At 11/24/03 04:21 PM , Mairhtin O'Feannag wrote:
I made changes to my local.cf file, and they don't seem to be "taken".
If you're using spamd, did you turn off spamd and restart it? It only reads
its config on startup.
of it. So if you only block the /16 nets,
you'll be stopping maybe 22% or so of spam, while I guarantee you, you'll
be dealing with a massive FP rate if you block the /8s.
--Kai MacTane
state: "AT&T Labs ... said the patent was purely
defensive."
--Kai MacTane
--
"Flesh. Your temple screaming... to be he
care that your users/customers will scream, you now know an easy way
to do it.)
I've had pretty good luck with sbl.spamhaus.org, list.dsbl.org, and
relays.ordb.org. bl.spamcop.net also seems fairly good.
--K
scation), you can probably get away with:
/pen[^ tde']s/i
But it seems a little unsatisfactory, somehow.
--Kai MacTane
--
"I looked Death in the face last night,/I saw him in a mirror,
And he simply smiled,/He told
l, unless you actually *intend* to capture
that text for some later use.
Hope this helps, even if it actually means you have no use for the operator.
--Kai MacTane
--
"I looked Deat
s]\w{1}<[\w\s\$&!-]{0,150}>\w{1}\W/
Having recently checked on some stuff in the O'Reilly regex book... No, !
doesn't need escaping inside a character class. But - *does* need it,
unless it's the first character. So I'd say:
/[>\s]\w{1}<[-\w\s\$&!]{0,15
ip it out of the message somehow?
How about the top Delivered-To: header? Will that work?
--Kai MacTane
--
"I hear the roar of a big machine,
Two worlds and in between;
Hot
guration option.
--Kai MacTane
--
"There is no faith in which to hide; even truth is filled with lies.
Doubting angels fall to walk among the living.
I'm in this mood because of scorn, I'm in a mood for total war.
T
gers. You can set it up to just add
1.5, or 0.5, or 0.1, points to the message's score.
(Indeed, adding just 0.1 or 0.01 would be a great way to test the rule for
a little while, and get some sense of how much trouble it might cause if
the score were increased.)
ration
statements to your local.cf.
No, you don't: SA automatically reads all .cf files in
/etc/mail/spamassassin. In alphabetical order, IIRC, which means that rules
in no-osiru.cf will overwrite ones in local.cf.
--
I (and my users) likely to see a rise in FPs?
--Kai MacTane
--
"The seasons don't fear the reaper,
Nor do the wind, the sun and the rain.
story/0,248620,20277794,00.htm
http://slashdot.org/articles/03/08/27/0214238.shtml?tid=111
--Kai MacTane
--
"Soft and only you, lost and only you,
Strange
At 8/27/03 05:57 PM , Carlo Wood wrote:
On Wed, Aug 27, 2003 at 01:30:22PM -0700, Kai MacTane wrote:
> I take it you want something a little better thought-out than just
>
> body CHILD_PORN /child pornography/i
> [et cetera...]
That seems like a bad idea.
Well, I *did* imply, in the f
that host has your domain in its /var/qmail/control/rcpthosts
and .../locals files.
--Kai MacTane
--
"When nothing's sacred any more,
When the demon's knocking on your doo
coded from
Quoted-Printable or Base-64-encoded format if necessary. All HTML
tags and line breaks will be removed before matching.
This doesn't suggest to me that the Subject: is included. Perhaps the doco
could be updated to reflect this?
o devise rules to stop it.
Even just a couple dozen of them.
It also occurs to me that, if it's difficult to find such a corpus, then
there really isn't that much of a problem. Building up a set of rules just
to stop one smear attempt seems li
ion typo for "suit". Or by "Siuth" (typo for
"South"), since there's no \b anchor on the tail end.
This rule seems ready for some very interesting FPs. (But then again,
you've alrea
imple eval for it.
Oh, crud. Okay, I guess this answers my recent RD question, too. Thanks, I
was wondering if I was going nuts.
--Kai MacTane
--
"Don't you know this flesh y
" or "WOMBAT" in the Subject: line, I
get back the following:
To: [EMAIL PROTECTED]
From: Kai MacTane <[EMAIL PROTECTED]>
Subject: Mail for Mr. WOMBAT
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Spam-Status: No, hits
s just not include the Content-Disposition information? I've also tried
replacing [^\"] with just plain [^"] and with [^\.] instead; this changes
nothing.
--Kai MacTane
by whitelist_to).
--Kai MacTane
--
"When nothing's sacred any more,
When the demon's knocking on your door,
You're still staring down at the floor."
r (though I'll admit RFC2821 specifies MAY).
If it's the former situation, then you're quite right that Message-ID:
should not be added after the initial SMTP injection point. (However, I
don't know how to configure Postfix. Sorry.)
, like
most other Unix daemons, and it will re-read its configuration files
(including filtering rules). But 2.55 and before simply crash when HUPped;
the only way to get them to re-read the rules is by killing and restarting
them.
--Kai MacTane
"cunt", found in the name of the town of
Scunthorpe in England. If AOL's filters had been using /\bcunt\b/ instead
of just /cunt/, users from Scunthorpe wouldn't have been annoyed, and the
rest of the world wou
r second.
I realize your problem is already in the past, but in case you (or anyone
else on this list) ever runs into the same problem again, I wanted to
advise on this method of dealing with it.
ally, when I let
spamd run as many of itself as it likes, then when a spammer tries to mail
many of my users all at once, the multiple spamds spike my CPU load enough
that *nothing* gets done.
--K
roblem both from the command line and during standard
bootup sequence.
--Kai MacTane
--
"I looked Death in the face last night,/I saw him in a mirror,
And
t you probably would NOT want to use: /(\w)\1+/ , because then any
double-letter will be caught by this regex.
--Kai MacTane
--
"I looked Death in the face last night,/I saw him
e" lines as you see fit. Note that I haven't tested the regex
on RULE_3 yet; I think it's correct, but test it before deploying it.
--Kai MacTane
--
"And wh
score they like as their auto-deletion threshold.
--Kai MacTane
--
"Friends of science and sensuality,
They seek the silence
essage up if you're interested.
--Kai MacTane
--
"Playing dead and sweet submission,
Cracks the whip deadpan on cue."
--Siouxsie and the
0.1
body FOOBAR_CAPS /\b(FOOBAR|WOMBAT)\b/
describe FOOBAR_CAPS Includes Mr. Foobar Wombat's real name in CAPS.
score FOOBAR_CAPS 0.1
Now, when I send an email with "FOOBAR" or "WOMBAT" in the Subject: line, I
get back the following:
To: [EMAIL PROTECTED]
From: Ka
hink that "only porn sites get
blocked by porn filters".
--Kai MacTane
--
"I looked Death in the face last night,/I saw him in a mirror,
And he simply smiled,/He told me not to worry:
He told me just to take my
.
And personally, I'd just do:
body RULE_NAME /banned ?c/i
Although some people have already posted much better regexes for matching
various ways to obfuscate "banned CD". In all truth, I'd go with one of
those, instead.
those
directories, but if the directories themselves don't exist, then the tools
should generally exit with an error message.
--Kai MacTane
--
"I looked Death in the face las
've been planning to try to package it for open-source
distribution, but haven't gotten around to it yet.)
--Kai MacTane
--
"You wear guilt/Like shackles on your f
"banned
-books" in about three minutes. Admittedly, I changed the sentence
structure in most cases to get the C-word right after "banned", but none of
these are that unusual.
Tacking on that "d" is a good way to avoid false positives.
At 8/18/03 01:28 PM , Matt Kettler wrote:
At 12:08 PM 8/18/2003 -0700, Kai MacTane wrote:
In other places, such as in Ms. Zanre's rule, it means "beginning of line
or string", just as $ means "end of line or string".
True, his rule should work, provided that the GOREA
save their own CPU
power? After all, generating a ROT13 or ROT5 version of each email address
in a million-message spam run has got to be less intensive than generating
an MD5, Blowfish, or other hash.
--Kai MacTane
-
you're using spamd, do you know if it's been reloaded since
you wrote your rule?
--Kai MacTane
--
"Hey, sister Moonshine, hold me 'til the break of dawn,
Hold
e taken to private email.
(Not going after you personally, Mr. Mize. Yours was just the most recent
message to arrive, and formed an easy point of entry for my comment.)
Please, everyone, take this thread elsewhere?
--K
s , or You 'll be spammed again and
again! LOL!
©Copyright clearvisionsclub.com 2003
Like I'd copy this text for my own use?
--Kai MacTane
--
"When nothing's s
end against it.
Same here. The inflexibility of filters that use rules like "block every
mention of the word FOO" is one of the reasons I use SA instead -- it's not
that silly.
--Kai MacTane
-
f
line 44: ff
line 96: ff
The "bsmtp" is from your first Received: header ("with local-bsmtp"); the
others are obviously HTML color specifications. There's nothing past 6
characters. I have no idea why SA is triggering on this rule with this input.
then looking at a few of the other functions in
Mail::SpamAssassin::EvalTest.pm should make it clear how they work.
--Kai MacTane
--
"Lucretia, my reflection, dance
asily be forged. Instead, I'd
probably write an eval function to check the Received: headers, to see when
this host or this mail network *actually* got the mail.
--Kai MacTane
(and figure out how to make it
score higher).
--Kai MacTane
--
"I think that somehow/Somewhere inside of us,
We must be similar/If not the same."
doesn't make them "blithering idiots".
But I would agree that those who don't speak Perl should not attempt to
write their own eval functions. (Basically, "if you don't speak Perl, don't
try writing some Perl. Especially if it's going to affect
e or two of the
existing ones will give you the idea.
If you don't speak Perl, then learning it should be your first step in
trying to write any new eval rules. And learning Perl is outside the scope
of any SA or rule-writing documentation.
efs? In general, I'd grep for
whitelist_from in ~/.spamassassin, /usr/local/share/spamassassin, and
/etc/mail/spamassassin.
Somehow, though, I doubt you'll find "[EMAIL PROTECTED]" in there. I suspect
you've got something else going on.
5 or 6 points.
Naturally, I found this very annoying.
I simply let Bayes auto-learn from my current incoming mail; I didn't feed
it huge spam/ham corpuses.
--Kai MacTane
--
"
"Unsolicited".
Just in case the above isn't a typo.
Cf. the expansion of CAUCE: "the Coalition Against Unsolicited Commercial
Email".
--Kai MacTane
--
"
before, and possibly after, these rules? At least
that would fix the Ezra problem -- are there others?
--Kai MacTane
--
"...and she sighed/And she died/In his arms/And he cried:
`El
h).
Yeah, by default it skips messages over 256K. Judging by the number of JPGs
referenced in the text, I'd guess the message was too big.
--Kai MacTane
--
"And when I
parts of this test are in
20_head_tests.cf; you could comment them out. (In that case, you'd want to
comment out the score line as well.)
--Kai MacTane
--
"When nothing'
ty clear.
Then do a rule like:
header CHECK_ORIG_EMAIL_DOMAIN eval:check_orig_email_matches_from()
describe CHECK_ORIG_EMAIL_DOMAIN X-Originating-Email: header domain doesn't match From:.
score CHECK_ORIG_EMAIL_DOMAIN 1.5
ff by three or more spaces.
People I routinely correspond with don't tend to put extra spaces into
their Subject: lines. (And someone ending their Subject: with three spaces
and then "!!!" or "###" probably *is* a spammer.)
kill and restart it?
--Kai MacTane
--
"The seasons don't fear the reaper,
Nor do the wind, the sun and the rain.
We can be like they are."
er if there's something
wrong with your Bayes tokens/db/etc.
--Kai MacTane
--
"In another life I see you/As an angel flying high,
And the hands of time will free you/You will
cess? Are there
any potential "gotchas" I should be aware of? Or should I just go ahead,
and everything will work fine?
In case it matters, the system is Slackware 8.0, with Perl 5.6.1.
[insert nasty side-effects here]! Use at
your own risk!" But I think it's better to put them forward as
possibilities, and let people decide what will help them in their own
particular situation. That's part of what rule customization is all about.
At 7/17/03 11:21 AM , Justin Mason wrote:
>1) Have spamd re-read local.cf when it receives a HUP signal, rather
> than having to be stopped and restarted
Yep, that'll be in for 2.60.
And there was much rejoicing!
--
odoo involved; spamc makes its local
connection to spamd just fine regardless of what domain name the user is.
--Kai MacTane
--
"And when I squinted/The world seemed rose-
;, I still get spamc processes just hanging
around, sometimes for days at a time.
--Kai MacTane
--
"Uh-oh... Gravity works."