Beginning of line in body vs rawbody

2016-01-29 Thread Olivier Coutu
Hi, I am trying to diagnose why certain rules do not fire as expected on beginning of lines. Here is a MWE e-mail """ From: f...@addr.com To: t...@addr.com Subject: email's subject Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable To: Aa To: Bb To: Cc

Re: Anyone else just blocking the ".top" TLD?

2016-04-27 Thread Olivier Coutu
I have affected a hefty penalty in SA to any mail that comes from one of these TLDs: (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online) .xyz used to be on the list but I have started seeing more legitimate traffic from the

Re: Catching well directed spear phishing messages

2016-06-30 Thread Olivier Coutu
On 2016-06-28 10:48, John Wilcock wrote: Or, if your company is a worthwhile target, it is equally easy for the scammer to setup a lookalike domain and configure it with proper SPF, DKIM and the like. Who's going to notice that the message came from examp1e.com instead of example.com? Theo

Benchmarking SA

2016-07-15 Thread Olivier Coutu
t the debug, but the timing seems to skip multiple seconds at random intervals that are not indicative of what rule ran. -- Olivier Coutu Assistance technique Technical Support T : 514-527-3232 x 2 n...@zerospam.ca

Re: Benchmarking SA

2016-07-15 Thread Olivier Coutu
On 2016-07-15 10:22, Reindl Harald wrote: On 15.07.2016 at 16:06, Olivier Coutu wrote: I am trying to figure out what part of SA is taking the most time on certain e-mails, e.g time spamassassin ham-1468528393442166.eml [...] real0m34.531s user0m33.958s sys0m0.452s I have

Re: Catching well directed spear phishing messages

2016-09-15 Thread Olivier Coutu
home-made implementation of Levenshtein's algorithm, but Paul Stead's version is probably simpler and more appropriate for general use. Olivier Coutu On 2016-09-15 10:22, Chip M. wrote: Have you used that technique to generate tokens for regular Phish prevention (e.g. all the myriad variations on Paypal)?

multiple maxhits to detect multiple attachments

2016-10-11 Thread Olivier Coutu
ultiple maxhits or did I overlook something? If it is not designed to work with it, would there be any workarounds to detect multiple attachments? -- Olivier Coutu Assistance technique Technical Support T : 514-527-3232 x 2 n...@zerospam.ca

PerMsgStatus get('From') returns different values in the same email

2016-12-06 Thread Olivier Coutu
27;, 0)/ and has the same issue. The bug appears whether the domain is a freemailer or not, but does not happen when there is no from_name. I am looking for tips as to where the problem might be. Is it possible that my /get/ or other calls are modifying the PerMsgStatus? Could it be related to patches that have been applied with the Ubuntu install? -- Olivier Coutu n...@zerospam.ca

Re: PerMsgStatus get('From') returns different values in the same email

2016-12-08 Thread Olivier Coutu
On 2016-12-06 11:19, Olivier Coutu wrote: However, if I run that on machine B (Ubuntu 16.04, SpamAssassin version 3.4.1, Perl version 5.22.1) that I have recently created, after the first call to the /get//('From', 0)/ which returns the correct value, the following calls return the v

SPF PermError or TempError cannot hit

2017-01-18 Thread Olivier Coutu
used instead of the headers, but I did not dig into the code enough to find out. Is this an issue that other people have experienced? I am using spamassassin 3.4.1 and sa-update version svn1652181 -- Olivier Coutu

Re: Spam eml hangs sa

2017-06-16 Thread Olivier Coutu
this command to find which rule is causing it to hang spamassassin -D all,rules-all < yourfile.eml On 2017-06-16 10:13, Konstantin wrote: Here is the full msg https://1fichier.com/?jpqjmsfxkf Olivier Coutu

Hitting an address in the From:name

2015-08-20 Thread Olivier Coutu
I got a spearphishing e-mail the other day that had a From with the following form: From: "Mister President " I attempted to craft a SA rule to catch the "@" in the From:name but I was unable to catch anything after the "<" ex: From:name =~ /Mister President/hits From:name =~

Re: Hitting an address in the From:name

2015-08-20 Thread Olivier Coutu
On 2015-08-20 15:04, Joe Quinn wrote: On 8/20/2015 2:56 PM, John Hardin wrote: On Thu, 20 Aug 2015, Olivier Coutu wrote: I believe that SA may be removing the part from the From:name, am I correct? Define this rule: header __ALL_FROMNAME From:name =~ /.*/ ...and run spamassassin

Re: Ideas for blocking 'list' spam

2015-09-01 Thread Olivier Coutu
On 2015-09-01 11:34, Alex wrote: Hi all, I'm having a problem with "buy my list" spam and hoped someone could help me with ideas of how to best block them. Here's an example: http://pastebin.com/01C1DDmq Even a few days later, and the sending IP isn't blacklisted anywhere. I have a couple

Dealing with links to malicious documents

2018-03-13 Thread Olivier Coutu
In the last few months, we have seen an increase of generic emails (e.g. regarding unpaid invoices) being sent with links to infected legitimate websites hosting malware. This malware often comes in the form of docs with macros e.g. https://pastebin.com/VHz41RUL In a lot of cases, neither the

Re: EMF file vulnerability?

2018-04-19 Thread Olivier Coutu
On 2018-04-18 20:37, Alex wrote: Hi all, this may be slightly OT, but we've been blocking .emf files forever but today a user complained that we blocked their Word documents which apparently have "image1.emf" files in them and were considered a threat by amavisd due to our restricted file type po

RCVD_IN_PBL false-positive

2018-07-13 Thread Olivier Coutu
We got a few hits on RCVD_IN_PBL for the IP 24.137.53.2 that do not appear to be listed on spamhaus. I tried dig 2.53.137.24.zen.spamhaus.org on that same server and got no results, and even then SA kept hitting that rule. My understanding of /eval:check_rbl('zen-lastexternal', 'zen.spamhaus.

Negative lookbehind lint issues

2018-08-31 Thread Olivier Coutu
I wrote a rule that throws a /variable length lookbehind/ error where the lookbehind is fixed length. Here is a MWE: body    __Z_NEGATIVE_LOOKBEHIND  /(?The error goes away if I remove the case insensitive, or if I put a character between the two /s/ characters. Using /nn/ instead of /s

Re: Negative lookbehind lint issues

2018-08-31 Thread Olivier Coutu
You are correct Pedro, the curly-braces solution does work. I will integrate the solution, I leave it to you guys to determine if a bug should be opened and with whom. On 2018-08-31 15:01, Pedro David Marco wrote: It works with Perl 5.14.2 but not with 5.20.2 It seems that Perl preprocessor d

Hiding text with "

2019-01-04 Thread Olivier Coutu
We have started seeing some clickbait spam that hides the suspicious text behind / https://pastebin.com/SLMyFvmN The text /Optima Tax Relief: Do You Still[...]/ is visible in the email in thunderbird since the image does not load, but spamassassin's body rule does not trigger /body    T_

FROM_IN_TO_AND_SUBJ hits on emails with empty subject

2019-01-30 Thread Olivier Coutu
meta   FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) header __SUBJ_HAS_FROM_1    ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism If the from and the to are identical and the subject is empty, this rule hits,

__YOU_WON_01 FP on *won’t* with right single quotation mark

2019-06-10 Thread Olivier Coutu
https://regex101.com/r/SUqMxn/1/ I understand that a single quote should be used when writing /won't/, but it's probably not the first time __YOU_WON_01 hits on /won’t/ with a right single quotation mark. Apparently this can happen automatically in certain text editors when there are two apo