u do something to strip off all of the email headers?
For the BAYES_99, as already mentioned you probably need to retrain
bayes, making sure to correct any incorrectly trained email messages.
-jeff
les overlap. A message with bayes >= 99.9% hits both
rules. BAYES_99 ends at 1.00 not .999.
-jeff
See below:
On 5/13/2022 8:41 PM, Arne Jensen wrote:
Den 13-05-2022 kl. 23:42 skrev Jeff Koch:
We're getting numerous false positives on 'RCVD_IN_DNSWL_HI RBL'.
When I check these IP's (193.106.175.39, for example) at
https://www.dnswl.org they are NOT listed.
* trust
* [193.106.175.39 listed in list.dnswl.org]
How can I fix this? I've run sa-update and it does not help.
TIA - Jeff
lib/spamassassin
/usr/share/spamassassin
So, I can do Meta-. in Emacs and it goes directly to the 'header
FSL_HELO_NON_FQDN_1' definition
-jeff
rked as planned. If
this is something no one else has thought of before, then obviously
document it for science so it may save other people's lives. :)
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
sers to maintain individual whitelists and monitor individual
logs of rejected mail at http://www.rhyolite.com/dcc-demo-cgi-bin/
or http://cgi-demo:cgi-d...@www.rhyolite.com/dcc-demo-cgi-bin/. It
requires a user name of cgi-demo and a password of cgi-demo the same
as the user name.
-jeff
since only they know
which bulk mail they solicited. The only false positives (mail marked
as "bulk" by a DCC ...
-jeff
From: "Kevin A. McGrail"
Date: Wed, 18 Mar 2015 10:21:39 -0400
Anyone use this RBL or familiar with it? Pros/cons? Efficacy data?
regards, KAM
I get 5% spam hits on DYNA and 10% on NOPTR. The SPAM list isn't that
great (< 1% spam and some false hits).
-jeff
tched? Would I have to implement a
separate rule for each address?
use blacklist_to bogus_us...@mydomain.com ...
This will lead to hits on USER_IN_BLACKLIST_TO
-jeff
ive lock to the bayes
database particularly during expiration.
If spamc does bayes autolearning and starts an expiration then other
spamc runs for that user will be locked out of bayes. At some point
you start getting timeouts at different points in the email delivery
chain.
I have a separate sa-learn (or spamc -L) procmail recipe that has a
serialization lock.
-jeff
t that be fairly easy to implement by intercepting the call to
_tokenize_headers in Plugin/Bayes.pm?
  # Tokenize the headers
  my %hdrs = $self->_tokenize_headers ($msg);
  while( my($prefix, $value) = each %hdrs ) {
    push(@tokens, $self->_tokenize_line ($value, "H$prefix:", 0));
  }
-jeff
s the messages are
learned correctly. In addition to not having enough spam messages
you probably have learned various spam messages as ham.
-jeff
d the equal sign (i.e., user=domain.tld)?
Thanks,
Jeff
http://pastebin.com/UZeDtLWZ
You need to save the complete original message. Many of the headers are
missing.
MISSING_DATE=0.1,MISSING_MID=0.497,NO_RECEIVED=-0.001,NO_RELAYS=-0.25
With sufficient training you should be able to get BAYES_99 +
BAYES_999
-jeff
an-spamd, even set the directory and all contents to
world rwx, and the error persists. If I run sa-update as root, that
works fine too. Only when it is run as debian-spamd do I get the error.
Any ideas?
Jeff
" part.
The Bayes database is probably locked doing an expire.
Also, the GeoIP data file should be fixed:
Error Opening file /usr/local/share/GeoIP/GeoIPv6.dat
You need to post samples (to pastebin). We can't make comments on what
*should* be hitting unless we can see the message itself.
Yep.
-jeff
From: Matus UHLAR - fantomas
Date: Mon, 19 May 2014 15:44:30 +0200
> On 17.05.14 14:11, Jeff Mincy wrote:
> >It would have been easier to figure out why it was matching if the
> >matching spf entry was printed out, for example something like this:
> >
From: Matus UHLAR - fantomas
Date: Sun, 18 May 2014 18:22:49 +0200
On 17.05.14 14:11, Jeff Mincy wrote:
>I just got some spam that was erroneously spf whitelisted hitting
WHITELIST_FROM_SPF
>It took me a while to figure out why it was getting WHITELIST_FROM_SPF
  else {
    study $scanner->{sender};
    foreach my $regexp (values %{$scanner->{conf}->{$param}}) {
      if ($scanner->{sender} =~ qr/$regexp/i) {
        ##New dbg output here:
        dbg("spf: $param: $scanner->{sender} matches $regexp entry");
        return 1;
      }
    }
  }
  return 0;
}
-jeff
probably don't need unbounded {10,} but you do need
the {30,} part to be unbounded.
Is the 10 number part really important?
-jeff
I setup an email server today and for the life of me I can't figure out why
my spamassassin implementation is flagging all of my emails from the server
with DATE_IN_FUTURE_03_06
any help would be appreciated.
thanks in advance
Jeff
Return-Path:
Delivered-To: spam-quarantine
X-Envelope-T
http://lists.surbl.org/pipermail/announce/2013-May/000209.html
Date: Wed, 1 May 2013 05:54:48 -0700
To: SURBL Announce
Subject: [SURBL-Announce] MW malware sublist added to multi, replaces OB
As announced last October, malware data has been moved from PH
to a new list MW, taking the bit of O
unadulterated original email message. You can do this by
attaching the complete email message. Otherwise you are training
bayes to recognize tokens added by your users during the forwarding
process as a spam indicator.
-jeff
From: Matus UHLAR - fantomas
Date: Thu, 21 Feb 2013 16:36:18 +0100
>On 2/21/2013 9:03 AM, Jeff Mincy wrote:
>>Well, I trust the network not to lie. This is more of an omission
On 21.02.13 10:26, Kevin A. McGrail wrote:
>Your Clinton-esque logic likely d
se headers outside SA or fixing the ISP creating those headers
are the real solutions.
There is of course a third option for me - I could turn off the spam
filtering on Rcn email. Most of the spam is blocked by Rcn, there's
almost no point in trying to filter what little spam is left.
-jeff
From: "Kevin A. McGrail"
Date: Thu, 21 Feb 2013 08:46:40 -0500
On 2/20/2013 8:51 PM, Jeff Mincy wrote:
> ...
>
> This leads to various bad things (RDNS_NONE & broken WHITELIST_FROM_RCVD)
>
> Is there anything in SpamAssassin that can deal
nything in SpamAssassin that can deal more elegantly with
this particular problem? Perhaps Some sort of please_fill_in_rcvd_rdns
type option?
I'm still on 3.2.5 (yes I know it is old).
-jeff
means unknown, mostly due to stale database. You can update the
IP::Country database. See:
http://wiki.apache.org/spamassassin/RelayCountryPlugin
-jeff
EADERS_MESSAGE Message appears to be missing most RFC-822
you are passing in malformed email messages into SpamAssassin.
SpamAssassin can not find any of the headers. I'd guess that you
have extraneous junk at the beginning of each message.
-jeff
u are really getting about 1 per day. You
could just turn off Bayes. Or you could just turn Bayes off. I'm
almost at the same point with my home email, for the same reason.
-jeff
ery results for this issue are
scant.
There have been numerous posts on BAYES.
-jeff
From: RW
Date: Tue, 19 Jun 2012 23:43:57 +0100
On Tue, 19 Jun 2012 18:02:28 -0400
Jeff Mincy wrote:
>From: John Hardin
>Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>
>On Tue, 19 Jun 2012, Benny Pedersen wrote:
>
>
om_rcvd? For example, whitelist_from could
trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The
description of the test could include warnings about how easy
it is to spoof whitelist_from.
-jeff
On Thursday, December 1, 2011, 10:11:35 AM, Darxus Darxus wrote:
> On 12/01, Jeff Chan wrote:
>> Also keep in mind that PH has a generally low score even for net
>> + bayes since it doesn't hit a large portion of spam in the SA
>> corpus.
> No. Scores are not d
es it does hit are
generally going to be phishing or malware, so IMO it should have
a much higher score. Unless people want to get phishing and
malware
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
rtolini-sales.com auth.ccsend.com
The auth.ccsend.com comes from the signature line
DKIM-Signature: ... d=auth.ccsend.com
-jeff
UTOMATIC_ACTION Disposition =~
/automatic-action\/MDN-sent-automatically; deleted/
This appears to be some new MS Exchange bounce message.
I'm running 3.2.5 if it matters.
thanks.
-jeff
do things.
See:
http://www.surbl.org/surbl-nameserver-setup
and:
http://www.surbl.org/links#mirrors
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
with
the easiest way to get help is to post a complete sample including all
the headers using some pastebin and send the link and the x-spam-status
line that you get on your SpamAssassin to the group.
Otherwise all you're going to get is vague platitudes like train bayes.
-jeff
ach rule, for example by appending _00 _01 _02, etc.
Also, the rules could be combined into a single rule (untested) using
regexp (?:index|nana|ontokoros|tbt|webadmin)
uri LOCAL_URI_EXAMPLE /zynetsw.com\/forms\/use\/(?:index|nana|ontokoros|tbt|webadmin)\/form1.html/
-jeff
scribe
3. What went wrong
etc.
So at least there is a responsible party to hopefully act on
unsubscriptions, fire the spammy marketer, etc. It's sort of a
degenerate case of the degenerate case of email addresses going
to a third party, except it's the same party.
Spam is easy.
ould then be discarded.
Both seem reasonable approaches.
Those degenerate cases of both are indeed interesting.
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
ople don't want the stuff bots send.
The issue is complex, and there are many deliverability, security
and anti-spam companies and organizations that struggle with these
issues every day. Maintaining accurate ham and spam corpora and
making policies for what belongs in which category is trivia
I had noticed my black list shrinking.
>>> But here's some raw data from someone who tracks it.
>>>
>>> Now:
>>>
>>> http://www.sdsc.edu/~jeff/spam/cbc.html
>>>
>>> A year ago:
>>>
>>> http://www.sdsc.edu/~jeff/spam/2
our rbldnsd and BIND configs for the zone and
spamassassin rule, and we will check them.
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
_SENDER (__LOCAL_SENDER && __TRUSTED_NETWORKS)
score VALID_LOCAL_SENDER -0.1
-jeff
whitelist_from_rcvd *...@mydomain.com mydomain.local
trusted_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24 xx.xx.xx.xx
internal_networks 172.16.1/24 172.16.2/24 172.16.3/24 172.16.5/24
x
bayes_auto_expire and use bayes_learn_to_journal.
Add a cron job to periodically sa-learn --sync (say hourly)
and another cron job to do sa-learn --force-expire (daily/weekly)
-jeff
out this in a
log file.
If this is the case you can turn off bayes_auto_expire and run expire
from cron. You could also try learning to the journal and doing
sa-learn --sync periodically from cron.
-jeff
===
2010-03-31 01:22:25 1Nwlbc-0001QS-Ua H=
host81-136-197-8
wrongly flagging legitimate email if you make IP queries to the DBL.
> **
> Also check out the announcement at
> http://www.spamhaus.org/news.lasso?article=655 which goes into further
> detail on this new list.
Please also see this bugzilla:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6335
Cheers,
Jeff C.
--
Jeff Chan
mailto:je...@surbl.org
http://www.surbl.org/
y
domain
name it wants. Hosts can do this at a variety of levels: in
particular, the session, the envelope, and the mail headers.
Although this feature is desirable in some circumstances, it is a
major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka
spam)."
I think this argument is
How silly. That's like saying an iPhone is not a gaming device even though
plenty of people use it to play game apps. Perhaps you should re-read the
SPF FAQ's.
At 04:31 PM 2/25/2010, you wrote:
Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500:
> I disagree.
I don'
I disagree. SPF is just one of the tools - among other tools (e.g. DKIM,
domain keys, not accepting email from servers with no RDNS, etc) -
developed to help reduce spam.
--
Get your web at Conactive Internet Services: http://www.conactive.com
Best Regards,
Jeff Koch, Intersessions
hen the periodic
backscatter showers have got steadily smaller, so it looks as though
mailservers configured to check SPF before bouncing undeliverable mail have
been getting steadily more common.
Either that or spammers tend to avoid forging domains that have SPF.
-jeff
ation program which we neither have the time
nor money to do. Since we like our customers and they pay the bills it is
now a dead issue.
Any other experiences? I love to hear.
Best Regards,
Jeff Koch, Intersessions
JD - and after spending an hour registering and filling out forms I finally
get this email. Sweet!
Jeff
Delivered-To: intersessions.com-jeffk...@intersessions.com
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
pegasus.avspamfilter.com
X-Spam-Level: *
X-Spam-Status: No
ve me a contact name I would appreciate it.
Jeff
Delivered-To: intersessions.com-jeffk...@intersessions.com
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
pegasus.avspamfilter.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=RDNS_NONE,URI_HEX autolea
et signed ( for eg using a direct
relay with a compromised account ) you may be relaying the spams
inadvertently on the outbound , but never get FBL's until all the world
blacklists you
--
J.D. Falk
<jdf...@returnpath.net>
Return Path Inc
Best Regards,
Jeff Koch, Intersessions
hand, they send out emails from
their abuse-admin saying that they have no such program.
Yahoo is making me crazy.
If anyone has the email address of someone there that can actually get an
ISP signed up for the program I would appreciate it.
Best Regards,
Jeff Koch, Intersessions
From: Robert Nicholson
Date: Fri, 12 Feb 2010 19:32:00 -0600
Perhaps my confusion lies in the fact that it looks like headers != metadata?
Is there a way or setting that allows metadata to result in headers in the
message?
Did you try add_header?
ifplugin Mail::SpamAssassin:
ack-ass ATTITUDE page.
Heh. Using IE 7.0 I get:
Your browser cannot handle the 9 year old standard required by the
web page you attempted to access. ...
IE 7.0 displays the page fine, but you have to save the file out as a
plain html file.
-jeff
wizard http://www.openspf.org/, then you paste
the results into the DNS TXT record for your domain).
SPF is great for what it does.
-jeff
ably useful and
> actively maintained spamassassin rulesets that publish an sa-update channel?
> - Marc
As I understand it, as soon as rules are published, some of the
senders of unsolicited messages immediately change their behavior
to defeat or bypass the rules, so publishing them is som
From: Kārlis Repsons
Date: Sat, 30 Jan 2010 17:20:23 +
On Saturday 30 January 2010 15:48:36 Jeff Mincy wrote:
> BAYES_99,DCC_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_FIVETEN_SPAM,RCVD_IN_NIX
> SPAM,RCVD_IN_UCEPROTECT1,RCVD_IN_UCEPROTECT2,RCVD_IN_UCEPROTECT3,BOTN
From: Ralph Bornefeld-Ettmann
Date: Sat, 30 Jan 2010 18:14:10 +0100
Am 30.01.2010 16:48, schrieb Jeff Mincy:
>From: Kārlis Repsons
>Date: Sat, 30 Jan 2010 14:07:16 +
>
>On Saturday 30 January 2010 13:54:14 Jeff Mincy wrote:
>
From: Kārlis Repsons
Date: Sat, 30 Jan 2010 14:07:16 +
On Saturday 30 January 2010 13:54:14 Jeff Mincy wrote:
> Retrain the message correctly in Bayes. Bayes will catch on to this
> after a few times. The subject alone should be a strong enough clue
> for bay
rn and not correcting messages that were
learned incorrectly.
-jeff
g the same rules...
Jeff
-Original Message-
From: John Wilcock [mailto:j...@tradoc.fr]
Sent: Wednesday, January 27, 2010 10:03 AM
To: users@spamassassin.apache.org
Subject: Re: Fuzzyocr and rule errors after upgrade to 3.3.0
Le 27/01/2010 18:57, Justin Mason a écrit :
>> Either someon
I've copied the working server's local.cf to
the non-working server. Still get the errors. Any ideas why one server would
have the errors and the other not? Prior to upgrading, I wasn't getting any
errors with 3.2.5...
Jeff
basis, but not sure that's very useful, just interesting.
sa-learn tells you how many tokens were deleted when you do --force-expire, for
example:
expired old bayes database entries in 152 seconds
1516428 entries kept, 115692 deleted
token frequency: 1-occurrence tokens: 73.76%
token frequency: less than 8 occurrences: 16.19%
-jeff
From: Cecil Westerhof
Date: Sat, 09 Jan 2010 16:24:56 +0100
Jeff Mincy writes:
>I upgraded from 3.0.4 to 3.2.5. I have the feeling that sa-learn takes
>more time with 3.2.5 as it took with 3.0.4. Can this be true?
>
>It is not a problem, b
aster.
Also, What is the size of your database? Maybe you are spending lots
of time doing expires or something.
-jeff
hould i enable special logging?
or, should i check the MTA and it's assigns that deal with the header?
The rule is probably also defined in some other file.
Are you using 00_FVGT_File001.cf? If so check there.
-jeff
n corrected yet?
Best Regards,
Jeff Koch, Intersessions
20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX The date is grossly in the future.
##} FH_DATE_PAST_20XX
-jeff
er
...
-c Concatenate continued fields in the header. Might be convenient
when postprocessing mail with standard (line oriented) text utilities.
-jeff
I give up!
Best Regards,
Jeff Koch, Intersessions
Instead of trying to make points why not read the whole thread? As I said
in a prior response - not everyone has management control over the
mailserver they use to get SA list mail.
At 01:01 PM 12/15/2009, Toni Mueller wrote:
On Tue, 15.12.2009 at 12:52:44 -0500, Jeff Koch
wrote:
>
As I said not everyone controls the mailserver they get their list mail from.
At 12:55 PM 12/15/2009, LuKreme wrote:
On 15-Dec-2009, at 10:52, Jeff Koch wrote:
> At 12:41 PM 12/15/2009, Benny Pedersen wrote:
>> open your eyes and see more, both the above smartphones above can
>
Of course an iPhone can see IMAP folders. But what's going to sort mail
into folders when I'm traveling for a week and the office PC is turned off?
At 12:41 PM 12/15/2009, Benny Pedersen wrote:
On tir 15 dec 2009 18:22:00 CET, Jeff Koch wrote
How could a two character tag
- but why not
also make it easy to follow discussions on other devices?
At 12:00 PM 12/15/2009, Toni Mueller wrote:
Hi,
On Tue, 15.12.2009 at 11:44:49 -0500, Charles Gregory
wrote:
> On Tue, 15 Dec 2009, Jeff Koch wrote:
>> I have to say that it is extremely annoying that thi
How could a two character tag like SA be annoying? You must never use a
blackberry or iPhone to check your email either.
At 11:12 AM 12/15/2009, RW wrote:
On Tue, 15 Dec 2009 09:44:50 -0500
Jeff Koch wrote:
>
> I have to say that it is extremely annoying that this mailing list
>
trying to get more users sending
their login and passwords than whatever it really is?
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Best Regards,
Jeff Koch, Intersessions
r, It's your email, so you
can do anything you want. If you think HABEAS is so bad just set the
HABEAS scores to zero and save the network bandwidth.
-jeff
Mail::SpamAssassin::Plugin::Razor2
# How many seconds you wait for razor to complete before you go on without
the results
razor_timeout 15
endif
-jeff
From: Rick Knight
Date: Tue, 13 Oct 2009 09:42:18 -0700
Jeff Mincy wrote:
>From: Rick Knight
>Date: Tue, 13 Oct 2009 08:53:21 -0700
>
>Just following this thread because I recently got dcc working also. In
>my case I didn'
Body=1 Fuz1=many Fuz2=many
If you get 'dccifd is not available:
... dbg: dcc: dccifd is not available: no r/w dccifd socket found
then you need to use dcc_dccifd_path or dcc_home
-jeff
From: Dan Schaefer
Date: Tue, 13 Oct 2009 10:17:43 -0400
Jeff Mincy wrote:
>From: Dan Schaefer
>Date: Tue, 13 Oct 2009 09:18:44 -0400
>
>Jeff Mincy wrote:
>>From: Dan Schaefer
>>Date: Tue, 13
From: Dan Schaefer
Date: Tue, 13 Oct 2009 09:18:44 -0400
Jeff Mincy wrote:
>From: Dan Schaefer
>Date: Tue, 13 Oct 2009 08:54:29 -0400
>
>Jason Bertoch wrote:
>> Dan Schaefer wrote:
>>> I just enabled DCC yesterda
343 0.000 [28903] dbg: dcc: listed: BODY=3/20 FUZ1=4384/20
FUZ2=99/20
-jeff
rt to DCC" SpamAssassin function do for our
good?
Using "Report to DCC" reports the message to DCC with a count of many.
After that everybody else querying the same message will get a count
of many.
-jeff
ient, such as would happen
if dccproc is not given -Q when processing a stream of mail that has
already been seen by a DCC client. Additional reports of a message
increase its apparent "bulkness."
-jeff
reporting the email from the mailing list to DCC, which will
increase the DCC count. Eventually somebody will report the mailing
list as spam to DCC and you will get a DCC match on the default
many=99.
You have to whitelist the mailing list in the dcc whiteclnt file.
-jeff
=RDNS ...] relay.
If the RDNS is blank then the whitelist_from_rcvd won't work.
Your internal_networks and trusted_networks need to be set up correctly.
-jeff
he X-Spam headers:
formail -I X-Spam < msg
-jeff
locally generated email that contain spam URLs through
SpamAssassin is not a particularly good idea. If you have Bayes
enabled then you are training your Bayes that spam URLs and whatever
else is in the log files are hammy tokens.
You really do want to skip SpamAssassin processing on messages like
this in your procmail.
-jeff
From: Jonas Eckerman
Date: Thu, 23 Jul 2009 15:37:11 +0200
Michael Hutchinson wrote:
>> I saw a test
>> message with just the word test in the subject hit DCC once.
> That's really strange, I don't see how DCC would fire on the subject..
> the checksum of the messa
e scripts like edit-whiteclnt.
Pyzor and Razor are easier to use because of the whitelisting.
Razor and DCC are both highly effective (>80%), and Pyzor is good (>40%).
-jeff
cussions on shell environment variables like LD_LIBRARY_PATH.
-jeff
usted. Various tests are not run on
trusted hosts.
-jeff
RW-15 wrote:
> On Sat, 11 Jul 2009 12:52:56 -0700 (PDT)
> dmy wrote:
>
>> As far as I understand SpamAssassin is supposed to just check the ip
>> that directly delivered the email to my server but not