Jeff Chan wrote:
Got some spams with apparently a single letter per gif, like
a ransom note, with different color backdrounds, capitalization,
fonts, etc., *per letter*. Is this new?
I started noticing these around the 1st of November. Between the
evening of the 2nd and the afternoon of the
I'm wondering which rules you have that flagged that so well. The same spam
message for me scored low: (X-Spam-Status: No, score=2.1 required=4.9
tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID
autolearn=no version=3.1.7). I'm using all default rule sets, network t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matt Kettler wrote:
> Gilles Hamel wrote:
>> Hello,
>>
>> We are running v3.1.5 with mimedefang.
>> Here is our setup :
>>
>> our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE
>> w.x.y.z / INTERNET
>>
>> In the local.cf
Garry Glendown writes:
> Matt Kettler wrote:
> > In general I'd take a look at the sizes of the rule files themselves..
> > Look for ones that are significantly larger than 128k or so.
>
> Of those, there only few:
>
> -rw-r--r-- 1 root root 384645 Oct 30 2005 70_sare_header.cf
> -rw-r--r-- 1
are you using sa-update?
--j.
Quinn Comendant writes:
> I'm wondering which rules you have that flagged that so well. The same spam
> message for me scored low: (X-Spam-Status: No, score=2.1 required=4.9
> tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE,
> TRACKER_ID autole
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Justin Mason wrote:
> there's a rule that matches them in 3.1.x sa-update, fwiw.
>
>
Really? Mine is up to date & they still get through...
One thing I've noticed is the envelope return path... Watching this
morning, they all seem to be from 'debora@
Hello,
Thanks for " logging" tip.
How should I disable razor logging exactly?
This is what I have in razor-agent.conf:
#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.82
# Thu Oct 26 12:17:46 2006
# Created with all default values
#
# see razor-agent.conf(5) man page
#
debuglevel
Hi,
I've just run sa-update on my 3.1.4 box and it's not picked up anything
new. In fact it looking at the dates on the files it looks like there
haven't been any updates to these rules since the first time I ran
sa-update back in August.
Is sa-update only supporting the newer releases of 3.1.x?
Hello,
Thanks for " logging" tip.
How should I disable razor logging exactly?
This is what I have in razor-agent.conf:
debuglevel = 3
Best Regards,
Leon Kolchinsky
debuglevel = 0
Gary V
_
Try Sea
Hi,
about a week ago my server started experiencing load problems and
eventually closed all connections. It is running at an ISP and has
lots of software preconfigured including spam assassin configured by
the ISP. There are currently two problems: spamd is nearly
monopolising the CPU but
The SARE stocks ruleset would have caught this thing too, I suspect.
Loren
They mostly only hit bayes (running 3.1.7).
ImageInfo.pm is very helpful here
0.0 HTML_MESSAGE BODY: HTML included in message
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
3.0 DC_GIF_UNO_LARGO Message contains a
has anyone got a good corpus of mail from this mail tool?
I hear many anti-image-spam rules have a tendency to FP on its
output and I'd like to try to avoid this (where possible).
--j.
so short circuting tflags is only available on the trunk code?
On Nov 7, 2006, at 10:55 PM, Loren Wilton wrote:
So today is it possible to simply do a head test and if it
indicates unwanted
language or whatever to not scan the body?
If by "today" you mean using the currently unreleased trun
* On 08/11/06 13:57 +, Justin Mason wrote:
| has anyone got a good corpus of mail from this mail tool?
| I hear many anti-image-spam rules have a tendency to FP on its
| output and I'd like to try to avoid this (where possible).
Hmm, I wish I had, but yes, I do agree with the fact that alot of
On Wed, 8 Nov 2006, Odhiambo Washington wrote:
> Well, I have told my MTA to reject mail that scores above 7, so
> yes, I am responsible for these "not getting there", but SA is
> responsible for the high scores, which is what I am trying to
> address.
IMHO (and, I believe, in common practice) 7
Title: RE: IncrediMail?
> has anyone got a good corpus of mail from this mail tool?
> I hear many anti-image-spam rules have a tendency to FP on its
> output and I'd like to try to avoid this (where possible).
>
> --j.
Yes they do FP. I hate that nasty hunk of bloated junk. I do not have a
My web hosting service is running SA 3.1.6. When I do an sa-learn, I get
"config: could not find site rules directory".
Anyone know what this is all about? Is there anything that needs to be
fixed? Here is an example output from 'ssh':
[~]# cat newspam | sa-learn --mbox --spam
config: could not
Justin Mason wrote:
has anyone got a good corpus of mail from this mail tool?
I hear many anti-image-spam rules have a tendency to FP on its
output and I'd like to try to avoid this (where possible).
--j.
It may not matter, but if you provide unlimited free tech support as we
do, Incredimail
On Wed, November 8, 2006 09:52, Quinn Comendant wrote:
> I'm wondering which rules you have that flagged that so well. The same spam
> message for me scored low: (X-Spam-Status: No, score=2.1 required=4.9
> tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID
> autolearn=
rothmail wrote:
> My web hosting service is running SA 3.1.6. When I do an sa-learn, I get
> "config: could not find site rules directory".
>
> Anyone know what this is all about? Is there anything that needs to be
> fixed? Here is an example output from 'ssh':
>
> [~]# cat newspam | sa-learn --mbo
disregard
Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax: 212-941-5563
Mailto: [EMAIL PROTECTED]
Title: RE: SA filter load: massive increase
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 08, 2006 5:00 AM
> To: Garry Glendown
> Cc: Matt Kettler; users@spamassassin.apache.org
> Subject: Re: SA filter load: massive increase
I have a slight "problem".. I thought I'd finally start using sa-learn
to train the Bayes, the catch is that I have Cyrus and its mailboxes on
another server.. I transport the mail via LMTP to Cyrus.
So, is there a smooth way to use sa-learn on the remote IMAP folders, or
do I have to mount it
Anders Norrbring wrote:
I have a slight "problem".. I thought I'd finally start using sa-learn
to train the Bayes, the catch is that I have Cyrus and its mailboxes on
another server.. I transport the mail via LMTP to Cyrus.
So, is there a smooth way to use sa-learn on the remote IMAP folders,
Hi all. So I've got a DNSBL I want to use with SpamAssassin that
wasn't included in the stock install. My question (and there's an
alarming lack of anything useful in this area... wiki anyone on the SA
site?) is if my syntax and placement are correct for what I've done.
In my local.cf file, I've
Does sa_lean -spam ... feed razor report if installed?
If not, does either feed their stdin message input back to stdout to enable
chaining?
On Wed, Nov 08, 2006 at 07:18:04PM +0200, David Baron wrote:
> Does sa_lean -spam ... feed razor report if installed?
no. sa-learn is bayes only.
> If not, does either feed their stdin message input back to stdout to enable
> chaining?
Nope. But you could look at "spamassassin -r" which both
Am 08.11.2006 um 14:05 schrieb Charlie Clark:
Is it possible to get more information from spamd about why it's
taking so long? Thanks for any help.
Okay,
I have managed to get logging and debugging enabled --syslog file --
debug
which will put debugging information in /spamd.log
It seems
Title: RE: IncrediMail?
From: Chris Santerre
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006
9:27 AM
To: '[EMAIL PROTECTED]';
users@spamassassin.apache.org
Subject: RE: IncrediMail?
> has
anyone got a good corpus of mail from this mail tool?
> I hear man
On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote:
> 2006-11-08 17:31:00 [9733] i: debug: refresh: 9733 refresh /home/
> confixx/web1p2/.spamassassin/bayes.lock
>
> Is this standard behaviour? It seemed okay when the lock is acquired
> but seems to spend most of its time actually re
On Wed, November 8, 2006 11:38, Hamish Marson wrote:
> One thing I've noticed is the envelope return path... Watching this
> morning, they all seem to be from 'debora@'
debora wrote: in subject at the same time ?
--
"This message was sent using 100% recycled spam mails."
Am 08.11.2006 um 18:43 schrieb Theo Van Dinter:
On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote:
2006-11-08 17:31:00 [9733] i: debug: refresh: 9733 refresh /home/
confixx/web1p2/.spamassassin/bayes.lock
Is this standard behaviour? It seemed okay when the lock is acquired
but see
> ...Incredimail is a drag on your staff. Luckily we now only have a few
> users with Incredimail. We had over a thousand, and we had calls
> constantly.
Btw, this incredible mailer is also the one which leaves
empty lines (TAB only) in the header when it tries to wrap
a long header field such as
On Wed, 8 Nov 2006, Dylan Bouterse wrote:
> Would it be a bad idea to write a rule to give a negative score
> when the string, META content="IncrediMail is found in the body?
Probably. That's trivial for spammers to forge on an image spam.
--
John Hardin KA7OHZICQ#15735746http://www.imp
Mark Martinec wrote:
...Incredimail is a drag on your staff. Luckily we now only have a few
users with Incredimail. We had over a thousand, and we had calls
constantly.
Btw, this incredible mailer is also the one which leaves
empty lines (TAB only) in the header when it tries to wrap
a long hea
On Wed, 8 Nov 2006, DAve wrote:
> Yep, among other things it does. I'm not so certain that I would call SA
> hitting an Incredamil message as an FP.
How about calling it "a waste of resources"? It'd be *much* better to
reject IncrediMail at the MTA level using milter-regex et. al. on the
User-Ag
Hello to all.
I'm currently running spamassassin-3.0.4-1 on a CentOS 3.8 server, along with
sendmail-8.12.11-4.RHEL3.6. I don't want to upgrade either just yet. But, I
do want to keep SA default rules up to date. Alas, sa-update doesn't work;
it simply doesn't do anything that I can see, and
Quinn Comendant wrote:
I'm wondering which rules you have that flagged that so well. The same spam
message for me scored low: (X-Spam-Status: No, score=2.1 required=4.9
tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID
autolearn=no version=3.1.7). I'm using all def
John D. Hardin writes:
> On Wed, 8 Nov 2006, DAve wrote:
> > Yep, among other things it does. I'm not so certain that I would call SA
> > hitting an Incredamil message as an FP.
>
> How about calling it "a waste of resources"? It'd be *much* better to
> reject IncrediMail at the MTA level using
D.J. wrote:
Hi all. So I've got a DNSBL I want to use with SpamAssassin that
wasn't included in the stock install. My question (and there's an
alarming lack of anything useful in this area... wiki anyone on the SA
site?) is if my syntax and placement are correct for what I've done.
In my l
I've added three procmail rules in the last few days to combat the deluge
of these (and other) spams. I figure that these are all passing fads and
aren't worth writing SA rules. YMMV, of course, but in my case, the
procmail method works best.
:0
* ^subject:.*your concert tickets reservation
.spam
On Wed, 8 Nov 2006, Justin Mason wrote:
> John D. Hardin writes:
> > On Wed, 8 Nov 2006, DAve wrote:
> > > Yep, among other things it does. I'm not so certain that I would call SA
> > > hitting an Incredamil message as an FP.
> >
> > How about calling it "a waste of resources"? It'd be *much* be
"max-children (set to 1 in this case)."Why 1???How many email to you received by day? (or by minute???)Francois Rousseau2006/11/8, Charlie Clark <
[EMAIL PROTECTED]>:Am 08.11.2006 um 18:43 schrieb Theo Van Dinter:
> On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote:>> 2006-11-08 17:31:0
I just received an email the other day that had mime headers including:content-type: text/plaincontent-transfer-encoding: base64and the message was encoded in base64, but to the client, it looks like regular text including a geocities spam message. It was only picked up by the MIME_BASE64_TEXT rul
Title: RE: IncrediMail?
> -Original Message-
> From: John D. Hardin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 08, 2006 1:05 PM
> To: Dylan Bouterse
> Cc: users@spamassassin.apache.org
> Subject: RE: IncrediMail?
>
>
> On Wed, 8 Nov 2006, Dylan Bouterse wrote:
>
> > Wo
One thing I've noticed is the envelope return path... Watching this
morning, they all seem to be from 'debora@'
debora wrote: in subject at the same time ?
No. (Finally got my first one of these.)
Loren
> Is there a way to get rules to pass for both plain and base64 encoded
messages?
There are three stages or so to mail decoding:
1 The raw mail body
2 The body after undoing any compression/encoding
(base64)
3 The body after any HTML rendering
'body' rules handle case 3.
Both 'full'
On Wed, Nov 08, 2006 at 02:56:26PM -0500, Steven Kiehl wrote:
> Is there a way to get rules to pass for both plain and base64 encoded
> messages?
SA handles quoted-printable and base64 encodings, so yes, already happens.
> My current rule that failed is like this:
> body IPBL_6/geocities\
On Wed, November 8, 2006 18:42, Dylan Bouterse wrote:
> Would it be a bad idea to write a rule to give a negative score when the
> string, META content="IncrediMail is found in the body?
any negative scores will be abused by spammers :(
PS: disable html in your mua when posting to maillists
-
Am 08.11.2006 um 20:51 schrieb François Rousseau:
"max-children (set to 1 in this case)."
Why 1???
That's the default for servers run by this ISP. Do you have a
suggestion?
How many email to you received by day? (or by minute???)
Excluding spam it's probably less than 50 per day for a
On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote:
> >How many email to you received by day? (or by minute???)
>
> Excluding spam it's probably less than 50 per day for all accounts on
> this server! So there shouldn't ever be a problem. I *think* that the
> changes I've made today
We just started getting a ton of these. Is there an SA ruleset that I can
grab or do I just have to write my own.
Jason
-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 3:26 PM
To: users@spamassassin.apache.org
Subject: Re: Block "wrote
John D. Hardin wrote:
On Wed, 8 Nov 2006, Justin Mason wrote:
John D. Hardin writes:
On Wed, 8 Nov 2006, DAve wrote:
Yep, among other things it does. I'm not so certain that I would call SA
hitting an Incredamil message as an FP.
How about calling it "a waste of resources"? It'd be *much* be
Am 08.11.2006 um 22:45 schrieb Theo Van Dinter:
On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote:
How many email to you received by day? (or by minute???)
Excluding spam it's probably less than 50 per day for all accounts on
this server! So there shouldn't ever be a problem. I *
Write your own:
header LR_WROTE_SUBSubject =~ /\bwrote\b\:/i
describeLR_WROTE_SUBWrote in Subject
score LR_WROTE_SUB3.0
Thanks for the members that made them earlier.
I just repeat them because they do a nice
Hi everyone,
I've tried on apache and SARE and bsd sites to find the documentation on
installing sa-stats , I have found the the actual sa-stats.pl but I dont
know how to go about installing it on BSD any guidance would be appreciated.
Freebsd 5.4
exim
sa 3.1.7
Jean-Paul Nat
A few spams have slipped by that contain HTML that is appearing as
normal text (due to them not getting something right).
For example:
and you may havecontempt seemed abundantly increasing with the
length of his second speech, and at the end of it heand the
mortification of kitty
Is there a rul
Am 08.11.2006 um 23:00 schrieb Charlie Clark:
Am 08.11.2006 um 22:45 schrieb Theo Van Dinter:
On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote:
How many email to you received by day? (or by minute???)
Excluding spam it's probably less than 50 per day for all
accounts on
thi
Am 09.11.2006 um 01:18 schrieb Ron:
A few spams have slipped by that contain HTML that is appearing as
normal text (due to them not getting something right).
For example:
and you may havecontempt seemed abundantly increasing with the
length of his second speech, and at the end of it heand the
Hi,
I am using ifspamh 1.5 with spamassassin and qmail. I guess there might
be a bug in this script that let some emails through, whcich should be
treated as a spam.
Do you know if there is a new version of the script or something I can
use instead?
Thank's
Wojtek
On Wed, November 8, 2006 22:53, DAve wrote:
>> John Hardin KA7OHZ
> WB9VTB
how is spam on the radio networking ? :-)
--
"This message was sent using 100% recycled spam mails."
Charlie Clark wrote:
Looks like I'm on top of the resources problem but I am getting "421
delivery errors" even though the e-mails are coming through. This looks
very similar to bug 3828 (which is Spamassassin + Exim). Except this bug
should have been closed a long time ago.
Without looking
--On Friday, November 03, 2006 5:43 PM + Justin Mason <[EMAIL PROTECTED]>
wrote:
there's a rule that matches them in 3.1.x sa-update, fwiw.
I don't see it either. What's the name of the rule?
Dates on files in /var/lib/spamassassin are 20061024.
I ran sa-update -D and got this at the en
>> A few spams have slipped by that contain HTML that is appearing as
>> normal text (due to them not getting something right).
>>
>> For example:
>>
>> and you may havecontempt seemed abundantly increasing with the
>> length of his second speech, and at the end of it heand the
>> mortification o
On Thu, 9 Nov 2006, Benny Pedersen wrote:
> On Wed, November 8, 2006 22:53, DAve wrote:
>
> >> John Hardin KA7OHZ
> > WB9VTB
>
> how is spam on the radio networking ? :-)
{Field Day flashbacks}
--
John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]FAL
Kenneth Porter wrote:
--On Friday, November 03, 2006 5:43 PM + Justin Mason
<[EMAIL PROTECTED]> wrote:
there's a rule that matches them in 3.1.x sa-update, fwiw.
I don't see it either. What's the name of the rule?
I looked at this a few days ago when Theo mentioned it, and forgot to
r
--On Thursday, November 09, 2006 1:21 AM + [EMAIL PROTECTED] wrote:
I really dislike html in mails - whether in the right mime part or not -
but I have seen many legitimate mails that get mime stuff wrong. Of
course these are not normal mail clients, but server generated mails like
order con
> -Original Message-
> From: Kenneth Porter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 08, 2006 10:06 PM
> To: users@spamassassin.apache.org
> Subject: Re: Rule for raw HTML
>
> My manufacturing company is very picky about accepting
> physical inputs from
> vendors. We shoul
On a certain box we ran a successful current sa-update
Later on, I went back and ran
sa-update -D
in it was this
[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module not
There is no such thing as a false positive on Incredimail. I am quite
pleased to have it relegated to the spam bucket.
{^_-}
- Original Message -
From: "Justin Mason" <[EMAIL PROTECTED]>
has anyone got a good corpus of mail from this mail tool?
I hear many anti-image-spam rules have
--On Wednesday, November 08, 2006 8:52 PM -0800 R Lists06
<[EMAIL PROTECTED]> wrote:
[7317] dbg: diag: module not installed: Mail::SPF::Query ('require'
failed) [7317] dbg: diag: module not installed: IP::Country::Fast
('require' failed) [7317] dbg: diag: module not installed:
Razor2::Client::A
Hi all,
I am running SA 3.1.1. I have seen that sometimes spamd processes using
up a lot of CPU. The cpu load goes up very high to ~ 10. I have checked that
RAM is not the problem since free shows that memory is still free. I have 1
GB RAM. Another thing is that my AWL file is around 85 MB.
K Anand wrote:
> Hi all,
>
> I am running SA 3.1.1.
Warning: if you use the -v and -P options to spamd, your version is
vulnerable to a remote code exploit. This is not a typical setup, but
you should be aware of it.
http://wiki.apache.org/spamassassin/Security
> I have seen that sometimes sp
- Original Message -
From: "Matt Kettler" <[EMAIL PROTECTED]>
K Anand wrote:
Hi all,
I am running SA 3.1.1.
Warning: if you use the -v and -P options to spamd, your version is
vulnerable to a remote code exploit. This is not a typical setup, but
you should be aware of it.
No
75 matches
Mail list logo
