alid PGP signatures? Or is it
just a simple regexp check for something resembling one?
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"An ignorant person is one who doesn't know what you have just found out."
-- Will Rogers
_
Excellent! I am continually impressed by SpamAssassin's rate of development.
I've thought of several great ideas only to discover that they're already
implemented in the latest CVS.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who
ECTED]" at
/usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/DBBasedAddrList.pm line
147.
procmail: Program failure (70) of "spamassassin"
procmail: Rescue of unfiltered data succeeded
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of th
sh [^\/]*
and should also end when it reaches a space. Or perhaps a parenthesis or quotation
mark? Tab? Pound sign? Anything else that URLs commonly end with?)
This same issue could make a false positive in the HTTP_CTRL_CHARS_HOST rule, but I
haven't run into one.
--
michael monc
orks great!
Many thanx,
Dilly
-- : -- : -- : -- : -- : -- : -- : -- : -- : -- : -- : -- : -- : -- : --
Never do card tricks for your poker group.
---end included message
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, f
DoubleClick, the relatively respectable banner-ad company. Here's a "remove"
URL from the message:
http://ad.doubleclick.net/clk;3824278;6743144;o?http://home.ingdirect.com/promo
/promo_set.asp?p=%9BURdVw%AC.
I've only seen two of these so far, but maybe a "lots of numbers in UR
://bugzilla.spamassassin.org/
OK, submitted as bug # 22. Thanks!
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
it.
> I think that a doubleclick.net URL embedded in an email should be a very
> strong indicator of spam.
I agree - one exception might be users who are DoubleClick clients/sponsors and
receive email from them legitimately, but they would probably need to whitelist
it anyway.
--
michael mon
s well as account for the
variations "Make money at home" and "Make $$$ at home".
BTW, I tested this on my own system by piping a bunch of test phrases through
spamassassin -t and it appears to work.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of tho
p://uptime.openacs.org/uptime/delete.tcl?monitor_id=7199
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
Since I upgraded to this morning's CVS version, I've noticed that the
INVALID_MSGID test is positive on every single message I've received. This
isn't a very big sample (5-6 messages) but I've never seen this happen before,
and it happens even when I send test messag
_IN_
WHITELIST_TO version=2.1
I haven't changed anything here besides upgrading SA... Are you sure this isn't
something to do with the RFC2822 changes? Then again, INVALID_MSGID looks like
a normal regex test. Is anyone else having this problem?
--
michael moncur mgm at starlingtec
> could you file a bug report against this problem with
> bugzilla.spamassassin.org? I think spam phrases need a retrofit at
> least as badly as AWL does.
Sure, entered as Bug #31.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"There is no safety
ts for the variation "you no longer wish to receive mail" - it could
just as easily be a separate rule but they are similar.
Also, assuming I'm not the only one who receives these "Investor spec sheet"
spams regularly, perhaps a rule for them?
body INVESTOR_S
have \s* like I should and the INVALID_MSGID problem seems to have gone away.
I'll chalk this one up to gremlins.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"There is no safety in numbers, or in anything else." -- James Thurber
__
something like this at the end of the spam report to avoid
confusion:
* -4.1 -- Whitelist: Correction based on sender's history
While I'm at it, it looks like either the score in the spam report or the
correction applied by the AWL would benefit from rounding...
--
michael
an A_HREF_TO_OPT_OUT rule, but that's different than a simple URL,
and I assume there's some benefit to keeping them separate - i.e.
A_HREF_TO_REMOVE and REMOVE_PAGE)
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I believe in getting into hot water;
d required "NO" to be in caps. These changes might result
in false positives, or at least a lower GA score, though.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I believe in getting into hot water; it keeps you clean."
-- G. K
> i can tell you read the LM magazine
What's that? I don't get it.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I believe in getting into hot water; it keeps you clean."
d spam,
stock spam, health/fitness spam, and so on. Of course, I'm also imagining
someone else doing all of the work. :)
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I believe in getting into hot water; it keeps you clean."
-- G. K. Chestert
d my own custom
rule, but I'm not sure if it's worth including in SA:
body AMERICAN_EMAIL_BRANDS /American Email Brands/
describe AMERICAN_EMAIL_BRANDS American Email Brands, frequent spammer
score AMERICAN_EMAIL_BRANDS 5.0
--
michael moncur
I've had a few spam messages slip through SA recently because they consist of
little or no text, with the entire content of the message in a graphic using an
tag.
I think virtually any message sent as one big graphic would be spam, but I
can't think of a good way to detect it using a regular exp
.spamcop.net, this seems like
something that would be better handled by whitelisting. I assume a single
whitelist check would take less time than a few regular expressions...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I believe in getting into hot water;
pus?
It doesn't include messages from this list, does it? I would think there would
be no trouble calculating a positive score for something like "Monsterhut"...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I don't care what is w
t's something I feel slightly more comfortable with.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I don't care what is written about me so long as it isn't true."
-- Dorothy Parker
50_scores.cf
Description: Binary data
", a well-known spam source.
> body CORRECT_FOR_EXCHANGE /This message is in MIME format/
> describe CORRECT_FOR_EXCHANGE Correct for MIME 'null block'
FYI, I seem to recall SA already having a test like this. You might want to
double-check.
--
michael moncur mgm at starlingte
's what I currently have:
>
> The question is if it's not trivial for spammers to fake the MUA used...
No, I think the question is whether spammers are routinely in the habit of
faking the MUA used. (Regardless, I don't know the answer...)
--
michael moncur mgm at starlingtech.co
TECTED]>
From: customerservice <[EMAIL PROTECTED]>
Subject: A new game
This is a new game
This game is my first work.
You're the first player.
I expect you would enjoy it.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"If we don't change dir
ly be
spam, they're sending it in a very spammy way and the network tests are
flagging it. This is why I reduce the scores on all of the network tests
(except Razor) - too many false positives.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"
> I say why bother thinking? Hit 'D' and be done with it.
I guess it's my insatiable curiosity. Don't tell me I'm the only one who gets
these? Maybe I need to talk to some of my friends who have too much time on
their hands.
> C
>
> Michael Moncur wrote:
Trouble is, I've seen lots of spam lately sent using legitimate mailing list
software (i.e. Lyris). I definitely wouldn't use a score as low as -2 for any
of these.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"If we don't change direction soon
to add to a message to defeat SpamAssassin.)
My only other concern is that a few scores might be a bit high - for example,
CTYPE_JUST_HTML is at 4.459. This works for me, but I thought some people were
having false positives on this rule recently. It wouldn't hurt to wait and see
what people
ww.spamassassin.org where
contributed/optional rule files could be made available.
I agree that this would be a good way to handle the US-centric tests - heck,
then someone could even make a file of Thailand-centric tests that penalizes
messages for being in English...
--
michael moncur mgm at sta
T|HOME.?WORKER/i
describe HOME_EMPLOYMENT Information on home employment
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Misery no longer loves company. Nowadays it insists on it."
-- Russell Baker
"viagra" in the subject should be worth a higher score than "viagra" in the
body.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
__
HOME_EMPLOYMENT Information on home employment
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
> Actually, since that one's getting awfully big, perhaps the
> following would be
> a bet
, typically) won't count for
the body.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
score address@domain 2
to_score address2@domain -1
...
I suppose I could do this manually easy enough with header rules.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you either sink or swim or you
equired_hits to 7.0, which seems to work pretty well
with the current scores.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Research is the process of going up alleys to see if they are blind."
-- Marston Bates
_
am-Status header with a
shorter one - this is because the long list of tests in this header tends to
confuse Outlook and prevent the message flag display. The list of matched tests
will be in the spam report anyway.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Re
red negatively by the latest GA. Are you sure
it's strictly a spam tool?
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Research is the process of going up alleys to see if they are blind."
-- Marston Bates
_
> Did you play it? (or at least look at it more closely) Is it really a
> sound file? Some viruses lately are wandering around with different
> filenames and content-types. foo.exe and audio/wav, that sort of thing.
>
> (I'll bet that /http://www.starlingtech.com/
"Research is the process of going
l CGI URLs as spam.
> 2) All e-mail made with MS FrontPage is spam:
Didn't someone already add a rule for this?
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Research is the process of going up alleys to see if they
't think that's required) that
> passed by the filter.
Perhaps they're becoming more popular now, but in my archive of the last 500
spam messages I've received I didn't find a single occurrence of "ADV" or
"ADLT" in the subject. I found 5
rds could be individually scored with their level of, er, porniness...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Every journalist has a novel in him, which is an excellent place for it."
-- Russell Lynes
__
lient set to not bother notifying me with a
sound when spam comes through.
P.S. I have my spam threshold set to 7.0 now. While I've seen a few false
negatives, I have yet to see a single false positive in the last week using
this threshold. I think the 5.0 threshold is a bit low for the cur
I used
a bunch of low-scoring rules rather than fewer high-scoring rules to minimize
the chance of this.
To use, just drop 53_mlm.cf into your SpamAssassin rules directory. It
shouldn't interfere with anything else and installing a new SA release won't
remove the file.
--
michael
otherwise been missed.
To use, just drop 54_stocks.cf into your SpamAssassin rules directory. It
shouldn't interfere with anything else and installing a new SA release won't
remove the file.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"My theory of evolut
5.0
uri EM5000 /em5000\.net/i
describe EM5000 em5000.net:Frequent SPAM content
score EM5000 4.0
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"My theory of evolution i
pam phrases system still broken? Or were these left turned off by
mistake?
I believe the issues with really short messages getting high scores were fixed
and the system should be worth *something* now...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"
ld be added to SA itself since they're specific
to one spam source, but then things like "Monsterhut" and "mycasinobuilder.com"
are in there, so who knows.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Talk sense
Otherwise I'm inclined to just set my personal score for RELAYING_FRAME to 10,
there's no legitimate use for them as far as I'm concerned.
Incidentally, this message matched the LARGE_HEX rule for some reason, I have
no idea why, but that rule being scored negative doesn'
nd an obscure rock music reference:
"...just like the old man in that book by Nabokov"
--The Police, "Don't Stand So Close To Me"
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Talk sense to a f
keeps them? Does the
user you're testing spamassassin with have rights to read them?
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Talk sense to a fool and he calls you foolish." -- Euripides
___
ntical to doing things the normal way.
Ah, that makes sense. I'm going to add a separate personal rule to filter out
the messages with tags specifically - more of a virus
checker's job than SA's I suppose.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com
is should be submitted to
> sourceforge.
Ouch! I'm sorry, I had no idea their archive was as "beta" as that. Fortunately
Geocrawler's archive seems unharmed.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you ei
"-" isn't likely to be.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you either sink or swim or you don't." -- David Smith
> Agreed. If you file a bugzilla bug (bugzilla.spamassassin.org), it will be
> fixed.
Done, see bug # 146.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you either sink or swim or you don't."
uired=[0-9.]*
* ^X-Spam-Level: \*\*\*\*
| formail -I "X-message-flag: $MATCH"
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you either sink or swim or you don't." -- David Smith
lient (elm?) would
have this ability.
You could always turn on subject-munging and include the Hits in the subject -
any mail client should be able to sort by that, although it might consider "10"
lower than "6" due to alphabetic rather than numeric sorting.
--
michael monc
ight". However, if I
> use telnet and try to GET or POST it, I'm told it doesn't exist.
If anyone's worried about legal action against SpamAssassin, this is probably
just the sort of post that we should keep off this list...
--
michael moncur mgm at starlingtech.com
is)
would be greatly appreciated. I'll probably be ready to deploy it sometime next
month.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"In this business you either sink or swim or you don't." -- David Smith
___
y 5-6 during
the last month.
P.S. The message that scored 45.8 was a genuine "My wife Jody" message and
scored on Razor and a bunch of network tests too - none of my custom rules
affected that one.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Nobody ca
I know this really shouldn't be SpamAssassin's job since it's used more by
virii than by spam, but has anyone had any luck specifically detecting iframe
src=cid tags? Here's my current rule that tries to do so:
rawbody VIRUS_IFRAME_CID /http://www.starlingtech.com/
"Nobody ca
> I think the problem is you need to escape the <.
I tried adding a \ before the < and will see if it helps - I can't test this
since any test message I send works fine with the current regex, it's only the
actual virii that slip through.
< isn't anything special
hecked in):
>
> test VIRUS_IFRAME_CID ok [iframe src="cid:blah";]
But the test will match my rule just fine just like your message did, right?
Since it's not encoded in any way? (changed the <> in test above to avoid
hitting the rule again)
--
michael moncur mgm
the
whitelist isn't stored in the database. If it's just stored in path/username,
where username is the user passed to spamc to look up preferences, that would
be fine.
I may try to get a true SQL-based whitelist working myself when I have some
time.
--
michael moncur mgm at starlin
BJECT /LEAVE in the subject line/
describe LEAVE_SUBJECT Spam unsubscribe (LEAVE)
score LEAVE_SUBJECT 2.5
The vast majority of their messages do NOT have CC in the subject, so so much
for that one. They also tend to be otherwise low-scoring spam.
--
michael moncur
d =~ for header tests:
header SA_TALK List-Id =~ /.*spamassassin\-talk/
BTW, why not just do this?
all_spam_to [EMAIL PROTECTED]
That's what I do. (whitelist_to just doesn't remove enough points to let some
of the messages on this list through)
--
michael moncur
EMOVED_REPLY -2.150
score TO_UNSUB_REPLY -1.996
score WEB_BUGS -0.823
score X_MSMAIL_PRIORITY_HIGH -1.356
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Women who seek to be equal with men lack ambition." -- Tim
triplets.txt I have is in the CVS distribution directory.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Inform all the troops that communications have completely broken down."
-- Ashleigh Brilliant
___
se that slip through would have
been caught with a threshold of 5.0 anyway.
I haven't had a false positive in about a month, but I do have to carefully
whitelist mailing lists and vendor mail.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"It is better to ha
les/triplets.txt" to simply "triplets.txt" in the Makefile and
make install worked fine.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I always wanted to be somebody, but I should have been more specific."
'm no perl wizard.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I have learned to use the word `impossible' with the greatest caution."
-- Wernher von Braun
> On Thursday 25 Apr 2002 4:34 pm, Sean Harding wrote:
> > On Thu Apr
number
Wasn't ORDER_STATUS supposed to be a negative-scoring rule?
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-fourths of ourselves to be like other people."
-- Arthur Schopenhauer
___
ncreased much over the current 2.0, though, since DCC is really a measure
of "bulkness" rather than spammishness, and without a good whitelist it
could lead to false positives.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-fourths
the international regulations on SPAM, an e-mail
cannot be considered SPAM as long as it includes a way to be removed.
If you do not wish to receive any more of these e-mails, please click HERE
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-
ddy and register.com to custom
addresses now...
(I also use addresses like this to register at untrusted web sites - not for
authentication, but to know who to blame and which address to convert to a
spamtrap if I start getting spam.)
--
michael moncur mgm at starlingtech.com http://www.starli
I've received from mailing lists during this time has
been listed in DCC, although I'm sure this does happen with higher-volume
lists.
I'm going to raise the DCC score to 3.0 myself, since my threshold is 7.0
and I whitelist all of my mailing lists. This will supplement Razor nicely
essage from the pop-up item
browser.
I believe both of these methods also work in Outlook 97 but I could be
wrong.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-fourths of ourselves to b
I ran some quick macros on the current RATWARE test and came up with the
attached "20_ratware.cf" file with each mailer in its own rule. I haven't
included scores - perhaps this could be thrown into the next GA run if it's
worthwhile.
--
michael moncur mgm at sta
Perhaps a count
higher than 3 would be better?
Second, the @porn_words Daniel posted doesn't include all of the words that
PORN_3 does. It's missing everything from, er, "whore" to "titties" in the
current CVS.
I'm sure it's better than the current PORN_3 regar
gs over the threshold.
Perhaps after testing it might be good to have a separate LOTS_OF_PORN_3
rule that checks for a higher number...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-fourths
e.
This is not necessarily a bad thing but the threshold should definitely be
something larger than 3.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"We forfeit three-fourths of ourselves to be like other people."
-- Arthur Schopenhauer
ad
an optional eval rule that calls FPROT or sophos or another easily
available, regularly updated virus scanner. Heck, there's even an
open-source one in development:
http://www.openantivirus.org/
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"The ships hun
th a lot of email clients, the second you make *any* font change --
> italics, color, bolding -- it becomes an HTML message.
I believe the "HTML check" in question is a check for Content-type:
text/html ONLY. Outlook, in particular, always includes a text version in a
multiple-part messa
occasions where the AWL causes false negatives.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"The ships hung in the sky in much the same way that bricks don't."
-- Douglas Adams
t looks like it. I
don't know why this is missing from the right-click menu.
I personally use a special IMAP mailbox to report spam. I move the spam to
that folder, and a cron job grabs it every few minutes, runs spamassassin -r
on it, and returns it to my spam archive folder.
--
m
't use whitelist_to because a score of 6.0 isn't enough to
completely "opt out".
Have you considered that SA in its default configuration is an "opt in"
system anyway? Since it marks messages and doesn't filter them, you could
run it sitewide and let users o
Same here. Appears to be a typo - here's the fix:
Line 81:
if ($self->{conf}->{check_mx_attempts) < 1) {
Should be:
if ($self->{conf}->{check_mx_attempts} < 1) {
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Research is the process
If they're all coming from a similar source (i.e. a mailing list) you might
be better off whitelisting rather than changing scores.
If you're getting false positives with really high scores, you might let us
know which rules they're hitting, as the rules might need work.
-
m,
@paypal.com, and @amazon.com addresses are becoming all too common in
spam...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"Research is the process of going up alleys to see if they are blind."
too, but I doubt spammers bother.
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"My sources are unreliable, but their information is fascinating."
-- Ashleigh Brilliant
___
Have bi
me as whitelist_from but
can have its own score, and use default_whitelist_from in 60_whitelist.cf.
That way (a) anyone can turn off the default whitelist with a single score
entry in a preference file, and (b) spam reports will refer to the "default
whitelist" so it's easy to diag
DVERT_CODE Subject =~ /(?:^\s*|\s+|\[)(?:ADV|cc)[:\]]/i
describe ADVERT_CODE Subject: contains advertising tag
This would also catch the "cc:" that many spam subjects start with. I see
more of these than ADV: these days.
--
michael moncur mgm at sta
EAVE_SUBJECT Spam unsubscribe (LEAVE)
score LEAVE_SUBJECT 2.5
I don't recommend them for SA in general since they're only matched by one
spammer who are bound to change their name (again) before too long.
--
michael moncur mgm at starlingtech.com
O_BE_REMOVED_REPLY 0 # -2.150
score TO_UNSUB_REPLY 0 # -1.996
score WEB_BUGS 2.0 # -0.823
score X_MSMAIL_PRIORITY_HIGH 0 # -1.356
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"
ore or less random score because
there weren't many non-spam ebay questions in the corpus. There certainly
isn't a single spam message with "Question for seller" in the subject in my
archive of the last 5,000 spams I've received.
--
michael moncur mgm at starlingtech.co
e this (in Outlook) as my only spam protection and it caught 90% of spam,
but then the spammers got smart and it stopped working very well at all.
That's when I switched to SpamAssassin...
--
michael moncur mgm at starlingtech.com http://www.starlingtech.com/
"I have often depend