Re: SA 4.0.1 Bayes in SQL: MYSQL_OPT_RECONNECT is deprecated

2025-01-10 Thread John Wilcock
On 10/01/2025 at 15:35, Bill Cole wrote: On 2025-01-10 at 08:49:04 UTC-0500 (Fri, 10 Jan 2025 14:49:04 +0100) John Wilcock is rumored to have said: Hi all, I'm using Spamassassin 4.0.1 on Gentoo and I've recently switched to using MySQL (actually Mariadb 10.6) for Bayes stor

SA 4.0.1 Bayes in SQL: MYSQL_OPT_RECONNECT is deprecated

2025-01-10 Thread John Wilcock
Hi all, I'm using Spamassassin 4.0.1 on Gentoo and I've recently switched to using MySQL (actually Mariadb 10.6) for Bayes storage. I'm seeing "WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version" warnings. $ spamassassin --lint --debug=bayes Jan 10 14:45:02.8

Re: What can one do abut outlook.com?

2020-10-26 Thread John Wilcock
The problem with your analogy is that you are not just interacting with one unwelcome neighbour with a defective washing machine, but with dozens of neighbours whose washing machines work perfectly but who happen to share the same plumber as the unwelcome one. And in many cases these people are

Re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-08-03 Thread John Wilcock
On 2020-08-01 21:23, bugzilla-dae...@spamassassin.apache.org wrote: > https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7826 > > --- Comment #58 from Kevin A. McGrail --- > (In reply to John Hardin from comment #57) (In reply to Kevin A. McGrail from > comment #55) > > This isn't a plugin to

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread John Wilcock
On 2020-07-10 10:36, Matus UHLAR - fantomas wrote: > On 10.07.20 08:50, Axb wrote: > >> the US problems won't be fixed with renaming B&W lists. >> Seriously.. you have more important issues... > > while I am not a fan of renaming, I think that > "welcome list" and "block list" are more informat

Re: another extortion email check

2020-05-04 Thread John Wilcock
On 03/05/2020 at 05:27, Grant Taylor wrote: On 5/2/20 1:47 PM, Loren Wilton wrote: The compromised password is already in plain text in the subject of the message; there isn't much point in hiding it other than embarrassment. What if the email server with the list of plain text passwords is

Re: No longer just embedded =9D characters in blackmail emails.

2019-03-21 Thread John Wilcock
On 21/03/2019 at 14:52, John Wilcock wrote: On 20/03/2019 at 20:19, Bill Cole wrote: I've added these lines to the block that defines MIXED_ES which may help some sites: lang pl  score MIXED_ES  0.01 lang cz  score MIXED_ES  0.01 lang sk  score MIXED_ES  0.01 la

Re: No longer just embedded =9D characters in blackmail emails.

2019-03-21 Thread John Wilcock
On 20/03/2019 at 20:19, Bill Cole wrote: I've added these lines to the block that defines MIXED_ES which may help some sites:     lang pl  score MIXED_ES  0.01     lang cz  score MIXED_ES  0.01     lang sk  score MIXED_ES  0.01     lang hr  score MIXED_ES  0.01     lang el  score MIXED_E

Re: using existing score value in new rule's score

2019-02-25 Thread John Wilcock
On 23/02/2019 at 01:42, David B Funk wrote: IIWY I'd just redefine the HTML_IMAGE_ONLY_XX rules in the form body __HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800') meta HTML_IMAGE_ONLY_28   __HTML_IMAGE_ONLY_28 && !L_O365_USER That's one way, but given that HTML_IMAGE_ONLY_28 is a core

Re: fake base64 encoding

2017-02-02 Thread John Wilcock
On 02/02/2017 at 15:50, RW wrote: On Thu, 2 Feb 2017 05:43:24 -0500 Kevin A. McGrail wrote: ... I will score much higher since it is in the wild. Can you throw a spample up on pastebin? Perhaps text/html makes a big difference, but base64 encoded utf-8 text is not uncommon these days - part

Re: NOTSAME__REPLY_TO

2016-09-28 Thread John Wilcock
On 28/09/2016 at 16:56, SA wrote: what .cf file includes that rule on your system? That was the point: I can't find it. I've done a grep for NOTSAME on usr/share/spamassassin/*.cf but got nothing. Is there another place I should be looking? /etc/mail/spamassassin is another likely place, bu

Re: Catching well directed spear phishing messages

2016-06-28 Thread John Wilcock
On 28/06/2016 at 16:13, David Jones wrote: From: RW That won't work in this example because nothing has actually been spoofed. ... All it takes is a compromised account on a trusted mail server (happens all of the time) to provide a conduit for this type of phishing email. Very easy to

Re: why: auto-learn? no: scored as spam but autolearn wanted ham

2015-11-05 Thread John Wilcock
On 05/11/2015 15:54, Matthias Apitz wrote: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on c720-r276659 X-Spam-Flag: YES X-Spam-Level: ** X-Spam-Status: Yes, score=1000.0 required=3.0 tests=GTUBE,NO_RECEIVED, NO_RELAYS autolea

Re: charset=utf-16 tricks out SA

2015-10-08 Thread John Wilcock
On 08/10/2015 17:34, Reindl Harald wrote: Content-Type: text/plain; charset=utf-16 Content-Transfer-Encoding: base64 no custom body rules hit like they do for ISO/UTF8 :-( What is your normalize_charsets setting? -- John

Re: Whatsapp spam

2015-07-02 Thread John Wilcock
On 02/07/2015 04:23, Alex wrote: Not sure if the Unicode replace stuff will catch it, but you might try this: > > body FUZZY_DETAILS /(?:etails)/i > replace_rules FUZZY_DETAILS It doesn't catch it, and I don't know enough about replace_rules to figure it out. Shouldn't that ?:

Re: Whatsapp spam

2015-07-02 Thread John Wilcock
On 02/07/2015 04:50, John Hardin wrote: Is there supposed to be an existing FUZZY_DETAILS rule? I don't think so. If you were to envisage such a rule, it's worth noting that it would almost certainly need a special case to avoid FPs on genuine French "détails" with an acute accent. There

Re: definition update frequency?

2015-06-04 Thread John Wilcock
On 04/06/2015 17:47, Kevin A. McGrail wrote: As noted, I think the users@ might welcome the information especially if it is filterable. But someone will have to step up and work on that script. If someone does see the need for this and volunteer to improve the script, perhaps it could be c

Re: Honeypot email addresses

2014-11-26 Thread John Wilcock
On 26/11/2014 19:56, Christian Grunfeld wrote: even /64 DNSxLs will be expensive ! /64 lists will have 2^32 times more entries than IPv4 lists. /64 lists can *theoretically* have that many entries, yes, but it'll be a very long time before there are 2^32 times as many *allocated* IPv6 /64s

Re: shellshock via SMTP?

2014-10-29 Thread John Wilcock
On 29/10/2014 16:54, Mark Martinec wrote: 2014-10-29 16:26, Joe Acquisto-j4 wrote: Comments on the ZD net article that claims shellshock exploit via crafty SMTP headers? Just asking, that's all . . . I attached a link to it below, please excuse if that is improper behavior. http://www.zd

Re: getting tons of SPAM

2014-10-20 Thread John Wilcock
On 20/10/2014 17:03, Reindl Harald wrote: On 20.10.2014 at 17:00, motty cruz wrote: yes you're right I am trying to "reject" emails that end with *.eu and *.link. can I do a wild card *.eu? *.link? http://www.postfix.org/access.5.html http://www.postfix.org/regexp_table.5.html http://www.p

Re: LIST_PARTIAL

2014-09-16 Thread John Wilcock
On 16/09/2014 13:29, Reindl Harald wrote: works, however, the penalty of 2 for 'List-Unsubscribe' without 'List-Id' feels a little bit unfair What's unfair about being penalised for not being standards-compliant? RFC2919 states that a mailing list SHOULD add a List-Id header, just as RFC23

Re: LIST_PARTIAL

2014-09-16 Thread John Wilcock
On 16/09/2014 12:24, Reindl Harald wrote: score LIST_PARTIAL 2.000 1.999 2.000 1.999 that feels too high, as example we add "List-Unsubscribe" headers in case of ordinary newsletters to support MUA which read that header (for TB an extension exists) IMHO that penalty hits senders which try to

Re: writing own rbl rules

2014-08-26 Thread John Wilcock
On 26/08/2014 21:03, Reindl Harald wrote: i just don't know how to do that with the setup and mailflow by just start "spamassassin -D dns" which runs the process but how to get the mail there? You need a copy of the message as a text file on your SA machine, then you simply run, from the co

Re: More text/plain questions

2014-07-06 Thread John Wilcock
On 05/07/2014 19:08, Philip Prindeville wrote: As for encoding a cyrillic small a: there are many ways to do this. iso-8859-4, utf-8, jp2212, gb2312, win1252, etc. I don’t think this would be very efficient—there are just too many charsets possible. Normalising the input message to UTF-8 bef

Re: dependency hell]

2013-11-15 Thread John Wilcock
On 15/11/2013 16:39, Jay G. Scott wrote: About the only thing we can get past the "air gap" (not a true air gap, but it's the shortest way to describe it) is email. Management has all these grandfathered requirements about stuff they must have _and_ stuff I can't do (e.g., no RBLs) _and_ (so it

Re: sa-update: MIRRORED.BY is 404 for any channel

2013-06-11 Thread John Wilcock
On 11/06/2013 10:28, Mike Brown wrote: I'm running 3.3.2 on two FreeBSD 8.3 systems on different networks. Both systems are configured roughly identically with regard to SpamAssassin. One system runs Perl 5.16 (not sure if that matters) and can run sa-update without error, but the other runs P

Re: Interesting Spam Trap Idea - Fake Authentication

2013-06-10 Thread John Wilcock
On 10/06/2013 17:38, David F. Skoll wrote: That's an interesting honeypot. I've seen spammers crack SMTP AUTH passwords, but in most cases the first thing they do is send an email to a freemail account with a subject like: 192.168.33.55,user,passwd and if they don't get the round-tr

Re: Telling BAYES not to learn?

2013-02-05 Thread John Wilcock
On 05/02/2013 16:20, Marc Perkel wrote: is there a way I can put something in a rule that would cause bayes not to learn - such as a rule that detects bayes poisoning? Yep - tflags RULENAME noautolearn John. -- -- Over 5000 webcams from ski resorts around the world - www.snoweye.com -- Tr

Re: FROM_MISSP_* causing FPs

2012-12-02 Thread John Wilcock
On 30/11/2012 18:18, John Hardin wrote: header __AJB_HAS_XEROX X-Mailer =~ /WorkCentre \d{3,5}/ header __AJB_XEROX_SUBJ Subject =~ /Scan from a Xerox/ Thanks! I will add those to my sandbox. Question: how often do you see that subject _without_ that X-Mailer? Whenever s

Re: False negatives with distinctive punctuated subjects

2012-10-19 Thread John Wilcock
On 19/10/2012 13:22, Ian Turner wrote: I meant something to specifically pick out words like phArmACy. You could try a rule with a negative lookahead to exclude the correct casing, something like this (untested): header SUBJ_MIXED_CASE_PHARMACY Subject =~ /(?![Pp]harmacy)[Pp][Hh][Aa][Rr]

Re: Sender domain in IP space 5.0.0.0/8 triggers RCVD_ILLEGAL_IP

2012-10-15 Thread John Wilcock
On 16/10/2012 07:57, Frederic De Mees wrote: When I receive mails from servers hosted in IP address space 5.0.0.0/8, SA tags them with RCVD_ILLEGAL_IP. This address space is currently heavily distributed in Europe. I have found a bug report #6810 (https://issues.apache.org/SpamAssassin/show_b

Re: How to check from that is not on the header?

2012-09-26 Thread John Wilcock
On 26/09/2012 17:40, Alexandre Boyer wrote: Note that you may look upon a X-Envelope-From header also, depending on your MTA and how and when it may log it in the headers. Or, provided your spamassassin glue is configured properly, you can test on the sa-provided EnvelopeFrom pseudo-header.

Re: Sensitivity of FILL_THIS_FORM_SHORT (score: 2.556)

2012-09-06 Thread John Wilcock
On 06/09/2012 18:34, John Hardin wrote: ...yeah, the _PARTIAL versions are intended to catch a form that's spread out over several paragraphs or HTML sections. Unfortunately there's no way to tell a rule to match multiple times but not for a string it has already matched. Yes, I've seen simi

Re: translations of SpamAssassin descriptions?

2011-09-12 Thread John Wilcock
On 12/09/2011 15:20, Tomasz Chmielewski wrote: Is there a way to get ALL rule names used by a given spamassassin installation, together with their descriptions? grep -R describe /var/lib/spamassassin/3.003002/ would probably be a good place to start John. -- -- Over 4000 webcams from ski

Re: Quicky custom rule in local.cf question - dbg: rules: PRIVATE_PHONICA2 merged duplicates: PRIVATE_RULE1

2011-09-01 Thread John Wilcock
On 01/09/2011 16:23, J4K wrote: meta PRIVATE_RULE1 (__PR1&& __PR2) ... meta PRIVATE_PHONICA2 (__PR1&& __PR2) Spamassassin -D -lint records this: Sep 1 15:45:56.313 [11484] dbg: rules: PRIVATE_PHONICA2 merged duplicates: PRIVATE_RULE1 What is this really telling me, and why is th

Re: Received mails are marked as spam with RCVD_ILLEGAL_IP adding 3.4 score.

2011-08-09 Thread John Wilcock
On 09/08/2011 09:06, eprint email wrote: One of my customers has sent mail through Nokia mobile. SpamAssassin has marked it as spam. When I examined the individual score components, I found RCVD_ILLEGAL_IP with 3.4 score. I've examined the Received headers for restricted IP addresses. I could

Re: block all high importance priority email

2011-07-06 Thread John Wilcock
On 06/07/2011 17:44, tonym302 wrote: I get an assortment of domain changing high importance spam email (mostly sales stuff, some hip replacement info LOL) and want to know if it is possible to block all high priority stuff like this. It has the red exclamation point when it arrives. I tried

Re: RelayCountry Plugin

2011-05-18 Thread John Wilcock
On 19/05/2011 04:46, John Hardin wrote: Sure. Well, not a _single_ rule, but you can achieve what you want... First, write a rule that hits on all messages and assign it a positive score: meta RELAYCOUNTRY_ALL __HAS_RCVD describe RELAYCOUNTRY_ALL Relayed through any country sc

Re: FRT_APPROV, FRT_EXPERIENCE FPs on French text

2011-03-02 Thread John Wilcock
On 28/02/2011 20:34, Adam Katz wrote: I agree. I have fixed those two specific examples on SA trunk at svn revision 1075489. Please note that this sort of thing is better handled as a bug request, and complaints directed at this list tend not to get such prompt attention. Try filing it in h

Re: Need Volunteers for Ham Trap

2011-01-18 Thread John Wilcock
On 18/01/2011 10:46, Jeff Chan wrote: 2. Some of the areas are very difficult to resolve into spam or ham. Some more aggressive anti-spammers may say all of the above is spam, but others may disagree, and the mail may be legal. I'd suggest that SA ought to be classifying e-mail in *three*

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread John Wilcock
On 04/01/2011 17:01, Rob McEwen wrote: I've thought this through and... best case scenario is that spammers then get 5+ years of play time because it will take at least that time for those other techniques to catch up. Great damage will happen in the meantime. That scenario assumes rapid ado

Re: Misguided energy

2010-12-02 Thread John Wilcock
On 02/12/2010 11:47, Martin Gregorie wrote: On Thu, 2010-12-02 at 08:28 +0100, John Wilcock wrote: I wish I could say the same - at work we have at least a dozen clients who use challenge/response, and when it's for business you can't just ignore the challenges, let alone blac

Re: Discard spam messages

2010-12-02 Thread John Wilcock
On 02/12/2010 09:57, Massimiliano Giovine wrote: No chance to reproduce this behavior with postfix? Not with postfix on its own, no. SpamAssassin returns a score, you decide what action to take. There are various "glue" systems to do this for you. My personal recommendation would be MailS

Re: Misguided energy

2010-12-01 Thread John Wilcock
On 02/12/2010 01:02, Karsten Bräckelmann wrote: Personally, I have *never* received a legit C/R. Every single one that ended up on my machines have been in response to spam sent with a forged sender address. I wish I could say the same - at work we have at least a dozen clients who use chal

Re: custom rule help

2010-11-24 Thread John Wilcock
On 24/11/2010 09:50, Tom Kinghorn wrote: Subject: =?windows-1252?Q?100%_Finance_with_No_Deposit_Required_:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village?= I would like to match _Stands_in_a_Pristine_West_Coast_Beachside_Security_Village By default, header rules work on the *de

Re: Negative score, yet marked as spam.

2010-11-23 Thread John Wilcock
On 23/11/2010 15:36, Ger Apeldoorn wrote: You are absolutely right! I have disabled this blocklist in the Mailscanner config. (I was under the impression that Mailscanner left all checking to Spamassassin...:( ) While MailScanner *can* check RBLs itself, doing so is only recommended in ca

Re: Perl IO::Socket::INET6

2010-10-06 Thread John Wilcock
On 06/10/2010 17:13, Mark Martinec wrote: Updating to a recent version of IO::Socket::INET6 would probably solve the issue and would be advised anyway - the 2.51 is pretty ancient, from October 2004. Thanks. Updating to 2.63 did indeed solve the problem. I'll file a gentoo bug to get the ve

Perl IO::Socket::INET6

2010-10-06 Thread John Wilcock
Just installed spamassassin on a gentoo box with perl 5.12. sa-update gives: Constant subroutine IO::Socket::INET6::AF_INET6 redefined at /usr/lib64/perl5/5.12.2/Exporter.pm line 64. at /usr/lib64/perl5/vendor_perl/5.12.2/IO/Socket/INET6.pm line 16 Prototype mismatch: sub IO::Socket::INET6::A

Re: FORGED_HOTMAIL_RCVD2 contributing to FP

2010-10-04 Thread John Wilcock
On 04/10/2010 17:02, Kris Deugau wrote: Not sure exactly what this test actually checks (since it's an eval rule I gave up on tracing after the third layer of "$self->callanotherfunction"), but it should not be triggering at all on this set of Received: headers IMO: ... The entire /16 is ass

Re: header To =~ question

2010-06-22 Thread John Wilcock
On 22/06/2010 17:09, David Michaels wrote: I don't mean to be stupid.. and I know that this should be done with sieve but.. Is there an obvious reason this doesn't work? I think it's the "To" that's messing up.. header __GK__PHARMS_01 To =~ micha...@ucrwcu.rwc.uc.edu header __GK__PHARMS_02 S

Re: expedia emails broken, anyone got a contact?

2010-04-22 Thread John Wilcock
On 22/04/2010 15:13, John Hardin wrote: Bayes 50 is neutral and you're scoring it at 0.8? Agreed that's not a good idea. Except that 0.8 is the default score for BAYES_50 under 3.3.0 and 3.3.1... John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Transla

FPs on DOS_HIGHBIT_HDRS_BODY

2010-03-25 Thread John Wilcock
I've seen a few FPs on this rule from genuine ham sent by one of my colleagues using Thunderbird 3.0.4 - not all her mail, but specifically replies to certain messages with UTF-8 encoding. Anyone else seeing this? John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.c

Re: [sa] Re: Bogus Dollar Amounts

2010-02-25 Thread John Wilcock
On 25/02/2010 17:06, Charles Gregory wrote: On Thu, 25 Feb 2010, John Hardin wrote: i still see lot of junk mail coming with different characters, i do not even read them clearly how can i stop those kind of emails Reject languages you can't read at SMTP time? I've been noticing more 'f

Re: Smut spam

2010-01-31 Thread John Wilcock
On 30/01/2010 10:32, Ned Slider wrote: There is already a "from Hotmail" rule in 20_head_tests.cf for use in meta rules that may suffice? header __FROM_HOTMAIL_COM From =~ /\...@hotmail\.com\b/i Bear in mind, however, that not all hotmail users have hotmail.com domains. There are plen

Re: Fuzzyocr and rule errors after upgrade to 3.3.0

2010-01-27 Thread John Wilcock
On 27/01/2010 22:31, Kai Schaetzl wrote: John Wilcock wrote on Wed, 27 Jan 2010 17:43:56 +0100: someone forgot to include 72_active.cf and 80_additional.cf in the sa-update files. Now I understand. However, why am I not getting these warnings with a spamassassin --lint? Presumably

Re: Fuzzyocr and rule errors after upgrade to 3.3.0

2010-01-27 Thread John Wilcock
On 27/01/2010 18:57, Justin Mason wrote: Either someone forgot to delete all these rules, or (more likely IMO) someone forgot to include 72_active.cf and 80_additional.cf in the sa-update files. I think you're dead right. It appears one of the build scripts does the wrong thing with the 3.3

Re: Fuzzyocr and rule errors after upgrade to 3.3.0

2010-01-27 Thread John Wilcock
On 27/01/2010 17:31, Kai Schaetzl wrote: John Wilcock wrote on Wed, 27 Jan 2010 15:27:17 +0100: Me too... 463 of them, to be exact. Do you want to say that you changed the score of 463 rules? No, absolutely not. On this test box I haven't changed the scores of any rules. Ther

Re: Fuzzyocr and rule errors after upgrade to 3.3.0

2010-01-27 Thread John Wilcock
On 27/01/2010 07:30, Ed Kasky wrote: Also - is anyone else getting a lot of "warning: score set for non-existent rule" errors? I ran sa-update after teand continue to get a slew of them... Me too... 463 of them, to be exact. With the exception of ACCESSDB where the score is set to 0 anyway

Re: there goes the uri scripts..

2009-11-02 Thread John Wilcock
On 02/11/2009 18:36, Matt Garretson wrote: Good point. It will be fun when grandma loses her glasses and clicks on a link to ämazon.com or þankofamerica.com That's the real risk here from an anti-spam point of view, and no doubt some new sorts of URI rule will be needed once we see what

Re: anyone collecting French 419 scams?

2009-10-19 Thread John Wilcock
I'd be happy to see them. I'm working on updating the Advance Fee 419 ruleset and your samples would be welcome. Feel free to gzip up a mbox and send it to me. I have a ruleset at http://www.tradoc.fr/spamassassin/fraude_fr.cf that, while it hasn't been actively updated for a while, still hits

Re: Any one interested in using a proper forum?

2009-07-28 Thread John Wilcock
On 28/07/2009 15:31, Mike Cardwell wrote: For those using Thunderbird, I have an addon installed named "Reply to mailing list" which adds a button "Reply list" in between "Reply" and "Reply All" which has been very useful. For that matter, for those using Thunderbird 3.0b3, this feature is b

Re: whitelist_from questions

2009-07-27 Thread John Wilcock
On 26/07/2009 04:00, McDonald, Dan wrote: >From: Robert [mailto:list...@abbacomm.net] >> There are no doubt lots of ways, but how about: >> >> egrep 'whitelist_from[^_]' local.cf | awk '{FS="@"; print $2" >> TXT";}' | xargs dig | grep "v=spf1" >what is this supposed to do? select all o

Re: whitelist_from questions

2009-07-23 Thread John Wilcock
On 24/07/2009 04:09, MySQL Student wrote: I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully. Can't you just look at the scores that the whitelisted messages are getting and see

Re: whitelist_from questions

2009-07-22 Thread John Wilcock
On 22/07/2009 17:48, MySQL Student wrote: So, forever I have been using whitelist_from and have probably a thousand entries. Firstly, before you convert all these to whitelist_from_rcvd, perhaps you ought to ask yourself whether you really need 1000 entries on your whitelist. Does mail fro

Re: SA scores zero... sometimes

2009-07-06 Thread John Wilcock
On 06/07/2009 14:22, RW wrote: http://pelorus.org/spammy.txt > That's odd, I get MISSING_DATE, MISSING_HB_SEP, MISSING_HEADERS, MISSING_MID, MISSING_SUBJECT too, even though all the headers are there. So do I until I get rid of the extraneous carriage return in the following received lin

Re: constantcontact.com

2009-07-03 Thread John Wilcock
On 03/07/2009 12:19, Justin Mason wrote: Going by bug 5905 though, and this report, we should probably remove it from the whitelist. Is there any *clean* way (i.e. something that could be put in local.cf or equivalent in order to override files updated by sa-update) for users to remove thi

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Wilcock
On 30/06/2009 17:16, John Hardin wrote: ... looking at the www peter got an impression of ... (-> www.peter.got?) TLDs are limited and prevent FPs of that particular nature. Sure, but there are lots of ccTLDs that could be confused with English words, never mind other languages. D

Re: A difficult one to weed out?

2009-06-22 Thread John Wilcock
On 21/06/2009 12:04, Jeremy Morton wrote: OK, so I just got one of those www medsXX com spams, and even though it hit my rule and got 2.0 added to it, it still didn't even get over 3 points. Looks like it was sent from quite a legit host. What rules do other people get matching for this e-mail

Re: whitelist_from_spf

2009-05-14 Thread John Wilcock
On 14/05/2009 13:30, Alvaro Marín wrote: It seems that there is a problem resolving DNS records of that domain so I want to whitelist it. If I add: whitelist_from_spf *...@orange.es You're misunderstanding the purpose of whitelist_from_spf. It is intended for whitelisting mail from an addr

Re: Almost no score

2009-04-30 Thread John Wilcock
On 30/04/2009 15:23, Jean-Paul Natola wrote: If anyone can shed some light here , I would appreciate it. ftp://ftp.fcimail.org/IT/SA/headers.txt Content-Type: image/png; name="DSC0080.png" Over the last week or so I'd been having some success looking for this pattern, suggested

Re: my emailBL is live!

2009-04-29 Thread John Wilcock
On 29/04/2009 02:40, Adam Katz wrote: replaces the @ with a dot (not an underscore, that's not a legal character). Won't that pose problems distinguishing between fred.blo...@example.tld and f...@bloggs.example.tld ? John. -- -- Over 3000 webcams from ski resorts around the world - www.s

Re: spam, one line, word attachment, no space ratio?

2009-04-24 Thread John Wilcock
On 24/04/2009 12:55, Michael Scheidell wrote: this spam, http://pastebin.com/m504b4262 one line in email, word document. I didn't see it trigger any of the space ratio rules. Nor me. I also don't see the 'ALL CAPS' rule anymore? I suspect, without having checked the eval code, that sub

Re: interesting flash attack in spam

2009-03-19 Thread John Wilcock
On 19/03/2009 11:27, John Hardin wrote: No reason it shouldn't be. I'd suggest something like a rawbody match on /]/i meta'd with HTML_MESSAGE should be worth a few (dozen) points. FWIW, MailScanner has had the option of disarming and tags for ages. John. -- -- Over 3000 webcams from s

Re: 2 + 2 != 4 - Spamassassin needs a new paradigm

2009-03-04 Thread John Wilcock
On 04/03/2009 10:38, Matus UHLAR - fantomas wrote: I should note that some policy rules and rules with manually updated scores (SPF_PASS, BAYES_*) may need to be exempted from this. We don't want SPF_PASS to generate high positive score, do we? It could probably be argued both ways. There mi

Re: 2 + 2 != 4 - Spamassassin needs a new paradigm

2009-03-03 Thread John Wilcock
On 03/03/2009 17:42, Matus UHLAR - fantomas wrote: I have been already thinking about possibility to combine every two rules and do a masscheck over them. Then, optionally repeating that again, skipping duplicates. Finally gather all rules that scored>=0.5 ||<=-0.5 - we could have interesting

Re: Make a rule to block fake url to pdf files...

2009-01-21 Thread John Wilcock
On 21/01/2009 17:41, Rejaine Monteiro wrote: But, I'm receive a *lot* of spam like this... (another case below) and I don't know how stop this ... Perhaps if you posted a few *complete* samples with *full headers*, others could see which rules are hit and suggest improvements... John. --

Re: Make a rule to block fake url to pdf files...

2009-01-21 Thread John Wilcock
On 21/01/2009 14:23, Rejaine Monteiro wrote: the text suggests a link to a pdf file, but in the truth it is not. In this specific case perhaps, but there's absolutely nothing to stop a legitimate php script (or any other URL for that matter) generating a legitimate PDF file. The only way

Re: SARE Update: 90_2tld.cf

2008-11-05 Thread John Wilcock
Yet Another Ninja wrote: http://www.rulesemporium.com/rules/90_2tld.cf # Last Mod: 11/1/2008 At first I wondered why you were posting now about an update from 11 January - until I realised that this was US date format. How about 2008-11-01 (ISO 8601) as a universal format? John. -- -

Re: Capture -D --lint output

2008-09-11 Thread John Wilcock
Mariusz Kruk wrote: On Thu, 2008-09-11 at 07:53 -0500, Jack L. Stone wrote: Folks, I'm trying to capture/grep specific given info from the subject output, like this: #spamassassin -D --lint | grep database I KNOW that doesn't work, but describes my issue at hand. I've spent an hour+ searchi

Re: How to configure spamassassin to stop unwanted mails

2008-07-23 Thread John Wilcock
score RCVD_IN_NJABL_SPAM 15.0 Thanks for that i did add this rule in local.cf can you tell me what it will do. It will add 15 points (instead of the 2.072 points in the default ruleset) to any messages which are received by a relay in the NJABL blacklist, ensuring that they are pret

Re: Exclude domain from WHOIS_MYPRIVREG?

2008-07-23 Thread John Wilcock
Greg Troxel wrote: What I want, basically is domains_exclude WHOIS_MYPRIVREG nabble.com AFAIK the best you can do is uridnsbl_skip_domain nabble.com which excludes nabble from all URIBL lookups. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Tr

Re: How to configure spamassassin to stop unwanted mails

2008-07-23 Thread John Wilcock
RCVD_IN_NJABL_SPAM In local.cf score RCVD_IN_NJABL_SPAM 15.0 That's a bit drastic - any blacklist can have false positives. In any case only one of the original poster's samples was on that list anyway. I've tried a few of the samples which also hit LOTTERY_PH_004470 (from sa-update to 3.2

Re: seekrules over French spam (was Re: [Rule Set proposal] French Rules

2008-06-24 Thread John Wilcock
Justin Mason wrote: John GALLET writes: Well, thanks for writing it. I think its main weak point for French and other accented languages is handling the different encodings for a same char with an accent, some kind of "synonyms" list. The same letter, say "a with an accent", can be misspell

Re: French advance fee fraud ruleset

2008-06-24 Thread John Wilcock
John GALLET wrote: What happens with the agrave htmlentity ? I mean if the received spam is htmlentity encoded, or mixes utf-8 accents and ascii-htmlentity ? SA deals with that for you. Body rules are applied to text that has already been decoded, so you don't need to take account of html

French advance fee fraud ruleset

2008-06-24 Thread John Wilcock
In a similar vein to the "Nigerian" advance fee fraud, here's a ruleset for French-language scams, often originating from Côte d'Ivoire. http://www.tradoc.fr/spamassassin/fraude_fr.cf All comments welcome. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Tr

Re: Philosophy for opt-in (was Re: [Rule Set proposal] French Rules

2008-06-24 Thread John Wilcock
John GALLET wrote: I think I have a newbie simple problem of philosophy/strategy: my approach, for what it's worth, was that I flag anything that contains some unsubscribe links and French law reminders because anyway all the ones I receive are spam, and I add the opt-in mailing/newsletter I

Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-24 Thread John Wilcock
Yet Another Ninja wrote: If these are hit rates with a very minimal daily corpus, don't know if the present ruleset is ready for production unless you have 0 tolerance for any bulk, period I'm afraid I must agree. I don't have a confirmed and sorted corpus per se, but after a single night'

Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John Wilcock
John GALLET wrote: Any feedback on the results (not enough in corpus, bad rules, good rules, etc.) appreciated. Looking at the rules, I'm worried about false positives on genuine opt-in advertising. I have a number of users who choose to receive all kinds of advertising blurb, so I'll run

Re: TTAB Dismisses Hormel's Petition to Cancel SPAM ARREST Trademark

2007-11-29 Thread John Wilcock
Matt Kettler wrote: You can use generic words in trademarks (ie: Windows). However, the fact that your mark is generic will prevent you from trying to claim infringement against someone using it in a market outside the one you've registered the mark for. You can only do that if your mark is consi

Re: bayes autolearn - nonspam threshold

2007-05-23 Thread John Wilcock
Jim Maul wrote: It is somewhat confusing as if you were to read the documentation, it says the default is 0.1. However, if you were to download SA and install it without any modifications, the value that would be used for this threshold would be -1. Being that devs can release conf changes w

Re: SUBJECT_ENCODED_TWICE really wrong?

2007-04-25 Thread John Wilcock
Andy Spiegl wrote: But the score for SUBJECT_ENCODED_TWICE is pretty high: 1.723 How does that justify? No doubt it is "justified" by the fact that the corpora used to determine SpamAssassin scores don't contain enough non-English-language content. You'll almost certainly find that you wa

Re: How can I reject messages with a wrong fullname.

2007-03-01 Thread John Wilcock
John D. Hardin wrote: That looks kinda fragile in the face of multiple TO addresses. Agreed, though that's not a scenario that I personally see very often. In any case it was only meant as a simplified example from which the original poster could build his own rule. John. -- -- Over 3000 w

Re: How can I reject messages with a wrong fullname.

2007-03-01 Thread John Wilcock
Evan Platt wrote: At 07:10 AM 3/1/2007, Steven W. Orr wrote: Sometimes messages get through but something I see that we could maybe do something about is the full name. If the message is sent to [EMAIL PROTECTED] and joedoe's fullname is Joe Doe, then I'd like to get SA to see that To: Heav

Re: simple TZ test (Re: current stock scams are easy to spot)

2006-11-16 Thread John Wilcock
Michael Scheidell wrote: Maybe extend the regex? I'm using /\s[+-]\d\d(?!00|30|45)\d\d$/ which seems to be working well (though so far all the spam it's hit has been scored pretty high by other rules anyway). John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com

Empty messages hit pyzor and razor

2006-03-06 Thread John Wilcock
One of my users just received a totally empty message from a friend (sent as a test message, but unwisely with no subject or body). This hit EMPTY_MESSAGE and MISSING_SUBJECT for a total of 4.1 points. Fair enough - I've seen plenty of empty spam (presumably due to buggy spamware or as trial r

Re: Spammer style messages ?

2005-07-18 Thread John Wilcock
Brian Ipsen wrote: Recently I've noticed a lot of spammer emails in html format containing entries like: perfume The text/word in the SPAN tags is random Has anyone implemented a rule to assign a high score for messages, which matches this pattern (with the "display: none" style) ?? I u

Re: How can I filter this kind of spam?

2005-07-05 Thread John Wilcock
Craig Jackson wrote: See that return path? The domain ends in .mx I have rule that checks for that type of domain and gives the email 5 points for it. Not all Mexicans are spammers, you know :-) Beware of rules like that which arbitrarily discriminate against foreign countries. In this case

Re: Additional SPAM recognition method

2005-05-24 Thread John Wilcock
Jeff Chan wrote: Is there an SA rule to detect URIs that have ridiculously large numbers of subdomain levels? If not, perhaps it could be useful (perhaps even more useful than wildcard DNS). Note that it may not be feasible to resolve domains found in message body URIs to even detect wildcards.

Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread John Wilcock
Chris Lear wrote: They're in my header0.cf from sare/rules du jour. And in header.cf with a lower score as well. Have I got the wrong files? Methinks you have an old header0.cf that is no longer being updated - these rules aren't in the current header0 on rulesemporium.com. And in any case you sh

Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread John Wilcock
Chris Lear wrote: But today I noticed that several e-mails are hitting both SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251. These are ham, sent from (one specific address in) Ukraine to a Ukrainian in England, written in English. The scoring is such that the e-mail gets a score of 3.333 PLUS 4.0 - so
