Re: [SAtalk] Upgrade or Stay?

2003-11-17 Thread Chris Trudeau
Mike, Check out Chris Santerre's emporium... http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm CT - Original Message - From: "MIKE YRABEDRA" <[EMAIL PROTECTED]> To: "SPAMASSASSIN" <[EMAIL PROTECTED]> Sent: Monday, November 17, 2003 11:37 AM Subject: Re: [SAtalk] Upgrade o

Re: [SAtalk] timed out

2003-11-13 Thread Chris Trudeau
OK... I disabled RAZOR AND DCC and have not experienced the timeout again. is there anything I can do to find out what is causing these delays and solve the problem? CT - Original Message - From: "Chris Trudeau" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent:

[SAtalk] timed out

2003-11-12 Thread Chris Trudeau
All, I'm not sure what the problem is with my MailScanner/SpamAssassin installation. I'm using exactly the same configuration as in another location. RedHat 7.3 DCC Razor2 SpamAssassin 2.60 MailScanner 4.22-5 (testing with same system thats in production) I have validated that DCC is working th

[SAtalk] RBL dumb question

2003-11-12 Thread Chris Trudeau
How would I go about determining WHICH RBLS are being used currently (I know they are "on"). And how would I go about adding/extracting an RBL from the SpamAssassin checks? CT --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November

Re: [SAtalk] IP Blocks to kill at the firewall?

2003-10-23 Thread Chris Trudeau
Found this linked from the Emporium :) http://www.stearns.org/sa-blacklist/sa-blacklist.current You can probably use this... CT - Original Message - From: "John L" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 23, 2003 4:10 PM Subject: [SAtalk] IP Blocks to kill

Re: [SAtalk] RD - Here is a rule to check for Verisign redirect domain

2003-09-17 Thread Chris Trudeau
appen" ??What am I missing?? CT - Original Message - From: "Jon Gabrielson (by way of Jon Gabrielson <[EMAIL PROTECTED]>)" <[EMAIL PROTECTED]> To: "Chris Trudeau" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, S

Re: [SAtalk] RD - Here is a rule to check for Verisign redirect domain

2003-09-17 Thread Chris Trudeau
this IS good, but now go and update the address: > sitefinder.verisign.com Server: 127.0.0.1 Address:127.0.0.1#53 Non-authoritative answer: Name: sitefinder.verisign.com Address: 12.158.80.10 CT - Original Message - From: "Daniel Quinlan" <[EMAIL PROTECTED]> To: "Fr

Re: [SAtalk] Re: The Verisign folly

2003-09-17 Thread Chris Trudeau
in my mind blocking the address is important too. If you are interested in complaining about the VERISIGN FOLLY... here is the Whois on the new netblock: (I'll bet Mr Bonner would love to hear fromyou all) CT OrgName:VERISIGN, INC. OrgID: VERIS-4 Address:22340 DRESDEN ST City:

Re: [SAtalk] [RD] this is the spam I'm fighting, and why rules don't hit.

2003-08-28 Thread Chris Trudeau
Looks like its time to upgrade this will likely catch the darn pic.gif stuff to then??? Chris? CT - Original Message - From: "Justin Mason" <[EMAIL PROTECTED]> To: "Chris Santerre" <[EMAIL PROTECTED]> Cc: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]> Sent: Thursday, August 28, 2003

Re: [SAtalk] Not sure how...

2003-08-27 Thread Chris Trudeau-Personal
- Original Message - From: Chris Santerre To: 'Chris Trudeau-Personal' ; [EMAIL PROTECTED] Sent: Wednesday, August 27, 2003 9:00 AM Subject: RE: [SAtalk] Not sure how... This has been discussed. The rules will not hit because of the embedded mime code. T

[SAtalk] Not sure how...

2003-08-27 Thread Chris Trudeau-Personal
This is a bit weird.I have the following rules in my local.cf:rawbody MY_PERCENT_OBFU /\%..\%..\%../idescribe MY_PERCENT_OBFU Tries to OBFU link with % signsscore MY_PERCENT_OBFU 1.55rawbody MY_IMAGE_FILEĀ  /.*name=.*\.(pic|gif|jpg)("|$)/describe MY_IMAGE_FILE Includes an image file either e

[SAtalk] p-i-c-dot-g-i-f

2003-08-25 Thread Chris Trudeau-Personal
this thing got me again today... One squeaked through... My rule didn't fire, but has in the past...not sure what I'm donig wrong...but here is the rule: rawbody MY_IMAGE_FILE /filename="[^"]*\.(gif|jpg)"/ describe MY_IMAGE_FILE Includes an image file either embedded or otherwise score MY_IMAGE_

Re: [SAtalk] HEX IN URI and attachments

2003-08-20 Thread Chris Trudeau
Chris, i was about to throw my hands upin frustration... I think this is it. I have raw mbox mail that spawned the thought, so I'll test the meta comparison and let you know! thanks!!! CT - Original Message - From: "Chris Santerre" <[EMAIL PROTECTED]>

Re: [SAtalk] HEX IN URI and attachments

2003-08-19 Thread Chris Trudeau-Personal
meta rule includingattachment detail...any ideas? CT - Original Message - From: "Chris Trudeau-Personal" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, August 19, 2003 7:08 AM Subject: [SAtalk] HEX IN URI and attachments > All, > > Is it safe to sa

[SAtalk] HEX IN URI and attachments

2003-08-19 Thread Chris Trudeau-Personal
All, Is it safe to say that no legitimate email would try and hide a URI in the body of a message by using the hex equivalent of the link? It seems to me that is the case. if so, I would like to write a rule that detects the use of this tactic. Also, is it possible for SA to detect attachments?

Re: [SAtalk] SA tags spams even if the required bound isn't reached

2003-08-14 Thread Chris Trudeau
This is likely NOT SA. It is likely either amavis or other external program that is calling SA. There is a SA config parameter where it will change the subject line and other header information, but this stinks of an Amavis configuration parameter. CT - Original Message - From: "Timoth

Re: [SAtalk] Rule for no web site?

2003-08-14 Thread Chris Trudeau-Personal
Bad idea...there are lots of sites out there that block ICMP and that don't have related "www" sites. CT - Original Message - From: "Michael Clark" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, August 13, 2003 4:51 PM Subject: [SAtalk] Rule for no web site? > Would