In a post by Jmason back on Sept. 9 2003, try this:
header MK_CHARSET_IN_SUBJECT Subject:raw =~ /ISO\-8859/i
Change the chrset part to whatever you want, this should allow you access to
un-decoded subject.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-440
I thought up an idea for this, instead of trying to detect the white text in
general, why not try to detect the patterns the spammers are using with
them.. Take the following rules as an example:
rawbody FVGT_rb_WHITE_6_WHITE /f[f0-9].{6}http://www.i-is.com/
--
I see USER_IN_ALL_SPAM_TO this gives negative points, I think it's -100
Your hits was -89.6
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Owen Becker wrote:
> This is somewhat interesting. A fair number of mails are getting
> through with:
>
> X-Spam-Status:
Hello,
In cygwin I see the default rule location as:
/etc/mail/spamassassin/
Try running:
spamassassin -D --lint
and it'll tell you where it's looking to find your rules.
The subject re-write issue has been discussed a lot but I don't know
anything about it. What is the contents of your local.cf
Just a minor correction,
try this:
header __BLOCKTOFFICEOUT To =~ /[EMAIL PROTECTED]/i
header __BLOCKFOFFICEOUT From =~ /[EMAIL PROTECTED]/i
meta BLOCK_MY_OFFICE (__BLOCKTOFFICEOUT && !__BLOCKFOFFICEOUT)
describe BLOCK_MY_OFFICE No E-mail to alias from outside
score BLO
We need to know how you integrate SA with your mail server.
Procmail, milter, etc.
Thanks!
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Robert Harrison wrote:
> Hi all,
>
> Lots of helpful people say this can be done by configuring SA to do
> it.
>
> Howeve
Hello,
Please use this reference for installing SA on Win32.
http://www.openhandhome.com/howtosa260.html
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Efren Pedroza wrote:
> Thanks for everyone that answer this question, I'm really newbie on
> this matter, I did
SA works fine on Win32, it all depends on your MTA and if it allows a hook
to the message.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Matt Kettler wrote:
> At 01:47 AM 11/28/2003, Efren Pedroza wrote:
>
>> Thanks for your attention, but what I'm looking is Se
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]
Hello,
Try this:
rawbody W98_UNSUBSCRIBE4 /prefer not to ?see/i
? means 0 or 1 of the previous
So the previous space can appear 0 or 1 times ;)
ian douglas wrote:
> My rul
Is anyone on this list using bl.csma.biz? I see they
have a rule on their site to use them with SA, just wondering how effective and
if many FP's?
http://bl.csma.biz
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Yes, this is a known issue and has been fixed for 2.61. There is a patch on
Bugzilla now to correct it.
P.S. Your message contains this week's new tracking header, thanks for
posting it, this person has been rotating the tracking header about once a
week.
Hel-Tracking:
Frederic Tarasevicius
Int
I came up with another idea to tackle these, I really liked that spam, you
can say it inspired me because it too slipped past my SA rules!
full FVGT_rb_WICKED_SPAM_12
/.{1,2}.{1,2}.{1,2}.{0,400}<\/td>/is
describe FVGT_rb_WICKED_SPAM_12 Hide message with large complex tables 1-2
score FVGT_rb_WIC
Possibly due to spammers watching these groups and crafting their messages
to avoid detection by the rules posted to this and other groups.
If we make it even easier for the spammers to obtain our rules, we would not
be helping anyone but the spammers.
It only takes me about 10 seconds to cut and
Steven Manross wrote:
> For all interested.. I'm *NOT* looking to give this type of rule 5
> points.
>
> I want to give it something like .3 - .6 (but will play with it), as
> noted by many, this isn't an indication of spam, but an indicator of a
> possible spam-source. I believe that people who
I'm trying to write a rule to count how many chr's are in a
HTML message.
My test rule looks like:
full T_FOO
/.{60,110}<\/html>/i
The problem is that none of the test options (rawbody, body,
full) provide the ability to test the entire message like this.
I am guessing I need an e
Chris Santerre wrote:
>> Has anyone else noticed a huge increase in the amount of spam lately?
>> In the last month or so the volume has more than doubled and a very
>> large portion of it gets through spamassassin 2.41.
>>
>> I have been running spamassassin for almost two years. I have
>> resis
Starting with SA 2.6, the local.cf file should be located under:
/perl/etc/mail/spamassassin/local.cf
It's possible your SA is not seeing the changes you have made.
You can verify this by running spamassassin --lint -d and check the output.
You should always use ALL CAPS for the test names.
Use:
Fred I-IS.COM wrote:
> Here is the latest update for those who are interested, attached is
> the "Freds OBFU" rules.
> This version does not FP on PGP signatures.
> Also using Character Classes and included the set of Subject OBFU
> rules.
>
> *Chris, feel fre
Here is the latest update for those who are interested, attached is the
"Freds OBFU" rules.
This version does not FP on PGP signatures.
Also using Character Classes and included the set of Subject OBFU rules.
*Chris, feel free to post this one to your site!
Frederic Tarasevicius
Internet Informat
Chris Santerre wrote:
>> -Original Message-
>> From: Colin A. Bartlett [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, October 23, 2003 10:44 AM
>> To: Patrick Morris
>> Cc: [EMAIL PROTECTED]
>> Subject: RE: [SAtalk] [RD] yahoo redirect
>>
>>
>> Patrick Morris Sent: Thursday, October 23, 2003
Taking advice from the group, I've switched these rules to using chr set's
[]
body __FVGT_b_OBFU_J /j[bcfgw]/i
body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
body __FVGT_b_OBFU_Q0 /[jkpqtvwz]q/i
body __FVGT_b_OBFU_Q1 /q[afhjkmnsy]/i
body __FVGT_b_OBFU_V /[fgqw]v/i
body __FVGT_b_OBFU_X
I'll have to admit, I was bored this morning. I created a set of rules to
look for domains that include numbers.
IE: www.domain3.com
IE: www.domain3domain.com
Etc..
Take a look at the attachment, I'm looking for criticism both good and bad.
The rules look for 0-9, 01-09, and 11-99 to appear in
't know I could combine an additive rule
with a ! and have it all work ;)
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Daniel Quinlan wrote:
> "Fred I-IS.COM" <[EMAIL PROTECTED]> writes:
>
>> I created a list which might be helpful,
Yes, any *.cf file in that directory will be parsed for rules / config
options.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
Thomas Kinghorn wrote:
> Hi List.
>
> Just a quick question.
>
> Do all custom rules have to be added to the
> /etc/mail/spamassassin/lo
Hello,
The option you are looking for is called:
whitelist_from_rcvd
It's in the doc's, I'm not sure the exact parameters.
Frederic Tarasevicius
Internet Information Services, Inc.
James Herschel wrote:
> Hello,
>
> I've got an odd situation where I've received spam from a (forged)
> valid
I too have seen these, Use the following rule, it works for me:
header __FVGT_h_XNUMBER0 ALL =~ /x-transfer-number/
header __FVGT_h_XNUMBER1 ALL =~ /X-transfer-number/
header __FVGT_h_XNUMBER2 ALL =~ /X-TRANSFER-NUMBER/
header __FVGT_h_XSTAMP0 ALL =~ /x-transfer-stamp/
header __FVGT_h_XSTAMP1
Give this a try, Add to local.cf or something.
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_
Frederic Tarasevicius
Internet Information Services, Inc.
Mike Schrauder wrote:
> Hi,
> I have been off the list for a whil
Hello,
I created a list which might be helpful, using a dictionary I searched for
letter pairs which did not exist. I created the following meta rule to
search for these non-existent pairs, it might do just what you are looking
for.
body __OBFU_J /j(b|c|f|g|w)/i
body __OBFU_OTHER /(vj|vk|xj|xk
Being fairly new to perl, I'm looking for advice.
I've created a rule to blacklist certain domains which we do not accept
e-mail from. The rule searches for the domain name to appear anywhere in
the message body.
Is it more efficient to use a large complex rule like:
(domain1\.com|domain2\.com|d
You might want to omit:
RCVD_IN_BSP_OTHER
RCVD_IN_BSP_TRUSTED
Those are not blacklists, they are to be used to help identify valid
senders!
Frederic Tarasevicius
Internet Information Services, Inc.
Louis LeBlanc wrote:
> On 10/10/03 10:53 AM, Anne Ramey sat at the `puter and typed:
>> I'm usin
A rule for this already exists, it's called: OBFUSCATING_COMMENT
If you like, you can give this test a higher score in your local.cf file.
No, the rules are not additive!
Frederic Tarasevicius
Internet Information Services, Inc.
Robert Wagner wrote:
> We seem to be getting more messages like:
We are receiving near this much mail traffic, I get about 1 connection every
2 seconds, average of 50k messages per day.
I am using spamD on 3 different servers to spread the load around, it's
working great!
I am also running my own creation (WinSpamC) which allows for
load-balancing between mul
header LOCAL_FUNNY_SUBJ Subject =~ /g00d.{1,30}pr0/i
describe LOCAL_FUNNY_SUBJ Looks like a funny subject I seen once!
score LOCAL_FUNNY_SUBJ 1.0 # score whatever you want.
Add something like the rule above to your local.cf or user_prefs file.
A good article on Regular expressio
Hello List!
I just wanted to let those interested people know that we have
a working port of spamC for windows named WinSpamC, also a document explaining
howto run SpamD on windows with cygwin.
http://sourceforge.net/projects/winspamc/
Thank you!
Frederic Tarasevicius
Internet Information S
I used to do this until my provider explained to me that it was not
appropriate for me to attack the spammers even if they started it. I created
a program to automate filling in their forms, submitting random names, fake
details etc, but I'm sure the spammers could easily filter my submissions
based
This feature is included with 2.60, which version are you using?
Frederic Tarasevicius
Internet Information Services, Inc.
Colin A. Bartlett wrote:
> Hello All,
>
> Been using SpamAssassin myself for about a year now; about a month or
> so site-wide.
>
> Only one feature I wish existed: black
The original code for this rule is:
header __OPT_HEADER_SUBJ ALL =~ /^(?:Resent-)?Subject:.*opt.?(in|out|oem|ed|ion-in|[EMAIL PROTECTED])(?:\b|\d|\@)/im
header __OPT_HEADER_ALL ALL =~ /opt.?(?:in|out|oem|ed|ion-in|[EMAIL PROTECTED])(?:\b|\d|\@)/i
meta OPT_HEADER (__OPT_HEADER_ALL && !__OPT_HEADE
The -a commandline switch is to enable AWL, if you omit this when calling
SA, you will not use AWL.
Frederic Tarasevicius
Internet Information Services, Inc.
Doug Ledbetter wrote:
> Hello all,
>
> What enables or disables the auto-whitelisting feature?
> Would it be use_bayes?
>
>
SA 2.6 uses /perl/etc/mail/spamassassin/local.cf
It's in the docs and if you use -D (for debug) it will tell you where it's
looking.
Frederic Tarasevicius
Internet Information Services, Inc.
Dominic Germain wrote:
> Hi,
>
>
> I just set up a new server with SA 2.60. It's almost the same setup
Anyone read this one yet?
http://www.theregister.co.uk/content/56/33059.html
---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mail
Has anyone else noticed that Sorbs is responding real slow today? I'm
seeing it timeout in 4 out of 5 attempts.
Frederic Tarasevicius
Internet Information Services, Inc.
It may have something to do with the following line:
already learnt correctly, not learning twice
Frederic Tarasevicius
Internet Information Services, Inc.
landy wrote:
> i have 36 emails in a folder called spam
>
> i run sa-lear for that directory and it learns only from a few msgs
>
> here is
I don't see any comments in this message, normally they start with and they must break a word for the rule to hit.
Frederic Tarasevicius
Internet Information Services, Inc.
Seelig, CD (Chris) wrote:
> The OBFUSCATING_COMMENT rule on our servers seem to miss a lot of
> mails that would appear (
I noticed a small difference, I don't know if this has something to do with
it, but in the bottom message, with -7.7, where are the other SA headers?
Like which tests fired?
Frederic Tarasevicius
Internet Information Services, Inc.
[EMAIL PROTECTED] wrote:
> I've been getting some spams coming
I need help from the dev team!
In the docs for spamD, it has the following:
---cut---
When spamd receives a connection, it spawns a child to handle
the request. The child will expect to read an email message from the
network socket, which should then be closed for writing on the other end (so
I'm not sure I understand how this *could* work. At least from what I've
seen, with SA you pipe the message in, it does not know the location of the
message, and in some cases the message does not live on the disk.
I think what you are asking for would be easier obtained somewhere else.
Frederic
No, that would never happen in real life.
There is a HTTPD redirector running on 64.94.110.11, the address
12.158.80.10 is only used for the sitefinder.versign.com domain.
Example:
NSLOOKUP www.sdfkjsdf.com
Non-authoritative answer:
Name:www.sdfkjsdf.com
Address: 64.94.110.11
That is the ad
I am using 2.60rc2 & rc3 & rc5 and it works in all these versions. In 2.55
it does not work or was not implemented.
Frederic Tarasevicius
Internet Information Services, Inc.
Razvan Cosma wrote:
> Hello,
> I have seen this option mentioned several places on the web (but not
> in the perldoc
Is this because of running SpamD under AS perl? I am planning to run SpamD
under CYGWIN perl. Are there any problems with this setup? I have it
working all except net tests, having trouble getting Net::DNS to work for
CYGWIN... I'm using 2.6rc4
Frederic Tarasevicius
Internet Information Servic
e projects right?
>
> Andreas
>
> On Mon, 15 Sep 2003, Fred I-IS.COM wrote:
>
>> Date: Mon, 15 Sep 2003 14:45:46 -0400
>> From: Fred I-IS.COM <[EMAIL PROTECTED]>
>> To: "Spamassassin-Talk \\(E-mail\\)"
>> <[EMAIL PROTECTED]>
>>
Hello,
Anyone ever hear of "No Spam Today" mail filtering
software? It boasts that it uses "SpamAssassin" technology.
http://www.no-spam-today.com
Is it a scam, they are charging money for it!
Quoted from their page:
No Spam Today! uses award winning SpamAssassin™ technology
to identify and
That is correct information, but I too am still seeing a few from one server
which has it's date set to March 20th 2003. I wrote a rule to catch mail
from that server and I haven't seen anymore since!
Frederic Tarasevicius
Internet Information Services, Inc.
Steve Thomas wrote:
> On Sat, Sep 13
See this page:
http://www.exit0.us/index.php/CustomRBLs
Frederic Tarasevicius
Internet Information Services, Inc.
Frank Pineau wrote:
> Is there any way to make SA check other RBL's? Ever since the demise
> of Osirusoft, I've been using my own RBL zone file on my DNS server,
> but I'd like to
http://www.collegian.com/vnews/display.v/ART/2003/09/08/3f5beeca27bed
Here's a news article of SA in use at a college. Too bad
the news article was calling it: Spam Assassination
I contacted them to make corrections :)
Frederic Tarasevicius
Internet Information Services, Inc.
I've recently integrated a third-party program into SpamAssassin. I found
the best way to do this (in my case) was to create a program to run the 3rd
party app, take the results and add them into a X-Header and append to the
message. Using SA it's simple to create a rule based on X-headers. This
SA Reads all .cf files located in that directory.
Frederic Tarasevicius
Internet Information Services, Inc.
Ralf G. R. Bergs wrote:
> Martin Radford schrieb:
> [...]
>>> 4) I am new to spamassassin. What parameter should I use in my
>>> configuration to cause spamassassin to stop using osirus
http://www.exit0.us/index.php/Win32Install26
Which SMTP server are you using and what type of interface you have to scan
mail is the hardest part.
Frederic Tarasevicius
Internet Information Services, Inc.
[EMAIL PROTECTED] wrote:
> Will the program run on MS windows NT and/or 2000 servers? I
Hello,
I seen a post a few days back which explained that you could
use -D with an extra parameter to specify the debug the RTBL tests.
Can someone re-post this information, I find the docs for 2.55
to be lacking this information.
Thank you,
Frederic Tarasevicius
Internet Information Servic
Hello,
Just a FYI the domain name is also mis-spelled, it says:
spamasassin.org
where the proper name is:
spamassassin.org
They are missing an S in the first ASS.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]
Chuck Peters w
The ending,
pIz
It's a cap I, and the /i at the end tells it to ignore case.
I think you want a number 1 in there?
Frederic Tarasevicius
Internet Information Services, Inc.
Robin Witkop-Staub wrote:
> I was trying the following filter found on the suggested script
> sharing page. For some re
Hi all, I just received this spam, It made me laugh so I
thought to pass it on.
Welcome to the site it's us again, now we extended our offerings,
here is a list: 1. Heroin, in liquid and crystal form. 2.
Rocket fuel and Tomohawk rockets (serious enquiries only). 3. Other
rockets (Air
Hello,
I found a new set of listwashing tokens, all are located inside HTML
comments.
I created the following transform matrix:
Left side is what the letter should be, the right side is the transformed
text.
An example looks like:
Message sent to [EMAIL PROTECTED]
would look like:
a=d
b=O
c=,
d
ESTNAME $SOMESCORE
>
> That should be four lines in total (MUA wrapped it I think). The
> variables starting with $ should be edited for whatever zone you want
> to use.
>
>
>
> Ryan Moore
> --
> Perigee.net Corporation
> 704-849-8355 (sales)
> 704-849-
Is it possible to use the dsn listing from
RFC-ignorant.org?
This RTBL is meant to check the From line of the e-mail, to
check if the sender is RFC ignorant.
Are these types of DNSBL tests possible with
SpamAssassin?
zone = dsn.rfc-ignorant.org
From their website:
How to Use Domain-Bas
I seen this too, but make sure you run --lint on your config file to ensure
it's good!
See also:
http://www.exit0.us/index.php/Win32Install26
It does not appear that all tests are working on my install of 2.6, --lint
returns as normal but
as in my other post, I am seeing misses where I know there
Can anyone provide a policy for an ISPs' use of Spam
Assassin to filter customers e-mail?
We need to update our policy to explain about SA and our use of it.
I'd like to see how other companies are doing it, how they protect
themselves etc.
Thanks for your time,
Frederic Tarasevicius
In
Wow, that was a 5 hour delay from when I sent that message.
Frederic Tarasevicius
Internet Information Services, Inc.
Fred I-IS.COM wrote:
> Try running spamassassin -D and it should provide more information
> when attempting to do DNS tests.
>
> Frederic Tarasevicius
> Inter
Try running spamassassin -D and it should provide more information when
attempting to do DNS tests.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
According to the current online docs:
blacklist_to [EMAIL PROTECTED]
If the given address appears as a recipient in the message headers
(Resent-To, To, Cc, obvious envelope recipient, etc,) the mail will be
blacklisted. Same format as blacklist_from.
Appears on page:
http://au.spamassassin.org/
Hello,
Try this:
header GOREALTIME Subject =~ /GOREALTIME\b/i
I am thinking the problem was the ^ before the text.
I think that means to not match anything following.
Frederic Tarasevicius
Internet Information Services, Inc.
- Original Message -
From: "Danita Zanre" <[EMAIL PROTECTED]
It appears that if a subject contains a period, it will fail
the test for all caps.
Example:
Subject: URGENTASSISTANCENEEDED.
Frederic Tarasevicius
Internet Information Services, Inc.
lot more promising as it only matches skyjack
Mike
-Original Message- From:
Fred I-IS.COM [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 07, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] RD Message body/subject filter
help
rawbody MY_OBFU
tives as possible.
ii can be used in roman numerals, also in sur-names.
(ASCII) (antiimperialism) (antiinflammatory) are those words?
Frederic Tarasevicius
Internet Information Services, Inc.
- Original Message -
From:
Chris Santerre
To: 'Fred I-IS.COM' ; Spamassa
I use a similar approach and advertise a dummy sub-domain name in my smtp
banner. Then using a custom rule I look for spammers to use that name in
their message. A lot of the time I see it used in the From and To lines to
make it look like it came from our customers. Is there anything wrong with
The person who marks their rules named RAVEN have coded an improper rule to
match the word SEX.
Take a look in the log file you posted, it gave a score of +50, that rule
should be removed.
Frederic Tarasevicius
Internet Information Services, Inc.
- Original Message -
From: "Robin Witkop
rawbody MY_OBFUY /y(b|j)/i
describe MY_OBFUY Y with unusual chars
score MY_OBFUY .45
This one catches MAYBE
Frederic Tarasevicius
Internet Information Services, Inc.
- Original Message -
From: "Chris Santerre" <[EMAIL PROTECTED]>
To: "'Greg Leaf'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTE
y matches skyjack
Mike
-Original Message----- From: Fred
I-IS.COM [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 07, 2003 11:42 AM
To: [EMAIL PROTECTED] Subject: Re: [SAtalk] RD Message body/subject filter help
rawbody MY_OBFUY /y(b|j)/i describe
MY_OBFUY Y with unus
This is a good idea for rules, I am planning on creating a few of these,
I'll share when I'm done.
Frederic Tarasevicius
Internet Information Services, Inc.
- Original Message -
From: "Fred I-IS.COM" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thur
I checked real quick and found no User-Agent in AOL.
Versions seen:
X-Mailer: 6.0 for Windows XP sub 10501
X-Mailer: 7.0 for Windows sub 10610
X-Mailer: 8.0 for Windows sub 180
X-Mailer: 8.0 for Windows sub 913
X-Mailer: 8.0 for Windows sub 6015
Frederic Tarasevicius
Internet Information Services
Hello,
I noticed a few messages using
[EMAIL PROTECTED] in the headers. (To, From, CC).
The domain part is random, sometimes I see juno.com or
hotmail.com or china.com but I have many others.
Can someone help me create a custom rule to trap
this?
Thank you,
Frederic Tarasevicius
Internet I
Hello,
I noticed an issue with 2.55 and the test for
FORGED_JUNO_RCVD,
The reverse dns for juno customers is: untd.com
This causes a false positive for juno customers.
Thanks,
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
81 matches