On Sat, Jan 24, 2004 at 12:53:27AM -0500, Scott Lambert wrote:
> The attached message sent through spamcop has tripped the
> FORGED_MUA_MOZILLA. Maybe it needs to be looked at?
I would say bad behavior by spamcop. They added:
X-Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/10
ilto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:44 PM
To: "Mitch (WebCob)"
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] False positive on MAILTO_TO_SPAM_ADDR
At Mon Jan 5 18:42:45 2004, "Mitch \(WebCob\)" wrote:
>
> /usr/share/spamassassin/20_uri_tests.cf:uri MAILTO_T
At Mon Jan 5 18:42:45 2004, "Mitch \(WebCob\)" wrote:
>
> /usr/share/spamassassin/20_uri_tests.cf:uri MAILTO_TO_SPAM_ADDR
> /^mailto:[a-z]+\d{2,}\@/is
> /usr/share/spamassassin/20_uri_tests.cf:describe MAILTO_TO_SPAM_ADDR
> Includes a link to a likely spammer email
>
> The way I read this test (
At 12:17 PM 12/28/2003, Simon Matthews wrote:
Specifically, the RCVD_IN_DYNABLOCK
check. Note that 192.168.10.250 is a local (within the LAN) relay.
If you're going to use 192.168.*.* networks, add them to your
trusted_networks statement and it should clear things up a bit.
---
Matt,
Thanks for the suggestion.
I checked in the logfiles and it looks like the 192.168.10 domain is
already treated as trusted (ie. spamassassin infers automatically that it
is trusted).
I see lines in the logfile such as:
debug: received-header: relay 192.168.10.250 trusted? yes
Simon
At 0
At 02:16 PM 12/11/2003, Satya wrote:
Okay, it seems to me that blocking because someone is in a dynablock
is the same class as blocking because the email comes from .ru or East
Asia or is in the wrong langauge. I guess I'll just start blocking all
email from Earthlink (I don't know anyone there), S
On Dec 11, 2003 at 13:05, Ryan Moore wrote:
>Their database isn't wrong, as the IP is listed as being in a dialup
>range, which would appear to be accurate by my guess. I would think that
Okay, it seems to me that blocking because someone is in a dynablock
is the same class as blocking because th
At 12:42 PM 12/11/2003, Chris Barnes wrote:
I got a false positive this morning, where it looks like the main
culprit was bad information in SORBS and RJABL. The sender is a local
Earthlink customer.
Any idea on how to get the SORBS & RJABL databases fixed?
Those lists that fired off are dial-up
Their database isn't wrong, as the IP is listed as being in a dialup
range, which would appear to be accurate by my guess. I would think that
the default rulesets are setup in such a way that it wouldn't catch that
sort of hit, since they did relay through the ISP's server, perhaps
someone else
ROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Evan
> Platt
> Sent: Tuesday, September 30, 2003 12:05 PM
> To: SpamAssassin
> Subject: Re: [SAtalk] False Positive: Delivery Status Notification
> (Failure)
>
>
> --On Tuesday, September 30, 2003 11:28 AM -0600 Dan Tappin
--On Tuesday, September 30, 2003 11:28 AM -0600 Dan Tappin
<[EMAIL PROTECTED]> wrote:
> I have a bunch of these hotmail failure notices being tagged as SPAM.
> Does any one have a quick fix for this?
>
> I am guessing a rule to give a low score to the <> return path combined
> with a '[EMAIL PROT
BA> On Mon, 10 Feb 2003 11:24:51 - Kevin Anthoney
BA> <[EMAIL PROTECTED]> wrote:
BA> > Apologies for top posting, BTW. I'm at work, hence $£@@@#!! Outlook.
http://www.flash.to/oe-quotefix/ >
--
/\___/\ /\___/\
\_@ @_/
On Mon, 27 Jan 2003 the voices made Matt Kettler write:
MK> (hmm, I see this tempting Tony and several others to send me a bunch of
MK> non-spam emails in a language I don't speak... hmm)
Vad får dig att tro det? ;-)
Honestly, I don't have much non-english e-mails that either aren't personal o
Hmm, well, it looks like I'll have to agree with the 8bit-header call.. but
I think the SUBJ_FULL_OF_8BITS is incorrect and representative of a genuine
SpamAssassin bug.
For the 8bit header part, this received: line has an interesting DNS lookup
answer for a PTR lookup of 10.91.4.225... can't s
ore the GA generated
is pretty well placed.
At 03:14 PM 1/24/2003 -0500, [EMAIL PROTECTED] wrote:
-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Friday, January 24, 2003 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] False positive for foreign language
>>>
On Sat, 2003-01-04 at 18:13, Ben Jackson wrote:
> On Sat, Jan 04, 2003 at 12:40:38PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> > [the following false positive:]
> > Thank you for your message regarding
> > Systematic scanning from 209.241.48.162
>
> I have a personal SA rule that'
On Sat, Jan 04, 2003 at 09:13:02AM -0800, Ben Jackson wrote:
> I don't see any way for the default rlueset to have any of the rules
> that I find most effective for avoiding false positives:
>
> - mentions my IP address
> - uses my real name
> - includes part of my address
> - mentions keyword
On Sat, Jan 04, 2003 at 12:40:38PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> [the following false positive:]
> Thank you for your message regarding
> Systematic scanning from 209.241.48.162
I have a personal SA rule that's worth -5 for my cable modem IP address.
I don't see any wa
On 2003-01-04 12:40:38 +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> I know this is probably not very relevant with 2.5 release so soon.
> Anyway - see the attached message. Would have scored even higher (8.7)
> with 2.43 default scores.
Tell them to generate valid dates and use a senders n
Perhaps this bug would be worth a read:
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1074
In short, X_OSIRU_DUL_FH should, in theory, be negative and that
X_OSIRU_DUL is as it should be. However the GA assigned a small positive
score to X_OSIRU_DUL_FH. I might theorize this as suggesti
On Thu, Dec 19, 2002 at 09:39:17PM -0500, James R. Van Zandt wrote:
> The announcement of Debian 3.0r1 was labeled as spam, with these hits:
>
> Anyway, I'd appreciate your adding this to your "nonspam" corpus.
> (I hope you don't mind the attachment.)
Hrm.
2.43:
X-Spam-Status: No, hits=-1.3 req
On Thu, Dec 19, 2002 at 09:39:17PM -0500, James R. Van Zandt wrote:
>
> The announcement of Debian 3.0r1 was labeled as spam, with these hits:
>
> SPAM: Hit! (2.7 points) BODY: Claims you can be removed from the list
> SPAM: Hit! (2.4 points) BODY: No such thing as a free lunch (2)
> SPAM: Hit!
Hmm you're report regards SpamAssassin 2.20, a rather old version of SA to
say the least, Using the current release version of spamassassin (2.43) I
get a negative score for this mailing.
In the future, please realize that if you're running an old version of SA,
you should test against a semi-r
I tried to get this to happen and it didn't set off that rule. Try posting a
bug to bugzilla.spamassassin.org and attaching the entire message (as an
attachment, not cut and paste)
--
Michael Moncur mgm at starlingtech.com http://www.starlingtech.com/
"Confusion is always the most honest respons
On Thu, Oct 24, 2002 at 10:09:37AM +0200, Thomas -Balu- Walter wrote:
> Today I got a false positive for a mail generated by the
> postfix-log-analyzer "pflogsumm", because of the following hits:
>
> SPAM: Start SpamAssassin results --
> SPAM: This mail is
On Wed, 2002-10-02 at 10:37, Johnny L. Wales wrote:
> Hiya!
>
> Is there some place where I can send my false positives? As a
> for-instance, I got a message from sourceforge which said my mailing list
> ID was about to expire, and it got tossed in my SpamAssassin folder. I'd
> like to show it to
I vote for "liability for personal injury or death" -- how
likely is a spammer to stick that in their messages?
C
On Sunday, July 14, 2002, at 11:47 AM, Suzanne Britton wrote:
> In the many months I've been using SpamAssassin, I've only seen
> one false
> positive. I just checked it against
At 2:27 PM -0400 on 4/22/02, Duncan Findlay wrote:
> > Or is a threshold of 5 too low ? What do other people use ?
>
>I use 4.0, and I'm very happy.
I use 3.7 and I'd argue that I'm slightly happier. ;-)
Gawain
___
Spamassassin-talk mailing list
[E
On Sun, Apr 21, 2002 at 02:56:02PM +0200, Klaus Heinz wrote:
> With the new version 2.20 I got a false positive with a newsletter
> I receive.
>
> X-Spam-Status: Yes, hits=6.8 required=5.0 tests=EXCUSE_3,
> HTTP_WITH_EMAIL_IN_URL version=2.20
> X-Spam-Report: 6.8 hits, 5 required;
>
7 is the most common at my site.
---
Ed.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric
> S. Johansson
> Sent: Sunday, April 21, 2002 4:44 PM
> To: Klaus Heinz; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] false positive
> I've been using SA for about 2 months now and have been running with the
> default threshold of 5 hits.
>
> With the new version 2.20 I got a false positive with a newsletter
> I receive.
My very first hit with SA was on a subscribed newsletter, mostly caused by
CTYPE_JUST_HTML. Within a day I
> >Or is a threshold of 5 too low ? What do other people use ?
>
> I typically use 8 to 9
I keep my threshold at 7.0 for 2.11 and that seems to work as well for the
current release. I have about one spam message slip through for every 30-40
that are caught, but only about half of those that slip
I think one thing we're learning with each x.y0 release of spamassassin is that
rule scores need to be tweaked after the GA runs, and that within a week or so
after x.y0 we need to release x.y1, which fixes almost all scoring issues. I
agree that 4.1 is probably a little high for that rule; proba
At 02:56 PM 4/21/2002 +0200, Klaus Heinz wrote:
>Or is a threshold of 5 too low ? What do other people use ?
I typically use 8 to 9
--- eric
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassi
On Thu, Mar 07, 2002 at 01:33:04PM -0500, Matthew T. Jachimstal wrote:
> The following email (full headers and SA report only) is getting falsely
> marked as spam, even though we have 'whitelist-from *@techdata.com' in
> /etc/mail/spamassassin/local.cf.
If you're using spamd, did you restart it a
Yeah, I guess I should send myself a hotmail message and see how they've
changed headers...
C
On Thu, 2002-02-21 at 07:20, Dallas Engelken wrote:
> > I was just debugging some (non-spamassassin related) mail problems so I
> > sent a message from a hotmail account to my real mail address. It was
> I was just debugging some (non-spamassassin related) mail problems so I
> sent a message from a hotmail account to my real mail address. It was
> tagged with FORGED_HOTMAIL_RCVD even though it was sent from hotmail.
> This is with the Spamassassin in Debian unstable.
FYI
This has been covered
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yep, I've noticed it flagging a lot of e-mails from friends that have
legitimate hotmail accounts as well. That's on 2.0 on my Red Hat
Linux box.
Seth Bokelman
PC Support Specialist
College of Social & Behavioral Sciences
University of Northern Iowa
I'm actually inclined to add a check_url(regexp) function that properly
extracts all URL's using the same rules as Outlook uses (which is the target
client for spammers), and then checks it for matching the regexp. I'll look
into that next week if I remember to do it.
Matt.
--
<:->Get a smart ne
jm> wierd. for 3 months, nobody but spammers sent HTML-only mail, now
jm> everyone's doing it :( Better mod the score downwards...
cewatts> Is the really high HTML-only score a GA-created one? WOW, is
cewatts> that high.
jm> yeah, goes to show how effective it was, until all these other
jm> m
- Original Message -
From: "Charlie Watts" <[EMAIL PROTECTED]>
> On Wed, 23 Jan 2002, Daniel Rogers wrote:
>
> > I think that 4.33 might be a little aggressive for HTML-only mail.
> > Especially with a default threshhold of 5.
>
> > Finally, I see why this matches the 'Forged eudoramail.c
Charlie Watts said:
> Is the false eudoramail.com hit because of an editing mistake? It looks
> like the forged eudoramail and forged excite checks are almost identical.
> I wonder if there was a copy/paste that didn't get edited ...
> Justin/Craig?
mea culpa ;)
> Is the really high HTML-only
Daniel Rogers said:
> I've attached the message below. I think that 4.33 might be a little
> aggressive for HTML-only mail. Especially with a default threshhold of 5.
> Also, I know a lot of people aren't clued enough to realize that the 'full
> name' box is supposed to be their full name and
Looks like Justin just checked that in right before release... might well be buggy -- certainly would have thought the check for from excite.com should be something else for eudoramail...
The score for HTML only is GA-evolved. My GA actually scores it even higher than justin's against the s
On Wed, 23 Jan 2002, Daniel Rogers wrote:
> I think that 4.33 might be a little aggressive for HTML-only mail.
> Especially with a default threshhold of 5.
> Finally, I see why this matches the 'Forged eudoramail.com' test, but
> should it? It seems like a perfectly valid set of excite.com head
45 matches
Mail list logo
