seen idn spamming urls here that is not tested in uridnsbl, have
spamassassin 3.4.0 not idn support yet ?
is it just missing tld defines for idn domains ?
should it be filled a bug ?
David F. Skoll skrev den 2013-08-08 23:33:
meta MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
score MY_SPF_FAIL 5.0
describe MY_SPF_FAIL SPF failure on a sensitive domain
This is all completely untested, you understand. ;)
make meta on !SPF_PASS is same as all versions of SPF_FAIL
Quanah Gibson-Mount skrev den 2013-08-08 23:22:
I would love to see your rules here so I can see how you did it. I
don't see if/and in the SA docs on rules.
body __BODY_FACEBOOK /Facebook/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGE
David F. Skoll skrev den 2013-08-08 23:14:
+1 to John's comments about domain-specific SPF scores. For certain
domains,
an SPF fail is a strong indicator of spam or phishing. These are the
domains I score strongly for SPF fail:
yes spf pass does not default get -100 :
maybe change it f
RW skrev den 2013-08-09 00:01:
dkim is generally the better way to go since legitimate emails can
fail
SPF due to forwarding.
and dkim never fails on forwards ?, well it does if forwards mangle
bódy and removes or changes headers in a way that dkim breaks, i have
seen it since i begin using
--On August 8, 2013 11:01:43 PM +0100 RW wrote:
Facebook dkim signs all their emails with the domain
facebookmail.com, so you may have better luck using the ADSP rules...
dkim is generally the better way to go since legitimate emails can fail
SPF due to forwarding.
Ok, so I imagine I want
John Hardin skrev den 2013-08-08 22:49:
SPF is _by itself_ not useful as a spam sign.
-1
If you're seeing a lot of facebook spam that fails SPF because it's
being forged, then a rule that checks SPF_FAIL *IF* the mail claims
to
be from Facebook, and adds a point or two, would be more reaso
Quanah Gibson-Mount skrev den 2013-08-08 22:34:
How is .001 in any way considered a "large" penalty?
meta SPF_FAIL (3) (3) (3) (3)
in local.cf fixes it
or use pypolicyd-spf on mta stage
--On August 8, 2013 5:33:26 PM -0400 "David F. Skoll"
wrote:
On Thu, 08 Aug 2013 14:22:53 -0700
Quanah Gibson-Mount wrote:
I would love to see your rules here so I can see how you did it. I
don't see if/and in the SA docs on rules.
Emm... actually, I did it outside of the SA infrastru
Robert A. Ober skrev den 2013-08-08 22:21:
Hello Folks,
who?
First of all, I appreciate the fact that a quality tool like
SpamAssassin has an opensource version. Only costs time. Furthermore,
I appreciate all the hard work the devs put into making it better.
opensource means you can make p
On Thu, 8 Aug 2013 21:31:59 +
Franck Martin wrote:
>
> On Aug 8, 2013, at 10:49 PM, John Hardin wrote:
>
> > On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
> >> How is .001 in any way considered a "large" penalty?
Comments can be useful when they agree with reality, but all too often
they
--On August 8, 2013 5:38:52 PM -0400 dar...@chaosreigns.com wrote:
The explanation for the quote is, quite simply, that it is out of date,
and you should fix it.
I don't have commit access to SA's SVN. ;) I suppose I can file a bug. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Eng
.001 in any way considered a "large" penalty?
As has been said, SPF is kind of a terrible spam indicator:
http://ruleqa.spamassassin.org/?daterev=20130808-r1511618-n&rule=SPF_FAIL
MSECSSPAM% HAM% S/ORANK SCORE NAME WHO/AGE
0 0.1057 1.4410 0.06
On Thu, 08 Aug 2013 14:22:53 -0700
Quanah Gibson-Mount wrote:
> I would love to see your rules here so I can see how you did it. I
> don't see if/and in the SA docs on rules.
Emm... actually, I did it outside of the SA infrastructure.
I imagine you could do something like:
header__MY_SENS
On Aug 8, 2013, at 10:49 PM, John Hardin wrote:
> On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
>
>> For SA 3.4.0, it says in 50_scores.cf:
>>
>> # SPF
>> # Note that the benefit for a valid SPF record is deliberately minimal; it's
>> # likely that more spammers would quickly move to setti
--On August 8, 2013 5:14:12 PM -0400 "David F. Skoll"
wrote:
On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
John Hardin wrote:
SPF is _by itself_ not useful as a spam sign.
Indeed. In my experience, most SPF "softfail" results and a fairly large
fraction of SPF "fail" results are from miscon
On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
John Hardin wrote:
> SPF is _by itself_ not useful as a spam sign.
Indeed. In my experience, most SPF "softfail" results and a fairly large
fraction of SPF "fail" results are from misconfigured domains whose
administrators don't bother making correct SPF
--On August 8, 2013 1:49:18 PM -0700 John Hardin wrote:
How is .001 in any way considered a "large" penalty?
SPF is _by itself_ not useful as a spam sign.
If you're seeing a lot of facebook spam that fails SPF because it's being
forged, then a rule that checks SPF_FAIL *IF* the mail claim
On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
For SA 3.4.0, it says in 50_scores.cf:
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect*
For SA 3.4.0, it says in 50_scores.cf:
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect* record, however, are large.
;)
However, ".001" do
Hello Folks,
First of all, I appreciate the fact that a quality tool like
SpamAssassin has an opensource version. Only costs time. Furthermore, I
appreciate all the hard work the devs put into making it better.
But really, shouldn't the latest version with sa-update run a few days
ago, be
Thomas Harold skrev den 2013-08-08 05:29:
Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
in postfix
It's not just FSL_HELO_BARE_IP_1 and FSL_HELO_BARE_IP_2 that overlap.
There's also
RCVD_NUMERIC_HELO
TVD_RCVD_IP
TVD_RCVD_IP4
On Thu, 08 Aug 2013 10:32:12 +0100
Steve Freegard wrote:
> FSL_HELO_BARE_IP_1 looks at only the last external IP address,
> whereas FSL_HELO_BARE_IP_2 looks at all external received hops.
FSL_HELO_BARE_IP_2 also matches on hostnames like 1.2.3.4.example.com,
which I think is probably a mistake.
On 08/08/13 04:29, Thomas Harold wrote:
Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
Sure - I wro
On 07.08.13 23:29, Thomas Harold wrote:
Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
looks like
26 matches
Mail list logo
