Re: rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Loren Wilton
Just off the top of my head: rawbody ONEDRIVE_DOWNLOAD m'https://onedrive\.live\.com/download[?]cid=' score ONEDRIVE_DOWNLOAD 0.5 describe ONEDRIVE_DOWNLOAD Download link to a file on Onedrive Personally I'd be inclined to put an i on the end of that. body FILE_PWD

Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread John Hardin
On Fri, 26 Feb 2021, RW wrote: It's also possible to tighten the range down to {32,33} or even {33} without losing many matches: $ for n in `jot 12 25` ; do printf "$n" ; < bitcoinlist egrep "^[13].{${n}}$" | wc -l ; done 25 0 26 0 27 0 28 0 29 3 30 1

Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread RW
On Thu, 25 Feb 2021 12:13:59 -0500 Alan wrote: > Bitcoin addresses start with either 1 or 3. Most do, but around 13% of those reported to the bitcoin abuse database are in the format starting with "bc". > It's less general specifically to avoid FPs. Personally I'm weighting > this pretty high

Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread Alan
On 2021-02-25 10:54, John Hardin wrote: On Thu, 25 Feb 2021, RW wrote: On Wed, 24 Feb 2021 18:37:42 -0800 (PST) John Hardin wrote: On Wed, 24 Feb 2021, Alan wrote: After a little more research, a better regex for an obfuscated BTC address is /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a

Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread John Hardin
On Thu, 25 Feb 2021, RW wrote: On Wed, 24 Feb 2021 18:37:42 -0800 (PST) John Hardin wrote: On Wed, 24 Feb 2021, Alan wrote: After a little more research, a better regex for an obfuscated BTC address is /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/ It might be worth addi

Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread RW
On Wed, 24 Feb 2021 18:37:42 -0800 (PST) John Hardin wrote: > On Wed, 24 Feb 2021, Alan wrote: > > > After a little more research, a better regex for an obfuscated BTC > > address is > > > > /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/ > > > > It might be worth adding = and _

Re: Rules for a recent flood of BTC/webcam spam

2021-02-24 Thread John Hardin
On Wed, 24 Feb 2021, Alan wrote: After a little more research, a better regex for an obfuscated BTC address is /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/ It might be worth adding = and _ to the obfuscating delimiters. YMMV. I've updated __BITCOIN_ID with -, = and _ obf

Re: Rules for a recent flood of BTC/webcam spam

2021-02-24 Thread John Hardin
On Wed, 24 Feb 2021, Alan wrote: I've seen a recent flood of "I hacked your camera and caught you doing stuff" emails. I doubt they'll continue for a long time, but I made some rules to target them. Find them here https://pastebin.com/B5Q6emBU There are already rules for that sort of thing in

Re: Rules for a recent flood of BTC/webcam spam

2021-02-24 Thread Alan
On 2021-02-24 17:52, I wrote: I've seen a recent flood of "I hacked your camera and caught you doing stuff" emails. I doubt they'll continue for a long time, but I made some rules to target them. Find them here https://pastebin.com/B5Q6emBU -- For SpamAssassin Users List After a little more re

Re: Rules order to save processing time

2020-02-19 Thread Henrik K
On Wed, Feb 19, 2020 at 08:38:15AM +, Pedro David Marco wrote: > I have a very heavy regex rules set that only make sense if a very simple > regex > triggers... > > i think it would be a good idea to have some kind of TFLAG, for example: > > tflagsdepends_on > > to indicate that a r

Re: Rules for invisible div and 0pt font?

2019-06-26 Thread Amir Caspi
On Jun 18, 2019, at 2:21 AM, Giovanni Bechis wrote: > >> rawbody AC_HIDDEN_FONT /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/ >> > There is T_HIDDEN_WORD on my sandbox > (https://ruleqa.spamassassin.org/20190617-r1861495-n/T_HIDDEN_WORD/detail) > I have just committed a more generic version.

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Paul Stead
Just going from http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_html.cf?revision=1861560

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread John Hardin
On Tue, 18 Jun 2019, Paul Stead wrote: On Tue, 18 Jun 2019 at 19:14, John Hardin wrote: On Tue, 18 Jun 2019, Giovanni Bechis wrote: On 6/17/19 9:14 PM, Amir Caspi wrote: There is a div here with display:none, as well as font-size:0px. The spample hits HTML_FONT_LOW_CONTRAST but does not

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Paul Stead
On Tue, 18 Jun 2019 at 20:23, Paul Stead wrote: > Also rename from T_ otherwise it will be skipped. If you drop the T_ and > omit the publish it will let QA decide if performance is good enough :) > Although not looking so good today - https://ruleqa.spamassassin.org/20190618-r1861562-n/T_HIDDEN

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Paul Stead
On Tue, 18 Jun 2019 at 19:14, John Hardin wrote: > On Tue, 18 Jun 2019, Giovanni Bechis wrote: > > > On 6/17/19 9:14 PM, Amir Caspi wrote: > >> There is a div here with display:none, as well as font-size:0px. The > spample hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule > relatin

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread John Hardin
On Tue, 18 Jun 2019, Giovanni Bechis wrote: On 6/17/19 9:14 PM, Amir Caspi wrote: There is a div here with display:none, as well as font-size:0px. The spample hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule relating to a hidden div or tiny font. There is T_HIDDEN_WORD on my

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Amir Caspi
On Jun 18, 2019, at 10:55 AM, Bill Cole wrote: > > Looking at the 2 most recent (a USPS "Informed Delivery Daily Digest" message > and Office Depot order followup) I see display:none only in inline style > attributes of block elements. e.g.: Looks like the first one is a web bug. The secon

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Bill Cole
On 18 Jun 2019, at 10:52, Amir Caspi wrote: Are the matches all within @media blocks like lbutlr suggested or do they occur inline within div/span/etc as well? Looking at the 2 most recent (a USPS "Informed Delivery Daily Digest" message and Office Depot order followup) I see display:none onl

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Amir Caspi
Are the matches all within @media blocks like lbutlr suggested or do they occur inline within div/span/etc as well? Thanks! --- Amir thumbed via iPhone > On Jun 18, 2019, at 8:42 AM, Bill Cole > wrote: > >> On 17 Jun 2019, at 15:25, @lbutlr wrote: >> >>> On Jun 17, 2019, at 1:14 PM, Amir Ca

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Bill Cole
On 17 Jun 2019, at 15:25, @lbutlr wrote: On Jun 17, 2019, at 1:14 PM, Amir Caspi wrote: rawbody AC_HIDDEN_ELEMENT /display\s*:\s*none\s*;/ Since display:none is a pretty common method for showing and hiding elements depending on things like screen size, I would guess this is going to

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Dan Malm
On 2019-06-17 21:26, Amir Caspi wrote: > On Jun 17, 2019, at 1:14 PM, Amir Caspi > wrote: >> >> rawbody AC_HIDDEN_FONT /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/ >> > > Actually, based on another spample (https://pastebin.com/rrU2AsVT), > let's modify this one -- the em/pt/px

Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Giovanni Bechis
On 6/17/19 9:14 PM, Amir Caspi wrote: > Hi all, > > In reviewing today's FNs I came across the following spample: > https://pastebin.com/9QQVwUY6 > > There is a div here with display:none, as well as font-size:0px. The spample > hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule re

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread Amir Caspi
On Jun 17, 2019, at 2:17 PM, Amir Caspi wrote: > > rawbody AC_MEDIA_DISPLAYNONE > /@media[^{]*{[^}]*display\s*:\s*none\s*;/i > Well, urgh, this particular rule wouldn't work well since it wouldn't capture classes within the @media block. But something LIKE it. --- Amir

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread Amir Caspi
On Jun 17, 2019, at 1:45 PM, @lbutlr wrote: > > Would only be active if the width of the window is 900px or less. That can > include setting a display property to hidden or not. One way of working around that, then, would be to ensure this is only within a div/span tag... Maybe something like

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread @lbutlr
On Jun 17, 2019, at 1:30 PM, Amir Caspi wrote: > Wouldn't that only be true for dynamic content that can actually evaluate the > screensize, and hence would require javascript? Or is there a way of doing > this with static email content? (I'm very well versed in HTML for web > browsers, but n

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread Amir Caspi
On Jun 17, 2019, at 1:18 PM, Antony Stone wrote: > > If this feature *is* used for screenreaders, you could be creating a false > positive trap here... You may well be right, hence the request to sandbox and see how it compares against masscheck. On Jun 17, 2019, at 1:25 PM, @lbutlr wrote:

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread Amir Caspi
On Jun 17, 2019, at 1:14 PM, Amir Caspi wrote: > > rawbody AC_HIDDEN_FONT /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/ > Actually, based on another spample (https://pastebin.com/rrU2AsVT ), let's modify this one -- the em/pt/px/% isn't required: rawbody AC_H

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread @lbutlr
On Jun 17, 2019, at 1:14 PM, Amir Caspi wrote: > rawbody AC_HIDDEN_ELEMENT /display\s*:\s*none\s*;/ Since display:none is a pretty common method for showing and hiding elements depending on things like screen size, I would guess this is going to hit mostly ham. -- It was easy to b

Re: Rules for invisible div and 0pt font?

2019-06-17 Thread Antony Stone
On Monday 17 June 2019 at 21:14:36, Amir Caspi wrote: > Hi all, > > In reviewing today's FNs I came across the following spample: > https://pastebin.com/9QQVwUY6 > > There is a div here with display:none, as well as font-size:0px. The > spample hits HTML_FONT_LOW_CONTRAST but does not appear to

Re: Rules Update was produced

2016-06-26 Thread Reindl Harald
Am 26.06.2016 um 21:43 schrieb John Hardin: Just a FYI for everybody: We finally got enough masscheck ham corpus to cross the minimum threshold, a weekly rules update was produced confirmed 02-Jun-2016 00:00:04: SpamAssassin: No update available 03-Jun-2016 00:00:04: SpamAssassin: No update

Re: Rules for norwegian spam

2016-05-14 Thread Jari Fredriksson
John Hardin kirjoitti 12.5.2016 20:34: On Thu, 12 May 2016, Kim Roar Foldøy Hauge wrote: I'd be happy to contribute to the SAMC. I had a look at the wiki and it looks fairly trivial to implement. I already have bayes filtering on spam/ham that is handsorted by me. I'll send them an email.

Re: Rules for norwegian spam

2016-05-12 Thread John Hardin
On Thu, 12 May 2016, Kim Roar Foldøy Hauge wrote: On Thu, 12 May 2016, John Hardin wrote: > 2. Is anyone interested in my current rule set of about 120 rules that > target norwegian spam. One thing to be aware of is publishing rules *can* reduce their effectiveness, as that gives spammer

Re: Rules for norwegian spam

2016-05-12 Thread Kim Roar Foldøy Hauge
On Thu, 12 May 2016, John Hardin wrote: 2. Is anyone interested in my current rule set of about 120 rules that target norwegian spam. One thing to be aware of is publishing rules *can* reduce their effectiveness, as that gives spammers something to test and tune against. They do read this l

Re: Rules for norwegian spam

2016-05-12 Thread John Hardin
On Thu, 12 May 2016, Kim Roar Foldøy Hauge wrote: 2. Is anyone interested in my current rule set of about 120 rules that target norwegian spam. One thing to be aware of is publishing rules *can* reduce their effectiveness, as that gives spammers something to test and tune against. They do rea

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Bowie Bailey
On 2/26/2016 9:53 AM, Reindl Harald wrote: Am 26.02.2016 um 15:44 schrieb Bowie Bailey: On 2/26/2016 9:11 AM, Reindl Harald wrote: Am 26.02.2016 um 15:06 schrieb Bowie Bailey: Restored a backup yesterday to get the 72_active.cf file back. Rule updates from the saupdate run at about midnight

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Reindl Harald
Am 26.02.2016 um 15:44 schrieb Bowie Bailey: On 2/26/2016 9:11 AM, Reindl Harald wrote: Am 26.02.2016 um 15:06 schrieb Bowie Bailey: Restored a backup yesterday to get the 72_active.cf file back. Rule updates from the saupdate run at about midnight updated everything and I don't see any 0-le

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Bowie Bailey
On 2/26/2016 9:11 AM, Reindl Harald wrote: Am 26.02.2016 um 15:06 schrieb Bowie Bailey: Hmmm, well, I guess a big enough problem won't fail lint: bigsky:spamassassin root# ls -l 3.004001/updates_spamassassin_org/72_active.cf -rw-r--r-- 1 root admin 0 Feb 25 04:29 3.004001/updates_spamass

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Reindl Harald
Am 26.02.2016 um 15:06 schrieb Bowie Bailey: Hmmm, well, I guess a big enough problem won't fail lint: bigsky:spamassassin root# ls -l 3.004001/updates_spamassassin_org/72_active.cf -rw-r--r-- 1 root admin 0 Feb 25 04:29 3.004001/updates_spamassassin_org/72_active.cf That's what backups ar

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Bowie Bailey
On 2/25/2016 12:33 PM, Bill Cole wrote: On 25 Feb 2016, at 11:42, John Hardin wrote: On Thu, 25 Feb 2016, Bill Cole wrote: I haven't had much time for analysis of this yet and likely will not today , but last night's update is missing a number of 'describe' lines (e.g. TO_NO_BRKTS_HTML_ONLY,

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-26 Thread Reindl Harald
Am 25.02.2016 um 19:25 schrieb John Hardin: If that's indeed the cause, I'm surprised that masscheck proceeded in the face of a failed lint and that an error in one standalone rule affected a bunch of totally unrelated rules... Hmmm, well, I guess a big enough problem won't fail lint: big

Re: Rules UPDATE version 1732039 IS BROKEN

2016-02-25 Thread John Hardin
On Thu, 25 Feb 2016, Bill Cole wrote: On 25 Feb 2016, at 11:42, John Hardin wrote: On Thu, 25 Feb 2016, Bill Cole wrote: > I haven't had much time for analysis of this yet and likely will not > today , but last night's update is missing a number of 'describe' lines > (e.g. TO_NO_BRKTS_H

Re: Rules updated!

2016-01-31 Thread Jari Fredriksson
John Hardin kirjoitti 31.1.2016 22:12: On Sun, 31 Jan 2016, Jari Fredriksson wrote: John Hardin kirjoitti 31.1.2016 20:19: Hallelujah! We got a weekly masscheck with sufficient corpora to generate a rules update! Thanks to everyone who contributed. hm, not according to ruleqa.spamassassi

Re: Rules updated!

2016-01-31 Thread John Hardin
On Sun, 31 Jan 2016, Jari Fredriksson wrote: John Hardin kirjoitti 31.1.2016 20:19: Hallelujah! We got a weekly masscheck with sufficient corpora to generate a rules update! Thanks to everyone who contributed. hm, not according to ruleqa.spamassassin.org ... I'm now still running the wee

Re: Rules updated!

2016-01-31 Thread Jari Fredriksson
John Hardin kirjoitti 31.1.2016 20:19: Hallelujah! We got a weekly masscheck with sufficient corpora to generate a rules update! Thanks to everyone who contributed. hm, not according to ruleqa.spamassassin.org ... I'm now still running the weekly as a late retry, but dunno it does anything.

Re: Rules Updates

2016-01-30 Thread @lbutlr
On Jan 27, 2016, at 9:18 AM, Björn Keil wrote: > I am using SpamAssassin 3.3.1, installed via the Ubuntu 10.04 An ancient version of SA on a 6 year-old OS? -- A sadder and a wiser man he rose the morrow morn.

Re: Rules Updates

2016-01-27 Thread Reindl Harald
Am 27.01.2016 um 17:18 schrieb Björn Keil: I am using SpamAssassin 3.3.1, installed via the Ubuntu 10.04 package system, and am trying to figure out how it determines which rules to use. It appears my SpamAssassin uses completely outdated rules, including DNS_FROM_AHBL_RHSBL, which queries a l

Re: Rules using WOT

2015-08-07 Thread Kevin A. McGrail
On 8/6/2015 12:38 PM, Benny Pedersen wrote: Kevin A. McGrail skrev den 2015-08-06 16:35: I'll reach out. Perhaps they would consider a free for most model like we have used for RBLs. and another is https://www.trustpilot.com/ Roger that but it will be interesting to see if there is any valu

Re: Rules using WOT

2015-08-06 Thread RW
On Thu, 06 Aug 2015 22:35:54 +0200 Benny Pedersen wrote: > RW skrev den 2015-08-06 21:03: > > > "WOT also uses information from numerous > >trusted sources, such as phishing and malware blacklists, to > > provide the WOT community with real time information." > > > > It looks like the part

Re: Rules using WOT

2015-08-06 Thread Paul Stead
On 06/08/15 15:35, Kevin A. McGrail wrote: The integration would be trivial however, WOT does not provide their data or an API to their data that I'm aware of except for buying it at https://www.mywot.com/en/business https://www.mywot.com/wiki/API API looks open to use, as long as following t

Re: Rules using WOT

2015-08-06 Thread Benny Pedersen
RW skrev den 2015-08-06 21:03: "WOT also uses information from numerous trusted sources, such as phishing and malware blacklists, to provide the WOT community with real time information." It looks like the part of WOT that might be useful for mail filtering comes from third parties. ap

Re: Rules using WOT

2015-08-06 Thread Axb
On 06.08.2015 21:03, RW wrote: On Thu, 6 Aug 2015 10:35:52 -0400 Kevin A. McGrail wrote: On 8/6/2015 8:38 AM, Sujit Acharyya-choudhury wrote: Is there any SA rule which use WOT (Web of Trust)? I find WOT a very valuable tool to find out about the reputation of URL and an integration with SA

Re: Rules using WOT

2015-08-06 Thread RW
On Thu, 6 Aug 2015 10:35:52 -0400 Kevin A. McGrail wrote: > On 8/6/2015 8:38 AM, Sujit Acharyya-choudhury wrote: > > > > Is there any SA rule which use WOT (Web of Trust)? I find WOT a > > very valuable tool to find out about the reputation of URL and an > > integration with SA will be invaluabl

Re: Rules using WOT

2015-08-06 Thread Benny Pedersen
Kevin A. McGrail skrev den 2015-08-06 16:35: I'll reach out. Perhaps they would consider a free for most model like we have used for RBLs. and another is https://www.trustpilot.com/

Re: Rules using WOT

2015-08-06 Thread Benny Pedersen
Sujit Acharyya-choudhury skrev den 2015-08-06 14:38: Is there any SA rule which use WOT (Web of Trust)? I find WOT a very valuable tool to find out about the reputation of URL and an integration with SA will be invaluable. same here, it just sadly not done yet :( i have talked long with develo

Re: Rules using WOT

2015-08-06 Thread Kevin A. McGrail
On 8/6/2015 8:38 AM, Sujit Acharyya-choudhury wrote: Is there any SA rule which use WOT (Web of Trust)? I find WOT a very valuable tool to find out about the reputation of URL and an integration with SA will be invaluable. Regards Sujit Choudhury The integration would be trivial however,

Re: Rules needed...

2015-06-30 Thread Matus UHLAR - fantomas
On 6/29/2015 10:39 AM, Reindl Harald wrote: tell me one reason why should i waste 1-5 seconds for on some days a million blocked mails while i can get rid of them in ms? On 29.06.15 11:00, Ted Mittelstaedt wrote: Because, it's 1-5 seconds. If it was 1-5 minutes then sure. million times 1-5

Re: Rules needed...

2015-06-29 Thread Reindl Harald
Am 29.06.2015 um 20:00 schrieb Ted Mittelstaedt: I have users who sometimes want to receive mail from a system in an RBL. It's their mailbox, they are paying for it. Why should I not let them do it? these are corporate customers getting mail from other corporate customers who are completely cl

Re: Rules needed...

2015-06-29 Thread Ted Mittelstaedt
On 6/29/2015 10:39 AM, Reindl Harald wrote: Am 29.06.2015 um 19:28 schrieb Ted Mittelstaedt: The days of squeezing every last CPU cycle out of something are long gone, Reindl. nonsense I really appreciate that you're bound and determined to keep that 80486 server running but nobody else is

Re: Rules needed...

2015-06-29 Thread Reindl Harald
Am 29.06.2015 um 19:34 schrieb Ted Mittelstaedt: My objection isn't to Postfix. My objection is to assuming that Postfix is the one and only way to do something. If you have an idea on how to block spam I'm all ears - until your idea gets positioned as a Postfix-only solution first. If you c

Re: Rules needed...

2015-06-29 Thread Ted Mittelstaedt
On 6/29/2015 9:48 AM, Charles Sprickman wrote: On Jun 29, 2015, at 12:35 PM, Reindl Harald wrote: Am 29.06.2015 um 18:29 schrieb Ted Mittelstaedt: Of course, Postfix fixes everything from AIDS to global warming, it's the greatest MTA ever invented. for other MTA'S score-bayes RBL handlin

Re: Rules needed...

2015-06-29 Thread Reindl Harald
Am 29.06.2015 um 19:28 schrieb Ted Mittelstaedt: The days of squeezing every last CPU cycle out of something are long gone, Reindl. nonsense I really appreciate that you're bound and determined to keep that 80486 server running but nobody else is doing it anymore. tell me one reason why sho

Re: Rules needed...

2015-06-29 Thread Ted Mittelstaedt
The days of squeezing every last CPU cycle out of something are long gone, Reindl. I really appreciate that you're bound and determined to keep that 80486 server running but nobody else is doing it anymore. Why do you think SA is written in Perl? Of all languages!!! Sure, let's pick the -slowest

Re: Rules needed...

2015-06-29 Thread David Jones
>On Jun 29, 2015, at 12:35 PM, Reindl Harald wrote: >> >> Am 29.06.2015 um 18:29 schrieb Ted Mittelstaedt: >What other free MTA is there that’s in common use? qmail is dead and >buried. Sendmail and Exim are pretty much niche. What exactly is wrong >with Postfix? Nothing. It's very powerful

Re: Rules needed...

2015-06-29 Thread Charles Sprickman
On Jun 29, 2015, at 12:35 PM, Reindl Harald wrote: > > Am 29.06.2015 um 18:29 schrieb Ted Mittelstaedt: >> Of course, Postfix fixes everything from AIDS to global warming, it's >> the greatest MTA ever invented. > > for other MTA'S score-bayes RBL handling on MTA level exists too in form of >

Re: Rules needed...

2015-06-29 Thread Reindl Harald
and here you go, so the next time before you answer with foam in front of your mouth and don't get what "something like Postscreen" means educate yourself! http://blog.schalanda.name/archives/118-Exim-4-and-policyd-weight.html/ Am 29.06.2015 um 18:35 schrieb Reindl Harald: Am 29.06.2015 um 1

Re: Rules needed...

2015-06-29 Thread Reindl Harald
Am 29.06.2015 um 18:29 schrieb Ted Mittelstaedt: Of course, Postfix fixes everything from AIDS to global warming, it's the greatest MTA ever invented. for other MTA'S score-bayes RBL handling on MTA level exists too in form of policy daemons Exactly the kind of thing I would expect from

Re: Rules needed...

2015-06-29 Thread Ted Mittelstaedt
Of course, Postfix fixes everything from AIDS to global warming, it's the greatest MTA ever invented. Exactly the kind of thing I would expect from you. Haven't you worn out that Postfix drum you're banging yet? Ted On 6/27/2015 3:04 AM, Reindl Harald wrote: Am 27.06.2015 um 10:18 schrieb M

Re: Rules needed...

2015-06-28 Thread Matus UHLAR - fantomas
On Friday 26 June 2015 17.40.04 Ted Mittelstaedt wrote: But, putting RBL checks into the MTA is the best way I know to piss off your users since tag-and-forward is not an option on MTA rbl checking. That's why we all do our RBL checks in spamassassin. On 27.06.15 10:18, Martin S wrote: Could y

Re: Rules needed...

2015-06-27 Thread Dave Wreski
Hi, blacklist_from *@*.allisonarctictrips.com spf-pass take responselily Yes, after it's received, there are a ton of things that could be done to block it (including my local RBL). I was hoping for something preventative. Eh? I'm afraid I don't get this at all - greylisting and RBL check

Re: Rules needed...

2015-06-27 Thread Reindl Harald
Am 27.06.2015 um 10:18 schrieb Martin S: On Friday 26 June 2015 17.40.04 Ted Mittelstaedt wrote: But, putting RBL checks into the MTA is the best way I know to piss off your users since tag-and-forward is not an option on MTA rbl checking. That's why we all do our RBL checks in spamassassin.

Re: Rules needed...

2015-06-27 Thread Martin S
On Friday 26 June 2015 17.40.04 Ted Mittelstaedt wrote: > But, putting RBL checks into the MTA is the best way I know to piss off > your users since tag-and-forward is not an option on MTA rbl checking. > That's why we all do our RBL checks in spamassassin. Could you elaborate on this? I'm "new"

Re: Rules needed...

2015-06-26 Thread Ted Mittelstaedt
On 6/26/2015 10:53 AM, Dave Wreski wrote: On 06/26/2015 12:45 PM, Benny Pedersen wrote: Alex Regan skrev den 2015-06-26 18:33: http://pastebin.com/FzUkEvRp blacklist_from *@*.allisonarctictrips.com spf-pass take responselily Yes, after it's received, there are a ton of things that cou

Re: Rules needed...

2015-06-26 Thread Benny Pedersen
On June 26, 2015 8:00:22 PM Dave Wreski wrote: On 06/26/2015 12:45 PM, Benny Pedersen wrote: > Alex Regan skrev den 2015-06-26 18:33: > >> http://pastebin.com/FzUkEvRp > > blacklist_from *@*.allisonarctictrips.com > > spf-pass take responselily Yes, after it's received, there are a ton of th

Re: Rules needed...

2015-06-26 Thread Dave Wreski
On 06/26/2015 12:45 PM, Benny Pedersen wrote: Alex Regan skrev den 2015-06-26 18:33: http://pastebin.com/FzUkEvRp blacklist_from *@*.allisonarctictrips.com spf-pass take responselily Yes, after it's received, there are a ton of things that could be done to block it (including my local R

Re: Rules needed...

2015-06-26 Thread Bill Cole
On 26 Jun 2015, at 12:33, Alex Regan wrote: Hi, I have one system with greylisting enabled and another that hasn't yet been enabled. On the system without it, I'm receiving a ton of random spam that hits bayes99 but pretty much nothing else. http://pastebin.com/FzUkEvRp It all seems to be

Re: Rules needed...

2015-06-26 Thread David Jones
>From: Benny Pedersen Sent: Friday, June 26, 2015 11:45 AM >To: users@spamassassin.apache.org >Subject: Re: Rules needed... >Alex Regan skrev den 2015-06-26 18:33: >> http://pastebin.com/FzUkEvRp >blacklist_from *@*.allisonarctictrips.com >spf-pass take responselily

Re: Rules needed...

2015-06-26 Thread Ted Mittelstaedt
Are you running a centralized Bayes with some honeypot addresses feeding it? A search of your messages log should give you plenty of bogus email addresses that the botnet has been probing for on your system. Pick some of the obvious ones and set them up as feeders to Bayes and that should take

Re: Rules needed...

2015-06-26 Thread Benny Pedersen
Alex Regan skrev den 2015-06-26 18:33: http://pastebin.com/FzUkEvRp blacklist_from *@*.allisonarctictrips.com spf-pass take responselily

Re: Rules not updating

2015-02-08 Thread Axb
On 02/08/2015 02:53 PM, Axb wrote: On 02/08/2015 02:42 PM, Reindl Harald wrote: just read your syslogs [root@localhost:~]$ cat /var/log/sa-update.log not everyone has a sa-update.log or a dog sa-update --checkonly -D will work for everyone AND his dog Sorry: sa-update --checkonly -v

Re: Rules not updating

2015-02-08 Thread Axb
On 02/08/2015 02:42 PM, Reindl Harald wrote: just read your syslogs [root@localhost:~]$ cat /var/log/sa-update.log not everyone has a sa-update.log or a dog sa-update --checkonly -D will work for everyone AND his dog

Re: Rules not updating

2015-02-08 Thread Reindl Harald
Am 08.02.2015 um 14:38 schrieb David Dodell: Thank you … puts my mind at ease … is there someplace on the web that is published the latest rules, so I can assure myself in the future that my installation is not broken. It seems that for months the rules were being updated daily, and kinda su

Re: Rules not updating

2015-02-08 Thread David Dodell
Thank you … puts my mind at ease … is there someplace on the web that is published the latest rules, so I can assure myself in the future that my installation is not broken. It seems that for months the rules were being updated daily, and kinda surprised I haven’t seen anything in over a week.

Re: Rules not updating

2015-02-08 Thread Axb
On 02/07/2015 03:10 PM, David Dodell wrote: My spam assassin has been running fine for months, and then last Saturday started reporting that there were no rule updates ending with version 1655961 From the wiki it looks like the rules are at 1658033. Being very much a novice at this, should I be

Re: Rules Not Updating

2015-02-04 Thread Kevin A. McGrail
Our rules qa is currently corpora starved so we have not published rules since Sunday, I believe. Regards, KAM On February 3, 2015 9:47:41 PM EST, David Dodell wrote: >I have noticed that the last three nights that I have not had any rule >updates, sa-update exits with code 1. > >Any site have

Re: Rules Not Updating

2015-02-03 Thread David B Funk
On Tue, 3 Feb 2015, David Dodell wrote: Thank you … I don't see it that way in my log; I have the following below … I'm assuming that the last three lines coming from updates.spamassasin.org show the version on the update server, and that I'm matching, therefore no update? Also, how come I c

Re: Rules Not Updating

2015-02-03 Thread David Dodell
Thank you … I don't see it that way in my log; I have the following below … I'm assuming that the last three lines coming from updates.spamassasin.org show the version on the update server, and that I'm matching, therefore no update? Also, how come I can't do a DNS lookup of updates.spamassas

Re: Rules Not Updating

2015-02-03 Thread Reindl Harald
Am 04.02.2015 um 03:47 schrieb David Dodell: I have noticed that the last three nights that I have not had any rule updates, sa-update exits with code 1. Any site have information on what the current rule set release is … haven’t had problems for months, usually seeing a new release nightly

Re: Rules for testing

2014-11-15 Thread Axb
On 11/15/2014 11:20 AM, Paul Stead wrote: A few more examples: WP_POMO - http://pastebin.com/ZeEEcPpN LOC_POMO - http://pastebin.com/1zJmXnXD - not hitting very often SUBJECT_REPEAT - http://pastebin.com/Q7ZHgFV8 http://pastebin.com/P1LBzGZ0 -- Paul Stead Systems Engineer Zen Internet If some

Re: Rules for testing

2014-11-15 Thread Paul Stead
A few more examples: WP_POMO - http://pastebin.com/ZeEEcPpN LOC_POMO - http://pastebin.com/1zJmXnXD - not hitting very often SUBJECT_REPEAT - http://pastebin.com/Q7ZHgFV8 http://pastebin.com/P1LBzGZ0 -- Paul Stead Systems Engineer Zen Internet

Re: Rules for testing

2014-11-13 Thread Paul Stead
On 13/11/14 17:07, Paul Stead wrote: FROM_2_EMAILS - inspired by the Khopesh rule of the same name. Matches when the from name contains an email address different to the from address, such as: From: "t...@example.com" 8< header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\

Re: Rules for testing

2014-11-13 Thread Paul Stead
On 13/11/14 18:01, John Hardin wrote: On Thu, 13 Nov 2014, Paul Stead wrote: TO_EQ_FROM_NAME will match headers that look like the following: From: "t...@example.com" To: t...@example.com I'll review that and add it to my sandbox with the other TO_EQ_FROM rules. I've noticed my describe

Re: Rules for testing

2014-11-13 Thread Paul Stead
On 13/11/14 18:01, John Hardin wrote: There's already hacked-wordpress rules in testing. I'll compare to existing and see if this is already covered, can be merged neatly, or would be a variant subrule. The testing sub-rule was mine - this is slightly adjusted. The rules in sandbox for Wordpr

Re: Rules for testing

2014-11-13 Thread Paul Stead
Sending examples for testing: http://pastebin.com/J0R1AYdw - SUBJECT_REPEAT http://pastebin.com/v6BD4m2V - TO_EQ_FROM_NAME / FROM_2_EMAILS http://pastebin.com/pbqUn9qw - FROM_2_EMAILS Paul On 13/11/14 17:55, Paul Stead wrote: I was under the assumption that header matches only match the single

Re: Rules for testing

2014-11-13 Thread Axb
On 11/13/2014 06:55 PM, Paul Stead wrote: I was under the assumption that header matches only match the single line, The subject repeat one: Subject: Re: Hello Re: Hello Wouldn't the second line become the "Re:" header? The same with the From:/To: headers - I'm comparing the two headers - is

Re: Rules for testing

2014-11-13 Thread John Hardin
On Thu, 13 Nov 2014, Paul Stead wrote: I was under the assumption that header matches only match the single line, The subject repeat one: Subject: Re: Hello Re: Hello Wouldn't the second line become the "Re:" header? If the Re: is actually *not* indented, yes. You are correct. The same wi

Re: Rules for testing

2014-11-13 Thread John Hardin
On Thu, 13 Nov 2014, Paul Stead wrote: I've developed a few rules which seem to be hitting well, could I get these into the sandbox? TO_EQ_FROM_NAME will match headers that look like the following: From: "t...@example.com" To: t...@example.com I'll review that and add it to my sandbox with

Re: Rules for testing

2014-11-13 Thread Paul Stead
I was under the assumption that header matches only match the single line, The subject repeat one: Subject: Re: Hello Re: Hello Wouldn't the second line become the "Re:" header? The same with the From:/To: headers - I'm comparing the two headers - is there a better way? Paul On 13/11/14 17:1

Re: Rules for testing

2014-11-13 Thread Axb
On 11/13/2014 06:07 PM, Paul Stead wrote: Hey guys, I've developed a few rules which seem to be hitting well, could I get these into the sandbox? TO_EQ_FROM_NAME will match headers that look like the following: From: "t...@example.com" To: t...@example.com 8< header __PDS_TO_

RE: rules and configuration not running correctly

2014-10-24 Thread David B Funk
Anyone have any ideas?? -Original Message- From: dave Sent: Friday, October 24, 2014 11:51 AM To: users@spamassassin.apache.org >> SA Mailing list Subject: RE: rules and configuration not running correctly (Sorry about the list thing realized after sending) It is launched from amavis --

RE: rules and configuration not running correctly

2014-10-24 Thread dave
Anyone have any ideas?? -Original Message- From: dave Sent: Friday, October 24, 2014 11:51 AM To: users@spamassassin.apache.org >> SA Mailing list Subject: RE: rules and configuration not running correctly (Sorry about the list thing realized after sending) It is launched from
