On Tue, 18 Oct 2011 21:55:11 -0400, David F. Skoll wrote:
X-CanIt-Geo: No geolocation information available for 192.168.10.23
bill me for that one :-)
My original measurements and script are here:
http://article.gmane.org/gmane.mail.spam.spamassassin.general/132047/match=cache
bind can use
On Tue, 2011-10-18 at 21:55 -0400, David F. Skoll wrote:
> On Wed, 19 Oct 2011 03:12:34 +0200, Karsten Bräckelmann wrote:
>
> > > That's true, though caching is much less effective than you may
> > > suppose. In real-life measurements on real mail servers, I found a
> > > very low cache hit rate
On Wed, 19 Oct 2011 03:12:34 +0200
Karsten Bräckelmann wrote:
> > That's true, though caching is much less effective than you may
> > suppose. In real-life measurements on real mail servers, I found a
> > very low cache hit rate for common DNS{B,W}Ls, on the order of only
> > 25-50% hits.
> As
On Tue, 2011-10-18 at 20:24 -0400, David F. Skoll wrote:
> On Tue, 18 Oct 2011 23:55:41 +0200, Karsten Bräckelmann wrote:
>
> > The DNS TTL appears to be 12 hours, and a good share of mail
> > (definitely true for ham, only partly for spam) is received from a
> > rather limited number of distinct
On Tue, 18 Oct 2011 13:07:21 -0700 (PDT)
Mynabbler wrote:
>
>
> RW-15 wrote:
> >
> > It would hit:
> > Re: Did you pick-up the dry-cleaning?
> >
> Nope. Scores just two (one ':' and a '?') and the rule needs three
> different odd characters.
OK the font I'm using makes ~ look very like a -, b
Hi,
I'm having difficulty with figuring out how to tag spam where the body
is only one line with a URL in it. Here is an example:
http://pastebin.com/Y9mX1DRV
>>>
>>> It would be more helpful if you provided several examples. It would be
>>> easy enough to write a rule that ma
On Wed, 2011-10-19 at 01:29 +0200, Karsten Bräckelmann wrote:
> Keep in mind, the actual number of queries isn't relevant unless you're
> at least in the general ball-park of 100,000 messages a day.
>
Indeed: I'm not remotely near that. It was just an idea that I thought
might be useful provided
On Tue, 18 Oct 2011 23:55:41 +0200
Karsten Bräckelmann wrote:
> The DNS TTL appears to be 12 hours, and a good share of mail
> (definitely true for ham, only partly for spam) is received from a
> rather limited number of distinct SMTP servers, only. With a local,
> caching DNS server the number o
On Tue, 18 Oct 2011 17:27:17 -0500, David B Funk wrote:
> Would you black-list google.com
Yes, happily.
On Wed, 2011-10-19 at 01:29 +0200, Karsten Bräckelmann wrote:
> On Tue, 2011-10-18 at 23:52 +0100, Martin Gregorie wrote:
> > On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote:
> > wonder if it would be useful for SA to log the number of BL lookups it
> > does: as it need only involve o
On Tue, 2011-10-18 at 23:52 +0100, Martin Gregorie wrote:
> On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote:
> > [...] there is one DNS lookup per URI and
> > DNSBL -- e.g. SURBL (multiple lists) or URIBL (multiple listings).
>
> OK, so the answer is not straight forward: thanks for
On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote:
> On Tue, 2011-10-18 at 12:51 +0100, Martin Gregorie wrote:
> > I've just been thinking about URIBL lookups, etc and realising that I
> > don't know how many of these an SA configuration does or how to estimate
> > it.
> >
> > Is it co
On Tue, 2011-10-18 at 17:27 -0500, David B Funk wrote:
> So if you black-list those hosts you are generating FPs on any legit mails
> that link to those sites. Would you black-list google.com because
> somebody puts 'phish' forms in a google-docs spread-sheet and then
Absolutely yes, size do
On 10/18/11 6:27 PM, David B Funk wrote:
So if you black-list those hosts you are generating FPs on any legit
mails that link to those sites. Would you black-list google.com
because somebody puts 'phish' forms in a google-docs spread-sheet and
then
sends out spams with that as the payload? (I
On Tue, 18 Oct 2011 17:27:17 -0500 (CDT), David B Funk wrote:
sends out spams with that as the payload? (I see lots of 'phish'
spam with that tactic on a regular basis).
.
if google accept links to any uribl sites then yes i would block
google, if google just have a phish page ok with me, those
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote:
> The DNS TTL appears to be 12 hours, and a good share of mail (definitely
> true for ham, only partly for spam) is received from a rather limited
> number of distinct SMTP servers, only. With a local, caching DNS server
> the number of
On Tue, 18 Oct 2011, Alex wrote:
Hi,
I'm having difficulty with figuring out how to tag spam where the body
is only one line with a URL in it. Here is an example:
http://pastebin.com/Y9mX1DRV
It would be more helpful if you provided several examples. It would be
easy enough to write a rule
On Tue, 2011-10-18 at 23:55 +0200, Karsten Bräckelmann wrote:
> > Basically, free use only allows 100,000 queries per organization per day.
> > If you're handling more than 100,000 emails a day,
>
> That's a theoretical lower bound, and incorrect in real life.
>
> The DNS TTL appears to be 12 hou
On Mon, 2011-10-17 at 18:03 -0400, dar...@chaosreigns.com wrote:
> http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html
> Basically, free use only allows 100,000 queries per organization per day.
> If you're handling more than 100,000 emails a day,
RW-15 wrote:
>
> It would hit:
> Re: Did you pick-up the dry-cleaning?
>
Nope. Scores just two (one ':' and a '?') and the rule needs three different
odd characters.
RW-15 wrote:
>
> I think it needs more work, maybe combine it with tests for lots of
> very short words or adjacent punctuation
On 10/18/11 12:12 PM, "Karsten Bräckelmann" wrote:
> On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote:
>> One of my users submitted a spam for analysis, and I was amazed at the
>> efforts this troglodyte expended to poison bayes.
>> Is it worth the effort to try to find huge html comme
On Tue, 2011-10-18 at 12:51 +0100, Martin Gregorie wrote:
> I've just been thinking about URIBL lookups, etc and realising that I
> don't know how many of these an SA configuration does or how to estimate
> it.
>
> Is it correct to assume that every configured URIBL is sent a single
> lookup requ
On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote:
> One of my users submitted a spam for analysis, and I was amazed at the
> efforts this troglodyte expended to poison bayes.
> Is it worth the effort to try to find huge html comments hiding junk
> like this?
Hmm, wait -- Bayes and HTML com
On 10/17/2011 08:42 PM, Tom wrote:
> I'm using a couple rules I found here that hits when there are 5-9 or
> 10+ recipients:
>
> header __COUNT_RCPTS ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
> tflags __COUNT_RCPTS multiple
>
> meta RCPTS_5_10 (__COUNT_RCPTS >= 5)
> score RCPTS_5_10 1.0
> describe RCPTS_5_
rg/?daterev=20111018-r1185533-n&rule=%2Fspoofed_url
MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME                  WHO/AGE
    0   1.6825   1.0301   0.620   0.55   0.01   T_SPOOFED_URL
    0   1.2441   0.9989   0.555   0.53   0.01   T_SPOOFED_URL_HOST
    0   2.1419   7.9151   0.213
Daniel McDonald wrote:
rawbody OBFU_HTML_LONG_COMMENT /<!--.{1024,}?-->/s
describe OBFU_HTML_LONG_COMMENT contains a ridiculously long html comment
Tried with exactly that limit, 1 kb.
TargetX, which is used by universities in recruiting, uses a long comment
in its generated mail (I did no
On 10/18/2011 8:53 AM, Daniel McDonald wrote:
> One of my users submitted a spam for analysis, and I was amazed at the
> efforts this troglodyte expended to poison bayes.
> Is it worth the effort to try to find huge html comments hiding junk
> like this?
>
> Maybe something like
>
> Rawbody OBFU_HT
On Tue, 18 Oct 2011 01:21:36 -0700 (PDT)
Mynabbler wrote:
>
>
> Adam Katz wrote:
> >
> >> On Mon, 17 Oct 2011, Adam Katz wrote:
> >>> Time for F-U-N
> >>> I like D&D and rock&roll
> >>> /var/spool/mail is full
> >
> ... those examples don't get a hit with the rule I cooked up (since
> it needs
One of my users submitted a spam for analysis, and I was amazed at the
efforts this troglodyte expended to poison bayes.
Is it worth the effort to try to find huge html comments hiding junk like
this?
Maybe something like
rawbody OBFU_HTML_LONG_COMMENT /<!--.{1024,}?-->/s
Describe OBFU_HTML_LONG_
I've just been thinking about URIBL lookups, etc and realising that I
don't know how many of these an SA configuration does or how to estimate
it.
Is it correct to assume that every configured URIBL is sent a single
lookup request for every message that SA scans?
Martin
On 14.10.11 18:07, dar...@chaosreigns.com wrote:
Existing rule:
rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
How about this, to only check for a change
> Date: Mon, 17 Oct 2011 19:10:28 -0400
> From: dar...@chaosreigns.com
> To: users@spamassassin.apache.org
> Subject: Re: Why doesn't anything at all get these botnet spammers?
>
> On 10/15, Jenny Lee wrote:
> > fwoicka odrp jbguybf etvwmbwm
> > i aluawj ggn. http://[redacted].tumblr.com/ poxpza
Adam Katz wrote:
>
>> On Mon, 17 Oct 2011, Adam Katz wrote:
>>> Time for F-U-N
>>> I like D&D and rock&roll
>>> /var/spool/mail is full
>
... those examples don't get a hit with the rule I cooked up (since it needs
three different odd characters), and besides, an MN_PUNCTUATION hits only
scores