freemail plugin

2008-06-25 Thread Benny Pedersen
can you change it to list reverse, so freemail domains is all other than what is not freemail domain ? this is imho more simple to know where to pay for email than to know with domains is free :-) this also save us work to add new spamming and free email domains all time else i can just say its

FreeMail Plugin

2008-07-02 Thread Dj Helmes
Where can I find the url to download the FreeMail Plugin? -- DJ Helmes

FreeMail Plugin

2015-02-17 Thread ricky gutierrez
Hi, I have been updating some dependencies CPAN, but spamassassin shows that warn: spamassassin --lint [18198] warn: Use of uninitialized value $tlds in regexp compilation at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/FreeMail.pm line 121. someone on the list could explain this warn?

Re: FreeMail plugin

2008-03-21 Thread Jari Fredriksson
> Hello, > > I updated my FreeMail plugin with a big list of domains > (http://www.rhyolite.com/anti-spam/freemail.html). > > Try it out: > > http://sa.hege.li/FreeMail.pm > http://sa.hege.li/FreeMail.cf > > Pretty good hit ratio here, especially when

Re: FreeMail plugin

2008-03-21 Thread Marc Perkel
Henrik K wrote: Hello, I updated my FreeMail plugin with a big list of domains (http://www.rhyolite.com/anti-spam/freemail.html). Try it out: http://sa.hege.li/FreeMail.pm http://sa.hege.li/FreeMail.cf Pretty good hit ratio here, especially when you add some extra scores like FREEMAIL_FROM

Re: FreeMail plugin

2008-03-22 Thread Justin Mason
Henrik K writes: > I updated my FreeMail plugin with a big list of domains > (http://www.rhyolite.com/anti-spam/freemail.html). > > Try it out: > > http://sa.hege.li/FreeMail.pm > http://sa.hege.li/FreeMail.cf > > Pretty good hit ratio here, especially when you

Re: FreeMail plugin

2008-03-22 Thread Tarak Ranjan
On Sat, 2008-03-22 at 12:28 +, Justin Mason wrote: > Henrik K writes: > > I updated my FreeMail plugin with a big list of domains > > (http://www.rhyolite.com/anti-spam/freemail.html). > > > > Try it out: > > > > http://sa.hege.li/FreeMa

Re: FreeMail plugin

2008-03-22 Thread Henrik K
On Sat, Mar 22, 2008 at 06:41:26PM +0530, Tarak Ranjan wrote: > > On Sat, 2008-03-22 at 12:28 +, Justin Mason wrote: > > Henrik K writes: > > > I updated my FreeMail plugin with a big list of domains > > > (http://www.rhyolite.com/anti-spam/freemail.

Re: FreeMail plugin

2008-03-23 Thread Tarak Ranjan
On Sat, 2008-03-22 at 15:51 +0200, Henrik K wrote: > On Sat, Mar 22, 2008 at 06:41:26PM +0530, Tarak Ranjan wrote: > > > > On Sat, 2008-03-22 at 12:28 +, Justin Mason wrote: > > > Henrik K writes: > > > > I updated my FreeMail plugin with

Re: FreeMail plugin

2008-03-24 Thread Henrik K
> Henrik K writes: > > > > > I updated my FreeMail plugin with a big list of domains > > > > > (http://www.rhyolite.com/anti-spam/freemail.html). > > > > > > > > > > Try it out: > > > > > > > > > > http:/

Re: FreeMail plugin

2008-03-24 Thread Marc Perkel
Henrik K wrote: Hello, I updated my FreeMail plugin with a big list of domains (http://www.rhyolite.com/anti-spam/freemail.html). Try it out: http://sa.hege.li/FreeMail.pm http://sa.hege.li/FreeMail.cf Pretty good hit ratio here, especially when you add some extra scores like FREEMAIL_FROM

Re: FreeMail plugin

2008-03-24 Thread Henrik K
On Mon, Mar 24, 2008 at 09:19:19AM -0700, Marc Perkel wrote: > > I have a suggestion for your freemail plugin. I don't know if you can do > this but if you can I want to see how. > > First look at the last received and verify that it is genuine. (Forward > Confirmed rDN

Re: FreeMail plugin

2008-03-24 Thread mouss
Marc Perkel wrote: Henrik K wrote: Hello, I updated my FreeMail plugin with a big list of domains (http://www.rhyolite.com/anti-spam/freemail.html). Try it out: http://sa.hege.li/FreeMail.pm http://sa.hege.li/FreeMail.cf Pretty good hit ratio here, especially when you add some extra

Re: FreeMail plugin

2008-03-24 Thread Justin Mason
Henrik K writes: > On Sat, Mar 22, 2008 at 12:28:34PM +, Justin Mason wrote: > > Henrik K writes: > > > I updated my FreeMail plugin with a big list of domains > > > (http://www.rhyolite.com/anti-spam/freemail.html). > > > > > > Try it ou

Re: FreeMail plugin

2008-03-24 Thread Loren Wilton
You would open a bug on the Bugzilla, and attach a patch; we then apply that patch, and it's updated in the next release of SpamAssassin. Is a CLA needed? Loren

Re: FreeMail plugin

2008-03-25 Thread Justin Mason
Loren Wilton writes: > > You would open a bug on the Bugzilla, and attach a patch; we then apply > > that patch, and it's updated in the next release of SpamAssassin. > > Is a CLA needed? actually, yep, I guess it's big enough to qualify, unfortunately! http://wiki.apache.org/spamassassin/AboutC

FreeMail plugin updated

2009-05-10 Thread Henrik K
Hello, I've revamped fully the old code. Works still the same, but has some new functions. It's also a bit more careful when parsing body (new parser, emails inside <> are ignored, as well ones inside urls etc), so it might even reduce FPs and add hits, who knows. Domains are now separated from

Re: freemail plugin

2008-06-25 Thread Henrik K
On Thu, Jun 26, 2008 at 08:01:32AM +0200, Benny Pedersen wrote: > > can you change it to list reverse, so freemail domains is all other than > what is not freemail domain ? > > this is imho more simple to know where to pay for email than to know with > domains is free :-) I'm not sure if I follo

Re: freemail plugin

2008-06-25 Thread Henrik K
On Thu, Jun 26, 2008 at 09:18:11AM +0300, Henrik K wrote: > On Thu, Jun 26, 2008 at 08:01:32AM +0200, Benny Pedersen wrote: > > > > can you change it to list reverse, so freemail domains is all other than > > what is not freemail domain ? > > > > this is imho more simple to know where to pay for

Re: freemail plugin

2008-06-26 Thread Kelson
Benny Pedersen wrote: can you change it to list reverse, so freemail domains is all other than what is not freemail domain ? this is imho more simple to know where to pay for email than to know with domains is free :-) So... every time someone registers a new domain name for their start-up co

Re: FreeMail Plugin

2008-07-02 Thread McDonald, Dan
On Wed, 2008-07-02 at 10:14 -0400, Dj Helmes wrote: > Where can I find the url to download the FreeMail Plugin? http://sa.hege.li/FreeMail.pm > -- > DJ Helmes -- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com signature.asc Description:

Re: FreeMail Plugin

2008-07-02 Thread Duane Hill
On Wed, 2 Jul 2008, Dj Helmes wrote: Where can I find the url to download the FreeMail Plugin? Right on the plugins wiki page: http://wiki.apache.org/spamassassin/CustomPlugins It's toward the bottom of the page.

Re: FreeMail plugin

2008-08-26 Thread Larry Nedry
On 3/21/08 at 4:59 PM +0200 Henrik K wrote: >Hehe, yeah it should be ok. Let me know if you spot any false FPs with >REPLYTO.. I recently installed the FreeMail 1.10 SA plugin and am getting a ridiculous number of FPs. I haven't installed Regexp::Assemble but that shouldn't make any difference in

Re: FreeMail plugin

2008-08-26 Thread Henrik K
On Tue, Aug 26, 2008 at 11:15:32AM -0500, Larry Nedry wrote: > On 3/21/08 at 4:59 PM +0200 Henrik K wrote: > >Hehe, yeah it should be ok. Let me know if you spot any false FPs with > >REPLYTO.. > > I recently installed the FreeMail 1.10 SA plugin and am getting a > ridiculous number of FPs. I hav

Re: FreeMail plugin

2008-08-26 Thread McDonald, Dan
On Tue, 2008-08-26 at 11:15 -0500, Larry Nedry wrote: > Below are the FreeMail stats from the last 10,000 messages processed > by SA. Are these scores based on hand-sorted spam/ham? Or is %OFHAM because this is the only test that hit? FREEMAIL_FROM is by nature a pretty weak sign. FREEMAIL_REP

Re: FreeMail Plugin

2015-02-17 Thread Kevin A. McGrail
On 2/17/2015 11:42 AM, ricky gutierrez wrote: Hi, I have been updating some dependencies CPAN, but spamassassin shows that warn: spamassassin --lint [18198] warn: Use of uninitialized value $tlds in regexp compilation at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/FreeMail.pm line 121

Re: FreeMail Plugin

2015-02-17 Thread ricky gutierrez
2015-02-17 10:52 GMT-06:00 Kevin A. McGrail : > That variable comes from > $Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE; Hi Kevin, good to hear around here, > > Sounds like you might have some mish-mash of SpamAssassin versions and > plugins. well , update to version spamassas

Re: FreeMail Plugin

2015-02-17 Thread Kevin A. McGrail
On 2/17/2015 12:21 PM, ricky gutierrez wrote: 2015-02-17 10:52 GMT-06:00 Kevin A. McGrail : That variable comes from $Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE; Hi Kevin, good to hear around here, Sounds like you might have some mish-mash of SpamAssassin versions and plugin

Re: FreeMail Plugin

2015-02-17 Thread John Hardin
On Tue, 17 Feb 2015, Kevin A. McGrail wrote: On 2/17/2015 12:21 PM, ricky gutierrez wrote: 2015-02-17 10:52 GMT-06:00 Kevin A. McGrail : > That variable comes from > $Mail::SpamAssassin::Util::RegistrarBoundaries::VALID_TLDS_RE; Hi Kevin, good to hear around here, > Sounds like you might

Re: FreeMail Plugin

2015-02-17 Thread ricky gutierrez
2015-02-17 11:49 GMT-06:00 Kevin A. McGrail : > That sounds like an RPM. Missing RPMs and CPAN may lead to issues. What did > you update from CPAN? What distribution, etc. are you using? CentOS release 6.6 (Final) add a list cpan modules. -- rickygm http://gnuforever.homelinux.com r CPAN:

Re: FreeMail plugin updated

2009-05-10 Thread Ned Slider
Henrik K wrote: Hello, I've revamped fully the old code. Works still the same, but has some new functions. It's also a bit more careful when parsing body (new parser, emails inside <> are ignored, as well ones inside urls etc), so it might even reduce FPs and add hits, who knows. Domains are no

Re: FreeMail plugin updated

2009-05-10 Thread Benny Pedersen
On Sun, May 10, 2009 13:15, Ned Slider wrote: > Or maybe I'm trying to reinvent a wheel someone already has up and > running :-) a bank without SPF or DKIM signing is NOT worth using -- http://localhost/ 100% uptime and 100% mirrored :)

Re: FreeMail plugin updated

2009-05-10 Thread Marc Perkel
Just curious - how did you build that list? Henrik K wrote: Hello, I've revamped fully the old code. Works still the same, but has some new functions. It's also a bit more careful when parsing body (new parser, emails inside <> are ignored, as well ones inside urls etc), so it might even reduce

Re: FreeMail plugin updated

2009-05-11 Thread Henrik K
On Sun, May 10, 2009 at 01:08:29PM +0300, Henrik K wrote: > > Hello, > > I've revamped fully the old code. Works still the same, but has some new > functions. It's also a bit more careful when parsing body (new parser, > emails inside <> are ignored, as well ones inside urls etc), so it might > e

Re: FreeMail plugin updated

2009-05-12 Thread Bill Landry
Hi Henrik, > I've revamped fully the old code. Works still the same, but has some new > functions. It's also a bit more careful when parsing body (new parser, > emails inside <> are ignored, as well ones inside urls etc), so it might > even reduce FPs and add hits, who knows. > > Domains are now

Re: FreeMail plugin updated

2009-05-12 Thread Bill Landry
Bill Landry wrote: > Hi Henrik, > >> I've revamped fully the old code. Works still the same, but has some new >> functions. It's also a bit more careful when parsing body (new parser, >> emails inside <> are ignored, as well ones inside urls etc), so it might >> even reduce FPs and add hits, who k

Re: FreeMail plugin updated

2009-05-13 Thread Henrik K
On Tue, May 12, 2009 at 07:25:26PM -0700, Bill Landry wrote: > Hi Henrik, > > > I've revamped fully the old code. Works still the same, but has some new > > functions. It's also a bit more careful when parsing body (new parser, > > emails inside <> are ignored, as well ones inside urls etc), so it

Re: FreeMail plugin updated

2009-05-13 Thread Bill Landry
Henrik K wrote: >> When I run "spamassassin --lint" no problems are reported. Any thoughts >> on why this is happening only when updating the sought rules? > > It seems sa-update only lints the directory that it downloaded, thus no > freemail_domains cf is ever seen. I've now reduced the warning

Re: FreeMail plugin updated

2009-05-15 Thread Henrik K
On Sun, May 10, 2009 at 01:08:29PM +0300, Henrik K wrote: > > http://sa.hege.li/FreeMail.pm (see inside for some documentation) > http://sa.hege.li/FreeMail.cf (for some examples) I've added suggestion for this: header __freemail_reply eval:check_freemail_replyto('reply') meta FREEMAIL_REPLY (__f

Re: FreeMail plugin updated

2010-09-01 Thread Runbox
Hello, Would you please remove Runbox.com from that list as we have not been a free email provider since 2001. Kim -- View this message in context: http://old.nabble.com/FreeMail-plugin-updated-tp23468766p29599495.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: FreeMail plugin updated

2010-09-02 Thread Mark Martinec
On Thursday September 2 2010 01:52:28 Runbox wrote: > Would you please remove Runbox.com from that list as we have not been a > free email provider since 2001. > Kim Thanks, removed! Should propagate with the next sa-update. Mark

Re: FreeMail plugin updated - banks

2009-05-10 Thread Marc Perkel
Benny Pedersen wrote: On Sun, May 10, 2009 13:15, Ned Slider wrote: Or maybe I'm trying to reinvent a wheel someone already has up and running :-) a bank without SPF or DKIM signing is NOT worth using Yes - but I think what he's saying is that you have to start with a list of

Re: FreeMail plugin updated - banks

2009-05-11 Thread Mike Cardwell
Marc Perkel wrote: Or maybe I'm trying to reinvent a wheel someone already has up and running :-) a bank without SPF or DKIM signing is NOT worth using Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with higher scrutiny. Do

Re: FreeMail plugin updated - banks

2009-05-11 Thread Ned Slider
Mike Cardwell wrote: Marc Perkel wrote: Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with higher scrutiny. Does such a list exist? One of my users was getting a lot of spam pretending to be from banks. I ended up just compi

Re: FreeMail plugin updated - banks

2009-05-11 Thread Mike Cardwell
Ned Slider wrote: Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with higher scrutiny. Does such a list exist? One of my users was getting a lot of spam pretending to be from banks. I ended up just compiling a regular expressi

Re: FreeMail plugin updated - banks

2009-05-11 Thread Ned Slider
Mike Cardwell wrote: Ned Slider wrote: Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with higher scrutiny. Does such a list exist? One of my users was getting a lot of spam pretending to be from banks. I ended up just compili

Re: FreeMail plugin updated - banks

2009-05-11 Thread LuKreme
On 11-May-2009, at 03:11, Ned Slider wrote: My thinking is that combined as a meta with a few simple keywords/ phrases (eg, alert, security, account suspended etc) it might make a very effective rule against bank phish. The only thing that needs to be done to prevent bank phish is to check

Re: FreeMail plugin updated - banks

2009-05-11 Thread mouss
Ned Slider a écrit : > [snip] > I > would really like to see the creation of a tld along the lines of .bank, > and make it like .gov or .edu (ac.uk) where only confirmed banks and > financial institutions can register such domains. my $devil{"advocate"}->mode = $status->enabled; and after banks

Re: FreeMail plugin updated - banks

2009-05-11 Thread jp
> > In the meantime I'm left working on the basis that for the large part, > > banks simply don't send email to my clients so *any* email claiming to > > be from a bank is immediately highly suspicious and could probably be > > scored well on the way to being spam. > > > > I personally use dedica

Re: FreeMail plugin updated - banks

2009-05-11 Thread Marc Perkel
mouss wrote: Is phishing really a problem for banks? I don't think so. You're kidding right?

Re: FreeMail plugin updated - banks

2009-05-11 Thread John Hardin
On Mon, 11 May 2009, Marc Perkel wrote: mouss wrote: Is phishing really a problem for banks? I don't think so. You're kidding right? I think mouss' point is that if banks considered phishing "their problem" they would be pursuing effective technological and policy solutions like proper S

Re: FreeMail plugin updated - banks

2009-05-11 Thread Ned Slider
John Hardin wrote: On Mon, 11 May 2009, Marc Perkel wrote: mouss wrote: Is phishing really a problem for banks? I don't think so. You're kidding right? I think mouss' point is that if banks considered phishing "their problem" they would be pursuing effective technological and policy sol

Re: FreeMail plugin updated - banks

2009-05-11 Thread John Hardin
On Tue, 12 May 2009, Ned Slider wrote: Then you get phish where the From address is a bank domain, and the envelope address is from a completely unrelated domain with a valid spf record so even a simple From_Bank && spf_pass isn't going to work. That might make a useful general rule, though:

Re: FreeMail plugin updated - banks

2009-05-12 Thread neil
Hi; Ned Slider wrote: >My point is it's really not easy to track down such information even when banks do occasionally try to do the right thing. Maybe there is already a >list out there. If not, maybe we should compile one? It's hard work trying to do it by yourself, but done as a group it w

Re: FreeMail plugin updated - banks

2009-05-12 Thread McDonald, Dan
On Mon, 2009-05-11 at 19:36 -0700, John Hardin wrote: > On Tue, 12 May 2009, Ned Slider wrote: > > > Then you get phish where the From address is a bank domain, and the > > envelope address is from a completely unrelated domain with a valid spf > > record so even a simple From_Bank && spf_pass i

Re: FreeMail plugin updated - banks

2009-05-12 Thread LuKreme
On 11-May-2009, at 17:20, Marc Perkel wrote: mouss wrote: Is phishing really a problem for banks? I don't think so. You're kidding right? No, he has a point. The people with the problem are the customers. The bank is at best neutral and at worst couldn't care less. Also, despite the amou

Re: FreeMail plugin updated - banks

2009-05-12 Thread Gene Heskett
On Tuesday 12 May 2009, LuKreme wrote: >On 11-May-2009, at 17:20, Marc Perkel wrote: >> mouss wrote: >>> Is phishing really a problem for banks? I don't think so. >> >> You're kidding right? > >No, he has a point. The people with the problem are the customers. The >bank is at best neutral and at wo

Re: FreeMail plugin updated - banks

2009-05-12 Thread mouss
Marc Perkel a écrit : > > > mouss wrote: >> Is phishing really a problem for banks? I don't think so. > (I'll forgive you for snipping the rest of the paragraph, and thus isolating a single phrase which was part of a context...). > You're kidding right? > No. I never heard of a bank losin

Re: FreeMail plugin updated - banks

2009-05-12 Thread mouss
John Hardin a écrit : > On Tue, 12 May 2009, Ned Slider wrote: > >> Then you get phish where the From address is a bank domain, and the >> envelope address is from a completely unrelated domain with a valid >> spf record so even a simple From_Bank && spf_pass isn't going to work. > > That might m

Re: FreeMail plugin updated - banks

2009-05-12 Thread Ned Slider
Mike Cardwell wrote: Marc Perkel wrote: Or maybe I'm trying to reinvent a wheel someone already has up and running :-) a bank without SPF or DKIM signing is NOT worth using Yes - but I think what he's saying is that you have to start with a list of bank domains, then test those domains with

Re: FreeMail plugin updated - banks

2009-05-12 Thread John Hardin
On Wed, 13 May 2009, Ned Slider wrote: uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w} describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something the fourth might be indicative of a hacked server with a hidden phishing directory. Any comments?

Re: FreeMail plugin updated - banks

2009-05-12 Thread Ned Slider
John Hardin wrote: On Wed, 13 May 2009, Ned Slider wrote: uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w} describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something the fourth might be indicative of a hacked server with a hidden phishing directo

Re: FreeMail plugin updated - banks

2009-05-12 Thread LuKreme
On 12-May-2009, at 18:27, John Hardin wrote: uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? -- No matter how fast light travels it finds the darkness has always go there first, and is waiting for it.

Re: FreeMail plugin updated - banks

2009-05-13 Thread Ned Slider
Ned Slider wrote: uri LOCAL_URI_PHISH_UK3 m{https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk} describe LOCAL_URI_PHISH_UK3 contains obfuscated UK phish link of form example.com/bank.co.uk Ah, this rule hits on unsubscribe links etc, which wasn't what was intended. For example:

Re: FreeMail plugin updated - banks

2009-05-13 Thread neil
Hi; Ned Slider wrote: >First up, from Mike's inspiration above, I came up with these: I took your rule and added some meta rules to it. I'm getting hits on phishes, but I haven't seen any legitimate traffic hit it. This may be that I have not seen any real bank mail or it could be that it misse

Re: FreeMail plugin updated - banks

2009-05-13 Thread Ned Slider
neil wrote: Hi; Ned Slider wrote: >First up, from Mike's inspiration above, I came up with these: I took your rule and added some meta rules to it. I'm getting hits on phishes, but I haven't seen any legitimate traffic hit it. This may be that I have not seen any real bank mail or it could be

Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Stephens
LuKreme wrote: On 12-May-2009, at 18:27, John Hardin wrote: uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? I'd say so - I'm seeing lots of FPs on this, most prominently on mail from mail.elsevier-alerts.com -- --

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, Adam Stephens wrote: LuKreme wrote: On 12-May-2009, at 18:27, John Hardin wrote: > uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? I'd say so - I'm seeing lots of FPs on this, most prominently on mail from mail.elsevier-

Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider
Adam Stephens wrote: LuKreme wrote: On 12-May-2009, at 18:27, John Hardin wrote: uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? I'd say so - I'm seeing lots of FPs on this, most prominently on mail from mail.elsevier-alerts.com I believ

Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider
John Hardin wrote: On Fri, 15 May 2009, Adam Stephens wrote: LuKreme wrote: On 12-May-2009, at 18:27, John Hardin wrote: > uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? I'd say so - I'm seeing lots of FPs on this, most prominently on mail

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, Ned Slider wrote: Adam Stephens wrote: LuKreme wrote: > On 12-May-2009, at 18:27, John Hardin wrote: > > uri URI_HIDDEN /\/\../ > > > Ah, that's very very nice. > > Scoring it at 3.0, too aggressive? > I'd say so - I'm seeing lots of FPs on this, most pro

Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider
John Hardin wrote: On Fri, 15 May 2009, Ned Slider wrote: Adam Stephens wrote: LuKreme wrote: > On 12-May-2009, at 18:27, John Hardin wrote: > > uri URI_HIDDEN /\/\../ > > > Ah, that's very very nice. > > Scoring it at 3.0, too aggressive? > I'd say so - I'm seeing lots of FPs o

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, Ned Slider wrote: John Hardin wrote: On Fri, 15 May 2009, Adam Stephens wrote: > > I'm seeing lots of FPs on this, most prominently on mail > from mail.elsevier-alerts.com Really? Sites are sending out legitimate URLs pointing to hidden directories? Could you pos

Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Katz
John Hardin wrote: >> http://pastebin.com/m1268fbe6 > > Thanks. Here's the problematic URI: > >http://../cd.asp?i=572550545&UserID=4DFEDDHIIBCFBH55 > > in the unsubscribe link. Which was actually: > =2E/cd=2Easp?i=3D572550545=26UserID=3D4DFEDDHIIBCFBH55=22> And thus: > This is *very*

Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider
Adam Katz wrote: John Hardin wrote: http://pastebin.com/m1268fbe6 Thanks. Here's the problematic URI: http://../cd.asp?i=572550545&UserID=4DFEDDHIIBCFBH55 in the unsubscribe link. Which was actually: =2E/cd=2Easp?i=3D572550545=26UserID=3D4DFEDDHIIBCFBH55=22> And thus: This is *ve

Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Katz
> Adam Katz wrote: >> Relative URIs are only safe when prefacing the URI. Requiring the >> protocol beforehand should do the trick. Since "http://" is the >> implied protocol and is 8 chars, we get this: >> >> uri URI_HIDDEN /.{8}\/\../ Ned Slider wrote: > Yep - that works great for me and I un

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, Adam Katz wrote: Adam Katz wrote: Relative URIs are only safe when prefacing the URI. Requiring the protocol beforehand should do the trick. Since "http://" is the implied protocol and is 8 chars, we get this: uri URI_HIDDEN /.{8}\/\../ Ned Slider wrote: Yep - that w

Re: FreeMail plugin updated - banks

2009-05-15 Thread Ned Slider
Adam Katz wrote: Adam Katz wrote: Relative URIs are only safe when prefacing the URI. Requiring the protocol beforehand should do the trick. Since "http://" is the implied protocol and is 8 chars, we get this: uri URI_HIDDEN /.{8}\/\../ Ned Slider wrote: Yep - that works great for me and

Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Katz
John Hardin wrote: > What about an explicit "https://.." URI? I have no problem marking that as spam (you're thinking too hard). >> I should also have noted that while this works around the SA bug, it >> also ignores hidden dirs and files appearing early in relative paths, >> like > > That hre

Re: FreeMail plugin updated - banks

2009-05-15 Thread LuKreme
On May 15, 2009, at 5:44, Adam Stephens wrote: LuKreme wrote: On 12-May-2009, at 18:27, John Hardin wrote: uri URI_HIDDEN /\/\../ Ah, that's very very nice. Scoring it at 3.0, too aggressive? I'd say so - I'm seeing lots of FPs on this, most prominently on mail from mail.el

Re: FreeMail plugin updated - banks

2009-05-15 Thread LuKreme
On 15-May-2009, at 12:46, Adam Katz wrote: uri URI_HIDDEN /.{7}\/\../ That won't catch http://www.spammer.example.com/.../hidden-malware.asf, it will only catch the relative url form "../path/to/content" which SA improperly prefaces with "http://" uri URI_HIDDEN /.{8}\/\../ Will catch

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, LuKreme wrote: On 15-May-2009, at 12:46, Adam Katz wrote: uri URI_HIDDEN /.{7}\/\../ That won't catch http://www.spammer.example.com/.../hidden-malware.asf, How so? That rule matches "ple.com/.." in that URI. -- John Hardin KA7OHZ http://www.impsec.

Re: FreeMail plugin updated - banks

2009-05-15 Thread LuKreme
On 15-May-2009, at 14:35, LuKreme wrote: On 15-May-2009, at 12:46, Adam Katz wrote: uri URI_HIDDEN /.{7}\/\../ That won't catch http://www.spammer.example.com/.../hidden-malware.asf, it will only catch the relative url form "../path/to/content" which SA improperly prefaces with "http://"

Re: FreeMail plugin updated - banks

2009-05-15 Thread John Hardin
On Fri, 15 May 2009, LuKreme wrote: Of course, if SA didn't preface URIs with http:// on its own, this wouldn't be an issue. However, I am not willing to call that a bug as I suspect there is a very good reason for it. It's a bug in the specific case of a URI like "../whatever", as it doesn't

Re: FreeMail plugin updated - banks

2009-05-15 Thread Adam Katz
>> On 15-May-2009, at 12:46, Adam Katz wrote: >>> uri URI_HIDDEN /.{7}\/\../ LuKreme wrote: >> That won't catch >> http://www.spammer.example.com/.../hidden-malware.asf, it will only >> catch the relative url form "../path/to/content" which SA improperly >> prefaces with "http://" >> >> uri URI_H

Suggestion for Freemail Plugin Enhancements

2008-07-14 Thread Marc Perkel
May I suggest that the test for reply_to and email addresses in the body of the email be separate routines and separate rules and separate scores. Also perhaps there should be a rule to see if the from is freemail but no freemail in received headers. For example, from is yahoo.com but no yahoo h

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider
Adam Katz wrote: On 15-May-2009, at 12:46, Adam Katz wrote: uri URI_HIDDEN /.{7}\/\../ LuKreme wrote: That won't catch http://www.spammer.example.com/.../hidden-malware.asf, it will only catch the relative url form "../path/to/content" which SA improperly prefaces with "http://" uri URI_HID

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin
On Mon, 8 Mar 2010, Ned Slider wrote: Adam Katz wrote: > > On 15-May-2009, at 12:46, Adam Katz wrote: > > > uri URI_HIDDEN /.{7}\/\../ LuKreme wrote: > > That won't catch > > http://www.spammer.example.com/.../hidden-malware.asf, it will only > > catch the relative url form "../path/to/c

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider
John Hardin wrote: On Mon, 8 Mar 2010, Ned Slider wrote: So I've refined the rule to specifically exclude hitting on the sequence ../. which stops the rule triggering on multiple relative paths. uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../ How about: uri LOC

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin
On Mon, 8 Mar 2010, Ned Slider wrote: John Hardin wrote: On Mon, 8 Mar 2010, Ned Slider wrote: > > So I've refined the rule to specifically exclude hitting on the sequence > ../. which stops the rule triggering on multiple relative paths. > > uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../