Hi all,
I get several spam that are HTML but they are not detected.
In fact, they use the mark out such as in this example :
Do you want to l O u V u E u R m P b A y Y for your j M
How can I modify the rules of spamassassin to deal with it ?
Thank you.
--
Emmanuel Lesouef
Chris wrote:
> I had a FN awhile ago that I ran through spamassassin -t and it gave the
> same score as the original:
>
> score=4.3 required=5.0 tests=BAYES_99,HTML_MESSAGE,
> SARE_HTML_TITLE_LWORD,SARE_UNSUB18
>
> Then I ran it through spamassassin -r and for some reason it picked up the
Duane Hill has:
> per-user [...] just over 10 gig [...] InnoDB [...]
> http://wiki.apache.org/spamassassin/DBIPlugin [...] bayes_vars table
> has 14,102 rows
Jason Frisvold:
> I'll have to give innodb a try.. :) Thanks for the tip...
Jason, if you haven't moved to innodb already, try "SHOW P
From: "Michael Monnerie" <[EMAIL PROTECTED]>
And if you don't care about spoofs, don't check it.
Not long ago I learned about a malformed spf spoof trick that allowed
spam through from addresses not normally allowed to send it directly.
{^_^}
I had a FN awhile ago that I ran through spamassassin -t and it gave the
same score as the original:
score=4.3 required=5.0 tests=BAYES_99,HTML_MESSAGE,
SARE_HTML_TITLE_LWORD,SARE_UNSUB18
Then I ran it through spamassassin -r and for some reason it picked up the
From address and added t
In the early days of encrypted mail (e.g. PGP), encoding the mail using
base64 was one of the few ways to make sure that none of the intervening
MTA's would mess with your message body (which was important if it
was being relayed via Bitnet, X.400, MAPI, etc)... and affect the crypto-
checksum of t
>...
>http://zmi.at/x/penis-spam.txt
>
>Wow, the first time this year a SPAM passed my filters and even SA
>without being marked. Is there work being done to prevent such SPAM
>passing?
>
>mfg zmi
>...
>// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
>// http://zmi.at
Loren Wilton wrote:
>> What's the difference? Your meta rule is fundamentally identical to
>> Loren's rule, is it not?!
>
> Yes. The difference is the meta doesn't have an indeterminate length
> .* match in the middle.
>
> However, since in this case backtracking shouldn't be possible, the
> met
Justin Mason writes:
>
> [EMAIL PROTECTED] writes:
> > Rob McEwen (PowerView Systems) wrote:
> > > Is there ever a legit reason to Base64 encode plain text?
> >
> > Microsoft Outlook Web Access for Exchange Server 2000 base64-encodes plain
> > text.
>
> yep -- I've also seen other Sexchange pe
> What's the difference? Your meta rule is fundamentally identical to Loren's
> rule, is it not?!
Yes. The difference is the meta doesn't have an indeterminate length .*
match in the middle.
However, since in this case backtracking shouldn't be possible, the meta
should actually be a little slow
[EMAIL PROTECTED] writes:
> Rob McEwen (PowerView Systems) wrote:
> > Is there ever a legit reason to Base64 encode plain text?
>
> Microsoft Outlook Web Access for Exchange Server 2000 base64-encodes plain
> text.
yep -- I've also seen other Sexchange permutations doing it, too.
(We had a rule
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michael Monnerie wrote:
> On Dienstag, 21. März 2006 21:35 mouss wrote:
>> I'd follow. I even think there are more spammers with good spf
>> than legit' people with spf.
>
> Could also be. SPF still doesn't help against SPAM, just against
> forgery. W
Philip Prindeville wrote:
> Anyone have monthly numbers for the percentages of
> sites that have SPF turned on for their incoming messages?
>
> I.e. if you received 1000 messages last month... how many
> unique domains were represented, and of those, how many
> had SPF enabled? And how many messa
Jeremy Fairbrass wrote:
> What's the difference? Your meta rule is fundamentally identical to
> Loren's rule, is it not?!
They are identical, yes. Loren brought up .* as a potential red flag, and I
suggested a way to avoid it.
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
What's the difference? Your meta rule is fundamentally identical to Loren's
rule, is it not?!
Cheers,
Jeremy
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Loren Wilton wrote:
> header LW_NONEWS Subject =~ /^Re:\s.*\bnews$/i
...
> The .* should be safe in that regex since a sub
On Dienstag, 21. März 2006 21:35 mouss wrote:
> I'd follow. I even think there are more spammers with good spf than
> legit' people with spf.
Could also be. SPF still doesn't help against SPAM, just against
forgery. Where SPAM often tries to forge, but that's another story.
> one thing we know: s
On Dienstag, 21. März 2006 21:42 mouss wrote:
> - if you wanna add spf records, do
> - if you wanna check spf, do
And if you don't care about spoofs, don't check it.
mfg zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531
Loren Wilton wrote:
> header LW_NONEWS Subject =~ /^Re:\s.*\bnews$/i
...
> The .* should be safe in that regex since a subject isn't very long
> and the things on either side are anchored.
If you're paranoid you could do a couple of meta rules:
header _SUBJECT_STARTSWITH_RE Subject =~ /^Re:\s/
Randal, Phil a écrit :
> The rule I use is:
>
> header HC_NEWS Subject =~ /\bnews/i
> describe HC_NEWS News of new spam
> score HC_NEWS 1.5
>
> I've been running this with a score of 2.0 for weeks without problems.
>
doesn't this flag this message itself?
I'd favour a
On Tuesday, March 21, 2006 at 8:51:09 PM, [EMAIL PROTECTED] confabulated:
> On 3/21/06, Duane Hill <[EMAIL PROTECTED]> wrote:
>> I am using a per-user configuration here and my DB size currently is
>> sitting at just over 10 gig. All of the tables within the MySQL schema
>> are using the Inno
Rob McEwen (PowerView Systems) a écrit :
> Is there ever a legit reason to Base64 encode plain text?
>
it is legit, but not recommended. People using text-based MUAs have no
chance to guess what's in there. and this for no valuable reason. of
course, MS .dat is worst...
> For various reasons whi
Forrest Aldrich wrote:
Yes, every message (see below, too).
Please send me three copies of a message in a tarball:
- the original, unscanned message
- the original message after it has gone through spamass-milter
- the original message after it has gone through spamc, not spamass-milter
Be su
Rob McEwen (PowerView Systems) wrote:
> Is there ever a legit reason to Base64 encode plain text?
Microsoft Outlook Web Access for Exchange Server 2000 base64-encodes plain text.
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com So
Is there ever a legit reason to Base64 encode plain text?
For various reasons which I won't go into now, I'm thinking about decoding and
overwriting the original Base64 encoded text with its decoded text and then
leaving the message that way (whether caught spam or ham).
Any thoughts?
Rob McEw
Krispisen a écrit :
> Hi !
>
> I found this in the bogofilter FAQ :
>
> How can I use SpamAssassin to train Bogofilter?
> If you have a working SpamAssassin installation (or care to create one), you
> can use its return codes to train bogofilter. The easiest way is to create a
> script for your M
On 3/21/06, Duane Hill <[EMAIL PROTECTED]> wrote:
> I am using a per-user configuration here and my DB size currently is
> sitting at just over 10 gig. All of the tables within the MySQL schema
> are using the InnoDB storage instead of the MyISAM. I am also using
> the SA plugin for cachin
Philip Prindeville a écrit :
> Well, we zap anything that comes in Windows charsets.
>
> There's nothing that you can send us in Windows charsets that can't be
> represented in either ISO or UTF charsets...
>
> And in any case, there's an RFC requirement that states that if the
> content be
> rep
Michael Monnerie a écrit :
> I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just
> tell you if a sender host is permitted to send e-mail for the given
> domain, so you can prevent *forgery* of e-mails, which I find
> important. I don't want others to be able to send from @zm
On Tue, Mar 21, 2006 at 02:57:17PM -0500, Fred T wrote:
> I created a screen-shot to help me explain what's going on.
> http://www.i-is.com/mass-check.gif
Hrm. Why are you doing 2 different runs?
>I am thinking that those numbers in the first run should be
>appearing in the HAM colum
jdow a écrit :
> I'd hazard a guess that there is about as much spam that passes SPF tests
> as there is ham that passes SPF tests.
>
I'd follow. I even think there are more spammers with good spf than
legit' people with spf.
> At least in the case of spam it means the blacklists mean something.
Well, we zap anything that comes in Windows charsets.
There's nothing that you can send us in Windows charsets that can't be
represented in either ISO or UTF charsets...
And in any case, there's an RFC requirement that states that if the
content be
represented in USASCII, then it should be so. S
On Tuesday, March 21, 2006 at 6:03:57 PM, [EMAIL PROTECTED] confabulated:
> The absolute best way to remove users DB entries is this way:
> sa-learn -u [EMAIL PROTECTED] --clear
Thanks. I never gave it a thought before now.
--
"This message is made of 100% recycled electrons."
Hello users,
I'm using mass-check script here to check rules against a corpus and
I noticed possibly a bug in the mass-check script. Before I went
and created a ticket, I just want to check to see if this is a bug
or if I am reading the results wrong.
I created a screen-shot to help me
On Tuesday March 21 2006 10:37 am, Iain Smith wrote:
> Payal Rathod wrote:
> > Hi,
> > To my various email addresses I am getting lot of "Re: news" spam.
> > SA is not catching all of it. I have pasted a links of headers and body
> > at, http://pastebin.ca/46477
> > Can someone advise on it please?
We're also getting loads of this sort of subject line:
[re:] your investor special pr news release
Top Financial Market Specialists Trader watch special pr news release
fw: Top Financial Market Specialists Trader watch special pr news
release
News from DLsoft: new Mac's products added
857 rule hi
Paul,
Thanks for posting the patch.
This works, I just tested it. I also forwarded it to Dan Nelson
(spamass-milter). I'm not certain this is the "correct" way to fix
it, though. Will let you know if I hear more.
Thanks.
Paul Stavrides wrote:
version=3.1.1
X-Spam-Checker-V
The absolute best way to remove users DB entries is this way:
sa-learn -u [EMAIL PROTECTED] --clear
Michael
You could use something like
header LW_NONEWS Subject =~ /^Re:\s.*\bnews$/i
score LW_NONEWS 2
describe LW_NONEWS Not news to me!
The .* should be safe in that regex since a subject isn't very long and the
things on either side are anchored.
Loren
The rule I use is:
header HC_NEWS Subject =~ /\bnews/i
describe HC_NEWS News of new spam
score HC_NEWS 1.5
I've been running this with a score of 2.0 for weeks without problems.
Tweak as you see fit.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Counci
On Tue, Mar 21, 2006 at 10:12:53AM -0500, Dimitri Yioulos wrote:
> My system is tagging these messages, mainly with bayes, dcc, and
> razor. Phile Randall posted a rule to tag "news" in the subject just
> a few days ago, and that's also being hit.
Do you have the rule by Phile? I cannot seem to
On Tuesday, March 21, 2006 at 5:34:31 PM, [EMAIL PROTECTED] confabulated:
> Duane Hill wrote:
>> Matthew.van.Eerde wrote:
>>> delete from bayes_(token|seen|expire) where id in
>>> (select id from bayes_vars where username = '[EMAIL PROTECTED]');
>>
>> Cool! I haven't gotten too deep yet into MySQ
Duane Hill wrote:
> Matthew.van.Eerde wrote:
>> delete from bayes_(token|seen|expire) where id in
>> (select id from bayes_vars where username = '[EMAIL PROTECTED]');
>
> Cool! I haven't gotten too deep yet into MySQL. I knew there was a
> shorter way of doing this. Thanks for the tip!
bayes_(tok
On Tuesday, March 21, 2006 at 5:26:30 PM, [EMAIL PROTECTED] confabulated:
> Duane Hill wrote:
>> delete from bayes_token where id = (select id from bayes_vars
>> where username = '[EMAIL PROTECTED]');
> ...
>> delete from bayes_seen where id = (select id from bayes_vars where
>> us
Duane Hill wrote:
> delete from bayes_token where id = (select id from bayes_vars
> where username = '[EMAIL PROTECTED]');
...
> delete from bayes_seen where id = (select id from bayes_vars where
> username = '[EMAIL PROTECTED]');
>
> delete from bayes_expire where id = (select
Yes, every message (see below, too).
F
Daryl C. W. O'Shea wrote:
version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
mail.forrie.com
X-Virus-Scanned: ClamAV 0.88/1345/Mon Mar 20 07:03:16 2006 on
mail.forrie.com
X-Virus-Status: Clean
Forrest Aldrich wrote:
Here ar
Hi,
Many thanks Theo Van Dinter, Gary V and others who helped. As suggested
by Theo Van Dinter, I changed the home directory of clamav user to
/var/amavisd and then executed "/usr/local/bin/sa-learn -D --sync" it
took around 6 hours but now "bayes_journal" has been reduced from 3.5 GB
to 42 KB. How I
On Tuesday, March 21, 2006 at 2:54:19 PM, [EMAIL PROTECTED] confabulated:
> Greetings,
> I'm looking for some fine tuning help. It seems that we are currently
> I/O limited due to the massive load spamassassin puts on the bayes
> database. The database is currently about 3.5 Gig, including indi
Tracey Gates wrote:
> I have seen a lot of postings talk about the BAYES_99 rule. I think
> that this rule will help tremendously with catching some of this spam as I
> have already implemented the "news" rule that Phile Randall posted. I
> have searched my server and I do not find the BAYES_99 rule
Hi !
I found this in the bogofilter FAQ :
How can I use SpamAssassin to train Bogofilter?
If you have a working SpamAssassin installation (or care to create one), you can use its return codes to train bogofilter. The easiest way is to create a script for your MDA that runs SpamAssassin, tests the
On Dienstag, 21. März 2006 06:28 jdow wrote:
> I'd hazard a guess that there is about as much spam that passes SPF
> tests as there is ham that passes SPF tests.
I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just
tell you if a sender host is permitted to send e-mail for the
On 3/21/06, Gary W. Smith <[EMAIL PROTECTED]> wrote:
> It appears that you are using per user bayes. If you have a large number
> of users and performance is becoming an issue you might want to change
> over to site wide bayes and disable per user.
How are you training Bayes? Do you allow the use
Jason Frisvold wrote:
1) How effective is it really? Will users likely notice a huge change
if bayes was disabled?
We use a site wide bayes DB, and it's very effective for us. As an
example, last week our bayes DB got corrupted and we lost that aspect of
scoring for about 3 hours. Our help d
I have seen a lot of postings talk about the BAYES_99 rule. I think
that this rule will help tremendously with catching some of this spam as I
have already implemented the "news" rule that Phile Randall posted. I
have searched my server and I do not find the BAYES_99 rule already on
there so where d
On Tuesday March 21 2006 9:29 am, Payal Rathod wrote:
> Hi,
> To my various email addresses I am getting lot of "Re: news" spam.
> SA is not catching all of it. I have pasted a links of headers and body
> at, http://pastebin.ca/46477
> Can someone advise on it please?
> With warm regards,
> -Payal
Greetings,
I'm looking for some fine tuning help. It seems that we are currently
I/O limited due to the massive load spamassassin puts on the bayes
database. The database is currently about 3.5 Gig, including indices.
I have a few questions regarding the operation of Bayes.
1) How effective is
We use AWL via SQL. We wrote a script that will prune certain records
from the database weekly to keep AWL small. Basically we delete any
entries with a positive score and a count of 1 (as these are mostly
randomly generated addresses that will never happen again).
> -Original Message-
Yousef Raffah wrote:
> This might be a general question but it is quite new to me, why do I see
> the message has two "different" spam scores?
Because it looks like it was scanned by two different copies of spamassassin.
One copy has been modified to use "X-NAI-Spam-*" as its headers, one
generati
Hi,
To my various email addresses I am getting lot of "Re: news" spam.
SA is not catching all of it. I have pasted a links of headers and body
at, http://pastebin.ca/46477
Can someone advise on it please?
With warm regards,
-Payal
Hello All,
As I have noticed several threads concerning the breaks in headers,
I decided to install the v3.1.1 on a test machine first. Not seeing
the breaks in the headers I proceeded to upgrade our secondary MX
server last night. After trapping numerous amounts of messages to
v
It appears that you are using per user bayes. If you have a large number
of users and performance is becoming an issue you might want to change
over to site wide bayes and disable per user.
As for user purging, no, there is no user detection to process users
that are no longer in the system.
> --
Got this patch from a FreeBSD user yesterday. I tested it for a day and
all seems just fine.
This backs out the 3.1.1 change and reverts to the 3.1.0 behavior. This
leaves some 3.1.1 CRLF code in Message.pm, but it now has no effect.
Normal processing of the headers fixes any trouble I was hav
Payal Rathod wrote:
> Hi,
> To my various email addresses I am getting lot of "Re: news" spam.
> SA is not catching all of it. I have pasted a links of headers and body
> at, http://pastebin.ca/46477
> Can someone advise on it please?
> With warm regards,
> -Payal
Bayes has been catching these he
This might be a general question but it is quite new to me, why do I see
the message has two "different" spam scores? Also, are there any updated
rules to stop these new spam messages getting in sometimes?
Using SA 3.1.0
Return-Path: <[EMAIL PROTECTED]>
Received: from 10.0.0.4 by ocs.savola.com w
63 matches