[SAtalk] Detect IE urlspoof.

2004-01-22 Thread Lucas Albers
Rule to detect IE exploit. http://vil.nai.com/vil/content/v_100927.htm Your virus scanners detect this exploit. (mcafee/clamscan...) Your mileage may vary. Will match these exploits: Replace ttp with http (so it will slip by my scanner and mcafee.) ttp://[EMAIL PROTECTED]/malicious.html ttp://[

Re: [WL] Re: [SAtalk] More obfuscation

2004-01-20 Thread Lucas Albers
detecting obfuscation: html garbage tags: done. normal language letter frequency: easy to do, easy to get by, just modify random keyword to generate same frequency as english words. This would still catch the stupider spammers doing bayes poisoning. Detect poisoning attempt, and reject an addition to

Re: [SAtalk] message body consists of random words.

2003-12-24 Thread Lucas Albers
>Clive, > > Wednesday, December 24, 2003, 8:09:42 AM, you wrote: > > CD> I am receiving several spam messages daily in which the message body > appears > CD> to consist entirely of random words. > Is there anything the developers can do to protect against bayes poisoning? If the mail message is wa

RE: [SAtalk] Rule Help...

2003-12-23 Thread Lucas Albers
>> At 02:50 PM 12/12/2003, Dan Tappin wrote: >> >Here is a custom rule for a PayPal spoof virus that is going around. I >> >can't get this to trigger a hit in SA. I have linted my >> >rules and my config files are being loaded properly. Dan, Can you post your rule? I would like to see what you

[SAtalk] Browser Bug: Very bad in IE and varies on Netscape and Mozilla]

2003-12-20 Thread Lucas Albers
Another mailing list pointed out the new ie exploit. What would be the SA code to detect/block such an exploit in email. Here's an untested potentially cpu intensive rule to detect this, I am not recommending this rule, but looking for an improved version of it. uri KAM_URIPARSE /^[^\/]*\%0[01][^

Re: [SAtalk] Detecting strings of Gibberish

2003-12-12 Thread Lucas Albers
Archive of this: http://marc.theaimsgroup.com/?t=10613675441&r=1&w=2 Analyze letter frequency for normal words, and detect non-normal letter frequency of gibberish. --luke > I have noticed that many SPAM emails, end with several lines of gibberish, > such as: > > lvwpdfobv qkviylqr qlm

RE: [SAtalk] [RD] Weeds changes

2003-11-03 Thread Lucas Albers
Why doesn't someone set up a rsync for these rules, and then only put in the conservative rules, and we can potentially rsync the rules into a cf file. > Hi Scott, > Thanks for the heads up. > > You wouldn't happen to have a sample of one of those spams would you? > I'm curious about something. I'

[SAtalk] Re: [SA-Announce] SpamAssassin 2.60 rc4 released

2003-09-12 Thread Lucas Albers
I am upgrading from rc3 to rc4 and I'm using the same spec file that I used to compile rc3 to compile rc4. I updated it to point to the new package, so it unzips correctly. Have any of these variables changed (they must have...) from rc3 to rc4? INST_PREFIX INST_SITELIB INST_SYSCONFDIR DEF

[SAtalk] Add custom rbl's

2003-09-10 Thread Lucas Albers
I've decided to switch solely to using spamassassin for rejecting mail from open relays. Previously I used sendmail rbl checks and then spamassassin to filter/reject mail. I currently use 22 rbl's in sendmail via dccdnsbl or enhndnsbl and I would like to move the lookups into sa, to lower my rbl fa

Re: [SAtalk] adjusting a few things in local.cf

2003-09-07 Thread Lucas Albers
> #Higher scores for bayes > score BAYES_80 2.50 > score BAYES_90 4.00 > > > I think that I messed up with the BAYES ones.. BAYES_80 isn't adding the > 2.5 points like I wanted. =/ 2.60 significantly increases default bayes scores.

[SAtalk] rule to match garbage html obfuscation

2003-09-03 Thread Lucas Albers
So what is the best general rule that has been created to match html mail with garbage html and or garbage html? As I mentioned earlier something that matched letter frequency on the first and last part of email should detect garbage words, but didn't someone submit a patch to detect a large numbe

Re: [SAtalk] Min Score

2003-09-02 Thread Lucas Albers
If you upgrade to 2.60 you need to set your autolearn ham score to 0, instead of the default of -2 in 2.55. By default shouldn't the auto-learn threshold for 2.60 be set to 0? (not at a shell prompt so can't look right now.) If not I think it should be, otherwise it won't learn ham. --Luke As

[SAtalk] dccifd support

2003-08-31 Thread Lucas Albers
The release notes for 2.60 mention that it supports dccifd. Has anyone used the dccifd interface on 2.60 yet? Could you post code using dccifd? --Luke

Re: [SAtalk] OSIRUSOFT

2003-08-31 Thread Lucas Albers
So the zone file is cryptographically signed, so another sharer cannot change it? This would remove a single DOS target for spammers. But you have to transfer the whole zone file from peer to peer? > This seems like a perfect application for P2P technology; make rbldns or > rbldnsd trivial to conf

Re: [SAtalk] SpamAssassin 2.60 rc3 released

2003-08-29 Thread Lucas Albers
> Justin Mason wrote on Thu, 28 Aug 2003 17:18:07 -0700: > >> - spamd now supports UNIX-domain sockets for low-overhead scanning, >> thanks >> to Steve Friedl for this. Strongly recommended if you're running >> spamc >> on the same host as the spamd server >> > > What does this mean, what's th

[SAtalk] bayes db version

2003-08-29 Thread Lucas Albers
Upgraded to 2.60-rc3 via rpm packages I built from source. When looking at some of my users I see this, for their bayes dbase, when I run: sa-learn --dump Output: 0.000 0 0 0 non-token data: bayes db version 0.000 0 73 0 non-token data: nspam

[SAtalk] Min Score

2003-08-29 Thread Lucas Albers
I just installed 2.60-rc3. I noticed that the minimum score I am getting on messages is 0.0. Is there a new default minimum score sa will assign email? The lowest score it will give for example, is 0.0? Ideas?

[SAtalk] osirusoft offline

2003-08-27 Thread Lucas Albers
via http://www.slashdot.org http://slashdot.org/article.pl?sid=03/08/27/0214238&mode=thread&tid=111&tid=126 ariehk writes "As of today, Osirusoft, distributor of the SPEWS and open relay blocklists, among others, is no longer operational. Servers using these lists (including the FTC) are currentl

Re: [SAtalk] [SA-Announce] SpamAssassin 2.60-rc2 released!

2003-08-24 Thread Lucas Albers
One question. Q1.) Have you changed the default settings for an installation of SA? Have you changed any of the default header, attachment rewriting, behavior for a default installation, from 2.55 to 2.60? --Luke

Re: [SAtalk] Spam Filter Comparisons

2003-08-24 Thread Lucas Albers
I would have liked to see the comparison where all the network tests and bayes db were enabled. > Hi, > > Thought you all might be interested in this article on freshmeat.net: > > http://freshmeat.net/articles/view/964/ > > Later-- > Tim

Re: [SAtalk] Anti Viral Scanning

2003-08-24 Thread Lucas Albers
> On Sat, 23 Aug 2003, Greg Ennis wrote: > >> Dear List Users, >> >> I need to install a site wide scanner for spam and viral packets of >> e-mail >> that will be resident for the server as well as e-mail packets that will >> be >> relayed to an internal server. >> Greg Ennis > > Check out MailSca

Re: [SAtalk] Configure to delete messages

2003-08-22 Thread Lucas Albers
I use sendmail+mimedefang+spamassassin for my spam rejections. Someone else on the list will tell you how to do it using postfix. Need to use the beta version of postfix. I also recommend rejecting at a higher level, and tagging at a lower level. I started rejecting at 15 and working my way down t

Re: [SAtalk] Configure to delete messages

2003-08-20 Thread Lucas Albers
> On Wed, 2003-08-20 at 16:24, Daniel Kaliel wrote: >> I have been trying to find documentation on how to do this, but have >> not found any. I spoke with the partnership of my company on this and >> how it is safer not to, instead filtering email on their email client, >> however, they have decid

Re: [SAtalk] Trustic and Spamassassin?

2003-07-28 Thread Lucas Albers
This is mildly related to what you are talking about... I am not sure I would trust trustic in a production mail server for blocking. Yet. I would use it to add spam scores but would not use it as a direct rbl block. For some reason it started blocking mail from my redhat mailing list, which is

Re: [SAtalk] Razor2 vs DCC vs Pyzor ?

2003-07-12 Thread Lucas Albers
Kelson, I made up a new meta rule. It will raise the value for any mail that matches both razor and dcc. Based on your email it appears the false positive rate for mail that matches both razor and dcc is very very low. #matches both razor and pyzor meta MATCH_RAZOR_AND_PYZOR && DCC_CHECK describ

Re: [SAtalk] Razor2 vs DCC vs Pyzor ?

2003-07-10 Thread Lucas Albers
How exactly did you determine what your hit percentage was for DCC, Razor and your RBL's? Could you send me more information on how you accomplished this, as I would like to analyze the results on my mail server. >> >> I've got a similar impression with my corpuses here, the DCC hit >> rate appears

Re: [SAtalk] Adding Perl 5.6.1 to RH Linux 9 that already has Perl 5.8 installed.

2003-07-10 Thread Lucas Albers
> Joe - > > I've been running it on RH 9 since 2.53, and it has been rock solid. I > just > made sure I unset the LANG environment variable before running the > installation. > -- Is it worthwhile to have SA complain loudly if the defined language is utf? Should it refuse to run? Complain on the c

Re: [SAtalk] postfix-2.0.13-20030706

2003-07-10 Thread Lucas Albers
> What's new about it, is that Postfix/amavisd-new - with this snapshot - > can now do realtime smtp 5xx rejection of spam/virus (or save them to a > quarantine directory, as before.) That lifts Postfix into SA-Exim 4's > class as far as I'm concerned and I'm happy to be able to support it :-) > >

Re: [SAtalk] Anti-virus suggestions requested

2003-07-10 Thread Lucas Albers
I used this method. I recently upgraded to File::Scan + Mcafee Uvscan on mimedefang to detect zipped copies of the sobig virus. File::Scan will not detect viruses that are zipped. --luke > > Get the PERL module File::Scan and load it. Then get the MimeDefang > package > and install it. Mimedefang is

Re: [SAtalk] Web interface to allow remote users to set whitelists/blacklist?

2003-06-19 Thread Lucas Albers
webuserprefs http://freshmeat.net/projects/webuserprefs/?topic_id=29 About: WebUserPrefs is a Web-based editor for SpamAssassin user preferences. It is written in PHP and supports whitelist and blacklist directives, as well as others through a simple plugin architecture. > Is there a web interfac

[SAtalk] Setting local values for rbl checks

2003-06-18 Thread Lucas Albers
I am trying to set the values for rbl checks. I add the following entries to /etc/mail/spamassassin/local.cf RCVD_IN_ORBS 0 #no longer in service RCVD_IN_BL_SPAMCOP_NET 4.0 RCVD_IN_OSIRUSOFT_COM 4.0 RCVD_IN_RELAYS_ORDB_ORG 4.0 It appears to not see my entries correctly. When I run: spamassassin

Re: [SAtalk] Training SA based on Outlook mailboxes

2003-05-31 Thread Lucas Albers
There is another potential method you could use. Use the isbg.py imap python script to access the folders via imap and learn the spam. http://www.rogerbinns.com/isbg/ You could also use winbind to use the correct NT usernames for the imap connection from the linux box. http://nic-ks.greatplains.n

FW: [SAtalk] Bayes site-wide?

2003-03-11 Thread Lucas Albers
After upgrading the perl db for SA, do you have to do anything to the existing databases? Or does it just work… -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Byrnand 2.50 by default auto-learns from ham with scores less than -2 an

FW: [SAtalk] Auto-whitelist addresses

2003-03-03 Thread Lucas Albers
From documentation: # Whitelist and blacklist addresses are now file-glob-style patterns, so # "[EMAIL PROTECTED]", "[EMAIL PROTECTED]", or "*.domain.net" will all work. # whitelist_from [EMAIL PROTECTED] > --Luke > --Computer Science Sysadmin, MSU Bozeman > --admin(AT)cs.montana.edu 994

FW: [SAtalk] Re: How can I block/reject HTML-only mails ???

2003-03-02 Thread Lucas Albers
Can't you also use mime-defang to convert the html to text? Wouldn't a better solution be to add the X-Spam-Status: Yes header, but not rewrite the mail as plain text? Nice little procmail script, steadily learning how to do things with procmail, thanks! -Original Message- From: [EMAIL P

FW: [SAtalk] Odd score

2003-03-01 Thread Lucas Albers
You're assuming most spammers are smart and are going to go the real technical route. In the long term, yes. Most of them are just in it for the short term buck, and if it's possible to block all the script-spammers with a dsl account, then sa is a good thing. You mentioned that the update time wa

[SAtalk] trying to understand why rule got such a high value; got flagged on a spam - attached

2003-03-01 Thread Lucas Albers
I got the following spam... Why does the following test have such a huge minus score to it? SIGNATURE_LONG_SPARSE (-5.8 points) Long signature present (empty lines) -Original Message- From: John F. [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 8:40 PM To: Subject: Why your