Brett Romero wrote:
> I sent the following message through SA 3.0 on Windows.
>
>
> The following were returned:
> UPPERCASE_25_50 0.10 message body is 25-50% uppercase
> MISSING_SUBJECT 1.40 Missing Subject: header
> ALL_TRUSTED -2.80 Did not pass through any untrusted hosts
>
J Thomas Hancock wrote:
> Part 1:
>
> My boss is convinced that SpamAssassin can delete an email if it
> crosses a certain hit threshold. Everything I have read states that
> SpamAssassin can only add a flag to the message (be it a subject
> rewrite, something in the header, ect) and that the MTA,
Matt Kettler wrote:
> Looking at my MRTG graphs, spam-rate is pretty much a constant here.
Same here, it's about 1,200-1,400 per hour for us. This stays constant 24
hours a day for us. In the past 48 hours, the lowest point was 11pm on Oct.
13th with only 800 spam, and the high point of 10pm on
Here is the rule from 3.0
header __SANE_MSGID MESSAGEID =~ /^<[^<>\\ [EMAIL PROTECTED]<>\\
\t\n\r\x0b\x80-\xff]+>\s*$/m
header __HAS_MSGID MESSAGEID =~ /\S/
header __MSGID_COMMENT MESSAGEID =~ /\(.*\)/m
meta INVALID_MSGID __HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT)
describe INVALID_MSGID
Kai Schaetzl wrote:
> For about 48 hours I see an increase in attempts to unload spam to our
> clients.
For the past 12 months I have seen endless attempts to send mail to invalid
addresses. I get 1,000 per hour, every hour for every day of the working
week. Off hours is slightly lower, during p
Kai Schaetzl wrote:
> J Thomas Hancock wrote on Fri, 22 Oct 2004 16:20:12 -0500:
>
>> We want our users to set their own custom delete levels and marking
>> levels.
>>
>
> Deleting messages doesn't make much sense. You want to quarantine
> them and reject as much as possible at MTA level. But delet
Kris Deugau wrote:
>> I'ld also like to drop, bounce, whatever mail that has certain words
>> in the subject, such as rolex, penis, viagra, etc.
>
> *VERY*, **VERY** dangerous in an ISP environment!! I would STRONGLY
> recommend AGAINST this. It has far too much potential to backfire on
> you.
>
Oliver Thalmann wrote:
> is it possible in spamassassin (via regexp ?) to test for a
> "sandwiched" X-Message-Info: header between Received: headers ?
There is a default rule since 3.0 which looks for X-Message-Info, it's
scored pretty high too, which version of SA are you using?
Install ClamAV and it'll help you with viruses, SA is a mail filter which
does not do virus checking.
Chris Santerre wrote:
>> Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth:
>>> Thomas
>>>
>>> what extra rules above the standard SA ones have you got? Any from
>>> www.rulesemporium.com ?
>>
> None of these have been tested yet. Use at your own risk. Do not
> operate while under heav
---#
I do hope people read the comments at the top of the rulefile before added
them to their systems!
Fred
francois.baert wrote:
> Hello,
>
> Spamassassin-3.0.2 running on redhat9.0
> spamassassin --lint gives a list of warning like this:
> warning: description for REMOVE_PAGE is over 50 chars
> warning: description for FROM_WEBMAIL_END_NUMS6 is over 50 chars
> ...ie
> lint: 171 issues detected.
>
> Wh
Slightly off topic but does Sendmail 8.12 add a subject when one is not
present?
Matt Kettler wrote:
> Russell P. Sutherland wrote:
>
>> Is there a test that one can construct that would
>> assign a weight to a message that is missing
>> a certain header, completely? In my case, no Subject
>> line
wolfgang wrote:
> In an older episode (Saturday 30 April 2005 14:45), Theo Van Dinter
> wrote:
>> "=3d" is quoted-printable encoding for "=", "=2e" for ".", etc...
>> SA handles "proper" encoding (it handles a lot of non-proper encoding
>> as well), but doesn't make guesses if the MIME part says th
Steve Lake wrote:
> I'm curious. How well does SA do with handling phishing spam and is
> there stuff built into it to identify and nail these kind of emails?
> I'm just curious because I heard that in just the past 5 months
> Netcraft has logged over 5600 unique phishing sites on the net, so I
>
Chris Lear wrote:
> I've removed the SARE forged rules now altogether, and
> most of the remaining spam scores under 50 (just one 52.9 yesterday).
>
> Chris
Nope no citibank here, just making a generic rule like the rest, if you give
me some info on what's wrong with it, I'll gladly fix it. Just
Post your e-mail address to some public newsgroups, get yourself active on
anyplace that posts live e-mail addresses, if you built it (your name
everywhere) they (spammers) will come.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
Johnson, S wrote:
> An
Chris Santerre wrote:
> Long answer: Multiple meta rules. Take to much computational effort.
> The regex isn't slick for these type of rules either.
The multiple meta rules are the easiest approach to doing this. I have a
number of rulesets which use this trick to count different things. Not
exa
George Breahna wrote:
> Not sure why this is happening but I just received an e-mail that I
> use ONLY with go daddy. The e-mail is: [EMAIL PROTECTED]
I receive occasional spam to my e-mail used only for whois with Network
Solutions, i wouldn't accuse them of selling my addy but I would think it's
Ben Hanson wrote:
> Shortly after the first of the year, I noticed the percentage of spam
> messages for our organization dropped consistently by 10-15%.
> Ben
I see between 83-85% spam.
We use SARE rules + my own home-brew rules + the new BLACK uribl lists +
unreleased SARE rules.
In the past 24
Kevin Peuhkurinen wrote:
> Having gotten the spam under control, I found that I was getting
> bombed with tons of bounces as well. So I made up a quick ruleset
> to stop undeliverables due to the german spam, using Raymond's
> ruleset as a starting point. You can get it here:
I was working on s
jimsheffer wrote:
> config: SpamAssassin failed to parse line, skipping: rewrite_subject 0
> config: SpamAssassin failed to parse line, skipping:
> always_add_headers 1 config: SpamAssassin failed to parse line,
> skipping: auto_learn 1
Those 3 config options are no longer supported.
In the readm
Hamie wrote:
> How do you count 'unknown users'? Accurately I mean...
>
> Assuming you don't accept email in the first place if the user is
> unknown (Or you might I guess, but it seems like un-necessary
> processing to me) most spammers that I can see in our logs just keep
> re-trying again & agai
You have a .cf file with HTML code in it. Most likely Rules-du-jour or
something went bad on you recently and downloaded a webpage insted of a
rulefile. Search for the string in your rules and see if you find
one that's obviously wrong.
Frederic Tarasevicius
Internet Information Services, Inc.
h
Ronan McGlue wrote:
> is there an 'easy' way to get a grpahical representation of how well
> SA is doing??
> preferably something flashy with lots of primary colours for the
> managment elite??
I use MIMEDefang with GraphDefang, it's easy to add your own graph features,
I recommend it!
martin smith wrote:
> I had a rule I was working on, it works on the example u pasted, be
> interested if this works, if not if you could send me a sample to
> work on.
> Use at your own risk has I havent checked it that well for FP's
Martin,
I checked your rule for FPs for you, the results are:
U
I am checking it now, I will have results in a few minutes.
wrote:
> Have you run it through the corpus tests?
>
>
>
I forgot to reply all when I sent this, the group should have access to this
trick too.
Steve Roemen wrote:
> Thanks, this should do the trick.
> Steve
>
> on 06/17/05 12:37 Fred wrote the following:
> One possible work around to this would be create a meta rule that
> fires
You need to set the option in MIMEDefang to allow network tests to run in
SpamAssassin. I'm fairly sure it's in your mimedefang-filter file. Check
with the MIMEDefang folks if you need more help.
Montse Seisdedos wrote:
> Hello:
>
> I use mimedefang+spamassassin+clanv kit.
>
> I can't get these
> I am also attaching the actual message which it fails on. File
> failingmessage.txt.
Does anyone else think it's kind of bad that Symantec is sending a
newsletter with it's entire subscribed base in the CC field? I wonder if
they have heard of BCC or mailing list software?
Mike Jackson wrote:
> For instance, they show the last updated
> date on 70_sare_random.cf as 2004-05-17, while you and I both have
> the date as 2005-06-01.
Yes we are aware of this issue, the site has changed owners a couple times
and during those transitions we had to change the way we updated
DJ... :-(
Hello again,
No I'm saying the page is out-dated but the links point to the current
rulesets. As you said, the page that reflects them needs work. All our
released rules are always placed on that page, it's just we often get lazy
and don't update the page when we update the rules.
Fred
George Georgalis wrote:
> Argument "REPORT" isn't numeric in
> subroutine entry at /usr/share/perl/5.6.1/IO/Socket/INET.pm line 223,
> line 58. 2005-09-07 13:49:11.026387500 Argument "REPORT" isn't
> numeric in subroutine entry at
> /usr/share/perl/5.6.1/IO/Socket/INET.pm line 223, line 58.
> 200
You have a permissions problem, plus you are running duplicate rules..
Remove the tripwire.cf file as you are using a newer version called
99_FVGT_Tripwire.cf
That file was updated months ago with a new name, now it's called
88_FVGT_Tripwire.cf I'm not sure why we changed that but we had good
reaso
Martin Hepworth wrote:
> Looking in /usr/local/share/spamassassin/25_uribl.cf the black and
> grey URI-RBLs are in their by default you so you'll need those.
I don't have URIBL-BLACK or GREY in my 25_uribl.cf file, I checked the
sources and it wasn't there either...
i(?:ke|chael))\b/i [if-unset: Mike]
scoreNOT_MY_NAME 0.5
This way if name is not given, it defaults to Mike. It's untested but looks
right.
Fred
Which version of Net::DNS are you using?
Florian Effenberger wrote:
> Hello,
>
> after fixing the first problem with my SA 3.1.0 installation due to
> Theos help (thanks again!), I have another one. Atfer starting up SA,
> I receive
>
> # /etc/init.d/spamassassin start
> Starting SpamAssassin M
Florian Effenberger wrote:
> I suppose it is 0.34. What is the Perl command to find this out?
Go into CPAN and issue:
i Net::DNS
It'll respond with the version number. I was looking for a 1-liner to do
this and don't know perl good enough to be more help.
I have been seeing a large increase in spam overall, I wouldn't be so sure
if it's anything you caused.
Matthew Lenz wrote:
> so much spam is getting in since I switched to sarge. anyone else
> have this problem? it looks like the tests are working but stuff
> that is so obviously spam is get
Run spamassassin --lint on this server and fix the errors you have and then
once all is running well, go back and try rulesDuJour. You'll get better
results for sure :)
Thijs Koetsier | Exception wrote:
> Hi,
>
> No, I did not.
> I just re-installed Rules Du Jour and am using Spamassassin 3 on t
Matthew Yette wrote:
> For those who went from 3.0.4 to the latest release candidate, would
> you say it's a worthy upgrade? Where do you see the largest benefits?
> Is it overall a good move if you're currently pretty satisfied with
> 3.0.4?
>
> Matt
I love the new ReplaceTags plugin, I would rec
Thijs Koetsier | Exception IT wrote:
> X-Spam-Status: Yes, score=5.4 required=5.0
> tests=AWL,BAYES_00,HTML_60_70,
> HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
> HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
> MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
> USER_
Bret Miller wrote:
> You would think that whitelist should be given a lower number than
> -1.0. Otherwise, how does it counteract the many other rule additons.
>
> How about adding:
> score USER_IN_WHITELIST -20
> score USER_IN_WHITELIST_TO -20
> to your local.cf so that it does actually "whitelist
Thijs Koetsier | Exception IT wrote:
> So, now that I've replaced by 50_scores.cf (thanks Fred), I'm getting
> the 150 warnings back. They're all of the type:
Redownload the spamassassin package and extract that file again. It sounds
like you have an older version of that file.
Pierre Thomson wrote:
> Bottom line: SARE_FORGED_EBAY is working just fine!
I have to agree with what you said, my lil FORGED_EBAY rule has been working
good for a year and a half here!
Fred
Just a heads up we updated the spoof ruleset to include 33 new bank spoofs.
Data collected from phish archive websites and suggestions from fellow users
aided in this update.
http://www.rulesemporium.com/rules/70_sare_spoof.cf
Fred
#357
[17344] warn: config: failed to parse line, skipping: razor_timeout 10
joe wrote:
> I am running SpamAssassin version 3.1.0 running on Perl version 5.8.5
>
> When I run the spamassassin -D --lint, I am receiving an error but I
> can not find the reason in the debug. Can someone point out my
ther old and doesn't contain any
> rules for
> these variants.
>
> It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything
> close to %NAME_TO.
>
> Perhaps Fred Tarasevicius needs to make an update.
>
> Adding NAME_FROM is easy:
> header
Title: Out of Office AutoReply: *SPAM* Re: Stupid spammer rule
Can we have this account removed from the
list...
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 25, 2005 5:47 PM
Subject: Out of Office AutoReply: *SPAM* Re:
jdow wrote:
> Well, you sort of got it. But the from IS paypal.com, it claims. And
> there is no appropriate paypal received from.
>
The Spoof rules look specifically for paypaL.com in the from line, this guy
used paypaI notice I not L, I'll include this mis-spelling in the next
update of the spoo
List Mail User wrote:
> They should hit a well trained BAYES
They get some from bayes but not enough, I hand feed every one I get into my
bayes and each new run always comes up with less bayes score.
The past few I received got:
BAYES_60
BAYES_60
BAYES_80
BAYES_95 <- I think this one was a few we
I made changes to the spoof set, no more 104 points for any rules.
I added meta's to check for whitelist_from, if whitelist_from hits AND
sare_forged_(ebay|paypal|etc) then we score 100 points. This way, if
people don't whitelist then the spoof will only score 4.0 from our
ruleset.. If it's a sp
There are not any updates available yet, the SA
devs are working to make this feature available, at this time, everything is
still being setup and tested for when this goes live. The commands are
there but the back end isn't entirely ready yet. Other channels are if /
when other rule-write
Craig Zeigler wrote:
> I have been getting hundreds of these messages per day and don't know
> how to stop them. The bayes is only come back at 60%.
>
> They are the messages advertising drugs with a random subject (yes, I
> know, one of the many) The filename is Part 1.1.jpg. There is no virus
> t
Well I am looking at list
and Google and I didnt read nothing about how to change this
configuration..
Where I change this?
Any
help?
The most funny is that when
I receive a message outside my Email server or from my web mail ( IMP
HORDE) everything work fine.. This just happens when
More troubles..
Iam using Spamassassin last one, user at sql, qmail
and qmailscan 1.25st.
When i receive email outside from my email server,
everything is working fine..
But when i send from a client and using my email
server. the spamassassin is using the recipient username and email in pl
g mail and process it, rather than letting
it continue through the suboptimal default SA install. Can someone point me
in the right direction?
Thanks,
Fred
--
View this message in context:
http://spamassassin.1065346.n5.nabble.com/Using-alternate-SA-in-individual-user-account-tp100540.html
Sent from
eek.
From 40k on the weekend to an average peak of 54k weekdays.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
It returns what looks like gibberish, (high-ascii) characters.
With full rules being replaced with rawbody in 3.2, what would be the
best way to write a rule to catch the attached message.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
B0043097815.MSG
Descripti
_RULE
meta SOME_FOO_RULE(!__FOO1 && __FOO2 && SOME_RULE)
else
body SOME_RULEb /[s5][oO]m[e3] f[o0][o0]/i
meta SOME_FOO_RULE(!__FOO1 && __FOO2 && !SOME_RULEb)
endif
This would most likely only benefit 3rd party rule developers but wh
it so
I'm guessing I'm crazy but I swear this isn't how it always worked.
--
Best regards,
Fred
I know it's been this way, there's probably a really old bugzilla
ticket someone can dig up, but it's been around since 2.64 or earlier.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
inted out, the best bet might be the use of a new
config item / plugin. something like:
ifplugin mxhelo
mx_helo_name mx.host.tld host.tld d.d.d.d
headerHELO_AS_ME eval:check_for_my_mx()
score HELO_AS_ME 0.1
endif
I'll create a ticket for enhancement.
--
o my numbers, about 17% of mail passing SA is considered
spam by the time I'm done writing rules after it's already entered my
system. I block at 6.0 and use no RBL's. I do write custom rules
daily.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
Hello Alan,
Wednesday, November 29, 2006, 8:23:14 PM, you wrote:
> -0.0 P0F_UNIX OS fingerprint BSD/Solaris/HP-UX/Tru64
I'm curious about P0F_UNIX could you share this rule with me? And any
similar fingerprint rules? Thanks!
--
Best regard
gt; figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?
For all those interested, I opened a ticket for enhancement based on
this idea. See: http://issues.apache.org/SpamAssassin/show_bug.cgi?id
,user=$recipz,autolearn=no");
}
--cut--
Watch for line wraps, and I'm not sure if I had to make any other
changes besides this, but this is all I can see from looking at my
filter.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
Hello Dan,
Sunday, January 14, 2007, 1:52:36 PM, you wrote:
> I got a hit on SARE_FORGED_BANKOFA. It's a 3 pointer (using sa-update).
I updated this rule just now!
Thanks for the notice!
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
h involved?
> Where can I find documentation of this? Any suggestions would be greatly
> appreciated.
As a side note, have you seen the reverse engineer sha1 and md5 search engine
yet?
http://md5.rednoize.com/
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
Hello Justin,
Thursday, January 18, 2007, 9:22:14 AM, you wrote:
> Hi all --
> we're going to be starting the mass-checks for 3.2.0 RSN. These will be
> used to generate an up-to-date score set for that release.
Should we run sa-update before we begin the mass-check? I'm just
curious if or
options to deal with this problem?
This message is also cluttering the output from mass-check making it
difficult to keep an eye on the progress.
Thank you,
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
Hello R,
Tuesday, January 23, 2007, 12:53:00 PM, you wrote:
> Thanks, if anyone out there running some or a lot of the FRED rules with a
> lot of success or should we only run certain ones in general
> Bottom line is, I don't know how aggressive or not the rulesets are etc
>
res with your own, the best solution here is to use
svn 3.2 and sa-update to get those of my rules that are performing
good.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
n update the latest release, start the
mass-checks as outlined on the wiki page and send away when we are
done?
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
ve in my ftp, has no icon.
> So perhaps that's not the way...
If you are using Windows and want to edit .cf files, I recomment
Crimson Editor. It's free and installs easily, add a shortcut to your
sent to folder and easily open files in Crimson in any format. It
even has a cut
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
log # mass-check rules
perl ./mass-check -p=$PWD --progress -n -j 2 --loghits --mid $netparm
$tailparams --mbox ./corpus.spam/* >spam.log
So this appears to be a minor bug with the --progress switch on
mass-check.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
3/22/06
#counts FB_SAVE_LEO 31s/0h of 111691 corpus (74068s/37623h DOC)
03/22/06
Watch for line wraps!
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
I noticed this when installing
this script on my server. So just cause it says it hit 8.18% of ham,
doesn't really mean those hits were really on ham, only what SA
thought was HAM... hth
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
0 if the message is going
to get -100 from the whitelist. In the end, the message is still
only going to get 4 points from the forgery. I suggest if you feel
comfortable with this, just add a score line to your local.cf and
give it any score you feel comfortable with ;)
--
Best regard
said it is not good
> at it.
See bugzilla:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4691
If accepted / it would allow for rules to use a tflags multiple
keyword to indicate the rule looks for multiple matches.
--
Best regards,
Fredmailto:[EMAIL PROTECTED]
#x27;m not sure why
the sudden increase in false negatives.
--
Fred W. Bacon <[EMAIL PROTECTED]>
Rigid Rotor
I have been using it for 6 month and it is very helpful and accurate when used
as a plugin for spamassassin.
Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
[EMAIL PROTECTED]
www.thehill.org
-Original Message-
From: Blaine Fleming [mailto
t; error: Bad exit status from /var/tmp/rpm-tmp.45769 (%check)
>
>
> Any thoughts?
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX Austin Energy
> http://www.austinenergy.com
>
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
I am getting the same make test errors on Centos 3.0, fedora 2, and
Centos 4.2
Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
[EMAIL PROTECTED]
www.thehill.org
84 matches
Mail list logo
