Hi,
I've got an issue whereby spam messages seem to be somehow bypassing SA and
getting into my inbox. I call SA via procmail as per
https://wiki.apache.org/spamassassin/UsedViaProcmail
The exact procmail file that calls SA is as follows:
#
#Standard SA call to be included from .procmailrc fil
> On 03 Sep 2014, at 02:05 , Matus UHLAR - fantomas wrote:
>
>> On Sat, 30 Aug 2014 08:23:02 -0600
>> LuKreme wrote:
>>
>>> if test -d "$J_PATH"; then
>>>MYFIND=`find $J_PATH/ -type f -mtime -7|grep -v dovecot`
>
> On 30.08.14 22:32, RW wrote:
>> mtime may not be the best choice. Ideally
Hi,
> > However, spam with scores greater than 9.0 aren't being autolearned:
>
>
http://spamassassin.apache.org/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html
>
>
> > Sep 2 21:01:51 mail01 amavis[25938]: (25938-10)
> > header_edits_for_quar: ->
> > , Yes, score=16.519 tag=-200 tag2=5 kill=
On Wed, 2014-09-03 at 17:18 -0400, Kevin A. McGrail wrote:
> On 9/3/2014 5:14 PM, Karsten Bräckelmann wrote:
> > > > The specified criteria are trivial, and can be easily translated into
> > > > rules. [...]
> > header __PHIL_TO To:addr =~ /phil\@example.com/i
> > header __PHIL_SUBJ Subject =~
On Wed, 03 Sep 2014 16:49:48 -0400
"Kevin A. McGrail" wrote:
> One is CanIt by Roaring Penguin
> (http://www.roaringpenguin.com/products/canit-pro)
Much as I'd love to get customers on our hosted anti-spam service,
you should go with KAM's service if you want to benefit SpamAssassin most.
KAM i
On Wed, 3 Sep 2014, Amir Caspi wrote:
On Sep 3, 2014, at 2:01 PM, John Hardin wrote:
Did that hit any of the existing phish rules? They may need some attention...
Similar phishing just received, spample here:
http://pastebin.com/UEmb035j
It did not hit any phishing rules.
The existing p
On Sep 3, 2014, at 2:01 PM, John Hardin wrote:
> Did that hit any of the existing phish rules? They may need some attention...
Similar phishing just received, spample here:
http://pastebin.com/UEmb035j
It did not hit any phishing rules. In fact, because it was only BAYES_50, it
actually got
On Wed, 2014-09-03 at 23:36 +0200, Axb wrote:
> On 09/03/2014 11:17 PM, Jesse Norell wrote:
> > Hello,
> >
> >Looking at recent botnet spam, comparing messages from one day to the
> > next, I see new URL's being advertised that resolve to the same IP
> > address as ones in the past. Eg. some a
On 09/03/2014 11:17 PM, Jesse Norell wrote:
Hello,
Looking at recent botnet spam, comparing messages from one day to the
next, I see new URL's being advertised that resolve to the same IP
address as ones in the past. Eg. some at http://pastie.org/9525224
The first of those was already on UR
On 9/3/2014 5:14 PM, Karsten Bräckelmann wrote:
The specified criteria are trivial, and can be easily translated into
rules. Reading the SA conf docs and maybe some of the rule-writing wiki
docs should enable the reader to do exactly that. (Hint: meta rules)
Oh well, here goes. Untested.
header
Hello,
Looking at recent botnet spam, comparing messages from one day to the
next, I see new URL's being advertised that resolve to the same IP
address as ones in the past. Eg. some at http://pastie.org/9525224
The first of those was already on URIBL/RBL lists when it hit, but the
others were
On Wed, 2014-09-03 at 12:30 +0200, Luciano Rinetti wrote:
> Thank You for the answer Karsten,
> you are right, Phil doesn't exist (as example.com), but I hide the
> real address for obvious reasons, and it is a "role" email that I want
> to receive only mail with subject "CV" or "Curriculum" an
Hello,
Both today and in the past I've looked at some FP's that scored very
high on AWL. At least today I dug up the old messages that caused AWL
to get out of line, and trained them as ham. AWL's scores still show
the high scores on those (in this case I manually corrected AWL). It
sure seem
On Wed, 3 Sep 2014, Axb wrote:
On 09/03/2014 10:29 PM, Adam Moffett wrote:
I've been thinking it could easily be a full time job to read spam,
write sa rules, test sa rules, etc.
There isn't enough time in my day for that, so I'm pretty much running
SA un-customized. I do have bayes, whic
On 9/3/2014 4:29 PM, Adam Moffett wrote:
I've been thinking it could easily be a full time job to read spam,
write sa rules, test sa rules, etc.
There isn't enough time in my day for that, so I'm pretty much running
SA un-customized. I do have bayes, which I do train with my own spam
& ham,
On 09/03/2014 10:29 PM, Adam Moffett wrote:
I've been thinking it could easily be a full time job to read spam,
write sa rules, test sa rules, etc.
There isn't enough time in my day for that, so I'm pretty much running
SA un-customized. I do have bayes, which I do train with my own spam &
ham,
Am 03.09.2014 um 22:29 schrieb Adam Moffett:
> I've been thinking it could easily be a full time job to read spam, write sa
> rules, test sa rules, etc.
>
> There isn't enough time in my day for that, so I'm pretty much running SA
> un-customized. I do have bayes, which I
> do train with my o
On 8/28/2014 10:12 AM, Kevin A. McGrail wrote:
On 8/28/2014 10:05 AM, Axb wrote:
On 08/28/2014 03:45 PM, Rejaine Monteiro wrote:
body MYRULE /deputado|presidente/i
body MYRULE /(?:deputado|presidente)/i
Technically, Alex's rule is faster but not technically different.
The ?: tells th
I've been thinking it could easily be a full time job to read spam,
write sa rules, test sa rules, etc.
There isn't enough time in my day for that, so I'm pretty much running
SA un-customized. I do have bayes, which I do train with my own spam &
ham, but I don't have a good population of user
On Wed, 3 Sep 2014, David F. Skoll wrote:
On Wed, 3 Sep 2014 14:19:21 -0500 (CDT)
David B Funk wrote:
Do you understand that the visible body size may be completely
different from the MTA byte-count?
Yes. That message is substantially longer than 100 characters. Here's
the actual visible tex
On Wed, 03 Sep 2014 21:52:39 +0200
Axb wrote:
> oh.. a phish - not the usual hacked WP sites with only one link in
> them and maybe a line or two of trash I was thinking of...
Yes. It seems that hacked WP sites are a general-purpose tool being
used by phishers, malware distributors, weight-loss
On 09/03/2014 09:35 PM, David F. Skoll wrote:
On Wed, 3 Sep 2014 14:19:21 -0500 (CDT)
David B Funk wrote:
Do you understand that the visible body size may be completely
different from the MTA byte-count?
Yes. That message is substantially longer than 100 characters. Here's
the actual visible
On Wed, 3 Sep 2014 14:19:21 -0500 (CDT)
David B Funk wrote:
> Do you understand that the visible body size may be completely
> different from the MTA byte-count?
Yes. That message is substantially longer than 100 characters. Here's
the actual visible text with HTML stripped out:
On 09/03/2014 08:33 PM, David F. Skoll wrote:
On Wed, 03 Sep 2014 20:26:21 +0200
Axb wrote:
>try adding this to the meta (req SA 3.4)
Gah, I'm still running 3.3. I'm assuming that
check_body_length('100') fires on a message that is less than 100
characters. However, I'm seeing other types o
On Wed, 3 Sep 2014, David F. Skoll wrote:
On Wed, 03 Sep 2014 20:26:21 +0200
Axb wrote:
try adding this to the meta (req SA 3.4)
Gah, I'm still running 3.3. I'm assuming that
check_body_length('100') fires on a message that is less than 100
characters. However, I'm seeing other types of s
On Wed, 3 Sep 2014, Spectrum CS wrote:
Would you be able to share your regexp? I'm struggling to update my regexp to
catch the .php :)
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?r1=1622275&r2=1622307&diff_format=h
--
John Hardin KA7OHZ
On Wed, 03 Sep 2014 20:26:21 +0200
Axb wrote:
> try adding this to the meta (req SA 3.4)
Gah, I'm still running 3.3. I'm assuming that
check_body_length('100') fires on a message that is less than 100
characters. However, I'm seeing other types of spam hitting the rule
that are much larger. M
On 09/03/2014 08:09 PM, David F. Skoll wrote:
On Wed, 3 Sep 2014 18:02:31 +
"Spectrum CS" wrote:
Would you be able to share your regexp? I'm struggling to update my
regexp to catch the .php :)
Ah, this is what I have. (I've changed the rule names, but that shouldn't
matter.)
uri
Thanks.
royalmail-service.co.uk is now hitting URIBL_BLACK too :)
Regards
Steve
Original Message
Subject: Re: Re-2: Hacked Wordpress sites & Cryptolocker (03-Sep-2014 19:10)
From:David F. Skoll
To: spamassassin-li...@spectrumcs.net
> On Wed, 3 Sep 2014 18:02:31 +0
Am 03.09.2014 um 19:16 schrieb Ted Mittelstaedt:
>
>
> On 9/2/2014 1:52 PM, Reindl Harald wrote:
>>
>> Am 02.09.2014 um 22:32 schrieb Ted Mittelstaedt:
>>> On 9/2/2014 4:59 AM, Reindl Harald wrote:
> just get a proper MTA, enable debug logging
> and watch the commands / responses betwee
On Wed, 3 Sep 2014 18:02:31 +
"Spectrum CS" wrote:
> Would you be able to share your regexp? I'm struggling to update my
> regexp to catch the .php :)
Ah, this is what I have. (I've changed the rule names, but that shouldn't
matter.)
uri __RP_D_00069_1 /\/wp-content\/(?:plugins|them
Would you be able to share your regexp? I'm struggling to update my regexp to
catch the .php :)
Thanks
Original Message
Subject: Re: Hacked Wordpress sites & Cryptolocker (03-Sep-2014 18:59)
From:David F. Skoll
To: spamassassin-li...@spectrumcs.net
> On Wed, 3 Sep
On Wed, 3 Sep 2014 10:49:50 -0700 (PDT)
John Hardin wrote:
> On Wed, 3 Sep 2014, David F. Skoll wrote:
> > I think the FPs can be almost eliminated if we additionally insist
> > the URL contain ".php" somewhere after the /wp-*/ component.
> Right. That's what I'm adding to the versions I'm putt
On Wed, 3 Sep 2014, David F. Skoll wrote:
On Wed, 03 Sep 2014 19:36:00 +0200
Axb wrote:
I've seen a rather large number of legit msgs including links to
images in /wp-content/
I tested the rule. Lots of false-positives.
I think the FPs can be almost eliminated if we additionally insist th
On Wed, 3 Sep 2014, Spectrum CS wrote:
I thought I'd share this in case it's helpful to anybody else. Today a
series of emails passed through our spamassassin filter cleanly which had
URLs to Wordpress sites like the following...
hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=74169
Fair point.
Can you confirm if uri tests operate on ? I was of the
impression it only operated on but looking at
wiki.apache.org/spamassassin/WritingRules it's not absolutely clear?
Regards
Steve
Original Message
Subject: Re: Hacked Wordpress sites & Cryptolocker (03-Sep-2
On Wed, 03 Sep 2014 19:36:00 +0200
Axb wrote:
> I've seen a rather large number of legit msgs including links to
> images in /wp-content/
I tested the rule. Lots of false-positives.
I think the FPs can be almost eliminated if we additionally insist the
URL contain ".php" somewhere after the /w
On 09/03/2014 07:28 PM, Spectrum CS wrote:
I appreciate that the score 5 is high but as a Wordpress user I've
never needed to use URLs which contain wp-content or wp-includes as
they are used by the internal mechanisms of the framework so I feel
confident of not getting any false positives.
I'
While I appreciate the support, Noel, I'm not in favor of banning
people from mailing lists for using what they think are insulting terms.
Truth is that Harry's insults are really kind of cute, like the 6 year
old all decked out in a Jedi lightsaber doing battle with Darth Vader.
My 16 year o
Hi All,
I thought I'd share this in case it's helpful to anybody else. Today a series of
emails passed through our spamassassin filter cleanly which had URLs to
Wordpress sites like the following...
hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561
hXXp://vertaser.ru/wp-incl
On 9/2/2014 1:52 PM, Reindl Harald wrote:
Am 02.09.2014 um 22:32 schrieb Ted Mittelstaedt:
On 9/2/2014 4:59 AM, Reindl Harald wrote:
just get a proper MTA, enable debug logging
and watch the commands / responses between
client and server due a message transmission
and to make it clear for
Thank You for the answer Karsten,
you are right, Phil doesn't exist (as example.com), but I hide
the real address for obvious reasons,
and it is a "role" email that I want to receive only mail with
subject "CV" or "Curriculum" and
all t
Am 03.09.2014 um 09:13 schrieb Noel Butler:
> Doesn't take you long does it Harry, you've been on this list a
> month and already you're abusing and putting ppl down, calling
> child, telling to STFU, and some other tripe you levelled at Ted.
>
> Karsten already warned you once, I suggest you re
On Sun, 31 Aug 2014, Eric Shubert wrote:
I've seen an uptick of spam lately with random low contrast (hidden)
text. This appears to be lowering bayes probabilities.
On 08/31/2014 10:26 PM, John Hardin wrote:
Learn them as spam. That will tend to eliminate that effect.
On 31.08.14 22:54, Eri
Am 31.08.2014 um 12:20 schrieb Axb:
Are you using RAZOR & PYZOR?
On 08/31/2014 11:58 AM, Reindl Harald wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1127650
"perl-Razor-Agent - Only used for the not enabled by default Razor plugin"
so i guess no
ok, so start using them - install packa
On Sat, 30 Aug 2014 08:23:02 -0600
LuKreme wrote:
if test -d "$J_PATH"; then
MYFIND=`find $J_PATH/ -type f -mtime -7|grep -v dovecot`
On 30.08.14 22:32, RW wrote:
mtime may not be the best choice. Ideally what you want is the time
since the spam was moved to Junk, rather than the ti
Doesn't take you long does it Harry, you've been on this list a month and
already you're abusing and putting ppl down, calling child, telling to
STFU, and some other tripe you levelled at Ted.
Karsten already warned you once, I suggest you remember that.
On 03/09/2014 06:52, Reindl Harald wrote:
47 matches