Re: SA 3.3.1 bug or mistake in my custom rules?

2011-10-12 Thread Lawrence @ Rogers
On 13/10/2011 1:45 AM, Karsten Bräckelmann wrote: On Wed, 2011-10-12 at 23:32 -0230, Lawrence @ Rogers wrote: Starting today, I've noticed that 3 of my rules fire in situations where they should not. They are simple meta rules that count how many rules, against certain URIBL rules, fire. They the

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread Noel Butler
I dunno Joanne, by your reply, seems like the listing is valid to me. On Wed, 2011-10-12 at 21:44 -0700, jdow wrote: > On 2011/10/12 16:35, Noel Butler wrote: > > On Wed, 2011-10-12 at 12:49 -0700, jdow wrote: > >> The idiots who run that one have put the Earthlink smtp servers into their > >> l

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread jdow
On 2011/10/12 16:53, Benny Pedersen wrote: On Wed, 12 Oct 2011 12:49:12 -0700, jdow wrote: The idiots who run that one have put the Earthlink smtp servers into their list. So I am opting out of it. I don't want ALL my received mail marked as spam. Damn fools. {+_+} what is stopping you from

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread jdow
On 2011/10/12 16:35, Noel Butler wrote: On Wed, 2011-10-12 at 12:49 -0700, jdow wrote: The idiots who run that one have put the Earthlink smtp servers into their list. So I am opting out of it. I don't want ALL my received mail marked as spam. Damn fools. {+_+} What makes them idiots for doi

Re: SA 3.3.1 bug or mistake in my custom rules?

2011-10-12 Thread Karsten Bräckelmann
On Wed, 2011-10-12 at 23:32 -0230, Lawrence @ Rogers wrote: > Starting today, I've noticed that 3 of my rules fire in situations where > they should not. They are simple meta rules that count how many rules, > against certain URIBL rules, fire. They then raise the spam score. > meta LW_URIBL_LO (

Re: antiphishing

2011-10-12 Thread David B Funk
On Wed, 12 Oct 2011, Christian Grunfeld wrote: > > Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon > > how they were done). Modifying bodies -will- mess up sigs. > > I was not specifically talking about dkim signed mails. It is clear > that body rewriting messes up sigs. It is

Re: antiphishing

2011-10-12 Thread John Hardin
On Wed, 12 Oct 2011, Christian Grunfeld wrote: Certainly SA should detect and score such obfuscation, if the FP rate can be kept low. But controlling what the end user sees in the body of the mail is properly the MUA's job. No, MUAs interpret and show html like browsers do and do not mo

Re: antiphishing

2011-10-12 Thread John Hardin
On Wed, 12 Oct 2011, David B Funk wrote: On Wed, 12 Oct 2011, Bowie Bailey wrote: The example I gave was taken from a newsletter where the url was hidden. Almost all email newsletters that I have seen do the same thing. Currently, most of the spam I'm seeing does not attempt to hide the url

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
> Large numbers of spammers use DKIM. We've been under attack for weeks > now by some outfit who is buying up old, "clean" IP subnets and using it > to spew their non-pharma, really "clean looking" spam onto us - no > RBL/SURBL hits for 3-5 *days*, getting scores from 0.5-3.0 - really > tough - not

SA 3.3.1 bug or mistake in my custom rules?

2011-10-12 Thread Lawrence @ Rogers
Hi, I am using SpamAssassin 3.3.1 (cPanel) with latest rule updates. Starting today, I've noticed that 3 of my rules fire in situations where they should not. They are simple meta rules that count how many rules, against certain URIBL rules, fire. They then raise the spam score. They are as f

Re: antiphishing

2011-10-12 Thread Jason Haar
On 13/10/11 14:05, Christian Grunfeld wrote: > > I was not specifically talking about dkim signed mails. It is clear > that body rewriting messes up sigs. It is also clear that phishers don't > use dkim ! > Large numbers of spammers use DKIM. We've been under attack for weeks now by some outfit who i

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
> Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon > how they were done). Modifying bodies -will- mess up sigs. I was not specifically talking about dkim signed mails. It is clear that body rewriting messes up sigs. It is also clear that phishers don't use dkim ! and if they do y

Re: antiphishing

2011-10-12 Thread Adam Katz
On 10/12/2011 11:48 AM, dar...@chaosreigns.com wrote: > Which uses it as part of SPOOFED_URL (the "__" in the other rule is > important), which is described as: > "Has a link whose text is a different URL". But that one hasn't made it > into the default rule set yet. Ah, it hits 1.1% of spam but

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread Benny Pedersen
On Wed, 12 Oct 2011 12:49:12 -0700, jdow wrote: The idiots who run that one have put the Earthlink smtp servers into their list. So I am opting out of it. I don't want ALL my received mail marked as spam. Damn fools. {+_+} what is stopping you from adding their ip to trusted_networks ?

Re: antiphishing

2011-10-12 Thread David B Funk
On Wed, 12 Oct 2011, Bowie Bailey wrote: > The example I gave was taken from a newsletter where the url was > hidden. Almost all email newsletters that I have seen do the same > thing. Currently, most of the spam I'm seeing does not attempt to hide > the url at all. Not too many spam do that bu

Re: antiphishing

2011-10-12 Thread David B Funk
On Wed, 12 Oct 2011, Christian Grunfeld wrote: > > SA is a scoring filter, not a modification filter. Changing SA to rewrite > > message bodies is, I think most if not all will agree, beyond the scope of what > > SA is intended to do, and beyond the scope of what it _should_ do. > > it does modify head

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread Noel Butler
On Wed, 2011-10-12 at 12:49 -0700, jdow wrote: > The idiots who run that one have put the Earthlink smtp servers into their > list. So I am opting out of it. I don't want ALL my received mail marked as > spam. > > Damn fools. > {+_+} What makes them idiots for doing that? There just very well mi

Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread darxus
On 10/12, Greg Troxel wrote: > > dar...@chaosreigns.com writes: > > > To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report > > Abuse" section in the right column. I wrote a spamassassin plugin > > which might make it easier to report spam that matches dnswl rules: > > http:/

Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread Greg Troxel
dar...@chaosreigns.com writes: > To report abuse to dnswl.org, on http://www.dnswl.org/ there is a "Report > Abuse" section in the right column. I wrote a spamassassin plugin > which might make it easier to report spam that matches dnswl rules: > http://www.chaosreigns.com/dnswl/sa_plugin/ It w

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
> SA is a scoring filter, not a modification filter. Changing SA to rewrite > message bodies is, I think most if not all will agree, beyond the scope of what > SA is intended to do, and beyond the scope of what it _should_ do. it does modify headers, subjects... why not bodies ? > Certainly SA should

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
2011/10/12 Bowie Bailey : > Please keep list traffic on the list. sorry but you replied only to me first ! Check it! > On 10/12/2011 3:25 PM, Christian Grunfeld wrote: >> I see all genuine (non-spam) mails for subscriptions, checking and >> activating accounts showing the long and crappy url ! >> An

Re: antiphishing

2011-10-12 Thread Martin Gregorie
On Wed, 2011-10-12 at 15:46 -0400, Bowie Bailey wrote: > Currently, most of the spam I'm seeing does not attempt to hide > the url at all. > +1

Re: antiphishing

2011-10-12 Thread John Hardin
On Wed, 12 Oct 2011, Christian Grunfeld wrote: It certainly seems like it would be very useful. I see there's a __SPOOFED_URL rule, but it's hard to read and doesn't have a description. This is an issue that comes up on this list occasionally. It sounds like a good idea at first, but when yo

Good bye RCVD_IN_HOSTKARMA_BL

2011-10-12 Thread jdow
The idiots who run that one have put the Earthlink smtp servers into their list. So I am opting out of it. I don't want ALL my received mail marked as spam. Damn fools. {+_+}

Re: antiphishing

2011-10-12 Thread Bowie Bailey
Please keep list traffic on the list. On 10/12/2011 3:25 PM, Christian Grunfeld wrote: > I see all genuine (non-spam) mails for subscriptions, checking and > activating accounts showing the long and crappy url ! > And when the url is hidden and text is shown you have 99% phishing chance. > It is tru

Re: antiphishing

2011-10-12 Thread Noel
On 10/12/2011 1:57 PM, Kelson Vibber wrote: > Yeah. There's an awful lot of newsletter, opt-in advertisement, > and even transactional mail traffic that uses URL redirectors for > click-tracking purposes, and far too often they'll put the > destination URL (or a simplified form of it) in as the lin

RE: antiphishing

2011-10-12 Thread Kelson Vibber
> -Original Message- > From: Bowie Bailey [mailto:bowie_bai...@buc.com] > > This is an issue that comes up on this list occasionally. It sounds like a > good > idea at first, but when you start looking into it, you find that there is WAY > too > much legitimate email that does this for t

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
>> It certainly seems like it would be very useful. I see there's a >> __SPOOFED_URL rule, but it's hard to read and doesn't have a description. > > This is an issue that comes up on this list occasionally. It sounds > like a good idea at first, but when you start looking into it, you find > that

Re: antiphishing

2011-10-12 Thread darxus
On 10/12, Christian Grunfeld wrote: > the point is that I don't think it would be a good idea to let SA give > a high score based on an "apparently" mismatch between text and url. SpamAssassin rule QA and optimized score generation infrastructure means we can find out if it's useful before deployi

Re: antiphishing

2011-10-12 Thread Bowie Bailey
On 10/12/2011 2:25 PM, dar...@chaosreigns.com wrote: > On 10/12, Christian Grunfeld wrote: >> Many phishing mails exploit the bad knowledge of the difference >> between real url and link anchor text by simple users. So they show > Does spamassassin really not have a rule to detect this? I just dug

Re: antiphishing

2011-10-12 Thread darxus
On 10/12, Christian Grunfeld wrote: > > It certainly seems like it would be very useful. I see there's a > > __SPOOFED_URL rule, but it's hard to read and doesn't have a description. > > where did you find that rule ? On my server in the file /var/lib/spamassassin/3.004000/updates_spamassassin_o

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
> Rather than tampering with the original mail, surely the solution is to > clearly detect the mail as spam in the first place so it hopefully never > reaches the user. the point is that I don't think it would be a good idea to let SA give a high score based on an "apparently" mismatch between tex

Re: DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread Simon Loewenthal
dar...@chaosreigns.com wrote: On 10/12, Alessio Cecchi wrote: > I have found the problem: Google name server > > >On 10/11, Alessio Cecchi wrote: > >>Received: from [175.145.6.37] (unknown [175.145.6.37]) > > > >$ host 37.6.145.175.list.dnswl.org > >Host 37.6.145.175.list.dnswl.org not found: 3(N

Re: antiphishing

2011-10-12 Thread Christian Grunfeld
> It certainly seems like it would be very useful. I see there's a > __SPOOFED_URL rule, but it's hard to read and doesn't have a description. where did you find that rule ?

Re: antiphishing

2011-10-12 Thread Ned Slider
On 10/12/2011 07:01 PM, Christian Grunfeld wrote: Hi, I have an idea that I want to discuss with users and developers. Many phishing mails exploit the bad knowledge of the difference between real url and link anchor text by simple users. So they show attractive link text that points to hidden, un

Re: antiphishing

2011-10-12 Thread darxus
On 10/12, Christian Grunfeld wrote: > Many phishing mails exploit the bad knowledge of the difference > between real url and link anchor text by simple users. So they show Does spamassassin really not have a rule to detect this? I just dug up a perfect example - trying to look like an email from

Re: antiphishing

2011-10-12 Thread Martin Hepworth
Like mailscanner does then :-) On Wednesday, 12 October 2011, Christian Grunfeld < christian.grunf...@gmail.com> wrote: > Hi, > > I have an idea that I want to discuss with users and developers. > > Many phishing mails exploit the bad knowledge of the difference > between real url and link anchor

antiphishing

2011-10-12 Thread Christian Grunfeld
Hi, I have an idea that I want to discuss with users and developers. Many phishing mails exploit the bad knowledge of the difference between real url and link anchor text by simple users. So they show attractive link text that points to hidden, unrecognized and evil urls. eg: exe files hidden by pho

DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread darxus
On 10/12, Alessio Cecchi wrote: > I have found the problem: Google name server > > >On 10/11, Alessio Cecchi wrote: > >>Received: from [175.145.6.37] (unknown [175.145.6.37]) > > > >$ host 37.6.145.175.list.dnswl.org > >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN) > > > >Should not hit

HTML standards, off topic Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread darxus
This is so off topic, I'm sorry, but the repeated accusations are hard not to respond to. On 10/12, Benny Pedersen wrote: > On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote: > >On 2011/10/11 12:30, Benny Pedersen wrote: > >>On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: > >>>And I

Re: DOS_OE_TO_MX rule and trusted_networks

2011-10-12 Thread Matus UHLAR - fantomas
On Mon, 10 Oct 2011 13:14:21 +0200 (CEST), Tomas Macek wrote: OK, this should be good: trusted_networks 213.0.0.5 213.0.0.10 # primary mx IP and backup mx IP internal_networks 213.0.0.5 # only the IP of primary mx Right? On 10.10.11 16:40, Benny Pedersen wrote: backup is i

Re: DOS_OE_TO_MX rule and trusted_networks

2011-10-12 Thread Matus UHLAR - fantomas
On 10.10.11 13:14, Tomas Macek wrote: OK, this should be good: trusted_networks 213.0.0.5 213.0.0.10 # primary mx IP and backup mx IP internal_networks 213.0.0.5 # only the IP of primary mx Right? No. All the backup MX servers must be in internal_networks too I know,

Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas
On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote: was this changed or you just continue FUDding? On 12.10.11 16:18, Benny Pedersen wrote: From: header is NOT envelope-from header, stop FUDding yourself From: is _NOT_ "mail from:" and since DKIM has nothing with mail from:, I don'

Re: Blacklisting based on SPF

2011-10-12 Thread Benny Pedersen
On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote: was this changed or you just continue FUDding? From: header is NOT envelope-from header, stop FUDding yourself

Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas
On Tue, 11 Oct 2011 17:14:06 +0200, Matus UHLAR - fantomas wrote: (and possibly list of forwarders who do not rewrite mail from) On 11.10.11 21:03, Benny Pedersen wrote: breaks dkim, and installations that use from: as envelope sender header ask for troubles cite from rfc4686: DKIM oper

Re: Increasing score based on membership to commercial whitelist

2011-10-12 Thread Bowie Bailey
On 10/11/2011 5:49 PM, Kris Deugau wrote: > > I contacted LinkedIn support a couple of times about including a "don't > email me" link on their various send-to-a-friend-ish emails; while I'm > still getting these things reported by customers as spam, they do, > finally, have a link on the invit

Re: Mail Rejects high Score

2011-10-12 Thread Bowie Bailey
On 10/12/2011 1:55 AM, Varghese, Daniel wrote: > Hi Bowie, > > Thank you so much for the details. > > Forgot to mention one important point in my previous mail, the rejection happens > only when I use Yahoo mail. If I send the same mail using any other clients > (Hotmail, Google, OL etc) the mail a

Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas
On Tue, 11 Oct 2011 15:49:36 +0200, Matus UHLAR - fantomas wrote: such forwarding will break SPF iff the forwarder does not change the mail from: address, and in such case it FAKES the return path, since it's not the original sender who sent the mail, it's the recipient. On 11.10.11 20:55, Benn

Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread Benny Pedersen
On Wed, 12 Oct 2011 08:15:03 +0200, Alessio Cecchi wrote: [snip] Why Google name server returns an incorrect value? google is free, so they can suck as much as they want to :) dig -4 +trace 10.223.104.2.list.dnswl.org resolved in 154 ms here does it timeout ?, then contact dnswl.org make sure

Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread Benny Pedersen
On Tue, 11 Oct 2011 18:53:40 -0700, jdow wrote: On 2011/10/11 12:30, Benny Pedersen wrote: On Tue, 11 Oct 2011 13:27:04 -0400, dar...@chaosreigns.com wrote: And I have my own IP reputation project that could use your data: http://www.chaosreigns.com/iprep/ shame on microsoft not letting me have