make it look like an abandoned module is
available and in use when it is not isn't a precedent we want to set. That way
lies madness.
+1
Agree.
--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
out moment à
ce traitement à des fins de marketing.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
amples are always welcome.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
t already hit
bayes99 (and bayes999) but are still just shy of 5 points.
I use local metarules that include BAYES_999 + other hits like URIBL to
add extra points.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@
ional damage from the abusers infesting the .online
domain.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
one asking.
ICANN monetizing their product. Period.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
On Tue, 11 Feb 2025, Kris Deugau wrote:
John Hardin wrote:
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just
like the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so i
On Mon, 10 Feb 2025, John Hardin wrote:
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
Ah, not *quite* the same. Zellepay doesn't have their own MTA
infrastructure, so it's a *little* less obvious.
Initial rules checked in.
--
J
I just got a forwarded-via-outlook phish for zellepay that looks just like
the paypal phishes...
"If you did not authorize this, please call us immediately at-I(888)
592-O36I to secure your account and recover your
funds."
Will add rules tonight.
--
John Har
to make a difference unless the
scores are set manually, which increases their FP risk.
I'd ask all who are doing masschecks to review their corpora of Paypal
messages to see whether these messages, and Paypal messages with
obfuscated phone numbers, are misclassified as ham.
2}\x{E0}\x{B8}\x{B8}\x{E0}\x{B8}\x{97}\x{E0}\x{B8}\x{B1}\x{E0}\x{B8}\x{99}\x{E0}\x{B8}\x{97}\x{E0}\x{B8}\x{B5}'
=~ /(?^aa:\x{E0}\x{B8}\x{95})/
(does not match)
You should probably open a bug with your rule and attach the spample.
--
John Hardin KA7OHZhttp://www.im
}\\x{B8}\\x{97}\\x{E0}\\x{B8}\\x{B1}\\x{E0}\\x{B8}\\x{99}\\x{E0}\\x{B8}\\x{97}\\x{E0}\\x{B8}\\x{B5}/
...do you also need to escape the curlies?
/\\x\{E0\}\\x\{B8\} etc...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
and I can't really see why apart
from it not appearing in 50_scores.cf, and at the moment I don't want to
go spelunking in the code to verify that's the override...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
ardless of subdomain is
an excessively broad response.
FYI, ct.sendgrid.net has been in the base ruleset util_rb_3tld since April
2021.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB87
le mailbox file containing multiple messages -
that's 46 individual email files in one zip or gz archive), but that's
not a requirement.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key
to me directly for review, if
we're missing new variants or some Google domains that would help us
improve our coverage.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 --
ll be happy to back out those changes if consensus is they aren't
reasonable.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
PNTLD && (__PDS_SEO1 + __PDS_SEO2 >=
1)
tflags SEO_SUSP_NTLD publish
I don't know whether Paul is still actively maintaining his rule sandbox,
his last commit there was four years ago.
The changes seem reasonable, I'll apply them.
--
John Hardin KA7OHZ
usual TLDs
there as well...
I will see about adding that to my sandbox tonight or tomorrow, but no
guarantees on how it will do in masschecks.
It might also be time to update my phishing phrases rules...
Feel free to send me an archive of spamples if you like.
--
John Hardin KA7OHZ
stead informational score 0.0001, ALL_TRUSTED is used in
metas.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
reverse
lookup of the sender's IP and whitelist/blacklist for domain names from
that so you block the sender at SMTP time.
Don't get tunnel vision about SpamAssassin being the only tool available
for this sort of thing... :)
--
John Hardin KA7OHZhttp://www.
On Thu, 26 Sep 2024, joe a wrote:
So, on the one hand I can add them to whitelist and be done with it, or
I can add them to missed HAM for re-learning.
Which is the best approach?
Do both.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
On Fri, 13 Sep 2024, Bill Cole wrote:
Please send any replies to the list only.
...or to Harald only.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C
e the links directly
rather than providing the pastebin links publicly here on the list.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
illing to bring that code up-to-date and
figure out what was needed and corpora providers were available.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4
a look
at config "report_safe 0".
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76
ffectively maintained"?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
time based on the corpora.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
explain to the board members I'm
helping out is... painful.
Very simply worded step by step instructions, with screenshots amended
with arrows, outlines, highlights and so forth as needed.
...the .sigmonster agrees.
--
John Hardin KA7OHZhttp://www.impsec.org/~jh
't suffer the TLD reputational hit. (If
you do that, avoid setting "ReplyTo: supp...@play.date", as that would
also take a reputation hit.)
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec
that all that rule does, vs. hitting *specific* SendGrid accounts?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
, learning
as few mail as one should fix BAYES issues.
Move previously tagged SPAM into HAM folder and "relearn"?
Right. Train on misclassifications.
Also if there was a ham in your spam corpus review why it got
misclassified in the first place.
--
John Hardin KA7OHZ
"Missed SPAM"?, thinking along lines of keeping
BAYES "clean and sharp". So to speak.
Leave as is? Delete and re learn?
For a low volume home office user, I would simply NOT autolearn. Set up a
hambox and a spambox and manually feed them and train from them.
--
John Hardin
ven't
even seen the email at this stage) or indeed doing something they do not want.
It doesn't sound like it will *visit* the link, just ask some service if
the link has a reputation.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
is
pushing a lot of Email into "Junk folders", for now I'ma change that score to
0.25
2.5 points by itself shouldn't be enough to quarantine/junk messages. What
else is spammy about those messages?
--
John Hardin KA7OHZhttp://www.
/<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F50
also hit __HAS_X_AUTHED_SENDER;
19% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)
I'll add a few of those to see how they do.
F'ing legit emailers that generate crap HTML {fume}
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@i
SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3
too much spams in hotmail
I'll put the subrules in my sandbox so they can be evaluated by masscheck.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key:
It wouldn't be much of a loss, but it's not spam either.
How did they perform individually?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8
like that, as a newbie mailing list member, looking for help, I humbly submit
that he's not someone you want being the first interaction a new list member
has.
Sadly, we cannot control that.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
olumn headers would aid analysis.
Can you swap the numbers in the 4th column and see if that changes the
behavior?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411
fic senders coming from specific IP
addresses, there's already built-in features for that. Look into
whitelist_from_rcvd, it may do exactly what you want.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...
u also add:
USER_IN_WHITELIST 0
They are synonyms, might need to kill both explicitly.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
a more general
solution, but this might be quite useful.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
On Sat, 13 May 2023, Matus UHLAR - fantomas wrote:
But I was more interested if SA already has something like that?
It does not.
On Fri, 12 May 2023, Loren Wilton wrote:
Weren't there a whole set of "FUZZY" rules once?
On 12.05.23 20:01, John Hardin wrote:
There still
On Fri, 12 May 2023, Loren Wilton wrote:
But I was more interested if SA already has something like that?
It does not.
Weren't there a whole set of "FUZZY" rules once?
There still are.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jha
On Fri, 12 May 2023, Matija Nalis wrote:
I wonder if someone has already done it, and something sufficiently
similar to be used to that purpose?
There are a lot of ReplaceTags rules in the base ruleset.
I don't know if offhand that works with header rules.
--
John Hardin K
: config: failed to parse line in (sql config) (line 9): use_pyzor\t0
info: config: not parsing, administrator setting: use_razor2\t0
info: config: failed to parse line in (sql config) (line 10): use_razor2\t0
... in SQL config? perhaps the lines are misplaced?
--
John Hardin KA7OHZ
me, for example commercial
accounts where you don't want a delay in receiving communications from
customers or potential customers. There are ways to tune it that may
mitigate these concerns somewhat.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
, i just report it
This bit:
WHERE short_url $1 = AND
...should probably be:
WHERE short_url = $1 AND
The basic expression syntax of SQL is the same as other (infix!)
languages..
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
trashed.
Poof, gone.
We don't sit watching our MUAs 24/7
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
On Thu, 12 Jan 2023, John Hardin wrote:
On Thu, 12 Jan 2023, Martin Gregorie wrote:
On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
Hello All,
I created this rule to check for email addresses matching a list to
get
added some negative value.
I also tried it with just domains so it
There are instructions for setting such
up for local blacklists, that works equally well for a local whitelist.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
e gateway to its external
address."
I think you're getting distracted by the word "resolve" there... This
sounds like a DNS issue.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
.dnswl.org" IN {
type forward;
forward first;
forwarders { };
};
zone "multi.uribl.com" IN {
type forward;
forward first;
forwarders { };
};
...etc. for all DNSBL subdomains.
--
John Hardin KA7OHZ
blacklist
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
h. "Go away and stop bothering us."
It's not the only place Google won't let you report problems from outside
their ecosystem either - you can't report spam coming through Google Groups
with the link in the messages without logging in to a Google account.
I gave up tryi
block all page.link, whois says its hosted by google :/
go ahead..
There are legitimate sites using that domain.
I added it as a 2tld for URIBL, so please report such domains to URIBL.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
tion tools available that
would return much the same information, and that would give something
helpful to discuss with the site admin when trying to resolve the
situation.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
On Sat, 13 Aug 2022, joe a wrote:
Why waste your own system resources to help a scoundrel? Drop them and be
done.
I personally prefer to TCP tarpit repeat offenders.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk
that is "headers misspelled" (not "headers missing")
MISSP = misspaced
and it is checking for any of the listed words at the start of a line,
followed by a colon, and NOT followed by a space.
--
John Hardin KA7OHZhttp://www.impsec.org/~jha
about posting it here so you do not need to do this work. If you do
some random checks, you can see this looks weird[2]. Do as you
please with this info.
FYI, I'm rejecting them at the postfix level.
*cough* TCP Tarpit *cough*
--
John Hardin KA7OHZhttp://www.impsec.or
ba3e69a
MIME-Version: 1.0
Capitalizations-Grievously: oilers
Content-type: multipart/mixed; boundary="--=_1649731129-716331-86"
Obviously, the following bogus header names are present:
Minicomputers-Exhume
Malthus-Films
Parasitic-Homogeneity
Capitalizations-Grievously
Take
naged by your provider and
if a more than a few of them are listed (particularly by multiple DNSBLs)
then your provider is probably problematic and you should look elsewhere.
[Ooo, look, the .sigmonster is listening...]
--
John Hardin KA7OHZhttp://www.impsec.org
's not universal, either. It passed lint here or I wouldn't have
checked it in. It passed the masscheck lint or it wouldn't have been
published.
I've checked in a fix, there may be one more bad update tonight before it
goes out.
--
John Hardin KA7OHZ
On Fri, 18 Feb 2022, da...@grmcompany.com wrote:
Dan:
The SA users mailing list is self-managed.
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@imps
m matching
delimiters from SA. I suspect there are at least hundreds of rules like that
in the release database. I have about a hundred local rules of my own that
use that.
Indeed.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
No, I added that after observing multiple spams with random garbage after
the closing HTML tag in the HTML body part. Presumably it was an attempt
at Bayes poison, checksum avoidance, or some other filter evasion
technique.
I'll tighten it up.
--
John Hardin KA7OHZ
"htmlbody" rule type...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Will update, thanks for the report.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
but that does have the downside
of accepting spam from them if their account gets hacked, for example.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C A
correctness.
Isn't that exactly what we're discussing here? "Technical correctness"?
The way I generally put it is: SpamAssassin is not an RFC-compliance audit
tool.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
On Thu, 18 Nov 2021, Matt Corallo wrote:
On 11/18/21 16:49, John Hardin wrote:
On Thu, 18 Nov 2021, Matt Corallo wrote:
I followed up on the exim-users list on this - Exim *did* verify the
FcRDNS here and the above header line is what it generates by default for
FcRDNS. The RFC quote they
ified that rule a bit to also look at the HELO and envelope From
address to see if they are from Shopify. Granted that's less reliable than
rDNS, but it's probably Good Enough.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
NS is causing their mail to be
considered spam.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507
On Mon, 15 Nov 2021, Matt Corallo wrote:
Full headers follow, but it seems the shopify detection in the above isn't
quite correct;
Thanks for the report, will fix.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pg
On Mon, 15 Nov 2021, Philip Prindeville wrote:
On Nov 12, 2021, at 8:49 PM, John Hardin wrote:
On Fri, 12 Nov 2021, Philip Prindeville wrote:
I got the message, saved it to a flat file, and ran "spamassassin -t -D rules <
netdev.eml" and saw:
...
Nov 12 11:45:38.048 [3636
ication to the timeout message could display the name of the rule and
even how long it took to that point.
That's what I was thinking when I said "capture and log".
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
On Sat, 13 Nov 2021, Henrik K wrote:
On Fri, Nov 12, 2021 at 07:49:00PM -0800, John Hardin wrote:
What would be helpful here would be logging of when a rule *starts*
evaluation. Normally that would be painful, but for tracking a runaway it
would be useful. Perhaps I can code up something to
ode up something to capture that and log
it on a timeout...
If you want to send me that message zipped up I can try it here with those
changes and see if it's a base rule running away.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org
===
And what of the BIDI sequence that actually causes the problem?
All Of Unicode is not the problem.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 1
can find a problematic rule by comparing that debug output from a bad
message to that of a message which doesn't hang SA.
There's also the HitFreqsRuleTiming plugin if you're running in a dev
environment and can let it scan for a potentially long time (until
completion).
--
On Sat, 23 Oct 2021, Benny Pedersen wrote:
On 2021-10-20 16:58, John Hardin wrote:
On Wed, 20 Oct 2021, Axb wrote:
On 10/19/21 8:06 PM, Jerry Malcolm wrote:
Where do I find a starter toks file?
You don't need a "starter" file.
Your Bayes starter is your training cor
ou're doing now.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
ubscribe header.
On 25.09.21 13:19, John Hardin wrote:
Perhaps it needs a short-message exclusion?
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be glad to
try.
On 25.09.21 15:04, John Hardin wrote:
I've done some ma
ubscribe header.
On 25.09.21 13:19, John Hardin wrote:
Perhaps it needs a short-message exclusion?
short messages with attachments. if you have an idea how, I'll be glad to
try.
I've done some masscheck review and tuning of it, added avoidance of hits
on very short messages.
like an FP in Pyzor.
RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)
Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.
Perhaps it needs a short-message exclu
ined in a
production environment versus analyzed in a misconfigured and stale
theoretical environment), with all headers intact (<- this is important),
then we might be able to tell you why it ended up there.
Kind Regards
Lukas
-Original Message-
From: John Hardin
Sent:
's
scoring 5 or more points).
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822
ager|[Aa]dvisor|[Cc]onsultant)/
Intentionally *not* case-insensitive.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 1
P exclusion for XPRIO, as it hits
100% of the spam hits.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--
ficetheme and an
application/x-mso file. Which (in addition to the text/xml files) are used
by Microsoft Word to load the embedded Word document."
Would the presence of all three of those MIME types be a scorable
indicator?
--
John Hardin KA7OHZ
*very*
helpful when you just can't figure out why the RE is failing.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6
lated base rules:
FROM_STARTS_WITH_NUMS
__FROM_ALL_NUMS
__TO_ALL_NUMS
__FM_TO_ALL_NUMS
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873
On Fri, 28 May 2021, Greg Troxel wrote:
John Hardin writes:
On Thu, 27 May 2021, Greg Troxel wrote:
The other problem on a small number of messages was
RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but
getting a message of 1-1.5 kB from an address in .edu is to me not at
On Fri, 28 May 2021, RW wrote:
There is a minor problem:
header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
allows a match on "by=" from the LE header, when it should just be on
helo/rdns.
D'oh! Fixed, thanks for catching that.
--
John Hardin KA7OHZ
appear in legitimate mail. (In
my case it was a notification of air conditioning shutdown in a
particular building, and that's all there was to say.)
Score limit adjusted. Do you know whether it happened to hit ALL_TRUSTED?
I added an exclusion for that.
--
John Hardin K
On Wed, 26 May 2021, Douglas, Daniel wrote:
We need to detect it so that we can route emails with that header to a
different server.
SpamAssassin does scoring, not routing. Isn't it important that your *MTA*
be able to detect that header?
--
John Hardin KA7OHZ
listed on URIBL too:
http://lookup.uribl.com/?domain=libera.chat
Or at least it is *now*, maybe it comes and goes for some reasons
...and now it's listed at https://admin.uribl.com/ as well.
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impse
NOT Listed on URIBL
Is that not working correctly?
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822