Re: Enable Spamcop only

2008-01-25 Thread John D. Hardin
On Fri, 25 Jan 2008, Mofo_Jones wrote: > John D. Hardin wrote: > > > > On Fri, 25 Jan 2008, Mofo_Jones wrote: > > > >> One more question. This site has multiple domains that it does a > >> MX backup for and there are a few domains that I do not want SA to

Re: Enable Spamcop only

2008-01-25 Thread John D. Hardin
On Fri, 25 Jan 2008, Mofo_Jones wrote: > One more question. This site has multiple domains that it does a > MX backup for and there are a few domains that I do not want SA to > scan and add any header info. Can I exclude just those domains? What is passing emails to SA? A milter? Procmail? Whate

Re: Particular subject blacklist seems not to work

2008-01-24 Thread John D. Hardin
On Thu, 24 Jan 2008 [EMAIL PROTECTED] wrote: > I am fairly sure. The other subject lines started getting flagged > when I added entries for them. And I sent emails from an outside > account with a subject that matched one of the other patterns and > it got flagged. > > Is there a more concrete wa

Re: Particular subject blacklist seems not to work

2008-01-24 Thread John D. Hardin
On Thu, 24 Jan 2008 [EMAIL PROTECTED] wrote: > In the last few weeks, all of a sudden messages with the same 4 or 5 > subject lines started coming through undetected for some reason. > > So I decided to add patterns matching those to > /usr/local/share/spamassassin/60_whitelist_subject.cf Sill

Re: Enable Spamcop only

2008-01-24 Thread John D. Hardin
On Thu, 24 Jan 2008, Mofo_Jones wrote: > > spamassassin -D > > > Where message.txt is containing the message to test. > > Sorry, What I meant was how do I send a email to the SA server > that will be tagged so I can see it in the message. If your SA is configured to add status headers, the comm

Re: Enable Spamcop only

2008-01-24 Thread John D. Hardin
On Thu, 24 Jan 2008, Mofo_Jones wrote: > I am trying to setup my first SA and I can't seem to get the SA to do a check > on Spamcop. The following are my cf files and debug information. Can someone > please tell me what I am doing wrong? > [11631] dbg: plugin: loading Mail::SpamAssassin::Plugin::

Re: whois plugin .. where to get it

2008-01-24 Thread John D. Hardin
On Thu, 24 Jan 2008, Jeff Chan wrote: > Quoting Matt Kettler <[EMAIL PROTECTED]>: > > > The only big difference I see at face value is it uses whois instead of > > DNS to find the NS records.. that hardly seems efficient.. > > Whois is definitely the wrong protocol to use for automated > testing

Re: sa-learn errors.

2008-01-23 Thread John D. Hardin
On Thu, 24 Jan 2008, Michael Hutchinson wrote: > Bareword "MAX_URI_LENGTH" not allowed while "strict subs" in use > at /usr/share/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 2010. > > Bareword "MAX_URI_LENGTH" not allowed while "strict subs" in use > at /usr/share/perl5/Mail/SpamAssassin/PerMsgS

RE: whois plugin .. where to get it

2008-01-23 Thread John D. Hardin
On Wed, 23 Jan 2008, ram wrote: > > Allegedly 100% spam. Innocent until proven guilty, etc. > > > > NUCLEAR NAMES, INC. > > I would love to block all domains with these, but to think of it what > is there to prevent them from getting themselves whitelisted by > registering "good domains"

Re: Google link spam?

2008-01-22 Thread John D. Hardin
On Tue, 22 Jan 2008, Mike Yrabedra wrote: > Is anyone else getting these google link spams? Yes, we've been discussing them for the past week. It's a good idea to check the list archives before asking if there are rules for a particular type of spam. > http://www.gooogle.com/search? > > A

Re: more efficent big scoring

2008-01-22 Thread John D. Hardin
John D. Hardin writes: > > Loren mentioned to me in a private email: "common subexpressions". Whoops! Matt Kettler mentioned it to me, not Loren. Sorry! -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a

Re: more efficent big scoring

2008-01-22 Thread John D. Hardin
On Tue, 22 Jan 2008, George Georgalis wrote: > On Sun, Jan 20, 2008 at 09:41:58AM -0800, John D. Hardin wrote: > > >Neither am I. Another thing to consider is the fraction of defined > >rules that actually hit and affect the score is rather small. The > >greatest optimizat

Re: The googolbees are getting craftier

2008-01-22 Thread John D. Hardin
On Tue, 22 Jan 2008, Chr. v. Stuckrad wrote: > On Mon, 21 Jan 2008, John D. Hardin wrote: > > > > m,https?://(?:[^\./]+\.)*goo+gle(?:pages)?\.(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?&](?:btni|adurl),i > > If I understand that pattern, both the '*' are &#

Re: The googolbees are getting craftier

2008-01-21 Thread John D. Hardin
Whoops! Just noticed I didn't send this to the list after all... On Fri, 18 Jan 2008, John D. Hardin wrote: > On Fri, 18 Jan 2008, Loren Wilton wrote: > > > I guess btnl is no longer working. Now they are doing a redirect: > > > > http://google.co.uk///pagead/i

Re: google spams

2008-01-21 Thread John D. Hardin
On Mon, 21 Jan 2008, JP Kelly wrote: > > JP Kelly wrote: > > >> I am not able to write my own rules or regex. Does that mean "I don't know how to write regular expressions", or "my SA install doesn't permit me to add rules"? If the former, then the rules I and others have posted over the past w

Re: more efficent big scoring

2008-01-20 Thread John D. Hardin
On Sat, 19 Jan 2008, Loren Wilton wrote: > I would not be terribly surprised to find out that on average > there was no appreciable difference in running all rules of all > types in priority order, over the current method; Neither am I. Another thing to consider is the fraction of defined rules t

Re: Training Q

2008-01-16 Thread John D. Hardin
On Wed, 16 Jan 2008 [EMAIL PROTECTED] wrote: > So, all 3 categories include emails that SA has already seen and > presumably included in its Bayesian filters, Only if you have autolearn enabled. Can we assume that you do from this question? You didn't explicitly say. > and emails that it has ne

Re: gpg keys?

2008-01-11 Thread John D. Hardin
On Fri, 11 Jan 2008, Gene Heskett wrote: > [EMAIL PROTECTED] ~]# wget http://spamassassin.apache.org/updates/GPG.KEY > --14:33:42-- http://spamassassin.apache.org/updates/GPG.KEY >=> `GPG.KEY.1' > Resolving spamassassin.apache.org... 140.211.11.130 > Connecting to spamassassin.apache.

RE: Googlepages & Livefilestore spams

2008-01-10 Thread John D. Hardin
On Thu, 10 Jan 2008, Rosenbaum, Larry M. wrote: > Is it safe to use unbounded quantifiers like + and {2,} in uri > rules? I avoid them in regular body rules. Probably. URIs are parsed out of the body, so they are going to be fairly limited in length. 'course, if you've got the habit of writing

Re: Googlepages & Livefilestore spams

2008-01-09 Thread John D. Hardin
On Wed, 9 Jan 2008, Loren Wilton wrote: > uri GOOGLEPAGES /http://[~/]*\.googlepages\.com/i > uri LIVEFILESTORE /http://[~/]*\.bay\.livefilestore\.com/i I think you mean http:\/\/[^\/]+\. in those REs. Perhaps a little better would be http:\/\/[^\/]{1,40}\. -- John Hardin KA7OHZ

Re: spamassassin sendmail virtualusers and mail lists

2008-01-09 Thread John D. Hardin
On Tue, 8 Jan 2008, Noah wrote: > the problem is that our moderators are getting way too much mail > and just want to trash the high-scoring messages. It's been a while since I've looked at my mailman config so I don't remember if there's an automatic-discard threshold. Are you using any DNSRBLs?

Re: spamassassin sendmail virtualusers and mail lists

2008-01-08 Thread John D. Hardin
On Tue, 8 Jan 2008, Noah wrote: > We want to run spamassassin on mail lists If you're managing your mailing lists using Mailman, there are patches floating around that will make mailman pass messages through SA and hold high-scoring messages for moderation. -- John Hardin KA7OHZ

Re: Problem with handle_user

2008-01-07 Thread John D. Hardin
On Tue, 8 Jan 2008, Stefan Suurmeijer wrote: > I'm trying to use spamassassin with per-user rules on a machine > running Linux with sendmail 8.14.2 and cyrus imapd 2.2.12. I'm > running into a small problem: it seems that spamd doesn't know > which user the mail is intended for and therefore alway

Re: Spam content checker

2008-01-03 Thread John D. Hardin
On Thu, 3 Jan 2008, Sg wrote: > Hi,, > > How to find score for content checker(validator) perl or php.? You're going to have to reword that question, and provide more details (like, what are you trying to do) before anyone will be able to provide a helpful answer. -- John Hardin KA7OHZ

Re: Question about getting a blacklist included in SA

2008-01-02 Thread John D. Hardin
On Wed, 2 Jan 2008, Marc Perkel wrote: > Here's the info on my lists: > http://wiki.ctyme.com/index.php/Spam_DNS_Lists Get somebody to proofread that page. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTE

Re: DDOS, Dictionary Attack... not sure what it is...

2008-01-01 Thread John D. Hardin
On 1 Jan 2008 [EMAIL PROTECTED] wrote: > maybe I misread the laBrea docs that talk about capturing unused > ip Could you show me configuration you use for labrea There are some patches you need to apply to use LaBrea this way. See http://sourceforge.net/tracker/?group_id=70896&atid=529395 A

RE: DDOS, Dictionary Attack... not sure what it is...

2008-01-01 Thread John D. Hardin
On Tue, 1 Jan 2008, Robert - elists wrote: > > When I say "tarpit" I don't mean an MTA-native "slow the SMTP > > conversation down" model, I mean a genuine TCP tarpit that plays games > > with window sizes to trap the attacker - that's what LaBrea does. > > > > I don't think the MTA should be tas

Re: DDOS, Dictionary Attack... not sure what it is...

2008-01-01 Thread John D. Hardin
On 1 Jan 2008 [EMAIL PROTECTED] wrote: > However, labrea may be great software ... but it is certainly not > the software one wants to compete with a live machine for incoming > connections. The way I run it, the IP addresses being tarpitted are IP addresses that would be rejected anyway by zen e

Re: DDOS, Dictionary Attack... not sure what it is...

2008-01-01 Thread John D. Hardin
On Tue, 1 Jan 2008, mouss wrote: > John D. Hardin wrote: > > On Mon, 31 Dec 2007, Mike Cisar wrote: > > > > > >> Even tried yanking the IP address off of the server over the > >> holidays in the hope that whatever it was would just give up. No > >

Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread John D. Hardin
On Mon, 31 Dec 2007, Mike Cisar wrote: > Even tried yanking the IP address off of the server over the > holidays in the hope that whatever it was would just give up. No > such luck, within a minute of reactivating the IP to the server > this morning the traffic was back to full flow. Tarpit 'em.

Re: Issue with SpamAssassin (spamc only) over a FreeBSD Jail

2007-12-28 Thread John D. Hardin
On Sat, 29 Dec 2007, mouss wrote: Oooo! Script critique! My turn! > > > # Filter for Spam > > > cat | $SPAMASSASSIN > out.$$ > > > > > > cat out.$$ | /usr/sbin/sendmail -io -f $ORIGIN $TARGET > > I too love cats. but "$cmd < $file" does the same as > "cat $file | $cmd". Why even have an explic

Re: Spam statistic report [OT]

2007-12-26 Thread John D. Hardin
On Thu, 27 Dec 2007, Leonidas Safran wrote: > I am using qmail with Plesk and have greylisting activated (suse). > Passed that, DNSBLs, SPF, Spamassassin and razor filter incoming > emails. > > I am searching now for a nice light tool to get > daily,weekly,monthly reports about spam/ham/rejected/

Re: spam rules

2007-12-24 Thread John D. Hardin
On Mon, 24 Dec 2007, jikke wrote: > I will also look into procmail, it's installed, but again that's > completely new to me. I'll be happy to help with procmail if you contact me directly off-list. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FA

Re: spam rules

2007-12-20 Thread John D. Hardin
On Thu, 20 Dec 2007, jikke wrote: > I'm new to SpamAssassin and have checked the web on spam rules. I > just can't seem to find the info I'm looking for. I want to create > a rule where all mail to [EMAIL PROTECTED] with a certain text like > 'new message' is passed through and all other mail is c

Re: False positives with Bayes_99

2007-12-20 Thread John D. Hardin
On Thu, 20 Dec 2007, Merlin wrote: > I looked it up and found that Spamassasin believes that it is to > 99% spam by training from users. I believe there is more to it, as > I can not believe that users mark such msges as spam. An unfortunate reality of system administration is that most people a

Re: blackholes.us ?

2007-12-17 Thread John D. Hardin
On Mon, 17 Dec 2007, Per Jessen wrote: > Does anyone have a current status for blackholes.us ? The rsync'ed data > is about 18months old. > > I had an email rejected earlier today due to a server > being "blacklisted" by germany.blackholes.us Well, if the MTA is in Germany, the DNSBL isn'

RE: Utility to dump public corpus to outlook folder

2007-12-16 Thread John D. Hardin
On Sun, 16 Dec 2007, gpr wrote: > Thanks for the reply. > > Ok, by public corpus I mean the sample corpus hosted at > http://spamassassin.apache.org/publiccorpus/ > I want to import these mails to the outlook folders. Hope this > clarifies my intent. Okay, that is a bunch of single-email RFC-822-

Re: Utility to dump public corpus to outlook folder

2007-12-16 Thread John D. Hardin
On Sun, 16 Dec 2007, gpr wrote: > I really need help on this. Any help of this is highly > appreciated. > > gpr wrote: > > I am looking for a utility which can dump the mails > > from SpamAssassin public corpus to an outlook or outlook express > > folder? What precisely do you mean when you say

Re: Adjusting SA scores in 50_scores.cf...

2007-12-13 Thread John D. Hardin
On Thu, 13 Dec 2007, Kelson wrote: > Date: Thu, 13 Dec 2007 09:58:42 -0800 > From: Kelson <[EMAIL PROTECTED]> > To: users@spamassassin.apache.org > Subject: Re: Adjusting SA scores in 50_scores.cf... > > John D. Hardin wrote: > >score URIBL_SBL 5 > > >

Re: Adjusting SA scores in 50_scores.cf...

2007-12-12 Thread John D. Hardin
On Wed, 12 Dec 2007, Ken Morley wrote: > I'm running SpamAssassin 3.2.3 and have been advised to increase > the score for URIBL_SBL to 5.0. I see where it is defined in > 50_scores.cf, but I don't completely understand the format. Don't change the distribution files. Alter scores in a local.cf f

Re: AWL: dont understand it

2007-12-12 Thread John D. Hardin
On Wed, 12 Dec 2007, peter pilsl wrote: > How is this AWL-scoring calculated? It seems almost broken to me. The name is very misleading. If you think of it as a historical score averaging system instead, with the goal of allowing a typically-hammy sender to occasionally send a spammy message, and

Re: Mondo bayes_toks - millions of entries

2007-12-06 Thread John D. Hardin
On Thu, 6 Dec 2007, Wes wrote: > We're going to switch to all-manual learning and hopefully > convince enough users to send in spam and false positives to train > it well. Sufficient participation is a big question, but appears > to be the only viable option at this point. That could be automate

Re: Mismatched URLs revisited

2007-12-06 Thread John D. Hardin
On Thu, 6 Dec 2007, DAve wrote: > I would think if you scored based on mismatched URLs you would tag > the same messages incorrectly. You could mitigate that by using it in a meta along with rules that hit on phishing-like text, and leave the score for a single mismatched URL low, like 0.1 or so

Re: SpamAssassin and LaTeX

2007-12-05 Thread John D. Hardin
On Wed, 5 Dec 2007, Paul Griffith wrote: > I guess I could write rules that verify a valid .tex and .bib > document and then assign a minus score, it would be better if > e-mail clients actually send attachments as true attachments. Not too hard to do... > \title{\LaTeX} > \date{} > \begin{docum

Re: Forward Conformed Reverse DNS troubleshooting tool

2007-11-30 Thread John D. Hardin
On Fri, 30 Nov 2007, Kevin W. Gagel wrote: > >Not quite. The RFC only says that you should not reject if the helo does > >not match the connecting IP address. It says nothing about rejecting the > >helo for other reasons - such as not being an fqdn. > > I agree. Besides, as much as I preach adher

Re: Do I need a custom rule?

2007-11-29 Thread John D. Hardin
On Thu, 29 Nov 2007, Jason Holbrook wrote: > Everything I have read indicates to me that I should stay away from > custom rules. Goodness. Where are you reading that? The customizability of SA is its great attraction when compared to a black-box proprietary spam filter. > ** My spam info u

Re: use iptables to block spammer

2007-11-29 Thread John D. Hardin
On Thu, 29 Nov 2007, denversteve wrote: > I am running qmailrocks mail server and have not found a good > answer to this question for blocking IP instead of just processing > the spam emails and overwhelming my server. > > Is there someone with a script to modify qmail-scanner-queue.pl or > anoth

Re: TTAB Dismisses Hormel's Petition to Cancel SPAM ARREST Trademark

2007-11-29 Thread John D. Hardin
On Thu, 29 Nov 2007, mouss wrote: > I don't blame them. The name has been adopted and widely used: > they had no chance at this. Actually, they did have a chance early on; I heard that they didn't object so long as the term was not capitalized. Allowing that loophole is what allowed the term to

Re: Mondo bayes_toks - millions of entries

2007-11-29 Thread John D. Hardin
On Wed, 28 Nov 2007, Wes wrote: > In 12 hours, the bayes_toks file gets to 160-320 MB, with a ball > park of something over 7 million tokens. Have you considered pushing your autolearn thresholds a bit further out, to reduce the number of messages that are eligible for autolearn and thus reduce

Re: Unique Blacklist & Whitelist configuration or an allow only list

2007-11-17 Thread John D. Hardin
On Sat, 17 Nov 2007, robgeo730 wrote: > 2. Since Spamassassin is on our SMTP server can a rule be created > to only allow email to be delivered to the users if it comes from > the Barracuda MX? This is with the assumption that email bypassing > the MX has to be spam. The best way to do that is at

Re: help

2007-11-12 Thread John D. Hardin
On Mon, 12 Nov 2007, Kim Hurlbutt wrote: > Wondering if you can point me in the right direction on how to > make our spam scores lower. How can I get information on how to > make edits to our pages to lower our scores? We currently use > Kintera to send our email newsletters. Please help!! Tha

Re: large bayes db may cause downgrade in performance???

2007-11-07 Thread John D. Hardin
On Wed, 7 Nov 2007, Matias Lopez Bergero wrote: > John D. Hardin wrote: > > On Wed, 7 Nov 2007, Matias Lopez Bergero wrote: > > FAQ. > > > > (1) turn off Bayes auto-expire. It's taking longer to clean your > > database than spamd is willing to wait, so

Re: large bayes db may cause downgrade in performance???

2007-11-07 Thread John D. Hardin
On Wed, 7 Nov 2007, Matias Lopez Bergero wrote: > -rw---1 spamdspamd10182656 Feb 28 2007 bayes_toks.expire10134 > -rw---1 spamdspamd 4472832 Feb 23 2007 bayes_toks.expire10399 > -rw---1 spamdspamd10629120 Oct 24 00:54 bayes_toks.expire1220 > -rw---

Re: It's a fine line...

2007-11-05 Thread John D. Hardin
On Mon, 5 Nov 2007, Philip Prindeville wrote: > Well, Yahoo is a waste of time for other reasons, right? They > tell you that it doesn't come from their site... I generally don't get spam from Yahoo MTAs; most of my reporting is of fraud spams with yahoo contact addresses. -- John Hardin KA7O

Re: It's a fine line...

2007-11-05 Thread John D. Hardin
On Mon, 5 Nov 2007, Steven Kurylo wrote: > Philip Prindeville wrote: > > Between the truly clueless administrator, and those that feign > > ignorance to cover up their implicit approval of spammers... > > > > What do you do in the case where someone is filtering deliveries to > > their "abuse" m

Re: New (to me) spam pattern

2007-11-03 Thread John D. Hardin
On Sat, 3 Nov 2007, Chris Edwards wrote: > On Fri, 2 Nov 2007, Mike Kenny wrote: > > | Thanks John, I had tried this. It appears that the \1 is > | not defined within the pattern. Only for substitution? > > The regex John posted is fine in SA. > > // > > Mike, what's going wrong for you ? A

Re: New (to me) spam pattern

2007-11-02 Thread John D. Hardin
: // but I'm less confident $+ will work in a match (vs. a substitution). > On 11/2/07, John D. Hardin <[EMAIL PROTECTED]> wrote: > > > header XX From =~ // -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174

Re: New (to me) spam pattern

2007-11-02 Thread John D. Hardin
On Fri, 2 Nov 2007, Mike Kenny wrote: > I have a number of users that are receiving spam of varying types. The only > common factor is the from address. This looks like > > from=<[EMAIL PROTECTED]> > > where sX.com looks like it is a genuine site name, e.g. > shibatec.com > southstreetfinancial.

Re: blacklist.cf needs to die (was Re: Help figuring our why SA is taking like 1.5 minutes to filter...)

2007-10-26 Thread John D. Hardin
On Fri, 26 Oct 2007, Nigel Frankcom wrote: > On Fri, 26 Oct 2007 09:43:37 -0700 (PPT), "John D. Hardin" > <[EMAIL PROTECTED]> wrote: > > >On Fri, 26 Oct 2007, Duane Hill wrote: > > > >> > But people don't read logs, or they would know...

Re: blacklist.cf needs to die (was Re: Help figuring our why SA is taking like 1.5 minutes to filter...)

2007-10-26 Thread John D. Hardin
On Fri, 26 Oct 2007, Duane Hill wrote: > > But people don't read logs, or they would know... I'd suggest die-ing > > instead. > > Why not make it a configurable option in local.cf defaulting to > die. That way for those of us who create custom .cf files that > have the system resources can do so

Re: Check $HOME for an ever growing razor-agent.log

2007-10-21 Thread John D. Hardin
On Sat, 20 Oct 2007 [EMAIL PROTECTED] wrote: > TVD> In short, add the following to your ~/.razor/razor-agent.conf file: > TVD> debuglevel = 0 > > OK, I did mkdir .razor && echo debuglevel=0 > .razor/razor-agent.conf > That was at 7:56. Now the activity has shifted to that new director

Re: Bouncing or just *deleting* emails from certain countries

2007-10-18 Thread John D. Hardin
On Wed, 17 Oct 2007, Chris wrote: > >> Does anyone know of a way, that whenever someone > >> emails > >> from say, for example, Nigeria, Korea, Russia and > >> China, the email either gets deleted by Spamassassin > > >-Original Message- >

Re: Bayes only if -u specified?

2007-10-12 Thread John D. Hardin
On Fri, 12 Oct 2007, Jason Frisvold wrote: > The bayesian database fills up with tons of tokens that I believe > are hurting, rather than helping, the identification of spam. Some options: (1) turn off autolearn. (2) if you suspect auto-mistraining then adjust your auto-training thresholds. (

Re: the IT job boarrd spam?

2007-10-09 Thread John D. Hardin
On 9 Oct 2007 [EMAIL PROTECTED] wrote: > >> On Tue, 9 Oct 2007, Loren Wilton wrote: > >> > >> > Base-64 encoding of HTML strikes me as a little odd. I wonder if > >> > it would make a good spam sign. > >> > >> Very likely. The only reason to do that is to shield the HTML from > >> pattern match

Re: the IT job boarrd spam?

2007-10-09 Thread John D. Hardin
On Tue, 9 Oct 2007, Loren Wilton wrote: > Base-64 encoding of HTML strikes me as a little odd. I wonder if > it would make a good spam sign. Very likely. The only reason to do that is to shield the HTML from pattern matching filters that don't decode text body parts first. Of course, it might

Re: Duplicate emails and increased spam getting through

2007-10-02 Thread John D. Hardin
On Tue, 2 Oct 2007, Steve Ingraham wrote: > Most of the new spam is very raw adult sex spam emails some with > pictures in the body of the text. Images, huh? Have they passed the spamc message size limit and aren't being scanned at all? -- John Hardin KA7OHZhttp://www.impsec

Re: Robert Sexton filter

2007-10-02 Thread John D. Hardin
On Tue, 2 Oct 2007, Steven Stern wrote: > We get many, many emails from a "Robert Sexton" who claims he'll do > wonders with search engine placement. As fast as I add an address to > the blacklist, he comes in with another. > Does anyone have a rule handy that would replace my "blacklist_from"

Re: is lock needed when using spamd/c combo

2007-10-02 Thread John D. Hardin
On Tue, 2 Oct 2007, Obantec Support wrote: > From: "Matthias Häker" <[EMAIL PROTECTED]> > > > SPAM='spam' > > > > :0fw: $SPAM$LOGNAME.lock > > > > this will scan only one message for one user at a time. > > i thought the reason for using spamd/spamc was to provide a more > efficient processing o

Re: [SPAM] Thanks for your Email Address

2007-10-01 Thread John D. Hardin
On Mon, 1 Oct 2007, Daryl C. W. O'Shea wrote: > John D. Hardin wrote: > > On Thu, 27 Sep 2007, Sara wrote: > > > >> Just Go To The Link Given Below To See How You Can Get Everyone > >> Begging You To Share Your Little Secret! > >> > >> htt

Re: is lock needed when using spamd/c combo

2007-10-01 Thread John D. Hardin
On Mon, 1 Oct 2007, Obantec Support wrote: > DROPPRIVS=yes > :0fw > * < 512000 > | /usr/bin/spamc > :0: > * ^X-Spam-Status: Yes > $HOME/mail/spam That looks okay. There's a more complex example at http://www.impsec.org/~jhardin/antispam that you might want to look at. > do i need to use the lo

A belly laugh is a *good* way to start the day

2007-09-30 Thread John D. Hardin
stomer Service 1 <[EMAIL PROTECTED]> > To: John D. Hardin <[EMAIL PROTECTED]> > Subject: Re: sender name same as recipient name (KMM4975266I96L0KM) :ppk1 > > Dear John D. Hardin, > > Hello my name is (auto-insert your name). I am sorry to hear about this > sit

Re: Odd Memory problem: SA NOT using available memory

2007-09-28 Thread John D. Hardin
On Fri, 28 Sep 2007, JOW wrote: > ServerA (the good one) is using nearly all of the 4gb of RAM > available to it. But ServerB is only using a fraction of available > RAM and the # of context switches is tons higher, too. > > I hope this isn't a silly question, but how significant is this, > and w

Re: New PayPal phish?

2007-09-28 Thread John D. Hardin
On Fri, 28 Sep 2007, Kenneth Porter wrote: > Is there a new PayPal phish going about? This almost looks > legitimate, and I imagine it would have a lot of appeal to the > survey-lovers. (I had no communication with PayPal this week, so I > know this is bogus.) I reported it to paypal as such. If

Re: [SPAM] Thanks for your Email Address

2007-09-27 Thread John D. Hardin
On Thu, 27 Sep 2007, Sara wrote: > Just Go To The Link Given Below To See How You Can Get Everyone > Begging You To Share Your Little Secret! > > http://cloakedlink.com/jcmyhpwnzp etc. Is cloakedlink.com in the default redirectors list? -- John Hardin KA7OHZhttp://www.imps

Re: Bayes innodb problems

2007-09-27 Thread John D. Hardin
On Thu, 27 Sep 2007, Henrik Krohns wrote: > mysql> SELECT count(*) FROM bayes_token WHERE id = '1' AND (1190870335 - > atime) > 345600; > +--+ > | count(*) | > +--+ > | 1710591 | > +--+ > 1 row in set (5.69 sec) > > mysql> SELECT count(*) FROM bayes_token WHERE id = '1'

Re: Bayes innodb problems

2007-09-26 Thread John D. Hardin
On Wed, 26 Sep 2007, Micah Anderson wrote: > SELECT count(*) >FROM bayes_token > WHERE id = '4' > AND ('1190846660' - atime) > '345600'; Who the hell wrote *that* query? Is MySQL smart enough to rearrange that equation to give an indexable comparison

Re: Milter vs. Procmail

2007-09-26 Thread John D. Hardin
On Wed, 26 Sep 2007, Raquel wrote: > I have a question. Is there any advantage to using say, > Spamass-Milter over calling spamc from procmail? Using a milter allows you to reject the message during the SMTP conversation. The value of that is, it's far better than generating a bounce message if

Re: R: URIWhois-0.02

2007-09-26 Thread John D. Hardin
On Wed, 26 Sep 2007, Giampaolo Tomassoni wrote: > So, I don't see the problem here: we are attempting to obtain > information about or related to a domain name registration record. Doing it over and over and over from an automated tool can be considered abusive when the service was intended to an

Re: sender name same as recipient name

2007-09-26 Thread John D. Hardin
On Wed, 26 Sep 2007, John Calvert wrote: > I have decided to restart this whole process... setting the bayes > database back to its initial state & deleting auto-whitelist file. > > Is it good to use a bayes starter DB ?  If so, where can I get a > good one. It's not generally a good idea to use

Re: sender name same as recipient name

2007-09-26 Thread John D. Hardin
On Wed, 26 Sep 2007, John Calvert wrote: > I see no "-L" or "--local" anywhere.  See below... > # Source spamd configuration. > if [ -f /etc/sysconfig/spamassassin ] ; then >     . /etc/sysconfig/spamassassin > fi You'll also want to look in /etc/sysconfig/spamassassin -- John Hardin KA7O

Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote: > Hmmm... deepest thread here w/ John Hardin somehow got > broken... nabble hiccup? My pruning stuff. > Where is this configuration file? Probably under /etc/mail/spamassassin > John Hardin wrote: > > > Look for the command line that starts SA. If "-L" or "-

Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote: > How do I enable network tests? ...and make sure your DNS on that box is configured and working, and you will probably want to install a local caching DNS server as well. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECT

Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote: > X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16 > autolearn=no version=3.1.9 > > So BAYES_00 brought the score down to negative .6 ? Probably. > Methinks the BAYES is not even functional (database absent). It wouldn't give

Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote: > Whatever the case, global bayes or not, or even bayes or not, how > could an email with the obvious porn words in the subject (as in > my examples) NOT get flagged? If bayes was mistrained to consider such words hammy, then BAYES_00 could drag the score back do

Re: OT: How to report a known spammer company?

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, Luis Hernán Otegui wrote: > I want to know how to report them to a RBL server (currently I report > them via SpamCop, Razor and DCC, besides I'm blacklisting them at > local.cf), but I think it would be good for the rest of us here in > Argentina to blacklist these guys. Do t

RE: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, Leon Kolchinsky wrote: > As Dave said it seems that your problem in whitelist > configuration. Please use whitelist_from_rcvd instead of whatever > you are using. How so? The samples he posted did not say that whitelist rules were hitting. -- John Hardin KA7OHZ

Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Mon, 24 Sep 2007, feral wrote: > RE: training. I don't know. My experience w/ SA is that > it just works and I haven't dealt with it at this level yet. > What is strange is that SA appeared to be working fine > for my client, then all of the sudden this spike in spam > occurred... and as I sa

Re: sender name same as recipient name

2007-09-24 Thread John D. Hardin
On Mon, 24 Sep 2007, feral wrote: > Here are the headers & bodies of 3 of the spams that got through > (and are continuing to come through at a high rate): > tests=BAYES_00,HELO_DYNAMIC_IPADDR2 > autolearn=no version=3.1.9 > tests=BAYES_00,HELO_DYNAMIC_IPADDR2, > HELO_DYNAMIC_SPLIT_I

Re: sender name same as recipient name

2007-09-24 Thread John D. Hardin
On Mon, 24 Sep 2007, feral wrote: > Question: is SA not filtering out these obvious spams because the > name "mark" is the same as the name on my client's account? That depends on the rules in use. If a rule like From ~= /mark\@/ with a high negative score was defined, sure! Would it be possibl

Re: Confusing issue regarding SPF_FAIL and local delivery

2007-09-24 Thread John D. Hardin
On Sun, 23 Sep 2007, Magnus Holmgren wrote: > On Sunday 23 September 2007 18:50, John D. Hardin wrote: > > On Sun, 23 Sep 2007, Jari Fredriksson wrote: > > > > SpamAssassin's trusted_network configuration caught my > > > > eye. What exactly does this do

Re: Confusing issue regarding SPF_FAIL and local delivery

2007-09-23 Thread John D. Hardin
On Sun, 23 Sep 2007, Jari Fredriksson wrote: > > SpamAssassin's trusted_network configuration caught my > > eye. What exactly does this do, and should I put my box's > > ip address in there? > > Absolutely. You put all your internal servers and possible ISP > servers there too. Trusted networks a

Re: OT - massive newsletter

2007-09-22 Thread John D. Hardin
On Sat, 22 Sep 2007, Dave Koontz wrote: > If I might ask, where are you getting the list "SEED" addresses > from? It's hard for me to imagine you have such a large number of > users that have already requested information you have not > configured to send yet. If this is a purchased list of addr

Re: OT - massive newsletter

2007-09-19 Thread John D. Hardin
On Wed, 19 Sep 2007, mizzio wrote: > I'm setting up an SMTP server (centos + qmail) on a dell quad core > machine for sending out a periodic newsletter (10 million a > month). > > In order to avoid any possible blacklisting problem, I'm looking > for all the best practices. As others have said,

Re: 'spamc/spamassassin' crashing with overlong blank line spams?

2007-09-19 Thread John D. Hardin
On Wed, 19 Sep 2007, Matt Kettler wrote: > > PS.: Ideas welcome for catching the characteristic Subject of > > those spams, which look like 'just random tty line noise'! > > Something like this might be a first shot: > > header NO_ALPHA_SUBJECT Subject !~ /[a-zA-Z0-9]/ I've seen some of

What is more annoying than being joe-jobbed?

2007-09-18 Thread John D. Hardin
...being joe-jobbed in a spam run that has Return-Receipt-To: headers. Your message: (spam spam spam eggs sausage spam) was successfully delivered to: (some poor [EMAIL PROTECTED] domain) ARRRGGG! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [E

Re: Problems with blacklist still!

2007-09-18 Thread John D. Hardin
On Tue, 18 Sep 2007, Michael Chapman wrote: > OK ... I don't know what to do now. I am still having issues with > every incoming message getting tagged with USER_IN_BLACKLIST. No > blacklist statements exist ANYWHERE on the file system, in any > file whatsoever. I assume you mean you did somethin

re the 419 scam apologizing for 419 scams

2007-09-13 Thread John D. Hardin
I just got one and it sailed through SA here, too, as it had a 400+Kb JPEG attachment. It seems they are attacking via SA message size limits now. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0

Re: FW: List of 700,000 IP addresses of virus infected computers

2007-09-12 Thread John D. Hardin
On Wed, 12 Sep 2007, Luis Hernán Otegui wrote: > 2007/9/12, Marc Perkel <[EMAIL PROTECTED]>: > > I just added you to my blackhole list. > > So, You've just added Gmail to it. A Wise one, eh? I suspect Marc thinks blackhole list == kill file. If not, then he just severely damaged the credibility o

Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

2007-09-12 Thread John D. Hardin
On Wed, 12 Sep 2007, Brian Wilson wrote: > uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/ score Escape that period. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34

Re: eval method to add RHSBL

2007-09-07 Thread John D. Hardin
On Fri, 7 Sep 2007, ram wrote: > Usually it makes a lot of sense to do all RBL/RHSBL checks at the > MTA INCOMING!!! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F
