Kami,

I wasn't thinking there for a second :)

Matt



Kami Razvan wrote:

Hi Matt:

:) on /pics/

Actually we have had (surprisingly) good results with that.  I just checked
and our weight on this is 10.

Question.. I did not think that the filter weight is cumulative on a single
hit, meaning if I have 10 of the /pics/ in the body of email I do not think
the final weight will be 100.  I thought once a filter is hit it is only
counted once.

Scott... True? False?

As for Spamdomains.. You are right. We have PayPal as:

@paypal.com .paypal.com

But not eBay. eBay is added now..

@ebay.com .ebay.com

Has anyone seen any other variation for eBay?

Regards,
Kami


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Thursday, November 20, 2003 6:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] This one eBay fraud.. came right through..

Kami,

Your Body URL filter caught "/pics/" in this message (just once though).
Even though that didn't cause it to fail, a site that includes this in each
of their links could easily go over the delete weight on your system as it
stands right now without a MAXSCORE feature.  Just a heads up as this seems
to be a common directory name.

There seems to be some code in there to help it get some credit.  The
offending URL of course is:

cgi5-update[dot]com

Looked it up and also found he has cgi4-update[dot]com freshly registered
through a different registrar than that, but both are less than 3 days old.
I'd say block the URLs, but how long do these things live?

Suggestion...put Ebay in your SPAMDOMAINS file.  Same goes for PayPal and
every other source that might be the target of such fraud or a virus spoof
such as Norton, McAfee and Microsoft.  I don't have all the REVDNS info, but
I'll bet you can find at least some of their mail servers by searching
SenderBase and doing some MX lookups.  This would be a good thing to share,
and you could put it in a separate file and score it higher since most of us
don't have people sending us greeting cards and the like using addresses
from these corporate domains.  ISPs should be scored lower due to such
problems.

There was also an IP in there with a reverse DNS that points to
www.aquirerealty.com which was registered only a month ago from yet another
registrar:

   Registrant:
   aQuire Realty
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138


Domain Name: AQUIREREALTY.COM


   Administrative Contact:
   Priest, Lonnelle [EMAIL PROTECTED]
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138


   Technical Contact:
   Priest, Lonnelle [EMAIL PROTECTED]
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138


   Record last updated 08-22-2003 01:02:57 PM
   Record expires on 06-18-2005
   Record created on 06-18-2003

   Domain servers in listed order:
   NS11A.VERIO-WEB.COM 161.58.148.38
   NS11B.VERIO-WEB.COM 161.58.148.98


I'm guessing that this is fake info, although they have an account with Verio, so there is some financial trail there if anyone wants to try and jail the punk.

Matt






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
