"Noel Butler" wrote in message
news:1297993593.5473.74.camel@tardis...
/Very Ancient/
On Thu, 2010-06-10 at 18:40 +0200, Jeremy Fairbrass wrote:
Hi, I've noticed what seems to be unexpected behaviour with the Freemail
plugin, which I'm hoping someone can shed some
Hi, I've noticed what seems to be unexpected behaviour with the Freemail
plugin, which I'm hoping someone can shed some light on.
I'm using SpamAssassin 3.2.5, and the "FreeMail.pm" plugin v2.001 from
http://sa.hege.li, along with the rules from the 20_freemail.cf file at the
same location.
"ram" wrote in message
news:1267506187.16095.11.ca...@darkstar.netcore.co.in...
http://www.spamhaus.org/dbl/
I think sa-folks would have this already in some URIBL rule. What are
the scores you assign for a dbl positive hit ?
I assume my current datafeed would already extend to data access on t
"Dirk Bonengel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi all,
I'm the author of the iXhash plugin, a piece of code that computes a variety of 'fuzzy checksums' along the lines of the NiXSpam
project (run by the German IT magazine iX).
I also run two DNS zones (nospam.login
"mouss" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Mike Cisar wrote:
Hi All,
Have been trying to write a regex for a custom rule to catch a particular
spam that's been annoying the heck out of me.
I've got about 6 body rules and have narrowed the problem down to the regex
"Jeremy Fairbrass" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi all,
Can the "tflags multiple" setting be used with mimeheader rules? Or only with
header, body, rawbody, uri, and full tests?
Also, where can I find some further info on how "
Hi all,
Can the "tflags multiple" setting be used with mimeheader rules? Or only with
header, body, rawbody, uri, and full tests?
Also, where can I find some further info on how "tflags multiple" should be used - perhaps with an example or two? I can't find
anything in the SpamAssassin wiki on
Hi, could someone kindly tell me what the file "triplets.txt" is used for, and
if I need to have it in my rules directory or not?
Cheers,
Jeremy
"Rob McEwen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Marc Perkel wrote:
I was just wondering from those of you who have done it - how to start a URIBL.
I'm guessing the process (simplified) is:
1) Mine messages for links
2) Subtract out anything matching a fairly large whit
I think it's also used in Germany. The two domain names function identically, and I even think if someone sends a message to either
[EMAIL PROTECTED] or [EMAIL PROTECTED], both will reach you - ie. you can use them interchangeably. But whether you can
officially register for one or the other prob
; <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
for what it's worth, I just pushed Henry's version of Joe's rules into the
3.2.x sa-updates.
--j.
Jack Pepper writes:
Quoting Jeremy Fairbrass <[EMAIL PROTECTED]>:
> HI Jack,
> Any chance of s
HI Jack,
Any chance of sharing your rules for this?!
Cheers,
Jeremy
"Jack Pepper" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
This info popped up on the emerging-Threats list. I have watched our
mail servers and have confirmed that it works.
The problem is that my attempts
No, MIMEHeader works fine with 3.1.x
- Jeremy
"Justin Mason" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Martin.Hepworth writes:
>> Hmm
>>
>> I'm still running 3.1.8..
>
> I think you need 3.2.x for the MIMEHeader plugin.
>
> --j.
>
>> Content analysis details: (7.
Try this (for replacing your the three meta rules):
metaRCVD_IN_LRBL_W (__RCVD_IN_LRBL_W && !__RCVD_IN_LRBL_B)
describeRCVD_IN_LRBL_W Local RBL Whitelist
tflags RCVD_IN_LRBL_W net
score RCVD_IN_LRBL_W -7
metaRC
"Michael W Cocke" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> These blasted PDF spams are driving me mad! Any ideas for a rule that
> would trip if there's no text in the body, just a PDF attachment ?
>
> (I'm using the PDFinfo plugin now, but I don't really understand it)
>
> Th
"Loren Wilton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>> Right? If I test this rule using the Regex Coach tool at
>> http://weitz.de/regex-coach/ (I'm on Windows), with the 'm' switch
>> enabled, the rule works fine. But when I test it with SpamAssassin, it
>> doesn't work
out how to get multiline mode to work in a rule
- Jeremy
"Per Jessen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Jeremy Fairbrass wrote:
> Hi all,
> I hope someone can help me with a rule I'm trying to write. My
> understanding of the multi-l
Hi all,
I hope someone can help me with a rule I'm trying to write. My understanding of
the multi-line mode, with the /m switch at the end,
is this: in this mode, the caret (^) and dollar ($) match before and after
newlines in the string. Is that correct?
I believe this is the correct method fo
I'm running PDFInfo 0.3 with SA 3.1.8 and it works fine for me - and I'm
even running it on Windows! :)
Cheers,
Jeremy
"Suhas Ingale" <[EMAIL PROTECTED]> wrote in message
news:!&[EMAIL PROTECTED]
Hello,
I am trying to run PDFInfo plugin with SA 3.1.7. SA registers the plugin
successf
You can try the Windows port of SA at http://sawin32.sourceforge.net/
(currently version 3.1.7). They have a POP3 proxy version called SAwin32
(designed for end-user mail clients), as well as a full-blown port of
SpamAssassin plus sa-learn and sa-update.
There's also a list of Windows SA-relate
Thanks Dirk!
I have a question: two of the RBL zones have very similar names -
nospam.login-solutions.de and nospam.login-solutions.ag. Do they
belong to the same company, and what are the differences between them? Eg. do
they both contain exactly the same data (hashes) as
each other, or are th
Hi all,
Can someone please advise me: is it good or bad to add "bayes_ignore_header"
values in my local.cf file for the X-Spam headers that
are added by SA? For example:
bayes_ignore_header X-Spam-Status
bayes_ignore_header X-Spam-Level
bayes_ignore_header X-Spam-Checker-Version
bayes_ignore_hea
brackets] - I think it's acceptable to just have
[ ] without the \ inside. Although it doesn't do any harm having it in there
either...
Cheers,
Jeremy
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Thu, 8 Mar 2007, Jeremy Fairbrass wrote:
>
>> I
I just tested those three rules below, and none of them work with
"www.superveils . com" (ie. having a space both before and after
that dot).
You might want to try my version of this rule instead - it's attached to avoid
line wraps. Works well for double-spaces in a URL
(including on either si
Hi Justin,
What exactly is the fix, and where do I find it?
I just installed the VBounce plugin on my server this weekend (for the first
time), and have the same probs described here - ie.
although I've added my server to whitelist_bounce_relays in local.cf, I'm not
getting the MY_SERVERS_FOUND
Hi all,
I'm not sure if this is a bug with the FAKE_HELO_MSN rule, or if I'm just
overlooking something...
I just received a legitimate email from MSN.com (to verify an email address
for MSN Messenger). The email triggered the FAKE_HELO_MSN rule, but I can't
see why. Here are the 3 Received hea
CTED]
> On Thu, Nov 30, 2006 at 06:22:46PM +0100, Jeremy Fairbrass wrote:
>> Can someone please let me know exactly what illegal characters are being
>> checked for with the eval:check_illegal_chars rules? Can I find a list of
>> those characters somewhere?
>> Also, what a
Hi all,
Can someone please let me know exactly what illegal characters are being
checked for with the eval:check_illegal_chars rules? Can I find a list of
those characters somewhere?
Also, what are the meanings of the variables that this rule takes? For
example:
eval:check_illegal_chars('Subje
Why does your rule not work? It looks good to me, if you're trying to detect
a subject consisting of (for example): "hi it's John" or something. Can you
give some exact samples of subject lines you're trying to flag?
If this string ("hi it's ") is the only thing in those subject fields -
no
-Relays-Untrusted??
- Jeremy
"Matt Hampton" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Jeremy Fairbrass wrote:
>> I want to block all emails that come from an IP in China (where the IP is
>> the one connecting to me), *BUT* I want to exclude
e IPs listed in
trusted_networks.
Any ideas?
Cheers,
Jeremy
"Matt Kettler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Jeremy Fairbrass wrote:
>> Hi all,
>> It says at
>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.
Hi all,
It says at
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options
that when an IP address is added to a 'trusted_networks' entry (eg. in
local.cf), "DNS blacklist checks will never query for hosts on these
networks".
However, from what I can see
Where exactly can I find the new RCVD_FORGED_WROTE2 rule you refer to? I
have RCVD_FORGED_WROTE in my 80_additional.cf file, but I don't have any
RCVD_FORGED_WROTE2 rule. And yes, I have run sa-update to get the latest
updates available :)
Cheers,
Jeremy
"Tony Finch" <[EMAIL PROTECTED]>
"Justin Mason" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> Jeremy Fairbrass writes:
>> Hi all,
>> I have a question about the MIMEHeader plugin: if I have multiple
>> mimeheader
>> rules, are they all checked against the same par
Hi all,
I have a question about the MIMEHeader plugin: if I have multiple mimeheader
rules, are they all checked against the same part in a multipart message?
So let me give an example:
Let's say an email has 2 separate mime header sections (perhaps one is TXT
and the other is HTML, or perhap t
A further question to this: if I want to disable one of those rules in
20_dnsbl_tests.cf, do I only need to give a score of 0 (in local.cf) to the
rule with the check_rbl part, or do I need to give a score of 0 to each of
the 'sub' rules?
For example, there are three sections to the Spamhaus lo
You can change the "score" line to this, if you simply want the score to be
3:
score PRIVATE_RBL 3.0
Also, make sure that the file you create in your spamassassin directory, has
the .cf file extension - ie. it should be: 99_Private_Rbl.cf rather than
simply 99_Private_Rbl
Cheer
Hi all,
I've noticed with SA 3.1.5 that the length of the lines in the X-Spam-Report
header seems to have reduced, ie. the line length for each rule mentioned
there is not as long as it used to be, and thus the lines are wrapping more
often than before. Just in the X-Spam-Report only, the other
G'day everyone,
I received a legitimate email from Hotmail today, which (I believe)
inappropriately triggered the FORGED_HOTMAIL_RCVD rule in my SpamAssassin
(version 3.1.5). The email from Hotmail was actually a bounce-back to an
email sent by one of my users to a Hotmail address - it was bounc
AFAIK it's currently residing at http://zmi.at/x/70_zmi_german.cf
- Jeremy
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> what is the current home of the ZMI (german) ruleset?
>
> Wolfgang Hamann
I've had that problem in the past, and found that it was caused by an error
with some other rule elsewhere (usually a custom rule I'd written myself
which had a syntax error in it that I'd overlooked). I'd suggest doing
a --lint check of your rules, see what it turns up.
- Jeremy
"scottjf8"
I use a nifty tool called OLSpamCop to achieve this functionality with my
Outlook. OLSpamCop is an Outlook plugin, it adds a new toolbar to Outlook
and basically allows you to select an email, hit either a "spam" or "ham"
button on the toolbar, and OLSpamCop will forward the email to an address
you
I'm not sure it's actually obfuscated though?? It seems to be a valid URL, I
mean in terms of it existing in DNS as-is, and in terms of it working (click
on it and it takes you to the spammer's site). I actually didn't know you
could use <>[] characters in a domain name, but I guess you can - this
Good point, you're completely right! Thanks for pointing that out... :)
Cheers,
Jeremy
"John Rudd" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> On Apr 25, 2006, at 6:33 AM, Jeremy Fairbrass wrote:
>
>>
>>
>> /style=
Thanks guys for the clarifications! My understanding of how regex worked was
the same as Bowie's, ie:
-
> My understanding is that with [^"]+ the engine will scan from left to
> right until it finds a quote. Then, in the context of the previous
> regex, it will start backtracking to find a mat
Hi all,
I wonder if one of you regex gurus might be able to give me some advice
regarding the most efficiant way of writing a particular rule
Let's say I want to use regex to search for the phrase "color:blue" within a
tag as in the example below (just a made-up example for the sake of
thi
Hi Eric,
Actually the "full" rules don't ignore HTML at all - they are able to search
within HTML tags quite fine, and also take into account line breaks, because
they are run before SA does any decoding of the email. I use a bunch of
custom full rules for this exact purpose.
>From
http://spam
I use Outlook 2003 and use a freeware Outlook toolbar called "Outlook Spam
Report Utility", available from http://www.olspamcop.org/download.shtml.
It's designed to enable the easy forwarding of spam to SpamCop, but can
easily be modified to forward spam or ham to your own mail server for
learn
Hi, can anyone tell me if it's allowed to use regex with bayes_ignore_header
in local.cf? I've seen this done here and there by others but don't know if
it's actually allowed or will cause things not to function properly. For
example:
bayes_ignore_header X-Spam-\S+
If this *is* allowed, are th
Okay, thanks anyway for the advice! I'd upgrade in a flash but unfortunately
I'm not able to - I'm using MDaemon v8 which has SA bundled in such a way
that it can't be separately upgraded.
Cheers,
Jeremy
"Matt Kettler" <[EMAIL PROTECTED]> wrote in mess
Hi all,
Is it possible to use the SA 3.1.x rulesets (from
http://spamassassin.apache.org/full/3.1.x/dist/rules/) on SA 3.0.4? In other
words, simply downloading the .cf files from that URL and plonking them over
the top of the existing 3.0.4 rulesets? Would that cause any problems? The
advantag
Hi Jean-Paul,
I'll send you my own rule for these spams off-list - they may also help.
Fred's rules look like they're searching within the plain text part of those
spams, whereas mine searches within the HTML part and is a bit less specific
than Fred's, in that it doesn't care what specific lett
The wildcard isn't needed, and I doubt it's allowed either. See the info and
examples at
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
Specifically, the string at the end of whitelist_from_rcvd which refers to
the reverse DNS of t
Was this one only in plain text, or did it include an HTML part as well? Can
you give us the full body unaltered? Could be that it's using some other
type of fancy HTML to make the text look like that.
Cheers,
Jeremy
"Emmanuel Lesouef" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTE
Hi Emmanuel,
I have a custom rule which works nicely for me to catch those spams that use
this HTML trick. I'll send it to you offline as I've heard it's not wise to
post rules to the list (coz the spammers then see them) :)
Happy to send it to anyone else who asks too...
Cheers,
Jeremy
"Emma
What's the difference? Your meta rule is fundamentally identical to Loren's
rule, is it not?!
Cheers,
Jeremy
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Loren Wilton wrote:
> header LW_NONEWSSubject =~ /^Re:\s.*\bnews$/i
...
> The .* should be safe in that regex since a sub
Correct me if I'm wrong, but would a rule like the following one of mine not
do the trick regardless of how the MTA writes the Received header, and be
less prone (actually not prone at all) to spoofing?
headerJF_NO_PTRX-Spam-Relays-Untrusted =~ /^\[ ip=[^ ]* rdns= helo=/
describeJF_N
Something's not right there - the URL mentioned in the spam
(deolich-MANGLED.com without the -MANGLED bit) should have hit on both the
SURBL.org and URIBL.com blacklists, yet I don't see hits for either in the
tests that were flagged for this spam - you only have
"BAYES_40,FM_NO_STYLE,HTML_80_90,HT
Hi Eric,
The text there is encoded with base64, which is decoded into the "proper"
text by the mail client. SpamAssassin will also decode it before running its
rules against it, for "body" or "rawbody" rules, which means SpamAssassin
will be able to filter it out whether the text was encoded wit
Hi all,
Can anyone tell me if it's possible to make SA (3.0.x) save the
X-Spam-Relays-Trusted and X-Spam-Relays-Untrusted pseudoheaders within the
actual headers of each email, or at least somewhere else, so I can see what
they say for each email received? Eg. perhaps there is some setting in
l
You could also easily filter based on the subject, if it's always something
obvious like "Parhamcy news", and perhaps on obvious misspellings like
"tabIet", "abIets" etc (note the i in stead of l). And I don't think it
would be too hard to create a special rule to search for a long string of
indivi
Okay I've rewritten the first line of the rule in a way I think is better
(mind any line breaks)...
full__JF_STOCKSPAM1a/- Original
Message -[^\n]*\nFrom:[^\n]+\nTo:[EMAIL PROTECTED]@[^\n]+\nSent:[^\n]+\nSubject:[^\n]+\n{5,20}\w+/i
I've exchanged the .* and .+ with [^\n] (nega
Could you kindly explain to me about the @ character and why it needs to be
escaped, or in what conditions it needs to be escaped? Eg. you seem to imply
that it only needs to be escaped if followed by an alphabetic character. Is
that the only rule or are there other occasions when it should be e
Hi Loren, thanks for the feedback and suggestions! I didn't actually realise
that the @ symbol had to be escaped - my bad! I'm learning as I go... What a
pain that rawbody only does one line at a time; but at least now I know this
for sure - previously I wasn't completely sure about that.
SARE
64 matches
Mail list logo
