We've had a report from a user about a false positive involving
KHOP_BIG_TO_CC which has a score of 3.4. This seems like an excessive
penalty for perfectly reasonable behaviour.
header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,25},){10}/
describe KHOP_BIG_TO_CC Sent to 10+ recipients ins
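As an added illustration (not part of the report above, and not SpamAssassin's own code), the rule's regex can be exercised directly against constructed To:/Cc: values to see exactly when it fires. The join used to approximate the ToCc pseudo-header and the example.org addresses are assumptions for this demonstration:

```python
import re

# The KHOP_BIG_TO_CC regex quoted in the message above, copied verbatim.
# Perl and Python agree on this syntax: ten consecutive "addr@domain," groups.
KHOP_BIG_TO_CC = re.compile(r"(?:[^,\@]{1,60}\@[^,]{4,25},){10}")
KHOP_BIG_TO_CC_SCORE = 3.4


def tocc_pseudo_header(to, cc):
    """Approximate SpamAssassin's ToCc pseudo-header.

    Assumption (not taken from the page): To: and Cc: are joined with ", ".
    """
    parts = [h.strip() for h in (to, cc) if h and h.strip()]
    return ", ".join(parts)


def khop_big_to_cc(to, cc=""):
    """Return (hit, score) for the rule against the given To: and Cc: values."""
    hit = KHOP_BIG_TO_CC.search(tocc_pseudo_header(to, cc)) is not None
    return hit, (KHOP_BIG_TO_CC_SCORE if hit else 0.0)


def recipients(n, domain="example.org", start=0):
    """Constructed address list: "user0@example.org, user1@example.org, ..."."""
    return ", ".join(f"user{i}@{domain}" for i in range(start, start + n))


if __name__ == "__main__":
    # A departmental mail to eleven colleagues: perfectly reasonable, yet it
    # collects 3.4 points before any other rule has run.
    print(khop_big_to_cc(recipients(11)))          # (True, 3.4)
    # Ten addresses joined with ", " contain only nine commas, so the regex,
    # which needs ten comma-terminated groups, does not fire on them.
    print(khop_big_to_cc(recipients(10)))          # (False, 0.0)
    # Seven in To: plus four in Cc: also reach ten commas.
    print(khop_big_to_cc(recipients(7), recipients(4, start=7)))   # (True, 3.4)
```

Note that the regex counts comma-terminated entries rather than addresses, and that a domain part longer than 25 characters breaks the run of matches; both details matter when judging whether the 3.4 is being applied to the traffic the rule was meant to catch.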
On Wed, 8 Sep 2010, John Hardin wrote:
>
> It's expected and very welcome. It means the age-limited nightly masscheck
> corpora have once again gotten large enough that the score generator can
> safely publish updated rules and scores on a regular basis.
Ah, good news :-)
Tony.
--
f.anthony.n.fi
sa-update for version 3.3 is usually very quiet - last update 4 July;
previous one 12 June. We have been getting daily updates since Saturday
morning. Is this expected?
Tony.
--
f.anthony.n.finch http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECR
On Fri, 3 Jul 2009, RW wrote:
>
> I understand that Spamhaus doesn't recommend this, because dynamic IP
> addresses can be reassigned from a spambot to another user, but I added
> my own rule it does seem to work. In my mail it hits about 9% of my
> spam, with zero false-positives.
You will get fa
On Sun, 26 Aug 2007, Dave Pooser wrote:
>
> Except that I can verify addresses after checking blacklists, RDNS and other
> checks to make dictionary attacks harder on the spammers. It may be possible
> to put ACLs on VRFY in Exim, but I haven't looked into it.
I don't believe dictionary attacks ar
On Sat, 25 Aug 2007, Dave Pooser wrote:
>
> So do you run your servers with VRFY enabled?
Yes. If you are verifying addresses at RCPT time, which you must to avoid
spam blowback, then there's no point disabling VRFY.
Tony.
On Thu, 12 Apr 2007, Suhas Ingale wrote:
> I followed those links but could not make it work. Exim started rejecting
> all the messages saying IP is listed in RBL. Where exactly should I add the
> "deny dnslists"?
There's an example at
http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch07
On Thu, 12 Apr 2007, Suhas Ingale wrote:
>
> Following is my ACL list from exim conf. I want to add DNS checks for hosts
> so that connections from blacklisted IP addresses are blocked at MTA level.
http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch40.html#SECTmorednslists
Tony.
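For the "where exactly" part of the question, this is the conventional placement in the RCPT ACL. It is an added example, not from the reply above or from the Exim documentation it links; the ACL name acl_check_rcpt and the host list +relay_from_hosts follow the default configure file shipped with Exim 4, and bl.example.net stands in for whatever list you actually use:

```exim
acl_check_rcpt:
  # Accept mail from your own relay hosts and authenticated users first.
  # A deny placed above these lines would reject your own submissions too,
  # which is the usual cause of "everything is being rejected".
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Reject at RCPT time when the connecting host is on the list; the
  # message text is what the client sees in the 550 reply.
  deny    message  = $sender_host_address is listed at $dnslist_domain: $dnslist_text
          dnslists = bl.example.net

  # ... the remaining recipient checks from the default configuration
  # (local domains, relay domains) follow here unchanged
```

Test the list name with a manual lookup (the 127.0.0.2 test entry most lists publish) before enabling the deny, and watch the reject log for a day, since a list that has been withdrawn or that answers for every query will block all inbound mail.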
On Tue, 27 Feb 2007, #Ronan McGlue wrote:
>
> what information is available during the DATA_ACL eg to perform lookups on to
> get the username to use for SA?
The only thing that Exim provides is the list of all recipients,
$recipients (plural). What I would recommend that you do is use an ACL
vari
On Tue, 27 Feb 2007, #Ronan McGlue wrote:
>
> I am looking to move to peruser scanning, so I would need to change only one
> line of the above to
>
> spam = $local_part:true
> which will use the local part of the email address as the username.
This won't work because there may be multiple
On Thu, 11 Jan 2007, Michael Scheidell wrote:
> I don't think I see any sudden drop, was the worlds #1 spammer in that
> hut in fluga that got bombed last night?
I haven't seen any drop recently either. For my systems (daily legit
volume 300,000 and spam 10x that) the spam peak was in the first h
On Wed, 22 Nov 2006, Steve [Spamassasin] wrote:
>
> 2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
> 0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
> Received:from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com [
On Tue, 21 Nov 2006, Evan Platt wrote:
> So used to be mail from Richard Smith, subject "Me again Richard". Now
> they're using the last name, ie "Me again Smith"
Their fake Received: line is still the same.
Tony.
On Fri, 10 Nov 2006, Steve Lake wrote:
> Ok, remember that "Name Wrote: :)" emails? They've completely
> changed. Now it's "hi username" instead. Joy, oh joy. Can anyone find any
> common elements in these emails because whoever this putz is, they're adapting
> a lot.
http://article.g
They have a forged Received: line which has a "by" field containing the
domain of the recipient address, a "for" field which matches the From:
header, and an "id" field of the form XX-XX-XX (similar to Exim's
queue IDs, though Exim IDs are always 1X-0X-XX).
Received: from [217.21
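The three tells described above (a "by" field naming the recipient's domain, a "for" field matching the From: header, and an "id" that imitates an Exim queue id but cannot be one) can be checked together. This is an added example, not code from the message; the two Received: lines, the addresses and the id values are constructed for it. It assumes the classic 16-character Exim id format, six base62 characters of timestamp (which begin with "1" for any date between 1999 and 2028), six of zero-padded pid, and two more, which is the "1X-0X-XX" shape mentioned above:

```python
import re

# Field extractors for a single Received: header.  Received: syntax is loose,
# so these are heuristics for the fields the message above discusses, not a
# full RFC 2821 parser.
BY_RX = re.compile(r"\bby\s+([\w.-]+)", re.I)
FOR_RX = re.compile(r"\bfor\s+<?([\w.+-]+@[\w.-]+)>?", re.I)
ID_RX = re.compile(r"\bid\s+([\w-]+)", re.I)

# A possible Exim id: "1" + 5 base62 (timestamp), "0" + 5 base62 (pid), 2 base62.
EXIM_ID = re.compile(r"^1[0-9A-Za-z]{5}-0[0-9A-Za-z]{5}-[0-9A-Za-z]{2}$")
# Anything shaped like three dash-separated alphanumeric groups.
EXIM_LIKE_ID = re.compile(r"^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$")


def parse_received(header):
    """Pull the by/for/id fields out of one Received: line."""
    fields = {}
    for name, rx in (("by", BY_RX), ("for", FOR_RX), ("id", ID_RX)):
        m = rx.search(header)
        if m:
            fields[name] = m.group(1)
    return fields


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def forged_received_indicators(received, from_addr, recipient):
    """Return (looks_forged, reasons) for one Received: line.

    All three signals must be present before the line is called forged: a
    legitimate hop at your own MX also carries your domain in "by", so that
    signal on its own means nothing.
    """
    f = parse_received(received)
    rcpt_domain = recipient.rsplit("@", 1)[-1]
    reasons = []
    if "by" in f and in_domain(f["by"], rcpt_domain):
        reasons.append("by-field names the recipient's domain")
    if "for" in f and f["for"].lower() == from_addr.lower():
        reasons.append("for-field matches the From: address, not the recipient")
    mid = f.get("id", "")
    if EXIM_LIKE_ID.match(mid) and not EXIM_ID.match(mid):
        reasons.append("id looks Exim-like but is not a possible Exim id")
    return len(reasons) == 3, reasons


# Constructed samples; neither is taken from the original messages.
FORGED = ("Received: from [192.0.2.77] (helo=pc) by example.org with smtp "
          "id 7Fk2Qp-9xB4Lm-Zt for <rsmith@example.com>; "
          "Fri, 10 Nov 2006 09:12:33 -0500")
GENUINE = ("Received: from mail.example.net ([192.0.2.10]) by mx.example.org "
           "with esmtp (Exim 4.66) id 1GhXyz-0003Ab-4d for alice@example.org; "
           "Fri, 10 Nov 2006 12:00:00 +0000")

if __name__ == "__main__":
    # Spam claiming to be from rsmith@example.com, delivered to alice@example.org.
    print(forged_received_indicators(FORGED, "rsmith@example.com", "alice@example.org"))
    # Real delivery from bob@example.net: only the "by" signal, so not flagged.
    print(forged_received_indicators(GENUINE, "bob@example.net", "alice@example.org"))
```

Apply this only to Received: lines below your own trusted ones (i.e. the lines the sending side supplied), and remember that Exim 4.97 lengthened its id format, so the EXIM_ID pattern above matches ids of the era this thread is from.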
On Sat, 4 Nov 2006, Michael Scheidell wrote:
> So? Build something better. It's open source. Don't use the RFCI scores,
> drop them, stop bitching about something YOU can change.
Well, I've added a -2 for email from Amazon, but I thought other people
might like a warning. No need to flame someone w
On Fri, 3 Nov 2006, Michael Scheidell wrote:
>
> Not a false positive if their servers are broken.
True from the RFCI point of view, but NOT true from the SpamAssassin point
of view. These messages are wanted by their recipients so should not be
scored as spam by SpamAssassin.
Tony.
On Fri, 3 Nov 2006, Ralf Hildebrandt wrote:
> * Tony Finch <[EMAIL PROTECTED]>:
>
> > Amazon.co.uk was listed by RFC-Ignorant at the start of this week, and it
> > is now scoring more than 5: DNS_FROM_RFC_DSN 2.87, DNS_FROM_RFC_POST 1.44,
> > FROM_EXCESS_BASE64 1.05.
Amazon.co.uk was listed by RFC-Ignorant at the start of this week, and it
is now scoring more than 5: DNS_FROM_RFC_DSN 2.87, DNS_FROM_RFC_POST 1.44,
FROM_EXCESS_BASE64 1.05.
Tony.
On Thu, 12 Oct 2006, alex wrote:
> just got a bunch of bounced mails that have my ip in the header,
> but I checked my mail logs and don't see any relaying.
> does that mean the header is forged?
I've seen lots of this over the last couple of months. It seems to be
related to malware activity, be
On Tue, 15 Aug 2006, Guy Waugh wrote:
>
> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: SYSERR(root):
> localhost.fabulous.com. config error: mail loops back to me (MX problem?)
>
> Do people actively combat this somehow?
Exim has a feature ignore_target_hosts which causes it to stri
On Mon, 7 Aug 2006, Hamish wrote:
> Yeah, Right... And Verisign never wildcarded domains either did they? Duh!
> right back at you.
>
> > RFC 1123 section 2.1:
> >
> > The syntax of a legal Internet host name was specified in RFC-952
>
> Hostname vs DomainName
The domain name system itself do
On Mon, 7 Aug 2006, Hamish Marson wrote:
>
> The RFC's actually state that a domain MUST start with a letter, and
> be any letter or digit or hyphen after. So according to the RFC's
> purely numeric domains are illegal.
No! Wrong! Totally wrong! If they were illegal they would never have been
all
On Mon, 7 Aug 2006, Sietse van Zanen wrote:
> Caring about 'legitimate' e-mail coming from these domains would be like
> caring about the 'legitimate' claims of Bush saying he is a true
> christian...
All-numeric domains are popular in China because they are easier for
people to deal with tha
The reason that message submission is done with SMTP is because of the
number of SMTP extensions that the MUA will want to use, in particular
DSNs, deliver-by, deliver-after, message tracking, and whatever else may
be invented in the future. If you want to make message submission a part
of IMAP an
On Mon, 15 May 2006, John Rudd wrote:
> Technically, that doesn't make it a standard. That means it's on the track to
> becoming a standard.
It doesn't even mean that. There are many RFCs which are not standards-
track, including this one which is "experimental". Note that all the MARID
RFCs haa
The following headers come from a legitimate message - I have obscured the
sender's name, but that's all. The "SlipStream SP Server" seems to have
appended the client username and IP address to the message-ID, causing the
FP. See also:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200
On Sun, 19 Feb 2006, Terry Miller wrote:
> I looked this up and can't see where I'm doing anything wrong, but the
> subject is not being rewritten.
You should probably ask this question on the exim-users list. I suspect
(but I am not certain) that exiscan doesn't support the message rewrite
parts
On Wed, 21 Dec 2005, [EMAIL PROTECTED] wrote:
> You see, it does not allow me to unsubscribe.
It's ezmlm, so you can just reject all messages from the list and it will
unsubscribe you :-)
Tony.
Brian Leyton wrote:
>
> What it comes down to is that I have a Linux machine at the front-end,
> running MimeDefang, Spamassassin, etc., which passes everything it hasn't
> rejected on to an old Exchange Server. I can't turn off the bounce messages
> at the Exchange Server (for various stupid reas
On Wed, 18 May 2005, Jeffrey N. Miller wrote:
> I want to setup a SMTP relay filtering SPAM and viruses. The relay will
> relay the mail to my Exchange server. Is there well documented HOWTOs
> on setting this up using Exim, Spamassassin, Mimedefang and a good virus
> scanning software? I see H
On Mon, 2 May 2005, Justin Mason wrote:
>
> It might be worthwhile maintaining some kind of spammer tactics
> knowledge base, on the wiki maybe?
There's http://www.jgc.org/tsc/ but it's more focussed on textual
obfuscation than low-level tactics.
Tony.
On Wed, 2 Mar 2005, Justin Mason wrote:
> Shane Williams writes:
> > I noticed the HELO_DYNAMIC_* thread and the conclusion that IMP adding
> > a Received header may be a source of problems.
>
> I think the problem is being caused by IMP being "too good" at
> generating a Received header that looks
On Wed, 2 Feb 2005, Matthew Newton wrote:
>
> I have been asked why this message got such a "high" score. It seems to
> mainly be because of the
>
> 3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
http://bugzilla.spamassassin.org/show_bug.cgi?id=4065
Tony.
On Fri, 28 Jan 2005, Matt Kettler wrote:
> > The order and spacing of the items after the from keyword is wrong. The
> > specification for Received: lines is in RFC 2821. A correctly formatted
> > line would be something like
> >
> > Received: from hotmail.com (bay22-dav1.bay22.hotmail.com
> > [64
On Mon, 31 Jan 2005, Ole Nomann Thomsen wrote:
>
> So I don't feel able to bugzilla this one - any takers?
It isn't a bug in SpamAssassin.
Tony.
> > > Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO
> > > hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure
> > > Anti-Virus for Internet Mail 6.41.149 Release) with SMTP; Wed, 19 Jan
> > > 2005 19:41:14 -
> >
> > F-Secure Anti-Virus for Internet M
On Fri, 28 Jan 2005, Ole Nomann Thomsen wrote:
> Hi, it seems that HELO_DYNAMIC_IPADDR fires wrongly on this header:
>
> Received: from bay22-dav1.bay22.hotmail.com[64.4.16.181]:30781 (EHLO
> hotmail.com) by mailgateway.sitc.dk ([195.231.241.98]:25) (F-Secure
> Anti-Virus for Internet Mail 6.4
On Wed, 12 Jan 2005, Martin Hepworth wrote:
>
> you guys running that rule live at cam.ac.uk?
I haven't actually finished testing it properly yet, because it has got
muddled up in the upgrade to SA 3.0.2 which I keep forgetting to finish
:-)
Tony.
On Wed, 12 Jan 2005, Menno van Bennekom wrote:
>
> I noticed that FORGED_MUA_OUTLOOK falsely triggers with this hotmail-email
> that is sent from Outlook-Express via the http-hotmailserver.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4065
Tony.
On Wed, 15 Dec 2004, David B Funk wrote:
> On Wed, 15 Dec 2004, Christopher X. Candreva wrote:
> >
> > Deploy SPF, use the submission port to talk to your own mail server, problem
> > solved.
Although that allows you to support roaming users, SPF still breaks mail
forwarding. It's usable as a Spam
On Tue, 14 Dec 2004, Clarke Brunt wrote:
>
> it seems to me that a 'fail' result is a perfectly good reason to reject
> a message outright, which is what I do (without it even being passed to
> SpamAssassin).
How many users do you have? Do none of them have vanity addresses?
Tony.
If the top level domain of the HELO name exists (it has NS records or a
SOA record) but the second and third (if present) level domains do not,
the check triggers.
You have to allow for missing top level domains because of private
addresses, and you have to check both the 2LD and 3LD because some
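The check described above, written out as an added example (not Tony's code): the rule is applied through a pluggable existence test so it can run offline here against a constructed table of names that stand in for NS/SOA answers. The zone table, the hostnames and the treatment of address literals are assumptions made for the example:

```python
import ipaddress

# Stand-in for DNS: the names that would answer an NS or SOA query.
# Constructed for this example; in production exists() would query a resolver
# for NS and then SOA and return True if either comes back.
ZONES = {"com", "uk", "ac.uk", "co.uk", "example.com", "cam.ac.uk"}


def zone_exists(name, zones=ZONES):
    """NS-or-SOA existence check, here answered from the constructed table."""
    return name.lower().rstrip(".") in zones


def is_address_literal(helo):
    """HELO [192.0.2.5] or [IPv6:...] is an address, not a name: skip it."""
    h = helo.strip("[]")
    if h.lower().startswith("ipv6:"):
        h = h[5:]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def helo_check_triggers(helo, exists=zone_exists):
    """True when the TLD of the HELO name exists but neither the 2LD nor the
    3LD (when the name has one) does, exactly as the rule above states."""
    if is_address_literal(helo):
        return False
    labels = helo.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False                    # a bare label has no 2LD to judge
    if not exists(labels[-1]):
        return False                    # missing TLD: private name, allow it
    candidates = [".".join(labels[-2:])]
    if len(labels) >= 3:
        candidates.append(".".join(labels[-3:]))
    return not any(exists(c) for c in candidates)


if __name__ == "__main__":
    for name in ("mail.bogus-zone.com", "ppsw.cam.ac.uk", "example.com",
                 "host.internal", "[192.0.2.5]", "[IPv6:2001:db8::1]"):
        print(f"{name:24} -> {helo_check_triggers(name)}")
```

With the table above, mail.bogus-zone.com triggers (com exists, bogus-zone.com and mail.bogus-zone.com do not), while ppsw.cam.ac.uk passes on the 2LD ac.uk even though the 3LD is also present, host.internal passes because its TLD is absent, and the address literals are not judged at all.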
On Tue, 28 Sep 2004, Kris Deugau wrote:
>
> I did this for a while, but somewhere along the line some of those
> unassigned netblocks got assigned. I didn't discover this until about 6
> months after one corporate customer suddenly couldn't send mail to one
> of their suppliers. Fortunately I had
On Mon, 27 Sep 2004, Dan Mahoney, System Admin wrote:
> Hey guys, as a quick survey, if you're blocking ips at the MTA level, which
> are you using?
The MAPS RBL+ is our most effective blocking rule.
Tony.