Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread Daryl C. W. O'Shea
[EMAIL PROTECTED] wrote: In an older episode (Thursday 14 April 2005 00:54), Theo Van Dinter wrote: In this case, however, it's not clear if he's running something like a Fedora RPM version of SpamAssassin where he could just go ahead and update at will, or if it's something like Barracuda/etc, wh

Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread mewolf1
In an older episode (Thursday 14 April 2005 00:54), Theo Van Dinter wrote: > In this case, however, it's not clear if he's running something like a > Fedora RPM version of SpamAssassin where he could just go ahead and update > at will, or if it's something like Barracuda/etc, where you really can'

Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread Theo Van Dinter
On Wed, Apr 13, 2005 at 06:37:19PM -0400, Matt Kettler wrote: > Theo, from reading the bugzilla report the fix in question isn't even > in a released version of SA (yet) and only in SVN head.. Dan said it was > fixed in head on /2005-01-28, and there have been no releases since / > 2004-12-16 (3.0

Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread Matt Kettler
Theo Van Dinter wrote: >On Thu, Apr 14, 2005 at 12:08:16AM +0200, [EMAIL PROTECTED] wrote: > > >>how would you apply the (apparently existing) fix to an existing SA 3.* >>installation where SA comes from a distributor? can the affected perl module >>be installed via a CPAN shell for example? >

Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread Theo Van Dinter
On Thu, Apr 14, 2005 at 12:08:16AM +0200, [EMAIL PROTECTED] wrote: > how would you apply the (apparently existing) fix to an existing SA 3.* > installation where SA comes from a distributor? can the affected perl module > be installed via a CPAN shell for example? If you're running a version of

Re: Need for a new rule?

2005-04-13 Thread Craig McLean
Andreas Davour wrote: [snip] | Are there any rule for this? Would one be hard to design? I haven't seen | anything about is in the documentation. OR, I haven't understood what | I've read... I just wrote a bunch of obfu-rules with negative lookaheads an

uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread mewolf1
http://bugzilla.spamassassin.org/show_bug.cgi?id=4111#c12 how would you apply the (apparently existing) fix to an existing SA 3.* installation where SA comes from a distributor? can the affected perl module be installed via a CPAN shell for example?

Re: Need for a new rule?

2005-04-13 Thread Matt Kettler
Joe Kletch wrote: > >>> >>> >>> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i >>> >> >> > > I added this rule a while back and removed the yahoo and it seems to > help--but only adds 1.0 to the score and it wasn't enough to put the > mail over my threshold of 3.5. How would I incre

Re: Need for a new rule?

2005-04-13 Thread Joe Kletch
On Apr 13, 2005, at 3:49 PM, SRH-Lists wrote: There have been several threads about this specific spammer in the last few months. Some of them with this exact question - mostly the answer is no. e mail with No Thanks in the subject to st0ck62 @ yahoo.com It is much easier to match on this email

RE: Need for a new rule?

2005-04-13 Thread SRH-Lists
> While generic tests for character/letter obfuscation are > difficult, this > guy is pretty predictable. > > body SRH_PENNY2 /(?:e\s*mai\||mi[|l]{2}ions|resu\|ts|wi[|l]{2})/ > > Add your own l->| words to this list, although he hasn't failed to use > one in the list above in each one of hi

procmail and sieve working together..

2005-04-13 Thread John Rutherford
I have been playing around with SA on a test server since I got it running on friday. I have searched google and the archive for this mailing list on gmane but have been unable to find a working solution for my problem. My mail server runs fetchmail which delivers pop'd mail to a postfix 2.2.

RE: Need for a new rule?

2005-04-13 Thread martin smith
M>-Original Message- M>From: Andreas Davour [mailto:[EMAIL PROTECTED] M>Sent: 13 April 2005 21:23 M>Cc: users@spamassassin.apache.org M>Subject: Need for a new rule? M> M> M>The following message have many characteristics in common with much M>spam I've been getting lately. It's about inve

RE: Need for a new rule?

2005-04-13 Thread SRH-Lists
> There have been several threads about this specific spammer > in the last > few months. Some of them with this exact question - mostly > the answer > is no. > > > e mail with No Thanks in the subject to st0ck62 @ yahoo.com > > It is much easier to match on this email address with someth

Re: Need for a new rule?

2005-04-13 Thread Stuart Johnston
Andreas Davour wrote: The following message have many characteristics in common with much spam I've been getting lately. It's about investments, often shares, stock options or oil. One odd thing about those messages is that they all, like the one quoted below, have the letter 'l' substituted for

Re: SA randomly sucking up huge amounts of memory

2005-04-13 Thread Justin Mason
Have you checked for corrupt or gigantic auto-whitelist files? Many of the other reports have noted that... --j. Dennis Skinner writes: > Hello all, > > Searched SA's website and google and scanned the past several weeks of > emails to this list

SA randomly sucking up huge amounts of memory

2005-04-13 Thread Dennis Skinner
Hello all, Searched SA's website and google and scanned the past several weeks of emails to this list without luck. I hope someone can help me out. A week or two ago, SA started randomly sucking up huge amounts of memory in one or more of the spamd children. I added the --max-conn-per-child=2

Need for a new rule?

2005-04-13 Thread Andreas Davour
The following message have many characteristics in common with much spam I've been getting lately. It's about investments, often shares, stock options or oil. One odd thing about those messages is that they all, like the one quoted below, have the letter 'l' substituted for the pipe character i

Re: Removing SA headers

2005-04-13 Thread .rp
On 12 Apr 2005 at 13:51, Matt Kettler wrote: > No, you can use a procmail rule to funnel the non-spam messages into > spamassassin -d, which will remove the markup. > Thank you, that is what I did, :0fw:clearSA.lck * ^X-Spam-Status: No | spamassassin -d

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Marisabel Rodríguez
Thanks a lot! M. [EMAIL PROTECTED] wrote: In an older episode (Wednesday 13 April 2005 20:47), Marisabel Rodríguez wrote: Hello, how can I do for unsubscribe me? the headers of each mail that i receive from this list contain the line: list-unsubscribe:

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Matt Kettler
Marisabel Rodríguez wrote: > Hello, > how can I do for unsubscribe me? > I searched in the site but I didn't find anything. > Best regards, > M. Try reading the message headers for any message on the list: list-unsubscribe: This is the RFC compliant way to advertise

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 20:47), Marisabel Rodríguez wrote: > Hello, > how can I do for unsubscribe me? the headers of each mail that i receive from this list contain the line: list-unsubscribe:

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Marisabel Rodríguez
Hello, how can I do for unsubscribe me? I searched in the site but I didn't find anything. Best regards, M. Vivek Khera wrote: On Apr 13, 2005, at 2:25 PM, Matt Kettler wrote: Besides, it's also easy for spam to get a "real" SPF_PASS. Just export a record for spammerdomain.com which passes everythi

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Vivek Khera
On Apr 13, 2005, at 2:25 PM, Matt Kettler wrote: Besides, it's also easy for spam to get a "real" SPF_PASS. Just export a record for spammerdomain.com which passes everything. Funny thing is that I *literally* could do that if I wanted to... But I don't... we don't accept mail for spammerdomain.

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Matt Kettler
Loren Wilton wrote: > >SPF_HELO_PASS, > >This might well be a negative scoring rule. Spam usually shouldn't be able >to get an SPF_PASS rating. > Dude... SPF_HELO_PASS is an informational rule ONLY. It's there to act as a debugging aid to an admin using SPF for the first time. This rule based o

Re: sa-learn - bayes training...

2005-04-13 Thread Kevin Peuhkurinen
Jean Caron wrote: Folks, I searched the archive, tried different things, yet I need to ask a few questions. I'm running SA 3.0.2 with Qmail/QQ 1.25, and procmail, on linux. Works great. Bayes auto-learns ok, I run sa-learn from a "dedicated" user every night for ham and spam. My logs show how ma

yet another Sendmail filter for SpamAssassin daemon spamd

2005-04-13 Thread Eugene Kurmanin
Hello, all. I decide to publish my own filter for Sendmail, which use the Milter API. It has only the most necessary in the real life opportunities: 1. Except from scan the messages which greater than defined size; 2. Except from scan the hosts/networks (white list); 3. Mark subject if SPAM detec

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Kelson
Loren Wilton wrote: SPF_HELO_PASS, This might well be a negative scoring rule. Spam usually shouldn't be able to get an SPF_PASS rating. It can easily get one if it's sent *from the spammer's own domain* and they set up SPF records for it. Remember, SPF and Domain Keys are *anti-forgery* technol

sa-learn - bayes training...

2005-04-13 Thread Jean Caron
Folks, I searched the archive, tried different things, yet I need to ask a few questions. I'm running SA 3.0.2 with Qmail/QQ 1.25, and procmail, on linux. Works great. Bayes auto-learns ok, I run sa-learn from a "dedicated" user every night for ham and spam. My logs show how many msgs were i

Local 419 mail rule set. Take 2.

2005-04-13 Thread Craig McLean
Anyone spot the deliberate mistake? :-( Craig. - This time with the attachment. - Dear list, I've got a few local rules which I use to supplement the basic SA installation (3.0.2), but I don't really have a sizeable ham/spam corpus to test them aga

Re: Local 419 mail rule set.

2005-04-13 Thread Brook Humphrey
On Wednesday 13 April 2005 08:00 am, Craig McLean wrote: > Dear list, > I've got a few local rules which I use to supplement the basic SA > installation (3.0.2), but I don't really have a sizeable ham/spam corpus > to test them against. Also, I'm aware that there will likely be some > cross-over wi

Local 419 mail rule set.

2005-04-13 Thread Craig McLean
Dear list, I've got a few local rules which I use to supplement the basic SA installation (3.0.2), but I don't really have a sizeable ham/spam corpus to test them against. Also, I'm aware that there will likely be some cross-over with the SARE ruleset,

Re: Recommendation on SARE rules to add.

2005-04-13 Thread Jesse Houwing
-Original Message- From: Jeff Chan <[EMAIL PROTECTED]> To: users@spamassassin.apache.org Date: Wed, 13 Apr 2005 00:42:26 -0700 Subject: Re: Recommendation on SARE rules to add. > On Tuesday, April 12, 2005, 10:24:54 PM, Robert Markin wrote: > > SA 3.0 > > > I was wondering if anybody had

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Kevin Peuhkurinen
Loren Wilton wrote: 1. Why did it get SPF_PASS if it is spam? Nice analysis, Loren. The only nit-pick I would make is that many spammers have valid SPF records set up, usually I believe "v=spf1 +all". A quick grep through my last 4000 spams shows 345 with SPF_PASS hits. That is actually

spamassassin+ldap

2005-04-13 Thread usha chowdary

RE: random rudeness!

2005-04-13 Thread Gray, Richard
> This really belongs in some kind of spam-fighting FAQ or > howto somewhere. I smell a wiki page! R

logging to mysql, splitting up the fields

2005-04-13 Thread Philipp Snizek
Hi I log the maillog to a mysql table using syslog-ng. I could split up the below line to time,date,host,msg (time,date,host are missing in this example - only msg is visible). spamd[29483]: result: Y 3 - FORGED_RCVD_HELO,MISSING_MIMEOLE,NO_RDNS2,SMILEY,VOWEL_FROM_7 scantime=0.4,size=2439,mid=

Re: random rudeness!

2005-04-13 Thread Jeff Chan
On Tuesday, April 12, 2005, 8:31:53 AM, List User wrote: >>... >> >>List Mail User wrote: >>> Did either of you try listing himlove. com (invalid telephone/fax), >>> or notice that the contacts' email is from a non-existent domain, >>> heroutside. com. Or that the name servers in carr821. com

RE: Recommendation on SARE rules to add.

2005-04-13 Thread Gray, Richard
> -Original Message- > From: Robert Markin [mailto:[EMAIL PROTECTED] > Sent: 13 April 2005 06:25 > To: users@spamassassin.apache.org > Subject: Recommendation on SARE rules to add. > > SA 3.0 > > I was wondering if anybody had a recommendation for a initial > SARE set of rules to add.

Re: Recommendation on SARE rules to add.

2005-04-13 Thread Jeff Chan
On Tuesday, April 12, 2005, 10:24:54 PM, Robert Markin wrote: > SA 3.0 > I was wondering if anybody had a recommendation for a initial SARE set > of rules to add. I am not exactly satisfied with my amount of FN's > currently. Any ideas would be appreciated. > Robert It might be helpful to se

inplace scan on maildir

2005-04-13 Thread Paul
Hello! I'd like to run SpamAssassin on my mail. It's stored locally, in Maildir format. I'd like SpamAssassin to modify the message headers in-place. Specifically, I don't want to use procmail or similar systems. Is this possible? System info: * Remote mailserver. * Sync email using OfflineIM

RE: about SPF

2005-04-13 Thread martin smith
M> M>Martin, the mail didn't go through the same server. Is it possible M>that you've omitted 212.250.162.17 from your list of trusted_networks? M>This would cause an SPF failure. M> M>When I set my trusted_networks to 212.250.162.0/24 and run these M>messages through, they both get SPF_PASS.

Recommendation on SARE rules to add.

2005-04-13 Thread Robert Markin
SA 3.0 I was wondering if anybody had a recommendation for a initial SARE set of rules to add. I am not exactly satisfied with my amount of FN's currently. Any ideas would be appreciated. Robert

RE: SQL install with mSQL driver

2005-04-13 Thread Gary W. Smith
Michael, You're 100% on the money. I went back and found that the version table was empty. I populated it with "3" and it magically works. One more item for our intrawiki. That's curveball with the missing entry just had me all messed up. Thanks, Gary Wayne Smith -Original Message

RE: SQL install with mSQL driver

2005-04-13 Thread Gary W. Smith
http://spamassassin.apache.org/dist/sql/README Clearly states: DBI-1.20 Msql-Mysql-modules-1.2219 perl v5.6.1 Are for the database I did complete export of the production data structure and then imported it into the new mysql database for testing. But I think you're on to something. I pointed t

Re: SQL install with mSQL driver

2005-04-13 Thread Michael Parker
On Tue, Apr 12, 2005 at 06:59:27PM -0700, Gary W. Smith wrote: > > I have installed DBD::mysql and it still doesn't work. The install file > says that DBD::mSQL is required and the options that I specified when we > installed it was for mysql (as the mSQL driver is covers it as well). > Can you

Re: SQL install with mSQL driver

2005-04-13 Thread alan premselaar
Gary W. Smith wrote: Alan, I have installed DBD::mysql and it still doesn't work. The install file says that DBD::mSQL is required and the options that I specified when we installed it was for mysql (as the mSQL driver is covers it as well). It's funny though that AWL is logging to the DB. Also,

RE: SQL install with mSQL driver

2005-04-13 Thread Gary W. Smith
Alan, I have installed DBD::mysql and it still doesn't work. The install file says that DBD::mSQL is required and the options that I specified when we installed it was for mysql (as the mSQL driver is covers it as well). It's funny though that AWL is logging to the DB. Also, something to note,

Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-13 Thread Kenneth Porter
--On Tuesday, April 12, 2005 7:29 PM -0400 Matt Kettler <[EMAIL PROTECTED]> wrote: I don't see them (yahoo) marketing it as an anti-spam solution. They market it as a tool to solve problems that anti-spam efforts face (spoofing). http://antispam.yahoo.com/domainkeys/ Wouldn't it be better to host

Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
Sorry, for some reason Kmail shows the text in my 2 previous mails only when viewing the message source, some MIME problem apparently. So once more: In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote: > Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED],

Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote: > Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED], and I'|| f1nd > a 600D horme 4 them... > > (Not the entire spam emails, please -- just the obfuscations.) I just sent you obfuscations privately off

Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote: > Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED], and I'|| f1nd > a 600D horme 4 them... > > (Not the entire spam emails, please -- just the obfuscations.) I just sent you mine off list, is that wha

RE: Gateways, analyze first, insert into bayes later ?

2005-04-13 Thread Matt Yackley
Herold Heiko said: >> From: Matt Yackley [mailto:[EMAIL PROTECTED] >> Are you using a sitewide bayes DB? This may affect your > > I will at first, I need to start as soon as possible, This should be a bit easier to manage and quicker to setup and you may find that it works well enough to skip tr

Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread Robert Menschel
Hello Keith, Tuesday, April 12, 2005, 6:10:38 PM, you wrote: KI> Robert Menschel wrote: >> The question is how intelligent do you want to make the rule(s). If >> you want something like >> >> body L_PIPE m'\w\w\|\w\w' >> body L_ZER0 m'\w\w0\w\w' >> body L_VEEE m'\\/\w' >> body L_

Re: SQL install with mSQL driver

2005-04-13 Thread alan premselaar
Gary W. Smith wrote: Hello, I’m using 3.0.x on RHEL 3 right now in our production environment and was looking at setting up a new test environment. We use MySQL for the common bayes DB which is working well for us in production. Today I tried installing the same packages for Perl that I did for

Re: Arithmetic score for replaced O's and I's?

2005-04-13 Thread Keith Ivey
Robert Menschel wrote: The question is how intelligent do you want to make the rule(s). If you want something like body L_PIPE m'\w\w\|\w\w' body L_ZER0 m'\w\w0\w\w' body L_VEEE m'\\/\w' body L_ m'\w/\\\w' body L_LONE m'\w\w1\w\w' meta L_OBFU2 L_PIPE + L_ZERO + L_VEEE + L_ +

Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread Robert Menschel
Hello Matt, Tuesday, April 12, 2005, 12:08:01 PM, you wrote: MT> On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote: >> Hello, >> I believe I asked for this a few days ago and was told that I would need >> to write a plugin to do this =) MT> Hmmm...shouldn't have to. I know the

Re: Rules to identify simplified and traditional chinese character sets

2005-04-13 Thread Loren Wilton
> This code fragment illustrates how I do this for Internet headers: > > header CHINESE_WL_1 Content-Type =~ /gb2312/i > describe CHINESE_WL_1 White list Simplified Chinese > > Does anyone know how to create a rule to detect these codes in a mime > header? There was talk on the dev list a

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Loren Wilton
> I assume that "negatively-scored" means that it is less likely to be spam, > correct? Yes. Specifically it means a rule with a negative score value. High positive scores (over some threshold value, usually 5.0) indicate spam. This score is usually an accumulation of smaller score values from va

Re: Arithmetic score for replaced O's and I's?

2005-04-13 Thread Loren Wilton
> > I believe I asked for this a few days ago and was told that I would need > > to write a plugin to do this =) > > Hmmm...shouldn't have to. I know the basic layout of what it should > look like, I just suck at regex. It should be similar to below... > > body CHECK_1 (SOME REGEX I DON'T KNOW

Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread Loren Wilton
> A few days ago I suddenly started having spam get through just like the bad > days prior to my upgrade. Is there some way for me to figure out why SA is > not doing its thing for me? Always ask: what changed? Probably the rules because you are using RDJ, in this case. HOW OFTEN are you callin