Re: Filtering zip spam

2010-04-28 Thread ram
On Tue, 2010-04-27 at 11:08 -0400, Alex wrote: > Hi, > > >> Might as well just block all of \.fr at smtp time for that matter :-) > >> Poor France :( > > > > I mostly do... au revoir Le France > > Somewhat off-topic, but in the interest of increasing awareness, India > reportedly ranks f

Re: Filtering zip spam

2010-04-28 Thread Alex
Hi, > Alex, does Bayes understand/check INSIDE zips, at least for file > properties?  If not, then it is inherently limited (just in this I'm not sure if you're asking me rhetorically here. I really don't know. Is it enough that bayes finds the encoded string as the attachment, and matches that a

[Copfilter] Copy of quarantined email - *** SPAM *** [8.9/7.0] Re: How many Froms?

2010-04-28 Thread babedh-d...@biggdog.biz
On Wed, 28 Apr 2010, Frank Heydlauf wrote: > Hi, > > On Wed, Apr 28, 2010 at 08:05:27PM +0100, Martin Gregorie wrote: [snip..] > >> Or could I just use a rule like: > >> > >> header From =~ /\...@.*\@/ > > This regex matches i.e. > > From: u...@example.com > > which is a common "auto expansion" o

[Copfilter] Copy of quarantined email - *** SPAM *** [8.9/7.0] ING Direct mail FPing on TVD_ rules

2010-04-28 Thread babedh-d...@biggdog.biz
I just received a mistagged-ham report from a customer showing two stock rules hit on a legitimate email from ING Direct - total score was 6.4, even with -3.5 from BAYES_00. I've asked if I can pass the message on for analysis. Stock scores: score TVD_PH_SUBJ_ACCOUNTS_POST 2.602 2.607 2.497 3.

Re: new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread Yet Another Ninja
On 2010-04-28 20:01, Chip M. wrote: I haven't seen any since the first blast, so I suspect their signatures were widely distributed by most anti-virus orgs. I'm mainly publishing this for all of us who like to have backup rules, and are willing to be more general than the sometimes too tightly f

Re: ING Direct mail FPing on TVD_ rules - also TO_EQ_FROM root subrules

2010-04-28 Thread Michael Scheidell
On 4/28/10 4:47 PM, Kris Deugau wrote: Michael Scheidell wrote: On 4/28/10 3:13 PM, Kris Deugau wrote: 0.0 TO_EQ_FM_HTML_ONLY To == From and HTML only 0.0 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX 1.7 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX so. it's als

Re: ING Direct mail FPing on TVD_ rules - also TO_EQ_FROM root subrules

2010-04-28 Thread Kris Deugau
Michael Scheidell wrote: On 4/28/10 3:13 PM, Kris Deugau wrote: 0.0 TO_EQ_FM_HTML_ONLY To == From and HTML only 0.0 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX 1.7 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX so. it's also obviously bulk email. I don't know how

Re: How many Froms?

2010-04-28 Thread Bowie Bailey
David B Funk wrote: > On Wed, 28 Apr 2010, Frank Heydlauf wrote: > > >> Hi, >> >> On Wed, Apr 28, 2010 at 08:05:27PM +0100, Martin Gregorie wrote: >> > [snip..] > Or could I just use a rule like: header From =~ /\...@.*\@/ >> This regex matches i.e. >> >> Fro

Re: [sa] Re: How many Froms?

2010-04-28 Thread Charles Gregory
On Wed, 28 Apr 2010, David B Funk wrote: There's an easy fix for that FP, just use the 'From:addr =~ ' variant of the header rule. That ignores the "comment" part of the 'From:' address and only examines the stuff inside the '<>' part. Avoid FP, yes, but also avoid the live header that is trigger

Re: Filtering zip spam

2010-04-28 Thread Chip M.
>I'm seeing an increase in zip attachment spam, and hoped someone >could help me figure out why it isn't being properly tagged. Are >others seeing this? Is BAYES_99 being triggered or is it lower? Alex, does Bayes understand/check INSIDE zips, at least for file properties? If not, then it is inhe

Re: How many Froms?

2010-04-28 Thread David B Funk
On Wed, 28 Apr 2010, Frank Heydlauf wrote: > Hi, > > On Wed, Apr 28, 2010 at 08:05:27PM +0100, Martin Gregorie wrote: [snip..] > >> Or could I just use a rule like: > >> > >> header From =~ /\...@.*\@/ > > This regex matches i.e. > > From: u...@example.com > > which is a common "auto expansion" o

Re: How many Froms?

2010-04-28 Thread Frank Heydlauf
Hi, On Wed, Apr 28, 2010 at 08:05:27PM +0100, Martin Gregorie wrote: > Having said that, I can't remember seeing multiple addresses on a From: > header or a Sender: header. I have plenty of them in my mailfolder - but not formatted in the way you thought about, regarding your cite of RFC822. >On

Re: ING Direct mail FPing on TVD_ rules

2010-04-28 Thread Michael Scheidell
On 4/28/10 3:13 PM, Kris Deugau wrote: 0.0 TO_EQ_FM_HTML_ONLY To == From and HTML only 0.0 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX 1.7 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX so. it's also obviously bulk email. If ING Direct wants to be stupid about the

ING Direct mail FPing on TVD_ rules

2010-04-28 Thread Kris Deugau
I just received a mistagged-ham report from a customer showing two stock rules hit on a legitimate email from ING Direct - total score was 6.4, even with -3.5 from BAYES_00. I've asked if I can pass the message on for analysis. Stock scores: score TVD_PH_SUBJ_ACCOUNTS_POST 2.602 2.607 2.497 3

Re: How many Froms?

2010-04-28 Thread Martin Gregorie
On Wed, 2010-04-28 at 12:41 -0400, Charles Gregory wrote: > Occasionally I see an e-mail with multiple addresses on the 'From:' > header. (not the envelope) > Do these messages also contain a 'Sender:' header? According to RFC 822 they should do so. > Can anyone think of legitimate uses for mul

RE: new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread d . hill
Quoting "Rosenbaum, Larry M." : Please don't send live malware samples to the list. Um... The OP did not send malware to the list. A link was supplied to the original message. You must have a scanner set up to follow links. That isn't a good idea, in my opinion. -Original Message---

Re: new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread Benny Pedersen
On ons 28 apr 2010 20:01:29 CEST, "Chip M." wrote About a month ago, Didier Stevens found a nifty way to exploit PDFs, using their "launch action". when you get more add them here http://www.clamav.net/ -- xpoint http://www.unicom.com/pw/reply-to-harmful.html

RE: new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread Rosenbaum, Larry M.
Please don't send live malware samples to the list. > -Original Message- > From: Chip M. [mailto:sa_c...@iowahoneypot.com] > Sent: Wednesday, April 28, 2010 2:01 PM > To: users@spamassassin.apache.org > Subject: new PDF "Launch" malware exploit (with sample) > > FILE QUARANTINED > > Micr

new PDF "Launch" malware exploit (with sample)

2010-04-28 Thread Chip M.
About a month ago, Didier Stevens found a nifty way to exploit PDFs, using their "launch action". Original article: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ More info: http://www.sophos.com/blogs/sophoslabs/?p=9301 Yesterday morning, several of these showed up in

Problem with pyzor and Spamassassin (in Postfix)

2010-04-28 Thread Sebastian Kösters
Hi, I am using pyzor-0.4.0-11.el5 on CentOS 5 with spamassassin-3.3.1-3. Spamassassin works fine in postfix, but pyzor does not. maillog: [...] Apr 28 15:10:43 mail spamd[19721]: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/vmail/.pyzor check < /tmp/.spamassassin19721QlsZUItmp Apr 28 1

Re: Auto Learn Spam

2010-04-28 Thread Bowie Bailey
Carlos Mennens wrote: > On Wed, Apr 28, 2010 at 12:10 PM, Dennis B. Hopp wrote: > >> Autolearn kicks in at certain scores. I believe the default is 12.0 for >> spam and 0.1 for ham. You can customize those settings in your local.cf >> file. >> >> bayes_auto_learn 1 >> bayes_auto_learn_thresho

Re: Auto Learn Spam

2010-04-28 Thread Dennis B. Hopp
On Wed, 2010-04-28 at 12:38 -0400, Carlos Mennens wrote: > I checked /etc/mail/spamassassin/local.cf just now and found only the > following: > > required_hits 5 > report_safe 0 > rewrite_header Subject [SPAM] > > However I don't know if Amavisd-new is looking at local.cf because I > show para

How many Froms?

2010-04-28 Thread Charles Gregory
Hiyo! Occasionally I see an e-mail with multiple addresses on the 'From:' header. (not the envelope) Can anyone think of legitimate uses for multiple From: addresses? Or could I just use a rule like: header From =~ /\...@.*\@/ - C

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread Benny Pedersen
On ons 28 apr 2010 10:55:10 CEST, ram wrote /usr/bin/spamd -V SpamAssassin Server version 3.3.1 running on Perl 5.8.8 with SSL support (IO::Socket::SSL 1.01) with zlib support (Compress::Zlib 1.42) spamassassin 2>&1 -D --lint | less see what gets loaded where -- xpoint http://www.unic

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread Benny Pedersen
On ons 28 apr 2010 10:54:38 CEST, ram wrote both installed from rpm so you really have both installed at once ? -- xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: Auto Learn Spam

2010-04-28 Thread Carlos Mennens
On Wed, Apr 28, 2010 at 12:10 PM, Dennis B. Hopp wrote: > Autolearn kicks in at certain scores.  I believe the default is 12.0 for > spam and 0.1 for ham.  You can customize those settings in your local.cf > file. > > bayes_auto_learn 1 > bayes_auto_learn_threshold_nonspam -3.0 > bayes_auto_learn_

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread Benny Pedersen
On ons 28 apr 2010 08:10:49 CEST, ram wrote after update also still it shows old version why ? make sure it's not installed so possible you have 2 perl versions, 2 spamassassin versions installed only you can see it -- xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: Auto Learn Spam

2010-04-28 Thread Dennis B. Hopp
On Wed, 2010-04-28 at 11:53 -0400, Carlos Mennens wrote: > I noticed when reviewing headers today that there was a section for > 'autolearn=no' and was wondering what exactly does this mean and > wouldn't autolearn be a good thing? I use Amavisd-new which calls out > to SpamAssassin modules but I

Re: Auto Learn Spam

2010-04-28 Thread Michael Scheidell
On 4/28/10 11:53 AM, Carlos Mennens wrote: I noticed when reviewing headers today that there was a section for 'autolearn=no' it's a SPAMASSASSIN thing. (google) it means the score was either not high enough for SA to learn as spam (bayes, and/or AWL) or was not low enough to learn as ham. y

Auto Learn Spam

2010-04-28 Thread Carlos Mennens
I noticed when reviewing headers today that there was a section for 'autolearn=no' and was wondering what exactly does this mean and wouldn't autolearn be a good thing? I use Amavisd-new which calls out to SpamAssassin modules but I don't have the spamd daemon running physically. The Amavisd-new da

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread Bowie Bailey
ram wrote: > /usr/bin/spamd -V > SpamAssassin Server version 3.3.1 > running on Perl 5.8.8 > with SSL support (IO::Socket::SSL 1.01) > with zlib support (Compress::Zlib 1.42) > > > On Wed, Apr 28, 2010 at 12:14 PM, Jari Fredriksson > wrote: > > On 28.4.2010 9:10, ra

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread ram
/usr/bin/spamd -V SpamAssassin Server version 3.3.1 running on Perl 5.8.8 with SSL support (IO::Socket::SSL 1.01) with zlib support (Compress::Zlib 1.42) On Wed, Apr 28, 2010 at 12:14 PM, Jari Fredriksson wrote: > On 28.4.2010 9:10, ram wrote: > > after update also still it shows old ver

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

2010-04-28 Thread ram
both installed from rpm Ram On Wed, Apr 28, 2010 at 12:14 PM, Jari Fredriksson wrote: > On 28.4.2010 9:10, ram wrote: > > after update also still it shows old version why ? > > > > X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00, > > DATE_IN_PAST_03_06,HTML_MESSAGE,HTML_MIME_NO_H

Re: Spamassassin rewriting headers of messages that are not marked Spam

2010-04-28 Thread Arthur Dent
On Tue, 2010-04-27 at 23:53 -0700, Sitapati wrote: > Thanks for your reply Alex! > > > Alex-325 wrote: > > > > Hi, > > > >> My spamassassin installation suddenly (since March) starting rewriting > >> the > >> headers of messages that are not spam. > > > > March isn't so suddenly. Why is it a p