, 15 Aug 2014 19:34:04 +0200
Robert Schetterer wrote:
> Am 15.08.2014 um 19:28 schrieb David F. Skoll:
> > Looks like about 66% of our spam samples had SPF "pass".
> yes this is what i awaited, any idea about DKIM ?
Less spam has DKIM 'pass'; our stat
On Fri, 15 Aug 2014 18:45:39 +0200
Robert Schetterer wrote:
> are there any stats how much spam is sent with right/exist
> SPF/DMARC/DKIM (TLS)
I have some statistics for SPF:
spam=> select count(*) from incidents where status = 'spam' and incident_report
like '%SPF query returned ''pass%';
c
On Fri, 15 Aug 2014 11:21:47 -0400
Bowie Bailey wrote:
> Considering only the spam:
> 67% Spamhaus rejections
> 33% Marked by SA
> YMMV, but it works quite well for me.
Indeed, MM does V. :)
spam=> select count(*) from incidents where status = 'spam';
count
---
2391
spam=> select coun
On Fri, 15 Aug 2014 10:02:14 -0500
Steve Bergman wrote:
> So basically, elevate it to the level of an absolute blacklist.
> I'm not sure I trust Zen that much. I'm more a Bayes proponent than a
> DNSBL proponent.
Me too. I'm also surprised that the OP claimed it caught 70% of his
spam. I see
On Wed, 13 Aug 2014 17:11:32 +0200
Axb wrote:
> On 08/13/2014 05:04 PM, Antony Stone wrote:
> > For the Nigerian 419 spam, the last thing you want to do is reply
> > to it :)
> unsubscribe doesn't mean "reply"
The point is that any unsubscribe mechanism must of necessity inform
the list owner t
On Wed, 13 Aug 2014 16:43:29 +0200
Antony Stone wrote:
> - spammers who get unsubscribe responses will use that to confirm
> the address and send more, therefore unsubscribing to them is a bad
> idea
I wonder how often this happens. This implies that spammers actually care
about the quality of
On Tue, 12 Aug 2014 10:02:37 -0400
Bowie Bailey wrote:
> On 8/12/2014 9:48 AM, David F. Skoll wrote:
> > 1) An objective criterion: Was the message unsolicited?
> Unfortunately, that can be difficult to determine.
Yes, definitely. But in principle, a message is either soli
On Tue, 12 Aug 2014 09:41:07 -0400
Alex wrote:
> I define "legitimate" as having been sent through a reputable
> company's mail system. Chances are, Computer Associates aren't
> spamming people.
I disagree with that. In my opinion, only two criteria are needed
to define spam:
1) An objective c