Cold emails are not considered spam?

2025-05-09 Thread Mark London
Hi - Our site has recently been getting lots of "cold emails". I've read according to a Google search, they aren't considered "spam".  And websites provide instructions and templates for people, on how to send cold emails.  Or there are web sites that provide a service, to do it for them. Most

The latest fake warning email trying to get you to call a phone number.

2025-03-10 Thread Mark London
Hi - I'm really getting tired of these fake warnings.  See below. This one luckily hit spamcop.  Otherwise, it would have been delivered. As an aside, see the last line of the email.   I am not automated! Obviously, the spammer used a script to convert the word "email" to "m...@psfc.mit.edu". 

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Mark London
Alan, you’ve pointed out the issue with the scam emails. Specifically with the phone number. Venmo emails are doing something similar. I’m sure that PayPal and Venmo will not do anything to stop these. PayPal knows about it. They have warnings on their website about the scams. That’s all t

Re: Fake paypal email triggers -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM

2025-01-29 Thread Mark London
This is my pet peeve.   I set USER_IN_DEF_DKIM_WL  to 0.001 a long time ago, and it hasn't affected me at all. But my view is probably not mainstream. As an aside, I've added rules to filter for the recent fake requests for money, that abuse that feature, which exists on  PAYPAL and VENMO.  Rule

What is causing "dbg: zoom: skipping rule"

2025-01-03 Thread Mark London
I have a custom rule: body WRITE_US   /\b(?:or write us at|write us directly|physical opt.?out|write( to)? us at)/i From the spamassassin debug output, I see the line: Jan  3 15:21:35.132 [3478024] dbg: zoom: skipping rule WRITE_US, code differs in compiled ruleset '(

Re: All RCVD_IN_VALIDITY rules being applied to every email.

2024-11-15 Thread Mark London
Matus - Oops!  I had installed a new email server last year, running Ubuntu, and I didn't realize by default, updating is off. After updating, I see that we are getting blocked by RCVD_IN_VALIDITY.  My bad.  Thanks very much! - Mark On 11/14/2024 8:44 PM, uh...@fantomas.sk wrote: From: Matus

All RCVD_IN_VALIDITY rules being applied to every email.

2024-11-13 Thread Mark London
FWIW, Today I discovered that RCVD_IN_VALIDITY_CERTIFIED, RCVD_IN_VALIDITY_RPBL, and RCVD_IN_VALIDITY_SAFE, were being triggered for every email that our server received.  I do not use a public DNS server.  I disabled all of them.  Strange. - Mark

Re: Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Mark London
I asked ChatGPT how to test for a "Dear 'username'". After a bit of work, I got working code. ChatGPT knows perl. I already had a Perl file EvalTests.pm file with customized Perl eval functions, so I threw it in there. Otherwise, you'll need to create your own file with the proper headers.

Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Mark London
Does anyone have a rule to detect "Dear xxx," in the body of the message, where the "To:" address is xxx@domain? We've been getting phishing email sent to us with variations of that. Hi, Dear, etc, followed by the username of the address. Thanks. - Mark

Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails hitting them? In my case, URIBL_RHS_DOB is no longer working at all.   Is this still working? - Mark On 7/8/2024 5:13 PM, Alex wrote: Hi, I'm seeing emails from smartlendingclub dot com getting through that are clearl

Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Mark London
Bill - Thanks for the response.  As an aside, it would be nice (though impossible?) for a spam filter to be more suspicious of emails coming from a new email address, that is not in my Sent folder or my Inbox. FWIW. - Mark On 6/25/2024 11:21 AM, Bill Cole wrote: Mark London is rumored to

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Mark London
d reverse lookups.  But the number getting blocked, is still huge. On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote: Am 10.11.23 um 08:40 schrieb Mark London: Marc - You are correct.  All the IP sources of this spam, don't a valid reverse lookup of the IP address, to an IP name.   That

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Marc - You are correct.  All the IP sources of this spam, don't have a valid reverse lookup of the IP address, to an IP name.   That will solve my problem.  Thanks! - Mark On 11/9/2023 12:38 PM, Marc wrote: Do you at least verify the reverse lookup? That already stops a lot of such networks.

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Unfortunately most of the ip addresses do have reverse lookups. On the other hand, I do see that some have common domains.   So I could use block by domain using sendmail. Heck, maybe I should just block the whole country.  :) On 11/9/2023 12:38 PM, Marc wrote: The spam is coming from many d

Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
In the last couple of days, the number of "I RECORDED YOU" spams that my server has been receiving, has gone way up. Well over a thousand a day.  And the spam is only being sent to about 20 of my users.  We had been receiving these for the last month, but nothing at all like rate it's now happe

Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London
Sorry, I didn't change the subject line when I posted this. On 9/29/2023 12:41 PM, Mark London wrote: Hi - Can anyone tell me why the following email header triggered DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? Strangely, if I run spamassassin from the command l

Re: Mysterious bogus DKIM hits (was: Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575)

2023-09-29 Thread Mark London
On 9/29/2023 1:47 PM, Reindl Harald (gmail) wrote: Am 29.09.23 um 19:37 schrieb Bill Cole: Strangely, if I run spamassassin from the command line on the message, DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6 Oh. So you've let a piece of security software go most of year after th

Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London
Hi - Can anyone tell me why the following email header triggered DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? Strangely, if I run spamassassin from the command line on the message, DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6 (Note, I truncated the X-Spam-Level

Dropbox invoice phishing

2023-03-20 Thread Mark London
Dropbox now has an invoice feature, that allows you to create a customized invoice. So what this person did was to create an invoice that looks like it’s coming from PayPal. Except for the fact that the From address shows it is coming from Dropbox. Months ago I saw a similar problem with f

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
I’ve never seen a false positive with USER_IN_DEF_SPF_WL. > On Mar 20, 2023, at 1:48 PM, Reindl Harald wrote: > >  > >> Am 20.03.23 um 18:44 schrieb Mark London: >> It seems like it too high a negative score. > > then adjust it in local.cf > > the poin

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
It seems like it's too high a negative score. On 3/20/2023 1:24 PM, Reindl Harald wrote: Am 20.03.23 um 18:17 schrieb Mark London: Can someone tell me why this paypal phishing email, managed to trigger USER_IN_DEF_SPF_WL? Or put it another way. Why wasn't it detected as a phishing

Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
Can someone tell me why this paypal phishing email, managed to trigger USER_IN_DEF_SPF_WL? Or put it another way. Why wasn't it detected as a phishing email? Thanks. Received: from a39-208.smtp-out.amazonses.com (a39-208.smtp-out.amazonses.com [54.240.39.208]) by PSFCMAIL.MIT.EDU (8.14.7/

Re: Maybe it's time to revive EvilNumbers?

2021-06-19 Thread Mark London
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my email, because there is no List-Id.   The email actually came from a microsoft account.  - Mark header  __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/ header  __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/ header  __LW_A

Re: Maybe it's time to revive EvilNumbers?

2021-06-17 Thread Mark London
Loren - Unfortunately, the fake amazon shipment email that we received, doesn't contain the word Amazon in its From or Subject headers. Or even the word amazon in the text of the message!  Just the Amazon logo. And they've removed all the URLs, so the links don't work at the bottom.   And the

Maybe it's time to revive EvilNumbers?

2021-06-15 Thread Mark London
My site is getting a lot of spam that is getting past spamassassin. Because it has a phone number to call, and rather than a link to login using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark

Why is SENDGRID_REDIR score so high?

2020-09-15 Thread Mark London
Hi - I receive email from spiceworks.com help desk, which are sent via sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score, which is 3.4 ? Thanks. - Mark Terms and Conditions: https://u2752257.ct.sendgrid.net/ls/click?upn=cXUsNXpk4aguQpIafAEOmIejjD9ZkCNTPoNNmoa1ebrAUotywMJTp7

Sendgrid Under Siege from Hacked Accounts

2020-08-29 Thread Mark London
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/ - Mark

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK

2020-07-14 Thread Mark London
Can we start a separate mailing list for people to discuss this issue elsewhere?

Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-11 Thread Mark London
"As programmers, our day to day work doesn’t typically present us with opportunities to take a stand against racism. Situations like this are opportunities to be the change we want to see. When you get that opportunity and you don’t act, or even worse, you defend the status quo." That quote wa

Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London
The proposed name changes were proposed for many years in the software community.   For example in 2014, Drupal opted to use "primary/replica" instead, and Django followed suit the same year with "leader/follower".    In 2018, there apparently was a renewed interest in changing the names by man

Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London
Spamassassin is not alone. https://www.google.com/search?q=whitelist+blacklist&rlz=1C1CHBD_enUS893US893&sxsrf=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351&source=lnms&tbm=nws&sa=X&ved=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw&biw=1008&bih=5900

__BITCOIN_ID doesn't test for SegWit addresses that start with bc1

2020-03-13 Thread Mark London
Hi - I just got a BITCOIN blackmail spam that avoided detection, because it used a SegWit bitcoin address, that starts with a bc1: bc1q0q7u8a7735za93um20yk5ynphdnpvenj0k0ufn This format is explained here: https://changelly.com/blog/bitcoin-addresses-types-and-meaning/ I guess the definition o

False positives due to __BITCOIN_ID

2019-12-03 Thread Mark London
It seems to me that the rule for detecting a BITCOIN in an email, is incorrect. See below: body __BITCOIN_ID /\b(?Why is there a \s in this rule? I didn't think that a BITCOIN id has a space. This rule is triggered, on a simple line like this, because of the fact that the line has a "1"

Bombard by spam source in India that wasn't in any RBL used by spamassassin.

2019-11-06 Thread Mark London
Hi - We got several hours of spam from the IP address 103.136.41.36 in India. When I did a Multi-RBL check, the ip address was in the following databases: bl.emailbasura.org dnsbl.sorbs.net dns.spfbl.net spam.spamrats.com truncate.gbudb.net I think sorbs.net is a paid for service. At least

Is PDS_TONAME_EQ_TOLOCAL_SHORT new?

2019-10-30 Thread Mark London
Is PDS_TONAME_EQ_TOLOCAL_SHORT new? I see it hitting real emails here, but hitting no spam emails. Thanks. - Mark Sent from my iPhone

PDS_NO_HELO_DNS is not helpful at all.

2019-07-10 Thread Mark London
I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS is mostly hitting real emails at my site 1168 real emails versus 219 spam mls. Luckily, the score is not high, to be making any difference. FWIW. - Mark

Re: How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
- 703.798.0171 > > >> On Tue, Jul 2, 2019 at 8:17 AM Mark London wrote: >> Hi - I'm trying to filter emails that have only special characters in >> them. Like the text of the following email. Thanks. - Mark >> >> - =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9

How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
Hi - I'm trying to filter emails that have only special characters in them. Like the text of the following email. Thanks. - Mark - =CA=9C=C9=AA=CA=80=E1=B4=87s s=CA=9C=E1=B4=87=E1=B4=8D=E1=B4=80=CA=9F=E1= =B4=87s =E1=B4=9B=E1=B4=8F s=E1=B4=9C=E1=B4=84=E1=B4=8B =E1=B4=9B=CA=9C=E1= =B4=87=C9=AA

Another form of obfuscation email.

2019-01-26 Thread Mark London
Does anyone have any rules that can catch this type of obfuscated spam? https://pastebin.com/qi8dsREW Thanks. - Mark

Re: How to block email with multiple addresses in From: IGNORE ME.

2018-12-20 Thread Mark London
\W*\S+\@psfc.mit.edu,/i And that works, although I don't know why I need the \W*. But, whatever! Never mind. - Mark On 12/20/2018 12:30 PM, Mark London wrote: Hi - What's the best rule to catch email with multiple addresses in the From: line? I realize that rfc2822 allows it. But the only e

How to block email with multiple addresses in From:

2018-12-20 Thread Mark London
Hi - What's the best rule to catch email with multiple addresses in the From: line? I realize that rfc2822 allows it. But the only email we've ever received with multiple addresses, were spam, and even GMAIL.COM doesn't allow it: <<< 550-5.7.1 Messages with multiple addresses in From: <<< 550 5

Re: BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-18 Thread Mark London
However, I think the BITCOIN_PAY_ME rule needs a bit of fine tuning, to catch other emails. Like the one below, which escaped triggering the rule. A constant battle between spam rules, and bad English grammar. Maybe I should say the hell with it, and simply block any email sent to me, with a

BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-17 Thread Mark London
This email hit the new (to me) BITCOIN_PAY_ME rule. Never ending fun. 😟 Begin forwarded message: > From: "Broaddus Walther" > Date: December 17, 2018 at 1:49:04 PM EST > To: m...@psfc.mit.edu > Subject: You should definitely go through this before something negative can > happen 17.12.2018 08:

Re: Another form of obfuscation email.

2018-12-12 Thread Mark London
Sorry, I cut off the full URL. It should have been: https://pastebin.com/5ASMFahi On 12/12/2018 12:16 PM, Mark London wrote: On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote: On 10 Dec 2018, at 14:13, RW wrote: On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote

Re: Another form of obfuscation email.

2018-12-12 Thread Mark London
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote: On 10 Dec 2018, at 14:13, RW wrote: On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote: Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated.

Another form of obfuscation email.

2018-12-10 Thread Mark London
Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated. https://pastebin.com/VURwmrrF I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why the message got a high spam rating. By default though, that rul

Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London
The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe it needs updating? - Mark On 12/5/2018 11:19 AM, Mark London wrote: No longer just embedded =9D characters. From: =?utf-8?B?bmlnaHRt0LByZQ==?= To: Subject: You are my victim. Date: Tue, 4 Dec 2018 15:56:36 -0800 MIME

No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London
No longer just embedded =9D characters. From: =?utf-8?B?bmlnaHRt0LByZQ==?= To: Subject: You are my victim. Date: Tue, 4 Dec 2018 15:56:36 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="a0d0993ce53319101c19af03d5311b0976b26b" X-Scanned-By: MIMEDefang 2.79 on 18.18.166.1

Re:: 9D character used in words to avoid detection

2018-11-19 Thread Mark London
On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote: I ran it as-is, and it scored poorly. After I manually de-borked the headers, and retested, it hit SA's "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests. OBFU_BITCOIN was hit because the =9D chara

Re:: 9D character used in words to avoid detection

2018-11-17 Thread Mark London
Forwarded Message Subject:[OFF-list] 9D character used in words to avoid detection Date: Sat, 17 Nov 2018 15:42:08 -0600 From: Chip M. To: Mark London Mark, could you post a full spample to the SA list? Thanks in advance! "Ch

Re: 9D character used in words to avoid detection.

2018-11-17 Thread Mark London
ect https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Fri, Nov 16, 2018 at 7:37 PM John Hardin <mailto:jhar...@impsec.org>> wrote: On Fri, 16 Nov 2018, Mark London wrote: > I just received a spam email with the 9D character placed inside of words, > that prevented m

9D character used in words to avoid detection.

2018-11-16 Thread Mark London
I just received a spam email with the 9D character placed inside of words, that prevented my custom BODY rules from being hit. I.e.: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready change=9Dd it. Is there a way to define BODY rules, so that they will be triggered?

Small talk.

2018-10-24 Thread Mark London
I started getting very short emails, such as "How are you?" or "please. can we talk please?" Ok, maybe the latter one is a bit suspicious. But in any event, has anyone encountered "small talk" spam emails like this before? I have this big desire to respond and say "No, I'm not fine, and

How to test for this suspicious From address?

2018-09-13 Thread Mark London
Hi - I'm getting spam with From that contain 2 different From addresses, that I would like to try and detect: From: " x " I created a crude rule that was properly being triggered when I manually ran spamassassin on the email itself. But when it arrives (via Mimedefang), the rule is

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread Mark London
On 6/28/2018 1:46 PM, users-digest-h...@spamassassin.apache.org wrote: Subject: Re: Using UTF-8 characters to avoid spam filter rules. From: RW Date: 6/26/2018 12:12 PM To: users@spamassassin.apache.org On Tue, 26 Jun 2018 00:33:11 -0400 Mark London wrote: Hi - Some of the words in the

Using UTF-8 characters to avoid spam filter rules.

2018-06-25 Thread Mark London
Hi - Some of the words in the spam email below, are using UTF-8 characters, to avoid spam detection. I.e. the phrase "bitcoin wallet address", are not the simple ASCII characters that they appear to be. View the source of my email, to understand what I'm talking about. Is there any rule I can

Malformed spam email gets through.

2017-12-31 Thread Mark London
Hi - I previously mentioned that I was getting emails with hand created html tags, that had both uppercase and lowercase letters. I created a crude rawbody rule to test for them. It worked, until the spammer accidentally added the line "Content-Transfer-Encoding: base64", even though the body

Re: Flakey spam email. How to filter?

2017-12-11 Thread Mark London
On 12/11/2017 10:59 AM, Reindl Harald wrote: Am 11.12.2017 um 16:44 schrieb Mark London: I'm getting a lot of flakey spam messages, that don't trigger any significant spamassassin rules, even though it obviously looks really bogus. Here's an example. Any suggestions? https

Flakey spam email. How to filter?

2017-12-11 Thread Mark London
I'm getting a lot of flakey spam messages, that don't trigger any significant spamassassin rules, even though it obviously looks really bogus. Here's an example. Any suggestions? https://pastebin.com/bZUt0ThS These spams are being sent to my gmail account, and then forwarded to my work add

Re: Re: HTML_IMAGE_ONLY_* generating too many FP's

2017-12-06 Thread Mark London
On 12/5/2017 5:28 AM, Sebastian Arcus wrote: On 02/12/17 18:45, David Jones wrote: On 12/02/2017 11:22 AM, Sebastian Arcus wrote: On 02/12/17 13:06, Matus UHLAR - fantomas wrote: On 12/01/2017 11:17 AM, Sebastian Arcus wrote: -0.2 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Mark London
Sent from my iPhone > On Nov 18, 2017, at 5:29 PM, RW wrote: > > On Sat, 18 Nov 2017 15:46:16 -0500 > Mark London wrote: > >> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email >> address like this: >> >> mqsjkeqgy...@sina.com >>

Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread Mark London
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email address like this: mqsjkeqgy...@sina.com But it doesn't. Yet it does trigger on this: dxn...@sina.com Curious. - Mark

Re: FROM header with two email addresses

2017-10-16 Thread Mark London
Hi - I received a spam message with the following double From address: From: struth...@psfc.mit.edu, "Lorraine M." But neither of the 2 previously suggested rules were triggered by it. I'm sure a simple modification to the rules will cause it to trigger. Can we get an official rule to test

Spam with tons of lines with garbage characters, preceded by

2017-07-19 Thread Mark London
Hi - Sorry if this has been discussed before. I'm seeing a lot of html spam with a few links, followed by a line that just contains

Re: SpamAssassin does not scan consistently

2017-02-11 Thread Mark London
yed for too long a time period. Mark London Natick, May

Re: Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
I'm not using dns forwarding. Sent from my iPhone > On Dec 6, 2016, at 5:13 PM, Reindl Harald wrote: > > get rid of dns forwarding and use dns servers with *real* recursion, that > topic makes people sick after so many years > >> Am 06.12.2016 um 22:58 schrieb Mark

Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
Hi - Around 7PM yesterday (US eastern time), I started seeing URIBL_BLOCKED, and it didn't go away after midnight. I tried switching to one of our other local name servers, and that didn't help. I've been using this service for many years. Do you know if their policy has changed? Thanks.

Spam URLs based on my email address!

2016-09-29 Thread Mark London
This was a email message sent to my markrlon...@gmail.com account. Note the hostname of markrlondon23474.seksizlex.co! - Mark SrC="markrlondon23474.seksizlex.co/PFDWKUMKLVZ-NNHSLPKXP!uvobp/ralzgcsh~v/460142604-11776440226-8559896522279839070966966999minh9795dx9n/cazhla-db00zaabb/NZV~VJM" Widt

Re: Re: Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London
On 6/8/2016 1:20 PM, John Hardin wrote: On Wed, 8 Jun 2016, Mark London wrote: Hi - We received an email with several large postscript attachments, and the content type was "text/plain". This caused our spamassassin server to use up 100% CPU, parsing the attachments as

Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London
Hi - We received an email with several large postscript attachments, and the content type was "text/plain". This caused our spamassassin server to use up 100% CPU, parsing the attachments as text. I temporarily disabled spam scanning to allow the message to go through. How can I prevent

OFF TOPIC: A cartoon spam joke.

2014-11-20 Thread Mark London
OFF TOPIC: I was amazed to see this cartoon, since so many people probably won't get the joke! http://bizarro.com/comics/november-15-2014/ - Mark

Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London
On 9/29/2014 12:58 PM, Mark London wrote: On 9/29/2014 4:21 AM, users-digest-help@spamassassin.apache.org wrote: From: Lorenzo Thurman Date: 9/26/2014 10:59 PM I’ve been using spamassasin for a number of years with excellent results. But, now over the last month or so, it has been scoring

Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London
;ve had to add customized rules that increases the spam scores, for emails from these and other domains, that are now popular with spammers. Mark London

What's the difference between the T_SMF_FM_FORGED_REPLYTO rule and the FREEMAIL_FORGED_REPLYTO rule?

2014-09-09 Thread Mark London
The T_SMF_FM_FORGED_REPLYTO rule was recently added I think, and it looks identical to FREEMAIL_FORGED_REPLYTO. A mistake, or is there a reason for both? - Mark

Re: How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
/s didn't appear to work for rawbody in version 3.1.8 But I just tried it on a different system running 3.2.5, and it works there. Sorry about posting my question before testing my problem on a newer version! - Mark Karsten Bräckelmann wrote: On Sun, 2010-02-28 at 12:00 -0500, Mark L

How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
Hi - I created a FULL rule that works fine with html in plain text. However, if the html is base64 encoded, FULL rules don't appear to work. A RAWBODY rule doesn't work either, because it doesn't ignore line breaks. Any ideas? Thanks. - Mark

Re: What's does m{} do ?

2005-12-27 Thread Mark London
Sorry, I wasn't clear about my question, which is why is m{} used in that test rather than simply //, or are they identical? (There are only a couple of tests which use m{} in Spamassassin).

Re: Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Thanks for the info! Daryl C. W. O'Shea wrote: Mark London wrote: Mark London wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: This causes spamassassin to flag it with: HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR Rec

Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Mark London wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418 for <[EMAIL PROTECTED]>; Tue, 18 Oc

Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
s adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net Why? Mark At 7:29 PM -0400 10/18/05, Matt Kettler wrote: Mark London wrote: Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.

False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Hi - We are receiving mail from a site that includes the headers: Received: from mail1..com (mail..com [xx.xx.xx.xx]) by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418 for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 18:07:52 -0400 Received: from adsl-xx-xx-xx-

Re: Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
Loren Wilton earthlink.net> writes: > It might be impossible on full, if the message is encoded, since full will > see the encoded text. > It may or may not be impossible on body, depending on the version you are > running and a handful of other things. > > Sometimes body gets broken up into mult

Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
I use the "body" command to tests for phrases. This was working great, until a spammer started to use double spacing in his email, and the phrases were split up by empty lines. Is there any way around this? I've tried everything, including using full and rawbody, but I still can't find a way to