Single user install (was: Wild hair)

2024-09-26 Thread Kenneth Porter
I've been running SpamAssassin for longer than seems realistic (2.28 with 1998 Red Hat Hurricane?). Anyway I have started moving everything mail to yet a new machine, Ubunto LTS 24.04.01. That only supports SA 4.0.0. I've been contemplating the pain of sideloading 4.0.1 into the system. Then I

Re: Question about sa-updates

2024-06-21 Thread Kenneth Porter
On 6/21/2024 8:56 PM, Paul Schmehl wrote: I scratched my head, then looked up the man page for sa-update on the web. Sure enough, that’s where the rules go. Is that where my local.cf file should be located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf file in /var/lib/….

Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-06 Thread Kenneth Porter
On 12/6/2023 5:19 AM, Benny Pedersen wrote: can't procmail use X-Spam-Flag ? I think the reason I run it twice is that the mimedefang invocation doesn't have access to personal Bayes data. When it runs, it's not yet known what user(s) the mail is destined for.

Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-05 Thread Kenneth Porter
On 12/5/2023 10:57 PM, Benny Pedersen wrote: mimedefang does not use spamd, you only need either spamassassin only with spamd or mimedefang with spamassassin not running spamd It's a small server so I can afford to run SA twice, once at the MTA level through mimedefang (which can potentially

Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-05 Thread Kenneth Porter
After installing the package, I found I needed to manually restart spamd and also mimedefang with: # systemctl restart spamassassin # systemctl restart mimedefang After that I saw errors from my nightly sa-learn jobs about a missing HashCash module. I checked for a .rpmnew file in /etc/mail/sp

Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7

2023-12-03 Thread Kenneth Porter
I want to relate my experience in packaging the latest RH RPM for CentOS 7: I first checked out the package sources from Fedora. This is the spec file and patches but not the SA tarballs. I already have a regular user for building packages and have run rpmdev-setuptree to create a packaging en

Re: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...

2023-07-07 Thread Kenneth Porter
Check the systemd unit file. It should set the user the service runs as.

Re: DMARC Aggregate reports - false positives

2023-06-23 Thread Kenneth Porter
Mine don't get reported as spam. But I'm getting daily reports from mimecast.org that claim to be "Content-Type: application/gzip" but have file extension .zip. Examination finds that they're really PK zip files. So the script I use to process them tosses them as malformed. The source domain ha

Seeing big (>1MB) spam

2023-02-14 Thread Kenneth Porter
I started seeing some spam today in the 1-1.5 MB range. I was surprised to see obvious spam in my Inbox, but discovered it had no SA headers. It turned out that my procmailrc rule was only scanning messages smaller than 700k. I boosted it to 2MB: :0fw * < 200 | /usr/bin/spamc -s 200

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-20 Thread Kenneth Porter
On 12/19/2022 7:59 PM, Kenneth Porter wrote: https://bugzilla.redhat.com/show_bug.cgi?id=2154501 https://bodhi.fedoraproject.org/updates/FEDORA-2022-e341ba52a1 https://koji.fedoraproject.org/koji/buildinfo?buildID=2102188 It looks like the packaging fails before building anything because the

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-20 Thread Kenneth Porter
On 12/19/2022 11:10 PM, Greg Troxel wrote: Actually, not really. Packages should be able to run out of the box, with no network fetching needed. The pkgsrc entry -- also updated to 4.0.0 -- fetches the release rules at package build time and includes them. But, it does build 😄 I haven't yet

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-19 Thread Kenneth Porter
RPM status for Red Hat distros: https://bugzilla.redhat.com/show_bug.cgi?id=2154501 https://bodhi.fedoraproject.org/updates/FEDORA-2022-e341ba52a1 https://koji.fedoraproject.org/koji/buildinfo?buildID=2102188 It looks like the packaging fails before building anything because the filename in t

Re: why are not all rules run all the time

2021-10-08 Thread Kenneth Porter
--On Friday, October 08, 2021 2:04 PM +0200 Thomas Seilund wrote: When you say a rule hits do you then mean that the rule contribute to the score? Can a rule hit and contribute with a value of zero to the score? Setting a rule's score to zero (eg. in local.cf) disables the rule. This is how

Re: TLD rules catch non-domain data

2021-08-20 Thread Kenneth Porter
On 8/20/2021 1:53 PM, Greg Troxel wrote: I just had it falsely hit, in that it triggered on mail that was ham. There was a .club URL, but it was to a club website mentioned in mail that I actually agreed to get and that was on topic. So I would suggest that rules that do not show actual evidence

Re: TLD rules catch non-domain data

2021-08-20 Thread Kenneth Porter
On 8/20/2021 6:23 AM, Matus UHLAR - fantomas wrote: it seems that some TLD rules catch strings that are not domains: *  2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs *  [URI: ups.mfr.date (date)] *  5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, *  .guru, .c

Re: Question about whitelisting of naadac.org

2021-08-11 Thread Kenneth Porter
--On Wednesday, August 11, 2021 8:57 PM + Lukasz Maik wrote: The company naadac.org is experiencing problems with their e-mails being marked as SPAM, when they are putting link to their domain www.naadac.org in the signature of their mails. Is it possible to whitelis

Leaning toothpick syndrom (was: KAM_SOMETLD_ARE_BAD_TLD false positive)

2021-08-11 Thread Kenneth Porter
On 8/11/2021 8:05 AM, Kenneth Porter wrote: BTW, does SA permit use of Perl-style regex delimiters to avoid leaning toothpick syndrome? https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome Answering my own question, I see it used in this rule: uri    __IMGUR_IMG m,^https

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-11 Thread Kenneth Porter
On 8/11/2021 7:39 AM, Jared Hall wrote: *Maybe* a little more refinement could prevent it picking  up .hidden folders that have a BAD_TLD name. /[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i The CVS/Kodak uri would still fail on this pattern, as

Re: KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
--On Wednesday, August 11, 2021 12:29 AM -0400 "Kevin A. McGrail" wrote: Hi Kenneth, the ruleset is designed for a system scoring over 5.0. Did the rule from the cell provider cause an fp? Is your threshold higher than 5.0? I use the stock threshold of 5.0. I'm using the ruleset via the ch

KAM_SOMETLD_ARE_BAD_TLD false positive

2021-08-10 Thread Kenneth Porter
My cellular supplier has a weekly bag of goodies (coupons, schwag) and last week's included a free photo refrigerator magnet from CVS. So I signed up a CVS/Kodak account to put in my order. Like most such offers, they start sending me marketing mail, and the first one hit KAM_SOMETLD_ARE_BAD_TLD

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" wrote: We use the olevbmacro detection added to SA. I would guess that's blocking the payload.I would guess that's blocking the payload. I see the plugin in the distribution but it doesn't appear to be loaded by default and the ru

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall wrote: The Word document (without macros) loads an external encrypted Excel file It has macros. It tricks the user into enabling and running them by telling him to enable the document for editing and enabling "content" (ie. macros). Hidin

Re: Looking for a sample of the Microsoft zero day print nightmare

2021-07-03 Thread Kenneth Porter
On 7/2/2021 6:39 PM, Kevin A. McGrail wrote: Anyone know if this is delivered via email? I'm trying to make sure I block the payload if it is. I found a copy of the repo and see that it works by adding an evil printer driver to the remote server over an IP connection. So email is a vector if

Re: sa-update error 3 no mirrors.sought.rules.yerp.org

2021-03-16 Thread Kenneth Porter
--On Sunday, March 14, 2021 1:23 PM +1000 Simon Wilson wrote: You've not stated your OS but on a RHEL/CentOS 7 box the correct way to remove is to go to /etc/mail/spamassassin/channel.d and delete sought.conf. RHEL bugzilla for the issue:

Re: URLs hidden in Morse code

2021-02-11 Thread Kenneth Porter
On 2/10/2021 11:30 AM, Bill Cole wrote: CONFIRMED: SeaMonkey v2.53.6 (latest version) DOES NOT execute JavaScript in email. I don't think the intent is to run it in the MUA. It's probably distributed as an attachment (ie. inline) to save to disk and be viewed outside the MUA in a normal brow

URLs hidden in Morse code

2021-02-09 Thread Kenneth Porter
I'm reminded of the recent post suggesting that SA parse QR codes to feed URLs to block lists. The email includes a web document pretending to be an Excel document (double extension .x

Backscatter to role addresses

2021-01-30 Thread Kenneth Porter
What do others do about backscatter to their role addresses? It seems spammers have recently discovered the role addresses noc, hostmaster, and webmaster for one of my business domains and are forging them as senders. As a result, I'm seeing lots of backscatter from various spam-detectors. (Thi

Fedora sa-update and systemd randomized timer

2020-12-31 Thread Kenneth Porter
With the discussion of the KAM channel and Fedora's sa-update script that uses directory-based channel configuration, I went snooping into their script and systemd units. It looks like sa-update.cron has a 2-hour random delay before it looks for updates. I'm thinking it would be nice to move th

Re: Rule for plussed adddress

2020-12-27 Thread Kenneth Porter
--On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole wrote: You definitely want to escape that '+' and catch the recipient instead of sender: header RULENAME To:addr =~ /\+.+\@/ score RULENAME -1 That looks like what I want. Although since my server is hacked to accept a dot as

Rule for plussed adddress

2020-12-26 Thread Kenneth Porter
I usually sign up for a web service using a "plussed" address like shiva+vendorn...@sewingwitch.com. (My server also recognizes a dot instead of a plus, to deal with broken websites that won't allow me to use a plus in my email address.) I use procmail rules on my server to filter messages from

Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread Kenneth Porter
--On Tuesday, September 29, 2020 10:48 AM + Andy Smith wrote: Or consider using ASN plugin: With that hint, I found this interesting service: One could use this to, for example, create firewall rules to block connections from hostile ASNs.

Re: Moving Spam to Junk Folder

2020-09-03 Thread Kenneth Porter
--On Thursday, September 03, 2020 3:03 PM -0400 bobby wrote: I would prefer it to go into my Junk folder. How can I make this happen? That blog article shows how to do it with Dovecot's lmtp using its dovecot-pigeon rule system. But it can't put a message in a folder if it never gets it.

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Kenneth Porter
--On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote: Like most ISPs, they have a feedback loop to remove malicious users. I assume it is too slow, so a SendGrid account ID RBL would provide meaningful value. Would not Pyzor accomplish the same thing? Submit the SendGrid spam to

Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Kenneth Porter
--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin wrote: Fix committed. Where will this show up? I just got one with this tag: Another:

Re: update fail

2020-07-15 Thread Kenneth Porter
--On Wednesday, July 15, 2020 9:59 AM -0400 "Kevin A. McGrail" wrote: I'm sure someone has produced an RPM for CentOS 6 for 3.4.4 by now. I'm using John Hardin's recommendation from his 2020-02-07 post and it's working fine on CentOS 7: You can download the original (as well as later ver

Re: Spamassassin RPM for Centos 7

2020-02-07 Thread Kenneth Porter
--On Thursday, February 06, 2020 2:30 PM -0800 John Hardin wrote: The RPM is available here, assuming you trust me: http://www.impsec.org/~jhardin/antispam/centos7/ 3.4.4 is now available as well, I've been running it for about a day now and I don't see any problems - but my volume is *ver

Facebook notifications sent from dynamic address

2019-10-05 Thread Kenneth Porter
(Nothing wrong with SA. Just an FYI about a popular service that abuses the Internet and SA catches it.) I noticed one of my notifications from Facebook today got tagged by SA. Here's the two that put it over: 3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2) 1.5 RCV

New URL shortener

2019-06-06 Thread Kenneth Porter
I'm seeing a lot of fake DHL delivery notices using the shortener smarturl.it. I suggest adding it to __URL_SHORTENER.

Re: recent update to __STYLE_GIBBERISH_1 leads to 100% CPU usage

2019-05-30 Thread Kenneth Porter
On 5/29/2019 6:12 AM, Karsten Bräckelmann wrote: I see this has been filed in bugzilla by now. Fo those looking for the bug report: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7707

Re: spamd child high CPU usage, connection reset

2019-05-30 Thread Kenneth Porter
On 5/29/2019 3:41 PM, Yves Goergen wrote: Hello, Today SpamAssassin started failing on my server system. I could observe the following: * There are 5 processes named "spamd child" with very high (100%) CPU usage This could be the style gibberish rule hanging. There's another thread here a

Bad List-Id from SparkPost mailing service

2019-05-01 Thread Kenneth Porter
You may recall I have a local rule that flags badly-formatted List-Id headers as probable spam. It works quite well. However, I've seen a couple false positives recently from my bank and credit card companies. The Message-IDs make it clear that both are coming from SparkPost, which seems to be

Re: ClamAV - low detection rates on malware attachments lately

2018-11-08 Thread Kenneth Porter
--On Thursday, November 08, 2018 10:59 AM -0500 Kris Deugau wrote: https://sourceforge.net/projects/unofficial-sigs/ It's been in Debian for a while too. That upstream link is an old version; it was forked or taken over (not sure which) by extremeshok.com at https://github.com/extremeshok/

Re: ClamAV - low detection rates on malware attachments lately

2018-11-07 Thread Kenneth Porter
On 11/7/2018 1:24 PM, Kris Deugau wrote: I use a combination of adding local signatures (mainly hashes for "random-executable-inna-archive") and selected signatures from a number of third parties to the stock set in a "primary" Clam instance that's an absolute yes/no check, and using only thi

Re: config files in spamasassin is unintended tlds :/

2018-11-05 Thread Kenneth Porter
--On Monday, November 05, 2018 12:14 PM -0500 Bill Cole wrote: FWIW, BIND 9.x (since 9.4-ish) will parse and load a zone with such an A in it, but complains and does not serve the record: NXDOMAIN for a normal query, no hint of it in a zone transfer. BIND's check-names directive controls whe

Re: config files in spamasassin is unintended tlds :/

2018-11-04 Thread Kenneth Porter
--On Sunday, November 04, 2018 7:28 PM -0500 Bill Cole wrote: most of my examples of "Not A URI" were in fact turned into clickable links by some horrific MUA. If it's clickable, some user will click on it. If it's not, a malicious message may beg the user to copy and paste it into the brow

Re: Spamassassin 3.4.2 RPM for CentOS 6

2018-10-22 Thread Kenneth Porter
--On Monday, October 22, 2018 3:46 PM + Emanuel Gonzalez wrote: rpm for Centos 7??? If you're comfortable rebuilding a source RPM, see my thread on using the Fedora 29 SRPM on CentOS 7. If you've modified your sysconfig file, you'll need to remove the daemon switch to use it with that

Re: sa-compile after sa-update

2018-10-11 Thread Kenneth Porter
An RH bug was opened and closed on this in 2014: https://bugzilla.redhat.com/show_bug.cgi?id=1151565 I attached a patch to the bug for the latest sa-update.cron script from the 3.4.2 RPM to invoke sa-compile if the plugin is enabled and re2c is installed.

sa-compile after sa-update

2018-10-10 Thread Kenneth Porter
I'm experimenting with the Rule2XSBody plugin and I've figured out that I have to run sa-compile after sa-update to create the compiled versions of local rules. I don't see anything in either sa-update or the Red Hat-supplied sa-update.cronscript invoked from cron (or a systemd timer) that invo

Re: Using SpamAssassin 3.4.2 Fedora 29 package on CentOS 7

2018-10-10 Thread Kenneth Porter
On 10/10/2018 9:43 PM, Henrik K wrote: There's no need to avoid editing .pre files. They are versioned for reason and old ones are never changed after release. The SPF plugin is enabled in init.pre, so it isn't versioned. But it's marked as a config file in RPM so it won't be overwritten by a

Using SpamAssassin 3.4.2 Fedora 29 package on CentOS 7

2018-10-10 Thread Kenneth Porter
I'm trying to update my CentOS 7 distro 3.4.0 package to the 3.4.2 source package in the Fedora 29 repo and wanted to alert others to possible issues. (Why is there

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

2018-09-17 Thread Kenneth Porter
--On Monday, September 17, 2018 3:13 PM -0400 "Kevin A. McGrail" wrote: You can install the srpm and then in /usr/src/RedHat you get various files like tar files and patches with a spec file that says how to build it. That path would be if you were building as root, which is not recommended.

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

2018-09-17 Thread Kenneth Porter
--On Monday, September 17, 2018 3:13 PM -0400 "Kevin A. McGrail" wrote: You can install the srpm and then in /usr/src/RedHat you get various files like tar files and patches with a spec file that says how to build it. That path would be if you were building as root, which is not recommended.

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

2018-09-16 Thread Kenneth Porter
On 9/16/2018 5:44 PM, Kevin A. McGrail wrote: Thanks for the post.  The bug is way out of line though. Earlier bug that should probably be the one tracked: https://bugzilla.redhat.com/show_bug.cgi?id=1629474

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

2018-09-16 Thread Kenneth Porter
Here's the Red Hat Bugzilla bug requesting a new package for Fedora/RHEL be issued ASAP: https://bugzilla.redhat.com/show_bug.cgi?id=1629491 Once the official package drops, you should be able to download the SRPM here: https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everyt

Re: Malforrmed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 1:16 PM -0500 David Jones wrote: I agree. Whitelisting or subtracting points should be tied to domain authentication or IP reputation. Spammers are reading this email thread and are already crafting emails to match this rule. That's a fundamental problem with an

Re: Malforrmed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 8:58 PM +0200 Benny Pedersen wrote: corpus testing should show how bad it is if it is Indeed. The scores I gave are just what work well for me. They'd need to go through corpus testing to work for general release, and then sites could override the corpus scores a

Re: Malforrmed List-id

2018-05-06 Thread Kenneth Porter
--On Thursday, May 03, 2018 8:44 PM +0200 Benny Pedersen wrote: hallo, mimedefang does not use spamd MD compiles and runs its own copy of SA internally. I have spamd running for individuals to filter email after it's past the MTA.

Re: Malforrmed List-id

2018-05-03 Thread Kenneth Porter
--On Thursday, May 03, 2018 4:16 PM +0100 RW wrote: The '?' seems superfluous. Agreed. I removed it and restarted my SA services (spamd and mimedefang).

Re: Malforrmed List-id

2018-05-03 Thread Kenneth Porter
--On Thursday, May 03, 2018 3:28 AM +0200 Benny Pedersen wrote: List-Id: valid or invalid ? :=) Your message got this score: X-Spam-Status: No, score=-23.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,KP_LIST_ID_DOMAIN_IN_BRACKETS,MAILING_LIST_MULTI, R

Malforrmed List-id

2018-05-02 Thread Kenneth Porter
I'm having very good results with this rule. I'm scoring it at 5 with no false positives. The high negative score for a legitimate looking List-id will file it into my List/Unknown folder for new lists and for any spammers trying to abuse this, so it's not a problem for my personal filtering.

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter
On 2/19/2018 12:20 PM, John Hardin wrote: Are those getting hits on SPOOFED_FREEM_REPTO_CHN? No, not seeing that one. After enough training I eventually see it land in Bayes. The RBLs are starting to flag it. X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,     FREEMAIL_F

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter
On 2/18/2018 5:09 PM, Antony Stone wrote: On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote: Question time! You receive spam with a reply-to your own address. What do you do? I take it that this is now a rather different question that the one you originally asked in this thread, w

Re: Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
--On Sunday, February 18, 2018 4:21 PM -0500 Rupert Gallagher wrote: It is not spam. You get it if you have an account with alibaba. Just configure it. These emails are addressed to many of my web-page-only addresses that I've never used to sign up for anything. They're clearly unsolicited.

Blacklist for reply-to?

2018-02-18 Thread Kenneth Porter
Is there a blacklist for domains in the reply-to header? I've noticed a lot of spam with no URL and mutating From but the reply-to domain is always aliyun dot com. I want to add a site-wide blacklist for that.

Re: Malformed List-Id header

2018-02-16 Thread Kenneth Porter
On 2/16/2018 12:57 PM, Alex wrote: I think it's a mistake to whitelist (or even deduct significant points) based on a header that can be controlled by a spammer. We see tons of spam that has properly crafted MIDs. If you're using procmail, it sounds like this is on a personal account, so perhaps

Re: Malformed List-Id header

2018-02-16 Thread Kenneth Porter
I just put this into service. I'm white-listing mailing lists. Most go to their own folder via procmail filtering, and unrecognized ones go to the folder Lists/Unknown until I write a procmail rule. But this rule should catch lazy abusers. After a bit more experience I'll crank up the punishmen

Re: Malformed List-Id header

2018-02-13 Thread Kenneth Porter
On 2/4/2018 3:35 PM, Kenneth Porter wrote: I've noticed quite a bit of spam lately with a malformed List-Id header. Most notably, the angle brackets are missing, but the contents of the angle brackets when present often don't look like a domain. No dots, for example. <https:/

Malformed List-Id header

2018-02-04 Thread Kenneth Porter
I've noticed quite a bit of spam lately with a malformed List-Id header. Most notably, the angle brackets are missing, but the contents of the angle brackets when present often don't look like a domain. No dots, for example.

Matching base64 subject

2013-08-27 Thread Kenneth Porter
I'm trying to use this set of rules to spot Chinese or Russian characters in the subject line: To debug the rules, I've replaced the leading __ in sub-rules with T_. The rules don't seem to matc

Re: Romance spam

2013-03-09 Thread Kenneth Porter
--On Thursday, March 07, 2013 11:26 PM +0100 Benny Pedersen wrote: only bayes hitting ?, and it autolearns ham ? Presumably the autolearn=ham applies to anything that doesn't get marked as spam. Once I move it to my Uncaught folder, it gets retrained that night as spam. But I need to upg

Re: Romance spam

2013-03-06 Thread Kenneth Porter
--On Wednesday, March 06, 2013 9:27 AM -0500 "Kevin A. McGrail" wrote: I haven't seen any of this at all. Do you have an example on pastebin and I can look through my logs? Might be getting hammered by another rule/rbl/etc. Here's an example:

Re: Romance spam

2013-03-06 Thread Kenneth Porter
--On Wednesday, March 06, 2013 3:35 PM +0100 Axb wrote: aren't these the ones with the @yandex.ru dropbox in the body? Good catch. I just checked for that in my Uncaught folder (which I feed to Bayes each night) and the List-Id appears in most but not all that have that dropbox address.

Romance spam

2013-02-21 Thread Kenneth Porter
I'm noticing the following header in recent "romance" spam that looks like it might be an easy pattern to match. It's an unsubscribe link with a mailto link with a hex digit username of up to 20 digits. This is from a grep of my Uncaught folder. List-Unsubscribe:

Re: blizzard (and others) faux messages

2010-06-29 Thread Kenneth Porter
--On Tuesday, June 29, 2010 2:37 PM -0700 John Hardin wrote: So it sounds like they're not sending everything through the same system. Time to post a report about that in one of their game forums. (Which one? Suggestions? Bug Reports? Customer Support? I think the last one, as that's where the

Re: blizzard (and others) faux messages

2010-06-29 Thread Kenneth Porter
--On Tuesday, June 29, 2010 11:17 AM +0200 Mark Martinec wrote: What I want: 1) Message from blizzard that has no dkim gets scored +10 adsp_override blizzard.com custom_high I just checked some recent messages and found that auto-replies from the ha...@blizzard.com address (to which on

Novel indentation

2010-06-25 Thread Kenneth Porter
I'm getting some nonsense spams that contain a big block of text/plain and matching HTML part, and the text/plain part has an interesting indentation pattern: The first line is indented with a single space, and all subsequent lines start with 3 spaces: Debate Over Vaccines And Autism/ADD Exper

Re: percentage off spam

2010-05-18 Thread Kenneth Porter
--On Tuesday, May 18, 2010 10:59 AM -0400 Charles Gregory wrote: I agree that full smaples are needed. The % Subject alone is not enough. But I would expect there is something 'common' to the body that would combine in a meta rule for decent score with minimal fp... So throw some examples up

Re: Low-scoring discount ED spam

2010-05-05 Thread Kenneth Porter
--On Wednesday, May 05, 2010 11:29 AM +0200 Matus UHLAR - fantomas wrote: do you wipe bayes database often? If not, it's not needed to retrain on all messages, since they are not forgotten. I don't recall ever deleting the DB. It's my understanding that sa-learn remembers which messages it'

Re: Low-scoring discount ED spam

2010-05-03 Thread Kenneth Porter
--On Tuesday, May 04, 2010 4:22 AM +0100 RW wrote: Are you training BAYES? A lot of these are hitting BAYES_50 or even BAYES_00. I've been copying them into my "Uncaught" folder which is run with "sa-learn --spam --mbox" each night. I just noticed that my Uncaught folder is huge and has l

Low-scoring discount ED spam

2010-05-03 Thread Kenneth Porter
I've been getting regular spam that advertises a percentage discount for ED in the subject line, and names the ED in the From line. It consistently fails to breach the 5.0 score line and keeps showing up in my regular Inbox. I think I have the latest code and rules. Am I suffering from the cur

Re: Google feedproxy redirector abuse

2009-11-20 Thread Kenneth Porter
--On Monday, November 16, 2009 10:27 AM -0800 John Hardin wrote: meta MANY_GOOG_PROXY __FEEDPROXY > 5 Got one with exactly 5 today. Looks like they're learning.

Google feedproxy redirector abuse

2009-11-16 Thread Kenneth Porter
I've been seeing pill spam with lots of identical URIs pointing at feedproxy.google.com over the last week or two. All the URI's seem to be this (leading http slash slash removed): feedproxy.google.com/~r/CraigslistHoustonAllForSale/WantedSearchquothealthquot/~3/3yX2enlGlyE/ I've no idea where

SpamAssassin is not a filter

2009-10-14 Thread Kenneth Porter
From : SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering

Subject keyword plugin?

2009-08-17 Thread Kenneth Porter
Is there a plugin that can read a text file of keywords, one per line, and build the equivalent Perl regex rule for keywords in the Subject line?

Using ASN plugin on internal SA scanner

2009-08-06 Thread Kenneth Porter
--On Thursday, August 06, 2009 2:53 PM -0400 Michael Scheidell wrote: enable the ASN plugin.. it will create bayes tokens. then train your system, any ASN that sends you mostly spam will hit bayes_>50%? Is there a way to get the ASN plugin to report on other than the first hop in the heade

Geographical distance

2009-08-06 Thread Kenneth Porter
A recent thread on spam detection suggested that geographical distance from sender to recipient correlates with spam, and that spammers tend to cluster geographically. Are there any plugins that can calculate these distances? I suppose the output would be two rules (or two sets of rules, with mu

Pet photo signatures

2009-08-05 Thread Kenneth Porter
This just seems like another good way to sneak spam through: I love to share photos of my cat, but I don't want to choke up the email system with them, esp. if it enables spammers one more avenue to piggyback their crap on.

Re: large unicode email nails CPU

2009-08-04 Thread Kenneth Porter
--On Tuesday, August 04, 2009 2:17 PM +1200 Jason Haar wrote: strace shows spamd running around looking for unicore/lib/gc_sc files - which is related to unicode "stuff". I don't know if that's the problem - but that's all I could find. This looks like a good candidate to open a Bugzilla for

Re: Any one interested in using a proper forum?

2009-07-30 Thread Kenneth Porter
On Thursday, July 30, 2009 2:01 PM -0700 ktn wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. Or you could use a news reader pointed at Gmane's news server and subscribe to the SA newsgroups. A web interface is available here:

Re: Titter invite spam

2009-06-23 Thread Kenneth Porter
--On Monday, June 22, 2009 5:59 PM -0700 John Hardin wrote: On Mon, 22 Jun 2009, Cerebus wrote: The zip file contains a file with the name: document.pdf .exe (note the long run of spaces) My security sanitizer would quarantine that. http:/

Re: spam and carbon emissions

2009-04-16 Thread Kenneth Porter
--On Wednesday, April 15, 2009 4:22 PM +0100 Martin Hepworth wrote: Interesting article http://www.newscientist.com/article/dn16951-spam-tramples-environment-wit h-huge-carbon-footprint.html?DCMP=OTC-rss&nsref=online-news I wonder how they figure out the transmission costs are are doing someth

Re: RFC's suck

2009-04-05 Thread Kenneth Porter
--On Saturday, April 04, 2009 9:11 PM +0100 Nix wrote: I hasten to point out (a little late) that the talk itself was excellent and hiliarious, but that you need excellent eyes or telepathy to grasp it all without the slides. Agreed. The presenter is very entertaining and the poor quality of

Re: RFC's suck

2009-04-02 Thread Kenneth Porter
On Thursday, April 02, 2009 12:13 PM -0600 LuKreme wrote: You should be sending mail out through your ISP which should be accepting your outbound mail as from you since they know who you are. Once your ISP (with their correctly configured SASL enabled mailserver) passes it along to the next s

Re: RFC's suck

2009-04-01 Thread Kenneth Porter
On Thursday, April 02, 2009 12:53 AM +0200 mouss wrote: Spam is a social problem, and social problems can't be solved by technical means only. technology des certainly help, to some extent. One of the ways technology can help is by increasing the cost of spam. SA has already done that by ma

Re: RFC's suck

2009-03-31 Thread Kenneth Porter
--On Tuesday, March 31, 2009 3:03 AM -0600 LuKreme wrote: Because the idea is to be able to simply retire the current SMTP and that will be a lot simpler if the new service is on a new port. It will also be much easier to justify. You're reminding me how long it's taking to get IPv6 adopted.

Re: Pastebin for spam examples

2009-03-30 Thread Kenneth Porter
On Monday, March 30, 2009 10:15 PM +0200 KarstenBräckelmann wrote: There's a reason, pastebins (just like URL shortener services) are implementing spam filtering and various other spam/bulk counter- measures. That's because they have been abused by spammers. Creating a dump to put your spam i

Re: RFC's suck

2009-03-30 Thread Kenneth Porter
On Monday, March 30, 2009 2:13 PM -0600 LuKreme wrote: The changes (RFC2822) did not change enough. What is really needed is SoSMTP (Son of SMTP) defined for port 26. It would be 8bit compatible and would NOT be backward compatible with current SMTP. It would not have folding of headers line

Re: RFC's suck

2009-03-30 Thread Kenneth Porter
--On Monday, March 30, 2009 7:52 PM +0100 Rik wrote: The MAIL RFC's were conceives a long time ago and have had some changes. Sure - the mail system is not ideal - however, with no RFC's we would end up with closed, stupid proprietary systems that don't talk. Microsoft Exchange is one reason

RFC's suck

2009-03-30 Thread Kenneth Porter
This video was recently posted to the MIMEDefang list, and illustrates how bad the RFC's for mail format are. No wonder SA has such trouble deciding what's spam and what's legitimate. NOTHING is legitimate, due to problems with the standards. (And this doesn't even discuss SMTP, just the format

Pastebin for spam examples

2009-03-30 Thread Kenneth Porter
--On Saturday, March 28, 2009 3:32 PM -0700 RobertH wrote: pastebin said the headers tripped the spam filter so i have to post this way... I've seen this complaint before. Perhaps SA or one of the other anti-spam websites could host a pastebin for spam examples, that explicitly does NOT ru

  1   2   3   4   >