ake, at least for any mail
system in this millennium.
R's,
John
make it look like an abandoned module is
available and in use when it is not isn't a precedent we want to set. That way
lies madness.
+1
Agree.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
out moment à
ce traitement à des fins de marketing.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
amples are always welcome.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
t already hit
bayes99 (and bayes999) but are still just shy of 5 points.
I use local metarules that include BAYES_999 + other hits like URIBL to
add extra points.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@
It appears that John Hardin said:
>> PS: If this leads to questions like "what exactly was the point of the
>> thousand new TLDs?"
>> you're not the only one asking.
>
>ICANN monetizing their product. Period.
Actually, if you look at ICANN's financ
ional damage from the abusers infesting the .online
domain.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
On Thu, 13 Feb 2025, John Levine wrote:
It appears that wissen.online | Stefan Mehlhorn said:
Are there any specific configurations or adjustments we can make to lower
the high spam score of our emails?
Or can you put us on one of your global whitelists for trusted .online
domains?
I doubt
The .online TLD is full of garbage, and
spamassassin
is not the only spam filter to treat it as highly suspicious.
If you want people to accept your mail, send it from a TLD that isn't awful.
I'm guessing that wissen.online is the same company as wissenonline.de. That
domain
should
On Tue, 11 Feb 2025, Kris Deugau wrote:
John Hardin wrote:
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just
like the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so i
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so it's a *little* less obvious.
Initial rules checked in.
--
J
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
"If you did not authorize this, please call us immediately at-I(888)
592-O36I to secure your account and recover your
funds."
Will add rules tonight.
--
John Har
to make a difference unless the
scores are set manually, which increases their FP risk.
I'd ask all who are doing masschecks to review their corpora of Paypal
messages to see whether these messages, and Paypal messages with
obfuscated phone numbers, are misclassified as ham.
2}\x{E0}\x{B8}\x{B8}\x{E0}\x{B8}\x{97}\x{E0}\x{B8}\x{B1}\x{E0}\x{B8}\x{99}\x{E0}\x{B8}\x{97}\x{E0}\x{B8}\x{B5}'
=~ /(?^aa:\x{E0}\x{B8}\x{95})/
(does not match)
You should probably open a bug with your rule and attach the spample.
--
John Hardin KA7OHZ http://www.im
}\\x{B8}\\x{97}\\x{E0}\\x{B8}\\x{B1}\\x{E0}\\x{B8}\\x{99}\\x{E0}\\x{B8}\\x{97}\\x{E0}\\x{B8}\\x{B5}/
...do you also need to escape the curlies?
/\\x\{E0\}\\x\{B8\} etc...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
and I can't really see why apart
from it not appearing in 50_scores.cf, and at the moment I don't want to
go spelunking in the code to verify that's the override...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
It appears that Kevin A. McGrail said:
>John, Are you using the KAM ruleset? We have several list/data broker
>rules and list them in the RBL quite regularly
Hm, I thought I was but now I see I had spamd looking at an old version of
spamassassin. Oops.
>On 1/17/2025 1:58 PM, Jo
is as -all
Throwaway account == actual Gmail or Outlook account. Their SPF and DKIM
all validate.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
Every day I get a bunch of spam from fake list brokers, invariably from
throwaway Gmail or Outlook
accounts.
The text in them seems fairly consistent. Anyone have patterns to catch them?
They're quite annoying
since they're hard to separate from the legit mail we get from giant mail
systems.
ardless of subdomain is
an excessively broad response.
FYI, ct.sendgrid.net has been in the base ruleset util_rb_3tld since April
2021.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB87
On 10/01/2025 at 15:35, Bill Cole wrote:
On 2025-01-10 at 08:49:04 UTC-0500 (Fri, 10 Jan 2025 14:49:04 +0100)
John Wilcock
is rumored to have said:
Hi all,
I'm using Spamassassin 4.0.1 on Gentoo and I've recently switched to
using MySQL (actually Mariadb 10.6) for Bayes stor
ished
Jan 10 14:45:02.884 [15474] dbg: bayes: found bayes db version 3
I see no sign of a reconnect option being used in BayesStore/MySQL.pm
I know it's only a warning; everything appears to work anyway.
Any ideas?
--
John
le mailbox file containing multiple messages -
that's 46 individual email files in one zip or gz archive), but that's
not a requirement.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key
to me directly for review, if
we're missing new variants or some Google domains that would help us
improve our coverage.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 --
ll be happy to back out those changes if consensus is they aren't
reasonable.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
PNTLD && (__PDS_SEO1 + __PDS_SEO2 >=
1)
tflags SEO_SUSP_NTLD publish
I don't know whether Paul is still actively maintaining his rule sandbox,
his last commit there was four years ago.
The changes seem reasonable, I'll apply them.
--
John Hardin KA7OHZ
usual TLDs
there as well...
I will see about adding that to my sandbox tonight or tomorrow, but no
guarantees on how it will do in masschecks.
It might also be time to update my phishing phrases rules...
Feel free to send me an archive of spamples if you like.
--
John Hardin KA7OHZ
stead informational score 0.0001, ALL_TRUSTED is used in
metas.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
reverse
lookup of the sender's IP and whitelist/blacklist for domain names from
that so you block the sender at SMTP time.
Don't get tunnel vision about SpamAssassin being the only tool available
for this sort of thing... :)
--
John Hardin KA7OHZ http://www.
On Thu, 26 Sep 2024, joe a wrote:
So, on the one hand I can add them to whitelist and be done with it, or
I can add them to missed HAM for re-learning.
Which is the best approach?
Do both.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Fri, 13 Sep 2024, Bill Cole wrote:
Please send any replies to the list only.
...or to Harald only.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
e the links directly
rather than providing the pastebin links publicly here on the list.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
illing to bring that code up-to-date and
figure out what was needed and corpora providers were available.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4
a look
at config "report_safe 0".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
ffectively maintained"?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
l validate. Other than
that I don't think it's a strong spam indicator but there's no reason
to try and guess whether a message with a length that doesn't cover the
full body has been modified maliciously.
R's,
John
time based on the corpora.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
ts: csa-complai...@eco.de header, which looks legit.
>
>Has anyone had success with reporting mail to this address? Does it get
>results?
ECO is real and I've found it worthwhile to report spam to them.
R's,
John
explain to the board members I'm
helping out is... painful.
Very simply worded step by step instructions, with screenshots amended
with arrows, outlines, highlights and so forth as needed.
...the .sigmonster agrees.
--
John Hardin KA7OHZ http://www.impsec.org/~jh
't suffer the TLD reputational hit. (If
you do that, avoid setting "ReplyTo: supp...@play.date", as that would
also take a reputation hit.)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec
that all that rule does, vs. hitting *specific* SendGrid accounts?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
, learning
as few mail as one should fix BAYES issues.
Move previously tagged SPAM into HAM folder and "relearn"?
Right. Train on misclassifications.
Also if there was a ham in your spam corpus review why it got
misclassified in the first place.
--
John Hardin KA7OHZ
"Missed SPAM"?, thinking along lines of keeping
BAYES "clean and sharp". So to speak.
Leave as is? Delete and re learn?
For a low volume home office user, I would simply NOT autolearn. Set up a
hambox and a spambox and manually feed them and train from them.
--
John Hardin
ven't
even seen the email at this stage) or indeed doing something they do not want.
It doesn't sound like it will *visit* the link, just ask some service if
the link has a reputation.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
is
pushing a lot of Email into "Junk folders", for now I'ma change that score to
0.25
2.5 points by itself shouldn't be enough to quarantine/junk messages. What
else is spammy about those messages?
--
John Hardin KA7OHZ http://www.
/<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F50
also hit __HAS_X_AUTHED_SENDER;
19% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)
I'll add a few of those to see how they do.
F'ing legit emailers that generate crap HTML {fume}
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@i
SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3
too much spams in hotmail
I'll put the subrules in my sandbox so they can be evaluated by masscheck.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key:
It wouldn't be much of a loss, but it's not spam either.
How did they perform individually?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8
like that, as a newbie mailing list member, looking for help, I humbly submit
that he's not someone you want being the first interaction a new list member
has.
Sadly, we cannot control that.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
olumn headers would aid analysis.
Can you swap the numbers in the 4th column and see if that changes the
behavior?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411
fic senders coming from specific IP
addresses, there's already built-in features for that. Look into
whitelist_from_rcvd, it may do exactly what you want.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...
u also add:
USER_IN_WHITELIST 0
They are synonyms, might need to kill both explicitly.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
a more general
solution, but this might be quite useful.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
On Sat, 13 May 2023, Matus UHLAR - fantomas wrote:
But I was more interested if SA already has something like that?
It does not.
On Fri, 12 May 2023, Loren Wilton wrote:
Weren't there a whole set of "FUZZY" rules once?
On 12.05.23 20:01, John Hardin wrote:
There still
On Fri, 12 May 2023, Loren Wilton wrote:
But I was more interested if SA already has something like that?
It does not.
Weren't there a whole set of "FUZZY" rules once?
There still are.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jha
On Fri, 12 May 2023, Matija Nalis wrote:
I wonder if someone has already done it, and something sufficiently
similar to be used to that purpose?
There are a lot of ReplaceTags rules in the base ruleset.
I don't know if offhand that works with header rules.
--
John Hardin K
: config: failed to parse line in (sql config) (line 9): use_pyzor\t0
info: config: not parsing, administrator setting: use_razor2\t0
info: config: failed to parse line in (sql config) (line 10): use_razor2\t0
... in SQL config? perhaps the lines are misplaced?
--
John Hardin KA7OHZ
me, for example commercial
accounts where you don't want a delay in receiving communications from
customers or potential customers. There are ways to tune it that may
mitigate these concerns somewhat.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
, i just report it
This bit:
WHERE short_url $1 = AND
...should probably be:
WHERE short_url = $1 AND
The basic expression syntax of SQL is the same as other (infix!)
languages..
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
trashed.
Poof, gone.
We don't sit watching our MUAs 24/7
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
On Thu, 12 Jan 2023, John Hardin wrote:
On Thu, 12 Jan 2023, Martin Gregorie wrote:
On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
Hello All,
I created this rule to check for email addresses matching a list to
get
added some negative value.
I also tried it with just domains so it
There are instructions for setting such
up for local blacklists, that works equally well for a local whitelist.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
e gateway to its external
address."
I think you're getting distracted by the word "resolve" there... This
sounds like a DNS issue.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
On Wed, 28 Dec 2022, Matus UHLAR - fantomas wrote:
On 28.12.22 12:55, John Stimson via users wrote:
The machine has bind9 running locally to provide DNS for its own domain,
and uses it for name resolution.
This is the problem:
Bind9 is configured to use OpenDNS and Google as forwarders
On 2022/12/28 15:09:36 Matus UHLAR - fantomas wrote:
> spamassassin service is not needed when you use amavis, you can stop and
> disable it.
Good to know.
On 2022/12/28 15:09:36 Matus UHLAR - fantomas wrote:
> >~amavis/.spamassassin contains a file user.prefs that has only comment
> >lines. Co
Updates:
On 2022/12/28 12:45:48 Matus UHLAR - fantomas wrote:
> have you reloaded amavisd?
I restarted the amavisd-new.service and spamassassin.service after
editing /etc/spamassassin/local.cf
> do you have anything set in amavis' home directory?
> usually ~amavis/.spamassassin
~amavis/.spa
> On 27.12.22 13:04, John Stimson via users wrote:
> >Thanks -- I found a mechanism that empties the list of headers used to
> >determine the originating IP. I added this line to my local.cf:
> >
> >clear_originating_ip_headers
>
> I recommend checki
On 2022/12/26 23:47:41 Benny Pedersen wrote:
> X-Originating-Ip should not be used for whitelists, only for blacklist
> rbl, even on only blacklist its unsafe to use, rules maintainers can
> remove it, now that spamassassin 4.0.0 is out :)
>
> read "perldoc Mail::SpamAssassin::Conf" to see how th
the error and perhaps even figure out why the standard ubuntu package
doesn't do this correctly.
On 2022/12/26 23:02:30 Benny Pedersen wrote:
> John Stimson via users wrote on 2022-12-26 21:44:
>
> > My second question is where to report an SMTP server that passes SPF,
>
Hello,
I have lately seen an increase in the number of spam messages passing
spamassassin. Checking the X-Spam-Status header, I see that the common
reason they are all passing is that they hit the DNSWL_HI test to get a
-5 adjustment to their spam score. However, when I check the IP address
blacklist
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Micron Confidential
h. "Go away and stop bothering us."
It's not the only place Google won't let you report problems from outside
their ecosystem either - you can't report spam coming through Google Groups
with the link in the messages without logging in to a Google account.
I gave up tryi
block all page.link, whois says its hosted by google :/
go ahead..
There are legitimate sites using that domain.
I added it as a 2tld for URIBL, so please report such domains to URIBL.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
tion tools available that
would return much the same information, and that would give something
helpful to discuss with the site admin when trying to resolve the
situation.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Sat, 13 Aug 2022, joe a wrote:
Why waste your own system resources to help a scoundrel? Drop them and be
done.
I personally prefer to TCP tarpit repeat offenders.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
that is "headers misspelled" (not "headers missing")
MISSP = misspaced
and it is checking for any of the listed words at the start of a line,
followed by a colon, and NOT followed by a space.
--
John Hardin KA7OHZ http://www.impsec.org/~jha
about posting it here so you do not need to do this work. If you do
some random checks, you can see this looks weird[2]. Do as you
please with this info.
FYI, I'm rejecting them at the postfix level.
*cough* TCP Tarpit *cough*
--
John Hardin KA7OHZ http://www.impsec.or
ba3e69a
MIME-Version: 1.0
Capitalizations-Grievously: oilers
Content-type: multipart/mixed; boundary="--=_1649731129-716331-86"
Obviously, the following bogus header names are present:
Minicomputers-Exhume
Malthus-Films
Parasitic-Homogeneity
Capitalizations-Grievously
Take
naged by your provider and
if more than a few of them are listed (particularly by multiple DNSBLs)
then your provider is probably problematic and you should look elsewhere.
[Ooo, look, the .sigmonster is listening...]
--
John Hardin KA7OHZ http://www.impsec.org
's not universal, either. It passed lint here or I wouldn't have
checked it in. It passed the masscheck lint or it wouldn't have been
published.
I've checked in a fix, there may be one more bad update tonight before it
goes out.
--
John Hardin KA7OHZ
On Fri, 18 Feb 2022, da...@grmcompany.com wrote:
Dan:
The SA users mailing list is self-managed.
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@imps
m matching
delimiters from SA. I suspect there are at least hundreds of rules like that
in the release database. I have about a hundred local rules of my own that
use that.
Indeed.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
No, I added that after observing multiple spams with random garbage after
the closing HTML tag in the HTML body part. Presumably it was an attempt
at Bayes poison, checksum avoidance, or some other filter evasion
technique.
I'll tighten it up.
--
John Hardin KA7OHZ
"htmlbody" rule type...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Will update, thanks for the report.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
but that does have the downside
of accepting spam from them if their account gets hacked, for example.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C A
correctness.
Isn't that exactly what we're discussing here? "Technical correctness"?
The way I generally put it is: SpamAssassin is not an RFC-compliance audit
tool.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Thu, 18 Nov 2021, Matt Corallo wrote:
On 11/18/21 16:49, John Hardin wrote:
On Thu, 18 Nov 2021, Matt Corallo wrote:
I followed up on the exim-users list on this - Exim *did* verify the
FcRDNS here and the above header line is what it generates by default for
FcRDNS. The RFC quote they
ified that rule a bit to also look at the HELO and envelope From
address to see if they are from Shopify. Granted that's less reliable than
rDNS, but it's probably Good Enough.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
NS is causing their mail to be
considered spam.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
On Mon, 15 Nov 2021, Matt Corallo wrote:
Full headers follow, but it seems the shopify detection in the above isn't
quite correct;
Thanks for the report, will fix.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pg
On Mon, 15 Nov 2021, Philip Prindeville wrote:
On Nov 12, 2021, at 8:49 PM, John Hardin wrote:
On Fri, 12 Nov 2021, Philip Prindeville wrote:
I got the message, saved it to a flat file, and ran "spamassassin -t -D rules <
netdev.eml" and saw:
...
Nov 12 11:45:38.048 [3636
ication to the timeout message could display the name of the rule and
even how long it took to that point.
That's what I was thinking when I said "capture and log".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
On Sat, 13 Nov 2021, Henrik K wrote:
On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wrote:
What would be helpful here would be logging of when a rule *starts*
evaluation. Normally that would be painful, but for tracking a runaway it
would be useful. Perhaps I can code up something to
ode up something to capture that and log
it on a timeout...
If you want to send me that message zipped up I can try it here with those
changes and see if it's a base rule running away.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org
===
And what of the BIDI sequence that actually causes the problem?
All Of Unicode is not the problem.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 1
can find a problematic rule by comparing that debug output from a bad
message to that of a message which doesn't hang SA.
There's also the HitFreqsRuleTiming plugin if you're running in a dev
environment and can let it scan for a potentially long time (until
completion).
--
On Sat, 23 Oct 2021, Benny Pedersen wrote:
On 2021-10-20 16:58, John Hardin wrote:
On Wed, 20 Oct 2021, Axb wrote:
On 10/19/21 8:06 PM, Jerry Malcolm wrote:
Where do I find a starter toks file?
You don't need a "starter" file.
Your Bayes starter is your training cor