Header handling question

2011-04-29 Thread NFN Smith
One of my spamtraps is getting a lot of traffic of messages with Facebook and Twitter URLs. This is content that is coming from Yahoo servers, although shows non-Yahoo return addresses, and some portion have missing subject lines. On further inspection, I find that the MISSING_SUBJECT, and in

Re: Rule works in testing, but not hitting live mail

2010-10-30 Thread NFN Smith
Lawrence @ Rogers wrote: Are you running it against an e-mail with a known match? Using spamassassin -D -t sample-spam.txt and having sample-spam.txt contain the complete e-mail including headers? Yes, it's a known match. I can take a full copy of a received message (with headers, although m

Re: Rule works in testing, but not hitting live mail

2010-10-29 Thread NFN Smith
Lawrence @ Rogers wrote: On 29/10/2010 3:32 PM, NFN Smith wrote: header LR_OBSC_RECIPS To =~ /\"\<\"/ Is this rule being used standalone, or as part of a meta rule? Do you have a score declared for it? If so, what is it? Right now, I'm scoring at 1.25 points.

Rule works in testing, but not hitting live mail

2010-10-29 Thread NFN Smith
I'm seeing some amount of traffic with obfuscated content in To: lines, where the display name is shown as an angled bracket. For example: To: "<" I've been playing with a rule to identify this particular pattern (and score in metas): header LR_OBSC_RECIPS To =~ /\"\<\"/ When r

Re: russian spam with only two lines in the body

2010-08-27 Thread NFN Smith
Martin Gregorie wrote: Alternatively, using a meta rule that combines the above pattern as a sub-rule with two like this: /[a-z]{7,8}[0-9]{4}/ that match against From: and Reply-To: headers would appear to be fairly specific and worthy of a big score, but of course you'll have spotted that a

Re: spam score limit adivse

2010-06-04 Thread NFN Smith
aquero wrote: Hi, What is the maximum allowed spam score value for a legitimate mail? What value should i set as the spam score limit? On my own servers, I lean towards being a little extra conservative. I don't tag subject lines until the score reaches 6. However, if the score gets to

Bayes implementation questions

2010-06-03 Thread NFN Smith
After using SpamAssassin for a number of years, I'm finally getting around to implementing Bayesian filters. For my particular setup, the bulk of my users are non-technical users who make POP connections (although there are some that use IMAP clients, both offline and webmail). Thus, I'm want

Re: Spam volumes down since last week

2008-06-24 Thread NFN Smith
Randy Ramsdell wrote: Our spam levels are 1/2 to 1/3 of what they were two weeks ago. Also, virus e-mails are also very very low. Low enough for me to start reviewing the e-mail logs for anomalies. The volume hitting my traps is significantly down, although a few days ago, I quit trapping fo

Re: office rule

2008-04-03 Thread NFN Smith
mouss wrote: ... The approach is flawed. a single word shouldn't be enough to tag mail as spam. Furthermore, even checking for word boundaries may not help a lot on the OEM spammers. Several of them do quite a bit of obfuscation work to try to bypass simple filtering that the OP is askin

Re: tmp file handling

2008-03-27 Thread NFN Smith
Kris Deugau wrote: NFN Smith wrote: I'll check the MD archives for release notes, and see what's in the Testing branch. Just checked the changelog; there was a fix for this in MD 2.63 upstream: Yep. I found that shortly after I posted. Backporting the Debian package s

Re: tmp file handling

2008-03-27 Thread NFN Smith
Jason Bertoch wrote: I just discovered that over the last several weeks, I'm getting an accumulation of hidden .spamassassin temporary files accumulating in /tmp, that aren't getting deleted, and as a result, that volume is filling up. There was a version upgrade to SpamAssassin some time a

tmp file handling

2008-03-27 Thread NFN Smith
I'm currently running spamassassin 3.2.1-1~bpo.1 from the Debian etch-backports branch (yes, I know that backports now has 3.2.4 available, and I'll be upgrading shortly). On my installation, I'm calling SpamAssassin from MIMEDefang, and so I'm not running spamc and spamd. I just discovered

Re: Cyrillic spam

2008-03-19 Thread NFN Smith
Michael Hutchinson wrote: -Original Message- From: Mike Pepe [mailto:[EMAIL PROTECTED] Sent: Thursday, 20 March 2008 5:18 a.m. To: users@spamassassin.apache.org Subject: Cyrillic spam For some strange reason, I'm seeing Cyrillic spams very frequently lately. None of my users read any E

Re: FuzzyOcr question

2008-01-14 Thread NFN Smith
Loren Wilton wrote: Is decoder (Chris) still developing FuzzyOCR ? I haven't seen any changes recently, nor any discussion on the FuzzyOCR mailing list. But then I haven't seen a lot of OCR spams going by since the stock spams cut down in volume a while back. I'd say it's a good tool to kee

FuzzyOcr question

2008-01-14 Thread NFN Smith
A couple of months ago, I updated FuzzyOcr to the current package version supported in Debian Stable (2.3b-1). In the meantime, I notice that when there are hits on FuzzyOcr, the SpamAssassinReport.txt attachment is showing that I am getting hits on FuzzyOcr, and the number of points scored by

mailmerged spam

2007-10-25 Thread NFN Smith
On the male enhancement spam that's hitting my spamtraps, I'm noticing that nearly all the messages (presumably a single spammer), are following a fairly regular pattern -- in particular, where either the first or second line of text shows some sort of colloquial greeting (e.g., "hi there" or "

Re: OT: Spamtraps

2007-09-20 Thread NFN Smith
ram wrote: Sorry this is OT. We run large email setups for our clients and I also have created many spamtrap ids. But the problem is I don't seem to get many mails in these ids How can I best create spamtrap ids. The standard methods of publishing ids on your site etc doesn't seem to work W

Re: RDJ handling question

2007-04-14 Thread NFN Smith
Jake Vickers wrote: [ "${TMPDIR}" ] || TMPDIR="${SA_DIR}/RulesDuJour"; # Where we store old rulesets. If you delete I'm not talking about editing the script. I am talking about the config file. Do you have /etc/mail/rulesdujour/config ? Yes, I know that. When I originally posted, I h

Re: RDJ handling question

2007-04-13 Thread NFN Smith
Jake Vickers wrote: It's in your RDJ config file. My config is in /etc/rulesdujour/ and the file is called "config". The line in question: SA_DIR="/etc/mail/spamassassin" That's where it should save the files it downloads. I checked the code of rules_du_jour, and the download is done to the

RDJ handling question

2007-04-13 Thread NFN Smith
This one should be simple, but I'm not finding a quick answer.. Recently, I enabled updates of the SARE rules I run through rules_du_jour. Updates are working fine, but there's a minor glitch in handling the results. Namely, I have my SARE rules in /etc/spamassassin, and the RDJ updates are

SA admin question

2007-01-29 Thread NFN Smith
I'm running SpamAssassin 3.0.3 on a Debian server, and finding lots of SA-originated .tmp files left in the /tmp directory. In this setup, mimedefang (running as a sendmail milter) is calling SpamAssassin, and SA is calling DCC. The .tmp files are owned by user "defang", and from what I can te

Re: Need regexp tip

2006-12-05 Thread NFN Smith
Bowie Bailey wrote: NFN Smith wrote: /\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i I'm getting hits on things like 'baddword' and 'badwoord', and even 'badworrd!', but I'm not getting a hit on 'badwordd' I've tried

Need regexp tip

2006-12-05 Thread NFN Smith
I'm working on a series of rules to find obfuscated words in subject lines that have been misspelled by adding an extra character (often a repeated letter) to a word. For certain words, it seems to be appropriate to assume that if they're misspelled in that way, it's deliberate. I've got the

Re: double letter porn

2006-10-18 Thread NFN Smith
Richard Doyle wrote: I've been getting lots of porn site spam containing words with doubled letters, like this one: I was looking at this one yesterday, and thought of a different approach. It may be a little kludgy, but it seems to work on some basic tests. For this, I'm starting with a

Re: trusted_networks use

2005-09-28 Thread NFN Smith
Bowie Bailey wrote: > Good catch Alan, I hadn't noticed that. I think you're right about the ALL_TRUSTED rule -- and, based on the debug output, right about the internal_networks rule as well. My comments have been based on settings for 3.04. I'm not sure if your version wasn't mentioned bef

Re: trusted_networks use

2005-09-27 Thread NFN Smith
MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE From [EMAIL PROTECTED] Tue Sep 27 15:22:19 2005 Received: from localhost by pulsar.lfa.com with SpamAssassin (2.64 2004-01-11); Tue, 27 Sep 2005 15:24:16 -0700 From: NFN Smith <[EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:

Re: trusted_networks use

2005-09-27 Thread NFN Smith
Alan Premselaar wrote: NFN Smith wrote: Following up on my own post. I'm still thrashing, and not getting any difference in results. ...snip... Sorry, I just have to ask. Since you're using MIMEDefang... you are remembering to restart (or reload) mimedefang after making yo

Re: trusted_networks use

2005-09-26 Thread NFN Smith
Following up on my own post. I'm still thrashing, and not getting any difference in results. NFN Smith wrote: You really do HAVE to trust all your own mail relays. Anything else is just broken. Agreed. OK, I've expanded my settings, but I'm still not maki

Re: trusted_networks use

2005-09-23 Thread NFN Smith
Matt Kettler wrote: Bowie Bailey wrote: Ok, so here is what I see as far as the mail path: - Sent from 24.249.175.230 ... untrusted - Received by 68.99.120.79 ... trusted - Received by pulsar.lfa.com ... untrusted (unless SA defaults the local machine) If pulsar.lfa.com is untrusted, a

Re: trusted_networks use

2005-09-23 Thread NFN Smith
id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Fri, 23 Sep 2005 15:04:19 -0400 Message-ID: <[EMAIL PROTECTED]> Date: Fri, 23 Sep 2005 12:03:32 -0700 From: NFN Smith <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: [SPAM: 7.737] Spam test #6 X-Spam-Status: Ye

Re: trusted_networks use

2005-09-22 Thread NFN Smith
Bowie Bailey wrote: X-Spam-Score: 6.87 (**) (required=4) tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE, NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE I don't see ALL_TRUSTED, so apparently this email originated outside of your network. Otherwise

Re: trusted_networks use

2005-09-22 Thread NFN Smith
Bowie Bailey wrote: Is there any way of tracing the behavior, to see what's expected and how things aren't matching when a message actually comes through? It sounds to me like your setup is working as expected. Mails coming from servers in your trusted_networks list will still be scanned for

Re: trusted_networks use

2005-09-19 Thread NFN Smith
Bowie Bailey wrote: Thus, if I'm running SpamAssassin on server xx.yy.zz.ww, and I get a message from server aa.bb.cc.dd, I want both servers to trust each other, because I control both servers, and there's no intermediate relay between the two. Then you just need to add one line to the con

Re: trusted_networks use

2005-09-19 Thread NFN Smith
Bowie Bailey wrote: From: NFN Smith [mailto:[EMAIL PROTECTED] Trusted_networks has nothing to do with whether or not a message is scanned for spam. Trusted_networks is simply a list of the servers and networks that you trust not to forge header information. OK. On this particular

trusted_networks use

2005-09-16 Thread NFN Smith
This might be one of those small "duh" things, but there's something I'm missing here. I'm running SpamAssassin 2.6, being launched from MIMEDefang as a sendmail milter. I have several servers and domains in a number of different IP blocks (i.e., hosted at different co-lo providers). I want to