Jeroen Koekkoek | 20 Dec 2012 00:33

Content-Type-Encoding?

Hi,

While going through the code for Razor v2, I found the check below in 
String.pm and enBase64.pm.

----- quote -----
     my $is_binary = ($hdr =~ /^Content-Type-Encoding: 8-bit/) ||
         ($body =~ /([\x00-\x1f|\x7f-\xff])/ and $1 !~ /[\r\n\t]/);
----- /quote -----

I may be wrong, but does the "Content-Type-Encoding:" header even exist? 
RFC 1341 (http://tools.ietf.org/html/rfc1341) doesn't mention it. It 
does mention 8-bit encoding in the "Content-Transfer-Encoding:" header 
however.

The check is also case sensitive and doesn't allow for the value 8bit in 
the "Content-Transfer-Encoding:" (or "Content-Type-Encoding:") header.

Anyway, I was curious about this. Maybe someone can comment on this? Thanks.

Best regards,
Jeroen Koekkoek
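
The points raised in this message, as an added example (not Razor's code and not from the poster): the header test quoted above next to a hypothetical replacement, `declared_8bit_or_binary`, that looks for `Content-Transfer-Encoding` case-insensitively and accepts the `8bit` token. It goes slightly beyond the message by also unfolding continuation lines and accepting `binary`; the sample header blocks are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header test exactly as quoted from String.pm / enBase64.pm.
sub original_header_check {
    my ($hdr) = @_;
    return $hdr =~ /^Content-Type-Encoding: 8-bit/ ? 1 : 0;
}

# Hypothetical replacement: finds Content-Transfer-Encoding anywhere in the
# header block, ignores case, and accepts the MIME tokens "8bit" and "binary".
sub declared_8bit_or_binary {
    my ($hdr) = @_;
    (my $unfolded = $hdr) =~ s/\r?\n[ \t]+/ /g;    # join folded header lines
    for my $line (split /\r?\n/, $unfolded) {
        next unless $line =~ /^Content-Transfer-Encoding[ \t]*:[ \t]*(.*)$/i;
        (my $value = lc $1) =~ s/\([^)]*\)//g;      # drop RFC 822 comments
        $value =~ s/^\s+|\s+$//g;                   # trim surrounding space
        return ($value eq '8bit' || $value eq 'binary') ? 1 : 0;
    }
    return 0;                                       # header not present
}

# Constructed sample header blocks (not taken from real mail).
my @samples = (
    [ 'header named in the quoted check', "Content-Type-Encoding: 8-bit\n" ],
    [ 'standard header, standard token',
      "Subject: test\nContent-Transfer-Encoding: 8bit\n" ],
    [ 'lower-case name, upper-case token',
      "subject: test\ncontent-transfer-encoding: 8BIT\n" ],
    [ 'folded header line', "Content-Transfer-Encoding:\n\t8bit\n" ],
    [ 'binary token', "Content-Transfer-Encoding: binary\n" ],
    [ 'base64 (7-bit on the wire)', "Content-Transfer-Encoding: base64\n" ],
);

for my $s (@samples) {
    my ($label, $hdr) = @$s;
    printf "%-36s original=%d corrected=%d\n",
        $label, original_header_check($hdr), declared_8bit_or_binary($hdr);
}
```

Only the first sample satisfies the quoted test, because its pattern has no `/m` or `/i` flag and names a header that the MIME RFCs do not define; the replacement reports 1 for the four samples that declare `8bit` or `binary` under the standard header.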


Andy Smith | 17 Dec 2012 18:08

Re: testing razor, understanding positive results

Hi Stef,

   thanks for your reply. I don't run razor on outbound mails anyway so 
I'm going to attempt to revoke some mails and see where that gets us,

cheers Andy.

Andy Smith | 13 Dec 2012 18:55

testing razor, understanding positive results

Hi,

  I think mail from our company may have been listed in razor. Having googled a little on checking razor and the possibility of resolving the issue I've not got much further than testing via razor-check.


For example can someone help me understand the output of razor-check -H, ie:

1.0 e4: KOQdDz58L451g4akrfcPDgthXSQA, ep4: 7542-10
1.0 e8: uNFZFVRwA-4A
1.0 e8: FVW9OG-WA-4A
1.1 e4: 79gYKj8Bv9VDBcS6OuDcKi1axXsA, ep4: 7542-10
1.1 e8: FVW9OG-WUy0A
1.2 e4: WUK1-RYSRgTSHNJXJAUVqa60eC0A, ep4: 7542-10
1.3 e4: dhdlKnsGuKKLx6zOxQZnZaKVVEEA, ep4: 7542-10
1.4 e4: JPPq_hiy3gtLKsfYr-f5l3FR7AEA, ep4: 7542-10


I'd like to be able to understand this so I can understand better what mails are being flagged and what I can do about this.


Thanks in advance for any help,

Andy.

_______________________________________________
Razor-users mailing list
Razor-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/razor-users
Stef Simoens | 9 Jun 2012 02:08

Razor2 problems

Hello,

I don't see a lot of action on this list, I hope someone will read me here.
Is Razor2 still being used, by the way?

I'm seeing a lot of false positives with Razor2 scans on my domain.
I did some research (adding some verbosity printf's and running razor-check -d < false_positive_email).

I noticed the following facts:
- because in Whiplash.pm, line 655, the line-wrap kill is commented out, a lot of URL's are not found (in a
real-life e-mail only 3 URLs were found out of 14 URLs present in the e-mail)
- due to my domain name bgs.org and the Whiplash.pm "canonify" function, all URLs on my domain are being
canonified to "bgs.org". That wouldn't be bad, if the hash for that domain wouldn't be marked as being 100%
SPAM (e=8 sig=PhKPm4hzfMkA: Is spam: cf 100 >= min_cf 21).

Is this "Spam" an indicator for "bulk" or is it an indicator for "unsolicited e-mail"?
How can this situation be handled? (i.e. what are the rules for the bgs.org hash to be considered non-spam?).

Thank you for your help/comments/advice/...

--
Stef Simoens
BGS.org hostmaster

Andrey Nazarov | 15 Nov 2011 17:34

Re: [!! SPAM] Welcome to the "Razor-users" mailing list

15.11.2011 20:26, razor-users-request <at> lists.sourceforge.net wrote:
> Welcome to the Razor-users <at> lists.sourceforge.net mailing list!
>
> To post to this list, send your email to:
>
>    razor-users <at> lists.sourceforge.net
>
> General information about the mailing list is at:
>
>    https://lists.sourceforge.net/lists/listinfo/razor-users
>
> If you ever want to unsubscribe or change your options (eg, switch to
> or from digest mode, change your password, etc.), visit your
> subscription page at:
>
>    https://lists.sourceforge.net/lists/options/razor-users/nasario2%40yandex.ru
>
>
> You can also make such adjustments via email by sending a message to:
>
>    Razor-users-request <at> lists.sourceforge.net
>
> with the word `help' in the subject or body (don't include the
> quotes), and you will get back a message with instructions.
>
> You must know your password to change your options (including changing
> the password, itself) or to unsubscribe.  It is:
>
>    nearfew
>
> Normally, Mailman will remind you of your lists.sourceforge.net
> mailing list passwords once every month, although you can disable this
> if you prefer.  This reminder will also include instructions on how to
> unsubscribe or change your account options.  There is also a button on
> your options page that will email your current password to you.
>
>

Andrey Nazarov | 15 Nov 2011 17:35

(no subject)


Giampaolo Tomassoni | 2 Sep 2011 09:43

Re: Razor and Pyzor

> From: l.rinetti <at> movimatica.com [mailto:l.rinetti <at> movimatica.com]
> 
> Thank You Gianpaolo.
> Are you aware of some problem between Spamassassin and Pyzor from June
> 2011 ?
>  From June i continue to see RAZOR2_CHECK on the header of some of my
> mail
> but the PYZOR_CHECK are no more present from June.
> I run Ubuntu 10.10 Server with Exim4 4,72, SA 3.3.1-1.
> Any information is much appreciated.
> 
> Best Regards

My SAs get Pyzor hits even today, so I guess it is some problem with your
own setup/installation.

Why don't you place a help request in pyzor-users <at> lists.sourceforge.net ?

Giampaolo 

> 
> 
> 
> 
> 
> On 01/09/2011 20.42, Giampaolo Tomassoni wrote:
> >> From: l.rinetti <at> movimatica.com [mailto:l.rinetti <at> movimatica.com]
> >>
> >> Hello,
> >> maybe is not a great question, but i'd like to know if:
> >> a) when spamassassin give a score due to RAZOR2_CHECK
> >>     should give the same score to PYZOR_CHECK ?
> >> b) Razor and Pyzor are based on different signature database or they
> > differ
> >>     only because Pyzor is Python based ?
> >>
> >> Many thanks,
> >>
> >> Luciano
> > Hi Luciano.
> >
> > It is not only a matter of databases: they use different methods to
> extract
> > hashes of the message in order to check them against their own
> databases of
> > well-known spam signatures.
> >
> > Besides, the methods Razor adopt to do it are proprietary, so
> generally we
> > (the users) can't easily estimate how much overlap is in the results
> of
> > these two packages. So it is not easy to tune their scores.
> >
> > However, Razor seems to have a quite wide userbase and
> (authenticated)
> > methods to revoke FPs, so I'm inclined to trust Razor hits a bit more
> than
> > Pyzor ones.
> >
> > Giampaolo
> >
> >
> 
> 
> --
> Luciano Rinetti
> mail l.rinetti <at> movimatica.com
> Mob. 335.7878.602
> 
> Movimatica S.r.l.
> www.movimatica.com - info <at> movimatica.com
> _________________________________________
> sede Operativa:
> C.so Svizzera, 185 - 10149 Torino - Italy
> Tel. +39 011 7767694 - Fax +39 011 746179
> _________________________________________

l.rinetti@movimatica.com | 30 Aug 2011 13:48

Razor and Pyzor

Hello,
maybe this is not a great question, but I'd like to know:
a) when SpamAssassin gives a score due to RAZOR2_CHECK,
   should it give the same score to PYZOR_CHECK?
b) are Razor and Pyzor based on different signature databases, or do they differ
   only because Pyzor is Python based?

Many thanks,

Luciano
Leesa Vuola | 17 Jun 2011 02:36

(no subject)


 

Leesa

Gordon Dickens | 12 Jun 2011 20:13

Razor not working

I have been using razor2 with spamassassin for about 4 years on a CentOS 5.x system. I am currently running spamassassin 3.3.1 with razor 2.84 from the rpmforge repo.  In any event, I recently noticed that razor is not showing up much in my logs catching spam.  So, I did some testing with the gtube.txt spam file and razor is not catching the gtube.txt spam file either.  When I send an email with gtube.txt, then the razor logs say: "mail 1.0 e8 got no sig" and "No queries, no spam".  Here is an excerpt from my razor-agent.log file when the gtube.txt spam file is sent:

Jun 12 13:57:30.844373 check[11031]: [ 5] Connecting to c303.cloudmark.com ...
Jun 12 13:57:30.949209 check[11031]: [ 4] c303.cloudmark.com >> 37 server greeting: sn=C&srl=13227&a=1&a=cg&ep4=7542-10
Jun 12 13:57:30.949489 check[11031]: [ 4] c303.cloudmark.com << 25
Jun 12 13:57:30.949770 check[11031]: [ 5] mail 1.0 e8 got no sig
Jun 12 13:57:30.949834 check[11031]: [ 5] No queries, no spam
Jun 12 13:57:30.949900 check[11031]: [ 5] disconnecting from server c303.cloudmark.com
Jun 12 13:57:30.949997 check[11031]: [ 4] c303.cloudmark.com << 5

Everything appeared to be working fine with razor until sometime earlier this year.  While razor appears not to be working, pyzor and DCC have been working fine so I suspect something has changed with the way that cloudmark servers are handling razor.

Please reply with your recommendations for getting razor back working properly.

Thanks,

Gordon Dickens




Catalin Constantin | 31 May 2010 10:40

listing lifetime / delisting procedure

Hello,
 
On a RAZOR Check test we got the following response:
May 31 11:01:21.044243 check[1359]: [ 6] -a=c&e=4&ep4=7542-10&s=FxupY3CrG_jPhmM_oqTFgPZLEgEA
a=c&e=8&s=41Dr2IFv8cUA
a=c&e=8&s=G90YD_Ns8cUA
a=c&e=4&ep4=7542-10&s=0UNezv5b6KiISgimLsy2IXzpguIA
a=c&e=8&s=41Dr2IFv2EIA
a=c&e=8&s=G90YD_Ns2EIA
.
May 31 11:01:21.428958 check[1359]: [ 4] c303.cloudmark.com >> 46
May 31 11:01:21.429072 check[1359]: [ 6] response to sent.8
-p=0
p=1&cf=44
p=0
p=0
p=1&cf=44
p=0
.
May 31 11:01:21.429542 check[1359]: [ 6] mail 1.0 e=4 sig=FxupY3CrG_jPhmM_oqTFgPZLEgEA: sig not found.
May 31 11:01:21.429632 check[1359]: [ 6] mail 1.0 e=8 sig=41Dr2IFv8cUA: Is spam: cf 44 >= min_cf 21
May 31 11:01:21.429691 check[1359]: [ 6] mail 1.0 e=8 sig=G90YD_Ns8cUA: sig not found.
May 31 11:01:21.429755 check[1359]: [ 6] mail 1.1 e=4 sig=0UNezv5b6KiISgimLsy2IXzpguIA: sig not found.
May 31 11:01:21.429815 check[1359]: [ 6] mail 1.1 e=8 sig=41Dr2IFv2EIA: Is spam: cf 44 >= min_cf 21
May 31 11:01:21.429871 check[1359]: [ 6] mail 1.1 e=8 sig=G90YD_Ns2EIA: sig not found.
May 31 11:01:21.429943 check[1359]: [ 7] method 4: mail 1.0: no-contention part, spam=1
May 31 11:01:21.429993 check[1359]: [ 7] method 4: mail 1.1: no-contention part, spam=1
May 31 11:01:21.430041 check[1359]: [ 7] method 4: mail 1: a non-contention part was spam, mail spam
May 31 11:01:21.430090 check[1359]: [ 3] mail 1 is known spam.
May 31 11:01:21.430147 check[1359]: [ 5] disconnecting from server c303.cloudmark.com
May 31 11:01:21.430255 check[1359]: [ 4] c303.cloudmark.com << 5
May 31 11:01:21.430305 check[1359]: [ 6] a=q
May 31 11:01:21.430513 check[1359]: [ 8] razor-check finished successfully.
 
I have 2 questions:
1) is there any delisting procedure we can follow in order to get delisted for the particular message?
2) what is the lifetime of a listing? How long does it take for the "listing" to fade out?
 
Calling razor-revoke did not help.
 
Thank you.

--
Catalin Constantin
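
For reading a debug log like the one in this message, an added example (not part of the original post and not Razor code): it parses the per-signature verdict lines and groups them by mail part, so it is visible which part and which engine (`e=`) produced the match. The line format is taken from the log above; the signatures in the sample are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed log lines in the format shown above; signatures are placeholders.
my @log = (
    'May 31 11:01:21.429542 check[1359]: [ 6] mail 1.0 e=4 sig=EXAMPLE-sig-A_part0: sig not found.',
    'May 31 11:01:21.429632 check[1359]: [ 6] mail 1.0 e=8 sig=EXAMPLEsigB: Is spam: cf 44 >= min_cf 21',
    'May 31 11:01:21.429691 check[1359]: [ 6] mail 1.0 e=8 sig=EXAMPLEsigC: sig not found.',
    'May 31 11:01:21.429755 check[1359]: [ 6] mail 1.1 e=4 sig=EXAMPLE-sig-D_part1: sig not found.',
    'May 31 11:01:21.430090 check[1359]: [ 3] mail 1 is known spam.',
);

# Turn each per-signature verdict line into a record; other lines are skipped.
sub parse_verdicts {
    my @rows;
    for my $line (@_) {
        next unless $line =~ m{
            \b mail \s+ (\d+)\.(\d+) \s+ e=(\d+) \s+ sig=([\w-]+) : \s+
            (?: Is \s spam: \s cf \s (\d+) \s >= \s min_cf \s (\d+)
              | sig \s not \s found )
        }x;
        push @rows, { part => "$1.$2", engine => $3, sig => $4,
                      cf => $5, min_cf => $6 };
    }
    return @rows;
}

# Group by mail part so it is clear which part and which engine caused the hit.
my (%by_part, %hits_per_engine);
for my $v (parse_verdicts(@log)) {
    my $list = $by_part{ $v->{part} } //= [];
    next unless defined $v->{cf};              # "sig not found"
    push @$list, "e=$v->{engine} sig=$v->{sig} cf=$v->{cf} (min_cf $v->{min_cf})";
    $hits_per_engine{ $v->{engine} }++;
}

for my $part (sort keys %by_part) {
    my @hits = @{ $by_part{$part} };
    printf "part %s: %s\n", $part, @hits ? join('; ', @hits) : 'no signature matched';
}
printf "engine e=%s: %d matching signature(s)\n", $_, $hits_per_engine{$_}
    for sort keys %hits_per_engine;
```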