arlier, this type of
email should bypass SpamAssassin in procmail (etc).
Anyway, no sample -- no way to point out your issue. Do paste at least
the headers of such a mail.
Yep.
-jeff
ate to remove the sorbs rules, so
>that we don't suffer a bunch of timeouts? Or how does that work?
>
>- Charles
WHAT? Sorbs and Spamhaus are polar opposites. Spamhaus is a great
organization while SORBS is a POS that helped give all blacklists a bad name.
I don't know if SpamAssassin has ever used it.
Jeff Moss
TIA
Best Regards,
Jeff Koch
et they still come through. I know this is a generic outline of
>> > the problem, but it's a start, if you need more info I can send it.
>> >
>> > -Jeff
>> >
>> >
>> >
>> > Server Specs:
>> > Mac OSX Server 10.5.7
>> >
http://pastebin.ca/1465504
On 6/18/09 2:00 PM, "Benny Pedersen" wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> > They don't appear to be scored at all (see attached header)
>
> test:
>
> spamassassin 2>&1 -D --lint
>
> any er
No errors... The only error I ever received had to do with rewriting the
subject, which was unimportant to me, so I commented it out; other than that
no errors
On 6/18/09 2:00 PM, "Benny Pedersen" wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> > They don
8:04 +0200
Message-ID:
MIME-version: 1.0
Content-type: text/html; charset="iso-8859-1"
On 6/18/09 12:02 PM, "John Hardin" wrote:
> On Thu, 18 Jun 2009, Jeff Drury wrote:
>
>> > SA is working for the most part beyond expectations, the only problem
>> >
through
sa-learn, yet they still come through. I know this is a generic outline of
the problem, but it's a start, if you need more info I can send it.
-Jeff
Server Specs:
Mac OSX Server 10.5.7
SA 3.2.1
Perl 5.8.8
Postfix 2.4.3
Amavisd 2.5.1
eful feature too?
I've sometimes wanted the other way - eg get more debugging output for
a particular message.
-jeff
From: Linda Walsh
Date: Wed, 27 May 2009 17:28:35 -0700
Jeff Mincy wrote:
>From: Linda Walsh
>Date: Wed, 27 May 2009 12:48:43 -0700
>
>Bowie Bailey wrote: >
>At face value, this seems very counter productive.
>
mail from a particular sender was FP or FN then AWL
will have an incorrect average and will wind up doing or trying to do
the wrong thing with subsequent email for that sender.
You can remove addresses using spamassassin --remove-from-whitelist
-jeff
hard to get tinyurl.com to generate a link for some known
> spam URLs. I suspect they are indeed doing SURBL lookups. Hope I didn't
> end up blacklisting myself :-}
Yes, tinyurl and several other URL shortening services use SURBL
data to fight abuse of their services:
http://www.sur
low any of the following:
1. Listwashing
2. Mapping out of spam traps
3. Poisoning of spam traps
4. Confirming delivery of spams and email addresses
etc.
Jeff C.
> On Wed, May 27, 2009 at 05:25, Rob McEwen wrote:
>> Jason Haar wrote:
>>> Why can't SURBL be expanded to
for Pyzor and DCC.
add_header all Pyzor _PYZOR_
add_header all DCC _DCCB_; _DCCR_
I don't know how headers are added in amavis.
-jeff
pam-DCC: -I X-Spam-Level: -I X-Spam-Bayes:
-I X-Spam-Relay: -I X-Spam-Report: -I X-Spam-AWL: -I X-Spam-Karma: -I
X-Spam-ASN: -I X-Spam-CRM114: -I X-Spam-Relay-Country: < msg
-jeff
to whitelist probably does not have spf setup.
-jeff
't get any awl
hits on the AWL addresses learned from virus email.
-jeff
hat these rules will eventually show up in sa-update.
-jeff
On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id:
>
<([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_NextPart_000__\
enough
because there probably aren't a trillion unique email addresses. A 10^-12
probability of collision would allow 6 million entries in the DB.
This is not to suggest that I ever understood the part about using half-length
MD5.
Jeff Moss
Attack
has a chart that shows the probability of collision for hashes of various
lengths.
http://en.wikipedia.org/wiki/Birthday_attack
Jeff Moss
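For readers who want to check the collision arithmetic for themselves, here is an added example in Python; it is not code from the thread or from SpamAssassin. It applies the birthday bound from the Wikipedia page above to a truncated hash of a given width, and exercises it on keys made from the first eight bytes of MD5 (the half-length case the thread discusses) of constructed sample addresses. The address list, the 64-bit width and the 10^-12 target are assumptions taken from the discussion for illustration.

```python
import hashlib
import math


def collision_probability(n_items, hash_bits):
    """Birthday bound: probability that at least two of n_items uniformly
    random hash_bits-bit values coincide, 1 - exp(-n(n-1) / 2^(bits+1)).
    Accurate as long as n is far below 2^bits, which is always the regime
    a whitelist database is in."""
    exponent = -(n_items * (n_items - 1)) / (2.0 ** (hash_bits + 1))
    return -math.expm1(exponent)


def max_items_for(p_max, hash_bits):
    """Invert the bound: the largest n whose collision probability is <= p_max."""
    n = int(math.sqrt(2.0 ** (hash_bits + 1) * -math.log1p(-p_max)))
    # Floating point can land one off; nudge until the bound is tight.
    while collision_probability(n + 1, hash_bits) <= p_max:
        n += 1
    while n > 0 and collision_probability(n, hash_bits) > p_max:
        n -= 1
    return n


def truncated_md5_key(address, key_bytes):
    """Key an address by the first key_bytes bytes of its MD5; 8 bytes is the
    half-length (64-bit) case discussed in the thread."""
    return hashlib.md5(address.lower().encode("utf-8")).digest()[:key_bytes]


def count_collisions(addresses, key_bytes):
    """Count addresses whose truncated key repeats an earlier address's key."""
    seen = set()
    collisions = 0
    for address in addresses:
        key = truncated_md5_key(address, key_bytes)
        if key in seen:
            collisions += 1
        seen.add(key)
    return collisions


def sample_addresses(count):
    """Constructed addresses for the experiment; not data from the thread."""
    return [f"user{i}@example-{i % 97}.test" for i in range(count)]


if __name__ == "__main__":
    # Assumed parameters: 64-bit (half MD5) keys and a 10^-12 collision budget.
    print("entries under 1e-12 at 64 bits:", max_items_for(1e-12, 64))
    print("p(collision) for 6,000,000 entries at 64 bits:",
          collision_probability(6_000_000, 64))
    print("collisions, 2000 addresses, 8-byte keys:",
          count_collisions(sample_addresses(2000), 8))
    print("collisions, 2000 addresses, 2-byte keys:",
          count_collisions(sample_addresses(2000), 2))
```

Since the bound is roughly n squared over twice the key space, the number of entries that fit under a fixed collision probability scales with the square root of the space: halving MD5 from 128 to 64 bits costs a factor of 2^32 in capacity, and the 16-bit run shows how quickly real collisions appear once the space gets small.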
ens*
of e-mails, all purporting to come from ME that came from the *same*
server! In this case, as I only send a half dozen messages per month from
that account, the spammer would get the favored rating?
Only if the spammer uses the same server that you do.
-jeff
robably catchable by body text and/or header patterns.
Could make a good new rule as suggested in the "Code Rot" thread.
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
Your idea will FP anytime anybody adds a new email device or the ISP
changes (etc).
You could use the sagrey plugin to add a point to email from a new
email address+ip pairs.
-jeff
tch them with phrase rules. Any thoughts?
If the phishes are claiming to come from your own domain, then
use SPF or DKIM on your real outbound mail. Then any message
claiming to be from your domain that doesn't match the SPF record
or DKIM key can be considered a forgery and handled
appropriately.
Cheers,
Jeff C.
Jeff Grossman wrote:
>I am seeing a test/rule that comes back as "AM:BOOST". I cannot find
>this rule in the spamassassin rules. Does anybody know where this
>might be coming from? I am also running SaneSecurity rules in ClamAV,
>maybe it is in there?
>
>I am run
I am seeing a test/rule that comes back as "AM:BOOST". I cannot find
this rule in the spamassassin rules. Does anybody know where this
might be coming from? I am also running SaneSecurity rules in ClamAV,
maybe it is in there?
I am running SpamAssassin and ClamAV thru Amavis.
Thanks,
Jeff
only thing you can do is set the factor which acts on both
positive and negative scores.
And while I'm at it, can anyone verify whether 'constantcontact' is really
a legit mail service or a spam haven? That's the FP that caused this
issue
they do email for various organizations.
-jeff
auto_whitelist is in one of those config files.
-jeff
grams (CRM114, for example) this really hurts the accuracy.
What are your thoughts on this? I've been randomizing my spam/ham when
I train or retrain, but I don't have enough experience with SA to say if
this is beneficial, useless, or detrimental.
Jeff
older
:0:
* ^X-Spam-Level: .*\(\*\*\*\*\*\*\*\*\*\*
Maildir/10/new
:0:
* ^X-Spam-Level: .*\(\*\*\*\*\*\*\*\*\*
X-Spam-Level: ***
Maildir/9/new
You don't want the extra 'X-Spam-Level: ***' line here.
-jeff
header all Bayes bayes=_BAYES_,
N=_BAYESTC_(_BAYESTCLEARNED_-_BAYESTCHAMMY_+_BAYESTCSPAMMY_),
ham=(_HAMMYTOKENS(5,short)_), spam=(_SPAMMYTOKENS(5,short)_)
-jeff
's not firing and I'm not sure why:
describe KP_CYRILLIC Cyrillic code page
header KP_CYRILLIC Subject =~ /Windows-1251/
score KP_CYRILLIC 0.1
Try Subject:raw to inhibit decoding?
-jeff
From: Bowie Bailey
Date: Thu, 26 Mar 2009 12:07:23 -0500
Jeff Mincy wrote:
>
>If I'm reading the spamc man page correctly, it will wait 5
>minutes for spamd to process the message, but it will only wait
>about 3 seconds for a connection to sp
From: Bowie Bailey
Date: Thu, 26 Mar 2009 09:55:45 -0500
Jeff Mincy wrote:
>From: Bowie Bailey
>Date: Thu, 26 Mar 2009 08:48:30 -0500
>
>Brian J. Murrell wrote:
>> On Wed, 2009-03-25 at 15:01 -0400, Micha
s messages are processed reasonably quickly everything will
be fine. If spamd takes too long to process messages then the MTA
will start timing out (like 2-10 minutes). What happens then is up to
the MTA.
-jeff
they
run first.
Black lists aren't all that useful for stopping spam. The email
addresses are forged in spam.
-jeff
From: Chris Barnes
Date: Mon, 23 Mar 2009 11:14:37 -0500
Jeff Mincy wrote:
> Yow. The negative scoring bayes rules are extremely reliable when well
> trained. Ham messages are not trying to evade the filter. Defeating
> bayes with poison is mostly a myth. T
e avoid AWL and Bayes negative scores.
If you sent us a copy of the spam, we could test it and show you what
should be hitting.
Use pastebin instead.
-jeff
threshold but seeing junk mail coming in with negative
scores.
Train BAYES. The message hit BAYES_00. You want BAYES_99. So either
you have incorrectly learned similar messages or you haven't trained
enough.
-jeff
--
Hoover
From: Matt Kettler
Date: Wed, 18 Mar 2009 19:49:53 -0400
Jeff Mincy wrote:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>fl...@pbartels.info wrote:
>> Hello,
>>
>> instead of disabl
From: Greg Troxel
Date: Wed, 18 Mar 2009 15:33:31 -0400
Jeff Mincy writes:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header
of these
tokens are hapaxes that are never used by other messages. These just
fill up the bayes database. Maybe if the Message-ID tokens were even
more processed then maybe these could be more useful for bayes - eg -
replace 1234.56789 with a format %4d.%5d, or throw out all of the
timestamp numbers and keep just the stuff after the @.
-jeff
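As an added illustration of the normalisation suggested above (example code written for this page, not SpamAssassin's own Bayes tokenizer, which handles header tokens differently): the Message-IDs below are constructed, and the token names MSGID_DOMAIN and MSGID_SHAPE are invented for the example. Runs of digits become %<len>d and long hex runs become %<len>x, so the thread's 1234.56789 turns into %4d.%5d, and only the part after the @ is kept verbatim.

```python
import re

# Constructed Message-IDs (not taken from the thread). Their shapes imitate
# common generators: Sendmail/Postfix timestamp.pid, Outlook hex blocks and
# a hex-style token; the second one is the thread's own 1234.56789 example.
SAMPLE_MESSAGE_IDS = [
    "<20090318.123456.12345@mail.example.com>",
    "<1234.56789@mail.example.com>",
    "<000301c9a7b1$2e4f9c20$8aeed460$@example.net>",
    "<4a2f1c9e.6070304@example.org>",
    "<abc123def456@mail.example.net>",
]

# Maximal runs of hex-alphabet characters; each run is classified below.
_HEX_RUN = re.compile(r"[0-9a-fA-F]+")


def shape_of(local_part):
    """Replace the variable runs in a Message-ID local part with a format-like shape.

    A run of digits becomes %<len>d; a run of six or more hex characters that
    contains a letter becomes %<len>x; punctuation is kept, so '1234.56789'
    becomes '%4d.%5d'. Short mixed runs such as 'abc' are left alone because
    they are more likely literal text than a counter or hash.
    """
    def classify(match):
        run = match.group(0)
        if run.isdigit():
            return f"%{len(run)}d"
        if len(run) >= 6:
            return f"%{len(run)}x"
        return run
    return _HEX_RUN.sub(classify, local_part)


def message_id_tokens(header_value):
    """Bayes-friendly tokens for one Message-ID header value.

    The raw ID is a hapax that never recurs, so emit two tokens that do recur
    across a sender's mail: the domain after '@' and the shape of the local
    part. Returns [] when there is no '@' to anchor on.
    """
    value = header_value.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    local, at, domain = value.rpartition("@")
    if not at:
        return []
    return [f"MSGID_DOMAIN:{domain.lower()}", f"MSGID_SHAPE:{shape_of(local)}"]


def simulated_sender_ids(count):
    """Constructed IDs from one host whose timestamp and pid differ per message."""
    return [f"<{20090318 + i}.{100000 + i}.{10000 + i}@mail.example.com>"
            for i in range(count)]


def distinct_token_counts(header_values):
    """(distinct raw IDs, distinct normalised tokens): shows how many database
    entries the raw IDs would consume versus the normalised form."""
    raw = {v.strip() for v in header_values}
    normalised = {tok for v in header_values for tok in message_id_tokens(v)}
    return len(raw), len(normalised)


if __name__ == "__main__":
    for mid in SAMPLE_MESSAGE_IDS:
        print(mid, "->", message_id_tokens(mid))
    print("100 messages from one host:", distinct_token_counts(simulated_sender_ids(100)))
```

For a hundred messages from one host the raw IDs would add a hundred one-off tokens to the database, while the normalised form adds two that every later message from that host will hit again.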
On 3/1/09, Jeff Chan wrote:
> For historical reasons, the SURBL public nameservers were serving
> individual lists ab, sc, ob and ws in addition to multi. However
> these individual lists have all been deprecated in favor of multi for
> several years since multi contains all lis
he data are relatively static,
i.e., not updated very often, then this could generate a lot of
arguably unnecessary DNS traffic.
Jeff C.
't think
this represents a SMTP conversation, it was DAV.
Given the SExchange borkeness, it's entirely appropriate that SA would
penalize the score of these emails. Not because blackberry.com is doing
something wrong (because it doesn't appear to be), but because this
spec
riminal ISPs and registrars need to do much more to stop
abuse of their services and networks.
Jeff C.
files are locked while an automatic Bayes
expiry runs.
-jeff
rs set that field deceptively or incorrectly some
of the time or don't set it at all other times, so that an
attempt to automatically detect the character set is useful in
some cases? This is just a guess on my part however.
Cheers,
Jeff C.
ty 1.WITHOUT that text
> BAYES_50 probability 0.5905with that poisonous snippet
Perhaps helping get the first message through was the desired
effect? I get the impression that getting the first one through
successfully is a major goal. It seems they expect the later ones
to get bloc
ld need to make
changes to use multi.surbl.org, namely to upgrade to
SpamAssassin 3
Jeff C.
nstallations of version 2.6. They
should almost certainly upgrade to something more recent.
Jeff C.
now. Therefore if anyone is using the
individual lists, please stop doing so and use multi instead. A
single query to multi will check all SURBL lists.
http://www.surbl.org/lists.html
Cheers,
Jeff C.
From: Kai Schaetzl
Date: Sun, 01 Feb 2009 17:40:00 +0100
Jeff Mincy wrote on Sun, 1 Feb 2009 10:01:49 -0500:
> I use vbounce rules to detect bounce messages that were missed by
> various procmail filtering rules. Any message identified as a bounce
> is proc
ou aren't doing anything special
delivering bounce messages then a FP in this rule wouldn't matter very
much.
-jeff
ltime($t)), $t-int($t/60)*60,
$dt, $dt-$dp, $_); $dp=$dt' $*
}
Or pipe it directly to the one liner:
spamassassin -D < email.txt 2>&1 | perl -MPOSIX
-jeff
I used the plugin for a while, but stopped using it when the
number of hits dropped off.
-jeff
NS
> server. If there are a reasonable amount of duplicate queries then this
> could help performance substantially.
Another solution is to use a nameservice that doesn't change
DNSBL results. One such service is:
http://www.opendns.com/
See:
http://www.surbl.org/faq.html#dnspr
[31869] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[31869] dbg: config: using "/home/jeff/.spamassassin/user_prefs" for user
prefs file
[31869] dbg: config: using
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre"
From: mouss
Date: Thu, 11 Dec 2008 19:55:44 +0100
Asif Iqbal a écrit :
> I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
>
> whitelist_from_rcvd joe.sm...@here.com qtdenexmbm24.AD.HERE.COM
>
> But email from that address still tagged
ED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL &&
!__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
I got these rules from this list. I added !DK_VERIFIED to
L_UNVERIFIED_YAHOO.
-jeff
ide a strong transport
encryption layer.
Shouldn't both ESMTPS and LMTPS be acceptable and included in the regexp?
Thanks.
-jeff
er is using the same sending address over and over again,
blacklist them entirely.
Yep.
That said, I've never seen a spammer re-use the same address twice.
The sagrey plugin addresses this. Sagrey hits on the 95% of
spam that is from a new email+IP.
-jeff
appreciate it.
Jeff
At 07:53 PM 11/21/2008, you wrote:
On Sat, November 22, 2008 01:41, Jeff Koch wrote:
> How do I correct this problem? When I run 'nslookup 74.220.16.65' from
> various machines it shows the correct answer.
your computer, your problem :)
i showed 2 links, sh
Hi Benny:
How do I correct this problem? When I run 'nslookup 74.220.16.65' from
various machines it shows the correct answer.
At 07:02 PM 11/21/2008, you wrote:
On Sat, November 22, 2008 00:22, Jeff Koch wrote:
> As far as I can tell 'cronus.intersessions.com' h
tell 'cronus.intersessions.com' has reverse setup and it
matches 74.220.16.65.
What am I missing?
Best Regards,
Jeff Koch, Intersessions
ze 200
FWIW, how bad would I screw things up if I were to override the BAYES_00
score to 0?
With proper training this should not be necessary. Also, 0 would
disable the test, so you won't get any BAYES_00 hits. A small
temporary non zero score would be better so you can continue to
track the problem.
-jeff
On Wednesday, November 12, 2008, 3:15:26 AM, Henrik K wrote:
> On Tue, Nov 11, 2008 at 04:33:50PM -0800, Jeff Chan wrote:
>>
>> Hi Micah,
>> Thanks very much for the feedback. Does anyone know how many
>> non-profits have more than 1,000 users (i.e., users with
>
On Wednesday, November 12, 2008, 10:55:52 AM, Larry Rosenbaum wrote:
> Where is the price list? I haven't been able to find it.
Hi Larry,
The pricing calculator is the first step of the data feed form:
http://www.surbl.org/datafeed/
Jeff C.
, you will
>>likely get lots of complaints from users of systems that have embedded
>>SA installs, or others who do not monitor this list. I can see many
>>Barracuda users not having a clue why they are now being blocked and
>>their systems are processing messages slower as a
On Tuesday, November 11, 2008, 4:58:01 PM, Dave Koontz wrote:
> Jeff Chan wrote ... (11/11/2008 7:33 PM):
>> Hi Micah,
>> Thanks very much for the feedback. Does anyone know how many
>> non-profits have more than 1,000 users (i.e., users with
>> mailboxes)? The non-p
On Tuesday, November 11, 2008, 8:49:44 AM, Micah Anderson wrote:
> "Jeff Chan" <[EMAIL PROTECTED]> writes:
> I think that SURBL is a valuable service, and I understand how it is
> difficult to maintain such a service without resources.
>> The funding is, by design,
[14618] dbg: bayes: token 'll' => 0.0366062570517363
[14618] dbg: bayes: token 'Perspective' => 0.0670493467695761
...
[14618] dbg: bayes: token 'omaha' => 0.958
[14618] dbg: bayes: token 'elsasser' => 0.958
[14618] dbg: bayes: token 'riders' => 0.958
...
[14618] dbg: bayes: score = 0.659988861825694
-jeff
queries for organizations smaller
than 1,000 users or processing fewer than 250,000 messages per
day is unchanged. We hope this matches the spirit of the open
source community at least somewhat.
Cheers,
Jeff C.
Date: Thu, 6 Nov 2008 09:17:33 -0800
To: "SURBL Announce" <[EMAIL PROT
RT_ABSOLUT
/var/lib/spamassassin/3.002005/updates_spamassassin_org/*.cf
/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf:replace_rules
T_FRT_ABSOLUT
where is T_FRT_ABSOLUT defined? Shouldn't there be a header or body
rule somewhere.
Am I missing something?
-jeff
you
want to stop more phishing spams, consider increasing the score.
Jeff C.
itelist_from_rcvd?
Right now if an email is in either you get a hit on USER_IN_WHITELIST,
which is scored at a -100 by default. So split out
USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.
-jeff
e will reinforced as spam.
But now I am unsure about the autolearning. Should I train autolearned
messages or not? Or, in other words, can spamassassin learn the same
message twice (to learn faster), if I tell him to do so?
The autolearned messages have already been learned, you do not need to
learn the message again. Nothing bad will happen if you do learn a
message again, other than wasting CPU time.
-jeff
ted out, use uri rules instead of full or rawbody.
-jeff
> thx for the trouble...
Something tells me Theo may not be sharing his FPs with you
anymore. ;)
Seems you don't need them anyway
Cheers,
Jeff C.
This will actually work. I've been involved in a university experiment doing
this for over a year now. Simply put, trying to create a list of new spammer
domains is a "count to infinity" problem. Creating a list of old domains is
not.
Jeff Moss
[Pardon the spam; thought this new blacklist might be worth at
least trying.]
Apparently Barracuda will be publishing a free-to-use sender
blacklist called BRBL:
http://www.barracudacentral.org/rbl
Haven't tried it myself but thought it may be of interest.
Cheers,
Jeff C.
these kinds of spam:
1. Blacklist the sites
2. Make a rule with a pattern for the message text
Both can and probably should be done.
P.S. Please contact the owners of the site or their web host and
ask them to secure the server. It's probably an insecure or
sniffed password.
Jeff C
ds of spams are getting through? 419s are hard to
catch.
Jeff C.
URIBL_SBL checks the IP addresses of the nameservers of web sites
in the message body against the Spamhaus SBL list.
Jeff C.
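The two lookups described on this page, a single query to multi.surbl.org that covers all SURBL lists (Jeff Chan's note above) and URIBL_SBL's check of a web site's nameserver IPs against the Spamhaus SBL, both come down to building a DNS name and reading a 127.0.0.X answer. The Python below is an added example, not SpamAssassin's code: it builds both kinds of query name offline and decodes the answer bitmask. The bit-to-list mapping for multi is the one SpamAssassin 3.2's URIBL_*_SURBL rules used at the time and is stated here as an assumption; check the SURBL lists page for current values. The base-domain reduction is a simplification, since SpamAssassin uses a registrar-boundary list rather than a fixed label count.

```python
import ipaddress

# Bits carried in a 127.0.0.X answer from multi.surbl.org, as used by the
# URIBL_*_SURBL rules of SpamAssassin 3.2. Assumed here for illustration;
# verify against http://www.surbl.org/lists.html before relying on them.
SURBL_MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def dnsbl_query_name(ip, zone):
    """DNS name for looking up an IPv4 address in an IP-based list.

    Octets are reversed and the zone appended, so 192.0.2.1 checked against
    sbl.spamhaus.org becomes 1.2.0.192.sbl.spamhaus.org. This is the name
    URIBL_SBL queries for each nameserver IP of a web site found in the body.
    Raises ipaddress.AddressValueError for anything that is not an IPv4 literal.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def uribl_query_name(host, zone, levels=2):
    """DNS name for looking up a URI host in a domain-based list such as multi.surbl.org.

    IP literals in URLs are reversed like DNSBL lookups; hostnames are cut
    down to their last `levels` labels (a stand-in for the registrar-boundary
    logic real implementations use) before the zone is appended.
    """
    try:
        return dnsbl_query_name(host, zone)
    except ipaddress.AddressValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-levels:]) + "." + zone


def decode_dnsbl_answer(answer, bits=SURBL_MULTI_BITS):
    """Map a 127.0.0.X answer from a combined list to the names of the lists that hit.

    One query to multi returns every SURBL list at once: 127.0.0.6 means the
    host is on both sc (2) and ws (4). Anything outside 127.0.0.0/8 is not a
    listing and is rejected, which also catches resolvers that rewrite NXDOMAIN
    into a real address (the OpenDNS-style problem mentioned earlier).
    """
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"not a DNSBL listing answer: {answer}")
    code = int(addr) & 0xFF
    return [name for bit, name in sorted(bits.items()) if code & bit]


if __name__ == "__main__":
    # Constructed inputs; nothing is resolved over the network here.
    print(uribl_query_name("www.example.com", "multi.surbl.org"))
    print(dnsbl_query_name("192.0.2.1", "sbl.spamhaus.org"))
    print(decode_dnsbl_answer("127.0.0.6"))
```

To turn this into a live check, resolve the returned name with your resolver of choice and feed any A record you get back through decode_dnsbl_answer; an NXDOMAIN means not listed, and an answer outside 127.0.0.0/8 means the resolver is lying to you.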
with ESMTP
> id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
[...]
> http://wroteprove.com
Use SURBLs. Enable network tests:
http://www.surbl.org/faq.html#nettest
jp.surbl.org blacklisted that domain at 14:33 CEST
Jeff C.
ite with porntube redirect
> score GMD_R_DOT_HTML 3.5
> Note: making it an uri rule doesn't hit them all.
> enjoy
It and video.exe are Storm.
Jeff C.
r storms in response to forged mail
> — whether deliberately targeted, as a “Joe-Job”, or as a
> side-effect of attempts to evade over-simplistic sender address
> verification as seen in spam, viruses, and so on.
[...]
It helped us.
Jeff C.
> bigfoot. It's only personal bank account information-- why keep the
> data in-house? :-)
Presumably you mean customercenter.net, owned by Checkfree.
customercenter.com appears to be owned by domainers/squatters.
Jeff C.
ws XP SP3 with default Outlook
Express. !!! Oh my. Whatta heck! Oh my.
Can we get rid of this Outlook problem, so many ppl have reported
problems already? Or is it fixed? Good. Thanks.
Please show full headers of the message.
Best Regards,
Jeff Koch, Intersessions
XP SP3 with default Outlook
Express. !!! Oh my. Whatta heck! Oh my.
Can we get rid of this Outlook problem, so many ppl have reported problems
already? Or is it fixed? Good. Thanks.
Best Regards,
Jeff Koch, Intersessions
ed it to SA manually at 1203UTC and it DID hit URIBL_BLACK. I looked up
the URI in question and it was listed on 5/15 at 1153UTC.
--Jeff
re, etc. Sorry, my fault for not thinking that one through.
--Jeff
ist
The two commands were run on the same host, by the same user, within
seconds of one another, and yet the scores for the AWL test are 1.5
different.
Any thoughts on what I'm missing or doing wrong?
Thanks!
--Jeff
message ID after the '@'. I don't have
access to Outlook for testing.
On a side note, Outlook and Outlook Express also HELO with the computer's
name when sending a message through an email server.
Best Regards,
Jeff Koch, Intersessions
sdell wrote:
[snip]
Scratch that and reverse it. If it does match, then it will score the
message header as fake. oops :) sorry. Let me check some more things.
Did outlook really generate this message-id:
Message-ID: <[EMAIL PROTECTED]>
?
Best Regards,
Jeff Koch, Intersessions
pe: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
--=_NextPart_000_0039_01C8AF72.8920CD60
At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
Jeff Koch wrote:
Hi Matus:
Here's the header. We're seein
.3790.4133
This is a multi-part message in MIME format.
At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the
Hi:
Our users are getting false positives with hits on
4.2 FORGED_MUA_OUTLOOK
and are saying they are 100% certain that the email was sent from MS
Outlook Express. Is this a known problem or are these users doing something
wrong?
Best Regards,
Jeff Koch
It has become clear to me that reputation for authenticated
domains is the next big weapon in the fight against spam. The only
remaining uncertainty is who will have the first and/or best deployment.
Jeff Moss