Re: Default SpamAssassin scores don't make sense

2006-11-06 Thread List Mail User
... That's where the human tweaking is supposed to happen; if gobs of spam flag the 80% meter of some test while no ham does, and the 90% meter is almost never hit by anything, it should have a higher value than the 80% meter does. If the 90% meter has more ham than spam despite the 80% meter

Re: Scoring PTR's

2006-10-24 Thread List Mail User
... On 10/23/2006 7:01 PM, John Rudd wrote: Eric A. Hall wrote: http://www.ehsco.com/misc/spamassassin/std_compliance.cf might help or work for what you're doing. Make sure to read the disclaimers and warnings Those helped a lot. There's only three checks I can't do with them (probably

Re: Moderator: User needs to be unsubscribed...

2006-10-03 Thread List Mail User
... To: users@spamassassin.apache.org From: Evan Platt [EMAIL PROTECTED] Subject: Moderator: User needs to be unsubscribed... ... For every post, I'm getting: Subject: Autoreply from [EMAIL PROTECTED] (was Re:perl hogging my memory? ) Errors-To: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED]

Re: Tom Van Overbeke is out of the office.

2006-10-02 Thread List Mail User
the junk went to each poster instead of the list: ... Subject: Tom Van Overbeke is out of the office. From: [EMAIL PROTECTED] To: List Mail User [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Date: Tue, 11 Apr 2006 08:28

Re: internal/trusted again, MSA tested for SPF ?

2006-06-29 Thread List Mail User
... Mark Martinec wrote: As required per docs, the MTA is considered trusted and internal, and MSA is declared trusted and NOT internal. (both MSA and MTA are on the same IP network) ... Is it normal that our own MSA ip address is being submitted for RBL tests? It's normal, in the sense

Re: [dns-operations] negative caching of throwaway spam domains

2006-06-26 Thread List Mail User
I wonder if it is pure coincidence or not - There seems to have been an upswing in the use of 0-day domains today (which don't get caught by DOB - e.g. stedatlan.com-M olpartmen.com-M in the past hour). But we still have the various BLs, so these are still high scoring spams:-)

Re: [Fwd: Re: [dns-operations] negative caching of throwaway spam domains]

2006-06-22 Thread List Mail User
... Jeff Chan wrote: On Thursday, June 22, 2006, 10:35:10 AM, Ken A wrote: Rick Wesson over at Alice's Registry has a dnsrbl listing recently registered domains (see below). I thought this might be of interest to SA users. Anyone used this, or other rbl with similar functions? Scoring?

Re: The Future of Email is SQL

2006-06-14 Thread List Mail User
... Well - I'm a member of the Exim cult - but if something better comes along I might convert. :) And you're not even British:) Actually I count Exim in the short list of well done and readily usable/useful MTAs (i.e. works as expected, not can be made to work). Still, I'm partial to

Re: New spam type - sender domain quickly deleted

2006-06-13 Thread List Mail User
... On Montag, 12. Juni 2006 10:03 Jamie L. Penman-Smithson wrote: On 12 Jun 2006, at 07:53, Michael Monnerie wrote: yesterday I've got some new kind of spam: X-Envelope-From: [EMAIL PROTECTED] Received: from abruxateatro.com (unknown [210.245.161.31]) by power2u.goelsen.net

Re: Gmail spam

2006-06-09 Thread List Mail User
... Is anyone else getting spam from gmail? The ones I'm getting are very lengthy but doesn't look like bayes poison. headers Microsoft Mail Internet Headers Version 2.0 Received: from mail2.adventureaquarium.com ([10.0.0.205]) by MAIL-I.adventureaquarium.com with Microsoft

Re: DNS Blacklist Policy Design

2006-06-05 Thread List Mail User
... Here's what I'm trying. I'm using MyDNS but added a few fields. Basically I'm creating a white list and a black list. The white list merely prevents an IP from getting on the black list. An IP gets on the whitelist for 12 hours and on the blacklist for 4 hours. The idea being to prevent

Re: DNS Blacklist Policy Design

2006-06-05 Thread List Mail User
... From: List Mail User [EMAIL PROTECTED] All of this would use up 6 bits and still leave 17 for any other purposes you have in mind (assuming codes from 127.0.0.2 to 127.0.0.126). Uses up 6 of the 7 bits in that range, Paul. Did you mean 127.0.0.2 through 127.255.255.254? {o.o

Re: DNS Blacklist Policy Design

2006-06-05 Thread List Mail User
... From: List Mail User [EMAIL PROTECTED] ... From: List Mail User [EMAIL PROTECTED] All of this would use up 6 bits and still leave 17 for any other purposes you have in mind (assuming codes from 127.0.0.2 to 127.0.0.126). Uses up 6 of the 7 bits in that range, Paul. Did you mean 127.0.0.2

RE: DNS Blacklist Policy Design

2006-06-05 Thread List Mail User
... Paul, I've always thought of you as chief scientist among everyone on the spam assassin list... I've seen you dissect the inner mysterious workings of a spam like no other... uncovering the spammer's tracks like a superhero FBI agent meticulously piecing together data from the forensics lab.

Re: gobs of misses suddenly

2006-06-02 Thread List Mail User
... My guess is that these came in before any of razor, uribl, etc, got ahold of them. I just checked them all: score=43.64 score=16.961 score=24.61 score=13.893 score=10.81 score=34.878 score=39.367 score=23.321 score=41.673 score=47.624 score=36.642 score=14.435

Re: Hiring for Spam Assassin Troubleshooting

2006-06-02 Thread List Mail User
You have a bunch of problems; You have no PTR record for your MXs except to the dead end of worldfamousgiftbaskets.net - That domain has bogus Whois/registration data (i.e. Not Given is invalid). Also that domain has no 'A' or 'MX' records. Your NS records in the TLD zone files don't

Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread List Mail User
... On Thursday 25 May 2006 21:31, Kai Schaetzl took the opportunity to write: Jamie L. Penman-Smithson wrote on Thu, 25 May 2006 17:12:07 +0100: .de does not have a working WHOIS server, that's fundamentally broken: No, *your* whois client is outdated and broken. snip And this is not the

Re: false scoring for DNS_FROM_RFC_ABUSE

2006-05-26 Thread List Mail User
... From: Kai Schaetzl [EMAIL PROTECTED] Jamie L. Penman-Smithson wrote on Fri, 26 May 2006 00:52:39 +0100: After some research, I came to the conclusion that .de is, indeed, still broken: ftp://ftp.isi.edu/in-notes/rfc3912.txt And *where exactly* does this RFC say that the whois

Re: Fast WHOIS lookup

2006-05-13 Thread List Mail User
I'm doing some research using WHOIS to find the owners of domains in the URI blocklists and finding that many of them have the same owners. I think that a database of owners of the URIs that spam links to could be extremely useful in detecting spam.. I'm seeing that a huge amount of spam is

RE: My only problem with URIBL_BLACK

2006-05-09 Thread List Mail User
... What are your thoughts guys? Lower the score for URI_BLACK and JP? seriously? the domains is 3 days old and is unreachable, and uses outfitter.net NS's which appear to have an identity crisis. April 25th, ns1.outfiter.net 206.173.156.105 ns2.outfiter.net 24.98.13.40 April

RE: Tinurl being abused by spammers.. (leo/badcow)

2006-05-02 Thread List Mail User
... For the last week, I feel like I should receive a paycheck from Geocities! All I've been doing is submitting damn redirect web pages. I even did some testing and found some sites listed in NANAS as far back as 5 days that were still active. The source code for these pages use at most 3-4

Re: why is that the same sendin server is seen differently by spam assassin

2006-05-02 Thread List Mail User
... I run mail on the secondary server against 3 RBLs (the slightly slower response is the price they pay for going to the secondary), which things things out, but running a second implementation of SA on the secondary is not something I really considered. Do most people run SA or something

Re: OR NOT Logic

2006-05-02 Thread List Mail User
... I believe that's a fundamental logic rule, so yes. A B == ~A || ~B --Russell Almost: -- Not to confuse things with C's short circuit operations | v ( A and B ) equals ( not ( ( not A ) or ( not B ) ) ) ^

Re: Those Re: good obfupills spams

2006-04-29 Thread List Mail User
... Matt Kettler replied: John Tice wrote: Greetings, This is my first post after having lurked some. So, I'm getting these same RE: good spams but they're hitting eight rules and typically scoring between 30 and 40. I'm really unsophisticated compared to you guys, and it begs the

Re: Those Re: good obfupills spams

2006-04-28 Thread List Mail User
... Bart Schaefer wrote: The largest number of spam messages currently getting through SA at my site are short text-only spams with subject Re: good followed by an obfuscated drug name (so badly mangled as to be unrecognizable in many cases). The body contains a gappy-text list of several other

Re: Those Re: good obfupills spams (uridnsbl's, A records vs NS records)

2006-04-28 Thread List Mail User
Neat stuff Paul.. I'll have to try it out. That said, technically, doesn't this really look up the IP address by fetching the NS record, not the A record of the URI? (this would catch domains hosted at the same nameserver, not domains hosted at the same server IP address) Or has SA changed and

Re: help required in blocking this spam

2006-04-18 Thread List Mail User
Leo's pill domains. Feed several to sa-learn (gets you a high BAYES score), make sure that net tests are enabled and do use digests (DCC, Razor and Pyzor); Then these spam will get 30+ point scores. Even with no net tests, your example scores 4 points without BAYES, so training BAYES

Web page scraping software

2006-04-11 Thread List Mail User
Hi, Is anyone here familiar with the web page email address scraping software sold at: http://newsman.asp.be/featuresu.jsp ? I only found this because one of their programmers, subscribed to this list (i.e. [EMAIL PROTECTED]), is running an out-of-office auto-responder

Re: Cathy Caparula emails

2006-04-06 Thread List Mail User
... Anyone else seeing these? These are really one of the very few things that are still sneaking through: How are you, Cathy Caparula ME dical Ree-fill for Cathy Caparula is ready. Please re-confirm your information. http://geocities.com/VickieBarrett4208 Your order info as per our

Re: Is Spamassassin failing math?

2006-04-05 Thread List Mail User
... Loren Wilton wrote: 3 decimal places, not 3 significant digits. ie: 10.001 has 5 significant digits, but 3 decimal places. AFAIK there are no SA rules with scores more exact than 3 decimal places. So, no.. you would not have any rounding issues at that point. Yes you would, or

Re: Amusing spam

2006-04-01 Thread List Mail User
... I'm not sure if this on was a legitimate spam or if it was a troll from someone that didn't like this company... Loren ... They look like a quite legitimate company, but a little sloppy (check out the registration for cyberservicesllc.com - which is them also). They appear

Re: Broken FORGED_MUA_OUTLOOK checks

2006-03-31 Thread List Mail User
... Michael Monnerie wrote: Hi, I get some legitimate newsletter that's incorrectly marked as FORGED_OUTLOOK. Could someone fix that tests? Others may have that problem, too. (almost) full message at http://zmi.at/x/ham01.txt mfg zmi Are you sure that is a valid OE-email? Doesn't appear to

Re: Trusted or internal networks not recognized

2006-03-29 Thread List Mail User
... mouss wrote: Matt Kettler wrote: While daryl's comment here isn't entirely on the mark, it is close. Daryl, read the docs closer. SA does accept this format. Stephan, If you want to do an implied mask to cover a whole, you MUST end in a . ie: you must use 10. not 10. If you fail to

Re: Adult spam hitting only Bayes

2006-03-25 Thread List Mail User
I have three samples of what looks like the same adult spam. When I first received it, it scored 0 points. Training on the first sample now scores Bayes_99, but nothing else. Each sample adds itself to DCC, but subsequent ones are not hitting DCC at all, until I train on those. I can add

Re: exceptions

2006-03-24 Thread List Mail User
Larry wrote: Can I blacklist a domain but make an exception for one person in that domain? Like; blacklist_from [EMAIL PROTECTED] with the exception of [EMAIL PROTECTED] blacklist_from [EMAIL PROTECTED] won't blacklist [EMAIL PROTECTED] or [EMAIL PROTECTED] Now blacklist_from

Re: Out of curiosity, anyone know which spam gang these scum are?

2006-03-12 Thread List Mail User
... Received: (from [EMAIL PROTECTED]) by mx-103.gdicustomers2.ws (8.12.9p2/8.12.9/Submit) id 32Nhzj9ndZMB.) for [EMAIL PROTECTED]; Sat Mar 11 05:40:17 2006) (envelope-from [EMAIL PROTECTED])) Message-Id: [EMAIL PROTECTED] Date: Sat, 11 Mar 2006 05:40:17 PST From: Scott Gillespie [EMAIL PROTECTED]

Re: Latest spammers' trick - email address in body instead of url

2006-03-11 Thread List Mail User
... ... Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains against the URIBLs you're using? I don't believe that's accurate. I know Jeff C. argued that it wasn't what SURBL was intended for

Re: intimidation from spammer

2006-03-04 Thread List Mail User
... Paul Shupak: Very nice dissection/research of that spam! I learned much just from your message. I really appreciate the time you took if only that it helps me (and probably some others...) learn a bit more about how to investigate these types of e-mails. This thread was well worth it just

Re: Blah blah customer/viewer #123456789

2006-03-03 Thread List Mail User
interambulacrums com - brand new domain, private registration. But the name servers at ns[12].ECBOLINE-com - Whois address checked at USPS ( http://zip4.usps.com/zip4/welcome.jsp ): This address is NON-DELIVERABLE 225 N GUADALUPE ST STE 239 239 SANTA FE NM 87501

Re: URIBL_SBL

2006-03-02 Thread List Mail User
Hi All, A specific message is hitting the following rule: * 5 URIBL_SBL Contains an URL listed in the SBL blocklist * [URIs: annealbatross.org] The sender would like to know how to fix it and i am unable to find any reference anywhere on the procedure stating how to go

Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread List Mail User
4dquiz-com (dot instead of dash) is getting DNS service from orderbox-dns_com ('_' instead of '.') - This makes them immediately suspect; Some of the subdomains and servers in that domain are strictly black, others are grey - They have been widely discussed in some non-public forums

Re: Spammy left his index open

2006-02-21 Thread List Mail User
Cute registration too - name BUSINESGROUPNY, address in New York, but the address is only valid if you change HILLSIDE, NY to HILLSIDE, NJ. (The excellent USPS site at http://zip4.usps.com/zip4/welcome.jsp gives up this data in a few seconds). Paul Shupak [EMAIL PROTECTED]

Re: Annoying spammer

2006-02-20 Thread List Mail User
Evan, The spammer is Taiwan Media (Telecom long ago) Ltd. They're using the domain swzo.com-MUNG with Whois/registration contacts email account at [EMAIL PROTECTED] and DNS from ns[12].0l23.com-MUNG. They are listed in Spamhaus' ROKSO with more data there - friends/associates of

Re: URIBL_BLACK + OB_SURBL double-listed nonspam domain

2006-02-19 Thread List Mail User
List Mail User wrote: winterizewithscotts.com Scott's lawncare registered user updates. Matt, winterizewithscotts.com looks like a case of affiliate spamming or misuse of sweepstakes entries. See: http://forums.gottadeal.com/archive/index.php/t-14640.html http

Re: URIBL_BLACK + OB_SURBL double-listed nonspam domain

2006-02-19 Thread List Mail User
... Matt, In each case, normal HTML gives a referrer page, so no affiliate ID is needed. Paul.. None of those pages contain a link. The user would have to copy-paste or hand-type the url. That would defeat any referrer mechanism. Also, whether cutpaste generates a

Re: URIBL_BLACK + OB_SURBL double-listed nonspam domain

2006-02-19 Thread List Mail User
... List Mail User wrote: Paul.. None of those pages contain a link. The user would have to copy-paste or hand-type the url. That would defeat any referrer mechanism. Also, whether cutpaste generates a referral all depends on your browser and the setting used in some (e.g. Opera

Re: URIBL_BLACK + OB_SURBL double-listed nonspam domain

2006-02-19 Thread List Mail User
... List Mail User wrote: Huh? (Lookup strawman in a dictionary, please.) That's my understanding of what you were claiming happened. Yes, it looks like an absurdly weak argument. However, it's the argument you presented, as best I can make sense of your posts. Or are you admitting that you

RE: A Spam Message That Got Through!

2006-02-18 Thread List Mail User
... On Sat, 2006-02-18 at 08:45 -0700, Gary V wrote: Without the entire message I don't think anyone can determine if there is some problem with your system, or if this particular spam simply scored low because the spammer is good at what they do. BTW, it is helpful to see what rules

Re: URIBL_BLACK + OB_SURBL double-listed nonspam domain

2006-02-18 Thread List Mail User
winterizewithscotts.com Scott's lawncare registered user updates. Matt, winterizewithscotts.com looks like a case of affiliate spamming or misuse of sweepstakes entries. See: http://forums.gottadeal.com/archive/index.php/t-14640.html

Re: Over-scoring of SURBL lists...

2006-02-16 Thread List Mail User
After all this arguing about whether a URI can be over-weighted (or if a group of related lists are), on one of my local servers I tested the short message (with the URL intact) with arbitrary innocuous headers:

Re: Over-scoring of SURBL lists...

2006-02-16 Thread List Mail User
... Yes, but Paul, quoting real spam domain's isn't the real problem here. The problem is the same thing happens to nonspam domains. In the past month it's happened to me TWICE that a nonspam domain got misreported to two different URIBLs. One of them, as mentioned before, is an update site

Re: SURBL

2006-01-14 Thread List Mail User
... On Friday, January 13, 2006, 10:12:40 AM, Irina Irina wrote: Hello Matt and all, I enabled SURBL checks on a secondary server yesterday. It catches spam so great that I like it very much. Today I enabled it on our main server... Queue started to grow, messages were piling up. I had

Re: [OT] Paypal scam emails

2006-01-14 Thread List Mail User
... If you ever made a payment or received one via paypal the address would not be private. -- Mr Michele Neylon ... Yes, but how to connect a paypal tagged email, an eBay account name and an eBay email contact account. Clause 'C' of the PayPal privacy policy says that your PayPal email

Re: Ohya

2006-01-08 Thread List Mail User
===8--- Make it happen! Here : www.rektoky ,ohya add .com ^_^ ===8--- Slips past the filters. sigh {^_^} Looks like a relatively new pair of ROKSO members, Brian Fabian/Gregory Parsons. Mostly pills and porn from Canada - largely hosted on zombies. The name servers at

RE: URIBLFP? [Was: SA or Commercial AntiSpam products]

2006-01-07 Thread List Mail User
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, January 06, 2006 1:31 PM To: mouss Cc: Jeff Peng; users@spamassassin.apache.org Subject: Re: URIBLFP? [Was: SA or Commercial AntiSpam products] mouss wrote: (top posting because not a reply:)

Re: URI's and geocities subwebs..

2006-01-06 Thread List Mail User
... Is there a way to get the URI's to look at stuff like this?? I'm seeing more and more spam with these kinds of things in them to get by URI detection.. http://asia.geocities.com/april19781matt1487 Thanks, Billy ... Not that it answers your question, but this is Robert Soloway

Re: Kinda O/T: Block Return-Path: mail?

2006-01-06 Thread List Mail User
... I'm getting quite a bit of spam with Return-Path: in the headers. Will I likely see valid e-mail with this? Searching my previous mail, it appears to all be bounce warnings. If so, what's the best way to just blackhole this? I have postfix, and put /Return-Path: / Reject in the

Re: Poor James McCalla.... snicker

2006-01-06 Thread List Mail User
... Seems he's been tagged for $11.2 BILLION for sending 280 million spams to a small Iowa based ISP. http://www.theinquirer.net/?article=28733 http://www.qctimes.net/articles/2006/01/04/news/local/doc43bb692ac9e86281138542.txt#top And he's apparently unknown to Rokso! {O.O} He may not

Re: Google search as spam URI

2006-01-04 Thread List Mail User
... This drug spam message body seems problematic, since the URI is google, being used to search for the spammer's. Naturally the actual spammer domain bluevallet.com is blacklisted. This showed up Tue, 03 Jan 2006 14:45:48 +0100 ... Leo is good at finding new forms of abuse. The

Re: correct way of whitelisting mailing lists

2006-01-04 Thread List Mail User
Many people have opinioned: Leonardo Rodrigues Magalhães a écrit : SA ML, and several others, maintain From address as the original sender of the message, which made me have some troubles whitelisting it. I thought using whitelist_from, but it wouldn't work because there's no

Re: correct way of whitelisting mailing lists

2006-01-04 Thread List Mail User
... List Mail User a écrit : Many people have opinioned: Leonardo Rodrigues Magalhães a écrit : SA ML, and several others, maintain From address as the original sender of the message, which made me have some troubles whitelisting it. I thought using whitelist_from, but it wouldn't

Re: spamer spoofing SA headers

2005-12-28 Thread List Mail User
... Paul, the procmail script Loren and I use simply strips it out. I've read too many folks on this list talk about scanning outbound for one reason or another to figure premarking is a good spam sign. Of course, there are odd cases to consider. Suppose somebody honest or at least passing

Re: SA FP on a gfi newsletter

2005-12-28 Thread List Mail User
... mouss wrote, ... Adding a 2.798 just because mail comes from a misconfigured ISP may be too much if the sender uses a semi-broken mailer (the gfi NL is an example, but I've seen worst!) and these ISPs are aware of the situation since long, so it doesn't seem they are doing anything to

Re: spamer spoofing SA headers

2005-12-27 Thread List Mail User
At 08:48 AM 12/27/2005, Jonn R Taylor wrote: How can I make this go through SA when it thinks it already has Why wouldn't it go through SA? SA doesn't have any built-in behaviors that will prevent it from re-scanning a message. Did you do something in your procmailrc to cause procmail to

Re: SARE_URI_EQUALS false positives

2005-12-27 Thread List Mail User
... List Mail User wrote on Mon, 26 Dec 2005 16:46:00 -0800 (PST): How about the case of http=3A=2F=2Fwww=2Ecnn=2Ecom=2F2003=2F inside of HTML? i.e. http://www.cnn.com/2003/ - from a phishing spam, the full line was: You mean it displayed like this in the mail agent *after* Q decoding

Re: SA FP on a gfi newsletter

2005-12-27 Thread List Mail User
... I recently got an FP for an (opted in) gfi.com newsletter. X-Spam-Status: Yes, score=5.454 required=5 tests=[BLANK_LINES_70_80=1.236, DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_POST=1.44, DNS_FROM_RFC_WHOIS=0.879, FROM_EXCESS_BASE64=1.052, HTML_MESSAGE=0.001, HTML_TAG_EXIST_TBODY=0.126,

Re: spamer spoofing SA headers

2005-12-27 Thread List Mail User
... You can only safely skip messages with an X-Spam-Status: that reads yes, due to the fact that you can't trust it. Of course, spammers can always forge a X-Spam-Status: on themselves that declares the message to be spam, but if they do.. more power to em.. Or even better, you can check

Re: SA FP on a gfi newsletter

2005-12-27 Thread List Mail User
... I recently got an FP for an (opted in) gfi.com newsletter. X-Spam-Status: Yes, score=5.454 required=5 tests=[BLANK_LINES_70_80=1.236, DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_POST=1.44, DNS_FROM_RFC_WHOIS=0.879, FROM_EXCESS_BASE64=1.052, HTML_MESSAGE=0.001, HTML_TAG_EXIST_TBODY=0.126,

Re: SARE_URI_EQUALS false positives

2005-12-26 Thread List Mail User
... Mouss, List Mail User a écrit : updated.by - check http://www.tld.by/cgi-bin/registry.cgi You'll see that update.by is a registered domain! Therefore updated.by is indeed a URI. QED the question is: if foo.example-DEMUNGED is listed in uribl/surbl, does that make

Re: SARE_URI_EQUALS false positives

2005-12-26 Thread List Mail User
... Is foo.tld=bar a valid hostname part in a URI? I doubt that. now, would a MUA show that as a URI followed by bar? I think that SA should provide an option to enable/disable: uri_broken_mua, so that people not caring for broken MUAs can avoid such false positives. How about the case

Re: SARE_URI_EQUALS false positives

2005-12-23 Thread List Mail User
updated.by - check http://www.tld.by/cgi-bin/registry.cgi You'll see that update.by is a registered domain! Therefore updated.by is indeed a URI. QED Paul Shupak [EMAIL PROTECTED]

Re: Using Dig for RBL lookups.

2005-12-22 Thread List Mail User
... So far, so good. Everything I'm trying gives me an NXDOMAIN response, though. Anyone have a couple of IPs that are on Spamhaus that I could use for testing purposes? -Aaron Boyles ITC Applications Programmer Almost all RBLs (not RHSBLs) will respond to the test point 127.0.0.2. In

RE: Using Dig for RBL lookups.

2005-12-22 Thread List Mail User
... Ah, List, Matt, and Dallas, thanks all. Used all of them to get the answer I was looking for. So simply parsing the the Answer section to see if there was a 127.0.0.2 response should verify for me, it seems. I also vaguely remember reading something about .4 and .6 responses as well. Anyone

Re: Public Blacklists?

2005-12-21 Thread List Mail User
... On a side note, is anyone very familiar with any protocols involving public blacklists? I'm looking for the ability to simply toss an IP at a site somewhere, and get a simple 'yes/no' response as to whether or not it's a spam IP? -Aaron Boyles ITC Applications Programmer ... Far

Re: Does tuxorama.com sound familiar to anyone?

2005-12-21 Thread List Mail User
tuxorama.com does a SMTP probe for every posting to this list and is one of the very few IPs I have firewalled off. The probes seem to always come from 81.169.185.26 (now they'll probably change IPs and I'll have to block some other IP or range), so they, while irritating are very easy to

Re: Does tuxorama.com sound familiar to anyone?

2005-12-21 Thread List Mail User
... List Mail User wrote: tuxorama.com does a SMTP probe for every posting to this list and is one of the very few IPs I have firewalled off. The probes seem to always come from 81.169.185.26 (now they'll probably change IPs and I'll have to block some other IP or range), so they, while

Re: Novice question regarding mail server identity check

2005-12-19 Thread List Mail User
... On the contrary. That's exactly what it asks for. The key for understanding the requirements here is client identity. If we rewrite it this way: So we find it is actually not only *not* contained with RFC2821 any requirement that the HELO/EHLO argument match the reverse DNS record,

Re: Novice question regarding mail server identity check

2005-12-18 Thread List Mail User
... mous replied to my comments (originally directly to Kai): List Mail User a écrit : [snip] Leave the FQDN part out and you can try to base an argument on 2821, but there sections 2.3.4 and 2.3.5 simply and clearly states that Domain names are used as names of hosts and of other

Re: Novice question regarding mail server identity check

2005-12-16 Thread List Mail User
... Hi, what is the problem with putting a single computer into a hosting center, name it mycompany.com, and also let it helo as mycompany.com? Of course it should have reasonable dns entries but that's a different story Wolfgang Hamann None. In the last year I have received valid

Re: Novice question regarding mail server identity check

2005-12-16 Thread List Mail User
wrote on 16 Dec 2005 16:22:29 -: what is the problem with putting a single computer into a hosting center, name it mycompany.com, and also let it helo as mycompany.com? It's not considered an FQDN, it's a domain. Depending on how strict the helo syntax test is it will fail at this

Re: trusted_networks

2005-12-12 Thread List Mail User
... DJB is generally of the opinion that if you do not know how to properly configure your mail server, you should be hiring someone who does. So no, his software generally does not work right out of the box. opinion - not troll Personally I have some rather harsh ideas about mail server

New 'free web service' problems

2005-12-12 Thread List Mail User
Well, now to join Geocities and Tripod, we have Leo on AOL. The URL, http://hometown.aol.com/assavralloWi/immerse.html redirects to www.uditines.com, a fairly vanilla pill site (IP 61.31.214.81, listed in SBL35716). Further redirection takes you to the landing page in a subdirectory at:

Re: Scoring for MAPS

2005-12-12 Thread List Mail User
... Matt Kettler wrote on Mon, 12 Dec 2005 16:13:21 -0500: Others would say they trust it explicitly and would immediately give it 10.0. If I trust it I use it at MTA level. My opinion ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services:

Re: Scoring for MAPS

2005-12-12 Thread List Mail User
Kai Schaetzl wrote: Matt Kettler wrote on Mon, 12 Dec 2005 17:12:50 -0500: There's all different degrees of trust and more ways to go about it than we can count here :) I think simpler. Either I trust it or not, so either I use it or not. :-) Kai Personally, I have yet to find a

Re: trusted_networks

2005-12-10 Thread List Mail User
... snip What's up with all those Delivered-To: headers being inserted between Received: headers. I suspect those are confusing SA. Really the best way to tell exactly what's up is to save one of those messages that false-hit ALL_TRUSTED and run it through spamassassin -D. The debug out will,

Re: A thought about phone numbers and URIBLs

2005-12-10 Thread List Mail User
Hey folks, I was having a thought about phone numbers in spam messages, and the old brain pinged an idea at me. I'd really appreciate any feedback! It occurred to me that I get a fair amount of spam which includes phone/fax numbers. It also occurred to me that given a string like

Re: SORBS

2005-11-25 Thread List Mail User
... It seems they have taken leave of their database. The Earthlink mailers have somehow gotten listed in their DUL listings. They are quite positively not DUL based. If SORBS can get this screwed up I'd suggest lowering their scores in the rules files. ===8--- [EMAIL PROTECTED] ~]$ dig

Re: f-secure messaging security gateway x-series??

2005-11-24 Thread List Mail User
... Am Mittwoch, 23. November 2005 23:11 schrieb jdow: From: Mathias Homann [EMAIL PROTECTED] the ProofPoint Spam Detection (TM) module uses the ProofPoint MLX(TM) technology for automated learning (pat.pend.) which in itself doesn't tell ^---

Re: Blacklists and SA

2005-11-23 Thread List Mail User
... Quin Parker wrote: Hello I was wondering if somebody could answer a question I have about SA's use of external blacklists which filter e-mail addresses. As I understand it (please correct me if I'm wrong), SA can be configured to look up lists such as those held on rfc-ignorant.org,

Re: spamcop.net tactics

2005-11-23 Thread List Mail User
... On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote: Hello, I have had to remove spamcop from my rbl check list. they have had some legitimate mail servers listed recently. They had the gentoo mail list listed and some other important servers which i cant see why they were

Impressive - almost 23 points for a blank zombie spam

2005-11-17 Thread List Mail User
Lots of real spam doesn't score this high. 22.9 points on SA 3.0.4. Someone's zombie ratware misfired. Is this some record for points per line - infinite. The only change was to substitute {VICTIM} for the actual account. Paul Shupak [EMAIL PROTECTED] pts rule name

Re: geocities rule?

2005-11-16 Thread List Mail User
... List Mail User wrote: Of course, the originals transmogrify quite quickly and the '/?' was posted a couple of days ago. Actually it was posted a couple weeks ago. About two or three days later I started to get spams without the query string. The rule worked well for a few weeks

Re: Picture based spam

2005-11-16 Thread List Mail User
... Hi, I have setup SA 3.1 under FC4, which is working quite well. However, one type of message that still gets through is a series of mails that are made up of no text other than a varying subject, then a picture, which is black text on white, which looks exactly like an ordinary email.

Re: geocities rule?

2005-11-15 Thread List Mail User
... Unfortunately, I've had plenty of FPs with the basic *.geocities.com.. A lot of enthusiast websites of various sorts are hosted there and my users like to forward around links to them. I wonder what the effect of listing /\w\.\w\w\.geocities\.com\b/ would be? That would only catch the

Re: Blocking on tld and/or HELO with own domain

2005-11-14 Thread List Mail User
... List Mail User a écrit : You're a lot more polite than I am. I prefer: my_domain.tld 550 You're lying - Trying to use my host .my_domain.tld550 You're lying - Trying to use my host I don't wanna risk being sued/beaten by some angry guy:) It's very

Re: geocities rule?

2005-11-13 Thread List Mail User
... Does anyone have a geocities rule that catches most of the spams and has few FPs? Cheers, Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/ Do you want to block the general drug spam, the SoftTab/ED spam, the porn, the penis enhancers or the stock pumpdumps (don't

Re: Blocking on tld and/or HELO with own domain

2005-11-13 Thread List Mail User
... Note that OUR domain is vlaamse-kern.com and that the sender pretends to be vlaamse-kern.com as well! you can add an SA rule, but it's easier to block this in the MTA. I don't use SM, but in postfix, this amounts to creating a file containing things like: vlaamse-kern.com REJECT

Re: spamcop.net MIA?

2005-11-12 Thread List Mail User
... Hi All, This may not be the right forum, but I am unable to contact spamcop.net folks by e-mail. I've noticed that spamcop.net is MIA, when attempting to surf to their site I receive an error message An error occurred while processing your

RE: More spam getting through

2005-11-12 Thread List Mail User
... On Sat, 2005-11-12 at 10:56 -0500, Pierre Thomson wrote: A slightly more compact way to treat the final digit: body PROLO_LEO1 /85\,45|1\,2[12]/ body PROLO_LEO2 /69\,95|3\,3[23]/ New uri showed up today, so the updated rule I use is

RE: More spam getting through

2005-11-09 Thread List Mail User
... List Mail User wrote: ... I believe some people using the SARE rules report ~100 points for them (after half a day or so, they fail every net test, and very many small rules). Also, the typical ones are delivered by zombies, so often the DUL tests hit right away, and if you can afford
