> Haven't seen the spam but one of these should work if your
> example text is always the same:
No, it's different... started out being non-obfuscated, but has gradually gotten more
and more "l337".
-id
---
This SF.net email is sponsored b
> Anyone have any good obfuscation rules for p4r1s h1|+0n spam? I'm
> getting a ton of these every day...
http://sandgnat.com/cmos/cmos.jsp gave me a good result, but will not match
a plus sign to substitute for a 't' character.
-id
Anyone have any good obfuscation rules for p4r1s h1|+0n spam? I'm getting a
ton of these every day...
-id
> did you mean:
> rawbody W98_UNSUBSCRIBE4 /prefer not to(?: )?see/i
> Better yet:
> rawbody W98_UNSUBSCRIBE4 /prefer not to[ ]?see/i
> or even:
> rawbody W98_UNSUBSCRIBE4 /prefer not to ?see/i
Ah, didn't know I needed a trailing ? after the set of parentheses, I
thought the syntax was only
> Just my $0.02, but I'd make it this:
>
> color=("?\#?F[0-9A-F]F[0-9A-F]F[0-9A-F]"?|"?white"
FYI, you should also change
color=
to
color(=|=3D)
since I've had some spam slip through because the '=' is converted to =3D in
the raw body.
-id
My rule definition:
rawbody W98_UNSUBSCRIBE4 /prefer not to(?: ) see/i
I want this to catch "prefer not to see" and "prefer not tosee" but the
(?: ) doesn't seem to catch whether the space exists or not.
Spam message contains:
If you'd prefer not tosee subsequent offers:
I searched through
> >to 'pool.com' and/or 'thewizard.net' to solve the problem at the source?
>
> Yes. And without reply...
I had to deal with this on a mailing list of thousands of users. My only
recourse was to write a quick-n-dirty Perl script to run through the
subscriber list and send everyone a very official
> describe MY_RBDY_INVSTXT MY: Invisible text color
> rawbody MY_RBDY_INVSTXT / color=("?\#?F[0-9A-F]"?|"?white"?).*>/i
> score MY_RBDY_INVSTXT 2.0
Just my $0.02, but I'd make it this:
color=("?\#?F[0-9A-F]F[0-9A-F]F[0-9A-F]"?|"?white"
.. spammers will use more than just the l
> Anyway, I downloaded the sources, built it, and installed it with no
> problems. I rebuilt the Bayes db. When I started it (in debug mode) it
> logged this and then exited:
My first install (2.55) was via CPAN, and upgraded (also via CPAN) to 2.60
on RedHat 7.3 and had zero problems.
-id
--
(sorry, my Email client got all funky on me this morning, yay Microsoft...)
> Anything that needs to be watched out for when upgrading from
> source install
> to CPAN? I usually do source, but figured I would try CPAN for
> SA, as it has
> worked great for other packages.
I upgraded from a CPAN
> Now you've got me interested. how did you get those stats?
I can't take credit for it.
I turned on logging in SpamAssassin and MailScanner, and Mike Andrews on the
list here submitted a script a few weeks ago that I tweaked a tiny bit
although his worked fine on its own. My maillogs rotate on
> err, i'm not sure how you setup your spamassassin but i have
> mailscanner going well cos it supports a virus scanner as well.
I second that opinion. MailScanner/ClamAV/SA 2.60, and working great on a
small-volume server:
Spam/Mail Statistics;
Total spamassassin rejected scanne
Sorry for the confusion on this...
I have some custom code that splits MailScanner's archive of all incoming
mail into known spam and ham, then I manually move what's left in the
archive into the spam/ham mbox files and then run sa-learn on the spam/ham
mailboxes and then append them to archives o
> my @otherstuff = sort {
> (my $numa) = ($a =~ m/\.(\d+)\./);
> (my $numb) = ($b =~ m/\.(\d+)\./);
> $numa <=> $numb || $a cmp $b
> } @stuff;
you rock, i owe ya a beer ;o)
-id
> SpamAssassin drinking game:
>
> sips for "How can I get SpamAssassin to delete spams?
> sips for "Unsubscribe me please"
> sips for "Subscribe me please"
> sips for "Quit reading my e-mail!"
For every good, tested rule you create that works, everyone else takes
sips
---
My new mailstats.pl script (matt's script with a few tweaks) is giving me
some grief.
My maillog files are named:
maillog (for today)
maillog.1.gz
maillog.2.gz
etc
maillog.10.gz
etc
When Matt's script does the 'sort', it sorts it as:
maillog
maillog.1.gz
maillog.10.gz
maillog.11.gz
maillog.2.gz
> since http://rd.yahoo.com/*http://taint.org works also
Man, how hard would it be for Yahoo to look at an environment setting to
determine which page referred the user's browser to this redirect, and NOT
redirect if the previous page visited was not a Yahoo home page? Geez...
Would stop this abus
> seem to catch something 'spamish' in just about any email now.. so my
> threshold of 5.5 just doesn't seem practical..
>
> What threshold most of you use out there?
My low threshold is 5.0, and my high was 8.0, but I found even with Bayes_90
set at 6.00, I still get a ton of spam scoring 7.4-7.8
> But the line that contains "is spam" doesn't seem to increment the counter.
> /shrug still looking at that myself.
... because I upgraded to SA 2.60 this week and set MailScanner to log spam
messages via syslog, which wasn't in place for last week.
(slapping self upside the head)
For this week
> You will need to adjust the search string to match your mail logs.
Here's my maillog snippet:
Oct 30 14:12:40 ns1 MailScanner[3201]: New Batch: Scanning 1 messages, 4214
bytes
Oct 30 14:12:40 ns1 MailScanner[3201]: Archived message h9UMAPR07828 to mbox
file /var/spool/MailScanner/archive
Oct
> > my $s = grep /is spam/, @wholefile; # spam
My log does have "is spam" in the log yet the script is returning 0's for me as
well.
Trying to hunt it down. I've even tried other strings from the
MailScanner-generated logs from /var/log/maillog to no avail.
-id
---
> Rather than reducing the values of those scores, why don't you:
> 1) Have outgoing email not get checked by SA (what's the point of that
> anyway?)
It keeps your own users in line by dumping any spam before they send it through
your box. Great for trapping any open relay issues as well, I'd thin
Right now I have MailScanner configured to delete high scoring spam so it
doesn't end up in my user's mailbox, but what about the 'bounce' option?
I'd *really* like to find a way to spoof a 550 error or a 'user unknown' error
that bounces back, just in case the people on the other end ARE cleaning
Am I the only one who's received a half dozen copies of this reply from Chris
from the mailing list?
Chris, is your mailer stuck in a loop or something?
-id
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chris
> Trudeau
> Sent: Thursday, October 23,
> http://www.stearns.org/sa-blacklist/sa-blacklist.current
What's the best way to implement this? Add it on to the end of my MailScanner's
pref's file for SA?
-id
My primary domain is w98.us, my other domain is wild98.com ... so effectively
you'd cancel out my Email, correct?
-id
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Fred
> I-IS.COM
> Sent: Thursday, October 23, 2003 12:24 PM
> To: Spamassassin-Talk
> Altho not thru SA, I created a set of programs that scan my qmail queue for
> doublebounces & whatnot, scan the headers of normal messages and/or
> doublebounces & log the IP addresses into a postgresql database.
sendmail has an operative for double bounces to redirect those messages to
another
> If you allow shell access, you therefore effectively allow any user to
> meddle with any other user's SA prefs, AWL, and Bayes files if you do
> per-user Bayes as well. :/
Not an issue with chroot'd shell access though ;o)
-id
> Going from 2.5x to 2.6x should be pretty painless and "just work".. the
> only problem cases I've seen are when people use spamd with "-u root"
> (2.60's spamd bails out if you try to force it to always run as root).
If we're not using spamd, can a CPAN shell 'install' for SA upgrade without a
> Charles Gregory wrote:
> > When we first started using SA, I kept a casual eye on the personal files
> > in .spamassassin, and did not see anything particularly problematic, but
> > NOW I see auto-whitelist and 'bayes' files that are exceeding 1MB in size,
> > each. Is this 'normal'?
Any permis
> We are having a problem with our backend server filling up the root mailbox
> with NDRs of users that are no longer with the company and I am trying to get
> my brain wrapped around the whole SMTP process.
If the postmaster account is filling up with messages about trying to notify the
original
> Spammers DDoS'd them off the net. Stop checking their DNSBL and tell
> others to stop using it too. monkeys.com is dead.
Okay, thanks.
-id
Anyone have any information on infinite-monkeys on how to contact them regarding
getting removed from their systems?
When I enable IM in my MailScanner setup for SpamAssassin, all outgoing mail
from my servers gets kicked into la-la land - I scan all outgoing Email -
because it's matching on Infin
Hey folks.
Left the list for a while but re-subscribed 'cause I have a question to ask:
I have MailScanner running SA for me on 2 different servers and got everything
working VERY well about two months ago.
Within the last 3 weeks, both servers, which are secured and protected against
open relay
Just got this from TopFive's Ruminations collection:
"I think spammers are starting to lose it. Just today I received an offer to
lower my mortgage by three inches." - James Smarjesse
Thought it was hilarious and wanted to share it with fellow spam-blocking
enthusiasts!
-id
obligatory copyrig
> This can be quickly pulled from a whois lookup.
There's always the catch that the standard 'whois' lookup will only look for
.com, .net and .edu domains. If you get a 2-letter domain like .us or .ca or
.it, etc., you need to use a specialized whois tool. Anyone know of any more
"global" whois
> I'm new to spamassassin. I'm using spamassassin and sendmail installed
> from redhat 9. I also have Mailscanner installed. It looks like
> spamassassin doesn't look at the users user_prefs file. Is there a way
> to configure spamassassin to look at the user_prefs file?
The MailScanner.conf file
I currently have MailScanner set to archive all incoming messages to grab Email
for sa-learn. In the archive, before MY SpamAssassin headers get added, I saw
this message and had to chuckle:
Received: from localhost [127.0.0.1] by quantum.paraphysics.com
with SpamAssassin (2.55 1.174.2.19-2003
> I have some domain mail that is getting tagged as spam that is in my
> whitelist.cf. It almost appears the math is getting computed backwards. If
> something is getting an auto-whitelist adjustment shouldn't it be a negative
> number? Better yet, if something is in the whitelist shouldn't it g
X-MailScanner-SpamCheck: spam, SpamAssassin (score=7.4, required 6, AWL
0.00,
BAYES_30 -0.93, HTML_40_50 0.74, HTML_FONT_COLOR_BLUE 0.10,
MIME_HTML_ONLY 0.10)
0.00
+ -0.93
+ 0.74
+ 0.10
+ 0.10
---
does NOT equal 7.4 ... I'm no math genius but my $2000 calculator here
run
> H, maybe we should make some new rules that test the ratio of
> invisible text to visible text?
But if the background is BLACK, white text is perfectly acceptable ...
right?
So defining "visible" vs "invisible" is your toughest chore.
-id
---
> > (this one WAS spam, I've since trained and added rules for the content)
> > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=5.1, required 6,
> > AWL 0.00, FROM_OFFERS 4.30, OFFERS_ETC 0.37)
>
> Here I suspect the average of emails from this address is nearly zero
> (or perhaps your
I just got two pieces of Email, and they had these SA headers:
(this one wasn't spam, it was a mailing list with advertisements throughout)
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=5.1, required 6,
CLICK_BELOW 0.00, CONSOLIDATE_DEBT 1.10, LOW_INTEREST 2.29,
NO_FEE 0.5
> (Side question, what's a good gap class, \A or [-_*/\. ], or... ?)
I see spaces, periods, tildes (~), and short comment markers a lot ()
-id
> > But I purposely set one of my rules to "awbody" instead of
> > "rawbody" and --lint didn't catch it.
>
> Which version of SA are you running?
2.55
This started happening yesterday on one of my servers, and just now on another
server and I can't seem to diagnose it (that is, I don't know what to start
looking for).
When I run sa-learn on known spam/ham, I get output like this:
.
> rawbody MY_HTML_OBFU /|<[^pbiu]>/i
> describe MY_HTML_OBFU too long or short HTML comments
> score MY_HTML_OBFU 1.55
Okay, I added a t in the [^pbiu] check since I send out newsletters with tables
in HTML format as well as receive copies of those messages. Wouldn't want those
misappropriately def
> hmm, eval tests for idiots, kinda sounds like loaded shotguns for
> idiots, should reduce the idiot count but is that really what is
> desired? :)
Oh, I'd be quite happy with less idiots in the world ;o)
Wait, was that out loud?
-id
Hey all,
Got a spam with a whole bunch of or or some other letter of the
alphabet separating various 'catch' words/phrases.
I'd like to do something like this:
body COMMENT_GAPS_1 /<\![A-Z]>/i
describe COMMENT_GAPS_1 etc
score COMMENT_GAPS_1 0.1
body COMMENT_GAPS_2
> a friend blocked all mail from france as a joke once, cos he didn't
> like the french and didn't know anyone there
>
> cut down on spam by 95%
I block a lot of Asia Pacific, some European countries, etc., at a firewall
level on port 25 because I don't know anybody there either and the mail
comin
> > debug: debug: Only 86 ham(s) in Bayes DB < 200
>
> There's your answer as to why Bayes isn't scoring for you.
Gotcha, thanks.
-id
> First, run spamassassin -tD output. Is bayes even enabled? are there enough tokens?
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin
I've been putting sa-learn through the gears with many thousands of spam
messages (gotta love web hosting 100+ domains most of which do nothing but
collect spam /sigh).
I'm curious how Bayes is *supposed* to be learning... I find that despite
learning from hundreds of MB of spam that spam is still
> When I saw your title I was hoping for a chuckle.
I have a friend that works at Hormel ...I'm sure I could get all kinds of Spam
humor from her.
(Hormel makes the meat they call SPAM)
> Like wise we can go on with more consonants:
>
> score MY_CONSONANT_4 0.15
> score MY_CONSONANT_5
I've been lurking about reading up on training ham mailboxes but don't
generally keep mail on my Linux servers... unless I start making aliases and
extra mailboxes to keep copies on the server and filter it all by hand.
Can sa-learn read Outlook mailboxes? Or does anyone have any
hacks/workarounds