Misc: Bigevil Updates, WAS RE: [SAtalk] what can we do with those spam mails

2004-01-15 Thread Chris Santerre
"holdontrynow.com" is actually in my list to add. I'm sorry to say that at my fastest, additions to Bigevil will take at least 2 days. With sooo many people using, and a promise of ZERO FPs, I need to test overnight. Sometimes I like to test more if the update was signifigant. I search for all so

[SAtalk] Tripwire Update

2004-01-15 Thread Chris Santerre
Sorry it took so long, I was waiting to hear back from Fred. He is trapped in the North :) Version 1.14 has been posted to web with Bart Schaefer's changes! Nice work Bart! http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf Chris Santerre System Admin and SA Custom

RE: [SAtalk] Spamwriter

2004-01-15 Thread Chris Santerre
Not that I don't like this discussion, but this really is getting way off topic for Spamassassin. Can it be taken offlist now? --Chris > -Original Message- > From: Brian May [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 15, 2004 12:30 PM > To: Greg Cirino - Cirelle Enterprises; Ba

RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
This thread is useless without pics! Oh wait, sorry. This post is useless without the spam! :) Try the new version of Tripwire (1.14) posted today. It's been beechwood aged for twice the flavor! --Chris > -Original Message- > From: Steve Thomas [mailto:[EMAIL PROTECTED] > Sent: Thursda

[SAtalk] Tripwire update 1.15

2004-01-15 Thread Chris Santerre
Fred thawed out. Added the PGP stuff that was requested. Update posted to my site. Link in sig. Who says opensource doesn't respond quickly? Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 'It is not the

[SAtalk] I got him! The G.bush vdrug spammer is mine! ahahahahahha

2004-01-15 Thread Chris Santerre
$/ What do you think? And I've looked at the numbers. The spam traffic is still increasing since the beginning of the year, but my MTA level denials have also increased. The guys at the DNSRBLs are really doing a bang up job. So the amount of spams that gets caught for me to play with have gone

RE: [SAtalk] FP on MY_HTTP_ODD_PORT

2004-01-15 Thread Chris Santerre
that you don't fully understand to under .50 (Well except for Bigevil!) So the answer to your questions is.soon. We are working on cleaning up what we have now. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
://sthomas.net/spam.txt > > > On Thu, Jan 15, 2004 at 02:10:24PM -0500, Chris Santerre is > rumored to have said: > > > > This thread is useless without pics! > > > > Oh wait, sorry. > > > > This post is useless without the spam! :) > > &

[SAtalk] RE: BigEvil FP

2004-01-15 Thread Chris Santerre
! lol. --Chris > -Original Message- > From: Daniel Kleinsinger [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 15, 2004 10:10 PM > To: Chris Santerre > Subject: BigEvil FP > > > BigEvilList_37 hits on biz.yahoo.com which gave me an FP on an email > from t

RE: [SAtalk] Problems running begevil and tripwire together

2004-01-15 Thread Chris Santerre
Wow that is weird! I think I'm running Tripwire 1.13 because they came so fast and furious I didn't get a chance to upgrade my own server today. Is there some limit to mimedefang? I haven't seen these errors but don't use mimedefang. But I run more rules than almost anyone. I only have 64 megs! SA

[SAtalk] [OT] Spam conference, I'm 0 for 2!

2004-01-16 Thread Chris Santerre
As you can see, I'm in my office now. I was halfway there! It's really a thrilling tale that starts with arctic temperatures, a faulty water pump or thermostat. Me in the cold with no heat for over an hour. My precious sports car on a flat bed with possible valve damage, and a HUGE tow bill because

RE: [SAtalk] Another BigEvil FP

2004-01-16 Thread Chris Santerre
UBE/UCE policy, or I will put them back in. --Chris (cold, so very cold) Santerre > -Original Message- > From: JRiley [mailto:[EMAIL PROTECTED] > Sent: Friday, January 16, 2004 10:16 AM > To: Overdijk, Harrie; 'Chris Santerre' > Cc: 'Spamassassin-Ta

RE: [SAtalk] Tripwire breaking exim/spamd setup

2004-01-16 Thread Chris Santerre
This is some pretty good info. Can you throw something up on either wiki about exim users/lots of rules/long headers/and default buffer size? I'm sure others might start having this problem. good find! --Chris > -Original Message- > From: Zarjazz [mailto:[EMAIL PROTECTED] > Sent: Friday,

RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Friday, January 16, 2004 8:08 PM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Image-ONLY e-mails not filtered? > > > FYI -- I'm noticing SPAMs which contain ONLY an image are not > being filtered > at all.

RE: [SAtalk] (OT) Spam Conference 2004 re-cap?

2004-01-17 Thread Chris Santerre
oned a few times of course. :) There is some other small things I still want to digest and talk to the rule writers about. Talk about becoming less reactive got me thinking on some stuff. I urge anyone with the time to view the webcasts. I understood a HELL of a lot more than last year ;) Hopefully I

[SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-17 Thread Chris Santerre
to find them by now, you must be under a rock (Or a Colts Fan!) ;) Go Pats! Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 'It is not the strongest of the species that survives, not the most intelligent, but the

RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre
> -Original Message- > From: Fred [mailto:[EMAIL PROTECTED] > Sent: Saturday, January 17, 2004 3:54 PM > To: [EMAIL PROTECTED] > Cc: Spamassassin-Talk (E-mail) > Subject: Re: [SAtalk] Image-ONLY e-mails not filtered? > > > [EMAIL PROTECTED] wrote: > > FYI -- I'm noticing SPAMs which con

RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-18 Thread Chris Santerre
vid A. Carter [mailto:[EMAIL PROTECTED] > Sent: Sunday, January 18, 2004 12:18 PM > To: Chris Santerre > Cc: Spamassassin-Talk (E-mail) > Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k > > > Quoting Chris Santerre <[EMAIL PROTECTED]>: > > >

RE: [SAtalk] Re: [RD] Offered Rules

2004-01-19 Thread Chris Santerre
Inline below > -Original Message- > From: Robert Menschel [mailto:[EMAIL PROTECTED] > Sent: Sunday, January 18, 2004 11:02 PM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Re: [RD] Offered Rules > > > Here's my next set of possible rules for submission to the > SpamAssassin > distribu

RE: [SAtalk] Re: Resolving and hat-checking spamvertised URLs...

2004-01-19 Thread Chris Santerre
I was hoping more people would be running this by now. What is the average scan time per msg when using this? Any timeouts? I know this was being worked on for 2.70, but heck you got it here as a patch already! --Chris (Really needs to upgrade but still proving a point.) > -Original Message

RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-19 Thread Chris Santerre
igevil 2.06k > > > Chris, > > What about > http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf file > you submitted? Is that rule set superceded by bigevil and tripwire? > > thanks, > Donald > > -Original Message- > From: Chris Santerre [mai

RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Huh? That was posted 2 days ago! And I had tested it longer than that! IF there was an error, I would have heard about it within an hour of posting. What kind of errors in the log? Anyone else having a problem --Chris > -Original Message- > From: Carl Chipman [mailto:[EMAIL PROTECTED]

RE: [SAtalk] Three that got through yesterday

2004-01-19 Thread Chris Santerre
> -Original Message- > From: Evan Platt [mailto:[EMAIL PROTECTED] > Sent: Monday, January 19, 2004 12:36 PM > To: SpamAssassin > Subject: Re: [SAtalk] Three that got through yesterday > > > > > --On Monday, January 19, 2004 10:51 AM -0500 "Christopher X. Candreva" > <[EMAIL PROTECTED]

RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
> -Original Message- > From: SpamTalk [mailto:[EMAIL PROTECTED] > Sent: Monday, January 19, 2004 3:32 PM > To: [EMAIL PROTECTED] > Subject: RE: [SAtalk] BigEvil Archive > > > > -Original Message----- > > From: Chris Santerre [mailto:[EMAIL PROTECT

RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Bah! What was that quote? Something about real men put their files on the internet and letting the world be their backup? Theo has it. :) --Chris (OH I hate EDI! Standard my #$^!) > -Original Message- > From: Gary Smith [mailto:[EMAIL PROTECTED] > Sent: Monday, January 19, 2004 4:21 PM >

RE: [SAtalk] Schools Slapped? FVGT

2004-01-20 Thread Chris Santerre
> -Original Message- > From: Scott Williams , Area4 [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 20, 2004 9:50 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Schools Slapped? FVGT > > > I just started using the FVGT rules and got this FP. > Do I understand this right, the rule belo

[SAtalk] mdpillsource.com using trojaned machines.....

2004-01-20 Thread Chris Santerre
3 Fax -- 4156341323 Domain servers in listed order: NS0O01.GOODWEBRX.COM NS0O01.MYEFUTURE.NET Chris Santerre --- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integrati

[SAtalk] Bigevil update 2.06L

2004-01-20 Thread Chris Santerre
Just posted 2.60L. http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 'It is not the strongest of the species that survives, not the most intelligent, bu

RE: [SAtalk] Automated ruleset download

2004-01-20 Thread Chris Santerre
http://sandgnat.com/cmos/rules_du_jour I save WAY too many emails :) --Chris -Original Message- From: JRiley [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 1:52 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Automated ruleset download Just curious, if there is

[SAtalk] Bigevil updated again :)

2004-01-20 Thread Chris Santerre
Just posted 2.06M which contains 1 single additional entry for: oem-expert.biz Why just for one domain? Because they are doing a dictionary attack on a fellow list member resulting in a DOS. Let the larting begin! http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf Chris Santerre

RE: [SAtalk] how many spam/ham do I have in my bayes db?

2004-01-20 Thread Chris Santerre
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 20, 2004 4:04 PM > To: Adrian Simmons > Cc: [EMAIL PROTECTED] > Subject: Re: [SAtalk] how many spam/ham do I have in my bayes db? > > > At 03:36 PM 1/20/2004, Adrian Simmons wrote: > >Ralf Vitas

RE: [SAtalk] More obfuscation

2004-01-20 Thread Chris Santerre
I'm not sure where the post is, but about 3 weeks ago I think Dallas put a semi-end to the spell-checker debate :) He ran one and the outcome wasn't so good. --Chris > -Original Message- > From: Charles Gregory [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 20, 2004 4:37 PM > To: [EM

RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
> -Original Message- > From: Fred [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 21, 2004 9:39 AM > To: AltGrendel; Spamassassin-Talk (E-mail) > Subject: Re: [SAtalk] [OT] - The current state spam. > > > AltGrendel wrote: > > On Tue, 2004-01-20 at 18:28, Fred wrote: > >> > >> I ca

RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
technology obviously > exists and > I think is a much better option. > > Thanks, > James > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Pierre Thomson > Sent: Wednesday, January 21, 2004 10:13 AM

RE: [SAtalk] Another one for BigEvil

2004-01-21 Thread Chris Santerre
aaap :) Just send them to me offlist. However FP reports you might want to copy here. As I remove them from the NEXT update. But people might want to remove them right away. They still trickle in now and then. --Chris (bored today for some reason) > -Original Message- > Fro

RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
I agree and disagree :) How many times have you heard this: "I don't understand, I have antivirus software." "When was the last time you updated it?" "Update?" :-) I know tons of people with broadband connections that might be on only a few times a week. Some don't even notice their cpu

[SAtalk] New tax Phish?

2004-01-21 Thread Chris Santerre
egit and not a scam, then why oh why on earth would they hire a spammer. Also the product's website is nowhere to be found in the email source. Only thru a redirect. I'm thinking the product website should be larted just for hiring the spammers! mesg attached. Chris Santerre System Admi

RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-21 Thread Chris Santerre
Soon there will be one place to go ;) > -Original Message- > From: Frank Pineau [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 20, 2004 8:51 PM > To: Spamassassin-Talk (E-mail) > Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k > > > > >http://www.merchantsoverseas.com/

RE: [SAtalk] v+word problem

2004-01-22 Thread Chris Santerre
Very interesting. Notice the attempt to confuse the url. Not sure if that is attempted at my old bigevil mining scripts. I'll add plus66.com into bigevil for next update. MrWiggly rule is only for that one type V-drug spam. It has had NO false positives to date. So I'm jacking my score up to

RE: [SAtalk] Surprise mail from myself

2004-01-22 Thread Chris Santerre
> Brad > header __CS_FROM_ME From =~ /[EMAIL PROTECTED]/i header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME describe CS_SPAM_TRICK Spammer forged From + To my domain. score CS_SPAM_TRICK 114.11 # Silly, isn't it? Change to your own

RE: [SAtalk] Multi-line matching workarounds?

2004-01-22 Thread Chris Santerre
> -Original Message- > From: sckot [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 21, 2004 3:45 PM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Multi-line matching workarounds? > > > Some archive searching has revealed that multi-line > matching isn't > available yet. Is the

RE: [SAtalk] BigEvil PF

2004-01-26 Thread Chris Santerre
I'm sure this is an FP left over from my pull from initial scripts. I don't remember adding them by hand. They check out as legit. They will be removed from next update. (Which was meant for last Sat. but something came up.) --Chris > -Original Message- > From: Paul Barbeau [mailto:[EMAIL

RE: [SAtalk] bigevil_54 smonitor

2004-01-26 Thread Chris Santerre
"Negative Ghostrider, the pattern is full." :) There is a '\b' before that. So it is bound. Should not hit that rule ever. Go ahead. Send yourself an email with that in it. Try it if you don't think so. :) Then again, maybe I should mark them as spammersOh, but that is for another list ;)

RE: [SAtalk] bigevil_54 smonitor

2004-01-27 Thread Chris Santerre
2:02 AM > To: Chris Santerre; '[EMAIL PROTECTED]'; > [EMAIL PROTECTED] > Subject: Re: [SAtalk] bigevil_54 smonitor > > > On Monday 26 January 2004 10:53 am, Chris Santerre wrote: > > There is a '\b' before that. So it is bound. Should not hit > that ru

[SAtalk] [OT] Working with FPs from the other end.

2004-01-28 Thread Chris Santerre
story :-) Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.'

[SAtalk] Bigevil and thoughts....

2004-01-29 Thread Chris Santerre
report them to playaudiomessage.com. But by the looks from their website, they don't want to hear from you anyway. They stay. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 'It is not the strongest of the sp

RE: [SAtalk] A simple tool to extract URL's from mail folders

2004-01-30 Thread Chris Santerre
Yeah, my bigevil thoughts post was sent ages ago! almost 2 weeks before it showed up on the list. I posted a bigevil update and haven't seen it yet! WTF? --Chris > -Original Message- > From: Gary Funck [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 29, 2004 1:08 PM > To: Spamassassin

RE: [SAtalk] [RD] spammer reactions to antidrug (humorous)

2004-01-30 Thread Chris Santerre
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Friday, January 30, 2004 10:55 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] [RD] spammer reactions to antidrug (humorous) > > > Today I got an interesting form of obfuscation, apparently to avoid > antidrug.c

[SAtalk] Bigevil 2.10 posted

2004-01-30 Thread Chris Santerre
MMEDIATELY on any FPs you may encounter. This version runs even faster and is smaller than all previous versions. http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rule

RE: [SAtalk] Nigerian type spam that only got 0.9 :(

2003-08-14 Thread Chris Santerre
This also buzzed by all my Nigerian rules as well. COOL!!! I've been looking to update those and this is a great one to go with!! And how does one get a "junior wife"? I'd like another! :-) Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchants

RE: [SAtalk] quick survey

2003-08-14 Thread Chris Santerre
on, and either dump the score to a variable or a temp file to be added to the next process of the standard spamc run. Reason I haven't? Does seem like a lot of overhead and work for a simple gain. So I'm still trying to just grab these spam tokens via regular rules. *Bayes aside* HTH Chris S

RE: [SAtalk] Testing a newsletter against SA online

2003-08-14 Thread Chris Santerre
ects and just delete. Now that we can tag these random characters, what are they going to do next? You have to love the opt out clause of "want no more of this shit..." Well hell, that company has to be reputable with language like that. Let's purchase their products ;) Chris Santerre Syst

RE: [SAtalk] rule to reference list

2003-08-14 Thread Chris Santerre
on to this. Just not ready to be made public. I'm excited about it! :) *wink* Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsens

RE: [SAtalk] Does sa-learn process encoded messages?

2003-08-14 Thread Chris Santerre
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 13, 2003 1:20 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: [SAtalk] Does sa-learn process encoded messages? > > > At 09:53 PM 8/12/03 -0700, Ricardo Kleemann wrote: > >If a mess

[SAtalk] Corpus design and bayes?

2003-08-14 Thread Chris Santerre
? If yes, well then that is just a bummer :) Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is relished by the wisest men."

[SAtalk] Wiki login Fubar?

2003-08-14 Thread Chris Santerre
Anyone else having problems getting into the wiki to edit? Darn thing don't like me today. I even tried a few different user names. Nothing. :( I want to wiki wiki :) Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rule

RE: [SAtalk] FBI fraud reporting site

2003-08-14 Thread Chris Santerre
[EMAIL PROTECTED] > Subject: RE: [SAtalk] FBI fraud reporting site > > > Dear Chris Santerre, > > >From: Chris Santerre > >Subject: RE: [SAtalk] FBI fraud reporting site > >Date: Fri, 8 Aug 2003 17:09:23 -0400 > ... > > > > From: Kenne

RE: [SAtalk] FBI fraud reporting site

2003-08-14 Thread Chris Santerre
> -Original Message- > From: Kenneth Porter [mailto:[EMAIL PROTECTED] > Sent: Friday, August 08, 2003 4:31 PM > To: SpamAssassin List > Subject: [SAtalk] FBI fraud reporting site > > > Just saw this on the DShield list: > > > >

RE: [SAtalk] RD Message body/subject filter help

2003-08-14 Thread Chris Santerre
I said they needed work ;) I'll throw them up on the wiki and let everyone work on them. Thanks for the list. I can't believe I missed 'everybody' !! chris -Original Message- From: Mike Kuentz (2) [mailto:[EMAIL PRO

[SAtalk] [RD] AOL 7 but not from AOL.

2003-08-14 Thread Chris Santerre
business Date: Mon, 04 Aug 2003 21:07:07 -1100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_B31_C524_51061546.3823D0DE" X-Priority: 3 User-Agent: AOL 7.0 for Windows US sub 118 I'm thinking a simple meta of user-agent AOL, but received heade

RE: [SAtalk] Updated list of spam

2003-08-14 Thread Chris Santerre
e can > retrieve (and > contribute to) a constantly updated rules file? > > Just wondering. > > Frank > Check the link in my sig. They are Local rules. An idea is in the works for updating local rules like you are looking for. Chris Santerre System Admin and SA Custom

RE: [SAtalk] [RD] new rules for listwashing tokens, ROT-13 etc.

2003-08-15 Thread Chris Santerre
warm and fuzzy feeling to be part of it. Hats off to the devs and every other poor soul slaving away at a screen for the love of blocking spam! Keep up the great work! Now go add something to the wiki!!! :-) (thanks altgrendel!) Chris Santerre System Admin and SA Custom Rules Empori

RE: [SAtalk] Testing and weighting rules against corpus of spam/non-spam

2003-08-18 Thread Chris Santerre
> running these tests? > > 2. I would like to run my entire rulebase against a ham/spam > corpus, and arrive at statistically "best" weighting of > rules. How is this done? > > Cordially, > > Eric hart > ehart [nospam] npi.net > > www.exit0.us has

RE: [SAtalk] spamvertized rule?

2003-08-18 Thread Chris Santerre
/_/site/nx/images/spacer.gif"; > width="1" height="1" border="0"> > They are easy. The wiki (www.exit0.us) has many an example. There has been work done to make it even easier to make these. uri L_SINCENTRAL /?:sincentral\.(com|net|biz)/i descri

RE: [SAtalk] Rules

2003-08-19 Thread Chris Santerre
how to write > rules for spam assassin? > See link in my sig for examples. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is r

RE: [SAtalk] User who receives load of spam and blacklist_to

2003-08-19 Thread Chris Santerre
ist_to (unless I've misread the docs). > > Any ideas? > > regards, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:[EMAIL PROTECTED] Easy way is to write a simple rule for the email addre

RE: [SAtalk] HEX IN URI and attachments

2003-08-20 Thread Chris Santerre
describe MY_GIF_OBFU Tries to OBFU .gif score MY_GIF_OBFU 1.0 (This next one may be more specific as a URI rule.) rawbody MY_PERCENT_OBFU /\%..\%..\%../i describe MY_PERCENT_OBFU Tries to OBFU link with % signs score MY_PERCENT_OBFU 1.55 Then I believe (I'm not sure) that you simply do a r

RE: [SAtalk] mass-check and user_prefs

2003-08-20 Thread Chris Santerre
ould be appreciated. > > Bob Menschel > Hey Bob. I'm starting to want to do the same. Matt had responded to my question like this before. I put his answer on the wiki at www.exit0.us under testing. Take a look at that. It will answer _some_ of your questions. HTH --Chris Santerre

[SAtalk] [RD] New header rule for no FQDN ?

2003-08-20 Thread Chris Santerre
ON_NAME Email server didn't have a FQDN score WRKSTATION_NAME 0.01 As always, this rule wouldn't score more than say 0.75 on my system. Maybe less. I like more small rules to hit than less big ones. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchan

[SAtalk] Future of eval test?

2003-08-20 Thread Chris Santerre
ike the idea of being able to write custom evals as long as they are _NOT_ placed in the same default eval file as SA. Devs? Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is re

RE: [SAtalk] Useful reporting with SA

2003-08-20 Thread Chris Santerre
I remember hearing of an error like that. go here: http://news.gmane.org/thread.php?group=gmane.mail.spam.spamassassin.general and search for 'malformed utf' there seems to be some hits. hth Chris Santerre System Admin and SA Cu

RE: [SAtalk] Configure to delete messages

2003-08-20 Thread Chris Santerre
of the wiki www.exito.us :) One can't repeat this enough, it is NOT a good idea to automatically delete emails marked spam. Then again, it isn't a good idea to date your cousin, but some people never learn! Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merc

RE: [SAtalk] catching the Banned CD spam!

2003-08-20 Thread Chris Santerre
Could it possibly be the double base64 text trick again? Those tend to be goofy. I don't quite understand the darn trick myself. No one has posted a very good explanation yet. Does this spam hit the BASE64_ENC_TEXT rule? --Chris > -Original Message- > From: John McGivern [mailto:[EMAIL PR

RE: [SAtalk] Mention of SA in the "media"

2003-08-21 Thread Chris Santerre
> -Original Message- > From: Nels Lindquist [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 20, 2003 6:29 PM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Mention of SA in the "media" > > > Have y'all seen this yet? > > "SpamAssassin Unveils New HomeAssassin Product for Unwelcome >

RE: [SAtalk] Exporting spam to txt file, then feeding to sa-learn, Howto?

2003-08-21 Thread Chris Santerre
o the same, dump it to a hamtrap on the SA box. So I have a ham/spamtrap mailbox local on the SA machine to play with. Oversimplified example: :0c: * ^X-Spam-Level: \*\*\*\*\*\*\*\* ! [EMAIL PROTECTED] ! [EMAIL PROTECTED] :0c: * ^X-Spam-Status: No ! [EMAIL PROTECTED] :0 ! [EMAIL PROTECTED] P

RE: [SAtalk] [RD] New header rule for no FQDN ?

2003-08-22 Thread Chris Santerre
> -Original Message- > From: Robert Menschel [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 20, 2003 10:32 PM > To: Chris Santerre > Cc: Spamassassin-Talk (E-mail) > Subject: Re: [SAtalk] [RD] New header rule for no FQDN ? > > > -BEGIN PGP SIGNE

RE: [SAtalk] How To generate a spammers domain list

2003-08-22 Thread Chris Santerre
jects/Blocklist/reg2rule.pl it uses STDIN and STDOUT. run reg2rule.pl -h for usage Also make sure you use the -b option to escape out the periods. I thought his code was buggy, but it was a user error :) more to follow --Chris Santerre -Original Message- From: myname [mailto:[

RE: [SAtalk] Scanning for a file name

2003-08-22 Thread Chris Santerre
t; > Hey oBKTIGcLGNK Amnon1 rXXcp > 2069 735 > href="http://[EMAIL PROTECTED]/index.php?Xp > 9MH7p"> src="cid:pic1.gif"; width="120" height="15" border="0"> > > > *snip* rawbody MY_PIC_GIF1 /cid.pic\d{1,2}?\.gif/i des

RE: [SAtalk] How To generate a spammers domain list

2003-08-22 Thread Chris Santerre
and STDOUT. run reg2rule.pl -h for usage (Note: the version I have says the default score is 1.0, but it defaults to 0.5, I may have a beta version. But simple to change that code. ) I can't thank Yorkshie Dave enough for writing this script. Saves a TON of time and hits like a rabid pitbul

[SAtalk] [RD] random letters vs. MS.Word

2003-08-22 Thread Chris Santerre
cure the better. Also keep in mind that different versions of word have different encoding. So I would make separate obscure rules. This way spammers can't start falsifying word emails. Even if they do, you would have not based the rule on an obvious Word tag. Chris Santerre System Admin

[SAtalk] [RD] Freshmeat for rules

2003-08-22 Thread Chris Santerre
Well I have a bunch I'm testing out. Some great ones here. Working very nice, so I figure I would share them out. Keep in mind that some of these WORKSTATION rules are for observation purposes. I'm well aware some of the headers could be legit. I will score these small as usual so they just say,

RE: [SAtalk] [RD] Freshmeat for rules

2003-08-22 Thread Chris Santerre
*BIG SNIP* > > header MY_HEADER_TAG6 List-Unsubscribe =~ /^\ describe MY_HEADER_TAG6 Possible spam tag in list unsub, Mailto: > score MY_HEADER_TAG6 0.01 > oops sorry, this was typoed by my big fingers: header MY_HEADER_TAG6 List-Unsubscribe =~ /^\/i Ah that's bett

[SAtalk] [RD] regex clarification

2003-08-22 Thread Chris Santerre
"stairs"!! "Honey can you go up/down stairs and get me." "Go get the _blank_ on/near the stairs." Sure sign I need to get away from these rules :P Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/

RE: [SAtalk] Spam using invalid Mime headers to bypass SpamAssassin?

2003-08-25 Thread Chris Santerre
in the original thread about this kind of email. Temporary trick. The devs should have an answer soon for it. --Chris Santerre --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single

RE: [SAtalk] Spam using invalid Mime headers to bypass SpamAssassin?

2003-08-25 Thread Chris Santerre
ary line, then someone should be able to write a quick eval to check for more than one instance of the original boundary tag. Comments? --Chris Santerre --- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating

RE: [SAtalk] How To generate a spammers domain list

2003-08-26 Thread Chris Santerre
by hand. I could setup a cron job with wget, but I haven't got around to it.   the spamtrap file has to be created by you. I'm not sure how mailscanner works, but my procmail says that if spam scores over a 7.0, then copy the email to the spamtrap file. Presto, instant corpus.

RE: [SAtalk] [VB] Virus Bounce filtering

2003-08-26 Thread Chris Santerre
ring. > > How do others feel about these actions, and do you have any > recommendations for us? > > Bob Menschel > > I like the way you are handling this. I too am only seeing bounces to the email addresses that are the most public. Your idea of trying to separate virus+s

RE: [SAtalk] Custom Rules - spamd

2003-08-26 Thread Chris Santerre
ge time to check later today. On a side note, I'm still using 2.4x and about 70% of my points come from custom rules. Using the rules gathered from the emporium + the ones generated from reg2rule.pl have boosted my average spam score from 9 to about 25!!! Custom rules rock! Chris Santerre System

RE: [SAtalk] [RD] Freshmeat for rules

2003-08-26 Thread Chris Santerre
> -Original Message- > From: Bart Schaefer [mailto:[EMAIL PROTECTED] > Sent: Friday, August 22, 2003 9:04 PM > To: [EMAIL PROTECTED] > Subject: RE: [SAtalk] [RD] Freshmeat for rules > > > On Fri, 22 Aug 2003, Chris Santerre wrote: > > > opps sorry,

RE: [SAtalk] Message ID

2003-08-26 Thread Chris Santerre
't get delivered to my users. I'm only testing now, so can't share yet. But maybe it will help you guys. Take a look at the message-ID field itself. While the characters may be random, you may see a pattern in them with other spam. hth --Chris Santerre -

RE: [SAtalk] Proposal: Rule for faked HELOs

2003-08-26 Thread Chris Santerre
> -Original Message- > From: Jens Teubner [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 26, 2003 4:14 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Proposal: Rule for faked HELOs > > > Hi, > > although I'm definitely not a SpamAssassin expert, I observed > a pattern > that was pr

RE: [SAtalk] Custom Rules - spamd

2003-08-26 Thread Chris Santerre
> -Original Message- > From: Larry Gilson [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 26, 2003 10:08 AM > To: 'Chris Santerre'; 'Matt Kettler'; spamassassin_list > Subject: RE: [SAtalk] Custom Rules - spamd > > > > > >

RE: [SAtalk] Not sure how...

2003-08-27 Thread Chris Santerre
iever that we need a generic counter eval. So that we can simply say, if something shows up this many times, add this many points. In this case it would be the boundary or content type lines.   This is why no one has been hitting on the pic.gif rule.   --Chris Santerre -Original Messag

RE: [SAtalk] Custom Rules - spamd

2003-08-27 Thread Chris Santerre
> -Original Message- > From: Bart Schaefer [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 26, 2003 10:48 AM > To: spamassassin_list > Subject: RE: [SAtalk] Custom Rules - spamd > > > On Tue, 26 Aug 2003, Chris Santerre wrote: > > > > -Ori

RE: [SAtalk] Testing site-wide custom rules, how to?

2003-08-27 Thread Chris Santerre
that matches the regex exactly? Or is grep, egrep, fgrep limited to a different style of regex? Otherwise I have to use a series of greps piped together. Which sometimes limits what I'm looking for. If this could be done with a small perl script, I would also like the -B, -C, and -A kind

RE: [SAtalk] Custom Rules - spamd

2003-08-27 Thread Chris Santerre
> -Original Message- > From: Larry Gilson [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 27, 2003 10:24 AM > To: 'Chris Santerre'; spamassassin_list > Subject: RE: [SAtalk] Custom Rules - spamd > > > Hi Chris, > > > -Original Messag

[SAtalk] SA rejection

2003-08-27 Thread Chris Santerre
notify the intended recipient so they can retrieve the message from the spamtrap and/or moderate the content of your message and resend. Your message is reproduced below for your convenience. [-- Signed: the SpamAssassin mail filter]" Chris Santerre System Admin and SA Custom Rules Empori

[SAtalk] [RD] Rule change. Spammer changed tactic.

2003-08-27 Thread Chris Santerre
Spam tool pattern in MIME boundary score L_MIME_BOUND_SIMPLE 1.44 to header L_MIME_BOUND_SIMPLE Content-Type =~ /boundary=".{0,10}-\w{1,50}-"/ that should do it. Did they think I wouldn't notice? :-) Even without this it scored a 16+ and went to the trap. Chris Santerr

RE: [SAtalk] Message ID

2003-08-28 Thread Chris Santerre
ag. I'm trying to use a bunch of meta rules with the test for this message-id included. I just need more time to go over it. I also want to add a raw rule, but need to get these guys into my corpus first. So far they haven't scored above a 7, and haven't been added. They score a 5.5 ri

[SAtalk] [RD] this is the spam I'm fighting, and why rules don't hit.

2003-08-28 Thread Chris Santerre
legit mailer send this way? Please, if you have something similar, I really want to look at the raw code. I'm curious as to how the base64 code compares. Particularly the very first line of the base64 code. Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merch
