> 127.255.255.255 to indicate excessive querying. Any questions and/or
> feedback, LMK.
How/where to find information about using Validity reputation list in
SA?
Thank you,
Olivier
Hi,
>> Recently I have received a wave of mails in the form
>> From: word-olivier@somewhere.random
>> To: oliv...@mydomain.com
>>
>> Where the "olivier" part is a valid username on my domain.
>>
>> Is there a rule to catch these with SA?
Thank you, the VM-x-yy-centos.localdomain did the trick.
Best regards,
Olivier
"George A. Theall via users" writes:
> On Thu, Oct 05, 2023 at 02:41:59PM +0700, Olivier wrote:
>
>>Recently I have received a wave of mails in the form
>>From: word-olivier
Hi,
Recently I have received a wave of mails in the form
From: word-olivier@somewhere.random
To: oliv...@mydomain.com
Where the "olivier" part is a valid username on my domain.
Is there a rule to catch these with SA?
Best regards,
Olivier
--
short body text for that reason.
Best regards,
Olivier
--
here is a different path for the KAM GPG
> key.
I have been using
--gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com
very consistently for a while now.
Best regards,
Olivier
--
traction afterward.
Best regards,
Olivier
>
> —
> Peter West
> p...@ehealth.id.au
> “I am the vine; you are the branches.”
>
> On 7 May 2021, at 2:30 pm, John Hardin wrote:
>
> On Thu, 6 May 2021, Alex wrote:
>
> Hi,
>
> I'm trying to use the lat
plugin and send it to Kevin
> for consideration...
I think it is of some interest. It does not concern the case at hand
(remote image) but could come in handy for an attachment.
Best regards,
Olivier
>
> --
> Pedreter
>
> On Tuesday, February 2, 2021, 09:30:36 AM GMT+1,
in an image,
decodes it and injects the associated text/URL as a document part to be
parsed by SA?
Something like what is being described there maybe
https://docparser.com/blog/barcode-pdf-documents-images/
Best regards,
Olivier
--
I am wondering what grey list should be renamed...
--
change, with a kind
and visible message explaining how they can turn the compatibility on
and that they should upgrade. As it was once written, most of SA users
are not on this list...
Best regards,
Olivier
able the compatibility
while solving the issues. That will be the less damaging way for our
users.
Best regards,
Olivier
> Additionally, the rule USER_IN_WHITELIST_TO has been renamed to
> USER_IN_WELCOMELIST_TO to assist those running older versions of
> SpamAssassin get stock r
nged to
satisfy a need of renaming.
That is breaking things for the sake of breaking. And email server
depends on enough number of pieces working well together, no need to
break it on a whim.
Olivier
--
mind a
renaming if the new names are something common, like deny/allow. The
coined names block/welcome sound very artificial to me.
But the really main issue is compatibility.
Best regards,
Olivier
--
"Kevin A. McGrail" writes:
> Gents,
Let's be inclusive and assume that some readers on the list may not be
gents, so may even not be women :)
Olivier
may lead to
the death of SA.
Best regards,
Olivier
> On 7/10/20 8:42 AM, jdow wrote:
>> Be sure to purge every instance of "fork" in the code because it sounds
>> too close to the other F..K word. Get the fork out of there.
>>
>> {O,o}
>> i
local list of words. That is the way PdfAssassin is
working, text is pushed as a text block and image as an image attachment
(so they can be further processed by any image plugin like FuzzyOcr). If
that could work, that would be a very great improvement to FuzzyOcr.
Best regards,
Olivier
--
big no no. A couple of FN are not a
problem, but if I miss an important message because it was classified as
spam, I would be really unhappy. So as a result, I have to check the
spam manually. It is not efficient!
Olivier
re are two apostrophes in the same sentence.
I would suggest a second negative lookahead to correct the issue.
-Olivier
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
header __SUBJ_HAS_FROM_1 ALL =~
/\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism
If the from and the to are identical and the subject is empty, this rule
hits,
We have started seeing some clickbait spam that hides the suspicious
text behind /
https://pastebin.com/SLMyFvmN
The text /Optima Tax Relief: Do You Still[...]/ is visible in the email
in thunderbird since the image does not load, but spamassassin's body
rule does not trigger
/body T_
I meant it, it's an AND, not an OR. I see FuzzyOCR as
just one more tool that can be added to SA.
Regards,
Olivier
t can
help?
Regards,
Olivier
--
You are correct Pedro, the curly-braces solution does work. I will
integrate the solution, I leave it to you guys to determine if a bug
should be opened and with whom.
On 2018-08-31 15:01, Pedro David Marco wrote:
It works with Perl 5.14.2 but not with 5.20.2
It seems that Perl preprocessor d
I wrote a rule that throws a /variable length lookbehind/ error where
the lookbehind is fixed length. Here is a MWE:
body __Z_NEGATIVE_LOOKBEHIND /(?The error goes away if I remove the case insensitive, or if I put a
character between the two /s/ characters. Using /nn/ instead of /s
We got a few hits on RCVD_IN_PBL for the IP 24.137.53.2 that do not
appear to be listed on spamhaus. I tried
dig 2.53.137.24.zen.spamhaus.org
on that same server and got no results, and even then SA kept hitting
that rule. My understanding of /eval:check_rbl('zen-lastexternal',
'zen.spamhaus.
On 2018-04-18 20:37, Alex wrote:
Hi all, this may be slightly OT, but we've been blocking .emf files
forever but today a user complained that we blocked their Word
documents which apparently have "image1.emf" files in them and were
considered a threat by amavisd due to our restricted file type po
well for C&C servers but we feel like that is a bit late to avoid
an infection.
Are there other solutions that we have not thought of? Are any of you
having trouble with these types of links?
Thanks.
- Olivier
this command to find which rule is causing it to hang
spamassassin -D all,rules-all < yourfile.eml
On 2017-06-16 10:13, Konstantin wrote:
Here is the full msg
https://1fichier.com/?jpqjmsfxkf
Olivier Coutu
used instead of the headers, but
I did not dig into the code enough to find out.
Is this an issue that other people have experienced? I am using
spamassassin 3.4.1 and sa-update version svn1652181
--
Olivier Coutu
On 2016-12-06 11:19, Olivier Coutu wrote:
However, if I run that on machine B (Ubuntu 16.04, SpamAssassin
version 3.4.1, Perl version 5.22.1) that I have recently created,
after the first call to the /get//('From', 0)/ which returns the
correct value, the following calls return the v
', 0)/ and has
the same issue.
The bug appears whether the domain is a freemailer or not, but does not
happen when there is no from_name.
I am looking for tips as to where the problem might be. Is it possible
that my /get/ or other calls are modifying the PerMsgStatus? Could it be
related to patches that have been applied with the Ubuntu install?
--
Olivier Coutu
n...@zerospam.ca
ultiple maxhits or did I overlook something? If it is not
designed to work with it, would there be any workarounds to detect
multiple attachments?
--
Olivier Coutu
Assistance technique
Technical Support
T : 514-527-3232 x 2
n...@zerospam.ca
or this? I want to exclude Spammer Countries e.g. China,
> Taiwan, India, etc...
Don't forget to exclude North America too, because they are the main
source of spam, by far.
Olivier
--
home-made implementation of
Levenshtein's algorithm, but Paul Stead's version is probably simpler
and more appropriate for general use.
Olivier Coutu
On 2016-09-15 10:22, Chip M. wrote:
Have you used that technique to generate tokens for regular
Phish prevention (e.g. all the myriad variations on Paypal)?
r add it to
> the body, it's not "fuzzy OCR" anymore.
To my understanding, the fuzzy part referred to the way it does OCR
(several passes, with different angles, colours, etc.), not
to the word matching.
Olivier
er is gone. Use convert -interlace from the ImageMagick suite.
In my case, I still have an old executable of gifinter laying around,
but I think you would configure FuzzyOCF.cf with an appropriate line of
the form:
focr_bin_gifinter /usr/local/bin/convert -interlace and the needed
parameters.
Best regards,
Olivier
On 2016-07-15 10:22, Reindl Harald wrote:
On 15.07.2016 at 16:06, Olivier Coutu wrote:
I am trying to figure out what part of SA is taking the most time on
certain e-mails, e.g
time spamassassin ham-1468528393442166.eml
[...]
real 0m34.531s
user 0m33.958s
sys 0m0.452s
I have
t the debug, but the timing seems to skip
multiple seconds at random intervals that are not indicative of what
rule ran.
--
Olivier Coutu
Assistance technique
Technical Support
T : 514-527-3232 x 2
n...@zerospam.ca
eding out false-positives.
Olivier
ivram needs to know your identity/mail server
address.
Olivier
ssible, it seems a very complicated scenario for a very small
amount of data (how many people will send some log?). It's faster to
Google all the universities of Thailand, find valid usernames and send
the phishing: more data, easier to reproduce/scale up/port to other
domains of activity.
Olivier
Reindl Harald writes:
> On 29.06.2016 at 06:45, Olivier wrote:
>>> Though I have devised a mechanism to generate these blacklists, I am
>>> not
>>> finding a suitable evaluat
Ham
list of ham IPs
Spam
List of spam IPs
with no name or personal data attached (the list could even be posted
to pastebin through a proxy :)
Best regards,
Olivier
Hi,
As promised, here is one week log of FuzzyOcr
http://pastebin.com/XwwdXkTV
The result are not too good.
Olivier
--
independently? Should the levels info, warn and error always
be displayed and the level debug only when activated with a -D?
What is the proper way to write the error logging part in a plugin?
Best regards,
Olivier
--
the Bayes process if we inject the mail body +
>>the part extracted from PDF? Should we not better submit only the
>>original message? I have no answer on that.
>
> that is just what I would like to know: If OCR produces results good enough
> for BAYES and other rules.
Will make some results available.
Best regards,
Olivier
unt of flesh on a picture
:) A student here had tried to work on something like that, not sure he
ever managed to do something usable.
I am also using imageCerberus that tries to classify images on some meta
data like size, position of text, etc. But it is not doing any ocr.
Olivier
d that tesseract was not enabled by
default! I use FreeBSD, could it be required at install only, but
disabled later in your configuration of FuzzyOcr?
Best regards,
Olivier
--
Matus,
Thank you for your reply.
> On 09.06.16 10:43, Olivier wrote:
>>For years I am having FuzzyOcr plugin running, but it helps little,
>>because it has its own list of words to keep updated.
>>
>>I am wondering if, instead of using that own list of words
ssassin
Sorry to jump in, but should SA trust the content-type or the file(1)
type, or should try to compare both and do something if they mismatch?
Best regards,
Olivier
ected back is plain garbage:
w_T___l_e?_
But other time the result is interesting like a proper English sentence
full of spam.
So how SA will react if I reinject the garbage? Will it just ignore it?
Best regards,
Olivier
--
Catlo
> /usr/local/sbin/clamd && /etc/init.d/spamassassin restart
If you are using init.d for SA, you should also use it for ClamAV. Using
a consistent startup system will certainly go in the right direction.
Olivier
one system or another.
Best regards,
Olivier
> - I tried to put clamd followed by a ‘SpamAssassin restart' on
> rc.local: the same, all seems ok but no success.
>
> Only when I restart SpamAssassin manually from a shell (with the clamd
> started) all goes well. As a matt
I have affected a hefty penalty in SA to any mail that comes from one of
these TLDs:
(party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)
.xyz used to be on the list but I have started seeing more legitimate
traffic from the
alyze is:
This document Is password Protected
Click HERE to unlock and access file
best regards,
Olivier
--
al SA rules (if anything new is needed).
Best regards,
Olivier
>
> http://pastebin.com/g7dJ7SHu
>
> There's very little text in the body, so I suspect that's why bayes is
> confused. PDF invoices and conversations involving "payment" and
> "invoice" are not all that uncommon.
>
> Thanks,
> Alex
>
--
im) level, to refuse the
mail when the other end tries to connect first. But as I use postfix, I
am not sure how it is being done with exim.
Best regards,
Olivier
nterrogation is why neither T_BODY_TO_NOMULTI or
T_BODY_TO_MULTI hits as expected. There appears to be some interaction
with the previous line that I do not understand. Am I interpreting
(^|\n|\r) incorrectly? Is there any reason to search for \n or \r
instead of ^? Is there a way to consider a newline with "body" instead
of "rawbody"?
Using:
SpamAssassin version 3.4.1
running on Perl version 5.14.2
on Ubuntu 12.04
Thanks in advance
-Olivier
Hi
anyone can help me ?
mydomain\.fr and mydomain\.com is a sample, it's not specifically only gtld
that change
regards
olivier
2015-12-24 7:50 GMT+01:00 Olivier CALVANO :
> Hi
>
> i request your help for create a small rules:
>
> i have a lot of domains, for two of this d
- I do not understand how to properly write the meta ;) for said:
if
CEFSCA001_DOMAIN_72_* or CEFSCA001_DOMAIN_89_* is found
and
CEFSCA001_WHITELIST_116_* is found
result
CEFSCA001_META_1 score -50.0
thanks for your help
Olivier
Thanks, i clear the AWL and now it's good
thanks
for TxRep, do you know where i can find this module and the documentation ?
2015-12-23 16:57 GMT+01:00 Joe Quinn :
> On 12/23/2015 10:53 AM, Olivier CALVANO wrote:
>
>> Hi
>>
>> i have installed a new server on Ce
, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001,
CLASSIC_SUJET_GENERAL_1=2.5] autolearn=no autolearn_force=no
this mail is a very simple mail.
What is AWL ? why score is very big ?
thanks
Olivier
Thanks for your help Abx,
i find the problems :
déc. 23 10:13:43.147 [16981] warn: config: error: rule
'VVVSCA001_WHITELIST_242_META(VVVSCA001_WHITELIST_242_1_1' has invalid
characters (not Alphanumeric + Underscore + starting with a non-digit)
change :
meta VVVSCA001_WHITELIST_242_META(VVVSCA0
=
header VVVSCA001_WHITELIST_242_1_1 From =~ /\@duplopro\.com/i
he idea ?
very thanks for your help
Olivier
2015-12-23 9:10 GMT+01:00 Axb :
> On 12/23/2015 09:05 AM, Olivier CALVANO wrote:
>
>> Hi
>>
>> sorry i am new in regex
>>
>> i have a .cf with:
ok thanks i test
2015-12-23 9:10 GMT+01:00 Axb :
> On 12/23/2015 09:05 AM, Olivier CALVANO wrote:
>
>> Hi
>>
>> sorry i am new in regex
>>
>> i have a .cf with:
>>
>> header VVVSCA001_WHITELIST_242_1_1 From =~ /*\@duplopro\.com/i
>>
>>
01_WHITELIST_242_2_135_8 || VVVSCA001_WHITELIST_242_2_135_9 ||
VVVSCA001_WHITELIST_242_2_135_10 || VVVSCA001_WHITELIST_242_2_135_11 ||
VVVSCA001_WHITELIST_242_2_135_12))
score VVVSCA001_WHITELIST_242_META -50.0
where is my error ?
thanks
olivier
m 0 s)
mail:
OK. have you checked the socket?
In your configuration file you should have LocalSocket /some/path/...
Does it belong to UID/GID clamscan?
Is it mode 666?
Olivier
> --- SCAN SUMMARY ---
> Infected files: 0
> Total errors: 1
> Time: 0.001 sec (0 m 0 s)
> [root@ears tmp]#
>
>
--
I added my user to GID clamscan and still get the lstat error.
>
That means user clamscan cannot read the file eicar. This is independent
of the user that launches clamdscan. Try to put eicar.txt in /tmp and
make it mode 777.
>
>
> @Olivier, I’ll ask you my question about Perl “glue
Hi,
> On November 18, 2015 6:49:16 PM EST, "Daniel L. Srebnick"
> wrote:
>>Yes it does:
>>
>>
>>
>>clamscan eicar.txt
Using clamscan, you only prove that ClamAV is working.
Your error was in the Perl glue between SpamAssassin and ClamAV, not in
C
nt
> versions of Net::DNS, which SA relied upon to set the RD flag
> automatically. See
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223 for details and
> a patch.
Thank you. I just check and for what it is worth, recent installations of
SA on FreeBSD do include the patch.
Best regards,
Olivier
>
--
ed a 0.0 score before 3rd Sept.
Like others said, on 7 days backlog, the score closer to zero was 0.051
I am using SA 3.4.1 with sa-update daily.
Olivier
> I use version 3.4.0 and process about 20k emails a day through it. I used
> bayes and this has been regularly updated with 1000 ham a
o change user, that means spamd must be running
as root to begin with.
So I would say:
- start spamd as root
- spamc -u user
- or become user and spamassassin
All this is from memory, because I use SA through amavisd nowadays.
Best regards,
Olivier
> Best regard,
> Marc
>
> A
part, as I said.
I am looking for the SA side.
Oh well, I will give a look at URIDNSBL and see whether/how I can change
it.
Thank you,
Olivier
>
>
> Martin
>
>
>
--
Axb writes:
> On 09/02/15 09:51, Olivier Nicole wrote:
>> Hi,
>>
>> I am looking at malware patrol, but they offer a list of over 300,000
>> rules, that is way too big.
>>
>> So I was considering using it in a URIDNSBL type of way, but including
>> th
Does that exist already?
Thank you,
Olivier
--
f them might not be useful anymore,
but they produce very few false-positives.
-Olivier
On 2015-08-20 15:04, Joe Quinn wrote:
On 8/20/2015 2:56 PM, John Hardin wrote:
On Thu, 20 Aug 2015, Olivier Coutu wrote:
I believe that SA may be removing the part
from the From:name, am I correct?
Define this rule:
header __ALL_FROMNAME From:name =~ /.*/
...and run spamassassin
I got a spearphishing e-mail the other day that had a From with the
following form:
From: "Mister President "
I attempted to craft a SA rule to catch the "@" in the From:name but I
was unable to catch anything after the "<"
ex:
From:name =~ /Mister President/hits
From:name =~
Hi
i want create a rules for filters :
i want add 100 in score at all email that have:
"Invoice" or "Facture" in core
AND
a .DOC file attachment
it's possible ?
thanks
Olivieir
19 09:25 bayes_toks
i want export for import after on a new server with SQL Database.
anyone know this problems ?
regards
olivier
nt to go any further, you should read the mail and decide by
yourself how you classify it. Obviously someone thought it was spam and
reported to razor, but the sender has been paying ISIPP and think they
are legitimate.
Best regards,
Olivier
> or should I contribute this sort of spam to the sco
at is currently working (and that could keep
working despite the update) and you find yourself trying to restart a
broken version of SA.
Best regards,
Olivier
> ===
> #!/bin/bash
> #
> # Update the Spamassassin rule
self an email if something went wrong.
Being executed only once a day, the extra load of a Perl script is
negligible.
Best regards,
Olivier
get way too
many FP (many mails about this list, because they talk about spam;
system periodic mail, once a week, a couple of the nightly system
security messages are classified as spam, while I have like 30 of same
messages/day).
Best regards,
Olivier
--
Chris,
Well, I don't run SA on Ubuntu, so I don't know how it is installed. I
just pointed out what was looking strange to me, what direction I would
dig into.
Good luck,
Olivier
--
regards,
Olivier
--
ta into a web form on either a dedicated or exploited web site.
By "reply" I don't mean mail reply, but automatically filling their web
form with garbage.
Bests,
Olivier
the burden of answering a spam phone call, I
already got it), the risk of missing another call is reduced to
something so close to zero it is not worth mentioning and I have the
pleasure of knowing that I have them waste their time.
Best regards,
Olivier
--
e file, but that's all.
You may consider using amavisd.
Best regards,
Olivier
applications than SA (Amavisd-new for example), but with all the modules
below, SA has all the needed to run.
Best regards,
Olivier
p5-Archive-Tar-1.92 Perl module for creation and manipulation of tar files
p5-Archive-Zip-1.30_1 Perl module to create, manipulate, read, and write Zip
arch
p5-Authe
ld be a problem installing ImageMagick or OpenCV, but I need help
to be pointed to the right direction.
Best regards,
Olivier
--
yOCR would have
made a difference, header rules used to catch 99% of the image only spam.
> btw, gmail thinks your domain is spam
What was the error message from gmail? Recently I see a lot of ham being
misclassified by gmail, all mailing lists that I have been reading
regularly.
Bests,
Olivier
e same bad
word in a message).
Olivier
ds
instead of pushing back the decoded text to SA for SA to analyze.
Best regards,
Olivier
at the
cost of a 15 to 60 minutes delay in incoming email;
- ClamAV and Kaspersky for viruses (even though there are not that
many lately); they fit well in amavis as amavis was preliminarily
designed to catch viruses...
- procmail to handle the mail delivery and quarantine and daily
summary of spam.
I have 250 users.
Good luck,
Olivier
rd, the extractor for MS office that it is based on is
limited for MS office 2003.
Best regards,
Olivier
wondering if fuzzyOCR still has any interest? Like
above, I'd like to see it push the strings it can identify to the body
of the message, for further analysis by SA, rather than having its
own list of spam words.
Best regards,
Olivier
Hi
Thanks for your answer
2012/9/9 :
> On 09/09, Olivier CALVANO wrote:
>> I want change my old server with SpamAssassin. Anyone know a web site
>> which advises the rules, modules, rbl they must necessarily have to
>> reach a maximum rate of detection ?
>
> Th
Hi,
I want change my old server with SpamAssassin. Anyone know a web site
which advises the rules, modules, rbl they must necessarily have to
reach a maximum rate of detection ?
Actually, i use commercial service of SpamHaus, he have other list
with a best quality ?
Thanks
Olivier