dear friends,
had a few questions
1) what is the sequence based on which the rules are processed ?
is there any documentation on this ?
how is the rule number example 20_dnsbl_tests.cf or 25_uribl.cf related to the
sequence of rule processing ?
2) is there a way by which if a specific rule is
seem to hit
UriRBLs (centuryfear.guru:SURBL,SURBL,URIBL,SPAMHAUSDBL)
or
PreRBLs (TRUNCATEGBUDB,BLOCKLISTDE)
they get denied instantly
Did you try contacting via abuse?
M. Omer GOLGELI
---
August 31, 2020 8:15 AM, "Bill Cole"
wrote:
> On 30 Aug 2020, at 3:02, Anders Gustafsson
mass mailing without checks is the better
approach IMO.
M. Omer GOLGELI
August 22, 2020 10:17 AM, "Benny Pedersen" wrote:
> @lbutlr skrev den 2020-08-22 08:03:
>
>> On 21 Aug 2020, at 14:15, Benny Pedersen wrote:
>>> blacklist_from *+14927644-*
>>
>
July 22, 2020 11:46 AM, "M. Omer GOLGELI" wrote:
> Like Laura questioned,
Oops!
/Laura/Loren/ my bad...
--
M. Omer GOLGELI
t option) just shut the f*ck up,
July 22, 2020 10:39 AM, "Noel Butler" wrote:
> if you dont like democracy at work (ppl having their say) , then you fuck off
Both of you are acting like children. Well done.
Nice language BTW.
--
M. Omer GOLGELI
Congrats on derailing another post needlessly.
M. Omer GOLGELI
July 15, 2020 12:41 AM, "Antony Stone"
wrote:
> On Tuesday 14 July 2020 at 23:23:29, Martin Gregorie wrote:
>
>> On Tue, 2020-07-14 at 22:59 +0200, Antony Stone wrote:
>> On Tuesday 14 July 2020
OSS mail product and
doesn't know that there's such a limit etc.
So for that matter, maybe these can be left for the admins decision to enable
them after installation.
Or all users should be made aware of these limitations in a better manner and
clearly for each semi-commercial RBL used.
M. Omer GOLGELI
n unknowingly using it and weren't aware of the limits.
But maybe this kind of RBLs shouldn't be on by default due to their commercial
nature and must be left to the user to activate after installation.
M. Omer GOLGELI
o the same category
coincidentally because even if the mail addresses do not exist, you can not get
out of the list and can't report address as fake)
--
M. Omer GOLGELI
May 29, 2020 6:40 PM, "@lbutlr" wrote:
> How do people deal with lists that a user subscribed to that
nitor the number of outgoing messages and notify you if
there's a sudden surge of mail requests.
M. Omer GOLGELI
---
AS202365
https://as202365.peeringdb.com
https://bgp.he.net/AS202365
NOC:
Phone: +90-533-2600533
Email: o...@chronos.com.tr
March 3,
On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample
This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you
As requested:
http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
I MUNGED the "To".
It's the latest of two sent to me by an awesome volunteer. :)
First thoughts:
Both were base64 encoded.
Both have "disclaimers" that they're not terrorists. :roll-eyes:
John Hardin: I'll ask
Ditto to what John said, however, thanks for the spample Mark. :)
Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.
Your posted spample is quoted-printable, and should have been
There's a new morph of the porn extortion campaign, with some
interesting under-the-hood changes.
The previous ones were always:
- two "quoted-printable" parts (plain text, html)
- "From" Outlook accounts
- sent via Outlook/Hotmail/MS IPs (no other IPs in route)
- passed both DKIM and SPF
The new
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith wrote:
> Testing despite these errors the only rule I'm getting a hit on from KAM
> is JMQ_SPF_NEUTRAL_ALL
Andy, thanks for the very useful spamples! :)
Could somebody do a sanity check on the SPF record for
"ballybofeycarpets.com"?
I get a PermEr
On Tue, Oct 31, 2017, David Jones wrote:
>Add the Lashback RBL. I am trying to get this added to the default SA
>rules. See my post on 2017-10-17 in the following link and increase the
>scores after some testing.
David, after your Lashback post, I had added it to my FP pipeline
(i.e. run fro
Starting Monday late pm (Iowa time), I've been seeing my first DDE
exploits, with significant volume.
Here's a spample, with only the account part of the To header munged:
http://puffin.net/software/spam/samples/0056_dde_auto.txt
The MIME part Content Types are all of the same form, with o
hello
how do we mark such email as spam where our customer is sent an email asking
user to verify account to prevent the account being disabled.
i have provided below the source of such emails.
#
Hi metal@mycustomer.net.in ,
Recently we received some notifications r
KAM, thanks!
I took a look at your rules, and like your scoring. :)
Over my years, I've seen enough BBB scare campaigns which use
shorteners, that perhaps it would make sense to add "KAM_SHORT"
to your additive list of metas (I forget what that's called).
To all the other repliers:
Thanks for your
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").
Here's some sample Locations returned by HEADing the shorteners:
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/repor
hi
we are constantly getting spam which has the following in the body of the email
dear u...@domain.com
where u...@domain.com is the mailto email id ie our customer's email id
is there a way to mark emails containing the mailto email id in the body of the
email as spam ?
normal email communic
Just spotted my first snow with the TLD ".jetzt".
It's selling for $1.88 at NameCheap so should become widespread.
On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote:
>We get some (very little) real mail from info, biz, and name domains.
>All the other new domains are on a "prove you're not
Alex, thanks for the spample!
I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.
On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show
>most
SpamAssassin caught this phish, however some tweaks would have
let it thru, and it's an interesting new (to me) approach, so I
figured I'd share it with y'all.
Full raw spample (with MUNGED email addresses):
http://puffin.net/software/spam/samples/0053_phish_image.txt
At arrival time, the
On Sun, 25 Sep 2016, RW wrote:
>If you mean you poison-pill anything with a redirect, then this
>doesn't seem all that clever because tinyurl is such a well known
>shortener.
I poison pill by default, not always. :)
If the arrival time HEAD is a redirect to a "skip" listed domain,
the poison pill
Here's a spample of a well done "Dropbox" Phish sent thru Gmail,
containing a custom URL shortener which (apparently) did _NOT_
exist at message arrival time:
http://puffin.net/software/spam/samples/0045_shortener_phish.txt
I MUNGED the To & From headers, however I left the original From
do
On Fri, 16 Sep 2016, John Hardin wrote:
>Chip, could you send me some spamples of non-image data: messages
>offlist? The only ones I have anywhere are images.
Sent last week - thanks for your ongoing work on this John! :)
After that request, I decided to add (in my post SA filter)
a minimally sc
John,
thanks a TON for your efforts! I was afraid this would be hard
to catch. :(
On the bright side, the campaign has been morphing, and they are
now (IMO) much less enticing, which is a partial victory. :)
** Update:
The emails have gone thru two more significant morphs, first with
To.Realname
On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the
>sender's domain and your organisation's domains, e.g. by building a
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
>That could be done for a small number of
On Thu, 8 Sep 2016, John Hardin wrote:
>Yes. Given that ID on the first line the corpus owner can find the message
>in question, review it, potentially fix misclassifications (that has
>happened before), etc.
Shiny - that sounds perfect! :)
>There's one more exclusion I can add that will take o
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing
That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).
However, the vast majority of those TLDs
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated. Any & all TLDs that have
>sent > 100 messages within the last year *AND* have a
Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on
Spample:
http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt
I removed 19 (of 20 original) email addresses out of the
To header, ST:TOS munged all remaining email addresses, and
munged the target URL to match the other mungings.
Everything else is exactly as received, im
On Sat, 3 Sep 2016, John Hardin wrote:
>I've tweaked the FP avoidance a bit, maybe that will be enough
>to get the S/O up high enough to publish it.
John, do you have any detailed info about the Ham hits?
I just datamined my three best corpora, from the beginning of
2014 thru this weekend, and fo
Freshly caught Spample:
http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt
The only munging was inserting ".EXAMPLE" between "wellsfargo"
and ".com".
Four years ago, I read this fascinating article:
http://isc.sans.edu/diary/%22Data%22+URLs+used+for+in-URL+phishin
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa
Alex, thanks for the spa
Thanks for all the lists and references, everyone! :)
+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).
*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been snowballin
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send and email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client, the
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.
+1
We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".
Thanks Andreas! :)
Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unuseable web form
(i.e. the Google model of prev
Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.
It came From a known friend at "swbell", who normally sends t
Thanks guys, for all the helpful info and sanity checks! :)
Sorry about the Message-ID munging - I get some really useful
malware at that domain but no ham, and am a bit paranoid about
losing that feed.
Followup:
>I had considered anchoring the MIME string, however we have a
>very powerful quar
Starting about two hours ago, about 40% of my real-time
honeypot spam is a new malware campaign. About a third are
hitting "BAYES_00", with about 10% of all having negative SA
scores. :(
Full spample (with munged email addresses):
http://puffin.net/software/spam/samples/0040_mal_tgz.txt
T
Starting about two hours ago, more than 80% of my real-time
honeypot spam is a new malware campaign.
Full spample (with redacted/munged email addresses and
Message-ID):
http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt
This is a variation on an XML file malware campaign that b
hi
we are using qmailtoaster with spamassassin
currently the spamassasin log details show as such
is it possible to log the detailed information in the log files ?
ie sender email , recipient email spam rules applied and the spam score.
thanks,
rajesh
hi
i am using qmailtoaster on centos6.6 64 bit
is there a way to have detailed logging for spamassassin
which includes the sender and the recepient and the scan result.
my current logs are as such which does not show the
Jun 19 18:31:45 ns1 spamd[48983]: spamd: connection from localhost [127.0
hi
is there anyway to check the size of emails or count the number of characters
in an email using spamassassin ?
basically i wish to mark emails that are less than 2 kb in size with long links
in them as spam since they mostly spam.
also is there any way to check if a word / excel document co
hi
am using qmailtoaster, centos 6 - 64 bit with spamassassin, dovecot, vpopmail,
spamdyke, squirrelmail
dell server : intel hexcore 2.2 ghz proc, 16 gb ram
i have several such servers.
on one of my servers all of a sudden there was a high cpu utilization which
continued the whole day -- all
I use amavis-new and block based on file type. My users should never get legit
executables via email, so they are sent to a quarantine.
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types,
hi
i am using qmailtoaster
when the emails are sent to specified recepients via bcc then there is a header
Delivered-To created which i tried to use to check
however spamassassin does not seem to check Delivered-To header
what could be the problem ?
rajesh
- Original Message -
From
hi
i have an email id : u...@abc.com
now i need to set a rule such that u...@abc.com can receive emails only from
specific external domains and rest all should be rejected as spam
i have set a rule as such
header MYDOMAIN_A ToCc =~ /\b(?:test\@mydomain\.com)\b/i
header MYDOMAIN_B Delivered-To
2014-09-10 10:17 GMT-03:00 Antony Stone
:
> On Wednesday 10 September 2014 at 14:56:06 (EU time), M. Rodrigo Monteiro
> wrote:
>
>> Hi. Here is my scenario:
>>
>> Internet -> MX (Postfix) -> Relay (Postfix + Amavis with SpamAssassin) ->
>> Zimbra
>
2014-09-10 10:23 GMT-03:00 David F. Skoll :
> Option 2 is to accept the message unfiltered, split it into multiple copies,
> and remail each copy so it can be scanned per-recipient. This avoids
> the delay, but it also means you cannot reject spam with a 5xx SMTP failure
> code or you'll be blackl
Hi. Here is my scenario:
Internet -> MX (Postfix) -> Relay (Postfix + Amavis with SpamAssassin) -> Zimbra
In SpamAssassin, I have a whitelist/blacklist. All the e-mail passes
through, but Spams are taged (header and subject).
My problem is that when an e-mail comes to multiple destinations and
o
himy spamassassin version is : 3.2.5the body content message source is like this. how to i block theseᏟоmрlеtе thе Κоhl'ѕ Survеу!Ꮯlаіm уоur $25 Κоhl'ѕ Gіft Ꮯаrd!Ꮃіntеr іѕ hеrе аnd thе wеаthеr іѕ chіllу, fаll fаѕhіоn hаѕ ѕlоwlу chаngеd tо wіntеr fаѕhіоn. Κоhl'ѕ Ьrіngѕ уоu аmаzіng nеw ѕtуlеѕ wіth іtѕ
hiwe are getting spam with a lot of hashes &Ꭼmаi checked out KAM.cf but not able to trap such emailsany solution please ?thanksrajesh
2014-07-29 13:18 GMT-03:00 Benny Pedersen :
> disabling html postings with big signature could be a start?
>
How does disabling html helps me?
If you do have the answer for what I've asked, then it's fine to respond my
question, like Axb did.
If not, please don't bother to answer.
Sent with Aqu
Hi.
How can I bypass this check only for my domain, say mydomain.com?
M. Rodrigo Monteiro
<http://twitter.com/MarcioRodrigoM/>
<http://www.facebook.com/mrodrigom/>
<http://br.linkedin.com/pub/m%C3%A1rcio-rodrigo-de-oliveira-monteiro/28/491/3b8>
<http://foursqua
kevincan you please post the kam.cf file online ?i understand some basics but am not good at these. rajesh- Original Message -
From: Kevin A. McGrail [mailto:kmcgr...@pccc.com]
To: axb.li...@gmail.com,users@spamassassin.apache.org
Sent: Wed, 23 Jul 2014 08:31:28 -0400
Subject: Re: block new
/23/2014 09:09 AM, Rajesh M. wrote:> hi>> we are getting spam with long url links to external websites. some times the> links are hundreds of characters long.>> few examples given below>> basically i need to block any url which contains several alphanumeric characters> at t
hiwe are getting spam with long url links to external websites. some times the links are hundreds of characters long.few examples given belowbasically i need to block any url which contains several alphanumeric characters at the end.http://domainname.com/dfd/b7e7c7f=a5d66e_a4404d9is there any rule
hiwe are getting spam with long url links to external websites. some times the links are hundreds of characters long.few examples given belowis there any rule to block these ?basically i need to block any url which contains several alphanumeric characters at the end.http://x.com/uquote/b7e7c7f9
Good morning.
I can also confirm that the rules were updated on my server.
Thanks!
Hello! I'm using Spamassassin 3.3.1-2 on two of my servers.
Recently I've noticed that there haven't been updates on both channels I use
(updates.spamassassin.org and
sough.rules.yerp.org).
Does this mean that there won't be any more updates for version 3.3.1-2?
Thanks and regards!
David
Hi.
How to create a rule to tag e-mails from *@word.*.com.br?
This is what I tested:
header TEST From =~ /.*\@word\..*\.com\.br/i
SA 3.4
M. Rodrigo Monteiro
<http://twitter.com/MarcioRodrigoM/>
<http://www.facebook.com/mrodrigom/>
<http://br.linkedin.com/pub/m%C3%A1rcio-rodr
James, are these botnet or "snowshoe" spam?
When you get a chance, please provide some spamples (pastebin or
elsewhere), as Kevin recommended. Please mung JUST the email
addresses (e.g. change all email domains to "example.com", and
change the victim account name to "victim"). If the victim
acc
t; got hit: "e-mail"
= SA log =
= mail header =
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
xx.x.xxx
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.0 tests=HTML_MESSAGE,T_REMOTE_IMAGE
shortcircuit=no autolearn=ham autolearn_force=no version=3
Thanks Alex! :)
As Alex's rules imply, it switched over to 100% image spam
(in my spamtraps), and continued its excellent syncing.
Just on April 11, the volume more than tripled, and it hit many
different spamtraps than all previous days. Some of those traps
had never been hit before, and/or are
block (~2K chars) of Bayes salad.
EACH salad and image filename is completely different.
They do not contain unsubscribe links, or any "extra" headers.
The Message-ID always ends with the victim's domain name,
NOT the sender (the HTML versions contain standard botnet M-IDs).
All are
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
customers.
One was from "Marriott Rewards" with terse SA report:
score=0.9 requi
-Original Message-
From: Kris Deugau [mailto:kdeu...@vianet.ca]
Sent: Monday, June 10, 2013 2:21 PM
To: spamassassin-users
Subject: Re: Large # of Spam getting through all of a sudden.
>*nod* I recently flagged them as a nuisance netblock owner in the
>internal DNSBL[1] here. I've been
On 6/10/2013 2:45 PM, Duncan, Brian M. wrote:
> I rarely have seen any SpamAssasin hits on the bodies of these messages.
>
> (cached, score=-0.125,required 6.5, autolearn=not spam,
> RP_MATCHES_RCVD -0.12)
Do you train the Bayes database manually? Or via autolearn only?
There's a new (to me), overly clever campaign combining Google
Translate with a URL shortener. It's fairly low volume, but most
are sailing thru SA. It's such a goofy pattern it feels like it's
worthy of an Extinction level score. :)
These started yesterday (Dec 9) at around 2am Eastern US time
Hi Alex!
Actually, that's a Snowshoe IP.
Which, on balance, can be a good thing, slaying-wise. :)
Almost four years ago, I posted my approach to snowshoe slaying:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e
It has cont
There's yet another variant in the ongoing campaign of HTML file
attachments with javascript malware payloads. :(
The trick is that it sets the Content-Type to "application/zip",
and uses an ".htm" file extension, for example (actual spam):
Content-Type: application/zip
Content-Tr
There's a new campaign using "bitly.com", instead of "bit.ly".
Other characteristics are:
1. empty plain text Part, followed by a quoted-printable HTML Part
2. very long HTML Title
3. large Style section, with random text (Bayes salad like)
4. current Subject is "FW: your arrest record"
I expect
R - elists wrote:
>does anyone get legit emails that come from the mailengine1.com
>email marketing servers?
Yes, I've seen a trickle of ham, so did some data mining for you...
The IP ranges I have for them are:
66.59.0.0 - 66.59.31.255
72.19.192.0 - 72.19.255.255
Does anyone h
There's an interesting new zip attachment obfuscation that uses
an encoded EMPTY filename.
I've seen barely a trickle, but so far, all have had VERY low
SA scores ("1.1" with generally unremarkable test hits).
I'm still waiting for permission from the recipient to publish
a complete sample.
Here'
nts) that looks for our domain name in the From and combined
> that with SPF_FAIL in a meta that really whacks the score.
>
> IE, in general it's not safe to use SPF_FAIL as a one-shot-kill but
> when restricted to our domain I can trust it.
to say a little something
run openspf softwar
the main process is still run by root:
> >
> > ps -C spamd -o user,cmd
> > USER CMD
> > root /usr/sbin/spamd -d -r /var/run/spamd.pid -m 2 -u spamd
> > --nouser-config --helper-home-dir=/sysram/spamassassin --allow-tell spamd
> >spamd child
> > spamd
hi folks
in my station
anti virus EICAR file is not detected by the couple clamd amavisd
all testimonials are welcome
--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
pgpiBHw6zHTrd.pgp
Description: PGP signature
> From: Matt [mailto:lm7...@gmail.com]
> Sent: Wednesday, May 18, 2011 11:32 AM
> To: users
> Subject: DKIM Checks
>
> I am running spamassassin-3.2.5-1.el5 on 64 bit CentOS.
>
> sa-update -D seems to indicate that the DKIM libraries are installed.
> ...
> May 18 10:25:02.683 [15134] dbg: diag:
> On 05/07, Rajesh M wrote:
>> trusted_networks xxx.yyy.zzz.ppp
>>
>> if i do this then the email from this server ip should be given a
>> negative
>> score but it does not seem to work
>
> That's not what trusted_networks does. It skips the Received
hi
i wish to whitelist a few client's server's static ip in the spamassasin
trusted network
i am entering a line like this in local.cf file.
trusted_networks xxx.yyy.zzz.ppp
if i do this then the email from this server ip should be given a negative
score but it does not seem to work
spamassass
mouss wrote:
>with a stock config, and without Bayes, it now yields:
Hmmm, interesting!
Yes, all the "caught" spam here were due to RBL hits.
Which begs the question, what SpamAssassin tests are hitting for
the misses vs the kills?
Here's what hit (here), for the first 38 missed spams:
Test
Hi,
Is this corpora available for public use (e.g using the corpora for their
testings)?
All I know is that SA has an old public corpora that dates back in 2005.
(Sending from BB)
---
Mahmoud Khonji
-Original Message-
From: "Warren Togami Jr."
Date: Thu, 23 Dec 2010 12:45:14
To:
C
> From: Bob Proulx [mailto:b...@proulx.com]
> Subject: Re: Fake MX
>
> > > [...] but that is distinct from being a tarpit, which is what
> > > I'm trying to clarify.
> >
> > A discussion around the definition of tarpit, and why tarbaby might be a
> > suboptimal, though catchy, name?
>
> For the r
Are there domains that have actually defined SPF record type records? I
haven’t been able to find any, but it could be the fault of the tools I’m using.
L
From: Noel Butler [mailto:noel.but...@ausics.net]
Sent: Thursday, November 11, 2010 5:14 PM
To: users@spamassassin.apache.org
Subject: Re: e
ut as I said, I already block all email at my MTA that doesn't pass it.
Since January 2007, apparently. So I think it's worth having a test for.
On 10/30, m...@khonji.org wrote:
> How do you expect this to handle cases when a single IP address (i.e single
> MTA) is responsible
How do you expect this to handle cases when a single IP address (i.e single
MTA) is responsible for sending emails for multiple domains. The domain name
match won't happen for all.
That's why we have SPF, SenderID (MS didn't want to feel left out, and DKIM
(RFC standard).
As far as reverse loo
www.ceas.cc/2006/19.pdf
---
Mahmoud Khonji
-Original Message-
From: m...@khonji.org
Date: Fri, 22 Oct 2010 01:03:54
To: ;
Reply-To: m...@khonji.org
Subject: Re: Collecting IP reputation data from many people
>I was originally thinking it would be
>most informative to provi
>I was originally thinking it would be
>most informative to provide the
>number of spams and non-spams from
>each IP over some time period.
Google has a presentation in CEAS (check ceas.cc website) that explained a very
similar approach to fight SPAM by ranking mail senders. As the presentation
Received: from [74.15.226.43] by web80505.mail.mud.yahoo.com via HTTP; Mon, 11
Oct 2010 11:06:16 PDT
The line above is probably giving you spammer's source IP (or http proxy ---
some SP use trans. fwd. proxies).
Analyse that IP address and other similar spammers. If the region is not
importan
> It differs because I am saying they *should* remain listed forever.
False positives are far worst than false negatives for businesses. Some
blacklists do not tolerate a FP of more than 1%.
Blacklists are behind the line as they don't fight zero-hour attacks, and the
only reason why blacklists
How do you propose to make such relations between the keywords, and how to
mitigate false positives?
Naïve Bayes deals with words independently. If we want to link between words, I
think we are into Natural Language Processing (NLP).
If you have any good thoughts please share.
---
Mahmoud Kho
ing. It is in
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf
or some similar directory. To find your config directory path, try this:
spamassassin -D config --lint
>
> Rosenbaum, Larry M. wrote:
> >
> >
> >
> >> -Original Message-
> >&
> -Original Message-
> From: njjrdell [mailto:nruggi...@dellmagazines.net]
> Sent: Wednesday, September 29, 2010 11:32 AM
> To: users@spamassassin.apache.org
> Subject: Re: DOS_OE_TO_MX
>
>
> I'm pretty sure she would not send a GTUBE. Here is another from her
>
> Sep 28 08:35:26 nsmai
There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(
Here's a sample:
http://puffin.net/software/spam/samples/0009_jpg_oct.txt
It began (here) on Sep 10, and replaced his (relatively boring)
"Your wife photos attached"
On 19 Sep 2010, John Hardin wrote:
>> Adding to my sandbox for masscheck:
>>
>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>
>It performs pretty well. It should be in the next rules update, under a
>slightly different name (OBFU_JVSCR_ESC).
Shiny!
How about com
1 - 100 of 406 matches
Mail list logo
