Re: Validating XML email

2008-10-24 Thread Kenneth Porter
I found that "tidy -eq" gives a pretty good result. To normalize the score, I figure it makes sense to divide the resulting line count by the byte count of the input file. I ran some MS Outlook output through and the most frequent complaint was the unknown tag , but there was also a nesting is

Re: SURBL Usage Policy change

2008-11-12 Thread Kenneth Porter
On Wednesday, November 12, 2008 1:28 PM +0100 Matthias Leisi <[EMAIL PROTECTED]> wrote: Number of users or number of messages is a good approximation of the number of actual DNS queries, and sufficiently simple to determine. At dnswl.org, we consider any source (being losely defined as a /24 d

Re: Detecting Porn photos

2008-12-02 Thread Kenneth Porter
--On Thursday, November 27, 2008 10:44 PM -0600 Luis Daniel Lucio Quiroz <[EMAIL PROTECTED]> wrote: I wonder if there is any module for SA to detect pornographic photos, not only OCR. How about setting up a system like the captcha-breakers, but in reverse? Instead of giving access to porn b

Re: Live.space and Sourceforge

2008-12-08 Thread Kenneth Porter
--On Sunday, December 07, 2008 7:45 AM -0500 Michael Scheidell <[EMAIL PROTECTED]> wrote: Thanks for the uri rule. It is tighter then the one I cobbled together. I'm successfully using an even tighter one posted by Daryl C. W. O'Shea on October 18, with a minor adjustment:

Humor

2009-01-16 Thread Kenneth Porter
Slashdot is running a story about a virus getting loose in the British Navy. I was amused by this comment:

Re: Make a rule to block fake url to pdf files...

2009-01-21 Thread Kenneth Porter
--On Wednesday, January 21, 2009 8:58 AM -0200 Rejaine Monteiro wrote: The email tries to deceive usesr How do you *know* that the email is trying to deceive the user? Legitimate email might have the same pattern of one name in the link and another in the visible text. There's nothing in t

Re: html experts: empty

2009-01-29 Thread Kenneth Porter
--On Thursday, January 29, 2009 8:34 AM -0800 John Hardin wrote: For a long time I have had local rules that score on empty STYLE, FONT, STRONG, SPAN and A tags, and strings of adjacent FONT tags. Unfortunately they hit often enough on legitimate mail sent by braindead MUAs (or, more precisel

Re: html experts: empty

2009-01-30 Thread Kenneth Porter
--On Friday, January 30, 2009 4:41 PM +0100 Matus UHLAR - fantomas wrote: Aren't there any MUAs that try to autodetect the right content type? Even from microsoft? IE had a nasty habit of ignoring the MIME type in HTTP headers and rendering HTML even when one wanted it displayed as text/pla

Re: html experts: empty

2009-01-31 Thread Kenneth Porter
--On Saturday, January 31, 2009 10:31 PM +0100 Kai Schaetzl wrote: Aren't there any MUAs that try to autodetect the right content type? Even from microsoft? No. If they would then you couldn't send any plain text messages that *discuss* HTML code with examples. A simple-minded autodetect s

Re: OT: RE: URI with spaces are not recognized

2009-02-16 Thread Kenneth Porter
--On Monday, February 16, 2009 8:57 AM +1300 Michael Hutchinson wrote: "plenty of people are greedy, gullible, uninformed, overly trusting, stupid, or some combination of the above" This also means: "Anyone that doesn't use a computer as much as an E-Mail administrator" Coincidentally, this

Re: ImageInfo vs FuzzyOCR performance?

2006-10-27 Thread Kenneth Porter
--On Friday, October 27, 2006 6:29 AM -0700 Jeff Chan <[EMAIL PROTECTED]> wrote: Does anyone have any recent feedback about the performance of ImageInfo versus FuzzyOCR about detecting stock image spams (or any others)? Does FuzzyOCR catch significantly more spams than ImageInfo? The last I

Re: R: Age of a domain name - a new test?

2006-10-31 Thread Kenneth Porter
--On Tuesday, October 31, 2006 8:28 AM +0100 Giampaolo Tomassoni <[EMAIL PROTECTED]> wrote: Ok. Why not combine an age check with Hardin's "spam-friendly registar" plugin? Where can I find out more about this plugin? I searched the wiki for "registrar" and it doesn't turn up.

Re: Age of a domain name - a new test?

2006-10-31 Thread Kenneth Porter
--On Monday, October 30, 2006 9:56 PM -0800 Jeff Chan <[EMAIL PROTECTED]> wrote: Generally speaking whois queries is a poor way to determine domain age, at least for client applications. The whois infrastructure is simply not designed to support the volume of queries required, even if locally

Re: Have SA delete a message

2006-11-06 Thread Kenneth Porter
On Tuesday, November 07, 2006 3:21 PM +1300 Simon <[EMAIL PROTECTED]> wrote: We are running debian sarge, with postfix and SpamAssassin 3.1.3. We have setup sa as a filter in postfix and it is now working and 'tag'ing spam correctly. What do i do to have sa delete the message above a certain lev

sa-update DNS not updated (was: Block "wrote:" spams)

2006-11-08 Thread Kenneth Porter
--On Friday, November 03, 2006 5:43 PM + Justin Mason <[EMAIL PROTECTED]> wrote: there's a rule that matches them in 3.1.x sa-update, fwiw. I don't see it either. What's the name of the rule? Dates on files in /var/lib/spamassassin are 20061024. I ran sa-update -D and got this at the en

Re: Rule for raw HTML

2006-11-08 Thread Kenneth Porter
--On Thursday, November 09, 2006 1:21 AM + [EMAIL PROTECTED] wrote: I really dislike html in mails - whether in the right mime part or not - but I have seen many legitimate mails that get mime stuff wrong. Of course these are not normal mail clients, but server generated mails like order con

Re: sa-update -D

2006-11-08 Thread Kenneth Porter
--On Wednesday, November 08, 2006 8:52 PM -0800 R Lists06 <[EMAIL PROTECTED]> wrote: [7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) [7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed) [7317] dbg: diag: module not installed: Razor2::Client::A

Re: sa-update rules for SA 3.1.7 have been updated but they fail lint

2006-11-11 Thread Kenneth Porter
--On Saturday, November 11, 2006 3:20 PM -0500 Theo Van Dinter <[EMAIL PROTECTED]> wrote: "spamassassin --lint -D" will show what rule files are being used. Weekly is probably a good choice, daily is as frequent as I would suggest at the moment. It uses DNS to detect new updates, doesn't it?

Re: ... This Just In / Thought I'd Share ...

2006-11-14 Thread Kenneth Porter
--On Tuesday, November 14, 2006 12:44 PM -0500 Michel R Vaillancourt <[EMAIL PROTECTED]> wrote: LOL ... stupid spammer tricks... check the message ID: mid=<%RNDDIGIT715.%RNDLCCHAR13% [EMAIL PROTECTED] DDIGIT2yahoo.com> Hehe, quoted for those who lost it in the noise.

Zogby polls ignore SpamAssassin users

2006-11-27 Thread Kenneth Porter
I get notifications of new Zogby political polls that head straight to my spam folder. I've tried emailing Zogby about it but have been ignored. Perhaps they don't want the opinions of people who use SA. Here's a typical report: Content analysis details: (5.3 points, 5.0 required) pts rule

Re: 1.1 GB of bayes data ... excessive?

2006-11-27 Thread Kenneth Porter
--On Monday, November 27, 2006 3:28 PM -0800 "John D. Hardin" <[EMAIL PROTECTED]> wrote: Either increase your timeouts, or turn off auto-expiry and schedule expiry using a cron job outside of SA. You'll probably have to do a manual expiry to get it back to a reasonable state. I suggest you do t

Re: HTML Validator

2006-11-27 Thread Kenneth Porter
--On Friday, March 10, 2006 5:08 PM -0800 Kenneth Porter <[EMAIL PROTECTED]> wrote: Anyone know of a good validator that can be run over a MIME part to report on the quality of the HTML? This might be used as a go/no-go filter at milter level, or it could be used as an SA plugin to as

Re: HTML Source Rule

2006-11-29 Thread Kenneth Porter
--On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp <[EMAIL PROTECTED]> wrote: I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done its work to reduce the score. These messages of course ha

Re: HTML Source Rule

2006-11-30 Thread Kenneth Porter
On Thursday, November 30, 2006 5:01 PM -0600 Richard Frovarp <[EMAIL PROTECTED]> wrote: Kenneth Porter wrote: --On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp <[EMAIL PROTECTED]> wrote: I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and t

Wiki: Document the rules!

2006-12-04 Thread Kenneth Porter
See There's now a wiki page that creates a prototype documentation page for a rule: Plug in a rule name and start documenting!

Re: Wiki: Document the rules!

2006-12-04 Thread Kenneth Porter
A little investigation reveals another path: Go to the Tests page from the main web page: Select the latest SA version to see its list of tests. For a given test (AKA rule) click its Wiki link on the right. Either a descriptive page already exists,

Re: Rule update over DNS?

2006-12-06 Thread Kenneth Porter
--On Wednesday, December 06, 2006 1:26 PM +0100 Matthias Leisi <[EMAIL PROTECTED]> wrote: As such, DNS could be used as a transport mechanism with reasonably chosen TTLs. sa-update already uses DNS to check for new updates. The record provides the latest version of the update rule set. The a

Re: sa-update

2006-12-06 Thread Kenneth Porter
--On Wednesday, December 06, 2006 7:07 PM + Duane Hill <[EMAIL PROTECTED]> wrote: I would assume sa-update wouldn't overwrite the default distribution rules that are initially installed. That would mean they would have to be placed somewhere else. This would be based on the fact that a new

Re: Rule update over DNS?

2006-12-08 Thread Kenneth Porter
--On Friday, December 08, 2006 12:20 AM -0500 Duncan Findlay <[EMAIL PROTECTED]> wrote: That's a good point. Those of us packaging SpamAssassin for distributions should think about this. :-) Will it be okay if all Debian users start running sa-update on the same minute of the hour? Are those

Re: Sorry Dhawal - no personal attacks allowed [OT]

2006-12-13 Thread Kenneth Porter
--On Tuesday, December 12, 2006 10:01 AM -0800 Ken A <[EMAIL PROTECTED]> wrote: Some people on this list have to pay per kb of bandwidth used. You might want to read the list with a newsreader, through gmane. Then you just download the headers and pick and choose the bodies you want. My pra

Re: sa-update is broken

2006-12-18 Thread Kenneth Porter
--On Monday, December 18, 2006 11:20 PM +0100 Yves Goergen <[EMAIL PROTECTED]> wrote: So now my SA setup is supposed to be broken or what? Well, it still works so I guess when the next SA version comes out, it'll fix this again. Depends on how you installed it. Or if you have backups. Back up

What did sa-update change?

2006-12-19 Thread Kenneth Porter
I just saw that sa-update pulled a new edition of rules. How can I find out what changed?

Re: What did sa-update change?

2006-12-19 Thread Kenneth Porter
--On Tuesday, December 19, 2006 7:48 PM -0500 Theo Van Dinter <[EMAIL PROTECTED]> wrote: Yeah. The easiest way for us is to check out the svn dir for the updates and look at the revision history. Otherwise grab the previous update, then diff -r. Which dir would that be? This one looks like

Re: Despeckling images for OCR and anti-spam purposes

2006-12-23 Thread Kenneth Porter
--On Saturday, December 23, 2006 12:43 PM +0100 decoder <[EMAIL PROTECTED]> wrote: Which images are you refering to? If you can put up a sample, then I can tell you which scanner setting will catch it :) Does the SA wiki support uploading of images? Perhaps we could have a page of just probl

No text parts

2007-01-19 Thread Kenneth Porter
Are there any rules in the current release (or in updates) to score a message that contains no text parts? I just got a message that had image/jpeg as its top-level MIME component. But it's almost as bad to get a multipart that contains neither text/plain nor text/html (or any other text varian

Re: new RX stuff

2007-01-24 Thread Kenneth Porter
--On Wednesday, January 24, 2007 2:11 PM +0200 Henrik Krohns <[EMAIL PROTECTED]> wrote: I guess this works until spammers just use a "remove the space from domain" method, which pretty much defeats the uri handler. :) Perhaps a simpler test is to see if the domain is resolvable by the recipi

Re: can you trust the MX?

2007-01-30 Thread Kenneth Porter
--On Monday, January 29, 2007 9:03 PM +0100 Magnus Holmgren <[EMAIL PROTECTED]> wrote: So, it is well established that mail from a domain doesn't have to be sent from the MX for the domain. But the converse should be true, shouldn't it? I.e. an MX for a domain is normally a legitimate deliver

help a journalist: What do you wish the CIO understood about fighting spam? (fwd)

2007-01-30 Thread Kenneth Porter
ve the article credibility ("Esther works at a large finance company in the Southwest"). Esther Schindler senior online editor, CIO.com http://blogs.cio.com/blog/37 -- End Forwarded Message -- Forwarded Message Date: Tuesday, January 30, 2007 11:22 AM -0700 F

Re: help a journalist: What do you wish the CIO understood about fighting spam? (fwd)

2007-01-31 Thread Kenneth Porter
Note that I'm not the author of the original message. If you're going to cc, you should cc her.

Re: TVD_SILLY_URI_OBFU

2007-02-02 Thread Kenneth Porter
Here's the current rule: body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*[^a-z0-9.:/\s"'[EMAIL PROTECTED])>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i If I read this right, it looks for an illegal domain character in the domain component after the first dot. The new pattern puts a % after the

Re: TVD_SILLY_URI_OBFU

2007-02-05 Thread Kenneth Porter
On Tuesday, February 06, 2007 12:31 AM +0100 "Chr. v. Stuckrad" <[EMAIL PROTECTED]> wrote: So what really will be needed, would be a combination of Rules for 'illegal hostname in url' and something like the URIBLS to catch 'sytactically legal looking' obfuscations. (if such a thing is feasible)

Re: Obfuscated URL detection via DNS

2007-02-05 Thread Kenneth Porter
On Monday, February 05, 2007 9:51 PM + Justin Mason <[EMAIL PROTECTED]> wrote: - (a) It provides an easy way for a spammer to tell if a piece of mail passes through a SpamAssassin filter, by monitoring hits on their NS. You could give the URIBL rules first shot at the raw name, then inv

EXTRA_MPART_TYPE

2007-02-05 Thread Kenneth Porter
I don't understand why EXTRA_MPART_TYPE is a spam indicator. It seems to be required by RFC 2387: Here's the rule, from SA 3.1.7: header EXTRA_MPART_TYPE Content-Type =~ /(?:\s*multipart\/)?.* type=/i describe EXTRA_MPART_TYPE Header has ext

Re: EXTRA_MPART_TYPE

2007-02-05 Thread Kenneth Porter
On Monday, February 05, 2007 10:14 PM -0500 Theo Van Dinter <[EMAIL PROTECTED]> wrote: Yes. There's a whole discussion about this in https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5110 FWIW, lots of RFC compliant things are spam indicators. So does that mean he can't win? It does l

Re: EXTRA_MPART_TYPE

2007-02-06 Thread Kenneth Porter
On Monday, February 05, 2007 11:29 PM -0500 Matt Kettler <[EMAIL PROTECTED]> wrote: It scores 1.091 points, just barely 1/5 of what's recommended as a sane spam-tag threshold. Clearly, given the relatively low score, this rule isn't a very strong spam indicator. What's the problem? Is it also

Re: Obfuscated URL detection via DNS

2007-02-06 Thread Kenneth Porter
On Tuesday, February 06, 2007 8:49 PM +1300 Jason Haar <[EMAIL PROTECTED]> wrote: Hmm - I would assume the opposite. Most people would run SA in DMZes wouldn't they? And most DMZ design philosophies are that DMZ hosts should attempt to have near-zero access to internal resources. i.e. no intern

Re: TVD_SILLY_URI_OBFU

2007-02-06 Thread Kenneth Porter
The latest obfuscation cleverly uses a dash, a legal domain character, so one can no longer match based on non-domain characters.

RE: False Primary MX Record = MORE spam?

2007-02-08 Thread Kenneth Porter
On Thursday, February 08, 2007 2:04 PM + "Martin.Hepworth" <[EMAIL PROTECTED]> wrote: I found A LOT of spam tries secondary MX first as a way to circumvent spam filters.. I don't think there's anything that prohibits you from listing a server multiple times, so you could include your pri

Re: HTML mail (was Re: A New Approach: Find the Ham)

2007-02-12 Thread Kenneth Porter
--On Monday, February 12, 2007 12:50 PM -0800 Kelson <[EMAIL PROTECTED]> wrote: In other words, what can adequately replace text/html in the non-plaintext multipart/alternative section such that HTML becomes irrelevant for legitimate uses? Microsoft Word? PDF? RTF? Any of those would be wor

RE: Blocking MMS messages?

2007-02-12 Thread Kenneth Porter
--On Tuesday, February 13, 2007 12:28 PM +1300 Philip Seccombe <[EMAIL PROTECTED]> wrote: Whitelisting @mms1.telstra.com would be best wouldn't it? Rather than change rules and end up letting through spam with numbers in the email address etc Big things there seem to be all numbers in email add

Re: NEEDED TODAY!!: Virus Expert Needed For Radio Talk Show

2006-02-02 Thread Kenneth Porter
On Thursday, February 02, 2006 2:07 PM -0500 Rob McEwen <[EMAIL PROTECTED]> wrote: (I'm sending this to surbl, uribl, and SA lists) With such short notice, I don't think they are going to be super picky. Alas, too late now. But why not the clam lists? They're the ones who'd be most qualified

Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick

2006-03-08 Thread Kenneth Porter
--On Wednesday, March 08, 2006 2:24 PM -0800 Jeff Chan <[EMAIL PROTECTED]> wrote: It's an interesting use, but I don't believe it would confuse SpamAssassin, etc. The second URI should be visible enough to be checked, and I added the IP to ph.surbl.org. Is there an SA rule that checks for ne

Re: [Mimedefang] Re: [SURBL-Discuss] Fw: Interesting Phishing Trick

2006-03-08 Thread Kenneth Porter
--On Wednesday, March 08, 2006 8:40 PM -0500 Theo Van Dinter <[EMAIL PROTECTED]> wrote: Not in SA proper. For curiosity sake, I wrote up a quick rule to test it out: MSECSSPAM% HAM% S/ORANK SCORE NAME 027920 49400.850 0.000.00 (all messages) 1.400

Spammer forums

2006-03-09 Thread Kenneth Porter
Saw a story on SlashDot today that mentions this spammer forum site: Here's the SlashDot mention:

Re: Via HTTP??

2006-03-10 Thread Kenneth Porter
On Friday, March 10, 2006 9:52 AM -0800 Kelson <[EMAIL PROTECTED]> wrote: Hmm, Fedora Core 2 is officially EOL'd. Are you updating things manually, or through Fedora Legacy? Fedora Legacy does show an Apache update released on Feb. 18: http://fedoralegacy.org/updates/FC2/ And subscribe to th

Re: Via HTTP??

2006-03-10 Thread Kenneth Porter
On Friday, March 10, 2006 4:17 PM -0800 jdow <[EMAIL PROTECTED]> wrote: But also check out the mail scripts you have. I don't have any such so I don't pay attention to specifics. But they have been known to have various vulnerabilities that get addressed over time. If you got the script from som

HTML Validator (was: Interesting Phishing Trick)

2006-03-10 Thread Kenneth Porter
On Wednesday, March 08, 2006 6:46 PM -0800 Kenneth Porter <[EMAIL PROTECTED]> wrote: Makes me wonder about installing outbound filters that run a validator and reject anything that fails. I often see flame wars on mailing lists about allowing HTML posts to the list, but I wonder h

Re: Amavisd replacement suggestion

2006-03-10 Thread Kenneth Porter
On Saturday, March 11, 2006 2:32 AM +0100 Michael Grant <[EMAIL PROTECTED]> wrote: Between Mailscanner and Amavisd-new, it seems we need one or the other of these programs to recursively dig into and possibly uncompress a message with attachments to be able to virus scan it completely. Does Ma

Re: Amavisd replacement suggestion

2006-03-10 Thread Kenneth Porter
On Friday, March 10, 2006 9:09 PM -0500 Matt Kettler <[EMAIL PROTECTED]> wrote: It might even pass the *message* whole to the scanners.. I know most tools like clamav can deal with being fed a raw mime-822 message and parse out all the attachments, decompress them, scan them, without any extern

Re: HTML Validator

2006-03-10 Thread Kenneth Porter
On Friday, March 10, 2006 9:43 PM -0700 Philip Prindeville <[EMAIL PROTECTED]> wrote: Do you mean: http://validator.w3.org/source/ I thought that was just a web form-based validator. I'll have to look at it to see if the validator can be run over an attachment (ie. an HTML MIME part) from

Sending spam with Mailman

2006-04-10 Thread Kenneth Porter
I suppose I shouldn't be shocked by this but it surprised me to receive some spam sent with Mailman. I have a folder for catching all mailing list mail that doesn't yet have its own procmail rule. The catch-all procmail rule looks for anything with a List-Id header and dumps it in ~/mail/Lists

Re: xxxl spam

2006-04-11 Thread Kenneth Porter
On Tuesday, April 11, 2006 2:14 PM -0400 Matt Kettler <[EMAIL PROTECTED]> wrote: I've not seen it with dummy text, but I have seen the large image spam. However, it's very rare. The problem being that if you're a large-volume spammer, large messages take a longer time to send, and thus reduce y

RE: greetpause was Re: xxxl spam

2006-04-11 Thread Kenneth Porter
On Tuesday, April 11, 2006 1:37 PM -0700 [EMAIL PROTECTED] wrote: Agreed. Spammers have access to all the free CPU bandwidth and processing time they can steal - legitimate MTAs are limited to a budget. Any anti-spam solution that simply rewards CPU and bandwidth spent* is playing into the hand

Re: Web page scraping software

2006-04-11 Thread Kenneth Porter
On Tuesday, April 11, 2006 4:19 PM -0700 List Mail User <[EMAIL PROTECTED]> wrote: Is anyone here familiar with the web page email address scraping software sold at: http://newsman.asp.be/featuresu.jsp ? From that page: NewsMan Pro sends one message per recipient and shows the mem

Non-English languages (was: xxxl spam)

2006-04-13 Thread Kenneth Porter
On Thursday, April 13, 2006 10:32 PM -0600 "Paul R. Ganci" <[EMAIL PROTECTED]> wrote: Unfortunately I am still a linguistic idiot and only speak English ... a Buffalo, NY version at that! My grand parents came over from Italy in 1920 and promptly stopped speaking Italian around my parents. It f

span float obfuscation (was: one SPAM)

2006-04-28 Thread Kenneth Porter
On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <[EMAIL PROTECTED]> wrote: describe OBFUSCATING_FLOAT d Thanks, I was looking for a rule for this. Have you considered submitting it to the devs?

Re: span float obfuscation

2006-04-28 Thread Kenneth Porter
On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <[EMAIL PROTECTED]> wrote: May I post my rules to Bugzilla? Sounds good to me. I would have done so myself but wanted to make sure you get attribution. You'll probably want to subscribe to the -devel list as all bugzilla traffic goe

Re: span float obfuscation

2006-05-01 Thread Kenneth Porter
On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <[EMAIL PROTECTED]> wrote: BTW, I have more rules for catching various types of spams. Which is better for posting new rules? (1) first, posting new rules to this users ML, next, posting to Bugzilla (2) directly posting new rules to B

"Vouching" for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)

2006-05-22 Thread Kenneth Porter
--On Saturday, May 20, 2006 4:54 PM -0700 jdow <[EMAIL PROTECTED]> wrote: Looking at your own email it comes from a COMCAST cable connection in Palmer Ranch Florida through the WFGB mailer. The WFGB mailer is not in SORBS anywhere. YOUR address most certainly is a dialup. So it WILL get tagged u

Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
I just grepped my entire mail hierarchy for ".geocities.com" and the only legitimate stuff I see either uses the www or uk subdomains. How can I write a rule that matches on that? If it were just one subdomain I could write one rule for all subdomains and one for just the one subdomain and use

RE: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
On Monday, May 22, 2006 12:28 PM -0400 Bowie Bailey <[EMAIL PROTECTED]> wrote: I assume you mean "www.geocites.com" and "uk.geocities.com", right? Try this: /(?:www|uk)\.geocities\.com/ Add other anchors as appropriate... Doh! That was too easy! :P BTW, in my corpus the only legit use

Re: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie <[EMAIL PROTECTED]> wrote: Or the full line could be: uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com} describe ZMIgeocitiesGOOD probably good geocities site scoreZMIgeocitiesGOOD -1.2 or whatever score you want to give them.

Re: "Vouching" for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)

2006-05-22 Thread Kenneth Porter
On Monday, May 22, 2006 12:28 PM -0700 "John D. Hardin" <[EMAIL PROTECTED]> wrote: Send it over an ssh tunnel so that to the MTA it appears to be coming from 127.0.0.1. That's how I do it. Any way to do that with sendmail at both ends? Currently I use an AuthInfo entry in the sending MTA's a

Re: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
As it turns out, I had a SARE rule installed that should catch these, but I found some spams leaking through due to the "insecure dependency" bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. O'Shea's patch for that bug. Here's the SARE rule:

Debugging spamd

2006-05-22 Thread Kenneth Porter
I just posted this: I'd like to throw a line into _handle_hit to log the rule name that's causing it. What's the Perl syntax for "if $score isn't defined, log the rule name"?

Re: Stock Spams; aka Pump and Dump

2006-06-02 Thread Kenneth Porter
--On Thursday, June 01, 2006 1:41 PM -0400 DAve <[EMAIL PROTECTED]> wrote: Currently 3.0.4 on the toasters, 3.0.2 on the MailScanner boxes. These may or may not get updates this month. I've never been fond of "update" as a solution to a problem unless I know the change in version will directly

Processing many mbox folders

2006-06-02 Thread Kenneth Porter
On Friday, June 02, 2006 9:47 PM -0400 JamesDR <[EMAIL PROTECTED]> wrote: How many messages have you trained? You'll need 200 each to get it going, and I recommend at least a thousand of each to really get it going. I use procmail to distribute my mail to over a hundred folders in a large tr

Re: Processing many mbox folders

2006-06-02 Thread Kenneth Porter
On Friday, June 02, 2006 10:51 PM -0400 "Gary D. Margiotta" <[EMAIL PROTECTED]> wrote: # !/bin/sh cd mail/Lists for x in `ls` do sa-learn --ham --mbox $x done Thanks, that handles the top level. ;) I figure I'll need to do something like: find mail/Lists -type f -exec sa-learn --ham

Re: Processing many mbox folders

2006-06-02 Thread Kenneth Porter
--On Friday, June 02, 2006 11:28 PM -0400 "Gary D. Margiotta" <[EMAIL PROTECTED]> wrote: Yep, but his original e-mail said mail/Lists was for ham training, nothing about spam, so that's why I put that in there. It really was a quick and dirty answer, and in his other reply, there's more folder

My "fighting spam" article is live! (fwd)

2007-02-15 Thread Kenneth Porter
Forwarded Message Date: Thursday, February 15, 2007 5:28 PM -0700 From: Esther Schindler <[EMAIL PROTECTED]> To: Esther Schindler <[EMAIL PROTECTED]> Subject: My "fighting spam" article is live! Thanks SO much for your help. I had a huge number of responses, so not e

5 Things the Boss Should Know About Spam Fighting

2007-02-19 Thread Kenneth Porter
Here's a mention of Spamassassin:

MTA for Windows

2007-02-23 Thread Kenneth Porter
I'm looking for an MTA I can install in an all-Windows SOHO. Open source and free preferable. Ideally with hooks for SpamAssassin. (At home I have a Linux box with sendmail, but a friend has no Linux on his LAN.)

FROM_ALL_CAPS (a rule like SUBJ_ALL_CAPS for From)

2007-03-12 Thread Kenneth Porter
One personal flag for me that seems to be a good spam indicator is all-caps From and Subject header content. For example: Subject: NOTIFICATION OF BEQUEST From: BROWN WALTER ASSOCIATES <[EMAIL PROTECTED]> This scored on SUBJ_ALL_CAPS but I'm wondering if anyone's gotten good results from

Re: we're a benchmark!

2007-03-16 Thread Kenneth Porter
On Wednesday, March 14, 2007 11:19 AM + Justin Mason <[EMAIL PROTECTED]> wrote: (found via the fastmail blog. cool!) Indeed. What other large, popular, headless, and easily-acquired Perl applications exist? (I'd guess most other large Perl apps are web-based and hence wouldn't be suitab

Re: NOTICE: SpamAssassin 3.2.0-rc1 PRERELEASE available

2007-04-06 Thread Kenneth Porter
--On Friday, March 23, 2007 3:10 PM + Justin Mason <[EMAIL PROTECTED]> wrote: So when are the betas of the "(STILL TODO ;)"'s coming out? :-) Doc has promised to do them really soon. ;) http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5382 And according to that bug, it's now in th

Single user install (was: Wild hair)

2024-09-26 Thread Kenneth Porter
I've been running SpamAssassin for longer than seems realistic (2.28 with 1998 Red Hat Hurricane?). Anyway I have started moving everything mail to yet a new machine, Ubunto LTS 24.04.01. That only supports SA 4.0.0. I've been contemplating the pain of sideloading 4.0.1 into the system. Then I

<    1   2   3   4