something to strip off all of the email headers?
For the BAYES_99, as already mentioned you probably need to retrain
bayes, making sure to correct any incorrectly trained email messages.
-jeff
verlap. A message with bayes >= 99.9% hits both
rules. BAYES_99 ends at 1.00 not .999.
-jeff
See below:
On 5/13/2022 8:41 PM, Arne Jensen wrote:
Den 13-05-2022 kl. 23:42 skrev Jeff Koch:
We're getting numerous false positives on 'RCVD_IN_DNSWL_HI RBL'.
When I check these IP's (193.106.175.39, for example) at
https://www.dnswl.org they are NOT listed.
* -5.0
* [193.106.175.39 listed in list.dnswl.org]
How can I fix this? I've run sa-update and it does not help.
TIA - Jeff
n
/usr/share/spamassassin
So, I can do Meta-. in Emacs and it goes directly to the 'header
FSL_HELO_NON_FQDN_1' definition
-jeff
as planned. If
this is something no one else has thought of before, then obviously
document it for science so it may save other people's lives. :)
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
://cgi-demo:cgi-d...@www.rhyolite.com/dcc-demo-cgi-bin/. It
requires a user name of cgi-demo and a password of cgi-demo the same
as the user name.
-jeff
they know
which bulk mail they solicited. The only false positives (mail marked
as bulk by a DCC ...
-jeff
From: Kevin A. McGrail kmcgr...@pccc.com
Date: Wed, 18 Mar 2015 10:21:39 -0400
Anyone use this RBL or familiar with it? Pros/cons? Efficacy data?
regards, KAM
I get 5% spam hits on DYNA and 10% on NOPTR. The SPAM list isn't that
great ( 1% spam and some false hits).
-jeff
the spam-score if matched? Would I have to implement a
separate rule for each address?
use blacklist_to bogus_us...@mydomain.com ...
This will lead to hits on USER_IN_BLACKLIST_TO
-jeff
out of bayes. At some point
you start getting timeouts at different points in the email delivery
chain.
I have a separate sa-learn (or spamc -L) procmail recipe that has a
serialization lock.
-jeff
) = each %hdrs ) {
push(@tokens, $self->_tokenize_line ($value, "H$prefix:", 0));
}
-jeff
, as long as the messages are
learned correctly. In addition to not having enough spam messages
you probably have learned various spam messages as ham.
-jeff
(i.e., user=domain.tld)?
Thanks,
Jeff
.
The message is at http://pastebin.com/UZeDtLWZ
You need to save the complete original message. Many of the headers are
missing.
MISSING_DATE=0.1,MISSING_MID=0.497,NO_RECEIVED=-0.001,NO_RELAYS=-0.25
With sufficient training you should be able to get BAYES_99 +
BAYES_999
-jeff
do I get the error.
Any ideas?
Jeff
.
Also, the GeoIP data file should be fixed:
Error Opening file /usr/local/share/GeoIP/GeoIPv6.dat
You need to post samples (to pastebin). We can't make comments on what
*should* be hitting unless we can see the message itself.
Yep.
-jeff
From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Mon, 19 May 2014 15:44:30 +0200
On 17.05.14 14:11, Jeff Mincy wrote:
It would have been easier to figure out why it was matching if the
matching spf entry was printed out, for example something like this:
May 8 18
From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Sun, 18 May 2014 18:22:49 +0200
On 17.05.14 14:11, Jeff Mincy wrote:
I just got some spam that was erroneously spf whitelisted hitting
WHITELIST_FROM_SPF
It took me a while to figure out why it was getting WHITELIST_FROM_SPF
$scanner->{sender};
foreach my $regexp (values %{$scanner->{conf}->{$param}}) {
if ($scanner->{sender} =~ qr/$regexp/i) {
##New dbg output here:
dbg("spf: $param: $scanner->{sender} matches $regexp entry");
return 1;
}
}
}
return 0;
}
-jeff
,} part to be unbounded.
Is the 10 number part really important?
-jeff
I setup an email server today and for the life of me I can't figure out why
my spamassassin implementation is flagging all of my emails from the server
with DATE_IN_FUTURE_03_06
any help would be appreciated.
thanks in advance
Jeff
Return-Path: xxx
Delivered-To: spam-quarantine
X-Envelope
http://lists.surbl.org/pipermail/announce/2013-May/000209.html
Date: Wed, 1 May 2013 05:54:48 -0700
To: SURBL Announce annou...@lists.surbl.org
Subject: [SURBL-Announce] MW malware sublist added to multi, replaces OB
As announced last October, malware data has been moved from PH
to a new
are training
bayes to recognize tokens added by your users during the forwarding
process as a spam indicator.
-jeff
From: Kevin A. McGrail kmcgr...@pccc.com
Date: Thu, 21 Feb 2013 08:46:40 -0500
On 2/20/2013 8:51 PM, Jeff Mincy wrote:
...
This leads to various bad things (RDNS_NONE broken WHITELIST_FROM_RCVD)
Is there anything in SpamAssassin that can deal more elegantly
solutions.
There is of course a third option for me - I could turn off the spam
filtering on Rcn email. Most of the spam is blocked by Rcn, there's
almost no point in trying to filter what little spam is left.
-jeff
From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Thu, 21 Feb 2013 16:36:18 +0100
On 2/21/2013 9:03 AM, Jeff Mincy wrote:
Well, I trust the network not to lie. This is more of an omission
On 21.02.13 10:26, Kevin A. McGrail wrote:
Your Clinton-esque logic likely
in SpamAssassin that can deal more elegantly with
this particular problem? Perhaps Some sort of please_fill_in_rcvd_rdns
type option?
I'm still on 3.2.5 (yes I know it is old).
-jeff
means unknown, mostly due to stale database. You can update the
IP::Country database. See:
http://wiki.apache.org/spamassassin/RelayCountryPlugin
-jeff
if you are really getting about 1 per day. You
could just turn off Bayes. Or you could just turn Bayes off. I'm
almost at the same point with my home email, for the same reason.
-jeff
for this issue are
scant.
There have been numerous posts on BAYES.
-jeff
USER_IN_SIMPLE_WHITELIST (or some other variation). The
description of the test could include warnings about how easy
it is to spoof whitelist_from.
-jeff
From: RW rwmailli...@googlemail.com
Date: Tue, 19 Jun 2012 23:43:57 +0100
On Tue, 19 Jun 2012 18:02:28 -0400
Jeff Mincy wrote:
From: John Hardin jhar...@impsec.org
Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
On Tue, 19 Jun 2012, Benny Pedersen wrote
On Thursday, December 1, 2011, 10:11:35 AM, Darxus Darxus wrote:
On 12/01, Jeff Chan wrote:
Also keep in mind that PH has a generally low score even for net
+ bayes since it doesn't hit a large portion of spam in the SA
corpus.
No. Scores are not determined by how many spams a rule hits
it does hit are
generally going to be phishing or malware, so IMO it should have
a much higher score. Unless people want to get phishing and
malware
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
want
whitelist_from_dkim *@bertolini-sales.com auth.ccsend.com
The auth.ccsend.com comes from the signature line
DKIM-Signature: ... d=auth.ccsend.com
-jeff
Disposition =~
/automatic-action\/MDN-sent-automatically; deleted/
This appears to be some new MS Exchange bounce message.
I'm running 3.2.5 if it matters.
thanks.
-jeff
-setup
and:
http://www.surbl.org/links#mirrors
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
with
the easiest way to get help is to post a complete sample including all
the headers using some pastebin and send the link and the x-spam-status
line that you get on your SpamAssassin to the group.
Otherwise all you're going to get is vague platitudes like train bayes.
-jeff
be combined into a single rule (untested) using
regexp (?:index|nana|ontokoros|tbt|webadmin)
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/
-jeff
there is a responsible party to hopefully act on
unsubscriptions, fire the spammy marketer, etc. It's sort of a
degenerate case of the degenerate case of email addresses going
to a third party, except it's the same party.
Spam is easy. Ham is hard.
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
approaches.
Those degenerate cases of both are indeed interesting.
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
that struggle with these
issues every day. Maintaining accurate ham and spam corpora and
making policies for what belongs in which category is trivial in
some easy cases like bot pill spam, but non-trivial in other
cases.
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
.
But here's some raw data from someone who tracks it.
Now:
http://www.sdsc.edu/~jeff/spam/cbc.html
A year ago:
http://www.sdsc.edu/~jeff/spam/2010/bc-20100109.html
Are we winning?
It has been in news also, spam has decreased since autumn and then again
in December. We just have to wait
rbldnsd and BIND configs for the zone and
spamassassin rule, and we will check them.
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
(__LOCAL_SENDER __TRUSTED_NETWORKS)
score VALID_LOCAL_SENDER -0.1
-jeff
whitelist_from_rcvd *...@mydomain.com mydomain.local
trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
bayes_learn_to_journal.
Add a cron job to periodically sa-learn --sync (say hourly)
and another cron job to do sa-learn --force-expire (daily/weekly)
-jeff
.
If this is the case you can turn off bayes_auto_expire and run expire
from cron. You could also try learning to the journal and doing
sa-learn --sync periodically from cron.
-jeff
===
2010-03-31 01:22:25 1Nwlbc-0001QS-Ua H=
host81-136-197-86.in-addr.btopenworld.com
goes into further
detail on this new list.
Please also see this bugzilla:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6335
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
can do this at a variety of levels: in
particular, the session, the envelope, and the mail headers.
Although this feature is desirable in some circumstances, it is a
major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka
spam).
I think this argument is now over.
Best Regards,
Jeff Koch
of the tools - among other tools (e.g. DKIM,
domain keys, not accepting email from servers with no RDNS, etc) -
developed to help reduce spam.
--
Get your web at Conactive Internet Services: http://www.conactive.com
Best Regards,
Jeff Koch, Intersessions
How silly. That's like saying an iPhone is not a gaming device even though
plenty of people use it to play game apps. Perhaps you should re-read the
SPF FAQ's.
At 04:31 PM 2/25/2010, you wrote:
Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500:
I disagree.
I don't know to what you
program which we neither have the time
or money to do. Since we like our customers and they pay the bills it is
now a dead issue.
Any other experiences? I love to hear.
Best Regards,
Jeff Koch, Intersessions
then the periodic
backscatter showers have got steadily smaller, so it looks as though
mailservers configured to check SPF before bouncing undeliverable mail have
been getting steadily more common.
Either that or spammers tend to avoid forging domains that have SPF.
-jeff
a direct
relay with a compromised account ) you may be relaying the spams
inadvertently on the outbound , but never get FBL's until all the world
blacklists you
--
J.D. Falk
jdf...@returnpath.net
Return Path Inc
Best Regards,
Jeff Koch, Intersessions
a contact name I would appreciate it.
Jeff
Delivered-To: intersessions.com-jeffk...@intersessions.com
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
pegasus.avspamfilter.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=RDNS_NONE,URI_HEX autolearn
JD - and after spending an hour registering and filling out forms I finally
get this email. Sweet!
Jeff
Delivered-To: intersessions.com-jeffk...@intersessions.com
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
pegasus.avspamfilter.com
X-Spam-Level: *
X-Spam-Status
hand, they send out emails from
their abuse-admin saying that they have no such program.
Yahoo is making me crazy.
If anyone has the email address of someone there that can actually get an
ISP signed up for the program I would appreciate it.
Best Regards,
Jeff Koch, Intersessions
From: Robert Nicholson robert.nichol...@gmail.com
Date: Fri, 12 Feb 2010 19:32:00 -0600
Perhaps my confusion lies in the fact that it looks like headers != metadata?
Is there a way or setting that allows metadata to result in headers in the
message?
Did you try add_header?
this moronic jack-ass ATTITUDE page.
Heh. Using IE 7.0 I get:
Your browser cannot handle the 9 year old standard required by the
web page you attempted to access. ...
IE 7.0 displays the page fine, but you have to save the file out as a
plain html file.
-jeff
://www.openspf.org/, then you paste
the results into the DNS TXT record for your domain).
SPF is great for what it does.
-jeff
As I understand it, as soon as rules are published, some of the
senders of unsolicited messages immediately change their behavior
to defeat or bypass the rules, so publishing them is somewhat
counterproductive.
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
only autolearn and not correcting messages that were
learned incorrectly.
-jeff
From: Kārlis Repsons karlis.reps...@gmail.com
Date: Sat, 30 Jan 2010 14:07:16 +
On Saturday 30 January 2010 13:54:14 Jeff Mincy wrote:
Retrain the message correctly in Bayes. Bayes will catch on to this
after a few times. The subject alone should be a strong enough clue
From: Ralph Bornefeld-Ettmann ilike...@bornefeld-ettmann.de
Date: Sat, 30 Jan 2010 18:14:10 +0100
Am 30.01.2010 16:48, schrieb Jeff Mincy:
From: Kārlis Repsons karlis.reps...@gmail.com
Date: Sat, 30 Jan 2010 14:07:16 +
On Saturday 30 January 2010 13
From: Kārlis Repsons karlis.reps...@gmail.com
Date: Sat, 30 Jan 2010 17:20:23 +
On Saturday 30 January 2010 15:48:36 Jeff Mincy wrote:
BAYES_99,DCC_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_FIVETEN_SPAM,RCVD_IN_NIX
SPAM,RCVD_IN_UCEPROTECT1,RCVD_IN_UCEPROTECT2
. Any ideas why one server would
have the errors and the other not? Prior to upgrading, I wasn't getting any
errors with 3.2.5...
Jeff
the same rules...
Jeff
-Original Message-
From: John Wilcock [mailto:j...@tradoc.fr]
Sent: Wednesday, January 27, 2010 10:03 AM
To: users@spamassassin.apache.org
Subject: Re: Fuzzyocr and rule errors after upgrade to 3.3.0
Le 27/01/2010 18:57, Justin Mason a écrit :
Either someone forgot
.
sa-learn tells you how many tokens were deleted when you do --force-expire, for
example:
expired old bayes database entries in 152 seconds
1516428 entries kept, 115692 deleted
token frequency: 1-occurrence tokens: 73.76%
token frequency: less than 8 occurrences: 16.19%
-jeff
to the journal is faster.
Also, What is the size of your database? Maybe you are spending lots
of time doing expires or something.
-jeff
From: Cecil Westerhof ce...@decebal.nl
Date: Sat, 09 Jan 2010 16:24:56 +0100
Jeff Mincy j...@delphioutpost.com writes:
I upgraded from 3.0.4 to 3.2.5. I have the feeling that sa-learn takes
more time with 3.2.5 as it took with 3.0.4. Can this be true
logging?
or, should i check the MTA and it's assigns that deal with the header?
The rule is probably also defined in some other file.
Are you using 00_FVGT_File001.cf? If so check there.
-jeff
The date is grossly in the future.
##} FH_DATE_PAST_20XX
-jeff
?
Best Regards,
Jeff Koch, Intersessions
in the header. Might be convenient
when postprocessing mail with standard (line oriented) text utilities.
-jeff
trying to get more users sending
their login and passwords than whatever it really is?
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Best Regards,
Jeff Koch, Intersessions
How could a two character tag like SA be annoying? You must never use a
blackberry or iPhone to check your email either.
At 11:12 AM 12/15/2009, RW wrote:
On Tue, 15 Dec 2009 09:44:50 -0500
Jeff Koch jeffk...@intersessions.com wrote:
I have to say that it is extremely annoying
not
also make it easy to follow discussions on other devices?
At 12:00 PM 12/15/2009, Toni Mueller wrote:
Hi,
On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory cgreg...@hwcn.org
wrote:
On Tue, 15 Dec 2009, Jeff Koch wrote:
I have to say that it is extremely annoying that this mailing
As I said not everyone controls the mailserver they get their list mail from.
At 12:55 PM 12/15/2009, LuKreme wrote:
On 15-Dec-2009, at 10:52, Jeff Koch wrote:
At 12:41 PM 12/15/2009, Benny Pedersen wrote:
open your eyes and see more, both the above smartphones above can
handle imap just
Instead of trying to make points why not read the whole thread? As I said
in a prior response - not everyone has management control over the
mailserver they use to get SA list mail.
At 01:01 PM 12/15/2009, Toni Mueller wrote:
On Tue, 15.12.2009 at 12:52:44 -0500, Jeff Koch
jeffk
I give up!
Best Regards,
Jeff Koch, Intersessions
, It's your email, so you
can do anything you want. If you think HABEAS is so bad just set the
HABEAS scores to zero and save the network bandwidth.
-jeff
:
ifplugin Mail::SpamAssassin::Plugin::Razor2
# How many seconds you wait for razor to complete before you go on without the results
razor_timeout 15
endif
-jeff
=99/20
-jeff
From: Dan Schaefer d...@performanceadmin.com
Date: Tue, 13 Oct 2009 09:18:44 -0400
Jeff Mincy wrote:
From: Dan Schaefer d...@performanceadmin.com
Date: Tue, 13 Oct 2009 08:54:29 -0400
Jason Bertoch wrote:
Dan Schaefer wrote:
I just enabled
From: Dan Schaefer d...@performanceadmin.com
Date: Tue, 13 Oct 2009 10:17:43 -0400
Jeff Mincy wrote:
From: Dan Schaefer d...@performanceadmin.com
Date: Tue, 13 Oct 2009 09:18:44 -0400
Jeff Mincy wrote:
From: Dan Schaefer d
Fuz1=many Fuz2=many
If you get 'dccifd is not available:
... dbg: dcc: dccifd is not available: no r/w dccifd socket found
then you need to use dcc_dccifd_path or dcc_home
-jeff
From: Rick Knight rick_kni...@rlknight.com
Date: Tue, 13 Oct 2009 09:42:18 -0700
Jeff Mincy wrote:
From: Rick Knight rick_kni...@rlknight.com
Date: Tue, 13 Oct 2009 08:53:21 -0700
Just following this thread because I recently got dcc working also
the email from the mailing list to DCC, which will
increase the DCC count. Eventually somebody will report the mailing
list as spam to DCC and you will get a DCC match on the default
many=99.
You have to whitelist the mailing list in the dcc whiteclnt file.
-jeff
if dccproc is not given -Q when processing a stream of mail that has
already been seen by a DCC client. Additional reports of a message
increase its apparent bulkness.
-jeff
reports the message to DCC with a count of many.
After that everybody else querying the same message will get a count
of many.
-jeff
is blank then the whitelist_from_rcvd won't work.
Your internal_networks and trusted_networks needs to be setup correctly.
-jeff
-Spam headers:
formail -I X-Spam msg
-jeff
like
this in your procmail.
-jeff
From: Jonas Eckerman jonas_li...@frukt.org
Date: Thu, 23 Jul 2009 15:37:11 +0200
Michael Hutchinson wrote:
I saw a test
message with just the word test in the subject hit DCC once.
That's really strange, I don't see how DCC would fire on the subject..
the
sample scripts like edit-whiteclnt.
Pyzor and Razor are easier to use because of the whitelisting.
Razor and DCC are both highly effective (80%), and Pyzor is good (40%).
-jeff
LD_LIBRARY_PATH.
-jeff
will be trusted. Various tests are not run on
trusted hosts.
-jeff
RW-15 wrote:
On Sat, 11 Jul 2009 12:52:56 -0700 (PDT)
dmy i...@dwsa.de wrote:
As far as I understand SpamAssassin is supposed to just check the ip
that directly delivered the email to my server but not the IP
SpamAssassin in procmail (etc).
Anyway, no sample -- no way to point out your issue. Do paste at least
the headers of such a mail.
Yep.
-jeff
Best Regards,
Jeff Koch
1 - 100 of 880 matches