On 25-Mar-2009, at 19:29, John Hardin wrote:
If 3.2.x does indeed implement multiline rawbody matches, then we'll
be able to have a robust rule for this - e.g. an HTML email with a
table that has more than 30 columns and more than 5 rows. That will
be difficult to obfuscate.
More than 30 c
On Wed, 25 Mar 2009, John Hardin wrote:
> On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote:
> > So why this actually works to me?
> >
> > rawbody LARGETABLE
> > m'
Then the documentation appears to be out of date. From
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_C
The Doctor wrote:
> All right why is AWL going to score 30+ when it was told to go to -1000
>
> as in
>
> score AWL -1000
You can't assign static scores to the AWL, this goes against the
definition of what it is. Its score is, by design, dynamic on a
per-message basis. Otherwise it would essenti
On Wed, 25 Mar 2009 18:22:46 -0600
The Doctor wrote:
> All right why is AWL going to score 30+ when it was told to go to
> -1000
>
> as in
>
> score AWL -1000
the AWL score is calculated, see the wiki page
On Wed, 25 Mar 2009, Arvid Ephraim Picciani wrote:
John Hardin wrote:
It would be somewhat more robust if SA offered multiline rawbody matching,
but try this:
Thanks for your efforts. Unfortunately, spammers read this list and
they'll adapt too quickly to make any use of custom rules
It'
All right why is AWL going to score 30+ when it was told to go to -1000
as in
score AWL -1000
??
--
Member - Liberal International This is doc...@nl2k.ab.ca
Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahill
John Hardin wrote:
It would be somewhat more robust if SA offered multiline rawbody matching,
but try this:
Thanks for your efforts. Unfortunately, spammers read this list and
they'll adapt too quickly to make any use of custom rules
It's also fairly specific to the HTML in the sample messag
On 25-Mar-2009, at 11:24, Giampaolo Tomassoni wrote:
rawbody LARGETABLE
m'tr'is
Just to be sure my parsing is working correctly, that is flagging if
there are 30 or more TDs in a single TR? If so, couldn't that be
written a lot more compactly?
Out of curiosity, what are you scoring tha
> On Tue, Mar 17, 2009 at 5:18 PM, J.D. Falk
> wrote:
>> RobertH wrote:
>>
>
> Maia Mailguard is a neat project that uses SA/amavisd to
> provide users with a web based quarantine. When a user
> indicates that a message is spam, the system can
> automatically submit the message to Razor, Pyzor,
On Wed, 2009-03-25 at 15:01 -0400, Michael Scheidell wrote:
>
> Match your MTA processes to the spamd children. Your MTA will send 4xx
> 'busy now, come back to play later' message. Let the sending MTA queue it
> back up (or zombies will just go away)
I don't really see that as a socially resp
--On Thursday, March 19, 2009 5:41 AM -0700 John Hardin
wrote:
Hence my subsequent suggestion for an HTML tag scoring plugin. That
_would_ be context-sensitive and I'd feel safe giving an OBJECT tag 20
points that way.
I'd love to see a plugin like this that could flag syntax issues like
un
> On Tue, 2009-03-24 at 08:10 -0500, Bowie Bailey wrote:
>>
>> Your assessment sounds right to me. I would make two suggestions.
>>
>> 1) Memory is cheap these days. Add some more RAM.
>
> That's a mitigation strategy, yes, but it doesn't really answer OP's
> question about how to make spamd s
On Wed, 25 Mar 2009, Kris Deugau wrote:
John Hardin wrote:
On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote:
> So why this actually works to me?
>
> rawbody LARGETABLE
> m'>
> Got SA 3.2.4.
I had forgotten about tflags multiple - when did multiline rawbody get
added?
I thought "ra
John Hardin wrote:
On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote:
So why this actually works to me?
rawbody LARGETABLE
m'
I had forgotten about tflags multiple - when did multiline rawbody get
added?
I thought "rawbody" was, literally, the raw message body considered as a
single string.
On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote:
From: John Hardin [mailto:jhar...@impsec.org]
Unfortunately no, at least at this time. rawbody rules don't do
multiline
matching (which would allow column counting), and rules in general are
just hit-or-miss, not hit-N-times.
So why this actuall
On 25-Mar-2009, at 10:36, John Hardin wrote:
# spaces.live.com URI rule posted to SA list a while ago, good for
metas
uri URI_SPACES_LIVE /spaces\.live\.com/
score URI_SPACES_LIVE 0.50
describe URI_SPACES_LIVE contains link to spaces.live.com
I just searched 500,000 ham messages a
> -Original Message-
> From: John Hardin [mailto:jhar...@impsec.org]
> Sent: Wednesday, March 25, 2009 5:40 PM
> To: Ernie Dunbar
> Cc: users@spamassassin.apache.org
> Subject: Re: Colored-in table attack.
>
> On Wed, 25 Mar 2009, Ernie Dunbar wrote:
>
> > Detection of such a message is a
On Wed, 25 Mar 2009, John Hardin wrote:
meta HTML_GRID_OBFU_LIVE (HTML_MESSAGE && URI_SPACES_LIVE &&
__GRID_OBFU_1 && __GRID_OBFU_2 && __GRID_OBFU_3 && __GRID_OBFU_4)
Whoopsie! I just remembered "tflags multiple" - this could probably be
improved by having the meta require the __GRID_OBF
On Wed, 25 Mar 2009, Ernie Dunbar wrote:
Detection of such a message is a piece of cake. Any message containing a
Very Large html table (even more than 50 table data fields, or one that
is disproportionately wide could qualify) could trigger such a test, but
I have no idea about how to do a co
On Wed, 25 Mar 2009, Arvid Ephraim Picciani wrote:
http://codepad.org/W53onqK9
I gave up on this kind of spam. It's impossible to train Bayes and changing
too fast to make custom rules. Matching senders doesn't work either
because those are sent using live.com, gmail, sourceforge, etc
It would b
This week, we've been getting plenty of Viagra spam from one spammer who is
using a very large HTML table (180+ 's) with a space in each table data
field. The spammer then creates his message (or usually, just a word) by
using the bgcolor tag in certain table data fields. An example is provide
uri DODGY_SPACES_URI
/http\:\/\/cid-.{1,20}\.spaces\.live\.com\//
Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshi
On 25-Mar-2009, at 09:38, Dave Pooser wrote:
Is there a blacklist_noauth? Because it seems that would be far more
useful for paypal.
blacklist_auth *paypal*
You whitelist_auth paypal.com and then a rule that scores +50 for From
contains *...@paypal.com -- quick and easy.
well, of course man
http://codepad.org/W53onqK9
I gave up on this kind of spam. It's impossible to train Bayes and changing
too fast to make custom rules. Matching senders doesn't work either
because those are sent using live.com, gmail, sourceforge, etc
Jeff Mincy wrote:
The question is: How does one fix the problem after it occurs?
The way to fix the problem is to relearn any incorrectly learned
messages. So any spam message that was incorrectly learned as ham,
either automatically or manually, needs to be correctly relearned as
spam usi
On Wed, 25 Mar 2009, Jack Raats wrote:
How to stop these messages? By disallowing html messages???
It may be simple to detect the HTML that's setting up the grid. Please
post a complete sample to pastebin.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@im
> Is there a blacklist_noauth? Because it seems that would be far more
> useful for paypal.
>
> blacklist_auth *paypal*
You whitelist_auth paypal.com and then a rule that scores +50 for From
contains *...@paypal.com -- quick and easy.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"There a
On Mar 25, 2009, at 9:30 AM, Guido wrote:
I believe it means you should take up this issue with the Amavisd-
new support forum.
Since you are not RUNNING SpamAssassin/spamc/spamd then some parts
of the configuration simply are not made effective in your
situation. You must look for a sol
Monky wrote:
> Bowie Bailey wrote:
> >
> > There is a --no-safe-fallback option on spamc which will cause it to
> > exit with an error message in the case of any problems (Normally, it
> > always exits with a 0 exit status). If you don't want anything to
> > go through unscanned, you can try this
On Wed, 2009-03-25 at 08:19 -0600, LuKreme wrote:
> On 24-Mar-2009, at 19:54, RW wrote:
> > On Wed, 25 Mar 2009 01:35:53 +0100 (CET)
> > "Benny Pedersen" wrote:
> >> On Tue, March 24, 2009 03:34, dsh979 wrote:
> Is there a blacklist_noauth? Because it seems that would be far more
> useful for
> I believe it means you should take up this issue with the Amavisd-new support
> forum.
>
> Since you are not RUNNING SpamAssassin/spamc/spamd then some parts of the
> configuration simply are not made effective in your situation. You must look
> for a solution within the software that actual
Glenn Sieb wrote:
> http://www.wingfoot.org/~ges/spam.txt
>
> Can't use pastebin or other tools--it gets flagged as spam. :)
It's a bit mangled there, but I put it back together and got this on my
system:
X-Spam-Status: Yes, score=7.6 required=5.0 tests=FORGED_HOTMAIL_RCVD2,
FREEMAIL_FRO
On 24-Mar-2009, at 19:54, RW wrote:
On Wed, 25 Mar 2009 01:35:53 +0100 (CET)
"Benny Pedersen" wrote:
On Tue, March 24, 2009 03:34, dsh979 wrote:
whitelist_from *...@whitelist3.com
forged senders welcome :)
hope *_from will be removed in next sa, its the badest check in
current sa of all tes
Bowie Bailey wrote:
>
> There is a --no-safe-fallback option on spamc which will cause it to
> exit with an error message in the case of any problems (Normally, it
> always exits with a 0 exit status). If you don't want anything to go
> through unscanned, you can try this setting.
>
>> If I ha
http://www.wingfoot.org/~ges/spam.txt
Can't use pastebin or other tools--it gets flagged as spam. :)
Best,
--Glenn
Chris wrote:
> On Wed, 2009-03-25 at 02:59 +0200, jcput...@centreweb.co.za wrote:
> > I am receiving spam all the time from Windows Live accounts,
> > spamassassin doesn't even have one hit.. I am using sought rule with
> > openprotects sare rules with dcc,pyzor,razor2 and iXhash.
> >
> > i creat
On Wed, March 25, 2009 06:42, Jack Raats wrote:
> Today I received two messages with a kinds of new(?) spam.
old spam continue
> The messages, html ones, contained the word viagra made by colouring
> cells in a table.
sorry this is old
> The message also contained a link to a blog (live.com).
On (09-03-24 11:10), McDonald, Dan wrote:
> On Tue, 2009-03-24 at 16:30 +0100, Guido wrote:
> > > > - How can I convince spamassassin (used by amavisd-new) to care
> > > >about my user_prefs in the database?
> > What I mean is per recipient settings.
> Have you restarted amavisd-new since you