You mean like the one that's in the default SA 2.43 ruleset?
header FROM_MALFORMED From !~ /(?:\"[^\"]+\"|\S+)\@\S+\.\S+|<\S+(?:\!\S+)+>/ [if-unset: [EMAIL PROTECTED]]
At 03:03 PM 1/16/2003 -0700, Kevin Miller wrote:
Does anyone have a rule designed for detecting invalid From: addresse
On Thu, Jan 16, 2003 at 07:13:45PM -0500, Tom Allison wrote:
> Failed to run RAZOR_CHECK SpamAssassin test, skipping:
> (Can't locate object method "check_razor" via package
> "Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
> "Mail::SpamAssassin::PerMsgStatus"?) at /u
Theo Van Dinter wrote:
On Thu, Jan 16, 2003 at 07:13:45PM -0500, Tom Allison wrote:
Failed to run RAZOR_CHECK SpamAssassin test, skipping:
(Can't locate object method "check_razor" via package
"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
"Mail::SpamAssassin::PerMsgSta
On Thu, 16 Jan 2003, Chris Edwards wrote:
> | The problem or feature of the current system seems to be that you don't
> | really know who the email is from. Received: and From: headers can be
> | faked, so that you really don't know that the listed location is the
> | true originating location.
Justin Mason wrote:
Tom Allison said:
debug: lock: created /home/harvey/.spamassassin/auto-whitelist.lock.penguin.3452
debug: lock: 3452 trying to get lock on /home/harvey/.spamassassin/auto-whitelist pass 0
debug: lock: link to /home/harvey/.spamassassin/auto-whitelist.lock ok
debug: lock: u
VERSION 2.43
-
debug: running full-text regexp tests; score so far=-10
debug: Razor2 is not available
Failed to run RAZOR_CHECK SpamAssassin test, skipping:
(Can't locate object method "check_razor" via package
"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
"M
Tom Allison said:
> debug: lock: created /home/harvey/.spamassassin/auto-whitelist.lock.penguin.3452
> debug: lock: 3452 trying to get lock on /home/harvey/.spamassassin/auto-whitelist pass 0
> debug: lock: link to /home/harvey/.spamassassin/auto-whitelist.lock ok
> debug: lock: unlinked
Does anyone have a rule designed for detecting invalid From: addresses?
Seems 99.9% of my spam has a malformed From:
Thanks
Kevin
debug: lock: created /home/harvey/.spamassassin/auto-whitelist.lock.penguin.3452
debug: lock: 3452 trying to get lock on /home/harvey/.spamassassin/auto-whitelist pass 0
debug: lock: link to /home/harvey/.spamassassin/auto-whitelist.lock ok
debug: lock: unlinked /home/harvey/.spamassassin/auto-whi
On Thu, 16 Jan 2003 [EMAIL PROTECTED] wrote:
> I keep hearing this said, but I think this line of thinking overlooks the
> obvious: Bouncing emails tagged by SA isn't to notify the spammers, it's
> to notify the senders of legitimate email that SA sometimes catches. If
> you're running spamd in an
On Thu, 2003-01-16 at 18:36, Rich Puhek wrote:
> Scot Wilcoxon wrote:
> >> YOUR DEGREE MAY BE
> We also may want to consider the effect on our existing rules. Perhaps
> we'll need a preprocessor to s/<\!--.*-->//g so that spammers can't
> simply do something like:
>
> free porn and low rate m
At 09:36 AM 01/16/2003, you wrote:
We also may want to consider the effect on our existing rules. Perhaps
we'll need a preprocessor to s/<\!--.*-->//g so that spammers can't simply
do something like:
free porn and low rate mortgages
That's apparently their goal, and would be fairly easy for a
Michael Shields wrote:
In article <[EMAIL PROTECTED]>,
Rich Puhek <[EMAIL PROTECTED]> wrote:
We also may want to consider the effect on our existing rules. Perhaps
we'll need a preprocessor to s/<\!--.*-->//g so that spammers can't
simply do something like:
free porn and low rate mortgages
I
On Thursday, January 16, 2003, 12:23:30 AM, you wrote:
CE> I use this:
CE> # This is a reformulation of standard test VERY_SUSP_RECIPS
CE> header SimilarToNames ToCc =~ /\b([a-z][a-z])[^@,<>\(\) ]{0,20}(@[-a-z0-9_\.]{2,4}).{0,80}?(?:\1[^@,<>\(\) ]{0,20}\2.{0,80}?){2,}/is
In article <[EMAIL PROTECTED]>,
Rich Puhek <[EMAIL PROTECTED]> wrote:
> We also may want to consider the effect on our existing rules. Perhaps
> we'll need a preprocessor to s/<\!--.*-->//g so that spammers can't
> simply do something like:
>
> free porn and low rate mortgages
It would be a good i
I was thinking about adding a different way to pass user info to spamd, so
we wouldn't need all these hacks to lookup username for all the different
configurations.
I was thinking of adding a -D option to spamc which would be the path to
the users home directory.
Then spamd would be modified to t
Justin Mason wrote:
Rich Puhek said:
I'm not sure how useful the RBLs themselves would be to a large group of
diverse users, or if it would be most useful if maintained locally.
Once it's closer to ready for primetime, I think I'll sourceforge it,
and we'll see how it goes.
Wow -- great idea
That was my mistake about the permissions, they were 1777.
- Original Message -
From: "Theo Van Dinter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 9:54 AM
Subject: Re: [SAtalk] Problem with 2.43 and DCC
___
On Thu, Jan 16, 2003 at 09:34:43AM -0800, [EMAIL PROTECTED] wrote:
> Just trying new ideas. Checked /tmp. it's drwxrwxrwx. I'm pretty sure
> it's a permissions problem. I have the proper holes poked in the firewall
It should be 1777 not 777. Don't know if it's related, but ...
--
Randomly G
Rich Puhek said:
> I'm not sure how useful the RBLs themselves would be to a large group of
> diverse users, or if it would be most useful if maintained locally.
> Once it's closer to ready for primetime, I think I'll sourceforge it,
> and we'll see how it goes.
Wow -- great idea! Sounds like
Hmmm. If you guys were to use DBI to access the .db file, then people
could actually have the option of using any backend database. I realize
it's too late for the coming release, but maybe it's something worth
considering for the future.
Justin Mason wrote:
sabat said:
Since the
Scot Wilcoxon wrote:
YOUR DEGREE MAY BE
Cute. Comments with text without having whitespace between the text and
comments. It may be legal, but it's not common for legibility reasons.
Scripts might generate it, although I tend to write scripts which
insert whitespace in such situations
Just trying new ideas. Checked /tmp. it's drwxrwxrwx. I'm pretty sure
it's a permissions problem. I have the proper holes poked in the firewall
for DCC, according to their FAQ. The strange thing is that it almost wants
to work when spamd is run as root. Spamd at least fires up, but then it
ha
Robert Strickler wrote:
Jeremy Turner [[EMAIL PROTECTED]]
keep statistics for a "X strikes and you are out"
milter to deny access completely for X minutes when they hit too many
bad addresses or have a 0 ham to X spam ratio.
Sounds like an MTA thing, not really a SpamAssassin thing. I woul
On Thu, Jan 16, 2003 at 10:44:52AM -0600, Scot Wilcoxon wrote:
> Cute. Comments with text without having whitespace between the text and
> comments. It may be legal, but it's not common for legibility reasons.
> Scripts might generate it, although I tend to write scripts which
> insert whites
On Thu, 2003-01-16 at 10:30, Dustin Baer wrote:
> Why not send it to a discard directory and run a nightly cron job to let
> people know what was caught, e.g. From, To, Subject, SpamAssassin
> score. Then set up a web page (or an email alias to a program) that
> will allow someone to request the d
> "JM" == John Madden <[EMAIL PROTECTED]> writes:
>> else, do it. But don't fake the SMTP sender.
JM> Right - the SMTP sender wasn't faked. It was "blackboard
JM> (blackboard.ivy.tec.in.us...)" -- no mention of hotmail.com.
You're confusing the SMTP sender with the SMTP client.
-
| The problem or feature of the current system seems to be that you don't
| really know who the email is from. Received: and From: headers can be
| faked, so that you really don't know that the listed location is the
| true originating location. You can't reliably bounce an email or notify
| a po
On Thu, 2003-01-16 at 16:26, Ross Vandegrift wrote:
> On Thu, Jan 16, 2003 at 09:40:00AM +, Ian MacDougall wrote:
> > We have a similar structure, but for reasons I won't go into we have SA
> > behind our primary mailservers.
>
> Actually, would you mind going into this? It seems really stran
On Thu, 2003-01-16 at 08:53, Mike Scheidler wrote:
> Here's an excerpt from one that got by SA (version 2.43). I've never seen
> this tactic before, though maybe someone else has. It scored a 4.8.
> The gaps seem to be randomly spaced.
[...]
> While the obfuscating comments are
> all identical in
YOUR DEGREE MAY BE
Cute. Comments with text without having whitespace between the text and
comments. It may be legal, but it's not common for legibility reasons.
Scripts might generate it, although I tend to write scripts which
insert whitespace in such situations.
Might this detect it?
> SA 2.43 triggers the FORGED_HOTMAIL_RCVD rule if there is a
> hotmail.com From: address, but no Received: header corresponding to the
> Hotmail format (like your case).
> This has been changed in SA 2.50, which differentiates between a hotmail
> address with forged hotmail received headers and h
[EMAIL PROTECTED] wrote:
>
> On 15 Jan 2003, Jeremy Turner wrote:
>
> > 2. As discussed previously on this thread (I believe), it might be a
> > bad idea to send an email back to a spam source. At best, the address
> > doesn't exist, creating a returned bounce email and wasting bandwidth.
> > A
On Thu, Jan 16, 2003 at 10:39:38AM -0500, John Madden wrote:
> I believe the logic is hosed there, then. There's nothing wrong with
> announcing that your email address is @hotmail.com when sending through
> another machine.
Actually, my reading of the code was incorrect, sorry. The current
vers
> There's nothing wrong with that, except when you announce it as the SMTP
> sender. That is, you're sending bounces there. This is a *very* common
> spammer trick. The test is misnamed perhaps, but the test
> itself is correct. If you want to set the From address to something
> else, do it. B
> Guess why the score for that rule was not set at 7.0 in the first place.
>
> Playing with the score of a single rule is a perilous exercise. The
> scores are computed to work correctly *together*, not in isolation.
I've found that some of the default rules don't work all that well. We
get a l
On Thu, Jan 16, 2003 at 10:15:05AM -0500, John Madden wrote:
> The full report contained within the rest of the message claims that SA is
> looking in the Received headers for the forging, and call me crazy, but I
> don't see any hotmail.com in the Received headers here.
SA 2.43 triggers the FORGE
On Thu, 16 Jan 2003, John Madden wrote:
> > Exactly. The mail has a hotmail from address, but nothing in the
> > Received headers says it came from hotmail, so it gets flagged.
>
> I believe the logic is hosed there, then. There's nothing wrong with
> announcing that your email address is @hotm
On Thu, 2003-01-16 at 10:15, Jerry Rasmussen wrote:
> My main concern is someone in my company losing or not responding to
> an important email because it was marked SPAM.
I am concerned about this as well, so we never ever ever send spam to
/dev/null. We tag it, and send it along, giving the c
On Thu, Jan 16, 2003 at 09:40:00AM +, Ian MacDougall wrote:
> We have a similar structure, but for reasons I won't go into we have SA
> behind our primary mailservers.
Actually, would you mind going into this? It seems really strange to do
it this way, but I'm sure you have reasons. I'd be i
>>> "Stephane" <[EMAIL PROTECTED]> 01/15/03 05:42PM >>>
>Hello again,
>Our infrastructure would look like:
>Internet-->[SA]-->[Mailsweeper]-->[SMTP/Lotus Notes gateway]-->Lotus Notes Mail
>reader on Client PC
>Each bracketed text is a separate server, so SA would be a dedicated relay, with no
>l
> "JM" == John Madden <[EMAIL PROTECTED]> writes:
>> Exactly. The mail has a hotmail from address, but nothing in the
>> Received headers says it came from hotmail, so it gets flagged.
JM> I believe the logic is hosed there, then. There's nothing wrong with
JM> announcing that your email ad
>> The full report contained within the rest of the message claims that
>> SA is looking in the Received headers for the forging, and call me
>> crazy, but I don't see any hotmail.com in the Received headers here.
>> The scenario here
>
> Exactly. The mail has a hotmail from address, but nothing i
Jeremy Turner [[EMAIL PROTECTED]]
>> keep statistics for a "X strikes and you are out"
>> milter to deny access completely for X minutes when they hit too many
>> bad addresses or have a 0 ham to X spam ratio.
> Sounds like an MTA thing, not really a SpamAssassin thing. I would point
you to your
My main concern is someone in my company losing or not responding to an important
email because it was marked SPAM. It seems to me there is a difference between a
company with say 1000 or less users who only receive a few 100 spam emails a day and
an ISP with 10s of thousands of users who would
On Thu, 2003-01-16 at 08:32, [EMAIL PROTECTED] wrote:
> On 15 Jan 2003, Jeremy Turner wrote:
>
> > 2. As discussed previously on this thread (I believe), it might be a
> > bad idea to send an email back to a spam source. At best, the address
> > doesn't exist, creating a returned bounce email an
Well I'll try not to top post and unleash the dogs! :)
> However I couldn't find any description of a
> successful implementation with a similar setup than ours -- I
> would guess at least a few other companies must follow the same model.
I'm in the process of going live with the standard:
[fi
On Mon, Jan 13, 2003 at 02:39:19PM -0800, Daniel Quinlan wrote:
>e. Submitting your results
>
> Upload them via rsync with the names "ham-nobayes-net-username.log"
> and "spam-nobayes-net-username.log". Also make sure the tag name
> of CORPORA_SUBMIT_VERSION_2_5_0_CHECK1 app
Here's an excerpt from one that got by SA (version 2.43). I've never seen
this tactic before, though maybe someone else has. It scored a 4.8.
Hi , c23mts
YOUR DEGREE MAY BE
CLOSER THAN YOU
THINKWe remove the obstacles that cause adults to
abandon hope.DID YOU KNOW that you could
On 15 Jan 2003, Jeremy Turner wrote:
> 2. As discussed previously on this thread (I believe), it might be a
> bad idea to send an email back to a spam source. At best, the address
> doesn't exist, creating a returned bounce email and wasting bandwidth.
> At worst, the spam source could be a vali
At 08:22 AM 1.16.2003 -0500, Segree, Gareth wrote:
>do a spamd without the -d (daemonise) option and see what error is returned.
>
>-Original Message-
>From: Mike Burkhouse [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 15, 2003 02:57 PM
>To: [EMAIL PROTECTED]
>Subject: [SAtalk] Spamd
Thank you for your reply, Gareth.
After receiving your reply, I tried to run spamd with the following
options:
Spamd -x -c -F 0 -L
Spamd still won't start. Any ideas?
Thank You,
Mike
-Original Message-
From: Segree, Gareth [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003
do a spamd without the -d (daemonise) option and see what error is returned.
-Original Message-
From: Mike Burkhouse [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 02:57 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Spamd won't start
Hi everyone.
I just subscribed to this li
Jeremy Turner said:
> > The next step is to keep statistics for a "X strikes and you are out" milter
> > to deny access completely for X minutes when they hit too many bad addresses
> > or have a 0 ham to X spam ratio.
>
> Sounds like an MTA thing, not really a SpamAssassin thing. I would
> poin
Mike,
I must agree with you, I think that is a better way.
Thanks.
Mike Loiterman wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Message: 20
Date: Thu, 16 Jan 2003 00:24:39 +
From: Michael Andreasen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SAtalk] Exim and Spamassas
> From: "Stephane" <[EMAIL PROTECTED]>
>
>
> I think most companies are afraid of implementing opensource software as a
> component for an important service such as email. I think that generally
> even though people know email has not been designed to be a 100% reliable
> protocol they still make
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> Message: 20
> Date: Thu, 16 Jan 2003 00:24:39 +
> From: Michael Andreasen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Exim and Spamassassin - how to drop spam?
>
> Exim & Spamassassin... I'm almost there, but ...
>
> I ha
Jeremy Turner wrote:
On Wed, 2003-01-15 at 18:32, SpamTalk wrote:
I think Exim might also have the capability.
I believe it does have this capability. I've been meaning to test it
out.
What I would like to see is the ability of the gateway to use LDAP to
validate the recipient exists
On Wed, 2003-01-15 at 22:42, Stephane wrote:
> Amongst the answers to my previous post ("has a large company implemented SA") there
>was a very good idea on success stories with SA... It is true that most of the people
>on the net who would say they were happy with SA and that it worked well for
On Thu, 16 Jan 2003 the voices made Martin Schroeder write:
MS> [Please limit your line length to <=70 chars/line]
MS>
MS> On 2003-01-15 22:42:07 -, Stephane wrote:
MS> > exists today disappears ? With opensource you cannot have a
MS> > contractual engagement to provide support or updates, nor