URI_TRY_3LD FP on mynews.apple.com

2021-04-02 Thread Adam Katz
Hey, John et al. It's been a while. I hope things are going well. I've found an FP on URI_TRY_3LD from https://mynews.apple.com/subscriptions?… that you could solve by adding a new alternation to the relevant negative lookahead in that regex: -uri URI_TRY_3LD m,^https?://(?:try|start|get(?!.adob

Re: Hints needed for spf rule

2018-10-03 Thread Adam Katz
(Please ignore my last message. My phone hit “send” randomly.) On Sep 28, 2018, at 9:48 AM EDT, bOnK wrote: > A better idea might be testing if SPF for an external domain would pass on > your own server. > This is what milter greylist does. > http://hcpnet.free.fr/milter-greylist/ That’s interest

Re: Hints needed for spf rule

2018-10-03 Thread Adam Katz
On Sep 28, 2018, at 9:48 AM, bOnK wrote: A better idea might be testing if SPF for an external domain would pass on your own server. > > This is what milter greylist does. > http://hcpnet.free.fr/milter-greylist/ > > Though probably exceptional, according to the RFC +all *can be* restrictive... >

Re: Hints needed for spf rule

2018-09-24 Thread Adam Katz
On 2018-09-22 10:33 am, Kevin A. McGrail wrote: > On 9/22/2018 10:29 AM, Matus UHLAR - fantomas wrote: > >> remove those ?'s: /^v=spf1 .*?all/ and /^v=spf1 .*+all/ > > Updated. I was trying to stop a greedy regex if someone was doing a > weird spf but I am overthinking. These SPF records ar

Re: About Petya2 campaign

2017-06-28 Thread Adam Katz
nnaCry ended up being Jaff <http://blog.talosintelligence.com/2017/05/wannacry.html?showComment=1494683710652#c7954588230675341778>. If you have email samples suggesting otherwise, I'd very much like to see them. Adam Katz @adamhotep <https://twitter.com/adamhotep> On 06/27/201

Re: Add "may be forged" minor rule?

2015-09-30 Thread Adam Katz
e playing nice together. If your infrastructure /doesn't/ add this header (this is a sendmail thing iirc), you do not want this type of rule. Even if it does, you have the issue of external mail servers adding this header. That's why the above meta rule excludes mailing lists. -Adam -- Adam Katz @adamhotep <https://twitter.com/adamhotep>

SARE RULEGEN, Re: Rule updates....

2015-01-08 Thread Adam Katz
Ran these against my corpus. Here are the worst performers (lots in common with RW's complaints): *SPAM% HAM% S/O NAME* 0.013 0.153 0.080 __RULEGEN_PHISH_BLR6YY 0.006 0.286 0.022 __RULEGEN_PHISH_0ATBRI 0.008 0.334 0.023 __RULEGEN_PHISH_L3I0Z5 0.002 0.300 0.006 __RULEGEN_PHISH_LG

Re: Emails with extremely long URLs

2014-11-23 Thread Adam Katz
On 11/22/2014 07:16 PM PST, John Hardin wrote: > On Sat, 22 Nov 2014, Igor Chudov wrote: >> I receive spam emails that contain extremely long URLs, about 2,400 >> characters. I wanted to know if spamassassin has a rule that I can >> turn on to flag such URLs. I do not think that I ever receive >> l

Re: Philosophical question on Bayes (was Re: 23_bayes_ignore_header.cf)

2014-10-14 Thread Adam Katz
> On Tue, 14 Oct 2014 16:10:52 +0200 Axb wrote: >> and to avoid further discussions of what header may pollute bayes or >> not, I've removed all header entries which are not directly related >> to AV/filter products. On 10/14/2014 07:17 AM, David F. Skoll wrote: > I'm not sure I agree with being

Re: Help with body rule

2014-05-28 Thread Adam Katz
On 05/28/2014 11:16 AM, Alex wrote (syntax highlighting added): > I'm trying to write a body rule that will catch an email exactly > containing any number of characters up to 15, followed by a URI, > followed by any number of characters, up to 15. My attempt has failed > miserably, and hoped someon

Re: khop channel errors

2014-02-17 Thread Adam Katz
On 02/01/2014 09:04 PM, Glenn Sieb wrote: > Actually, now that I look at it, it appears to be a DNS issue. Hopefully > it will get fixed soon. > I noticed this a while ago, my guess is that the channel's gone. > > Are there any other channels out there at this point? What are people > using nowaday

Re: Spam Pattern

2014-02-14 Thread Adam Katz
On 02/14/2014 11:23 AM, Amir Caspi wrote: > To be clear, that wasn't my sample; I am not the originator of this > thread. Whoops, my bad. My point was clear anyway. > What about this, a variant of what I posted earlier? It requires 10 > matches, but I believe it does the same thing as yours exc

Re: Spam Pattern

2014-02-14 Thread Adam Katz
Ha! I checked my mail before sending this; we're on the same wavelength yet our emails are out of sync. You just suggested the same thing I was leaning on. On 02/14/2014 10:53 AM, John Hardin wrote: > S/O is a little surprising: > > http://ruleqa.spamassassin.org/?daterev=20140213-r1567864-n&rul

Re: Spam Pattern

2014-02-14 Thread Adam Katz
On Feb 14, 2014, at 11:00 AM, Adam Katz <antis...@khopis.com> wrote: >> >> Given the nature of the content, I'd go the other direction and not >> require the word boundary. This removes the wildcard, though it >> doesn't short circuit as quickly,

Re: Spam Pattern

2014-02-14 Thread Adam Katz
On 02/12/2014 01:46 PM, John Hardin wrote: > On Wed, 12 Feb 2014, Axb wrote: >> On 02/12/2014 10:06 PM, John Hardin wrote: >>> Perhaps something like this: >>> >>> body __HEXHASHWORD /\b[0-9a-f]{30,}\s[a-z]{1,10}\b/ >>> tflags __HEXHASHWORD multiple maxhits=5 >>> meta HEXHASH_W

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

2013-10-29 Thread Adam Katz
On 10/28/2013 12:30 PM, John Hardin wrote: > On Mon, 28 Oct 2013, Axb wrote: >> I'll disable this rule. > > Convert it to a subrule, it may be useful in metas. It is useful. I added the domain to freemail_domains (see r1533678 ) to cat

Re: FSL_HELO_BARE_IP_2 & RCVD_NUMERIC_HELO

2013-10-14 Thread Adam Katz
On Sat, 12 Oct 2013, Stan Hoeppner wrote: >> and engage in discussion WRT lowering the score, eliminating the >> overlap with the other bare IP HELO rules, etc? On 10/12/2013 07:28 PM, John Hardin wrote: > It seems that 94% of the ham hits in masscheck are against list mail, > and none of the spam

Re: FSL_HELO_BARE_IP_2 & RCVD_NUMERIC_HELO

2013-10-14 Thread Adam Katz
On 10/12/2013 09:26 AM, Stan Hoeppner wrote: > These two rules are adding 4.0 pts [...] > Content analysis details: (4.8 points, 4.2 required) > pts rule name description > - > 2.8 FSL_HELO_BARE_IP_2 FSL_H

Re: Question about T_KHOP_FOREIGN_CLICK

2013-06-05 Thread Adam Katz
On 05/31/2013 06:51 AM, Bowie Bailey wrote: > > On 5/31/2013 8:30 AM, Matteo Vannucchi - TeamEnterprise wrote: >> Hello, my name is Matteo. >> >> I do not manage a spamassassin installation, but I would like to ask >> this simple question, because I saw it is a rule which is used to >> evaluate spa

[OT] Re: Privacy Concerns and Implementing Corrective Proceedures To Combat Information Harvesting

2012-09-18 Thread Adam Katz
This topic is off topic. I have marked the subject as such. On 09/05/2012 09:40 PM, NMTUser X <...@gmail.com> wrote: > Would it be possible to send mail to myself encrypted in pgp/gpg, > use a token at the beginning of the email with the correct email > address (which is on the local network) hav

Re: Spamhaus and others check at MTA level: how disable in Spamassassin?

2012-08-07 Thread Adam Katz
On 08/07/2012 09:19 AM, Bowie Bailey wrote: > I don't know where I found those settings. I did some testing and > verified that all three methods listed above will prevent the DNS > query from running. > > I distinctly remember reading a while back that just setting the > scores to 0 on the DNS

Re: Spamhaus and others check at MTA level: how disable in Spamassassin?

2012-08-07 Thread Adam Katz
On 08/06/2012 08:01 AM, Bowie Bailey wrote: > Actually, since these are more complex rules, just setting the score to > 0 will not stop the DNS check. This is what I have in my config: > > # Blocking Zen with MTA...don't need these > meta RCVD_IN_SBL (0) > meta RCVD_IN_XBL (0) > meta RCVD_IN_PBL

Re: How do I reenable AWL on spamassassin 3.3 after upgrade from 3.1

2012-08-02 Thread Adam Katz
>> Den 2012-07-26 17:26, Nißl Reinhard skrev: >>> reading the manuals, I've discovered that the AWL plugin isn't >>> loaded anymore in spamassassin 3.3. Therefore I put the >>> following lines into local.cf: > On Fri, 27 Jul 2012 02:57:26 +0200 Benny Pedersen wrote: >> oh no, do not put loadlugin

Re: KB_FAKED_THE_BAT

2012-05-14 Thread Adam Katz
On 05/03/2012 10:02 AM, Mike Grau wrote: > The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting > circumvented here because the meta rule component > > header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t > > is being evaded by spam that now has a space character before the tab: > > # grep D

Re: Regex help (targetting very long HTML comments)

2012-04-06 Thread Adam Katz
On 04/02/2012 09:40 AM, Kris Deugau wrote: > Can anyone point out what bit of stupidity I'm committing in trying > to use this: > > rawbody OVERSIZE_COMMENT m|).{32000,}|s > > to match messages that are mostly very very long HTML comment(s)? > > Testing the same regex against the whole ra

Re: Bayes_ignore

2012-04-06 Thread Adam Katz
On 04/01/2012 06:35 AM, joea wrote: > While exploring Bayes stuff, (wanting to populate appropriately for > my setup), found reference to removing headers that might confuse > Bayes. > > Specifically bayes_ignore_header. > > The example they show is an X header. Seems the ones spamassassin > pu

Re: Some rules I created for suspicious Javascript practices

2012-02-16 Thread Adam Katz
On 02/15/2012 04:43 PM, Thomas Rutter wrote (as neon_overload): > I have created some rules which I have found to be very effective so > far at identifying a certain type of spam that spamassassin > otherwise cannot detect. > I hereby license them under the WTFPL which is GPL and Apache license

Re: update channel list

2012-01-20 Thread Adam Katz
On 01/18/2012 09:25 AM, dar...@chaosreigns.com wrote: > All of those are currently listed by Adam Katz on > http://khopesh.com/wiki/Anti-spam > I expect that list to be up to date. > He's an active spamassassin developer. All of my channels are still relevant, though

Re: French rules

2011-12-08 Thread Adam Katz
On 12/08/2011 03:51 PM, LEVEAU Stanislas wrote: > I am looking for French rules with sa-update? > Does it exist? Most of the body rules in previous versions of SpamAssassin were phased out because the Bayesian filter does a *significantly* better job at that sort of thing. The few that remain tar

Re: Martin Gregorie's portmanteau rule building script

2011-11-30 Thread Adam Katz
On 11/30/2011 03:59 AM, Martin Gregorie wrote: > On Tue, 2011-11-29 at 14:22 -0800, Adam Katz wrote: >> You might want to consider Regexp::Assemble for your tool, though >> that would require using perl. This would cause your man page's >> example rule to res

Martin Gregorie's portmanteau rule building script

2011-11-29 Thread Adam Katz
On 11/25/2011 10:13 AM, Martin Gregorie wrote: > Subject: [Fwd: Re: How long a rule can be?] My main answers to the original thread were posted there (today). I guess I'm too accustomed to orderly threads; coupling my threaded view in thunderbird with the big pile of mail unread since before the h

Re: How long can a rule be?

2011-11-29 Thread Adam Katz
Summary for the impatient: Do not write rules like this. Instead, train Bayes, make sure you're using DNSBLs. On 11/25/2011 09:49 AM, Sergio wrote: > I wrote all the HELO spammers that SA didn't caught ... > header CHARLY_RULE1 ALL =~ /(...)/i > describe CHARLY_RULE1 Charly Spammers > scor

Re: (Non-) Capturing REs

2011-10-25 Thread Adam Katz
On Mon, 2011-10-24 at 13:58 -0700, Adam Katz wrote: >> Using special variables like those you mentioned are particularly >> bad, [...] That's not to say that the extra memory consumption >> from an unnecessary grouping doesn't impact performance. On 10/24/2011 02:45 P

Re: (Non-) Capturing REs

2011-10-24 Thread Adam Katz
On 10/23/2011 06:44 PM, Karsten Bräckelmann wrote: > [...] as I read it, the warning is referring to the usage of the > special $&, $` and $' match capturing variables, resulting in a > substantial performance penalty -- and mentions the non-capturing > extended regex in this *context*, since it

Re: Chickenpoxed subjects

2011-10-20 Thread Adam Katz
On 10/19/2011 04:43 AM, Mynabbler wrote: > You are kidding, right? 50% of this crap comes from FREEMAIL > addresses, and even more specific: 44% of this crap is delivered by > aol.com. The aol deliveries have about 85% unique from@aol > addresses, so they pretty much 'own' aol. We're writing spam

Re: Rule to count freemail recipients?

2011-10-18 Thread Adam Katz
On 10/17/2011 08:42 PM, Tom wrote: > I'm using a couple rules I found here that hits when there are 5-9 or > 10+ recipients: > > header __COUNT_RCPTS ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/ > tflags __COUNT_RCPTS multiple > > meta RCPTS_5_10 (__COUNT_RCPTS >= 5) > score RCPTS_5_10 1.0 > describe RCPTS_5_

Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/17/2011 04:36 PM, John Hardin wrote: > On Mon, 17 Oct 2011, Adam Katz wrote: >> Time for F-U-N >> I like D&D and rock&roll >> /var/spool/mail is full > > It must hit more than a specified number of times. __SUBJ_OBFU_PUNCT > isn't scored, SUBJ_

Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/17/2011 02:29 PM, Adam Katz wrote: > I think this would satisfy the original request: > > header __SUBJ_LACKS_WORDS > Subject !~ /(?!^.{0,15}$)(?:^|\s)[a-z]{3,15}(?:\s|$)/ > > (I have not checked that in, feel free if you like it.) Okay, that needed a little w

Re: Chickenpoxed subjects

2011-10-17 Thread Adam Katz
On 10/15/2011 03:37 PM, John Hardin wrote: > On Thu, 13 Oct 2011, Mynabbler wrote: > >> Typically the chickenpox rules do not get a lot of love abroad, >> since they tend to trip over other languages than English. However, >> does someone have an idea how to use the logic in chickenpox for >> subj

Re: New Bayes like paradigm

2011-10-13 Thread Adam Katz
> On 9/28/2011 8:02 AM, dar...@chaosreigns.com wrote: >> You definitely have a good point that it would only be necessary to >> track the combinations that actually show up in emails, however >> 1024 is only the possible combinations from one set of 10 rules. >> The number of combinations in the ac

Re: antiphishing

2011-10-12 Thread Adam Katz
On 10/12/2011 11:48 AM, dar...@chaosreigns.com wrote: > Which uses it as part of SPOOFED_URL (the "__" in the other rule is > important), which is described as: > "Has a link whose text is a different URL". But that one hasn't made it > into the default rule set yet. Ah, it hits 1.1% of spam but

Re: "Your mailbox has exceeded..."

2011-09-30 Thread Adam Katz
> On 30/09/11 01:41, jida...@jidanni.org wrote: >> Sure a lot of "Your mailbox has exceeded" spam these days. Phish rises this time of year ;-) On 09/30/2011 09:31 AM, Ned Slider wrote: > I've seen a few of these, but probably not enough examples to have > Bayes reliably catch them yet - the firs

Re: Plugin for Spanish Spams?

2011-09-09 Thread Adam Katz
On 09/09/2011 02:16 AM, Alok Kushwaha wrote: >> I am using the 'SpamAssassin Server version 3.3.2' but 'Spanish >> spams' are getting through. Can anyone please suggest/point me the >> rule-set/plug-in for Spanish spams. The short answer is to train bayes; it's far better at this sort of thing t

Re: blacklist based on authoritative nameservers of sender domain

2011-08-22 Thread Adam Katz
On 08/22/2011 04:13 PM, Noah Meyerhans wrote: > I've recently observed a fair amount of spam from domains that all > share the same set of authoritative nameservers. It occurred to me > that it might be nice to be able to blacklist mail from all domains > sharing these nameservers, or maybe to sim

Re: Why does this hit __HAS_ANY_URI

2011-08-22 Thread Adam Katz
On 08/14/2011 02:17 PM, Ned Slider wrote: > Hi all, > > The following email hits __HAS_ANY_URI and I'm not sure why: > > http://pastebin.com/jvFrFhA4 > > When I run the message through SpamAssassin in debug mode I see: > > dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI > dbg: ru

Re: SA-update: failing for khopesh.com rules?

2011-08-08 Thread Adam Katz
On Fri, 05 Aug 2011 10:49:36 -0700, Adam Katz wrote: >> I fixed this yesterday and updates are now fully functional. On 08/05/2011 07:36 PM, Benny Pedersen wrote: > super, i just noticed nopublis in the above file, is this intended ? Short answer: Yes. The GA is too slow to publish th

Re: SA-update: failing for khopesh.com rules?

2011-08-05 Thread Adam Katz
On 07/23/2011 01:05 PM, Benny Pedersen wrote: > On Sat, 23 Jul 2011 00:35:41 -0700 (PDT), Fenris wrote: > > http://khopesh.com/sa/khop-sc-neighbors/2011062101.tar.gz request > failed: 404 Not Found: > >> Sorry Adam, I'm still seeing the same problem this morning, for whatever >> reason it

Re: Heads up: Plesk + SpamAssassin, spam attack doing the rounds

2011-07-27 Thread Adam Katz
On 07/27/2011 10:32 AM, Benny Pedersen wrote: > On Wed, 27 Jul 2011 18:13:25 +0100, Bruno Ferreira - Digitalmente Lda. > wrote: >> Hi, registered just to post this, in hope that it'll be of help for >> some other users. This pertains boxes with Plesk + SpamAssassin. > > http://old.nabble.com/postf

Re: ok, we all get spam.. but.. spam warning us we opted out?

2011-07-27 Thread Adam Katz
> On 7/26/11 8:41 PM, Karsten Bräckelmann wrote: >> Did the message genuinely come from Dell? The named $director >> entity? Or was it an ESP on behalf of Dell? On 07/27/2011 07:13 AM, Michael Scheidell wrote: > noop, dell directly, with a DNSWL_MED credit on the email with the > default rules SA

Re: SA-update: failing for khopesh.com rules?

2011-07-19 Thread Adam Katz
"Fenris" wrote >> Recently (for a few weeks I think) I've been seeing errors from my >> sa-update script, like this: >> >> /etc/cron.daily/sa-update: >> >> http: GET >> http://khopesh.com/sa/khop-sc-neighbors/2011062101.tar.gz request >> failed: 404 Not Found: ... >> channel: could not find wo

Re: FSL_RU_URL Re: whitelist

2011-06-24 Thread Adam Katz
On 06/23/2011 05:48 PM, Noel Butler wrote: > Hrmm sa-update reports no new updates, last touch date was march 25 > > Jun 24 10:21:24.410 [30018] dbg: dns: 1.3.3.updates.spamassassin.org => > 1083704, parsed as 1083704 > Jun 24 10:21:24.410 [30018] dbg: channel: current version is 1083704, > new ve

FSL_RU_URL Re: whitelist

2011-06-23 Thread Adam Katz
On 06/22/2011 05:42 PM, Noel Butler wrote: > Resurrecting an old thread but > Lately I see a lot of false hits on FSL_RU_URL > The only place in the email where .ru is, is in envelope-from , from, > and the received headers, this is supposed to be > from 72_active.cf: uri FSL_RU_URL

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread Adam Katz
On 05/11/2011 01:01 PM, dar...@chaosreigns.com wrote: > http://www.chaosreigns.com/dnswl/dnswlabusehistory.svg Too bad FF doesn't let me zoom on an svg; had to hit F11 to see it. > Percentage of total spam from legitimate email providers in April as > reported as abuse to dnswl.org: > > 35.5% ya

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread Adam Katz
On 05/11/2011 01:19 PM, dar...@chaosreigns.com wrote: > I bet it's largely related to the fact that yahoo is apparently the > only freemail provider that doesn't require you to have a previously > existing email address. I just created a test @live.com (hotmail) account without an existing address

Re: Amazon S3 triggering FPs with SPOOF_COM* rules

2011-04-26 Thread Adam Katz
On 03/24/2011 05:44 PM, Jason Haar wrote: > Apparently when you use sharethis.com (who use S3 for hosting services) > to send out links, the links look like > > hXXp://img.sharethis.com *DOT* s3.amazonaws.com > > I imagine from this that ANY .com domain using Amazon S3 services would > create sim

Re: Regex help

2011-04-22 Thread Adam Katz
Getting back to a viable solution to your actual spam problem... > Adam Katz wrote: >> How about this rule instead: >> >> blacklist_from *@regionstargpsupdates.com On 04/21/2011 04:37 PM, Kevin Miller wrote: > Yes, but then I'm playing whack-a-mole. Looking at t

Re: Regex help

2011-04-22 Thread Adam Katz
On 04/22/2011 07:02 AM, Joseph Brennan wrote: > I'd be cautious with this. > > I have tried scoring for multiple and also for more than ten > closing in a row, but unless you score very low, you'll get > false positives. Unfortunately some legitimate software products > translate their native

Re: Regex help

2011-04-22 Thread Adam Katz
On 04/21/2011 05:22 PM, John Hardin wrote: > On Thu, 21 Apr 2011, Adam Katz wrote: > >> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi > > ...when does \s{0,4} not match the same text as [\s\r\n]{0,4} ? > > (i.e. \r and \n are whitespace, no?) I believe they are

Darxus's LOCAL_8X_TAGS

2011-04-21 Thread Adam Katz
Broken apart from previous thread to prevent confusion. On 04/21/2011 04:18 PM, dar...@chaosreigns.com wrote: > On 04/21, Adam Katz wrote: >> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi > > I wonder if it would be useful to generalize this as: > > rawbody LOCAL_8X_TA

Re: Regex help

2011-04-21 Thread Adam Katz
On 04/21/2011 03:55 PM, Kevin Miller wrote: > Thanks (also to Martin who replied). I posted one of the spams here: > http://pastebin.com/9aBAxR7m > > You can see the long series of break codes in it. Yes I can. I can also see several other diagnostic bits in it, such as the domain: http://www.

Re: Regex help

2011-04-21 Thread Adam Katz
> "egrep '[]{5,}' p3L..." prevents the shell from trying to interpret > your query but still has a bad query, as it looks for five or more > consecutive occurrences of any character listed between the angle > brackets, so "brr" will match up to the slash. Between the square brackets ("[" and "]"),

Re: Regex help

2011-04-21 Thread Adam Katz
Before I help you with your shell and regex issues, I should point out that this is not a very strong rule. It will hit ham. On 04/21/2011 02:54 PM, Kevin Miller wrote: > I'm trying to write a local rule that will scan for 5 or more > instances of "" but not having much luck. I'm testing first

Re: Mailspike Performance

2011-04-14 Thread Adam Katz
On 04/12/2011 01:39 AM, Warren Togami Jr. wrote: > We haven't had working statistics viewing for a few weeks, but now it > is fixed and I'm amazed by the performance of RCVD_IN_MSPIKE_BL. > > http://ruleqa.spamassassin.org/20110409-r1090548-n/T_RCVD_IN_MSPIKE_BL/detail > > > RCVD_IN_MSPIKE_BL ha

Re: SpamCop and false positives from Yahoo

2011-04-08 Thread Adam Katz
>> I'm seeing a lot of false positives from SpamCop blacklisting Yahoo >> mail IP's. >> >> For example: >> http://www.senderbase.org/senderbase_queries/detailip?search_string=98.138.82.0%2F24 >> http://www.senderbase.org/senderbase_queries/detailip?search_string=115.178.12.0%2F24 >> >> Anyone tried

Re: Create a rule to block MAX recipients

2011-04-06 Thread Adam Katz
On 04/06/2011 01:00 PM, John Hardin wrote: > Dang, I thought these were already in my sandbox: > > describe TO_TOO_MANY To: too many recipients > header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/ > > describe TO_WAY_TOO_MANY To: too many recipients > header TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,80

Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Adam Katz
On 03/31/2011 08:59 AM, Michael Scheidell wrote: > all those nice ups.com rules, tests and signatures? > > the EXACT same file that was in a ups.com virus? is now being sent > 'from' dhl.com (come on ups/dhl.. I know SPF is broken, but in this > case it would sure help is decide if the sending ip

Re: Spam

2011-03-30 Thread Adam Katz
On 03/30/2011 01:23 PM, RW wrote: > A lot of these long words are rarely used in the wild - other than > to say how long they are. > > The subjects have two separate characteristics: the length and the > number of lower to upper case transitions. I score them separately > and use: > > header SUB

Re: Spam

2011-03-30 Thread Adam Katz
On 03/29/2011 04:57 PM, Martin Gregorie wrote: > On Wed, 2011-03-30 at 00:58 +0200, mar...@swetech.se wrote: >> recently I've been getting a lot of these mails with subjects like this >> containing a link to some scam/chinese crap factory >> >> i run the latest spamassassin along with amavis but these

Re: Obfuscating advanced fee scams with html attachements?

2011-03-29 Thread Adam Katz
On 03/28/2011 10:41 PM, Ned Slider wrote: >> NSL_RCVD_FROM_USER=1.226, > > Personally I score this rule way up and would have no hesitation > with outright blocking at smtp level - it's as good an indication of > spam as I've ever seen. Scoring at 6pts here and never seen a FP. This is a good ill

Re: fake URL's in mail

2011-03-28 Thread Adam Katz
;ve never understood why they don't use a hash table for those tracking URLs so that they don't get truncated...) >> On 23/03/2011 4:36 PM, Adam Katz wrote: >>> Even with such a mechanism in place, it unduly penalizes the >>> little guys. On 03/25/2011 05:00 AM,

Re: username in from address

2011-03-23 Thread Adam Katz
On 3/22/2011 1:16 PM, Mark Chaney wrote: >>>> Ever notice that a lot of spam seems to have your username in >>>> their from address? Such as an email sent TO b...@domain.com is >>>> FROM blah...@anotherdomain.com (notice 'blah' included in the >

Re: fake URL's in mail

2011-03-23 Thread Adam Katz
On 03/23/2011 11:43 AM, Matus UHLAR - fantomas wrote: >> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote: >>>>> Does anyone successfully use plugin or at least rules that >>>>> catch fake URLs? > On 21.03.11 13:36, Adam Katz wrote: >> __SPOOFED_UR

Re: username in from address

2011-03-22 Thread Adam Katz
> On 3/22/2011 1:16 PM, Mark Chaney wrote: >> Ever notice that a lot of spam seems to have your username in their >> from address? Such as an email sent TO b...@domain.com is FROM >> blah...@anotherdomain.com (notice 'blah' included in the from >> address). This appears to be the case with a large

Re: TAB_IN_FROM from g...@vger.kernel.org

2011-03-22 Thread Adam Katz
On 03/22/2011 12:58 PM, Greg Troxel wrote: > I've been noticing that mail from g...@vger.kernel.org is getting lots > of points, and this seems like a recent change. Specifically, these > rules are hitting on almost all messages: > > * 0.1 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB >

Re: fake URL's in mail

2011-03-21 Thread Adam Katz
On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote: >>> Does anyone successfully use plugin or at least rules that catch >>> fake URLs? > I mean URLs pointing to different address than they appear, like: > > http://webmail.example.com/ No plugin needed. __SPOOFED_URL, a rule already shipping

Re: Regex Rule Help?

2011-03-21 Thread Adam Katz
On 03/21/2011 10:07 AM, Terry Carmen wrote: > I'm trying to match any URL that points to a URL shortener. > > They typically consist of http(s) followed by a domain name, > a slash and a small series of alphanumeric characters, > *without a trailing "/" or file extension*. > > I seem to be having

Re: sa-updates

2011-03-10 Thread Adam Katz
On 03/10/2011 11:49 AM, Jason Bertoch wrote: > On 2011/03/10 2:17 PM, Adam Katz wrote: >> I figure spam capped at 15+ points would be fine, but you'll need >> developer consensus on that. >> > > Wouldn't spam already scored at 15+ be considered a little re

Re: sa-updates

2011-03-10 Thread Adam Katz
On 03/10/2011 07:59 AM, Adam Moffett wrote: > I'd be happy to contribute, but we bounce or outright delete high > scoring spam. > > After Reading these wiki articles: > http://wiki.apache.org/spamassassin/HandClassifiedCorpora > http://wiki.apache.org/spamassassin/CorpusCleaning > I get the impr

Re: The one year anniversary of the Spamhaus DBL brings a new zone

2011-03-08 Thread Adam Katz
On 03/08/2011 01:46 PM, Yet Another Ninja wrote: > I'll never grasp why one would use one of those in mail. Many shortened links allow you to anonymously track click-throughs (clicks-through?), e.g. adding a plus sign to any bit.ly or j.mp URI will bring anybody to the stats (and target) of the li

Describing "AWL"

2011-03-07 Thread Adam Katz
On 03/06/2011 11:33 AM, Karsten Bräckelmann wrote: > On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote: >> I just found an incoming message which is ham but marked as spam. >> It received a score of 14 because it is in the auto white-list. >> Shouldn't it receive a negative score? > > http://wiki.

Re: low score for ($1.5Million)

2011-03-04 Thread Adam Katz
On 03/04/2011 04:11 PM, jdow wrote: > Well, it IS a small number by Nigerian scam standards. So why not > a small score? > > - She ran that way FAST{O,o} Likewise, I also enjoy weekends: http://i.imgur.com/cxX6t.jpg (mildly NSFW, though it's on my cube)

Re: low score for ($1.5Million)

2011-03-03 Thread Adam Katz
On 03/03/2011 04:40 PM, Dennis German wrote: > Can someone comment on the low score assigned to the email located at > > http://www.cccu.us/hundredThousand.txt > > X-Spam-testscores: AWL=1.086,BAYES_00=-2.599,HTML_MESSAGE=0.001, > MILLION_USD=1.528 > > Is my bayes "broken"? Not "broken" so

Re: Should Emails Have An Expiration Date

2011-02-28 Thread Adam Katz
On 02/28/2011 12:53 PM, Gary Smith wrote: >> I think this would be a great idea. Many end users never bother >> to delete old emails and on some, such as sales etc, there is no >> valid reason for them to continue to waste disk and server space. >> >> http://www.zdnet.com/news/should-emails-have

Re: FRT_APPROV, FRT_EXPERIENCE FPs on French text

2011-02-28 Thread Adam Katz
On 02/28/2011 08:24 AM, Kris Deugau wrote: > Mail reported by a customer as falsely tagged showed these rule hits. > I've scored these rules down for now. > > Checking through the message text showed these likely matches: > > FRT_APPROV:approuvé > > FRT_EXPERIENCE:Expérience > > I'm pre

Re: Decisions on how to handle mail from some domains

2011-02-25 Thread Adam Katz
On 02/23/2011 07:17 PM, Alex wrote: > I'm wondering what people's opinion is on domains like > verticalresponse.com and vresp.com, and others, that seem to > distribute mail to anyone who wants to spend the money to buy a list > from them. Constantcontact might be in this same business, but it

Re: Automatically extracted SpamAssassin FAQs

2011-02-23 Thread Adam Katz
(Professor Monperrus is Bcc'd) On 02/22/2011 09:35 PM, Stefan Henß wrote: >> I'm currently doing research for my bachelor thesis on how to >> automatically extract FAQs from unstructured data. Bravo, this is great work. Release your work with an OSI-approved Free Software license (I suggest the A

Re: using spamhaus droplist with sa ?

2011-02-22 Thread Adam Katz
Andreas Schulze began: http://www.spamhaus.org/faq/answers.lasso?section=DROP+FAQ mention as very last point to use the Spamhaus Drop list with SA. Yet Another Ninja continued: >>> "DROP is a tiny subset of the SBL designed for use by firewalls >>> and routing equipment." >>> >>>

Re: Tonns of russian DOT info spam

2011-02-21 Thread Adam Katz
On 02/20/2011 08:22 AM, Michelle Konzack wrote: > You need to train bayes. Those messages all hit BAYES_00 when they should be somewhat consistently hitting BAYES_80 or higher (after you begin training them). If you are not prepared to d

Re: Tonns of russian DOT info spam

2011-02-18 Thread Adam Katz
> Ah, good one. Though unfortunately, and I hate to admit that, both our > rules will never match. The # hash needs to be escaped... *sigh* > > [/:?\#] > > Or just ignore it by leaving it out. It's pretty rare, anyway. Hash (#), like At (@) and sometimes Dollar ($), has an inconsistent behavio

Re: Tonns of russian DOT info spam

2011-02-18 Thread Adam Katz
>> If you really want to do something that bold, at least limit it to the >> debian list (note, that list-id is a guess, check your headers): >> >> header __TD_DEB_LIST List-Id =~ // >> uri __TD_DOT_INFO m'^http://[^/]*\.info[/:?#]'i On 02/18/2011 02:55 PM, Karsten Bräckelmann wrote: > Way bett

Re: Tonns of russian DOT info spam

2011-02-18 Thread Adam Katz
On 02/18/2011 01:46 PM, Michelle Konzack wrote: > Since three weeks the Debian Mailinglist are hit be several 1000 russian > DOTinfo spams and spamassassin score this crap with -4 > > Does someone have a working rule for this crap? > > I tried : > > describe TD_INFO dot info spam > body __

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-14 Thread Adam Katz
On 02/12/2011 05:19 PM, Sahil Tandon wrote: > On Fri, 2011-02-11 at 12:08:35 -0800, Adam Katz wrote: > >> I consider it a mission-critical component to be able to deliver a >> rejection notice at SMTP-time (to avoid backscatter from an emailed >> bounce message). The

Re: channel 70_zmi_german.cf.zmi.sa-update.dostech.net update?

2011-02-11 Thread Adam Katz
On 02/11/2011 06:53 AM, Bowie Bailey wrote: > The khop rules should probably be added to that list. > The only "official" site I could find referencing these rules is > http://khopesh.com/wiki/Anti-spam (under the "sa-update channels" > heading), but this also has some out of date information re

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-11 Thread Adam Katz
On 02/10/2011 03:41 PM, Warren Togami Jr. wrote: > On 2/10/2011 1:29 PM, John Hardin wrote: >> I suppose we ought to compose a boilerplate response for the >> inevitable visitors who will show up asking about this "exploit in >> SpamAssassin"... > > Perhaps more than boilerplate, but rather an off

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-11 Thread Adam Katz
On 02/11/2011 03:39 AM, Giles Coochey wrote: > Under CentOS spamass-milter appears to run as sa-milt. IIRC, Debian does this too. However, the -x flag may require running as root, so it is possible (I have not verified) that it never downgrades its privileges. > The Vulnerability is only active

FIX for ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
On 02/10/2011 09:42 AM, Michael Scheidell wrote: > active exploits going on. > > > > > Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1 > > I don't see anything on bugtraq about a fi

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
Copying the spamass-milter mailing list. On 02/10/2011 09:42 AM, Michael Scheidell wrote: >> if case you are using spamassassin milter: >> >> active exploits going on. >> >> >> >> >> Vulnerable: SpamAssas

Re: http://khopesh.com/Anti-spam/

2010-09-24 Thread Adam Katz
gone ? No, not gone. I just moved across the country and started a new job (using SA at IronPort). In this process, my name server died. I expect to have its replacement up in the next few weeks. Also of note, I'm /dev/nulling SA list mail for now as that was my mail server as well, so p

Re: Updated rules are not regarded

2010-06-04 Thread Adam Katz
On 05/29/2010 05:03 AM, Yves Goergen wrote: >> Stepping away from the ZMI issue and heading towards the larger >> picture, what kind of spam are you trying to nail down with this >> ruleset? What goals did you hope to meet with the ZMI rules? If >> it's a specific type of spam, can you pastebin

Re: Yerp connection issues

2010-05-26 Thread Adam Katz
On 05/26/2010 07:32 PM, John Hardin wrote: > On Wed, 26 May 2010, Karsten Bräckelmann wrote: > >> The correct answer to both these statements is -- because it is in the >> mirrors list. ;) >> >> $ lynx -dump http://yerp.org/rules/MIRRORED.BY >> http://yerp.org:8080/rules/stage/ weight=10 >> http:/
