at's very "nice" :)
Thank you,
-- Jared Hall
SA 3.4.6
I see this negative scoring rule in many spams:
MAILING_LIST_MULTI=-1
Seems counter-intuitive but I could not find a score for this rule anywhere.
Is this just an issue with version 3.4?
Thanks,
-- Jared Hall
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing
emails that were not being caught.
I can't recall if anyone found a reasonable solution (or new rules).
BOLO for my email.
That is the complete PayPal stanza from Ja
Not enough information. Could simply be a case of DNS poisoning?
-- Jared Hall
sn't help PayPal at all.
Shame that PayPal, *probably* the largest online financial processor,
doesn't have
its act together; bad SPF records and Microsoft Exchange
(66.211.170.93/.94) systems that
are Pwned.
Just FYI,
-- Jared Hall
nless you advise them of
this - doubt PayPal even knows.
-- Jared Hall
explains everything.
Thanks for chiming in. I've always been amazed at
this SA User Group.
-- Jared Hall
like your thinking Matus
:) My mind is about as sharp as a cooked linguine noodle. I'm sure
there are a lot of people out there that can conjure up better solutions.
-- Jared Hall
after every message.
On Deb-based distros, you can add this in /etc/amavis/conf.d/50-user
under the $max_servers parameter.
-- Jared Hall
later be reported as BAYES_50?
Are unsolicited emails always considered spam?
Thanks,
Alex
+1
-- Jared Hall
On 4/12/2024 1:20 PM, Bill Cole wrote:
In my opinion, this is an indication that the default welcomelist entries in
the official SpamAssassin rules for '*@*.microsoft.com' are inappropriate. Note
that there is an entry for '*@accountprotection.microsoft.com' which is still
justified as far a
ling Up
I've observed an increase in the blocking of IPs belonging to
Microsoft Corporation by the SpamCop blacklist since November 2023,
with a notable spike in activity during February and March 2024.
Yes, you are correct. I see there is a spat between Microsoft and
SpamHaus also.
I've several customers whose accounts were used to send spam as a result
of Microsoft's infrastructure breach.
Curiously, NOBODY has received any breach notifications from Microsoft,
despite personal information being compromised.
What has anyone else experienced?
Thanks,
-- Jared Hall
On 3/12/2024 4:04 PM, Benny Pedersen wrote:
Jared Hall via users skrev den 2024-03-12 20:37:
Is there a use case for emailing .shtml files, or can these just be
simply discarded?
I have seen .html attachments;
the only reason I think it's tried is to skip URL testing in SpamAssassin.
Might be the same.
Is there a use case for emailing .shtml files, or can these just be
simply discarded?
Thanks,
-- Jared Hall
Content-Transfer-Encoding: base64
I can hit on the Content-Disposition header regex fine, but tflags/multiple
doesn't seem to work here. I'm not sure if this is a problem (1) with the
Mimeheader plugin, (2) working as designed, (3) or a fault in my system.
Any suggestions?
Thanks,
-- Jared Hall
, SPF/DKIM/DMARC Auth-neutral will become the
new "bad".
I apologize this isn't strictly SA related, I am just hoping someone
can give me advice or provide a link to follow on how to make this work.
package: opendkim + access to your managed domain's DNS records.
$0.02,
-- Jared Hall
5.0
endif
You can read more information about this function here:
https://metacpan.org/pod/Mail::SpamAssassin::Conf#CAPTURING-TAGS-USING-REGEX-NAMED-CAPTURE-GROUPS
-- Jared Hall
ion oriented, and less-prone to race conditions. This actual
comment in SA 3.4.2's DNSEval.pm module says it all:
"# Very hacky stuff and direct rbl_evals usage for now, TODO rewrite
everything"
An upgrade is in order.
-- Jared Hall
On 9/28/2023 8:39 AM, Andy Smith wrote:
Hello,
On Thu, Sep 28, 2023 at 06:48:54AM -0400, Jared Hall wrote:
Do you mind if I redirect the below back onto the spamassassin list
and respond to it there?
Well I was going to do that, but fair enough!
On Thu, Sep 28, 2023 at 12:02:47AM -0400
Hi Jared,
Do you mind if I redirect the below back onto the spamassassin list
and respond to it there?
I'm concerned that I might have a configuration error if a DNSBL
check was done against an IP from a Received header that wasn't the
last external one, as you mention.
Thanks,
An
d --create-prefs --max-children 5
--helper-home-dir --syslog-socket=native
CPAN will put stuff in the /usr/local/bin folder. Compare
/usr/sbin/spamd -V to /usr/local/bin/spamd -V
Also, check the values in /etc/init.d/spamassassin
-- Jared Hall
.
KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9
Still, anything blocking MS Store is pretty egregious, especially since
it's both Address and Body URL. A score of 9 for each?
-- Jared Hall
=~
/(\xC2\xAEPayroll_stubs\.Htm)([";']?|$)/
The more native (raw) formatted rule works even without specifying
"Content-Disposition:raw":
mimeheader __JR_EXPLOIT_ATT_UTF Content-Disposition =~
/(%C2%AEPayroll_stubs\.Htm)([";']?|$)/
How does SA handle UTF-8 filenames?
-- Jared Hall
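The two rules above target two different spellings of the same filename: the raw UTF-8 bytes (C2 AE) and the RFC 2231 percent-encoded form (%C2%AE), and a third spelling, an RFC 2047 encoded-word inside the quotes, is also common. The following is an added example (not code from Jared's post and not SpamAssassin's own header handling) that builds all three Content-Disposition values for `®Payroll_stubs.Htm`, runs the two posted rules against the bytes on the wire, and decodes each one back to text. The header values are constructed, and `decode_filename` is a minimal decoder written for this example.

```python
import base64
import email.header
import re
import urllib.parse

# The filename from the rules quoted above, as text: U+00AE REGISTERED SIGN + "Payroll_stubs.Htm".
NAME = "\u00aePayroll_stubs.Htm"

# Constructed Content-Disposition values (not captured from real mail): the same filename in
# the three shapes senders actually emit.
RAW_8BIT = b'attachment; filename="' + NAME.encode("utf-8") + b'"'                       # C2 AE ... on the wire
RFC2231 = b"attachment; filename*=UTF-8''" + urllib.parse.quote(NAME).encode("ascii")   # %C2%AE ...
RFC2047 = b'attachment; filename="=?UTF-8?B?' + base64.b64encode(NAME.encode("utf-8")) + b'?="'

# The two rules from the post as byte regexes, so they see exactly what is on the wire.
RULES = {
    "bytes_rule": re.compile(rb"""(\xC2\xAEPayroll_stubs\.Htm)([";']?|$)"""),
    "percent_rule": re.compile(rb"""(%C2%AEPayroll_stubs\.Htm)([";']?|$)"""),
}


def decode_filename(header: bytes) -> str:
    """Recover the filename as text from a raw-8bit, RFC 2231 or RFC 2047-in-quotes header."""
    text = header.decode("utf-8", "surrogateescape")      # keep undecodable bytes recoverable
    m = re.search(r"filename\*=([^']*)'[^']*'([^;\s]+)", text)
    if m:                                                 # RFC 2231: charset'language'%XX-bytes
        charset = m.group(1) or "utf-8"
        return urllib.parse.unquote_to_bytes(m.group(2)).decode(charset, "replace")
    m = re.search(r'filename="?([^";]+)"?', text)
    if not m:
        return ""
    value = m.group(1)
    if value.startswith("=?"):                            # RFC 2047 encoded-word inside the quotes
        return "".join(
            part.decode(cs or "ascii", "replace") if isinstance(part, bytes) else part
            for part, cs in email.header.decode_header(value)
        )
    return value.encode("utf-8", "surrogateescape").decode("utf-8", "replace")


def rule_hits(header: bytes) -> dict:
    """Which byte-level rule fires on this header, and whether the decoded name is the target."""
    hits = {name: bool(rx.search(header)) for name, rx in RULES.items()}
    hits["decoded_match"] = decode_filename(header) == NAME
    return hits


for label, hdr in ("raw 8-bit", RAW_8BIT), ("RFC 2231", RFC2231), ("RFC 2047", RFC2047):
    print(f"{label:9} {hdr!r}\n          -> {rule_hits(hdr)}")
```

Each byte-level rule fires on exactly one of the three headers and neither sees the encoded-word form, while the decoded name is the same string every time; a rule that should catch the attachment regardless of how the sender spelled it needs to match after decoding, or needs one alternation per encoding.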
presence of the MIME::Base64 module and
Unicode::UTF8 modules (something like "instmodsh" option "l").
Just another great mystery; like Bigfoot, Pyramids, UFOs, Crop Circles,
Plains of Nazca, and Microsoft Fax Server.
-- Jared Hall
message and EVERY time it
said it examined a message it also said it "learned" 1 token.
I believe the default format is Maildir. You mention a single file w/
multiple emails which suggests you might be running MBox format? If so,
try the --mbox command line switch.
-- Jared Hall
at the top, but usually this is the responsibility of the
Milter. What Milter/content_filter are you using?
-- Jared Hall
hat have been fixed since then.
I would upgrade SA to 3.4.6.
-- Jared Hall
ARC_OFFSET (ENA_SUBJ_LONG_WORD && DKIM_VALID)
score DMARC_OFFSET -2.2
Yes, for sure, ALL Microsoft DMARC messages hit ENA_SUBJ_LONG_WORD.
dokomo.ne.jp also hits (32 chars). In the near-miss category, mail.ru
comes in OK at 29 characters.
-- Jared Hall
you wish. But IMHO, it is probably not a good idea to go looking for
trouble that doesn't exist.
-- Jared Hall
ive wildly different BAYES scores.
Try rattling off another Gmail message, but this time switch the two
Email addresses on the "To:" line around. Maybe a case where only the
first Email address is looked at by SA?
Thanks,
Jared Hall
mple:
ln -s /usr/lib/perl5/vendor_perl/5.26.1/Mail /lib/Mail
Or, if you have to be more specific (say, /lib/Mail exists already),
something like:
ln -s /usr/lib/perl5/vendor_perl/5.26.1/Mail/SpamAssassin
/lib/Mail/SpamAssassin
etc...
--Jared Hall
.
Thank you
-- Jared Hall
On 1/8/2023 12:57 AM, Brian Conry wrote:
...
Third, to expand on something I alluded to briefly, the emails in
question are generated by a security appliance on our customer's
network, in accordance with their security policy and posture. The
warnings we're getting when our mail server perfo
On 12/15/2022 7:03 AM, Pedro David Marco via users wrote:
HI,
Situation:
i have 2 twin servers running exactly the same OS, and SA. (3.4.4)
i have an email with the word 'dog' inside.
i have this rule:
body __ANIMALS /cat|mouse|bird|dog/i
Problem:
Rule __ANIMALS its in one server, but
SA: 3.4.6
The Header ToCc test doesn't seem to accept :name and :addr modifiers.
Is that how this function operates?
Thanks,
-- Jared Hall
On 8/14/2022 2:55 PM, John Hardin wrote:
On Sat, 13 Aug 2022, joe a wrote:
Why waste your own system resources to help a scoundrel? Drop them
and be done.
I personally prefer to TCP tarpit repeat offenders.
+1
-- Jared Hall
/sa-update.verein-clean.net/1900065.tar.gz.sha256, FAILED, status:
exit 22
-- Jared Hall
age, it's not possible to match
on them.
Maybe rewrite the Subject on the upstream server to something unique and
trigger on that. Beware that KAM rules (eg. KAM_MARKSPAM) might detect
most "standard" methods of Subject rewriting and add more points to the
message.
$0.02,
-- Jared Hall
teral format by expressing the Emoji in its 3
hexadecimal bytes:
header PP001 Subject =~ /\xE2\x9C\x85 Dein Paket/
Regards,
-- Jared Hall
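Subjects like that normally arrive as an RFC 2047 encoded-word rather than as raw bytes, so it is worth seeing where a rule written with the three byte escapes does and does not fire. The following is an added example (not from Jared's post and not SpamAssassin code) that derives the `\xE2\x9C\x85` escapes from U+2705, builds the same Subject as a B encoded-word, a Q encoded-word and raw 8-bit UTF-8, and applies the byte rule and a decoded-text equivalent to each. The header values are constructed for the example.

```python
import base64
import email.header
import re

SUBJECT = "\u2705 Dein Paket"          # U+2705 WHITE HEAVY CHECK MARK, then the German text


def utf8_escapes(text: str) -> str:
    r"""Render text as the \xHH byte escapes a byte-oriented rule needs (U+2705 -> \xE2\x9C\x85)."""
    return "".join(f"\\x{b:02X}" for b in text.encode("utf-8"))


# Constructed Subject header values (not captured from real mail): the same subject as an
# RFC 2047 B encoded-word, a Q encoded-word, and raw 8-bit UTF-8.
B_WORD = b"=?UTF-8?B?" + base64.b64encode(SUBJECT.encode("utf-8")) + b"?="
Q_WORD = b"=?UTF-8?Q?=E2=9C=85_Dein_Paket?="
RAW_8BIT = SUBJECT.encode("utf-8")

BYTE_RULE = re.compile(rb"\xE2\x9C\x85 Dein Paket")   # the rule from the post, byte for byte
TEXT_RULE = re.compile("\u2705 Dein Paket")            # the same rule against decoded text


def decode_subject(raw: bytes) -> str:
    """Decode B/Q encoded-words, or pass raw UTF-8 through, yielding the subject as text."""
    text = raw.decode("utf-8", "surrogateescape")
    return "".join(
        part.decode(cs or "ascii", "replace") if isinstance(part, bytes) else part
        for part, cs in email.header.decode_header(text)
    )


def rule_hits(raw: bytes) -> dict:
    """Where each form of the rule does and does not fire for one on-the-wire Subject."""
    decoded = decode_subject(raw)
    return {
        "byte_rule_on_wire": bool(BYTE_RULE.search(raw)),
        "byte_rule_after_decode": bool(BYTE_RULE.search(decoded.encode("utf-8"))),
        "text_rule_after_decode": bool(TEXT_RULE.search(decoded)),
        # A Latin-1 view of the same bytes turns the emoji into mojibake and matches nothing.
        "text_rule_on_latin1_view": bool(TEXT_RULE.search(raw.decode("latin-1"))),
    }


print("escapes for U+2705:", utf8_escapes("\u2705"))
for label, hdr in ("B word", B_WORD), ("Q word", Q_WORD), ("raw 8-bit", RAW_8BIT):
    print(f"{label:9} {hdr!r}\n          -> {rule_hits(hdr)}")
```

The byte rule only matches the raw 8-bit form on the wire; for the two encoded-word forms it matches only after the header has been decoded and re-encoded as UTF-8, and any stage that views the bytes as Latin-1 breaks both rules.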
is keyboard then replied, "Sir, we have
11 Pin Lo Chens on staff, and 5 guests by that name. Can you be more
specific?"
I just sat down and ordered breakfast when the "real" Pin Lo Chen found me.
First thing he says is, "Why didn't you call me?"
-- Jared Hall
t they preach: SANITIZE USER INPUT. Instead,
their careless attitude presents a security threat to us all.
-- Jared Hall
's "Adopt-a-Character" program, I
mentioned that to my psychiatrist a while back. "It's only a hundred
bucks", I told her.
She probes, "If you could be a character, which would you be?"
"That's easy", I said, "I'd be a F09F."
On 11/4/2021 10:44 AM, Bill Cole wrote:
On 2021-11-04 at 08:45:02 UTC-0400 (Thu, 4 Nov 2021 08:45:02 -0400)
Jared Hall
is rumored to have said:
[...]
2) Beware of using somebody else's source code :)
That's the really significant warning...
Agreed. Does one need to write a
MIME-Defang, or in your case, Fuglu).
-- Jared Hall
<https://metacpan.org/pod/Mail::DKIM::AuthorDomainPolicy>
:
https://www.pccc.com/
2) AppRiver is well-known. They emerged from MIME-Defang/Roaring
Penguin: https://appriver.com/
Regards,
-- Jared Hall
a is practically
non-existent.
Since SA rule-based systems have such great efficiency, perhaps a better
use-case of ML/AI/DL would be in Virus/Malware control. Still, I
envision an environment where the ISP/ESP can set privacy flags, what
services are requested (AV/Spam), and what algorithm (or
, and Deep-learning systems
communicate with Email hosts?
Thanks,
-- Jared Hall
pamd --socketmode=0660"
thanks
1) Make sure spamd is running:
netstat -an
2) Make sure firewall rules allow the connection.
-- Jared Hall
On 9/27/2021 4:37 PM, Lucas Rolff wrote:
So is FISA702.
True that. But that is a harder sell (to my clients).
-- Jared Hall
ice.
Even Cloudflare can only go so far with signature detection. They do
have the advantage of scale. Others, like many here, have the advantage
of responsiveness.
Thanks,
-- Jared Hall
;),
we can talk about it on the MIMEDefang ml
(https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org)
or you can send me an email
about it.
Giovanni
Thanks for the help. Alex should be happy.
:)
-- Jared Hall
someone on
Upwork, or maybe Freelancer, to do exactly what you want.
Thanks,
Alex
Good Luck,
-- Jared Hall
a while() or a foreach() loop.
:)
-- Jared Hall
On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:
Jared, looks to me like an FP in Pyzor.
No doubt. The 4.608 points for a single aberration seems reasonable.
-- Jared Hall
JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY
DCC_CHECK = 0
RAZOR2_CHECK = 0
PYZOR_CHECK = 1
__FSL_HAS_LIST_UNSUB = 0
__UNSUB_LINK = 0
__RCVD_IN_DNSWL = 0
__JM_REACTOR_DATE = 0
__RCD_RDNS_SMTP_MESSY = 0
It does not appear that the actual rule matches the spirit of the rule.
Thoughts?
-- Jared Hall
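One way to check whether a meta "matches the spirit of the rule" is to evaluate its expression mechanically against a hit table like the one listed above. The following is an added example (not from Jared's post and not SpamAssassin's own meta engine): a small evaluator for SA-style meta expressions (`!`, `&&`, `||`, parentheses, `+` and comparisons) plus a scorer. The hit table is the listing from this post; `DMARC_OFFSET` is the meta from the earlier post on this page; the two `HYPO_*` expressions are reconstructions made up for the example because the real rule text is cut off above.

```python
import operator
import re
from typing import Dict, List, Tuple

# The subrule hits listed in the post above, as a 0/1 table (constructed from that listing).
PAGE_HITS = {
    "DCC_CHECK": 0, "RAZOR2_CHECK": 0, "PYZOR_CHECK": 1,
    "__FSL_HAS_LIST_UNSUB": 0, "__UNSUB_LINK": 0, "__RCVD_IN_DNSWL": 0,
    "__JM_REACTOR_DATE": 0, "__RCD_RDNS_SMTP_MESSY": 0,
}

TOKEN = re.compile(r"\s*(\d+|[A-Za-z_][A-Za-z0-9_]*|&&|\|\||>=|<=|==|!=|[()!+<>])")


def tokenize(expr: str) -> List[str]:
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


class _Parser:
    """Recursive descent: or-expr > and-expr > comparison > sum > unary (!, parens, atoms)."""
    CMP = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
           "==": operator.eq, "!=": operator.ne}

    def __init__(self, expr: str, hits: Dict[str, int]):
        self.toks, self.i, self.hits = tokenize(expr), 0, hits

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self, expect=None):
        tok = self._peek()
        if tok is None or (expect is not None and tok != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> int:
        val = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return val

    def _or(self):
        val = self._and()
        while self._peek() == "||":
            self._next()
            rhs = self._and()            # always consume the right side (no short-circuit)
            val = int(bool(val) or bool(rhs))
        return val

    def _and(self):
        val = self._cmp()
        while self._peek() == "&&":
            self._next()
            rhs = self._cmp()
            val = int(bool(val) and bool(rhs))
        return val

    def _cmp(self):
        val = self._sum()
        while self._peek() in self.CMP:
            op = self._next()
            val = int(self.CMP[op](val, self._sum()))
        return val

    def _sum(self):
        val = self._unary()
        while self._peek() == "+":
            self._next()
            val += self._unary()
        return val

    def _unary(self):
        tok = self._next()
        if tok == "!":
            return int(not self._unary())
        if tok == "(":
            val = self._or()
            self._next(")")
            return val
        if tok.isdigit():
            return int(tok)
        return 1 if self.hits.get(tok, 0) else 0   # a rule name is 1 if it hit, else 0


def eval_meta(expr: str, hits: Dict[str, int]) -> bool:
    """Evaluate one SpamAssassin-style meta expression against a rule-hit table."""
    return bool(_Parser(expr, hits).parse())


def score_metas(metas: Dict[str, Tuple[str, float]], hits: Dict[str, int]) -> Dict[str, float]:
    """Score contributed by each meta: its score when the expression is true, else 0.0."""
    return {name: (score if eval_meta(expr, hits) else 0.0) for name, (expr, score) in metas.items()}


METAS = {
    "DMARC_OFFSET": ("(ENA_SUBJ_LONG_WORD && DKIM_VALID)", -2.2),        # from the post further up
    "HYPO_SINGLE_CHECKSUM": (                                            # hypothetical reconstruction
        "(DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK"
        " && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY", 3.0),
    "HYPO_TWO_CHECKSUMS": ("(DCC_CHECK + RAZOR2_CHECK + PYZOR_CHECK) > 1", 3.0),  # hypothetical
}

print(score_metas(METAS, PAGE_HITS))
```

With the hits from the post, a meta that accepts a single checksum service fires on Pyzor alone, while the "two services must agree" variant does not; that is the kind of difference between the written expression and its intent that the listing above makes visible.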
t (FP) becomes Cascading Garbage Out.
Disable autolearn, wipe your Bayes store, and manually train from hand
classified ham and spam.
1000% Correct, IMO. If you must run Bayes, train it once and leave it
be. Repeat as needed.
Regards, KAM
-- Jared Hall
*
*
Be advised of spam from .sbs top-level-domains.
FWIW,
-- Jared Hall
/log/apport.log file on Ubuntu, /var/log/syslog and/or
/var/log/kern.log on Debian.
FWIW,
-- Jared Hall
Kevin,
Thanks. NBD. Replied OL.
Benny Pedersen wrote:
Is this now your newspaper to post all kinds of evil numbers? If all
rule set updates were like this as well, we would all lose. Do your good homework,
but don't make ads out of it here.
If it's just me, sorry.
Yes, you are right. There's too much traffic on this list.
More EvilNumbers from Maria Louise, one of Norton's GMail accounts.
Lucky for me my record was credited and not my actual account :)
Payment for renewal of service has been credited to your record.
*Order Number : JSRT-002349*
*Date: Sep 02, 2021*
Details:-
---
with a PDF
attachment called: "Norton Service Invoice PDF.pdf"
The PDF listed the phone number, highlighted and bolded, four times in
two slightly different variants:
+1855 552 2963
1855 552 2963
Blimey,
-- Jared Hall
TO_MALFORMED=0.1
0.1. Seriously? Could we at least get a 0.1 for the CC address also?
Aargh,
-- Jared Hall
in 4.0 could've been modified to check versions and load the correct
DecodeShortURLs.pm module. Say, what does happen if two plugins
register the same Eval rule? Anybody know?
2) OTOH, what's the point of sa-update doing versioning if nobody uses it?
-- Jared Hall
after that.
Another Thought,
-- Jared Hall
tic as
well as
they have a lot of Unicode sprinkled throughout; the SA normalize_charset
conundrum.
A Thought,
-- Jared Hall
omes a TLD :)
*Maybe* a little more refinement could prevent it picking up .hidden
folders that have a BAD_TLD name.
/[A-z0-9]+\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)(\s|$|\/)/i
$0.02,
-- Jared Hall
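Two properties of that regex are worth checking before deploying it: `[A-z]` is a code-point range (0x41 to 0x7A), so it also accepts `[ \ ] ^ _` and the backtick, and the `(\s|$|\/)` terminator means a host at the end of a sentence ("Visit example.top.") is missed. The following is an added example (not from Jared's post) that runs the posted pattern and a tightened variant over constructed lines; the tightened pattern is an assumption offered for comparison, not a rule from any SA ruleset.

```python
import re

TLDS = "pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar"

# The regex exactly as posted above.
POSTED = re.compile(r"[A-z0-9]+\.(" + TLDS + r")(\s|$|\/)", re.I)

# A tightened variant (added here, not from the post): only real hostname labels before the
# dot, and the TLD may not be followed by another label, so a sentence-ending "example.top."
# still hits while "example.topic" and "example.top.example.org" do not.
TIGHTER = re.compile(r"(?<![\w-])(?:[a-z0-9-]+\.)+(" + TLDS + r")(?!\.?[\w-])", re.I)


def chars_between_Z_and_a() -> str:
    """[A-z] is the code-point range 0x41-0x7A, so it also accepts these six non-letters."""
    return "".join(chr(c) for c in range(ord("Z") + 1, ord("a")))


def hits(pattern: re.Pattern, samples) -> dict:
    """Map each sample line to whether the pattern fires on it."""
    return {s: bool(pattern.search(s)) for s in samples}


SAMPLES = [   # constructed lines, not from any real message
    "register at example.top today",          # a real bad-TLD host: both should hit
    "see http://promo.deals.shop/offer",      # host inside a URL: both should hit
    "Visit example.top.",                     # sentence-ending dot: POSTED misses it
    "backup_.shop mirror",                    # underscore is inside [A-z]: POSTED false positive
    "cd ~/.top/",                             # hidden folder: neither hits
    "subscribe to the example.topic list",    # longer word: neither hits
    "mirror at example.top.example.org",      # bad TLD as a subdomain label: neither hits
]

print("extra chars accepted by [A-z]:", repr(chars_between_Z_and_a()))
for line in SAMPLES:
    print(f"{bool(POSTED.search(line))!s:5} {bool(TIGHTER.search(line))!s:5} {line}")
```

The posted pattern already avoids bare hidden folders like `~/.top/` because it requires a name before the dot; the remaining differences are the `[A-z]` range and the end-of-sentence case.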
I expected it. These are
professionals that took the time to load the plugin to see what it is
about. I adapted, made changes and came out better and wiser. My
respect for these people increased 100 fold. That's how I roll.
But if you're going to sit on the sidelines and complain, I have bad
news for you. There's no shortage of stuff I can shove into /dev/null.
$0.02,
-- Jared Hall
de of
normal PERLs /g. But preferably:
2) I'd get rid of delineation for those two Regexes, period.
X-Spam-Category =~ /(SPAM|PHISHING)/
X-AES-Category =~ /(SPAM|PHISHING)/
These are produced by something external with an obviously KNOWN
pattern. How many of those would you expect in a message? That'd be
another problem entirely. SA syntax is PERLish-only and does its
own internal sanity-checks and conversions.
$0.02,
-- Jared Hall
Henrik K wrote:
On Tue, Jul 20, 2021 at 10:44:43PM -0400, Jared Hall wrote:
I went out in the garage this morning and pulled out an old Dell PowerEdge
that had CentOs 6 on it.
Ever heard of virtual machines, or even perlbrew? :-)
I've been swamped. Didn't really have the time
old Dell PowerEdge that had CentOs 6 on it. Unfortunately it didn't
recognize the drives; SCSI RAID controller probably. So please let me
know if it works OK on PERL 5.16.
Sincere Thanks,
-- Jared Hall
Could be worse, like 3.4.4 on Ubuntu. Surprisingly, CPAN update worked great
and put everything in the right spots, symlinks and all!
9 out of 10 cavemen prefer Ubuntu with their Brontosaurus burgers. *Sigh*
-- Jared Hall
Sent from my T-Mobile 4G LTE Device
Get Outlook for Android<ht
elecom2k3/CHAOS/wiki/CHANGELOG#notes>Notes
There are no configuration file changes needed in this release.
Enjoy,
-- Jared Hall
using SeaMonkey for a few months now.
It never sent any User-Agent header until Monday. Very Strange. "Looks
like I picked the wrong week to quit sniffing glue".
-- Jared Hall
Defender Firewall Protection
+1, 888, 313, 1366
Thank you, kind Sir
-- Jared Hall
't set a User-Agent field.
It's not a Mozilla MSGID.
Only question I'd have is on MSGID.
$0.02,
-- Jared Hall
: USD 311.06
Order ID : AKSF-624F
Payment Mode :Auto-Debit
If you have any issues regarding this order,
Connect with us: +1(867)768-0009.
Thanks and Regards,
+1(867)768-0009.
FWIW,
-- Jared Hall
html and Content-Transfer-Encoding: quoted-printable
(w/ my document anyway).
I'm curious as to what HornetSecurity saw in their E-mail MIME header.
It DOES make a difference, at least regarding plugin scanning. But a
.doc file is a .doc file as far as Word is concerned.
I put forth a que
amned.
Maybe some 400-pound anti-spam nut in New Jersey would've stopped the
whole thing. We'll never know. We anti-spam folks are forced to sit on
the bench, waiting for another billion dollars in damages.
$0.02,
-- Jared Hall
not!
Martin
The CHAOS.pm module has an eval: from_no_vowels that may do the job as
well. Like most of the stuff in there it has internationalization so
that vowels in other language character sets are taken into account.
This looks at the From Name field.
$0.02,
-- Jared Hall
4|\+1\(866\)\s889\-3387)\b/i
FWIW,
-- Jared Hall
d inspecting threads on a computer.
The status quo is not sustainable. Just from a national/homeland
security perspective it would be a noble project; perhaps worthy of your
foundation - belly of the beast and all that.
$0.02,
-- Jared Hall
boundary="_c23d8b80-2b40-49d4-8897-08b0026dddfb_"
I called my customer to see if they opened it as it was in their Junk
mailbox. They didn't recognize the sender so no, they didn't.
Interesting, indeed.
-- Jared Hall
ways named "request.zip". Probably
IcedID or Konni malware.
Just FYI,
-- Jared Hall
From the project page at: https://github.com/telecom2k3/CHAOS here's
what's transpired since my last CHAOS module SA-User's post:
Version 1.2.0
Date: June 21, 2021
*
New Eval, check_reference_doms() controls how many @domain.tld
references can appear in a Reference header.
*
Debit:Auto
Wish to upgarde/ cancel the plan,
Reach out us AT +1 (850) 254-0627
Regards,
+1 (850) 254-0627
-- Jared Hall
-4052|\+1\s661\s280\s8730|\+1\s\(570\)\s500\-8391|\+1\-866\-785\-0325)\b/i
As per Loren and Martin, these rules are best used in a meta rule.
Loren's rule is solid. I had one message that did not contain the word
"order" in the subject and one other that had "Order Status" in the
From:Name field.
I also use these in conjunction with FreeMail rules. Good Luck.
My $0.02,
-- Jared Hall
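The alternations above spell out each number in one punctuation style, which is why the same scam number shows up on this page as "+1855 552 2963", "1855 552 2963" and "+1, 888, 313, 1366". The following is an added example (not from Jared's post or from any SA ruleset) that finds NANP-shaped numbers in a body regardless of separators, reduces them to a canonical 10-digit key, and checks them against a block list while counting repeats. The block list uses the numbers quoted in the scam samples on this page; the body text is assembled from those quoted fragments for the example.

```python
import re
from typing import Dict, Optional

# Anything shaped like a North American number, tolerant of the punctuation the scam bodies on
# this page use: "+1855 552 2963", "+1, 888, 313, 1366", "+1(867)768-0009", "+1-866-785-0325".
CANDIDATE = re.compile(
    r"(?<!\d)(?:\+?\s*1[\s,.\-]*)?\(?\s*\d{3}\s*\)?[\s,.\-]*\d{3}[\s,.\-]*\d{4}(?!\d)"
)


def canonical(number: str) -> Optional[str]:
    """Reduce a match to its 10 digits (dropping a leading country code 1); None if not NANP-shaped."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


# Block list keyed by canonical form. The numbers are the ones quoted in the scam samples on
# this page; the list itself is constructed for the example.
BLOCKLIST = {
    canonical(n) for n in (
        "+1855 552 2963", "+1, 888, 313, 1366", "+1(867)768-0009", "+1 (850) 254-0627",
        "+1 661 280 8730", "+1 (570) 500-8391", "+1-866-785-0325", "+1(866) 889-3387",
    )
}


def find_numbers(text: str) -> Dict[str, int]:
    """Canonical number -> occurrences; scam bodies tend to repeat the number several times."""
    counts: Dict[str, int] = {}
    for m in CANDIDATE.finditer(text):
        key = canonical(m.group(0))
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts


def blocklisted(text: str, blocklist=BLOCKLIST) -> Dict[str, int]:
    """Only the numbers that are on the block list, with their repeat counts."""
    return {n: c for n, c in find_numbers(text).items() if n in blocklist}


# Constructed body assembled from the scam fragments quoted on this page.
SAMPLE_BODY = """Payment for renewal of service has been credited to your record.
Order ID : AKSF-624F
Payment Mode :Auto-Debit
If you have any issues regarding this order,
Connect with us: +1(867)768-0009.
Thanks and Regards,
+1(867)768-0009.
Defender Firewall Protection
+1, 888, 313, 1366
Amount: USD 311.06, expires 2024-12-31 23:59:59
"""

print(blocklisted(SAMPLE_BODY))
```

Order IDs, amounts and timestamps in the same body do not produce candidates because the pattern needs the 3-3-4 digit grouping bounded by non-digits; the repeat count is a useful second signal, since legitimate mail rarely prints the same phone number three times.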
ndGrid; NEVER, EVER. One thing is certain, if
this matter is NOT addressed by the mail admins on this list, it WILL BE
addressed by the US Department of Commerce.
What started out as an interesting project has become a National
Security risk.
-- Jared Hall
From names, like this actual one:
DHL☺com
CHAOS will also help you with Unicode Character spoofs, via its
UniBabble rulesets:
ᴀмαzσи ᴘ𝔯𝔦𝔪ё
𝘼𝔪𝔞𝘻𝙤𝘯 𝘾𝘶𝘴𝙩𝙤𝘮𝘦𝘳 𝙎𝔢𝘳𝙫𝘪𝘤𝔢
Amαzoɴ Priⅿë
🅰🅼🅰🆉🅾🅽 🆂🅴🆁🆅🅸🅲🅴
𝐀𝐦𝐚𝐳𝐨𝐧 𝐍𝐨𝐭𝐢𝐜𝐞
...
...
CHAOS will run on PERL 5.18 and later.
-- Jared Hall
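The From names above mix small capitals, Cyrillic and Greek letters, mathematical alphanumerics and enclosed letters so that a human reads "Amazon" while no rule matching the literal word does. The following is an added example (not CHAOS code and not from Jared's post) of the folding such a check needs: NFKD normalization, dropping combining accents, a hand-picked look-alike map, and a fallback on the Unicode character name for small-capital and squared letters that have no compatibility decomposition. The look-alike table is a small assumption for the example, not the full Unicode TR39 confusables data, and the samples are re-typed from the post with explicit code points.

```python
import re
import unicodedata

# Hand-picked look-alike map (an assumption for this example, not the full Unicode TR39
# confusables table): Cyrillic and Greek letters that spoofers substitute for Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u043c": "m", "\u043d": "h", "\u0456": "i",
    "\u0438": "n",   # Cyrillic и, used as a mirrored N in the samples above
    "\u03b1": "a", "\u03bf": "o", "\u03c3": "o", "\u03bd": "v", "\u03b5": "e",
    "\u03c1": "p", "\u03ba": "k", "\u03c4": "t",
}
# Small capitals (U+1D00..) and negative squared letters (U+1F170..) have no compatibility
# decomposition, but their Unicode names end in the Latin letter they imitate.
LATIN_NAME = re.compile(r"LATIN (?:LETTER SMALL CAPITAL|CAPITAL LETTER|SMALL LETTER) ([A-Z])(?: |$)")
BRANDS = ("amazon", "paypal", "dhl", "microsoft")


def skeleton(text: str) -> str:
    """Fold text to the plain ASCII a reader perceives: NFKD, drop accents, map look-alikes."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):     # math bold/fraktur, Roman numerals -> ASCII
        if unicodedata.category(ch) == "Mn":            # combining accents: ё -> е, ë -> e
            continue
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
        elif ord(ch) > 0x7F and (m := LATIN_NAME.search(unicodedata.name(ch, ""))):
            out.append(m.group(1))
        else:
            out.append(ch)
    return "".join(out).casefold()


def scripts(text: str) -> set:
    """First word of each letter's Unicode name: LATIN, CYRILLIC, GREEK, MATHEMATICAL, ..."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in text if ch.isalpha()}


def check_display_name(name: str, brands=BRANDS) -> dict:
    """Flag a From: display name that only spells a brand once look-alikes are folded away."""
    sk = skeleton(name)
    claimed = [b for b in brands if b in sk]
    plain = name.casefold()
    return {
        "skeleton": sk,
        "scripts": sorted(scripts(name)),
        "brand": claimed[0] if claimed else None,
        "spoofed": any(b not in plain for b in claimed),
    }


def _math_bold(s: str) -> str:   # U+1D400.. MATHEMATICAL BOLD letters
    return "".join(chr(0x1D400 + ord(c) - 65) if c.isupper() else
                   chr(0x1D41A + ord(c) - 97) if c.islower() else c for c in s)


def _squared(s: str) -> str:     # U+1F170.. NEGATIVE SQUARED LATIN CAPITAL letters
    return "".join(chr(0x1F170 + ord(c) - 65) if c.isalpha() else c for c in s.upper())


# Re-typed from the samples in the post above, with explicit code points so the example is exact.
SAMPLES = [
    "\u1d00\u043c\u03b1z\u03c3\u0438 \u1d18\U0001d52f\U0001d526\U0001d52a\u0451",  # ᴀмαzσи ᴘ𝔯𝔦𝔪ё
    _math_bold("Amazon Notice"),                                                  # 𝐀𝐦𝐚𝐳𝐨𝐧 𝐍𝐨𝐭𝐢𝐜𝐞
    "Am\u03b1zo\u0274 Pri\u217f\u00eb",                                         # Amαzoɴ Priⅿë
    _squared("Amazon Service"),                                                   # 🅰🅼🅰🆉🅾🅽 🆂🅴🆁🆅🅸🅲🅴
    "Amazon Customer Service",                                                    # legitimate spelling
]

for sample in SAMPLES:
    print(sample, "->", check_display_name(sample))
```

The mixed-script set is an independent signal: a display name whose letters come from LATIN, CYRILLIC and GREEK at once is suspicious before any brand matching, while a name written entirely in mathematical bold is caught by the skeleton alone.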
$USER_PART:", "Dear Esteemed $USER_PART", etc.) let me know.
Thanks.
-- Jared Hall
ues. How are you guys at Invaluement
tracking in that area? I saw some esp stuff on Github.
-- Jared Hall
I do kind of like Tom Hendrikx idea of putting cloning the folder into
somewhere in /usr/local/etc and putting a modified pre file in
/etc/spamassassin/. But it's true it's not perfect.
Yes. Tom's idea is correctish; perhaps a more "true" solution for some.
ZERO-TRUST. SpamAssassin is equa
/telecom2k3/CHAOS
May your days be long and without bifurcation.
-- Jared Hall
t: 2024-12-31 23:59:59
Looks like your Email is the zombie offspring of Scriptkiddie meets
Spamkiddie :)
Hope this helps!
-- Jared Hall
/Messages rule.
* New Admin Fraud messages added.
-- Jared Hall
this: There is
something to the ZERO-TRUST security model.
Thank you, John. "You do that voodoo that you do so well".
-- Jared Hall
e name of your company! ;)
I see that JH and the SpamAssassin crew will address your problem. In
the meantime, it won't
hurt to add a local rule like:
header MY_XM_RANDOM X-Mailer =~ /Qboxmail Webmail/
score MY_XM_RANDOM -1.154
-- Jared Hall
On 2/16/2021 2:06 PM, RW wrote:
That's not a bad idea, but if anyone is interested I'd suggest copying
the character matching regexes into ordinary rules. Or better still into
template tags, so that they can be reused in multiple rules.
Agreed, RW. Most of the stuff in there originated from rul