ing other ways to lower spams. I have to add
DCC and Razor soon to complement I guess.
--
Charles Gagnon | My views are my views and they
http://unixrealm.com | do not represent those of anybody
charlesg at unixrealm.com| but me.
In Europe, do you think Mil
es: 25
I thought the "From [EMAIL PROTECTED]" and "whitelist_from
[EMAIL PROTECTED]" would WhiteList that message no problem but as the
X-Spam-Status shows, the message was flagged as SPAM.
Is it something obvious I am missing? Is it because of the localhost
sour
FFEE font as
'invisible', perhaps because it is just one or two points outside the
'range' permitted by SA? But also note that they have used a ZERO point
size for the font. Can we test for that? I will be. :-)
>body>
>font COLOR=EE style="fo
On Tue, 20 Jan 2004, Robert Menschel wrote:
> CS> I'm not sure where the post is, but about 3 weeks ago I think Dallas
> CS> put a semi-end to the spell-checker debate :)
Perhaps I need to re-clarify. The idea is NOT to treat mis-spelled words
as spam. The idea is to find specific 'close matches'
On Wed, 21 Jan 2004, Sidney Markowitz wrote:
> Does anyone who is concerned about the obfuscation have any statistics
> to show that it really is a problem for the current rules plus network
> tests plus a well-trained Bayes?
Right now, there would be no statistics, because the text obfu has jus
On Tue, 20 Jan 2004, Marcus Frischherz wrote:
> But there is: there exists (at least in PHP) a function called
> levenshtein, which calculates the similarity between two words. Surely
> there must exist a perl equivalent to it. see:
> http://at.php.net/manual/en/function.levenshtein.php
So I g
. There is no
'pattern' I can think of to defeat this mis-spelling spam in any other
way.
- Charles
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth o
On Sun, 18 Jan 2004, Ian Southam wrote:
> CG> carry a few spammers. Would we want to whitelist the AOL mail servers? |-P
> Pick on the right people, AOL for their size generate very little spam.
I still wouldn't whitelist them. ;-)
> Now adelphia.net, level3 .. :-).
Do I hear an earthlink?
ail servers? |-P
No, Habeas has the right idea, making the LAW work against spammers.
- Charles
On Sun, 18 Jan 2004, Jonas Eckerman wrote:
> A simpler way would be to use a DNS whitelist (like an RBL but white
> instead of black, called RWL below).
>
> HABEAS would need to create a he
amp, and only if the timestamp is 'new' does the script perform the
various downloads. This way, most nights, there is ONE HTTP access, to get
the timestamp, and it's a small file, rather than several big ones.
This might require a 'central' site t
a web address actually ends up being an executable.
Sneaky very sneaky. I think I will setup a procmail rule to snag
these. No reason to burden spamassassin. But thought you all might like a
bit of warning
- Charles
*instructions* on the
necessity of installing additional software? Or better still, why not
sue the computer/software manufacturers for producing an unsafe product?
Now THERE is an argument for culpability.
- Charles
> Computers are like cars. If you crash your car into someone else's car
> (or house, or business), you're gonna pay for the damage you caused.
And if someone STEALS your car, the person who stole it is responsible,
even if you are unaware of the theft. With insurance being compulsory, in
some p
gitimate user IP's as possible.....
- Charles
>
> -
> Content preview: Thank you for your email to Habeas! This message has
> been automatically generated in response to your email regarding
> "Habeas Misuse", a summary of which appears below.
es awarded damages from a company that simply goes
bankrupt on paper, doing very little damage to the parent spammer company.
Then it will come down to a test of the laws that hold directors and
parent companies responsible for corporate 'misdoings'..
It is going to be interest
four or five words,
regardless of the size of the mail.
Now that I think about it, using a size parameter will just be an excuse
to have spammers pad out their mail to make them bigger. (sigh)
Hope these comments help.
- Charles
earned a lot from it. So it's a work in progress.
Good to hear. If they need any help. :-)
- Charles
5" then score 'x'.
- Charles
ally spam, but perhaps that will be worth the
effort to stop the spammers?
> This would *really* be a shame, basically letting the spammers win
> without even putting up a fight.
Let's put up a fight. Feed habeas reports!
- Charles
--
each letter. Is there a simple test
for this sort of obfuscation? A trick in SA rules?
- Charles
oying, just set the score for the habeas rule to 0.
- Charles
when my mail client doesn't quote the attachments. (sigh)
Anyways, I find that a test for 'VPRX' plus a few simple obfuscations
works nicely.
- Charles
we still prefer to see this 'small' score because of the
tremendous amount of spam that is sent through free e-mail services that
use numbered ID's.
We also encourage our members to use an e-mail alias, to avoid having
spammers get hold of their account addresses.
- Charles
On Wed, 31 Dec 2003, Charles Tassell wrote:
> I wonder if a better way to do this would be to add an extra field to
> the rule (or maybe change BODY to BODY_STRIPPED or HEADER_STRIPPED)
> which removes everything that is *not* a letter before doing the regexp
> check. IE, does a s/
't see it being too useful on the body, but it would be
great to catch those Per\scri;ption subject lines.
Rich Puhek wrote:
Roger Merchberger wrote:
> Rumor has it that Charles Gregory may have mentioned these words:
>
>> [snippety]
>> Rule:
>> BODY RULENAME /a strin
On Wed, 31 Dec 2003, Rich Puhek wrote:
> Would something like "excessive" instances of /(\w)\1/ work?
Yes, that sounds like a good idea. Which leads back to the request I made
previously for a mechanism to COUNT the number of occurrences of a match,
for 'excessive' use of something that is legitim
easy enough thing to automate 'behind the scenes'.
- Charles
ems that are not
properly set-up. But this is not the fault of spamassassin, it is a lack
of awareness on the part of system administrators..
- Charles
On Sun, 28 Dec 2003, Morris Jones wrote:
> That's a tough one Lenny.
>
> There is no company that produces Spamassassin.
On Sun, 28 Dec 2003, Evan Platt wrote:
> >Yow, how am I supposed to stop spam like this? There isn't anything to filter
> >on except the word 'adult'. I guess 'rape' works as well.. But I'm not really
> >inclined to filter messages with the word rape in them, nor give them a 3+
> >score.
> When's
Hello all!
And a happy holiday to you all!
I don't suppose the irony is lost on anyone that a bunch of anti-spam
fanatics are celebrating the holidays by trying to make the "world's worst
spam"?? (LOL)
- charles
On Wed, 24 Dec 2003, Kurt Buff wrote:
> Heck, even with b
mny
obfuscations clearly only happens in spam.
- Charles
count' would be 'wrong' for tests that looked for 'x.x.x' in a longer
string x.x.x.x.x.x (in this case *four* matches on the one string).
We would probably have to get very 'careful' with the regex position
variable, to avoid 'overlaps' that inflate t
'evals' - and even then
with clever coding it might be applied to those. But I don't think it
would be a lot of code. It would probably take longer to document the new
usage :-)
- Charles
1) Will RPM's be out soon?
OR
2) It sounds like this release is mostly just rule changes.
Is there yet a mechanism (an easy way) to just update rules without
going through an 'install' process?
Thanks for all the hard work!
- Charles
On Mon, 8 Dec 2003, Jus
e one header that we test for, which does not contain that
art.
I'm so confoosed! :-)
- Charles
> account...
My favorite gremlin for mysterious crashes and hangs is the LINEBUF
parameter in procmailrc. Make sure their other rules (particularly
whitelist rules before spamc call) are not too big for the buffer
-Charles
y easy to assemble for anyone who is responding to
bugzilla reports, and insure that all of them are caught/adjusted.
Unfortunately, running SA for an ISP, I don't have the option of retaining
e-mail for a 'corpus' for all our users, so I can't just test (my p
seem to have
problems? Even a cut-n-paste list on the website would do. I'm not looking
to create a lot of work for people - but I am slightly concerned that
short of getting 2.61 there may be some clients losing mail because of a
bug that could easily be fixed by a quick sc
SA? Or should we be down-grading the
score for the above two tests?
- Charles
On Wed, 3 Dec 2003, [ISO-8859-1] Jürgen R. Plasser wrote:
> I'd like to install SA 2.60 from source on a RH 9 box
I used the binary rpms and as long as I uninstalled the old spamassassin
manually, the new multiple rpms went in fine.
-
And the point of the mail with the attached jpg would be.?
- C
more.
You might want to check that your scripts to 'manually' restart SA invoke
the correct binary.
- Charles
ome confusion among a few of our users
when they turn on the filter in the default 'flag' mode and expect spam
to stop appearing in their box. But once we explain the system, and how
they can use 'flag mode' to test their filter and choose an appropriate
threshold for deletion,
Hello!
Okay, not to pick on Miroslav, but, here is a case where a legitimate
English language e-mail has 'Windows-1251' embedded in the subject line.
So I don't think it would be fair to filter on this alone. So I ask again,
is there a way to identify when the contents are going to be a jumble of
e a note to 'pool.com' suggesting that they include the
bouncing domain in that canned message of theirs. I got a human reply of
"looking into it", so we might get lucky there, too.
- Charles
What the? I have received several of these today. I'm not sending any mail
that would actually generate a legitimate delivery receipt, so what does
this message mean?
Side note: they are using an old domain that is disused, so definitely
a spam behind this somewhere.
- Ch
hat
it represents non-English mail when it appears in the Subject line?
- Charles
On Fri, 21 Nov 2003, Justin Mason wrote:
> Charles Gregory writes:
> >I've been playing with the 'locales' settings, and they work quite well
> >where a message has been properly formatted with 'charset' headers, but
> >here's a message whos
iously a non-English characterset, but I
cannot see any indication of how to detect/filter this.
Suggestions for rules welcome. - Charles
On Sat, 22 Nov 2003 [EMAIL PROTECTED] wrote:
> Return-Path: <[EMAIL PROTECTED]>
> Received: from a99153.upc-a.chello.nl (a99153.upc-a.chello.nl
I ask again, particularly of the list maintainers, has anyone written mail
to 'pool.com' and/or 'thewizard.net' to solve the problem at the source?
- Charles
On Wed, 19 Nov 2003, Ken Bass wrote:
> For every submission I keep getting the below bounce / along with
> ad
On Wed, 19 Nov 2003, Martin McWhorter wrote:
> >filters." AT&T says it is re-evaluating the patent and has not decided how
> >it will use the technology.
> >SOURCE: News.com; AUTHOR: Paul Festa, CNET
> >http://news.com.com/2100-1032_3-5108918.html
> Here is a suggestion: Sue spammers that use techn
m reading them. I was just wondering if the 'bug' was in the
list processing. It's my Pine, so no worries. It only happens on the
few messages that people send quoted-printable anyways. :-)
Thanks anyways!
- Charles
On Tue, 18 Nov 2003, David B Funk wrote:
> Based upon the headers of your message, it looks like you're using pine
> v4.05.
My apologies. I keep forgetting that my Pine is on an *ancient* Solaris
system, and not the reasonably up-to-date mail server. Unfortunately, the
(expletive) thing is so heav
Hello,
Lately on several e-mails from the list, I've been seeing an error message
in my Pine mail program that says:
[Error: Formatting error: Non-hexadecimal character in QP encoding]
More importantly, the message is *truncated* in the display.
Oddly enough, when I quote the message to reply
is not 'legitimate' (not a DSN), if that was
at all workable.
- Charles
equired_hits, this would be difficult
to guess at. But 0.5 seems like a fair value in line with other
indicators of 'possible' spam.
- Charles
d about the
> clients they take. If you'd like to send the spam my way, I can try
> running it thru the channels there to see if anything comes of it.
Sorry, I didn't keep the spam. If it's rare, don't worry about it.
I
On Fri, 14 Nov 2003, Matt Kettler wrote:
> Unfortunately the list admins can't track which address is generating these
> bounces. There's no subscribed addresses that seem to match the very little
> bit of information that's in the bounce itself..
If contacting the domains does no good, may I su
Just curious: Has anyone actually written to either 'pool.com' or to
'thewizard.net' and complained about this bounce?
- C
On Fri, 14 Nov 2003, Marcio Merlone wrote:
> FYI.
> Begin forwarded message:
> Date: Fri, 14 Nov 2003 16:45:05 +
> From: [EMAIL PROTECTED]
> To: Marcio Merlone <[EMAIL P
Hallo!
Another spam today, with the infamous empty return path.
(Return-Path: <>)
But I didn't see any test that was catching this. Is there something
legitimate about an empty return path that makes it a bad test?
- Charles
uf of 'stock alert' spams
I'm wondering if I should test/score either the domain or the 'prnews'
tree? I was thinking of giving it something like a 0.5 or so.
(this would be a site-wide block for our ISP)
Thoughts/comments? Thanks.
- Charles
-
have a script re-generate the whitelist.rc file, taking
care to escape all special characters, remove blank lines, etc.
- Charles
is a special code that tells the
regex not to save the 'back-reference' variable it would normally create
containing whatever matched that portion of the regex in parentheses. It
saves a few processing cycles each time you do this. In a large collection
of tests, it can be
ple scores. The zeroes in positions 1 and 3 are designed to
disable the Razor2 tests when network tests are disabled
Also note that this test will *overlap* with the existing 51-100 test, so
you may want to disable it by scoring it all zeroes, and create a 51-89
test. Or you can just use cumulat
're quite right. Should be 'rawbody'.
I actually had it right in my rule, but the line wrap messed up the paste
to my posting, so I typed in 'body' manually.
Thanks for catching me on that one.
- Charles
l detect the 1-5 character situation.
My only other suggestion would be to the spamassassin developers to create
a chunk of code that scans HTML for tables and has the smarts to
re-assemble a broken table of text into 'lines', before testing for
buzzwords.
- Charles
--
On Wed, 29 Oct 2003, Colin A. Bartlett wrote:
> Charles Gregory Sent: Wednesday, October 29, 2003 4:33 PM
> > Just at a rough guess, I would say that whoever resides on or near
> > [EMAIL PROTECTED] or 'force9.net' has
> > something strange in their mail handl
On Wed, 29 Oct 2003, Chris Santerre wrote:
> Actually, I'm sorry Charles. You may have gotten 4 copies from me!
I tried to take that into account. Including your 'direct' replies, the
count is actually up to 5 or 6. The interesting thing, if you look at
those headers is that th
any details on whose address/domain bounced.
- Charles
rce9.co.uk postmaster, to see if they can identify the prob
Full headers of the badly routed message below:
- Charles
On Wed, 29 Oct 2003, Chris Santerre wrote:
> Return-Path: <>
> Delivered-To: [EMAIL PROTECTED]
> Received: from james.hwcn.org (james.hwcn.org [199.212.94.66])
cases, but there are some (poorly written)
systems that return the mail without the 'Received' headers quoted.
So the check would have to be complicated enough to determine that the
'Received' headers were indeed quoted, but did not contain the IP address
by moglobal.com (8.12.5/8.12.5) with ESMTP id h9THoCFA016317;
> Wed, 29 Oct 2003 12:50:12 -0500
> Received: by internal.merchantsoverseas.com with Internet Mail Service
(5.5.2653.19)
> id ; Wed, 29 Oct 2003 12:28:22 -0500
> Message-ID:
<[EMAIL PROTECTED]&
that string, it
scores 0.1 for each occurrence, adding up to a significant score?
I would like to add '(|)' to my local.cf - sounds like the
next up-n-coming (no pun intended!) spammer trick.
- Charles
ck. Don't ask
why this works (if it does this time). The script looked like it should
handle the whole path properly.. Like I said: "Weird".. :-)
- Charles
do this?)
Anyone know of any easy-to-use software, particularly that could do the
first task - make changes to 'access' lists in postfix, so that spammers
will get their connections blocked (saving bandwidth)?
- Charles
--
copy of the old rpm in
/var/spool/repackage, in case you need to install it again.
Then run your rpm commands to install the new separate packages.
- Charles
nk I like your idea better - that way all user files are in
one place when I go to remove a user
I'll think about this one. Thanks!
- Charles
e
achieving this much desired goal?
- Charles
e spam fill up the user's disk quota. :-(
Any help much appreciated
- Charles
on process.
- Charles
On Sat, 18 Oct 2003, Chris wrote:
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin
>
> Which I *think* calls spamc? I don't have spamd running on my system
> and SA is working so I assume it's either calling spamc or on demand
> calling spamd.
On Fri, 17 Oct 2003, Diego Puppin wrote:
> is it possible to add the spamassassin "hits" score to the spam mails,
> so that I can sort my spam box and find the "spammest" emails?
> I would like to have my spam emails tagged as:
> **SPAM** (score) Subject
> so I can sort and find which has 30 hits a
RH9 default spamassassin-2.44? Is it
important?
Thanks!
- Charles
On Thu, 16 Oct 2003, Jeff Lasman wrote:
> They announced the phase out at least a year ago; perhaps longer.
I just spoke to Red Hat, and none of their front line people could name a
date, though they 'guessed' that it must have been later than July/03 when
the Red Hat 10 Beta was released
> >
On Thu, 16 Oct 2003, Rich Puhek wrote:
> Spamd does see the message (I verified by looking for the message ID in
> the debug output), and the message appears to run through spamd fine,
> but it lands in my mailbox with no markup.
The other thing I've had cause this is if the buffer size in procm
match the tests 'DNSBL' or similar,
you can give each of these tests a very high score (20+) and then use
a test in procmail to catch scores higher than 20 and delete them.
This also would skim off the top x% of the worst spammers anyways.
- Charles
--
On Wed, 15 Oct 2003, Theo Van Dinter wrote:
> On Wed, Oct 15, 2003 at 02:59:58PM -0400, Charles Gregory wrote:
> > And now that I look at it, that particular file is my local.cf that I
> > didn't want over-written! So does this mean it aborts, is half way done,
> > or WH
for updating my Red Hat 9 SA 2.44 RPM to 2.60 as
soon as possible, thanks!
- Charles
Hiyo!
Are we talking about messages that have been processed through spamd but
not marked, or ones that somehow bypassed spamd altogether? I find an
occasional message gets missed by spamd when I *restart* it to pick up on
new rules :-)
- Charles
On Wed, 15 Oct 2003, Martin, Jeffrey wrote
the condition that does not belong there.
You should have:
body /condition/i
But it sounds like you have
body /condition/ i
- Charles
uff on Unix
flavors, because DOS uses a CR/LF end of line, while Unix only uses one of
the two (LF?). In perl, I use the test $WHATEVER=~s/\r//g; to get rid of
the extra char.
- Charles
ld be more noticeable, and perhaps
even filterable.
- Charles
you can test your message against a reasonably recent version so
> that we can tell if it's a bug that's been fixed or not? 2.44's a bit on
> the stale side and there's been a whole lot of bug fixes since then.
As noted, I'm go
On Tue, 14 Oct 2003, Matt Kettler wrote:
> OSIRUSOFT is and has been DEAD. They now match EVERY IP address in the
> world in an effort to force everyone to wake up and stop using OSIRUSOFT as
> a blacklist.
Ah. Excellent. So I need not worry about this. Thanks!
2.60-1.i386.rpm # or whatever the resulting name
Thanks for this info. I've been noticing an annoying increase in spams
getting by SA in the last week or so. Getting releases straight from the
source will help.
- Charles
ion medications at bargain prices
Our doctors will write you a prescription
I'll stop here, because the above line SHOULD match the regex.
Is there something about the windows charset that throws off the recipe?
Or are they using 'high bit' to invalidate the regex?
- Charles
t to be sure we weren't hacked.
In the short term, I've lowered the score for the Osirusoft tests, but
that won't help our mail that goes to other spamassassin sites
- Charles
en for the address that I
can easily use.
I'm running spamd 2.44 from /etc/procmailrc under RH Linux 9.
Thanks!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Charles Gregory Hamilton CommunityNet Member Services
[EMAI
I am using SpamAssassin (2.53 currently) in a world wide corporate
environment. I have more problems with false positives from Europe, Asia,
Africa, and even Australia than in North and South America.
I am using Sendmail-Switch and call SpamAssassin from MimeDefang with
"action_discard", so I ha
My environment includes a firewall mail relay running a product called
Gauntlet, followed by a Sendmail Switch mailhub running MimeDefang to call
SpamAssassin, then ultimately Exchange (plus some Lotus Notes, GroupWise,
UNIX mail, VAX mail and others).
Gauntlet, like most commercial virus protectio
PM
At 04:29 PM 6/26/2003 -0500, Charles Mount wrote:
>Does anyone have a good way of blocking mail from anonymous mailers like
>http://manicmail.net ?
>It may not be comm