On Tue, 25 Aug 2015 08:25:30 -0400
Joe Quinn wrote:
> On 8/25/2015 7:51 AM, RW wrote:
> > On Tue, 25 Aug 2015 09:55:57 +0200
> > Tom Hendrikx wrote:
> >
> >
> >> Basically every MUA I know will label the message as a possible
> >> scam when you use the BAD version, which why you actually never
> >
On 8/25/2015 7:51 AM, RW wrote:
On Tue, 25 Aug 2015 09:55:57 +0200
Tom Hendrikx wrote:
Basically every MUA I know will label the message as a possible scam
when you use the BAD version, which why you actually never see it in
non-spam mail, unless the editor was a real noob.
That applies to sp
On Tue, 25 Aug 2015 09:55:57 +0200
Tom Hendrikx wrote:
> Basically every MUA I know will label the message as a possible scam
> when you use the BAD version, which why you actually never see it in
> non-spam mail, unless the editor was a real noob.
That applies to spam too.
Would this really h
On 24-08-15 18:34, Joseph Brennan wrote:
>
> Nick Edwards wrote:
>
>> example
>> the displayed version in mail might be www.example.com, but the actual
>> URI when you highlight or click on it, is foobar.example.net
>
>
> The most common case is that the text shows the real web page, but the
Nick Edwards wrote:
example
the displayed version in mail might be www.example.com, but the actual
URI when you highlight or click on it, is foobar.example.net
The most common case is that the text shows the real web page, but the link
goes to a click counter page that redirects to the rea
On Mon, 24 Aug 2015 13:14:41 +1000
Nick Edwards wrote:
> Hey,
>
> Kind of had enough of regular URIBL's not getting this stuff, so
> wondering has anyone wrote any rules they want to share on/off list to
> match on mismatched URI links,
Are you getting a lot of phishes that still do this?
It u
On August 24, 2015 5:14:53 AM Nick Edwards wrote:
ciao
Agere, create share deploy, thank you
Joseph Brennan <[EMAIL PROTECTED]> writes:
> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/
I created a meta-rule out of these (with a score of 8), and then ran
spamassassin -D < phish to see ho
Micah Anderson wrote:
Joseph Brennan <[EMAIL PROTECTED]> writes:
/Dear .{0,12}(web ?mail|columbia\.edu)/i
/Password.{0,10}\([\s\.\*\_]+\)/
/you must reply to this email/i
Reply-to =~ /[EMAIL PROTECTED]/
I'm new at writing custom rules, so I am trying to figure out the best
way to do this.
Joseph Brennan <[EMAIL PROTECTED]> writes:
> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>
> /Password.{0,10}\([\s\.\*\_]+\)/
>
> /you must reply to this email/i
>
> Reply-to =~ /[EMAIL PROTECTED]/
I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be be
Sahil Tandon <[EMAIL PROTECTED]> writes:
> Joseph Brennan <[EMAIL PROTECTED]> wrote:
>
>>> We get some legitimate email from @live.com users.
>>
>> But they don't set a Reply-to header. That's the test.
>
> But that wasn't his question; he asked whether any legitimate mail flows
> from live.com.
On Mon, November 3, 2008 12:02, Martin Gregorie wrote:
> ^http:.*\.spaces\.live\.com\/$
> in its body but the From: header identifies a completely unrelated
> address. Would a rule that tags messages with this From and URI combo be
> useful or would it generate too many FPs?
http://www.nabble.com
Jeff Chan wrote:
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:
[...]
I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25
Micah Anderson wrote:
* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
Micah Anderson wrote:
reject_rbl_client list.dsbl.org,
DSBL has shut down, and you should remove the query from your list. It
won't help with the phishing, but it'll free up some network resources.
In
Joseph Brennan <[EMAIL PROTECTED]> wrote:
>> We get some legitimate email from @live.com users.
>
> But they don't set a Reply-to header. That's the test.
But that wasn't his question; he asked whether any legitimate mail flows
from live.com. That was my answer. :)
--
Sahil Tandon <[EMAIL PRO
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> > score LOCAL_REPLYTO_LIVE8.0
> >
> > Maybe scoring 8.0 for
Sahil Tandon <[EMAIL PROTECTED]> wrote:
We get some legitimate email from @live.com users.
But they don't set a Reply-to header. That's the test.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Micah Anderson <[EMAIL PROTECTED]> wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
> >> Reply-to: [EMAIL PROTECTED]
> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> > score LOCAL_REPLYTO_LIVE8.0
> >
> > Maybe scoring 8.0 for one thing sca
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:
> On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
>> Joseph Brennan <[EMAIL PROTECTED]> writes:
>
>> > Do you mean attempts to get your users to send their passwords,
>> > or fake mail pretending to be from banks?
>>
>> I mean attempts to g
SM <[EMAIL PROTECTED]> writes:
> At 07:56 01-11-2008, Micah Anderson wrote:
>>Here is an example one I received recently, note the hideously low bayes
>>score on this one, caused it to autolearn as ham even, grr.
>
> [snip]
>
>>X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSW
Joseph Brennan <[EMAIL PROTECTED]> writes:
>> Reply-to: [EMAIL PROTECTED]
>
>
> First pass:
>
> header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
> score LOCAL_REPLYTO_LIVE8.0
>
> Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> fp in a couple of months.
I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Micah Anderson wrote:
[...]
> Report them where exactly?
>
> Here is an example one I received recently, note the hideously low bayes
> score on this one, caused it to autolearn as ham even, grr.
>
>
> From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote:
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
>
> > Anyway, can't you educate your users [...]
>
> Experience tells me the answer is no, or at least a qualified no. And
> we're supposed to have smart people here.
>
> I suppose the numb
Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
Anyway, can't you educate your users
Experience tells me the answer is no, or at least a qualified no. And
we're supposed to have smart people here.
I suppose the number of responses might be even higher if we did not
try to educate people. I
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:
> > Do you mean attempts to get your users to send their passwords,
> > or fake mail pretending to be from banks?
>
> I mean attempts to get my users to send their passwords, are these not
> call
Micah Anderson <[EMAIL PROTECTED]> wrote:
I mean attempts to get my users to send their passwords, are these not
called phishing?
micah
Yes, it's phishing, but for thos you might want to make local rules to
catch things specific to your own web mail system and domain.
I find myself relucta
Reply-to: [EMAIL PROTECTED]
First pass:
header LOCAL_REPLYTO_LIVE Reply-to =~ /[EMAIL PROTECTED]/
score LOCAL_REPLYTO_LIVE8.0
Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.
Joseph Brennan
Columbia University Information Technolo
At 07:56 01-11-2008, Micah Anderson wrote:
Here is an example one I received recently, note the hideously low bayes
score on this one, caused it to autolearn as ham even, grr.
[snip]
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.2.
Brent Clark <[EMAIL PROTECTED]> writes:
> Hiya
>
> See SA examples
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Also add hostkarma.junkemailfilter.com to you DNSBL.
Thanks, I'll add this to my local.cf and see how it goes.
> Another thing I do find is useful is adding additio
Joseph Brennan <[EMAIL PROTECTED]> writes:
> Micah Anderson <[EMAIL PROTECTED]> wrote:
>
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>
> Do you mean attempts to get your users to send their passwords,
> or fake mail prete
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:
> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>>
>> postfix is doing:
>> reject_rbl_client b.barracudace
Randy <[EMAIL PROTECTED]> writes:
> Micah Anderson wrote:
>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, ar
* Jeff Chan <[EMAIL PROTECTED]> [2008-10-31 02:36-0400]:
> On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
>
> > I keep getting hit by phishing attacks, and they aren't being stopped by
> > anything I've thrown up in front of them:
>
> [...]
> > I've got spamassassin 3.2.5 with
* Kelson <[EMAIL PROTECTED]> [2008-10-30 17:29-0400]:
> Micah Anderson wrote:
>> reject_rbl_client list.dsbl.org,
>
> DSBL has shut down, and you should remove the query from your list. It
> won't help with the phishing, but it'll free up some network resources.
> Info: http://dsbl.
Hiya
See SA examples
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
Also add hostkarma.junkemailfilter.com to you DNSBL.
Works really well.
Another thing I do find is useful is adding additional higher valued MX
records.
http://www.junkemailfilter.com/spam/support.html
HTH
Rega
On Thursday, October 30, 2008, 12:56:53 PM, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
[...]
> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
> pulls in the 25_uribl.cf auto
Micah Anderson <[EMAIL PROTECTED]> wrote:
I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:
Do you mean attempts to get your users to send their passwords,
or fake mail pretending to be from banks?
Joseph Brennan
Lead Email S
Micah Anderson wrote:
reject_rbl_client list.dsbl.org,
DSBL has shut down, and you should remove the query from your list. It
won't help with the phishing, but it'll free up some network resources.
Info: http://dsbl.org/node/3
I've got clamav pulling signatures updated once
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus
Micah Anderson wrote:
> I keep getting hit by phishing attacks, and they aren't being stopped by
> anything I've thrown up in front of them:
>
> postfix is doing:
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client
Micah Anderson wrote:
I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:
postfix is doing:
reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client lis
41 matches
Mail list logo
