te:
Perhaps it needs a short-message exclusion?
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be
glad to try.
On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning of it, added avoidan
te:
Perhaps it needs a short-message exclusion?
short messages with attachments.
if you have an idea how, I'll be glad to try.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adr
on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)
Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to
ained and gets BAYES_99.
the main problem is lack of safe rules with negative scores.
of course, nothing defeats manual training.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu
Is there a plugin available
for this or how would one go about writing one?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
n's package uses this user for running sa-update from
cron script.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee:
MIXED_AREA_CASE,
and MIXED_IMG_CASE. Despite obviously bad To: and CC: addresses, the only rule
that triggered was paltry:
TO_MALFORMED=0.1
0.1. Seriously? Could we at least get a 0.1 for the CC address also?
apparently they are more eligible for meta rules.
--
Matus UHLAR - fantomas, uh.
01 0.001 0.001
a bug report should do that.
until then, put:
score USER_IN_DKIM_WELCOMELIST -100.000
into your local overrides.
https://pastebin.com/6u4uNnLQ
Ideas greatly appreciated.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e
On 8/20/2021 6:23 AM, Matus UHLAR - fantomas wrote:
it seems that some TLD rules catch strings that are not domains:
* 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
* [URI: ups.mfr.date (date)]
* 5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press,
* .guru
On 2021-08-21 17:50, Matus UHLAR - fantomas wrote:
https://alioth-lists.debian.net/pipermail/nut-upsuser/2021-August/012539.html
* 5.8 KAM_LIST3_1 Likely Mailing List Purveyor Spam
5.8 is way too much
On 22.08.21 11:33, Benny Pedersen wrote:
reduce it locally then
I know how to handle
Hello,
another KAM FP:
https://alioth-lists.debian.net/pipermail/nut-upsuser/2021-August/012539.html
* 5.8 KAM_LIST3_1 Likely Mailing List Purveyor Spam
5.8 is way too much
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail
date
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
I intensively train spams and FPs.
I maintain a few servers, default score is at 5 and reject over 8.
one server without proper training, score is left at amavis default and
reject on 10.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail
e kinda redundant here
!DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU
if message is not signed, then signature can't be valid or invalid. If any
of signatures is valid, the message is signed.
the !DKIM_SIGNED is useless here unless it's a perfor
nt to look at then just focusing on one set
of rules.
to be more precise, I have case where these caused mail to be autolearned as
ham which is even worse than a FN
I tried to filter out other rules that could cause it.
Unfortunately no other rules hit that could avoid training.
Matus UHLAR - fan
On 27.07.21 14:18, David Bürgin wrote:
There is an alternative milter (which I maintain) that adds
all X-Spam-* headers received from spamd.
Matus UHLAR - fantomas:
the original milter does the same. Adds headers from spamd.
However, it does NOT take into account any X-Spam-* headers received
spamd.
However, it does NOT take into account any X-Spam-* headers received from
remote server.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu
STED # yes DKIM, no SPF
meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH
|| ALL_TRUSTED # yes DKIM, yes SPF
shouldn't these contain DKIM_VALID_AU instead?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
0 3600
;; Query time: 130 msec
;; SERVER: 184.173.92.18#53(184.173.92.18)
it has subdomains that do exist and have data tho.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem N
ially at the beginning,
and I couldn't force myself to understand it (multiple times).
Maybe you should start with the easy parts and follow with those more
complicated functionality, because I feel the description starts with the
latter.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fan
Matus UHLAR - fantomas wrote:
I have just checked, both do:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
On 17.07.21 01:08, Jared Hall
Matus UHLAR - fantomas wrote:
Message-ID: <2021071214.horde.zzz...@example.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__
om>
(i have access to a few icewarp servers, I can check that somewhere)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
inside Office documents
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
the KAM.cf takes care of the rest.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukol
art of olevba) to see if the macros are truly malicious.
I will try the OLEVBMacro plugin alongside, thanks for the heads up.
note that standard SA rules don't contain any rule using the OLEVBMacro
functions, but the KAM.cf do.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.
*\@/i
describe FROM_LOCAL_DIGITS From: localpart has long digit sequence
header FROM_LOCAL_HEX From =~ /[0-9a-f]{11}\S*\@/i
describe FROM_LOCAL_HEX From: localpart has long hexadecimal sequence
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk
21:51, Alex wrote:
Would anyone like to help me block this office phish? It includes an
HTML file that presents an O365 login page:
https://pastebin.com/JMSrY6KU
More javascript in an HTML file.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to rece
Matus UHLAR - fantomas:
this is more an issue of how milter itself operates.
the milter is supposed to see e-mail as it was received from (smtp) client -
even without Received: headers, just with other milters' modifications.
If SpamAssassin (SA from now) has to see Authentication-Re
ocal rules.
Unfortunately, much of mail seems to hit DCC_CHECK even they don't look
bulky. 1.1 points for DCC_CHECK is fine here but FSL_BULK_SIG and other
hits pushed mail over required_score.
maybe replacing (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) with DIGEST_MULTIPLE
would be more safe
--
Matus U
mAssassin still does its spam processing. Meaning it's
not a way to skip spam checking for particular recipients.
On 2021-06-04 08:52, Matus UHLAR - fantomas wrote:
however, you can shortcircuit messages matching USER_IN_ALL_SPAM_TO, so
the rest of rules is not applied:
On 04.06
//spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is
On 03.06.21 09:23, Henrik K wrote:
> That's just outdated information. It's fine to scan even 20MB+ messages, it
> just requires some memory.
On Thu, Jun 03, 2021 at 09:32:28AM +0200, Matus UHLAR - fantomas wrote:
and CPU and time...
On 03.06.21 11:14, Henrik K wrote:
Th
03.06.21 09:23, Henrik K wrote:
That's just outdated information. It's fine to scan even 20MB+ messages, it
just requires some memory.
and CPU and time...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to th
this is outside of a SpamAssassin's scope. SpamAssassin's work is to
classify e-mail.
delivering to spam folder is a job of mail delivery agent, that should make
sure mail is delivered to proper user.
If you want to redirect spam to a particular user, you can use e.g. amavisd'
quaranti
it? We cant change the header name as it is
an externally hosted system.
x-\$switch should work, but do you really have headers like this?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto
ons and both have Return-Path equivalent to
X-Envelope-From: and recipients in X-Envelope-To:
I assume amavis only uses X-Envelope-* when picking mail from quarantine and
that Return-Path is not important.
Why it's empty, no idea.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.
Matus UHLAR - fantomas:
Possible workarounds require trusting the Authentication-Results: header
either via SA milter (which would add synthetized Received: header after
it), or via SpamAssassin itself (trust headers added by "host" immediately
after last trusted/internal "Receiv
o re-check SA score for such
e-mail later.
I have tried receiving mail with fake Authentication-Results: header and it
got deleted by opendkim-milter, so opendkim-milter may be trusted for this
setup.
SA would need an option which hosts to trust Authentication-Results: from.
--
Mat
false positives in order
to stop.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
TYPE_WIN1251
header NSL_RCVD_HELO_USER
header REPTO_419_FRAUD
score FREEMAIL_REPLYTO_END_DIGIT 0.25
score MISSING_HEADERS 0.915 1.207 1.204 1.021
score SPF_HELO_NONE 0.001
so you don't have points from body rules.
your mentioned URI_DEOBFU_INSTR is a meta rule:
meta URI_DEOBFU_INSTR __URI_DEOBFU_
rst_part/i
On 08.05.21 15:02, RW wrote:
From: RW
Why would you want to do this? Surely the value in this is "hi"
being followed by an email address - regardless of a match. If anything
the mismatch is more spammy.
Do you mean that "hi rw" is more spammy than "hi rwmai
1:47:43.565 [10847] dbg: rules: ran body rule __KAM_LIST3_3 ==> got hit:
"specific lists"
...seen in the body
May 5 11:47:43.677 [10847] dbg: rules: ran body rule __KAM_LIST3_4 ==> got hit:
"user mailing list"
... in the mail signature:
Nut-upsuser mailing lis
D_PRO')
72_active.cf:enlist_uri_host (SUSP_URI_NTLD_PRO) pro
72_active.cf:header PDS_PRO_TLD
eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
72_active.cf:describe PDS_PRO_TLD .pro TLD
72_scores.cf:score PDS_PRO_TLD 0.999 0.998 0.999 0.998
--
Matus UHLAR - fantoma
nice
If everyone (figuratively speaking, I suppose) is disabling it,
wouldn't it be helpful to define it explicitly or see how it's doing
in masschecks?
It seems like it would be helpful to look at ways mailing lists are
manipulated by spammers more closely and perhaps find some
On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
-1.0 MAILING_LIST_MULTI Multiple indicators imply a
widely-seen list
manager
I have disabled his rule some time ago.
Many spammers use mailing list or their signatures.
On 2021-04-28 11:55, Giovanni Bechis
Domain originates a lot of spam
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
-Spam headers.
therefore I can't explain how a mail with multiple x-spam headers can get to
you.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT
00:07, RW wrote:
>Unless a dynamic pool has been put into the trusted network,
On Thu, 22 Apr 2021 14:15:07 +0200
Matus UHLAR - fantomas wrote:
...which is quite common at ISPs
On 23.04.21 22:35, RW wrote:
I was thinking more of third-party pools. It's better to use
msa_networks anyway, s
ternal_networks?
People said that SA does this by mistake:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255356
Is it a mistake? A bug in SA? Or can something be done to fix this?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail adve
h multiple spaces
whereas a single period doesn't.
generally, it's safer not to allow regular expressions unlimited range, e.g.
\s{1,3}
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie:
.
On 23.04.21 13:05, Steve Dondley wrote:
Are you using postfix? If so, you can do something like this:
submission inet n - y - - smtpd
  -o content_filter=spamassassin
more like "-o content-filter=" so it's turned off, not on.
But that also depends on ho
spam and
ham.
now, train as needed - this one as spam.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998
services."
there's nothing like that inside. The only requirement is to use public DCC
server infrastructure (e.g. share checksums).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: n
M-signed, you have to dkim-sign it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
rowse them.
On the Spamassassin list, I know the person has to be subscribed so I
don't have to CC them. I doubt most mailing lists are smart enough to
CC such non-subscribers on replies.
I don't think it's issue of mailing lists, it should be issue of posters.
--
Matus UHLAR - fan
better the NO_RELAYS as Benny pointed out should only
hit on mail generated in internal network.
The !__LAST_EXTERNAL_RELAY_NO_AUTH I proposed should hit on mail entered
internal network authenticated, which imho means it's an outgoing e-mail.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://
means, so you need
at least one relay, otherwise it won't hit.
Are you sure you need it this way?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek rekla
On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
I understand this as:
if mail was received by internal relay unauthenticated, it's
external,
On 19.04.21 12:49, Bill Cole wrote:
I cannot make SA behave that way.
On 19 Apr 2021, at 13:03, Matus UHLAR - fantomas wrote:
wh
>On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
>> I understand this as:
>>
>> if mail was received by internal relay unauthenticated, it's
>> external,
On 19.04.21 12:49, Bill Cole wrote:
>I cannot make SA behave that way.
On Mon, 19 Apr 2021 19
On 19 Apr 2021, at 11:30, Matus UHLAR - fantomas wrote:
I understand this as:
if mail was received by internal relay unauthenticated, it's external,
On 19.04.21 12:49, Bill Cole wrote:
I cannot make SA behave that way.
why not?
meta KAM_DMARC_REJECT __LAST_EXTERNAL_RELAY_NO
the most direct tactic would be to modify
KAM_DMARC_REJECT to not hit if ALL_TRUSTED is hit.
On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
that would cause problems if you set up trusted_servers to any
foreign server
you trust not to fake headers.
On 19.04.21 09:46, Bill Cole wrote
the most direct tactic would be to modify KAM_DMARC_REJECT to
not hit if ALL_TRUSTED is hit.
On 19 Apr 2021, at 9:26, Matus UHLAR - fantomas wrote:
that would cause problems if you set up trusted_servers to any
foreign server
you trust not to fake headers.
On 19.04.21 09:46, Bill Cole wrote
most direct tactic would be to modify KAM_DMARC_REJECT to not
hit if ALL_TRUSTED is hit.
that would cause problems if you set up trusted_servers to any foreign server
you trust not to fake headers.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to
;t
hit, because it means DMARC pass.
I am not sure how exactly does SPF match:
header SPF_PASS eval:check_for_spf_pass()
I'm not sure SPF should hit for locally submitted e-mail.
however, putting exemption of local mail to KAM_DMARC_REJECT could help us
to accept locally submitted
advice would be appreciated.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.
indicators of server reputation.
using all of them as indication of spamminess is fine, but not enough.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu
.
UCEPROTECTL2 and UCEPROTECTL3 list that IP range.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without
On 12.04.21 16:48, Anders Gustafsson wrote:
I tried to send you examples earlier, but your spam filter blocked my email.
apparently my spam filter works better ;-)
...publishing them on own web, via pastebin or similar service should be better.
Matus UHLAR - fantomas 12.04.2021 12:13
04.21 09:12, Steve Dondley wrote:
Yes. And my SA scores have improved about 100% since I did this.
great.
Now, do you have razor, pyzor and dcc installed and their equivalent SA modules
enabled?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to rece
BS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
have you set up own caching, non-forwarding DNS server?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address
On 12.04.21 11:41, Anders Gustafsson wrote:
A LOT of the SPAM that is not blocked directly by RBLs seem to originate from
LANSET Corporation. Are they a
known spamsource?
do you have examples?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to
rules built into SA are good enough or if pyzor improves the accuracy
of SA enough to be worth the extra cycles to install it and keep it
functional.
What do you think?
enable and install RAZOR and DCC. all of them help.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantoma
st I don't have something
misconfigured before I report 300+ emails. From what I've read in the
emails last week, this would be highly unusual.
2) If I do have that many false positives, I need to figure out how to
bulk report that many of them.
--
Matus UHLAR - fantomas, uh...@fantomas.s
ilter granularity.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
mailto:envelope-from=mau...@gmx.ch> ; receiver=
[...]
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels do
Am 2021-04-08 17:46, schrieb Bill Cole:
On 8 Apr 2021, at 6:25, Matus UHLAR - fantomas wrote:
and there is no undef_whitelist_auth, and the unwhitelist_auth
does NOT work.
It does work in 3.4.5, although if you're not there yet I'd advise
waiting for 3.4.6.
See https://bz.
>On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
>> I prefer to solve problems instead of playing with scores.
>>
>> It seems that abusers have worked around SA by using google domains
>> and addresses for sending spam from.
On 04.04.21 14:19, RW
On 04 Apr 2021, at 05:21, Matus UHLAR - fantomas wrote:
I prefer to solve problems instead of playing with scores.
On 04.04.21 06:35, @lbutlr wrote:
The way that SA solves problems is by changing score values.
The entire foundation of SA is "playing with scores".
I disagree. The
understandable mess.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.
An update to this:
On 04.04.21 12:54, Matus UHLAR - fantomas wrote:
I have received spam from:
From: "Linda marry (via Google Drive)"
it wasn't caught because of:
60_whitelist_auth.cf:def_welcomelist_auth *@google.com
Now that users can abuse google.com domain, isn'
On 04.04.21 13:09, Benny Pedersen wrote:
>change score to 7.5
>change score to -3.5
On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
I prefer to solve problems instead of playing with scores.
It seems that abusers have worked around SA by using google domains
and address
On 2021-04-04 12:54, Matus UHLAR - fantomas wrote:
I have received spam from:
From: "Linda marry (via Google Drive)"
it wasn't caught because of:
60_whitelist_auth.cf:def_welcomelist_auth *@google.com
Now that users can abuse google.com domain, isn't it time to remo
TLD From Google Drive and Reply-To is
* from a suspicious TLD
I even have following in my local.cf to be able to catch google
docs/drive/whatever spam via URIBL:
clear_uridnsbl_skip_domain goo.gl google.com
util_rb_2tld google.com
--
Matus UHLAR - fantomas,
5rIHlvdSwNClhmaW5pdHkgTWFuYWdlbWVudA==
--3k4f1c2=_dmQLapWUlhFkRkERazqcs8FmA0
Content-Type: application/octet-stream;
name="Mar-28 Voicemail.eml"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Mar-28 Voicemail.e
cally expiring out of Bayes, leading to FPs and FNs.
On 17.03.21 22:01, RW wrote:
>It won't do that by default. You would need to have something removing
>the signature hashes from the database.
On Thu, 18 Mar 2021 14:01:28 +0100 Matus UHLAR - fantomas wrote:
oh, yes, i
FPs and FNs.
On 17.03.21 22:01, RW wrote:
It won't do that by default. You would need to have something removing
the signature hashes from the database.
Matus UHLAR - fantomas wrote:
oh, yes, it does:
bayes_auto_expire (default: 1)
If enabled, the Bayes system will
that multiple people reported long delivery time when expiration has
occurred, and it's often recommended to turn this off and do expiration e.g.
from cron job.
BAYES database stored in redis does not have this issue.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warni
e places one false negative is enough to multiple
similar mail from BAYES_50 to BAYES_999
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- H
under root without the '-x' flag (which
disables this behavior).
spamc connects to spamd passing the username to it, so you can override
current user by passing the "-u username" flag to it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT t
problem.
https://bobcares.com/blog/bind-edns/ default edns0 is now 4096, but
sometimes it can only be 512, check logs and read this link
logs of DNS server, like BIND. It can force maximum UDP size to e.g. 1500
i am not a dns expert, sorry
--
Matus UHLAR - fantomas, uh...@fantomas.sk
answer and die on timeout. This not only affects final SA result, but
performance.
Correct Kernel UD tuning solves the problem!
On Tuesday, March 2, 2021, 04:46:08 PM GMT+1, Matus UHLAR - fantomas
wrote:
do you run local resolving (non-forwarding) DNS server?
On Monday, March 1, 2021
It is not a timeout problem: both tcpdump and dns-cache log show immediate
answers to 100% of queries in less than 1 second.
May this be solved in the new AskDns John Hardin mentioned some days ago?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to
On 2021-03-01 11:19, Matus UHLAR - fantomas wrote:
do you want to say, only delegated domains are searched, not
subdomains?
On 01.03.21 15:25, Benny Pedersen wrote:
yes spamassasin works this way
I apparently missed docs about this.
And, frankly, it's apparently not ideal, at least f
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:
How can I make SA to rbl-check for subdomain, not just google.com
domain?
On 28.02.21 15:58, Benny Pedersen wrote:
2nd tld cf file or
On 01.03.21 11:19, Matus UHLAR - fantomas wrote:
do you want to say, only delegated domains are searched
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:
How can I make SA to rbl-check for subdomain, not just google.com
domain?
On 28.02.21 15:58, Benny Pedersen wrote:
2nd tld cf file or
do you want to say, only delegated domains are searched, not subdomains?
https://github.com/spamhaus
up
L_URIBL_FANTOMAS DNSBL:google.com:rhsbl.fantomas.sk
How can I make SA to rbl-check for subdomain, not just google.com domain?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVA
Hello,
it seems that BIGNUM_EMAILS on signatures containing e-mail address after
telephone number like:
Mobil: +421 904 000 111
e-mail: addr...@example.com
Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==> got hit:
"000 111 e-mail"
--
Matus UHLAR -
at: https://github.com/telecom2k3/CHAOS
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for
On 21-01-31 12:58:48, Axb wrote:
Cisco forgot to renew spamcop.net
Registry Expiry Date: 2022-01-30T05:00:00Z
On 31.01.21 12:02, Georg Faerber wrote:
That's still one year to go, isn't it?
Den 31-01-2021 kl. 15:35 skrev Matus UHLAR - fantomas:
seems that this has been ov
On 31.01.21 15:43, Axb wrote:
On 1/31/21 3:35 PM, Matus UHLAR - fantomas wrote:
On 31.01.21 12:02, Georg Faerber wrote:
On 21-01-31 12:58:48, Axb wrote:
Cisco forgot to renew spamcop.net
Registry Expiry Date: 2022-01-30T05:00:00Z
That's still one year to go, isn't it?
seems tha