Re: Lint problem with KAM.cf

2021-08-30 Thread Mike Grau
+1 Same issue here. On 8/30/21 14:31, Rick Cooper wrote: > This has been going on a while but I haven't had time to address it. > When the KAM rules are updated I see the following lint warning > warn: rules: error: unknown eval 'short_url' for __KAM_SHORT > > Near as I can tell I am running th

Re: Which Net::DSN for SpamAssassin-3.4.1

2016-12-12 Thread Mike Grau
> > Net::DNS has had some very good but rather weakly-controlled improvement > recently, including an API change that got rolled back, so the latest > (1.06) is probably the best choice (it's what I use.) However, all > recent versions cause a problem with the released version of SA. The > patch

Which Net::DSN for SpamAssassin-3.4.1

2016-12-09 Thread Mike Grau
Hello all I'm confused ... what is the "recommended" version of Net::DNS to use with an unpatched SpamAssassin-3.4.1? Or are there patches I ought to apply for, say, Net::DNS 1.06? Thanks! -- Mike G.

Re: ancient perl versions

2014-12-05 Thread Mike Grau
On 12/05/2014 09:38 AM, Noel Butler wrote: > pffft > > I see no problem, as like most developers if you can't reproduce it, then > it's nothing to bother about, after all this time 2 ppl don't like a font > or whatever, you're pissing up the wrong tree if you think I have a care > factor about changing

Re: Hacked Wordpress sites & Cryptolocker

2014-09-05 Thread Mike Grau
>> I'm also getting WP phishing urls that end in "/", like so: >> >> ... /wp-includes/logs/ > > spample plz? > http://pastebin.com/yBLqTrYP

Re: Hacked Wordpress sites & Cryptolocker

2014-09-05 Thread Mike Grau
> I'm testing versions that insist on .php and am getting very good > results. Thanks to the OP for pointing this out! I'm also getting WP phishing urls that end in "/", like so: ... /wp-includes/logs/ Presumably, this is the equivalent of /wp-includes/logs/index.php? -- Mike G

Re: refusing to untaint

2014-02-27 Thread Mike Grau
> >> Please open a new bug. I'll try and make it a blocker for 3.4.1 if you >> open it ASAP. > > Done. > For the list - the error appears to have been caused from an old .pre file that was left in /etc/mail/spamassassin. Removing t

Re: refusing to untaint

2014-02-27 Thread Mike Grau
> Please open a new bug. I'll try and make it a blocker for 3.4.1 if you > open it ASAP. Done.

Re: refusing to untaint

2014-02-26 Thread Mike Grau
> Any chance you can try the very small patch in > https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7015 and see if > it's related? Still the same error after patching: Feb 26 15:24:07.130 [20964] warn: util: refusing to untaint suspicious path: "${exec_prefix}/lib"

refusing to untaint

2014-02-26 Thread Mike Grau
Hello, I've installed SpamAssassin-3.4.0 on a couple of machines via the tarball and perl Makefile.PL make make test make install When I run a message through spamassassin -t it gives this warning from Util.pm Feb 26 12:19:27.028 [17527] warn: util: refusing to untaint suspicious pa

Re: Huh? Variable length lookbehind?

2013-12-27 Thread Mike Grau
> > The 'st' is apparently equivalent to some ligature or some other UTF-8 > character, so you end up with an alternation of two different lengths, > which can't be used for look-behinds. > > Use a character set modifier /a to restrict the matching to ASCII rules. > Search for "Character set modi

Huh? Variable length lookbehind?

2013-12-27 Thread Mike Grau
I have a problem with a rule on a newly installed relay on which --lint throws a warning on an old local rule, squawking about "Variable length lookbehind not implemented". I simplified the rule trying to discover the problem and it seems to be with the /i modifier: This rule does _not_ provoke

Re: X-Relay-Countries

2013-02-12 Thread Mike Grau
> > Hmm I would do something like this (untested): > > header RELAY_NOT_US X-Relay-Countries =~ /\b(?!US)[A-Z]{2}\b/ > I've had to use, IIRC. X-Relay-Countries =~ /\b(?!US|XX)([A-Z]{2})\b/

Re: Question about TRACKER_ID

2013-02-08 Thread Mike Grau
Martin Gregorie wrote: > On Fri, 2013-02-08 at 13:26 -0600, Mike Grau wrote: >> Hello folks. >> >> In 20_body_tests.cf (SA 3.3.2) there is this rule: >> >> body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is >> >> What is the "

Question about TRACKER_ID

2013-02-08 Thread Mike Grau
Hello folks. In 20_body_tests.cf (SA 3.3.2) there is this rule: body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is What is the "\z" in the regex? This rule matches "". Is that as intended? Thanks! -- Mike

Re: KB_FAKED_THE_BAT

2012-05-14 Thread Mike Grau
>> >> # grep Date: HEADERS | od -a >> 000 D a t e : sp ht T h u , sp 3 sp M a >> 020 y sp 2 0 1 2 sp 1 6 : 5 3 : 5 9 sp >> 040 + 0 7 0 0 nl >> 046vi H* >> >> This has been Russian language spam (charset koi8-r) wit

KB_FAKED_THE_BAT

2012-05-03 Thread Mike Grau
Hello all, Just an FYI ... The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting circumvented here because the meta rule component header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t is being evaded by spam that now has a space character before the tab: # grep Date: HEADERS | od -a 00

Re: RP_MATCHES_RCVD

2011-07-28 Thread Mike Grau
On 07/28/2011 09:28 AM the voices made RW write: There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it's just a circumstantial version of what SPF does explicitly. For me it's hitting more spam than ham, and w

Re: FPs on FH_FAKE_RCVD_LINE_B

2010-06-29 Thread Mike Grau
> > I believe the issue is that there are no brackets around the IP. The > line should look like this: > > Received: from [68.103.178.110] by webmail.east.cox.net; Mon, 28 Jun 2010 > 18:02:23 -0400 > > Ah, right! Thanks! ( Drat, sorry about the reply to poster rather than list. )

FPs on FH_FAKE_RCVD_LINE_B

2010-06-29 Thread Mike Grau
Hello, I'm getting a lot of FPs from FH_FAKE_RCVD_LINE_B RCVD line looks faked (B) since the default score for this rule is a whopping 4.000. It's matching on this header: Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010 18:02:23 -0400 This rule matches the ISP Cox Commun

Re: [sa] Re: Yahoo/URL spam

2010-03-24 Thread Mike Grau
On 3/23/2010 2:49 PM the voices made Charles Gregory write: On Tue, 23 Mar 2010, Alex wrote: This is what I have: /^[^a-z]{0,10}(http:\/\/|www\.)(\w+\.)+(com|net|org|biz|cn|ru)\/?[^ ]{0,20}[a-z]{0,10}$/msi My bad. I got an option wrong. Please remove the 'm' above. I always get it backwards. A

Re: newbie: configure SA to reject spam

2010-01-13 Thread Mike Grau
tonjg wrote: On 01/13/2010 07:22 PM, tonjg wrote: thanks for your response Ned. your last line describes exactly what I want to do - reject mail, do it at the smtp stage in sendmail - but I don't know how to achieve this. Call spamassassin from within a milter. I use Mimedefang, but there a

Re: Rule to catch PO#

2008-12-04 Thread Mike Grau
On 12/04/2008 01:49 Ray Jette wrote: > A lot of these rules look good but do not appear to work for what I am > trying to do. Sorry about all the trouble. I'm not really that good at > regular expressions but I am learning. Here are some real examples from > my mail server: > >* PO1786 >* PO

Re: Rulesemporium

2007-07-12 Thread Mike Grau
If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2F&langpair=fr%7Cen I bet the 'donate' link would help :-) Hmm, I doubt it, seeing that SARE has received 3

Re: Rulesemporium

2007-07-11 Thread Mike Grau
If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2F&langpair=fr%7Cen I bet the 'donate' link would help :-) Ken Okay, done. We'll see if it helps. Mike

Re: Rulesemporium

2007-07-11 Thread Mike Grau
A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between its loading each image on each page, then click the start button again. It's tricky, but if you

Re: Rulesemporium

2007-07-10 Thread Mike Grau
Ok, so the word is that the telia link is saturated with traffic from the ddos yet.. I'd like some traceroutes to www.rulesemporium.com for anyone that is having problems. # traceroute www.rulesemporium.com traceroute to www.rulesemporium.com (209.200.135.151), 30 hops max, 40 byte packet

Re: Rulesemporium

2007-07-09 Thread Mike Grau
On 07/09/2007 04:01 PM the voices made Joe Zitnik write: I can't get here: http://www.rulesemporium.com/rules Is rulesemporium having issues again? I can rarely get there (via a browser). So rarely the site is almost useless.

Re: Catching and stopping 419 spam

2007-05-24 Thread Mike Grau
I'd like to see other people's states as well. I'm using it to block and my 419 spam is almost completely gone. But I'm wondering what other people's experiences are. FPs here on emails that have been forwarded and have email addresses in the message body. These have all been from cox.net

Re: SARE ADULT easily worked around?

2007-05-01 Thread Mike Grau
Hum. Most of us seem to have been listwashed off the porn lists, so it is kinda hard to adjust the rules! We used to be plagued by pornographic spam, usually obfuscated. Unexpectedly, to me anyway, greylisting virtually eliminated it. -- Mike G

Spam or something else?

2006-10-18 Thread Mike Grau
Hello. (sendmail->mimedefang->spamassassin) Since this past weekend I've been seeing in the mail log: possible SMTP attack: command=HELO/EHLO, count=3 These used to be very rare, but since Saturday there are a great many (for us). For the past few hours, I've been firewalling the offending IPs w

3.1.6, local scores, and sa-update

2006-10-05 Thread Mike Grau
Since upgrading to SpamAssassin 3.1.6, running sa-update yields # sa-update config: warning: score set for non-existent rule BAYES_50 config: warning: score set for non-existent rule BAYES_05 config: warning: score set for non-existent rule BAYES_00 config: warning: score set for non-existent rule

Re: Rule advice please

2005-02-28 Thread Mike Grau
subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i subject =~ /\b(?!dripping)d[ripn]{6}g\b/i subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i You can't use rules like this. The pattern "can" matches your first exam

Rule advice please

2005-02-28 Thread Mike Grau
Hello. Following discussions on this list about obfuscating words to avoid spam detection, and not being a ninja, I'd like some feedback about the possible efficacy or pitfalls on rules like the following. As noted in other discussions, words with scrambled letters between the first and last le