Re: Rule Advice

On Jul 15, 2005, at 3:19 PM, Loren Wilton wrote:If that username starts with six digits, it hits that rule, as shown in Loren's example. Ah, here is the From header: From: 360° Skin Care <[EMAIL PROTECTED]> Not 6 digits, but maybe the degree symbol is contributing. I'll advise notto start the us

Re: Fedora changed SpamAssassin default level to 7?

Kelson wrote: > Ah, yes, the classic "I hate X, but I'd rather rant about it on my front > porch than tell the people who can actually do something about it" > stance. Eh...I can sort of see both sides. I hate projects that hide behind Bugzilla, which has quite possibly the worst user interface I

Re[2]: Does SA 304 look for these HTML tricks?

Hello Matt, Dr. Young, Friday, July 15, 2005, 10:40:03 AM, you wrote: MK> Dr Robert Young wrote: >> . >> {whatever} MK> Those should both trip HTML_FONT_SIZE_TINY. MK> Unfortunately, that's a low scoring rule due to some FPs and limited number of MK> spam hits in the 3.0 corpus. The FPs ma

Re: I am NOT a spammer

Don Levey wrote: > 1) Segregate dynamic IPs into one netblock, static IPs into another. I think as we get closer and closer to running out of IPv4 addresses, this is going to get less and less common. A lot of places can no longer afford to have IPs sitting around unused because of subnetting.

Re: Does SA 304 look for these HTML tricks?

> Forcing the negative-scoring rules to run first causes SA to have to scan the > whole body twice, (once for the negatives, then once for the positives) which > nullifies the speed benefits. If SA did a pass-per-rule you could sort the > passes and speed it up, but AFAIK SA does the body rules in

Re: Does SA 304 look for these HTML tricks?

> I have a " font size=+0" & "font size=1" sample, and from what I can "font size=+0" and "font size=0" are not the same thing. The first one sets a relative font size. In this case it is an unchanged relative value, which is pretty stupid and useless, but certainly not illegal. The font would

Re: Rule Advice

> If that username starts with six digits, it hits that rule, as shown > in Loren's example. > > Ah, here is the From header: > > From: 360° Skin Care <[EMAIL PROTECTED]> > > Not 6 digits, but maybe the degree symbol is contributing. I'll advise not to > start the username with 360°. No, you misun

Re: Penny stocks, microcaps, etc.

> The spams I've seen contain a LARGE disclaimer, with granted a FEW > typos. Does any of this help anyones rules? Yes, that is a good source for rules. Some of the SARE rules for this are based on some ruels I wrote, and they were looking for interesting phrases and spellings in that discalimer.

Re: this receive line only in spam

Chris Santerre wrote on Fri, 15 Jul 2005 14:24:55 -0400: > I played too much PSP and it has effected my brain pod :) Well, have a nice weekend with or without the PSP :-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http:/

Re: rawbody or body

Tim Macrina wrote: Can anyone explain to me what the difference is between rawbody and body when writing spamassassin rules. Theo, etc explained the difference between rawbody and body quite well. I won't re-iterate that. > I am currently using body for > most of my body rules but I did fi

Re: Does SA 304 look for these HTML tricks?

Dr Robert Young wrote: I have a " font size=+0" & "font size=1" sample, and from what I can tell in the report, this rule is not being hit. But I thought there were some "small font" rules included. Hence ( at least in part) my question. Being fairly new to SA, does it go through "each and ev

Re: rawbody or body

- Original Message - From: "Tim Macrina" <[EMAIL PROTECTED]> Can anyone explain to me what the difference is between rawbody and body when writing spamassassin rules. I am currently using body for most of my body rules but I did find one that was not working. I was looking for a specifi

Re: rawbody or body

On Fri, Jul 15, 2005 at 03:14:08PM -0400, Tim Macrina wrote: > Can anyone explain to me what the difference is between rawbody and > body when writing spamassassin rules. I am currently using body for It's pretty well documented, but basically there's 3 states of message: - pristine, used for ful

rawbody or body

Can anyone explain to me what the difference is between rawbody and body when writing spamassassin rules. I am currently using body for most of my body rules but I did find one that was not working. I was looking for a specific html tag and it did not work but when I changed it to rawbody it worked

Re: Does SA 304 look for these HTML tricks?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Theo Van Dinter writes: > On Fri, Jul 15, 2005 at 01:40:03PM -0400, Matt Kettler wrote: > > Those should both trip HTML_FONT_SIZE_TINY. > > Unfortunately, that's a low scoring rule due to some FPs and limited number > > of spam hits in the 3.0 corpu

Re: Does SA 304 look for these HTML tricks?

I have a " font size=+0" & "font size=1" sample, and from what I can tell in the report, this rule is not being hit. But I thought there were some "small font" rules included. Hence ( at least in part) my question. Being fairly new to SA, does it go through "each and every" rule and test lis

RE: this receive line only in spam

> -Original Message- > From: Kai Schaetzl [mailto:[EMAIL PROTECTED] > Sent: Friday, July 15, 2005 1:15 PM > To: users@spamassassin.apache.org > Subject: Re: this receive line only in spam > > > Chris Santerre wrote on Fri, 15 Jul 2005 11:59:33 -0400: > > > That subnet is listed in spew

Re: Net::DNS and Spamassassin

On Thu, 14 Jul 2005, Matthias Fuhrmann wrote: > On Thu, 14 Jul 2005, Jose Hidalgo wrote: > > > OS: FreeBSD 4.9-RELEASE-p12 > > > > p5-Mail-SpamAssassin-3.0.4 > > p5-Net-DNS-0.51 > > razor-agents-2.72 > > perl-5.8.7 > > > > When trying to report a message it fails with the following error: > > > >

Re: Does SA 304 look for these HTML tricks?

On Fri, Jul 15, 2005 at 01:40:03PM -0400, Matt Kettler wrote: > Those should both trip HTML_FONT_SIZE_TINY. > Unfortunately, that's a low scoring rule due to some FPs and limited number > of spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution > based. *shrug* Legit senders u

Re: Does SA 304 look for these HTML tricks?

Dr Robert Young wrote: . {whatever} Those should both trip HTML_FONT_SIZE_TINY. Unfortunately, that's a low scoring rule due to some FPs and limited number of spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution based. *shrug* inserting "" in the middle of "key word

Re: Rule Advice

wrote on Fri, 15 Jul 2005 09:52:26 -0700: > Not 6 digits, but maybe the degree symbol is contributing. I'll > advise not to start the username with 360°. That degree sign isn't allowed unescaped in there anyway. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Service

Re: Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

The Doctor wrote on Fri, 15 Jul 2005 10:03:10 -0600: > 1) I do have user-configs that have whitelists but it seems to have next to > no >effect. What could be wrong? what about details? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactiv

Re: this receive line only in spam

Chris Santerre wrote on Fri, 15 Jul 2005 11:59:33 -0400: > That subnet is listed in spews. Block away! Spews is not reliable at all, don't use it for blocking! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & h

Re: Distinguishing between mail that is "almost certainly" or "pr obably" spam

On 7/12/05, Kang, Joseph S. <[EMAIL PROTECTED]> wrote: > Richard, I didn't think this was possible either but I just tried it. > > What I did was create a rule to look for "X-Spam-Level: " in > the message headers. I had some messages that had scored over 15 and one > that was aro

Re: Does SA 304 look for these HTML tricks?

Dr Robert Young wrote: . {whatever} inserting "" in the middle of "key words" When you pass an email through SpamAssassin with things like the above in it, do you see any tests hit?

Re: Rule Advice

On Jul 14, 2005, at 6:05 PM, Robert Menschel wrote:header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i The email address used in the From header begins with 6 (or more) digits. it's not hitting on 360SkinCare.com, but on the user part of the email address (doesn't even look at the domain

Does SA 304 look for these HTML tricks?

. {whatever} inserting "" in the middle of "key words" Dr. Robert Young ALI Database Consultants 1151 Williams Dr Aiken SC 29803 USA WWW: http://www.aliconsultants.com Tele: 1-803-648-5931 Toll free in US: 1-866-257-8970 Fax:1-803-64

Re: this receive line only in spam

>... > >FYI, >I got another receive line here that occurs only in spam, with always the >same ip-segment (not the ip-address that actually delivers the mail). >First I tagged it with SA but now I block the mail in postfix, 15% less >spam!. >Maybe somebody recognizes these lines. It's the second rec

Re: Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

The Doctor wrote: 1) I do have user-configs that have whitelists but it seems to have next to no effect. What could be wrong? Is your SA being *executed* as those users? 99% of site-wide configurations run as one user only, usually root,mail, or nobody. SpamAssassin does not look at th

Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

1) I do have user-configs that have whitelists but it seems to have next to no effect. What could be wrong? 2) 3.1.0 and BSDes. The ruid problem, will that be adddressed in 3.1.0 pre4? -- Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED] God Queen and

RE: this receive line only in spam

> -Original Message- > From: Menno van Bennekom [mailto:[EMAIL PROTECTED] > Sent: Friday, July 15, 2005 10:41 AM > To: users@spamassassin.apache.org > Subject: Re: this receive line only in spam > > > FYI, > I got another receive line here that occurs only in spam, > with always the >

RE: Penny stocks, microcaps, etc.

> -Original Message- > From: Evan Platt [mailto:[EMAIL PROTECTED] > Sent: Friday, July 15, 2005 11:09 AM > To: spamassassin-users@incubator.apache.org > Subject: Re: Penny stocks, microcaps, etc. > > > At 10:04 PM 6/23/2005, you wrote: > >Sare's obfuscation rule set is doing a pretty go

Re: GIF attachments

At 09:33 AM 7/15/2005, Dr Robert Young wrote: Is there a good way to handle spam where the bulk of the "ad" is a image file (jpg, gif, etc) that is attached to the email so that it "displays" when the user opens the email? See my reply under: "Re: Tag all emails with gif, jpg, tif, or tiff?"

Re: this receive line only in spam

FYI, I got another receive line here that occurs only in spam, with always the same ip-segment (not the ip-address that actually delivers the mail). First I tagged it with SA but now I block the mail in postfix, 15% less spam!. Maybe somebody recognizes these lines. It's the second receive line, an

RE: SPAMD dies

Title: SPAMD dies What user is spamd running as? I'm guessing its a permissions problem. These always seem to be permission based problems.   If we wait long enough, Matt will post a FAQ worthy answer ;)   --Chris -Original Message-From: Thomas Kinghorn [MTNNS -Rosebank] [mai

Re: GIF attachments

Dr Robert Young wrote: Is there a good way to handle spam where the bulk of the "ad" is a image file (jpg, gif, etc) that is attached to the email so that it "displays" when the user opens the email? Dr. Robert Young ALI Database Cons

GIF attachments

Is there a good way to handle spam where the bulk of the "ad" is a image file (jpg, gif, etc) that is attached to the email so that it "displays" when the user opens the email? Dr. Robert Young ALI Database Consultants 1151 Williams Dr

RE: I am NOT a spammer

Loren Wilton wrote: > Now, I grant IPV6 is a different problem. But this particular case > should be trivially solvable if anyone felt it was worth solving. > > Loren I agree that it wouldn't be a tough problem to solve if it were necessary to do so. But that seems like too much overhead

Re: How can I correct this FalsePositive?

Sander Holthaus - Orange XL wrote on Fri, 15 Jul 2005 13:13:19 +0200: > because > their mail looks needlessly spammish. Not from their point of view. It's an advertisement with some "value-added" stuff (the weather foreacast). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Int

Re: Unsubscribing

Ron McKeating wrote on Fri, 15 Jul 2005 11:08:02 +0100: > Is my suggestion of > having a "don't send me any traffic for x weeks" option viable ? There are list managers which allow you to indefinitely suspend your subscription without unsubscribing, f.i. Mailman. I don't know if ezmlm (I think

Re: Unsubscribing

On Friday 15 July 2005 12:05, Loren Wilton typed: > > Is there information somewhere else > > that tells people how to unsubscribe from the list. > > Yes, its hidden in the headers of the messages from the list, where most > rational people won't think to look. I guess they did that as a test, > s

RE: How can I correct this FalsePositive?

Kai Schaetzl wrote: > Thomas Booms wrote on Fri, 15 Jul 2005 10:29:35 +0200: > >> Content analysis details: (2.2 points, 2.0 required) > > Your problem is this setting. You should know by now from > following the list that this is stupid. So, why do you do that and > then ask for help? Set your

Re: How can I correct this FalsePositive?

* Loren Wilton wrote (07/15/05 12:02): >> X-Spam-Status: Yes, score=2.2 required=2.0 > tests=HTML_BACKHAIR_8,HTML_MESSAGE, >> HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4 > > The easiest way to eliminate this FP would be to take your spam threshold > back to 5, or at least someth

Re: Unsubscribing

> Is there information somewhere else > that tells people how to unsubscribe from the list. Yes, its hidden in the headers of the messages from the list, where most rational people won't think to look. I guess they did that as a test, since this list is supposed to be for mail admin (or at least

Re: How can I correct this FalsePositive?

> X-Spam-Status: Yes, score=2.2 required=2.0 tests=HTML_BACKHAIR_8,HTML_MESSAGE, > HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4 The easiest way to eliminate this FP would be to take your spam threshold back to 5, or at least something close to that. The rules that hit on this ma

Re: How can I correct this FalsePositive?

Thomas Booms wrote on Fri, 15 Jul 2005 10:29:35 +0200: > Content analysis details: (2.2 points, 2.0 required) Your problem is this setting. You should know by now from following the list that this is stupid. So, why do you do that and then ask for help? Set your spam threshold correctly and y

Re: Unsubscribing

On Fri, 2005-07-15 at 09:49 +, Duane Hill wrote: > On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated: > > > I am shortly to go on hols for 2 weeks and so was planning to > > unsubscribe until I get back. I notice on the web page at > > http://wiki.apache.org/spamassassin/M

Re: Unsubscribing

* Duane Hill wrote (07/15/05 10:49): > On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated: > >> I am shortly to go on hols for 2 weeks and so was planning to >> unsubscribe until I get back. I notice on the web page at >> http://wiki.apache.org/spamassassin/MailingLists > >> i

Re: Unsubscribing

On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated: > I am shortly to go on hols for 2 weeks and so was planning to > unsubscribe until I get back. I notice on the web page at > http://wiki.apache.org/spamassassin/MailingLists > it tells you how to subscribe And in the heade

Unsubscribing

I am shortly to go on hols for 2 weeks and so was planning to unsubscribe until I get back. I notice on the web page at http://wiki.apache.org/spamassassin/MailingLists it tells you how to subscribe Subscription: send mail to users-subscribe -at- spamassassin.apache.org but does not tell you how

Re: Long Scanning Delays

Hi Thank you for yours and everyones advice, I now have a decent set of rules and found that SURBL checks were being done twice (Or possibly conflicting) and it seems to be running better since I upped the softlimit so hopefully that should be sorted :) Cheers, John Daryl C. W. O'Shea wrote

Re: How can I correct this FalsePositive? [Correcture]

There was a mistake in my pasting of the whitelist entries. These are [EMAIL PROTECTED] and [EMAIL PROTECTED] Thomas -- Booms EDV - hosting & more - Herrenstrasse 10 D-59073 Hamm www.booms-edv.de [EMAIL PROTECTED]

How can I correct this FalsePositive?

Hi all, a customer mades an abonnement for a weather newsletter and spamassassin always tags it as spam. I've explicitely set some email addresses in the database driven whitelist: Filtername Einstellung Letzte Änderung Funktion WHITELIST_FROM

[ot?] themafia.us virus hosting.

Not sure where to post this, but this should reach a fair number of admins. themafia.us, hosted on Yahoo! is kindly serving up 2 txt files of email addresses and a virus. The mail that tries to get the gullible looks like   You have just received a virtual greeting from a friend! . You