On Sat, Jan 24, 2004 at 12:53:27AM -0500, Scott Lambert wrote:
> The attached message sent through spamcop has tripped the
> FORGED_MUA_MOZILLA. Maybe it needs to be looked at?
I would say bad behavior by spamcop. They added:
X-Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/10
The attached message sent through spamcop has tripped the
FORGED_MUA_MOZILLA. Maybe it needs to be looked at?
--
Scott Lambert KC5MLE System Administrator
Attention Customers:
Refer-A-Friend and receive one month of service for free!
For further details, please visit: ht
ilto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:44 PM
To: "Mitch (WebCob)"
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] False positive on MAILTO_TO_SPAM_ADDR
At Mon Jan 5 18:42:45 2004, "Mitch \(WebCob\)" wrote:
>
> /usr/share/spamassassin/20_uri_tests.cf:uri MAILTO_T
At Mon Jan 5 18:42:45 2004, "Mitch \(WebCob\)" wrote:
>
> /usr/share/spamassassin/20_uri_tests.cf:uri MAILTO_TO_SPAM_ADDR
> /^mailto:[a-z]+\d{2,}\@/is
> /usr/share/spamassassin/20_uri_tests.cf:describe MAILTO_TO_SPAM_ADDR
> Includes a link to a likely spammer email
>
> The way I read this test (
/usr/share/spamassassin/20_uri_tests.cf:uri MAILTO_TO_SPAM_ADDR
/^mailto:[a-z]+\d{2,}\@/is
/usr/share/spamassassin/20_uri_tests.cf:describe MAILTO_TO_SPAM_ADDR
Includes a link to a likely spammer email
The way I read this test (and I may be wrong here) is that an HTML or other
message containing m
At 12:17 PM 12/28/2003, Simon Matthews wrote:
Specifically, the RCVD_IN_DYNABLOCK
check. Note that 192.168.10.250 is a local (within the LAN) relay.
If you're going to use 192.168.*.* networks, add them to your
trusted_networks statement and it should clear things up a bit.
---
Matt,
Thanks for the suggestion.
I checked in the logfiles and it looks like the 192.168.10 domain is
already treated as trusted (ie. spamassassin infers automatically that it
is trusted).
I see lines in the logfile such as:
debug: received-header: relay 192.168.10.250 trusted? yes
Simon
At 0
The email below originated from a dynamic IP address, but was sent via a
normal relay. However, the origin IP address triggered some RBL checks
that I don't think it should have. Specifically, the RCVD_IN_DYNABLOCK
check. Note that 192.168.10.250 is a local (within the LAN) relay.
Also the email
At 02:16 PM 12/11/2003, Satya wrote:
Okay, it seems to me that blocking because someone is in a dynablock
is the same class as blocking because the email comes from .ru or East
Asia or is in the wrong langauge. I guess I'll just start blocking all
email from Earthlink (I don't know anyone there), S
On Dec 11, 2003 at 13:05, Ryan Moore wrote:
>Their database isn't wrong, as the IP is listed as being in a dialup
>range, which would appear to be accurate by my guess. I would think that
Okay, it seems to me that blocking because someone is in a dynablock
is the same class as blocking because th
At 12:42 PM 12/11/2003, Chris Barnes wrote:
I got a false positive this morning, where it looks like the main
culprit was bad information in SORBS and RJABL. The sender is a local
Earthlink customer.
Any idea on how to get the SORBS & RJABL databases fixed?
Those lists that fired off are dial-up
Their database isn't wrong, as the IP is listed as being in a dialup
range, which would appear to be accurate by my guess. I would think that
the default rulesets are setup in such a way that it wouldn't catch that
sort of hit, since they did relay through the ISP's server, perhaps
someone else
I got a false positive this morning, where it looks like the main
culprit was bad information in SORBS and RJABL. The sender is a local
Earthlink customer.
Any idea on how to get the SORBS & RJABL databases fixed?
* *
Received: from sdn-ap-015dcwashp0233.dialsprint.net ([63.188.144.233]
Microsoft Windows XP's "Remote Assistance" invitations trigger a false
positive for me.
Relevant headers:
Message-ID: <[EMAIL PROTECTED]>
Subject: YOU HAVE RECEIVED A REMOTE ASSISTANCE INVITATION FROM: Nikki
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_000
ROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Evan
> Platt
> Sent: Tuesday, September 30, 2003 12:05 PM
> To: SpamAssassin
> Subject: Re: [SAtalk] False Positive: Delivery Status Notification
> (Failure)
>
>
> --On Tuesday, September 30, 2003 11:28 AM -0600 Dan Tappin
--On Tuesday, September 30, 2003 11:28 AM -0600 Dan Tappin
<[EMAIL PROTECTED]> wrote:
> I have a bunch of these hotmail failure notices being tagged as SPAM.
> Does any one have a quick fix for this?
>
> I am guessing a rule to give a low score to the <> return path combined
> with a '[EMAIL PROT
I have a bunch of these hotmail failure notices being tagged as SPAM. Does
any one have a quick fix for this?
I am guessing a rule to give a low score to the <> return path combined with
a '[EMAIL PROTECTED]' from header.
I am pretty new to SA so any help on creating a rule would be great. I
se
BA> On Mon, 10 Feb 2003 11:24:51 - Kevin Anthoney
BA> <[EMAIL PROTECTED]> wrote:
BA> > Apologies for top posting, BTW. I'm at work, hence $£@@@#!! Outlook.
http://www.flash.to/oe-quotefix/ >
--
/\___/\ /\___/\
\_@ @_/
On Mon, 27 Jan 2003 the voices made Matt Kettler write:
MK> (hmm, I see this tempting Tony and several others to send me a bunch of
MK> non-spam emails in a language I don't speak... hmm)
Vad får dig att tro det? ;-)
Honestly, I don't have much non-english e-mails that either aren't personal o
Hmm, well, it looks like I'll have to agree with the 8bit-header call.. but
I think the SUBJ_FULL_OF_8BITS is incorrect and representative of a genuine
SpamAssassin bug.
For the 8bit header part, this received: line has an interesting DNS lookup
answer for a PTR lookup of 10.91.4.225... can't s
ore the GA generated
is pretty well placed.
At 03:14 PM 1/24/2003 -0500, [EMAIL PROTECTED] wrote:
-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Friday, January 24, 2003 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] False positive for foreign language
>>>
On Sat, 2003-01-04 at 18:13, Ben Jackson wrote:
> On Sat, Jan 04, 2003 at 12:40:38PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> > [the following false positive:]
> > Thank you for your message regarding
> > Systematic scanning from 209.241.48.162
>
> I have a personal SA rule that'
On Sat, Jan 04, 2003 at 09:13:02AM -0800, Ben Jackson wrote:
> I don't see any way for the default rlueset to have any of the rules
> that I find most effective for avoiding false positives:
>
> - mentions my IP address
> - uses my real name
> - includes part of my address
> - mentions keyword
On Sat, Jan 04, 2003 at 12:40:38PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> [the following false positive:]
> Thank you for your message regarding
> Systematic scanning from 209.241.48.162
I have a personal SA rule that's worth -5 for my cable modem IP address.
I don't see any wa
On 2003-01-04 12:40:38 +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> I know this is probably not very relevant with 2.5 release so soon.
> Anyway - see the attached message. Would have scored even higher (8.7)
> with 2.43 default scores.
Tell them to generate valid dates and use a senders n
Yo!
I know this is probably not very relevant with 2.5 release so soon.
Anyway - see the attached message. Would have scored even higher (8.7)
with 2.43 default scores.
--
featured link: http://fortytwo.ch/gpg/subkeys
--- Begin Message ---
Thank you for your message regarding
Systematic
Perhaps this bug would be worth a read:
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1074
In short, X_OSIRU_DUL_FH should, in theory, be negative and that
X_OSIRU_DUL is as it should be. However the GA assigned a small positive
score to X_OSIRU_DUL_FH. I might theorize this as suggesti
Check these headers and the Spamassassin 2.43 results (real email addresses
DELETED):
Received: from out005.verizon.net ([206.46.170.143] verified)
by ctgusa.com (CommuniGate Pro SMTP 4.0.1)
with ESMTP id 1052087 for DELETED; Mon, 23 Dec 2002 12:27:03 -0500
Received: from 2hgnl01 ([138.88.118.
On Thu, Dec 19, 2002 at 09:39:17PM -0500, James R. Van Zandt wrote:
> The announcement of Debian 3.0r1 was labeled as spam, with these hits:
>
> Anyway, I'd appreciate your adding this to your "nonspam" corpus.
> (I hope you don't mind the attachment.)
Hrm.
2.43:
X-Spam-Status: No, hits=-1.3 req
On Thu, Dec 19, 2002 at 09:39:17PM -0500, James R. Van Zandt wrote:
>
> The announcement of Debian 3.0r1 was labeled as spam, with these hits:
>
> SPAM: Hit! (2.7 points) BODY: Claims you can be removed from the list
> SPAM: Hit! (2.4 points) BODY: No such thing as a free lunch (2)
> SPAM: Hit!
The announcement of Debian 3.0r1 was labeled as spam, with these hits:
SPAM: Hit! (2.7 points) BODY: Claims you can be removed from the list
SPAM: Hit! (2.4 points) BODY: No such thing as a free lunch (2)
SPAM: Hit! (1.8 points) No MX records for the From: domain
The mentions of "free" had to
Hmm you're report regards SpamAssassin 2.20, a rather old version of SA to
say the least, Using the current release version of spamassassin (2.43) I
get a negative score for this mailing.
In the future, please realize that if you're running an old version of SA,
you should test against a semi-r
ost honest response." --Marty Indik
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jon
> Gabrielson
> Sent: Thursday, November 07, 2002 4:52 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] false positive
>
>
> I have a f
I have a false positive where the presense of
a [u in the subject line i.e. [unknown] or [usa]
causes:
SPAM: UNDESIRED_LANGUAGE_BODY (4.0 points) BODY: Written in an undesired
language
When i remove [u from the subject line this rule no longer
triggers.
Can someone explain to me why this is
How would one go about gathering stats to check to see if an email is
truly a false positive or false negative? Do you put a link at the top
(or bottom) of each email saying 'if this is spam, click here. if this
is not spam, click here' which gets counted/analyzed somewhere?
Jeremy
--
On Thu, Oct 24, 2002 at 10:09:37AM +0200, Thomas -Balu- Walter wrote:
> Today I got a false positive for a mail generated by the
> postfix-log-analyzer "pflogsumm", because of the following hits:
>
> SPAM: Start SpamAssassin results --
> SPAM: This mail is
Today I got a false positive for a mail generated by the
postfix-log-analyzer "pflogsumm", because of the following hits:
SPAM: Start SpamAssassin results --
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise
On Wed, 2002-10-02 at 10:37, Johnny L. Wales wrote:
> Hiya!
>
> Is there some place where I can send my false positives? As a
> for-instance, I got a message from sourceforge which said my mailing list
> ID was about to expire, and it got tossed in my SpamAssassin folder. I'd
> like to show it to
Hiya!
Is there some place where I can send my false positives? As a
for-instance, I got a message from sourceforge which said my mailing list
ID was about to expire, and it got tossed in my SpamAssassin folder. I'd
like to show it to you, but it looks like I already deleted it.
--
Johnny Wales
I vote for "liability for personal injury or death" -- how
likely is a spammer to stick that in their messages?
C
On Sunday, July 14, 2002, at 11:47 AM, Suzanne Britton wrote:
> In the many months I've been using SpamAssassin, I've only seen
> one false
> positive. I just checked it against
In the many months I've been using SpamAssassin, I've only seen one false
positive. I just checked it against the latest SA and it still gets flagged.
I wonder if this could have been avoided (other than by raising the threshold,
of course)?
Suzanne
- ---
>From tril We
At 2:27 PM -0400 on 4/22/02, Duncan Findlay wrote:
> > Or is a threshold of 5 too low ? What do other people use ?
>
>I use 4.0, and I'm very happy.
I use 3.7 and I'd argue that I'm slightly happier. ;-)
Gawain
___
Spamassassin-talk mailing list
[E
On Sun, Apr 21, 2002 at 02:56:02PM +0200, Klaus Heinz wrote:
> With the new version 2.20 I got a false positive with a newsletter
> I receive.
>
> X-Spam-Status: Yes, hits=6.8 required=5.0 tests=EXCUSE_3,
> HTTP_WITH_EMAIL_IN_URL version=2.20
> X-Spam-Report: 6.8 hits, 5 required;
>
7 is the most common at my site.
---
Ed.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric
> S. Johansson
> Sent: Sunday, April 21, 2002 4:44 PM
> To: Klaus Heinz; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] false positive
> I've been using SA for about 2 months now and have been running with the
> default threshold of 5 hits.
>
> With the new version 2.20 I got a false positive with a newsletter
> I receive.
My very first hit with SA was on a subscribed newsletter, mostly caused by
CTYPE_JUST_HTML. Within a day I
> >Or is a threshold of 5 too low ? What do other people use ?
>
> I typically use 8 to 9
I keep my threshold at 7.0 for 2.11 and that seems to work as well for the
current release. I have about one spam message slip through for every 30-40
that are caught, but only about half of those that slip
I think one thing we're learning with each x.y0 release of spamassassin is that
rule scores need to be tweaked after the GA runs, and that within a week or so
after x.y0 we need to release x.y1, which fixes almost all scoring issues. I
agree that 4.1 is probably a little high for that rule; proba
At 02:56 PM 4/21/2002 +0200, Klaus Heinz wrote:
>Or is a threshold of 5 too low ? What do other people use ?
I typically use 8 to 9
--- eric
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassi
Hi,
I've been using SA for about 2 months now and have been running with the
default threshold of 5 hits.
With the new version 2.20 I got a false positive with a newsletter
I receive.
X-Spam-Status: Yes, hits=6.8 required=5.0 tests=EXCUSE_3,
HTTP_WITH_EMAIL_IN_URL version=2.20
X-Spa
On Thu, Mar 07, 2002 at 01:33:04PM -0500, Matthew T. Jachimstal wrote:
> The following email (full headers and SA report only) is getting falsely
> marked as spam, even though we have 'whitelist-from *@techdata.com' in
> /etc/mail/spamassassin/local.cf.
If you're using spamd, did you restart it a
The following email (full headers and SA report only) is getting falsely
marked as spam, even though we have 'whitelist-from *@techdata.com' in
/etc/mail/spamassassin/local.cf.
My suspicion is that the From: Header is actually 'FROM:', and the case
difference is causing the problem. Is there any
this one caught on
subject contains ?
received yahoo header
received from known spam-harbour
recevied from relay in relays.osirusoft
how to make sa ignore this email?
--
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
a
I think this is interesting because it points at a place where the
TO_LOCALPART_EQ_REAL test may be commonly triggered (besides dman's
username) -- mail to mailing lists.
This may even be likely, if the user uses some kind of address book, and puts
in the list's name in the name field, and if the
Yeah, I guess I should send myself a hotmail message and see how they've
changed headers...
C
On Thu, 2002-02-21 at 07:20, Dallas Engelken wrote:
> > I was just debugging some (non-spamassassin related) mail problems so I
> > sent a message from a hotmail account to my real mail address. It was
> I was just debugging some (non-spamassassin related) mail problems so I
> sent a message from a hotmail account to my real mail address. It was
> tagged with FORGED_HOTMAIL_RCVD even though it was sent from hotmail.
> This is with the Spamassassin in Debian unstable.
FYI
This has been covered
ty of Northern Iowa
- -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Henrik Enberg
Sent: Thursday, February 21, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] False positive on FORGED_HOTMAIL_RCVD test
FYI,
I was just debugging some (non-spamas
FYI,
I was just debugging some (non-spamassassin related) mail problems so I
sent a message from a hotmail account to my real mail address. It was
tagged with FORGED_HOTMAIL_RCVD even though it was sent from hotmail.
This is with the Spamassassin in Debian unstable.
--
We spent a lot of time
<:->Get a smart net
> -Original Message-
> From: Michael Moncur [mailto:[EMAIL PROTECTED]]
> Sent: 31 January 2002 07:38
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] False positive in HTTP_ESCAPED_HOST rule
>
>
> I had a false positive today from a non-spam (b
I had a false positive today from a non-spam (but semi-commercial) message and it
appears to be a bug, albeit one that isn't too likely to occur, in the
HTTP_ESCAPED_HOST rule. Since this rule is scored at 4.0 I thought I should mention it.
Here's the text that triggered the score:
-
Check
jm> wierd. for 3 months, nobody but spammers sent HTML-only mail, now
jm> everyone's doing it :( Better mod the score downwards...
cewatts> Is the really high HTML-only score a GA-created one? WOW, is
cewatts> that high.
jm> yeah, goes to show how effective it was, until all these other
jm> m
- Original Message -
From: "Charlie Watts" <[EMAIL PROTECTED]>
> On Wed, 23 Jan 2002, Daniel Rogers wrote:
>
> > I think that 4.33 might be a little aggressive for HTML-only mail.
> > Especially with a default threshhold of 5.
>
> > Finally, I see why this matches the 'Forged eudoramail.c
Charlie Watts said:
> Is the false eudoramail.com hit because of an editing mistake? It looks
> like the forged eudoramail and forged excite checks are almost identical.
> I wonder if there was a copy/paste that didn't get edited ...
> Justin/Craig?
mea culpa ;)
> Is the really high HTML-only
Daniel Rogers said:
> I've attached the message below. I think that 4.33 might be a little
> aggressive for HTML-only mail. Especially with a default threshhold of 5.
> Also, I know a lot of people aren't clued enough to realize that the 'full
> name' box is supposed to be their full name and
Looks like Justin just checked that in right before release... might well be buggy -- certainly would have thought the check for from excite.com should be something else for eudoramail...
The score for HTML only is GA-evolved. My GA actually scores it even higher than justin's against the s
On Wed, 23 Jan 2002, Daniel Rogers wrote:
> I think that 4.33 might be a little aggressive for HTML-only mail.
> Especially with a default threshhold of 5.
> Finally, I see why this matches the 'Forged eudoramail.com' test, but
> should it? It seems like a perfectly valid set of excite.com head
65 matches
Mail list logo
