RE: Spam getting through. Getting flooded.

2006-03-27 Thread Gray, Richard
> Here's the rules that I get hits for.. > > Content analysis details: (18.8 points, 5.0 required) > > pts rule name description > -- > -- > 2.5 MISSING_HB_SEP Missing blank line between > message h

RE: sa-learn

2005-05-31 Thread Gray, Richard
> > [EMAIL PROTECTED] .spamassassin]# sa-learn --ham /root/nham/ > Parsing of undecoded UTF-8 will give garbage when decoding > entities at > /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/HTML.pm line 182. > Parsing of undecoded UTF-8 will give garbage when decoding > entities at > /usr/li

FW: Many URLs resolving to few IPs

2005-05-31 Thread Gray, Richard
> > Do you have the "net" tests enabled? > > See: > > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL25864 > > These should be tripping at least the URI_SBL test and just about any > other IP based BL you might have added (e.g. > completewhois, etc.). > I am using the 'net'

Many URLs resolving to few IPs

2005-05-31 Thread Gray, Richard
I was looking at some FN that got given back to me today, and noticed that in a lot of them the URL resolves to 61,232.205.186 This site has a very simple pornographic advert in it, that varies dependent on the URL requested. Is there any way to use the lookups for these domains in a blacklist w

RE: rule edit

2005-05-12 Thread Gray, Richard
you'll need to escape the * so body VIRUS_SOBER5 /\*\*\* Attachment-Scanner: Status OK/i HTH Richard From: Robert Swan [mailto:[EMAIL PROTECTED] Sent: 12 May 2005 14:00 To: spamassassin-users@incubator.apache.org

RE: Fixing Incorrect ATIME Values

2005-04-19 Thread Gray, Richard
I posted a fix to this problem a while back. Check the archives From: Gustafson, Tim [mailto:[EMAIL PROTECTED] Sent: Tue 19/04/2005 15:33 To: users@spamassassin.apache.org Subject: Fixing Incorrect ATIME Values Hello I know that this is a persistent iss

RE: Mutliple instance of spamd

2005-04-15 Thread Gray, Richard
Guessing at what it is you're trying to do, I would suggest you take a look at MailScanner From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 15 April 2005 15:43 To: SA Subject: Mutliple instance of spamd Hello All i'm using SA 3.00 with postfix 2.1 I need to configure multi

RE: 0 Hits on blatant spam

2005-04-15 Thread Gray, Richard
> -Original Message- > From: Tim Wesemann [mailto:[EMAIL PROTECTED] > Sent: 14 April 2005 20:18 > To: users@spamassassin.apache.org > Subject: 0 Hits on blatant spam > > > http://www.timuel.com/badmessage.txt > We have quite a strict filtering setup for porn related messages. Under o

RE: The stock spammer with the ||'s

2005-04-14 Thread Gray, Richard
> 2.7 SORTED_RECIPS Recipient list is sorted by address How is this done? We currently use 2.64 and I haven't seen this particular rule before. Does it require 3.0? R --- This email from dns has been validated by dnsMSS Managed Email Sec

RE: RCVD_IN_SORBS_WEB

2005-04-14 Thread Gray, Richard
If you felt so inclined, you could get some appropriate ascii art, (perhaps of a middle finger?) and send that through to him. Wouldn't count on your having a job much longer tho. I feel your pain regarding users like that. Some people assume that there is an on/off switch for spam, and the

RE: sa-learn doesn't learn

2005-04-14 Thread Gray, Richard
From past experience, I would suggest you checked the dependencies on the 3 files that are created by sa-learn. It sounds like it was able to update bayes_toks but not one of the other files. (Can't remember which) First off, run sa-learn --rebuild. I seem to recall this was needed after running

RE: Need for a new rule?

2005-04-14 Thread Gray, Richard
> -Original Message- > From: Stuart Johnston [mailto:[EMAIL PROTECTED] > Sent: 13 April 2005 21:42 > To: Andreas Davour > Cc: users@spamassassin.apache.org > Subject: Re: Need for a new rule? > > Andreas Davour wrote: > > > > The following message have many characteristics in common with

RE: random rudeness!

2005-04-13 Thread Gray, Richard
> This really belongs in some kind of spam-fighting FAQ or > howto somewhere. I smell a wiki page! R

RE: Recommendation on SARE rules to add.

2005-04-13 Thread Gray, Richard
> -Original Message- > From: Robert Markin [mailto:[EMAIL PROTECTED] > Sent: 13 April 2005 06:25 > To: users@spamassassin.apache.org > Subject: Recommendation on SARE rules to add. > > SA 3.0 > > I was wondering if anybody had a recommendation for a initial > SARE set of rules to add.

RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Gray, Richard
These spams are a personal favorite of mine, because they carry with them the slim chance that they are in fact perfectly legitimate messages. Imagine my girlfriend saw that I had received this, I would have to try and explain myself without pointing out forged headers etc! R > -Original Mes

RE: Extra Sare Rules for meds?

2005-04-08 Thread Gray, Richard
> > One of the things the SARE group has realized, is that using > '*' in any regex is a bad idea. Trust me on that one. We > avoid it like the plague. > > --Chris > Are there any other rules of thumb such as this that would be really useful to know? Many thanks, Richard ---

RE: WHich is better

2005-04-07 Thread Gray, Richard
> -Original Message- > From: Peter Marshall [mailto:[EMAIL PROTECTED] > Sent: 07 April 2005 13:30 > To: SpamAssassin list > Subject: WHich is better > > I am looking for opinions. > > Problems I have with both: > 1. What is the best method of obtaining the spam / ham. I > have the

RE: Rule-sets

2005-04-07 Thread Gray, Richard
> > Thanks to all the replied, we have rules_du_jour and I am > now getting > > an idea of how it works. I suppose the obvious question is > has anybody > > written a good howto on writing your own rules. And if so > where is it? > You probably also want to learn more about regular expressio

RE: Annoying Job Offer spam

2005-04-06 Thread Gray, Richard
I know the feeling. Stock spam seems to be the number 1 FN at the minute, but we relay for an investment firm so we have to be careful about how we handle it. They are forced to obfuscate the disclaimer at the bottom of the message, and there are some good words to match on inside that. That's th

RE: Extra Sare Rules for meds?

2005-04-06 Thread Gray, Richard
When I worked on this, I basically took the anti_drug ruleset, and added a check to ensure that the rules only fire on obfuscated versions of the name. This can be done using negative lookahead in the rule Header SAMPLE_RULE Subject =~ /(?!viagra)v[1i][a4]gr[4a]/i As an example (and only an examp

RE: Annoying Job Offer spam

2005-04-06 Thread Gray, Richard
We're seeing a lot of those here too, usually with a 2 word subject line, (?:job|employment|...)[ _\-](?:opportunity|availability|offer|invitation|...) I haven't had a chance to write a rule to manage them, but I reckon this will be the basis for it. Hth R > -Original Message- > From

RE: SA Rules

2005-04-01 Thread Gray, Richard
I'd noticed a number of FPs on the chickenpox ruleset from .doc, .ppt files. HTH R > -Original Message- > From: Robert Bartlett [mailto:[EMAIL PROTECTED] > Sent: 01 April 2005 15:05 > To: users@spamassassin.apache.org > Subject: SA Rules > > Trying to cleanup any rules that might be

RE: RCVD_IN_BSP_TRUSTED

2005-03-11 Thread Gray, Richard
I believe that this domain is in fact legitimate and the messages in question are *not* spam. My little sister signed up for it and I got this crap in my inbox as result. Basically she signed up, and puts in a list of everyone whose email address she knows. Birthdayalarms sends out a message to ea

Interesting new spam!

2005-03-08 Thread Gray, Richard
Friend of mine got this mail through last night. It's quite interesting I thought, and maybe represents a new strategy from the spammers that is worth considering? R -Original Message- From: Curtis Daly [mailto:[EMAIL PROTECTED] ] Sent: 07 March 2005 17:18 To:

RE: Problem with a Rule

2005-03-03 Thread Gray, Richard
Use header LOCAL_MAIL From =~ /[EMAIL PROTECTED]/i Alternatively whitelist_from [EMAIL PROTECTED] This is generally not considered a good idea tho, because these headers are very easy to forge. (viruses tend to masquerade as internal->internal mail) R -Original Message- From: Jon Mc

RE: Potential new auto-learning strategy

2005-03-02 Thread Gray, Richard
't get to play with spam all day :( ). If there are other people keen on doing this then maybe we can get a collaboration going. R From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: 02 March 2005 15:16 To: Gray, Richard; users@spamassassin.apache.org Subject: RE: Potential new auto-learning

Potential new auto-learning strategy

2005-03-02 Thread Gray, Richard
I saw an article a while back about some DJs who were using perl as a mixing tool by writing perl code that edited itself while it ran in a loop. I thought this was kind of cool.   I studied AI at university, and remember a good bit of discussion regarding feedback systems.   So, to combin

RE: ASCII-Art like spam?!

2005-03-01 Thread Gray, Richard
Hrm, I missed the original message completely! Guess that means I have some rules somewhere that catches them :) -Original Message- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: 01 March 2005 16:17 To: Nick Bright; users@spamassassin.apache.org Subject: Re: ASCII-Art like spam?! At

RE: mail not being scanned fully????

2005-03-01 Thread Gray, Richard
Rather than just pushing messages through the system, I would recommend testing your regexps using the following program (http://regex.osherove.com/) It's very useful for checking syntax, and pointing out exactly what parts of the message have triggered on a particular rule. Failing that the next

RE: Rule advice please

2005-03-01 Thread Gray, Richard
I see the logic you are adopting, but unfortunately it doesn't quite pan out. Take the 4th example you provided. Here you acknowledge that while enunciating is not an anagram of ejaculating, it is still a possible outcome from your set. Mathematically the problem faced is this: Writing the anagr

RE: Rule advice please

2005-02-28 Thread Gray, Richard
subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i subject =~ /\b(?!dripping)d[ripn]{6}g\b/i subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i You can't use rules like this. The pattern "can" matches your first ex

Barracuda's Spam firewall

2005-02-25 Thread Gray, Richard
Anyone care to comment on how successful/effective this particular product is? (http://www.barracudanetworks.com) There is something of a major dispute going regarding whether this represents better value for money than other solutions (including our own, self built service) If any of you fi

RE: ENC: Wet 30 to 40 girls hrony and wants you

2005-02-23 Thread Gray, Richard
Apologies. I didn't post a complete ruleset, merely some useful examples. The basic motivation is that I have a rule that matches on various references to size, a rule (below) that matches on references to genitalia, and a rule that matches on mammary references (trying to beat our internal profan

RE: ENC: Wet 30 to 40 girls hrony and wants you

2005-02-21 Thread Gray, Richard
ssage- From: Pierre Thomson [mailto:[EMAIL PROTECTED] Sent: 21 February 2005 13:59 To: Gray, Richard Cc: users@spamassassin.apache.org Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you I made a few custom rules looking for intentional misspellings of certain subject words. We use Bayes, s

RE: ENC: Wet 30 to 40 girls hrony and wants you

2005-02-21 Thread Gray, Richard
I have this same SPAM regularly occurring in our network, and frequently the domain has yet to be listed in the SURBL lists. I have yet to find another effective way of catching this other than writing a long list of rules to match the varying subject lines -Original Message- From: Jeff C

RE: SA vs MIMESweeper

2005-02-21 Thread Gray, Richard
We currently use the quarantine features of MailSweeper, and use SA for the spamfiltering (mail me privately if you really need to know how this is done) After countless phone calls to ClearSwift regarding a wide range of problems, I can say with confidence that unless you get through to the 1 guy

RE: alternatives

2005-02-18 Thread Gray, Richard
Hi Ronan, I myself have been looking at this for the company I work for, and may be able to provide some insight. DSPAM is an entirely statistical filter, so is similar in behaviour to the BAYES part of SA. It implements a number of more sophisticated algorithms and strategies for recognising s

ROLEX spam

2005-02-18 Thread Gray, Richard
Does anyone have a good ruleset for catching all this fake watch spam? I'm seeing more of it in our systems here, and don't want to duplicate effort if one of you fine people has already got one written. TIA Richard

new strategy?

2005-02-09 Thread Gray, Richard
Please just throw fish at me if this has already been proposed, but I was thinking today about what aspects of spamming a spammer finds hard to change. Changing names and IP addresses are easy, but I imagine that finding a DNS server that will be authoritative for them is a tougher challen

RE: over ride BAYES

2005-02-09 Thread Gray, Richard
An interesting solution to your problem might be to write some meta rules like this (in pseudo code) Meta ANTI_BAYES00 && BAYES_00 Describe ANTI_BAYES00 Negating the bayes_effect for RBLs Score ANTI_BAYES00 2.6 And repeat for the other BAYES_XX rules Not dissimilar from a previous t

RE: Tracking Rule Hits

2005-02-08 Thread Gray, Richard
Hrm, this may be a reason to upgrade to 3.0 then From: Ben Story [mailto:[EMAIL PROTECTED] Sent: 08 February 2005 13:55 To: Gray, Richard; users@spamassassin.apache.org Subject: RE: Tracking Rule Hits I believe you could do this using the information that SA puts in syslog now. It lists

RE: Upgrading to 3.0

2005-02-08 Thread Gray, Richard
Thanks for the feedback Loren. We do use a *lot* of custom rules, so I'll make it a more long term target I think. Richard From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: 08 February 2005 11:10 To: users@spamassassin.apache.org Subject: Re: Upgrading to 3.0 Certainly better spam catch

Tracking Rule Hits

2005-02-08 Thread Gray, Richard
Is there a way to log the number of times a specific rule has hit within spamassassin. Ideally I'd like to see how often a rule hits, and the average score of the messages that it hit on, but anything along those lines would help   At the minute the best idea I have come up with is to use an

Upgrading to 3.0

2005-02-08 Thread Gray, Richard
Apologies for asking this if the answer is obvious, but I couldn't see it anywhere in the wiki. We currently use 2.64. What are the reasons for upgrading to 3.0? TIA R

RE: Help...dcc

2005-02-03 Thread Gray, Richard
> debug: DCC -> check failed: no X-DCC returned (did you create a map file?): no valid DCC server hostnames Did you? The errors certainly suggest that everything is working, but that dcc can't find any servers. R

RE: Scalar modifiers

2005-02-01 Thread Gray, Richard
From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: 27 January 2005 14:55 To: Gray, Richard; users@spamassassin.apache.org Subject: Re: Scalar modifiers At 06:54 AM 1/28/2005, Gray, Richard wrote: >My concern regard processing time. This is basically going to double >the number of rules in t

Scalar modifiers

2005-01-28 Thread Gray, Richard
Hi all, I'd like to implement within SpamAssassin (2.64) the ability to scale a spam score based on a certain rule (specifically, I want to scale the spam score by 1.5 if it's from an IP listed as a DUL) My basic theory is that if I take every rule and build a meta rule from it that includes the

RE: Regular expression expanding

2005-01-28 Thread Gray, Richard
PROTECTED] Sent: 28 January 2005 02:51 To: Gray, Richard; users@spamassassin.apache.org Subject: Re: Regular expression expanding At 09:23 AM 1/27/2005, Gray, Richard wrote: >body >MANGLED_CASH/(?!cash)\b[cǩ\(][_\W]{0,[EMAIL PROTECTED],5}[sz >5\$][_\W]{0,5}h\b/i My understanding of rule mat

Regular expression expanding

2005-01-27 Thread Gray, Richard
I'm trying to get my head around regular expression matching. body MANGLED_CASH /(?!cash)\b[cǩ\(][_\W]{0,[EMAIL PROTECTED],5}[sz5\$][_\W]{0,5}h\b/i My understanding of rule matching was that the '(?!cash' bit required an | (or) in order to work. Can anyone break down the logic of ho

RE: Bayes DB's

2004-12-06 Thread Gray, Richard
Surely that would only happen if there were equal amounts of Spam and ham passing through. Otherwise the token will have a tendency toward whichever the program has seen more of. From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: 06 December 2004 10:50 To: users@spamassassin.apache.org Subje

Bayes DB's

2004-12-06 Thread Gray, Richard
Our mailservers add their name to the received from header of every message. As far as I can see, SA detects this and uses it to create tokens when autolearning.   Because our DB is shown more spam than ham, there are tokens in the DBase that identify messages coming from our server as being

RE: Bayes DB Get Corrupted Quickly

2004-12-06 Thread Gray, Richard
Hi Tim, The script I sent you dumps the tokens out to a text file because SA stores them in a Berkeley DB format. If you want to do it in place then just have a look at the script and edit the appropriate values. If you get really desperate then the two processes (encoding and decoding) are essent

RE: Bayes question

2004-12-06 Thread Gray, Richard
> So, what happens when you take these two overlapping databases and > combine them is that certain tokens (those that have overlap) are then > double counted. This makes the database, at least according to the > bayes model SA is using, statistically invalid. Using

Trashed Bayes DBase

2004-12-02 Thread Gray, Richard
The Bayes DBase we use here was set to the default autolearn levels. It was first set about 1 year ago and the first anyone looked at it was when I started looking at how it was performing. Basically, it was tagging about 75% of mail as BAYES_00 (we receive about 70% SPAM here), so the

RE: Brightmail

2004-12-01 Thread Gray, Richard
Thanks everyone for your useful and informative input. We are currently re-evaluating our email services and your feedback has been a great help. Richard

Brightmail

2004-11-30 Thread Gray, Richard
Brightmail seems to be getting a lot of good press on the SPAM front.   So I'm wondering, why do people running large mail systems choose SA over corporate offerings. Is it cost? Is it configurability, or performance?   Can anyone shed any light on how Brightmail achieves the rather impre

Feature Request: Bayes as a more general detector

2004-11-30 Thread Gray, Richard
We consider the Bayes system as a detector of SPAM, which 'technically' it isn't. What it reports is how close a given message is to one of two sets, given that it has been previously shown examples of each of the two sets.   Because this is the case, I'm thinking it should be possible to us

RE: Strange differences

2004-11-29 Thread Gray, Richard
I suspect that the first time you see the mail it is not listed in the various URI blocklists, and when you re-run the message it is. R From: Thomas Kinghorn [MTNNS -Rosebank] [mailto:[EMAIL PROTECTED] Sent: 29 November 2004 05:42 To: users@spamassassin.apache.or

RE: sa-learn ham

2004-11-25 Thread Gray, Richard
We had a similar problem with our system a while back (SA 2.64, Exim 4 using exiscan) I found the attached script. It didn't work perfectly, so I edited it a bit. However, this was 2-3 months ago, and I didn't comment my changes (it was only for my company ;) ) We had a problem that because i

RE: Idea for better scoring

2004-11-16 Thread Gray, Richard
Firstly: Hi, First posting to the list. Secondly: > It seems to work well but isn't based on much more than a whim and a little observation. I get very few ham hits on _my_ mail with it, but > I mainly get pretty clean looking ham. This seems like a sensible approach in general. However, it s