On Thu, Mar 09, 2006 at 10:05:15AM -0500, Kevin A. McGrail wrote:
> However, this rule does trigger on the technique I sent. I want to work on
> the nested anchor idea as well but in the meantime, I'd like to hear
> feedback on this trigger. It seemed REALLY spammy to me. Anyone get any
> hit
On Friday, March 10, 2006 9:43 PM -0700 Philip Prindeville
<[EMAIL PROTECTED]> wrote:
Do you mean:
http://validator.w3.org/source/
I thought that was just a web form-based validator. I'll have to look at it
to see if the validator can be run over an attachment (ie. an HTML MIME
part) from
On Friday, March 10, 2006 9:09 PM -0500 Matt Kettler <[EMAIL PROTECTED]>
wrote:
It might even pass the *message* whole to the scanners.. I know most
tools like clamav can deal with being fed a raw mime-822 message and
parse out all the attachments, decompress them, scan them, without any
extern
Kenneth Porter wrote:
> Anyone know of a good validator that can be run over a MIME part to report
> on the quality of the HTML? This might be used as a go/no-go filter at
> milter level, or it could be used as an SA plugin to assign a variable
> score based on the quality of the HTML.
>
> For
I'll be going through all scripts installed on the server. I've limited
quite a bit, already. PHP is really really bad. But, I've done a heck of
a lot to close things down. I'm sure I missed something, somewhere, in
the scripts. What a pain, running multiple domains for others.
My scri
Michael Grant wrote:
> Between Mailscanner and Amavisd-new, it seems we need one or the other
> of these programs to recursively dig into and possibly uncompress a
> message with attachments to be able to virus scan it completely.
Actually MailScanner does NOT recursively dig into compressed atta
On Friday, March 10, 2006, 8:07:44 AM, Payal Rathod wrote:
> On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
>> Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
>> network tests like razor/pyzor/dcc?
> No, can you please tell in short how to use surbl exactly? I am
On Saturday, March 11, 2006 2:32 AM +0100 Michael Grant
<[EMAIL PROTECTED]> wrote:
Between Mailscanner and Amavisd-new, it seems we need one or the other
of these programs to recursively dig into and possibly uncompress a
message with attachments to be able to virus scan it completely. Does
Ma
Any header with X- in front of it is a non-standard mail header and
any mailer can stick one of those in if it wants. This was probably
stuck in by your mailer. I did a google search for this header and
there are lots and lots of messages out there with this header in it
near or at the top.
Mich
Lisa Casey wrote:
X-EMS: wait 10s
X-EMS: wait 20s
X-EMS: wait 30s
Return-Path: <[EMAIL PROTECTED]>
Received: from p2148-ipbf504marunouchi.tokyo.ocn.ne.jp
(p2148-ipbf504marunouchi.tokyo.ocn.ne.jp [221.191.114.148])
etc
What's with the X-EMS wait stuff?
I couldn't say for sure, but they remind m
Between Mailscanner and Amavisd-new, it seems we need one or the other
of these programs to recursively dig into and possibly uncompress a
message with attachments to be able to virus scan it completely. Does
Mailscanner do as effective a job as Amavisd in this regard?
When I installed Amavisd a
Hi,
I got a couple of those image only spams today but there was something
different at the top of the headers that I'd never seen before.
Headers:
X-EMS: wait 10s
X-EMS: wait 20s
X-EMS: wait 30s
Return-Path: <[EMAIL PROTECTED]>
Received: from p2148-ipbf504marunouchi.tokyo.ocn.ne.jp
(p2148-ipbf
On Wednesday, March 08, 2006 6:46 PM -0800 Kenneth Porter
<[EMAIL PROTECTED]> wrote:
Makes me wonder about installing outbound filters that run a validator
and reject anything that fails. I often see flame wars on mailing lists
about allowing HTML posts to the list, but I wonder how the argumen
On Friday, March 10, 2006 4:17 PM -0800 jdow <[EMAIL PROTECTED]> wrote:
But also check out the mail scripts you have. I don't have any such so I
don't pay attention to specifics. But they have been known to have various
vulnerabilities that get addressed over time. If you got the script from
som
On Friday, March 10, 2006 9:52 AM -0800 Kelson <[EMAIL PROTECTED]> wrote:
Hmm, Fedora Core 2 is officially EOL'd. Are you updating things
manually, or through Fedora Legacy?
Fedora Legacy does show an Apache update released on Feb. 18:
http://fedoralegacy.org/updates/FC2/
And subscribe to th
From: "NW7US, Tomas" <[EMAIL PROTECTED]>
JDOW:
I run Fedora 2 (RedHat) Linux. I've updated most everything. I've not
updated to the very latest Apache. Perhaps that's needed.
How would I go about determining if indeed I have a vulnerability such as
what you are hinting at? I watch log
Eric W. Bates wrote:
> Eric W. Bates wrote:
>> Matt Kettler wrote:
>>
>> ...
>>
>>> No, it could fire on *ANY* external IP that isn't the first hop.
> I don't think I was clear. I don't question that any IP in the chain
> might cause the difficulty. I was questioning why, if 127.0.0.1
On Fri, 10 Mar 2006, Daryl C. W. O'Shea wrote:
On 3/10/2006 11:22 AM, Dan Mahoney, System Admin wrote:
I of course have no idea what to make of this output. Pointers?
Each line is one file descriptor. So it doesn't appear that it's using an
insane number of them.
Next time spamd hangs u
On 3/10/2006 11:22 AM, Dan Mahoney, System Admin wrote:
I of course have no idea what to make of this output. Pointers?
Each line is one file descriptor. So it doesn't appear that it's using
an insane number of them.
Next time spamd hangs up, you might want to do this check though.
I'm
Eric W. Bates wrote:
> Matt Kettler wrote:
>
> ...
>
>>No, it could fire on *ANY* external IP that isn't the first hop.
I don't think I was clear. I don't question that any IP in the chain
might cause the difficulty. I was questioning why, if 127.0.0.1 is the
problem, why it
That doesn't kill performance, sorry. I get average times of 0.1-0.3
seconds/mail using that rule (and a lot of other ones) while the cpu lives
happily. In several servers. You don't need a plugin for that.
Ruben
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent
Eric W. Bates wrote:
>
>
> Matt Kettler wrote:
>>> Eric W. Bates wrote:
>>>
Matt Kettler wrote:
> Eric W. Bates wrote:
>
>
>> I recently upgraded from 2.63 to 3.1 and having done so, my entries for
>> trusted_networks no longer seem to be functional.
>>
>> I hav
Ruben Cardenal wrote:
> Hi,
>
> Loren answered that a month ago. It's in the archives. You may use:
>
> header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw:
> .{0,30}\s*\1\b/i
>
> That covers "Fw: userid" and "Fw: (some word[s]) userid".
>
True, but that's using () and \1, w
On Fri, Mar 10, 2006 at 02:59:09PM -0500, Jonathan Engbrecht wrote:
> I'm seeing a lot of image-only spam of the following form:
>
> rcpt to: @domain.com
> Subject: Fw:
Yeah, there's a lot of that.
> Is there a way to create a simple spamassassin rule that will hit on
> this? I could use ()
Hi,
Loren answered that a month ago. It's in the archives. You may use:
header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw:
.{0,30}\s*\1\b/i
That covers "Fw: userid" and "Fw: (some word[s]) userid".
Ruben.
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTE
Eric W. Bates wrote:
> Eric W. Bates wrote:
>>> Matt Kettler wrote:
>>>
Eric W. Bates wrote:
>
> ...
Maybe.. Were there any untrusted hosts in-between 68.64.105.61 and your
network
in the Received: headers?
>>>
>>> No. But even if there were, wouldn't the rule
Eric W. Bates wrote:
> Matt Kettler wrote:
>> Eric W. Bates wrote:
>>
>>> I recently upgraded from 2.63 to 3.1 and having done so, my entries for
>>> trusted_networks no longer seem to be functional.
>>>
>>> I have way too many trusted network lines, but in particular I know that:
>>>
>>> trusted_netwo
Matt Kettler wrote:
> Eric W. Bates wrote:
>
>>I recently upgraded from 2.63 to 3.1 and having done so, my entries for
>>trusted_networks no longer seem to be functional.
>>
>>I have way too many trusted network lines, but in particular I know that:
>>
>>trusted_networks 68.64/13
>>
>>is no longer
Jonathan Engbrecht wrote:
> hello assassin-types,
>
> I'm seeing a lot of image-only spam of the following form:
>
> rcpt to: @domain.com
> Subject: Fw:
>
> Is there a way to create a simple spamassassin rule that will hit on
> this? I could use () and \1 in regular expressions and a giant,
Eric W. Bates wrote:
> I recently upgraded from 2.63 to 3.1 and having done so, my entries for
> trusted_networks no longer seem to be functional.
>
> I have way too many trusted network lines, but in particular I know that:
>
> trusted_networks 68.64/13
>
> is no longer working because:
>
> Con
hello assassin-types,
I'm seeing a lot of image-only spam of the following form:
rcpt to: @domain.com
Subject: Fw:
Is there a way to create a simple spamassassin rule that will hit on
this? I could use () and \1 in regular expressions and a giant,
multi-line matching RE (probably), but I'
I recently upgraded from 2.63 to 3.1 and having done so, my entries for
trusted_networks no longer seem to be functional.
I have way too many trusted network lines, but in particular I know that:
trusted_networks 68.64/13
is no longer working because:
Content analysis details: (5.9 points, 5.0
NW7US, Tomas wrote:
I run Fedora 2 (RedHat) Linux. I've updated most everything. I've not
updated to the very latest Apache. Perhaps that's needed.
Hmm, Fedora Core 2 is officially EOL'd. Are you updating things
manually, or through Fedora Legacy?
Fedora Legacy does show an Apache update
And I note that the .67 machine alias "prop.hfradio.org" includes a
comments page. That script could be vulnerable if updates to the OS
are not fully installed.
I've done quite a bit of buttoning up, here. I'll take a closer look at
this, too.
Maybe this is obvious, but from experience, mak
--- Loren Wilton <[EMAIL PROTECTED]> wrote:
> Rather than a custom plugin, I think you are looking for
> a custom wrapper
> around SA. People have written such things for blog
> software, which would
> not be too much different from your use. You could
> probably also do some
> creative routin
Rather than a custom plugin, I think you are looking for a custom wrapper
around SA. People have written such things for blog software, which would
not be too much different from your use. You could probably also do some
creative routing to run the mail through spamd and get a result back.
Obviou
I think email addresses should be scored differently from urls.
Clicking on an email address isn't going to take you to a site which
auto-installs all manner of malware on your PC.
But these spams are still a nuisance - especially to us thankless admins
who get enormous amounts of hassle from our
On Fri, 10 Mar 2006, Daryl C. W. O'Shea wrote:
On 10/03/06 12:50 AM, Dan Mahoney, System Admin wrote:
As I'm not a C programmer, I don't know what the relation is between a
kqueue and an FD -- but could it be related?
kqueues use FDs, so they are related.
If that original dccifd process (PI
On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
> Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
> network tests like razor/pyzor/dcc?
No, can you please tell in short how to use surbl exactly? I am very new
to SA.
> Also the pasted spam originates from a korean
Sorry all,
It didn't go through. Let me find another way to send it.
- Original Message -
From: "" <[EMAIL PROTECTED]>
To: "Craig McLean" <[EMAIL PROTECTED]>; "Randal, Phil" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, March 10, 2006 8:46 AM
Subject: Re: Latest spammers' trick - email ad
Here is one I have;
body only:
- Original Message -
From: Brown Lane
To: [EMAIL PROTECTED]
Sent: Monday, March 6, 2006 10:15 AM
Subject: billing
| Not seen any of these yet, any chance of some examples?
|
| C.
JDOW:
I run Fedora 2 (RedHat) Linux. I've updated most everything. I've not
updated to the very latest Apache. Perhaps that's needed.
How would I go about determining if indeed I have a vulnerability such as
what you are hinting at? I watch logs pretty closely, but cannot ferret
out t
On 10/03/06 10:26 AM, Matt Kettler wrote:
Randal, Phil wrote:
Hi folks,
We're seeing increasing amounts of spam coming in which the email's body
contains seemingly innocuous (but obviously irrelevant) text plus an
email address for more information.
With no urls in the message, uribls are usel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Randal, Phil wrote:
> Hi folks,
>
> We're seeing increasing amounts of spam coming in which the email's body
> contains seemingly innocuous (but obviously irrelevant) text plus an
> email address for more information.
>
[snip]
Phil,
Not seen any of t
Randal, Phil wrote:
> Hi folks,
>
> We're seeing increasing amounts of spam coming in which the email's body
> contains seemingly innocuous (but obviously irrelevant) text plus an
> email address for more information.
>
> With no urls in the message, uribls are useless...
>
> Currently we've had sp
Hi folks,
We're seeing increasing amounts of spam coming in which the email's body
contains seemingly innocuous (but obviously irrelevant) text plus an
email address for more information.
With no urls in the message, uribls are useless...
Currently we've had spams with emails from (AT) nicereal
--- Raymond Dijkxhoorn <[EMAIL PROTECTED]> wrote:
> Hi!
>
> > If something like this could be implemented, the way
> > content filters are; it could go a long way to reduce
> SPAM
> > generated through free webmail providers.
>
> Those free webmail providers can also filter outgoing
> mail, ri
You could also easily filter based on the subject, if it's always something
obvious like "Parhamcy news", and perhaps on obvious misspellings like
"tabIet", "abIets" etc (note the i instead of l). And I don't think it
would be too hard to create a special rule to search for a long string of
indivi
Hi!
If something like this could be implemented, the way
content filters are; it could go a long way to reduce SPAM
generated through free webmail providers.
Those free webmail providers can also filter outgoing mail, right?
Bye,
Raymond.
Hi list,
I would like to know if anyone has ever tried to use SA as
a SPAM filter for POST requests from a proxy server.
Why I ask this is simple. I have found SA to be very
effective in the control of SPAM when I have control over
the SMTP server through which users send mail. However, I
have a
From: "Matt Kettler" <[EMAIL PROTECTED]>
NW7US, Tomas wrote:
Ok, this one is new to me. Can someone guide me as to where my
security is broken, if I get these headers on a message?
Return-path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
helios.hf
I have found that most mail I receive has received headers as:
Received: from sesame.csx.cam.ac.uk ([131.111.8.41])
by aurora.northfolk.ca (envelope-from
<[EMAIL PROTECTED]>)
with esmtp (Exim 4.50)
id 1FHfBB-0006Bq-GL
for [EMAIL PROTECTED]; Fri, 10 Mar 2006
We've been seeing the same thing. It died out for a while, now the
fire hose has been opened again. The latest batch seems to be in
"Living Color" too. Different colors for different characters.
Mark
At 05:22 AM 3/10/2006, Payal Rathod wrote:
Hi all,
I need help in decoding pharmacy spam
I assume there was an html side of that that you didn't post, or else that
site ate it.
There isn't a huge amount to go on in what you posted. The net checks are
probably the best bets, along possibly with Bayes. The target uri should
show up in SURBL, and there is a good chance the source ip wo
Payal Rathod wrote:
Hi all,
I need help in decoding pharmacy spam again. I am getting 100s of them.
I have attached them at,
http://pastebin.ca/45108
Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
network tests like razor/pyzor/dcc?
Also the pasted spam originates from a k
Hi all,
I need help in decoding pharmacy spam again. I am getting 100s of them.
I have attached them at,
http://pastebin.ca/45108
Can someone tell how to block these things out?
With warm regards,
-Payal
NW7US, Tomas wrote:
> Ok, this one is new to me. Can someone guide me as to where my
> security is broken, if I get these headers on a message?
>
>> Return-path: <[EMAIL PROTECTED]>
>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>> helios.hfradio.org
>> X-Spam-Status: