/organization/dnsblusage/
Cheers,
Matthew
--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
hich one parses the headers in this instance) is seemingly
picking the wrong Received header to work on. Could be your
trusted_networks or internal_networks settings?
If you don't mind, maybe you could send me off-list a complete
copy of the headers of this test message? I can't guaran
Hi,
On Thu, Jun 30, 2011 at 04:07:57PM +0200, Mark Martinec wrote:
> (I'm Cc'ing to Matthew in case he wants to check how it turns out
> on his mailer).
Arrived over IPv6 fine here, and did not hit (patched) BOTNET.
Cheers
Matthew
--
Matthew Newton, Ph.D.
Systems Arc
On Thu, Jun 30, 2011 at 12:06:06PM +0100, Matthew Newton wrote:
> > Doesn't seem to work. It's a false positive again. And Botnet recognises
> > the incoming IPv6 address as some IPv4 address and reports that one.
>
> That doesn't look right - unless your munging
4 address there: "2**.1**.2**.7*"
Do a dig -x against that IPv4 address, and the 2001:***::40
address, and see if both have correct PTRs.
However, there could be a problem if it's picked up a v4 address
to test, when the mail actually came to you from a v6 address. I'm
no expe
Hi,
On Sat, Jun 11, 2011 at 02:44:19AM +0300, Jari Fredriksson wrote:
> 11.6.2011 0:41, Matthew Newton kirjoitti:
> >
> > I've therefore hacked together the following patch to Botnet.pm
> > (0.8). It should fix the main issue that BOTNET does not do any
> > AA
+ $ip =~ s/::/":" . "0:" x (9 - $len)/e;
+ }
+ $ip = join(":", map {substr "$_", -4} split(/:/, $ip));
+ return $ip;
+ }
+
+
sub check_ipinhostname {
# check for 2 octets of the IP address within the hostname, in
# hexidec
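Review bot: the added line `$ip = join(":", map {substr "$_", -4} split(/:/, $ip));` only keeps the last four characters of each group and never pads, so it produces a fixed-width address only if every group was already zero-padded earlier in the function, which is not visible in these lines. A one-line comment stating that precondition and the expected output format would make this easier to verify. The `::` expansion using `"0:" x (9 - $len)` would also benefit from a comment on how `$len` is counted, including when `::` sits at the start or end of the address. The quotes in `substr "$_", -4` are unnecessary; `substr $_, -4` is enough.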
Hi,
On Fri, Apr 16, 2010 at 01:53:55PM +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-04-16 at 12:20 +0100, Matthew Newton wrote:
> > We had a legitimate e-mail hit the JM_SOUGHT_3 yesterday. It also
> > hit a few other rules that pushed it over our reject threshold of
> >
Intern ational Publishing" (spaces
added!) which is the name of their company.
I know SOUGHT is an auto-generated ruleset; just wondering if
there is there any way to remove false positives before the set is
generated? Otherwise I'll add local rules to compensate against
this one.
Thank
zimbra, http://www.postfix.org/BACKSCATTER_README.html#real but still getting
> pounded. Here is the header from on such mail:
I don't know how easy it is in Postfix (I use exim, and it's
fairly trivial in that), but one effective solution for this is
BATV.
http://mipassoc.org/batv/
Chee
es ;-).
There's not a lot you can't achieve with exim - if really stuck
then shell out with a ${run ...} string expansion.
HTH,
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <[EMAIL PROTECTED]>
ms):
http://www.le.ac.uk/its/mcn4/mcnchickenpox.cf
Maximum chickenpox score with this is 3.5, if over 9 rules hit.
HTH,
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United
ople who use real
typesetting software. ;-)
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <[EMAIL PROTECTED]>
On Thu, May 10, 2007 at 12:27:38PM -0700, Marc Perkel wrote:
> What's this "use bytes" thing and where do you add it and what does it do?
#! /usr/bin/perl
use Google;
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Services,
I.T.
ore shouldn't matter for
them (unless they actually are sending spam, which is a different
matter altogether).
> The two files you need (put them in /etc/mail/spamassassin ... or
> wherever you want to put your plugins) are:
I'll drop it on our mailers (probably with a smaller sc
viously the
sender wasn't abusing anything by sending a direct SMTP message
rather than using their ISP; they were just using their webmail.
Comments?
Thanks,
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre
to recipients that shouldn't have it.
Quite.
I'd be more inclined to just dump it into a mail store on the exim
box for administrator investigation if necessary.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Compute
strange to me. Fixing the user account
would be my first task.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Thu, Oct 20, 2005 at 05:59:22AM -0700, jdow wrote:
> From: "Matthew Newton" <[EMAIL PROTECTED]>
>
> >On Wed, Oct 19, 2005 at 08:57:44PM +0200, Jon Kvebaek wrote:
> >>Hi,
> >>we are currently receiving a lot of mail like the one listed beneath. No
KGEO rule at the bottom (definitely
adjust score until you are happy: it seems OK for me but you
should start lower...)
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Mon, Oct 10, 2005 at 04:21:50PM +0200, Maurice Lucas wrote:
> Matthew Newton wrote:
> >On the assumption that "normal" URLs don't use the construct /? in
> >them, and especially at geocities (are CGI scripts even allowed
> >there?) how about the following?
e condensed to the following (completely
untested):
full UOLCC_UKGEO
/http:\/\/..\.geocities\.com\/[A-Za-z0-9_]{2,40}\/\?[\w=\.]{3}/
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Wed, Oct 05, 2005 at 06:28:48AM +0100, John Hodson wrote:
> I have solved this problem with the help of suggestions from Rick
> Macdougall, Matthew Newton, and Bob Menchal. Thanks chaps!
Excellent!
> suggestions were using spamassassin -D to debug, corrupt Rule in .cf file,
>
edit the e-mail. The problem
seems to be caused by some Smart Tag thing, together with the fact that
Word is trying to use XML stuff which doesn't stick to the standard HTML
tags. It's strange that there are tags around single letters, generally
"l", but if Word's HTML generat
backhair ruleset still recommended, or does this current type of
e-mail make its use obsolete?
Thanks!
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Fri, Jul 08, 2005 at 09:33:50AM -0700, Justin Mason wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> Let me guess -- these were "full" rules, too?
> yep, * really isn't a good thing to use. ;)
Yes...!
Matthew
--
Matthew Newton <[EMAIL PROTEC
ed them. I guess that "*" _really_ isn't good to use (as people
have said before), and that if you do use them they will come back to
get you later!
Removed the rules and all is happy again. I can finally rest for the
weekend! Yup, I've learnt my lesson now ;-).
Matthew
address,
but not for everyone else. You could use a file lookup as the condition,
of course.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
unce would cause a real bounce to get rejected?
Obviously not all bounces include info about the original message, but
this might help cut down some of them, maybe?
Any comments?
Thanks
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Suppo
ink the
database is corrupt, just that we have a very wide range of different
types of e-mail coming in here.
Thanks
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
ne and pitch of
your voice. It is also helpful to speak slowly and distinctly, and to repeat
words and phrases. However, don't underestimate your baby's grasp of what you
are saying. Well before they can respond with words, babies and toddlers can
understand a lot of what is said.
Have
__UOLCC_DRUG4 + __UOLCC_DRUG5 + __UOLCC_DRUG6 + __UOLCC_DRUG7) > 4)
describe UOLCC_DRUGS1 Refers to drugs
score UOLCC_DRUGS1 3.5
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Thu, Apr 07, 2005 at 11:00:52AM +0100, Ron McKeating wrote:
> On Thu, 2005-04-07 at 10:53 +0100, Matthew Newton wrote:
> > Ron,
> >
> > On Thu, Apr 07, 2005 at 10:23:24AM +0100, Ron McKeating wrote:
> > > Thanks to all of you who replied about the job offer spams
o be
covered by rules, so end up writing my own. I'm no expert, but basic
rule-writing isn't that hard if you can write regular expressions.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, Unive
DELUXE1
UOLCC_RUSDELUXE2
UOLCC_ZETA_TRADE
UOLCC_ZETA_TRADE
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
I can post it to the list.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Bayesian spam probability is 40 to 60%
[score: 0.5000]
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
If there isn't a "standard" rule out there then I'll put one together
for it.
Thanks!
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mai
-munged.com/?bluebushpvv
*******
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Sat, Mar 05, 2005 at 01:12:54AM +, Matthew Newton wrote:
> On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> > The URI is a little unusual, with a missing port number after the
> > colon:
> >
> > http://crazyrxl0wprices-MUNGED.com:/
>
>
d-domain.com:/ is not picked up
http://blocked-domain.com:80/ is picked up
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Fri, Mar 04, 2005 at 12:23:10PM -0500, Daryl C. W. O'Shea wrote:
> Matthew Newton wrote:
> >OK, thanks. I still have problems exactly understanding the difference
> >between trusted_networks and internal_networks is, though. My
> >understanding is that trusted_network
't use these supposedly un-used IPs?
Matthew (getting increasingly confused about the whole issue!)
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Fri, Mar 04, 2005 at 11:57:37AM -0500, Daryl C. W. O'Shea wrote:
> Matt Kettler wrote:
> >At 10:23 AM 3/4/2005, Matthew Newton wrote:
> >
> >>Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
> >>Funny thing is that my local.
obability is 40 to 60%
[score: 0.5000]
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76
+chars
--
Matthew Newton
added by a relay
3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
Return-Path: [EMAIL PROTECTED]
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
le. I got hit by
this on Solaris 9.
Sent an e-mail with a suggested fix to the module creator a couple of
months ago, but heard nothing back.
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Le
> > from each server could be merged, and then uploaded with "sa-learn
> > --restore"?
>
> FYI, --restore will not read the --dump all format.
OK, thanks. It was just a guess!
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
.
I would guess that something like the output of "sa-learn --dump all"
from each server could be merged, and then uploaded with "sa-learn
--restore"?
Thanks
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX Systems Administrator, Network Support Section,
Computer Centr
Hi
On Mon, Dec 13, 2004 at 04:43:28PM -0800, jdow wrote:
> > I've seen another variant about by Matthew Newton that makes a bunch of
> > rules for both subject and body separately. I generally don't do this as
> > the body rules will match the subject line, so there
On Thu, Dec 09, 2004 at 10:32:22AM +, Matthew Newton wrote:
> On Wed, Dec 08, 2004 at 04:51:27PM -0800, Justin Mason wrote:
> > try turning off AWL -- if the usage goes down, it's either
> > a massive AWL file or a bug in DB_File on solaris...
>
> Thanks, I'v
e :-(.
(The AWL data files are approximately 60Mb, 30Mb and 10Mb on the three
machines.)
I've allowed one machine to keep spamassassin running until 4.5gb of
memory is used. I'll see if usage levels off at some point.
Thanks
Matthew
> Matthew Newton writes:
> > Hello
> >
hese extra services sometime (looking at the possibility of running
a DCC server), but none in use yet.
I could turn the cron job off on one machine out of three and see how
much memory it uses, if that's useful. The machines are configured to
give them around 5Gb memory including swap,
it swapping?
The machines each process around 8 mails/day and we have something
like 25000 users.
Thanks for any help/advice you can give.
Matthew
--
Matthew Newton <[EMAIL PROTECTED]>
UNIX Systems Administrator, Network Support Section,
Computer Centre, University of Lei
On Wed, Dec 08, 2004 at 02:22:07PM +0100, Alex Broens wrote:
> Matthew Newton wrote:
> >
> >I've recently installed SA 3.0.1, and found some junk was
> >getting through with scores too low for my liking, especially before the
> >URLs made it into SURBL. I've p
/([A-Z][a-z]{3,}\s{1,2}){15,}/s
describe UOLCC_CAPWORD_TEST String of words that all begin with caps letter
score UOLCC_CAPWORD_TEST 0.1
Hope these are of use to someone. If anyone can show me that they are
likely to pick up false positives, I'd be most grateful.
Thanks,
--
Matthew
55 matches