Re: [sa] Re: problem getting spamassassin to invoke fuzzyocr

2009-05-13 Thread Lists
Charles Gregory wrote: On Wed, 13 May 2009, Lists wrote: Do you mean in /etc/mail/spamassassin/FuzzyOcr? I'm not familiar with the module in particular, but that behaviour - runnable as one user (or root) but not another - is nearly always some sort of permission issue. So if the permissions

Re: Wondering why this scored a -4.0

2009-05-13 Thread LuKreme
On 13-May-2009, at 03:43, RW wrote: On Sun, 10 May 2009 16:04:47 -0400 Adam Katz wrote: That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are going out of their way to send from whitelisted servers these days, a testament to how powerful DNSBLs are. The other day I had a lottery sca

Re: Boxtrapper and Spamassassin Cpanel 11 strange behaviour.

2009-05-13 Thread Karsten Bräckelmann
Yay, a long-ish post. But I believe it's worth it. On Tue, 2009-05-12 at 13:14 -0700, an anonymous Nabble user wrote: > Karsten Bräckelmann wrote: > > The problem is with the design itself. Only the real sender can and will > > confirm. The challenge to the *forged* sender of spam will not be > >

Re: [SA] Wondering why this scored a -4.0

2009-05-13 Thread mouss
RW wrote: > On Sun, 10 May 2009 16:04:47 -0400 > Adam Katz wrote: > > >> That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are going >> out of their way to send from whitelisted servers these days, a >> testament to how powerful DNSBLs are. > > The other day I had a lottery scam sp

Re: Whitelist_From Woes

2009-05-13 Thread Karsten Bräckelmann
Please always keep threads on-list by replying to list. I am not the only one, who can help you. On Wed, 2009-05-13 at 11:57 -0500, Michael Lyon wrote: > But...how do I remove an autowhitelist entry for just one user? I > have a rule that was duplicated and causing me problems (It was to > preve

Re: [SA] Wondering why this scored a -4.0

2009-05-13 Thread Benny Pedersen
On Wed, May 13, 2009 11:43, RW wrote: > The other day I had a lottery scam spam sent via University > College London webmail, from a Nigerian IP address. It hit > RCVD_IN_DNSWL_MED and RCVD_IN_SBL, which have a combined score of -2.4. did you tell at dnswl about what ip ? > I think it might be us

Re: NO_RELAYS does not trigger when all received is 127.0.0.1

2009-05-13 Thread Benny Pedersen
On Wed, May 13, 2009 05:17, Matt Kettler wrote: > In that case the local host is considered a "relay", even though it's > relaying to itself. yes > Really NO_RELAYS really means "NO_MTAS", i.e.: no parseable Received: > headers. okay i learn it then, thanks for explaining it -- http://localh

Re: Whitelist_From Woes

2009-05-13 Thread Karsten Bräckelmann
On Wed, 2009-05-13 at 11:16 -0500, Michael Lyon wrote: > We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I suggest upgrading. That's quite ancient... > I'm having problems getting a domain whitelisted. Previously, adding > domains to be whitelisted simply meant adding a "wh

Re: Whitelist_From Woes

2009-05-13 Thread Kevin Parris
Well maybe you should figure out what is going on with these two: RE_PASSWORD 100.00, RE_PASSWORDV 100.00 since your choice of "-100" (it is not a magic pass value, just another factor in the arithmetic) for your manual whitelist only counteracts one of them ... or run your manual whitelist scor

Re: FreeMail plugin updated - banks

2009-05-13 Thread Ned Slider
neil wrote: Hi; Ned Slider wrote: >First up, from Mike's inspiration above, I came up with these: I took your rule and added some meta rules to it. I'm getting hits on phishes, but I haven't seen any legitimate traffic hit it. This may be that I have not seen any real bank mail or it could be

RE: Whitelist_From Woes

2009-05-13 Thread Peter P. Benac
/var/log/maillog output: May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0

Whitelist_From Woes

2009-05-13 Thread Michael Lyon
We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I'm having problems getting a domain whitelisted. Previously, adding domains to be whitelisted simply meant adding a "whitelist_from *...@domain.com" to my /opt/MailScanner/etc/spam.assassin.prefs.conf file. Now, however, my mai

Re: FreeMail plugin updated - banks

2009-05-13 Thread neil
Hi; Ned Slider wrote: >First up, from Mike's inspiration above, I came up with these: I took your rule and added some meta rules to it. I'm getting hits on phishes, but I haven't seen any legitimate traffic hit it. This may be that I have not seen any real bank mail or it could be that it misse

Re: [SA] Wondering why this scored a -4.0

2009-05-13 Thread RW
On Wed, 13 May 2009 08:16:19 -0400 Greg Troxel wrote: > > RW writes: > > > On Sun, 10 May 2009 16:04:47 -0400 > > Adam Katz wrote: > > > > > >> That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are > >> going out of their way to send from whitelisted servers these > >> days, a testa

Re: EmailBL plugin released - I like it!

2009-05-13 Thread Charles Gregory
On Wed, 13 May 2009, Henrik K wrote: Still no description of how an address is chosen for inclusion in the RBL blacklist itself. Still wouldn't mind knowing this, unless you fear it would be sharing a secret with spammers that they could use to get around this test... First we should test if ther

Re: khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

2009-05-13 Thread Justin Mason
> This is updated nightly in my sa-update channel at: > khop-sc-neighbors.sa.khopesh.com > > (Generation script:  http://khopesh.com/scripts/sa-sc-neighbors ) > > Install with something like: > > wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import - > sa-update --gpgkey E8B493D6 --cha

Re: EmailBL hit count

2009-05-13 Thread DAve
Yet Another Ninja wrote: Assuming Henrik may appreciate some stats, even if minimal like below: Yesterday's hits: grep EMAILBL /var/log/maillog.1 | wc -l 1263 Not so good here, well good, but not so usable on the spam we see. Total messages tagged as spam by SA was 29k, 290 tagged by EM

Re: FreeMail plugin updated

2009-05-13 Thread Bill Landry
Henrik K wrote: >> When I run "spamassassin --lint" no problems are reported. Any thoughts >> on why this is happening only when updating the sought rules? > > It seems sa-update only lints the directory that it downloaded, thus no > freemail_domains cf is ever seen. I've now reduced the warning

Re: [SA] Wondering why this scored a -4.0

2009-05-13 Thread Greg Troxel
RW writes: > On Sun, 10 May 2009 16:04:47 -0400 > Adam Katz wrote: > > >> That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are going >> out of their way to send from whitelisted servers these days, a >> testament to how powerful DNSBLs are. > > The other day I had a lottery scam spam

Re: FreeMail plugin updated - banks

2009-05-13 Thread Ned Slider
Ned Slider wrote: uri LOCAL_URI_PHISH_UK3 m{https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk} describe LOCAL_URI_PHISH_UK3 contains obfuscated UK phish link of form example.com/bank.co.uk Ah, this rule hits on unsubscribe links etc, which wasn't what was intended. For example:

Re: [SA] Wondering why this scored a -4.0

2009-05-13 Thread RW
On Sun, 10 May 2009 16:04:47 -0400 Adam Katz wrote: > That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are going > out of their way to send from whitelisted servers these days, a > testament to how powerful DNSBLs are. The other day I had a lottery scam spam sent via University Colle

Note about FreeMail and EmailBL

2009-05-13 Thread Henrik K
It seems I've forgotten how SA loads things.. All the loadplugin clauses should be moved from .cf to .pre files. If any of you are using 90_sare_freemail.cf, it isn't in effect, since cf files are sorted in order of digits, uppercase, lowercase. No problem with files from my site, as I've had th

Rule from an added header

2009-05-13 Thread Alvaro Marín
Hello, I'm using a plugin that does an "eval:check_msg()" and adds a header with add_header. In that header there is information about the scanned mail (if it's spam or a virus). The problem is that I want to differentiate between these results: - If it's spam ("spam" word appears in the hea

Re: FreeMail plugin updated

2009-05-13 Thread Henrik K
On Tue, May 12, 2009 at 07:25:26PM -0700, Bill Landry wrote: > Hi Henrik, > > > I've revamped fully the old code. Works still the same, but has some new > > functions. It's also a bit more careful when parsing body (new parser, > > emails inside <> are ignored, as well ones inside urls etc), so it

Re: EmailBL plugin released - I like it!

2009-05-13 Thread Henrik K
On Tue, May 12, 2009 at 05:23:07PM -0400, Charles Gregory wrote: > > Still no description of how an address is chosen for inclusion in > the RBL blacklist itself. Particularly where the (often forged) > "From" header is being used, how does the list avoid FP's? First we should test if there actual

EmailBL hit count

2009-05-13 Thread Yet Another Ninja
Assuming Henrik may appreciate some stats, even if minimal like below: Yesterday's hits: grep EMAILBL /var/log/maillog.1 | wc -l 1263