>I'm assuming this means their feed into Zen and XBL has shut down, too?
>If I'm wrong and that feed still exists, (anyone who knows...) please
>reply to this post with that clarification. (would be interesting to know)
The whole thing is kaput. The guy who was running it has a new job,
there was
On Sat, 2 Mar 2013, Ned Slider wrote:
On 02/03/13 01:40, John Hardin wrote:
On Sat, 2 Mar 2013, Ned Slider wrote:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
If the username + domain name
On Sat, 2 Mar 2013, Wolfgang Zeikat wrote:
In an older episode, on 2013-03-02 02:40, John Hardin wrote:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
(@, followed by 5-30 non-@ characters) re
In an older episode, on 2013-03-02 02:40, John Hardin wrote:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7 recipients?
(@, followed by 5-30 non-@ characters) repeated three times.
Does that mean the same sequence
On 02/03/13 01:40, John Hardin wrote:
On Sat, 2 Mar 2013, Ned Slider wrote:
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no
On Sat, 2013-03-02 at 01:11 +, Ned Slider wrote:
> That said, I just checked my example, and __MANY_RECIPS failed to fire.
> Here's the current rule:
>
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?
On Sat, 2 Mar 2013, Ned Slider wrote:
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was hard
On 3/1/2013 5:52 PM, Axb wrote:
> "Please spread the word. NJABL has to be shut down effective
> immediately. I just emptied the dnsbl zone files.
I'm assuming this means their feed into Zen and XBL has shut down, too?
If I'm wrong and that feed still exists, (anyone who knows...) please
reply t
In an older episode, on 2013-03-02 02:19, Benny Pedersen wrote:
Ned Slider skrev den 2013-03-02 02:11:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7 recipients?
as I read it, it fires if there is more than 4 domains
Ned Slider skrev den 2013-03-02 02:11:
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
Can someone explain the regex and why it fails to fire for 7
recipients?
as I read it, it fires if there is more than 4 domains, not only 5
recipients, just a wild guess from me since I am n
On 01/03/13 19:55, Alexandre Boyer wrote:
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was harder to count...
I removed the similar rule a
Axb wrote:
> If you're using SA 3.4 trunk:
> as temporary entry in local.cf
>
> # ONLY FOR SA 3.4 or higher!!
> dns_query_restriction deny njabl.org
Thanks for reminding us of the new feature!
Wrapped up in a conditional, for those wishing to switch between
versions while keeping the same .
On 03/01/2013 11:52 PM, Axb wrote:
As per:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6913
Just got the bad news:
"Please spread the word. NJABL has to be shut down effective
immediately. I just emptied the dnsbl zone files.
My expectation is that the servers will be allowed to r
On 03/02/2013 12:25 AM, Kevin A. McGrail wrote:
On 3/1/2013 6:14 PM, Kevin A. McGrail wrote:
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_PROXY 0
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
And score __RCVD_IN_NJABL 0 just in case...
If you're using SA
On 3/1/2013 6:14 PM, Kevin A. McGrail wrote:
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_PROXY 0
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
And score __RCVD_IN_NJABL 0 just in case...
As per:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6913
Just got the bad news:
"Please spread the word. NJABL has to be shut down effective
immediately. I just emptied the dnsbl zone files.
My expectation is that the servers will be allowed to run for some time
so the shutdown
> Another thing I'd like to do, if possible, is check to see if the "From"
> address matches the "return path" and add to the spam score if they
> do not match.
The inverse rule is already there (just use a meta rule negation of it):
header RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
de
The famous 5 recipients...
I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was harder to count...
I removed the similar rule as your __RP_D_00040 from my systems to avoid
Okay...
Didn't catch that.
Not a bad idea but cannot be a decision making thing. And need a plugin.
I thought about that already but didn't have time to code this. And I
don't remember who on this list brought objections that it would not be
such a good idea.
Plus: SA does not have access to SMTP in
Yes! That's exactly it.
Another thing I'd like to do, if possible, is check to see if the "From"
address matches the "return path" and add to the spam score if they do not
match. I know they won't match completely in some cases, but a way to check if
the same pattern, u...@domain.com exists b
On Fri, 01 Mar 2013 14:39:09 -0500
Alexandre Boyer wrote:
> Pretty the same as what David suggests :-)
My latest attempt is this:
header __RP_D_00040_1 From:addr =~ /yahoo/i
header __RP_D_00040_2 To =~ /(:?@.*?){5}/
body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
meta RP_D
Right: the suggested pattern is working great, but there are some
variants as KAM says.
However I sense that these are not the same bots. The one with the "date
in body" is always the same (the spammer only changed the date format).
I heard about a cross site botnet exploit on Yahoo! and third pa
On 3/1/2013 11:26, Alexandre Boyer wrote:
There is no silly question. Just noobs. FYI: most of the time, I'm a noob.
I do not understand your question: To or Cc headers are recipients. Do
you want to compare the name portion to the address portion?
eg: To: "Alex Boyer"
If Alex matches the loc
Hello,
There is no silly question. Just noobs. FYI: most of the time, I'm a noob.
I do not understand your question: To or Cc headers are recipients. Do
you want to compare the name portion to the address portion?
eg: To: "Alex Boyer"
If Alex matches the local part in the address, then it's OK
On 01/03/13 17:33, David F. Skoll wrote:
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.
Regards,
David.
Here's one from this morning:
http://pastebin.com/cuk595z6
that matches the pattern being discussed.
Hey All,
I'm just starting to dive into advanced custom SA rules, so forgive me if this
is a silly question. Is it possible to construct a rule that looks at the To
and/or CC field and compares it to the recipient? I know this can be dangerous
as legitimate email can be BCCed, but I think bei
On Fri, 2013-03-01 at 12:33 -0500, David F. Skoll wrote:
> Somewhat OT... are people still seeing these Yahoo single-link spams?
> They seem to have stopped abruptly as far as I can tell.
>
I haven't seen one for a few days either, but think it's still a useful
rule because it can't cost a lot to r
On 3/1/2013 12:43 PM, David F. Skoll wrote:
These are the common elements as far as I can see in the text/plain part
of the spam:
1) The URL always matches this regex:
http://\S+/\S+\.\S+\?
In other words, there's always a dot in the URL (not counting the dots
in the domain name itself) an
Hi,
These are the common elements as far as I can see in the text/plain part
of the spam:
1) The URL always matches this regex:
http://\S+/\S+\.\S+\?
In other words, there's always a dot in the URL (not counting the dots
in the domain name itself) and a question mark.
2) The URL is then fol
I saw 3 yesterday, yes. Scored 6.4 but
I use a high threshold so I can view the fringe spam.
On 3/1/2013 12:33 PM, David F. Skoll wrote:
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as
We don't see them as much as we used to, but they still make an appearance
every once in a while.
~ Anthony
- Original Message -
From: "David F. Skoll"
To: users@spamassassin.apache.org
Sent: Friday, March 1, 2013 9:33:55 AM
Subject: Re: Yahoo single link spam
Somewhat OT... are peop
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.
Regards,
David.
On Fri, 2013-03-01 at 15:38 +, Scott Ostrander wrote:
> Would someone put some samples of Yahoo single link spam on PasteBin.
> I am trying to test my rules and I seem to be missing some of the variations.
>
Here's an example: it is the message I developed the following rule
against: http://pa
Would someone put some samples of Yahoo single link spam on PasteBin.
I am trying to test my rules and I seem to be missing some of the variations.
Thanks,
Scott
-Original Message-
From: Marc Perkel [mailto:supp...@junkemailfilter.com]
Sent: Friday, February 22, 2013 12:20 PM
To: users@s
On Thu, 2013-02-28 at 20:34 -0500, Steve Prior wrote:
> I'm really starting to suspect that these spammers are scraping your public
> posts on Facebook and grabbing the names of people that commented on those
> posts, then using a Yahoo account and setting that name on the account before
> send