Owen B. Mehegan wrote:
>Lately a lot of 419 and investment spams have been getting through
>with very low SA scores. Can anyone take a look at these and see
>if there's another ruleset I should use to trap them?
Owen, particularly with 419/scam spams, it's VERY helpful if you
tell us more about yo
On Thu, 18 Jun 2009, Jeff Drury wrote:
http://pastebin.ca/1465504
On 6/18/09 2:00 PM, "Benny Pedersen" wrote:
On Thu, June 18, 2009 22:33, Jeff Drury wrote:
They don't appear to be scored at all (see attached header)
test:
spamassassin 2>&1 -D --lint
any errors here ?
spamassassin 2>
Hi there, just a FYI
I just received this: http://pastebin.com/m54006b68
420K in size - standard configuration of SA wouldn't have even run over
this message. Also the inline image is too large for FuzzyOCR to trigger
- I would guess FuzzyOCR has the (screen) size limit as a mechanism to
reduce F
On Fri, June 19, 2009 01:22, Jeff Drury wrote:
> http://pastebin.ca/1465504
[49973] dbg: spf: cannot get Envelope-From, cannot use SPF
[49973] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[49973] dbg: spf: already checked for Received-SPF headers, proceeding with
http://pastebin.ca/1465504
On 6/18/09 2:00 PM, "Benny Pedersen" wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> > They don't appear to be scored at all (see attached header)
>
> test:
>
> spamassassin 2>&1 -D --lint
>
> any errors here ?
>
> spamassassin 2>&1 -D -t msgtotest |
Hi Dan,
> Do I need the backslashes to escape the spaces?
>
> no, although \s would be fine.
>
Okay, so either \s or nothing at all works just the same?
> this can be much more effectively written as:
> /.spam\ssample./i
> That will match the words "spam sample" in the subject as long as ther
On 6/19/2009 12:28 AM, Benny Pedersen wrote:
On Fri, June 19, 2009 00:22, Yet Another Ninja wrote:
w-crook.com.ar.multi.uribl.com has address 127.0.0.2
w-crook.com.ar.multi.surbl.org has address 127.0.0.46
it now makes sense with ttl in 300 sec :)
I've been told it was detected on 2009-06-17
On Fri, June 19, 2009 00:22, Yet Another Ninja wrote:
> w-crook.com.ar.multi.uribl.com has address 127.0.0.2
> w-crook.com.ar.multi.surbl.org has address 127.0.0.46
it now makes sense with ttl in 300 sec :)
but if i get time, i would make meta rules to spot the phish sometime
is the exe even de
On 6/19/2009 12:10 AM, Benny Pedersen wrote:
On Thu, June 18, 2009 23:53, fchan wrote:
http://pastebin.ca/1465411
make a meta rule for line 24 25 35
solved
i would like to hold your credit card for a moment, and you would like to
download phishing report in an exe file ? :)
???
w-crook.c
On Thu, 2009-06-18 at 18:01 -0400, MySQL Student wrote:
> I'm also having a problem with one of my rules:
>
> [32692] info: config: invalid expression for rule LOCAL_XPS: "Subject
> =~ /Free\ DELL\ XPS/i": syntax error
>
> Here is the full rule:
>
> meta LOCAL_XPSSubject =~ /F
On Thu, June 18, 2009 23:53, fchan wrote:
> http://pastebin.ca/1465411
make a meta rule for line 24 25 35
solved
i would like to hold your credit card for a moment, and you would like to
download phishing report in an exe file ? :)
--
xpoint
At 03:01 PM 6/18/2009, you wrote:
Hi. I'm relatively new to spamassassin and perl scripting, and I
must already be doing a few things wrong that I hoped the list could
help me to solve. I'm receiving the following output when running
"spamassassin -D < spam-test.txt 2>&1|less"
[32692] warn: N
On 6/18/2009 11:53 PM, fchan wrote:
I was doing some reading some spam mail to feed sa-learn and found this
message with this interesting phished domain name. At least they told me
who they were:
http://pastebin.ca/1465411
URI pointed to malware
site has been suspended
a toast to W3-Server
Hi. I'm relatively new to spamassassin and perl scripting, and I must
already be doing a few things wrong that I hoped the list could help me to
solve. I'm receiving the following output when running "spamassassin -D <
spam-test.txt 2>&1|less"
[32692] warn: Number found where operator expected at
On Thu, June 18, 2009 23:33, Jeff Drury wrote:
> No errors... The only error I ever received had to do with rewriting the
> subject which was unimportant to me so I commented it out, other than that
> no errors
stop sending me mail in private for things you ask public about
still like to see the
>>
>> SA is working for the most part beyond expectations, the only problem I'm
>> having is filtering spoofed email address (i.e. valid_u...@ourdomain.com). I
>> am able to filter out non-valid user addresses (i.e. spam...@ourdomain.com).
>> I run SA-Update daily, have piped well over
No errors... The only error I ever received had to do with rewriting the
subject which was unimportant to me so I commented it out, other than that
no errors
On 6/18/09 2:00 PM, "Benny Pedersen" wrote:
>
> On Thu, June 18, 2009 22:33, Jeff Drury wrote:
>> > They don't appear to be scored at al
On Thu, June 18, 2009 22:33, Jeff Drury wrote:
> They don't appear to be scored at all (see attached header)
test:
spamassassin 2>&1 -D --lint
any errors here ?
spamassassin 2>&1 -D -t msgtotest | less
press s in the less output and post on pastebin
i believe you miss envelope_sender_header i
They don't appear to be scored at all (see attached header)
Return-Path:
Received: from murder ([unix socket])
by impactps.com (Cyrus v2.3.8-OS X Server 10.5:9C31) with LMTPA;
Thu, 18 Jun 2009 12:28:22 -0700
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
Benny Pedersen wrote:
On Thu, June 18, 2009 20:36, Rick Macdougall wrote:
I'd recommend upgrading to the latest version (3.2.5) and running and
sa-update to get the latest rules.
how will this help on spoofed mail problem ?
The improved rules should help catch them.
Rick
On Thu, 18 Jun 2009, Jeff Drury wrote:
SA is working for the most part beyond expectations, the only problem
I'm having is filtering spoofed email address (i.e.
valid_u...@ourdomain.com). I am able to filter out non-valid user
addresses (i.e. spam...@ourdomain.com). I run SA-Update daily, have
On Thu, June 18, 2009 20:36, Rick Macdougall wrote:
> I'd recommend upgrading to the latest version (3.2.5) and running and
> sa-update to get the latest rules.
how will this help on spoofed mail problem ?
--
xpoint
On Thu, 18 Jun 2009, Michael Scheidell wrote:
What are you seeing? more main-sleaze spam, directly targeting your
company/vertical market or clients? or aren't you seeing much of this?
We aren't overwhelmed with it, but now that you mention it, I've been
seeing a slow steady trickle of (techn
Jeff Drury wrote:
SA is working for the most part beyond expectations, the only problem
I’m having is filtering spoofed email address (i.e.
valid_u...@ourdomain.com). I am able to filter out non-valid user
addresses (i.e. spam...@ourdomain.com). I run SA-Update daily, have
piped well over 500
On Thu, June 18, 2009 20:26, Jeff Drury wrote:
> sa-learn, yet they still come through. I know this is a generic outline of
> the problem, but it's a start, if you need more info I can send it.
http://old.openspf.org/wizard.html?mydomain=impactps.com&submit=Go!
next do a spf test in mta level,
SA is working for the most part beyond expectations, the only problem I'm
having is filtering spoofed email address (i.e. valid_u...@ourdomain.com). I
am able to filter out non-valid user addresses (i.e. spam...@ourdomain.com).
I run SA-Update daily, have piped well over 500 of these messages throu
Anthony Peacock wrote:
[..]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[62.57.252.74 listed in zen.spamhaus.org]
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
2.0 RCVD_IN_JANET_DUL RBL: Relay in JANET MAPS RB
main sleaze, as in spam from larger, established, 'legit' companies. I
am seeing a 20% increase in spam that doesn't trigger any of the zombie,
forged, gappy or dialup list rules. Neither are they triggering SARES
or SOUGHT rules.
Looks like with the global downturn, many companies are turni
On Wed, 17 Jun 2009, omehegan wrote:
Please trim irrelevant content when you reply, thanks.
I have site-wide bayes, and yeah its rules are owned by the same user
that SA is running as.
That's not what I asked - are you _training_ as that user? That's often
the problem when bayes isn't behavi
> Bowie Bailey wrote:
>
> > I couldn't find any place on junkmailfilter website to report this, so
> > I'll put it here.
> >
> > I received a 419 scam email with this whitelist hit:
> >
> > * -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
> > * [213.4.129.18 listed in hostkarma.junkema
Mike Cardwell wrote:
Bowie Bailey wrote:
I couldn't find any place on junkmailfilter website to report this, so
I'll put it here.
I received a 419 scam email with this whitelist hit:
* -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
* [213.4.129.18 listed in hostkarma.junkemailfilt
On Thu, Jun 18, 2009 at 7:26 AM, Michael Monnerie wrote:
> On Wednesday 17 June 2009 Theo Van Dinter wrote:
>> Yes, it matters (one path is tried then the other has to be tried, as
>> opposed to having a single path)
>
> So which is better performance wise? I guess [sz]? but I'm not sure now.
[sz]
Bowie Bailey wrote:
I couldn't find any place on junkmailfilter website to report this, so
I'll put it here.
I received a 419 scam email with this whitelist hit:
* -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
* [213.4.129.18 listed in hostkarma.junkemailfilter.com]
I found that u
Paweł Tęcza wrote:
> Steve Freegard wrote:
>> Paweł Tęcza wrote:
>>> Also a lot of spams I received have good reverse IP address. We use
>>> greylisting for our mail system, but we still receive that spam.
>>>
>>> Maybe that IP address above has been noted on popular RBL lists, but the
>>> spammers
Hi,
My results below...
omehegan wrote:
Here are two more of a type that have been getting through CONSTANTLY.
They're always almost exactly the same, and I keep training them into my
bayes DB but it's not hitting on them :(
http://www.nerdnetworks.org/spam/spam7
Content analysis de