Hi all,
I'm using SA-3.2.5 on Linux and my system is being deluged with spam that
isn't being caught, apparently from botnets. I'm using botnet-0.7. The
subject is random and the "Received from" header is always an unresolvable
IP. Is there a more robust botnet plugin that may be more effective?
B
Hi John,
Botnet seems to have caught that just fine (it's listed in the rules
> which were triggered). The problem is either that you're running it
> at a lower score (which you could also do for Botnet0.8 if you wanted
> to upgrade -- their default scores are exactly the same), or you need
> oth
Hi Charles,
Received: from [78.97.185.89] (unknown [78.97.185.89])
>> Message-ID:
>>
>
> Do they all have message ID's that include the IP?
Yeah, great, it looks like they all do. Would something like this work?
header MYMSGIP Message-ID =~ /78.97.185.89/
score MYMSGIP 0.3
desc
Hi. I'm relatively new to spamassassin and perl scripting, and I must
already be doing a few things wrong that I hoped the list could help me to
solve. I'm receiving the following output when running "spamassassin -D <
spam-test.txt 2>&1|less"
[32692] warn: Number found where operator expected at
Hi Dan,
> Do I need the backslashes to escape the spaces?
>
> no, although \s would be fine.
>
Okay, so either \s or nothing at all works just the same?
> this can be much more effectively written as:
> /.spam\ssample./i
> That will match the words "spam sample" in the subject as long as ther
Hi Matus (and list :-)
> I'm not Dan. This is a mailing list. Many people read it and many can
> respond to your mail.
Yes, thanks, I had responded to him directly and probably didn't need to,
but the reply-to must not be set to the list address?
/spam sample/ will match the test anywhere on line
Hi all,
When I run "spamassassin -D --lint", I receive this output:
[14406] info: rules: meta test LOCAL_BAYES_RTF has dependency 'BAYES_99'
with a zero score
Which is it saying has a zero score?
BAYES_99 in 50_scores.cf is shown as:
score BAYES_99 0 0 3.5 3.5
The LOCAL_BAYES_RTF is a meta ru
>
>
> Post your entire scoring block for LOCAL_BAYES_RTF
meta LOCAL_BAYES_RTF (BAYES_99 && LOCAL_CTYP_RTF)
score LOCAL_BAYES_RTF 1.5
describe LOCAL_BAYES_RTF Rule by AS: Probably an Inline RTF spam
mimeheader LOCAL_CTYP_RTF Content-Type =~
/^application\/octet-stream.\
Hi,
I'm not sure this is an SA question specifically, but perhaps an amavisd-new
question that I hoped someone could help me to answer.
I'm using amavisd-new, postfix, and spamassassin for multiple domains. I'd
like to know if it's possible to permit per-domain forwarding of certain
attachment ty
Hi,
I guess I have more of a general sa-update question. I have sa-update
running against updates.spamassassin.org and these others:
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sc_top200.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
90_2tld.cf.sare.sa-update.dostec
Hi all,
I am stuck trying to figure out why the attached spam isn't caught properly.
In fact, BAYES_99 isn't flagged
and I know it should be, and the total score is 0.0, despite several rules
being flagged. The LOCAL_BODY_1577053434 and LOCAL_BODY_4046600451 both
catch the phone numbers and have a
Hi,
spamassassin 2>&1 -D --lint
>
> search here for missing perl modules
How effective are razor/pyzor and SPF/DKIM? I've always been a bit hesitant
to use any of those.
and the spam mail have all_trusted ?, you trust a spammer in
> trusted_networks
trusted_networks isn't at all defined. It l
Hi again,
and the spam mail have all_trusted ?, you trust a spammer in
> trusted_networks
I meant to add, how can I determine which IP it was that is being trusted,
anyway?
Thanks again,
Alex
Hi,
I'm receiving a lot of spam that I can't catch containing fields where the
recipient is supposed to enter their contact details, like this:
Full Legal Name :
Address :
City :
State :
Zip code :
Country :
Nationality :
Home and Cell # :
I've added specific rules that look for, say /Full Legal
Hi,
...actually, the rules sandbox in svn has been rearranged a bit since that
> announcement. The current ruleset lives here:
>
>
> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
>
> The updated ReplaceTags.pm is available at:
>
>
> http://svn.apache.org/vi
Hi,
ALL_TRUSTED is a bit odd. If you look back through the debug, it
> has identified untrusted relays:
>
> [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
> rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
> envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [
Hi again,
I have more information on those untrusted hosts.
ALL_TRUSTED is a bit odd. If you look back through the debug, it
>> has identified untrusted relays:
>>
>> [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
>> rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomai
Hi,
have any of you tried going to dnswl.org homepage ?, even tried to lookup
> the ip ?, got refused submit of new ticket ?
Yes, I went to the site, but didn't try to resolve either of them because I
knew they were already on the list. They now appear to no longer be on the
list. Now I know to
Hi,
I have created a routine where I can enter a string into a text file
and it gets converted into a set of rules that form a cf file. They
are all of the form LOCAL_RULE_N, where N is a random 6-digit number.
Two points are added if the rule is triggered. There are now about
3800 of these rules,
>> How effective are razor/pyzor and SPF/DKIM?
>
> very effective, razor/pyzor altogether with DCC.
>
> SPF also helps much, although it should be implemented at SMTP level and
> refuse all messages that cause (hard) fail.
>
> While DKIM is currently in SA, the only place it currently applies is
>
> when that was set a couple of years back, PBL had a few FPs -- the FP
> rate has dropped greatly since then, going by recent ruleqa results.
> go ahead and bump it up.
I just checked many of my FPs that have RCVD_IN_PBL, and increasing
the score there would sure help me too! Thanks for spotting
Hi all,
Some time ago someone had mentioned to never use whitelist_from but
instead use whitelist_from_rcvd. Where is whitelist_from_rcvd
documented? It doesn't appear in the SA docs in the same place that
whitelist_from is listed.
So, forever I have been using whitelist_from and have probably a
> It is documented on the Mail::SpamAssassin::Conf man page just like
> whitelist_from.
Ugh, thanks.
> whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
> Use this to supplement the whitelist_from addresses with a check against the
> Received headers. The first parameter is the
> add
Hi,
Are spamd and amavisd-new mutually exclusive?
I'm also trying to use sa-stats.pl, and it is reporting zeros because
I've just learned it relies on spamd, which I'm apparently not using.
Here is the relevant log information from line in my mail.log:
Jul 22 00:01:24 mail02 amavis[30729]: (307
> Please use pastebin.
Yes, will do, thanks.
>>It hit BAYES_99, but that's it. Are there any rules that pertain to
>>'loan' or this type of mail that can somehow block these?
>
> FreeMail.pm and the SOUGHT_FRAUD rules.
Some time ago you were speaking about the AOL tunome.com freemail
domain, and
Hi,
>> I found the SOUGHT_FRAUD rules in jm's sandbox. Are those the proper ones
>> to use? Are the testing ones safe?
>
> Subscribe your sa-update to the sought rules channel. The rulesets are
> regenerated too often for manual maintenance to be feasible.
Okay, I have configured sa-update to dow
>> Can I also ask where the best place to start with to implement razor
>> and/or pyzor in SA3.2 on Linux with postfix?
>
> EHM? implement it on your mailserver...
Heh, no, I mean where can I go to learn how to implement it? Where's
the docs? :-)
I think I'm headed towards razor first, as it does
Hi,
What is the preferred list of URL block lists that everyone uses? I'm
currently using SURBL and a few others, often times there are URLs
like 'learningbetter.net' that isn't tagged.
We've set up our own internal URL block list that gets trained
manually by inspecting email visually, until the
>> I thought FreeMail was part of SA proper, but apparently not. Who
>> maintains that, and how do I find it?
>
> You need three files:
> http://sa.hege.li/FreeMail.pm
> http://sa.hege.li/FreeMail.cf
> http://sa.hege.li/freemail_domains.cf
>
> And it's also worthwhile to add the
> 90_sare_freemail.
Hi,
>> Please don't paste examples to this list.
>>
>> Please post them to pastebin (or a similar service) and then include the
>> link.
..
Yes, understood. FWIW, I know enough to not post an entire message
with headers to the list -- I'm sure half the time it would be
filtered anyway. This time
Hi,
> sa-update lint checks the rules in a sandbox, and does not update the
> local channel, if there are any issues. Moreover, do NOT copy these
> updates to your site config dir -- but keep it in the update dir where
> sa-update puts them [1]. SA knows how to use them instead of the
> "install-t
Hi,
> Firstly, before you convert all these to whitelist_from_rcvd, perhaps you
> ought to ask yourself whether you really need 1000 entries on your
> whitelist.
I'm surprised you were the first to make that very comment, so thanks.
> Does mail from these addresses actually get miscategorised as
Hi,
> * 3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
> * dnsbl-2.uceprotect.net
> * [81.202.69.68 listed in dnsbl-2.uceprotect.net]
> * 2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
> * dnsbl-3.uceprotect.net
> * [81.20
Hi,
I'm looking at an email that appears to be one of the users from the
whitelist, but instead was from:
From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009
Why can't a comparison be made between the "From:" info and the actual
sender? Is this because of virtual domains and/or
Hi,
I recently upgraded perl from 5.6.0 to perl-5.10.0, along with all the
modules necessary for sa-3.2.5 and amavisd-new (an old version still).
I'm now having a problem that I really don't understand:
Jul 30 14:24:30 bigship amavis[1757]: (01757-175) TROUBLE in
check_mail: decoding2-get-file-ty
Hi,
>> check_mail: decoding2-get-file-types FAILED: 'file' utility
>> (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line
> How's this a SA question?
Yes, my apologies. I don't know enough about amavis yet, and thought
it may be related to all the modules I upgraded, and not amavis
Hi,
We have accumulated quite a large list of whitelisted users, primarily
because they were previously tagged incorrectly. I've extracted a copy
of all whitelisted mail into a separate mbox.
Certainly there is some spam in there as well, but assuming I only
learn the ham, would it make sense to
Hi,
I'm still working on my bayes training project, but also trying to
upgrade the bayes DB due to upgrading perl and all the associated
modules. I started with this output from "sa-learn --dump magic"
0.000 0 3 0 non-token data: bayes db version
0.000 0
Hi,
I'm trying to configure RelayCountry. I have it installed, and SA recognizes it:
# spamassassin --lint -D 2>&1|grep -i country
[4278] dbg: diag: module installed: IP::Country::Fast, version 604.001
[4278] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[4278] dbg: plug
Hi,
> I don't know if it makes a difference, but I call it Relay-Countries to
> match the name of the pseudo-header used in the tests
>
> add_header all Relay-Countries _RELAYCOUNTRY_
It doesn't appear to make a difference. I must be doing something else
wrong. Using "spamassassin --lint
Hi,
Has anyone tried the phishing rules generated by Julian Field and
developed by Google? It looks really neat:
http://www.jules.fm/Logbook/files/anti-phishing-v2.html
It's basically a list of 3.5k email addresses found in email thought
to be spam. Looks to be developed by Google, so it's "saf
Hi,
>> [23760] dbg: metadata: X-Relay-Countries:
>>
> The --lint test is *NOT* valid for this. --lint is *ONLY* to verify your
> config files are parseable.
Yes, thanks, I should have known that, and I think I did. I mentioned
in the previous post that I tried it with a real message, and even
vie
Hi,
> This is also why the plugin works and you do get the per-country rule
> hits, but don't get the SA Relay-Countries header.
Yes, you are correct. Thanks for the lead and the explanation. Here's
a thread that talks about how to add the header for amavisd:
http://www.mail-archive.com/amavis-u
Hi,
> I find ordinary header and meta rules are all I need:
>
> http://pastebin.com/f5e5232d1
Among those rules you have:
meta RELAYCOUNTRY_MED ! RELAYCOUNTRY_HIGH && (
__RELAYCOUNTRY_AF || __RELAYCOUNTRY_AS || __RELAYCOUNTRY_EU_S ||
__RELAYCOUNTRY_OC_S || __RELAYCOUNTRY_AM_S )
It's p
Hi,
After another day of hacking, I have a handful of general questions
that I hoped you could help me to answer.
- How can I find the score of a particular rule, without having to use
grep? I'm concerned that I might find it at some score, only for it to
be redefined somewhere else that I didn't
Hi,
I'm having trouble catching a particular type of spam, and hoped
someone had some time to take a look:
http://pastebin.com/d57336542
It doesn't match RAZOR2, or any of the URI lists, and it's only
BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
it's only BAYES_50. What
Hi,
>> Maybe this will sound dumb but wouldn't it be perfectly
>> safe to blacklist "example.com" after all, that isn't a
>> domain you're ever going to get mail from.
>
> I could be wrong, but I'm guessing the example.com is the OP's munging.
Yes, that's correct. My apologies.
Best,
Alex
Hi,
> Are we to make guesses on what else might be munged?
> Is just example.com munged or the 172.0.0.1 also munged?
Just the domain was munged. Thanks for the info. I should have been
able to figure that out.
Thanks,
Alex
Hi,
> it hits spamhaus, and spamcop, what more do you want ?
>
> meta haus_cop (spamhaus && spamcop)
> score haus_cop 5
X-Spam-Status: No, hits=4.8 tagged_above=-300.0 required=5.0 use_bayes=1
tests=BAYES_50, DATE_IN_PAST_03_06, RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_SORBS_WEB, RCVD_IN_XBL, RELAYCOUNT
Hi,
> 50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 2.188 0 1.960 # n=0 n=2
> 50_scores.cf:score RCVD_IN_XBL 0 2.896 0 3.033 # n=0 n=2
> 70_relay_country.cf:score RELAYCOUNTRY_US 0.1
> 50_scores.cf:score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> 50_scores.cf:score BAYES_50 0 0 0.001 0.
Hi,
I have another spam message that is very elusive, and thought someone
might be able to take a look. I tried to post it to pastebin, and its
spam filter apparently catches it, and prevents me from posting. It's
definitely in the header.
Is there something else I can do to post it, or does some
Hi,
> Unknown user 32.00% (32.00%) 87427696
> Greylisted 24.88% (16.92%) 46225401
> Throttled 11.03% (5.64%) 15399444
> Relay access denied 0.01% (0.00%)
Hi,
>> What log script do you good people use to generate the list above ? Is it
>> a home brew or one we can download so we can compare our own hits ?
>
> http://www.rulesemporium.com/programs/sa-stats.txt
Any chance someone knows where there is a compatible one that parses
amavisd instead of sp
Hi,
I thought "grep -c RAZOR2_CHECK" through my mail logs would give me a
good approximation of the number of times RAZOR2 was consulted, but
that doesn't seem to be the case. There are some mails that don't have
it listed in the "tests=" section.
I've also tried the razor-* commands, and they do
Hi,
> So perhaps instead of adding another RBL, maybe some admins need to
> consider adding in some HELO checking / rejection.
Can you explain a bit more here? What are you checking for, that the
host is valid?
Thanks,
Alex
Hi,
> You can also set your min_cf in your razor config files, which will
> affect when the RAZOR2_CHECK rule fires. This does work in SpamAssassin,
> as I have over-ridden the min_cf on my own system, and have done so for
> years.
Thanks to everyone for their great ideas thus far. I'm looking fo
Hi,
> The problem is that the spammers test with the SA rulesets as soon
> as they are released, which is why the rulesets become ineffective.
I'm not sure I agree with that. If this were the case, I would have a
lot less spam with scores of 50 or more, which obviously aren't even
trying to do so
Hi,
> spamassassin. I have a test message which is genuine. Running this through
> spamassassin with -t (test) mode as described below gives the output below:
>
> Running : spamassassin -t /tmp/rose2 gives at the bottom the following
> (edited for privacy) report.
Try adding some debugging output
Hi,
> list. No errors reported then, and I've now forgotten the url. www.yerp.org
> now gets me a webmail login screen, so obviously that wasn't it. Toss that
> url to me and I'll replay it again.
You should be able to search through your browser history, no?
With Firefox v3.5, you can also ju
Hi,
> Text added to e-mail is a bogus one, never repeated, same as the old styled
> spam mail with attached images. The OCR doesn't detect nothing, I understand
> because of flagged effect. Also, image file name changes, if it have.
A few of these have slipped through on my systems, but for the m
Hi,
I've been using the junkmailfilter rules for a few days now, and it's
doing quite well. It occurred to me that I might be able to use the
RCVD_IN_JMF_W rule filter whitelisted domain mail, and use that to
train bayes ham.
Would this work? There of course would be mail from
constantcontact.com
Hi,
>> mimeheader AS_090508_CTYP_PNG Content-Type =~ /image\/png/
>> mimeheader AS_090508_CTYP_JPG Content-Type =~ /image\/jpg/
>> mimeheader AS_090508_CTYP_JPEG Content-Type =~ /image\/jpeg/
>
> All scored the same. Can be written as a single rule.
I've spent some time and tried to r
Hi,
> mimeheader LOC_CTYP_IMG ((Content-Type =~ /image\/png/) ||
> (Content-Type =~ /image\/jpg/) || (Content-Type =~ /image\/jpeg/) ||
I thought this passed through my --lint, but I only caught it the
second time. I was looking around for the (new) right way to do it,
and found this in 80_addit
Hi,
> If you're using autolearning, what are your learning thresholds?
What do you recommend for thresholds? I'm considering using
autolearning, but very concerned about corrupting the database. I
think I would use something like +15 for spam.
There are FNs on occasion in the 2.x range with low
Hi SA users,
I have a few messages found in the quarantine that I need to train as
ham because they were marked as spam incorrectly. To do this, I added
the following to the top of the file so it becomes a normal email:
From DUMMY-LINE Thu Jan 1 00:00:00 1970
Is this correct? (without the lead
Hi all,
I'm seeing an increase in Google Reader and yahoo
groups/personals/profile spam. Here's an example of the Google Reader
spam:
http://pastebin.com/m1021fc5f
Any ideas on how to catch this one? For the Yahoo spam (with links to
yahoo sites ending in '/1', I've created these:
uriLO
Hi all,
I thought I understood, but I'm still having trouble converting a
message in the quarantine back into a normal email message that I can
forward on to a recipient. Does anyone know how to do this?
Thanks so much.
Best regards,
Alex
Hi,
>> I thought I understood, but I'm still having trouble converting a
>> message in the quarantine back into a normal email message that I can
>> forward on to a recipient. Does anyone know how to do this?
>
> Maybe I missed something, but SpamAssassin doesn't have a quarantine.
>
> http://wiki
Hi,
> I am getting rather tired from messages spamming porn-portals. They typically
> originate from hotmail.com, and advertise a porn-portal based on
> google.com/groups, google.com/reader, groups.yahoo.com, pipes.yahoo.com,
> spaces.live.com, docs.google.com, sites.google.com and livejournal.com
Hi,
> On Saturday August 29 2009 19:47:32 R-Elists wrote:
>> have many, or any of you folks on the list migrated your production servers
>> to the 3.3.0 alpha 2 or later release?
>
> We are certainly one of them (actually running CVS head,
> which is pretty close to alpha2). About 1000 users here.
Hi all,
I'm trying to understand how shortcircuit works to ease some of the
load on the servers. First, does anyone have any recommended metas that
they use in their environment that might help?
Can I add shortcircuit to an existing rule, or does the rule have to
be designed to be used with shortc
Hi all,
I've seen this pattern in spam quite a bit lately:
href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
.61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
62.2e.6a.61.7a.65.72.74.2e.68.
Hi,
I have several emails that are tagged with RCVD_IN_JMF_W,
SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
http://pastebin.com/m4a4d990e
Is the criteria for being listed on the JMF_W simply that it contains
a domain that is whitelisted, despite whether it contains another URL
that is blackli
Hi,
>> http://pastebin.com/m4a4d990e
>>
>> Is the criteria for being listed on the JMF_W simply that it contains
>> a domain that is whitelisted, despite whether it contains another URL
>> that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the white
Hi,
> The 'doubleheadedrover' domain currently shows up in Razor(E8),
> uribl_black, surbl_jp, and invaluement.
>
> But it wasn't in all of those when he first started posting about it.
Yes, that's correct. Thanks for your help. That's already caught a
few. I have another that I thought you could
Hi,
>> I have several emails that are tagged with RCVD_IN_JMF_W,
>> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>> http://pastebin.com/m4a4d990e
>
> why accept SPF_SOFTFAIL ?
>
> can't this be solved ?
I don't understand. I'm still learning how the SPF rules work.
Shouldn't I be adding points
>>> \s is the proper way to represent whitespace.
>>
>> lol, yes, I know that; I was actually trying to match 's' and the
>> slash is the start of the pattern match.
>
> I wasn't referring to the beginning of the RE.
Yeah, I realized that just after I sent this, if anyone cares :-)
Thanks again,
Hi,
I have been going through about 15MB of email generated from a
procmail recipe searching for RCVD_IN_JMF_W, and you would not believe
how many also match URIBL_BLACK or URIBL_GREY. Call me naive, but are
there really that many providers that are unaware their clients are
sending spam? (okay, r
Hi,
> also if using amavisd make its temp dir on ram speed up scanning and it
> considered safe, mta have it on disk for the backup :)
How about mounting /var with noatime? Does anyone do that? Do you
think it helps? What Linux filesystem is best suited for this? ext4?
Thanks,
Alex
Hi,
I have an mbox with about a 100 messages in it from a few days ago.
The mbox is a combination of spam and ham. What is the best way to run
SA through these messages again, so I can catch the ones that have
URLs in them that weren't on the blacklist at the time they were
received?
Must I break
Hi,
> Do you just want to re-scan the whole mbox and see what rules hit now
> for research reasons?
That's a good start, but I'd like to see if I can break out the ham to
train bayes.
> There's no way to (directly) get SA to modify email that's already in an
> mbox file. The mass-check and sa-le
Hi,
> You probably want "spamassassin --mbox". :)
> It won't modify the messages in-place, but you can do something like
> "spamassassin --mbox infile > outfile".
My apologies if it wasn't clear, but these messages have already been
marked by SA. Some are ham, and the rest are FPs that I'd like t
Hi,
>> You probably want "spamassassin --mbox". :)
>> It won't modify the messages in-place, but you can do something like
>> "spamassassin --mbox infile > outfile".
>
> My apologies if it wasn't clear, but these messages have already been
Wait, my mistake. I read that too fast. Does that work, a
Hi,
>> Thank you all for your help. The "mbox split" suggestion is a good
>> one. I'll follow that route and post my experience later.
>
> formail -s is the way to go.
I thought about that as a component of procmail. Sounds great.
Thanks,
Alex
> but this will invalidate dkim headers if this headers is signed, are
> spamassassin aware of this problem ? (in general)
Are you saying there is a bug?
> mutt -f mbox
>
> in mutt save to another folder if misclassified
Yes, I use pine for that, but would like to eliminate as many of the
FNs
Hi,
> IIRC you previously mentioned using Pine. Just in case you're not aware
> the default format for Pine/Alpine is MBX, an extended version of
> MBOX. You can tell the difference because MBX mailboxes start with a
> dummy email that's hidden by the software.
It seems that if you save messages
Hi,
It's certainly not a fast operation, but using the following will
split an mbox into individual messages:
export FILENO=0
mkdir msgs
formail -s sh -c 'cat - >msgs/$FILENO' < mbox-name.mbox
I also created a loop that would strip all the SA headers from the messages:
for file in *; do ech
Hi,
> Try using a local SA setup for stripping the headers. By local, I mean
> don't use your main production SA - run a separate copy with its own
> (cut down) configuration and all data base accesses and UBL calls etc
> turned off.
Much better idea, thanks. Thanks for the script, too.
Best,
Al
Hi John,
Another batch of money spam attached. Everything is the same as the last time.
Thanks,
Alex
money-spam-092709.gz
Description: GNU Zip compressed data
Okay, my bad, please ignore. Damn google auto-complete.
Alex
On Sun, Sep 27, 2009 at 6:46 PM, MySQL Student wrote:
> Hi John,
>
> Another batch of money spam attached. Everything is the same as the last time.
>
> Thanks,
> Alex
>
Hi,
I posted bug 6198 a few weeks ago, and there have been no comments or
fixes on it in two weeks, and I'm unsure what to do next. It's either
not a bug and I'm doing something wrong or it's not significant enough
to bother with the focus on v3.3.
Thought someone might have some ideas here? I'm
Hi,
>> [13204] dbg: config: read
>> file /var/lib/spamassassin/3.002005/sought_rules_yerp_
>> org/20_sought.cf [13204] warn: config: invalid regexp for rule
>> __SEEK_D52BRW:
>
> grep doesn't find __SEEK_D52BRW in my copy of the rules.
This was from the sa-update when I submitted the bug repor
Hi,
> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
> describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
> tflags RCVD_IN_JMF_W net nice
> score RCVD_IN_JMF_W -5
Hopefully my comment isn't out of place with the current discussion of
JMF/Hostkarma. I think this is not onl
Hi,
> For those of you getting spam from IPs/Hostnames on my hostkarma
> white list, if you could email me a list of false hits (IP or host name) I
> could probably clean out the bad entries in the white list pretty quick.
I'm not sure this is the best approach. I have a procmail recipe that
filt
Hi All,
Regarding the .cn oddity, I added these to my rules, and of about 79k
messages today so far, I have the following:
uri LOC_URI_CN m;^https?://[^/?]+\.cn\b;
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
LOC_URI_CN: 2926
T_CN_8_URL: 1634
HTH,
Alex
Hi,
> It's a shame that, living in Denver, I will be *just* out of range of
> hearing the screams as the mailspools fill with viruses, malware, and
> massive payloads of Spanish Prisoner spams.
Awe, c'mon now. Yes, I agree SA is a better solution, but Microsoft
didn't get to be a multi-billion-d
Hi,
> doesnt it appear to everyone else that this has the (slim to none) makings
> of a new urban legend?
I have to admit that when Warren posted this, I went to snopes to
check, and there was nothing there :-)
Regards,
Alex
Hi,
> Other than the sought rules, all the rules are manually generated? Is there
> any statistics on how frequently are new rules/regex adopted by
> spamassassin? Who are the people who write them? Any details related to
Information on Justin Mason's SOUGHT rules is here:
http://taint.org/2007
Hi,
> I actually would be doing that but the filter does not know how to
> handle int(), so I would have to build a filter for all possible number
> combinations, but if I could just get SA to do the basic math for me and
> write a header or subject I can filter off of that.
We do something s
Hi,
> That sounds overly complicated and like a lot of wasted cycles. Calling
> a Perl script for each message? What you just described sounds a hell of
> lot like this light-weight SA configuration:
Yes, I should have mentioned that it is a copy of the mail that users
receive and only visible by