On 2019-03-01 07:21, Mike Marynowski wrote:
For anyone who wants to play around with this, the DNS service has been
posted. You can test the existence of a website on a domain or any of
its parent domains by making DNS queries as follows:
subdomain.domain.com.httpcheck.singulink.com
Hello.
I
On Thu, 21 Mar 2019 18:26:15 +0100
Ralph Seichter wrote:
> * Mike Marynowski:
>
> > I was more asking if there is a good reason to build packages
> > intended for local installation by email server operators and I
> > don't think there really is.
>
> As a maintainer of several Gentoo Linux ebu
* Mike Marynowski:
> I was more asking if there is a good reason to build packages intended
> for local installation by email server operators and I don't think
> there really is.
As a maintainer of several Gentoo Linux ebuilds, I agree you should
leave packaging to the various Linux distribution
Here ya go ;)
https://github.com/mikernet/HttpCheckDnsServer
On 3/21/2019 5:42 AM, Tom Hendrikx wrote:
On 20-03-19 19:56, Mike Marynowski wrote:
A couple people asked about me posting the code/service so they could
run it on their own systems but I'm currently leaning away from that. I
don't t
Perhaps I should have been clearer - I'm not against posting the code
for any reason and I am planning to do that anyway in case anyone wants
to look at it or chip in improvements and whatnot.
I'm an active contributor on many open source projects and I have fully
embraced OSS :) I was more as
On 20-03-19 19:56, Mike Marynowski wrote:
>
> A couple people asked about me posting the code/service so they could
> run it on their own systems but I'm currently leaning away from that. I
> don't think there is any benefit to doing that instead of just utilizing
> the centralized service. The wh
Continuing to fine-tune this service - thank you to everyone testing it.
Some updates were pushed out yesterday:
* Initial new domain "grace period" reduced to 8 minutes (down from 15
mins) - 4 attempts are made within this time to get a valid HTTP response
* Mozilla browser spoofing is imple
Thank you! I have no idea how I missed that...
On 3/13/2019 7:11 PM, RW wrote:
On Wed, 13 Mar 2019 17:40:57 -0400
Mike Marynowski wrote:
Can someone help me form the correct SOA record in my DNS responses
to ensure the NXDOMAIN responses get cached properly? Based on the
logs I don't think dow
On Wed, 13 Mar 2019 17:40:57 -0400
Mike Marynowski wrote:
> Can someone help me form the correct SOA record in my DNS responses
> to ensure the NXDOMAIN responses get cached properly? Based on the
> logs I don't think downstream DNS servers are caching it as requests
> for the same valid HTTP doma
Can someone help me form the correct SOA record in my DNS responses to
ensure the NXDOMAIN responses get cached properly? Based on the logs I
don't think downstream DNS servers are caching it as requests for the
same valid HTTP domains keep hitting the service instead of being cached
for 4 days
Any HTTP status code 400 or higher is treated as no valid website on the
domain. I see a considerable amount of spam that returns 5xx codes so at
this point I don't plan on changing that behavior. 503 is supposed to
indicate a temporary condition so this seems like an abuse of the error
code.
> Antony Stone wrote on 13.3.2019 at 20.36:
>
> On Wednesday 13 March 2019 at 19:21:47, Jari Fredriksson wrote:
>
>> What would it result for this:
>>
>> I have a couple domains that do not have any services for the root domain
> name. However, the server the A points do have a web s
On Wednesday 13 March 2019 at 19:21:47, Jari Fredriksson wrote:
> What would it result for this:
>
> I have a couple domains that do not have any services for the root domain
> name. However, the server the A points do have a web server that acts as
> a reverse proxy for many subdomains that wil
What would it result for this:
I have a couple domains that do not have any services for the root domain name.
However, the server the A points do have a web server that acts as a reverse
proxy for many subdomains that will be served a web page. A http 503 is
returned by the pound reverse for
On Wed, 13 Mar 2019 at 13:04, RW wrote:
>
> On Wed, 13 Mar 2019 10:53:06 +
> Dominic Raferd wrote:
>
> > On Wed, 13 Mar 2019 at 10:33, Mike Marynowski
> > wrote:
> > >
> >
> > For those of us who are not SA experts can you give an example of how
> > to use your helpful new lookup facility (i.
On Wed, 13 Mar 2019 10:53:06 +
Dominic Raferd wrote:
> On Wed, 13 Mar 2019 at 10:33, Mike Marynowski
> wrote:
> >
>
> For those of us who are not SA experts can you give an example of how
> to use your helpful new lookup facility (i.e. lines to add in
> local.cf)? Thanks
askdns AUTHOR_IN
On Wed, 13 Mar 2019 at 10:33, Mike Marynowski wrote:
>
For those of us who are not SA experts can you give an example of how
to use your helpful new lookup facility (i.e. lines to add in
local.cf)? Thanks
Back up after some extensive modifications.
Setting the DNS request timeout to 30 seconds is no longer necessary -
the service instantly responds to queries.
In order to prevent mail delivery issues if the website is having
technical issues the first time a domain is seen by the service, it w
On Fri, 1 Mar 2019 01:21:40 -0500
Mike Marynowski wrote:
> For anyone who wants to play around with this, the DNS service has
> been posted. You can test the existence of a website on a domain or
> any of its parent domains by making DNS queries as follows:
>
> subdomain.domain.com.httpcheck.sing
Mike: If you want a tester, I am happy to join the effort, I see little
harm in assigning 0.75 to the results.
There are quite a few email only domains we end up whitelist_auth'ing
them and all is well.
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
On 2/28/2019
On Fri, 01 Mar 2019 22:09:01 +
Rupert Gallagher wrote:
> Case study:
>
> example.com bans any e-mail sent from its third levels up, and does
> it by spf.
>
> spf-banned.example.com sent mail, and my SA at server.com adds a big
> fat penalty, high enough to bounce it.
example.com has a TXT
On Fri, Mar 1, 2019 at 23:14, Mike Marynowski wrote:
>> Does SpamAssassin even have facilities to do that?
> Yes, if spf runs at priority 1, you can define your test at priority 2, so SA
> executes them in the given order.
>> Don't all rules run all the time?
> They run when relevant, in the
The focus was on the To header for mailing lists, complaints on MUAs and
people's choices. If you do not want to appear in the To header of a list, you
are exercising a legal right under the GDPR. So, to cut through all those
problems and enforce a sound solution, I suggest list majordomos do th
Does SpamAssassin even have facilities to do that? Don't all rules run
all the time? SpamAssassin still needs to run all the rules because MTAs
might have different spam mark / spam delete /etc thresholds than the
one set in SA.
The number of cycles you're talking about is the same as an RBL l
Case study:
example.com bans any e-mail sent from its third levels up, and does it by spf.
spf-banned.example.com sent mail, and my SA at server.com adds a big fat
penalty, high enough to bounce it.
Suppose I do not bounce it, and use your filter to check for its websites. It
turns out that bo
On 3/1/2019 4:31 PM, Grant Taylor wrote:
afraid.org is much like DynDNS in that one entity (afraid.org
themselves or DynDNS) provide DNS services for other entities.
I don't see a good way to differentiate between the sets of entities.
I haven't come across any notable amount of spam that's
On 03/01/2019 01:25 AM, Rupert Gallagher wrote:
A future-proof list that complies with GDPR would automatically rewrite
the To header, leaving the list address only.
Doesn't GDPR also include things like signatures? Thus if the mailing
list is only modifying the email metadata and not the mes
On 02/28/2019 09:39 PM, Mike Marynowski wrote:
I modified it so it checks the root domain and all subdomains up to the
email domain.
:-)
As for your question - if afraid.org has a website then you are correct,
all subdomains of afraid.org will not flag this rule, but if lots of
afraid.org su
On 3/1/2019 1:07 PM, RW wrote:
Sure, but had it turned-out that most of these domains didn't have the A
record necessary for your HTTP test, it wouldn't have been worth doing
anything more complicated.
I've noticed a lot of the spam domains appear to point to actual web
servers but throw 403 o
Sorry, I meant I thought it was doing those checks because I know I was
playing with checking A records before and figured the rules would have
it enabled by default...I tried to find the rules after I sent that
message and realized that was related to sender domain A record checks
done in my M
On Friday 01 March 2019 at 17:37:18, Mike Marynowski wrote:
> Quick sampling of 10 emails: 8 of them have valid A records on the email
> domain. I presumed SpamAssassin was already doing simple checks like that.
That doesn't sound like a good idea to me (presuming, I mean).
Antony.
--
"The fu
On Fri, 1 Mar 2019 11:37:18 -0500
Mike Marynowski wrote:
> Looking for an A record on what - just the email address domain or
> the chain of parent domains as well? If the latter, well a lack of A
> record will cause this to fail so it's kind of embedded in.
Sure, but had it turned-out that most
Looking for an A record on what - just the email address domain or the
chain of parent domains as well? If the latter, well a lack of A record
will cause this to fail so it's kind of embedded in.
Quick sampling of 10 emails: 8 of them have valid A records on the email
domain. I presumed SpamAs
On Wed, 27 Feb 2019 12:16:20 -0500
Mike Marynowski wrote:
> Almost all of the spam emails that are
> coming through do not have a working website at the root domain of
> the sender.
Did you establish what fraction of this spam could be caught just by
looking for an A record?
Changing up the algorithm a bit. Once a domain has been added to the
cache, the DNS service will perform HTTP checks in the background
automatically on a much more aggressive schedule for invalid domains so
that temporary website problems are much less of an issue and invalid
domains don't dela
A future-proof list that complies with GDPR would automatically rewrite the To
header, leaving the list address only. Any other recipient will still receive
it from the original sender.
On Thu, Feb 28, 2019 at 20:29, Mike Marynowski wrote:
> Unfortunately I don't see a reply-to header on your
For anyone who wants to play around with this, the DNS service has been
posted. You can test the existence of a website on a domain or any of
its parent domains by making DNS queries as follows:
subdomain.domain.com.httpcheck.singulink.com
So, if you wanted to check if mail1.mx.google.com or a
You'll be able to decide how you want to prioritize the fields - I've
implemented it as a DNS server, so which domain you decide to send to
the DNS server is entirely up to you.
On 2/28/2019 10:23 PM, Grant Taylor wrote:
On 2/28/19 9:33 AM, Mike Marynowski wrote:
I'm doing grabs the first avai
I modified it so it checks the root domain and all subdomains up to the
email domain.
As for your question - if afraid.org has a website then you are correct,
all subdomains of afraid.org will not flag this rule, but if lots of
afraid.org subdomains are sending spam then I imagine other spam
On 2/28/19 1:24 PM, Luis E. Muñoz wrote:
I suggest you look at the Mozilla Public Suffix List at
https://publicsuffix.org/ — it was created for different purposes, but I
believe it maps well enough to my understanding of your use case. You'll
be able to pad the gaps using a custom list.
+1 fo
On 2/28/19 12:33 PM, Mike Marynowski wrote:
This method checks the *root* domain, not the subdomain.
What about domains that have many client subdomains?
afraid.org (et al) come to mind.
You might end up allowing email from spammer.afraid.org who doesn't have
a website because the parent afr
On 2/28/19 9:33 AM, Mike Marynowski wrote:
I'm doing grabs the first available address in this order: reply-to,
from, sender.
That sounds like it might be possible to game things by playing with the
order.
I'm not sure what sorts of validations are applied to the Sender:
header. (I don't r
st address, but for the record I don't see any reply-to
headers.
But it's right there in the copy that the list delivered to me:
From: "Bill Cole"
To: users@spamassassin.apache.org
Subject: Re: Spam rule for HTTP/HTTPS request to sender's
root domain
D
I'm pretty sure the way I ended up implementing it everything is working
fine and it's nice and simple and clean but maybe there's some edge case
that doesn't work properly. If there is I haven't found it yet, so if
you can think of one let me know.
Since I'm sending an HTTP request to all sub
"Bill Cole"
To: users@spamassassin.apache.org
Subject: Re: Spam rule for HTTP/HTTPS request to sender's root domain
Date: Thu, 28 Feb 2019 14:21:41 -0500
Reply-To: users@spamassassin.apache.org
Whether you see it is a function of how your MUA (TBird, it seems... )
displ
On 28 Feb 2019, at 14:39, Antony Stone wrote:
> On Thursday 28 February 2019 at 20:33:42, Mike Marynowski wrote:
>
>> But scconsult.com does in fact have a website so I'm not sure what you
>> mean. This method checks the *root* domain, not the subdomain.
>
> How do you identify the root domain, gi
On 28 Feb 2019, at 14:33, Mike Marynowski wrote:
But scconsult.com does in fact have a website so I'm not sure what you
mean. This method checks the *root* domain, not the subdomain.
Ah, I see. I had missed that detail.
That's likely to have fewer issues, as long as you get the registry
boun
ht there in the copy that the list delivered to me:
From: "Bill Cole"
To: users@spamassassin.apache.org
Subject: Re: Spam rule for HTTP/HTTPS request to sender's root domain
Date: Thu, 28 Feb 2019 14:21:41 -0500
Reply-To: users@spamassassin.apache
On 28 Feb 2019, at 11:53, Mike Marynowski wrote:
There are many ways to determine what the root domain is. One way is
analyzing the DNS response from the query to realize it's actually a
root domain, or you can just grab the ICANN TLD list and use that to
make a determination.
What I'm proba
There are many ways to determine what the root domain is. One way is
analyzing the DNS response from the query to realize it's actually a
root domain, or you can just grab the ICANN TLD list and use that to
make a determination.
What I'm probably going to do now that I'm building this as a cac
On Thursday 28 February 2019 at 20:33:42, Mike Marynowski wrote:
> But scconsult.com does in fact have a website so I'm not sure what you
> mean. This method checks the *root* domain, not the subdomain.
How do you identify the root domain, given an email address?
For example, for many years in t
But scconsult.com does in fact have a website so I'm not sure what you
mean. This method checks the *root* domain, not the subdomain.
Even if this wasn't the case well, it is what it is. Emails from this
mailing list (and most well configured lists) come in at a spam score of
-6, so they are n
On Thursday 28 February 2019 at 20:25:36, Bill Cole wrote:
> On 28 Feb 2019, at 13:43, Mike Marynowski wrote:
> > On 2/28/2019 12:41 PM, Bill Cole wrote:
> >> You should probably put the envelope sender (i.e. the SA
> >> "EnvelopeFrom" pseudo-header) into that list, maybe even first. That
> >> wil
Unfortunately I don't see a reply-to header on your messages. What do
you have it set to? I thought mailing lists see who is in the "to"
section of a reply so that 2 copies aren't sent out. The "mailing list
ethics" guide I read said to always use "reply all" and the mailing list
system takes c
On 28 Feb 2019, at 13:43, Mike Marynowski wrote:
On 2/28/2019 12:41 PM, Bill Cole wrote:
You should probably put the envelope sender (i.e. the SA
"EnvelopeFrom" pseudo-header) into that list, maybe even first. That
will make many messages sent via discussion mailing lists (such as
this one) p
Please respect my consciously set Reply-To header. I don't ever need 2
copies of a message posted to a mailing list, and ignoring that header
is rude.
On 28 Feb 2019, at 13:28, Mike Marynowski wrote:
On 2/28/2019 12:41 PM, Bill Cole wrote:
You should probably put the envelope sender (i.e. the
On 2/28/2019 12:41 PM, Bill Cole wrote:
You should probably put the envelope sender (i.e. the SA
"EnvelopeFrom" pseudo-header) into that list, maybe even first. That
will make many messages sent via discussion mailing lists (such as
this one) pass your test where a test of real header domains w
Ralph Seichter wrote on 2019-02-28 18:53:
By the way, are you aware of https://www.dnswl.org ?
https://www.mywot.com
https://www.trustpilot.com
* Mike Marynowski:
> Question though - what is your reply-to address set to in the emails
> coming from your email-only domain?
We very rarely inject Reply-To, because this might interfere with what
the original sender intended.
-Ralph
* Mike Marynowski:
> You know what I mean.
That's quite an assumption to make, in a mailing list. ;-)
> I could just not publish this and keep it for myself and I'm sure that
> would make it more effective long term for me, but I figured I would
> contribute it so that others can gain some benef
* David Jones:
> I would like to see an Open Mail Reputation System setup by a working
> group of big companies so it would have some weight behind it.
Running a smaller business, I have no interest whatsoever in a "group of
big companies" having any say in our mail reputation, as you can surely
On 28 Feb 2019, at 11:33, Mike Marynowski wrote:
Question though - what is your reply-to address set to in the emails
coming from your email-only domain?
I can't answer for Ralph, but in my case I use a mail-only domain in
From for most of my personal mail, and while I usually set Reply-To to
On 2/28/19 10:50 AM, Ralph Seichter wrote:
> * Mike Marynowski:
>
>> And the cat and mouse game continues :)
>
> It sure does, and that's what sticks in my craw here: For a pro spammer,
> it is easy to set up websites in an automated fashion. If I was such a
> naughty person, I'd just add one tin
You know what I mean. *Many (not all) of the rules (rDNS verification,
hostname check, SPF records, etc) are easy to circumvent but we still
check all that. Those simple checks still manage to catch a surprising
amount of spam.
I could just not publish this and keep it for myself and I'm sure
* Mike Marynowski:
> Everything we test for is easily compromised on its own.
That's quite a sweeping statement, and I disagree. IP-based real time
blacklists, anyone? Also, "we" is too unspecific. In addition to the
stock rules, I happen to maintain a set of custom tests which are
neither publis
Why even use a test for something that is so easily compromised?
-Ralph
Everything we test for is easily compromised on its own.
* Mike Marynowski:
> And the cat and mouse game continues :)
It sure does, and that's what sticks in my craw here: For a pro spammer,
it is easy to set up websites in an automated fashion. If I was such a
naughty person, I'd just add one tiny service that answers "all is well"
for every incoming
And the cat and mouse game continues :)
That said, all the big obvious "email-only domains" that send out
newsletters and notifications and such that I've come across in my
sampling already have placeholder websites or redirects to their main
websites configured. I'm sure that's not always the
* Antony Stone:
> Each to their own.
Of course. Alas, if this gets widely adopted, we'll probably have to set
up placeholder websites (as will spammers, I'm sure).
-Ralph
I would not do it at all, caching or no caching. Personally, I don't see
a benefit trying to correlate email with a website, as mentioned before,
based on how we utilise email-only-domains.
-Ralph
Fair enough. Based on the sampling I've done and the way I intend to use
this, I still see thi
Question though - what is your reply-to address set to in the emails
coming from your email-only domain?
The domain checking I'm doing grabs the first available address in this
order: reply-to, from, sender. It's not using the domain of the SMTP
server. I did come across some email-only domain
On Thursday 28 February 2019 at 17:14:04, Ralph Seichter wrote:
> * Grant Taylor:
> > Why would you do it per email? I would think that you would do the
> > test and cache the results for some amount of time.
>
> I would not do it at all, caching or no caching. Personally, I don't see
> a benefit
* Grant Taylor:
> Why would you do it per email? I would think that you would do the
> test and cache the results for some amount of time.
I would not do it at all, caching or no caching. Personally, I don't see
a benefit trying to correlate email with a website, as mentioned before,
based on how
On 2/28/19 3:40 PM, Mike Marynowski wrote:
Right now the test plugin I've built makes a single HTTP request for
each email while I evaluate this but I'll be building a DNS query
endpoint or a local domain cache to make it more efficient before
putting it into production.
Please keep us updat
Just one more note - I've excluded .email domains from the check as I've
noticed several organizations using that as email only domains.
Right now the test plugin I've built makes a single HTTP request for
each email while I evaluate this but I'll be building a DNS query
endpoint or a local do
I've tested this with good results and I'm actually not creating any
HTTPS connections - what I've found is a single HTTP request with zero
redirections is enough. If it returns a status code >= 400 then you
treat it like no valid website, and if you get a < 400 result (i.e. a
301/302 redirect
On 02/27/2019 03:25 PM, Ralph Seichter wrote:
We use some of our domains specifically for email, with no associated
website.
I agree that /requiring/ a website at one of the parent domains
(stopping before traversing into the Public Suffix List) is problematic
and prone to false positives.
* Mike Marynowski:
> Of the 100 last legitimate email domains that have sent me mail, 100%
> of them have working websites at the root domain.
We use some of our domains specifically for email, with no associated
website. Besides, I think the overhead to establish a HTTPS connection
for every inc
Hi everyone,
I haven't been able to find any existing spam rules or checks that do
this, but from my analysis of ham/spam I'm getting I think this would be
a really great addition. Almost all of the spam emails that are coming
through do not have a working website at the root domain of the sen
On 6/12/2014 10:57 AM, Axb wrote:
On 06/12/2014 03:11 PM, Joe Quinn wrote:
We received a report that our published ruleset is slow on large emails
(http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf)
After doing our own profiling (using "Finding slow rules" under
http://wiki.apache.org/s
On 06/12/2014 03:11 PM, Joe Quinn wrote:
We received a report that our published ruleset is slow on large emails
(http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf)
After doing our own profiling (using "Finding slow rules" under
http://wiki.apache.org/spamassassin/FasterPerformance), we
We received a report that our published ruleset is slow on large emails
(http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf)
After doing our own profiling (using "Finding slow rules" under
http://wiki.apache.org/spamassassin/FasterPerformance), we have not been
able to reproduce anythin
On Mon, 12 Aug 2013, Kris Deugau wrote:
Amir 'CG' Caspi wrote:
My main feeling is that if anyone is
sending HTML email with LOTS of stuff commented out, that email is
almost certainly spam. Ham HTML email would probably be done with more
care.
*snigger* Take a look at the raw source from a
Amir 'CG' Caspi wrote:
> My main feeling is that if anyone is
> sending HTML email with LOTS of stuff commented out, that email is
> almost certainly spam. Ham HTML email would probably be done with more
> care.
*snigger* Take a look at the raw source from a message sent with
Outlook (especiall
At 8:23 PM -0700 08/11/2013, John Hardin wrote:
However, I may be taking too-conservative a stance here. It's
possible that, while HTML comments can appear in ham, *long* HTML
comments won't, and the fact that we're looking for long blocks of
comment text is enough safety.
That's why feeling.
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 7:20 PM -0700 08/11/2013, John Hardin wrote:
Yuck. Can you pastebin spamples, if you still have them?
Here's one that comes to mind:
http://pastebin.com/zVEH2h02
That's going to be problematic as the comment isn't gibberish, it's a
bunch of pr
At 7:20 PM -0700 08/11/2013, John Hardin wrote:
The unbounded matches you're using probably caused the RE engine to
get stuck backing off and retrying.
That's what I figured. That's why I changed things to the current
version, which is "bounded" by the end-tag of the comment. My
current ver
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 6:56 PM -0700 08/11/2013, John Hardin wrote:
I'm also going to make FP-avoidance changes that should also help.
Care to share? =)
Everything is publicly visible in my sandbox:
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhar
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 9:31 PM -0400 08/11/2013, Alex wrote:
Are you using sqlgrey? If not, it's incredible and you should try it.
I have not implemented any sort of greylisting yet. I can't use sqlgrey
because I don't use postfix... my server runs sendmail. I'm sur
At 6:56 PM -0700 08/11/2013, John Hardin wrote:
I'm also going to make FP-avoidance changes that should also help.
Care to share? =)
Just make sure that the rule does not match the --> comment-end token
I tried doing that and it caused SA to hang... couldn't figure out
why the regex wasn't
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it at
regexpal.com, which shows that all three comments match just fine (all
three get highlighted).
So... why is SA hitting only o
At 9:31 PM -0400 08/11/2013, Alex wrote:
Can you post this rule again so we can investigate?
# HTML comment gibberish
# Looks for sequence of 100 or more "words" (alphanum + punct
# separated by whitespace) within HTML comment
rawbody HTML_COMMENT_GIBBERISH //im
describe HTML_COMMENT_GIBBERISH
Hi,
> Further confusion. Received another of these types of spam today:
>
> http://pastebin.com/YywcFkui
>
> My new HTML_COMMENT_GIBBERISH rule didn't hit on this one at all. Running
Can you post this rule again so we can investigate?
How do you find the SPAMMY_URI_PATTERNS rule is performing?
At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it
at regexpal.com, which shows that all three comments match just fine
(all three get highlighted).
So... why is SA hitting only on the final comment, and ignoring the first tw
On Aug 11, 2013, at 9:10 AM, Benny Pedersen wrote:
> i created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML , but even without
> this rules its spam
It is NOW, it was not when it was originally processed, as you can see from the
SA headers included in the pastebin. If you read the messages
Amir 'CG' Caspi wrote on 2013-08-11 10:22:
http://pastebin.com/VCtvzjzV
Content analysis details: (10.9 points, 5.0 required)
pts rule name description
--
--
-0.0 RCVD_IN_MSPIKE_H3 RBL: Good repu
At 1:41 PM -0600 08/10/2013, Amir 'CG' Caspi wrote:
(The HTML comment gibberish rule would be a big step here, since
that's one of the few things that would distinguish this from ham...
unlikely that a real person would embed tens of KB of comment
gibberish.)
OK, I'm trying to test an HTML co
On Sat, 10 Aug 2013, Amir 'CG' Caspi wrote:
At 2:17 PM -0700 08/10/2013, John Hardin wrote:
Perhaps it's time to bring FuzzyOCR up-to-date...?
Is this something I need to manually update or something that needs updating
in the SA distribution?
FuzzyOCR was a SA plugin a few years back. It