Re: SA rule: fortinet attachment removed

2022-09-27 Thread Matus UHLAR - fantomas
On 27.09.22 07:56, Kevin A. McGrail wrote: I use upstream filtering all the time to add points with SA but I typically do it with headers.  Does Fortinet add any headers? it does for spam detection, not when it removed suspicious attachments. Especially depending on the size of emails, the at

Re: SA rule: fortinet attachment removed

2022-09-27 Thread Kevin A. McGrail
Hi matus, I use upstream filtering all the time to add points with SA but I typically do it with headers.  Does Fortinet add any headers? Especially depending on the size of emails, the attachment parsing plugins like OCR you might have, etc. your rule could get pretty heavy in terms of par

Re: SA Rule Tester/Checker

2015-07-18 Thread am
On 2015-07-18 04:54, Martin Gregorie wrote: There are lots of possibilities. I test using a big (and growing) spam collection, which I keep so I can regression test my current rule set. That's quite crude: if everything in the collection is recognised as spam, nothing gets flagged up during the t

Re: SA Rule Tester/Checker

2015-07-18 Thread Martin Gregorie
> Do you test on a production server, other (test) server, or local > mbox with Mutt as your client? > There are lots of possibilities. I test using a big (and growing) spam collection, which I keep so I can regression test my current rule set. That's quite crude: if everything in the collection

Re: SA Rule Tester/Checker

2015-07-17 Thread am
On 2015-07-17 16:49, Kevin A. McGrail wrote: We use maildir most of the time on our servers. Is that a problem or are you referring to a mbox file on a client machine? I never ran spamassassin on a client before. Sorry, just trying to understand your test environment. I usually am working a

Re: SA Rule Tester/Checker

2015-07-17 Thread Kevin A. McGrail
On 7/17/2015 5:39 PM, a...@satester.com wrote: On 2015-07-17 09:27, Kevin A. McGrail wrote: On 7/16/2015 8:00 PM, Allen Marsalis wrote: Can you elaborate on the macros any? Sure. Mutt is a very powerful little mail client and it's perfect for me for analysis of mbox files. We use maildir

Re: SA Rule Tester/Checker

2015-07-17 Thread am
On 2015-07-17 09:27, Kevin A. McGrail wrote: On 7/16/2015 8:00 PM, Allen Marsalis wrote: Can you elaborate on the macros any? Sure. Mutt is a very powerful little mail client and it's perfect for me for analysis of mbox files. We use maildir most of the time on our servers. Is that a probl

Re: SA Rule Tester/Checker

2015-07-17 Thread Kevin A. McGrail
On 7/16/2015 8:00 PM, a...@satester.com wrote: Can you elaborate on the macros any? Sure. Mutt is a very powerful little mail client and it's perfect for me for analysis of mbox files. Creating a .muttrc file, you can add some macros like ctrl-y (why is this hitting KAM ;-) ): macro index

Re: SA Rule Tester/Checker

2015-07-16 Thread am
On 2015-07-16 04:53, Kevin A. McGrail wrote: You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect. I also use mutt and a few macros such as one that run sp

Re: SA Rule Tester/Checker

2015-07-16 Thread am
On 2015-07-16 07:32, Axb wrote: header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i header __KAM_MULTIPLE_FROM From =~ /^./ I think I get the first one (if anything exists in X-No-Relay) but I'll have to look deeper to understand why you would trigger on any From address. Anyway I'm having fun,

Re: SA Rule Tester/Checker

2015-07-16 Thread Kevin A. McGrail
On 7/16/2015 8:28 AM, a...@satester.com wrote: On 2015-07-16 04:53, Kevin A. McGrail wrote: You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect. I also u

Re: SA Rule Tester/Checker

2015-07-16 Thread Axb
On 16.07.2015 14:28, a...@satester.com wrote: On 2015-07-16 04:53, Kevin A. McGrail wrote: You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect. I also us

Re: SA Rule Tester/Checker

2015-07-16 Thread am
On 2015-07-16 04:53, Kevin A. McGrail wrote: You might find the regression_tests.cf in the trunk rules/ dir interesting. It's a way of giving strings you want to hit/not-hit on rules and see if it properly hits/doesn't hit as you expect. I also use mutt and a few macros such as one that run sp

Re: SA Rule Tester/Checker

2015-07-16 Thread Kevin A. McGrail
On 7/15/2015 6:41 PM, a...@satester.com wrote: I started writing SA rules about a year ago. Although I am new to this list, I have been lurking for quite a while. I would like to thank Kevin McGrail and others for providing rules and tips that inspires me to write my own custom rules. Today I

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Jose Borges Ferreira
According to this https://twitter.com/spamhaus/status/545139926191575040 , 2 days ago Spamhaus DBL had an issue and flagged all .net . Perhaps it's related somehow. José Borges Ferreira On Fri, Dec 19, 2014 at 10:55 AM, Dharma Monie wrote: > > Anyone experienced SA rule URIBL (spammhaus/local.cf

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread RW
On Fri, 19 Dec 2014 14:12:47 +0100 Matus UHLAR - fantomas wrote: > >On 12/19/2014 12:28 PM, Dharma Monie wrote: > >>The rule is shipped with SA by default, > >>regarding if it's enabled by default - checking against that exact > >>uribl - I'm afraid I can't provide you with a satisfying answer >

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Matus UHLAR - fantomas
On 12/19/2014 12:28 PM, Dharma Monie wrote: The rule is shipped with SA by default, regarding if it’s enabled by default - checking against that exact uribl - I’m afraid I can’t provide you with a satisfying answer there, as I was not the initial admin configuring “this” file. On 19.12.14 12

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Axb
On 12/19/2014 12:28 PM, Dharma Monie wrote: Good question there. The rule is shipped with SA by default, regarding if it’s enabled by default - checking against that exact uribl - I’m afraid I can’t provide you with a satisfying answer there, as I was not the initial admin configuring “this”

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Dharma Monie
Good question there. The rule is shipped with SA by default, regarding if it’s enabled by default - checking against that exact uribl - I’m afraid I can’t provide you with a satisfying answer there, as I was not the initial admin configuring “this” file. Other than that, this check has been a

Re: SA rule - URIBL_SBL-XBL scores false positive?

2014-12-19 Thread Axb
On 12/19/2014 11:55 AM, Dharma Monie wrote: Anyone experienced SA rule URIBL (spammhaus/local.cf) score false positive? —> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL') <— All of a sudden, it scores 40-5

Re: SA rule to detect prior SA pass?

2014-06-29 Thread Matus UHLAR - fantomas
On 28. jun. 2014 22.46.48 CEST, RW wrote: remove_header clear_headers and add_header control the new headers that are added at the end of the scan. The preexisting X-Spam-* headers are all stripped before the header tests begin. On 29.06.14 04:11, Benny Pedersen wrote: this potently breaks dk

Re: SA rule to detect prior SA pass?

2014-06-28 Thread Benny Pedersen
On 28. jun. 2014 22.46.48 CEST, RW wrote: > remove_header clear_headers and add_header control the new headers >that are added at the end of the scan. The preexisting X-Spam-* headers > are all stripped before the header tests begin. this potently breaks dkim signed mails if this headers is dkim

Re: SA rule to detect prior SA pass?

2014-06-28 Thread RW
On Sat, 28 Jun 2014 15:30:44 +0200 Axb wrote: > On 06/28/2014 03:21 PM, RW wrote: > > I don't see how that helps. It allows you to customize the headers > > written by SA, but it doesn't stop it stripping all the pre-existing > > X-Spam-* headers. > > > > remove_header ham > > and only leave th

Re: SA rule to detect prior SA pass?

2014-06-28 Thread Dave Funk
On Sat, 28 Jun 2014, RW wrote: On Fri, 27 Jun 2014 20:43:19 -0500 (CDT) David B Funk wrote: Looking at my mail streams I see evidence that spammers sometimes add faked "SpamAssassin" headers to their messages (I assume to try to trick recipients into thinking that the message has already been

Re: SA rule to detect prior SA pass?

2014-06-28 Thread Axb
On 06/28/2014 03:21 PM, RW wrote: On Sat, 28 Jun 2014 15:05:00 +0200 Axb wrote: On 06/28/2014 03:43 AM, David B Funk wrote: Checking the SA source I found in PerMsgStatus.pm a line of code: $self->{msg}->delete_header('X-Spam-.*'); that ran before any tests. So looking for SA headers ins

Re: SA rule to detect prior SA pass?

2014-06-28 Thread RW
On Sat, 28 Jun 2014 15:05:00 +0200 Axb wrote: > On 06/28/2014 03:43 AM, David B Funk wrote: > > Checking the SA source I found in PerMsgStatus.pm a line of code: > >$self->{msg}->delete_header('X-Spam-.*'); > > that ran before any tests. So looking for SA headers inside of SA > > is pointless

Re: SA rule to detect prior SA pass?

2014-06-28 Thread Axb
On 06/28/2014 03:43 AM, David B Funk wrote: Looking at my mail streams I see evidence that spammers sometimes add faked "SpamAssassin" headers to their messages (I assume to try to trick recipients into thinking that the message has already been given a clean bill-of-health). I wrote a few test

Re: SA rule to detect prior SA pass?

2014-06-28 Thread RW
On Fri, 27 Jun 2014 20:43:19 -0500 (CDT) David B Funk wrote: > Looking at my mail streams I see evidence that spammers sometimes > add faked "SpamAssassin" headers to their messages (I assume to try > to trick recipients into thinking that the message has already been > given a clean bill-of-healt

Re: SA rule to detect prior SA pass?

2014-06-27 Thread Jari Fredriksson
28.06.2014 05:47, Jari Fredriksson wrote: > 28.06.2014 04:43, David B Funk wrote: >> Looking at my mail streams I see evidence that spammers sometimes >> add faked "SpamAssassin" headers to their messages (I assume to try >> to trick recipients into thinking that the message has already bee

Re: SA rule to detect prior SA pass?

2014-06-27 Thread Jari Fredriksson
28.06.2014 04:43, David B Funk wrote: > Looking at my mail streams I see evidence that spammers sometimes > add faked "SpamAssassin" headers to their messages (I assume to try > to trick recipients into thinking that the message has already been > given a clean bill-of-health). > > I wrote a fe

Re: SA Rule help question

2009-10-30 Thread John Hardin
On Fri, 30 Oct 2009, Rose, Bobby wrote: Does anyone know how a rule can be written to compare two header markers for similar info? Take a look at MAILER_EQ_ORG here: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?view=log -- John Hardin KA7OHZ

Re: [SA] Rule and Rule

2009-10-13 Thread Adam Katz
Mark Martinec wrote: > Adam, > > Btw, channels only provide the khop-sc-neighbors.sa.khopesh.com for > SA 3.3.0, but not the khop-bl.sa.khopesh.com, > khop-blessed.sa.khopesh.com, and khop-general.sa.khopesh.com . First: It's awesome to see interest in my channels! Second: you are correct. I

Re: [SA] Rule and Rule

2009-10-13 Thread Mark Martinec
Adam, > That example may have been overly simplistic, but I thought it conveyed > the idea. To see a real-world example, see KHOP_DNSBL_ADJ in > http://khopesh.com/sa/khop-bl/khop-bl.cf (though please use the actual > channel if you're going to use my rules, otherwise you won't get updates). Btw

Re: [SA] Rule and Rule

2009-10-11 Thread Adam Katz
Karsten Bräckelmann wrote: >> Here's my workaround. It involves some redundancy, but it does the trick: > > After some brief moment of head scratching... > > The "workaround" basically is just weighting sub-rules in the meta, and > works regardless if it is meant to be the individual sub-rules'

Re: Sa rule broken, fix with bugzilla id5750 RE: question on reverse DNS

2007-12-29 Thread Leonardo Rodrigues Magalhães
Michael Scheidell wrote: -Original Message- From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED] Sent: Saturday, December 29, 2007 8:02 AM To: spamassassin ML Subject: question on reverse DNS I would like to give some score for messages that came from IP addresses tha

Re: SA rule for userid in subject?

2007-08-12 Thread Loren Wilton
I was wondering how to modify Loren's rule for the following type of emails which I have been getting a lot of: In the subject I get: "some word[s]-userid" or "some word[s]-some word[s]-userid" You aren't too specific about the subject form, and you aren't specific about the To: form. That lea

RE: SA rule for userid in subject?

2007-08-12 Thread jeffsal
I was wondering how to modify Loren's rule for the following type of emails which I have been getting a lot of: In the subject I get: "some word[s]-userid" or "some word[s]-some word[s]-userid" > > > > Loren answered that a month ago. Is in the archives. You may use: > > > > header RULE_NAME AL

Re: SA Rule based on checks

2007-08-01 Thread Theo Van Dinter
On Wed, Aug 01, 2007 at 12:15:55PM -0400, Rose, Bobby wrote: > Is it possible to have a rule that looks at the SA checks already > performed and score based off that. For example, I'm thinking about a > rule that offsets a negative Bayes/CRM114 value if DCC and RAZOR or some > other rules checks h

Re: SA Rule

2006-12-04 Thread Sven Schuster
Hi, On Wed, Nov 29, 2006 at 04:46:32PM -0800, John D. Hardin told us: > On Wed, 29 Nov 2006, Loren Wilton wrote: > > > for mangled viagra and other stuff ..is there any simple rule?? > > > such as following text... > > > > Mangled rules are never simple rules. > > I have a perl script that will t

Re: SA Rule

2006-11-29 Thread John D. Hardin
On Wed, 29 Nov 2006, Loren Wilton wrote: > > for mangled viagra and other stuff ..is there any simple rule?? > > such as following text... > > Mangled rules are never simple rules. I have a perl script that will take a word list and generate REs for obfuscated versions of those words. http://w

Re: SA Rule

2006-11-29 Thread Loren Wilton
for mangled viagra and other stuff ..is there any simple rule?? such as following text... Mangled rules are never simple rules. The SARE rules contain a lot of these, as does the antidrug stuff in SA itself. It may be that these specific cases aren't caught though. Loren

Re: SA rule question / suggestion

2006-03-16 Thread Theo Van Dinter
On Thu, Mar 16, 2006 at 09:28:11PM -0500, Barry Callahan wrote: > >58.171 62.4003 34.8556 0.642 0.82 0.01 T_RECEIVED_COUNT_01 > >I did up a quick check to gather some stats from my corpus (last 14 days). > Interesting. I don't seem to have that rule. Which ruleset is it in? > I used gre

Re: SA rule question / suggestion

2006-03-16 Thread Barry Callahan
Theo Van Dinter wrote: BTW, it seems weird to me that you see these results. 58.171 62.4003 34.8556 0.642 0.82 0.01 T_RECEIVED_COUNT_01 Interesting. I don't seem to have that rule. Which ruleset is it in? I used grep to search for "RECEIVED_COUNT" in all of my installed rules

Re: SA rule question / suggestion

2006-03-16 Thread Theo Van Dinter
Barry Callahan: > On a large percentage of the SPAM that gets through, the only > Received: header that exists was put there by my mailserver. BTW, it seems weird to me that you see these results. 58.171 62.4003 34.8556 0.642 0.82 0.01 T_RECEIVED_COUNT_01 I did up a quick check to ga

Re: SA rule question / suggestion

2006-03-16 Thread Daryl C. W. O'Shea
On 3/16/2006 5:49 PM, [EMAIL PROTECTED] wrote: Barry Callahan wrote: On a large percentage of the SPAM that gets through, the only Received: header that exists was put there by my mailserver. The legitimate email, on the other hand ALL has at least one additional Received: header, OR the machi

RE: SA rule question / suggestion

2006-03-16 Thread Matthew.van.Eerde
Barry Callahan wrote: > On a large percentage of the SPAM that gets through, the only > Received: header that exists was put there by my mailserver. > > The legitimate email, on the other hand ALL has at least one > additional Received: header, OR the machine it was received from is > allowed to

Re: SA rule question / suggestion

2006-03-16 Thread Theo Van Dinter
On Thu, Mar 16, 2006 at 05:15:58PM -0500, Barry Callahan wrote: > I spent some time looking at the SPAM and compared it to the > legitimate email I receive. :) > So, I was wondering if the following set of logic would be possible to > implement in SpamAssassin, either as a collection of rule

Re: SA rule question / suggestion

2006-03-16 Thread Matt Kettler
Barry Callahan wrote: > I'm running SpamAssassin 3.1.0 with sendmail, and I think it's great. > I'm using milter-spamc to interface with SpamAssassin running as a daemon. > > It doesn't /quite/ catch everything, and some (very little, actually) > SPAM gets through untagged. > > I spent some time

Re: SA rule for userid in subject?

2006-03-13 Thread Jonathan Engbrecht
Original message- From: Matt Kettler [mailto:[EMAIL PROTECTED]] Sent: Friday, March 10, 2006 21:57 To: Ruben Cardenal CC: users@spamassassin.apache.org Subject: Re: SA rule for userid in subject? Ruben Cardenal wrote: Hi, Loren answered that a month ago. Is in the

RE: SA rule for userid in subject?

2006-03-10 Thread Ruben Cardenal
[EMAIL PROTECTED] > Sent: Friday, March 10, 2006 21:57 > To: Ruben Cardenal > CC: users@spamassassin.apache.org > Subject: Re: SA rule for userid in subject? > > Ruben Cardenal wrote: > > Hi, > > > > Loren answered that a month ago. Is in the archives

Re: SA rule for userid in subject?

2006-03-10 Thread Matt Kettler
Ruben Cardenal wrote: > Hi, > > Loren answered that a month ago. Is in the archives. You may use: > > header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: > .{0,30}\s*\1\b/i > > That covers "Fw: userid" and "Fw: (some word[s]) userid". > True, but that's using () and \1, w

Re: SA rule for userid in subject?

2006-03-10 Thread Theo Van Dinter
On Fri, Mar 10, 2006 at 02:59:09PM -0500, Jonathan Engbrecht wrote: > I'm seeing a lot of image-only spam of the following form: > > rcpt to: @domain.com > Subject: Fw: Yeah, there's a lot of that. > Is there a way to create a simple spamassassin rule that will hit on > this? I could use ()

RE: SA rule for userid in subject?

2006-03-10 Thread Ruben Cardenal
att Kettler [mailto:[EMAIL PROTECTED] > Sent: Friday, March 10, 2006 21:17 > To: Jonathan Engbrecht > CC: users@spamassassin.apache.org > Subject: Re: SA rule for userid in subject? > > Jonathan Engbrecht wrote: > > hello assassin-types, > > > > I'm

Re: SA rule for userid in subject?

2006-03-10 Thread Matt Kettler
Jonathan Engbrecht wrote: > hello assassin-types, > > I'm seeing a lot of image-only spam of the following form: > > rcpt to: @domain.com > Subject: Fw: > > Is there a way to create a simple spamassassin rule that will hit on > this? I could use () and \1 in regular expressions and a giant,

RE: SA Rule - Matching on "From" AND "Subject"

2005-03-03 Thread Steve Dimoff
Perfect! Thanks!!! -Original Message- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: Thursday, March 03, 2005 2:10 PM To: Steve Dimoff; Spamassassin-Users ([EMAIL PROTECTED]) Subject: Re: SA Rule - Matching on "From" AND "Subject" At 01:52 PM 3/3/2005

Re: SA Rule - Matching on "From" AND "Subject"

2005-03-03 Thread Matt Kettler
At 01:52 PM 3/3/2005, Steve Dimoff wrote: I'm running SA 2.63, and I have a rule I would like to create that would only be a positive number/match if two checks both were matched. I don't want one rule checking "To" and another checking "Subject", I want to combine to the two rules so that

Re: SA Rule - Matching on "From" AND "Subject"

2005-03-03 Thread Theo Van Dinter
On Thu, Mar 03, 2005 at 01:52:53PM -0500, Steve Dimoff wrote: > I don't want one rule checking "To" and another checking "Subject", I want > to combine to the two rules so that if "To" and "Subject" both match > something then to give it a positive score. RTFM for "meta" rules. :) -- Randomly Ge