Any SA rules out there that can catch the german spam mails?
|-Original Message-
|From: Bob Proulx [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de 2005 12:00 a.m.
|To: users@spamassassin.apache.org
|Subject: Re: Bombarded by German political spam
|
|Raymond Dijkxhoorn wrote:
|> Thi
Yes, see here:
http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
There's also info over at http://isc.sans.org/, where the abovve link
was found.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -Original Message-
> From: Anton Krall [mailto
Hi
i am new into SPamAssassin and i want know if they have a tools for check
a personnal .cf files for see if he don't have a error.
Thanks for your help
smime.p7s
Description: S/MIME Cryptographic Signature
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Phibee Network operation Center schrieb:
> Hi
>
> i am new into SPamAssassin and i want know if they have a tools for check
> a personnal .cf files for see if he don't have a error.
>
Try spamassassin -D --lint. It will check all of your config
Another CF file that might help you if you don't want to block it at the
MTA-level:
http://mailscanner.prolocation.net/german.cf
Menno van Bennekom
> Yes, see here:
>
> http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
>
> There's also info over at http://isc.sans.org/, where the abovve li
Hi Phil
So that's why the Sober's dried up last week. Gone from infection phase
to 'spam zombie' phase. Great ;-(
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Randal, Phil wrote:
Yes, see here:
http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
Hi all
Using SA 3.0.3 with most of the SARE rules, pyzor, all the SURBL.org
URI-RBLS etc etc along with a few extras.
We got alot lof spam this weekend where the URL was interestingly
obsfucated. here's an example or two..
http://gi-19.r6xmf38p75f2pm6mk57lfww7r.l-31.h-13.i-25.positionside.net/i
Thanks Christoph for your answer,
i have see a big quantity of error into my .cf file ;=) goods i have
resolved it ..
In the debug, i have a information that i don't understand :
=
debug: plugin: Mail::SpamAssassin::Plugin::URIDN
what to do when bayes shows signs of poisoning???
those germal political mails are being flagged at Bayes_00 scores even
though they are still hitting 20+ points.
this one only got 10ish
7.3 points, 5.0 required;
0.0 NO_REAL_NAME From: does not include a real name
0.2 INVALID_DATE
On Sunday 15 May 2005 17:51, List Mail User wrote:
> >...
> >
> >wolfgang wrote:
[...]
> >>
> >> I noticed that the WS URIBL does by now recognize various of the
> >> URIs in those mails, and a rule like
> >> # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
> >> urirhssub URIBL_RFCI_WHOI
Simon Byrnand wrote:
At 09:53 16/05/2005, Jo wrote:
Simon Byrnand wrote:
Hi All,
After going from 2.64 to 3.0.3 I thought Bayes was working much
better - previously certain classes of spam were being consistently
reported as ham, scoring BAYES_00 no matter what I did, or how much
manual training
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
havn't found any easily identified parts to create rules for.
anybody else seeing this?
On Sun, 2005-05-15 at 22:34 -0500, John Fleming wrote:
I run a very simple Postfix - Procmail - SpamAssassin - CLamAV setup that
has been working great, but tonight I see something I don't understand.
I suspect that your procmail recipe doesn't scan files over a certain
size. What does your .procm
On Sun, May 15, 2005 at 10:59:40PM -0600, Bob Proulx wrote:
> The list I have collected is slightly different than yours.
>
snips
> Subject: Ihre Anfrage an Amazon.de
"Your question to amazon.de" - are you sure that's a spam subject ?
Nick
On Monday 16 May 2005 12:15, Ronan McGlue typed:
> I too have all net tests enabled and have started from a fresh clean new
> database friday, and already Im seeing the german spams hit bayes_00...
> I dont want to switch autolearning off becuase well i find it incredibly
> usefull. i have spam/ha
Hi!
Using SA 3.0.3 with most of the SARE rules, pyzor, all the SURBL.org URI-RBLS
etc etc along with a few extras.
We got alot lof spam this weekend where the URL was interestingly obsfucated.
here's an example or two..
X-Prolocation-MailScanner-SpamCheck: spam, SpamAssassin (score=13.459,
r
Anyone else seeing this today?
Connecting to www.rulesemporium.com[67.67.32.207]:80... failed: Connection
refused.
Connecting to www.rulesemporium.com[209.218.125.117]:80... failed:
Connection refused.
Hi
i use a Linux Server with Qmail/SpamAssassin 3.0.3/Qmail-Scanner-1.25st ...
this server are the first mx contact, receive the email, scan it for
AntiSpams and AntiVirus
an sent the email to another qmail server on my network.
On this server, i don't have mailbox ... i want know what is the pro
I keep getting emails that are sent in html and have a bmp that is about 94k
with the offending products in bmp form. Its extreemly hard to detect these
because I think its just a picture eg bmp not real words.
When I click on the html picture and save it, the bmp size is always about
94k. I would
config: SpamAssassin failed to parse line, skipping: rewrite_subject 1
config: SpamAssassin failed to parse line, skipping: report_header 1
config: SpamAssassin failed to parse line, skipping: use_terse_report 1
config: SpamAssassin failed to parse line, skipping: defang_mime 1
config: SpamAssassin
> what to do when bayes shows signs of poisoning???
> those germal political mails are being flagged at Bayes_00 scores even
> though they are still hitting 20+ points.
Zap it and start over. Probably be working again in a few hours if you have
reasonable mail flow. A personal site might take a
At 06:36 AM 5/16/2005, Ronan McGlue wrote:
what to do when bayes shows signs of poisoning???
those germal political mails are being flagged at Bayes_00 scores even
though they are still hitting 20+ points.
First, that's not really a sign of poisoning. Poisoning involves a
deliberate attempt to ev
Raymond Dijkxhoorn wrote:
Hi!
Using SA 3.0.3 with most of the SARE rules, pyzor, all the SURBL.org
URI-RBLS etc etc along with a few extras.
We got alot lof spam this weekend where the URL was interestingly
obsfucated. here's an example or two..
X-Prolocation-MailScanner-SpamCheck: spam, SpamAs
At 08:35 AM 5/16/2005, Phibee Network operation Center wrote:
1- Create a email on my relay server and send with my mail software (in
forward, i use thunderbird)
to this mailbox for after start sa-learn ? but in forward, it's not a
problems ?
You cannot use a normal inline forward. You must prese
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
> >>http://mailscanner.prolocation.net/german.cf
>
> >You've got a bit of duplication in there (rules 02 and 22 are the
> >same, as are 04 and 26).
>
> I'll clean them, thanks! v0.2 there in a few :)
http://www.citecs.d
Does anyone have any good generic german spam filter rulesets? We have
some legitimate German users, so I don't want to start blacklisting,
and I worry that filtering one specific header at a time is a lost
cause...
thanks Betsy
I've just switched to a new hosting provider who has installed a fairly
standard Spamassassin for me. It seems like a lot of spam is getting
through. I just looked at this one:
Subject: Innocent Asian Babe Hairy Pussy Fucking
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16)
Phibee Network operation Center wrote:
>
> Thanks Christoph for your answer,
>
> i have see a big quantity of error into my .cf file ;=) goods i have
> resolved it ..
>
> In the debug, i have a information that i don't understand :
>
> ===
>-Original Message-
>From: wolfgang [mailto:[EMAIL PROTECTED]
>Sent: Sunday, May 15, 2005 7:04 PM
>To: users@spamassassin.apache.org
>Cc: users@spamassassin.apache.org
>Subject: Re: Bombarded by German political spam
>
>
>In an older episode (Monday 16 May 2005 00:17), List Mail User wrot
Matt Kettler wrote:
> At 06:36 AM 5/16/2005, Ronan McGlue wrote:
>
>> what to do when bayes shows signs of poisoning???
>> those germal political mails are being flagged at Bayes_00 scores even
>> though they are still hitting 20+ points.
>
>
> First, that's not really a sign of poisoning. Poiso
Steve wrote:
> I keep getting emails that are sent in html and have a bmp that is about 94k
> with the offending products in bmp form. Its extreemly hard to detect these
> because I think its just a picture eg bmp not real words.
>
> When I click on the html picture and save it, the bmp size is al
>
> Anyone else seeing this today?
>
> Connecting to www.rulesemporium.com[67.67.32.207]:80...
> failed: Connection refused.
> Connecting to www.rulesemporium.com[209.218.125.117]:80... failed:
> Connection refused.
>
The httpd.conf was invalid and logrotate hup'd httpd and caused it to
shut d
You can use "identify" command to obtain some info about an image.
If you have linux (i hope you do), just type: identify [IMAGE_FILENAME]
If you need the size of the file just type: ls -l [FILENAME]
David A. Velásquez R.
Gerente Fundador
Conexiones Colombianas (CONEXCOL)
[EMAIL PROTECTED]
http://w
This is a ruleset I created based on information from the Internet Storm
Center (isc.sans.org).
I scored it at 4 points. Feel free to raise or lower to your liking.
Bowie
Sober_German.cf
Description: Binary data
>...
>
>Hi all
>
>Using SA 3.0.3 with most of the SARE rules, pyzor, all the SURBL.org
>URI-RBLS etc etc along with a few extras.
>
>We got alot lof spam this weekend where the URL was interestingly
>obsfucated. here's an example or two..
>
>
>href=http://gi-19.r6xmf38p75f2pm6mk57lfww7r.l-31.h-13
Craig McLean wrote:
> Can you be more specific? A search of wiki.apache.org/spamassassin shows
> 2 pages containing "rounding":
> StatusRounding - orphaned.
> RoundingIssues - this is not the issue I'm talking about, and in any
> case was fixed in 3.0.
Actually if you read:
http://wiki.apache.org
ÐÐÐ ÐÐÑÐ wrote:
> I'm using SpamAssassin 3.0.3 with amavisd and mysql.
> I've learned it for 900 ham messages and 1000 spam messages this way for
> each user:
>
> /usr/local/bin/sa-learn -u [EMAIL PROTECTED] --ham
> /home/cyrus/spool/domain/domain.ru/user/igor/NoSpam
>
> /usr/local/bin/s
Matt Kettler wrote:
At 08:35 AM 5/16/2005, Phibee Network operation Center wrote:
1- Create a email on my relay server and send with my mail software
(in forward, i use thunderbird)
to this mailbox for after start sa-learn ? but in forward, it's not a
problems ?
You cannot use a normal inline fo
In an older episode (Monday 16 May 2005 03:23), Jeff Chan wrote:
> > i started listing such publishers today:
>
> > uridnsbl_skip_domain*.berlinonline.de
> > uridnsbl_skip_domainberlinonline.de
> > uridnsbl_skip_domain*.heise.de
> > uridnsbl_skip_domainheise.de
> > uridnsbl_skip_d
Hello,
I didn't read this discussion but did found a link on the clamav mailinglist
which I want to share before reading 300 emails ;)
http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
Met vriendelijke groet,
Maurice Lucas
TAOS-IT
- Original Message -
From: "Christian Recktenwald"
Thx!
|-Original Message-
|From: Randal, Phil [mailto:[EMAIL PROTECTED]
|Sent: Lunes, 16 de Mayo de 2005 03:56 a.m.
|To: Anton Krall; users@spamassassin.apache.org
|Subject: RE: Bombarded by German political spam
|
|Yes, see here:
|
|http://weir.dattitu.de/archives/9-Filtering-Sober-P.htm
In an older episode (Monday 16 May 2005 16:53), Elizabeth Schwartz wrote:
> Does anyone have any good generic german spam filter rulesets?
> We have
> some legitimate German users, so I don't want to start blacklisting,
> and I worry that filtering one specific header at a time is a lost
> cause..
Thanks, just put it in!
> http://www.citecs.de/99_sober.cf
> - the often seen "Lese selbst" is scored 4
Just curious, what's that mean to the spammers? google translates it
as "vintage"
Christoph Petersen wrote:
Hi,
I'm trying to get the following command to work:
pyzor_options --homedir=/var/qmail/vpopmail/.spamassassin in local.cf.
But everytime when I start spamassassin --lint -D I get the following error:
config: SpamAssassin failed to parse line,
--homedir=/var/qmail/vpopmail
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
havn't found any easily identified parts to create rules for.
anybody else seeing this?
Betsy,
This particular spam blast uses just 30 particular subject lines, with no
variations, so the provided rule sets work great without generating false
positives.
Bayes, of course, is insensitive to language and will soon learn to
differentiate German ham from German spam. And some of the
On Mon 16 May 05 05:22, MIKE YRABEDRA <[EMAIL PROTECTED]> wrote:
> Anyone else seeing this today?
>
> Connecting to www.rulesemporium.com[67.67.32.207]:80... failed:
> Connection refused.
> Connecting to www.rulesemporium.com[209.218.125.117]:80... failed:
> Connection refused.
Please do not hijac
Pat Traynor wrote:
>
> This seems like a lot of relatively standard porn terms that haven't
> been recognized. Is this normal? Do I have to add my own rules to
> catch this sort of stuff?
>
> --pat--
Normally bayes and URIBLs deal with this stuff, but it looks like your ISP isn't
using bayes,
I've got some rules in place (thank you guys!) that blocks a lot of this spam,
but now my director is getting emails on her blackberry with bogus "TO"
addresses that doesn't seem
to be going thru SpamAssassin. Any ideas?
E-mail correspondence to and from this address may be subject to the
Nor
I'm doing the upgrade to 3.03 through CPAN. I shut down spamd for the
install process. I dutifully fill in the report address, then put in to
skip network, Bayes, and AWL tests during "make test." I get a warning
for an old version of Razor2 (2.34, not 2.4) and then everything runs
fine until "
On Sun, 15 May 2005, David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
havn't found any easily identified parts to create rules for.
anybo
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam, and
adds its headers to the mail. However, it does not rewrite the subject
header with the `[SPAM]' tag.
Here's what I have in local.cf:
---
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam, and
adds its headers to the mail. However, it does not rewrite the subject
header with the `[SPAM]' tag.
Here's what I have in local.cf:
---
On Sat, 14 May 2005 [EMAIL PROTECTED] wrote:
I don't think 3.0.2 is worse, just that there's more spam around
lately. If I take my own stats, SA is catching a slightly higher
percentage of spam in the last month to 6 weeks. The RBL's I use
frontline are catching more too.
From January 05 to March 0
Well, I've got to ask you.
Would spamd (spamassassin 3.0.2 on RHL 7.2/sendmail) ever be the cause of
message delivery delays of a few hours? The suspect emails arrive very
delayed and without X-Spam headers. Sometimes I find spamd running at 99%
CPU for long periods (possibly stuck on processing o
Many thanks for this rule (99_sober.cf)
It rocks :-)
Thanks again
Eddy
- Original Message -
Subject: Re: Bombarded by German political spam
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
>>http://mailscanner.prolocation.net/german.cf
>You've got a bit of duplic
>>
>>
>> >-Original Message-
>> >From: wolfgang [mailto:[EMAIL PROTECTED]
>> >Sent: Sunday, May 15, 2005 7:04 PM
>> >To: users@spamassassin.apache.org
>> >Cc: users@spamassassin.apache.org
>> >Subject: Re: Bombarded by German political spam
>> >
>> >
>> >In an older episode (Monday 16 May
On Monday, 16-May-2005 09:53, Elizabeth Schwartz wrote:
> Does anyone have any good generic german spam filter rulesets? We
> have some legitimate German users, so I don't want to start
> blacklisting, and I worry that filtering one specific header at a
> time is a lost cause...
This link showed u
Thanks for all the pointers to the cf files for this particular virus.
We have one installed and it is working fine - for this time.
Since I have legitimate users communicating all over the world, I am
very interested in other rulesets that would block spam in languages
besides English. Not sure
59 matches
Mail list logo
