Re: OT: Microsoft Breech

2024-03-19 Thread Michael Storz
On 2024-03-19 14:51, Thomas Cameron wrote: Does anyone else just block all traffic from *.onmicrosoft.com? I have literally NEVER gotten anything from that domain which is not obvious junk. We block and have a whitelist with 49 entries at the moment. Michael

Re: google.com spam

2021-04-08 Thread Michael Storz
On 2021-04-08 17:46, Bill Cole wrote: On 8 Apr 2021, at 6:25, Matus UHLAR - fantomas wrote: and there is no undef_whitelist_auth, and the unwhitelist_auth does NOT work. It does work in 3.4.5, although if you're not there yet I'd advise waiting for 3.4.6. See

Re: google.com spam

2021-04-08 Thread Michael Storz
On 2021-04-08 17:26, Bill Cole wrote: On 8 Apr 2021, at 8:04, Matus UHLAR - fantomas wrote: On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote: I prefer to solve problems instead of playing with scores. It seems that abusers have worked around SA by using google domains and

Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Michael Storz
On 2021-02-20 08:58, Dominic Raferd wrote: Is there a rule to catch cases where the domain of the Reply-To header is a subtle variant on that in the To header. Take this (real) example from a phishing email sent yesterday: From: "Karen Howard" Reply-To: "Karen Howard" I realise that other

Re: Why is SENDGRID_REDIR score so high?

2020-09-16 Thread Michael Storz
On 2020-09-16 05:28, John Hardin wrote: On Tue, 15 Sep 2020, Mark London wrote: Hi - I receive email from spiceworks.com help desk, which are sent via sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score, which is 3.4 ? Thanks. - Mark They trigger the rule because they

Re: Bitcoin ransom mail

2019-12-10 Thread Michael Storz
On 2019-12-10 19:03, Joseph Brennan wrote: A user here reported a new twist on the bitcoin ransom mail. New to me, anyway. From: Casper Mitten Sent: Monday, December 9, 2019 10:00 PM The Subject was a single word, supposedly a password. The message was a jpg picture of text. Although it

Re: From:name spoofing

2018-02-17 Thread Michael Storz
On 2018-02-17 00:46, Amir Caspi wrote: On Feb 16, 2018, at 4:41 PM, John Hardin wrote: Not necessarily safe. If your MTA receives a message without a Message-ID, it is supposed to generate one. And if it does so, it will probably do so using your (recipient) domain...

Re: From:name spoofing

2018-02-17 Thread Michael Storz
On 2018-02-17 00:41, John Hardin wrote: On Fri, 16 Feb 2018, Michael Storz wrote: On 2018-02-15 19:27, David Jones wrote: We have covered this issue a few times recently on this list but I don't think anything definitive was ever decided or recommended to detect and block this sort

Re: From:name spoofing

2018-02-16 Thread Michael Storz
On 2018-02-15 19:27, David Jones wrote: We have covered this issue a few times recently on this list but I don't think anything definitive was ever decided or recommended to detect and block this sort of spoofing: https://pastebin.com/juXLD8vr This appears to be a spoofed email from a

Re: maillist.pm module ?

2017-12-22 Thread Michael Storz
On 2017-12-22 12:04, Axb wrote: On 12/22/2017 10:58 AM, Michael Storz wrote: On 2017-12-21 18:08, Axb wrote: On 12/21/2017 05:20 PM, Benny Pedersen wrote: RW wrote on 2017-12-21 17:12: On Thu, 21 Dec 2017 16:40:13 +0100 Benny Pedersen wrote: is this plugin used at all ? i see

Re: maillist.pm module ?

2017-12-22 Thread Michael Storz
On 2017-12-21 18:08, Axb wrote: On 12/21/2017 05:20 PM, Benny Pedersen wrote: RW wrote on 2017-12-21 17:12: On Thu, 21 Dec 2017 16:40:13 +0100 Benny Pedersen wrote: is this plugin used at all ? i see freemail defines __ml why does it not use maillist.pm to detect maillists ? asking

Re: FROM header with two email addresses

2017-10-04 Thread Michael Storz
On 2017-10-02 19:43, David Jones wrote: On 09/27/2017 09:52 AM, Kevin A. McGrail wrote: I recently stumbled onto a mail with a Spam link where the FROM header field looked like this: From: "Firstname Lastname@" sendern...@real-senders-domain.com> Jakob, just wanted to let you know I

Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz
On 2017-07-26 17:22, Dianne Skoll wrote: On Wed, 26 Jul 2017 17:15:43 +0200 Michael Storz <michael.st...@lrz.de> wrote: [...] /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/ You may get FPs. See for example https://supportcenter.checkpoint.com/supp

Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz
On 2017-07-26 15:08, Dianne Skoll wrote: On Tue, 25 Jul 2017 08:36:22 -0400 Dianne Skoll wrote: All of the URLs match this pattern: /\/[A-Z]{4}\d{6}\/$/ We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match: uri

Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
Are there any plans for a DMARC plugin for SpamAssassin? Reacting to a DMARC policy of reject (AOL/Yahoo) seems only feasible with SpamAssassin because so many exceptions are needed for software which destroys DKIM signatures: - mailing lists - MS Exchange - Novell GroupWise - Lotus Domino

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 10:23, Axb wrote: On 04/30/2014 10:10 AM, Michael Storz wrote: Are there any plans for a DMARC plugin for SpamAssassin? Reacting to a DMARC policy of reject (AOL/Yahoo) seems only feasible with SpamAssassin because so many exceptions are needed for software which destroys DKIM

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 11:00, Axb wrote: On 04/30/2014 10:30 AM, Michael Storz wrote: On 2014-04-30 10:23, Axb wrote: On 04/30/2014 10:10 AM, Michael Storz wrote: Are there any plans for a DMARC plugin for SpamAssassin? Reacting to a DMARC policy of reject (AOL/Yahoo) seems only feasible

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 11:08, Tom Hendrikx wrote: On 04/30/2014 11:00 AM, Axb wrote: On 04/30/2014 10:30 AM, Michael Storz wrote: On 2014-04-30 10:23, Axb wrote: On 04/30/2014 10:10 AM, Michael Storz wrote: Are there any plans for a DMARC plugin for SpamAssassin? Reacting to a DMARC policy

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 11:33, Jim Popovitch wrote: On Apr 30, 2014 5:09 AM, Tom Hendrikx t...@whyscream.net wrote: On 04/30/2014 11:00 AM, Axb wrote: On 04/30/2014 10:30 AM, Michael Storz wrote: On 2014-04-30 10:23, Axb wrote: On 04/30/2014 10:10 AM, Michael Storz wrote: Are there any

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 12:10, Django [BOfH] wrote: HI! On 30.04.2014 11:14, Axb wrote: Seems to me that amavisd-new would be the better place to handle this You need a mail filter, which can see (!) SPF-Auth and DKIM-Auth while DMARC is checking both results. So the only really good and best

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 12:23, Axb wrote: On 04/30/2014 12:10 PM, Django [BOfH] wrote: HI! On 30.04.2014 11:14, Axb wrote: Seems to me that amavisd-new would be the better place to handle this You need a mail filter, which can see (!) SPF-Auth and DKIM-Auth while DMARC is checking both

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 12:58, Axb wrote: On 04/30/2014 12:50 PM, Michael Storz wrote: On 2014-04-30 12:23, Axb wrote: On 04/30/2014 12:10 PM, Django [BOfH] wrote: HI! On 30.04.2014 11:14, Axb wrote: Seems to me that amavisd-new would be the better place to handle this You need a mail filter

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 13:15, Mark Martinec wrote: On 04/30/2014 10:10 AM, Michael Storz wrote: Are there any plans for a DMARC plugin for SpamAssassin? Reacting to a DMARC policy of reject (AOL/Yahoo) seems only feasible with SpamAssassin because so many exceptions are needed

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 13:36, Kevin A. McGrail wrote: On 4/30/2014 7:15 AM, Michael Storz wrote: Thanks, your answers are very helpful for solving the problems we are facing. On a related note, if you need, I did implement a modification routine for mailman in mimedefang. Code published at http

Re: Plans for a DMARC plugin ???

2014-04-30 Thread Michael Storz
On 2014-04-30 14:30, Mark Martinec wrote: I agree that a DMARC SpamAssassin plugin would be valuable. Michael Storz wrote: How about implementing it in Amavisd-new in addition (I couldn't resist to ask here too :-) I think it more naturally fits into SpamAssassin, contributing to the final

false positives by FREEMAIL_FORGED_REPLYTO

2014-04-24 Thread Michael Storz
Since Yahoo and AOL have moved to a DMARC policy of reject, mail senders are changing the way they are sending their emails. Instead of using the email address of a user in RFC5322.From they use their own address and put the address of the user in the Reply-To field. FREEMAIL_FORGED_REPLYTO

Re: false positives by FREEMAIL_FORGED_REPLYTO

2014-04-24 Thread Michael Storz
On 2014-04-24 12:58, Axb wrote: On 04/24/2014 12:52 PM, Michael Storz wrote: Since Yahoo and AOL have moved to a DMARC policy of reject, mail senders are changing the way they are sending their emails. Instead of using the email address of a user in RFC5322.From they use their own address

Re: false positives by FREEMAIL_FORGED_REPLYTO

2014-04-24 Thread Michael Storz
On 2014-04-24 13:27, Axb wrote: On 04/24/2014 01:22 PM, Michael Storz wrote: On 2014-04-24 12:58, Axb wrote: On 04/24/2014 12:52 PM, Michael Storz wrote: Since Yahoo and AOL have moved to a DMARC policy of reject, mail senders are changing the way they are sending their emails. Instead

Re: false positives by FREEMAIL_FORGED_REPLYTO

2014-04-24 Thread Michael Storz
On 2014-04-24 14:31, Axb wrote: On 04/24/2014 02:20 PM, Michael Storz wrote: On 2014-04-24 13:27, Axb wrote: On 04/24/2014 01:22 PM, Michael Storz wrote: On 2014-04-24 12:58, Axb wrote: On 04/24/2014 12:52 PM, Michael Storz wrote: Since Yahoo and AOL have moved to a DMARC policy

Re: false positives by FREEMAIL_FORGED_REPLYTO

2014-04-24 Thread Michael Storz
On 2014-04-24 16:11, Benny Pedersen wrote: Michael Storz wrote on 2014-04-24 15:22: I have answered that already, why this is not a good idea. so freemail_whitelist *@linkedin.com ? Does not work: rule: meta FREEMAIL_FORGED_REPLYTO __freemail_hdr_replyto !FREEMAIL_FROM