These emails are often also about translation help, or offering to
publish an article on your site.
I do run the KAM ruleset, but they do not hit on these. Happy to provide
some samples in some way that wouldn't get caught :D
On 2021-07-29 10:25:19, Robert S wrote:
> I am getting deluged with
le below the learning thresholds
> for quite a long time.
Can you give an idea of the size calculation? I'm wanting to do this,
but I need to figure out how much space I need to allocate per user!
Thanks for the clarifications, this is super helpful.
--
micah
ons are to turn down the score for bayes, so it has
less of an impact, maybe turn off bayes auto-learning, or just simply
disabling bayes altogether.
thanks for any information
--
micah
-
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
--
micah
WGET - only using the setting that only downloads when the server
versions are newer.'
I am doing that, once per minute... are others having this issue?
thanks
--
micah
*@*.amazon.com
I do not understand this, how does this work?
--
micah
What is the highest score you've seen a spam get? I think I just broke
my own high score, with a spam that managed to pile up 64 points.
I'm sure you all have seen much higher!
--
micah
has made a rule that looks to see if the From
contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs), then
score them up, if it wants to also drop a psd, or a tar.xz, or a png, or
a pdf or whatever, then light them on fire.
thanks!
--
micah
0. this rule does fire, and is helpfu
Noel Butler writes:
[weird rant deleted]
> There are 192 _other_ countries in the world, the USA is united states
There are 194 other countries in the world.
--
micah
not in fact going to be better off as a result of
>> changing
>> the word black to block in an email filtering system, but nobody really
>> thinks
>> that, do they?
>>
>> Note for those challenged by sarcasm or irony: I do not agree with the change
>> and I do not think it will have the effects it is being done in the name of.
>>
>>
>> Antony.
>>
--
micah
another $10 to a cultural marxist organization in his
name. Thanks Eric for your continued support of BLM!
--
micah
Eric Broch writes:
> 2) You accuse "the right wing[er]" of making this issue political when
> we've/I've done no such thing.
hilariously, you then go on to do exactly that:
> The maintainers of the list have listened to those who've turned
> something benign (whitelist/blacklist) into somethin
John Hardin writes:
> On Fri, 19 Jun 2020, micah anderson wrote:
>
>> So, what can I do to tweak these rules to score things up more,
>> specifically the rules that provide a low false positive rate[1]. This
>> seems something that should be done programmatically, and n
particular breed of spam that comes through?
Thanks for any ideas,
micah
0. with some notable exceptions, like KAM_DMARC_REJECT and
HELO_DYNAMIC_SPLIT_IP
1. like KAM_DMARC_STATUS, HTML_NO_CHARSET are possible ones, or mails
that do not have a To: have a score of 0.1
--
micah
that looks identical.
I understand that UTF-8 From and Subject are legitimate, so I do not
want to just block those, but it seems like we should look for typical
homographs in the middle of words and add a weighted score for these.
I do have 'normalize_charset 1' set here.
--
micah
e with you, because I agree... except to point
out that the statement about old PHP being required is not true, you can
run squirrelmail with php7.3.
--
micah
Matus UHLAR - fantomas writes:
>>> On 31.05.20 10:51, Noel Butler wrote:
>>>>Anyone else noticed it seems to scoring much much higher FP's in past
>>>>few weeks?
>>>>
>>>>Ima disable the damn thing I think.
>
>>Matus UHLAR
good results with pyzor
actually, and have thought it should be scored higher.
I have seen messages reported 89 times, anyone seen more?
--
micah
Thanks for the reply.
John Hardin writes:
> On Tue, 19 May 2020, micah anderson wrote:
>
>> The final stage I thought would be short-circuited, because it was
>> relayed through our internal network, and we already do spam filtering
>> at the list server stage, we d
AMAV spam
score CLAMAV 20
endif # Mail::SpamAssassin::Plugin::Shortcircuit
--
micah
it?
I've been staring at the spamc code, but I'm not skilled enough here to
understand if -C report means it also learns.
I'd really like to know if I'm feeding the bayes database, or just
pyzor.
--
micah
to do both at once, instead
of having to invoke spamc twice, once to adjust the bayes, and once to
report to pyzor/razor.
--
micah
dea to me.
Each of the mails is 100% spam, so what I'd like to do is have an
automated way to tune my rule scoring, or improve/add rules based on
what gets sent there.
If I have to manually inspect each message by hand, and manually craft
rules, then it doesn't seem like this will scale very well at all.
--
micah
100% spam. Would it be better to use it for mass-check and contribute
some to the overall rule scoring? Or would it be better to just build
some kind of RBL out of whatever it receives?
Thanks for any ideas/suggestions!
--
micah
positives... but something needs
to happen here.
--
micah
_FROM((( __LOCAL_FROM_QUOTA_ISUS ) + (
__LOCAL_FROM_CONTAIN_NOTUS )) > 1)
describe TRICKY_FROM From has example.com in quotes, but not
in path
score TRICKY_FROM 5
0. https://www.mail-archive.com/users@spamassassin.apache.org/msg100800.html
--
micah
gin is for trunk but it works out of the box in 3.4.3rc3 as well (some
> work is needed to let it work on 3.4.2)
Can't these be blocked at the MTA level to be much more CPU friendly?
--
micah
Sean Lynch writes:
>>Having such a list would be very helpful for dealing with fast flux.
>
> SA already has this. It used fresh.fmb.la to detect domains registered within
> the past couple of weeks.
It does? Do I need to enable something to get that?
--
micah
that happens only
on Namecheap.
> I think there are also lists of domains that have been recently
> registered. Which might help if the single use domains were recently
> registered.
Having such a list would be very helpful for dealing with fast flux.
--
micah
"Bill Cole" writes:
> On 20 Nov 2018, at 13:53, John Hardin wrote:
>
>> On Tue, 20 Nov 2018, micah anderson wrote:
> [...]
>>>> What it does do is prevent compiled rules from being installed. But
>>>> as I
>>>> said it's t
RW writes:
> On Tue, 20 Nov 2018 12:53:18 -0500
> micah anderson wrote:
>
>> RW writes:
>>
>> > On Tue, 20 Nov 2018 12:38:24 -0500
>> > micah anderson wrote:
>> >
>> >> I was doing multiplication in rules to add scores, like thi
RW writes:
> On Tue, 20 Nov 2018 12:38:24 -0500
> micah anderson wrote:
>
>> I was doing multiplication in rules to add scores, like this:
>>
>> meta LOCAL_EXCEEDED_PHISH (((0.4 * __MAILBOX) + (0.4 *
>> __LOCAL_EXCEEDED) + (0.4 * __LOCAL_STORAGE) + (0.4 * __LOC
46] warn: config: Strange rule token: 0.4
What should I do to fix that?
Thanks!
--
micah
d in KAM as part of an update channel, it would make
updates more frequent. The only thing is I have to adjust KAM each time
I update it. For example, the political spam section is a bit dated and
has caused some frustrations for people.
--
micah
John Hardin writes:
> On Tue, 14 Aug 2018, micah anderson wrote:
>
>> John Hardin writes:
>>
>>> On Tue, 14 Aug 2018, micah anderson wrote:
>
> OK, I can see about adding some mobile MUA exclusions. Any FP headers you
> can provide (directly) will b
John Hardin writes:
> On Tue, 14 Aug 2018, RW wrote:
>
>> On Tue, 14 Aug 2018 13:24:47 -0700 (PDT)
>> John Hardin wrote:
>>
>>> On Tue, 14 Aug 2018, micah anderson wrote:
>>>
>>
>>>> I searched my pile of mail that I have from two ic
John Hardin writes:
> On Tue, 14 Aug 2018, micah anderson wrote:
>
>> but how can I tell how many messages are part of the corpus?
>
> As RW said, hover over the percentages.
Thanks.
>> Also, the percentages seem very low: 1.5192% Spam, and .0005%
>> Ham... 1.5
me to be adding 3.5 score to this rule, but
what do I know... which is why I'm asking.
thanks!
--
micah
"Kevin A. McGrail" writes:
> I think Bayes should be in redis though not SQL.
Curious to know why you think that?
John Hardin writes:
> On Tue, 12 Jun 2018, micah anderson wrote:
>
>> I had a message marked with:
>>
>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> Subject:
>>
>> It did not have a subject, but it did have content (althoug
Matus UHLAR - fantomas writes:
> On 12.06.18 19:37, micah anderson wrote:
>>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>>Subject:
>>
>>It did not have a subject, but it did have content (although only
>>encrypted) it also hit:
Reindl Harald writes:
> Am 13.06.2018 um 01:37 schrieb micah anderson:
>> I had a message marked with:
>>
>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> Subject:
>>
>> It did not have a subject, but it did have content (alth
have one, but have you
looked in your Spam folder lately? All spam has a subject, pretty much
always an informal survey of my trash heap showed 4 messages out of
400 did not have a Subject, and two of them were repeats.
--
micah
Axb writes:
> AppRiver Acquires Roaring Penguin
>
> https://globenewswire.com/news-release/2018/03/26/1453063/0/en/AppRiver-Acquires-Roaring-Penguin.html
Sorry, but what is AppRiver, and what is Roaring Penguin, and who is
Dianne? It seems like people are responding as if this isn't spam, so
I'
Even with normalization
> there may be some headers that don't transcode properly.
>
> I've never seen a from header encoded in UTF-16, but then I don't get
> much mail in Asian languages.
Do most people have 'normalize_charset 1' set? I noticed I do not have
it set
Axb writes:
> On 11/12/2017 05:35 PM, micah wrote:
>> David Jones writes:
>>
>>>> I am interested in seeing the bayes info in the database, because it was
>>>> created years ago
>>>>
>>>
>>> Spam changes all of the time s
David Jones writes:
>> I am interested in seeing the bayes info in the database, because it was
>> created years ago
>>
>
> Spam changes all of the time so I train mine daily and manually expire
> mine after about a month. Depending on your recipients, number of
> mailboxes, and mail flow, y
like the database is working fine...
any ideas?
thanks!
micah
as
Spam.
How can I get around that?
Thanks!
micah
dar...@chaosreigns.com writes:
> On 01/18, Micah Anderson wrote:
>> updates.spamassassin.org
>> sought.rules.yerp.org
>> khop-bl.sa.khopesh.com
>> khop-blessed.sa.khopesh.com
>> khop-general.sa.khopesh.com
>> khop-sc-neighbors.sa.khopesh.com
>>
>
might be able to make some suggestions for improvements?
thanks,
micah
--
Dominic Benson writes:
> On 19 Oct 2010, at 17:05, Micah Anderson wrote:
>
>>
>> Hello,
>>
>> I'm running a busy mail server. We've got a bayes database on its own
>> server, with InnoDB tables.
>
> What is your total DB size / server RAM?
SET spam_count = spam_count + '1'
WHERE id = '5'|
| 475089 | spamass | 127.0.0.1:48669 | bayes | Query | 0 | statistics
| SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime
FROM bayes_token
Any ideas what could be going on, or steps I could take to troubleshoot
this?
Thanks!
micah
--
Hello,
I'm running a busy mail server. We've got a bayes database on its own
server, with InnoDB tables.
I'm seeing a number of these entries in my log files and am struggling
to determine what could be causing them and how to fix them:
Oct 19 07:02:10 spamd3 spamd[27474]: learn: exceeded time
inclusion of
> their source in Debian gives them. Quite obviously they complained
> and
> their stuff was withdrawn as a result.
Your conclusions are amazing, but that does not make them any more
right.
micah
en RPM?
Probably because Debian doesn't use RPMs... sorry I couldn't resist. The
real reason is the one cited here, and in previous messages.
> someone official from debian want to chime in?
Since I am a Debian Developer, I may count as 'official' here.
micah
0. http://www.debian.org/social_contract#guidelines
1. http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/128332
2. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380542
Michael Scheidell writes:
> On 4/15/10 5:35 PM, Micah Anderson wrote:
>> M
>> "The Distributed Checksum Clearinghouse source carries a license that is
>> free to organizations that do not sell filtering devices or services
>> except to their own users and th
ng the
above channel (or 90_3tld.cf) because these files have been merged into
3.3.1 and are released as 20_aux_tlds.cf
micah
0. http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/127703
Kai Schaetzl writes:
> Micah Anderson wrote on Wed, 17 Mar 2010 18:20:40 -0400:
>
>> saupdates.openprotect.com
>
> It's been said repeatedly on this list: don't use it.
Thanks, should I be using the sought.rules.yerp.org channel instead, or
some of the dostech ones?
micah
ate any second eyes on my interpretation
here.
thanks,
micah
unning v2.007 to see if that fixes it, I suspect it will. If
it does I will make sure the debian package gets that noted so others
won't run into this.
thanks for your answers,
micah
Michael Scheidell writes:
> On 4/12/10 4:55 PM, Micah Anderson wrote:
>> I'm getting a lot of these log entries ever since I've upgraded:
>>
>> Apr 9 22:31:14 spamd2 spamd[2774]: dcc: [26896] terminated: exit 241
>>
>>
> what version of dcc are
::All" at /usr/share/perl5/Mail/SPF/Record.pm
line 227.
I'm using libmail-spf-perl version: 2.005-1
Might this be fixed in a newer perl version?
Micah
m
(or maybe they are normal and I need to start ignoring them?)
Does anyone have a clue about these? thanks!
micah
--
"It is no measure of health to be well adjusted to a profoundly sick society."
- J Krishnamurti
worry about it? Should I ignore it in logcheck?
thanks!
micah
--
"It is no measure of health to be well adjusted to a profoundly sick society."
- J Krishnamurti
other suggestions that I offer people as alternatives,
but until then I think I may need to remove Botnet from the equation.
micah
.rules.yerp.org
saupdates.openprotect.com
But I wonder if the last two are still relevant, or if there are other
lists to use instead?
Thanks for any advice,
micah
or experiences with this plugin!
micah
ps. I notice it is not listed on
http://wiki.apache.org/spamassassin/CustomPlugins and I wonder the
reason why?
On Fri, 12 Mar 2010 15:44:21 -1000, Julian Yap wrote:
> On Thu, Mar 11, 2010 at 7:58 AM, micah anderson wrote:
>
> > On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap
> > wrote:
> > > Just wanted to add that this particular line is incorrect:
> >
w I am wondering if this is the right
thing to do.
I'm very curious about resolving this, it does seem like a bad setup and
it is being taken as gospel from the spamassassin wiki, but perhaps
there is something that we are not understanding here that Justin can
clarify?
micah
* Michael Grant [2009-06-05 10:26-0400]:
> On Fri, Jun 5, 2009 at 16:08, Micah Anderson wrote:
> > Michael Grant writes:
> >
> >> I did not realize one could store the bayes scores in sql.
> >>
> >> So I'd store the bayes scores on a third serv
/etc/spamassassin
I knew about the FreeMail.cf because I've used SA plugins before, but I
had no idea about the domain list. Might be good to make these
instructions a little more explicit, so that others will also win.
Micah
s is why I will want to change my
training behavior.
thanks,
micah
ldn't have any row-level locking issues... in
any case I might have had some issues because my MySQL database needed
to be optimized, but I was not able to determine how and now I just run
one of the spamd's without bayes, which is not too bad because my bayes
database seems to be totally w
sers? Any chance some of them are training badly? At worst
No, I don't trust my users. In fact because of that we moved from doing
site-wide training to selected users who can demonstrate that they
understand how to train. Perhaps these numbers are legacy from before we
switched to this method.
thanks,
micah
Adam Katz writes:
> Micah Anderson wrote:
>>> Also, to see how experienced your Bayes knowledge is - use "$ sa-learn
>>> --dump magic"
>>
>> This shows me that I have no idea what these magic things are :) Does
>> this tell you anything usefu
Dave Walker writes:
> Micah Anderson wrote:
>> I got a phish message that was understood by bayes as:
>>
>> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
>> [score: 0.]
>>
>> So I trained with spamc
that score up?
Thanks for any info,
micah
ASSWORD ) + ( 0.4 * LOCAL_PHISH_FROMREPLY)) > 1)
describe LOCAL_PHISHER_USERPASS Typical phish: asks for username and
password, we dont do that
score LOCAL_PHISHER_USERPASS 10.5
thanks,
micah
in postfwd and in spamassassin, i have contacted facebook
> about it, but the problem might still be there
>
> i like your postfwd config
Where is this postfwd config you refer to? I would like to see this.
micah
my
different mail servers to query different spamds?
Thanks for any ideas,
micah
t open, they
>>> subscribe first.
>>
>> Ah right, I was looking it a bit wrong.. it's silly that the original
>> recipient is nowhere to be found in headers.
>>
>
> Now that you say it, I don't see any list headers! so it looks like a
> bug somewhere...
No, I receive email at [EMAIL PROTECTED], so it doesn't need to go
through a debian list to get to me.
micah
0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0
0. http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/113625
1. http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
micah
Matt Kettler <[EMAIL PROTECTED]> writes:
> Micah Anderson wrote:
>> I set some 'add_header' options in my global local.cf and could not
>> figure out why they were not being applied. It turns out that because I
>> am using SQL user_prefs, any add_header lines
* Justin Mason <[EMAIL PROTECTED]> [2008-11-12 05:20-0500]:
>
> John Hardin writes:
> > On Sun, 9 Nov 2008, Micah Anderson wrote:
> >
> > > Does anyone have any rules to catch these, or suggestions of scores to
> > > tweak to make these hit be
them in my
local.cf they would be honored globally as well, as certain other things
that are set there are honored globally. I'm not sure which are and
which are not.
micah
I have the hardest time understanding, the
trusted_networks and internal_networks settings. I've read all the posts
that try to clarify it and I still can't keep it straight :)
How would adding a list relay to my trusted_networks actually make
stopping spam easier? Doesn't that make it a network that I should spend
less time doing SA processing, because I 'trust' it?
micah
escribe RCVD_IN_BRBL Received via relay listed in Barracuda
RBL
score RCVD_IN_BRBL 1.0
tflags RCVD_IN_BRBL net
micah
Rob McEwen <[EMAIL PROTECTED]> writes:
> Micah,
>
> In addition to the barracuda RBL, this IP is also listed on ivmSIP
> (since 10/21/08) and ivmSIP/24
Can you provide me with the local.cf details to be able to add the
ivm RBLs?
> Additionally, the domain "h
reat, and it is appreciated that you have thought of
small charitable/non-profits with low email volume. However, I think you
are missing that there are small charitable/non-profits that can do this
volume on a extremely tight budget.
Micah
cf
as described, and it appears like it is working, as I am seeing some
messages get tagged with it.
Are the plugins that I am installing like this compilable regexps with
sa-compile? Or do they stand separately?
Thanks,
micah
I'm getting probably 4-5 of these a day, the messages vary, so they
aren't the same, but they aren't firing on any specific rules related to
their 'hard money conference/webinar/seminar' etc. Does anyone have any
customized rules for these? I've been training my bayes on them, and it's
starting to
* Justin Mason <[EMAIL PROTECTED]> [2008-11-10 05:30-0500]:
>
> John Hardin writes:
> > On Sun, 9 Nov 2008, Micah Anderson wrote:
> > > Does anyone have any rules to catch these, or suggestions of scores to
> > > tweak to make these hit better?
Chris <[EMAIL PROTECTED]> writes:
> On Sunday 09 November 2008 2:33 pm, Micah Anderson wrote:
> 2.5 CTYME_IXHASH BODY: iXhash found @ ixhash.junkemailfilter.com
This one is interesting to me, when I pump these messages through spamc
-R I get:
-5.0 RCVD_IN_JMF_W
John Hardin <[EMAIL PROTECTED]> writes:
> On Sun, 9 Nov 2008, Micah Anderson wrote:
>
>> Does anyone have any rules to catch these, or suggestions of scores to
>> tweak to make these hit better? I am running clamav-milter with the
>> sanesecurity add-ons, but the
0156699029126214
[9595] dbg: bayes: token 'bates' => 0.0156699029126214
[9595] dbg: bayes: token 'current' => 0.0200447781112092
[9595] dbg: bayes: token 'H*r:IMP' => 0.0961561369397845
[9595] dbg: bayes: token 'notified' => 0.121287867011135
[9595] dbg: bayes: token 'Password' => 0.13640095340516
[9595] dbg: bayes: token 'HX-Spam-Relays-External:sk:webmail' => 0.1492193587257
[9595] dbg: bayes: token 'H*RU:sk:webmail' => 0.1492193587257
[9595] dbg: bayes: score = 1.83186799063151e-15
Any ideas would be very appreciated! My goal is to stop these phishers
from getting their mail through, but even with a customized rule set to
a high score, they will get through if BAYES_00 fires...
micah
e default DKIM scores, I am finding I am getting spam that are
DKIM_VERIFIED causing the score to dip below zero and let the message
through, for example:
http://micah.riseup.net/1
I am thinking of actually increasing the score because of this.
micah
I'm getting a number of these types of emails getting through SA with
either negative scores, or very low scores. This is surprising to me as
these are pretty classic spams. I suspect that some of the low scores
are due to being DKIM signed.
Does anyone have any rules to catch these, or suggestions
caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.
> The first of course is partly local to us. Another useful local rule
> is to check for the uri of your own webmail.
Yeah, i'll make a uri rule for that and probably add that to the
meta-rule.
Thanks for any advice,
micah
; he asked whether any legitimate mail flows
> from live.com. That was my answer. :)
You are technically correct, but Joseph's message made clear the
information that I was not aware of, which was quite helpful and
technically better.
Micah
1 - 100 of 138 matches