s)|rank well on
[a-z]+\b'
Thanks. - Mark
Matus - Oops! I had installed a new email server last year, running
Ubuntu, and I didn't realize by default, updating is off.
After updating, I see that we are getting blocked by RCVD_IN_VALIDITY.
My bad. Thanks very much! - Mark
On 11/14/2024 8:44 PM, uh...@fantomas.sk wrote:
FWIW, Today I discovered that RCVD_IN_VALIDITY_CERTIFIED,
RCVD_IN_VALIDITY_RPBL, and RCVD_IN_VALIDITY_SAFE, were being triggered
for every email that our server received. I do not use a public DNS
server. I disabled all of them. Strange. - Mark
0 PM, Grant Taylor via users wrote:
On 7/17/24 18:04, Matija Nalis wrote:
I.e. would you consider it to be significantly less likely to be spam
if it contained "Dear Elizabeth," while being addressed to
"mark@domain" instead of to "elizabeth@domain" ?
I've see
Does anyone have a rule to detect "Dear xxx," in the body of the
message, where the "To:" address is xxx@domain?
We've been getting phishing email sent to us with variations of that.
Hi, Dear, etc, followed by the username of the address.
Thanks. - Mark
Alex - Check out the FROM_FMBLA_NEWDOM rules. Are you seeing any emails
hitting them?
In my case, URIBL_RHS_DOB is no longer working at all. Is this still
working? - Mark
On 7/8/2024 5:13 PM, Alex wrote:
Hi,
I'm seeing emails from smartlendingclub dot com getting through that
Bill - Thanks for the response. As an aside, it would be nice (though
impossible?) for a spam filter to be more suspicious of emails coming
from a new email address, that is not in my Sent folder or my Inbox.
FWIW. - Mark
On 6/25/2024 11:21 AM, Bill Cole wrote:
Mark London
is rumored to
d reverse lookups. But the
number getting blocked, is still huge.
On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct. All the IP sources of this spam, don't have a
valid reverse lookup of the IP address, to an IP name. That
Marc - You are correct. All the IP sources of this spam, don't have a valid
reverse lookup of the IP address, to an IP name. That will solve my
problem. Thanks! - Mark
On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a lot of such
networks.
ams have. So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received. This didn't help. I'm curious if anyone is
noticing this spam. Thanks. - Mark
This takes a while (afaik months at least).
reject emails with a very high spam,
which these spams have. So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received. This didn't help. I'm curious if anyone is
noticing this spam. Thanks. - Mark
z
Sorry, I didn't change the subject line when I posted this.
On 9/29/2023 12:41 PM, Mark London wrote:
Hi - Can anyone tell me why the following email header triggered
DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line?
Strangely, if I run spamassassin from the command l
On 9/29/2023 1:47 PM, Reindl Harald (gmail) wrote:
Am 29.09.23 um 19:37 schrieb Bill Cole:
Strangely, if I run spamassassin from the command line on the
message, DKIM_SIGNED is not triggered. SpamAssassin version 3.4.6
Oh. So you've let a piece of security software go most of year after
th
-Spam-Level header, as I have some customized
rules.) Thanks. - MARK
Received: from SRV-EXCHANGE.sdis58.local
(static-css-csd-160189.business.bouyguestelecom.com [176.162.160.189])
by simplerelay.pulsation.fr (Postfix) with ESMTPS id 644B1203A3E3;
Fri, 29 Sep 2023 04:56:31
Dropbox now has an invoice feature, that allows you to create a customized
invoice. So what this person did was to create an invoice that looks like it’s
coming from PayPal. Except for the fact that the From address shows it is
coming from Dropbox.
Months ago I saw a similar problem with f
I’ve never seen a false positive with USER_IN_DEF_SPF_WL.
> On Mar 20, 2023, at 1:48 PM, Reindl Harald wrote:
>
>
>
>> Am 20.03.23 um 18:44 schrieb Mark London:
>> It seems like it is too high a negative score.
>
> then adjust it in local.cf
>
> the poin
It seems like it is too high a negative score.
On 3/20/2023 1:24 PM, Reindl Harald wrote:
Am 20.03.23 um 18:17 schrieb Mark London:
Can someone tell me why this paypal phishing email, managed to
trigger USER_IN_DEF_SPF_WL?
Or put it another way. Why wasn't it detected as a phishing
Can someone tell me why this paypal phishing email, managed to trigger
USER_IN_DEF_SPF_WL?
Or put it another way. Why wasn't it detected as a phishing email? Thanks.
Received: from a39-208.smtp-out.amazonses.com
(a39-208.smtp-out.amazonses.com [54.240.39.208])
by PSFCMAIL.MIT.EDU (8.14.7/
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my
email, because there is no List-Id. The email actually came from a
microsoft account. - Mark
header __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
header __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
h
t the
bottom. And they left the postal address of amazon, without the word
amazon.
I hate bogus spam that is so obviously bogus that it avoids filter
rules. :) - Mark
On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org wrote:
Subject:
Re: Maybe it's time to revive EvilNum
My site is getting a lot of spam that is getting past spamassassin.
Because it has a phone number to call, and rather than a link to login
using username and password. Mostly fake amazon purchases. They are
getting past a lot of URL block lists because of that. FWIW. - Mark
Hi - I receive email from spiceworks.com help desk, which are sent via
sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score,
which is 3.4 ? Thanks. - Mark
Terms and Conditions:
https://u2752257.ct.sendgrid.net/ls/click?upn
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
- Mark
Can we start a separate mailing list for people to discuss this issue elsewhere?
"As programmers, our day to day work doesn’t typically present us with
opportunities to take a stand against racism. Situations like this are
opportunities to be the change we want to see. When you get that
opportunity and you don’t act, or even worse, you defend the status quo."
That quote wa
hanging the names by many others. For example, I found:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
So this issue is nothing new, and the arguments on this issue, that have
been occurring on this mailing list, have already occurred.
- Mark
On 7/10/2020 7:18 PM, Marc Roos wrote
Spamassassin is not alone.
https://www.google.com/search?q=whitelist+blacklist&rlz=1C1CHBD_enUS893US893&sxsrf=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351&source=lnms&tbm=nws&sa=X&ved=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw&biw=1008&bih=5900
of __BITCOIN_ID needs to updated to include this
format. Thanks.
- Mark
a "1" in it:
For sure figure 1 is convincing that nqR is a good organising
Maybe this rule needs tweaking? Thanks.
- Mark
ic we were receiving, I'm surprised it didn't
show up sooner on the other RBLs.
Thanks. - Mark
Is PDS_TONAME_EQ_TOLOCAL_SHORT new? I see it hitting real emails here, but
hitting no spam emails. Thanks.
- Mark
Sent from my iPhone
I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS
is mostly hitting real emails at my site 1168 real emails versus 219 spam
mls. Luckily, the score is not high, to be making any difference.
FWIW. - Mark
test for short non-html emails that only have utf-8
characters and a single link at the bottom of the email.
Sent from my iPhone
> On Jul 2, 2019, at 8:42 AM, Kevin A. McGrail wrote:
>
> Mark, can you put a sample up on pastebin? That looks like ASCII hex but
> ending up with U
Hi - I'm trying to filter emails that have only special characters in
them. Like the text of the following email. Thanks. - Mark
- =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9C=E1=B4=87=E1=B4=8D=E1=B4=80=CA=9F=E1=
=B4=87s =E1=B4=9B=E1=B4=8F s=E1=B4=9C=E1=B4=84=E1=B4=8B =E1=B4=9B=CA=9C=E1=
=B4=
Does anyone have any rules that can catch this type of obfuscated spam?
https://pastebin.com/qi8dsREW
Thanks. - Mark
\W*\S+\@psfc.mit.edu,/i
And that works. although I don't know why I need the \W*. But,
whatever! Never mind. - Mark
On 12/20/2018 12:30 PM, Mark London wrote:
Hi - What's the best rule to catch email with multiple addresses in the From:
line? I realize that rfc2822 allows it. But the only e
ALL =~ /From: \S+\@psfc.mit.edu,/i
It's still not triggered. Any ideas? Thanks. - Mark
a bitcoin address in it. :) - Mark
--
I've got a personal webpage that includes all types of products and
ser
This email hit the new (to me) BITCOIN_PAY_ME rule. Never ending fun. 😟
Begin forwarded message:
> From: "Broaddus Walther"
> Date: December 17, 2018 at 1:49:04 PM EST
> To: m...@psfc.mit.edu
> Subject: You should definitely go through this before something negative can
> happen 17.12.2018 08:
Sorry, I cut off the full URL. It should have been:
https://pastebin.com/5ASMFahi
On 12/12/2018 12:16 PM, Mark London wrote:
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
that rule
is disabled (score = 0). Without that, the email would have gotten
through.
Rule T_MIXED_ES was triggered. But that rule has too many false
positives to be of any use (IMHO, from looking at my spam logs).
Thanks! - Mark
The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe
it needs updating? - Mark
On 12/5/2018 11:19 AM, Mark London wrote:
No longer just embedded =9D characters.
From: =?utf-8?B?bmlnaHRt0LByZQ==?=
To:
Subject: You are my victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME
No longer just embedded =9D characters.
From: =?utf-8?B?bmlnaHRt0LByZQ==?=
To:
Subject: You are my victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="a0d0993ce53319101c19af03d5311b0976b26b"
X-Scanned-By: MIMEDefang 2.79 on 18.18.166.1
to be limited right now, to a few (one?) spammer, who
is presently using it in their porn blackmail spam.
- Mark
Forwarded Message
Subject:[OFF-list] 9D character used in words to avoid detection
Date: Sat, 17 Nov 2018 15:42:08 -0600
From: Chip M.
To: Mark London
Mark, could you post a full spample to the SA list?
Thanks in advance!
"Ch
John & Kevin - Thanks for the rules! This tactic was used in a porn
blackmail spam. Considering that we are currently receiving a
large amount of those types of spams, it might be possible that this
tactic might catch on. Or not! We'll see. - Mark
On 11/17/2018 8:23
?
Thanks.
Mark
nd say "No, I'm not
fine, and we can't talk". But I doubt that will resolve the issue. :)
I'm just curious if anyone else has encountered this. Thanks. - Mark
ot; \<\S+\@\S+\>/
header BAD_2FROM_ALLALL =~ /From: \"[\S ]+\<\S+\@\S+\>" \<\S+\@\S+\>/
Here's the full header. Thanks. Mark
Received: from mail.wtf.net (mail.wtf.net [66.202.56.170])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id w8DCLlXe0172
On 6/28/2018 1:46 PM, users-digest-h...@spamassassin.apache.org wrote:
Subject:
Re: Using UTF-8 characters to avoid spam filter rules.
From:
RW
Date:
6/26/2018 12:12 PM
To:
users@spamassassin.apache.org
On Tue, 26 Jun 2018 00:33:11 -0400
Mark London wrote:
Hi - Some of the words in the
here any rule I can use, to detect messages that are mostly plain ASCII
characters, but are using enough UTF-8 characters, that obviously have
been put in to avoid spam rules? Thanks. - Mark
Forwarded Message
Subject:GKJ: [x...@mit.edu] 26.06.2018 03:39:27 You can easi
er case letters? Thanks. - Mark
MIME-Version: 1.0
From: c...@nmlc.com
To: markrlon...@gmail.com
Date: Sun, 31 Dec 2017 18:42:25 CET
Subject: Never Pay For Covered Home Repairs Again-Best deal of the year,
Iimited-Time*Njvt
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
On 12/11/2017 10:59 AM, Reindl Harald wrote:
Am 11.12.2017 um 16:44 schrieb Mark London:
I'm getting a lot of flakey spam messages, that don't trigger any
significant spamassassin rules, even though it obviously looks really
bogus.
Here's an example. Any suggestions?
https
ded to my
work address I tried stripping off all the forwarding headers, but it
doesn't trigger any RBLs
Thanks for any help.
- Mark
meta rules that combine __HTML_IMG_ONLY with the RBLs, and I've found
that to be useful. But for some reason, __HTML_IMG_ONLY does not
include HTML_IMAGE_ONLY_32. Is there any reason that this was left out?
- Mark
Sent from my iPhone
> On Nov 18, 2017, at 5:29 PM, RW wrote:
>
> On Sat, 18 Nov 2017 15:46:16 -0500
> Mark London wrote:
>
>> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email
>> address like this:
>>
>> mqsjkeqgy...@sina.com
>>
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email
address like this:
mqsjkeqgy...@sina.com
But it doesn't. Yet it does trigger on this:
dxn...@sina.com
Curious.
- Mark
not sure if all of these are currently in use, but:
txt.voice.google.com
mms.att.net
tmomail.net
vzwpix.com
vtext.com
On 10/24/17 10:09 AM, Marc Perkel wrote:
> Does anyone have a cell phone network list of host names where email
> from cell phones might be coming from? So far I have:
>
> my
fficial rule to test for invalid double addresses? Do I
need to open a ticket? - Mark
header __FROM_QUOTES From =~ /"/
header __FROM_MAYBE_SPOOF From:name =~ /\w@\w/
meta __FROM_SPOOF __FROM_MAYBE_SPOOF && !__FROM_QUOTES
describe __FROM_NAME_CONTAINS_A
Hi - Sorry if this has been discussed before. I'm seeing a lot of html
spam with a few links, followed by a line that just contains
yed for too long a time period.
Mark London
Natick, May
I'm not using dns forwarding.
Sent from my iPhone
> On Dec 6, 2016, at 5:13 PM, Reindl Harald wrote:
>
> get rid of dns forwarding and use dns servers with *real* recursion, that
> topic makes people sick after so many years
>
>> Am 06.12.2016 um 22:58 schrieb Mark
anged? Thanks. - Mark
This was a email message sent to my markrlon...@gmail.com account. Note
the hostname of markrlondon23474.seksizlex.co! - Mark
SrC="markrlondon23474.seksizlex.co/PFDWKUMKLVZ-NNHSLPKXP!uvobp/ralzgcsh~v/460142604-11776440226-8559896522279839070966966999minh9795dx9n/cazhla-db00zaabb/NZ
ges,
then reload amavisd and grep through the log:
tail -f /var/log/amavisd-debug.log | egrep '(TxRep|auto-whitelist): '
Mark
On 6/8/2016 1:20 PM, John Hardin wrote:
On Wed, 8 Jun 2016, Mark London wrote:
Hi - We received an email with several large postscript attachments,
and the content type was "text/plain". This caused our spamassassin
server to use up 100% CPU, parsing the attachments as
I prevent this in the future? I know about the time limit
feature, but this doesn't prevent the server from running 100% of the
time, before the time limit is reached. Any suggestions? Thanks. - Mark
Content-Transfer-Encoding: base64
Content-Type: te
two minutes.
Mark
Btw, the fix for:
"each on reference is experimental at ..."
"keys on reference is experimental at
/usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm"
is at Bug 7208:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7208
Mark
On 2015-12-18 16:29, Axb wrote:
On 12/18/2015 04:17 PM, Mark Martinec wrote:
On 2015-12-17 22:41, Axb wrote:
could you make a version using redirector_pattern so the redirected
target can be looked up via URIBL plugin?
Isn't this already the case? Redirect targets are added
to a list of
On 2015-12-17 22:41, Axb wrote:
could you make a version using redirector_pattern so the redirected
target can be looked up via URIBL plugin?
Isn't this already the case? Redirect targets are added
to a list of URIs and are subject to same rules as
directly collected URIs.
Mark
# spamassassin -D -t < p2 2>&1 | grep baddomain
p2 doesn't pick up on baddomain.com
Any thoughts or have I stumbled upon a problem?
Two problems there, one is in your regexp, the other is in
the SpamAssassin logic of dealing with redirects.
The parameter of redirector_pattern is a r
from a svn 3.4 branch
( svn checkout http://svn.apache.org/repos/asf/spamassassin/branches/3.4
spamassassin-3.4 )
or downgrade Net::DNS to a pre-1.* version (i.e. 0.83).
Mark
ts. The changes brought by 1.03
affected SpamAssassin on two fronts, both are due to an
incompatible API change in Net::DNS: different object class
expected by bgread (which affected a handful of other
Perl modules too), and a change in semantics of "retry" and
"retrans" options, which affected DKIM plugin.
Mark
Anyway, an ASN test would fail on mailing list mail by google senders.
A DKIM test would also likely but not necessarily fail in such mail,
depending how a mailing list is configured. For example this
SpamAssassin mailing list preserves DKIM signature validity just fine.
Mark
ocs say:
bgread
Reads the answer from a background query (see "bgsend").
The argument is an "IO::Socket" object returned by "bgsend".
To me, this is an incompatible documented change - not something
one would expect in an 1.02 -> 1.03 update.
Mark
ine 735.
There is a CPAN ticket open for this:
https://rt.cpan.org/Public/Bug/Display.html?id=108745
Please stick to Net::DNS 1.02 until this is resolved.
Mark
eoIP.dat and GeoIPv6.dat there.
Mark
e are also other tricks that a spammer can't play.
It's not possible to emulate all different behaviours of
various mail reading programs. Still, in the case we have
it would make sense to try also the utf-16le, since this is
a default endianness in Windows.
Mark
UTF-16BE or UTF-16LE, and there is no BOM mark at the
beginning of each textual part, so endianness cannot be
determined. The RFC 2781 says that big-endian encoding
should be assumed in absence of BOM.
See https://en.wikipedia.org/wiki/UTF-16
In the provided message the actual endianness is LE, and
BO
flags to spamd:
spamd_enable="YES"
spamd_flags="-s local5"
spamd_command_args="-d -A [2a03:6000:::xxx] -u spamd -x -q -r
${pidfile}"
But after the update the line "spamd_command_args" seems to be ignored.
Put all command line options for spamd in spamd_flags.
Mark
://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
Mark
Not to forget the fix at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
which is also needed with Net::DNS 1.01 or later.
Already cherrypicked in the FreeBSD port of SpamAssassin:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202283
Mark
=7208
fix in revision 1684653:
https://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URILocalBL.pm?r1=1684653&r2=1684652&pathrev=1684653
Mark
le of
your Received header field (which is perfectly valid
according to RFC 5321).
Mark
was added _after_ a message went through a content filter.
Remove it and re-try the command-line spamassassin test in the message.
Mark
time by SpamAssassin, or explicit expiration runs, e.g. from
a cron job. With these traditional back-ends the bayes_token_ttl
setting has no effect.
and has spawned a whole subculture of solutions and work-arounds
Indeed. These mostly pre-date the availability of a Redis back-end.
Mark
Jim Barber wrote:
From: Mark Martinec [mailto:mark.martinec...@ijs.si]
Are you using some third-party SpamAssassin plugin that relies on the
deprecated subroutine Mail::SpamAssassin::Util::uri_to_domain ?
I'm getting the same error:
May 15 12:34:41 smtp-syd mimedefang-multiplexor[
warning (the 'Undefined subroutine').
Mark
ven though these are two
independent issues).
Mark
sassin::Logger;
+use Mail::SpamAssassin::Util::RegistrarBoundaries; # deprecated
BEGIN {
===
Mark
ignatures,
which are also pre-computed by amavisd on the complete (non-truncated)
pristine message, and passed to SpamAssassin for use in the DKIM
plugin.
Mark
27;);
The CPU usage is obtained by calling Unix::Getrusage .
Mark
ilities can
be provided and is passed to the 'debug' argument of SA.
Mark
much use to the general public.
The requirement for timing can be requested by an application using
the SpamAssassin library. Currently amavisd does turn it on and
the SpamAssassin timing report is included in the amavisd log,
but the spamd does not include the timing report in its log.
Mark
> On May 2, 2015 7:08:10 PM Mark Martinec wrote:
>> > May 2 06:45:29 sunshine spamd[22293]: Use of uninitialized value
>> > $hasStructureInfo in numeric eq (==) at (eval 46) line 5520.
>>
>> This one seems to come from a module Geo::IP, called from a
score should be 0.01
by default. Make sure the sa-update has provided an up-to-date
version of rules.
Mark
-zero.
There must be some problem with assigning a score to
such test rule (the 1.0 is a default value if a score line
is missing).
An invalid or unverifiable DKIM signature is supposed to be
treated equivalent to a missing signature.
Mark
this before, but I did check for any leftover PID files (none
exist). I also rebooted our system, to no avail. Going to attempt
downgrading to see if that fixes the bug.
spamd --debug
Mark