Re: per-user bayes

2020-12-08 Thread micah anderson
Kris Deugau writes: > There will only be one database and set of tables, but one of the fields > in each table is the user identifier. Fair warning - if you go full > per-user on a large system, this will MASSIVELY balloon the size of your > Bayes database, and most users will idle below the

per-user bayes

2020-12-07 Thread micah anderson
Hi all, I've got a site-wide bayes mysql setup. It keeps getting poisoned quickly, because the user patterns are far too divergent from each other. One person's spam is another person's ham, nobody is happy. A per-user setup would let each user do their own thing, but I don't see how I can do t

Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-11-26 Thread micah anderson
Great to hear, congrats on making this a channel! A very nice thanksgiving treat. "Kevin A. McGrail" writes: > Morning all, > I wanted to share the news from > https://mcgrail.com/newsmanager/news_article.cgi?template=news.template&news_id=11 > > with you all.  We'll also have a mailing lis

Invaluement sendgrid list

2020-10-13 Thread micah anderson
Hi all, I've been trying the https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt list but lately, I've been getting 'Couldn't connect to server' errors, fairly regularly. The site says: 'can set them up for frequent downloads (every minute!) using CURL or WGET - only using the setting that

RE: Amazon, dhl, fedex, etc. phishing

2020-08-24 Thread micah anderson
John Hardin writes: > On Mon, 24 Aug 2020, Marc Roos wrote: > >> You should use spf for this. > > Duh. > > +1 > > whitelist_auth *@amazon.com > blacklist_from *@amazon.com > whitelist_auth *@*.amazon.com > blacklist_from *@*.amazon.com I do not understand this

A new high score!

2020-08-24 Thread micah anderson
What is the highest score you've seen a spam get? I think I just broke my own high score, with a spam that managed to pile up 64 points. I'm sure you all have seen much higher! -- micah

Amazon, dhl, fedex, etc. phishing

2020-08-24 Thread micah anderson
We are regularly getting phishes from dhl, fedex, usps, amazon, netflix, spotify that fake the From (e.g. amazon wants to send me an amadon-legit.pdf). Usually these are previously unknown to pyzor, dcc, rbls, and domain reputation doesn't really exist[0]. I'm wondering if anyone has made a rule

Re: Constructive solution to the blacklist thread

2020-07-24 Thread micah anderson
Noel Butler writes: [weird rant deleted] > There are 192 _other_ countries in the world, the USA is united states There are 194 other countries in the world. -- micah

Re: Constructive solution to the blacklist thread

2020-07-23 Thread micah anderson
BLM thanks Eric Broch for his continued support. If you pass on your address, I'll be sure to tell them to send you a postcard in thanks for your donation. Eric Broch writes: > Political correctness, BLM and Antifa (LGBTQ) as well as feminism (and > many other agendas) are being used as batt

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread micah anderson
Eric Broch writes: > As I've pointed out in previous posts the proponents are under a delusion. It is fascinating that the person who cried about ad hominem attacks so much resorts to the very same. Every time Eric Broch writes to me off-list, or on list about this subject, I donate another $10

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-12 Thread micah anderson
Eric Broch writes: > 2) You accuse "the right wing[er]" of making this issue political when > we've/I've done no such thing. hilariously, you then go on to do exactly that: > The maintainers of the list have listened to those who've turned > something benign (whitelist/blacklist) into somethin

Re: Slipping through the cracks

2020-06-19 Thread micah anderson
John Hardin writes: > On Fri, 19 Jun 2020, micah anderson wrote: > >> So, what can I do to tweak these rules to score things up more, >> specifically the rules that provide a low false positive rate[1]. This >> seems something that should be done programmatically, and n

Slipping through the cracks

2020-06-19 Thread micah anderson
Hi folks, I've spent a lot of time tuning our spamassassin setup over the years. Channels, RBLs, pyzor, DCC, bayes, KAM rules, some home spun rules, etc... and things do work fairly well, the rate is very high, but the ones that get through are the ones that are designed to get around the defen

homograph spam

2020-06-17 Thread micah anderson
Are there any plugins or techniques that can deal with UTF-8 homographs? In particular, I'm seeing a lot of attempts to get past filters that would match on a word like 'amazon', but do not catch it because the 'm' has been replaced by the UTF-8 version of 'm' that looks identical. I understand

Re: Technically not spam

2020-05-31 Thread micah anderson
"@lbutlr" writes: > Squirrelmail is not supported and I would definitely not recommend > anyone run it, especially since you have to run a version of PHP that > hasn’t been supported in 4 years and has known exploits that will > never be fixed. I don't want to disagree with you, because I agree.

Re: pyzor

2020-05-31 Thread micah anderson
Matus UHLAR - fantomas writes: >>> On 31.05.20 10:51, Noel Butler wrote: >>>>Anyone else noticed it seems to scoring much much higher FP's in past >>>>few weeks? >>>> >>>>Ima disable the damn thing I think. > >>Matus UHLAR

Re: pyzor

2020-05-31 Thread micah anderson
Matus UHLAR - fantomas writes: > On 31.05.20 10:51, Noel Butler wrote: >>Anyone else noticed it seems to scoring much much higher FP's in past >>few weeks? >> >>Ima disable the damn thing I think. > > not here. here either. I've been noticing quite good results with pyzor actually, and have thou

Re: shortcircuit internal mail

2020-05-20 Thread micah anderson
Thanks for the reply. John Hardin writes: > On Tue, 19 May 2020, micah anderson wrote: > >> The final stage I thought would be short-circuited, because it was >> relayed through our internal network, and we already do spam filtering >> at the list server stage, we d

shortcircuit internal mail

2020-05-19 Thread micah anderson
Hi, I've already got short-circuit setup, and it works, but not for mail that goes like this: gmail user sends to a mailing list on a mailing list server we host, that server does some spamassassin scanning, and if it passes it then delivers to our users subscribed to that mailing list, which i

Re: spamc learning/reporting

2020-05-18 Thread micah anderson
RW writes: >> 2. I cannot pass -C report and -L spam at the same time. If I do, I >> get this message: >> >> spamc: Learning excludes reporting to collaborative filtering >> databases >> >> and an exit code 64, which is: >> >> EX_USAGE64 command line usage error >> >> however, there

spamc learning/reporting

2020-05-16 Thread micah anderson
Hi, I noticed a few oddities with 'spamc': 1. I cannot pass a full email address to -u, if I pass 'user' it works, but if I pass 'u...@example.com' it fails. How do people handle this with multiple domains? 2. I cannot pass -C report and -L spam at the same time. If I do, I get this message:

Re: spamtrap strategies

2020-05-16 Thread micah anderson
RW writes: >> I'm wanting to setup a spam trap, that should receive nothing but >> actual spam, and feed that into spamassassin in some way. I'm >> wondering the best way to automate feeding that data back to the >> system. >> >> Would it be best used for bayes tuning? It seems not, because it w

spamtrap strategies

2020-05-15 Thread micah anderson
Hi all, I'm wanting to setup a spam trap, that should receive nothing but actual spam, and feed that into spamassassin in some way. I'm wondering the best way to automate feeding that data back to the system. Would it be best used for bayes tuning? It seems not, because it would be 100% spam. W

Re: google as biggest botnet, no kidding

2020-05-12 Thread micah anderson
Riccardo Alfieri writes: > Yes, we are seeing an awful lot of phishing sites hosted under > https://firebasestorage.googleapis.com > > I'd say that 99% of them can be caught by a simple regex though, but I > don't know how common those firebasestorage URLs are in normal emails.. > I personall

Spoofed From: names

2020-04-09 Thread micah anderson
Hi, What is the current state of the art for dealing with tricking people in the From with the "Name" part? For example: From: "supp...@example.com" The "Real Name" part is used to put a fake email address of the actual domain (example.com would be my domain, or gmail.com or something other th

Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread micah anderson
Giovanni Bechis writes: > On 7/3/19 7:11 PM, Riccardo Alfieri wrote: >> On 03/07/19 17:59, atat wrote: >> >>> You say in documentation: >>> >>> You should also drop, by default, all Office documents with macros. >>> >>> What plugin / method do You recommend for that ? >> >> I'm no expert i

Re: Scoring by registrar?

2019-07-01 Thread micah anderson
Sean Lynch writes: >>Having such a list would be very helpful for dealing with fast flux. > > SA already has this. It used fresh.fmb.la to detect domains registered within > the past couple of weeks. It does? Do I need to enable something to get that? -- micah

Re: Scoring by registrar?

2019-07-01 Thread micah anderson
Grant Taylor writes: >> A very large number (nearly all, in fact) of the spams I receive these >> days involve domains registered with Namecheap. I've received hundreds >> of spams involving .icu domains from what appear to be the same spammer. >> I also receive a large number of scams imperso

Re: multiplying in rules

2018-11-20 Thread micah anderson
"Bill Cole" writes: > On 20 Nov 2018, at 13:53, John Hardin wrote: > >> On Tue, 20 Nov 2018, micah anderson wrote: > [...] >>>> What it does do is prevent compiled rules from being installed. But >>>> as I >>>> said it's t

Re: multiplying in rules

2018-11-20 Thread micah anderson
RW writes: > On Tue, 20 Nov 2018 12:53:18 -0500 > micah anderson wrote: > >> RW writes: >> >> > On Tue, 20 Nov 2018 12:38:24 -0500 >> > micah anderson wrote: >> > >> >> I was doing multiplication in rules to add scores, like thi

Re: multiplying in rules

2018-11-20 Thread micah anderson
RW writes: > On Tue, 20 Nov 2018 12:38:24 -0500 > micah anderson wrote: > >> I was doing multiplication in rules to add scores, like this: >> >> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 * >> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOC

multiplying in rules

2018-11-20 Thread micah anderson
I was doing multiplication in rules to add scores, like this: meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 * __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOCAL_LIMIT)) > 1) but now when I run spamassassin --lint, I'm told things like this: Nov 20 09:34:42.096 [11146] warn: c

Re: Current update channels

2018-09-20 Thread micah anderson
"Kevin A. McGrail" writes: > There are people asking me to put KAM.cf under the default sa-update > crypto signature.  Technically, it's easy.  But it would have to be > carefully considered as it's not a project ruleset.  Thoughts on that? I would be interested in KAM as part of an update chann

Re: Understanding ruleQA results

2018-08-14 Thread micah anderson
John Hardin writes: > On Tue, 14 Aug 2018, micah anderson wrote: > >> John Hardin writes: >> >>> On Tue, 14 Aug 2018, micah anderson wrote: > > OK, I can see about adding some mobile MUA exclusions. Any FP headers you > can provide (directly) will b

Re: Understanding ruleQA results

2018-08-14 Thread micah anderson
John Hardin writes: > On Tue, 14 Aug 2018, RW wrote: > >> On Tue, 14 Aug 2018 13:24:47 -0700 (PDT) >> John Hardin wrote: >> >>> On Tue, 14 Aug 2018, micah anderson wrote: >>> >> >>>> I searched my pile of mail that I have from two ic

Re: Understanding ruleQA results

2018-08-14 Thread micah anderson
John Hardin writes: > On Tue, 14 Aug 2018, micah anderson wrote: > >> but how can I tell how many messages are part of the corpus? > > As RW said, hover over the percentages. Thanks. >> Also, the percentages seem very low: 1.5192% Spam, and .0005% >> Ham... 1.5

Understanding ruleQA results

2018-08-14 Thread micah anderson
Hi, I'm trying to understand the ruleQA results because I'm trying to track down how common the rule FRNAME_IN_MSG_NO_SUBJ is spammy. I load the latest rules: http://ruleqa.spamassassin.org/20180813-r1837926-n/FRNAME_IN_MSG_NO_SUBJ/detail?s_corpus=1&s_g_over_time=1#overtime and I see the S/O

Re: SA MySQL DB maintenance

2018-07-17 Thread micah anderson
"Kevin A. McGrail" writes: > I think Bayes should be in redis though not SQL. Curious to know why you think that?

Re: MISSING_SUBJECT

2018-06-14 Thread micah anderson
John Hardin writes: > On Tue, 12 Jun 2018, micah anderson wrote: > >> I had a message marked with: >> >> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >> Subject: >> >> It did not have a subject, but it did have content (althoug

Re: MISSING_SUBJECT

2018-06-13 Thread micah anderson
Matus UHLAR - fantomas writes: > On 12.06.18 19:37, micah anderson wrote: >>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >>Subject: >> >>It did not have a subject, but it did have content (although only >>encrypted) it also hit: &g

Re: MISSING_SUBJECT

2018-06-12 Thread micah anderson
Reindl Harald writes: > Am 13.06.2018 um 01:37 schrieb micah anderson: >> I had a message marked with: >> >> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >> Subject: >> >> It did not have a subject, but it did have content (alth

MISSING_SUBJECT

2018-06-12 Thread micah anderson
I had a message marked with: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) it also hit: * 1.8 MISSING_SUBJECT Missing Subject: header which makes sense, because the mail did not hav

Issuing rollback() due to DESTROY without explicit disconnect() of DBD::mysql::db handle bayes

2015-09-23 Thread micah anderson
Hi, I'm getting these errors in my log files, quite regularly: Sep 23 21:58:16 towhee spamd[25561]: Issuing rollback() due to DESTROY without explicit disconnect() of DBD::mysql::db handle bayes:0.0.0.0 at /usr/share/perl5/Mail/SpamAssassin/Plugin/Bayes.pm line 1590, line 2. It appears that

trusted networks getting marked as spam

2014-10-24 Thread micah anderson
Hi, I've got some machines that are running logcheck, they periodically send mail to us with reports. Sometimes those mails have some spammy stuff in them, because they are mail server logs, or web logs with some spammy stuff in them. I don't want spamassassin to deal with these messages, I wan

Re: update channel list

2012-01-19 Thread Micah Anderson
dar...@chaosreigns.com writes: > On 01/18, Micah Anderson wrote: >> updates.spamassassin.org >> sought.rules.yerp.org >> khop-bl.sa.khopesh.com >> khop-blessed.sa.khopesh.com >> khop-general.sa.khopesh.com >> khop-sc-neighbors.sa.khopesh.com >> >

update channel list

2012-01-18 Thread Micah Anderson
I've had the following channel list for a while: updates.spamassassin.org sought.rules.yerp.org khop-bl.sa.khopesh.com khop-blessed.sa.khopesh.com khop-general.sa.khopesh.com khop-sc-neighbors.sa.khopesh.com but I suspect that some of these are no longer good. I was hoping folks out there might

Re: Bayes timeouts and database handle being DESTROY'd without explicit disconnect

2010-10-26 Thread Micah Anderson
Dominic Benson writes: > On 19 Oct 2010, at 17:05, Micah Anderson wrote: > >> >> Hello, >> >> I'm running a busy mail server. We've got a bayes database on its own >> server, with InnoDB tables. > > What is your total DB size / server RAM?

sa-learn --force-expire taking hours

2010-10-26 Thread Micah Anderson
I was investigating this morning why a number of spam messages were coming through and found that they weren't scoring on bayes, because it was unavailable. The database connection was working fine, but I noticed that the nightly sa-learn --sync --force-expire had been running since 3am, which was

Bayes timeouts and database handle being DESTROY'd without explicit disconnect

2010-10-19 Thread Micah Anderson
Hello, I'm running a busy mail server. We've got a bayes database on its own server, with InnoDB tables. I'm seeing a number of these entries in my log files and am struggling to determine what could be causing them and how to fix them: Oct 19 07:02:10 spamd3 spamd[27474]: learn: exceeded time

Re: dcc: [26896] terminated: exit 241

2010-04-22 Thread Micah Anderson
Ted Mittelstaedt writes: > Actually it's not even that. The notion that Debian spent effort > detecting and removing DCC source is rather farfetched. Sorry, but you are pretty off here. Debian does this all the time. I'm an official Debian Developer and I have personally been involved in doing

Re: dcc: [26896] terminated: exit 241

2010-04-22 Thread Micah Anderson
Michael Scheidell writes: > On 4/21/10 1:25 PM, Ted Mittelstaedt wrote: >> >> >> Distributed Checksum Clearinghouse quite obviously feels that they have >> captured enough fishes in the ocean and are making plenty of money now >> and so do not require all of the free advertising that inclusion of

Re: dcc: [26896] terminated: exit 241

2010-04-21 Thread Micah Anderson
Michael Scheidell writes: > On 4/15/10 5:35 PM, Micah Anderson wrote: >> M >> "The Distributed Checksum Clearinghouse source carries a license that is >> free to organizations that do not sell filtering devices or services >> except to their own users and th

Re: How do I filter out phishing email?

2010-04-21 Thread Micah Anderson
Jari Fredriksson writes: > On 14.4.2010 18:57, yongke wrote: >> >> Well, we send emails on behalf of clients, and so we are trying catch >> phishing spam before they are sent out. Since the email aren't sent yet, we >> had to generate a mock email for SA. The header in the example is what we >

Re: sa-update channels

2010-04-21 Thread Micah Anderson
Kai Schaetzl writes: > Micah Anderson wrote on Wed, 17 Mar 2010 18:20:40 -0400: > >> saupdates.openprotect.com > > It's been said repeatedly on this list: don't use it. Thanks, should I be using the sought.rules.yerp.org channel instead, or some of the dostech ones? micah

spamc randomization

2010-04-21 Thread Micah Anderson
I'm using the --randomize option to spamc, along with the -d switch that has a hostname which resolves to multiple IP addresses. Does the --randomize get passed the full set of IPs that are resolved from the -d hostname and then it randomizes those IPs? In other words, you can have one host name

Re: New log errors on upgrading

2010-04-15 Thread Micah Anderson
Mark Martinec writes: >> More new errors that I am getting from an upgrade to spamassassin 3.3: > > 3.3.0 ? Good question... indeed the version is 3.3.0. >> Use of uninitialized value $start_time in addition (+) at >> /usr/sbin/spamd line 1382, > > That was fixed in 3.3.1 . Great, I didn't se

Re: dcc: [26896] terminated: exit 241

2010-04-15 Thread Micah Anderson
Michael Scheidell writes: > On 4/12/10 4:55 PM, Micah Anderson wrote: >> I'm getting a lot of these log entries ever since I've upgraded: >> >> Apr 9 22:31:14 spamd2 spamd[2774]: dcc: [26896] terminated: exit 241 >> >> > what version of dcc are

New log errors on upgrading

2010-04-12 Thread Micah Anderson
More new errors that I am getting from an upgrade to spamassassin 3.3: Use of uninitialized value $start_time in addition (+) at /usr/sbin/spamd line 1382, and also the following: spf: lookup failed: Can't locate object method "new_from_string" via package "Mail::SPF::Mech::All" at /usr/share/

dcc: [26896] terminated: exit 241

2010-04-12 Thread Micah Anderson
I'm getting a lot of these log entries ever since I've upgraded: Apr 9 22:31:14 spamd2 spamd[2774]: dcc: [26896] terminated: exit 241 Obviously this is related to dcc, but I am not finding anything about what 'exit 241' is, and how I can adjust things so I no longer get them (or maybe they are

meaning of child cleanup

2010-04-01 Thread Micah Anderson
Since upgrading to the new spamassassin, I'm seeing the following two log entries related to cleanup of child PIDs: 1. Apr 1 08:26:38 spamd2 spamd[396]: spamd: handled cleanup of child pid [31720] due to SIGCHLD: INTERRUPTED, signal 2 (0002) 2. Mar 28 18:00:15 spamd2 spamd[17562]: spamd: handle

Re: Botnet plugin still relevant?

2010-03-22 Thread micah anderson
On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd wrote: > Some people need to put in some alternate values for DNS timeouts, but > if you've got a local caching name server, you typically don't need > that. > > There aren't any actual bugs in it that I'm aware of, so I haven't > released a new versi

sa-update channels

2010-03-17 Thread Micah Anderson
I'm trying to find out what the current state of the art is for plugins and channel updates. What are people using nowadays? I just reviewed my plugins and ended up deleting Freemail because it has been pulled into Spamassassin core; removed the postcards plugin because the original source is now

Botnet plugin still relevant?

2010-03-17 Thread Micah Anderson
Hi, I've been using the Botnet plugin version 0.8 for some time now, and the plugin itself has been around since 2003 or so. I'm just curious to test the waters and see what others think about the relevance in 2010 of this plugin. Does it still contribute in positive ways to your setup? I do not

Re: Low scores

2010-03-17 Thread micah anderson
On Fri, 12 Mar 2010 15:44:21 -1000, Julian Yap wrote: > On Thu, Mar 11, 2010 at 7:58 AM, micah anderson wrote: > > > On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap > > wrote: > > > Just wanted to add that this particular line is incorrect: > >

Re: Low scores

2010-03-11 Thread micah anderson
On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap wrote: > Just wanted to add that this particular line is incorrect: > meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST|| > USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO|| > USER_IN_BLACKLIST) > > That will have Blacklisted ema

Re: two databases

2009-06-05 Thread Micah Anderson
* Michael Grant [2009-06-05 10:26-0400]: > On Fri, Jun 5, 2009 at 16:08, Micah Anderson wrote: > > Michael Grant writes: > > > >> I did not realize one could store the bayes scores in sql. > >> > >> So I'd store the bayes scores on a third serv

FreeMail.bl installation instructions

2009-06-05 Thread Micah Anderson
The FreeMail.pm installation instructions are a little thin: ### Install: # # Please add loadplugin to init.pre (so it's loaded before cf files!): # # loadplugin Mail::SpamAssassin::Plugin::FreeMail FreeMail.pm My understanding, and please correct me if I am wrong, is that you actually need to d

Bayes learning trusted networks mailing list email

2009-06-05 Thread Micah Anderson
I get a significant amount of spam that comes through mailing lists that I am legitimately subscribed to, either they are the administration emails asking me if I want to approve the "email" or not, or they are messages that make it through the list. These messages are either hitting ALL_TRUSTED,

Re: two databases

2009-06-05 Thread Micah Anderson
Michael Grant writes: > I did not realize one could store the bayes scores in sql. > > So I'd store the bayes scores on a third server and let both mxes use > the same database. I did this, but my bayes in mysql and pointed two different spamd machines at it, but I had severe problems that I cou

Re: bayes training doesn't seem to have any affect

2009-05-05 Thread Micah Anderson
Karsten Bräckelmann writes: >> This shows me that I have no idea what these magic things are :) Does >> this tell you anything useful? > >> 0.000 06798614 0 non-token data: nspam >> 0.000 0 19136753 0 non-token data: nham > > That's quite a lot of ham

Re: bayes training doesn't seem to have any affect

2009-05-05 Thread Micah Anderson
Adam Katz writes: > Micah Anderson wrote: >>> Also, to see how experienced your Bayes knowledge is - use "$ sa-learn >>> --dump magic" >> >> This shows me that I have no idea what these magic things are :) Does >> this tell you anything usefu

Re: bayes training doesn't seem to have any affect

2009-05-03 Thread Micah Anderson
Dave Walker writes: > Micah Anderson wrote: >> I got a phish message that was understood by bayes as: >> >> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% >> [score: 0.] >> >> So I trained with spamc

bayes training doesn't seem to have any affect

2009-05-02 Thread Micah Anderson
I got a phish message that was understood by bayes as: -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.] So I trained with spamc -L spam but even after that I am still getting BAYES_00. Shouldn't the training have bumped that score

Local rules math problem

2009-05-02 Thread Micah Anderson
I've got a couple custom meta rules, that don't seem to be applying how I expected them to. When I run a message that should hit on these rules I get: [14109] dbg: rules: ran one_line_body rule __LOCAL_PHISHER_USERNAME ==> got hit: "Username:" [14109] dbg: rules: ran one_line_body rule __LO

Re: hostkarma junkemailfilter

2008-11-20 Thread Micah Anderson
"Benny Pedersen" <[EMAIL PROTECTED]> writes: > On Tue, November 18, 2008 22:16, Henrik K wrote: > > postfwd and trusted_networks msa_networks is what i do use here, then minimal > dns lookups is needed olso, facebook have random helo so need to be > whitelisted hard in postfwd and in spamassassin,

Distributing the processing load

2008-11-18 Thread Micah Anderson
Our poor spamassassin machine is not able to keep up with the mail load. We are constantly getting "prefork: server reached --max-children setting, consider raising it" errors, and our max-children are already set at the max that this machine can handle (50). Since we are using spamc/spamd I fig

Re: Funds / Award release scams poor scoring

2008-11-18 Thread Micah Anderson
mouss <[EMAIL PROTECTED]> writes: > Henrik K wrote: >> On Mon, Nov 10, 2008 at 08:49:00AM +0100, mouss wrote: >>> Henrik K wrote: On Mon, Nov 10, 2008 at 12:25:42PM +0530, ram wrote: > The number of DNSWL_LOW and DNSWL_MED misfires have gone up especially > in last two days. Even Marc

hostkarma junkemailfilter

2008-11-16 Thread Micah Anderson
Over at another post about Phishing[0], Brent suggested setting up hostkarma.junkemailfilter to my RBL list, which I have done... However it seems to hit a lot of spams giving them a -5 scoring. I've either got this configured backwards, or this isn't working very well because it whitelists too mu

Re: Overriding user prefs in local.cf

2008-11-12 Thread Micah Anderson
Matt Kettler <[EMAIL PROTECTED]> writes: > Micah Anderson wrote: >> I set some 'add_header' options in my global local.cf and could not >> figure out why they were not being applied. It turns out that because I >> am using SQL user_prefs, any add_header lines

Re: Funds / Award release scams poor scoring

2008-11-12 Thread Micah Anderson
* Justin Mason <[EMAIL PROTECTED]> [2008-11-12 05:20-0500]: > > John Hardin writes: > > On Sun, 9 Nov 2008, Micah Anderson wrote: > > > > > Does anyone have any rules to catch these, or suggestions of scores to > > > tweak to make these hit be

Overriding user prefs in local.cf

2008-11-11 Thread Micah Anderson
I set some 'add_header' options in my global local.cf and could not figure out why they were not being applied. It turns out that because I am using SQL user_prefs, any add_header lines I put in local.cf are just ignored (even though I have no global or individual add_header lines configured in my

Re: Checking for SPF & DKIM Checks

2008-11-11 Thread Micah Anderson
mouss <[EMAIL PROTECTED]> writes: > Francis Russell wrote: >> >> Even with the default DKIM scores, I am finding I am getting spam that are >> >> DKIM_VERIFIED causing the score to dip below zero and let the message >> >> through, for example: >> >> >> >> http://micah.riseup.net/1 >> > >> > th

Re: Barracuda RBL

2008-11-11 Thread Micah Anderson
"Sujit Acharyya-Choudhury" <[EMAIL PROTECTED]> writes: > Thanks Henrik. However, I am not using SVN 3.3 so the rule on its own > will be useful. I'm using: # Add a rule to give barracude RBL a +1 score, this is a really good # RBL, but we were having false-positives when using it to block at #

Re: Hard money conference spam

2008-11-11 Thread Micah Anderson
Rob McEwen <[EMAIL PROTECTED]> writes: > Micah, > > In addition to the barracuda RBL, this IP is also listed on ivmSIP > (since 10/21/08) and ivmSIP/24 Can you provide me with the local.cf details to be able to add the ivm RBLs? > Additionally, the domain "hardmoney-event DOT com" is blacklisted

Re: SURBL Usage Policy change

2008-11-11 Thread Micah Anderson
"Jeff Chan" <[EMAIL PROTECTED]> writes: I think that SURBL is a valuable service, and I understand how it is difficult to maintain such a service without resources. > The funding is, by design, very moderate and will provide much needed > support to sustain this initiative. However, I believe th

Freemail config: dup unknown type freemail_re, Regexp

2008-11-11 Thread Micah Anderson
I recently added the FreeMail plugin, and although it appears to be working, when I start SpamAssassin, I receive this message in my log: Nov 11 06:45:48 spamd2 spamd[29934]: config: dup unknown type freemail_re, Regexp I've put the FreeMail.pm in /etc/spamassassin, and created FreeMail.cf as d

Hard money conference spam

2008-11-11 Thread Micah Anderson
I'm getting probably 4-5 of these a day, the messages vary, so they aren't the same, but they aren't firing on any specific rules related to their 'hard money conference/webinar/seminar' etc. Does anyone have any customized rules for these? I've been training my bayes on them, and it's starting to

Re: Funds / Award release scams poor scoring

2008-11-10 Thread Micah Anderson
* Justin Mason <[EMAIL PROTECTED]> [2008-11-10 05:30-0500]: > > John Hardin writes: > > On Sun, 9 Nov 2008, Micah Anderson wrote: > > > Does anyone have any rules to catch these, or suggestions of scores to > > > tweak to make these hit better?

Re: Funds / Award release scams poor scoring

2008-11-09 Thread Micah Anderson
Chris <[EMAIL PROTECTED]> writes: > On Sunday 09 November 2008 2:33 pm, Micah Anderson wrote: > 2.5 CTYME_IXHASH BODY: iXhash found @ ixhash.junkemailfilter.com This one is interesting to me, when I pump these messages through spamc -R I get: -5.0 RCVD_IN_JMF_W

Re: Funds / Award release scams poor scoring

2008-11-09 Thread Micah Anderson
John Hardin <[EMAIL PROTECTED]> writes: > On Sun, 9 Nov 2008, Micah Anderson wrote: > >> Does anyone have any rules to catch these, or suggestions of scores to >> tweak to make these hit better? I am running clamav-milter with the >> sanesecurity add-ons, but the

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes: > /Dear .{0,12}(web ?mail|columbia\.edu)/i > > /Password.{0,10}\([\s\.\*\_]+\)/ > > /you must reply to this email/i > > Reply-to =~ /[EMAIL PROTECTED]/ I created a meta-rule out of these (with a score of 8), and then ran spamassassin -D < phish to see ho

Re: Checking for SPF & DKIM Checks

2008-11-09 Thread Micah Anderson
Byung-Hee HWANG <[EMAIL PROTECTED]> writes: > mouss wrote: > [...] >> let's start with DKIM. >> >> do you have >> loadplugin Mail::SpamAssassin::Plugin::DKIM > > + i'm use with following rule ;; > score DKIM_VERIFIED -45.3 Even with the default DKIM scores, I am finding I am getting spam that are

Funds / Award release scams poor scoring

2008-11-09 Thread Micah Anderson
I'm getting a number of these types of emails getting through SA with either negative scores, or very low scores. This is surprising to me as these are pretty classic spams. I suspect that some of the low scores are due being DKIM signed. Does anyone have any rules to catch these, or suggestions

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes: > /Dear .{0,12}(web ?mail|columbia\.edu)/i > > /Password.{0,10}\([\s\.\*\_]+\)/ > > /you must reply to this email/i > > Reply-to =~ /[EMAIL PROTECTED]/ I'm new at writing custom rules, so I am trying to figure out the best way to do this. Would it be be

Re: Phishing rules?

2008-11-09 Thread Micah Anderson
Sahil Tandon <[EMAIL PROTECTED]> writes: > Joseph Brennan <[EMAIL PROTECTED]> wrote: > >>> We get some legitimate email from @live.com users. >> >> But they don't set a Reply-to header. That's the test. > > But that wasn't his question; he asked whether any legitimate mail flows > from live.com.

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Karsten Bräckelmann <[EMAIL PROTECTED]> writes: > On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote: >> Joseph Brennan <[EMAIL PROTECTED]> writes: > >> > Do you mean attempts to get your users to send their passwords, >> > or fake mail pretending t

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
SM <[EMAIL PROTECTED]> writes: > At 07:56 01-11-2008, Micah Anderson wrote: >>Here is an example one I received recently, note the hideously low bayes >>score on this one, caused it to autolearn as ham even, grr. > > [snip] > >>X-Spam-Status: No, sc

Re: Phishing rules?

2008-11-02 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes: >> Reply-to: [EMAIL PROTECTED] > > > First pass: > > header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/ > score LOCAL_REPLYTO_LIVE8.0 > > Maybe scoring 8.0 for one thing scares you, but I haven't seen this > fp in a couple of months. I

bayes SQL delays

2008-11-02 Thread Micah Anderson
I have spamd setup to use bayes in a mysql database, works fine. I've turned off auto-expiry and instead run a cronjob to expire in the middle of the night (removes about 40k tokens on a run). I've made the DB innoDB so it can handle locking better. I've got mysql-based user prefs coming from the

Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Brent Clark <[EMAIL PROTECTED]> writes: > Hiya > > See SA examples > > http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists > > Also add hostkarma.junkemailfilter.com to you DNSBL. Thanks, I'll add this to my local.cf and see how it goes. > Another thing I do find is useful is adding additio
