> > While you are at it, you can also scan for
> > full /Content-Type: image\/gif;\n[^a-z]+name=""/
> It's already been mentioned, but mimeheader is the right way to look
> at the headers of MIME parts.
How about multiline Content-Types?
I tried without success:
mimeheader NAMELESSGIF_ATTACHME
On 2008-11-03, 13:02, Bob Kinney wrote:
> We set up server side filters for SPAM that users can enable or
> disable, is this something you could do in your environment?
Uhmmm...not easily I think.
We're using a combination of postfix and AMaViS.
I'd have to plug procmail in between somehow...
Than
On 2008-11-03, 10:13, Bob Kinney wrote:
> but had one unfortunate side effect: E-mail forwarded from another
> account to an account on our servers was considered a "bounce"
> because it hit __BOUNCE_RPATH_NULL.
Uhmm... interesting. What exactly might cause this?
I tried to trigger this behaviou
On 2008-10-29, 18:44, Chris Arnold wrote:
> We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin
> built-in. At the present time, my mailbox is filled with
> backscatter; getting around 10 a minute since 4:30 today. I have
> postfix backscatter rules in postfix of zimbra,
> http://www.postfix.
John Rudd wrote:
But even if I wanted a dynamic IP doesn't make much sense as MX. :-(
> Part of the operating definition of "soho mail server" that I am using
> for botnet is: if your operation is so small that you're forced to use a
> dynamic IP address for your email server, then you're proba
John Rudd wrote:
> b) spiegl.de has 1-5 MX records, and one of them has 1-5 A records, one
> of which resolves to the submitting relay (87.152.143.202).
Hm, but why would I want to put this dynamic IP into the list of MXs?
The soho mailserver doesn't accept mails from outside.
Shouldn't the BOT
John Rudd wrote:
> When you're just using the BOTNET rule directly, not as a meta-rule, the
> BOTNET_SOHO code is called internally, so it should automatically kick in
> and exempt a host from BOTNET if it appears to be a soho type mail server.
I'm not sure I understand what you mean by "using as
...I wonder how to deal with the cases where there is a legitimate
internal mailserver behind dialup-IPs. There are quite a few small
companies that have a small home office network behind a dialup DSL
and run an internal mailserver which relays external mail to the mailserver
of their provider wh
Hi Tim,
> Is there a good test for these?
I don't get many of them, probably because I block them at MTA via
zen.spamhaus.org. But the ones that do get through are caught nicely
by the BOTNET rules.
Chau,
Andy.
--
If it ain't broke, improve it.
> Since the scores were set with a threshold of 5, you would need three of
> those and change to get the message marked as spam. If you are having
> problems with this marking messages as spam, I'd look to see what else is
> hitting also.
Sometimes HTML_10_20 or/and HTML_IMAGE_ONLY
Then, if bayes
> afaik no, but other things which spammers do are not forbidden too ;-)?
Right. :-)
But the score for SUBJECT_ENCODED_TWICE is pretty high:
1.723
How does that justify?
Greetings,
Andy.
--
If you have good memory you can forget the rest.
Hi,
several of my HAMs are tagged with SUBJECT_ENCODED_TWICE.
Is this forbidden by any RFC?
Even mutt, a usually very RFC-compliant MUA, does that.
For example this mail from ebay:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on kira2.XXX.de
X-Spam-Scores: AWL=-2.283,BAYES_00=-2.599
Hi Vincent,
> Are you running spamd/spamc as root? it is not recommended to run spamd
> as root.
I know, but so far I was too lazy to set it up to run as a user.
There are still some issues, e.g. when I start spamd with
use_auto_whitelist 1
and there is no file auto-whitelist yet, it is
> If you remember my log file, there were a bunch of days in a row with one
> to three of them, then three on April 8th, one on April 9th and none
> since then.
Well, it still could be some kind of watchdog that kills processes when
they use too much CPU or memory. That wouldn't happen on a regula
Hi Jason,
I found the cause: my stupidness DOH!
I've got a cronjob that kills processes which have been hanging around for
too long. Two days ago I reconfigured it and made a mistake which led to
exactly this: spamd with etime of more than 60 minutes are killed with
SIGTERM. This cronjob is re
While I am reading through the spamd.log in order to find the cause for the
strange SIGTERMs (see my other posting) I saw that there are many lines
like this:
Fri Apr 13 18:18:54 2007 [26659] error: alarm
What could that mean?
Here is the full log of the child with pid 26659 (started with
"--max
Hi,
I call spamc to scan the messages (like most of you I assume :-)
But if spamd isn't running (see my other postings) spamc returns the
messages unprocessed. How are you guys coping with that?
I guess I have to check the processed messages for the
"X-Spam-Checker-Version" header to see whether
> Someone here suggested that it's a memory problem.
Where? I didn't see any reply to your post.
Most of my machines have 1gig RAM. That should be enough for the 5
SA-children I thought...
> The rate that it's occurring for you might support that if you handle a
> lot of users.
Yes, but my setup
I seem to have the same problem!
Yesterday I upgraded from 3.0 to 3.1
(to be exact: 3.0.3-2sarge1 to 3.1.7-1~bpo.1 from Debian backports)
and now ALL spamds terminate after a while. And I have no clue why!
The worst part is that spamc returns the messages unprocessed if it cannot
connect to spa
> > How many metas with nice hit ratios depend on that base rule?
>
> Exactly. That rule is used more in combination with other rules. On its own,
> it's of no great use. But combined with other rules to form meta rules, it's a
> force so powerful it should be a category 5 hurricane :)
I thought a
Hi, I am wondering whether using HTML_MESSAGE makes any sense.
Nearly 60% of the mails on my servers hit that rule, and the HAM-SPAM
ratio for this rule is about 50:50.
Okay, it only adds 0.001 points but uses resources, right?
MIME_HTML_ONLY and HTML_FONT_BIG have a pretty bad ratio, too.
Even HT
> Do you have them installed?
Ups, you are right. They weren't installed on that machine.
Thanks,
Andy.
--
Politics: Poli=Many, Tics=Blood sucking parasites
After upgrading spamassassin 3.1.0a-2 -> 3.1.1-1 (Debian Packages)
I get the following lint errors:
SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for
"pyzor_path", skipping: pyzor_path /usr/bin/pyzor
SpamAssassin failed to parse line, "/usr/bin/dccproc" is not valid for
"dc
> [3320] dbg: bayes: corpus size: nspam = 178, nham = 168
Probably because your corpus is still too small.
man Mail::SpamAssassin::Conf
...
bayes_min_ham_num (Default: 200)
bayes_min_spam_num (Default: 200)
To be accurate, the Bayes system does not activate un
Matt Kettler wrote:
> At least in SA's real world testing, SPF_HELO_FAIL had a worse spam:ham ratio
> than SPF_HELO_SOFTFAIL.
Interesting! So, sysadmins aren't so sure yet about SPF, it seems.
I myself have got one doubt, too:
What to do about Email-forwarders?
Many people have secondary email
Hi, I'm wondering why the default score for SPF_HELO_FAIL is only 0.001?
On the other hand SPF_HELO_SOFTFAIL adds 3.14
After reading "man Mail::SPF::Query" I thought fail is a lot worse than
softfail, right?
"fail" means the client IP is not a designated mailer, and the sender
wants you to re
> Also, unless this really is very common stuff, you should look to your
> Bayes database. Getting Bayes_00 on a spam is generally not a good sign!
Thanks, but the mail text is pretty usual German and 95% of my users are
Germans so I can't really do much about that. :-(
I'll try with some body r
This new spam only hits J_CHICKENPOX_24 and DATE_IN_FUTURE_12_24 or
DATE_IN_PAST_12_24.
So far they all came with "angemessenes Gehalt" in the Subject:
Die beste Weise zu sein payed. Anti- Spam Schutzcode:MX-8253
Die einzigartige Moglichkeit zum Haben ein angemessenes Gehalt. Anti- Spam
Sind
Hi Carlo,
back in May you wrote:
>Moreover, you might want to firewall (or reject their mail
>otherwise before it reaches spamassassin) all of South Korea and
>all of China -- that will reduce the amount of spam you
>receive with about 99% ... So, it is more than worth it.
When I
Hi Loren,
> I suspect that is more of a broken spammer than a new trick.
Maybe both? :-)
> I can't see what good that line is going to do for the spammer.
Well, whoever replies to the spammer, telling him no matter what
mails his reply (usually including the quoted original mail) to everyone in
th
Hi, I just got a Nigerian spam with a huge Reply-To: line!
Never seen that trick before, but I suppose it works with quite a few of
the recipients. Should we create a new rule for that? I can't think of a
legitimate reason to have more than one address in the Reply-To line, right?
Here goes a sa
32 matches