spam emails sent by bots using Amazon SES servers are getting through
because I have amazonses.com in my whitelist due to several "important
/ trusted companies" using amazon ses.
How does this rule work, to separate the "Received: ", versus the "From: " ?
the header "From: " is NOT in my whitel
I have a cron job running as root, which calls sa-update
it warns about unsafe ownership
gpg: WARNING: unsafe ownership on homedir
`/var/lib/spamassassin/sa-update-keys'
this is my current o
Hi, I am running version 3.4.2
/usr/bin/spamassassin -V
SpamAssassin version 3.4.2
running on Perl version 5.22.1
spamd --version
SpamAssassin Server version 3.4.2
running on Perl 5.22.1
with SSL support (IO::Socket::SSL 2.024)
with zlib support (Compress::Zlib 2.068)
which spamd
/usr/sbin
On 2021-05-07 10:33 AM, Henrik K wrote:
On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
I want to extract the first part of an email address from the
"Delivered-To" header and use it within a custom rule.
Example pseudo code:
my ($first_part) = $email_file =~ /^
I want to extract the first part of an email address from the
"Delivered-To" header and use it within a custom rule.
Example pseudo code:
my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
body __LOCAL_AWKWARD_INTRO /hi $first_part/i
How can I do this in my .cf file?
On 2021-04-27 03:03 PM, Dave Wreski wrote:
Invalid List-ID. You can then use that with other weirdness in a
meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORM
On 2021-04-27 02:23 PM, Reindl Harald wrote:
Am 27.04.21 um 19:57 schrieb Steve Dondley:
On 2021-04-27 01:19 PM, Dave Wreski wrote:
Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services
OK, how do I get those rules
On 2021-04-27 01:19 PM, Dave Wreski wrote:
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
[185.41.28.7 listed in
hostkarma.junkemailfilter.com]
We've reduced this score to -1 locally.
-1.0 BAYES_00 BODY: Bayes spam probability is 0 t
On 2021-04-27 01:12 PM, Greg Troxel wrote:
As always, if you have a problem stemming from a dns-based or similar
reputation list, you need to report problems to those lists.
If you aren't running greylisting with aggressive delays for SBL/XBL
and
moderate for dialup, do that too.
What does "
Got this: https://pastebin.com/Gfz951dh
Spam report:
Content analysis details: (-2.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
On 2021-04-25 01:47 PM, Henrik K wrote:
On Sun, Apr 25, 2021 at 01:28:31PM -0400, Steve Dondley wrote:
> mass-check -c parameter expects to find every config file in that single
> directory. Now it's missing spamassassin updates and specifically
> 20_aux_tlds.cf from there. You
spamassassin -V reports: "SpamAssassin version 3.4.4"
I imagine I have to checkout an older 3.4.4 point version from SVN and
use the mass-check command from that. It's been ages since I've used
SVN.
How can I get to the older version via SVN?
I solved this by downloading version 3.4.4 of S
> On Apr 25, 2021, at 1:31 PM, Axb wrote:
>
> What are you trying to do?
> run masscheck for your rules or for the SA project?
I’m experimenting with writing my own rules. My machines are using SA 3.4.4 so
I want to use the 3.4.4 rules.
mass-check -c parameter expects to find every config file in that
single
directory. Now it's missing spamassassin updates and specifically
20_aux_tlds.cf from there. You could copy it to /etc/spamassassin
temporarily, but I'd rather make a completely separate directory that
should
include
I'm running this command:
./mass-check -n --rules='^LOCAL_AWK_INTRO' -o
ham:dir:/spam/Maildir/.INBOX* -c=/etc/spamassassin/ | grep '. 1'
Everything appears to work as expected but I'm getting this
warning/error when I do:
"config: registryboundaries: no tlds defined, need to run sa-updat
On 2021-04-25 10:19 AM, RW wrote:
On Sun, 25 Apr 2021 00:40:59 -0400
Steve Dondley wrote:
On both machines, /usr/share/spamassassin/72_active.cf has this rule
which is commented out:
This is the legacy rule directory from before sa-update existed.
Have you not got another directory
On 2021-04-25 05:57 AM, Reindl Harald wrote:
Am 25.04.21 um 07:09 schrieb Steve Dondley:
That rule has this line in the 72_active.cf file:
Look in 72_scores.cf and compare the modification dates on that file.
Their scores as of today (saturday):
72_scores.cf:score FSL_BULK_SIG
On 2021-04-25 01:00 AM, John Hardin wrote:
On Sun, 25 Apr 2021, Steve Dondley wrote:
I'm running the same version of SA on the same email on two different
machines and getting different scores for some rules in the report:
Machine A gives: 0.0 FSL_BULK_SIG Bulk signature wi
I'm running the same version of SA on the same email on two different
machines and getting different scores for some rules in the report:
Machine A gives: 0.0 FSL_BULK_SIG Bulk signature with no
Unsubscribe
Machine B gives: 1.0 FSL_BULK_SIG Bulk signature with no
Unsubsc
And if you want to test your rules against a corpus rather than
testing against a few one-off spamples, then look into setting up a
local masscheck instance. You don't need to upload the results to SA,
but it will give you a good overview of how a rule behaves against
multiple messages.
I'm
On 2021-04-23 05:41 PM, Martin Gregorie wrote:
On Fri, 2021-04-23 at 16:28 -0400, Steve Dondley wrote:
I'm experimenting with writing a library of my own SA rules and
scores.
I do this on a separate computer, which has Spamassassin installed but
not linked into anything else. It also
I'm experimenting with writing a library of my own SA rules and scores.
I'd like to be sure that the rules I write don't turn ham into spam and
vice versa. I figured the best way to do this would be to run SA against
an existing collection of ham and spam to make sure emails are still
scored ac
On 2021-04-23 01:37 PM, Henrik K wrote:
On Fri, Apr 23, 2021 at 01:03:33PM -0400, Steve Dondley wrote:
I'm looking at KAM.cf. There is this rule:
body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
I'm wondering if there is a good reason why a single peri
On 2021-04-23 01:02 PM, mau...@gmx.ch wrote:
> Hello
>
> Please how its possible to disable the spam check from sending mails from
> "private to public" network?
>
> I was really thinking if enable the trusted network this will pass over.
>
> trusted_networks 192.168.28.
>
> thanks
Ar
I'm looking at KAM.cf. There is this rule:
body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
I'm wondering if there is a good reason why a single period is used
instead of something like \s+ which would catch multiple spaces whereas
a single period doesn't.
I could add another point between BAYES_999 and BAYES_99 scores but
that seems reactionary. Is there a better way? Should I throw in
another point for certain keywords in marketing emails like these?
add score to tags that score positive 0.0
until it gives 5.0 and above
I like this idea.
On 2021-04-22 02:31 PM, Matus UHLAR - fantomas wrote:
On 22.04.21 14:21, Steve Dondley wrote:
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
https://www.dnswl.org
For whatever reason, solicitations from marketers for various web
development services are easily slipping through my defenses. I figured
bayes filtering would eventually do the job but after reporting them
for many days now, I'm still getting like 3 to half dozen a day. Here's
one example: h
The DCC FAQ at https://www.dcc-servers.net/dcc/FAQ.html#license
describes the definitive ways to get any questions answered regarding
DCC licensing. Any answers you could get here would be conjecture and
anecdote.
I found a form on their website for licensing questions. Waiting to hear
back.
Sorry if this is a bit off-topic.
I'm looking into installing DCC (Distributed Checksum Clearinghouse)
software.
The page at https://www.dcc-servers.net/dcc/INSTALL.html says:
"The free license is intended to cover individuals and organizations
including Internet service providers using DCC
On 2021-04-21 11:00 AM, Eric Broch wrote:
Does anyone have a solution to this:
spamd[]: pyzor: check failed: internal error, python traceback
seen in response
I have this in my local.cf
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
I don't have this in my config at all. Maybe you are
First, thanks to everyone on the list who has given me a hand over the
past couple of weeks as I get my "sea legs" with spamassassin. It's
working well for me now but I obviously still have more to learn.
For one, I'm still uncertain on the best way to fine tune SA to beat
back some tricky spa
On 2021-04-12 03:11 AM, Matthias Leisi wrote:
> -2.0 RCVD_IN_DNSWL_HI RBL: Sender listed at
> https://www.dnswl.org/,
> high trust
> [203.160.71.180 listed in list.dnswl.org [1]] I looked up this, and the other
> one, and didn't find them in dnswl. As
> others said, if you are using publi
However, in 50_scores.cf, this line is commented out:
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
Maybe that's the problem?
no, there are other SORBS lists used:
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
Best I can tell, my SA config should be testing for sorbs. I've got this
line in /etc/spamassassin/v3220.pre:
loadplugin Mail::SpamAssassin::Plugin::DNSEval
And in /usr/share/spama
Also, I've heard of sorbs over the years but I'm not sure exactly what
it is. Is this the same block list run by Cisco?
OK, I was getting SORBS confused with SenderBase Reputation Score
(SBRS). That's the one run by Cisco, I believe.
I actually have an account on the SORBS website that I s
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
How would I check if it's turned on? I tried grepping in
/etc/spamassassin on "sorb" (case insensitive) and found nothing. So I
guess it's not in my default config.
I see many men
Second, I'm not sure if my tests will work on my spam samples which
have the spam encapsulated with the "report_safe" setting set to a
value of "1".
I wouldn't expect it to work at all. "report_safe" encapsulation
creates a new email which isn't a spam.
From what I read on pyzor's home page
On 2021-04-11 04:19 PM, Benny Pedersen wrote:
On 2021-04-11 22:09, Steve Dondley wrote:
Content analysis details: (4.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99
I've received about a dozen phishing attack emails from Microsoft's
sharepoint service within the last couple of weeks. Only one of them was
identified by SA as spam. After running the emails through sa-learn,
they still only score a 4 to 4.5. But I could see that it would be easy
for these ema
On 2021-04-11 03:09 PM, Bill Cole wrote:
On 11 Apr 2021, at 13:21, Steve Dondley wrote:
value of "1". By the way, anyone know of a CLI utility for extracting
the original spam email from these files?
spamassassin -d < wrappedspam.eml
Ah, ok. I was familiar with the -d optio
value of "1". By the way, anyone know of a CLI utility for extracting
the original spam email from these files?
Here's a very crude perl script that does the trick:
#!/usr/bin/perl
use strict;
use warnings;
my $email;
while (<>) {
$email .= $_;
}
my ($boundary) = $email =~ /boundary="(.
On 2021-04-11 09:34 AM, Benny Pedersen wrote:
On 2021-04-11 15:13, Steve Dondley wrote:
What do you think?
pyzor is useful if running pyzord locally, design of pyzor was imho
meant to be local pyzord and have the pyzor client query local, but
pyzord could be get results from other pyzord
I just installed pyzor and did a random spot check of about 10 spam
emails to try to evaluate it using this command:
pyzor check < some_spam
Only one message gave me a hit on pyzor.
But I take my results with a grain of salt because I may not have pyzor
configured optimally.
For one, I'm us
On 2021-04-10 03:20 PM, Bill Cole wrote:
On 10 Apr 2021, at 14:53, Steve Dondley wrote:
I'm very, very sorry to beat a dead horse, but I'm deeply confused by
the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly
on my system.
STOP USING ANY PUBLIC DNS RES
I'm very, very sorry to beat a dead horse, but I'm deeply confused by
the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly on
my system.
I ran this command:
sudo -u s -- spamassassin -t -d < some_email
It gives me this report:
pts rule name description
---
You should fix URIBL_BLOCKED first.
You need a local, caching, non-forwarding DNS server for SpamAssassin.
Yeah, setting up a DNS server for SA is on my todo list. Thanks.
When you say local, it doesn't have to be on the same machine as
spamassassin, does it? I assume I can have the DNS ser
It would be helpful to post an entire actual set of headers --
unmodified -- along with the spamassassin -t report. I can't figure
out (from what you posted) the IP address of the server that was in
DNSWL_HI that delivered mail to your internal/trusted network.
OK, here is the entire output
On 2021-04-10 12:10 PM, Greg Troxel wrote:
Steve Dondley writes:
Here are the headers from some egregious spam. It scored a whopping
20.8 point despite being flagged with "RCVD_IN_DNSWL_HI."
Return-Path:
Delivered-To: s...@example.com
Received: from email.example.com
I have been looking at this issue a little more. I just grepped my
spam folder. Out of 1000 emails I have flagged as spam, 321 have been
flagged with RCVD_DNSWL_HI, a rule which adds -5 points to the email.
That's almost 1 out of 3 emails which seems pretty insane.
Here are the headers from s
On 2021-04-06 11:48 AM, Steve Dondley wrote:
I have emails that have been flagged as spam in the past but that are
still getting through, presumably because the servers are on some
DNSWL.
Example:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
DATE_IN_PAST_03_06
It can only do so if report_safe is set to 0. With non-zero
report_safe settings, the original mail is encapsulated as an
attachment inside a wrapper message also including the report. That
wrapper message containing the SA report is "safe" because it is fully
local, the text/plain part won't look
On 2021-04-06 04:19 PM, Steve Dondley wrote:
It seems to have done so. Thank you.
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
I've recently switched to
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
Ah! I see that option now under the little down arrow next to "Reply
all". My day is made. Thanks!
It seems to have done so. Thank you.
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
I've recently switched to Roundcube from gmail. I didn't see that option
but I think I'
On 2021-04-06 02:55 PM, Steve Dondley wrote:
On 2021-04-06 02:32 PM, Bill Cole wrote:
PLEASE NOTE:
I read the mailing list obsessively and DO NOT NEED (or want) the
extra copies sent when you send both to me and to the list.
Sorry, I still haven't figured out how to properly respond. W
On 2021-04-06 02:32 PM, Bill Cole wrote:
PLEASE NOTE:
I read the mailing list obsessively and DO NOT NEED (or want) the
extra copies sent when you send both to me and to the list.
Sorry, I still haven't figured out how to properly respond. When I hit
"reply all" it cc's the list and sends to y
Can you provide a working example message AND the operative user prefs?
OK, I was being very stupid. It finally dawned on me that the SA scores
that appeared above the message body and below the headers when spamc
was run without the -R option were SA scores embedded in the message by
the
When I run spamc without -R option like this:
spamc -u some_user < some_email
I get the following output:
This is a multi-part message in MIME format.
Content analysis details: (5.2 points, 5.0 required)
pt
I have emails that have been flagged as spam in the past but that are
still getting through, presumably because the servers are on some DNSWL.
Example:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
HTML_IMAGE
The email below slipped through my spam filter.
It has malicious content attached which purports to be a voicemail from
comcast (I've snipped the attachment from the example) but it is
actually a phishing attack. The attachment contains a link that goes to
a web page at an obscure domain that
I'm learning a bit about spamassassin rules and taking a peek at how my
inbound mail is scored. I noticed that PF_NONE scores zero points by
default. I'm wondering if there is a good reason for not giving it a
score and whether I should set that to something much higher like 1.0.
I'm curious t
You covered a lot of ground here. Thanks.. If you have some spare
cycles, I have follow up questions to get an understanding of how you
process your email:
21 seconds at that includes fetch the samples via imap from two
folders, fire them against a bayes-only spamassasin instance,
What is a
I have been accumulating spam/ham samples and sorting them out into
different directories on my server. As new spam/ham comes in, I throw it
into the existing pile and then run "sa-learn --spam|--ham" on the whole
pile.
It dawned on me that this will get very slow as I eventually collect
tens
I'm noticing a fair amount of spam getting through using letters in the
subject line that are outside the standard set of ASCII characters in an
effort to bypass spam filters. For example, instead of a capital "R",
there will be a letter that closely approximates a capital "R" but when
you look
OK, thanks for the additional info. It looks like I was having a
permissions issue and the bayes_* files were not both r/w for users
despite having bayes_file_mode set to 0666. I'm thinking probably
because the bayes_path was originally created manually with root.
spamassassin reads site-wide
I'm learning to understand how to properly set up a site-wide bayes
database on my server. Thanks for everyone's help and patience so far.
I've discovered that the SA score assigned to a user's incoming email is
different than the SA score run through the "spamc" or "spamassassin"
command. For
Are there any BAYES hits on their messages, ham or spam? BAYES_{not
50} would be a positive confirmation. I'm not sure offhand if BAYES_50
hits when bayes is enabled but insufficiently trained...
In one email, I'm seeing this:
3.0 BAYES_95 BODY: Bayes spam probability is 95 to
I *think* I now have site-wide bayes filtering working now for all
users on a server. I've edited /etc/spamassassin/local.cf to include
"bayes_path" and "bayes_file_mode" and I don't see any errors about
permissions being wrong from debian-spamd in mail.log.
But rather than guessing, I'm won
I have a few different mail servers. I harvest mail from the servers and
periodically sort them into ham/spam folders and then share the sorted
mail back out to the servers and run sa-learn on each of the servers to
coach spamassassin. After doing this a few days, I notice that stuff
that I kno
On 2021-03-09 08:28 AM, Greg Troxel wrote:
Steve Dondley writes:
I've read through
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which
states that "anything over about 5000 messages does not improve
accuracy significantly in our tests."
I would take that with
I've read through
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which
states that "anything over about 5000 messages does not improve accuracy
significantly in our tests."
So once I hit 5,000, what do? Do I run --forget on say the 500 oldest
emails, delete those from my ham/spa
on this documentation page:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UpgradingVersion
"If you install using a Linux package installer:
Debian unstable: apt-get install spamassassin
"
what is the meaning of "unstable" ?
it sounds scary, like the package should not be run in live ma
I'm sorry, but I do not understand your message.
I thought an upgrade fixes bugs. Maybe you are thinking about an update,
which seems like it would update rules in *.samples?
I would "like" to backup everything, for safety, that is why I included a
list of the directories (folders) which I thoug
are these the important folders which need to be backed up?
PREFIX=/usr,
DEF_RULES_DIR=/usr/share/spamassassin,
LOCAL_RULES_DIR=/etc/spamassassin,
LOCAL_STATE_DIR=/var/lib/spamassassin
and...
/var/lib/spamassassin/3.004002
does that match to SA version 3.4.2 ?
I see 3.00... and think, NO that i
Hi, I am running version 3.4.2
/usr/bin/spamassassin -V
SpamAssassin version 3.4.2
running on Perl version 5.22.1
spamd --version
SpamAssassin Server version 3.4.2
running on Perl 5.22.1
with SSL support (IO::Socket::SSL 2.024)
with zlib support (Compress::Zlib 2.068)
which spamd
I’m seriously thinking about doing the same (block all emails that contain a
bitcoin address). I’ve had good luck with my custom rule that also tests for
Unicode obfuscation:
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\
> The trouble with this is that you would be adding 10 point to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.
Well, actually, no. I sent you a snippet of my rule and inflated the score to
10 for t
Yes, absolutely.
On 10/5/18, 1:42 PM, "John Hardin" wrote:
On Fri, 5 Oct 2018, Zinski, Steve wrote:
> Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>
> body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{2
Here's how I'm blocking bitcoin emails with Unicode characters embedded:
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
body __BTC4 /\bb[i\x{0456}]t[c\x{0441}][o
now filter on a bitcoin regex (see below) and some other words
such as “pixel”, “virus”, etc. which are always a part of the sextortion
message.
body __BITCOIN /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
Steve
From: Mark London
Date: Thursday, June 28, 2018 at 2:26 PM
To: "
Didn't cc users@
How do I add a non sa-compile ruleset to spamassassin? The googles are not
helping.
on Ubuntu16
Steve
On Tue, May 1, 2018 at 7:52 PM, Kevin A. McGrail
wrote:
> I have several rules for sexually explicit content in KAM.cf. See
> https://www.pccc.com/downloads/S
body text and/or is there a
recipe specifically for that type of thing?
Steve
Report to – supp...@bitly.com
On 9/12/17, 1:29 PM, "Benny Pedersen" wrote:
Chip M. skrev den 2017-09-12 15:28:
>
> Does anyone have a contact at BitLy? These would be trivially
> easy for them to block.
https://support.bitly.com/hc/en-us/articles/231247908-I-ve-foun
Sorry for the trouble, everyone… I had been forwarding the spam through my
personal IMAP account (to test my rule) which was apparently blocking it. I
forwarded it using my gmail account and my new rule fired. I feel like an idiot.
Steve
On 1/31/17, 2:53 PM, "John Hardin" wrote:
Here’s the “view source” of the message in question.
http://pastebin.com/AnwkAf9t
Again, it’s line 88 that I’m trying to match.
Thanks.
On 1/31/17, 11:36 AM, "John Hardin" wrote:
On Tue, 31 Jan 2017, Zinski, Steve wrote:
> I’m trying to write a custom rule to bl
Hello, I have a problem that I hope someone can help me with.
I’m trying to write a custom rule to block a certain type of spam. When I view
the message source, the very last lines of the spam look like this:
http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu";>
Every sin
I’m seeing the same thing here, I’ve had to adjust that score lower. Also
seeing lots of RCVD_IN_SORBS_WEB false-positives.
On 9/8/16, 4:53 PM, "Shane Williams" wrote:
Hey all,
I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in
digging deeper, I realize that t
On 24/02/2016 22:59, John Hardin wrote:
On Wed, 24 Feb 2016, Steve wrote:
I've used spamassassin for many years - on Ubuntu, using amavisd -
with great success. In recent months, I've been receiving several
spam messages each day that evade the filters.
Can you provide samples? (
I've used spamassassin for many years - on Ubuntu, using amavisd - with
great success. In recent months, I've been receiving several spam
messages each day that evade the filters.
* These false-negatives conform to a handful of simple, formulaic,
textual forms - on common subjects.
* The email
I've made the following adjustment and the rule is
now being triggered.
header T_SCS_ASN_AS15169C X-ASN =~ /^15169$/
As to whether this will be helpful in detecting spam I'll let you know.
Kind regards
Steve
> steve skrev den 2015-11-23 15:43:
>
> > That was just one example I received. Yes, you can very well use
> > google.junc.en and no that doesn't mean Google spams me.
> >
> > My eventual goal is to test for "Has google in the sender name OR
> >
9.161.224 (ASN 20738 - Webfusion
Internet Solutions) and had *google* in the domain, to me that's something I
want to have visibility of.
Overall, while I appreciate your efforts and discussions about the validity
of my objectives, what I'm really after is how can I query the X-ASN header?
If this turns out to be a waste of time I'll be the first to let you know.
Many thanks
Steve
t yet).
>
> a meta rule with rcvd header and From: header rules will do the trick,
> faster and simpler.
>
Good thinking. I'll investigate this further.
Thanks
Steve
> steve skrev den 2015-11-23 13:31:
>
> >>> asn plugin currently does not work with ipv6
> > I'll cross that bridge when I come to it.
>
> i just still need self to debug why it fails, currently i have seen
> 2.0.0.0/8 when ipv6 received in 26xx: :=)
t yet).
> asn is nice but too unstable to make rules on
I feel its worth exploring for my purposes.
Any further advice will be gratefully received.
Regards
Steve
Original Message
Subject: Re: A rule to check X-ASN header (23-Nov-2015 12:13)
From:Benny Pedersen
To: st
ANYTHING,T_SCS_ASN_EXISTS shortcircuit=no autolearn=no
X-Spam-ASN_RV: AS15169 74.125.0.0/16
X-Spam-ASN_SASM4: AS15169
X-Spam-ASN_SEM: AS15169 74.125.0.0/16
SPF_PASS=-0.001,TXREP=-1.021,T_DKIM_INVALID=0.01,T_SCS_ASN_ANYTHING=0.01,
T_SCS_ASN_EXISTS=0.01
Any advice gratefully received!
Steve
We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m
running MIMEdefang and it’s configured to skip messages larger than 100KB (and
I hesitate to increase the limit due to performance issues). I read somewhere
that there’s a way to have MIMEdefang (or spamassassin) strip out
; reported by ClamAV
(which is what we do here).
Kind regards,
Steve.
On 19/06/15 16:57, Steve Freegard wrote:
spamd will already log the envfrom= line provided it has this
information passed through from whatever calls it. I send it over via a
X-Envelope-From: (see 'envelope_sender_header' in man
Mail::SpamAssassin::Conf).
Actually - I'm tal