Daryl C. W. O'Shea wrote:
On 27/02/2008 6:18 PM, Asif Iqbal wrote:
What is short of putting the sender email to white list to reduce the
score of this email. It is a valid email. Here is the report
As presented to SpamAssassin, it was not a valid email. It had no headers.
Daryl
It is completely accurate and copied and pasted from the message file
itself.
I am running Exim. What configuration should I be looking at on how to
block messages with return paths like that?
Dave Funk wrote:
On Wed, 27 Feb 2008, Matt wrote:
The MTA never really sees what's in the headers.
On Wed, 27 Feb 2008, Asif Iqbal wrote:
What is short of putting the sender email to white list to reduce the
score of this email. It is a valid email. Here is the report
* 0.1 TW_XC BODY: Odd Letter Triples with XC
* 0.1 TW_KK BODY: Odd Letter Triples with KK
* 0.1 TW_GN
On Wed, 27 Feb 2008, Matt wrote:
The MTA never really sees what's in the headers. It only adds to the
headers. When an SMTP connection first begins the connecting MTA says
helo this [EMAIL PROTECTED] That's what SPF looks
at. The MTA then adds that as the return path to the headers.
Actually
On 27/02/2008 6:18 PM, Asif Iqbal wrote:
> What is short of putting the sender email to white list to reduce the
> score of this email. It is a valid email. Here is the report
As presented to SpamAssassin, it was not a valid email. It had no headers.
Daryl
> X-Spam-Flag: YES
> X-Spam-Checker-V
What is short of putting the sender email to white list to reduce the
score of this email. It is a valid email. Here is the report
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
qmail.home.net
X-Spam-Level: **
X-Spam-Status: Yes, score=6.4 required=5.0 tes
On Wed, 27 Feb 2008, Russell Jones wrote:
If what you said is right, why does SPF only look at the return-path address
and not the From: address?
Nobody pays attention to return-path, they only look at From to see who their
mail client says the email
address is from.
SPF is a technology th
On Tue, Feb 26, 2008 at 19:13 -0500, Daryl C. W. O'Shea wrote:
[...]
> If you or your company would like to fund the development of it, I'm
> willing to prioritize the work. Seriously. Otherwise, "should have by
> now" does not apply to free software. Especially free software that is
> easily mo
In article <[EMAIL PROTECTED]>, Chip M.
<[EMAIL PROTECTED]> writes
>A brief search shows this actually started at least a month ago:
> http://chris.pirillo.com/2007/01/16/google-docs-spam/
Erm, that's from 13 months ago :-)
Kevin
On Wed, 27 Feb 2008, JP Kelly wrote:
>it seems like they could/should be caught but they often have very low
>scores.
>they all have yahoo.co.uk in the from address
In and of itself, "yahoo.co.uk" in the From isn't too helpful, unless you
know you'll never get anything legit from there, then you c
On Wed, 27 Feb 2008, Theo Van Dinter wrote:
>What's the trick here? Looks like a normal docs URL to me.
Poor terminology on my part. I am Only An Egg. :)
Is "exploit" a more correct term?
I meant that this is the latest way that spammers are taking advantage of
the trusting attitude most folk
I ran a spamassassin -D on the message and the biggest thing that made
it take a hit was the almost 3 points it took off of the score because
of the bayes db being only a 1% probability. Supposedly it says it's
learned spam from about 500 messages, and ham from about 5000. Maybe I
should put aut
> That doesn't make sense. Maybe I am misunderstanding this. From openspf.org:
>
> What does SPF actually DO?
>
> Suppose a spammer forges a hotmail.com address and tries to spam you.
>
> They connect from somewhere other than Hotmail.
>
> When his message is sent, you see MAIL FROM: <[EMAIL PROTEC
At 11:27 27-02-2008, Russell Jones wrote:
That doesn't make sense. Maybe I am misunderstanding this. From openspf.org:
What does SPF actually DO?
Suppose a spammer forges a hotmail.com address and tries to spam you.
They connect from somewhere other than Hotmail.
When his message is sent,
On Wed, Feb 27, 2008 at 02:38:50PM -0600, Chip M. wrote:
> They look like this:
> http://docs.google.com/doc?id=MUNGED_MUNGED
>
> I've added "doc" to my list of tokens that are word matched in my own
> battery of anti Google Tricks tests.
What's the trick here? Looks like a normal docs URL
I'll give this a shot. thanks
Matt Kettler wrote:
Mike Fahey wrote:
This page specifically uses /etc/mail/spamassassin.
Yeah, I read that the first time. It is wrong. In fact, I'd say it's
stupid.
I'll go edit the wiki article when I get a chance, but I want to have
some time to really
They look like this:
http://docs.google.com/doc?id=MUNGED_MUNGED
I'm not sure if the id is personally identifiable, so MUNGED both halves of
it.
I've only seen two so far, and haven't visited either (again, due to the
potential PII - both samples were from other people).
Very little else
On Wed, Feb 27, 2008 at 3:12 PM, Henrik K <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 27, 2008 at 03:00:49PM -0500, Aaron Wolfe wrote:
> > On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx <[EMAIL PROTECTED]> wrote:
> > > Marc Perkel wrote:
> > > > It appears that Postfix only does DNS blacklists and no
On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx <[EMAIL PROTECTED]> wrote:
> Marc Perkel wrote:
> > It appears that Postfix only does DNS blacklists and not whitelists
> > then. I was going to publish my whitelist and Postfix instructions but I
> > guess I can't do that.
>
> That would be a better
Marc Perkel wrote:
> It appears that Postfix only does DNS blacklists and not whitelists
> then. I was going to publish my whitelist and Postfix instructions but I
> guess I can't do that.
That would be a better question for the postfix-users list. Probably
the way to do this is with the check_
Forgot to put this address in CC. In case anyone is interested in
following the convo:
Original Message
Subject:
Re: No SPF_FAIL flag, why?
Date:
Wed, 27 Feb 2008 13:27:52 -0600
From:
Russell Jones <[EMAIL PR
At 11:02 27-02-2008, Russell Jones wrote:
This email was received and is very much spam, (February 77% off,
Viagra HTML spam), and was sent to this user FROM this user (which
they obviously did not spam themselves). What can I do to make the
score higher than what it was scored, as well as why
This email was received and is very much spam, (February 77% off, Viagra
HTML spam), and was sent to this user FROM this user (which they
obviously did not spam themselves). What can I do to make the score
higher than what it was scored, as well as why didn't the SPF fail? The
record for pitter
every day I get 2 or three of these coming through.
it seems like they could/should be caught but they often have very low
scores.
they all have yahoo.co.uk in the from address
---example1---
---
headers
---
From: [EMAIL PROTECTED]
Subje
created a patch so it does
--- /var/lib/spamassassin/3.002004/70_sare_uri_cf_sare_sa-update_dostech_net/200510102200.cf.orig 2008-02-25 06:15:39.0 +0100
+++ /var/lib/spamassassin/3.002004/70_sare_uri_cf_sare_sa-update_dostech_net/200510102200.cf 2008-02-27 18:21:47.0 +0100
@@ -73,7
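Review bot: the ---/+++ headers show the change being made in place under /var/lib/spamassassin/3.002004/70_sare_uri_cf_sare_sa-update_dostech_net/, which is a directory managed by sa-update, so the edit will be replaced the next time that channel is refreshed. Carry the adjusted rule or score in the site configuration (for example local.cf) instead of patching the downloaded 200510102200.cf. The hunk body is cut off after the @@ header here, so the rule change itself cannot be reviewed.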
I have a MIMEDefang(2.63)+SpamAssassin(3.1.9) setup that is catching a lot of
spam, but specific spam messages are slipping through. It appears to be
fairly consistent day-to-day.
If the email is a HTML message, spamassassin will hit on the HTML_MESSAGE
rule and that's it. These spam emails are
> It appears that Postfix only does DNS blacklists and not whitelists
> then. I was going to publish my whitelist and Postfix instructions but I
> guess I can't do that.
http://linux.softpedia.com/get/Communications/Email-Filters/maRBL-16435.shtml
this link helps :-)
test for rbl blacklist and
Hello Everyone,
My hostkarma black/white/yellow lists were too complex to be accessed by
Postfix. So I have created a Postfix compatible blacklist for those of
you who want to bounce a lot of spam before routing it into SA.
reject_rbl_client blacklist.junkemailfilter.com
If you're using Exim
Matthias Leisi wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
mouss schrieb:
|> Does Postfix allow you to use white lists? If so - what's the syntax?
|> I'm about to publish my whitelist for Postfix.
|>
|
| No. DNSWL offer an rsync access.
That's the exact reason we offer rsync acces
I will check that.
Thanks a lot
--[ UxBoD ]-- wrote:
>
> score here as follows :-
>
> Content analysis details: (17.1 points, 5.0 required)
>
> pts rule name description
> --
> --
> 5.0 BOTNET
score here as follows :-
Content analysis details: (17.1 points, 5.0 required)
pts rule name description
-- --
5.0 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=213.189.148.42,rdn
Hi,
Here http://pastebin.com/m309761a5
Thank
--
View this message in context:
http://www.nabble.com/Need-rule-for-this-type-of-spam-tp15714057p15714459.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Please post the full message via something like pastebin. We need to see the
headers as well.
Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID
Hi,
My spamassassin setup works great but I receive a lot of spam like this:
Subject: M!cro soft Office_2OO7 for XP,Vis+a 79. Retail 838 -save 2466-
sas jmp statistical discovery 7 - 129
use -newsoftdeal .com- |n Web Browser
Erase - before you use |n Web Browser
ulead photoImpact x3 - 29
intuit
Matthias Leisi wrote:
mouss schrieb:
|> Does Postfix allow you to use white lists? If so - what's the syntax?
|> I'm about to publish my whitelist for Postfix.
|>
|
| No. DNSWL offer an rsync access.
That's the exact reason we offer rsync access *to a specially formatted
file* (see http://www
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
mouss schrieb:
|> Does Postfix allow you to use white lists? If so - what's the syntax?
|> I'm about to publish my whitelist for Postfix.
|>
|
| No. DNSWL offer an rsync access.
That's the exact reason we offer rsync access *to a specially formatt
> policyd works a treat :) V2 is also in development as well.
I will take your judgement into account..
:-)
rocsca
--[ UxBoD ]-- wrote:
policyd works a treat :) V2 is also in development as well.
it's not the same. I don't know why they call it V2.
As far as I know, Cami is no more involved. so I would stick with the
"current" (which is a single C threaded program).
policyd works a treat :) V2 is also in development as well.
Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2
> > What do I need to set up GL? Only the command below or there is
> > something other parameter that I could set up (eg: the time spent
> > before a message is accepted and so on)?
> >
> >
>
> of course, you need to install a policy server! Cami's
> policyd is a good choice (it also has ot
Hi Benny,
Benny Pedersen wrote:
http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
disable DomainKey plugin and add DKIM plugin will help on that msg
and search on DKIM mta scores for not being sent from a DKIM signer
I will have a look at this.
But I have already made sufficient chang
Derek Harding writes:
> On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
> >
> > For anyone interested here is the full email (well one of them)...
> >
> > http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
> >
>
> Looks to me as though someone has found a way to abuse ning.com's
> http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
disable DomainKey plugin and add DKIM plugin will help on that msg
and search on DKIM mta scores for not being sent from a DKIM signer
On 2/27/2008 10:16 AM, Derek Harding wrote:
On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
For anyone interested here is the full email (well one of them)...
http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
Looks to me as though someone has found a way to abuse ning.com's
pl
Marc Perkel wrote:
Postfix allows you to use blacklists as follows:
reject_rbl_client blacklist.junkemailfilter.com
Does Postfix allow you to use white lists? If so - what's the syntax?
I'm about to publish my whitelist for Postfix.
No. DNSWL offer an rsync access. This is better for perfo
On 26.02.08 19:30, aritza sobrinos wrote:
> I'm getting false positives like this:
>
> X-Spam-Status: Yes, score=3.776 tag=x tag2=3.5 kill=3.5 tests=[BAYES_50=
> 0.001,
> HTML_10_20=0.246, HTML_MESSAGE=0.001, HTML_SHORT_LENGTH=0.389,
> SPF_HELO_SOFTFAIL=3.14, SPF_PASS=-0.001]
>
>
> SPF_HELO_SOF
On 26.02.08 11:56, Russell Jones wrote:
> For some reason spamd is not scoring email nearly as high as
> spamassassin scores if you run the message through manually. I do not
> understand this, and it is causing spam to get through that should have
> been blocked. As you can see when running spa
On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
>
> For anyone interested here is the full email (well one of them)...
>
> http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
>
Looks to me as though someone has found a way to abuse ning.com's
platform/systems. I suspect they'd be v
Rocco Scappatura wrote:
And spammers are becoming faster as time goes on.. Is it
convenient to use gray listing
newer bots retry, so GL is only effective if the time
interval is large enough, but that's not a neutral thing so
should be restricted to suspicious mail. That's what I
On 26.02.08 11:18, Igor Chudov wrote:
> If I recall correctly...
>
> This Habeas is some sort of a braindead business idea to insert an
> unauthenticated header in bodies of "legitimate" emails coming from
> their customers, to assure spam filters that the email is legitimate.
afaiuc, Habeas is
On 26.02.08 19:20, Miguel Angel wrote:
They are getting high score because they are using dynamic ip ranges and they
match rbl lists.
If you relay mail from your dynamic addresses w/o authentication, they
should be in your trusted_networks. Then they'll get ALL_TRUSTED and
probably DOS_*_TO_MX, unle
On 26.02.08 19:20, Miguel Angel wrote:
> They are getting high score because they are using dynamic ip ranges and they
> match rbl lists.
If you relay mail from your dynamic addresses w/o authentication, they
should be in your trusted_networks. Then they'll get ALL_TRUSTED and
probably DOS_*_TO_MX, un
Hi Jason,
> This is and always has been documented behaviour in Qmail-Scanner.
> Please read the FAQ
I tried to find the link but I have not found it. Could you send me the
right link?
Cheers
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
"It's easier to invent the future than
Hi,
ram wrote:
On Tue, 2008-02-26 at 08:49 +, Anthony Peacock wrote:
Hi,
I have just received a number of spam emails which got through the
filtering system because they hit the HABEAS_ACCREDITED_COI rule, which
give them -8. They all came to role based addresses that are never used
to
> > And spammers are becoming faster as time goes on.. Is it
> > convenient to use gray listing
>
> newer bots retry, so GL is only effective if the time
> interval is large enough, but that's not a neutral thing so
> should be restricted to suspicious mail. That's what I use GL
> for