Why did this email from yahoo trigger FORGED_YAHOO_RCVD?
Spamassassin 3.03
Received: from web31002.mail.mud.yahoo.com (68.142.200.165)
by mail.avtcorp.com with SMTP; 31 May 2005 19:33:31 -
Received: (qmail 41639 invoked by uid 60001); 31 May 2005 19:33:29
-
Comment: DomainKeys? See http
This triggered FORGED_HOTMAIL_RCVD. Another bug?
Received: from bay0-smtp02.bay0.hotmail.com (65.54.241.109)
by mail.avtcorp.com with SMTP; 31 May 2005 23:43:25 -
Message-ID: <[EMAIL PROTECTED]>
X-Originating-IP: [63.226.220.248]
X-Originating-Email: [EMAIL PROTECTED]
Received: from officepc
On Wed, 01 Jun 2005 08:15:56 -0700, you wrote:
>This triggered FORGED_HOTMAIL_RCVD. Another bug?
oops, sorry, this is from SA 3.0.3
Has gocr .41 fixed the segfault problem patched in .40 by
http://antispam.imp.ch/patches/patch-gocr-segfault ?
If not is there an updated patch for .41?
thanks,
Russ
Hi,
Has anyone come up with a SA method for identifying animated GIFs?
Like some way of getting the properties of the file and checking if
the frame count > 1?
I've looked at mime signatures, but I'm not sure if that will work and
I don't have enough samples to test.
thanks,
->Russ
On Wed, 18 Oct 2006 11:50:03 -0400, you wrote:
>
>Before anyone else slams you. YES. And a 60 second search of the archives
>would have pulled it up.
>
>You can use FuzzyOCR, or the SARE stock ruleset will be updated soon with a
>less CPU intense solution.
>
>--Chris
Sorry, I should have been m
Hi,
Is it possible to whitelist by "rcpt to:" when there is nothing in the
header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.
->Russ
On Wed, 23 Nov 2005 09:32:38 -0800, you wrote:
>Russ Ringer wrote:
>> Is it possible to whitelist by "rcpt to:" when there is nothing in the
>> header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.
>
>No.
>
>But you may be able to tell your
>One thing to be wary of is if you're integrating at the MTA layer, there may be
>one message with multiple different recipients. If one is whitelisted but not
>the others, your tool will have to jump a few hoops to split the message into
>two copies to scan one and not the other.
Yes, I warned m
Why did this message trigger these rules?
The email was not sent directly from a dial-up IP.
RCVD_IN_NJABL_DUL
RBL: NJABL: dialup sender did non-local SMTP
[209.30.176.199 listed in combined.njabl.org]
RCVD_IN_SORBS_DUL
RBL: SORBS: sent directly from dynamic IP address
On Thu, 08 Dec 2005 03:31:21 +0100, you wrote:
>2. next check if that IP delivered directly to you (= your mail server) or
>not.
>If yes, then this hit is legitimate. It's not your IP and it delivered
>directly to you. That's exactly the kind of IP you want to check if it is
>on a blacklist.
>Is your trusted_networks set correctly? Note: if you have a NATed mailserver you
>MUST set this manually, otherwise SA will mis-detect external mailservers as
>being a part of your network and this rule will misfire.
>
>Other common signs of incorrect trusted_networks are ALL_TRUSTED matching s
On Thu, 8 Dec 2005 03:34:44 -0800, you wrote:
>score ALL_TRUSTED 0
>
>This is simply masking the problem, not setting trusted_networks correctly.
>And it is only masking the obvious problem - there are inobvious problems
>that will still score incorrectly.
>
>If you remove that line and start seei
On Thu, 08 Dec 2005 15:24:29 -0500, you wrote:
>On 08/12/2005 12:01 AM, Russ Ringer wrote:
>> I have:
>> internal_networks 10.0.0
>
>As long as your trusted_networks are the same (or blank as
>internal_networks will be copied if I remember correctly), that setting
>
OK, thanks for the clarification. I'm not sure if I trust myself, but
my mailserver now trusts itself :)
->Russ
On Thu, 8 Dec 2005 23:16:13 -0800, you wrote:
>> Even with TRUSTED_NETWORKS set, the RCVD_IN_SORBS_DUL rule is
>triggered. I don't see how this is correct, when the IP address that
>triggered it was not the last hop. This rule should only be triggered
>when "sent directly from dynamic IP address"
On Wed, 18 Oct 2006 13:17:04 -0400, you wrote:
>> I was hoping for a simple way to
>> detect if the image property frames > 1
>>
>> Will the updated SARE ruleset be able to do this?
>
>It won't need to. It just uses other flags to determine what's going on. I
>went about it as the gif didn't mat