Re: FSL_HELO_BARE_IP_2 & RCVD_NUMERIC_HELO

On Thu, 17 Oct 2013, Stan Hoeppner wrote: Whether Gmane is violating RFC or not isn't my concern. What is my concern is that the way they create these headers is breaking the two rules in the subject line. Apparently a fix is already in place to prevent these two rules from being applied to li

Re: FSL_HELO_BARE_IP_2 & RCVD_NUMERIC_HELO

On 10/17/2013 2:09 PM, Jonas Eckerman wrote: > I answer privately since this really isn't about SpamAssassin any more, and > SpamAssassin isn't about RFC conformance. Oh, but it does directly relate to the above two rules. And I believe this is a healthy discussion. It will educate others as to

Re: Email in Russian not triggering UNWANTED_LANGUAGE_BODY

On Thu, 2013-10-17 at 09:13 -0700, John Hardin wrote: > On Thu, 17 Oct 2013, Mauricio Tavares wrote: > > Reading > > http://www.mail-archive.com/spamassassin-talk@lists.sourceforge.net/msg23962.html > > I was wondering where those .lm files are (vi.lm, en.lm, etc). I could > > not find them in the

Re: Strange URIBL_SBL false positive?

On 10/17/2013 08:27 PM, Stan Hoeppner wrote: On 10/17/2013 10:55 AM, Axb wrote: On 10/17/2013 05:41 PM, Stan Hoeppner wrote: This is what Neil meant by the "deeper dive". Again, the URIBL_SBL test isn't responsible for this behavior. Spamhaus is. Thus you can't create a separate rule to do t

Re: Strange URIBL_SBL false positive?

On 10/17/2013 08:08 PM, Kai Schaetzl wrote: Axb wrote on Thu, 17 Oct 2013 17:05:48 +0200: 15 live SBL listings aren't collateral damage: It doesn't matter if there is more evidence. The scoring via URIBL_SBL would have happened no matter whether the other 14 exist or not. It doesn't get the

Re: Strange URIBL_SBL false positive?

On 10/17/2013 10:55 AM, Axb wrote: > On 10/17/2013 05:41 PM, Stan Hoeppner wrote: >> This is what Neil meant by the "deeper dive". Again, the URIBL_SBL test >> isn't responsible for this behavior. Spamhaus is. Thus you can't >> create a separate rule to do this "deeper diving". Spamhaus is doin

Re: Strange URIBL_SBL false positive?

Axb wrote on Thu, 17 Oct 2013 17:05:48 +0200: > 15 live SBL listings aren't collateral damage: It doesn't matter if there is more evidence. The scoring via URIBL_SBL would have happened no matter whether the other 14 exist or not. > It doesn't get the nameserver, it gets the NS IP What's the d

Re: Email in Russian not triggering UNWANTED_LANGUAGE_BODY

On Thu, 17 Oct 2013, Mauricio Tavares wrote: On Wed, Oct 16, 2013 at 1:44 PM, John Hardin wrote: On Wed, 16 Oct 2013, Mauricio Tavares wrote: ) Email in question is at http://pastie.org/8403863; I put it there so it would not harm anyone with its HTTP-Posting-URI header. In my local.cf

Re: Strange URIBL_SBL false positive?

On 10/17/2013 05:41 PM, Stan Hoeppner wrote: This is what Neil meant by the "deeper dive". Again, the URIBL_SBL test isn't responsible for this behavior. Spamhaus is. Thus you can't create a separate rule to do this "deeper diving". Spamhaus is doing it, automagically, and it will continue to

Re: Strange URIBL_SBL false positive?

On 10/17/2013 9:51 AM, Kai Schaetzl wrote: > Neil Schwartzman wrote on 17 Oct 2013 07:01:00 -0700: > >> incorrect, not false, which implies maliciousness. I believe Spamhaus >> only recently, for some value of recently, started doing NS listings >> with deeper dives that show up on an SBL listing.

Re: FSL_HELO_BARE_IP_2 & RCVD_NUMERIC_HELO

On 10/16/2013 3:01 AM, Jonas Eckerman wrote: >> Operators of newsgroups which mirror/archive mailing >> lists, and allow posting from a web interface, are adding forged >> Received: headers before sending an email to the respective list >> server. > > In what way are they forged? I'm to this list

Re: Strange URIBL_SBL false positive?

On 10/17/2013 04:51 PM, Kai Schaetzl wrote: Neil Schwartzman wrote on 17 Oct 2013 07:01:00 -0700: incorrect, not false, which implies maliciousness. I believe Spamhaus only recently, for some value of recently, started doing NS listings with deeper dives that show up on an SBL listing. They d

Re: Strange URIBL_SBL false positive?

Neil Schwartzman wrote on 17 Oct 2013 07:01:00 -0700: > incorrect, not false, which implies maliciousness. I believe Spamhaus > only recently, for some value of recently, started doing NS listings > with deeper dives that show up on an SBL listing. They didn't list any "NS IP". If you look at the

Re: Strange URIBL_SBL false positive?

FTR: describeURIBL_SBLContains an URL's NS IP listed in the SBL blocklist COMMIT/trunk/rules/25_uribl.cf Committed revision 1533093.

Re: Strange URIBL_SBL false positive?

On 10/17/2013 04:01 PM, Neil Schwartzman wrote: On Oct 17, 2013, at 6:49 AM, Tom Hendrikx wrote: Basicly the description "Contains an URL listed in the SBL blocklist [URIs: example.com]" is false, incorrect, not false, which implies maliciousness. I believe Spamhaus only recently, for som

Re: Strange URIBL_SBL false positive?

On Oct 17, 2013, at 6:49 AM, Tom Hendrikx wrote: > > Basicly the description "Contains an URL listed in the SBL blocklist > [URIs: example.com]" is false, incorrect, not false, which implies maliciousness. I believe Spamhaus only recently, for some value of recently, started doing NS listing

Re: Strange URIBL_SBL false positive?

On 10/17/2013 03:37 PM, Marco wrote: the unreal score this person is using "7.0 URIBL_SBL" means he's screaming for trouble definitely NOT an FP I though SBL could be safe for MTA blocking configurations. If the plugin works as explained I'll restore the score to the default. Many thanks M

Re: Strange URIBL_SBL false positive?

On 10/17/2013 02:08 PM, Axb wrote: > On 10/17/2013 02:00 PM, Tom Hendrikx wrote: >> On 10/17/2013 12:25 PM, Marco wrote: >>> Hello, >>> >>> If I submit this to Spamassassin 3.3.2: >>> >>>Da: <>> href="mailto:ziop...@errebian.it";>ziop...@errebian.it>; >>> Cc: Alice <>> href="mailto:al...@

Re: Strange URIBL_SBL false positive?

the unreal score this person is using "7.0 URIBL_SBL" means he's screaming for trouble definitely NOT an FP I though SBL could be safe for MTA blocking configurations. If the plugin works as explained I'll restore the score to the default. Many thanks Marco

Re: Strange URIBL_SBL false positive?

On 10/17/2013 02:00 PM, Tom Hendrikx wrote: On 10/17/2013 12:25 PM, Marco wrote: Hello, If I submit this to Spamassassin 3.3.2: Da: ziop...@errebian.it>; Cc: Alice al...@errebian.it>, Bob b...@err

Re: Strange URIBL_SBL false positive?

On 10/17/2013 12:25 PM, Marco wrote: > Hello, > > If I submit this to Spamassassin 3.3.2: > > Da: < href="mailto:ziop...@errebian.it";>ziop...@errebian.it>; >Cc: Alice < href="mailto:al...@errebian.it";>al...@errebian.it>, >Bob b...@errebian.it>; > > I see:

Re: Strange URIBL_SBL false positive?

On 10/17/2013 12:25 PM, Marco wrote: Hello, If I submit this to Spamassassin 3.3.2: Da: ziop...@errebian.it>; Cc: Alice al...@errebian.it>, Bob b...@errebian.it>; I see: 7.0 URIBL_SBL

Strange URIBL_SBL false positive?

Hello, If I submit this to Spamassassin 3.3.2: Da: ziop...@errebian.it>; Cc: Alice al...@errebian.it>, Bob b...@errebian.it>; I see: 7.0 URIBL_SBL Contains an URL listed in the SBL blockl