They are very different tools.
One uses an SMTP RFC repeat clause to understand whether the attacker is using
a real server, slowing burst connections and eventually adding the IP to the
firewall. This is limited to port 25, and it does not work against DDoS
attacks, because pf is not that effi
On 12 Feb 2019, at 15:04, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I
checked.
A good 'tarpit' tool that IS available for *BSD (originating on OpenBSD)
is 'spamd' which unfortunately shares a name with the daemon aspect of
SA. There's a port fo
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Ehhh not available on bsd with pf, or so it was the last time I checked.
Bummer.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
On Tue, Feb 12, 2019 at 18:34, RW wrote:
> On Tue, 12 Feb 2019 16:49:27 +
> Rupert Gallagher wrote:
>
> Before the change, the
>> service stated that the IP fell into their spamtrap, whatever that
>> is.
>
> Seriously?
>
>> The fact remains that we have never sent mail to the gremlin,
>
> How
Ehhh not available on bsd with pf, or so it was the last time I checked.
Good for you as you have it! It is a fantastic piece of aikido.
On Tue, Feb 12, 2019 at 18:19, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> and we have now blocked their IP at the firewall,
>
I like it!
On Tue, Feb 12, 2019 at 18:15, John Hardin wrote:
> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):///
>> tflags __HAS_URI multiple
>> meta TMU ( _HAS_URI > 10 )
>> describe TMU Too
Ah, ok...
On Tue, Feb 12, 2019 at 18:04, RW wrote:
> On Tue, 12 Feb 2019 16:38:47 +
> Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):///
>> tflags __HAS_URI multiple
>> meta TMU ( _HAS_URI > 10 )
>> describe TM
On Tue, 12 Feb 2019 16:49:27 +
Rupert Gallagher wrote:
Before the change, the
> service stated that the IP fell into their spamtrap, whatever that
> is.
Seriously?
> The fact remains that we have never sent mail to the gremlin,
How can you possibly know that you haven't sent anything to
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
and we have now blocked their IP at the firewall,
A suggestion: it may hurt them more if you TCP tarpit them instead of just
blocking them. That's what I do.
Perhaps a little stale, and overkill for manual punishment, but it
documents the tools:
On Tue, 12 Feb 2019, Rupert Gallagher wrote:
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
How about:
uri __HAS_URI /^http/i
On Tue, 12 Feb 2019 16:38:47 +
Rupert Gallagher wrote:
> Let's see if the mail arrives with the correct escaping this time.
>
> body __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( _HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0
>
> Those who fill
Note that the "too many uris" thing has nothing to do with the Russian gremlin
who, in the meantime, has disabled the part of the rbl that explains why the IP
was listed. Before the change, the service stated that the IP fell into their
spamtrap, whatever that is. The fact remains that we have n
Let's see if the mail arrives with the correct escaping this time.
body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
As rightly noted, the same link is counted twice, for text and html bodies when
they are pres
On Tue, 12 Feb 2019 09:44:02 +
MAYER Hans wrote:
> “full” statement should be: full __HAS_URI /(http|https):\/\//
This is still a poor rule, "full" is actually the worst type to use.
Both full and rawbody can find a lot more links than are relevant. It's
already been mentioned that
biz/?beiqv
<http://beiqv.biz/?beiqv> beiqv
I learned a lot. Your reply was very helpful.
Kind regards
Hans
From: Rupert Gallagher
Sent: Thursday, February 7, 2019 7:37 PM
To: MAYER Hans ; SA
Subject: Re: RE: New type of SPAM aggression
full __HAS_URI /(http|https):///
tflags __HAS_
On Thu, 7 Feb 2019, Rupert Gallagher wrote:
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
Be aware, if the mail has properly-formed HTML and plain-text alternate
versions, that will double-count every URI.
Rupert Gallagher skrev den 2019-02-07 19:37:
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
mixed http and https, real spam
browsers would not like it
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0
On Thu, Feb 7, 2019 at 09:12, MAYER Hans wrote:
>
>
>> … All emails were spam with links. …
>
> We receive such spam mails with a lot of links too.
>
> Is there
> … All emails were spam with links. …
We receive such spam mails with a lot of links too.
Is there a rule which detects a certain amount of links inside an e-mail ?
// Hans
--
From: Rupert Gallagher
Sent: Wednesday, February 6, 2019 12:55 PM
To: SA
Subject: New type of SPAM aggression
On Wed, Feb 6, 2019 at 15:42, RW wrote:
> On Wed, 06 Feb 2019 11:55:07 +
> Rupert Gallagher wrote:
>
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them
>> automatically to an administrative address for manual inspection. Al
Search engines on DNSBLs:
multiRBL.valli.org
www.rbls.org
On Wed, Feb 6, 2019 at 15:19, Tom Hendrikx wrote:
> Hi,
>
> Anyone can start a DNSBL and list IP space of people they don't like, as
> you surely know. As long as no one uses such a DNSBL to block traffic,
> no harm is done.
>
> The inte
Not the first time I’ve heard of gremlin.ru – found this from a mirror of their
FAQ:
---8<---
A: Surely, you have received a bounce message similar to this:
550 Rejected: 192.168.62.14 is listed at work.drbl.example.net
This is well enough to investigate, who (and ever why) had listed your host.
On Wed, 06 Feb 2019 11:55:07 +
Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them
> automatically to an administrative address for manual inspection. All
> emails were spam with links. From the standpoi
Hi,
Anyone can start a DNSBL and list IP space of people they don't like, as
you surely know. As long as no one uses such a DNSBL to block traffic,
no harm is done.
The interesting part is which "engines" (I guess that you mean antispam
software or antispam saas providers) think that such a
The spammers at gremlin.ru have just created a homepage, with no information on
how to delist an IP.
Their fake dnsbl is listed as genuine in at least two antispam engines.
On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher wrote:
> This is to inform about a new type of SPAM aggression.
>
> We rec
On Thu, 2009-07-02 at 09:33 +0200, Matus UHLAR - fantomas wrote:
> > > On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> > > > I'm going to need to disable some of these lists as the MTA has already
> > > > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > > > al
Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 08:20 +0100, rich...@buzzhost.co.uk wrote:
>> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
>>> On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
>
On Thu, 2009-07-02 at 08:20 +0100, rich...@buzzhost.co.uk wrote:
> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> > On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
> > > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > > On 1-Jul-2009, at 06:47, rich...
> > > > On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> > > > >
> > > > > But for the paranoid will changing 50_scores.cf from;
> > > > >
> > > > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > > > score RCVD_IN_SORBS_HTTP 0 0.0
> > On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> > > I'm going to need to disable some of these lists as the MTA has already
> > > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > > already tested. Thanks for pointing that out Benny.
> On Wed, 2009-07-01 a
On Thu, July 2, 2009 06:32, rich...@buzzhost.co.uk wrote:
> Will it result in a nuclear war?
yes, and burn down all Google's servers as well :)
--
xpoint
On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
> > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> > > >
> > > > But for the paranoid will changing
On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
> On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> > >
> > > But for the paranoid will changing 50_scores.cf from;
> > >
> > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> >
On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> >
> > But for the paranoid will changing 50_scores.cf from;
> >
> > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > score RCVD_IN_SORBS_HT
On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
But for the paranoid will changing 50_scores.cf from;
score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 #
On Wed, 2009-07-01 at 19:21 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 19:04, rich...@buzzhost.co.uk wrote:
>
> > You may want to fix that backscatter problem you have too :-)
>
> just stop sending cc to me, then it's fixed
>
My apologies. I figured if I sent it twice you may *READ* it
p
On Wed, July 1, 2009 19:04, rich...@buzzhost.co.uk wrote:
> You may want to fix that backscatter problem you have too :-)
just stop sending cc to me, then it's fixed
--
xpoint
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
>
> > I'm going to need to disable some of these lists as the MTA has
already
> > blocked stuff on them Kind of pointless making repeat lookups for
stuff
> > already tested. Thanks
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
>
> > I'm going to need to disable some of these lists as the MTA has already
> > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > already tested. Thanks
On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> I'm going to need to disable some of these lists as the MTA has already
> blocked stuff on them Kind of pointless making repeat lookups for stuff
> already tested. Thanks for pointing that out Benny.
please do your homework again !, w
On Wed, 2009-07-01 at 14:21 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 1 Jul 2009, rich...@buzzhost.co.uk wrote:
> >> Jul 1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
> >> Oh, and look: dnsbl.sorbs.net
> >> So it seems that the demise of sorbs will add latency if their ser
> On Wed, 1 Jul 2009, rich...@buzzhost.co.uk wrote:
>> Jul 1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
>> Oh, and look: dnsbl.sorbs.net
>> So it seems that the demise of sorbs will add latency if their servers
>> stop answering...
On 01.07.09 08:08, Charles Gregory wrote:
> ..
On Wed, 1 Jul 2009, rich...@buzzhost.co.uk wrote:
Jul 1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
Oh, and look: dnsbl.sorbs.net
So it seems that the demise of sorbs will add latency if their servers
stop answering...
...which leads back to my original question,
Will the dev
On 01.07.09 11:26, rich...@buzzhost.co.uk wrote:
> And there is the argument that anything other than the final IP can
> easily be forged or inserted into the headers rendering a great many
> costly DNS checks. Swings and roundabouts.
if a spammer forges Received: line so the checked ip is in blac
On Wed, 2009-07-01 at 12:00 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> >
> > > Note that rbl checks do not only control the IP you are receiving mail
> > > from,
> > > but also an IP others are receiving mail from. That means, rbl c
rich...@buzzhost.co.uk wrote:
> On Wed, 2009-07-01 at 11:11 +0200, Per Jessen wrote:
>> rich...@buzzhost.co.uk wrote:
>>
>> > I'm guessing there is some way to modify the network checks to it
>> > does not use specific RBL's. I've not studied closely, but I think
>> > today I need to become acqua
On Wed, 2009-07-01 at 11:11 +0200, Per Jessen wrote:
> rich...@buzzhost.co.uk wrote:
>
> > On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> >> On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
> >> > Oh, and look: dnsbl.sorbs.net
> >> >
> >> > So it seems that the demise of sorbs
> On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
>
> > Note that rbl checks do not only control the IP you are receiving mail from,
> > but also an IP others are receiving mail from. That means, rbl checks can
> > help you catch spam others are (unintentionally) forwarding to you
rich...@buzzhost.co.uk wrote:
> On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
>> On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
>> > Oh, and look: dnsbl.sorbs.net
>> >
>> > So it seems that the demise of sorbs will add latency if their
>> > servers stop answering...
>>
>>
>>
rich...@buzzhost.co.uk wrote:
> On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
>
>> Note that rbl checks do not only control the IP you are receiving
>> mail from, but also an IP others are receiving mail from. That means,
>> rbl checks can help you catch spam others are (uninte
Am 2009-07-01 08:26:09, schrieb Benny Pedersen:
>
> On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks 0
> > 0 = off 1 = on
>
> wroung
>
> 0 = use rbl
> 1 = skib rbl test
Both are right...
because the n
On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> Note that rbl checks do not only control the IP you are receiving mail from,
> but also an IP others are receiving mail from. That means, rbl checks can
> help you catch spam others are (unintentionally) forwarding to you.
>
> I
> > On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
> > > Are you saying that ZEN caught it after SA processed it? Why are
> > > you not using ZEN in SA or at the SMTP stage?
> On Tue, 30 Jun 2009 09:10:36 +0200
> Matus UHLAR - fantomas wrote:
> > She apparently does not have control over 69.43.
> > Am 2009-06-30 14:08:33, schrieb John Hardin:
> > > If zen worked to catch the message in procmail, how does it not work on
> > > your MTA? Or did we misinterpret your original post?
> On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> > In Debian, the network related scans are acti
On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
> > Oh, and look: dnsbl.sorbs.net
> >
> > So it seems that the demise of sorbs will add latency if their servers
> > stop answering...
>
>
> See "Update: 25th June 2009 "
>
> http:
On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
> Oh, and look: dnsbl.sorbs.net
So it seems that the demise of sorbs will add latency if their servers
stop answering...
See "Update: 25th June 2009 "
http://www.au.sorbs.net/
On Wed, 2009-07-01 at 08:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks 0
> > 0 = off 1 = on
>
> wroung
>
> 0 = use rbl
> 1 = skib rbl test
>
Indeed I was "WROUNG";
On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> In particular
> # Enable or disable network checks
> skip_rbl_checks 0
> 0 = off 1 = on
wroung
0 = use rbl
1 = skib rbl test
--
xpoint
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not work on
> > your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated an
On Wed, 1 Jul 2009 01:15:56 +0200
Michelle Konzack wrote:
> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not
> > work on your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated and
On Wed, 1 Jul 2009, Michelle Konzack wrote:
Am 2009-06-30 14:08:33, schrieb John Hardin:
If zen worked to catch the message in procmail, how does it not work on
your MTA? Or did we misinterpret your original post?
In Debian, the network related scans are activated and I do not know,
why ZE
Am 2009-06-30 14:08:33, schrieb John Hardin:
> If zen worked to catch the message in procmail, how does it not work on
> your MTA? Or did we misinterpret your original post?
In Debian, the network related scans are activated and I do not know,
why ZEN is never executed. If you know more abo
On Tue, 30 Jun 2009, Michelle Konzack wrote:
Am 2009-06-30 07:06:37, schrieb rich...@buzzhost.co.uk:
Are you saying that ZEN caught it after SA processed it? Why are you
not using ZEN in SA or at the SMTP stage?
Because it does not work...
My Mailserver does tons (the syslog of my DNS server
Am 2009-06-30 07:06:37, schrieb rich...@buzzhost.co.uk:
> Are you saying that ZEN caught it after SA processed it? Why are you
> not
> using ZEN in SA or at the SMTP stage?
Because it does not work...
My Mailserver does tons (the syslog of my DNS server is full of it) of
DNS checks but ZEN does
Am 2009-06-30 04:33:57, schrieb Benny Pedersen:
> what ip ?
[michelle.konz...@michelle1:~] host 224.118.146.174.zen.spamhaus.org
224.118.146.174.zen.spamhaus.org has address 127.0.0.11
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
On Tue, 30 Jun 2009 09:10:36 +0200
Matus UHLAR - fantomas wrote:
> On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
> > Are you saying that ZEN caught it after SA processed it? Why are
> > you not using ZEN in SA or at the SMTP stage?
>
> She apparently does not have control over 69.43.203.202,
> On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> > For some seconds I have gotten this spam, which has passed my spamassassin
> > but was hit by a separated ZEN rule in procmail:
> >
> >
> > Return-Path: soria.h.steven...@gmail.com
> > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separated ZEN rule in procmail:
>
>
> Return-Path: soria.h.steven...@gmail.com
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
>
On Tue, June 30, 2009 00:46, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separated ZEN rule in procmail:
what ip ?
imho ipv6 is still not stable in any sa versions, and this might be your problem
--
xpoint
On Tue, 30 Jun 2009 00:46:00 +0200
Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my
> spamassassin but was hit by a separated ZEN rule in procmail:
please use a pastebin when pasting things like email headers.
http://en.wikipedia.org/wiki/Pastebin
http://pa
body SRH_DRUG4 /(?:v\s*.\s*i\s*.\s*a\s*.\s*g\s*.\s*r\s*.\s*a|c\s*.\s*i\s*.\s*a\s*.\s*l\s*.\s*i\s*.\s*s|v\s*.\s*a\s*.\s*l\s*.\s*i\s*.\s*u\s*.\s*m)/i
That is what I am using, and it is finding them.
Probably not the most efficient rule, but it gets the job done.
Beware that your or my MUA may hav
> How can I deal with these. I have SA 2.61 and bayes is not helping at
If you can move to a newer version of SA it would help a lot. Spam changes
with time, and 2.61 is REALLY old to be catching spam these days.
Loren
These were posted on the SARE-USERS list by Warren Sallade. They should help you catch some of this.
rawbody __EWG_BAD34 />\s{0,3}V\s{0,3}
rawbody __EWG_BAD35 />\s{0,3}I\s{0,3}
rawbody __EWG_BAD36 />\s{0,3}A\s{0,3}
rawbody __EWG_BAD37 />\s{0,3}G\s{0,3}
rawbody __EWG_BAD38 />\s{0,3}R
Payal Rathod a écrit :
>
> How can I deal with these. I have SA 2.61 and bayes is not helping at
> all with headers like,
> 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56% [score: 0.5560]
>
> Can someone suggest a solution for this?
> With warm regards,
> -Payal
>
>
from the header
On 2/15/2006 6:39 PM +0100, Payal Rathod wrote:
Hi,
I am getting a lot of new spam since yesterday with subject "Re: news".
The body of the mail contains junk like,
[snip]
Can someone suggest a solution for this?
With warm regards,
-Payal
Upgrading SA would help a lot!
Regards,
Niek
In an older episode (Friday, 30. September 2005 22:52), wolfgang wrote:
> In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
>
> > Attached is a subset of some porn rules I've been working on. They're
> > experimental, but they seem to work pretty well with fairly low FP ra
wolfgang wrote:
In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
Attached is a subset of some porn rules I've been working on. They're
experimental, but they seem to work pretty well with fairly low FP rate.
They might have some FP cases I haven't noticed yet, so be c
In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
> Attached is a subset of some porn rules I've been working on. They're
> experimental, but they seem to work pretty well with fairly low FP rate.
>
> They might have some FP cases I haven't noticed yet, so be careful with
Raymond Dijkxhoorn wrote:
> Hi!
>
> You could try:
>
> http://www.rulesemporium.com/rules/70_sare_specific.cf
1) I do use that ruleset, it helps a little, but not that much.
>
> Caches a lot of the ph*rm spams out there.
2) ph*rm spams aren't the problem. It's porn, not pills we are talking
Hi!
|are you using URIBL checks in SA?
Combine this with some SARE rules and you will see not much coming in.
I use URIBL's and many SARE rules, including SARE's adult rules, and a lot of
this latest wave got missed.
Attached is a subset of some porn rules I've been working on. They're
e
Raymond Dijkxhoorn wrote:
> Hi!
>
>> Yep, I'm using URIBL lists but not all mails are being caught.
>
>
>> |is listed in the JP SURBL blocklist and in the URIBL blacklist.
>> |
>> |are you using URIBL checks in SA?
>
>
> Combine this with some SARE rules and you will see not much coming in.
I
Hi!
Yep, I'm using URIBL lists but not all mails are being caught.
|is listed in the JP SURBL blocklist and in the URIBL blacklist.
|
|are you using URIBL checks in SA?
Combine this with some SARE rules and you will see not much coming in.
;)
Bye,
Raymond.
Yep, I'm using URIBL lists but not all mails are being caught.
|-Original Message-
|From: wolfgang [mailto:[EMAIL PROTECTED]
|Sent: Friday, September 30, 2005 6:32 AM
|To: users@spamassassin.apache.org
|Subject: Re: new type of spam
|
|In an older episode (Friday, 30. September 2005 09
Sorry Loren.
I'll post the headers next time I get one..
|-Original Message-
|From: Loren Wilton [mailto:[EMAIL PROTECTED]
|Sent: Friday, September 30, 2005 6:23 AM
|To: users@spamassassin.apache.org
|Subject: Re: new type of spam
|
|Looks like a variation on what I suspect may be one
In an older episode (Friday, 30. September 2005 09:06), Anton Krall wrote:
> Guys, any way to filter or rules to filter this type of new spam:
xebomehocafi dot info
is listed in the JP SURBL blocklist and in the URIBL blacklist.
are you using URIBL checks in SA?
cheers,
wolfgang
Looks like a variation on what I suspect may be one of Leo's businesses.
I've been lazy and just collecting a handful of the common phrases to write
rules against.
Of course, there is probably good stuff in the headers you didn't show.
Loren
86 matches