Re[2]: [SAtalk] New HTML spam body obfuscation.

2004-01-14 Thread Robert Menschel
Hello Dallas, Wednesday, January 14, 2004, 6:22:05 AM, you wrote: >> As for Dallas's run against his corpus showing very few hits, I did >> mention this is the first time I've ever seen this "trick" used and is >> presumably fairly new. So those rules *might* have some value in the >> future. DL

Re: [SAtalk] improving spamassassin (mass-check question)

2004-01-14 Thread Robert Menschel
Hello PieterB, Justin has already answered, better than I can, but I'll add my two cents: Wednesday, January 14, 2004, 4:23:07 AM, you wrote: P> I would like to start contributing to spamassassin and help to fight P> spam. Fantastic. Welcome aboard. P> http://au.spamassassin.org/hacking.html

Re[2]: [SAtalk] [Fwd: Re: mtier1 spam problem]

2004-01-14 Thread Robert Menschel
Hello Bart, Josh, Wednesday, January 14, 2004, 12:54:22 PM, you wrote: >> I just received an encrypted email from a coworker and this is what SA >> gave me. It got slammed with tripwire rules (it isn't supposed to, >> right?). BS> In off-list mail I've suggested an improved (I feel) regex for tr

Re: [SAtalk] Does somebody have a rule against 'unnecessary encoding' of subjects?

2004-01-14 Thread Robert Menschel
Hello Chr., Wednesday, January 14, 2004, 11:33:35 AM, you wrote: CvS> Does somebody have/know a rule to catch 'unnecessary encodings'? Define "unnecessary." Some are valid, some are obfuscation attempts. I use the following rules (see my personal rules pages on the exit0.us wiki, and note that

Re: [SAtalk] Spamassassin syslog weirdness

2004-01-14 Thread Max Paperno
At 1/12/2004 02:47 PM -0500, Mick Szucs wrote: >A message arrived the other day that when it was processed by spamd was logged >in /var/log/messages instead of /var/log/maillog (like all other mail >processed by spamd.) The message in question contained a high volume of >control characters in t

Re[2]: [SAtalk] Scoring the Habeas header ...

2004-01-14 Thread Robert Menschel
Hello Mike, Wednesday, January 14, 2004, 10:32:31 AM, you wrote: MB> Years of patiently tracking down addresses in headers, LARTing clueless MB> ISPs, and reporting violators to whoever gives a rat's ass, did not result MB> in any reduction in the volume of spam in my Inbox (and my co-workers', w

Re: [SAtalk] spamassassin on Gateway server (MX)

2004-01-14 Thread Richard Ozer
I use postfix w/ amavis and spamassassin and it works flawlessly. I placed the SA box at my MX record's IP address and then relay (using postfix) to my primary mail server. The mail server is behind my firewall and uses NAT to send mail out. Actually both boxes are behind the firewall... although

[SAtalk] Newbie Question: full list of headers?

2004-01-14 Thread Rocky Olsen
I'm writing some custom rules and I am wondering if there is a list somewhere of what parts of the header I can test? such as header NO_REAL_NAME From =~ header TO_HAS_SPACES To:addr =~ ^

Re: [SAtalk] spamassassin on Gateway server (MX)

2004-01-14 Thread Matt Kettler
At 09:56 AM 1/15/04 +0545, Pankaj wrote: I feel I am being a bit misunderstood. I simply need to configure my MX to have SpamAssassin running. I do not need any antivirus. How do I do it? Running RedHat Linux 8.1 and Sendmail 8.12.10 in it. If your mailserver is relaying, it's not possible to jus

Re: [SAtalk] Moving bayes to a different server - not working

2004-01-14 Thread Theo Van Dinter
On Thu, Jan 15, 2004 at 05:02:35PM +1300, Scott Truman wrote: > Sheesh...how do I know what was 'running' on the other box or at least > what SpamAssassin was using? You could do "file bayes_toks" and see what comes back. :) -- Randomly Generated Tagline: We question most of the mantras around he

[SAtalk] spamassassin on Gateway server (MX)

2004-01-14 Thread Pankaj
I feel I am being a bit misunderstood. I simply need to configure my MX to have SpamAssassin running. I do not need any antivirus. How do I do it? Running RedHat Linux 8.1 and Sendmail 8.12.10 in it. List: spamassassin-talk Subject: RE: [SAtalk] setting up spamassassin on G

RE: [SAtalk] Moving bayes to a different server - not working

2004-01-14 Thread Scott Truman
Thanks for your reply. Sheesh...how do I know what was 'running' on the other box or at least what SpamAssassin was using? Cheers Scott -Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Thursday, 15 January 2004 4:54 p.m. To: Scott Truman Cc: [EMAIL PROTECTED] Subj

Re: [SAtalk] Should I just outright block *.biz domains?

2004-01-14 Thread Dragoncrest
I figured as much. I know that there probably are some legit .biz holders out there, so I wasn't sure if it was alright to just block them all. Hence why I asked first. I figured it probably wasn't the best idea, but if I asked first then I would know for certain if it was a good idea

Re: [SAtalk] Moving bayes to a different server - not working

2004-01-14 Thread Theo Van Dinter
On Thu, Jan 15, 2004 at 04:46:26PM +1300, Scott Truman wrote: > The new server is running Redhat ES3.0 and I had to install the DB_File > perl module. Do I need anything else? It depends. If you used DB_File on the old box, you can probably get away with running the appropriate db_update then let

Re: [SAtalk] [OT and long] Port Blocking (was: Spamwriter).

2004-01-14 Thread Kenneth Porter
--On Wednesday, January 14, 2004 9:03 PM -0500 Rubin Bennett <[EMAIL PROTECTED]> wrote: If ISP's started blocking port 25 outbound except to their servers, I would then be forced to change my config every time I move my system. Where's that port 25 going to? Ideally for mobile users you use the

[SAtalk] Moving bayes to a different server - not working

2004-01-14 Thread Scott Truman
Hi all, I have recently copied a bayes database from one server to another. The former was running SpamAssassin 2.5x and the new one is running SpamAssassin 2.61. Unfortunately I get the following error: debug: bayes: no dbs present, cannot scan: /etc/exim/bayesdb/bayes_toks debug: Score s

Re: [SAtalk] Spamwriter

2004-01-14 Thread Jon Trulson
On Wed, 14 Jan 2004, Greg Cirino - Cirelle Enterprises wrote: > From: Greg Cirino - Cirelle Enterprises <[EMAIL PROTECTED]> > Date: Wed, 14 Jan 2004 21:05:05 -0500 > Subject: Re: [SAtalk] Spamwriter > To: Bart Schaefer <[EMAIL PROTECTED]>, > [EMAIL PROTECTED] > X-Spam-Status: No, hits=-4.9 re

Re: [SAtalk] Spamwriter

2004-01-14 Thread Frank Pineau
On Wed, 14 Jan 2004 21:05:05 -0500, you wrote: >Running any type of "Server" is a violation of every consumer high speed >access connection TOS. I don't want to beat this off-topic dead horse any longer than anyone else, but I do want to point out the very excellent consumer high speed service S

Re: [SAtalk] [OT and long] Port Blocking

2004-01-14 Thread Tim B
This is why I believe ISPs who have a restriction should publish their address blocks which are NOT supposed to be sending mail directly out. It then becomes the recipient mail domain's responsibility if they choose to block on the information published. In your small ISP case, you would not pu

Re: [SAtalk] [OT and long] Port Blocking (was: Spamwriter).

2004-01-14 Thread Greg Cirino - Cirelle Enterprises
>So I set up IMAPs for my incoming mail, and by using 'localhost' as my >outbound mail server, I never have to change my config. >If ISP's started blocking port 25 outbound except to their servers, I >would then be forced to change my config every time I move my system. >Only a few clicks, but agg

[Now way OT] Re: [SAtalk] Spamwriter

2004-01-14 Thread Bart Schaefer
On Wed, 14 Jan 2004, Greg Cirino - Cirelle Enterprises wrote: > Running any type of "Server" is a violation of every consumer high speed > access connection TOS. That's a rather sweeping statement. > Call it what you want, but if it serves, it's a Server "Serving" normally means "answers incomi

Re: [SAtalk] [OT and long] Port Blocking (was: Spamwriter).

2004-01-14 Thread Morris Jones
On Wed, 14 Jan 2004, Rubin Bennett wrote: > This is the Wrong Answer!!! > Speaking as someone who uses such a "Dynamically Assigned" IP, I can > tell you I'd be royally pissed if Adelphia started blocking outbound > port 25 traffic. Here's why: > I have a laptop running Linux that I use for most

RE: [SAtalk] Spamwriter

2004-01-14 Thread Bill
> No Hosting Servers > No Email Servers > No FTP Servers > > Just consuming. My mail and web server generates about 10-20MB of traffic per month and is a far far more secure connection than my neighbor's connection which generates 100+MB of outbound traffic per day playing online multiplayer game

Re: [SAtalk] [OT and long] Port Blocking (was: Spamwriter).

2004-01-14 Thread Rubin Bennett
On Wed, 2004-01-14 at 19:37, Tim B wrote: > > > > It's well known that filtering is *only* useful for keeping one's inbox > > uncluttered; it does nothing to interdict the flow of crap from > > upstream. You want to put a serious dent in spam? IDP broadband > > providers that give their customers

[SAtalk] the db file location

2004-01-14 Thread wong
Hi everyone, I reinstalled my new qmail server and installed SpamAssassin too. How do I move the bayes and SpamAssassin table or library files from the old server to the new server? Where are the files located? So that my new server's SpamAssassin does not need to relearn again. Thanks, wong

Re: [SAtalk] Spamwriter

2004-01-14 Thread Greg Cirino - Cirelle Enterprises
| Making a direct outbound connection on port 25 is not "running an email | server", any more than making a direct outbound connection on port 80 is | "running an HTTP server." Running any type of "Server" is a violation of every consumer high speed access connection TOS. Call it what you want, b

Re: [SAtalk] Spamwriter

2004-01-14 Thread Satya
On Jan 14, 2004 at 20:05, Greg Cirino - Cirelle Enterprises wrote: >The always on folks (sans a few) are mostly responsible >for the proliferation of virus emails, spamming (with the >now I can make money on the internet... so I can pay >for this link so I can check my email at high speed mentalit

Re: [SAtalk] Spamwriter

2004-01-14 Thread Bart Schaefer
On Wed, 14 Jan 2004, Greg Cirino - Cirelle Enterprises wrote: > 40 bucks a month does not make you an ISP. > > No Hosting Servers > No Email Servers > No FTP Servers > > Just consuming. Making a direct outbound connection on port 25 is not "running an email server", any more than making a direc

Re: [SAtalk] Spamwriter

2004-01-14 Thread Greg Cirino - Cirelle Enterprises
In Reality, a consumer broadband connection is not the given right to plop any kind of server you want on the network. Consumer Broadband connections, be it cable or dsl are meant for the user to browse faster... that's it The always on folks (sans a few) are mostly responsible for the prolifer

Re: [SAtalk] Spamwriter

2004-01-14 Thread Greg Cirino - Cirelle Enterprises
"Satya" <[EMAIL PROTECTED]> wrote: | Default-blocking outbound port 25 is fine, as long as the ISPs don't | use it as an excuse to insist that I buy a business class line. You also have got to be kidding... greg - Original Message - From: "Satya" <[EMAIL PROTECTED]> To: <[EMAIL PROTE

Re: [SAtalk] Spamwriter

2004-01-14 Thread Tim B
It's well known that filtering is *only* useful for keeping one's inbox uncluttered; it does nothing to interdict the flow of crap from upstream. You want to put a serious dent in spam? IDP broadband providers that give their customers direct access to port 25 on remote systems by default. Spam fro

RE: [SAtalk] Spamwriter

2004-01-14 Thread Satya
On Jan 14, 2004 at 15:57, Chris Santerre wrote: >I completely agree with this!! I've recently had a discussion off list with >some people. I totally believe by DEFAULT this should be blocked for all >broadband users. HOWEVER, this is ONLY if a simple request to unblock at NO >charge is all it take

Re: [SAtalk] Should I just outright block *.biz domains?

2004-01-14 Thread Kelson Vibber
At 03:30 PM 1/14/2004, Dragoncrest wrote: Just curious, but I've never noticed once where someone sent me legitimate mail from a .biz domain name. How about you guys? Would you think that it would be safe to go ahead and just outright block all email coming from .biz domain names? Well, we hos

Re: [SAtalk] Can you use a matched element in one rule against another match in a second rule?

2004-01-14 Thread Scott Lambert
On Wed, Jan 14, 2004 at 06:10:56PM -0500, Matt Kettler wrote: > At 05:46 PM 1/14/2004, Scott Lambert wrote: > >I would like to be able to match the forged HELO then use it in a > >variable for the two X-AntiAbuse lines. Possible? > > meta rules allow you to do boolean and or arithmetic match-ups.

Re: [SAtalk] Spamwriter

2004-01-14 Thread Greg Cirino - Cirelle Enterprises
"Mike Batchelor" <[EMAIL PROTECTED]> wrote: | Why should I have to pay extra for a business-class DSL line just so I can | avoid using the ISP's heavily clogged relay, when my own mail server can | deliver my emails directly? You have got to be kidding Greg

Re: [SAtalk] Bayes Learning

2004-01-14 Thread Pedro Sam
On January 14, 2004 12:07 pm, Paul Barbeau wrote: > Has anyone created a button (or some other way) that I can install on a > client Outlook that will submit the email to my bayes learning account? > The current process to "resend the message" is above most of my users and > button would be much

RE: [SAtalk] Should I just outright block *.biz domains?

2004-01-14 Thread Terry Shows
I have several clients with valid .biz domains that only send legitimate email. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dragoncrest Sent: Wednesday, January 14, 2004 5:30 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Should I just outright block *.biz d

Re: [SAtalk] Spamwriter

2004-01-14 Thread Bob Apthorpe
Hi, On Wed, 14 Jan 2004, Mike Batchelor wrote: > --On Wednesday, January 14, 2004 8:28 AM -0600 Bob Apthorpe > <[EMAIL PROTECTED]> wrote: > > > IDP broadband > > providers that give their customers direct access to port 25 on remote > > systems by default. > > Why should I have to pay extra for a

RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

2004-01-14 Thread Clary, Patrick M.
Chris, Could you add a |MESSAGE to the PGP signature lines in tripwire so that it does not trigger on PGP encrypted messages? I believe someone else has suggested this earlier in the thread but it wasn't in version 1.13. I made this change after receiving multiple false positives on PGP encrypted

[SAtalk] Should I just outright block *.biz domains?

2004-01-14 Thread Dragoncrest
Just curious, but I've never noticed once where someone sent me legitimate mail from a .biz domain name. How about you guys? Would you think that it would be safe to go ahead and just outright block all email coming from .biz domain names? Are there any other domain names or TLD's I should a

Re: [SAtalk] Can you use a matched element in one rule against another match in a second rule?

2004-01-14 Thread Matt Kettler
At 05:46 PM 1/14/2004, Scott Lambert wrote: I would like to be able to match the forged HELO then use it in a variable for the two X-AntiAbuse lines. Possible? meta rules allow you to do boolean and or arithmetic match-ups... ie: meta LOCAL_DRUGS_DIET_PAIN (__LOCAL_DRUGS_DIET && __LOCAL_DRUG

Re: [SAtalk] The CAN-SPAM act....

2004-01-14 Thread Bart Schaefer
On Wed, 14 Jan 2004, Bob Rosenberg wrote: > >(Expect to see a lot more spam with the date set 30 days in the past.) > > But wouldn't the Received Headers which show REAL timestamps show > intent to evade the law by BackDating the Message and thus provide > evidence for enforcement under the law

Re: [SAtalk] SA runs as root instead of user in sitewide config

2004-01-14 Thread Kris Deugau
Paul Fielding wrote: > From what I've been able to determine, I *think* what's happening is > that when procmail is running via the user rc file, SA is being run > as the proper user and the proper user SA prefs are being called. > However, when I use the sitewide rc file, SA seems to be being call

[SAtalk] Can you use a matched element in one rule against another match in a second rule?

2004-01-14 Thread Scott Lambert
I've been getting spam with a forged HELO and using the same HELO string in the X-AntiAbuse headers. Here are the relevant lines: Received: from mailtopager.net (ACB8FA80.ipt.aol.com [172.184.250.128]) by mail.lambertfam.org (8.12.10/8.12.10/UTIL-INCH-3.0.10) with SMTP id hBQ27Svo001799

Re: [SAtalk] bayes file permisions

2004-01-14 Thread Matt Kettler
small chastising rant: Subject lines exist for a reason, on high volume lists, please use them. "no subject" makes you look lazy and/or lacking in intelligence, usually both. At 05:05 PM 1/14/2004, Christopher Tarricone wrote: It seems to me that SpamAssassin is running as the user vpopmail so

Re: [SAtalk] The CAN-SPAM act....

2004-01-14 Thread Bob Rosenberg
At 09:57 -0800 on 01/14/2004, Bart Schaefer wrote about Re: [SAtalk] The CAN-SPAM act: The postal address requirement isn't for unsub purposes. CAN-SPAM specifically requires an Internet-based opt-out mechanism that takes effect within 10 days and remains usable for 30 days after the email c

Re: [SAtalk] blocking list problem

2004-01-14 Thread Matt Kettler
At 04:45 PM 1/14/2004, VCI Help Desk wrote: To further my confidence that something is wrong I can manually check a server IP address where this happens by doing an 'nslookup 56.202.127.204.http.dnsbl.sorbs.net' and it comes back blank (no match). Does anyone have any ideas what's causing t

RE: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to

2004-01-14 Thread Andrew_Hoying
The problem comes from the URLs, in this case. For example www.somewhere.com/checkflight.pl?airport=jfk or any manner of hits like that. In fact most every false positive hit I've seen on this ruleset is a URL, is it possible to exclude them from the checks? Andrew

[SAtalk] HEh...

2004-01-14 Thread Brian May
Thought this was a little humorous... Habeas is Misusing their own mark? - Content preview: Thank you for your email to Habeas! This message has been automatically generated in response to your email regarding "Habeas Misuse", a summary of which appears below. There is no

Re: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-14 Thread Bart Schaefer
On Wed, 14 Jan 2004, Chris Santerre wrote: > > After installing the tripwire rules I see the following in my > > Exim paniclog > > (I'm using exiscan): > > 2004-01-14 11:50:37 1Agr2C-0008RG-UP string_sprintf expansion > > was longer > > than 8192 If _all_ the tripwire (v 1.13) rules were hit, t

[SAtalk]

2004-01-14 Thread Christopher Tarricone
The permissions on my bayes_journal and bayes_toks files keep changing. Has anyone else encountered this problem? I get the following error in my /var/log/messages file: Jan 14 16:50:56 zion spamd[638]: cannot write to /usr/share/spamassassin/db/bayes_journal, Bayes db update ignored Jan 14 16:50

RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

2004-01-14 Thread Chris Santerre
> -Original Message- > From: Kurt Yoder [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 14, 2004 4:54 PM > To: Chris Santerre > Cc: 'Matthew Trent'; Spamassassin-Talk > Subject: RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't > want to miss this o ne! > > > > Chris S

RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

2004-01-14 Thread Kurt Yoder
Chris Santerre said: > Popcorn, Weeds, Backhair, and Tripwire. One spam could hit 5 of > each. But > I'm still curious. I've got to have more rules than anyone else. I > get VERY > long description headers. But I don't get any errors. What SA > version are > you running? Heh... sorry, it's not m

Re: [SAtalk] X-MAILER header

2004-01-14 Thread Fred
You can modify the header that Chilkat uses to be that of your own. You just specify that header like you would any other. Chilkat puts their name in there for a default, but if you specify one, it will show your own. I use this component for my web e-mail system and I love it!! Frederic Tarase

RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't w ant to miss this o ne!

2004-01-14 Thread Chris Santerre
> -Original Message- > From: Kurt Yoder [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 14, 2004 4:45 PM > To: Chris Santerre > Cc: 'Matthew Trent'; Spamassassin-Talk > Subject: Re: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't > want to miss this o ne! > > > > Chris S

[SAtalk] blocking list problem

2004-01-14 Thread VCI Help Desk
I have a strange problem I cannot figure out. The mother of a customer of mine is on ComCast.net She has been having problems sending emails to her daughter, my customer. This lady has been very patient with us by switching from MSN email, to Yahoo email to her ComCast email. She can't send e

Re: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

2004-01-14 Thread Kurt Yoder
Chris Santerre said: > *SNIP* >> >> Well I tried to send this through the GMANE mail-to-news thing but >> it >> complained about me not being subscribed to the list, so I'm >> just sending >> it directly to you: >> >> After installing the tripwire rules I see the following in my >> Exim paniclog >

Re: [SAtalk] Spamwriter

2004-01-14 Thread Rich Puhek
Chris Santerre wrote: -Original Message- (snip) I completely agree with this!! I've recently had a discussion off list with some people. I totally believe by DEFAULT this should be blocked for all broadband users. HOWEVER, this is ONLY if a simple request to unblock at NO charge is all i

Re: [SAtalk] Bayes.

2004-01-14 Thread Chris Petersen
> If you think some tokens should be "stronger" than others, please do a > 10-fold cross-validation testing run which should *prove* that to be the > case. We don't adopt Bayes tokenizer or combiner changes without > such testing. considering I have no idea how to do this or where to even be

RE: [SAtalk] New TRIPWIRE rule set, hitting PGP messages

2004-01-14 Thread Dallas L. Engelken
> |-BEGIN PGP MESSAGE- > |Charset: ISO-8859-1 > |Version: GnuPG v1.2.3 (GNU/Linux) > |Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > ...encrypted mumbo jumbo... > > |-END PGP MESSAGE- > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.3 (GNU/Linux) > Com

Re: [SAtalk] Does somebody have a rule against 'unnecessary encoding' of subjects?

2004-01-14 Thread Matt Kettler
At 02:33 PM 1/14/2004, Chr. von Stuckrad wrote: Hi! Does somebody have/know a rule to catch 'unnecessary encodings'? I saw a mail with the following subject: ENCODED: Subject: =?ISO-8859-1?B?RG8geW91cnNlbGYgYSBmYXZvciEgTG9vayBhdCB0aGlz?= REAL:Subject: Do yourself a favor! Look at this Fro

[SAtalk] SpamAssassin Version

2004-01-14 Thread Todd Adamson
I recently upgraded our SA through the Perl CPAN setup. I upgraded from 2.57(?) to the latest 2.61. Everything went great, but when I look at the headers, they report version 2.60, not 2.61. Did I miss something, or did someone else? Todd Adamson [EMAIL PROTECTED] --

Re: [SAtalk] X-MAILER header

2004-01-14 Thread Mike Batchelor
--On Wednesday, January 14, 2004 3:37 PM -0500 Ben Hanson <[EMAIL PROTECTED]> wrote: It always stamps a header that reads: X-Mailer: Chilkat ActiveX Mail Control (www.chilkatsoft.com). It's all legitimate internal business traffic. Ben Hanson I.S. MGR Transprint USA Inc. "X-Mailer: Mulberry/3.1

Re: [SAtalk] [Fwd: Re: mtier1 spam problem]

2004-01-14 Thread Bart Schaefer
On Wed, 14 Jan 2004, Josh Endries wrote: > Rut roh! > > I just received an encrypted email from a coworker and this is what SA > gave me. It got slammed with tripwire rules (it isn't supposed to, > right?). In off-list mail I've suggested an improved (I feel) regex for tripwire which Chris says

RE: [SAtalk] Spamwriter

2004-01-14 Thread Chris Santerre
> -Original Message- > From: Mike Batchelor [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 14, 2004 2:39 PM > To: [EMAIL PROTECTED] > Subject: Re: [SAtalk] Spamwriter > > > --On Wednesday, January 14, 2004 8:28 AM -0600 Bob Apthorpe > <[EMAIL PROTECTED]> wrote: > > > IDP broadba

Re: [SAtalk] a goof-proof (?) test for evil mailers

2004-01-14 Thread Mike Batchelor
Good one! I noticed this, too, but I call SA from MIMEDefang, so my MTA hasn't yet added a Received: header when MIMEDefang calls filter_recipient(). But it was easier for me to reject these without even bothering to run it through SpamAssassin (which I call later from filter_end()). sub filt

Re: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

2004-01-14 Thread Kenneth Porter
--On Tuesday, January 13, 2004 4:08 PM -0500 Chris Santerre <[EMAIL PROTECTED]> wrote: > Tripwire has taken OBFU to the next level! It searches for 3 > characters that shouldn't be together. This is based on the English > language. This description should probably be in the comment at the t

RE: [SAtalk] FP with backhair

2004-01-14 Thread Gary Funck
> > > > Got my first false positive :-/ > > Backhair scored on a .pdf... > > Any hints how to avoid these? > > > > > > X-Spam-Status: Yes, hits=12.0 tagged_above=3.0 required=5.3 > > tests=J_BACKHAIR_11, J_BACKHAIR_12, J_BACKHAIR_13, J_BACKHAIR_14, > > J_BACKHAIR_21, J_BACKHAIR_22, J_BACKHAIR

[SAtalk] X-MAILER header

2004-01-14 Thread Ben Hanson
Just a quick note in response to somebody's comment regarding the X-Mailer header as being always (or usually) indicative of spam. I run a report distribution server that creates and then emails a couple dozen reports daily to various sales people around the globe for our organization. The mai

Re: [SAtalk] Re: New HTML spam body obfuscation.

2004-01-14 Thread Kenneth Porter
--On Tuesday, January 13, 2004 6:20 PM -0600 Scott A Crosby <[EMAIL PROTECTED]> wrote: > The only other option is to run a javascript interpreter, because > there are a near-infinite number of ways javascript could be used to > create text. There's also the halting problem issue. Any active mater

[SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss th is o ne!

2004-01-14 Thread Chris Santerre
*SNIP* > > Well I tried to send this through the GMANE mail-to-news thing but it > complained about me not being subscribed to the list, so I'm > just sending > it directly to you: > > After installing the tripwire rules I see the following in my > Exim paniclog > (I'm using exiscan): > 2004-01

RE: [SAtalk] a goof-proof (?) test for evil mailers

2004-01-14 Thread Chris Santerre
I've had a rule like this from way back. Works great! header MY_IP Received =~/\b(from xxx\.xxx\.xxx\.xxx)\b/i describe MY_IP WHy would I get email from myself? score MY_IP 1.0 Where xxx is your server ip address. I highly recommend people use this rule. 81 hits in December. It used to be a LOT

Re: [SAtalk] Spamwriter

2004-01-14 Thread Mike Batchelor
--On Wednesday, January 14, 2004 8:28 AM -0600 Bob Apthorpe <[EMAIL PROTECTED]> wrote: IDP broadband providers that give their customers direct access to port 25 on remote systems by default. Spam from AOL dropped to almost nothing once they did that. Oh, one other thing - when did they do that?

Re: [SAtalk] Scoring the Habeas header ...

2004-01-14 Thread Mike Batchelor
--On Wednesday, January 14, 2004 2:48 PM -0500 John Ruttenberg <[EMAIL PROTECTED]> wrote: Mike Batchelor: And as soon as SA is upgraded to recognize when a lawsuit is pending, I might turn the HABEAS_SWE rule back on. Until then, a forged Habeas header is a free pass for spam to get through the

RE: [WL] [SAtalk] How to count pattern matches?

2004-01-14 Thread Kenneth Porter
--On Tuesday, January 13, 2004 11:12 AM -0600 Bob Apthorpe <[EMAIL PROTECTED]> wrote: > Since scores are generated by the GA based on the accuracy and frequency > of rules being triggered, how do you accurately set scores for rules that > generate a score dynamically? Good point. Does it help any

[SAtalk] UPDATES! Bigevil AND Tripwire!

2004-01-14 Thread Chris Santerre
And just like that we have an update already. A few FPs fixed thanks to some SATALK members. So Bigevil 2.06i and Tripwire 1.13 have been posted. (I still think emode.com is spam! But removed.) For those of you who sent me domains to add to bigevil this week, they will be in the next update. I h

Re: [SAtalk] filter suggestions

2004-01-14 Thread Kenneth Porter
--On Monday, January 12, 2004 10:35 PM -0600 Brian McGroarty <[EMAIL PROTECTED]> wrote: > I'm getting a TON of mail with a bunch of random uncommon-but-real > words to thwart Bayesian filtering, combined with a single picture > link. Spamassassin is giving these only about one point apiece. Check

[SAtalk] New TRIPWIRE rule set, hitting PGP messages

2004-01-14 Thread Josh Endries
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Heh whoops that subject probably didn't make much sense, I'll resend with a proper subject, my apologies. Rut roh! I just received an encrypted email from a coworker and this is what SA gave me. It got slammed with tripwire rules (it isn't supposed to,

Re: [SAtalk] Bayes.

2004-01-14 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chris Petersen writes: >> See 'man sa-learn' or use >> http://www.spamassassin.org/doc/sa-learn.html >> http://wiki.spamassassin.org/w/BayesInSpamAssassin > >This doesn't say much about HOW it's used in SA, though. For instance, >does SA bayes score

Re: [SAtalk] Does somebody have a rule against 'unnecessary encoding' of subjects?

2004-01-14 Thread Brent J. Nordquist
On Wed, 14 Jan 2004, Chr. von Stuckrad <[EMAIL PROTECTED]> wrote: > Does somebody have/know a rule to catch 'unnecessary encodings'? Please check the archive before you post. Keith C. Ivey just posted a rule for this exact thing earlier today. Search for "Munged". -- Brent J. Nordquist <[EMAI

[SAtalk] a goof-proof (?) test for evil mailers

2004-01-14 Thread Pierre Thomson
I have noticed that some spam engines (zombies?) use the receiving relay's IP address as the HELO name, presumably trying to look like a trusted source. I made a simple test for this, and it triggers for nearly 10% of inbound spam. # substitute your relay's numeric IP address for AAA BBB CCC DD

[SAtalk] [Fwd: Re: mtier1 spam problem]

2004-01-14 Thread Josh Endries
Rut roh! I just received an encrypted email from a coworker and this is what SA gave me. It got slammed with tripwire rules (it isn't supposed to, right?). I noticed the .cf doesn't have anything for actual PGP messages, only signatures. The stripped-down message (okay okay, the PGP lines from it)

Re: [SAtalk] body match

2004-01-14 Thread Jeff Fulmer
Matt Kettler wrote: At 09:20 AM 1/14/04 -0500, Jeff Fulmer wrote: No. I wouldn't expect it to read PDFs. For example, just now it didn't read these types: [-- Type: text/plain, Encoding: 8bit, Size: 1.7K --] [-- Type: text/plain, Encoding: 7bit, Size: 2.3K --] [-- Type: text/html, Encoding: 7bit

Re: [SAtalk] Scoring the Habeas header ...

2004-01-14 Thread John Ruttenberg
Mike Batchelor: > --On Tuesday, January 13, 2004 11:39 AM -0800 Brian May > <[EMAIL PROTECTED]> wrote: > > > IF spammers use the > > Habeas headers, and the message is in fact spam, they will be sued. > > And as soon as SA is upgraded to recognize when a lawsuit is pending, I > might turn the H

Re: [SAtalk] unsubscribe f1g4zz0 giochi@telvia.it

2004-01-14 Thread Matt Kettler
General guidance for unsubscribing yourself from a sourceforge list. First, find the List-Unsubscribe header embedded in any post to the list. Such as the one below for this list. List-Unsubscribe: If your mailclient is brain dea

Re: [SAtalk] unsubscribe giochi@telvia.it

2004-01-14 Thread Evan Platt
This should go to [EMAIL PROTECTED] with the unsubscribe command in the body. --On Wednesday, January 14, 2004 8:01 PM +0100 giochi <[EMAIL PROTECTED]> wrote: > On Wed, 14 Jan 2004 08:44:00 -0800 > [EMAIL PROTECTED] wrote: > >> This is an automated response. >> >> There were problems with the e

Re: [SAtalk] FP with backhair

2004-01-14 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Matt Kettler writes: > At 01:44 PM 1/14/2004, Gary Funck wrote: > >I'd asked this before (with no answer on the 'dev' list), > > Not surprising.. unless it's part of active development work ie: discussion > of methods to fix a bug, coding, test resu

Re: [SAtalk] Spamwriter

2004-01-14 Thread Mike Batchelor
--On Wednesday, January 14, 2004 8:28 AM -0600 Bob Apthorpe <[EMAIL PROTECTED]> wrote: IDP broadband providers that give their customers direct access to port 25 on remote systems by default. Why should I have to pay extra for a business-class DSL line just so I can avoid using the ISP's heavily

RE: [SAtalk] FP with backhair

2004-01-14 Thread Gary Funck
Matt replied (in part): > > >I thought it was only supposed to scan text/html attachments? > > I've never heard anyone claim such. > Here's what the current docs. say: body SYMBOLIC_TEST_NAME /pattern/modifiers Define a body pattern test. pattern is a Perl regular expression. The 'body' in this

[SAtalk] Does somebody have a rule against 'unnecessary encoding' of subjects?

2004-01-14 Thread Chr. von Stuckrad
Hi! Does somebody have/know a rule to catch 'unnecessary encodings'? I saw a mail with the following subject: ENCODED: Subject: =?ISO-8859-1?B?RG8geW91cnNlbGYgYSBmYXZvciEgTG9vayBhdCB0aGlz?= REAL:Subject: Do yourself a favor! Look at this As there isn't any 'non standard ascii' in the text

Re: [SAtalk] improving spamassassin (mass-check question)

2004-01-14 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 PieterB writes: >http://au.spamassassin.org/hacking.html lists how to submit >mass-check results. I have a couple of questions: > >* The CORPUS_POLICY lists that you should use hand-verified spam/ham > tiles, but the CORPUS_SUBMIT lists that you shou

[SAtalk] SA runs as root instead of user in sitewide config

2004-01-14 Thread Paul Fielding
I've done a fair amount of digging and haven't found an answer for this. The short story is that when I run procmail and SA on a per-user basis via a .procmailrc script in the user directory, everything works fine. As soon as I remove the .procmailrc script and add /etc/procmailrc, the user

Re: [SAtalk] Bayes.

2004-01-14 Thread Chris Petersen
> See 'man sa-learn' or use > http://www.spamassassin.org/doc/sa-learn.html > http://wiki.spamassassin.org/w/BayesInSpamAssassin This doesn't say much about HOW it's used in SA, though. For instance, does SA bayes score URI tokens higher than it does general body tokens? (if not, it should) Wha

Re: [SAtalk] FP with backhair

2004-01-14 Thread Chr. von Stuckrad
On Wed, Jan 14, 2004 at 10:39:15AM -0800, Andreas Stollar wrote: > Seems like any attachment, especially a binary such as a pdf would go over > the maximum size to be scanned by SA. This must have been one tiny pdf, or > you have set your SA instance to scan messages over the max size (default > 25

RE: [SAtalk] FP with backhair

2004-01-14 Thread Matt Kettler
At 01:44 PM 1/14/2004, Gary Funck wrote: I'd asked this before (with no answer on the 'dev' list), Not surprising.. unless it's part of active development work ie: discussion of methods to fix a bug, coding, test results, etc, a post of a general question to sadev will generally be ignored as off

Re: [SAtalk] FP with backhair

2004-01-14 Thread Fred
This will be correct in 2.7 when SA starts using their own custom MIME parser. There are some issues with the current MIME parser, so answer to Q is a fix is coming soon in the flavor of SA 2.7. Frederic Tarasevicius Internet Information Services, Inc. http://www.i-is.com/ 810-794-4400 mailto:[EM

RE: [SAtalk] FP with backhair

2004-01-14 Thread Dallas L. Engelken
> -Original Message- > From: Andreas Stollar [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 14, 2004 12:39 PM > To: Rolf Kraeuchi > Cc: SA > Subject: Re: [SAtalk] FP with backhair > > > Seems like any attachment, especially a binary such as a pdf > would go over the maximum size t

[SAtalk] unsubscribe f1g4zz0 giochi@telvia.it

2004-01-14 Thread giochi
On Wed, 14 Jan 2004 08:44:00 -0800 [EMAIL PROTECTED] wrote: > This is an automated response. > > There were problems with the email commands you sent to Mailman via > the administrative address > <[EMAIL PROTECTED]>. > > To obtain instructions on valid Mailman email commands, send email to > <[E

Re: [SAtalk] FP with backhair

2004-01-14 Thread Andreas Stollar
Seems like any attachment, especially a binary such as a pdf would go over the maximum size to be scanned by SA. This must have been one tiny pdf, or you have set your SA instance to scan messages over the max size (default 250k) Most pdf's are much larger than this. Andreas On Wed, 14 Jan 2004,

Re: [SAtalk] [Fwd: gedanken forsythe deadhead hom] - Does anyone have a filter for this?

2004-01-14 Thread Kurt Yoder
Install bayes. Also set up two rules in your local.cf (mine triggered on the message body you forwarded): #the regex is one line and goes on the same line as the "body" #look for bayes poison and score it higher body CP_WORDWORD_10 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
