thus Michael Monnerie spake:
Dear users of the ZMI-GERMAN ruleset. I manage those ruleset, and just
(again) received the message below, about "you won a trip". Those
messages are spammy, although you really can do such a trip and only pay
the flight ticket (which then costs enough to also inclu
Dear users of the ZMI-GERMAN ruleset. I manage those ruleset, and just
(again) received the message below, about "you won a trip". Those
messages are spammy, although you really can do such a trip and only pay
the flight ticket (which then costs enough to also include the trip
itself ;-). Anywa
Jari Fredriksson wrote:
> I have two spamd hosts, and spamc calls them seemingly random or
> doing some kind of load balance. -H option if I remember right.
The documentation says that it just randomizes the ordering of the
addresses. So if luck is with you then you will split the load among
all o
On Tue, 2009-06-02 at 13:40 -0700, Bob O'Brien wrote:
> Actually, Richard, yes - I have management approval for what details I choose
> to share with any given online community.
Share? Oh Sorry Bob. I only had Barracuda down as digital thieves. Let
me see;
SPAM and 'VIRUS' (lol) 'FIREWALL'
BSMTPD
Hi all,
System:
MailScanner 4.76.24
spamassassin 3.2.5
MTA - postfix
ClamAV 0.95.1
I am trying to troubleshoot why a particular server cannot send into
our email system.
There is no reference in the logs to this server ever trying to connect.
I have discovered they are on ips.backscatterer.o
On Thu, 2009-05-28 at 20:14 +0200, Karsten Bräckelmann wrote:
> On Thu, 2009-05-28 at 09:43 -0700, Marc Perkel wrote:
> > I'm looking for domains to whitelist that meet this criteria:
>
> Speaking of which, how would you like me to report bad listings in the
> Hostkarma whitelist?
I was kind of s
On Tue, 2009-06-02 at 17:01 -0700, fchan wrote:
> I recently was checking on servers that were sending out spam and
> found one of them had the hostname called "localhost" which I think
> is an attempt to bypass SA. The IP address is 222.252.188.181 which
> maps back to Vietnam.
Why would that
I recently was checking on servers that were sending out spam and
found one of them had the hostname called "localhost" which I think
is an attempt to bypass SA. The IP address is 222.252.188.181 which
maps back to Vietnam.
Also I found that a large percentage of my spam comes from Brazil and
I
On Tue, 02 Jun 2009 16:26:08 -0400
Adam Katz wrote:
> -notfirsthop examines all IPs except the originating one, useful for
> ignoring the user's direct IP, which could be a hotel or dialup IP.
You'd think, but in practice -lastexternal gets used. I'm not sure why.
> My confusion:
>
> -first
On Tue, 2 Jun 2009, Luis campo wrote:
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]: connec
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]: connect to spamd on 172.16.0.14
fa
Larry Starr wrote:
>> I have been using the AWL ( --add-addr-to-blacklist ) for some
>> time, to bump new spam senders above the "Bayes-99" score.
Theo Van Dinter responded:
> Well, the first problem is that the AWL has no impact on Bayes.
> They're totally independent.
> Perhaps you want "sa-l
Well, the first problem is that the AWL has no impact on Bayes.
They're totally independent.
Perhaps you want "sa-learn" ?
On Tue, Jun 2, 2009 at 2:32 PM, Larry Starr wrote:
> I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
> new spam senders above the "Bayes-99" scor
> I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
> new spam senders above the "Bayes-99" score.
>
> My problem is that this feature seems, extremely slow.
>
> I'm now trying to use the "( --add-to-blacklist )" option and am finding that
> this is, equally, slow.
>
>
Bob O'Brien wrote:
Actually, Richard, yes - I have management approval for what details I choose
to share with any given online community. I am also learning to count Jann
among my friends, and I'm sure he would *appropriately* acknowledge your
greeting.
If your participation is at all typic
On Tue, 2009-06-02 at 13:40 -0700, Bob O'Brien wrote:
> Actually, Richard, yes - I have management approval for what details I
> choose to share with any given online community. I am also learning
> to count Jann among my friends, and I'm sure he would *appropriately*
> acknowledge your greeting.
Actually, Richard, yes - I have management approval for what details I choose
to share with any given online community. I am also learning to count Jann
among my friends, and I'm sure he would *appropriately* acknowledge your
greeting.
If your participation is at all typical of this community,
ANTICOM-STINGER wrote:
> On Fri, 2009-05-29 at 12:16 -0600, J.D. Falk wrote:
>> Rob McEwen wrote:
>>
>>> Additionally, I'd like to ask, other than being a superb cash-generating
>>> machine, what good is a whitelist built upon pay-to-enter and NOT based
>>> on editorial decisions made by non-bia
> If you were nearby, I'd give you a gig stick of RAM to
> solve your problem. It's cheap these days.
I grabbed this 15 years old Pentium PRO machine from my cellar just for this
extra SpamAssassin process. I think EDO DRAM is not cheap, if at all available
these days. Old rig, but wor
If you were nearby, I'd give you a gig stick of RAM to solve your
problem. It's cheap these days.
On Tue, Jun 02, 2009 at 11:06:05PM +0300, Jari Fredriksson wrote:
> I have two spamd hosts, and spamc calls them seemingly random or doing some
> kind of load balance. -H option if I remember right.
The various eval:check_rbl() selectors are:
-notfirsthop -firsttrusted -untrusted -untrusted
My understanding from the docs:
-notfirsthop examines all IPs except the originating one, useful for
ignoring the user's direct IP, which could be a hotel or dialup IP.
-firsttrusted examines the IP
I have two spamd hosts, and spamc calls them seemingly random or doing some
kind of load balance. -H option if I remember right.
Sometimes one of those is down when doing maintenance or something..
When spamc encounters "connection refused" it keeps retrying as told with
--connect-retries
But if
I have been using the AWL ( --add-addr-to-blacklist ) for some time, to bump
new spam senders above the "Bayes-99" score.
My problem is that this feature seems, extremely slow.
I'm now trying to use the "( --add-to-blacklist )" option and am finding that
this is, equally, slow.
I'm running it
Matus UHLAR - fantomas wrote:
>> http://puffin.net\software\spam\samples\0005_body.txt
>
> Address Not Found
>
> puffin.net\software\spam\samples\0005_body.txt could not be found.
> Please check the name and try again.
>
> Did nobody ever tell you that URL directories are separated by
> slashes,
On Tue, 02 Jun 2009 12:19:50 -0400
David Ronis wrote:
> I've been playing with FuzzyOcr and FacileOCR in spamassassin (current
> trunk). Both plugins are built and installed, and test properly;
> however,
> ...
> Doesn't look like the tests are being triggered. Anybody know why?
I don't know
We have installed SpamAssassin 3.25 working with qmail Simscan ClamAV.
The problem is that spam works a few minutes then let it pass all
messages giving a score of 0.00 in the log and see the following
message:
Jun 2 11:31:26 ServerAS spamc[7259]: connect to spamd on 172.16.0.14
failed, re
On 2-Jun-2009, at 07:10, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
I reject .doc attachments since they can carry macro virus payloads.
--
We will fight for Bovine Freedom and hold our large heads high
We will run free with
On Tue, 2 Jun 2009, John Hardin wrote:
Well, any tool that's composing MIME messages can choose to omit a text
body part if no text is available... (snip)
In practice, we're only seeing it in spams. There may be false positives in
some unusual situations, but it's not likely with legitimate huma
On Tue, 2 Jun 2009, Rich Shepard wrote:
This morning not only was the mail log report and logwatch report falsely
flagged as spam, but so were several messages posted to the google group
mail list for an application I use. What is interesting to me is that every
one had a +2.5 score for EMPTY_BO
On Tue, 2 Jun 2009, Charles Gregory wrote:
Just to be sure that I'm thinking the right way about the 'no text body
part' rule: If someone sends a 'normal' message, but elects to not type
any text into the body, there *will* still be a mime 'text' section, and
it will just be empty, right?
I
decoder wrote:
> after quite some time, I've decided to release another version of
> FuzzyOcr...
Where's the best place to provide feedback/bug reports for FuzzyOCR? Is
this list okay, or would you prefer folks open tickets on the website,
or something else?
Nels Lindquist
Just to be sure that I'm thinking the right way about the 'no text body
part' rule: If someone sends a 'normal' message, but elects to not type
any text into the body, there *will* still be a mime 'text' section, and
it will just be empty, right? So the 'no text body' would mean that the
mess
I've been playing with FuzzyOcr and FacileOCR in spamassassin (current
trunk). Both plugins are built and installed, and test properly;
however, I'm not sure spamassassin is actually using them in routine
mail scanning. Basically, after 2-3 days running (ca 1000 spams) I've
yet to see a spamd lo
How difficult would it be to let spamc control spamd's logging output on
a per-message basis?
My reason for asking is this: I maintain a body of spam that I use to
develop and regression test local rules and, during rule development,
use spamc to pass the test messages through my only copy of spa
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
ftp://ftp.fcimail.org/IT/SA_Sample/message.txt
Yep, the rules below will hit on that message.
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, June 02, 2009 11:18 AM
To: SpamAssassin Users List
Subject: Re: wo
ftp://ftp.fcimail.org/IT/SA_Sample/message.txt
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, June 02, 2009 11:18 AM
To: SpamAssassin Users List
Subject: Re: word doc spam
On Tue, 2 Jun 2009, Dave Walker wrote:
> John Hardin wrote:
>> On Tue, 2 Jun 20
On Mon, 1 Jun 2009, Bowie Bailey wrote:
Your biggest problems here are BAYES_99 and EMPTY_BODY. To fix the Bayes
problem, sa-learn some of these messages as ham. Make sure you are
learning as the right user...
Bowie,
I started doing this today. Each of the false positive messages was
expo
On Mon, 1 Jun 2009, Charles Gregory wrote:
Just to be clear, are you looking at the body in the actual rejected
message, to make sure it is still there (not 'stripped' from the message)?
Charles,
I hope the following information is helpful in telling you more
experienced folks why I'm havin
On Tue, 2 Jun 2009, Dave Walker wrote:
John Hardin wrote:
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550 byte
word attachment?
Can you post a sample somewhere for us?
Hi,
I assume he means the recent surge in "rtf" attachment sp
On 02.06.09 09:10, Jean-Paul Natola wrote:
> Is there a rule to catch these messages with no body and a 550 byte word
> attachment?
> The only rule it's triggering is the
> RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
I reject these at SMTP level...
--
Matus UHLAR -
Does Drako know you are posting here Bob?
It's a bit naughty. He had everyone sign a form saying they would not
post to places like this? You really should know better.
We all know that Barracuda are behind emailreg. We know that emailreg is
'cash for spamming'. We know that support have been to
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
Correction they are rtf not doc
ftp://ftp.fcimail.org/IT/SA_Sample/shambling.rtf
Sorry, I meant a sample of the raw message, so that we can inspect the
headers and such.
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
> On 1-Jun-2009, at 05:52, Michael Scheidell wrote:
>> I don't follow anyone on twitter.
>> Went to their web site for the first time last week to look for their
>> complaint address.
>
> I've never seen a mail from twitter that was not directed to my
> twitter account. I searched the entire mail
April 29?
You started your narrative on 5/28 with an explicitly specified three week time
frame. On the 29th, I looked at four weeks of history, and the factual numbers
were lower. If that's where the discrepancy arose, then we may not really
disagree about anything of consequence.
No, I defi
If you look back a whopping 2 days in the list archive,
there are some rules that are very good at catching this
.rtf spam.
John Hardin wrote:
> On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
>
>> Is there a rule to catch these messages with no body and a 550 byte
>> word attachment?
>
> Can you post a sample somewhere for us?
>
Hi,
I assume he means the recent surge in "rtf" attachment spam. I've posted
two examples:
htt
Correction they are rtf not doc
ftp://ftp.fcimail.org/IT/SA_Sample/shambling.rtf
-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, June 02, 2009 9:47 AM
To: Jean-Paul Natola
Cc: users@spamassassin.apache.org
Subject: Re: word doc spam
On Tue, 2 Jun 2009
On Tue, 2009-06-02 at 09:10 -0400, Jean-Paul Natola wrote:
> Hi all,
>
> Is there a rule to catch these messages with no body and a 550 byte word
> attachment?
Yes, add the SaneSecurity clamav signatures.
codling.rtf: Sanesecurity.Spam.10307.UNOFFICIAL FOUND
Integration with spamassassin left
On Tue, 2 Jun 2009, Jean-Paul Natola wrote:
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
Can you post a sample somewhere for us?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -
Hi all,
Is there a rule to catch these messages with no body and a 550 byte word
attachment?
thx
The only rule it's triggering is the
RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address