Tristan Miller wrote:
Greetings.
In article [EMAIL PROTECTED], Theo Van Dinter wrote:
FWIW: While this type of thing may sound like a good idea, it also
opens you to a remote abuse of resources. If I'm a spammer and I
want to annoy people, I'd start sending all of my mails with fake
Bowie Bailey writes:
I think the real question is: Is there a benefit to doing this?
You are creating a rule with a negative score. Negative scoring rules
are for the purpose of preventing false positives. Are you having a
problem with signed emails being marked as spam? If not, this
On Donnerstag, 6. April 2006 19:34 Bowie Bailey wrote:
I think the real question is: Is there a benefit to doing this?
I had an idea of a *really big* benefit:
If SA checks the sig, and inserts into the header whether it's valid or
not, even clients *without* any GPG installation can have a
Michael Monnerie wrote:
On Donnerstag, 6. April 2006 19:34 Bowie Bailey wrote:
I think the real question is: Is there a benefit to doing this?
I had an idea of a *really big* benefit:
If SA checks the sig, and inserts into the header whether it's valid
or not, even clients *without* any
On Donnerstag, 6. April 2006 23:11 Bowie Bailey wrote:
And if a spammer decides to spoof that header? The client has no way
to distinguish between headers added before or after it came to your
server.
If SA runs it of course has to remove old such headers preexisting,
and insert it's own
On Thu, Apr 06, 2006 at 11:20:24PM +0200, Michael Monnerie wrote:
Not exactly on SPAM detection rate, but on GPG/sig acceptance. If SA
could validate such sigs, there's a big benefit for *every* recipient,
'cause if somebody forges e-mails with wrong sigs, it's marked as SPAM
and sorted
On Donnerstag, 6. April 2006 23:37 Theo Van Dinter wrote:
It's worth noting that I've seen signed mails get regularly mangled
when going through mailing lists,
That happens when the list filters certain types of content-type and
such sections. It's up to the list admin to fix that.
which is
mouss wrote:
David Gibbs wrote:
Folks:
[...]
My particular example ...
I want to create a rule that will assign a specific score if the subject
contains the word 'euromillion', but have a lower score if the subject
contains 'million'.
Obviously if I put two separate rules with the
Title: RE: rule for spam with geocities link, multiline expression
-Original Message-
From: Maarten de Boer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 23, 2006 5:06 AM
To: users@spamassassin.apache.org
Subject: rule for spam with geocities link, multiline _expression_
I am receiving, already several weeks, a lot of spam in the following
form:
-
\w+,
http://\w\w.geocities.com/\w+\d+
\w+ \w+
-
For example:
-
Beth,
http://au.geocities.com/ethylic40187
Rocco Maldonado
-
Is it possible to write a rule to detect
Basically, just for some testing, when spam assassin marks a message as
spam I want it to provide me with the different rules that were
processed in that mail and what scores they contributed to the total
score - appended into the marked message.
spamassassin -t message.txt
Loren
Larry Starr a écrit :
Lately I have seen a number of SPAM messages with a sender in the form of:
@somedomain.whatever
sender envelope or From header? Can you send me a copy?
for example: @ipyub.com
I'm not sure if this is intentional or simply broken ratware.
I guess it is broken.
On Sat, Jan 21, 2006 at 02:17:50PM -0600, Rob Poe wrote:
I need a custom rule that looks for
X-Status: F
In the header, and adds a value to the score. (i.e. 2.5)
If anyone has some direction .. :)
header X_STATUS_F X-Status =~ /^F$/
score X_STATUS_F 2.5
--
Randomly Generated
On Wed, Dec 07, 2005 at 01:43:59PM -0700, Chris Stone wrote:
Works great here (watch wrapping):
header __SUBJ_NEWS Subject =~ /(^news$)|(^[a-z]+ news$)|(^news
alert$)|(^press release$)|(^news report$)|(^winner$)|(^plea?s[ae]nt news$)/i
meta SENET_BRK_NEWS_GIF
On Wednesday 07 December 2005 06:33 am, Matthew Daubenspeck wrote:
Recently I have been receiving a TON of Stock Spam lately. For the most
part, the subject is news related (news, updated news, breaking news,
etc) and the message itself is empty except for a .GIF file with Stock
information on
SARE_BMLSARE_SPOOFSARE_BAYES_POISON_NXMSARE_OEMSARE_RANDOMSARE_HEADER_ABUSESARE_SPECIFICSARE_CODING_HTMLSARE_GENLSUBJSARE_UNSUBSARE_URI0SARE_REDIRECT_POST300SARE_SPAMCOP_TOP200SARE_OBFU
-Original Message-From: Loren Wilton
[mailto:[EMAIL PROTECTED] Sent: Monday, November 21, 2005 4:55
PMTo: users@spamassassin.apache.orgSubject: Re
It would appear that you are hopelessly stuck, then. Trusted hosts has
become a very important part of SA's activities.
{^_^}
- Original Message -
From: Casey King [EMAIL PROTECTED]
I do understand that the trusted hosts needs to be fixed, but not being
fully in control, I am not
Title: Message
First, fix your trusted hosts. You shoudln't be trusting a DSL line
on some other system.
Second, you don't mention what version of SA you are using, nor what rules
files you are using. It looks like you don't have antidrug rules, which
would imply 2.6x. In any case some of
this?
-Original Message-
From: Jean-Paul Natola [mailto:[EMAIL PROTECTED]
Sent: Monday, November 14, 2005 2:50 PM
To: Gene Heskett; users@spamassassin.apache.org
Subject: RE: Rule for this ??-LINT
On Monday 14 November 2005 11:22, Casey King wrote:
Okay,
I have the rule in my local.cf as
body
Jean-Paul Natola wrote:
Hi all, I *believe* I have applied the following rule correctly,
To verify I ran the --lint , it all checked out ok BUT its giving
some errors with respect to the whitelisted entries I have in the
local.cf that resides in the SA directory
I know my whitelist
This one works like magic .. Also on the new variant which seems to have been
released this weekend.
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^[EMAIL PROTECTED]/
meta L_DRUGS1 L_DRUGS11 L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in
to '1' or '11'???
thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 14, 2005 3:01 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Rule for this ??
This one works like magic .. Also on the new variant which seems
Casey King wrote:
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^[EMAIL PROTECTED]/
meta L_DRUGS1 L_DRUGS11 L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.
This rule goes in the local.cf file right? I added this rule, and
; SpamAssassin Users
Subject: RE: Rule for this ??
Casey King wrote:
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^[EMAIL PROTECTED]/
meta L_DRUGS1 L_DRUGS11 L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.
This rule goes
-Original Message-
From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: Monday, November 14, 2005 9:19 AM
To: Casey King; SpamAssassin Users
Subject: RE: Rule for this ??
Casey King wrote:
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^[EMAIL PROTECTED]/
meta L_DRUGS1 L_DRUGS11
-Original Message-
From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: Monday, November 14, 2005 9:19 AM
To: Casey King; SpamAssassin Users
Subject: RE: Rule for this ??
Casey King wrote:
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^[EMAIL PROTECTED]/
meta L_DRUGS1 L_DRUGS11
Jean-Paul Natola wrote:
Here’s an intelligent html coder
I viewed the source of the code because I was curious as to how these
words flew right through my SA ,
You will note that if turned into plain text , he used a bunch of
tables and cells to produce the following;
Try this
On Sonntag, 30. Oktober 2005 20:20 Daniel Watts wrote:
I'm not The God Of Regex, but maybe that helps:
body SOFTWARE_SPAM_BODY2 /(\$\d{1,3}\.\d{0,2}){10,}/s
#matches $xx.xx at least 10 times
If you have $133, your rule doesn't fit, as you forgot the .. Try
body SOFTWARE_SPAM_BODY2
M.Lewis a écrit :
I've written a rule that *should* be catching a fair amount of spam.
I've ran spamassassin --lint and it shows no errors. I purposefully
created an error in this set of rules and did spamassassin --lint
again and it shows the error. So I know my set of rules is being
Thomas Deliduka wrote:
I have been dealing with a spammer that seems to defy every option to
limit him. So, I decided to create a final rule that should kill him.
I noticed that the subject in the text file always looks like
=3D?iso-8859-1?blah blha blah
It may or may not have 3D
From: Kris Deugau [EMAIL PROTECTED]
Thomas Deliduka wrote:
I have been dealing with a spammer that seems to defy every option to
limit him. So, I decided to create a final rule that should kill him.
I noticed that the subject in the text file always looks like
=3D?iso-8859-1?blah blha blah
Perhaps someone on the list can give me a suggestion then. Here is 5 e-mails
and how the subject line is done. (different every time) perhaps a pattern
can be found that I haven't found?
Subject: =?iso-8859-1?Q?G=D4od_pro_CI=C2IS_VI=E1GRRA?=
Subject: =?iso-8859-1?Q?Go=F6d_offr_C=EFAIS_VI=E3GRRA?=
How about 70_sare_header.cf and 99_OBFU_drugs.cf? Slap it down GOOD.
{^_-}
- Original Message -
From: Thomas Deliduka [EMAIL PROTECTED]
Perhaps someone on the list can give me a suggestion then. Here is 5
e-mails
and how the subject line is done. (different every time) perhaps a
In fact, if the header is correctly writtren
(the relevant part is =?ISO-8859-something?B?text?= or
=?IOS-8859-something?Q?text?= for
base64 or quoted printable, and the something can range from 1 to 15), it would
be a sure
indication of a european sender.
The b and q can be lowercase, and
--On Saturday, August 06, 2005 4:18 PM -0700 jdow [EMAIL PROTECTED]
wrote:
By that I meant that telnet localhost pop3 followed by an retr 1
(once logged in) showed the spaces normalized to exactly one in all cases.
That's interesting... I just went checking my uncaught spam folder for
jdow wrote:
2.2. Header Fields
Header fields are lines composed of a field name, followed by a
colon (:), followed by a field body, and terminated by CRLF.
A field name MUST be composed of printable US-ASCII characters
(i.e., characters that have values between 33 and 126,
Hi Ralph,
now if most software is sending a message with 0 or 1 whitespace after the
colon,
it might be an idea to consider 2 or more whitespaces there as an indicator of
an unusual
mail program.
Now if it could be confirmed that certain often used mailers always trim the
subject
specified by
From: Ralph Seichter [EMAIL PROTECTED]
jdow wrote:
2.2. Header Fields
Header fields are lines composed of a field name, followed by a
colon (:), followed by a field body, and terminated by CRLF.
A field name MUST be composed of printable US-ASCII characters
(i.e., characters
So this should tell something. I'm not sure what.
{^_-}
- Original Message -
From: [EMAIL PROTECTED]
Hi Ralph,
now if most software is sending a message with 0 or 1 whitespace after the
colon,
it might be an idea to consider 2 or more whitespaces there as an
indicator of an unusual
Tells me that dovecot normalizes headers to include exactly one space.
(I did a little more testing with zero spaces squeezed through procmail
to my mail folder. It came through that just fine. But it lost the
customized spacing in dovecot.)
{^_^}
- Original Message -
From: jdow [EMAIL
From: Kenneth Porter [EMAIL PROTECTED]
--On Saturday, August 06, 2005 3:23 AM -0700 jdow [EMAIL PROTECTED]
wrote:
Tells me that dovecot normalizes headers to include exactly one space.
(I did a little more testing with zero spaces squeezed through procmail
to my mail folder. It came
On Fri, Aug 05, 2005 at 03:09:50PM -0400, Matthew Yette wrote:
Does anyone know how I would create a rule that detected any subject
lines that start with a whitespace? For example:
Subject: This would be tagged as spam
By convention, all subjects start with whitespace.
Subject: Re: Rule
)
315-356-0597 (f)
AIM/Yahoo: MAPolceNOC
MSN: [EMAIL PROTECTED]
-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:24 PM
To: users@spamassassin.apache.org
Subject: Re: Rule for subjects that start with a whitespace
On Fri, Aug 05, 2005
Matthew Yette wrote:
When I wrote quotes, it was just to imply the actual subject. I'm
looking to detect messages that have a space before the first letter
of the subject.
If I recall the appropriate RFC correctly, you're looking for something
that - by definition - doesn't exist. Whitespace
Kris Deugau wrote:
If I recall the appropriate RFC correctly, you're looking for
something that - by definition - doesn't exist. Whitespace is
whitespace, so the content of a header begins with the first
non-whitespace character after the colon.
I checked
would create a rule that detected any subject
lines that start with a whitespace? For example:
Subject: This would be tagged as spam
By convention, all subjects start with whitespace.
Subject: Re: Rule for ... starts with a space, for example.
In your example, the subject starts with a double
From: Ralph Seichter [EMAIL PROTECTED]
Kris Deugau wrote:
If I recall the appropriate RFC correctly, you're looking for
something that - by definition - doesn't exist. Whitespace is
whitespace, so the content of a header begins with the first
non-whitespace character after the
jdow wrote:
If I understand you then you are looking at a subject line that looks
like this in the raw mail file.
Subject: This would be tagged as spam
This would render in email programs as a subject including the quotes:
This would be tagged as spam
The normal subject header begins
From: Matt Kettler [EMAIL PROTECTED]
jdow wrote:
If I understand you then you are looking at a subject line that looks
like this in the raw mail file.
Subject: This would be tagged as spam
This would render in email programs as a subject including the quotes:
This would be tagged as
From: Kris Deugau [EMAIL PROTECTED]
Ralph Seichter wrote:
I checked http://www.faqs.org/rfcs/rfc2822.html for this:
2.2. Header Fields
Header fields are lines composed of a field name, followed by a
colon (:), followed by a field body, and terminated by CRLF.
A field name
That said, the rule I think you're looking for might look something
like:
header SUBJ_SPACE_START Subject:raw =~ /^\s+/
But I don't think that will ever trigger.
I was just looking at a bunch of stock market spams last night. One of the
most notable characteristics of them was that
--On Friday, August 05, 2005 6:03 PM -0700 Loren Wilton
[EMAIL PROTECTED] wrote:
I think a lot of mail/news programs assume that the subject body starts
immediately after Subject: , unless the character immediately after the
colon isn't a space, in which case the subject starts there.
From: Kenneth Porter [EMAIL PROTECTED]
--On Friday, August 05, 2005 6:03 PM -0700 Loren Wilton
[EMAIL PROTECTED] wrote:
I think a lot of mail/news programs assume that the subject body starts
immediately after Subject: , unless the character immediately after
the
colon isn't a space, in
Matt Kettler wrote:
1) \b is NOT a substitute for spaces. It's zero-width. For things other
than the
beginning/ending of a rule, use \s unless you REALLY understand the difference.
i.e. you should know why /hello\bWorld/ will never match anything.
In this case /\\bT/ would match both T
On Jul 14, 2005, at 6:05 PM, Robert Menschel wrote:header FROM_STARTS_WITH_NUMS From:addr =~ /^\d{6,}\S+\@/i The email address used in the From header begins with 6 (or more) digits. it's not hitting on 360SkinCare.com, but on the user part of the email address (doesn't even look at the domain
wrote on Fri, 15 Jul 2005 09:52:26 -0700:
Not 6 digits, but maybe the degree symbol is contributing. I'll
advise not to start the username with 360°.
That degree sign isn't allowed unescaped in there anyway.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet
If that username starts with six digits, it hits that rule, as shown
in Loren's example.
Ah, here is the From header:
From: 360° Skin Care [EMAIL PROTECTED]
Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
to
start the username with 360°.
No, you misunderstood
On Jul 15, 2005, at 3:19 PM, Loren Wilton wrote:If that username starts with six digits, it hits that rule, as shown in Loren's example. Ah, here is the From header: From: 360° Skin Care [EMAIL PROTECTED] Not 6 digits, but maybe the degree symbol is contributing. I'll advise notto start the
Been using SA for quite a while and agree it's working great.
Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
name a domain?
Is this related to the suspicious hostname flags? Or is that
related to the use of webmail? If the former, then they're getting
dinged at
Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
name a domain?
From the rule name (without looking) I'd say it refers to the from address.
From: [EMAIL PROTECTED] It may be that it refers to the
hostname itself starting with numbers, but that seems a little unlikely.
On Jul 14, 2005, at 4:14 AM, Loren Wilton wrote:Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29 - Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul 2005 21:00:29 - Are you really located in England? So far as I know PacBell doesn't serve that area. I
On Thursday 14 July 2005 16:50, [EMAIL PROTECTED] typed:
On Jul 14, 2005, at 4:14 AM, Loren Wilton wrote:
Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29
-
Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul
2005 21:00:29 -
Are you really
On Jul 14, 2005, at 8:55 AM, Duncan Hill wrote:On Thursday 14 July 2005 16:50, [EMAIL PROTECTED] typed: On Jul 14, 2005, at 4:14 AM, Loren Wilton wrote: Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29 - Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul 2005
...
Been using SA for quite a while and agree it's working great.
Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
name a domain?
Is this related to the suspicious hostname flags? Or is that
related to the use of webmail? If the former, then they're getting
dinged at
Michael W Cocke wrote:
Does anyone have a rule to chech the envelope To: against the header
to: ? I'm sure that there's a reason why it's allowed to be different,
but it doesn't apply here, and almost half of the spam that gets thru
everything else would get stopped by that.
No. It's
Does anyone have a rule to chech the envelope To: against the header
to: ? I'm sure that there's a reason why it's allowed to be
different, but it doesn't apply here, and almost half of the
spam that gets thru everything else would get stopped by that.
[First I am new here and so may know
John Rudd wrote:
Forgive me if the newer versions of SA have this built in (I know
there's something about defining your local IP addresses), but I had a
user ask me today if I could set up our system to flag messages which
have only been circulated around our campus.
If your
you'll need to escape the *
so
body VIRUS_SOBER5 /\*\*\* Attachment-Scanner: Status OK/I
HTH
Richard
From: Robert Swan [mailto:[EMAIL PROTECTED]
Sent: 12 May 2005 14:00
To: spamassassin-users@incubator.apache.org
On Thu, 12 May 2005 09:00:10 -0400
Robert Swan [EMAIL PROTECTED] wrote:
I am having trouble with a custom rule and wondered if anyone know why
this didn't work. I have pasted an error from sa-learn and also the
rule below.
body VIRUS_SOBER5 /*** Attachment-Scanner: Status OK/i
hi Robert,
In an older episode (Thursday 12 May 2005 15:00), Robert Swan wrote:
I am having trouble with a custom rule and wondered if anyone know why
this didn't work. I have pasted an error from sa-learn and also the rule
below. I am running Redhat 9 and Spamassassin 3.0.3
Thanks all
Robert
Peace he would say instead of goodbyepeace
my brother.
From: Robert Swan
Sent: Thursday, May 12, 2005 9:00
AM
To:
spamassassin-users@incubator.apache.org
Subject: rule edit
I am having trouble with a custom rule and wondered if
Hello, Mike.
Do you limit the maximum size of messages to be scanned?
For reduce receiving of 100% spam messages use the Exim sender
verification; then if you are
use exiscan and it can, do reject messages from zombie computers with
bogus HELO, like HELO 123.123.123.123 or HELO
On Mon, 2005-04-25 at 11:58 +0100, Mike Grice wrote:
Hi there,
I'm running SA 3.0.2 via spamc/spamd on an Exim mail server, but I'm
finding I quickly run out of memory and the machine collapses into a
burning heap as soon as it touches swap.
Is there a rule of thumb of how many SA
From: Mike Grice [EMAIL PROTECTED]
On Mon, 2005-04-25 at 11:58 +0100, Mike Grice wrote:
Hi there,
I'm running SA 3.0.2 via spamc/spamd on an Exim mail server, but I'm
finding I quickly run out of memory and the machine collapses into a
burning heap as soon as it touches swap.
Is
Indeed, coincidence. Grab the SARE rulesets that deal
with OEM stuff and Mortgage stuff.
Loren
- Original Message -
From:
Daniel Kaliel
To: users@spamassassin.apache.org
Sent: Friday, April 15, 2005 8:08
AM
Subject: Rule Set
There are two
forms of spam
Ron,
On Thu, Apr 07, 2005 at 10:23:24AM +0100, Ron McKeating wrote:
Thanks to all of you who replied about the job offer spams. Could
anybody point at the best site for the latest rulesets and an
explanation of what each one does.
The main site for rules is generally
On Thu, 2005-04-07 at 10:53 +0100, Matthew Newton wrote:
Ron,
On Thu, Apr 07, 2005 at 10:23:24AM +0100, Ron McKeating wrote:
Thanks to all of you who replied about the job offer spams. Could
anybody point at the best site for the latest rulesets and an
explanation of what each one does.
On Thu, Apr 07, 2005 at 11:00:52AM +0100, Ron McKeating wrote:
On Thu, 2005-04-07 at 10:53 +0100, Matthew Newton wrote:
Ron,
On Thu, Apr 07, 2005 at 10:23:24AM +0100, Ron McKeating wrote:
Thanks to all of you who replied about the job offer spams. Could
anybody point at the best site
Thanks to all the replied, we have rules_du_jour and I am
now getting
an idea of how it works. I suppose the obvious question is
has anybody
written a good howto on writing your own rules. And if so
where is it?
You probably also want to learn more about regular expressions too.
Thanks to all the replied, we have rules_du_jour and I am now
getting an
idea of how it works. I suppose the obvious question is has anybody
written a good howto on writing your own rules. And if so where is it?
Ron
see this page:
http://www.rulesemporium.com/links.htm
I need to add more.
On Thu, 2005-04-07 at 12:27 +0100, Gray, Richard wrote:
Thanks to all the replied, we have rules_du_jour and I am
now getting
an idea of how it works. I suppose the obvious question is
has anybody
written a good howto on writing your own rules. And if so
where is it?
You
From: Ron McKeating [mailto:[EMAIL PROTECTED]
On Thu, 2005-04-07 at 12:27 +0100, Gray, Richard wrote:
Thanks to all the replied, we have rules_du_jour and I am now
getting an idea of how it works. I suppose the obvious question is
has anybody written a good howto on writing your own
-Original Message-
From: Bowie Bailey [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 10:44 AM
Cc: users@spamassassin.apache.org
Subject: RE: Rule-sets
From: Ron McKeating [mailto:[EMAIL PROTECTED]
On Thu, 2005-04-07 at 12:27 +0100, Gray, Richard wrote:
Thanks to all
On Thu, 7 Apr 2005 12:27:58 +0100, Gray, Richard wrote
You probably also want to learn more about regular expressions too.
There
Was a lot of stuff that I didn't know before I started doing this.
In particular, useful things like back chaining and forward referencing
are useful to
Sure, but it's probably prone to FP's... use at your own risk.
body PT_01/[a-z][01\|][a-z]/
This also catches the vertical bar which is used as a substitute for lowercase
'l'. I use it as part of a META rule; by itself I would give it a very low
score.
Pierre Thomson
BIC
Hello Rocky,
Wednesday, March 30, 2005, 7:34:05 PM, you wrote:
RO Before i pull my hair out doing bench/resource test, i was wondering if
RO anyone out there knew if there was much of a speed/resource usage
RO difference between the following way of writing the same rule.
RO Method A:
RO body
Rocky Olsen wrote:
Before i pull my hair out doing bench/resource test, i was wondering if
anyone out there knew if there was much of a speed/resource usage
difference between the following way of writing the same rule.
Method A:
body rule_a /(?:feh|meh|bleh)/i
vs.
Method B:
bod
Thanks
On Thu, Mar 31, 2005 at 05:16:25PM -0500, Matt Kettler wrote:
Rocky Olsen wrote:
Before i pull my hair out doing bench/resource test, i was wondering if
anyone out there knew if there was much of a speed/resource usage
difference between the following way of writing the same rule.
Ok. What totally minless dumb thing did I do that I just can't see?
How are you running SA? Did you restart spamd? In many setups SA is
persistant, and needs to be explicitly reloaded in some way or other to
reload the modified rules.
Did you run spamassassin --lint from the console on your
At 08:03 PM 3/16/2005, Vicki Brown wrote:
Ok. What totally minless dumb thing did I do that I just can't see?
This rule is in my /etc/mail/spamassassin/local.cf
body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i
score CF_BAD_URL4 10.0
describe CF_BAD_URL4 .net Junk site
I received a piece of
At 17:57 -0800 03/16/2005, Loren Wilton wrote:
Ok. What totally minless dumb thing did I do that I just can't see?
How are you running SA?
spamd -d -c
at system startup
then, from procmailrc, I push each message through
| /usr/local/bin/spamc -s 256000 -t 60
Did you restart spamd?
Vicki Brown wrote:
At 17:57 -0800 03/16/2005, Loren Wilton wrote:
Ok. What totally minless dumb thing did I do that I just can't see?
How are you running SA?
spamd -d -c
at system startup
then, from procmailrc, I push each message through
| /usr/local/bin/spamc -s 256000 -t 60
Did you
gh6.net-munged, don't the SURBLs have this one yet? Another from
the taiwanmedialtd.com-munged group (two new domains a day - time for
Spamhaus to take notice; Also they seem to hace given up on the Turkish
address as on last week).
Paul Shupak
[EMAIL PROTECTED]
Hi!
gh6.net-munged, don't the SURBLs have this one yet? Another from
the taiwanmedialtd.com-munged group (two new domains a day - time for
Spamhaus to take notice; Also they seem to hace given up on the Turkish
address as on last week).
gh6 .net is listed in about every SURBL list. If
Loren,
While true for vdrugz.net-munged, gh6.net-munged does not always
use a www. prefix. Also, now gh6.net-munged is caught by the SBL, 4 SURBLs,
and completewhois (if you use it). I get 14.6 points for just the bare
domain name. vdrugz.net-munged is caught by the SBL and 4
At 20:15 -0800 03/06/2005, Vicki Brown wrote:
I can create a user rule for mail not addressed (To or Cc) to me
header CF_NOT_FOR_METoCc !~ /[EMAIL PROTECTED]/
score CF_NOT_FOR_ME 4.0
describe CF_NOT_FOR_ME Neither To nor Cc me
However, the
Hello Matthew,
Thursday, March 10, 2005, 6:19:48 AM, you wrote:
MN I've put together the following rule to try and catch the
MN read-downwards type spam shown below. Could someone with a decent
MN size corpus check it for me please? :-) (or if you see any obvious
MN errors or improvements; it
From [EMAIL PROTECTED] Thu Mar 10 06:20:20 2005
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
list-help: mailto:[EMAIL PROTECTED]
list-unsubscribe: mailto:[EMAIL PROTECTED]
List-Post: mailto:users@spamassassin.apache.org
List-Id: users.spamassassin.apache.org
Delivered-To:
Following discussions on this list about obfuscating words to avoid spam
detection, and not being a ninja, I'd like some feedback about the
possible efficacy or pitfalls on rules like the following.
[snip]
In general, there are three main ways of dealing with these obfuscations:
1.
SNIP
subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i
subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i
subject =~ /\b(?!dripping)d[ripn]{6}g\b/i
subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i
You can't use rules like this. The pattern can matches your first
801 - 900 of 928 matches
Mail list logo
