works at
http://www.real-world-systems.com/mail/sa-heatu.html#backgrnd
which adds aging so as to lose old entries otherwise kept forever.
I also have some thoughts about discarding hammers at the end of that
document.
Any feedback on this would be welcome.
Dennis German
On 3/3/11 10:09 PM, Karsten Bräckelmann wrote:
On Fri, 2011-03-04 at 03:36 +0100, Karsten Bräckelmann wrote:
On Thu, 2011-03-03 at 15:52 -1000, Warren Togami Jr. wrote:
Could we please make an official project statement that 3.2.x is
unsupported and people should really update to 3.3.x?
That
On 3/3/11 8:06 PM, Karsten Bräckelmann wrote:
On Fri, 2011-03-04 at 01:53 +0100, Mikael Syska wrote:
I get the following hits:
Content analysis details: (19.1 points, 5.0 required)
Note though, that your score is on SA 3.3.x, while the OP uses SA 3.2.x.
Yes, I can tell this from the scores.
Can someone comment on the low score assigned to the email located at
http://www.cccu.us/hundredThousand.txt
X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001,
MILLION_USD=1.528
Is my bayes broken?
On Oct 23, 2010, at 12:31 PM, Royce Williams wrote:
On Sat, Oct 23, 2010 at 7:31 AM, Per Jessen p...@computer.org wrote:
Royce Williams wrote:
On Fri, Oct 22, 2010 at 5:19 AM, Michael Scheidell
michael.scheid...@secnap.com wrote:
On 10/21/10 8:50 PM, dar...@chaosreigns.com wrote:
I'd
Is there? should there be a rule for a header like:
To: undisclosed-recipients:;
I am surprised this plain text spam did not trip for US$350,000
sa 3.2.4
http://www.Real-World-Systems.com/mail/spam.un
On Oct 19, 2010, at 5:56 PM, Karsten Bräckelmann wrote:
On Tue, 2010-10-19 at 22:41 +0100, Ned Slider wrote:
On 19/10/10 22:34, Dennis German wrote:
I am surprised this plain text spam did not trip for US$350,000
sa 3.2.4
Uhm, a generic amount of money on its own is not a sign of spam
pts rule name $1.oo |grep -v \-\-\-\-
where user_prefs.rptonly contains
add_header all report _REPORT_
add_header all testscores _TESTSSCORES(,)_
I run the script multiple times and get unpredictable results regarding the
appearance of MISSING_MID.
Thank you,
Dennis German
Hello world
There is at least one problem with my script, NOT spamassassin.
I did not expect the results to be in different order.
The grep -A14 'pts rule name' may not display all the errors.
Sorry 'bout that.
Dennis
complaints of BLs and before HTML issues.
Has anyone seen this behavior?
Thank you,
Dennis German
Hello world, goodnight moon
and the output will be
significantly smaller.
I don't know of any program, but if there is interest I might write one.
Dennis German
On Sep 15, 2010, at 1:42 PM, RW wrote:
On Wed, 15 Sep 2010 11:18:20 -0400
Dennis German dger...@real-world-systems.com wrote:
On Aug 26, 2010, at 10:11 AM, Grant Peel wrote:
...
~/.spamassassin/bayes* files had grown to 1.5 GB
I have put:
use_bayes 0
bayes_auto_learn 0
In the last several weeks I have been receiving a lot of spam with email
addresses of the form:
learningmadeeasy.???...@??.yourseemlost.net
learningmadeeasy.???...@??.hisoftenusing.net
learningmadeeasy.???...@??.wheatdrinkcontrol.net
learningmadeeasy....@??.actbookfelt.net
on SpamAssassin 3.2.4 (2008-01-01)
I requested they upgrade last year and they weren't interested.
I requested this last week and they are still evaluating it.
Thank you,
Dennis German
,
HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
autolearn=no
This particular message scored a 2.808 so it's not high or low enough
for bayes to know which way it should learn the message.
--Dennis
On Wed, 2010-04-28 at 12:38 -0400, Carlos Mennens wrote:
I checked /etc/mail/spamassassin/local.cf just now and found only the
following:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
However I don't know if Amavisd-new is looking at local.cf because I
show parameters
be using 1 GB or so total...
--Dennis
mistakes as easily.
--Dennis
?
Is there a way to have the AWL rule only triggered if there is a minimum
number of messages seen by that sender?
--Dennis
).
--Dennis
? Is there a way to report FP to KHOP?
Thanks,
--Dennis
On Fri, 2010-03-26 at 11:35 -0400, Michael Scheidell wrote:
On 3/26/10 10:41 AM, Dennis B. Hopp wrote:
I received the following e-mail
http://pastebin.com/JXr9buxi
It had a total score of 4.973 (blocked at 5). Among other rules it hit:
KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED
correctly with 3.3.0. There is a patch in
the svn for maia that fixes the issue.
--Dennis
-To header...is there a way
to differentiate In-Reply-To and Reply-To ?
Thanks,
--Dennis
for *this* mailing list would
trigger your rule. So you will also need to meta this with a rule that
tests for yahoo mail server being the sending SMTP client
Good point. I didn't think about that..
--Dennis
On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote:
The problem with this is that the !__FORGED_YH2 matches
when there is *NO* Reply-To header at all!
You need something like this:
header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
meta FORGED_YAHOO
, MSGID_MULTIPLE_AT=1.449] autolearn=no
*
Am I missing something in my local.cf that is not properly scoring all
incoming messages?
In this example you also have tagged_above=-999 which leads me to
believe you are using amavisd-new. Are both servers using
amavisd-new?
--Dennis
Martin suggested and compare it to what
samples I have.
Thanks,
--Dennis
Reply-to
header __FF1 From =~ /\@(hotmail|yahoo|gmail)\.com/i
header __FF2 Reply-to =~ /\.jp/i
meta FORGED_FROM (__FF1 && __FF2)
score FORGED_FROM 5.0
Thanks Martin. This is actually far simpler than I was thinking it
would be.
--Dennis
the same message).
Sadly, we have had this happen a couple of times with hotmail and yahoo
addresses.
What can I say, some of our clients aren't exactly the most tech savvy.
--Dennis
...and I suppose the same would apply to social networks. I don't use
either, so am somewhat clueless about what goodies are available if you
can access their accounts.
I have some free e-mail accounts that I use as throw away accounts.
When a site just HAS to have a valid e-mail so you can
--Dennis
On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote:
On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
Obviously we just have to tell the clients that they need to deal with
the various e-mail providers, but is there an effective way that I can
filter these messages out
Quoting Kai Schaetzl mailli...@conactive.com:
Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:
Obviously I have something going on with my bayes, but that's a
separate issue
Indeed. But it's an important issue. If it is that biased for other
spam as well
you are better off
Thanks,
--Dennis
Nevermind...it was also hitting
T_LOTS_OF_MONEY
and once I expired old bayes tokens it no longer hit BAYES_00. Now I
just have to figure out what's up with my bayes db.
--Dennis
Quoting Dennis B. Hopp dh...@coreps.com:
I have been seeing a few spam mails slip past that talk about being
was thinking that when referring to US Dollars it wouldn't be. Now
that I think about it I can understand why my original thought was
wrong.
I guess it doesn't really matter since the message was actually
hitting another rule (T_LOTS_OF_MONEY) that I somehow missed.
--Dennis
to
see the X-Spam-report (which is Not included in ham !)
My userprefs is always available at
http://www.Real-World-Systems.com/mail/user_prefs.html
I have not manually trained bayes.
Thanks
John Hardin wrote:
On Tue, 25 Aug 2009, Dennis German wrote:
email with this content:
CONGRATULATION
email with this content:
CONGRATULATION YOUR EMAIL ADDRESS HAS WON YOU THE 2010 FIFA WORLDCUP LOTTERY
OPEN THE ATTACHMENT AND VIEW THE PROFILE OF YOUR WINNING FUND, ALSO CONTACT
YOUR CLAIM AGENT
received these scores
X-Spam-testscores:
sa-learn --dump magic
config: could not find site rules directory
0.000 0 3 0 non-token data: bayes db version
0.000 0 262297 0 non-token data: nspam
0.000 0 24621 0 non-token data: nham
0.000 0 142776
copy a message or two (with full headers) to pastebin so we
can have a look?
--Dennis
Summary:
Problem:
Observing scatter from many different sites coming to vari...@mydomain.com
.
These are NDRs (Non delivery Responses) to messages sent from
the forger or infected system :
59.184.51.13 aka triband-mum-59.184.51.13.mtnl.net.in
Is already blacklisted on many Realtime
Is Backscatter.org http://www.backscatterer.org/index.php used by any
rules?
I looked but did not find any.
Dennis G German
I have received many emails in the last hour which were undeliverable,
NOT sent by me.
It seems someone is forging usernames in my domain Real-World-Systems.com
as the from: and the return-path: .
Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
I have sent a message to
?
Thanks,
Wes
Try putting the header on a site like www.pastebin.com and then put
the link in your e-mail rather than the actual header.
--Dennis
Quoting LuKreme krem...@kreme.com:
On Jul 30, 2009, at 18:12, Dennis B. Hopp dh...@coreps.com wrote:
Yeah I knew that. I have a few negative scoring rules but not many
(outside of what might be in the misc rules sets I have). What is
a good threshold for ham then?
5.0 is the score SA
for
accuracy and I was hoping to make the auto learn a little better. I
thought maybe I just didn't have enough rules (both negative and
positive scoring) to trigger the auto learn often enough.
Thanks,
--Dennis
Quoting John Hardin jhar...@impsec.org:
On Fri, 31 Jul 2009, Dennis B. Hopp wrote:
I cleared my maia statistics a couple of days ago. Since then
BAYES_00 has triggered 4510 times, BAYES_99 2366 times and BAYES_50
1568 (all the other BAYES_XX are less than 1000 times).
Do they all add
Quoting Karsten Bräckelmann guent...@rudersport.de:
On Fri, 2009-07-31 at 06:07 -0700, John Hardin wrote:
On Fri, 31 Jul 2009, Dennis B. Hopp wrote:
I cleared my maia statistics a couple of days ago. Since then
BAYES_00 has
triggered 4510 times, BAYES_99 2366 times and BAYES_50 1568
Quoting Karsten Bräckelmann guent...@rudersport.de:
If I'm reading that correctly less than 50% of mail is actually
being filtered (seems like it should be higher than that). Those stats
Actually, the numbers you gave for the last couple days are even
lower. About one third, 15k out of 45k do
,
--Dennis
that. I have a few negative scoring rules but not many
(outside of what might be in the misc rules sets I have). What is a
good threshold for ham then?
--Dennis
Do you see any x-Spam headers in the emails ?
Is this on a shared server (cPanel)?
hateSpam wrote:
I have spamassassin installed in my server but I have never had an email with
[SPAM] in the subject. I get lots of spam. I think it is not checking
properly.
anybody know how to solve the
How 'bout a link from HEAT ( Heuristic Email Address Tracking )
Matus UHLAR - fantomas wrote:
On Wednesday 27 May 2009 LuKreme wrote
No, you are confused. This is common, lots of people are confused
about this. This is why many people think the name needs to be
changed to Averaged
Sahil Tandon wrote:
On Sun, 17 May 2009, Dennis German wrote:
Could someone discuss or add a wiki page about?
SPF_SOFTFAIL
http://www.openspf.org/RFC_4408#op-result-softfail
SPF_NEUTRAL
http://www.openspf.org/RFC_4408#op-result-neutral
Could someone discuss or add a wiki page about?
SPF_SOFTFAIL
SPF_NEUTRAL
RDNS_NONE Delivered to trusted network by a host with no rDNS
* 12 FUZZY_OCR BODY: Mail contains an image with common spam text inside
* [Words found:]
[viagra in 5 lines]
[profit in 1 lines]
[(9 word occurrences found)]
--
Dennis Davis, BUCS
the phishers are now sending out form URLs to
be completed:
http://jotform.com/form/91140758246
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
There are a group of rules that begin with TDV_ like
TVD_PH_SUBJ_ACCOUNTS_POST, TVD_QUAL_MEDS, TVD_RCVD_SINGLE
What does TDV stand for?
I have had
required_score 3.97
since 4/1/09 but spamassassin email says
X-Spam-Report:
...
Content analysis details: (18.4 points, 4.0 required)
also MISSING_DATE 3.0 should be 2.97 and
MISSING_MID 3.0 should be 2.97
I had these values several days ago!
Any
spamassassin --version
SpamAssassin version 3.2.4
ls -l /var/lib/spamassassin
drwxr-xr-x 3 4096 Oct 16 18:27 compiled/3.002004 ...
The ONLY directory under /var/lib/spamassassin
is
compiled
and it does not contain any .cf files,
nor do any of the subdirectories
PS
Sorry
sa-update
mkdir /etc/mail: Permission denied at /usr/bin/sa-update line 1226
There is no /etc/mail directory available. (I believe the /etc directory I
can view is artificial)
I cannot make a mail directory.
I suspect this is another cPanel (shared host) problem.
Is there a way I can
I believe this is another cPanel issue.
Attempting to run sa-update displays:
mkdir /etc/mail: Permission denied at /usr/bin/sa-update line 1226
How can I determine the last time sa-update was run?
?
Thanks,
Dennis German
Is there a document regarding the interpretation of
sa-learn --dump magic
config: could not find site rules directory
0.000 0 3 0 non-token data: bayes db version
0.000 0 261451 0 non-token data: nspam
0.000 0 18530
0) Michael, thanks
1) what are the various zero columns??
for example in 0.000 0 3 0 non-token data: bayes db version
2) Is this good? not too good? bad? trouble?
On Mar 16, 2009, at 14:03, Michael Scheidell wrote:
Is there a document regarding the interpretation
Updated, Thought you all might be interested ( see updates)
My intention is to observe false negatives (i.e. spam seen as ham) and
increase the score of one or more of the tests in an effort to cause
additional spam to be detected.
I am using a hosting service where spamassassin
Attempting to see how spamassassin would score a message
I tried
spamassassin lottery.msg
[32179] warn: config: could not find site rules directory
check: no loaded plugin implements 'check_main': cannot scan! at
Is there a utility to display auto-whitelist ?
Modify entries? remove entries?
Yes, it has been a problem as there are so many domains used. However..I
took everyone's earlier suggestions, including training Bayes against FN
snowshoe spam and adding the Barracuda RBL (BRBL), and this appears to
almost completely take care of the problem!! So far I have been able to
Hi, I'm getting hammered by snowshoe spam :-( I've added rules to try to
catch common formats of included URLs in the spam, but I'm wary of scoring
these rules too high because of the potential for false positives. It's
hard to come up with other rules as the spam e-mail content is so generic.
why are those scores low? What gives them negative score?
those rules have quite high score...
Here is an example (without my rules): http://pastebin.com/m4400a74d
The ones that get through are relatively short and simple, and many are very
clean. This example is just one that focuses on
Is this spam for snowshoes or some spam term?
Like a snowshoe spreads the load of a traveler across a wide area of snow,
some spammers use many frequently-changing IP addresses and domains to
spread out the spam load in order to dilute recipient reputation metrics and
evade filters.
see
I've been using this rule to knock some of these down:
[...]
Highly unusual to have a url like that in ham...
I'm running a meta to bump up the score...
Yes, I've actually been doing the very same thing (URI detection and metas,
and then string matching in the tail part of the e-mail) !
Can you repost that with full headers?
Yes, I have to wait for more to come through though as I have gotten into
the habit of just deleting the FNs.
No DNSBL hits on the URI domain?
No, the domains change too quickly, so I almost never get DNSBL hits for
these. I have DNSBL greylisting
your BAYES is misfiring. The difference between BAYES_05 and BAYES_99 is
4.6
so you could have score of 5.7 if you'd have well-trained BAYES.
Yes, that would be great. I will look at trying this. I do get tens of
thousands of e-mails a day through this system though so it is hard to do
Everyone has given very helpful feedback! At present it definitely sounds
like I should tweak my rules and train my bayes. I will try taking steps
here and see how it goes.
Thank you all so very much!
Hi, I was hoping someone on this list could help me with a custom rule for
SpamAssassin. I'm not an expert at perl regexps at all, and spent a lot
of time trying to come up with a working match, all to no avail...
What I would like to match on is URLs that do _not_ start with a third level
How about:
/:\/\/[^.\/]+\.[^\.\/]+\//
Hi John, sweet, this seems to work! Could you help me with how to add a
list of com|net|info|biz|etc before the closing /, so it will match
against a list of known TLDs?
Many thanks, you are awesome :-)
.dh
difficult it would
be for you to install and I've never used it myself.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
Using Spamassassin 3.1.8. I haven't updated SA in about six months. Ran
SA-update -D using the default channel of updates.spamassassin.org, received
error new version is 585884, skipped channel.
What exactly is going wrong here. Has the sa update default channel been
changed?
guys, even though we use SA for tagging... the real short to long term
solution is TMDA
just my 2c worth
On 5/31/07, jdow [EMAIL PROTECTED] wrote:
From: John D. Hardin [EMAIL PROTECTED]
On Wed, 30 May 2007, John D. Hardin wrote:
Take a look at the spamassassin procmail ruleset at
most, if not all spam have spoofed addresses headers that do not resolve to
a valid account on any host, that said, how is it a problem ?
On 5/31/07, Matt Kettler [EMAIL PROTECTED] wrote:
John Rudd wrote:
Per Jessen wrote:
Dennis Kavadas wrote:
guys, even though we use SA for tagging
if i had never met you before and if i asked you to knock on my door before
barging in, would you believe that was too much to ask of you ?
On 6/1/07, jdow [EMAIL PROTECTED] wrote:
From: Per Jessen [EMAIL PROTECTED]
Dennis Kavadas wrote:
guys, even though we use SA for tagging... the real
why ?
On 5/31/07, John Rudd [EMAIL PROTECTED] wrote:
Per Jessen wrote:
Dennis Kavadas wrote:
guys, even though we use SA for tagging... the real short to long term
solution is TMDA
I remember one of my friends saying just that - about 5 years ago. It
might be fine for personal email
why isn't it useful in a business context ?
there sender gets a challenge once ! ...how is that a problem ?
On 5/31/07, Per Jessen [EMAIL PROTECTED] wrote:
Dennis Kavadas wrote:
guys, even though we use SA for tagging... the real short to long term
solution is TMDA
I remember one of my
i think we all need to read the TMDA FAQ ! :-)
On 6/1/07, Rick Macdougall [EMAIL PROTECTED] wrote:
jdow wrote:
From: Rick Macdougall [EMAIL PROTECTED]
Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my
door before barging in, would you believe
SPF records.
In particular the Sanesecurity additions to ClamAV detect this as:
Html.Phishing.Bank.Sanesecurity.06030604
We've detected (and rejected) over 1300 copies of this particular
phishing scam over the last couple of weeks or so.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY
on the main
site (www.sanesecurity.com). Blog additions are coming, but might
not make it until tomorrow.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
I keep getting this error - Cant locate object method 'new' via package
IO::Zlib at /usr/bin/sa-update line 671 - when attempting to run sa-update.
It worked fine when I ran it about 10 months ago (im way behind).
Using SA version 3.1.3 on Fedora.
at exim's wiki. This specific case is covered in:
http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0710
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
that? It's probably nothing, just want make sure that we
know about this, just in case the bastards found a hole.
Regards,
Dennis Du Krøger
Doh, it's easier with some examples, didn't think of posting a link
until I saw another do it in the archives. (sorry for being a newbie :s)
http://www.hp23c.dk/~d/strangespam/
Notice how 3 of the lines stays exactly the same, while 2 are random.
Regards,
Dennis
upgrading to SpamAssassin-3.1.7. Then
run sa-update. Install the Botnet plugin. That should score on the
sample you've given. Also look at installing selected rules from
the SpamAssassin Rules Emporium if you aren't already doing so.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL
the files located in /etc/mail/spamassassin) I
would happily incorporate it.
Well, you *could* do this with soft links. But that would be
a terrible hack :-(
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
([89.139.185.37] helo=mafioso)
(I've tweaked the BOTNET rules. It would score more with a standard
configuration.)
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101