questions on spamassassin

2020-09-05 Thread Rajesh M
dear friends, had a few questions 1) what is the sequence based on which the rules are processed ? is there any documentation on this ? how is the rule number example 20_dnsbl_tests.cf or 25_uribl.cf related to the sequence of rule processing ? 2) is there a way by which if a specific rule is

Re: Spam from Turkey?

2020-09-01 Thread M. Omer GOLGELI
UriRBLs (centuryfear.guru:SURBL,SURBL,URIBL,SPAMHAUSDBL) or PreRBLs (TRUNCATEGBUDB,BLOCKLISTDE) they get denied instantly Did you try contacting via abuse? M. Omer GOLGELI --- August 31, 2020 8:15 AM, "Bill Cole" wrote: > On 30 Aug 2020, at 3:02, Anders Gustafsson wrote: > &

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread M. Omer GOLGELI
mailing without checks is the better approach IMO. M. Omer GOLGELI August 22, 2020 10:17 AM, "Benny Pedersen" wrote: > @lbutlr skrev den 2020-08-22 08:03: > >> On 21 Aug 2020, at 14:15, Benny Pedersen wrote: >>> blacklist_from *+14927644-* >> >&

Re: Why the new changes need to be "depricated" forever

2020-07-22 Thread M. Omer GOLGELI
July 22, 2020 11:46 AM, "M. Omer GOLGELI" wrote: > Like Laura questioned, Oops! /Laura/Loren/ my bad... -- M. Omer GOLGELI

Re: Why the new changes need to be "depricated" forever

2020-07-22 Thread M. Omer GOLGELI
ion) just shut the f*ck up, July 22, 2020 10:39 AM, "Noel Butler" wrote: > if you dont like democracy at work (ppl having their say) , then you fuck off Both of you are acting like children. Well done. Nice language BTW. -- M. Omer GOLGELI

Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
Congrats on derailing another post needlessly. M. Omer GOLGELI July 15, 2020 12:41 AM, "Antony Stone" wrote: > On Tuesday 14 July 2020 at 23:23:29, Martin Gregorie wrote: > >> On Tue, 2020-07-14 at 22:59 +0200, Antony Stone wrote: >> On Tuesday 14 July 2020

Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
know that there's such a limit etc. So for that matter, maybe these can be left for the admins decision to enable them after installation. Or all users should be made aware of these limitations in a better manner and clearly for each semi-commercial RBL used. M. Omer GOLGELI

Re: spamhaus enabled by default

2020-07-14 Thread M. Omer GOLGELI
nowingly using it and weren't aware of the limits. But maybe this kind of RBLs shouldn't be on by default due to their commercial nature and must be left to the user to activate after installation. M. Omer GOLGELI

Re: Technically not spam

2020-05-29 Thread M. Omer GOLGELI
category coincidentally because even if the mail addresses do not exist, you can not get out of the list and can't report address as fake) -- M. Omer GOLGELI May 29, 2020 6:40 PM, "@lbutlr" wrote: > How do people deal with lists that a user subscribed to that re

Re: Question on early detection for relay spam

2020-03-04 Thread M. Omer GOLGELI
the number of outgoing messages and notify you if there's a sudden surge of mail requests. M. Omer GOLGELI --- AS202365   https://as202365.peeringdb.com   https://bgp.he.net/AS202365 NOC:  Phone: +90-533-2600533  Email: o...@chronos.com.tr March 3, 2020 10:26

RE: New bitcoin ransom message today

2019-12-19 Thread Chip M.
On Wed, 18 Dec 2019, John Hardin wrote: >Can you post a spample This is a very interesting pattern that I've seen in a few (9) spams this week. Here's a spample (with only the To header MUNGED): http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt Lindsay, is that what

RE: New bitcoin ransom message today

2018-12-13 Thread Chip M.
As requested: http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt I MUNGED the "To". It's the latest of two sent to me by an awesome volunteer. :) First thoughts: Both were base64 encoded. Both have "disclaimers" that they're not terrorists. :roll-eyes: John Hardin: I'll

Re: 9D character used in words to avoid detection

2018-11-18 Thread Chip M.
Ditto to what John said, however, thanks for the spample Mark. :) Mark, is that the exact network image? If not, do you have access to it? If so, please pastebin it. By "network image", I mean not-mangled by any post filter software. Your posted spample is quoted-printable, and should have been

spample: porn extortion with pure numeric From domain and base64 body

2018-07-17 Thread Chip M.
There's a new morph of the porn extortion campaign, with some interesting under-the-hood changes. The previous ones were always: - two "quoted-printable" parts (plain text, html) - "From" Outlook accounts - sent via Outlook/Hotmail/MS IPs (no other IPs in route) - passed both DKIM and SPF The

SPF PermError (was: "Re: Scans and Invoice spam containg HREF to something bad")

2018-06-27 Thread Chip M.
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith wrote: > Testing despite these errors the only rule I'm getting a hit on from KAM > is JMQ_SPF_NEUTRAL_ALL Andy, thanks for the very useful spamples! :) Could somebody do a sanity check on the SPF record for "ballybofeycarpets.com"? I get a

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
On Tue, Oct 31, 2017, David Jones wrote: >Add the Lashback RBL. I am trying to get this added to the default SA >rules. See my post on 2017-10-17 in the following link and increase the >scores after some testing. David, after your Lashback post, I had added it to my FP

spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
Starting Monday late pm (Iowa time), I've been seeing my first DDE exploits, with significant volume. Here's a spample, with only the account part of the To header munged: http://puffin.net/software/spam/samples/0056_dde_auto.txt The MIME part Content Types are all of the same form, with

phishing spam

2017-09-16 Thread Rajesh M
hello how do we mark such email as spam where our customer is sent an email asking user to verify account to prevent the account being disabled. i have provided below the source of such emails. # Hi metal@mycustomer.net.in , Recently we received some notifications

Re: new campaign: bitly & appengine.google

2017-09-13 Thread Chip M.
KAM, thanks! I took a look at your rules, and like your scoring. :) Over my years, I've seen enough BBB scare campaigns which use shorteners, that perhaps it would make sense to add "KAM_SHORT" to your additive list of metas (I forget what that's called). To all the other repliers: Thanks for

new campaign: bitly & appengine.google

2017-09-12 Thread Chip M.
There's a new campaign that uses Bitly shorteners to some sort of Google forwarder ("appengine"). Here's some sample Locations returned by HEADing the shorteners:

block phishing spam

2017-08-27 Thread Rajesh M
hi we are constantly getting spam which has the following in the body of the email dear u...@domain.com where u...@domain.com is the mailto email id ie our customer's email id is there a way to mark emails containing the mailto email id in the body of the email as spam ? normal email

Re: Anyone else just blocking the ".top" TLD?

2017-07-05 Thread Chip M.
Just spotted my first snow with the TLD ".jetzt". It's selling for $1.88 at NameCheap so should become widespread. On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote: >We get some (very little) real mail from info, biz, and name domains. >All the other new domains are on a "prove you're not

Re: Today's Google Docs phish

2017-05-04 Thread Chip M.
Alex, thanks for the spample! I've only received one (so far), containing the same base domain with the ".win" TLD, also freshly registered at NameCheap with privacy protection and CloudFlare. On Thu, 04 May 2017, Axb wrote: >SA's redirect patterns detected these domains and my logs show >most

spample: banking credential phish using linked image (with no text)

2017-01-28 Thread Chip M.
SpamAssassin caught this phish, however some tweaks would have let it thru, and it's an interesting new (to me) approach, so I figured I'd share it with y'all. Full raw spample (with MUNGED email addresses): http://puffin.net/software/spam/samples/0053_phish_image.txt At arrival time,

Re: spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-25 Thread Chip M.
On Sun, 25 Sep 2016, RW wrote: >If you mean you poison-pill anything with a redirect, then this >doesn't seem all that clever because tinyurl is such a well known >shortener. I poison pill by default, not always. :) If the arrival time HEAD is a redirect to a "skip" listed domain, the poison

spample of not(?)-yet-registered "custom" URL Shortener in Phish

2016-09-24 Thread Chip M.
Here's a spample of a well done "Dropbox" Phish sent thru Gmail, containing a custom URL shortener which (apparently) did _NOT_ exist at message arrival time: http://puffin.net/software/spam/samples/0045_shortener_phish.txt I MUNGED the To & From headers, however I left the original From

Re: spample of "data" URL in well-crafted Phish

2016-09-24 Thread Chip M.
On Fri, 16 Sep 2016, John Hardin wrote: >Chip, could you send me some spamples of non-image data: messages >offlist? The only ones I have anywhere are images. Sent last week - thanks for your ongoing work on this John! :) After that request, I decided to add (in my post SA filter) a minimally

Re: drive-by malware customized to the From.RealName of actual Friends

2016-09-24 Thread Chip M.
John, thanks a TON for your efforts! I was afraid this would be hard to catch. :( On the bright side, the campaign has been morphing, and they are now (IMO) much less enticing, which is a partial victory. :) ** Update: The emails have gone thru two more significant morphs, first with

Re: Catching well directed spear phishing messages

2016-09-15 Thread Chip M.
On Thu, 30 Jun 2016, Olivier Coutu wrote: >The other way to fix that is to detect the lexical distance between the >sender's domain and your organisation's domains, e.g. by building a >plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. >That could be done for a small number of

Re: spample of "data" URL in well-crafted Phish

2016-09-14 Thread Chip M.
On Thu, 8 Sep 2016, John Hardin wrote: >Yes. Given that ID on the first line the corpus owner can find the message >in question, review it, potentially fix misclassifications (that has >happened before), etc. Shiny - that sounds perfect! :) >There's one more exclusion I can add that will take

Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote: >i get a diff-output per mail each time the mailserver configs >are changing That's a completely valid approach, and I am a big fan of pre-emptive first strike (only as applied to potentially evil email). However, the vast majority of those TLDs

Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Sat, 09 Jul 2016, jasonsu wrote: >Fwiw, atm I block all of the following TLDs ... >men, .. >That list is auto-generated. Any & all TLDs that have >sent > 100 messages within the last year *AND* have a Great approach Jason! :) ".men" just recently appeared in my data, and is not showing up

drive-by malware customized to the From.RealName of actual Friends

2016-09-08 Thread Chip M.
Spample: http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt I removed 19 (of 20 original) email addresses out of the To header, ST:TOS munged all remaining email addresses, and munged the target URL to match the other mungings. Everything else is exactly as received,

Re: spample of "data" URL in well-crafted Phish

2016-09-08 Thread Chip M.
On Sat, 3 Sep 2016, John Hardin wrote: >I've tweaked the FP avoidance a bit, maybe that will be enough >to get the S/O up high enough to publish it. John, do you have any detailed info about the Ham hits? I just datamined my three best corpora, from the beginning of 2014 thru this weekend, and

spample of "data" URL in well-crafted Phish

2016-08-31 Thread Chip M.
Freshly caught Spample: http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt The only munging was inserting ".EXAMPLE" between "wellsfargo" and ".com". Four years ago, I read this fascinating article:

Re: SA cannot block messages with attached zip

2016-07-13 Thread Chip M.
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote: >Meanwhile, there is RTF spam that's circulating which is >currently bypassing the sanesecurity sigs. I've just submitted a >sample to Steve, but the db hasn't yet been updated. Here's a >sample: > >http://pastebin.com/ALsSAmwa Alex, thanks for the

Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Chip M.
Thanks for all the lists and references, everyone! :) +1 on block-by-default combined with "skips" for the VERY rare exceptions. I'm scoring (poison pill level), not gateway blocking (more about that in a later post). *** New Snow TLD sighting: Since June 30, the TLD ".stream" has been

Re: Catching well directed spear phishing messages

2016-06-28 Thread Chip M.
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote: >If I search the Internet for the CEO/CIO/CTO/etc of a company >and send and email from my domain but make the displayed name >in the visible From: be that CEO/CIO/CTO/etc's full name that >the recipient is used to seeing in the mail client,

Re: SA cannot block messages with attached zip

2016-06-08 Thread Chip M.
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote: >We list the contents of attached archives >(using "lsar") and have filename-extension rules that block .js >inside .zip files. While this can lead to some FPs, which we handle >with selective whitelisting, it's very effective at catching the

Re: SA cannot block messages with attached zip

2016-05-20 Thread Chip M.
At 04:07 AM 5/20/2016, RoaringPenguin wrote: >filename-extension rules that block .js >inside .zip files. +1 We also block these scripting related Windows extensions: .hta .jse .vbs .wsf Those were originally "pre-emptive", however I've now seen both ".hta" and

re: exploitable LinkedIn forwarder/whatever

2016-05-20 Thread Chip M.
Thanks Andreas! :) Wednesday am, after re-checking that the specific spam URL was still forwarding to the spam payload destination, I emailed that role account... and to my (VERY pleasant) shock, received an auto-reply which did NOT direct me to an unusable web form (i.e. the Google model of

exploitable LinkedIn forwarder/whatever

2016-05-17 Thread Chip M.
Spotted a new exploited forwarder of some sort at LinkedIn - full spample: http://puffin.net/software/spam/samples/0041_linked_forward.txt Except for the munged "To" and "From" email addresses, that's the pristine network image. It came From a known friend at "swbell", who normally sends

Re: new(ish) malware: RTF with MIME payload

2016-05-05 Thread Chip M.
Thanks guys, for all the helpful info and sanity checks! :) Sorry about the Message-ID munging - I get some really useful malware at that domain but no ham, and am a bit paranoid about losing that feed. Followup: >I had considered anchoring the MIME string, however we have a >very powerful

malware campaign: javascript in ".tgz"

2016-04-21 Thread Chip M.
Starting about two hours ago, about 40% of my real-time honeypot spam is a new malware campaign. About a third are hitting "BAYES_00", with about 10% of all having negative SA scores. :( Full spample (with munged email addresses): http://puffin.net/software/spam/samples/0040_mal_tgz.txt

new(ish) malware: RTF with MIME payload

2016-03-19 Thread Chip M.
Starting about two hours ago, more than 80% of my real-time honeypot spam is a new malware campaign. Full spample (with redacted/munged email addresses and Message-ID): http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt This is a variation on an XML file malware campaign that

spamassassin logging

2015-09-17 Thread Rajesh M
hi we are using qmailtoaster with spamassassin currently the spamassassin log details show as such is it possible to log the detailed information in the log files ? ie sender email , recipient email spam rules applied and the spam score. thanks, rajesh

spamassassin detailed logging

2015-06-19 Thread Rajesh M
hi i am using qmailtoaster on centos6.6 64 bit is there a way to have detailed logging for spamassassin which includes the sender and the recipient and the scan result. my current logs are as such which does not show the Jun 19 18:31:45 ns1 spamd[48983]: spamd: connection from localhost

check size of email

2015-06-02 Thread Rajesh M
hi is there anyway to check the size of emails or count the number of characters in an email using spamassassin ? basically i wish to mark emails that are less than 2 kb in size with long links in them as spam since they mostly spam. also is there any way to check if a word / excel document

spamassassin service slow to start

2015-03-02 Thread Rajesh M
hi am using qmailtoaster, centos 6 - 64 bit with spamassassin, dovecot, vpopmail, spamdyke, squirrelmail dell server : intel hexcore 2.2 ghz proc, 16 gb ram i have several such servers. on one of my servers all of a sudden there was a high cpu utilization which continued the whole day -- all

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Chad M Stewart
I use amavis-new and block based on file type. My users should never get legit executables via email, so they are sent to a quarantine. ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types,

Re: rule for restricting incoming email

2015-02-11 Thread Rajesh M
hi i am using qmailtoaster when the emails are sent to specified recipients via bcc then there is a header Delivered-To created which i tried to use to check however spamassassin does not seem to check Delivered-To header what could be the problem ? rajesh - Original Message -

rule for restricting incoming email

2015-02-10 Thread Rajesh M
hi i have an email id : u...@abc.com now i need to set a rule such that u...@abc.com can receive emails only from specific external domains and rest all should be rejected as spam i have set a rule as such header MYDOMAIN_A ToCc =~ /\b(?:test\@mydomain\.com)\b/i header MYDOMAIN_B

Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
Hi. Here is my scenario: Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) - Zimbra In SpamAssassin, I have a whitelist/blacklist. All the e-mail passes through, but Spams are taged (header and subject). My problem is that when an e-mail comes to multiple destinations and one

Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:23 GMT-03:00 David F. Skoll d...@roaringpenguin.com: Option 2 is to accept the message unfiltered, split it into multiple copies, and remail each copy so it can be scanned per-recipient. This avoids the delay, but it also means you cannot reject spam with a 5xx SMTP failure code

Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:17 GMT-03:00 Antony Stone antony.st...@spamassassin.open.source.it: On Wednesday 10 September 2014 at 14:56:06 (EU time), M. Rodrigo Monteiro wrote: Hi. Here is my scenario: Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) - Zimbra My problem is that when

Re: spam with hashes and

2014-08-17 Thread Rajesh M.
hi my spamassassin version is : 3.2.5 the body content message source is like this. how to i block these &#x13DF;&#x043E;m&#x0440;l&#x0435;t&#x0435; th&#x0435; &#x039A;&#x043E;hl'&#x0455; Surv&#x0435;&#x0443;!&#x13DF;l&#x0430;&#x0456;m &#x0443;&#x043E;ur $25 &#x039A;&#x043E;hl'&#x0455; G&#x0456;ft &#x13DF;&#x0430;rd

spam with hashes and

2014-08-15 Thread Rajesh M.
hi we are getting spam with a lot of hashes &#x13AC;m&#x0430 i checked out KAM.cf but not able to trap such emails any solution please ? thanks rajesh

Bypass URIBL_BLACK check for 1 domain

2014-07-29 Thread M. Rodrigo Monteiro
Hi. How can I bypass this check only for my domain, say mydomain.com? M. Rodrigo Monteiro fale...@rodrigomonteiro.net http://twitter.com/MarcioRodrigoM/ http://www.facebook.com/mrodrigom/ http://br.linkedin.com/pub/m%C3%A1rcio-rodrigo-de-oliveira-monteiro/28/491/3b8 http://foursquare.com

Re: Bypass URIBL_BLACK check for 1 domain

2014-07-29 Thread M. Rodrigo Monteiro
2014-07-29 13:18 GMT-03:00 Benny Pedersen m...@junc.eu: disabling html postings with big signature could be a start? How does disabling html helps me? If you do have the answer for what I've asked, then it's fine to respond my question, like Axb did. If not, please don't bother to answer

block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
hi we are getting spam with long url links to external websites. some times the links are hundreds of characters long. few examples given below basically i need to block any url which contains several alphanumeric characters at the end. http://domainname.com/dfd/b7e7c7f=a5d66e_a4404d9 is there any rule

Re: block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
/23/2014 09:09 AM, Rajesh M. wrote: hi we are getting spam with long url links to external websites. some times the links are hundreds of characters long. few examples given below basically i need to block any url which contains several alphanumeric characters at the end.Not a very good idea. Lots

Re: block newsletter type spam with long url

2014-07-23 Thread Rajesh M.
kevin can you please post the kam.cf file online ? i understand some basics but am not good at these. rajesh - Original Message - From: Kevin A. McGrail [mailto:kmcgr...@pccc.com] To: axb.li...@gmail.com,users@spamassassin.apache.org Sent: Wed, 23 Jul 2014 08:31:28 -0400 Subject: Re: block

block newsletter type spam with long url

2014-07-22 Thread Rajesh M.
hi we are getting spam with long url links to external websites. some times the links are hundreds of characters long. few examples given below is there any rule to block these ? basically i need to block any url which contains several alphanumeric characters at the

[Fwd: Rule Update!]

2014-06-16 Thread David Alexandre M. de Carvalho
Good morning. I can also confirm that the rules were updated on my server. Thanks!

No new rules since April 19th?

2014-06-12 Thread David Alexandre M. de Carvalho
Hello! I'm using Spamassassin 3.3.1-2 on two of my servers. Recently I've noticed that there haven't been updates on both channels I use (updates.spamassassin.org and sough.rules.yerp.org). Does this mean that there won't be any more updates for version 3.3.1-2? Thanks and regards! David

Rule header from

2014-05-21 Thread M. Rodrigo Monteiro
Hi. How to create a rule to tag e-mails from *@word.*.com.br? This is what I tested: header TEST From =~ /.*\@word\..*\.com\.br/i SA 3.4 M. Rodrigo Monteiro fale...@rodrigomonteiro.net http://twitter.com/MarcioRodrigoM/ http://www.facebook.com/mrodrigom/ http://br.linkedin.com/pub/m%C3

RE: SPAM from a registrar

2014-05-16 Thread Chip M.
James, are these botnet or snowshoe spam? When you get a chance, please provide some spamples (pastebin or elsewhere), as Kevin recommended. Please mung JUST the email addresses (e.g. change all email domains to example.com, and change the victim account name to victim). If the victim accounts

Score Problem

2014-05-14 Thread M. Rodrigo Monteiro
) on xx.x.xxx X-Spam-Level: X-Spam-Status: No, score=0.0 required=4.0 tests=HTML_MESSAGE,T_REMOTE_IMAGE shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0 = mail header = Regards, Rodrigo M. Rodrigo Monteiro fale...@rodrigomonteiro.net http://twitter.com/MarcioRodrigoM/ http

Re: unusual new pump-and-dump campaign (RCHA)

2014-04-16 Thread Chip M.
Thanks Alex! :) As Alex's rules imply, it switched over to 100% image spam (in my spamtraps), and continued its excellent syncing. Just on April 11, the volume more than tripled, and it hit many different spamtraps than all previous days. Some of those traps had never been hit before, and/or

unusual new pump-and-dump campaign (RCHA)

2014-04-08 Thread Chip M.
links, or any extra headers. The Message-ID always ends with the victim's domain name, NOT the sender (the HTML versions contain standard botnet M-IDs). All are getting thru SA, however most are hitting: HTML_IMAGE_ONLY_28 or HTML_IMAGE_ONLY_32 DC_GIF_UNO_LARGO *** Botnet prep

Re: Rule FH_RANDOM_SURE causing FPs

2014-01-16 Thread Chip M.
I just checked the last six months of my most diverse corpus, and found: two Ham, zero spam. Both ham were sent via different ESPs, each of mediocre quality though with multiple legitimate (albeit Pakled-y) customers. One was from Marriott Rewards with terse SA report: score=0.9

RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.
On 6/10/2013 2:45 PM, Duncan, Brian M. wrote: I rarely have seen any SpamAssassin hits on the bodies of these messages. (cached, score=-0.125,required 6.5, autolearn=not spam, RP_MATCHES_RCVD -0.12) Do you train the Bayes database manually? Or via autolearn only? I use SA via AMaViS

RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.
-Original Message- From: Kris Deugau [mailto:kdeu...@vianet.ca] Sent: Monday, June 10, 2013 2:21 PM To: spamassassin-users Subject: Re: Large # of Spam getting through all of a sudden. *nod* I recently flagged them as a nuisance netblock owner in the internal DNSBL[1] here. I've been

new (?) Google Translate trick using URL Shorteners

2012-12-10 Thread Chip M.
There's a new (to me), overly clever campaign combining Google Translate with a URL shortener. It's fairly low volume, but most are sailing thru SA. It's such a goofy pattern it feels like it's worthy of an Extinction level score. :) These started yesterday (Dec 9) at around 2am Eastern US

re: Trouble with bayes poisoning spam

2012-11-30 Thread Chip M.
Hi Alex! Actually, that's a Snowshoe IP. Which, on balance, can be a good thing, slaying-wise. :) Almost four years ago, I posted my approach to snowshoe slaying: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e It has

another malware MIME header trick that works with at least one email client

2012-07-25 Thread Chip M.
There's yet another variant in the ongoing campaign of HTML file attachments with javascript malware payloads. :( The trick is that it sets the Content-Type to application/zip, and uses an .htm file extension, for example (actual spam): Content-Type: application/zip

new twist on BitLy

2012-05-03 Thread Chip M.
There's a new campaign using bitly.com, instead of bit.ly. Other characteristics are: 1. empty plain text Part, followed by a quoted-printable HTML Part 2. very long HTML Title 3. large Style section, with random text (Bayes salad like) 4. current Subject is FW: your arrest record I expect the

Re: all spam emails from mailengine1.com servers

2011-10-21 Thread Chip M.
R - elists wrote: does anyone get legit emails that come from the mailengine1.com email marketing servers? Yes, I've seen a trickle of ham, so did some data mining for you... The IP ranges I have for them are: 66.59.0.0 - 66.59.31.255 72.19.192.0 - 72.19.255.255 Does anyone

new technique: borked zip attachment w/malware

2011-09-30 Thread Chip M.
There's an interesting new zip attachment obfuscation that uses an encoded EMPTY filename. I've seen barely a trickle, but so far, all have had VERY low SA scores (1.1 with generally unremarkable test hits). I'm still waiting for permission from the recipient to publish a complete sample. Here's

Re: How to get rid of spam with From spoofed to my own domain

2011-09-11 Thread m...@smtp.fakessh.eu
run openspf software on my host and I'm having weird problems in the mail Return-Path: emilien.arino@noa.fr X-Original-To: m...@smtp.fakessh.eu Delivered-To: fake...@localhost.r13151.ovh.net Received: from r13151.ovh.net (localhost.localdomain [127.0.0.1]) by r13151.ovh.net (Postfix

Re: Securing spamd [single (non root) OS user]

2011-07-08 Thread m...@smtp.fakessh.eu
run by root: ps -C spamd -o user,cmd USER CMD root /usr/sbin/spamd -d -r /var/run/spamd.pid -m 2 -u spamd --nouser-config --helper-home-dir=/sysram/spamassassin --allow-tell spamd spamd child spamdspamd child How secure is that (no I didn't make any crazed chroots

anti virus EICAR file is not detected by the couple clamd amavisd

2011-07-05 Thread m...@smtp.fakessh.eu
hi folks in my station anti virus EICAR file is not detected by the couple clamd amavisd all testimonials are welcome --  http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7  gpg --keyserver pgp.mit.edu --recv-key 092164A7 pgpiBHw6zHTrd.pgp Description: PGP signature

RE: DKIM Checks

2011-05-18 Thread Rosenbaum, Larry M.
From: Matt [mailto:lm7...@gmail.com] Sent: Wednesday, May 18, 2011 11:32 AM To: users Subject: DKIM Checks I am running spamassassin-3.2.5-1.el5 on 64 bit CentOS. sa-update -D seems to indicate that the DKIM libraries are installed. ... May 18 10:25:02.683 [15134] dbg: diag: [...]

whitelist ip in trusted network

2011-05-06 Thread Rajesh M
hi i wish to whitelist a few client's server's static ip in the spamassassin trusted network i am entering a line like this in local.cf file. trusted_networks xxx.yyy.zzz.ppp if i do this then the email from this server ip should be given a negative score but it does not seem to work

Re: whitelist ip in trusted network

2011-05-06 Thread Rajesh M
On 05/07, Rajesh M wrote: trusted_networks xxx.yyy.zzz.ppp if i do this then the email from this server ip should be given a negative score but it does not seem to work That's not what trusted_networks does. It skips the Received header from those IPs for things like DNS blacklist

Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Chip M.
mouss wrote: with a stock config, and without Bayes, it now yields: Hmmm, interesting! Yes, all the caught spam here were due to RBL hits. Which begs the question, what SpamAssassin tests are hitting for the misses vs the kills? Here's what hit (here), for the first 38 missed spams: Test

Re: My attempt at re-calculating test scores

2010-12-24 Thread m
Hi, Is this corpora available for public use (e.g using the corpora for their testings)? All I know is that SA has an old public corpora that dates back in 2005. (Sending from BB) --- Mahmoud Khonji -Original Message- From: Warren Togami Jr. wtog...@gmail.com Date: Thu, 23 Dec 2010

RE: Fake MX

2010-12-13 Thread Rosenbaum, Larry M.
From: Bob Proulx [mailto:b...@proulx.com] Subject: Re: Fake MX [...] but that is distinct from being a tarpit, which is what I'm trying to clarify. A discussion around the definition of tarpit, and why tarbaby might be a suboptimal, though catchy, name? For the record a tarbaby:

RE: email address forgery

2010-11-12 Thread Rosenbaum, Larry M.
Are there domains that have actually defined SPF record type records? I haven’t been able to find any, but it could be the fault of the tools I’m using. L From: Noel Butler [mailto:noel.but...@ausics.net] Sent: Thursday, November 11, 2010 5:14 PM To: users@spamassassin.apache.org Subject: Re:

Re: Full circle DNS test?

2010-10-29 Thread m
How do you expect this to handle cases when a single IP address (i.e single MTA) is responsible for sending emails for multiple domains. The domain name match won't happen for all. That's why we have SPF, SenderID (MS didn't want to feel left out, and DKIM (RFC standard). As far as reverse

Re: Full circle DNS test?

2010-10-29 Thread m
already block all email at my MTA that doesn't pass it. Since January 2007, apparently. So I think it's worth having a test for. On 10/30, m...@khonji.org wrote: How do you expect this to handle cases when a single IP address (i.e single MTA) is responsible for sending emails for multiple

Re: Collecting IP reputation data from many people

2010-10-21 Thread m
I was originally thinking it would be most informative to provide the number of spams and non-spams from each IP over some time period. Google has a presentation in CEAS (check ceas.cc website) that explained a very similar approach to fight SPAM by ranking mail senders. As the presentation

Re: Collecting IP reputation data from many people

2010-10-21 Thread m
www.ceas.cc/2006/19.pdf --- Mahmoud Khonji -Original Message- From: m...@khonji.org Date: Fri, 22 Oct 2010 01:03:54 To: dar...@chaosreigns.com; users@spamassassin.apache.org Reply-To: m...@khonji.org Subject: Re: Collecting IP reputation data from many people I was originally

Re: How do I get delisted from SORBS? [OT]

2010-10-08 Thread m
It differs because I am saying they *should* remain listed forever. False positives are far worst than false negatives for businesses. Some blacklists do not tolerate a FP of more than 1%. Blacklists are behind the line as they don't fight zero-hour attacks, and the only reason why blacklists

Re: Need God/Christian rule sets

2010-10-03 Thread m
How do you propose to make such relations between the keywords, and how to mitigate false positives? Naïve Bayes deals with words independently. If we want to link between words, I think we are into Natural Language Processing (NLP). If you have any good thoughts please share. --- Mahmoud

RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.
-Original Message- From: njjrdell [mailto:nruggi...@dellmagazines.net] Sent: Wednesday, September 29, 2010 11:32 AM To: users@spamassassin.apache.org Subject: Re: DOS_OE_TO_MX I'm pretty sure she would not send a GTUBE. Here is another from her Sep 28 08:35:26 nsmail

RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.
/updates_spamassassin_org/50_scores.cf or some similar directory. To find your config directory path, try this: spamassassin -D config --lint Rosenbaum, Larry M. wrote: -Original Message- From: njjrdell [mailto:nruggi...@dellmagazines.net] Sent: Wednesday, September 29, 2010 11:32 AM

Re: New plugin: DecodeShortURLs

2010-09-20 Thread Chip M.
Steve Freegard wrote: Hopefully it will be useful to others; you can grab it from: Thanks Steve! Suggestions (for future enhancements): 1. Consider splitting the list of shorteners between those that are well established and KNOWN to be reasonably diligent, and all others (e.g. the anti-pattern

Re: Yahoo HTML Base64 Attachments

2010-09-20 Thread Chip M.
On 19 Sep 2010, John Hardin wrote: Adding to my sandbox for masscheck: rawbody HTML_OBFU_ESC /document\.write\(unescape\((?:%[0-9a-f]{2}){10}/i It performs pretty well. It should be in the next rules update, under a slightly different name (OBFU_JVSCR_ESC). Shiny! How about

application/octet-stream obfuscated JPEGs

2010-09-20 Thread Chip M.
There's a new morph from our old nuisance, the inline PNG/RTF, and all manner of wavy image insecure-boy-drugs spammer. :( Here's a sample: http://puffin.net/software/spam/samples/0009_jpg_oct.txt It began (here) on Sep 10, and replaced his (relatively boring) Your wife photos attached
