difference.
It's been like this for a while, but I only just became impatient and
decided to fix it.
Any tips on how to track this down? Thanks!
Paul
pened? Was I running two instances of spamd all along? How is
that possible? And what was different today?
thanks,
Paul
.
* Sync email using OfflineIMAP to a workstation
* Mail client is mutt
(Workstation is GNU/Linux)
Thanks,
Paul.
f users complaining
so as of about 3 hours ago I'm trialling SNF4SA (google it), initial
results so far look promising, quite a few of these "new" variations of
the image spam have been caught which wouldn't have without it.
Obviously too early to tell how effective it is but I'll update the list
of my findings.
Paul
imits and standard
_BLOCKED returns for overuse and do not return bogus replies or ignore
queries.
That said the fmb.la nameservers seem to be responding fine from our
monitoring nodes.
Paul
The following plugin extracts the SendGrid ID to a Tag, now we can use it
with askdns..
https://github.com/fmbla/spamassassin-sendgrid
Paul
On Sun, 23 Aug 2020 at 20:42, Giovanni Bechis wrote:
> On 8/21/20 9:28 PM, Rob McEwen wrote:
> > ANNOUNCEMENT: The NEW invaluement "Se
ny moons ago.
The intention of this rule was to match two different addresses, but because I
don't know about the other related changes I'll leave for JH to comment/adjust
as needed
Paul
On 10/12/2020, 10:33, "Benoit Branciard"
wrote:
Hello,
Have there been any c
Sorry for the garbage in the signature from my $work email..
Maybe a tflag on the AskDNS to mark it as an RBL lookup? This doesn't exist
currently
Adjusting to "dns_query_restriction deny fmb.la" will avoid lookups for just
this domain
Paul
On Fri, 15 Jan 2021 at 13:09, RW wrote:
> On Fri, 15 Jan 2021 09:43:42 +0100
> Dan Malm w
Replied to Yuri directly,
This could be a result of not having internal_networks set.
mail2.{redacted} considers mail1.{redacted} to be an external server - thus
checking the SPF record for freebsd.org against the IP address of
mail1.{redacted}
Paul
On Sat, 24 Apr 2021 at 11:45, Antony Stone
2021 at 11:48, Paul Stead wrote:
> Replied to Yuri directly,
>
> This could be a result of not having internal_networks set.
>
> mail2.{redacted} considers mail1.{redacted} to be an external server -
> thus checking the SPF record for freebsd.org against the IP address of
> mail
have no
matching "bad" rules, ever, which isn't true or how masscheck/SA works.
Paul
On Tue, 4 May 2021 at 07:28, Denis Chenu
wrote:
> Yes,
>
> You receive spam from pro and then all pro gTLD owner received a
> punishment.
>
> It's same for all gTLDS, li
> The score is derived from the combined corpus of our contributors to
> ensure minimal false positives of ham being detected as spam - that is,
> scoring 5.0 or more.
>
I don't feel I've done masscheck justice here. The routine is a lot more
complex than this! I should also note that masscheck tr
> To be fair, we are very much lacking masscheckers to have a good view of
> global mail.
>
Agreed!
> If anyone has a decent mail flow, help is welcome. Even a few hundreds of
> varied messages per month would help:
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/NightlyMassCheck
>
Did you ever get a reply for this?
I was wondering the same thing.
DNSRBL is still available, but I don't know how often this is updated.
Regards,
Paul
From: Noel Butler
Sent: Monday 1 February 2021 01:36
To: users@spamassassin.apache.org
Su
Hi,
looks like it is actively being worked on here.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7956
Regards,
Paul
From: Brent Clark
Sent: Friday 18 February 2022 11:43
To: users@spamassassin.apache.org
Subject: Re: Regex error in most recent update
e any place, I don't have a good feel for whether
or not this is some regular problem.
If anyone can point me to how this check is performed, that would be
very helpful.
Thank you,
Paul
[1] https://check.spamhaus.org/
[2] Scores:
* 10 URIBL_SBL_A Contains URL's A recor
On 2022-05-07 07:53, Benny Pedersen wrote:
On 2022-05-07 16:42, Paul Pace wrote:
I have set up SpamAssassin with the following in
/etc/spamassassin/mycustomscores.cf:
* 10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
* blocklist
*
On 2022-05-07 10:37, Matija Nalis wrote:
On Sat, May 07, 2022 at 09:35:31AM -0700, Paul Pace wrote:
On 2022-05-07 07:53, Benny Pedersen wrote:
> On 2022-05-07 16:42, Paul Pace wrote:
> > * 10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> >
o BZ
after some cleanup.
Paul
On Fri, 16 Sept 2022 at 22:05, Carlos G Mendioroz via users <
users@spamassassin.apache.org> wrote:
> Hi,
> I'm facing a problem with SA, that seems to be related to askdns.
>
> Mail server on Ubuntu 22.04 LTS, spamassassin 3.4.6 via exim4. Lo
he rule to fire. If this is
an email you're sending it would indicate the need to look at fixing the
From & To headers in said email.
Paul
On Sun, 13 Nov 2022 at 10:47, Yassine Chaouche
wrote:
> Hello all,
>
> I was wondering what this rule means?
> the description rea
Hi there,
Thanks for the notice - this looks to be a frontend website issue - the
backend looks to be functional - I'm investigating.
Paul
On Tue, 7 Mar 2023 at 17:54, Benny Pedersen wrote:
> Greg Troxel skrev den 2023-03-07 18:48:
>
> > I wonder if anyone knows if DKIMWL is
e a few more examples and details here
https://github.com/fmbla/spamassassin-levenshtein/
Note that this is a third party plugin.
Paul
e is being updated. (I checked the timestamp on
the file after running the script manually.)
I can’t make sense out of this error message. What am I missing?
Paul Schmehl
paul.schm...@gmail.com
> On Jun 20, 2024, at 6:05 PM, Bill Cole
> wrote:
>
> On 2024-06-20 at 16:14:47 UTC-0400 (Thu, 20 Jun 2024 15:14:47 -0500)
> Paul Schmehl <paul.schm...@gmail.com>
> is rumored to have said:
>
>> I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, an
> On Jun 21, 2024, at 8:24 AM, Bill Cole
> wrote:
>
> On 2024-06-20 at 19:17:19 UTC-0400 (Thu, 20 Jun 2024 18:17:19 -0500)
> Paul Schmehl
> is rumored to have said:
>
>> Here’s every line with bayes_ in it:
>> bayes_#auto_learn 1
>> bayes_learn_to_jour
looked up the man page for sa-update on the web. Sure
enough, that’s where the rules go. Is that where my local.cf file should be
located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf
file in /var/lib/…..
Paul Schmehl
paul.schm...@gmail.com
> On Jun 22, 2024, at 12:28 AM, Kenneth Porter wrote:
>
> On 6/21/2024 8:56 PM, Paul Schmehl wrote:
>> I scratched my head, then looked up the man page for sa-update on the web.
>> Sure enough, that’s where the rules go. Is that where my local.cf file
>> should be
Here's some quick stats from our servers:
Hits on 0.16% of all email
Hits 2.5% of spam detected
58% overlap with my iXhash implementation
0.004% hit rate on ham
Paul
On 10/12/15 14:52, Rick Macdougall wrote:
On 2015-12-09 11:58 AM, Marc Perkel wrote:
On 12/09/15 05:50, Rick Macdougall
On 10/12/15 17:24, Bill Cole wrote:
On 10 Dec 2015, at 10:48, Paul Stead wrote:
0.004% hit rate on ham
Clarify this please: 4 out of 100k hits are ham (not so bad) OR 4 out
of 100k hams get hit (OUCH)
The former, 4 out of 100k hit are ham emails
--
Paul Stead
Systems Engineer
Zen Internet
On 10/12/15 18:23, Paul Stead wrote:
On 10/12/15 17:24, Bill Cole wrote:
On 10 Dec 2015, at 10:48, Paul Stead wrote:
0.004% hit rate on ham
Clarify this please: 4 out of 100k hits are ham (not so bad) OR 4 out
of 100k hams get hit (OUCH)
The former, 4 out of 100k hit are ham emails
Re
etc
# spamassassin -D -t < p2 2>&1 | grep baddomain
p2 doesn't pick up on baddomain.com
Any thoughts or have I stumbled upon a problem?
Paul
--
Paul Stead
Systems Engineer
Zen Internet
report in bugzilla.
Mark
Patch looks to work.. Done - thanks!
--
Paul Stead
Systems Engineer
Zen Internet
Come across the following which lists all *.sch.uk local authorities -
thought it might be useful to someone
http://www.nominet.uk/wp-content/uploads/2015/10/Schools_Domain_Name_Rules.pdf
Paul
--
Paul Stead
Systems Engineer
Zen Internet
/usage/signatures/
--
Paul Stead
Systems Engineer
Zen Internet
On 2016-04-04, RW wrote:
> On Mon, 4 Apr 2016 15:29:40 -0400
> Alex wrote:
>
>> >> >> Can someone help me understand why this auto-away message failed
>> >> >> the DMARC tests?
>> >> >>
>> >> >> http://pastebin.com/wXhxex92
>> >> >>
>> >> >> It looks like it passed through an AOL MX, yet SPF still
Second, the foxhole_js database is what you're looking for
Paul
On 20/05/16 13:11, Reindl Harald wrote:
Am 20.05.2016 um 13:07 schrieb Dianne Skoll:
On Fri, 20 May 2016 09:31:48 +0300
Emin Akbulut wrote:
What do you suggest to fight these spams?
ClamAV is basically useless
no
low risk signatures - do take some
time to read through the different rule types though.
Paul
--
Paul Stead
Systems Engineer
Zen Internet
om/fmbla/spamassassin-concepts
I'd be really interested to hear your feedback/thoughts on this system
and its approach.
Paul
--
Paul Stead
Systems Engineer
Zen Internet
private
variable) at /etc/mail/spamassassin/Concepts.pm line 84, near "$headl;"
...
With David's help I have tracked down the problem(s). Version 0.02 is
up. Would be interested to hear your thoughts - even if just theoretical
about the effect on the Bayes DB.
Paul
--
Paul Stead
Syste
omes into the platform, is tokenized (token1 & meds) and is
classified and learnt as spam.
Mail 2 comes into the platform, is tokenized (token2 & meds) and has the
same common "meds" token as associated with Mail 1
Does this make sense - am I right in my assumptions?
Paul
On 25/0
On 25/05/16 15:21, Dianne Skoll wrote:
On Wed, 25 May 2016 15:07:37 +0100
Paul Stead wrote:
Consider the following 2 basic emails:
Mail 1:
Viagra
Mail 2:
V1agra
Yes, except here's the problem. A drug company might legitimately
talk about Viagra, so that wouldn't be a spam toke
On 31/05/16 20:20, Bill Cole wrote:
It is no shock that while this implementation has Paul Stead's name on
it, it is apparently mostly the product of the anti-spam community's
most spectacular case of Dunning-Kruger Syndrome, who has apparently
figured out that his personal &
ack via their mailing list - might be worth popping along?
I recently added the MagicNumber for "old" style doc files, just for files
inside zips (when they appeared, as mentioned in my previous post).
This could be accomplished with yara rules within ClamAV too - docs on
signature cre
On 08/06/16 21:39, Paul Stead wrote:
BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
Should point out that this may be prone to false positives. The Sane sigs are
scored low, med, high FP risk and can be installed as such.
--
Paul Stead
Systems Engineer
Zen Internet
On 06/07/16 16:16, John Hardin wrote:
Does that cache-min-ttl also affect NXDOMAIN? Is it possible to
configure different TTL for NXDOMAIN (relatively low) and positive
results (relatively high)?
For this cache-max-negative-ttl exists :)
Paul
--
Paul Stead
Systems Engineer
Zen Internet
esting, Olivier! :)
https://github.com/fmbla/spamassassin-levenshtein
An implementation I made for SA - feedback welcome
--
Paul Stead
Systems Engineer
Zen Internet
On 15/09/16 20:54, RW wrote:
On Thu, 15 Sep 2016 15:37:42 +0100
Paul Stead wrote:
https://github.com/fmbla/spamassassin-levenshtein
An implementation I made for SA - feedback welcome
A couple of things
1. Instead of having a with/without tld option you could compute
the distance without
Spammer Countries e.g. China,
Taiwan, India, etc...
Hi Thomas,
The RelayCountry plugin would answer your needs:
https://wiki.apache.org/spamassassin/RelayCountryPlugin
Paul
--
Paul Stead
Systems Engineer
Zen Internet
f reasons).
You may find you're blocking legitimate email from an Exchange server (poorly?)
configured in this way.
Paul
--
Paul Stead
Systems Engineer
Zen Internet
;e6dfa16bdb.zip"
This run of emails can be blocked using the Sanesecurity ClamAV ruleset
for Foxhole - http://sanesecurity.org/
Paul
--
Paul Stead
Systems Engineer
Zen Internet
eature improvement which
might help towards this too, watch this space
Paul
--
Paul Stead
Systems Engineer
Zen Internet
https://github.com/fmbla/spamassassin-olemacro
- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection
Paul
--
Paul Stead
Systems Engineer
Zen Internet
YPTED0.0.1
T OLEMACRO0. 0.1
Paul
--
Paul Stead
Systems Engineer
Zen Internet
On 14/10/16 14:44, Axb wrote:
On 10/14/2016 03:40 PM, Paul Stead wrote:
On 14/10/16 14:11, Axb wrote:
How's the performance. I know you run hi traffic sites.
Have you felt a difference?
Thanx
Axb
From the week or so of testing, things seem to be efficient and quick -
not to say th
rnet addr-spec address is described in
section 3.4.1<https://tools.ietf.org/html/rfc5322#section-3.4.1>.
--
Paul Stead
Systems Engineer
Zen Internet
rg/20161017-r1765221-n/T_PDS_FROM_2_EMAILS/detail
http://ruleqa.spamassassin.org/20161017-r1765221-n/T_FROM_2_EMAILS/detail -
similar to above with less metas
They both seem to hit more ham than spam on the Corpus
Paul
On 18/10/16 07:27, Ruga wrote:
Yes, you can prefix a quoted string to the actual a
/full/3.4.x/doc/Mail_SpamAssassin_Plugin_TxRep.html#template_tags
Paul
--
Paul Stead
Systems Engineer
Zen Internet
On 21/10/16 18:40, Paul Stead wrote:
A plugin I've developed could be handy here:
https://github.com/fmbla/spamassassin-tagmatch
tagmatch TAGMATCH_TXREP_IP_HIGHSCORE _TXREP_IP_MEAN_ /^[1-9][0-9]+(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large
On 21/10/16 18:53, Paul Stead wrote:
tagmatch TAGMATCH_TXREP_IP_LOWSCORE _TXREP_IP_MEAN_ /^\-[0-9]{2,}(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_LOWSCORE TxRep mean score quite low
score TAGMATCH_TXREP_IP_HIGHSCORE -0.1
Also - typo on score rulename!
--
Paul Stead
Systems Engineer
Zen
On 21/10/16 18:40, Paul Stead wrote:
On 21/10/16 16:22, John Hardin wrote:
I was going to say: you can't write a rule based on the *current* AWL
adjustment because that's calculated after all the rules have hit. But
SA *could* potentially have a rule that checks the current historic
On 24/10/16 16:46, John Hardin wrote:
Paul:
I haven't looked at the plugin myself yet, but here's a suggestion:
have a mode where you can mark a RE as capturing a numeric value, and
the rule's hit value is the value that the RE captured. This would
(for example) let the AW
On 24/10/16 16:46, John Hardin wrote:
Paul:
I haven't looked at the plugin myself yet, but here's a suggestion:
have a mode where you can mark a RE as capturing a numeric value, and
the rule's hit value is the value that the RE captured. This would
(for example) let the AW
bad attachment - generally these don't
even get as far as SA in my setup
This all depends on the glue used and ordering within your MTA and how
it reacts to malware attachments
Paul
--
Paul Stead
Systems Engineer
Zen Internet
ample, if a ‘spoofed’ To header isn’t matching the actual recipient of the
email within your system… *mumble* numbers and things
Paul
--
Paul Stead
Systems Engineer
Zen Internet
=~ /\.amazonaws\.com$/
meta LOCAL_AWSURI __TAGMATCH_RDNS_AWS
score LOCAL_AWSURI 2.6
describe LOCAL_AWSURI Last rDNS amazonaws.com
endif
I find .compute.amazonaws.com a good indicator
Paul
On 18/01/2017, 17:13, "Ken Johnson" wrote:
Hi,
I would like to write a rule to compar
/Mail-SpamAssassin/lib/Mail/SpamAssassin/Plugin/AskDNS.pm
Paul
On 18/01/2017, 17:13, "Ken Johnson" wrote:
Hi,
I would like to write a rule to compare the rDNS lookup of the sender's IP
address to a regular expression. I have written super simple URI rules for
/e
ns
askdns LOCAL_TRUSTED_DKIM _DKIMDOMAIN_.lookup.example.com A 127.0.0.2
tflags LOCAL_TRUSTED_DKIM nice net
describe LOCAL_TRUSTED_DKIM DKIM trusted sender
score LOCAL_TRUSTED_DKIM -7.5
Paul
--
Paul Stead
Systems Engineer
Zen Internet
On 25/01/2017, 21:34, "Paul Stead" wrote:
A similar method I use is to have the DKIM signing domains I like in a rbl
server and query them with askdns
askdns LOCAL_TRUSTED_DKIM _DKIMDOMAIN_.lookup.example.com A 127.0.0.2
tflags LOCAL_TRUSTED_DKIM nice net
s:
header PDS_FROM_OTHER_BAD_TLD eval:check_from_in_list('NEWSPAMMY')
Paul
On 21/02/2017, 03:40, "Alex" wrote:
Hi,
Some time ago I had put together a rule based on comments from this
list, and I've identified a FP that I hoped someone could help me to
correct.
Th
On 21/02/2017, 18:41, "RW" wrote:
On Tue, 21 Feb 2017 17:57:13 +0000
Paul Stead wrote:
> I’ve posted this before, this is how I manage these nasty TLDs:
>
> Make sure WLBLEval is enabled:
>
> loadplugin Mail::SpamAssassin::Plugin::WLBLEval
On 21/02/2017, 23:15, "Paul Stead" wrote:
I can’t see how this can be the same for the check_from_in_list calls,
however?
Apologies – it is not possible to add custom addrlists in SA -
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354
--
Paul Stead
Systems Engineer
Zen Internet
rt you patching your production SA) you can use:
enlist_addrlist (NEWSPAMMY) *@*.top
to create the NEWSPAMMY addrlist to then use the check_from_list_list and
associated evals
Paul
--
Paul Stead
Systems Engineer
Zen Internet
n be helpful in determining the filetype:
https://en.wikipedia.org/wiki/List_of_file_signatures
I make use of this in the OLEMacro plugin:
https://github.com/fmbla/spamassassin-olemacro/
--
Paul Stead
Systems Engineer
Zen Internet
I’ve checked and as in the plugin,
foreach my $part ($pms->{msg}->find_parts(qr/./, 1)) {
does find each attachment, including the ones without Content-Type header – the
method below can be used on these parts found regardless of lack of Content-Type
Paul
From: Pedro David Marco
Re
This. With no Content-Type the type gets set to “text/plain” by default –
should have maybe said this earlier, too
On 17/08/2017, 15:53, "RW" wrote:
Have you ruled-out the possibility that the mime-type for such parts is
set to the default mime type of text/plain?
--
Something along the following still seems the easiest to read approach to me
enlist_uri_host (BADTLDS) vn
enlist_uri_host (BADTLDS) pl
enlist_uri_host (BADTLDS) my
enlist_uri_host (BADTLDS) lu
enlist_uri_host (BADTLDS) ar
header __TEST_URLS eval:check_uri_host_listed('BADTLDS')
tlds that look in headers as well (Received, From, Env_From being the
main ones), so these wouldn't help with that. If there's something
similar for those cases, I'd love to know about it.
The following patch works for me:
https://bz.apache.org/SpamAssassin/show_bug.cgi?
On 15/09/2017, 20:59, "Paul Stead" wrote:
On 15/09/2017, 20:57, "sha...@shanew.net" wrote:
If you're only looking at uris, it probably is (though I wonder a
little about processing time between a long list of such entries and a
sing
documents.
Source code and more info on Github:
https://github.com/bigio/spamassassin-vba-macro
Cheers
Giovanni
--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
etting all the spam.
Thanks in advance
Paul
P.S First post to a
mailing so sorry if I have done it wrong.
Links:
--
[1]
http://spamassassin.apache.org/full/3.2.x/doc/spamassassin.txt
On Mon, 25 Apr 2011 16:59:22 +0200, Karsten Bräckelmann wrote:
> On Mon, 2011-04-25 at 13:01 +0100, Paul Hugill wrote:
>> I have SA (v3.2.3) installed along with hMailServer and it is working
>> great but I just wanted to check if you can make changes to the
>> default heade
On Tue, 26 Apr 2011 04:38:36 +0200, Karsten Bräckelmann wrote:
> Please keep the thread on-list, unless you definitely intend to contact
> me personally. Even "topic solved" posts like this are worthwhile to
> have on the list.
>
> On Mon, 2011-04-25 at 19:58
s
with invalid sender addresses. This will reduce the number of messages that require more
costly processing.
--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
I've noticed a trend recently where I'm getting emails sent to me from
either an aol or yahoo or hotmail account. But the email has a "to"
address to some other account that is not mine.
First off I'm p...@topguncomputers.com. I also run the postfix servers.
Usually my spam score is about 1
On 15/10/2011 3:39 PM, John Hardin wrote:
On Sat, 15 Oct 2011, Paul Cabot wrote:
Is there any way of blocking emails sent to me that are not really
addressed to me.
...you don't ever want to receive legitimate BCCs?
Didn't think about the fact that it would be because of me being a BCC.
On 15/10/2011 3:52 PM, Benny Pedersen wrote:
On Sat, 15 Oct 2011 14:32:07 -0700, Paul Cabot wrote:
I've noticed a trend recently where I'm getting emails sent to me
from either an aol or yahoo or hotmail account. But the email has a
"to" address to some other acco
On 15/10/2011 5:56 PM, Benny Pedersen wrote:
On Sat, 15 Oct 2011 16:40:48 -0700, Paul Cabot wrote:
blacklist_from *@aol.com
whitelist_from_spf good-us...@aol.com
users can then get a new url for free :-)
Would that not blacklist everyone from aol.com unless I specifically
allowed them with
through the postfix docs, but can't find
anything.
Hi Paul,
I have done it but it took me three months to get all the exceptions ... such
as my
tax advisor's bi-monthly newsletter sent to 'undisclosed recipients'. This guy
could even
have used an aol account.
One thing that
mentioned in body etc...
Then when someone complains I'll enable the rules to stop them bothering me.
If not I'll look at writing some myself, if anyone has suggestions on
what to look for on opt-in lists please let me know.
Thanks
Paul
problem would not have been ongoing for at least 4
years.
--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
ource of filter fodder.
YMMV, of course.
--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
time, it was easier to filter by sender address or reply-to address than
content. Over time, the phishers seem to have expanded the target demographic to include
everyone everywhere.
--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
out - http://spamassassin.apache.org/full/3.3.x/doc/spamc.html
Paul
On 22/06/14 02:15, Steve Bergman wrote:
Hi,
I just have a question about the expected performance of sa-learn with the
--nosync option. Working with the default backend, with a bayes_toks file size
of less than 1 MB, it's taking about
Namely counting the encoded chars and recognising other traits I've noticed
with this type of mail.
Hope the patches above get pushed into production
Paul
--
Paul Stead, Zen Internet
Systems Engineer
KAM's rules are also helping add a few extra points
On 23/07/14 19:23, Paul Stead wrote:
On 23/07/14 18:45, Amir 'CG' Caspi wrote:
So, to follow up on this... over the past couple of weeks I've been getting a lot more
FNs than normal, and almost every single one of
d in md5 -
.@domain.com
* All emails to the same recipient have the same MIME boundary - possibly a
hash of the recipient address
Paul
--
Paul Stead, Zen Internet
Systems Engineer
On 23/07/14 20:44, John Hardin wrote:
On Wed, 23 Jul 2014, Paul Stead wrote:
body __LOC_COUNT_UNI /x[0-9A-F]{4};/
tflags __LOC_COUNT_UNI multiple
Recommend maxhits on that.
Apologies, I omitted the max hits...
If you're only looking for 10+ hits, then maxhits=11 will allow y
On 23/07/14 21:24, Axb wrote:
look at the HTML source, sharply - there's tons of little traits to
dump in a meta rule
I have these 'traits' in my custom Clamav rules, but that's another
list... :)
--
Paul Stead, Zen Internet
Systems Engineer
2EU
regex takes over 9.
--
Paul Stead
Systems Engineer
Zen Internet