hi,
with the debug infos, do you see your module loaded?
A few hints: check permissions on the .pm itself, then check permissions
of the user to write in this directory.
You may want to try a call on the CLI with the flag --cf="loadplugin
HitFreqsRuleTiming /etc/mail/spamassassin/HitFreqsRuleTim
Hi,
your meta is wrong.
It should be:
meta LOC_MULT_BR __LOC_BR > 10
Note that it will not match "just" 10 instances of this tag. It will
match "at least" ten of them.
If you want exactly 10, you have to do something like:
meta LOC_MULT_BR __LOC_BR = 10
Never done that, maybe you need to
Hi there,
just write a single detection rule for FONT face= (rawbody or
uri_detail) and use tflag multiple.
Then meta this with a counter.
eg:
rawbody __BLAH / 20
score MULTPL_FONTS 5.0
describe MULTPL_FONTS At least 20 FONT tags found
Best regards,
Alex, from prypiat.
Yes, I recycle.
O
avoid
false negatives.
And no FP for a long time on this rule (this is an old bot, first seen
last summer, but probably older but unnoticed).
Alex, from prypiat.
Yes, I recycle.
On 13-03-01 02:45 PM, David F. Skoll wrote:
> On Fri, 01 Mar 2013 14:39:09 -0500
> Alexandre Boyer wrote:
>
>
access to SMTP infos. That's a pity, but you can't
have the real thing, you rely on headers.
Alex, from prypiat.
Yes, I recycle.
On 13-03-01 02:38 PM, Dave Warren wrote:
> On 3/1/2013 11:26, Alexandre Boyer wrote:
>> There is no silly question. Just noobs. FYI: most of the time,
Right: the suggested pattern is working great, but there are some
variants as KAM says.
However I sense that these are not the same bots. The one with the "date
in body" is always the same (the spammer only changed the date format).
I heard about a cross site botnet exploit on Yahoo! and third pa
Hello,
There is no silly question. Just noobs. FYI: most of the time, I'm a noob.
I do not understand your question: To or Cc headers are recipients. Do
you want to compare the name portion to the address portion?
eg: To: "Alex Boyer"
If Alex matches the local part in the address, then it's OK
The answer is 42.
Alex, from prypiat.
Yes, I recycle.
On 13-02-25 01:07 PM, Chris Hunt wrote:
Hi there,
Specifically checking name is:
header LOL From:name =~ "AndyTheCoach"
Meta this with the excellent suggestion from Martin (header
MSGID_BLOCKER Message-ID =~ /AndyNgPC/) to minimize false positive risk.
Best regards,
Alex, from osmosed.
Bow before me, for I am root.
On 24/02/13 0
Alex, from prypiat.
Yes, I recycle.
On 13-01-07 04:18 AM, Fabio Sangiovanni wrote:
> Hi,
>
> thanks to everybody for your answers.
>
> On 04 Jan 2013, at 18:12, Kris Deugau wrote:
>> Mmmm, the problem the OP was asking about is "how do I make sure that
>> only the specific
Hi there,
Why don't you perform those checks at the pre-data level, within postfix?
It's faster and cuts a lot of treatment for the data analysis.
The way you are doing is the way I would do, but someone on the list might
have a better way.
Alex, from N7.
Hello list,
I'm a relatively new user o
Hi there Frederic,
I think a geoip module exists. I saw that somewhere. Just take a look
for it.
But I think this is a bad idea. You are right about the analysis, but
geoip filtering is not efficient and may lead to FPs.
Take extra care to the rules you are going to build about it. You may
also ta
Hi,
I've fairly good results with this rule:
header __AJB_OBFU_PR0N_SUBJ Subject =~ /[\:\;\/\`\(\)\{\}~\#\&\"\%\$\_][a-z0-9][\:\;\`\(\)\/\{\}\_\~\#\&\"\%\$]/im
It's really basic and deserves a rework.
Best,
Alex, from prypiat.
Yes, I recycle.
On 12-12-04 06:57 AM, Tom Hendrikx wrote:
> Hi,
Hi,
I guess you may change your threshold for the cut off? The -s flag, when
calling spamc seems to be it.
I use amavisd-new to feed SA, it does the same thing, I had to change my
threshold too to analyze bigger emails.
Best,
Alex, from prypiat.
Yes, I recycle.
On 12-12-03 06:25 AM, Joseph Ac
Alex, from prypiat.
Yes, I recycle.
On 12-12-03 02:04 AM, John Wilcock wrote:
> On 30/11/2012 18:18, John Hardin wrote:
>>>header __AJB_HAS_XEROX X-Mailer =~ /WorkCentre \d{3,5}/
>>>header __AJB_XEROX_SUBJ Subject =~ /Scan from a Xerox/
>>
>> Thanks! I will add those to m
Take care with Xerox versions, it just changed.
I mentioned this in my reply to Kris.
I do not trust PHP Mailers, as PHP is wrong by design.
Alex, from prypiat.
Yes, I recycle.
On 12-11-30 10:17 AM, Kris Deugau wrote:
> John Hardin wrote:
>> On Thu, 29 Nov 2012, Kris Deugau wrote:
>>
>>> I've
th those, as I never saw such faked headers in
spams spoofing the Subject: Scan from a Xerox, but in the case of
forwarded scans, I keep my meta with Thread related rules.
Regards,
Alex, from prypiat.
Yes, I recycle.
On 12-11-30 09:54 AM, Kevin A. McGrail wrote:
> On 11/30/2012 8:15 AM, Alexandr
As a Mailer agent, I also spotted the Xerox Workcenter to have a dirty
behavior.
As I had the very same problem as Kris, I personally did not disable
those rules but built some metas based on X-Mailer and Subject tests:
header __AJB_HAS_XEROX X-Mailer =~ /WorkCentre \d{3,5}/
hea
Hello there,
Well if you feel uncomfortable with running mass-check and send data
(not the email themselves, just the rules they hit, as Darxus is
pointing out), you may want to override the score for those rules in
your local.cf.
You may even write your own rules to compensate those false positiv
Hello,
Well as far as I know, if your SA instance restarts after sa-update, it
should find the most recent and up to date ruleset.
Did you restart your instance? If you use amavis, restart it as well.
You may want to remove the ancient (theoretically unused) rulesets in
/var/lib/spamassassin in o
This tends to prove that you do not sa-update your installation.
$ grep -r HK_LOTTO /usr/share/spamassassin/
/usr/share/spamassassin/50_scores.cf:score HK_LOTTO 3.599 2.755 2.993 3.599
You may either use sa-update (score is lowered to 1) or override the
score in your personal ruleset.
Alex, f
Alex, from Nexus7.
Boyaah!
On 28 Oct. 2012 14:16, "John Hardin" wrote:
>
> On Sun, 28 Oct 2012, Alexandre Boyer wrote:
>
>> On 26 Oct. 2012 11:06, "Axb" wrote:
>>>
>>>
>>> That is all done on SA servers - all you need to do i
Alex, from osmose.
Bow before me, for I am root.
On 12-10-26 12:18 PM, dar...@chaosreigns.com wrote:
> On 10/26, Alexandre Boyer wrote:
>> Well, discouraged was implicit (as is the fact that every admin is
> I don't think there's anything implicit about it being discourage
Alex, from Nexus7.
Boyaah!
On 26 Oct. 2012 11:06, "Axb" wrote:
>
> On 10/26/2012 04:47 PM, Alexandre Boyer wrote:
>>
>> For example, I'm in the process of learning to use mass-check to
>> contribute back to SA (which implies a lot of hard work, simply
ttps://wiki.apache.org/spamassassin/NightlyMassCheck
>
>
> RuleQA results for that rule are here:
> ruleqa.spamassassin.org/?daterev=20121020&rule=DEAR_SOMETHING
>
> MSECS SPAM% HAM% S/O RANK SCORE NAME WHO/AGE
> 0 0.6160 0.2324 0.7260.
Hi all,
Simon, I had some FPs because of this rule and because my threshold is
lower than 5.
I just had a score override to lower it but this rule still hits a lot
of spam (419 scams essentially).
You may want to fine tune the score according to your specific FPs.
Regards,
Alex, from prypiat.
Hi there,
This suggestion should be considered as a last chance.
I used monit in the past and had very nasty behaviors, multiple
instances of the same process running. Maybe monit is better now.
Debugging using your logs and knowledge is the first thing you should do.
Try to find what is your r
On 12-10-17 02:32 PM, Ned Slider wrote:
> On 17/10/12 18:51, Alexandre Boyer wrote:
>> Right, but you have the content on the other link:
>>
>> http://igor.chudov.com/tmp/spam013.trace.txt
>>
>>
>> It scores 5.7 and should be blocked.
>>
>
> The
Right, but you have the content on the other link:
http://igor.chudov.com/tmp/spam013.trace.txt
It scores 5.7 and should be blocked.
Igor, what's the threshold of your SA installation?
Alex, from prypiat.
Yes, I recycle.
On 12-10-17 01:44 PM, John Hardin wrote:
> On Wed, 17 Oct 2012, Igor Ch
Hi there,
If you're asking a question, I guess you wonder why you are seeing this
in your logs.
The answer is simple: your system lacks a Perl module.
Install it with your distribution package manager or directly via the CPAN.
If you are not asking any question, then ignore this answer and try
Alex, from Nexus7.
Boyaah!
On 6 Oct. 2012 06:37, "Arthur Dent" wrote:
>
> On Sat, 2012-10-06 at 12:25 +0200, Axb wrote:
> > On 10/06/2012 12:14 PM, Arthur Dent wrote:
> > > I am trying to improve the performance of SA on my small home server. I
> > > use the sought rules, but though I would als
Try my regex ( /[:;`(){}~#&"%$_][a-z][:;`(){}_~#&"%$]/im ) in a subject
header check, and meta this with something like __HAS_ANY_URI and or
SUBJ_ALL_CAPS.
You may also want to upper your scoring for URIBL rules.
And train your bayesian filter with those spam messages. BAYES_00 means
they are con
Hello,
On 12-10-05 08:43 AM, Martin Gregorie wrote:
> On Thu, 2012-10-04 at 20:56 -0700, Cathryn Mataga wrote:
>> I'm getting a lot of SPAM with words written like this. These are pretty
>> horrible, and I don't like
>> getting them every day.
>>
>> A:N ;A %L"
>> P:O ~R %N ( P &lCT U #R&E /
>>
>>
Hi there,
first, your threshold is high. You may want to lower it a little bit.
Then, if it's always the same phrase, rule it:
body __AYOY /HELLO dude/
Then meta this with other things you may see a lot in those spams:
meta ME_SPAM RCVD_IN_SORBS_WEB && __AYOY
score ME_SPAM 2.0
Great, thanks, will do that today.
Alex, from osmose.
Bow before me, for I am root.
On 12-09-27 07:04 PM, dar...@chaosreigns.com wrote:
> On 09/27, Alexandre Boyer wrote:
>> I met you earlier on the IRC channel, remember?
> Yup.
>
>> Anyway, I would be glad to submit my rule
Hi there Darxus !
I met you earlier on the IRC channel, remember?
Anyway, I would be glad to submit my rules (corrected by Bowie Bailey).
I indeed asked how one could do that.
Should I start a sandbox? I'm familiar with some aspects of SA, but the
"return to the project" lack to my personal cul
Alex, from Nexus7.
Boyaah!
On 27 Sept. 2012 14:34, "Bowie Bailey" wrote:
>
>
> On 9/27/2012 1:48 PM, Alexandre Boyer wrote:
>>
>> Alex, from prypiat.
>> Yes, I recycle.
>>
>>
>> On 12-09-27 11:09 AM, Bowie Bailey wrote:
>>>
>&
Alex, from prypiat.
Yes, I recycle.
On 12-09-27 11:09 AM, Bowie Bailey wrote:
> On 9/27/2012 10:41 AM, Alexandre Boyer wrote:
>> Hello all,
>>
>> Here is a small ruleset that I'm working with. I added it to our
>> local ruleset in prod:
>>
>>
becoming a regular contributor but
this part of SA project is a little cryptic to me right now.
Do not hesitate to contact me off-list if necessary.
Alex, from prypiat.
Yes, I recycle.
On 12-09-26 11:03 AM, Bowie Bailey wrote:
> On 9/26/2012 10:45 AM, Alexandre Boyer wrote:
>> H
Alex, from prypiat.
Yes, I recycle.
On 12-09-26 11:09 AM, Sergio wrote:
> Hi all,
> how may I can check a FROM different to the one on the headers?
>
> I have seen that some emails on the FROM on the header has something
> different than the FROM on the email, as an example:
You are talking abo
Alex, from prypiat.
Yes, I recycle.
On 12-09-26 11:03 AM, Bowie Bailey wrote:
> On 9/26/2012 10:45 AM, Alexandre Boyer wrote:
>> Hi all,
>>
>> Me happy :-D
>>
>> It works as expected for simple rules.
>>
>> For example, to get rid of my problem
Hi all,
Me happy :-D
It works as expected for simple rules.
For example, to get rid of my problem with youtube links I had this
simple rule:
uri_detail Z_URIDETAIL_UTUBE_SPOOF raw !~ /youtube\./ text =~ /(https?://)?(www\.)?youtube\./ type =~ /^a$/
score Z_URIDETAIL_UTUB
I found a couple of examples with uri_detail checks (instead of uri
checks) that are written in a very similar way to what John suggested.
I will test this today.
Having written two plugins already (that is, on the edge to begin to
understand how the PMS works ;) ), I knew that one could work with
Hi list,
I'm receiving a lot of spam of a very particular sort.
It's essentially FREEMAIL_FROM and the body only contains a fake Youtube
link like:
http://www.probono.fr/95280_pdf";>http://www.youtube.com/wa=
tch?v=3D3VvOFqaHbL5&feature=3Dg-vrec&feature=3Dg-vrec
I ended with a regex fo
Yep, you are damn right. I work in a company where I maintain a list for
Canadian banks and more. It's a pain, but it's effective.
Should a few responsible of us contribute, it would greatly help.
Alex, from osmose.
Bow before me, for I am root.
On 12-08-24 02:03 PM, Matt Garretson wrote:
> In
That's my opinion too.
Therefore the community will have to contribute to the list of which
domain to add or not.
Alex, from osmose.
Bow before me, for I am root.
On 12-08-23 07:20 PM, Jason Haar wrote:
> Great idea - but don't under-estimate the amount of work. Someone
> thought there'd be "onl
That's right.
Excuse me to use this thread, but I have a short question about scoring.
When I want to prevent a rule from being used, I set its score to 0:
score RULE 0
Is the method asked by Brent working too?
Alex, from prypiat.
Yes, I recycle.
On 12-08-10 04:29 PM, dar...@chaosreigns.c
Did you mean:
score RCVD_IN_DSBL 0
?
Alex, from prypiat.
Yes, I recycle.
On 12-08-10 04:00 PM, Brent Gardner wrote:
> On 08/10/2012 04:46 AM, Axb wrote:
>> DSBL.org was shut down 4 years ago but apparently there's still ppl
>> sending lookups.
>>
>> As of today, dsbl.org is returning posi
+1
Alex, from osmose.
Bow before me, for I am root.
On 12-06-09 03:29 AM, Niamh Holding wrote:
> Hello best_sellercvv,
>
> Saturday, June 9, 2012, 7:00:35 AM, you wrote:
>
> b> Hi every customer
>
> Oh the irony to see the spamassassin list spammed :)
>
49 matches