Hello all you happy people,
While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
body __FRAUD_JBU /\bforeign account\b/i
and
body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
Correct me if I'm wrong, but won't anything matching __FRAUD_JBU also
match __FRAUD_TCC? It also
mouss wrote (about the PBL):
> stop spreading FUD. if you know of false positives, show us so that we
> see what you exactly mean.
>
> a lot of people, including $self, use the PBL at smtp time.
As usual, it depends on your definition of “false positive”.
If you mean “IP address that should not
Charles Gregory wrote:
> Though again, legit senders that average negative are relatively rare
> (well, on my system, anyways).
For what it’s worth, I’ve set up SA to identify replies to the
organisation’s email. It looks at the In-Reply-To and References headers
(our Message-IDs have a distinct
Theo Van Dinter wrote:
> It's already been mentioned, but mimeheader is the right way to look
> at the headers of MIME parts.
Charles Gregory wrote:
> Look more closely at my rule. It is checking for TWO headers,
> one after the other (separated by \n), identifying a gif with no name.
>
>>> full /
Gary Forrest wrote:
> Hi All
>
> We are receiving the same image spam many times, random text within the
> body.
> The only common thing is an image attachment, with the filename in the
> following format
>
> DSL1234.png
>
> I have made the following ' RAWBODY ' rule
>
> /dsl[0-9]{4}\.png/i
>
Charles Gregory wrote:
> I've been scoring the attachment name pattern with a 'full' test.
> But this will only work until they figure ways to randomize the
> attachment names
The mimeheader plugin can do that and is much cheaper.
The
Abody
Ahead
part of the HTML seems to b
I wrote:
> meta __SEEK_LZH2GT 0 # Microsoft Office 2003 Pro
> meta __SEEK_O1TQTY 0 # aving trouble viewing this e
> meta __SEEK_QGCXIK 0 # lots of dots
> which relies on the names being derived from the string.
Benny Pedersen wrote:
> the above __SEEK_* is random so you disable random seek :
Karsten Bräckelmann wrote:
> By looking at the sub-rules' names I got the impression they are just
> random. But maybe they actually are somehow based on the rule's content?
> Never checked. Justin?
Justin Mason replied:
> yep, they're derived from a hash of the string.
Is that documented, or co
Mark wrote:
> Eh, it's no biggie, really, I was just surprised it scores as high as,
> say, being listed on DCC. But then again, who actually *does* write in all
> caps, except a spammer? :)
Quite a few of my employer’s correspondents: and not just in the
subject!
I know a number of my users who
I wrote (about the AWL):
> In the absence of any sort of expire mechanism¹ (see, for example,
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6059) one can do
> a crude approximation by periodically resetting it.
LuKreme wrote:
> But why would you want to ever reset the AWL?
To quote tha
LuKreme wrote:
> On 31-Mar-2009, at 11:13, Lucio Chiappetti wrote:
>> And even resetting the AWL ...
>
>
> Why would you reset the AWL? I can't see any circumstance on which that
> would be a good idea.
In the absence of any sort of expire mechanism¹ (see, for example,
https://issues.apache.org/S
John Hardin wrote:
> No reason it shouldn't be. I'd suggest something like a rawbody match on
> /]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
> points.
This would seem to FP on Microsoft HTML generated by certain versions of
Word. One example:
Andrzej Adam Filip wrote:
> At "RCPT TO:" stage there are available:
> * connecting client IP address (last mail hop)
> so big part of DNSBL and DNSWL tests *CAN* be used
> * envelope sender for SPF based tests
> * envelope sender and envelope recipient for auto white/black listing
> (producing
Ricardo Kleemann wrote:
> Are SBL/XBL tests automatically enabled or is there a plugin I need to enable?
SBL/XBL are tested as part of the SpamAssassin ZEN list for 3.2.x if you
have network tests enabled.
Hope this helps,
James.
--
E-mail: james@ | “Sir, they’ve taken Mr. Rimmer!”
apr
Kban35 wrote:
> I just upgraded my SA to 3.2.5 and now when I look in my /etc/init.d I do not
> see spamassassin listed anywhere in there.
Which OS? How did you upgrade – cpan? yum? apt-get? From where did you
get 3.2.5?
Thanks,
James.
--
E-mail: james@ | “Drums must never stop. Very bad i
Karsten Bräckelmann wrote:
> However, there are some highly abusive patterns sticking out. A google
> URI with a ../ in the path? Sure! Score 2. :) Alternating alpha and
> numbers might be worth another point. A question mark in a google groups
> URI? Punish that.
You can eliminate links to Usene
Ricardo Kleemann wrote:
> I'm running spamc/spamd 3.2.4 on a Ubuntu 8.04 server, it's the
> standard Ubuntu package. I have the default settings for Bayes (with
> auto_learn) and I'm using a mysql backend for BayesStore.
It’s worth noting that Bayes, by itself, is not allowed to condemn spam.
Its
Gary Forrest - Netnorth wrote:
> Question, are custom rules ignored if a white list entry has the same
> email address ?
Quick point – if you have short-circuiting turned on, then they may well
be…
James.
--
E-mail: james@ | Which do you consider was the stronger swimmer,
aprilcottage.co.u
LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others posts, sure, but
> where do they originate?
>
> Even searching the wiki (which
Matt Kettler wrote:
> If a spammer is using the same sending address over and over again,
> blacklist them entirely.
>
> That said, I've never seen a spammer re-use the same address twice.
Doesn’t mean it doesn’t happen – only that you’re not on any
“narrowcast” lists (e.g. “Email 200,000 British
Kai Schaetzl wrote:
> well, but how? By auto-learning? In that case you are just multiplying your
> problem. It seems a lot of spam gets miscategorized as ham. Auto-learning
> that spam as ham means enforcing this miscategorization and that's what you
> see as a result.
When SpamAssassin decide
Thomas Zastrow wrote:
> I have a new server where I installed Spamassassin. Next, I took a
> maildir with a lot of spam and learned the filter:
>
> sa-learn --spam --showdots /path/to/maildir
Did you learn some non-spam, too?
Bayes needs at least 200 of each before it will work.
Hope this helps
mouss wrote:
> in which sublist? xbl, sbl or pbl? and when you say "a lot", how many?
> can you show an example of an IP that you consider as an FP?
Well, since you asked…
I’m not the Original Poster, but I consider most of
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL60174 to be a FP *when
u
Bob Cohen wrote:
> I'm running Fedora v9. All of the prerequisite and optional modules
> installed with no problem. Suggestions?
Well, there’s always “install it with yum”:
yum install spamassassin
Hope this helps,
James.
--
E-mail: james@ | “It has taken 24 years to get the Reichstag
jdow wrote:
> I believe you could "blacklist_from". That would train SpamAssassin's
> Bayes filter -
Or not. Both USER_IN_BLACKLIST and USER_IN_BLACKLIST_TO have tflags set
to userconf noautolearn (in current 3.2.5 rules), which means that
SpamAssassin will ignore their scores when deciding whethe
John Hardin wrote:
> Is there any reason the base rules should _not_ contain a
> whitelist_from_spf or whitelist_from_rcvd for the list?
Larry Nedry wrote:
> Would you really want to auto-train your bayes with mail from this list?
The whitelist rules are ignored when SpamAssassin decides whether
Henry Kwan wrote:
> Thanks for the script but I don't think I can use it as Exchange2K7
> has dropped IMAP support for public folders. Or at least this blog post
> from MSFT seems to indicate:
>
> http://msexchangeteam.com/archive/2006/02/20/419994.aspx
I don't have any Exchange 2007 experience, bu
Eric Wood wrote:
> Is there a website or repository where I can yum upgrade to the latest
> spamassassin from, say, a FC6 system?
F7 and F8 (and F9) have version 3.2.4 in the standard Fedora updates
repo: just
sudo yum update
Note that Fedora 7 will go out of support in a month or so, and FC6 is
> I have SA 3.17 running with amavisd-new, dovecot and Postfix 2.4.3 and
> Clama/v on freebsd 6.1
>
> I am trying to "teach" sa using the following
>
> sa-learn /var/mail/vmail/example.com/user/.INBOX.spam/cur/
>
> this is a maildir I have put around 175 spam messages in..
find cur new -type f
Michael Hutchinson wrote:
> There's been a rise in Canadian Pharmaceutical Spam lately. This spam is
> quite basic, generally only including some text and a link. The link is
> always changing so we can't score against that.
>
> About the only other thing it scores on is the FORGED_HOTMAIL_RCVD ru
Skip wrote:
> I am on a linux, shared hosting site (Bluehost.com). I don't
> know how I can get it into the startup script for that box, and I only have
> access to my own home directory. That may be a showstopper right there.
> I'll have no way of knowing when they reboot the box.
Earlier,
Matt Kettler wrote:
> Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
Chip M. wrote:
> Matt, yes this is correct, however in this particular case "nonspam" is
> perhaps a bit broad. It's been my experience that these almost always
> occur in mass marketing ham, not person-
Dan Barker wrote:
> My whitelist_from_rcvd tags don't hit. I believe this has been happening
> since my upgrade from 3.1.7 to 3.2.3.
> Just in case there is something [else] I've done silly, my local.cf is at
> http://www.visioncomm.net/temp/080104Local.txt):
Here's what may be a thoroughly stu
lochness wrote:
>
> I'm running on windows and I'm using one software call "NoSpamtoday" that
> software is based on spamassassin I modify local.cf file but in my test I
> have this message below I put required_hits on 5 but in the message I have
> 0 so how can I apply my config
NoSpamToday puts
Hello, all you happy people,
I have in my possession a legitimate e-mail with
Message-ID: <[EMAIL PROTECTED]>
but no sign that it comes from a Microsoft product.
As far as I can see, this one header is causing it to get
2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)