Re: double backslash in the log messages

On 2024-05-21 13:42:23 -0400, Bill Cole wrote: > On 2024-05-21 at 11:00:57 UTC-0400 (Tue, 21 May 2024 17:00:57 +0200) > Vincent Lefevre > is rumored to have said: > > > While testing a rule with SpamAssassin 4.0.0 under Debian/stable > > (I wasn't aware

double backslash in the log messages

to have a double backslash in the log messages or is this a bug? -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: Score 0.001

AILING_LIST_MULTI,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=4.0.0 The value 6.31 does not even appear in the spamassassin source package. -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 1

Re: spamd: still running as root

t;. This is what I have on my new bookworm machine. -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: subscribe to blacklist for domains

or which this may not be the case. For instance, the Message-ID may be generated on the machine from which the message is sent, with some internal hostname on the right-hand side (this is better to ensure unicity), thus is not resolvable. -- Vincent Lefèvre - Web: <https://www.vinc17.net/

Re: subscribe to blacklist for domains

hat the answer resolves back to the IP (among the answers, as there may be several IP addresses). -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: subscribe to blacklist for domains

detail > about what, exactly, was objectionable. I doubt that spammers take 550 messages into account, or even read them. -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: subscribe to blacklist for domains

On 2022-08-16 12:05:43 -0400, Kris Deugau wrote: > Vincent Lefevre wrote: > > On 2022-08-15 10:39:05 -0400, Kris Deugau wrote: > > > Vincent Lefevre wrote: > > > > Rejecting mail (instead of accepting it and dropping it) is useful > > > > in case of fa

Re: subscribe to blacklist for domains

On 2022-08-15 11:33:53 -0400, Greg Troxel wrote: > Vincent Lefevre writes: > > On 2022-08-13 14:05:43 -0400, joe a wrote: > >> On 8/13/2022 12:38 PM, Martin Gregorie wrote: > >> . . . > >> > 2) There's no mandatory need to REJECT spam. It has always been u

Re: subscribe to blacklist for domains

On 2022-08-15 10:39:05 -0400, Kris Deugau wrote: > Vincent Lefevre wrote: > > Rejecting mail (instead of accepting it and dropping it) is useful > > in case of false positives. > > I'm a bit torn on this. > > On the one hand, yes, the sender now knows for sure their m

Re: subscribe to blacklist for domains

On 2022-08-13 19:09:26 -0400, joe a wrote: > On 8/13/2022 4:52 PM, Vincent Lefevre wrote: > > Well, if you don't reject the mail with the reason that the address > > is invalid, the spammer could deduce that the address is valid > > (at least potentially valid). By not reject

Re: subscribe to blacklist for domains

ect the mail with the reason that the address is invalid, the spammer could deduce that the address is valid (at least potentially valid). By not rejecting spam, the spammer could think that the spam arrived at its destination and would validate the address. -- Vincent Lefèvre - Web: <https://ww

Re: getting waring from spamassassin.apache.org

tion project for mailing lists that the > ASF Infra team has warned us was in progress a few weeks ago. I also got several such notices, but for subversion.apache.org mailing-lists, from 2019 and 2020. So indeed, this seems to be global to Apache mailing-lists. -- Vincent Lefèvre - Web: <

Re: shit from serverion

al.org. This includes snowshoe spam (sent by consecutive IP addresses during the same day). -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: shit from serverion

a good indication of real spam). I have the same kind of things for DATACLUB, DigitalOcean, EONIX, LAYER-HOST, RootLayer and UCLOUD-NET (though spam from DATACLUB IPs seems to have stopped, and also almost for EONIX). -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validate

Re: message with autolearn=no is ignored by sa-learn

On 2022-06-14 13:39:29 +0200, Reindl Harald wrote: > Am 14.06.22 um 13:36 schrieb Vincent Lefevre: > > When? The message has autolearn=no, so it wasn't trained when > > passed via SpamAssassin while it was received. Then it was in > > my main mailbox, where there's no traini

Re: message with autolearn=no is ignored by sa-learn

On 2022-06-14 12:13:10 +0200, Reindl Harald wrote: > Am 14.06.22 um 11:52 schrieb Vincent Lefevre: > > On a machine with spamassassin 3.4.6 under Debian 11, a new spam > > arrived, and the headers showed: > > > > X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09

message with autolearn=no is ignored by sa-learn

-spam --no-sync", but I got Learned tokens from 0 message(s) (1 message(s) examined) Why "from 0 message(s)"? -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer ari

Re: 3 Lines of Defense

I had good success with greet pause set to 11 seconds. Empirically 5 seconds made little difference, but I could see a marked reduction at anything above 10 seconds. Longer than 15 didn’t give much further improvement though. Sent from my iPhone > On Sep 28, 2019, at 08:39, Grant Taylor

Re: Invoice phish

I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It’s the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by “Advanced Threat Protection”. Sent from

Re: Penalty for no/bad SPF

SPF is designed for authentication, not spam filtering. Using a crowbar as a hammer. We apply a small score mainly so we see the elements reported. If the "majors" are using in their hygiene stack, for evalation like you are, I haven't seen much evidence of that. Of course it's hard to

Re: Penalty for no/bad SPF

: Wednesday, January 24, 2018 12:12:56 PM To: users@spamassassin.apache.org Subject: Re: Penalty for no/bad SPF On 01/24/2018 01:58 PM, Vincent Fox wrote: > I'd rather not think about the manhours I've wasted this year on SPF. > > > The guy at Evotec.com, among others, who t

Re: Penalty for no/bad SPF

assin.apache.org Subject: Re: Penalty for no/bad SPF On Wed, 2018-01-24 at 19:01 +, Vincent Fox wrote: > SPF is a zombie legacy that someone should shoot in > the head. > SPF is still good for what I've always thought was its main use: detecting spam delivered by backscatter.

Re: Penalty for no/bad SPF

SPF is designed for whitelisting, not blacklist. Remember when "shields" appeared in mail clients, and how fast that feature disappeared? Far too many people clicking on phish that seemed "authentic". With the explosion of cheap domains and registrars, there's really no snowshoe Black Hat

Re: Receiving a lot of junk from Office 356

O365 has many very large tenant ponds now. Rules inside a tenant may be very lax about trusting other users inside the tenant. So one compromised account, easily leads to tens/hundreds of others. So their 2nd round of phish, nets Black Hats enough compromised accounts to blast out a

Re: Today's Google Docs phish

Sendmail access.src: From:proREJECT Guess that's why I haven't heard about this on our campus. I block dozens of these apparently lawless domains. From: Alex Sent: Wednesday, May 3, 2017 6:37:49 PM To: SA Mailing list Subject:

Re: Google anti-phishing code project

Come on, look at the datestamps on the addresses in that list! Plenty from 2009. I only know of this project because a few compromised accounts from our campus were once listed there, and were rejected by other sites. Went through tedious process of trying to find email for owners, and get

Re: Fastest listing RBL ?

I cannot state strongly enough, that blocking entire top-level domains these days should come before RBL. *.top, *.link, *.download, etc. RBL depends on paid or free. Paid: Spamhaus, the 800 lb gorilla of RBL. Also URIBL various feeds. Direct query to a dedicated address with fresh data FTW.

Re: Anyone else just blocking the ".top" TLD?

gt; Sent: Thursday, November 3, 2016 9:33:59 AM To: users@spamassassin.apache.org Subject: Re: Anyone else just blocking the ".top" TLD? Unless you have customers/employees/vendors complaining that they are not receiving legitimate email from that TLD why would you un block it?? On Nov

Re: Anyone else just blocking the ".top" TLD?

Resurrecting thread TOP remains at the err... top of abuse heap. XYZ insights anyone? They have been on my reject list for a long time, but claim to be cleaning it up. Thinking to drop my shields on this one. https://gen.xyz/blog/antiabuse

Re: whitelist_auth and how to test

I suppose it depends on definition of "trustworthy". I had the experience with SendGrid, of them adding new servers without rDNS information. I called in and astoundingly enough, their "technical" person explained to me DNS didn't matter, and he had no interest in addressing it. A trustworthy

Re: Spoofed Domain

Tuesday, August 9, 2016 3:19:27 PM To: Vincent Fox Cc: SpamAssassin Subject: Re: Spoofed Domain When you say SPF is not a good tool for filtering, do you mean that it shouldn't be used at all? Or if SPF_FAIL is triggered that an email should be rejected altogether? _____

Re: Spoofed Domain

SPF is not a good tool for filtering IMO. Scoring? Why score them? If you get to the SpamAssassin layer with this you've already failed. Reject! We use ClamAV Foxhole databases, to severely restrict attachment types. Combined with a little bit of greet_pause, and a ton of greylist penalty

Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

together a simulacrum. From: Axb <axb.li...@gmail.com> Sent: Monday, August 1, 2016 12:53:27 PM To: users@spamassassin.apache.org Subject: Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold) On 01.08.2016 21:30, V

Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

I keep seeing people say "well if you have postscreen, greylisting is just dumb". Well what is the equivalent for other MTA? I still see a lot of spambots on PBL hosts, that never contact again. So the blanket statement "bots are recoded" just doesn't jibe with what I see. Maybe you could

Re: Protected Sky?

On 06/27/2016 01:15 PM, Reindl Harald wrote: Am 27.06.2016 um 21:27 schrieb Vincent Fox: I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit? that's a bullshit RBL

Protected Sky?

Hello, I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit? We primarily rely on Spamhaus at present, with some others thrown in which catch some that Spamhaus doesn't.

Re: Which DNSBLs do you use?

Greylisting imo helps a lot with RBL lag. Delay suspect IP long enough that by the time they retry, if they do, they are on half a dozen RBL and score high and reject. Sent from my iPhone > On Jun 17, 2016, at 13:23, Reindl Harald wrote: > > > > Am 17.06.2016 um

Re: Odd results when using whitelisting

I've been using dnsmasq myself on a list server, with DHCP disabled, and configured to answer only localhost, for caching. The stock package seems limited to 10,000 entries BTW. But it seemed fairly bug-free as opposed to nscd, and simple to setup unlike BIND. Gladly switch to something else.

Re: Problem with SPF plugin and MX2

In 20 years never saw need for backup mx. If MX pool is down remote MTA should queue it. Only practical use I've seen is NoListing setup. I suppose you might run a server in the Arctic which could lose contact for weeks and you'd want to ensure no bounces. Ymmv. Sent from my iPhone > On May

Re: Whitelisting and Expedia/Orbitz

SPF is only about envelopes? Unless you are Microsoft, who check against the From in the header. From: Reindl Harald Sent: Friday, May 20, 2016 10:23:45 AM To: users@spamassassin.apache.org Subject: Re: Whitelisting and

Re: SA cannot block messages with attached zip

+1 Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family. They are #1 on our list about 50% of the time for weeks now. I got a commendation last week for prevention work, so rare in email adminning. Security team would be swimming in overtime if it weren't for foxhole_js in

Re: understanding HELO_DYNAMIC_IPADDR

On 05/13/2016 01:24 PM, David Jones wrote: This is a very simple concept and yet most mail admins don't know it or follow it. I know right? IMO network/firewall backgrounds are worse though. They are used to thinking in IP all day and DNS is just this optional convenience. Cheers.

Re: understanding HELO_DYNAMIC_IPADDR

On 05/13/2016 12:29 PM, Daniel J. Luke wrote: While you are at it, make sure your forward and reverse dns match. At least weekly, I get someone bickering with me that reverse DNS is not any kind of requirement to be a legitimate server. Often it comes from well-paid network

Re: Anyone else just blocking the ".top" TLD?

ald <h.rei...@thelounge.net> Sent: Tuesday, April 26, 2016 2:55:46 AM To: users@spamassassin.apache.org Subject: Re: Anyone else just blocking the ".top" TLD? Am 26.04.2016 um 11:23 schrieb Heinrich Boeder: > Hi, > >> On Apr 21, 2016, at 3:43 PM, Vincent Fox <vb..

Re: Anyone else just blocking the ".top" TLD?

Resurrecting thread Recently seeing increase in spam from these gTLD: pro bid trade I'm adding them to my reject list, do with this information what you will. -hth

Re: Anyone else just blocking the ".top" TLD?

On 03/28/2016 12:35 PM, Reindl Harald wrote: nothing easier than that with postfix, just start with. I wish my EDU was cool with Postfix or Exim. However our routing pool is Sendmail, and the PHB here are determined to "upgrade" to Proofpoint which is Sendmail based.

Re: Anyone else just blocking the ".top" TLD?

Whoops, list truncated. Continuing From:work REJECT From:cricketREJECT From:xn--plai REJECT From:review REJECT From:countryREJECT From:kimREJECT From:scienceREJECT From:party REJECT From:gq REJECT From:topREJECT From:unoREJECT

Re: Anyone else just blocking the ".top" TLD?

On 03/27/2016 06:58 PM, Thomas Cameron wrote: Has anyone actually gotten a single legit message from that domain? Never. WTF was ICANN thinking? I occasionally go through the lists of abused gTLD here: http://www.surbl.org/tld/ It certainly saves a lot of hygiene processing time to just

Re: Botnet + p0f (was: Botnet Score)

be inserted by p0f+p0fanalyzer+amavisd (which I use), or by p0f+p0fanalyzer + p0f pluging for SA by Vincent Li Another alternative is my stuff at: http://whatever.frukt.org/p0fstats.text.shtml The stuff there uses UDP to send p0f info from the system running p0f (probably the firewall

Re: new system

...You can run Amavisd-new/SpamAssassin on a seperate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. Vincent Li http://bl0g.blogdns.com

Re: R: new system

On Wed, 13 Jun 2007, Giampaolo Tomassoni wrote: -Messaggio originale- Da: Vincent Li [mailto:[EMAIL PROTECTED] On Wed, 13 Jun 2007, Jerry Durand wrote: Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since

Re: v3.2.1 gives spamd: handle_user unable to find user:

\n); Since you don't run spamd in paranoid mode -P option, spamd will not die and fall back to user nobody Vincent Li http://bl0g.blogdns.com

Re: [SPAM] RE: Poor performance with v3.2.0

is a SunFire v210 with 2 processors and 2 GB ram.) Vincent Li http://bl0g.blogdns.com

Re: [SPAM] Re: ANNOUNCE: Apache SpamAssassin 3.2.0-rc3 PRERELEASE available!

job bounces and I don't see any VBounce rules firing. It is not commented out in v320.pre. Am I missing something ? Regards, Rick Have you specified whitelist_bounce_relays hostname_of_your_MTA in /etc/mail/spamassassin/local.cf ? It works on my site. Vincent Li http

Re: Re: ANNOUNCE: Apache SpamAssassin 3.2.0-rc3 PRERELEASE available!

On Wed, 25 Apr 2007, Rick Macdougall wrote: Vincent Li wrote: On Wed, 25 Apr 2007, Rick Macdougall wrote: It's running here but I'm getting hammered by joe job bounces and I don't see any VBounce rules firing. It is not commented out in v320.pre. Have you specified

Re: Re: ANNOUNCE: Apache SpamAssassin 3.2.0-rc3 PRERELEASE available!

On Wed, 25 Apr 2007, Rick Macdougall wrote: Justin Mason wrote: Rick Macdougall writes: Vincent Li wrote: On Wed, 25 Apr 2007, Rick Macdougall wrote: It's running here but I'm getting hammered by joe job bounces and I don't see any VBounce rules firing. It is not commented out

RE: Testing Spamassassin with the mail command

OK Everyone - Send him your SPAM!!! ;-) Just kidding... I'm not sure what you're looking for from us. Please be more specific. By the way, I use Sendmail as well, and find the spamass-milter to be a great way to link in spamassassin. Also, the blacklists are very effective. If you need any

RE: Question on use of SpamCop plugin

Regarding using this feature... I currently have SA reformatting the spam as an attachment (default behavior) - do I need to stop the attachment thing for spamcop or can I just forward the messages as-is? -Original Message- From: Michael Parker [mailto:[EMAIL PROTECTED] Sent: Thursday,

Re: spamd: server killed by SIGTERM (every hour!)

[22160] info: spamd: processing message (unknown) for root:0 Fri Apr 13 17:00:13 2007 [29550] info: spamd: server killed by SIGTERM, shutting down Thanks, Andy. Are you running spamd/spamc as root? it is not recommended to run spamd as root. Vincent Li http://bl0g.blogdns.com

Re: [SPAM] Install spamassassin

about intergrating spamc/spamd pair (spamassassin) with postfix: http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix?highlight=%28spamd%29 Vincent Li Bloghttp://bl0g.blogdns.com

Re: RelayChecker (now Botnet ) 0.4

hotmail :) http://www.vcn.bc.ca/~vli/P0f.pm Thank Mark for the inspiration! Mark Vincent Li http://pingpongit.homelinux.com Opensource .Implementation. .Consulting. Platform.Fedora. .Debian. .Mac OS X. Bloghttp://bl0g.blogdns.com

Re: Max-children setting not high enough causing spamassassin to hang?

system. Vincent Li http://pingpongit.homelinux.com Opensource .Implementation. .Consulting. Platform.Fedora. .Debian. .Mac OS X. Bloghttp://bl0g.blogdns.com

Re: Parsing Email

functions and such. :) -- Randomly Selected Tagline: Zero equals Zero - Prof. Farr Vincent Li http://pingpongit.homelinux.com Opensource .Implementation. .Consulting. Platform.Fedora. .Debian. .Mac OS X. Bloghttp://bl0g.blogdns.com

Re: Quarantined Spam.

Vincent Li System Admin On Fri, 8 Sep 2006, Jared wrote: Hi, Is there anyway I can resend the emails which have been quarantined. as some of the emails should not have been quarantined. I'm using plesk 7.5 reloaded with spam assassin. I am using Amavisd-new SQL quarantine and MailZu

Re: DnsResolver.pm gives up unnecessarily on EACCES result

2006/8/4, Rosenbaum, Larry M. [EMAIL PROTECTED]: SpamAssassin version 3.1.4 running on Perl version 5.8.7 SunOS email 5.9 Generic_118558-10 sun4u sparc SUNW,Sun-Fire-V210 In the connect_sock() method in DnsResolver.pm, there is a loop starting at line 177 that starts out like this: # find

Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY

! And I think I will keep my cutoff score as 2 because I get so many spam every day and some of them just score 2.3! You can train your bayes to learn the false negative email as spam, get some SARE custom rules, enable network test. Cheers, Tao Vincent System Administrator

Re: How to install iXhash

--lint 7) if it passes, restart spamd or any other persistent daemons that use the spamassassin perl API. Thanks Matt - what directory would you put iXhash.pm in? If I get this to work I'll update the wiki. Should be under /Whatever/Mail/SpamAssassin/Plugin/ I think. Vincent Li System

Re: 2nd mail server problem

, legitimate sender MTA will queue it's email and try later, you would not lost email. Vincent

How SpamAssassin recognize chinese character?

, perlunicode, perlre..still could not find relevant information. Thanks in advance! Vincent

Re: How SpamAssassin recognize chinese character?

On 9 Jan 2006, at 10:08 PM, Jon Armitage wrote: Vincent Li wrote: I have been using SpamAssassin for quite a while, and used SARE rules and other custom rules. I am interested in writing my own chinese spam rules to block chinese spam email. I cheat and use an Exim acl statement to reject

Re: How SpamAssassin recognize chinese character?

On 9-Jan-06, at 2:16 PM, Matt Kettler wrote: Jon Armitage wrote: Vincent Li wrote: I have been using SpamAssassin for quite a while, and used SARE rules and other custom rules. I am interested in writing my own chinese spam rules to block chinese spam email. I cheat and use an Exim acl

Is my bayes database healthy?

Hi folks, I am running clamav/amavisd-new/spamassassin, spamassassin is called from amavis. my amavis is runned as user clamav. I did not explicitly set bayes_auto_learn,bayes_path.. in /etc/mail/spamassassin/local.cf, but under ~clamav, I can see bayes database file, I run sa-learn --dump magic

How to let SpamAssassin read local custom rules

Hi all, This question might have been asked many times, I googled, no answer found yet. I am running Mac OS X/Amavisd-new/SpamAssassin3.0. SpamAssassin is called by Amavisd-new. my amavisd.conf : # SpamAssassin settings $sa_local_tests_only = 1; # (default: false) $sa_timeout = 30;

Re: How to let SpamAssassin read local custom rules

Hi Rainer, You mean I should always start amavisd service with debug-sa options? Thanks Vincent On Tue, Jan 25, 2005 at 07:45:08PM +0100, Rainer Sokoll wrote: spamassassin -D is your friend. Sorry, have to correct myself: amavisd debug-sa, in this particular case. Rainer

security key invalid on host

on spamassassin.apache.org without success Thank you -- Vincent Toussaint Hybride.com