Re: emailBL

2009-04-27 Thread Henrik K
On Mon, Apr 27, 2009 at 04:10:48PM -0400, Adam Katz wrote: > (note, I'm guessing at the appropriate mailing list for cross-post) > > Dennis Davis wrote: > > http://code.google.com/p/anti-phishing-email-reply/ > > > > is also useful as it attempts to detail the compromised accounts. > > Just block

Re: emailBL

2009-04-27 Thread John Hardin
On Tue, 28 Apr 2009, Steve Freegard wrote: John Hardin wrote: On Tue, 28 Apr 2009, Steve Freegard wrote: To reduce the likelihood of collisions then it's better to add the input string length at the end of the md5 like ClamAV does in its MD5 sigs e.g. s...@laptop-smf:~$ perl -MDigest::MD5 -

Re: emailBL

2009-04-27 Thread Dave Funk
On Tue, 28 Apr 2009, Steve Freegard wrote: Nah - I really don't like it that way; it doesn't really bring you any benefit and is more likely to cause collisions if you do it that way. Don't see how it can cause less DNS traffic either. At least using MD5 hashes your DNS query will only be 32 ch

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Matt Kettler
mark wrote: >> > Thanks for this, the bug issue had some more info, which I had not > included in my email: > > > I have recompiled spamass-milter with this patch:- > > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510665 > > However, this has not resolved the issue, can you tell me if SA ca

Re: Code Rot?

2009-04-27 Thread RW
On Mon, 27 Apr 2009 18:04:36 +0100 Justin Mason wrote: > that's pretty much it. low FPs and a useful number of hits (ie. over > 1% iirc). Unfortunately, that doesn't necessarily mean that the rule is useful. It's easy to create rules that match the above criteria, but most of them never make a

Re: emailBL

2009-04-27 Thread Steve Freegard
John Hardin wrote: > On Tue, 28 Apr 2009, Steve Freegard wrote: > >> To reduce the likelihood of collisions then it's better to add the input >> string length at the end of the md5 like ClamAV does in its MD5 sigs >> e.g. >> >> s...@laptop-smf:~$ perl -MDigest::MD5 -e '$email="s...@fsg.com"; prin

Re: A rant about FUZZY_OCR

2009-04-27 Thread LuKreme
On 27-Apr-2009, at 16:06, Jo Rhett wrote: On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of

Re: emailBL

2009-04-27 Thread John Hardin
On Tue, 28 Apr 2009, Steve Freegard wrote: To reduce the likelihood of collisions then it's better to add the input string length at the end of the md5 like ClamAV does in its MD5 sigs e.g. s...@laptop-smf:~$ perl -MDigest::MD5 -e '$email="s...@fsg.com"; print Digest::MD5::md5_hex($email).leng

Re: emailBL

2009-04-27 Thread Steve Freegard
Adam Katz wrote: > Steve Freegard wrote: >> I've been thinking about creating an emailBL to target dropboxes used >> for 419 scams, phishing, russian penpals etc. as I have a reasonable way >> to collect these in real-time and it would close a lot of doors on these >> folks provided I can avoid bei

Re: emailBL

2009-04-27 Thread SM
At 14:54 27-04-2009, David B Funk wrote: On Mon, 27 Apr 2009, John Hardin wrote: How about "_at_" - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard hostnam

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Dan Mahoney, System Admin
On Mon, 27 Apr 2009, Jo Rhett wrote: On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of refer

FW: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Casartello, Thomas
I rely on Fuzzy OCR for some messages. I get some with Viagra/Cialis images, and just garbage text in the message. Other than FuzzyOCR, nothing usually scores. Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State Col

Re: emailBL

2009-04-27 Thread Adam Katz
Steve Freegard wrote: > I've been thinking about creating an emailBL to target dropboxes used > for 419 scams, phishing, russian penpals etc. as I have a reasonable way > to collect these in real-time and it would close a lot of doors on these > folks provided I can avoid being caught by address st

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Jo Rhett
On Apr 27, 2009, at 1:16 PM, Dan Mahoney, System Admin wrote: The problem exists now, there is PNG spam, and there will continue to be, because it gets through. Right now the only way I find this blocked is if spamcop blocks it. Just as a point of reference, I'd like to note that we haven'

Re: emailBL

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, David B Funk wrote: On Mon, 27 Apr 2009, John Hardin wrote: How about "_at_" - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard h

Re: emailBL

2009-04-27 Thread David B Funk
On Mon, 27 Apr 2009, John Hardin wrote: How about "_at_" - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard hostnames with underscores as invalid. Ever see

Re: emailBL

2009-04-27 Thread Steve Freegard
Adam Katz wrote: > (note, I'm guessing at the appropriate mailing list for cross-post) > > Dennis Davis wrote: >> http://code.google.com/p/anti-phishing-email-reply/ >> >> is also useful as it attempts to detail the compromised accounts. >> Just block/quarantine email for those accounts. > > Inte

Re: Next Version of SA and New Rule Updates

2009-04-27 Thread Karsten Bräckelmann
Removing the quoted body and changing the Subject after hitting the Reply button doesn't make it a new post. It is still a reply. Aka "please don't hijack unrelated threads". Frankly, I'm almost surprised to see *that* old a version of Lotus Notes actually honor and set an In-Reply-To header at al

Re: emailBL

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Karsten Bräckelmann wrote: y.real-at999.z @ a.at.real-at2.bc -> y.real-at999.z.real-at1000.a.at.real-at2.bc Still ambiguous. So the generated s/at/real-at$n/ is the last occurrence of a numbered "real-at" plus 1. What if we need it twice, and there are 3 such thingies

Re: Next Version of SA and New Rule Updates

2009-04-27 Thread Raymond Dijkxhoorn
Hi! Any Idea of when we will expect a new version of SA or new rule updates. We are getting hit pretty hard with Spam lately. Feel free to submit rules, don't just sit and wait. ;) Bye, Raymond.

Next Version of SA and New Rule Updates

2009-04-27 Thread Jeremy Davila
Any Idea of when we will expect a new version of SA or new rule updates. We are getting hit pretty hard with Spam lately.

Re: emailBL

2009-04-27 Thread Karsten Bräckelmann
> y.real-at999.z @ a.at.real-at2.bc -> > y.real-at999.z.real-at1000.a.at.real-at2.bc Still ambiguous. So the generated s/at/real-at$n/ is the last occurrence of a numbered "real-at" plus 1. What if we need it twice, and there are 3 such thingies in total? How do we know we only need to "decod

Re: emailBL

2009-04-27 Thread Adam Katz
Karsten Bräckelmann wrote: > You are aware there's a ccTLD .at? :) Yes, but the TLD goes at the very end of the email, so the parser, which strips ".emailbl.org" with that leading dot, can only trip over invalid domains like "a.at..emailbl.org" ... my latter two examples below show what the parser

Re: emailBL

2009-04-27 Thread David B Funk
On Mon, 27 Apr 2009, Karsten Bräckelmann wrote: > On Mon, 2009-04-27 at 16:10 -0400, Adam Katz wrote: > > Since email addresses contain everything a valid domain can contain, > > the user.AT.domain.tld (which is really user.at.domain.tld since > > domains are not case-sensitive) could be ambiguous

RE: 3.2.5 upgrade - getting clobbered

2009-04-27 Thread Jean-Paul Natola
Thanks that did the trick- removed ALL Perl mods and reinstalled exim and sa Greatly appreciated -Original Message- From: Jean-Paul Natola [mailto:jnat...@familycareintl.org] Sent: Monday, April 27, 2009 12:20 PM To: Mark Martinec; users@spamassassin.apache.org Subject: RE: 3.2.5 upgrad

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Dan Mahoney, System Admin wrote: 3) Wordlists loadable from userprefs, if not bayes. Along with that, the detected words should be (somehow) fed into bayes for analysis along with the other message text. We touched on that last time fuzzyOCR was active. -- John Hardin

Re: [sa-list] Re: A rant about FUZZY_OCR

2009-04-27 Thread Dan Mahoney, System Admin
On Mon, 27 Apr 2009, Henrik K wrote: Nothing of this makes sense. If you don't have a test server, too bad. If you don't trust the "score-changing values" too bad. It all worked for me. It's a great idea, but I'd like to see it mature some first, especially with respect to its documentation, te

Re: emailBL

2009-04-27 Thread Adam Katz
Adam Katz wrote: > (note, I'm guessing at the appropriate mailing list for cross-post) Failure. I've sent a lead developer a list to an online caching of my post. Also, I borked my last example, and online caching sites' defanging techniques make this proposal impossible to read, so I've spaced

Re: emailBL

2009-04-27 Thread Karsten Bräckelmann
On Mon, 2009-04-27 at 16:10 -0400, Adam Katz wrote: > Since email addresses contain everything a valid domain can contain, > the user.AT.domain.tld (which is really user.at.domain.tld since > domains are not case-sensitive) could be ambiguous if the "user" or > the "domain" contains ".at." in itsel

emailBL

2009-04-27 Thread Adam Katz
(note, I'm guessing at the appropriate mailing list for cross-post) Dennis Davis wrote: > http://code.google.com/p/anti-phishing-email-reply/ > > is also useful as it attempts to detail the compromised accounts. > Just block/quarantine email for those accounts. Interesting ... this seems like it

Re: Code Rot?

2009-04-27 Thread LuKreme
On 26-Apr-2009, at 22:36, Dan Mahoney, System Admin wrote: While there's a decent amount of spamassassin list traffic to imply otherwise, is the SA project falling dormant? No. Development is proceeding on 3.3. the sare-rules claim they won't be updated due to lives, wives, and hockey. SA

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 18:00, John Hardin wrote: > On Mon, 27 Apr 2009, Justin Mason wrote: > >> On Mon, Apr 27, 2009 at 17:38, John Hardin wrote: >> >>> But this is only part of the problem. How difficult is it for third >>> parties >>> to submit rules for review and inclusion in the base rules

Re: Code Rot?

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:38, John Hardin wrote: But this is only part of the problem. How difficult is it for third parties to submit rules for review and inclusion in the base ruleset without necessarily joining the dev group? Is posting the propose

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 17:38, John Hardin wrote: > On Mon, 27 Apr 2009, Justin Mason wrote: > >> On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja wrote: >> >>> SARE had a nice system where you could submit a rule via email and got >>> the masscheck results via email. Sadly all the boxes which di

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread mark
Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D < spam.eml then it's correctly detected as spam and no sign of UNPARSEABLE_RELAY. I have created case 6103 - but this may be a milter-issue, although the

Re: Code Rot?

2009-04-27 Thread John Hardin
On Mon, 27 Apr 2009, Justin Mason wrote: On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja wrote: SARE had a nice system where you could submit a rule via email and got the masscheck results via email. Sadly all the boxes which did this are dead. actually, I _did_ come up with one of those,

Re: Code Rot?

2009-04-27 Thread Igor Chudov
I have a few computers that I can volunteer for checking spam rules. i > SARE had a nice system where you could submit a rule via email and got > the masscheck results via email. Sadly all the boxes which did this are > dead. I wonder if the SA masscheckers could be taught to do something >

RE: 3.2.5 upgrade - getting clobbered

2009-04-27 Thread Jean-Paul Natola
I tried to fetchindex but it failed with make: don't know how to make fetchindex. -Original Message- From: Mark Martinec [mailto:mark.martinec...@ijs.si] Sent: Friday, April 24, 2009 12:34 PM To: users@spamassassin.apache.org Subject: Re: 3.2.5 upgrade - getting clobbered Possibly

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 17:03, Yet Another Ninja wrote: > On 4/27/2009 5:47 PM, Theo Van Dinter wrote: >> >> These days there is basically no rule development going on, it seems. >> Justin's sought rules are the only ones really being updated, and >> that's because they're computer generated. :) >

Re: Image spam and failing rule

2009-04-27 Thread Karsten Bräckelmann
On Mon, 2009-04-27 at 12:16 +0200, Andy Spiegl wrote: > > It's already been mentioned, but mimeheader is the right way to look > > at the headers of MIME parts. > > How about multiline Content-Types? They appear to be wrapped. $ grep -A 1 image/ dsl.png.msg Content-Type: image/png; n

Re: Code Rot?

2009-04-27 Thread Yet Another Ninja
On 4/27/2009 5:47 PM, Theo Van Dinter wrote: These days there is basically no rule development going on, it seems. Justin's sought rules are the only ones really being updated, and that's because they're computer generated. :) That's actually something else I'm sad about -- we had such a huge co

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Robert Schetterer
mark wrote: > Hey, > > I am trying to track down an issue on Centos 5 x86_64 with > spamass-milter-0.3.2-1 and spamassassin-3.2.5. > > Nearly all the emails are received with UNPARSEABLE_RELAY - but if I > take the email as delivered by the MDA and run it with spamassassin -t > -D < spam.eml th

Re: Code Rot?

2009-04-27 Thread Theo Van Dinter
fwiw, I was going to say "Yes" to the first question. Not sure about the second question, though I've always wanted to see more sharing/give-back from those folks. While there have been a bunch of mails on the dev list, most of it is incorrectly opened bugs, or other randomness. IMO, there hasn't

Re: Phishing

2009-04-27 Thread Mike Cardwell
jp wrote: We've seen some of it with our webmail too. When one of your users gives out their password and you notice their account being abused, look in the message headers or apache logs to see where the perp is. We've seen them mostly to be from Africa, Nigeria probably. I've taken to block

Re: Phishing

2009-04-27 Thread Mike Cardwell
Dennis Davis wrote: There was a project from an educational institution to target phishing emails. I don't recall the name of the project or whether the source code was released. You might be thinking of Kochi: http://oss.lboro.ac.uk/kochi1.html The Google project: http://code.google.com/p

Re: Phishing

2009-04-27 Thread Dennis Davis
On Fri, 24 Apr 2009, SM wrote: > From: SM > To: users@spamassassin.apache.org > Date: Fri, 24 Apr 2009 22:03:21 -0700 > Subject: Re: Phishing ... > There was a project from an educational institution to target > phishing emails. I don't recall the name of the project or > whether the source co

Re: Phishing

2009-04-27 Thread jp
We've seen some of it with our webmail too. When one of your users gives out their password and you notice their account being abused, look in the message headers or apache logs to see where the perp is. We've seen them mostly to be from Africa, Nigeria probably. I've taken to blocking their /16

Re: sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread Matt Kettler
mark wrote: > Hey, > > I am trying to track down an issue on Centos 5 x86_64 with > spamass-milter-0.3.2-1 and spamassassin-3.2.5. > > Nearly all the emails are received with UNPARSEABLE_RELAY - but if I > take the email as delivered by the MDA and run it with spamassassin -t > -D < spam.eml then i

Re: Code Rot?

2009-04-27 Thread Justin Mason
On Mon, Apr 27, 2009 at 12:56, Matt Kettler wrote: > Dan Mahoney, System Admin wrote: >> Hey all, >> >> While there's a decent amount of spamassassin list traffic to imply >> otherwise, is the SA project falling dormant? >> >> the sare-rules claim they won't be updated due to lives, wives, and >>

Re: Code Rot?

2009-04-27 Thread Matt Kettler
Dan Mahoney, System Admin wrote: > Hey all, > > While there's a decent amount of spamassassin list traffic to imply > otherwise, is the SA project falling dormant? > > the sare-rules claim they won't be updated due to lives, wives, and > hockey. > > the fuzzyOCR project claims the only thing that w

sa with spamass-milter UNPARSEABLE_RELAY problem

2009-04-27 Thread mark
Hey, I am trying to track down an issue on Centos 5 x86_64 with spamass-milter-0.3.2-1 and spamassassin-3.2.5. Nearly all the emails are received with UNPARSEABLE_RELAY - but if I take the email as delivered by the MDA and run it with spamassassin -t -D < spam.eml then it's correctly detected

Re: Image spam and failing rule

2009-04-27 Thread Andy Spiegl
> > While you are at it, you can also scan for > >   full /Content-Type: image\/gif;\n[^a-z]+name=""/ > It's already been mentioned, but mimeheader is the right way to look > at the headers of MIME parts. How about multiline Content-Types? I tried without success: mimeheader NAMELESSGIF_ATTACHME

Re: Phishing

2009-04-27 Thread Matus UHLAR - fantomas
> On Sat, April 25, 2009 05:44, Igor Chudov wrote: > > DKIM will not work, as this is purely a social engineering attack. On 26.04.09 15:33, Benny Pedersen wrote: > will postmas...@example.com work ? > > if the hacked accounts was signed with dkim remote will know what domain > to contact about i