Re: very basic SA-Learn performance question: is 90 seconds or so per token really, really slow or roughly normal?

On Mon, 30 Oct 2017 22:35:08 -, David Gessel wrote: 1) sa-learn seems really, really slow. Slow enough that spam sometimes comes in faster. This seems far slower than the benchmark results suggest is within the range of normal. I'm sure I'm doing something really wrong, but not s

Re: Whitelisting amazon where no DKIM_VALID_AU exists

On Wed, 30 Aug 2017 19:54:19 +0100, David Jones wrote: That ab...@amazonaws.com address is on this page: https://aws.amazon.com/forms/report-abuse Surely you can forward as attachment or either paste in the original headers to provide them enough detail to track down their bad customer.

Re: Identifiying PDF phish docs

On Wed, 23 Aug 2017 02:02:58 +0100, Alex wrote: John wrote: clamav? It's too slow to react, particularly when the PDFs are written specifically to reach a domain. Sometimes the PDF will never be detected by any of the antivirus scanners because of this. http://blog.adamsweet.org/?p=250

Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

On Thu, 10 Aug 2017 15:12:11 +0100, Felix Defrance wrote: In the first lines on log, you could see opendkim results are success. Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none That why

Re: Mail::SpamAssassin::Plugin::EmailBL??

On Thu, 27 Jul 2017 08:28:06 +0100, hospice admin wrote: the above plugin doesn't seem to be distributed with the version of SpamAssassin I'm running: spamassassin --version SpamAssassin version 3.4.0 running on Perl version 5.16.3 Also, I can't find mention of a download location anyw

Re: Direct download link detection

On Mon, 24 Jul 2017 23:00:33 +0100, Alex wrote: Link to malicious file removed... Generally not a good idea to post direct links like that. What would be involved in following these links in SA to determine if they immediately download a file (other than a web page)? Testing links in mail

Re: "bout u" campaign

On Mon, 17 Jul 2017 18:38:24 +0100, David Jones wrote: It would be nice if there was a local tool that could be part of the SA project that would extend the masscheck processing and help build content and meta rules. As John's already mentioned, there is a surprising array of tools already

Re: No rule updates since 1/1/17

On Sat, 21 Jan 2017 19:08:39 -, Jari Fredriksson wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John Hardin kirjoitti 20.1.2017 22:38: Collecting spam after RBL filtering is much less helpful to masscheck. Ideally your spam corpus is from a totally unfiltered feed. However, even i

Re: No rule updates since 1/1/17

On Sat, 21 Jan 2017 16:35:12 -, David Jones wrote: I think the "barrier to entry" is too difficult for most. I would have to setup a new MX on a domain without MTA checks (DNS and RBL) then create a honeypot email address to attract spam if I didn't have established recipient addresse

Re: No rule updates since 1/1/17

On Fri, 20 Jan 2017 19:02:09 -, Tom Hendrikx wrote: I think I can say the same about my platform, but since this issue keeps popping up I just applied for an account just to find out if my contribution could help. I can't speculate so I'm just gonna try if it helps :) Top move, it's defin

Re: No rule updates since 1/1/17

On Fri, 20 Jan 2017 17:26:01 -, Bill Keenan wrote: What is the fix needed so /usr/bin/sa-update starts getting updates? I too have not received an update from updates.spamassassin.org since 1-Jan-17. Besides updates.spamassassin.org

Re: .info TLD gives 2.1?

On Mon, 21 Nov 2016 19:00:59 -, Alex wrote: The part I was unsure of was if those 2.1 points were warranted because I've only ever seen it in ham. Now I understand that it is. http://ruleqa.spamassassin.org/ is a very good source for understanding how rules get the scores they do. It

Re: Custom rule based on AWL score

On Fri, 21 Oct 2016 11:48:41 +0100, simplerezo wrote: very unknown users can't by definition hit AWL. That's why my wanted rule is score(AWL) > -1 : all users that have not yet send enough not-spam mails can not, for example, send me invoices as zip attachment (yes, there is some big com

Re: DKIM Score

On Tue, 16 Aug 2016 09:00:12 +0100, Merijn van den Kroonenberg wrote: Besides, can I change the lines as following? header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i header __DKIM_REQUIRED From:addr =~ /\@( exa

Re: R: R: R: A plugin to legitimate email when SPF and DKIM missing

On Tue, 09 Aug 2016 16:43:50 +0100, Nicola Piazzi wrote: WHITELIST_FROM_RCVD require to know mailserver name Take this example : whitelist_from_rcvd *@axkit.org sergeant.org We want to accept all domain axkit.org and we are sure that is not spoofing when it come from names that end w

Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote: Hi A lot of time we receive mail that are SPF NONE and have no DKIM Il will be useful a little plugin that be able to give another chance to legitimate these emails A lot of servers use the same machine to send and receive emails, Pl

Re: eval:check_uridnsbl to check subdomains

On Fri, 05 Aug 2016 19:17:16 +0100, robertboyl wrote: .com.br afaik is TLD nibo.com.br is a 2tld conteudo.nibo.com.br a 3tld Your counting is off: .br is a top level domain - ref: http://www.iana.org/domains/root/db .com.br is a 2nd level domain .nibo.com.br is a 3rd level domain Adding n

Re: Advice: why one relay evaluated and not the other

On Wed, 08 Jun 2016 13:49:17 +0100, jimimaseye wrote: Regarding the range: the range belongs to our mail host provider who receive the emails then pass them amongst their own servers (doing their own teats no doubt). Plus they dont have just the one address - an incoming emial can land at a

Re: Advice: why one relay evaluated and not the other

On Wed, 08 Jun 2016 13:07:14 +0100, jimimaseye wrote: I did try adding the "internal_networks 195.26.90. " option to my LOCAL.CF before, and in fact I have just tried it again based on your advice, but it doesnt make any difference. Here are the headers with * internal_networks 195.26.

Re: Advice: why one relay evaluated and not the other

On Wed, 08 Jun 2016 07:22:19 +0100, jimimaseye wrote: 1, You can see that Spamassassin considered and evaluated the IP address 195.26.90.72 (as reported in its report). Now this is the SECOND received header in the list. And yet it doesnt evaluate the most recent (first on list) [195.26

Re: malware campaign: javascript in ".tgz"

On Thu, 21 Apr 2016 14:33:01 +0100, Chip M. wrote: Starting about two hours ago, about 40% of my real-time honeypot spam is a new malware campaign. About a third are hitting "BAYES_00", with about 10% of all having negative SA scores. :( I've just checked 4 that score between 10.1 and 14.9

Re: def_whitelist_auth inconsistencies

On Wed, 23 Mar 2016 17:21:32 -, John Hardin wrote: On Wed, 23 Mar 2016, Kevin Golding wrote: Even transcribing it for the list I used the new domain instead of the original rule. I was going to ask about that, but I figured it was just a typo so I didn't. Never underestima

Re: def_whitelist_auth inconsistencies

On Wed, 23 Mar 2016 16:33:16 -, Matus UHLAR - fantomas wrote: On 23.03.16 16:06, Kevin Golding wrote: Well the whitelisting failure was the first debug I posted, to clarify. When using (only): def_whitelist_auth *@*.bbcmail.co.uk The debug is: Mar 23 11:17:44.805 [15610] dbg: dkim

Re: def_whitelist_auth inconsistencies

On Wed, 23 Mar 2016 15:38:33 -, RW wrote: On Wed, 23 Mar 2016 14:36:08 - Kevin Golding wrote: On Wed, 23 Mar 2016 14:04:03 -, RW wrote: > On Wed, 23 Mar 2016 13:45:29 - > Kevin Golding wrote: > >> On Wed, 23 Mar 2016 12:30:43 -, Matus UHLAR - fan

Re: def_whitelist_auth inconsistencies

On Wed, 23 Mar 2016 14:04:03 -, RW wrote: On Wed, 23 Mar 2016 13:45:29 - Kevin Golding wrote: On Wed, 23 Mar 2016 12:30:43 -, Matus UHLAR - fantomas wrote: > On 23.03.16 11:56, Kevin Golding wrote: >> I can't figure this one out so I'll throw it out. >&g

Re: def_whitelist_auth inconsistencies

On Wed, 23 Mar 2016 12:30:43 -, Matus UHLAR - fantomas wrote: On 23.03.16 11:56, Kevin Golding wrote: I can't figure this one out so I'll throw it out. When receiving mail from the address b...@e.bbcmail.co.uk def_whitelist_auth *@*.bbcmail.co.uk # is not whitelisted

def_whitelist_auth inconsistencies

I can't figure this one out so I'll throw it out. When receiving mail from the address b...@e.bbcmail.co.uk def_whitelist_auth *@*.bbcmail.co.uk # is not whitelisted whitelist_from_dkim *@*.bbcmail.co.uk # is whitelisted Now I thought this a bit odd since the docs say: Using whitelist_auth is

Re: DOS_OUTLOOK_TO_MX and fp

On Sat, 05 Mar 2016 04:09:55 -, David B Funk wrote: On Fri, 4 Mar 2016, Alex wrote: I have a legitimate mail that received 2.8 points, making it spam, as a result of what appears to be a false positive with DOS_OUTLOOK_TO_MX http://pastebin.com/dbm2Q4k6 There doesn't seem to be any des

Re: txrep and bayes_sql_override_username

On Thu, 25 Feb 2016 16:47:05 -, bOnK wrote: I'm using bayes_sql_override_username. Mysql userpref: @example.combayes_sql_override_usernameSomeName Table bayes_vars uses SomeName for all users @example.com, but txrep seems to ignore this setting and uses u...@example.com Am I mis

Re: TxRep Template Tags staying as tags

On Thu, 31 Dec 2015 13:52:45 -, Kevin A. McGrail wrote: On 12/30/2015 4:52 AM, Kevin Golding wrote: Simplest option is submitted: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7280 Agreed. It's a good pointer since I never paid attention to it before. Interestingly in submi

Re: TxRep Template Tags staying as tags

On Tue, 29 Dec 2015 17:17:38 -, Kevin A. McGrail wrote: On 12/29/2015 7:18 AM, Kevin Golding wrote: The big thing I've confirmed is the _Y part of the tag is redundant for me, since I see the following in debug: dbg: check: tagrun - tag TXREP_EMAIL_IP is now ready, value

Re: TxRep Template Tags staying as tags

On Mon, 28 Dec 2015 18:21:35 -, Kevin A. McGrail wrote: On 12/24/2015 10:04 AM, Kevin Golding wrote: I know I'm a bit weird but I like stuffing headers with all kinds of data like I'm stuffing a turkey for Christmas, but I've never been able to get anything showing u

TxRep Template Tags staying as tags

I know I'm a bit weird but I like stuffing headers with all kinds of data like I'm stuffing a turkey for Christmas, but I've never been able to get anything showing up for TxRep (it is referenced in _TESTSSCORES_ but none of the TxRep specific ones seem to convert). I feel I can't be the only

Re: DNS lookups fail with SpamAssassin since Net::DNS 1.03

On Wed, 16 Dec 2015 16:13:03 -, Ian Eiloart wrote: On 16 Dec 2015, at 16:09, Reindl Harald wrote: Am 16.12.2015 um 17:00 schrieb Ian Eiloart: On 16 Dec 2015, at 15:30, Kevin A. McGrail wrote: Downgrade tour netdns. There were changes in 1.03 that are fixed in trunk. Regards, K

Re: Spamassassin SPF plugin headers

On Wed, 18 Nov 2015 14:37:38 -, Elod G wrote: The SPF plugin is already checking for the the standard Received-SPF and Authentication-Results headers. Those headers are added by the SPF policy server and used by other milters. It is just the SA milter that is not finding them because of a m

Re: spam with url redirects

- Original Message - > From: "michael reimer" > To: users@spamassassin.apache.org > Sent: Friday, 14 August, 2015 7:44:33 AM > Subject: spam with url redirects > > X-Spam-Status: No, score=2.999 tagged_above=2 required=6.9 > > tests=[DATE_IN_PAST_96_XX=2.07, HTML_MESSAGE=0.001, > > MIM

Re: SOUGHT 2.0 ?

On Thu, 13 Nov 2014 02:17:54 -, Ian Zimmerman wrote: On Sat, 01 Nov 2014 10:06:57 -, "Kevin Golding" wrote: Kevin> So anyone else want to raise their hands? It depends. Would I mind a bit of regular maintenance work? No, I wouldn't mind. Would I mind a major c

Re: SOUGHT 2.0 ?

On Thu, 30 Oct 2014 20:10:22 -, Bob Proulx wrote: Axb wrote: It would be nice to be able to use this experience to replace the SOUGHT rules for everyone BUT: ... All very good, reasonable and understandable reasons. And those reasons also aply to me too. Insert all of those reasons i

Re: Checking Rules

In article <4b827244.2060...@caos.uab.es>, Personal Técnico writes >Another question: is there any way for configuring SA for getting a >detailed score of rules in a mail when "X-Spam-Status: No". By default, >SA does a detailed score when mail is marked as SPAM, but not in HAM cases. add_heade

Re: Pipe characters in From and To's

In article <20100212103757.4dde0...@goof.off.knossos.net.nz>, Spiro Harvey writes >So I'm just wondering if others encounter this with enough regularity, >and if so what your thoughts and advice are. I don't particularly want >to add rules into sendmail, so SA is my avenue of choice. I've seen a

Re: Should I block Experian/Free Credit Report

In article <4b5b125e.2050...@perkel.com>, Marc Perkel writes >This is a tricky decision. What they Free Credit Report / Experian is >doing is fraudulent. Although they aren't stealing they way phishers >are, just because they aren't just as bad. In fact I suspect they rip >off far more people t

Re: Museum piece...

In article <64de5c8b0912162232k1482d588y8ebe065f17c45...@mail.gmail.com> , Rajkumar S writes >On Thu, Dec 17, 2009 at 10:05 AM, McDonald, Dan > wrote: > >> I miss my Ohio Scientific C3. I had a Tektrinix 4027 terminal with more ram >> than the computer. > >Just wondering if any one here started of

Re: FP on blacklist hostkarma

In article <4b22a350.1030...@perkel.com>, Marc Perkel writes > >Kevin Golding wrote: > >> bigfootinteractive.com. 3600IN TXT "v=spf1 >> ip4:206.132.3.0/24 ip4:206.132.1.0/24 ip4:216.35.62.0/25 >> ip4:216.33.63.0/24 ip4:2

Re: FP on blacklist hostkarma

In article <4b226758.90...@perkel.com>, Marc Perkel writes >If you have any other domain names for me to list let me know. I'm >always looking to expand my white lists. shop.marksandspencer.com is one I always see hitting black, and SPF_HELO_PASS so... shop.marksandspencer.com. 86400 IN

Re: All emails being tagged URIBL

In article , David Hasbrouck writes >I am having an issue where all my emails are getting tagged with >URIBL_RED/GREY/BLACK.  Emails that contain invalid domains in them >are also getting tagged. > >From the information I have found, to test this, I should lookup >the domain

Re: sought rules updates

In article , LuKreme writes >The gpg installed on my FreeBSD does not have a man page (installed by >ports for SA3.2.5, IIRC), just a --help which says the syntax is: Logically you have security/gnupg installed which means... %ls -l /usr/local/bin/gpg* lrwxr-xr-x 1 root wheel 4 Oct 15

Re: I'd like to get my blacklist/whitelist included in SA

In article <[EMAIL PROTECTED]>, Marc Perkel <[EMAIL PROTECTED]> writes >What kind of license do I need to provide to be SA compatible? I'd imagine the line "anyone who uses our lists or our data either directly from us or indirectly through a third party grants us a license for us to use your data

Re: Lots of "scam" messages getting through SA

In article <[EMAIL PROTECTED]>, ram <[EMAIL PROTECTED]> writes >But ultimately this boils down to end user education. >Recipients must realize that no one from Africa is going to transfer all >the millions of dollars in an unknown account , or there is nothing >called as a national lottery in the

Re: new google trick: "docs"

In article <[EMAIL PROTECTED]>, Chip M. <[EMAIL PROTECTED]> writes >A brief search shows this actually started at least a month ago: > http://chris.pirillo.com/2007/01/16/google-docs-spam/ Erm, that's from 13 months ago :-) Kevin

Re: Time to make multi.uribl.org optional rather than default?

In article <[EMAIL PROTECTED]>, Andy Dills <[EMAIL PROTECTED]> writes >I must be stupid, I'm not able to invent an explanation that doesn't >involve a profit motive. I think it's very safe to assume that URIBL is not profit making and never likely to be so. >providing free service (in theory) t

Re: Russian and Chinese spam rulesets?

In article <[EMAIL PROTECTED]>, Eray Aslan <[EMAIL PROTECTED]> writes >Some Russian and Chinese spam (especially Russian) is making its way to >our users inboxes. We do business with those 2 countries. >Consequently, lots of legitimate emails go back and forth so that I >cannot just bump up the sc

Minor FP on ham with logo - 5.173

I've had a few FPs on a legitimate mail from someone who apparently enjoys large fonts and a logo. I'm using network tests but not bayes and these are the stock rules being hit along with their scores from sa- update: EXTRA_MPART_TYPE0.815 DK_POLICY_SIGNSOME 0.001 TVD_FW_GRAPHIC_ID1 2.100 H

Re: Breaking up the Bot army - we need a plan

Someone, quite probably John Rudd, once wrote: >Kevin Golding wrote: >> In article <[EMAIL PROTECTED]>, John Rudd <[EMAIL PROTECTED]> >> writes >>> I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. >> >> Registrant: &g

Re: Breaking up the Bot army - we need a plan

In article <[EMAIL PROTECTED]>, John Rudd <[EMAIL PROTECTED]> writes >I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. Registrant: eBay Inc. 2145 Hamilton Avenue San Jose, CA 95125 US Domain name: EMAILEBAY.COM Registrar of Record: TUCOWS, INC. Record last updat

Re: Easyjet e-mail scoring very high

In article <[EMAIL PROTECTED]>, David B Funk <[EMAIL PROTECTED]> writes >FYI, easyjet.com appears to have a valid SPF record, so > > whitelist_from_spf [EMAIL PROTECTED] > >should also work with out the hastle of trying to stay ahead >of mailserver changes. Unfortunately it looks like savvis.net

Re: Percentage of email that is spam after filtering?

In article <[EMAIL PROTECTED]> , Kelly Jones <[EMAIL PROTECTED]> writes >I know that most (90%+) email sent now is spam, but what are the >numbers for people who use spam filtering? > >I realize it varies by user, sensitivity to false positives, tools >used, etc, but do people who use spam filterin

Re: I've got TORA.08 spelled with numbers?

In article <[EMAIL PROTECTED]>, Jeff Moss <[EMAIL PROTECTED]> writes >I'm getting a bunch of spams this morning that have >TORA.08 spelled out with numbers like this. There's another version too. To get around the rather obvious rule they enlarge the text, although that goes beyond their mailers

Re: ALL_TRUSTED creating a problem

Someone, quite probably Jo Rhett, once wrote: >Kevin Golding wrote: >> FWIW I've run SpamAssassin on a bog-standard, normal, plain, old- >> fashioned FreeBSD box sitting in a rack with a public IP, no NAT, no >> patches, and no pixies or faeries. Auto-detection w

Re: ALL_TRUSTED creating a problem

In article <[EMAIL PROTECTED]>, Jo Rhett <[EMAIL PROTECTED]> writes >These arguments are getting sillier and sillier. I'm asking why it >doesn't work in a plain-jane do-nothing normal public box not behind >a NAT. And every argument so far has been some strange configuration >that is very c

Re: How can I (we) get rid of this?

In article <[EMAIL PROTECTED]>, DAve <[EMAIL PROTECTED]> writes >I really don't want to install X on my mailgateways. It would have to be >as good as URIBL and SURBL before I would consider that. > >Is there a way around the dependencies? The FreeBSD port shows the >following, xorg-libraries-6.9.

Re: White List and Yellow List DNS Servers - Proposal

In article <[EMAIL PROTECTED]>, Marc Perkel <[EMAIL PROTECTED]> writes >The idea of this is to improve the blacklisting be creating lists to >reduce false positives. For example, spamcop has a problem were they >sometimes block earthlink and google servers because those servers send >some spam.

Re: Mail from btinternet outlook express users tagged as FORGED_MUA_OUTLOOK

In article <[EMAIL PROTECTED] c.ac.uk>, brandon pearson (BITS) <[EMAIL PROTECTED]> writes >SpamAssassin version 3.1.1 > >We are getting valid mail from outlook express users on btinternet >tagged as FORGED_MUA_OUTLOOK. It looks to me like spamassassin does not >identify the message-id as an outlook

Re: Which Operating Systems Do You Use and Why?

In article <[EMAIL PROTECTED]>, Mike Jackson <[EMAIL PROTECTED]> writes >> The question is does FreeBSD make binary package updates, or are security >> updates source-patch only. > >From what I've observed, the base OS updates are source-patch only, at least >until the next full FreeBSD release. A

Re: V*I*A*

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] online.de writes >I just received some spam built like >V some words I >more text I >Is there any way to detect these? Working on the logic that display:none is highly unlikely to ever appear in ham I have the following rule, albeit scored fairly

Re: German Spam followup

In article <[EMAIL PROTECTED]>, Loren Wilton <[EMAIL PROTECTED]> writes >> Since I have legitimate users communicating all over the world, I am >> very interested in other rulesets that would block spam in languages >> besides English. Not sure how big of a problem this is - I know we get > >I beli